FEEDBACK - better adjectives other than "improper" #177

@chandanbn

Description

Please fill out the following sections

Is there a problem using the CDR GitHub Repository?

No

Do you have any suggestions on how we could improve the repository?

The use of the adjective improper in CWEs—such as "Improper neutralization of script"—logically implies that some neutralization is occurring, but that it is being done with some impropriety. The dictionary defines "improper" as being "not in accordance with accepted rules or standards, especially of morality or honesty." These connotations of immorality or dishonesty make it sound as though the description is accusing the developer of impropriety, which is certainly not the intent of these CWE descriptions.

Words such as insufficient, incomplete, or insecure seem better word choices, as in most cases there is really no neutralization or validation, or it is not enough. Can you please update the language for these CWEs where appropriate?

CWE-20 Improper input validation
CWE-41 Improper resolution of path equivalence
CWE-59 Improper link resolution before file access ('link following')
CWE-66 Improper handling of file names that identify virtual resources
CWE-67 Improper handling of Windows device names
CWE-69 Improper handling of Windows ::DATA alternate data stream
CWE-72 Improper handling of Apple HFS+ alternate data stream path
CWE-76 Improper neutralization of equivalent special elements
CWE-78 Improper neutralization of special elements used in an OS command ('OS command injection')
CWE-79 Improper neutralization of input during web page generation ('cross-site scripting')
CWE-80 Improper neutralization of Script-Related HTML tags in a web page (basic XSS)
CWE-81 Improper neutralization of script in an error message web page
CWE-82 Improper neutralization of script in attributes of IMG tags in a web page
CWE-83 Improper neutralization of script in attributes in a web page
CWE-84 Improper neutralization of encoded URI schemes in a web page
CWE-86 Improper neutralization of invalid characters in identifiers in web pages
CWE-87 Improper neutralization of alternate XSS syntax
CWE-88 Improper neutralization of argument delimiters in a command ('argument injection')
CWE-89 Improper neutralization of special elements used in an SQL command ('SQL injection')
CWE-90 Improper neutralization of special elements used in an LDAP query ('LDAP injection')
CWE-93 Improper neutralization of CRLF sequences ('CRLF injection')
CWE-95 Improper neutralization of directives in dynamically evaluated code ('eval injection')
CWE-96 Improper neutralization of directives in statically saved code ('static code injection')
CWE-97 Improper neutralization of Server-Side includes (SSI) within a web page
CWE-98 Improper control of filename for Include/Require statement in PHP program ('PHP remote file inclusion')
CWE-113 Improper neutralization of CRLF sequences in HTTP headers ('HTTP Request/Response splitting')
CWE-117 Improper output neutralization for logs
CWE-129 Improper validation of array index
CWE-130 Improper handling of length parameter inconsistency
CWE-140 Improper neutralization of delimiters
CWE-141 Improper neutralization of Parameter/Argument delimiters
CWE-142 Improper neutralization of value delimiters
CWE-143 Improper neutralization of record delimiters
CWE-144 Improper neutralization of line delimiters
CWE-145 Improper neutralization of section delimiters
CWE-146 Improper neutralization of Expression/Command delimiters
CWE-147 Improper neutralization of input terminators
CWE-148 Improper neutralization of input leaders
CWE-149 Improper neutralization of quoting syntax
CWE-150 Improper neutralization of escape, meta, or control sequences
CWE-151 Improper neutralization of comment delimiters
CWE-152 Improper neutralization of macro symbols
CWE-153 Improper neutralization of substitution characters
CWE-154 Improper neutralization of variable name delimiters
CWE-155 Improper neutralization of wildcards or matching symbols
CWE-156 Improper neutralization of whitespace
CWE-158 Improper neutralization of null byte or NUL character
CWE-160 Improper neutralization of leading special elements
CWE-161 Improper neutralization of multiple leading special elements
CWE-162 Improper neutralization of trailing special elements
CWE-163 Improper neutralization of multiple trailing special elements
CWE-164 Improper neutralization of internal special elements
CWE-165 Improper neutralization of multiple internal special elements
CWE-166 Improper handling of missing special element
CWE-167 Improper handling of additional special element
CWE-168 Improper handling of inconsistent special elements
CWE-170 Improper null termination
CWE-173 Improper handling of alternate encoding
CWE-175 Improper handling of mixed encoding
CWE-176 Improper handling of Unicode encoding
CWE-177 Improper handling of URL encoding (hex encoding)
CWE-178 Improper handling of case sensitivity
CWE-212 Improper removal of sensitive information before storage or transfer
CWE-229 Improper handling of values
CWE-230 Improper handling of missing values
CWE-231 Improper handling of extra values
CWE-232 Improper handling of undefined values
CWE-233 Improper handling of parameters
CWE-235 Improper handling of extra parameters
CWE-236 Improper handling of undefined parameters
CWE-237 Improper handling of structural elements
CWE-238 Improper handling of incomplete structural elements
CWE-240 Improper handling of inconsistent structural elements
CWE-241 Improper handling of unexpected data type
CWE-244 Improper clearing of heap memory before release ('heap inspection')
CWE-273 Improper check for dropped privileges
CWE-280 Improper handling of insufficient permissions or privileges
CWE-281 Improper preservation of permissions
CWE-295 Improper certificate validation
CWE-296 Improper following of a certificate's chain of trust
CWE-297 Improper validation of certificate with host mismatch
CWE-298 Improper validation of certificate expiration
CWE-299 Improper check for certificate revocation
CWE-307 Improper restriction of excessive authentication attempts
CWE-333 Improper handling of insufficient entropy in TRNG
CWE-347 Improper verification of cryptographic signature
CWE-354 Improper validation of integrity check value
CWE-358 Improperly implemented security check for standard
CWE-409 Improper handling of highly compressed data (data amplification)
CWE-413 Improper resource locking
CWE-460 Improper cleanup on thrown exception
CWE-591 Sensitive data storage in improperly locked memory
CWE-611 Improper restriction of XML external entity reference
CWE-612 Improper authorization of index containing sensitive information
CWE-622 Improper validation of function hook arguments
CWE-641 Improper restriction of names for files and other resources
CWE-643 Improper neutralization of data within XPath expressions ('XPath injection')
CWE-644 Improper neutralization of HTTP headers for scripting syntax
CWE-652 Improper neutralization of data within XQuery expressions ('XQuery injection')
CWE-653 Improper isolation or compartmentalization
CWE-776 Improper restriction of recursive entity references in DTDs ('XML entity expansion')
CWE-781 Improper address validation in IOCTL with METHOD_NEITHER I/O control code
CWE-827 Improper control of document type definition
CWE-837 Improper enforcement of a single, unique action
CWE-841 Improper enforcement of behavioral workflow
CWE-911 Improper update of reference count
CWE-914 Improper control of Dynamically-Identified variables
CWE-915 Improperly controlled modification of Dynamically-Determined object attributes
CWE-917 Improper neutralization of special elements used in an expression language statement ('expression language injection')
CWE-920 Improper restriction of power consumption
CWE-924 Improper enforcement of message integrity during transmission in a communication channel
CWE-925 Improper verification of intent by broadcast receiver
CWE-926 Improper export of Android application components
CWE-939 Improper authorization in handler for custom URL scheme
CWE-940 Improper verification of source of a communication channel
CWE-1021 Improper restriction of rendered UI layers or frames
CWE-1173 Improper use of validation framework
CWE-1174 ASP.NET misconfiguration: improper model validation
CWE-1189 Improper isolation of shared resources on System-on-a-Chip (SoC)
CWE-1191 On-Chip debug and test interface with improper access control
CWE-1192 Improper identifier for IP block used in System-On-Chip (SOC)
CWE-1224 Improper restriction of Write-Once bit fields
CWE-1231 Improper prevention of lock bit modification
CWE-1232 Improper lock behavior after power state transition
CWE-1236 Improper neutralization of formula elements in a CSV file
CWE-1239 Improper zeroization of hardware register
CWE-1245 Improper finite state machines (FSMs) in hardware logic
CWE-1246 Improper write handling in limited-write Non-Volatile memories
CWE-1247 Improper protection against voltage and clock glitches
CWE-1250 Improper preservation of consistency between independent representations of shared state
CWE-1256 Improper restriction of software interfaces to hardware features
CWE-1257 Improper access control applied to mirrored or aliased memory regions
CWE-1259 Improper restriction of security token assignment
CWE-1260 Improper handling of overlap between protected memory ranges
CWE-1261 Improper handling of single event upsets
CWE-1262 Improper access control for register interface
CWE-1266 Improper scrubbing of sensitive data from decommissioned device
CWE-1274 Improper access control for volatile memory containing boot code
CWE-1275 Sensitive cookie with improper SameSite attribute
CWE-1284 Improper validation of specified quantity in input
CWE-1285 Improper validation of specified index, position, or offset in input
CWE-1286 Improper validation of syntactic correctness of input
CWE-1287 Improper validation of specified type of input
CWE-1288 Improper validation of consistency within input
CWE-1289 Improper validation of unsafe equivalence in input
CWE-1300 Improper protection of physical side channels
CWE-1304 Improperly preserved integrity of hardware configuration state during a power Save/Restore operation
CWE-1311 Improper translation of security attributes by fabric bridge
CWE-1315 Improper setting of bus controlling capability in fabric end-point
CWE-1317 Improper access control in fabric bridge
CWE-1319 Improper protection against electromagnetic fault injection (EM-FI)
CWE-1320 Improper protection for outbound error messages and alert signals
CWE-1321 Improperly controlled modification of object prototype attributes ('prototype pollution')
CWE-1323 Improper management of sensitive trace data
CWE-1325 Improperly controlled sequential memory allocation
CWE-1331 Improper isolation of shared resources in network on chip (NoC)
CWE-1332 Improper handling of faults that lead to instruction skips
CWE-1336 Improper neutralization of special elements used in a template engine
CWE-1338 Improper protections against hardware overheating
CWE-1351 Improper handling of hardware behavior in exceptionally cold environments
CWE-1427 Improper neutralization of input used for LLM prompting

Please provide any other comments here

Labels: Feedback (used to indicate feedback from the community on the GitHub Repository itself)
