Document ISO/IEC/JTC 1/SC 22/WG 23 N0635

Draft Agenda Meeting #43
ISO/IEC JTC 1/SC 22/WG 23: Programming Language Vulnerabilities
7 March 2016

Meeting Location:


Meeting Times:

7 March 2016: 1600-1800 EDT (2100-2300 UTC)

Local Arrangements:


Local Contacts:



Teleconference Information:


1 Opening activities

1.1 Opening Comments

1.2 Introduction of Participants/Roll Call

Stephen Michell (convenor)
Larry Wagoner
David Keaton
Patrice Roy
Clive Pygott
Tullio Vardanega

1.3 Procedures for this Meeting

1.4 Approval of previous Minutes (meeting 42)


1.5 Review of action items and resolutions, Action Item and Decision Logs

Reviewed and updated.

1.6 Approval of Agenda [N 0601]

1.7 Future Meeting Schedule



TBD November 2017

In-person or Teleconference


TBD October 2017



TBD August 2017

London, UK (with SC 22 Plenary)


TBD June 2017

Face-to-face, location TBD


TBD May 2017

Teleconference (UTC 2000, 2 hr)


TBD April 2017

In-person (2 day), IBM Toronto, with WG 14


TBD March 2017

Teleconference (UTC 2100, 2 hr)


TBD February 2017

Teleconference (UTC 2100, 2 hr)


23-24 January 2017

In-person (2 day), place TBD










15-16 Sep 2016

Vienna, Austria (with SC 22 Plenary)





14-15 June 2016

With Ada Europe, Pisa, Italy

Pre-mtg 45


Teleconference (UTC 2000, 2 hr)


April 15-16 2016

BSI, London UK, with SC 22/WG 14

We agree to make the teleconferences pre- and post-meeting telecons and to number only the F2F meetings. We also reconfirm the meeting times (2200 CET/2100 London/1600 Eastern/1300 Pacific).

2. Liaison Activities

For in-person meetings, unless specific issues arise.

2.1 SC 22

2.2 PL 22 (Open)

2.3 PL22.3/WG5 (Fortran)

2.4 WG4 (COBOL)

2.5 WG9 (Ada)

2.6 PL22.11/WG14 (C)

2.7 PL22.16/WG21 (C++)

2.8 Ecma International, TC49/TG2 (C#)

2.9 Ecma International, TC39 (ECMAScript)

2.10 MISRA (C)

2.11 MISRA (C++)

2.12 SPARK

2.13 SC7/WG19 (UML)

2.14 SC27/WG3, WG4 Security

2.15 Other Liaison Activities or National body reports

3. Document Review

3.1 TR 24772-1 Vulnerabilities, language independent

Review N0639 with material from Larry (N0623, N0629), Clive (N0630, N0631), Stephen (N0633) to be considered for addition.

We note that the current layout is difficult to read and makes it hard to determine references. We create a table to contain the guidance in 5.4 and references to the vulnerability clauses.

Steve finished populating the table in 5.4 after the meeting and republished it as N0644.

Section 7 – Steve renumbered all vulnerabilities such that 7.2 is now the first application vulnerability. - Accepted in principle.

AI 43-01 – all – review the changes to TR24772-1 clause 7.x.4 and 7.x.5 removals for sanity check and content. Also review changes to 5.4.

3.2 TR 24772-2 Ada language specific part

Waiting for a proposal from SC 22/WG 9.

3.3 TR 24772-3 C language specific part

Consider N0640 as updated at this meeting. This document should be sent to WG 14 as a snapshot for their careful review, with the expectation that a cleaner, almost final version will be available for the fall meeting.

3.4 TR 24772-4 Python language specific part

No action at this meeting.

3.5 TR 24772-8 Fortran

No action at this meeting.

3.6 TR 24772-X C++

No action at this meeting.

3.7 Bibliography for each TR24772 Part

3.8 Dirty Dozen Rules for C, generic, and other languages

Consider for Part 1 and Part 3 in meeting 42.

    1. Time Vulnerability

    We consider N634. David expresses concern that some vulnerabilities are too safety-related and possibly beyond our scope. Consider at the London meeting after IRTAW and more thought. Clive suggests that item 3 of N0634 belongs in section 7.

4 Strategy (Face to face meetings only)

5 Publicity (Face to face meetings only)

6 Other Business

6.1 Review of Assignment of responsibilities

7. Resolutions and Action Items

AI 43-01 – all – review the changes to TR24772-1 clause 7.x.4 and 7.x.5 removals for sanity check and content. Also review changes to 5.4.

8. Adjournment