Map the G115 rule to an CWE ID

Signed-off-by: Cosmin Cojocar <cosmin@cojocar.ch>
securego · May 27, 2024 · c3209fc · c3209fc
1 parent 45fbb27
commit c3209fc
Show file tree

Hide file tree

Showing 2 changed files with 31 additions and 30 deletions.
diff --git a/cwe/data.go b/cwe/data.go
@@ -18,6 +18,31 @@ const (
 )
 
 var idWeaknesses = map[string]*Weakness{
+	"22": {
+		ID:          "22",
+		Description: "The software uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the software does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.",
+		Name:        "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')",
+	},
+	"78": {
+		ID:          "78",
+		Description: "The software constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.",
+		Name:        "Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')",
+	},
+	"79": {
+		ID:          "79",
+		Description: "The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.",
+		Name:        "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')",
+	},
+	"88": {
+		ID:          "88",
+		Description: "The software constructs a string for a command to executed by a separate component\nin another control sphere, but it does not properly delimit the\nintended arguments, options, or switches within that command string.",
+		Name:        "Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')",
+	},
+	"89": {
+		ID:          "89",
+		Description: "The software constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component.",
+		Name:        "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')",
+	},
 	"118": {
 		ID:          "118",
 		Description: "The software does not restrict or incorrectly restricts operations within the boundaries of a resource that is accessed using an index or pointer, such as memory or files.",
@@ -33,11 +58,6 @@ var idWeaknesses = map[string]*Weakness{
 		Description: "The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.",
 		Name:        "Exposure of Sensitive Information to an Unauthorized Actor",
 	},
-	"22": {
-		ID:          "22",
-		Description: "The software uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the software does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.",
-		Name:        "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')",
-	},
 	"242": {
 		ID:          "242",
 		Description: "The program calls a function that can never be guaranteed to work safely.",
@@ -93,41 +113,21 @@ var idWeaknesses = map[string]*Weakness{
 		Description: "The software does not handle or incorrectly handles a compressed input with a very high compression ratio that produces a large output.",
 		Name:        "Improper Handling of Highly Compressed Data (Data Amplification)",
 	},
+	"676": {
+		ID:          "676",
+		Description: "The program invokes a potentially dangerous function that could introduce a vulnerability if it is used incorrectly, but the function can also be used safely.",
+		Name:        "Use of Potentially Dangerous Function",
+	},
 	"703": {
 		ID:          "703",
 		Description: "The software does not properly anticipate or handle exceptional conditions that rarely occur during normal operation of the software.",
 		Name:        "Improper Check or Handling of Exceptional Conditions",
 	},
-	"78": {
-		ID:          "78",
-		Description: "The software constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.",
-		Name:        "Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')",
-	},
-	"79": {
-		ID:          "79",
-		Description: "The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.",
-		Name:        "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')",
-	},
 	"798": {
 		ID:          "798",
 		Description: "The software contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data.",
 		Name:        "Use of Hard-coded Credentials",
 	},
-	"88": {
-		ID:          "88",
-		Description: "The software constructs a string for a command to executed by a separate component\nin another control sphere, but it does not properly delimit the\nintended arguments, options, or switches within that command string.",
-		Name:        "Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')",
-	},
-	"89": {
-		ID:          "89",
-		Description: "The software constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component.",
-		Name:        "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')",
-	},
-	"676": {
-		ID:          "676",
-		Description: "The program invokes a potentially dangerous function that could introduce a vulnerability if it is used incorrectly, but the function can also be used safely.",
-		Name:        "Use of Potentially Dangerous Function",
-	},
 }
 
 // Get Retrieves a CWE weakness by it's id

diff --git a/issue/issue.go b/issue/issue.go
@@ -67,6 +67,7 @@ var ruleToCWE = map[string]string{
 	"G112": "400",
 	"G113": "190",
 	"G114": "676",
+	"G115": "190",
 	"G201": "89",
 	"G202": "89",
 	"G203": "79",