6.2.12.5. CWE

Checks for issues listed in the CWE (Common Weakness Enumeration). Each nested rule below corresponds to one CWE entry; the bracketed tags give the CWE categories the entry belongs to and, where applicable, its rank in the CWE Top 25 for 2024.

Excerpt from CWE [https://cwe.mitre.org], Copyright (C) 2006-2026, the MITRE Corporation. See section 9.4. "3rd-Party Licenses" in the documentation for full details.

Nested Rules

CWE-20

Improper Input Validation. [Improper-Neutralization, Top25-2024-12]

CWE-22

Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’). [File-Handling-Issues, Improper-Control-Of-A-Resource-Through-Its-Lifetime, Top25-2024-5]

CWE-23

Relative Path Traversal. [Improper-Control-Of-A-Resource-Through-Its-Lifetime]

CWE-36

Absolute Path Traversal. [Improper-Control-Of-A-Resource-Through-Its-Lifetime]

CWE-77

Improper Neutralization of Special Elements used in a Command (‘Command Injection’). [Improper-Neutralization, Top25-2024-13]

CWE-78

Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’). [Data-Neutralization-Issues, Improper-Neutralization, Top25-2024-7]

CWE-79

Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’). [Data-Neutralization-Issues, Improper-Neutralization, Top25-2024-1]

CWE-89

Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’). [Data-Neutralization-Issues, Improper-Neutralization, Top25-2024-3]

CWE-94

Improper Control of Generation of Code (‘Code Injection’). [Data-Neutralization-Issues, Improper-Neutralization, Top25-2024-11]

CWE-119

Improper Restriction of Operations within the Bounds of a Memory Buffer. [Improper-Control-Of-A-Resource-Through-Its-Lifetime, Top25-2024-20]

CWE-120

Buffer Copy without Checking Size of Input (‘Classic Buffer Overflow’). [Memory-Buffer-Errors, Improper-Control-Of-A-Resource-Through-Its-Lifetime]

CWE-121

Stack-based Buffer Overflow. [Improper-Control-Of-A-Resource-Through-Its-Lifetime]

CWE-123

Write-what-where Condition. [Improper-Control-Of-A-Resource-Through-Its-Lifetime]

CWE-124

Buffer Underwrite (‘Buffer Underflow’). [Memory-Buffer-Errors, Improper-Control-Of-A-Resource-Through-Its-Lifetime]

CWE-125

Out-of-bounds Read. [Memory-Buffer-Errors, Improper-Control-Of-A-Resource-Through-Its-Lifetime, Top25-2024-6]

CWE-126

Buffer Over-read. [Improper-Control-Of-A-Resource-Through-Its-Lifetime]

CWE-127

Buffer Under-read. [Improper-Control-Of-A-Resource-Through-Its-Lifetime]

CWE-131

Incorrect Calculation of Buffer Size. [Memory-Buffer-Errors, Incorrect-Calculation]

CWE-134

Use of Externally-Controlled Format String. [String-Errors, Improper-Control-Of-A-Resource-Through-Its-Lifetime]

CWE-135

Incorrect Calculation of Multi-Byte String Length. [String-Errors, Incorrect-Calculation]

CWE-190

Integer Overflow or Wraparound. [Numeric-Errors, Incorrect-Calculation, Top25-2024-23]

CWE-191

Integer Underflow (Wrap or Wraparound). [Numeric-Errors, Incorrect-Calculation]

CWE-192

Integer Coercion Error. [Improper-Control-Of-A-Resource-Through-Its-Lifetime]

CWE-194

Unexpected Sign Extension. [Improper-Control-Of-A-Resource-Through-Its-Lifetime]

CWE-195

Signed to Unsigned Conversion Error. [Improper-Control-Of-A-Resource-Through-Its-Lifetime]

CWE-197

Numeric Truncation Error. [Improper-Control-Of-A-Resource-Through-Its-Lifetime]

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor. [Improper-Control-Of-A-Resource-Through-Its-Lifetime, Top25-2024-17]

CWE-242

Use of Inherently Dangerous Function. [Api-Function-Errors, Improper-Adherence-To-Coding-Standards]

CWE-243

Creation of chroot Jail Without Changing Working Directory. [Privilege-Issues, Improper-Control-Of-A-Resource-Through-Its-Lifetime]

CWE-244

Improper Clearing of Heap Memory Before Release (‘Heap Inspection’). [Improper-Control-Of-A-Resource-Through-Its-Lifetime]

CWE-248

Uncaught Exception. [Error-Conditions, Insufficient-Control-Flow-Management]

CWE-252

Unchecked Return Value. [Error-Conditions, Improper-Check-Or-Handling-Of-Exceptional-Conditions]

CWE-253

Incorrect Check of Function Return Value. [Error-Conditions, Improper-Adherence-To-Coding-Standards]

CWE-259

Use of Hard-coded Password. [Improper-Access-Control, Improper-Adherence-To-Coding-Standards, Protection-Mechanism-Failure]

CWE-269

Improper Privilege Management. [Improper-Access-Control, Top25-2024-15]

CWE-271

Privilege Dropping / Lowering Errors. [Improper-Access-Control]

CWE-272

Least Privilege Violation. [Privilege-Issues, Improper-Access-Control]

CWE-273

Improper Check for Dropped Privileges. [Privilege-Issues, Improper-Check-Or-Handling-Of-Exceptional-Conditions]

CWE-287

Improper Authentication. [Improper-Access-Control, Top25-2024-14]

CWE-335

Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG). [Cryptographic-Issues, Random-Number-Issues, Protection-Mechanism-Failure]

CWE-336

Same Seed in Pseudo-Random Number Generator (PRNG). [Protection-Mechanism-Failure]

CWE-337

Predictable Seed in Pseudo-Random Number Generator (PRNG). [Protection-Mechanism-Failure]

CWE-338

Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG). [Cryptographic-Issues, Random-Number-Issues, Protection-Mechanism-Failure]

CWE-362

Concurrent Execution using Shared Resource with Improper Synchronization (‘Race Condition’). [Insufficient-Control-Flow-Management]

CWE-369

Divide By Zero. [Numeric-Errors, Incorrect-Calculation]

CWE-378

Creation of Temporary File With Insecure Permissions. [File-Handling-Issues, Improper-Control-Of-A-Resource-Through-Its-Lifetime]

CWE-379

Creation of Temporary File in Directory with Insecure Permissions. [File-Handling-Issues, Improper-Control-Of-A-Resource-Through-Its-Lifetime]

CWE-396

Declaration of Catch for Generic Exception. [Error-Conditions, Insufficient-Control-Flow-Management]

CWE-397

Declaration of Throws for Generic Exception. [Error-Conditions, Insufficient-Control-Flow-Management]

CWE-400

Uncontrolled Resource Consumption. [Improper-Control-Of-A-Resource-Through-Its-Lifetime, Top25-2024-24]

CWE-401

Missing Release of Memory after Effective Lifetime. [Improper-Control-Of-A-Resource-Through-Its-Lifetime]

CWE-404

Improper Resource Shutdown or Release. [Improper-Control-Of-A-Resource-Through-Its-Lifetime]

CWE-413

Improper Resource Locking. [Resource-Locking-Problems, Improper-Control-Of-A-Resource-Through-Its-Lifetime, Insufficient-Control-Flow-Management]

CWE-415

Double Free. [Improper-Control-Of-A-Resource-Through-Its-Lifetime]

CWE-416

Use After Free. [Improper-Control-Of-A-Resource-Through-Its-Lifetime, Top25-2024-8]

CWE-426

Untrusted Search Path. [File-Handling-Issues, Improper-Control-Of-A-Resource-Through-Its-Lifetime]

CWE-457

Use of Uninitialized Variable. [Improper-Control-Of-A-Resource-Through-Its-Lifetime]

CWE-464

Addition of Data Structure Sentinel. [Data-Neutralization-Issues, Improper-Neutralization]

CWE-467

Use of sizeof() on a Pointer Type. [Incorrect-Calculation]

CWE-468

Incorrect Pointer Scaling. [Pointer-Issues, Incorrect-Calculation]

CWE-469

Use of Pointer Subtraction to Determine Size. [Pointer-Issues, Incorrect-Calculation]

CWE-476

NULL Pointer Dereference. [Pointer-Issues, Improper-Adherence-To-Coding-Standards, Top25-2024-21]

CWE-477

Use of Obsolete Function. [Api-Function-Errors, Improper-Adherence-To-Coding-Standards]

CWE-478

Missing Default Case in Multiple Condition Expression. [Bad-Coding-Practices, Incorrect-Comparison]

CWE-480

Use of Incorrect Operator. [Behavioral-Problems, Expression-Issues, String-Errors, Insufficient-Control-Flow-Management]

CWE-481

Assigning instead of Comparing. [Insufficient-Control-Flow-Management]

CWE-482

Comparing instead of Assigning. [Insufficient-Control-Flow-Management]

CWE-483

Incorrect Block Delimitation. [Behavioral-Problems, Insufficient-Control-Flow-Management]

CWE-484

Omitted Break Statement in Switch. [Behavioral-Problems, Improper-Adherence-To-Coding-Standards]

CWE-489

Active Debug Code. [Bad-Coding-Practices, Improper-Adherence-To-Coding-Standards]

CWE-500

Public Static Field Not Marked Final. [Improper-Control-Of-A-Resource-Through-Its-Lifetime]

CWE-502

Deserialization of Untrusted Data. [Resource-Management-Errors, Improper-Control-Of-A-Resource-Through-Its-Lifetime, Top25-2024-16]

CWE-547

Use of Hard-coded, Security-relevant Constants. [Bad-Coding-Practices, Improper-Adherence-To-Coding-Standards]

CWE-558

Use of getlogin() in Multithreaded Application. [Improper-Control-Of-A-Resource-Through-Its-Lifetime, Insufficient-Control-Flow-Management]

CWE-561

Dead Code. [Bad-Coding-Practices, Improper-Adherence-To-Coding-Standards]

CWE-562

Return of Stack Variable Address. [Bad-Coding-Practices, Improper-Adherence-To-Coding-Standards]

CWE-563

Assignment to Variable without Use. [Bad-Coding-Practices, Improper-Adherence-To-Coding-Standards]

CWE-587

Assignment of a Fixed Address to a Pointer. [Pointer-Issues, Improper-Adherence-To-Coding-Standards]

CWE-588

Attempt to Access Child of a Non-structure Pointer. [Improper-Control-Of-A-Resource-Through-Its-Lifetime]

CWE-590

Free of Memory not on the Heap. [Improper-Control-Of-A-Resource-Through-Its-Lifetime]

CWE-595

Comparison of Object References Instead of Object Contents. [Incorrect-Comparison]

CWE-606

Unchecked Input for Loop Condition. [Data-Validation-Issues, Improper-Neutralization]

CWE-617

Reachable Assertion. [Error-Conditions, Insufficient-Control-Flow-Management]

CWE-665

Improper Initialization. [Improper-Control-Of-A-Resource-Through-Its-Lifetime]

CWE-672

Operation on a Resource after Expiration or Release. [Improper-Control-Of-A-Resource-Through-Its-Lifetime]

CWE-674

Uncontrolled Recursion. [Insufficient-Control-Flow-Management]

CWE-675

Multiple Operations on Resource in Single-Operation Context. [Improper-Adherence-To-Coding-Standards]

CWE-676

Use of Potentially Dangerous Function. [Api-Function-Errors, Improper-Adherence-To-Coding-Standards]

CWE-683

Function Call With Incorrect Order of Arguments. [Improper-Adherence-To-Coding-Standards]

CWE-685

Function Call With Incorrect Number of Arguments. [Improper-Adherence-To-Coding-Standards]

CWE-686

Function Call With Incorrect Argument Type. [Improper-Adherence-To-Coding-Standards]

CWE-690

Unchecked Return Value to NULL Pointer Dereference. [Improper-Check-Or-Handling-Of-Exceptional-Conditions]

CWE-761

Free of Pointer not at Start of Buffer. [Improper-Control-Of-A-Resource-Through-Its-Lifetime]

CWE-762

Mismatched Memory Management Routines. [Improper-Control-Of-A-Resource-Through-Its-Lifetime]

CWE-763

Release of Invalid Pointer or Reference. [Pointer-Issues, Resource-Management-Errors, Improper-Control-Of-A-Resource-Through-Its-Lifetime]

CWE-766

Critical Data Element Declared Public. [Permission-Issues, Improper-Access-Control, Improper-Control-Of-A-Resource-Through-Its-Lifetime]

CWE-767

Access to Critical Private Variable via Public Method. [Permission-Issues, Improper-Control-Of-A-Resource-Through-Its-Lifetime]

CWE-772

Missing Release of Resource after Effective Lifetime. [Resource-Management-Errors, Improper-Control-Of-A-Resource-Through-Its-Lifetime]

CWE-773

Missing Reference to Active File Descriptor or Handle. [Improper-Control-Of-A-Resource-Through-Its-Lifetime]

CWE-775

Missing Release of File Descriptor or Handle after Effective Lifetime. [Improper-Control-Of-A-Resource-Through-Its-Lifetime]

CWE-783

Operator Precedence Logic Error. [Behavioral-Problems, Expression-Issues, Insufficient-Control-Flow-Management]

CWE-787

Out-of-bounds Write. [Memory-Buffer-Errors, Improper-Control-Of-A-Resource-Through-Its-Lifetime, Top25-2024-2]

CWE-789

Memory Allocation with Excessive Size Value. [Improper-Control-Of-A-Resource-Through-Its-Lifetime]

CWE-798

Use of Hard-coded Credentials. [Credentials-Management-Errors, Key-Management-Errors, Improper-Access-Control, Top25-2024-22]

CWE-806

Buffer Access Using Size of Source Buffer. [Improper-Control-Of-A-Resource-Through-Its-Lifetime]

CWE-824

Access of Uninitialized Pointer. [Pointer-Issues, Improper-Control-Of-A-Resource-Through-Its-Lifetime]

CWE-825

Expired Pointer Dereference. [Pointer-Issues, Improper-Control-Of-A-Resource-Through-Its-Lifetime]

CWE-828

Signal Handler with Functionality that is not Asynchronous-Safe. [Insufficient-Control-Flow-Management]

CWE-831

Signal Handler Function Associated with Multiple Signals. [Insufficient-Control-Flow-Management]

CWE-839

Numeric Range Comparison Without Minimum Check. [Numeric-Errors, Incorrect-Comparison]

CWE-843

Access of Resource Using Incompatible Type (‘Type Confusion’). [Type-Errors, Improper-Control-Of-A-Resource-Through-Its-Lifetime]

CWE-910

Use of Expired File Descriptor. [Resource-Management-Errors, Improper-Control-Of-A-Resource-Through-Its-Lifetime]

CWE-1043

Data Element Aggregating an Excessively Large Number of Non-Primitive Elements. [Bad-Coding-Practices, Complexity-Issues, Improper-Adherence-To-Coding-Standards]

CWE-1055

Multiple Inheritance from Concrete Classes. [Complexity-Issues, Improper-Adherence-To-Coding-Standards]

CWE-1056

Invocable Control Element with Variadic Parameters. [Complexity-Issues, Improper-Adherence-To-Coding-Standards]

CWE-1064

Invocable Control Element with Signature Containing an Excessive Number of Parameters. [Complexity-Issues, Improper-Adherence-To-Coding-Standards]

CWE-1069

Empty Exception Block. [Improper-Adherence-To-Coding-Standards]

CWE-1071

Empty Code Block. [Bad-Coding-Practices, Improper-Adherence-To-Coding-Standards]

CWE-1074

Class with Excessively Deep Inheritance. [Complexity-Issues, Improper-Adherence-To-Coding-Standards]

CWE-1075

Unconditional Control Flow Transfer outside of Switch Block. [Complexity-Issues, Improper-Adherence-To-Coding-Standards]

CWE-1077

Floating Point Comparison with Incorrect Operator. [Incorrect-Comparison]

CWE-1079

Parent Class without Virtual Destructor Method. [Bad-Coding-Practices, Improper-Adherence-To-Coding-Standards]

CWE-1080

Source Code File with Excessive Number of Lines of Code. [Complexity-Issues, Improper-Adherence-To-Coding-Standards]

CWE-1082

Class Instance Self Destruction Control Element. [Bad-Coding-Practices, Improper-Adherence-To-Coding-Standards]

CWE-1086

Class with Excessive Number of Child Classes. [Complexity-Issues, Improper-Adherence-To-Coding-Standards]

CWE-1087

Class with Virtual Method without a Virtual Destructor. [Bad-Coding-Practices, Improper-Adherence-To-Coding-Standards]

CWE-1119

Excessive Use of Unconditional Branching. [Complexity-Issues, Improper-Adherence-To-Coding-Standards]

CWE-1121

Excessive McCabe Cyclomatic Complexity. [Complexity-Issues, Improper-Adherence-To-Coding-Standards]

CWE-1124

Excessively Deep Nesting. [Complexity-Issues, Improper-Adherence-To-Coding-Standards]

CWE-1126

Declaration of Variable with Unnecessarily Wide Scope. [Bad-Coding-Practices, Improper-Adherence-To-Coding-Standards]

CWE-1127

Compilation with Insufficient Warnings or Errors. [Bad-Coding-Practices, Improper-Adherence-To-Coding-Standards]

CWE-1390

Weak Authentication. [Improper-Access-Control]

CWE-1391

Use of Weak Credentials. [Improper-Access-Control]

Options