Why BF?

The Bugs Framework (BF) aims to be expressive enough to clearly describe any software bug or weakness underlying any vulnerability. It builds on the commonly used repositories of software weaknesses and vulnerabilities, CWE and CVE, while addressing the problems they have.

Repository Problems

CWE and CVE are widely used, but they have problems: many CWE and CVE entries have imprecise descriptions and unclear causality, and CWE also has gaps and overlaps in coverage. Two examples follow.

CWE-502: Deserialization of Untrusted Data: The application deserializes untrusted data without sufficiently verifying that the resulting data will be valid.

It is not clear here what “sufficiently” means. “Verifying that the resulting data will be valid” is also confusing: validating the data (checking its syntax and format) and verifying it (checking its semantics and value) are distinct operations. The description should say “... without validating and verifying it”.

CVE-2018-5907: Possible buffer overflow in msm_adsp_stream_callback_put due to lack of input validation of user-provided data that leads to integer overflow in all Android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the Linux kernel.

NVD labels it with CWE-190 – Integer Overflow or Wraparound, but the root cause is CWE-20 – Improper Input Validation; the integer overflow is a consequence of it.

The full chain is CWE-20 – Improper Input Validation, then CWE-190 – Integer Overflow or Wraparound, then CWE-119 – Improper Restriction of Operations within the Bounds of a Memory Buffer: the unvalidated user-provided value overflows an integer computation, and the resulting wrong value lets a buffer operation exceed its bounds.
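The chain above in code, as an added illustration that is not part of the BF page and does not reproduce the actual msm_adsp driver: the record type `cb_entry`, the limit `MAX_CB_ENTRIES`, and the attacker-chosen count `0x40000001` are all assumed for the demo. The unchecked path shows how a count that is never validated (CWE-20) wraps a 32-bit size computation (CWE-190) so that the copy loop, which still trusts the count, runs past the allocation (CWE-119); the checked path rejects the count before any arithmetic.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical 8-byte record; the real msm_adsp structures are not reproduced. */
struct cb_entry {
    uint32_t id;
    uint32_t value;
};

/* Assumed protocol limit on how many entries one callback may carry. */
#define MAX_CB_ENTRIES 64u

/* CWE-190 step: 32-bit size arithmetic on a count that was never validated.
 * For n_entries = 0x40000001, n * 8 = 0x200000008, which truncates to 8. */
uint32_t unchecked_alloc_size(uint32_t n_entries)
{
    return n_entries * (uint32_t)sizeof(struct cb_entry);
}

/* Vulnerable path: the allocation is sized from the wrapped product, while
 * the copy loop uses the caller's count, so a large n_entries overruns kbuf
 * (CWE-119). The demo only ever calls this with a small, safe count. */
struct cb_entry *copy_entries_unchecked(const struct cb_entry *user_buf, uint32_t n_entries)
{
    uint32_t size = unchecked_alloc_size(n_entries);   /* may have wrapped */
    struct cb_entry *kbuf = malloc(size);
    if (!kbuf)
        return NULL;
    for (uint32_t i = 0; i < n_entries; i++)           /* trusts n_entries */
        kbuf[i] = user_buf[i];                          /* out of bounds once wrapped */
    return kbuf;
}

/* How many bytes the unchecked loop would write past an allocation of
 * alloc_size bytes; computed in 64 bits so the demo itself never overruns. */
uint64_t bytes_written_past_end(uint32_t n_entries, uint32_t alloc_size)
{
    uint64_t needed = (uint64_t)n_entries * sizeof(struct cb_entry);
    return needed > alloc_size ? needed - alloc_size : 0;
}

/* Fixed: validate the user-supplied count first (closes CWE-20), then compute
 * the size in size_t from a count that is already bounded, so it cannot wrap. */
int checked_alloc_size(uint32_t n_entries, size_t *size_out)
{
    if (n_entries == 0 || n_entries > MAX_CB_ENTRIES)
        return -1;                                      /* reject before multiplying */
    *size_out = (size_t)n_entries * sizeof(struct cb_entry);
    return 0;
}

/* Hardened copy: returns the number of entries copied, or -1 on rejected input. */
int copy_entries_checked(const struct cb_entry *user_buf, uint32_t n_entries,
                         struct cb_entry **out)
{
    size_t size;
    if (checked_alloc_size(n_entries, &size) != 0)
        return -1;
    struct cb_entry *kbuf = malloc(size);
    if (!kbuf)
        return -1;
    memcpy(kbuf, user_buf, size);                       /* size bounded by MAX_CB_ENTRIES */
    *out = kbuf;
    return (int)n_entries;
}

int main(void)
{
    uint32_t evil = 0x40000001u;                        /* constructed attacker value */
    uint32_t sz = unchecked_alloc_size(evil);
    printf("unchecked: n=%#x -> alloc %u bytes, loop would overrun by %llu bytes\n",
           evil, sz, (unsigned long long)bytes_written_past_end(evil, sz));

    size_t good;
    printf("checked:   n=%#x -> %s\n", evil,
           checked_alloc_size(evil, &good) == 0 ? "accepted" : "rejected");

    struct cb_entry sample[2] = { {1, 10}, {2, 20} };   /* constructed input */
    struct cb_entry *copy = NULL;
    int n = copy_entries_checked(sample, 2, &copy);
    printf("checked copy: %d entries, first id=%u\n", n, copy ? copy[0].id : 0);
    free(copy);
    free(copy_entries_unchecked(sample, 2));            /* safe count only */
    return 0;
}
```

The point of the checked path is ordering: the bound on the count is enforced before the multiplication, so the integer overflow and the buffer overrun are both impossible, which is why the root cause label belongs on the missing validation rather than on the arithmetic.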