
Conversation

@erik-krogh
Contributor

CWE-1333 sounds like a perfect fit.

Inspired by Nick's comment here: #6038 (comment)

@erik-krogh erik-krogh requested a review from a team as a code owner June 22, 2021 08:25
@github-actions github-actions bot added the JS label Jun 22, 2021
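CWE-1333 is "Inefficient Regular Expression Complexity", the weakness class the JS ReDoS queries in this PR are being tagged with (CodeQL query metadata expresses such a mapping as a tag of the form external/cwe/cwe-1333). The following is an added illustration of that weakness in JavaScript; it is not code from this PR or from the github/codeql repository, and the names VULNERABLE, HARDENED, attackInput, timeTest, sameLanguage and hardenedSurvives are hypothetical. It pairs a regex with nested quantifiers, which backtracks exponentially on a crafted input, with an equivalent pattern that matches the same strings in linear time, and measures both.

```javascript
// Added example of CWE-1333 (Inefficient Regular Expression Complexity) in JavaScript.
// Hypothetical names; not code from the github/codeql repository or this PR.

// Vulnerable: a nested quantifier over the same character. On an input such as
// "aaaa...a!" the backtracking engine tries every way to split the run of a's between
// the inner and the outer +, which is exponential in the length of the run.
const VULNERABLE = /^(a+)+$/;

// Hardened: the same language (one or more 'a') without the nested quantifier, so
// backtracking is bounded by a single quantifier and the match runs in linear time.
const HARDENED = /^a+$/;

// Classic attack string: many repetitions of the character the group accepts, followed
// by a character that forces the overall match to fail only after backtracking.
function attackInput(n) {
  return 'a'.repeat(n) + '!';
}

// Run `re.test(input)` once and report the result and the elapsed time in milliseconds.
function timeTest(re, input) {
  const start = process.hrtime.bigint();
  const result = re.test(input);
  const elapsedMs = Number(process.hrtime.bigint() - start) / 1e6;
  return { result, elapsedMs };
}

// Behavioural check: both patterns accept and reject the same short strings, so the
// hardened regex is a drop-in replacement for the vulnerable one.
function sameLanguage(samples) {
  return samples.every((s) => VULNERABLE.test(s) === HARDENED.test(s));
}

// Exercise the hardened regex on an attack input far longer than the vulnerable one
// could handle; true if it rejects the input within the given time budget.
function hardenedSurvives(n, budgetMs) {
  const { result, elapsedMs } = timeTest(HARDENED, attackInput(n));
  return result === false && elapsedMs < budgetMs;
}

if (typeof require !== 'undefined' && require.main === module) {
  // Small n keeps the demonstration of the vulnerable pattern short; every extra
  // character roughly doubles the time.
  for (const n of [10, 14, 18, 20]) {
    const { elapsedMs } = timeTest(VULNERABLE, attackInput(n));
    console.log(`vulnerable n=${n}: ${elapsedMs.toFixed(2)} ms`);
  }
  const { elapsedMs } = timeTest(HARDENED, attackInput(100000));
  console.log(`hardened n=100000: ${elapsedMs.toFixed(2)} ms`);
}

module.exports = { VULNERABLE, HARDENED, attackInput, timeTest, sameLanguage, hardenedSurvives };
```

Run it with node to see the vulnerable timings climb with each added character while the hardened pattern rejects a 100,000-character input almost instantly; this superlinear growth on attacker-controlled input is exactly what the js/redos and js/polynomial-redos style queries report and what the CWE-1333 tag now names.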
@esbena
Contributor

esbena commented Jun 22, 2021

Historically (as in: this used to be in the Semmle wiki), we have tried to only make use of the Class Research Concept for CWEs. CWE-1333 uses the Base concept. I am not sure if that guideline is still in effect.

@calumgrant you have recently worked with the CWEs. Do you know what the guidelines are these days for query/CWE combinations?

@erik-krogh erik-krogh added the no-change-note-required This PR does not need a change note label Jun 22, 2021
@calumgrant
Contributor

There are no established guidelines yet, but the tooling is still a work in progress. However, it should be fairly safe to just add CWE to an existing query as this will in theory just refine the severity score. In theory you should also rerun the cwe scoring tool as part of the PR but the exact workflow has not been established.

@esbena
Contributor

esbena commented Jun 22, 2021

Thanks.
I vote for making use of this CWE then.

@erik-krogh erik-krogh changed the title JS: add CWE-1333 to the JS ReSoS queries JS: add CWE-1333 to the JS ReDoS queries Jun 22, 2021
@codeql-ci codeql-ci merged commit eb95dff into github:main Jun 22, 2021