pySCG: Replacing CWE-400 with something that describes the resource exhaustion case better #657

@openrefactorymunawar

Description

The description of CWE-400 in the MITRE document (https://cwe.mitre.org/data/definitions/400.html#Vulnerability_Mapping_Notes_400) suggests this:

Usage: DISCOURAGED (this CWE ID should not be used to map to real-world vulnerabilities)

Reason: Frequent Misuse

Rationale:

[CWE-400](https://cwe.mitre.org/data/definitions/400.html) is intended for incorrect behaviors in which the product is expected to track and restrict how many resources it consumes, but [CWE-400](https://cwe.mitre.org/data/definitions/400.html) is often misused because it is conflated with the "technical impact" of vulnerabilities in which resource consumption occurs. It is sometimes used for low-information vulnerability reports. It is a level-1 Class (i.e., a child of a Pillar).

Comments:

Closely analyze the specific mistake that is causing resource consumption, and perform a CWE mapping for that mistake. Consider children/descendants such as [CWE-770](https://cwe.mitre.org/data/definitions/770.html): Allocation of Resources Without Limits or Throttling, [CWE-771](https://cwe.mitre.org/data/definitions/771.html): Missing Reference to Active Allocated Resource, [CWE-410](https://cwe.mitre.org/data/definitions/410.html): Insufficient Resource Pool, [CWE-772](https://cwe.mitre.org/data/definitions/772.html): Missing Release of Resource after Effective Lifetime, [CWE-834](https://cwe.mitre.org/data/definitions/834.html): Excessive Iteration, [CWE-405](https://cwe.mitre.org/data/definitions/405.html): Asymmetric Resource Consumption (Amplification), and others.

Do you want to pinpoint to another specific CWE that is more appropriate?
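The MITRE comment quoted above asks for the specific mistake behind the resource consumption rather than its impact. As an added illustration (not code from the pySCG project, the issue author, or MITRE), the following Python shows two of the listed children side by side, each next to its hardened form: CWE-770, an allocation sized by an untrusted length prefix with no cap, and CWE-772, a file handle that is never explicitly released. The length-prefixed wire format, the 64 KiB limit, the temporary files and all function names are assumptions made for this example.

```python
"""Two distinct root causes of resource exhaustion that CWE-400 lumps together.

Added example for the pySCG CWE-400 discussion; not code from the pySCG
project or the MITRE text. The wire format (4-byte big-endian length
prefix), the 64 KiB limit and all function names are assumptions.
"""
import io
import os
import struct
import tempfile

MAX_PAYLOAD = 64 * 1024  # assumed per-message limit; set to what the protocol needs


# --- CWE-770: Allocation of Resources Without Limits or Throttling -----------

def read_payload_unbounded(stream: io.BufferedIOBase) -> bytes:
    """The peer-controlled length prefix sizes the allocation with no check:
    a header claiming 0xFFFFFFFF asks for a 4 GiB bytearray. The mistake is
    the missing limit; the out-of-memory that follows is only the impact."""
    (length,) = struct.unpack(">I", stream.read(4))
    buf = bytearray(length)            # allocates whatever the peer asked for
    n = stream.readinto(buf)
    return bytes(buf[:n])


def read_payload_bounded(stream: io.BufferedIOBase) -> bytes:
    """Hardened form: validate the untrusted length against a fixed cap before
    any allocation, and require the peer to actually send that many bytes."""
    header = stream.read(4)
    if len(header) != 4:
        raise ValueError("truncated length prefix")
    (length,) = struct.unpack(">I", header)
    if length > MAX_PAYLOAD:
        raise ValueError(f"declared payload {length} exceeds limit {MAX_PAYLOAD}")
    payload = stream.read(length)      # at most MAX_PAYLOAD bytes are read
    if len(payload) != length:
        raise ValueError("truncated payload")
    return payload


def frame(payload: bytes) -> bytes:
    """Encode a message in the assumed length-prefixed format."""
    return struct.pack(">I", len(payload)) + payload


# --- CWE-772: Missing Release of Resource after Effective Lifetime ----------

def count_lines_leaky(paths) -> int:
    """Handles are opened but never explicitly closed. If a read raises (e.g.
    UnicodeDecodeError on binary data) the handle stays open until the GC gets
    to it; on a runtime without refcounting (PyPy) every iteration leaks, and a
    long list exhausts the fd table. The mistake is the missing release."""
    total = 0
    for p in paths:
        f = open(p, encoding="utf-8")
        total += sum(1 for _ in f)
    return total


def count_lines_released(paths) -> int:
    """Hardened form: the context manager releases the handle on every exit
    path, including exceptions."""
    total = 0
    for p in paths:
        with open(p, encoding="utf-8") as f:
            total += sum(1 for _ in f)
    return total


def demo() -> dict:
    """Run both pairs on constructed inputs and return the observations."""
    results = {}
    good = frame(b"hello")                                  # constructed message
    results["unbounded_ok"] = read_payload_unbounded(io.BytesIO(good))
    results["bounded_ok"] = read_payload_bounded(io.BytesIO(good))
    results["bounded_at_limit"] = len(
        read_payload_bounded(io.BytesIO(frame(b"x" * MAX_PAYLOAD))))

    hostile = struct.pack(">I", 0xFFFFFFFF)                 # claims 4 GiB, sends nothing
    try:
        read_payload_bounded(io.BytesIO(hostile))
        results["bounded_rejects_huge"] = False
    except ValueError:
        results["bounded_rejects_huge"] = True
    # read_payload_unbounded(io.BytesIO(hostile)) would attempt the 4 GiB
    # allocation; it is deliberately not called here.

    with tempfile.TemporaryDirectory() as d:                # constructed files
        paths = []
        for i in range(3):
            p = os.path.join(d, f"f{i}.txt")
            with open(p, "w", encoding="utf-8") as f:
                f.write("a\nb\nc\n")                        # 3 lines each
            paths.append(p)
        results["released_count"] = count_lines_released(paths)
    return results


if __name__ == "__main__":
    print(demo())
```

Mapping each vulnerable function to its child CWE (770 for the missing cap, 772 for the missing close) names the fix directly, which is what the MITRE note means by mapping the mistake rather than the "technical impact".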

Metadata

Status: Backlog