Description
There is a risk that we confuse the reader due to using the exact same ID + TITLE as MITRE. This issue is to discuss options before creating a PR to apply the changes.
For example a reading:
CWE-390: Detection of Error Condition without Action
Allow exceptions to bubble up and handle exceptions at the right level in the stack.
Each except block must ensure that the program continues only with formally specified behavior by either:
.....
vs reading
CWE-390: Detection of Error Condition Without Action
The product detects a specific error, but takes no actions to handle the error.
We must make clear that pySCG is not MITRE. Using the same ID+TITLE format also causes issues when referencing between different pySCG rules. We also avoid confusion when mixing links between MITRE Pillars and pySCG on the main readme.md file.
We like to keep :
- The folder structure to avoid breaking links
- Avoid need for scraping to avoids breaking links.
- Keep a overview of direct relations between pySCG and CWE
Renaming title's could be beneficial to pySCG as it allows to use more documentation friendly "Do's" rather than "Dont's".
Option A)
We remove the ID from all titles and add column with the CWE to the main readme.md
Optional renaming of titles.
Example CWE-390: Detection of Error Condition without Action would become Detection of Error Condition without Action.
Add a CWE column to the main readme.md example
| MITRE | Python Secure Coding | Prominent CVE |
| CWE-703 | Improper Check or Handling of Exceptional Conditions | |
| CWE-390 | Detection of Error Condition without Action |
Folders remain as is.
Option B)
Remove MITRE ID from title and rename titles to "Do's", link to MITRE in first line of a rule and change main readme as per Option A)
Keep folder structure as is.
Example CWE-390: Detection of Error Condition without Action would become Allow exceptions to bubble up and handle exceptions at the right level in the stack..
Option C)
Replace MITRE CWE prefix with pySCG, remove prefix from folders, quote CWE in main readme as in option A
Example CWE-390: Detection of Error Condition without Action would become pySCG-390: Detection of Error Condition without Action
Its folder would have to change from CWE-703/CWE-390 to pySCG-703/pySCG-390.