CWE Standard Compliance

CWE

CWE (Common Weakness Enumeration) is a catalogue of the most common and impactful software weaknesses; it lets developers, testers, users and project managers find severe, current security weaknesses in code through the checks listed below.

Supported Languages: Java, C/C++, Go, Python, Ruby

CPP

The table below lists the currently supported CWE security checks for C/C++.

1. CWE-910: The software uses or accesses a file descriptor after it has been closed.
2. CWE-415: The product calls free() twice on the same memory address, potentially leading to modification of unexpected memory locations.
3. CWE-404: The program does not release or incorrectly releases a resource before it is made available for re-use.
4. CWE-401: The software does not sufficiently track and release allocated memory after it has been used, which slowly consumes remaining memory.
5. CWE-369: The product divides a value by zero.
6. CWE-252: The software does not check the return value from a method or function, which can prevent it from detecting unexpected states and conditions.
7. CWE-783: The program uses an expression in which operator precedence causes incorrect logic to be used.
8. CWE-561: The software contains dead code, which can never be executed.
9. CWE-484: The program omits a break statement within a switch or similar construct, causing code associated with multiple conditions to execute. This can cause problems when the programmer only intended to execute code associated with one condition.
10. CWE-478: The code does not have a default case in a switch statement, which might lead to complex logical errors and resultant weaknesses.
11. CWE-338: The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG's algorithm is not cryptographically strong.
12. CWE-121: Stack-based Buffer Overflow
13. CWE-122: Heap-based Buffer Overflow
14. CWE-124: Buffer Underwrite ('Buffer Underflow')
15. CWE-126: Buffer Over-read
16. CWE-127: Buffer Under-read
17. CWE-197: Numeric Truncation Error
18. CWE-242: Use of Inherently Dangerous Function
19. CWE-398: Indicator of Poor Code Quality
20. CWE-401: Improper Release of Memory Before Removing Last Reference ('Memory Leak')
21. CWE-416: Use After Free
22. CWE-457: Use of Uninitialized Variable
23. CWE-476: NULL Pointer Dereference
24. CWE-483: Incorrect Block Delimitation
25. CWE-562: Return of Stack Variable Address
26. CWE-563: Assignment to Variable without Use ('Unused Variable')
27. CWE-570: Expression is Always False
28. CWE-571: Expression is Always True
29. CWE-674: Uncontrolled Recursion
30. CWE-758: Reliance on Undefined, Unspecified, or Implementation-Defined Behavior
31. CWE-762: Mismatched Memory Management Routines
32. CWE-704: Incorrect Type Conversion or Cast
33. CWE-843: Access of Resource Using Incompatible Type ('Type Confusion')
34. CWE-15: External Control of System or Configuration Setting
35. CWE-908: Use of Uninitialized Resource
36. CWE-911: Improper Update of Reference Count
37. CWE-772: Missing Release of Resource after Effective Lifetime
38. CWE-833: Improper Locking
39. CWE-413: Improper Resource Locking
40. CWE-335: Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG)
41. CWE-468: Incorrect Pointer Scaling
42. CWE-825: Expired Pointer Dereference
43. CWE-466: Return of Pointer Value Outside of Expected Range
44. CWE-390: Detection of Error Condition Without Action
45. CWE-1069: Empty Exception Block
46. CWE-477: Use of Obsolete Function
47. CWE-676: Use of Potentially Dangerous Function
48. CWE-749: Exposed Dangerous Method or Function
49. CWE-547: Use of Hard-coded, Security-relevant Constants
50. CWE-628: Function Call with Incorrectly Specified Arguments
51. CWE-694: Use of Multiple Resources with Duplicate Identifier
52. CWE-1041: Use of Redundant Code
53. CWE-1045: Parent Class with a Virtual Destructor and a Child Class without a Virtual Destructor
54. CWE-1046: Creation of Immutable Text Using String Concatenation
55. CWE-1116: Inaccurate Comments
56. CWE-1077: Floating Point Comparison with Incorrect Operator
57. CWE-681: Incorrect Conversion between Numeric Types
58. CWE-1071: Empty Code Block
59. CWE-1126: Declaration of Variable with Unnecessarily Wide Scope
60. CWE-1113: Inappropriate Comment Style
61. CWE-1109: Use of Same Variable for Multiple Purposes
62. CWE-1108: Excessive Reliance on Global Variables
63. CWE-1102: Reliance on Machine-Dependent Data Representation
64. CWE-1098: Data Element containing Pointer Item without Proper Copy Control Element
65. CWE-1078: Inappropriate Source Code Style or Formatting
66. CWE-590: Free of Memory not on the Heap
67. CWE-664: Improper Control of a Resource Through its Lifetime
68. CWE-788: Access of Memory Location After End of Buffer
69. CWE-786: Access of Memory Location Before Start of Buffer
70. CWE-687: Function Call With Incorrectly Specified Argument Value
71. CWE-688: Function Call With Incorrect Variable or Reference as Argument
72. CWE-686: Function Call With Incorrect Argument Type
73. CWE-665: Improper Initialization
74. CWE-391: Unchecked Error Condition
75. CWE-703: Improper Check or Handling of Exceptional Conditions
76. CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer
77. CWE-685: Function Call With Incorrect Number of Arguments
78. CWE-672: Operation on a Resource after Expiration or Release
79. CWE-771: Missing Reference to Active Allocated Resource
80. CWE-775: Missing Release of File Descriptor or Handle after Effective Lifetime
81. CWE-190: Integer Overflow or Wraparound
82. CWE-595: Comparison of Object References Instead of Object Contents
83. CWE-467: Use of sizeof() on a Pointer Type
84. CWE-682: Incorrect Calculation
85. CWE-587: Assignment of a Fixed Address to a Pointer
86. CWE-131: Incorrect Calculation of Buffer Size
87. CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
88. CWE-195: Signed to Unsigned Conversion Error
89. CWE-128: Wrap-around Error
90. CWE-597: Use of Wrong Operator in String Comparison
91. CWE-834: Excessive Iteration
92. CWE-768: Incorrect Short Circuit Evaluation
93. CWE-392: Missing Report of Error Condition
94. CWE-415: Double Free
95. CWE-606: Unchecked Input for Loop Condition
96. CWE-835: Loop with Unreachable Exit Condition
97. CWE-129: An unvalidated argument is passed to a function that uses it to access an array.
98. CWE-664: Invalid iterator
99. CWE-476: Unconditional pointer return dereference

Java

The table below lists the currently supported Java security checks.

1. CWE-352: Do not disable Spring Security's CSRF protection
2. CWE-359: Avoid logging of application-sensitive data
3. CWE-624: Regex pattern coming as input (method parameter, web request attribute, etc.)
4. CWE-459: Close the resources in a finally block
5. CWE-404: Close the resources in a finally block
6. CWE-330: SecureRandom should not be initialized in a method
7. CWE-327: Use a stronger cipher algorithm
8. CWE-833: Avoid using Thread.sleep() in a synchronized block or method
9. CWE-820: Non-private field accessed in a synchronized block indicates possibly partial synchronization
10. CWE-521: Use a password when creating a database connection
11. CWE-78: Potential Command Injection
12. CWE-521: LDAP connections should be authenticated
13. CWE-489: Web applications should not have a "main" method
14. CWE-807: HttpServletRequest.getRequestedSessionId() should not be used
15. CWE-22: Potential Path Traversal
16. CWE-312: Accessing Android external storage is security-sensitive
17. CWE-20: Accessing Android external storage is security-sensitive
18. CWE-502: Using an unsafe Jackson deserialization configuration is security-sensitive
19. CWE-15: Setting JavaBean properties is security-sensitive
20. CWE-572: Do not call the run() method directly
21. CWE-586: RunFinalizersOnExit Should Not Be Called
22. CWE-579: Non-Serializable In Session
23. CWE-500: Public Static Field Should Be Final
24. CWE-585: Empty Synchronized Block
25. CWE-584: Return In Finally Block
26. CWE-586: Explicit Call To Finalize