CWE Standard Compliance
CWE
CWE (Common Weakness Enumeration) is the most common and impactful issue that allows developers, testers, users, project managers to find the severe and current security weak code checks.
Supported Language: Java, C/ C++, Go, Python, Ruby
CPP
The below table will provide you with insight into currently supported CWE C/CPP security checks.
| Sr. No | Supported CWE Checks |
|---|---|
| 1. | CWE-910 : The software uses or accesses a file descriptor after it has been closed. |
| 2. | CWE-415: The product calls free() twice on the same memory address, potentially leading to modification of unexpected memory locations. |
| 3. | CWE-404: The program does not release or incorrectly releases a resource before it is made available for re-use. |
| 4. | CWE-401: The software does not sufficiently track and release allocated memory after it has been used, which slowly consumes remaining memory |
| 5. | CWE-369: The product divides a value by zero. |
| 6. | CWE-252: The software does not check the return value from a method or function, which can prevent it from detecting unexpected states and conditions. |
| 7. | CWE-783: The program uses an expression in which operator precedence causes incorrect logic to be used. |
| 8. | CWE-561: The software contains dead code, which can never be executed. |
| 9. | CWE-484 : The program omits a break statement within a switch or similar construct, causing code associated with multiple conditions to execute. This can cause problems when the programmer only intended to execute code associated with one condition. |
| 10. | CWE-478: The code does not have a default case in a switch statement, which might lead to complex logical errors and resultant weaknesses. |
| 11. | CWE-338: The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG's algorithm is not cryptographically strong. |
| 12. | CWE-121: Stack-based Buffer Overflow |
| 13. | CWE-122: Heap-based Buffer Overflow |
| 14, | CWE-124: Buffer Underwrite ('Buffer Underflow') |
| 15. | CWE-126: Buffer Over-read |
| 16. | CWE-127: Buffer Under-read |
| 17. | CWE-197: Numeric Truncation Error |
| 18. | CWE-242: Use of Inherently Dangerous Function |
| 19. | CWE-398: Indicator of Poor Code Quality |
| 20. | CWE-401: Improper Release of Memory Before Removing Last Reference ('Memory Leak') |
| 21. | CWE-416: Use After Free |
| 22. | CWE-457: Use of Uninitialized Variable |
| 23. | CWE-476: NULL Pointer Dereference |
| 24. | CWE-483: Incorrect Block Delimitation |
| 25. | CWE-562: Return of Stack Variable Address |
| 26. | CWE-563: Assignment to Variable without Use ('Unused Variable') |
| 27. | CWE-570: Expression is Always False |
| 28. | CWE-571: Expression is Always True |
| 29. | CWE-674: Uncontrolled Recursion |
| 30. | CWE-758: Reliance on Undefined, Unspecified, or Implementation-Defined Behavior |
| 31. | CWE-762: Mismatched Memory Management Routines |
| 32. | CWE-704: Incorrect Type Conversion or Cast |
| 33. | CWE-843: Access of Resource Using Incompatible Type ('Type Confusion') |
| 34. | CWE-15: External Control of System or Configuration Setting |
| 35. | CWE-908: Use of Uninitialized Resource |
| 36. | CWE-911: Improper Update of Reference Count |
| 37. | CWE-772: Missing Release of Resource after Effective Lifetime |
| 38. | CWE-833: Improper Locking |
| 39. | CWE-413: Improper Resource Locking |
| 40. | CWE-335: Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG) |
| 41. | CWE-468: Incorrect Pointer Scaling |
| 42. | CWE-825: Expired Pointer Dereference |
| 43. | CWE-466: Return of Pointer Value Outside of Expected Range |
| 44. | CWE-390: Detection of Error Condition Without Action |
| 45. | CWE-1069: Empty Exception Block |
| 46. | CWE-477: Use of Obsolete Function |
| 47. | CWE-676: Use of Potentially Dangerous Function |
| 48. | CWE-749: Exposed Dangerous Method or Function |
| 49. | CWE-547: Use of Hard-coded, Security-relevant Constants |
| 50. | CWE-628: Function Call with Incorrectly Specified Arguments |
| 51. | CWE-694: Use of Multiple Resources with Duplicate Identifier |
| 52. | CWE-1041: Use of Redundant Code |
| 53. | CWE-1045: Parent Class with a Virtual Destructor and a Child Class without a Virtual Destructor |
| 54. | CWE-1046: Creation of Immutable Text Using String Concatenation |
| 55. | CWE-1116: Inaccurate Comments |
| 56. | CWE-1077: Floating Point Comparison with Incorrect Operator |
| 57. | CWE-681: Incorrect Conversion between Numeric Types |
| 58. | CWE-1071: Empty Code Block |
| 59. | CWE-1126: Declaration of Variable with Unnecessarily Wide Scope |
| 60. | CWE-1113: Inappropriate Comment Style |
| 61. | CWE-1109: Use of Same Variable for Multiple Purposes |
| 62. | CWE-1108: Excessive Reliance on Global Variables |
| 63. | CWE-1102: Reliance on Machine-Dependent Data Representation |
| 64. | CWE-1098: Data Element containing Pointer Item without Proper Copy Control Element |
| 65. | CWE-1078: Inappropriate Source Code Style or Formatting |
| 66. | CWE-590: Free of Memory not on the Heap |
| 67. | CWE-664: Improper Control of a Resource Through its Lifetime |
| 68. | CWE-788: Access of Memory Location After End of Buffer |
| 69. | CWE-786: Access of Memory Location Before Start of Buffer |
| 70. | CWE-687: Function Call With Incorrectly Specified Argument Value |
| 71. | CWE-688: Function Call With Incorrect Variable or Reference as Argument |
| 72. | CWE-686: Function Call With Incorrect Argument Type |
| 73. | CWE-665: Improper Initialization |
| 74. | CWE-391: Unchecked Error Condition |
| 75. | CWE-703: Improper Check or Handling of Exceptional Conditions |
| 76. | CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer |
| 77. | CWE-685: Function Call With Incorrect Number of Arguments |
| 78. | CWE-672: Operation on a Resource after Expiration or Release |
| 79. | CWE-771: Missing Reference to Active Allocated Resource |
| 80. | CWE-775: Missing Release of File Descriptor or Handle after Effective Lifetime |
| 81. | CWE-190: Integer Overflow or Wraparound |
| 82. | CWE-595: Comparison of Object References Instead of Object Contents |
| 83. | CWE-467: Use of sizeof() on a Pointer Type |
| 84. | CWE-682: Incorrect Calculation |
| 85. | CWE-587: Assignment of a Fixed Address to a Pointer |
| 86. | CWE-131: Incorrect Calculation of Buffer Size |
| 87. | CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') |
| 88. | CWE-195: Signed to Unsigned Conversion Error |
| 89. | CWE-128: Wrap-around Error |
| 90. | CWE-597: Use of Wrong Operator in String Comparison |
| 91 | CWE-834: Excessive Iteration |
| 92. | CWE-768: Incorrect Short Circuit Evaluation |
| 93. | CWE-392: Missing Report of Error Condition |
| 94. | CWE-415: Double Free |
| 95. | CWE-606: Unchecked Input for Loop Condition |
| 96. | CWE- 835: Loop with Unreachable Exit Condition |
| 97. | CWE-129: An unvalidated argument is passed to a function that uses it to access an array. |
| 98. | CWE-664: invalid iterator |
| 99. | CWE-476: unconditional pointer return dref |
Java
The below table will provide you with insight into currently supported Java security checks.
| Sr.No | Supported Rules |
|---|---|
| 1. | CWE-352 : Do not disable spring security's CSRF |
| 2. | CWE-359 : Avoid logging of application sensitive data |
| 3. | CWE- 624: Regex pattern coming as input (method parameter, web request attribute, etc.) |
| 4. | CWE- 459: Close the resources in finally block |
| 5. | CWE- 404: Close the resources in finally block |
| 6. | CWE- 330: Secure Random should not initialize in method |
| 7. | CWE- 327: Use a stronger cipher algorithm |
| 8. | CWE- 833: Avoid using Thread.sleep() in a synchronized block or method |
| 9. | CWE- 820: Non-private field accessed in synchronized block indicates possibly partial synchronization |
| 10. | CWE- 521: Use password while creating database connection. |
| 11. | CWE- 78: Potential Command Injection |
| 12. | CWE- 521: LDAP connections should be authenticated |
| 13. | CWE- 489: Web applications should not have a "main" method |
| 14. | CWE- 807: HttpServletRequest.getRequestedSessionId() should not be used |
| 15. | CWE- 22: Potential Path Traversal |
| 16. | CWE- 312: Accessing Android external storage is security-sensitive |
| 17. | CWE- 20: Accessing Android external storage is security-sensitive |
| 18. | CWE- 502:Using unsafe Jackson deserialization configuration is security-sensitive |
| 19. | CWE- 15: Setting JavaBean properties is security-sensitive |
| 20. | CWE- 572: Do not call run() method directly |
| 21. | CWE- 586: RunFinalizersOnExit Should Not Be Called |
| 22. | CWE- 579: Non Serializable In Session |
| 23. | CWE- 500: Public Static Field Should Be Final |
| 24. | CWE- 585: Empty Synchronized Block |
| 25. | CWE- 584: Return In Finally Block |
| 26. | CWE- 586: Explicit Call To Finalize |
Updated almost 2 years ago