Replies: 2 comments 1 reply
Hi @Arpan3323, Thanks for your question. Let me reach out to the team to see if they confirm your assumption around the mapping. Stay tuned. |
Hi @Arpan3323, I had a look at how we generate the documentation. Our aim is to provide a coverage overview and thus compute the parents (according to the research view with id 1000) of a CWE assigned to a query to help users determine which queries (partially) cover a CWE. This means that in that overview discouraged CWEs will be assigned to a query. That being said, the actual CWE assigned to the query here is also discouraged. I will report this to the team.
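The coverage computation the reply above describes, as an added example (not CodeQL's own documentation generator): it reads the `external/cwe/cwe-NNN` tags from constructed query headers, walks a constructed View-1000 parent map so that a query counts as partially covering every ancestor of its tagged CWE, and separately flags queries whose direct tags are in a constructed "discouraged" set. The parent links, the discouraged set and the query ids are sample data, not MITRE's or CodeQL's.

```python
import re

# Constructed sample of View-1000 child -> parent links (illustrative, not the real CWE data;
# the real relationships come from MITRE's CWE XML download).
VIEW_1000_PARENTS = {
    "CWE-73": "CWE-642",
    "CWE-642": "CWE-668",
    "CWE-622": "CWE-20",
    "CWE-20": "CWE-707",
}
# Constructed sample of entries whose mapping notes say "discouraged" (illustrative).
DISCOURAGED = {"CWE-20", "CWE-668", "CWE-707"}

# CodeQL declares CWE coverage in the qldoc header as `external/cwe/cwe-073` (zero-padded).
TAG_RE = re.compile(r"external/cwe/cwe-0*(\d+)")

# Constructed query headers; the query ids are hypothetical.
SAMPLE_QUERIES = {
    "cpp/example-path-control": "/**\n * @tags security\n *       external/cwe/cwe-073\n */",
    "cpp/example-hook-args": "/**\n * @tags security\n *       external/cwe/cwe-622\n */",
    "cpp/example-general": "/**\n * @tags security\n *       external/cwe/cwe-020\n */",
}

def query_cwes(qldoc: str) -> list[str]:
    """Return the CWE ids a query declares via its external/cwe tags."""
    return [f"CWE-{n}" for n in TAG_RE.findall(qldoc)]

def ancestors(cwe: str, parents=VIEW_1000_PARENTS) -> list[str]:
    """Walk the View-1000 parent chain upward (root last); a cycle raises ValueError."""
    chain, seen = [], {cwe}
    while cwe in parents:
        cwe = parents[cwe]
        if cwe in seen:
            raise ValueError(f"cycle in parent map at {cwe}")
        seen.add(cwe)
        chain.append(cwe)
    return chain

def coverage(queries: dict[str, str]) -> dict[str, set[str]]:
    """Map each CWE, directly tagged or an ancestor of one, to the queries that (partially) cover it."""
    cov: dict[str, set[str]] = {}
    for qid, qldoc in queries.items():
        for cwe in query_cwes(qldoc):
            for c in [cwe, *ancestors(cwe)]:
                cov.setdefault(c, set()).add(qid)
    return cov

def discouraged_direct(queries: dict[str, str]) -> dict[str, list[str]]:
    """Queries whose *direct* tags point at CWEs discouraged for vulnerability mapping."""
    return {q: bad for q, d in queries.items() if (bad := [c for c in query_cwes(d) if c in DISCOURAGED])}
```

Ancestors reached through the walk are reported as covered in the overview even when discouraged, which is the behaviour the reply describes; only `discouraged_direct` corresponds to the concern raised in the question.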
Hi,
I was looking at the CWEs that are mapped to the `cpp/uncontrolled-process-operation` query on this page. Currently there are 3 CWEs that it is mapped to and they are:

However, according to MITRE's CWE website they are all discouraged for mapping to real-world vulnerabilities. I assumed that it does make sense to put the actual query under a high-level CWE, and when the query is used on a real codebase and an alert is actually reported by it, depending on the situation, one would just manually map the bug to a more concrete CWE. For example, if it is reported where `dlopen` is used, one may want to map it to CWE-73, and if it is reported where `system` is used, CWE-622 could be a good choice, and so on. So essentially, the `cpp/uncontrolled-process-operation` query is mapped to discouraged CWEs because there are different situations where it can find a bug and there isn't a generic enough CWE for this that is also not discouraged. Additionally, it makes more sense to not map an actual bug to a discouraged CWE, whereas for a CodeQL query, using a high-level CWE, even if discouraged, does make sense because the query is general enough rather than very specific.

My question is: is my assumption correct regarding the reason behind mapping queries to discouraged CWEs, or is it something else?
Thanks.
-Arpan