Defect Logs - sgml/signature GitHub Wiki

Defect Categories

Irrelevant condition - I was checking for something that should have been skipped altogether

Constant unset - I was checking for a constant value which was never set

Missed parentheses - I did not lint the code

Public function was not local - I added a function to an object within a function instead of simple nesting

Cached value was wrong - I cached a dynamic value in a variable instead of wrapping it in a function call

Ambiguity Types and Their Consequences

| Ambiguity Type | CVE-Relevant Impact | ASCII Parse Impact | Example CVEs / Failures |
|---|---|---|---|
| Spec ambiguity | Logic flaws, bypasses | Misaligned expectations across renderers | CVE-2014-3566 (POODLE), CSP directive conflicts |
| Parsing ambiguity | Injection, deserialization flaws | Misrendered glyphs, broken layout | CVE-2017-18342 (YAML coercion), JSON edge cases |
| Encoding ambiguity | XSS, path traversal | Corrupted visuals, invisible characters | CVE-2021-42574 (Unicode Bidi), UTF-8 overlong encoding |
| Protocol ambiguity | Downgrade attacks | ASCII over network misaligns due to tabs | TLS negotiation flaws, MIME boundary confusion |
| UI ambiguity | Spoofing, clickjacking | Misleading visual structure in diagrams | CVE-2015-0070 (IE spoofing), Markdown misinterpretation |
| Auth ambiguity | Privilege escalation | Misaligned role maps or ACLs | CVE-2020-0605 (.NET validation bypass), token scope confusion |
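As an added example (not code from the wiki or the sgml/signature project), a small detector for the two "Encoding ambiguity" cases in the table: Unicode Bidi control characters (CVE-2021-42574) and overlong UTF-8 sequences. The sample input is constructed; the scan for overlong sequences runs on raw bytes because a strict UTF-8 decoder would reject them before they could be inspected.

```python
# Added example, not from the wiki: flag the two "Encoding ambiguity" cases from
# the table above in raw source bytes: Unicode Bidi controls (CVE-2021-42574,
# "Trojan Source") and overlong UTF-8, which a strict decoder rejects, so the
# byte scan runs before decoding.
from __future__ import annotations

# Bidi formatting characters involved in CVE-2021-42574.
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF", "\u202d": "LRO",
    "\u202e": "RLO", "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI",
    "\u2069": "PDI",
}
# Lead-byte range -> (sequence length, smallest code point it may legally encode).
_LEAD = [((0xC0, 0xDF), 2, 0x80), ((0xE0, 0xEF), 3, 0x800), ((0xF0, 0xF7), 4, 0x10000)]


def find_overlong_utf8(data: bytes) -> list[tuple[int, bytes]]:
    """Return (offset, sequence) for every overlong UTF-8 sequence in data."""
    findings, i = [], 0
    while i < len(data):
        lead = data[i]
        spec = next(((n, lo) for (a, b), n, lo in _LEAD if a <= lead <= b), None)
        if spec is None:                  # ASCII, stray continuation or invalid lead
            i += 1
            continue
        n, min_cp = spec
        seq = data[i:i + n]
        if len(seq) < n or any(c & 0xC0 != 0x80 for c in seq[1:]):
            i += 1                        # truncated or malformed, not overlong
            continue
        cp = lead & (0x7F >> n)           # payload bits of the lead byte
        for c in seq[1:]:
            cp = (cp << 6) | (c & 0x3F)
        if cp < min_cp:                   # fits in fewer bytes: overlong
            findings.append((i, bytes(seq)))
        i += n
    return findings


def find_bidi_controls(text: str) -> list[tuple[int, str]]:
    """Return (index, name) for every Bidi control character in text."""
    return [(i, BIDI_CONTROLS[c]) for i, c in enumerate(text) if c in BIDI_CONTROLS]


def audit_source(data: bytes) -> dict:
    """Run both checks; lenient decoding keeps one bad sequence from aborting the scan."""
    text = data.decode("utf-8", errors="replace")
    return {"overlong_utf8": find_overlong_utf8(data), "bidi_controls": find_bidi_controls(text)}


# Constructed sample: an RLO (E2 80 AE) hidden in a comment, then C0 AF, an overlong "/".
SAMPLE = b"# comment \xe2\x80\xae only admins }\n" + b"open('\xc0\xafetc\xc0\xafpasswd')\n"
```

Each finding carries a byte or character offset, which is what a defect log entry for this category needs to record.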

Defect Governance

| Issue Type | Governance Lens | Prioritization Criteria |
|---|---|---|
| Critical outage | Business continuity | Immediate escalation |
| Performance issues | Quality threshold breach | Prioritized if over SLA |
| Tech debt bugs | Risk to deliverables | Assessed via scope/schedule |
| Security flaw | Compliance risk | Elevated via audits |

Defect Prioritization

| Concept | CVE Example & Relevance |
|---|---|
| Time Tolerance | CVE-2021-44228 (Log4Shell): Delayed patch rollout exceeded time tolerance, triggering emergency escalation |
| Cost Tolerance | CVE-2020-0601 (CurveBall): Emergency remediation required unplanned crypto module updates, breaching cost tolerance |
| Scope Tolerance | CVE-2022-22965 (Spring4Shell): Required expanding scope to include legacy Java apps, exceeding original scope tolerance |
| Risk Tolerance | CVE-2017-5638 (Apache Struts): Risk of exploit exceeded organizational risk tolerance, prompting full platform migration |
| Quality Tolerance | CVE-2019-0708 (BlueKeep): RDP quality degradation risk exceeded tolerance, forcing early-stage patch deployment |
| Benefit Tolerance | CVE-2023-23397 (Outlook Privilege Escalation): Threat to user trust and productivity exceeded benefit tolerance, requiring reprioritization |
| Stage Tolerance | During remediation of CVE-2021-34473 (Exchange Server), Stage 2 exceeded time and cost tolerances due to unexpected patch complexity |
| Stage Plan | Stage plan for CVE-2022-30190 (Follina) included: patch rollout, user education, and monitoring, all within defined time/cost tolerances |

Defect Remediation

                          +------------------------+
                          |       GOVERNANCE       |
                          |------------------------|
                          | ◉ Roles & authority    |
                          | ◉ Decision process     |
                          | ◉ Risk thresholds      |
                          | ◉ Escalation paths     |
                          +-----------+------------+
                                      |
                                      |
                                      |  OVERLAP
                                      |
                          +-----------+------------+
                          |     GOVERNANCE +       |
                          |     DOCUMENTATION      |
                          |------------------------|
                          | ◉ Issue prioritization |
                          | ◉ Change control       |
                          | ◉ Quality gates        |
                          | ◉ Strategic alignment  |
                          +-----------+------------+
                                      |
                                      |
                                      |
                          +-----------+------------+
                          |     DOCUMENTATION      |
                          |------------------------|
                          | ◉ Issue logs           |
                          | ◉ Risk registers       |
                          | ◉ Lessons learned      |
                          | ◉ Audit trails         |
                          +------------------------+

Log Types

Loguru Example Code

Python Logging Example Code

References