Document ISO/IEC/JTC 1/SC 22/WG 23 N0529

Minutes of Meeting #33
ISO/IEC JTC 1/SC 22/WG 23: Programming Language Vulnerabilities
30 March 2015

Meeting Times:

30 March 2015: 2100-2300 UTC

Local Contacts:


1 Opening activities

1.1 Opening Comments

1.2 Introduction of Participants/Roll Call

Stephen Michell
Clive Pygott
Bob Karlin
Erhard Ploedereder
Tullio Vardenega
Larry Wagoner

1.3 Procedures for this Meeting

1.4 Approval of previous Minutes

1.5 Review of actions items and resolutions, Action Item and Decision Logs

1.6 Approval of Agenda [N 0525]

1.7 Future Meeting Schedule

April 15-16: BSI, London UK (UTC)
TBD Jan-Feb: Monthly teleconference
Oct 27-29: New Delhi, India with SC 27 (UTC+5:30)
Sep 16-17: Washington with SC 22
June 26-27: Madrid with Ada Europe (UTC+1)
May 26: Teleconference (UTC 2100 for 2hr)
April 27: Teleconference (UTC 2100 for 2hr)

2. Liaison Activities (as needed – not for this meeting)

2.1 SC 22

2.2 PL 22 (Open)

2.3 PL22.3/WG5 (Fortran)

2.4 WG4 (COBOL)

2.5 WG9 (Ada)

2.6 PL22.11/WG14 (C)

2.7 PL22.16/WG21 (C++)

2.8 Ecma International, TC49/TG2 (C#)

2.9 Ecma International, TC39 (ECMAScript)

2.10 MISRA (C)

2.11 MISRA (C++)

2.12 SPARK

2.13 SC7/WG19 (UML)

2.14 SC27/WG3, WG4 Security

2.15 Other Liaison Activities or National body reports

3. Document Review

3.1 DIS 17960 Code Signing

About to start DIS Ballot

3.2 TR 24772-1 Vulnerabilities, language independent

3.3 TR 24772-2 Ada

This document is proposed to show how a language-specific TR would be formulated. Pay attention to numbering, normative references, and terms and definitions. What about sections 4 and 5?

We discussed the placement of issues and the alignment between the main document and the language-specific parts. It was proposed that sections 3, 4 and 5 of each part should mirror TR 24772-1. Erhard to rework N0526 to show a possible implementation of this idea.

3.4 Business Plan

Discussed the draft business plan circulated by the convenor as document N0512.

We identified the need for an editor for each part. We decided to create an editing project for all parts and named Larry Wagoner as the project lead.

3.5 Language guidance from Erhard - TBD

- Query to group: should "does not apply" or "mitigates" entries have a rationale? Worry that it could become repetitive; likely not.

3.6 JSF-TR comparison from Larry. Document to be reviewed by all for the April meeting, with recommendations made as appropriate. (AI)

4. Strategy (for face-to-face meetings)

5. Publicity (for face-to-face meetings)

4. Other Business

4.1 Assignment of responsibilities

5. Resolutions and Action Items

6. Adjournment