The description of CWE-197 in the python secure coding guide section talks about predictable outcomes in loops by using int instead of float.
That is fine, we may want to narrow the scope of the CWE when we are creating a guideline. However, the examples that follow are not necessarily about loops.
Consider this example.
```python
""" Non-compliant Code Example """
counter = 0.0
while counter <= 1.0:
    if counter == 0.8:
        print("we reached 0.8")
        break  # never going to reach this
    counter += 0.1
```
Here the problem is in the if statement, not the loop.
In fact, the float issue may be in any equality case, even if it is not in a loop.
We need to update this description to either align more with numeric truncation (generalize the content) or keep the scope and make it more appropriate.
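The behaviour described in this report, as an added example that is not part of the issue, the guide, or the project's own code: the float counter from the non-compliant snippet is reproduced as a function, alongside three ways of making the comparison reliable (an integer counter via `range()`, `math.isclose()`, and `decimal.Decimal`). All function names and the choice of these three alternatives are mine, not the guide's.

```python
"""Float equality in an accumulated counter (CWE-197 discussion) and three
reliable alternatives. Added example; function names are illustrative."""
import math
from decimal import Decimal


def float_counter_hits(target: float = 0.8, step: float = 0.1, limit: float = 1.0) -> bool:
    """Non-compliant: accumulate a binary float and test it with ==.

    Returns True only if the exact equality ever fires. With the defaults
    it never does, because eight additions of 0.1 give 0.7999999999999999.
    """
    counter = 0.0
    while counter <= limit:
        if counter == target:
            return True
        counter += step
    return False


def accumulated_values(step: float = 0.1, n: int = 10) -> list:
    """Show the drift: the values the float counter actually takes."""
    counter = 0.0
    values = []
    for _ in range(n + 1):
        values.append(counter)
        counter += step
    return values


def int_counter_hits(target_tenths: int = 8, limit_tenths: int = 10) -> bool:
    """Compliant: count in integer tenths and scale only when needed.

    range() forces an int counter, so equality is exact.
    """
    for tenths in range(limit_tenths + 1):
        if tenths == target_tenths:
            return True
    return False


def isclose_counter_hits(target: float = 0.8, step: float = 0.1, limit: float = 1.0) -> bool:
    """Compliant: keep the float counter but compare with a tolerance."""
    counter = 0.0
    while counter <= limit or math.isclose(counter, limit):
        if math.isclose(counter, target):
            return True
        counter += step
    return False


def decimal_counter_hits(target: str = "0.8", step: str = "0.1", limit: str = "1.0") -> bool:
    """Compliant: use decimal arithmetic, where 0.1 is represented exactly.

    Values are passed as strings so no binary float is created on the way in.
    """
    counter = Decimal("0")
    step_d, target_d, limit_d = Decimal(step), Decimal(target), Decimal(limit)
    while counter <= limit_d:
        if counter == target_d:
            return True
        counter += step_d
    return False


if __name__ == "__main__":
    print("accumulated float values:", accumulated_values())
    print("float == 0.8 reached?   ", float_counter_hits())     # False
    print("int counter reached?    ", int_counter_hits())       # True
    print("isclose reached?        ", isclose_counter_hits())   # True
    print("Decimal reached?        ", decimal_counter_hits())   # True
```

The point the report makes is visible in `accumulated_values()`: the eighth value is `0.7999999999999999`, not `0.8`, so the `==` test in the `if` statement fails regardless of whether it sits inside a loop. Each of the three alternatives fixes the comparison, not the loop.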
Hi @openrefactorymunawar, well spotted. The original name of the title was "Do not use float in counters". We had to restructure and rename all rules and made a mistake here; now it's kind of a hybrid, partially talking about two things.
It is apparently very hard, or just odd, to use a float as an actual counter in Python. Using range() forces int. I was also not able to come up with an example that uses a lambda that can successfully break something.
There are more rules in the pipe that are related to truncation errors, rounding and precision.
Only one of them is on GitHub at the moment. Some of the content might be redundant. We have 2x CWE-197 and 2x CWE-681. It might be worthwhile to merge some of the content and break out the parts that do not match.
UPDATE: we now have 3 online. Only the other CWE-681 is missing. I believe it's best to have all 4 online before taking action.
For the floating point comparison, do you suggest that CWE-1339 is a more appropriate way to capture that? In that case, maybe a rule is created for CWE-1339 and another for CWE-681.
myteron changed the title from "Modifying the description of CWE-197 so that it captures the CWE better" to "pySCG: Modifying the description of CWE-197 so that it captures the CWE better" on Oct 23, 2024
CWE-197 is about numeric truncation error (https://cwe.mitre.org/data/definitions/197.html).