From AB review by Pete Rivet, March 17, 2020:
"Example 1 uses XMI 2.0 (even older than the metamodel XMI) and kdmanalytics.com.
The elements have no xmi:types which is mandatory for any XMI element. In some cases they instead have xsi:types."
Comments by NM: see page 43.

From AB review by Pete Rivett, March 17, 2020

9.1.1.1 also refers to common sections shared amongst multiple SFPs – however the metamodel does not seem to allow that.

From AB review by Pete Rivett, March 17, 2020:

The XSD has a bad URI for spmf and XMI; and a proprieraty location for the XMI namespace import.

From AB review by Pete Rivett, March 17, 2020:
The clean UML file provided sysa/20-02-06 is an appropriate file for MOF 2.4+ so should be the normative file for the metamodel. As such it validates well apart from the following issues:

• the top level element should be uml:Package (not uml:Model) and the URI root www.omg.org not www.kdmanalytics.com
• there are over a hundred unnamed properties and associations (strictly speaking required for EMOF)
• many visibilities of “private”

From AB review by Pete Rivett, March 17, 2020:
9.1.3.2 describes a taxonomy of Injuries but the metamodel provides for no structure at all

From AB review by Pete Rivett on March 17, 2020
Figure 2: the metamodel requires each Cluster to be owned by exactly 1 Cluster, which would never allow a root – the composite end should be 0..1.

From AB review by Pete Rivett, March 17, 2020:

And each CWESection to owned both by a Cluster and a SFP which breaks the rule of having only one composite owner. Again the composite ends should both be 0..1.

From AB review by Pete Rivett, March 17, 2020:
The preface has several assertions that should be justified by references: “the community”, “it has been observed” “all existing classifications resist automation”.

From AB review by Pete Rivett, March 17, 2020:
9.1.2.3 says that “Variations in the variation tree are considered ordered” but this is not represented in the metamodel using an ordered property.

From AB review by Pete Rivett, Mach 17, 2020:
Would be better for CWE::status should be an enumeration rather than a string.

From AB review by Pete Rivett, March 17, 2020:
The similar analogs “DNA” and “signature” are used to describe quite different things.

From AB Review by Pete Rivett, March 17, 2020:
I don’t understand the purpose of replicating chunks of SBVR (in 9.4, 9.5), or even why vocabularies would be needed for Software Patterns. If they’re structural in nature why the need to link them to a conceptual model? It should at most be an optional compliance point.

The use of SBVR seems an odd choice for something that is intended to be first order logic and executable (mentioned elsewhere), since SBVR is neither of those, and it would be necessary to define a subset. Why not use ODM?

From AB review by Pete Rivett, March 17, 2020:
The spec uses “Canonical” as a synonym for “Exemplary” or as a sample which is the opposite of its normal use which is for something authoritative or official.

From AB review by Pete Rivett, March 17, 2020:
The spec in Appendix A seems to introduce its own Human Usable Textual Notation, ignoring the (admittedly dated) OMG standard. And with no description or justification.
Reference should be made to the CFG syntax used.
Though the readable text spec is non-normative it is made use of extensively in the normative sections.

From AB review by Pete Rivett, March 17, 2020:
I don’t see the value of being able to generate sample code from the Catalog – why not just insert existing code?

From AB review by Pete Rivett, March 17, 2020:
Conformance is very unclear. A few times the spec documents “three supporting capabilities” (e.g. in 9.3.1) but these don’t appear under Conformance. That section 9.3.1 also describes 2 purposes: certification (of software) and synthesis. And 3 further capabilities.
And then the end of 9.3.3. refers to another “interface to the external capabilities”

From AB review by Pete Rivett, March 17 2020:
9.1.1.4 states that the objective of SFP is to resolve problems with the CWE catalog maintained by Mitre. This does not seem a community way of working: why not report problems and get them fixed at source?

From AB review by Pete Rivett on March 17, 2020:
The spec several times mentions “Software Fault Pattern Catalog” and seems to commit OMG to maintaining one. Indeed 9.1.1.1 refers to delivering content related to a single SFP “to the OMG for it to be validated and added to the OMG SFP Catalog”. Who would be responsible for this? How is it reviewed and “validated”? More generally how is the catalog accessed (by human and/or machine) and searched?

From AB review by Pete Rivett March 17 2020:
there is a further confusion between “weakness”/”vulnerability” and “fault”.
It seems to me they are different – a plain fault (aka bug) resulting in the software not acting according to its spec is not necessarily an exploitable weakness.
It seems to me the spec is all about weaknesses, not faults (bugs). That also ties in with the language around CWE which this spec is based on. Use of “fault” should be avoided.