Usage: DISCOURAGED (this CWE ID should not be used to map to real-world vulnerabilities)
Reason: Frequent Misuse
Rationale:
[CWE-400](https://cwe.mitre.org/data/definitions/400.html) is intended for incorrect behaviors in which the product is expected to track and restrict how many resources it consumes, but [CWE-400](https://cwe.mitre.org/data/definitions/400.html) is often misused because it is conflated with the "technical impact" of vulnerabilities in which resource consumption occurs. It is sometimes used for low-information vulnerability reports. It is a level-1 Class (i.e., a child of a Pillar).
Comments:
Closely analyze the specific mistake that is causing resource consumption, and perform a CWE mapping for that mistake. Consider children/descendants such as [CWE-770](https://cwe.mitre.org/data/definitions/770.html): Allocation of Resources Without Limits or Throttling, [CWE-771](https://cwe.mitre.org/data/definitions/771.html): Missing Reference to Active Allocated Resource, [CWE-410](https://cwe.mitre.org/data/definitions/410.html): Insufficient Resource Pool, [CWE-772](https://cwe.mitre.org/data/definitions/772.html): Missing Release of Resource after Effective Lifetime, [CWE-834](https://cwe.mitre.org/data/definitions/834.html): Excessive Iteration, [CWE-405](https://cwe.mitre.org/data/definitions/405.html): Asymmetric Resource Consumption (Amplification), and others.
Do you want to pinpoint to another specific CWE that is more appropriate?
myteron changed the title from "Replacing CWE-400 with something that describes the resource exhaustion case better" to "pySCG: Replacing CWE-400 with something that describes the resource exhaustion case better" on Oct 23, 2024
The description of CWE-400 in the MITRE document (https://cwe.mitre.org/data/definitions/400.html#Vulnerability_Mapping_Notes_400) suggests this: