From 869ca2dbc0c365d1b503ae464c959877fa6c93fb Mon Sep 17 00:00:00 2001 From: Helge Wehder Date: Thu, 4 Sep 2025 11:54:26 +0100 Subject: [PATCH 1/9] adding 460 to main table Signed-off-by: Helge Wehder --- docs/Secure-Coding-Guide-for-Python/readme.md | 1 + 1 file changed, 1 insertion(+) diff --git a/docs/Secure-Coding-Guide-for-Python/readme.md b/docs/Secure-Coding-Guide-for-Python/readme.md index 0718edf5..2b80caef 100644 --- a/docs/Secure-Coding-Guide-for-Python/readme.md +++ b/docs/Secure-Coding-Guide-for-Python/readme.md @@ -57,6 +57,7 @@ It is __not production code__ and requires code-style or python best practices t |[CWE-410: Insufficient Resource Pool](CWE-664/CWE-410/README.md)|| |[CWE-426: Untrusted Search Path](CWE-664/CWE-426/README.md)|[CVE-2015-1326](https://www.cvedetails.com/cve/CVE-2015-1326),
CVSSv3.0: __8.8__,
EPSS: __00.20__ (23.11.2023)| |[CWE-459: Incomplete Cleanup](CWE-664/CWE-459/README.md)|| +|[CWE-460: Improper Cleanup on Thrown Exception](CWE-664/CWE-460/README.md)|[CVE-2008-0002](https://www.cvedetails.com/cve/CVE-2008-0002),
CVSSv3.1: __5.8__,
EPSS: __04.10__ (04.09.2025)| |[CWE-501: Trust Boundary Violation)](CWE-664/CWE-501/README.md)|[CVE-2023-28597](https://www.cvedetails.com/cve/CVE-2023-28597),
CVSSv3.0: __7.5__,
EPSS: __00.11__ (05.11.2024)| |[CWE-502: Deserialization of Untrusted Data)](CWE-664/CWE-502/.)|[CVE-2018-8021](https://www.cvedetails.com/cve/CVE-2018-8021),
CVSSv3.0: __9.8__,
EPSS: __93.54__ (05.11.2024)| |[CWE-532: Insertion of Sensitive Information into Log File](CWE-664/CWE-532/README.md)|[CVE-2023-45585](https://www.cvedetails.com/cve/CVE-2023-45585),
CVSSv3.1: __9.8__,
EPSS: __0.04__ (01.11.2024)| From 79842e74817be691ec02e9a07115ef8047e3e817 Mon Sep 17 00:00:00 2001 From: Helge Wehder Date: Thu, 4 Sep 2025 12:06:05 +0100 Subject: [PATCH 2/9] also fixing wonky code example Signed-off-by: Helge Wehder --- .../CWE-664/CWE-460/compliant.py | 10 +++------- 1 file changed, 3 insertions(+), 7 deletions(-) diff --git a/docs/Secure-Coding-Guide-for-Python/CWE-664/CWE-460/compliant.py b/docs/Secure-Coding-Guide-for-Python/CWE-664/CWE-460/compliant.py index c95fc17e..19195c09 100644 --- a/docs/Secure-Coding-Guide-for-Python/CWE-664/CWE-460/compliant.py +++ b/docs/Secure-Coding-Guide-for-Python/CWE-664/CWE-460/compliant.py @@ -1,11 +1,7 @@ - +# SPDX-FileCopyrightText: OpenSSF project contributors +# SPDX-License-Identifier: MIT +"""Compliant Code Example""" -## Compliant Code Example - -```python import threading lock = threading.Lock() From 9bdbda37dd0a0510ad27338c8cd227472664e8b4 Mon Sep 17 00:00:00 2001 From: Helge Wehder Date: Thu, 4 Sep 2025 12:19:32 +0100 Subject: [PATCH 3/9] codestyle Signed-off-by: Helge Wehder --- .../CWE-664/CWE-460/noncompliant.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/Secure-Coding-Guide-for-Python/CWE-664/CWE-460/noncompliant.py b/docs/Secure-Coding-Guide-for-Python/CWE-664/CWE-460/noncompliant.py index 80810ac7..a26c08ba 100644 --- a/docs/Secure-Coding-Guide-for-Python/CWE-664/CWE-460/noncompliant.py +++ b/docs/Secure-Coding-Guide-for-Python/CWE-664/CWE-460/noncompliant.py @@ -1,6 +1,7 @@ # SPDX-FileCopyrightText: OpenSSF project contributors # SPDX-License-Identifier: MIT -""" Non-compliant Code Example """ +"""Non-compliant Code Example""" + import threading @@ -23,4 +24,3 @@ def perform_critical_operation(): # Next attempt to acquire the lock will block forever; as there is a deadlock! lock.acquire() print("This will not print because the lock was never released.") - From a20ee5d3945109859a0937fa42be88dd7b956989 Mon Sep 17 00:00:00 2001 
From: Helge Wehder Date: Thu, 4 Sep 2025 12:57:19 +0100 Subject: [PATCH 4/9] some more cosmetics on readme, created example01.py code and moved it up, fixe file naming Signed-off-by: Helge Wehder --- .../CWE-664/CWE-460/README.md | 71 +++++++++++-------- .../CWE-460/{compliant.py => compliant01.py} | 0 .../CWE-664/CWE-460/example01.py | 11 +++ .../{noncompliant.py => noncompliant01.py} | 0 4 files changed, 53 insertions(+), 29 deletions(-) rename docs/Secure-Coding-Guide-for-Python/CWE-664/CWE-460/{compliant.py => compliant01.py} (100%) create mode 100644 docs/Secure-Coding-Guide-for-Python/CWE-664/CWE-460/example01.py rename docs/Secure-Coding-Guide-for-Python/CWE-664/CWE-460/{noncompliant.py => noncompliant01.py} (100%) diff --git a/docs/Secure-Coding-Guide-for-Python/CWE-664/CWE-460/README.md b/docs/Secure-Coding-Guide-for-Python/CWE-664/CWE-460/README.md index 113e18e3..e4c9a0f2 100644 --- a/docs/Secure-Coding-Guide-for-Python/CWE-664/CWE-460/README.md +++ b/docs/Secure-Coding-Guide-for-Python/CWE-664/CWE-460/README.md 
@@ -10,91 +10,103 @@ A consequence of this is that the code is left in a bad state. One of the ways to mitigate this is to make sure that cleanup happens or that you should exit the program. Use throwing exceptions sparsely. -Another way to mitigate this is to use the ‘with’ statement. It simplifies resource management by automatically handling setup and cleanup tasks. It's commonly used with files, network connections and databases to ensure resources are properly released even if errors occur making your code cleaner. +Another way to mitigate this is to use the `with` statement. It simplifies resource management by automatically handling setup and cleanup tasks. It's commonly used with files, network connections and databases to ensure resources are properly released even if errors occur making your code cleaner. + +Not using the `with` statement requires to use `lock.aquire()` and `lock.release()` as demonstrated in the `example01.py` code. + +*[example01.py](example01.py):* + +```python +# SPDX-FileCopyrightText: OpenSSF project contributors +# SPDX-License-Identifier: MIT + +import threading + +lock = threading.Lock() +lock.acquire() +try: + ... +finally: + lock.release() + +``` + +It is best practice to use `with` statement in such cases as it will make sure the resource gets released even if an exception occurs in the execution. + ## Non-Compliant Code Example -In the noncompliant.py example, a thread gets locked, but not unlocked due to an exception being thrown before it can be closed. This might lead to the lock remaining closed and inaccessible for further use. +In the `noncompliant.py` example, a thread gets locked, but not unlocked due to an exception being thrown before it can be closed. This might lead to the lock remaining closed and inaccessible for further use. 
-noncompliant.py: +*[noncompliant01.py](noncompliant01.py):* ```python # SPDX-FileCopyrightText: OpenSSF project contributors # SPDX-License-Identifier: MIT - """Non-compliant Code Example""" import threading + lock = threading.Lock() + def perform_critical_operation(): - # the lock has been acquired for performing a critical operation lock.acquire() print("Lock acquired, performing critical operation...") - # simulating an error before it can be released raise ValueError("Something went wrong!") lock.release() # This line is never reached due to the exception + try: perform_critical_operation() except ValueError as e: print(f"Caught exception: {e}") -# Next attempt to acquire the lock will block forever — deadlock! + +# Next attempt to acquire the lock will block forever; as there is a deadlock! lock.acquire() -print("This will never print because the lock was never released.") +print("This will not print because the lock was never released.") ``` -In the above code example, the acquired lock never gets released, as an error gets thrown before it can be released. +In the `noncompliant.py` code example, the acquired lock never gets released, as an error gets thrown before it can be released. ## Compliant Solution -In compliant01.py we use the with statement to ensure that the lock is released properly even if an error is to occur. +The `compliant01.py` is using the `with` statement to ensure that the lock is released properly even if an error is to occur. 
-compliant01.py: +*[compliant01.py](compliant01.py):* ## Compliant Code Example ```python # SPDX-FileCopyrightText: OpenSSF project contributors # SPDX-License-Identifier: MIT +"""Compliant Code Example""" -""" Compliant Code Example """ import threading lock = threading.Lock() -def compliant_example(): + +def perform_critical_operation(): with lock: # the lock has been acquired using the 'with' statement and will be released when the block exits; even if an exception occurs print("Lock acquired, performing critical operation...") # raising an exception raise ValueError("Something went wrong!") + # This line will not be reached because of the exception above, print("Lock released.") + try: - compliant_example() + perform_critical_operation() except ValueError as e: print(f"Caught exception: {e}") -``` - -### with lock: is shorthand for - -```python -# SPDX-FileCopyrightText: OpenSSF project contributors -# SPDX-License-Identifier: MIT - -lock.acquire() -try: - ... -finally: - lock.release() ``` -It is best practice to use 'with' in such cases as it will make sure the resource gets released even if an exception occurs in the execution. ## Automated Detection @@ -106,4 +118,5 @@ It is best practice to use 'with' in such cases as it will make sure the resourc ||| |:---|:---| -|[CWE MITRE Pillar](http://cwe.mitre.org/)|[https://cwe.mitre.org/data/definitions/460.html]| +|[SEI CERT](https://wiki.sei.cmu.edu/confluence/display/java/SEI+CERT+Oracle+Coding+Standard+for+Java)|[ERR03-J. Restore prior object state on method failure - SEI CERT Oracle Coding Standard for Java - Confluence (cmu.edu)](https://wiki.sei.cmu.edu/confluence/display/java/ERR03-J.+Restore+prior+object+state+on+method+failure)| +|[CWE MITRE Pillar](http://cwe.mitre.org/)|| 
diff --git a/docs/Secure-Coding-Guide-for-Python/CWE-664/CWE-460/compliant.py b/docs/Secure-Coding-Guide-for-Python/CWE-664/CWE-460/compliant01.py similarity index 100% rename from docs/Secure-Coding-Guide-for-Python/CWE-664/CWE-460/compliant.py rename to docs/Secure-Coding-Guide-for-Python/CWE-664/CWE-460/compliant01.py diff --git a/docs/Secure-Coding-Guide-for-Python/CWE-664/CWE-460/example01.py b/docs/Secure-Coding-Guide-for-Python/CWE-664/CWE-460/example01.py new file mode 100644 index 00000000..12aa197a --- /dev/null +++ b/docs/Secure-Coding-Guide-for-Python/CWE-664/CWE-460/example01.py @@ -0,0 +1,11 @@ +# SPDX-FileCopyrightText: OpenSSF project contributors +# SPDX-License-Identifier: MIT + +import threading + +lock = threading.Lock() +lock.acquire() +try: + ... +finally: + lock.release() diff --git a/docs/Secure-Coding-Guide-for-Python/CWE-664/CWE-460/noncompliant.py b/docs/Secure-Coding-Guide-for-Python/CWE-664/CWE-460/noncompliant01.py similarity index 100% rename from docs/Secure-Coding-Guide-for-Python/CWE-664/CWE-460/noncompliant.py rename to docs/Secure-Coding-Guide-for-Python/CWE-664/CWE-460/noncompliant01.py From 649840f59d03b5893e60883356ce550178fa406a Mon Sep 17 00:00:00 2001 From: Helge Wehder Date: Thu, 4 Sep 2025 13:00:31 +0100 Subject: [PATCH 5/9] linter... Signed-off-by: Helge Wehder --- docs/Secure-Coding-Guide-for-Python/CWE-664/CWE-460/README.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/docs/Secure-Coding-Guide-for-Python/CWE-664/CWE-460/README.md b/docs/Secure-Coding-Guide-for-Python/CWE-664/CWE-460/README.md index e4c9a0f2..6eccaaa7 100644 --- a/docs/Secure-Coding-Guide-for-Python/CWE-664/CWE-460/README.md +++ b/docs/Secure-Coding-Guide-for-Python/CWE-664/CWE-460/README.md 
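Review bot: The new `example01.py` is the only one of the three CWE-460 samples without a module docstring; `compliant01.py` and `noncompliant01.py` (patches 2/9 and 3/9 in this series) both open with one right after the SPDX lines. Add one after the SPDX header, e.g. `"""Manual acquire()/release() pairing that the with statement performs implicitly"""`. The placement of `lock.acquire()` outside the `try` is correct but unexplained, and it is the point a reader of this file is meant to take away: a one-line comment such as `# acquire before the try so the finally only releases a lock this thread actually holds` would make it explicit, since a `release()` on a lock that was never acquired raises RuntimeError. The README text introducing this file in the same commit spells the call `lock.aquire()`; worth fixing alongside.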
@@ -33,7 +33,6 @@ finally: It is best practice to use `with` statement in such cases as it will make sure the resource gets released even if an exception occurs in the execution. - ## Non-Compliant Code Example In the `noncompliant.py` example, a thread gets locked, but not unlocked due to an exception being thrown before it can be closed. This might lead to the lock remaining closed and inaccessible for further use. @@ -107,7 +106,6 @@ except ValueError as e: ``` - ## Automated Detection ||||| From eb7e4d364fc51240e728aa04684a4d8ece9412d6 Mon Sep 17 00:00:00 2001 From: myteron Date: Wed, 17 Sep 2025 09:18:31 +0100 Subject: [PATCH 6/9] Update docs/Secure-Coding-Guide-for-Python/CWE-664/CWE-460/README.md Co-authored-by: Hubert Daniszewski <61824500+s19110@users.noreply.github.com> Signed-off-by: myteron --- docs/Secure-Coding-Guide-for-Python/CWE-664/CWE-460/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/Secure-Coding-Guide-for-Python/CWE-664/CWE-460/README.md b/docs/Secure-Coding-Guide-for-Python/CWE-664/CWE-460/README.md index 6eccaaa7..1ddd25c1 100644 --- a/docs/Secure-Coding-Guide-for-Python/CWE-664/CWE-460/README.md +++ b/docs/Secure-Coding-Guide-for-Python/CWE-664/CWE-460/README.md @@ -35,7 +35,7 @@ It is best practice to use `with` statement in such cases as it will make sure t ## Non-Compliant Code Example -In the `noncompliant.py` example, a thread gets locked, but not unlocked due to an exception being thrown before it can be closed. This might lead to the lock remaining closed and inaccessible for further use. +In the `noncompliant01.py` example, a thread gets locked, but not unlocked due to an exception being thrown before it can be closed. This might lead to the lock remaining closed and inaccessible for further use. *[noncompliant01.py](noncompliant01.py):* From c8bf407288da905458623a453e1008e2f8f64d5e Mon Sep 17 00:00:00 2001 
From: myteron Date: Wed, 17 Sep 2025 09:18:43 +0100 Subject: [PATCH 7/9] Update docs/Secure-Coding-Guide-for-Python/CWE-664/CWE-460/README.md Co-authored-by: Hubert Daniszewski <61824500+s19110@users.noreply.github.com> Signed-off-by: myteron --- docs/Secure-Coding-Guide-for-Python/CWE-664/CWE-460/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/Secure-Coding-Guide-for-Python/CWE-664/CWE-460/README.md b/docs/Secure-Coding-Guide-for-Python/CWE-664/CWE-460/README.md index 1ddd25c1..dc25d20a 100644 --- a/docs/Secure-Coding-Guide-for-Python/CWE-664/CWE-460/README.md +++ b/docs/Secure-Coding-Guide-for-Python/CWE-664/CWE-460/README.md @@ -69,7 +69,7 @@ print("This will not print because the lock was never released.") ``` -In the `noncompliant.py` code example, the acquired lock never gets released, as an error gets thrown before it can be released. +In the `noncompliant01.py` code example, the acquired lock never gets released, as an error gets thrown before it can be released. ## Compliant Solution From acdba4ab3c6d7318276371fd34ff7be727ec9dc5 Mon Sep 17 00:00:00 2001 From: myteron Date: Wed, 17 Sep 2025 09:18:59 +0100 Subject: [PATCH 8/9] Update docs/Secure-Coding-Guide-for-Python/CWE-664/CWE-460/README.md Co-authored-by: Hubert Daniszewski <61824500+s19110@users.noreply.github.com> Signed-off-by: myteron --- docs/Secure-Coding-Guide-for-Python/CWE-664/CWE-460/README.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/docs/Secure-Coding-Guide-for-Python/CWE-664/CWE-460/README.md b/docs/Secure-Coding-Guide-for-Python/CWE-664/CWE-460/README.md index dc25d20a..634ce098 100644 --- a/docs/Secure-Coding-Guide-for-Python/CWE-664/CWE-460/README.md +++ b/docs/Secure-Coding-Guide-for-Python/CWE-664/CWE-460/README.md 
@@ -93,9 +93,8 @@ def perform_critical_operation(): with lock: # the lock has been acquired using the 'with' statement and will be released when the block exits; even if an exception occurs print("Lock acquired, performing critical operation...") - # raising an exception raise ValueError("Something went wrong!") - # This line will not be reached because of the exception above, + # This line will not be reached because of the exception above print("Lock released.") From ddd9a3d7e4f0c3ee3dd56582a11944f53f259afb Mon Sep 17 00:00:00 2001 From: Helge Wehder Date: Thu, 18 Sep 2025 12:02:53 +0100 Subject: [PATCH 9/9] also added comment changes to the complian01.py code Signed-off-by: Helge Wehder --- .../CWE-664/CWE-460/compliant01.py | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/docs/Secure-Coding-Guide-for-Python/CWE-664/CWE-460/compliant01.py b/docs/Secure-Coding-Guide-for-Python/CWE-664/CWE-460/compliant01.py index 19195c09..1191f27f 100644 --- a/docs/Secure-Coding-Guide-for-Python/CWE-664/CWE-460/compliant01.py +++ b/docs/Secure-Coding-Guide-for-Python/CWE-664/CWE-460/compliant01.py @@ -11,9 +11,8 @@ def perform_critical_operation(): with lock: # the lock has been acquired using the 'with' statement and will be released when the block exits; even if an exception occurs print("Lock acquired, performing critical operation...") - # raising an exception raise ValueError("Something went wrong!") - # This line will not be reached because of the exception above, + # This line will not be reached because of the exception above print("Lock released.")
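Review bot: The inline comment on `with lock:` is still well over 100 characters after this change and is the only comment in the file that sits on the code line itself; the other lines here, and `noncompliant01.py`, keep comments on their own line. Move it above the statement: `# the lock is acquired by the with statement and released when the block exits, even if an exception occurs` followed by `with lock:`. The identical comment is duplicated in the README's copy of this file (PATCH 8/9), so both copies need the same edit. The unreachable `print("Lock released.")` is also slightly misleading, since the release happens when the `with` block exits rather than at that line; `print("Critical operation finished.")` would read more accurately. The `def perform_critical_operation():` line is outside the hunk.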