C#: Add missing CWE tags #16461
This looks good to me, but maybe we should also ask someone with a bit more CWE domain knowledge.
@atorralba: Do you think this is a reasonable CWE tag to add to these queries (we just need to add at least one)?
CWE-1173 is a bit generic in my opinion and doesn't particularly apply to this vulnerability pattern. After some time reviewing CWEs, I think CWE-348: Use of less trusted source is a better fit. The examples are a bit fixated on bypassing IP controls with the |
LGTM 👍
Thank you @atorralba!
👍
Adds cwe-1173 to cs/ambiguous-client-variable and cs/ambiguous-server-variable.