From 8a81aa1762b26a9b1db8ad564bd74f73c512672d Mon Sep 17 00:00:00 2001
From: Chad Bentz <1760475+felickz@users.noreply.github.com>
Date: Mon, 19 May 2025 14:43:08 -0400
Subject: [PATCH 1/3] Set CWE-134 from 9.3 to 7.3 CVSS score for memory safe languages - Sync up to score given to javascript/ruby
---
 .../src/Security Features/CWE-134/UncontrolledFormatString.ql | 2 +-
 .../Security/CWE/CWE-134/ExternallyControlledFormatString.ql | 2 +-
 .../ql/src/queries/Security/CWE-134/UncontrolledFormatString.ql | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/csharp/ql/src/Security Features/CWE-134/UncontrolledFormatString.ql b/csharp/ql/src/Security Features/CWE-134/UncontrolledFormatString.ql
index b99839226c59..3fc132eb3016 100644
--- a/csharp/ql/src/Security Features/CWE-134/UncontrolledFormatString.ql
+++ b/csharp/ql/src/Security Features/CWE-134/UncontrolledFormatString.ql
@@ -4,7 +4,7 @@
 * and cause a denial of service.
 * @kind path-problem
 * @problem.severity error
- * @security-severity 9.3
+ * @security-severity 7.3
 * @precision high
 * @id cs/uncontrolled-format-string
 * @tags security
diff --git a/java/ql/src/Security/CWE/CWE-134/ExternallyControlledFormatString.ql b/java/ql/src/Security/CWE/CWE-134/ExternallyControlledFormatString.ql
index fc5af977a331..ffb191327a2b 100644
--- a/java/ql/src/Security/CWE/CWE-134/ExternallyControlledFormatString.ql
+++ b/java/ql/src/Security/CWE/CWE-134/ExternallyControlledFormatString.ql
@@ -3,7 +3,7 @@
 * @description Using external input in format strings can lead to exceptions or information leaks.
 * @kind path-problem
 * @problem.severity error
- * @security-severity 9.3
+ * @security-severity 7.3
 * @precision high
 * @id java/tainted-format-string
 * @tags security
diff --git a/swift/ql/src/queries/Security/CWE-134/UncontrolledFormatString.ql b/swift/ql/src/queries/Security/CWE-134/UncontrolledFormatString.ql
index 7f6ea32341b2..4376f0f4c0f3 100644
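Review bot: The new `@security-severity 7.3` leaves no record in the query metadata of why this value was chosen, and the same applies to the java/tainted-format-string and swift/uncontrolled-format-string hunks of this patch. 7.3 is the CVSS 3.1 base score for AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L, i.e. low confidentiality, integrity and availability impact, which matches the "exceptions or information leaks" wording of the Java and Swift `@description` lines; the only C# description line visible in this hunk, `* and cause a denial of service.`, names no confidentiality impact, so for C# the score and the description appear to disagree (the start of that description is outside the hunk). If the C# query is also meant to cover disclosure of the other format arguments, the description should say so; a finding whose only impact is denial of service would score lower than 7.3 under the same vector. Recording the chosen vector in the accompanying change note would make the next re-scoring traceable.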
--- a/swift/ql/src/queries/Security/CWE-134/UncontrolledFormatString.ql
+++ b/swift/ql/src/queries/Security/CWE-134/UncontrolledFormatString.ql
@@ -3,7 +3,7 @@
 * @description Using external input in format strings can lead to exceptions or information leaks.
 * @kind path-problem
 * @problem.severity error
- * @security-severity 9.3
+ * @security-severity 7.3
 * @precision high
 * @id swift/uncontrolled-format-string
 * @tags security
From 53a6133e6f204446962fbb98fda3773d0e260079 Mon Sep 17 00:00:00 2001
From: Chad Bentz <1760475+felickz@users.noreply.github.com>
Date: Fri, 6 Jun 2025 12:23:59 -0400
Subject: [PATCH 2/3] Add change-notes for csharp/java/swift
---
 .../2025-06-06-reduce-CWE-134-for-memory-safe-languages.md | 4 ++++
 .../2025-06-06-reduce-CWE-134-for-memory-safe-languages.md | 4 ++++
 .../2025-06-06-reduce-CWE-134-for-memory-safe-languages.md | 4 ++++
 3 files changed, 12 insertions(+)
 create mode 100644 csharp/ql/src/change-notes/2025-06-06-reduce-CWE-134-for-memory-safe-languages.md
 create mode 100644 java/ql/src/change-notes/2025-06-06-reduce-CWE-134-for-memory-safe-languages.md
 create mode 100644 swift/ql/src/change-notes/2025-06-06-reduce-CWE-134-for-memory-safe-languages.md
diff --git a/csharp/ql/src/change-notes/2025-06-06-reduce-CWE-134-for-memory-safe-languages.md b/csharp/ql/src/change-notes/2025-06-06-reduce-CWE-134-for-memory-safe-languages.md
new file mode 100644
index 000000000000..60006391ac61
--- /dev/null
+++ b/csharp/ql/src/change-notes/2025-06-06-reduce-CWE-134-for-memory-safe-languages.md
@@ -0,0 +1,4 @@
+---
+category: queryMetadata
+---
+* Adjusts the `@security-severity` from 9.3 to 7.3 for `cs/uncontrolled-format-string` to align `CWE-134` severity for memory safe languages to better reflect their impact.
diff --git a/java/ql/src/change-notes/2025-06-06-reduce-CWE-134-for-memory-safe-languages.md b/java/ql/src/change-notes/2025-06-06-reduce-CWE-134-for-memory-safe-languages.md
new file mode 100644
index 000000000000..0aadb06a32b8
--- /dev/null
+++ b/java/ql/src/change-notes/2025-06-06-reduce-CWE-134-for-memory-safe-languages.md
@@ -0,0 +1,4 @@
+---
+category: queryMetadata
+---
+* Adjusts the `@security-severity` from 9.3 to 7.3 for `java/tainted-format-string` to align `CWE-134` severity for memory safe languages to better reflect their impact.
diff --git a/swift/ql/src/change-notes/2025-06-06-reduce-CWE-134-for-memory-safe-languages.md b/swift/ql/src/change-notes/2025-06-06-reduce-CWE-134-for-memory-safe-languages.md
new file mode 100644
index 000000000000..799093d0b399
--- /dev/null
+++ b/swift/ql/src/change-notes/2025-06-06-reduce-CWE-134-for-memory-safe-languages.md
@@ -0,0 +1,4 @@
+---
+category: queryMetadata
+---
+* Adjusts the `@security-severity` from 9.3 to 7.3 for `swift/uncontrolled-format-string` to align `CWE-134` severity for memory safe languages to better reflect their impact.
From 0135cf661f7953852daea2c4313b3ac715e7a45d Mon Sep 17 00:00:00 2001
From: Chad Bentz <1760475+felickz@users.noreply.github.com>
Date: Wed, 11 Jun 2025 13:06:48 -0400
Subject: [PATCH 3/3] Attempt to edit swift change notes for CI failure
---
 ...2025-06-06-reduce-CWE-134-for-memory-safe-languages.md | 8 ++++----
 ...2025-06-06-reduce-CWE-134-for-memory-safe-languages.md | 8 ++++----
 2 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/java/ql/src/change-notes/2025-06-06-reduce-CWE-134-for-memory-safe-languages.md b/java/ql/src/change-notes/2025-06-06-reduce-CWE-134-for-memory-safe-languages.md
index 0aadb06a32b8..6ab4beb72905 100644
--- a/java/ql/src/change-notes/2025-06-06-reduce-CWE-134-for-memory-safe-languages.md
+++ b/java/ql/src/change-notes/2025-06-06-reduce-CWE-134-for-memory-safe-languages.md
@@ -1,4 +1,4 @@
----
-category: queryMetadata
----
-* Adjusts the `@security-severity` from 9.3 to 7.3 for `java/tainted-format-string` to align `CWE-134` severity for memory safe languages to better reflect their impact.
+---
+category: queryMetadata
+---
+* Adjusts the `@security-severity` from 9.3 to 7.3 for `java/tainted-format-string` to align `CWE-134` severity for memory safe languages to better reflect their impact.
diff --git a/swift/ql/src/change-notes/2025-06-06-reduce-CWE-134-for-memory-safe-languages.md b/swift/ql/src/change-notes/2025-06-06-reduce-CWE-134-for-memory-safe-languages.md
index 799093d0b399..43be14dc8eb8 100644
--- a/swift/ql/src/change-notes/2025-06-06-reduce-CWE-134-for-memory-safe-languages.md
+++ b/swift/ql/src/change-notes/2025-06-06-reduce-CWE-134-for-memory-safe-languages.md
@@ -1,4 +1,4 @@
----
-category: queryMetadata
----
-* Adjusts the `@security-severity` from 9.3 to 7.3 for `swift/uncontrolled-format-string` to align `CWE-134` severity for memory safe languages to better reflect their impact.
+---
+category: queryMetadata
+---
+* Adjusts the `@security-severity` from 9.3 to 7.3 for `swift/uncontrolled-format-string` to align `CWE-134` severity for memory safe languages to better reflect their impact.
\ No newline at end of file