Agenda: Meeting #63 on Programming Language Vulnerabilities, July 16-18 2019

Document ISO/IEC/JTC 1/SC 22/WG 23 N1137

Revised Draft Agenda Meeting #74
ISO/IEC JTC 1/SC 22/WG2

12 January 2022 1700-1900 UTC

Meeting Location : Zoom

Hi,

Stephen Michell is inviting you to a scheduled Zoom meeting.

Topic: SC 22/WG 23 Meeting 74

Time: Jan 12, 2022 17:00 Universal Time UTC

Join from PC, Mac, Linux, iOS or Android: https://iso.zoom.us/j/91447119718?pwd=K1ZJdnI4c0FMbDl0VlMzTFB4bWZCUT09 Password: 590208

Or iPhone one-tap : US: +12133388477,,91447119718# or +12532158782,,91447119718#

Or Telephone: Dial(for higher quality, dial a number based on your current location):

US: +1 213 338 8477 or +1 253 215 8782 or +1 267 831 0333 or +1 301 715 8592 or +1 312 626 6799 or +1 346 248 7799 or +1 408 638 0968 or +1 470 250 9358 or +1 470 381 2552 or +1 602 753 0140 or +1 646 518 9805 or +1 646 876 9923 or +1 651 372 8299 or +1 669 219 2599 or +1 669 900 6833 or +1 720 928 9299 or +1 786 635 1003 or +1 971 247 1195 or +1 206 337 9723 or 877 853 5247 (Toll Free) or 888 788 0099 (Toll Free)

Meeting ID: 914 4711 9718 Password: 590208

International numbers available: https://iso.zoom.us/u/aebNAIqtPh

Agenda

74.1 Opening activities

74.1.1 Opening Comments

74.1.2 Introduction of Participants/Roll Call

74.1.3 Procedures for this Meeting

74.1.4 Approval of previous Minutes of meeting 73

74.1.5 Review of actions items and resolutions, Action Item and Decision Logs (N/A)

74.1.6 Approval of Agenda

74.1.7 Future Meeting Schedule


2022
#75	TBD Feb 2022	Electronic	1700-1900 UTC
#76	TBD June 2022	With WG 5 Fortran
#77	TBD Sep 2022	With SC 22
#78	TBD Nov 2022	With WG 21





2023
#79	TBD Feb 2022	Electronic	1
#80	TBD June 2022	With WG 5 Fortran
#81	TBD Sep 2022	With SC 22
#82	TBD Nov 2022	With WG 21

74.2 Liaison Activities (for in-person meetings only)

74.2.1 PL22.3/WG5 (Fortran)

74.2.2 WG4 (COBOL)

74.2.3 WG9 (Ada) Erhard Ploedereder

74.2.4 PL22.11/WG14 C Clive Pygott

74.2.5 PL22.16/WG21 (C++) Michael Wong
74.2.6 MISRA C Clive Pygott

74.2.7 MISRA (C++) Clive Pygott

74.2.8 SPARK Erhard Ploedereder

74.2.9 Other Liaison Activities or National body reports

74.3. Report from SC 22 (Convenor)

The SC 22 committee manager has reported that ISO rejected the free availability of TR 24772-1:2019, TR 24772-2:2020 and 24772-3:2020 because they are technical reports and not technical standards. In its 2021 Directives, ISO and IEC have also stated that TR's can no longer contain guidance.

This leaves us no choice but to reissue the documents as international standards. We have balloted a NWIP for IS 24772-1, which passed unanimously. The SC 22 Committee Manager is initiating a DIS ballot for the document.

In the meantime, we have discovered one or two new vulnerqabilities that should be added immediately. The most critical one is the existence of source text (control characters) that can completely hide source text from human review. The Convenor believes that this is important enough to immediately initiate an amendment to DIS 24772-1. Since amendment ballots only take 3 months, we can complete development and ballot by the time that the DIS ballot completes, and integrate it for a 2-month FDIS ballot.

Another issue is free availability of Part 1. The Committee Manager has some concrete recommendations for the wording of a case to go to JTC 1 at its May plenary for approval and forwarding to ISO/IEC. It is recommended that we create a small committee to prepare this document in January 2022.

As part of the free availability discussions, ISO is in general resisting granting free availability to documents that provide mandatory criteria or that provide guidance. Since 24772 (all parts) contain the word “guidance” in the title and contain sections that use the word “guidance”, the convenor proposes that we remove that word largely from the title and the document. For example, Part one would become
ISO/IEC 24772-1 – Programming languages – Avoiding vulnerabilities in programming languages – Part 1: Language independent catalogue of vulnerabilities

74. 4 Document Review

Review of following document activities

Part 2 Ada has been accepted by WG 9 and requires approval by WG 23. This document is N1135. We have discovered one situation that Erhard will explain that requires removing some guidance from N1121, if WG 9 agrees.

N1135, proposed DIS 24772-1 is deemed ready to go to DIS ballot, with the changes made to address a WG 9 concern (from N1105) and corrections to remove “guidance” wording from normative text. This document will be reviewed and a motion to progress to DIS made.
The SC 22 convenor has raised an issue that there is a statement at the bottom of the forward stating that conformance information has been added, and that this statement should be removed.

74.6 Review of Assignment of responsibilities

74.7 Resolutions and Action Items

Motion to submit N1121 to SC 22 for the initiation of an NWIP ballot for Ada together with an NWIP Form 4.

– To Submit N1128 SPARK to SC 22 for the initiation of an NWIP ballot for SPARK together with an NWIP Form 4.

Motion: To accept the document N1135 as edited by this meeting and the ISO Free availability request form for submission to the SC 22 Committee Manager for submission to ISO for DIS ballot.