Minutes of Meeting #40 on Programming Language Vulnerabilities, 23 November 2015

Document ISO/IEC/JTC 1/SC 22/WG 23 N0602

Meeting Minutes #40
ISO/IEC JTC 1/SC 22/WG 23: Programming Language Vulnerabilities
23 November 2015

Meeting Location :

WebEx

Meeting Times:

23 November 2015: 1600-1800 EDT (2100-2300 UTC)

Local Arrangements:

N/A

Local Contacts:

N/A

IMPORTANT:

Teleconference Info:

Meeting Minutes

1 Opening activities

1.1 Opening Comments

1.2 Introduction of Participants/Roll Call

Stephen Michell – convenor
Larry Wagoner
Clive Pygott
Erhard
David Keaton

1.3 Procedures for this Meeting

1.4 Approval of previous Minutes (meeting 39)

OK.

1.5 Review of actions items and resolutions, Action Item and Decision Logs

1.6 Approval of Agenda [N 0594]

1.7 Future Meeting Schedule


2016
#49	TBD November 2016	Teleconference
#48	TBD October 2016	Teleconference
#47	14-16 Sep 2016	Vienna, Austria (with SC 22 Plenary)
#46	17-18 June 2016	Face-to Face, Pisa Italy with Ada Europe (tentative)
#45	23/05/16	Teleconference (UTC 2000, 2 hr)
#44	April 14-15 2016	BSI, London UK, with SC 22/WG 14
#43	07/03/16	Teleconference (UTC 2100, 2 hr)
#42	08/02/16	Teleconference (UTC 2100, 2 hr)
#41	11 -12 Jan 2016	Orlando, Florida (EST 0900-1700)

2015
			oo

2. Liaison Activities

2.1 SC 22

2.2 PL 22 (Open)

2.3 PL22.3/WG5 (Fortran)

2.4 WG4 (COBOL)

2.5 WG9 (Ada)

2.6 PL22.11/WG14 (C)

2.7 PL22.16/WG21 (C++)

2.8 Ecma International, TC49/TG2 (C#)

2.9 Ecma International, TC39 (ECMAScript)

2.10 MISRA (C)

2.11 MISRA (C++)

2.12 SPARK

2.13 SC7/WG19 (UML)

2.14 SC27/WG3, WG4 Security

2.15 Other Liaison Activities or National body reports

3. Document Review

3.1 TR 24772-1 Vulnerabilities, language independent

We examine document N0605, rewrite of clause 6.39 Memory Leaks XYL with material from Erhard Ploedereder. The reviewed material was incorporated into N0590, which was issued as N0606.

3.2 TR 24772-2 Ada language specific part

Waiting for a proposal from SC 22/WG 9

3.3 TR 24772-3 C language specific part

Discuss at meeting 40 (this meeting).

3.4 TR 24772-4 Python language specific part

Discuss at meeting 40.

3.5 TR 24772-8 Fortran

Document [N0560] needs review.

3.6 TR 24772-X C++

Some WG 21C++ has published at C++ “C++ Core Guidelines” at CPPCon. Clive will look at that as he considers its applicability to a TR24772 Part.

3.7 Bibliography for each TR24772 Part

The creation of the bibliography for each part is very much a work in progress. We need to decide a few issues:

Should each bibliography be a repeat of the parent document’s?
Should each bibliography include only material for that language?
Should we put relevant text in the text of a Part to support a bibliographic reference?
Guidelines for creating and using a bibliographic entry

We will give each Part author a copy of the full bibliography from the current TR (2012), plus any additions. The will delete those that do not apply and add any new ones that were used.

AI 40-01– Steve – send around current bibliography.

3.8 Dirty Dozen Rules for C and generic

Material from Larry Wagoner, N 599 (general) and N 600 (C-specific). Consider at meeting 40.

We consider and edit the 2 lists. Results are captured as N0603 and N0604. Participants are requested to review the documents as some issues are still under consideration.

AI 40-02 Language authors – consider the generic and C-specific top 10 lists and propose similar lists for your language.