
Python guide: Doc2GitHub, moving code from an Ericsson internal confluence to this GitHub space. #531

Open
myteron opened this issue Jun 5, 2024 · 1 comment

Comments

@myteron
Contributor

myteron commented Jun 5, 2024

There are around 40 rules on an Ericsson internal Confluence that have approval by the Ericsson Opensource group to be published. Some of the text and code require refactoring, and this work can only be done by Ericsson employees.

Once all docs are made available in GitHub we have:

  • Documentation for each code example.
  • GitHub as the main source for these documents.
  • Stop using Ericsson internal Confluence for the Python secure coding individual rules.

Plain text: Nothing on GitHub
Link Only: Code on GitHub
Link Only: Code and Docs on GitHub

Full List:
CWE-78: Improper Neutralization of Special Elements Used in an OS Command ('OS Command Injection')
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CWE-116: Prevent XML Injection
CWE-117: Improper Output Neutralization for Logs
CWE-134: Use of Externally-Controlled Format String
CWE-175: Improper Handling of Mixed Encoding
CWE-180: Incorrect Behavior Order: Validate Before Canonicalize
CWE-184: Incomplete List of Disallowed Input
CWE-191: Integer Underflow (Wrap or Wraparound)
CWE-197: Control rounding when converting to less precise numbers
CWE-197: Numeric Truncation Error
CWE-209: Generation of Error Message Containing Sensitive Information
CWE-230: Improper Handling of Missing Values
CWE-252: Unchecked Return Value
CWE-330: Use of Insufficiently Random Values
CWE-362: Concurrent Execution Using Shared Resource with Improper Synchronization ('Race Condition')
CWE-366: Race Condition within a Thread
CWE-369: Divide by Zero
CWE-390: Detection of Error Condition without Action
CWE-392: Missing Report of Error Condition
CWE-397: Declaration of Throws for Generic Exception
CWE-400: Uncontrolled Resource Consumption
CWE-404: Improper Resource Shutdown or Release
CWE-409: Improper Handling of Highly Compressed Data (Data Amplification)
CWE-410: Insufficient Resource Pool
CWE-426: Untrusted Search Path
CWE-460: Improper Cleanup on Thrown Exception
CWE-472: External Control of Assumed-Immutable Web Parameter
CWE-476: NULL Pointer Dereference
CWE-489: Do not deliver an Application with Design tooling into Production
CWE-501: Trust Boundary Violation
CWE-502: Deserialization of Untrusted Data
CWE-532: Insertion of Sensitive Information into Log File
CWE-584: Return Inside Finally Block
CWE-595: Comparison of Object References Instead of Object Contents
CWE-617: Reachable Assertion
CWE-665: Improper Initialization
CWE-681: Avoid an uncontrolled loss of precision when passing floating-point literals to a Decimal constructor
CWE-681: Incorrect Conversion between Numeric Types
CWE-754: Improper Check for Unusual or Exceptional Conditions
CWE-755: Improper Handling of Exceptional Conditions
CWE-778: Insufficient Logging
CWE-798: Use of Hardcoded Credentials
CWE-833: Deadlock
CWE-838: Inappropriate Encoding for Output Context
CWE-843: Access of Resource Using Incompatible Type ('Type Confusion')
CWE-1095: Loop Condition Value Update within the Loop
CWE-1109: Use of Same Variable for Multiple Purposes
CWE-1335: Incorrect Bitwise Shift of Integer
CWE-1335: Promote readability and compatibility by using mathematically written code with arithmetic operations instead of bit-wise operations
CWE-1339: Insufficient Precision or Accuracy of a Real Number
XXX-001: Avoid confusion over the evaluation order by using simple expressions
XXX-005: Consider hash-based integrity verification of byte code files against their source code files

@myteron
Contributor Author

myteron commented Jun 21, 2024

@SecurityCRob I wonder what the best handling is. I could start striking through the CWEs we have processed, but overall it appears to me that an "issue" is too small for what we are trying to do here. It seems that a project is the next level up from an issue, but I have never used that.
Not sure how well a milestone would work for this.

myteron added a commit to myteron/wg-best-practices-os-developers that referenced this issue Jun 21, 2024
Signed-off-by: Helge Wehder <helge.wehder@ericsson.com>
myteron added a commit to myteron/wg-best-practices-os-developers that referenced this issue Jun 28, 2024
CWE-197 Control rounding when converting to less precise numbers
Prior to moving doc as part of ossf#531

Signed-off-by: Helge Wehder <helge.wehder@ericsson.com>
myteron added a commit to myteron/wg-best-practices-os-developers that referenced this issue Jun 28, 2024
…ess precise numbers

for ossf#531

Signed-off-by: Helge Wehder <helge.wehder@ericsson.com>
tommcd added a commit to tommcd/wg-best-practices-os-developers that referenced this issue Jul 29, 2024
Signed-off-by: emcdtho <thomas.mcdermott@ericsson.com>
myteron added a commit to myteron/wg-best-practices-os-developers that referenced this issue Aug 8, 2024
Signed-off-by: Helge Wehder <helge.wehder@ericsson.com>