ISO/IEC/JTC1/SC22/WG23 N0761

2017-11-08

Liaison Statement

SC 22/WG 23 Programming Language Vulnerabilities and

SC 22/WG 21/SG 12 Undefined Behavior and Vulnerabilities and Vulnerabilities Study Group



SC 22/WG 23 and SC 22/WG 21/SG 12 agree to work together to develop TR 24772-9 Programming Language Vulnerabilities in C++.

In developing the Technical Report, the parties agree that the following principles will apply:

  1. The TR will, wherever possible, provide meaningful references to existing work (such as the CERT C++ security guidelines and the C++ Core Guidelines)

  2. In developing the TR, the parties will evaluate those existing guidelines mentioned in a) (and others) for safety and security

  3. The parties will help to enhance existing guidelines by alerting the developers of the referenced guidelines of issues identified in those guidelines due to the analysis for the TR.

  4. The parties will add new sections to the TR to address new issues found, and to notify developers of other guidelines of such issues.

  5. As part of the work, the parties will develop a cross-language taxonomy of issues found from C++ to C and other languages.

  6. The parties will explore ways to link the effort described herein with other efforts such as MISRA, AUTOSAR, OpenCL/SYCL SC, and CUDA

  7. The work will consider how to provide guidance for previous language versions of C++:2011 and later. Currently identified potential approaches could be

    1. To produce inline guidance for other versions, or

    2. Document guidance for previous version in clause 7 (or even clause 8).

      These be will considered analysis is done clause-by-clause. For example -- strings.

  8. The target of the audience is those developing new code vs old code (in the sense that adding significant functionality under maintenance is also “new code). TR 24772 is generally oriented to the creation of new code, and the coding guidelines for such code. It is expected that old code would only be affected when a major rewrite occurs.

  9. The target audience is team leads that produces the coding guidelines for the organization, but C++ programmers, not new C++ programmers coming from another language. Goal is not to teach C++.