ISO/IEC JTC 1/SC 22/WG 23 N 0271
Revised format for language-specific annexes,
from ISO/IEC TR 24772:2010
Date: 2010-08-31
Contributed by: John Benito
Original file name: Annex E.htm
Notes
[This clause should list the relevant language standards and other documents that describe the language treated in the annex. It should not be simply a list of standards. It should do whatever is required to describe the language that is the baseline. In some cases, it might be a standard plus some other documents, or a standard minus the annex that lists deprecated features. It might include some explanation, such as "don't use any features that are undefined".]
[This clause should provide an overview of general terminology and concepts that are utilized throughout the annex.]
Every vulnerability description of Clause 6 of the main document should be addressed in the annex, in the same order, even if there is simply a notation that it is not relevant to the language in question.
Each vulnerability description should have the following format:
<language>.<x>.0 Status and history
[Revision history. This clause will eventually be removed.]
<language>.<x>.1 Terminology and features
[In this and other clauses, if there is nothing to be explained, simply say "None".]
[This section should describe terms that are in the language standard and which are used in the explanation that follows.]
term: An explanation in the form of one or more complete sentences.
<language>.<x>.2 Description of vulnerability
[This merges the prior clauses for description and mechanism. Examples, both good and bad, are strongly encouraged.]
<language>.<x>.3 Avoiding the vulnerability or mitigating its effects
- [An imperative sentence followed by optional additional sentences written in the indicative.]
- ...
<language>.<x>.4 Implications for standardization
Future standardization efforts should consider:
- Requiring
- Adding ...
- Changing ...
- Other verbs ending in "ing"
In those cases where a vulnerability is simply not applicable to the language, the following format should be used:
<language>.<x> <Vulnerability Name> [<3 letter tag>]
This vulnerability is not applicable to <language>. [Optionally, an explanation of inapplicability may be added, including qualifications and pointers to other related vulnerabilities that might be present.]