Fix cwe tags to include leading zero #19429
Conversation
Pull Request Overview
This PR updates the CWE tag annotations in the QL queries to use three-digit CWE numbers with leading zeros, aligning them with the query metadata style guide.
- Updates CWE-20, CWE-12, CWE-16, CWE-11, and CWE-14 tags to their three-digit formats (e.g. from cwe-20 to cwe-020).
- Improves consistency of metadata across Go, C#, and C++ query files.
Reviewed Changes
Copilot reviewed 38 out of 38 changed files in this pull request and generated no comments.
File | Description |
---|---|
go/ql/src/Security/CWE-020/UntrustedDataToUnknownExternalAPI.ql | Updated tag from cwe-20 to cwe-020 |
go/ql/src/Security/CWE-020/UntrustedDataToExternalAPI.ql | Updated tag from cwe-20 to cwe-020 |
go/ql/src/Security/CWE-020/SuspiciousCharacterInRegexp.ql | Updated tag from cwe-20 to cwe-020 |
go/ql/src/Security/CWE-020/MissingRegexpAnchor.ql | Updated tag from cwe-20 to cwe-020 |
go/ql/src/Security/CWE-020/IncompleteHostnameRegexp.ql | Updated tag from cwe-20 to cwe-020 |
go/ql/src/Security/CWE-020/ExternalAPIsUsedWithUntrustedData.ql | Updated tag from cwe-20 to cwe-020 |
csharp/ql/src/Security Features/CWE-248/MissingASPNETGlobalErrorHandler.ql | Updated tag from cwe-12 to cwe-012 |
csharp/ql/src/Security Features/CWE-020/UntrustedDataToExternalAPI.ql | Updated tag from cwe-20 to cwe-020 |
csharp/ql/src/Security Features/CWE-020/RuntimeChecksBypass.ql | Updated tag from cwe-20 to cwe-020 |
csharp/ql/src/Security Features/CWE-020/ExternalAPIsUsedWithUntrustedData.ql | Updated tag from cwe-20 to cwe-020 |
csharp/ql/src/Security Features/CWE-016/ASPNetPagesValidateRequest.ql | Updated tag from cwe-16 to cwe-016 |
csharp/ql/src/Security Features/CWE-016/ASPNetMaxRequestLength.ql | Updated tag from cwe-16 to cwe-016 |
csharp/ql/src/Security Features/CWE-011/ASPNetDebug.ql | Updated tag from cwe-11 to cwe-011 |
csharp/ql/src/Configuration/PasswordInConfigurationFile.ql | Updated tag from cwe-13 to cwe-013 |
cpp/ql/src/experimental/Security/CWE/CWE-020/LateCheckOfFunctionArgument.ql | Updated tag from cwe-20 to cwe-020 |
cpp/ql/src/Security/CWE/CWE-020/UntrustedDataToExternalAPI.ql | Updated tag from cwe-20 to cwe-020 |
cpp/ql/src/Security/CWE/CWE-020/IRUntrustedDataToExternalAPI.ql | Updated tag from cwe-20 to cwe-020 |
cpp/ql/src/Security/CWE/CWE-020/IRCountUntrustedDataToExternalAPI.ql | Updated tag from cwe-20 to cwe-020 |
cpp/ql/src/Security/CWE/CWE-020/CountUntrustedDataToExternalAPI.ql | Updated tag from cwe-20 to cwe-020 |
cpp/ql/src/Security/CWE/CWE-014/MemsetMayBeDeleted.ql | Updated tag from cwe-14 to cwe-014 |
Let's hope we never get more than a thousand CWEs.
There are more than 1000 CWEs. Example: https://cwe.mitre.org/data/definitions/1191.html. This also is not consistent with the numbering used by Mitre, which does not prefix the number with zeros. See, e.g., https://cwe.mitre.org/data/definitions/14.html. So I'm not sure if this is the way to go?
@jketema Good points. But I don't think they should block this PR. The aim of this PR is just to make what we have now more consistent. I see we are using some 4-digit CWE numbers. If we want to move to not using leading zeros then I suggest that is done in a separate PR so that this one doesn't get held up. (There are 295 results in 191 files for
Changes LGTM.
I'm not sure what the history is behind preferring `cwe-020` to `cwe-20`, but consistency here will help avoid unexpected behaviour - and this is by far the smaller change to achieve it.
The query metadata style guide gives examples where the cwe number has leading zeros to make it three digits, like `external/cwe/cwe-022`. Most queries do this, but some are missing the leading zeros. This PR fixes that, and also one query that I noticed in passing had the wrong form for its CWE tags.

I hope this doesn't need a change note for each language. Let me know if I'm wrong.

I got copilot to generate change notes for me