Skip to content

CodeQL Rules Mapped to 'Discouraged' CWEs #22131

Description

@davewichers

Description of the issue

The rule: cpp/uncontrolled-process-operation is tagged with CWE 114. If you look at that CWE description: https://cwe.mitre.org/data/definitions/114.html, the Vulnerability Mapping to it is marked as DISCOURAGED. Meaning you shouldn't map rules to that CWE.

I haven't reviewed all the CodeQL rules but suspect this is not the only rule mapped to a DISCOURAGED CWE.

Recommendation

Seems like this rule would be better mapped to CWE 78, Command Injection.

In addition, I'd recommend you review the CWE mappings for ALL the CodeQL rules and any other mappings to DISCOURAGED CWEs should be remapped to one that is not discouraged. Or if the rule is mapped to multiple CWEs, and one of them seems like a good, not DISCOURAGED, CWE mapping, then simply drop the mapping to the DISCOURAGED CWE number.

Metadata

Metadata

Assignees

No one assigned

    Labels

    questionFurther information is requested

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions