Built-in Test Configurations

The following tables include the test configurations shipped in the [INSTALL]/configs/builtin directory.

Static Analysis

This group includes universal static analysis test configurations. See Security Compliance Pack for test configurations that enforce security coding standards.

Built-in Test Configuration	Description
Recommended Rules	The default configuration of recommended rules. Covers most Severity 1 and Severity 2 rules. Includes rules in the Flow Analysis Fast configuration.
Recommended .NET Core Rules	Includes rules that identify high-severity defects in .NET Core projects.
Find Duplicated Code	Applies static code analysis rules that report duplicate code. Duplicate code may indicate poor application design and lead to maintainability issues.
Metrics	Computes values for several code metrics.
Flow Analysis	Detects complex runtime errors without requiring test cases or application execution. Defects detected include using uninitialized or invalid memory, null pointer dereferencing, array and buffer overflows, division by zero, memory and resource leaks, and dead code. This requires a special Flow Analysis license option.
Flow Analysis Aggressive	Includes rules for deep flow analysis of code. A significant amount of time may be required to run this configuration.
Flow Analysis Fast	Includes rules for shallow depth of flow analysis, which limits the number of potentially acceptable defects from being reported.
Critical Rules	Includes most Severity 1 rules, as well as rules in the Flow Analysis Fast configuration.
Demo	Includes rules for demonstrating various techniques of code analysis. May not be suitable for large code bases.
Find Memory Issues	Includes rules for finding memory management issues in the code.
Find Unimplemented Scenarios	Includes rules for finding unimplemented scenarios in the code.
Find Unused Code	Includes rules for identifying unused/dead code.
Check Code Compatibility against .NET [2.0, 3.0, 3.5, 4.0 Client Profile, 4.0 Full, 4.5, 4.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1, 4.7.2, 4.8]	Includes a set of test configurations that validates the code’s compatibility with the specified version of .NET framework.
IEC 62304 (Template)	A template test configuration for applying the IEC 62304 Medical standard.
Roslyn .NET Analyzers Default Rules	Applies the .NET compiler platform (Roslyn) analyzer rules from the roslyn-analyzer project that have high severity and are enabled by default. See Overview of source code analysis for more information about Roslyn analyzers.

Security Compliance Pack

This compliance pack includes test configurations that help you enforce security coding standards and practices. See Compliance Packs Rule Mapping for information how the standards are mapped to dotTEST's rules.

Security Compliance Pack requires dedicated license features to be activated. Contact Parasoft Support for more details on licensing.

Displaying compliance results on DTP

Some test configurations in this category have a corresponding "Compliance" extension on DTP, which allows you to view your security compliance status, generate compliance reports, and monitor the progress towards your security compliance goals. See the "Extensions for DTP" section in the DTP documentation for the list of available extensions, requirements, and usage.

Built-in Test Configuration	Description
CWE 4.9	Includes rules that find issues identified in the CWE standard v4.9. This test configuration is part of Parasoft Compliance Pack solution that allows you to monitor compliance with industry standards using the "Compliance" extensions on DTP.
CWE Top 25 2022	Includes rules that find issues classified as Top 25 Most Dangerous Programming Errors of the CWE standard v.2022. This test configuration is part of Parasoft Compliance Pack solution that allows you to monitor compliance with industry standards using the "Compliance" extensions on DTP.
CWE Top 25 2021	Includes rules that find issues classified as Top 25 Most Dangerous Programming Errors of the CWE standard v.2021. This test configuration is part of Parasoft Compliance Pack solution that allows you to monitor compliance with industry standards using the "Compliance" extensions on DTP.
CWE Top 25 + On the Cusp 2022	Includes rules that find issues classified as Top 25 Most Dangerous Programming Errors of the CWE standard or included on the CWE Weaknesses On the Cusp list v.2022. This test configuration is part of Parasoft Compliance Pack solution that allows you to monitor compliance with industry standards using the "Compliance" extensions on DTP.
CWE Top 25 + On the Cusp 2021	Includes rules that find issues classified as Top 25 Most Dangerous Programming Errors of the CWE standard or included on the CWE Weaknesses On the Cusp list v.2021. This test configuration is part of Parasoft Compliance Pack solution that allows you to monitor compliance with industry standards using the "Compliance" extensions on DTP.
DISA-ASD-STIG	Includes rules that find issues identified in Application Security and Development STIG (Security Technical Implementation Guide) provided by Defense Information Systems Agency.
HIPAA	Includes rules that find issues identified by the HIPAA (Health Insurance Portability and Accountability Act) regulations.
OWASP API Security Top 10-2019	Includes rules that find issues identified in OWASP’s API Security Top 10. This test configuration is part of Parasoft Compliance Pack solution that allows you to monitor compliance with industry standards using the "Compliance" extensions on DTP.
OWASP Top 10-2021	Includes rules that find web application security risks identified in the OWASP Top 10 - 2021. This test configuration is part of Parasoft Compliance Pack solution that allows you to monitor compliance with industry standards using the "Compliance" extensions on DTP.
OWASP Top 10-2017	Includes rules that find web application security risks identified in the OWASP Top 10 - 2017. This test configuration is part of Parasoft Compliance Pack solution that allows you to monitor compliance with industry standards using the "Compliance" extensions on DTP.
PCI DSS 4.0	Includes rules that find issues identified in PCI Data Security Standard version 4.0.
PCI DSS 3.2	Includes rules that find issues identified in PCI Data Security Standard version 3.2.
Security Assessment	General test configuration that finds security issues.
UL 2900	Includes rules that find issues identified in the UL-2900 standard.
Microsoft Secure Coding Guidelines	Includes rules that enforce Microsoft Secure Coding Guidelines.
VVSG 2.0	Includes rules that enforce the specifications and requirements defined in Voluntary Voting System Guidelines 2.0.

Unit Testing and Collecting Coverage

This group includes test configurations that allow you to run and collect coverage data for unit tests.

Built-in Test Configuration	Description
Run VSTest Tests	Runs NUnit, MSTest, and xUnit tests that are found in the scope of analysis.
Run VSTest Tests with Coverage	Runs NUnit, MSTest, and xUnit tests that are found in the scope of analysis and monitors coverage.
Calculate Application Coverage	Processes the application coverage data to generate a coverage.xml file. See Application Coverage for Web Applications.
Collect Static Coverage	Generates the static coverage data necessary for application coverage. See Application Coverage for Web Applications.

Compliance Packs Rule Mapping

This section includes rule mapping for the CWE standard. The mapping information for other standards is available in the PDF rule mapping files shipped with Compliance Packs.

CWE Top 25 2022 Mapping

CWE ID	CWE name/description	Parasoft rule ID(s)
CWE-787	Out-of-bounds Write	CWE.787.ARRAY
CWE-79	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')	CWE.79.VPPD CWE.79.TDRESP CWE.79.TDXSS CWE.79.AXSSE CWE.79.CSP
CWE-89	Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')	CWE.89.TDSQL CWE.89.TDSQLC
CWE-20	Improper Input Validation	CWE.20.ARRAY CWE.20.VPPD CWE.20.TDNET CWE.20.TDFNAMES CWE.20.TDCMD CWE.20.TDRESP CWE.20.TDXSS CWE.20.TDSQL CWE.20.TDSQLC
CWE-125	Out-of-bounds Read	CWE.125.ARRAY
CWE-78	Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')	CWE.78.TDCMD
CWE-416	Use After Free	CWE.416.DISP CWE.416.FIN
CWE-22	Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')	CWE.22.TDFNAMES
CWE-352	Cross-Site Request Forgery (CSRF)	CWE.352.VPPD CWE.352.TDRESP CWE.352.VAFT CWE.352.CA3147 CWE.352.CA5391
CWE-434	Unrestricted Upload of File with Dangerous Type	CWE.434.TDFNAMES
CWE-476	NULL Pointer Dereference	CWE.476.NR CWE.476.DEREF CWE.476.CNFA
CWE-502	Deserialization of Untrusted Data	CWE.502.IIDC CWE.502.UIS CWE.502.IDC CWE.502.MGODWSPA CWE.502.CA2350 CWE.502.CA2351 CWE.502.CA2352 CWE.502.CA2353 CWE.502.CA2354 CWE.502.CA2355 CWE.502.CA2356 CWE.502.CA2361 CWE.502.CA2362
CWE-190	Integer Overflow or Wraparound	CWE.190.AIWIL CWE.190.AIOAC CWE.190.INTOVERF
CWE-287	Improper Authentication	CWE.287.TDPASSWD CWE.287.AAM CWE.287.UAAMC CWE.287.LUAFLA CWE.287.IIPHEU CWE.287.CA5359 CWE.287.CA5403 CWE.287.CA5376 CWE.287.CA5390
CWE-798	Use of Hard-coded Credentials	CWE.798.HARDCONN CWE.798.HPW CWE.798.CA5403
CWE-862	Missing Authorization	CWE.862.UAA
CWE-77	Improper Neutralization of Special Elements used in a Command ('Command Injection')	CWE.77.TDCMD
CWE-306	Missing Authentication for Critical Function	CWE.306.ADSVSP
CWE-119	Improper Restriction of Operations within the Bounds of a Memory Buffer	CWE.119.ARRAY
CWE-276	Incorrect Default Permissions	N/A
CWE-918	Server-Side Request Forgery (SSRF)	CWE.918.TDNET CWE.918.CA3147 CWE.918.CA5368 CWE.918.CA5391 CWE.918.CA5395
CWE-362	Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')	CWE.362.LOCKSETGET CWE.362.DIFCS
CWE-400	Uncontrolled Resource Consumption	CWE.400.LEAKS CWE.400.TDLOG CWE.400.CA5362
CWE-611	Improper Restriction of XML External Entity Reference	CWE.611.PDTDP CWE.611.USXRS CWE.611.CA3061 CWE.611.CA3075 CWE.611.CA3077 CWE.611.CA5366 CWE.611.CA5369 CWE.611.CA5370 CWE.611.CA5371 CWE.611.CA5372
CWE-94	Improper Control of Generation of Code ('Code Injection')	CWE.94.TDCODE

CWE Weaknesses On the Cusp 2022 Mapping

CWE ID	CWE name/description	Parasoft rule ID(s)
CWE-295	Improper Certificate Validation	CWE.295.TDCODE
CWE-427	Uncontrolled Search Path Element	CWE.427.DNICV CWE.427.CA5359 CWE.427.CA5403
CWE-863	Incorrect Authorization	CWE.863.CA5393
CWE-269	Improper Privilege Management	CWE.269.AAM CWE.269.UAAMC CWE.269.AUTH
CWE-732	Incorrect Permission Assignment for Critical Resource	CWE.732.IDENTITY CWE.732.CA5375 CWE.732.CA5377
CWE-843	Access of Resource Using Incompatible Type ('Type Confusion')	CWE.843.ADSVSP CWE.843.CA5396
CWE-668	Exposure of Resource to Wrong Sphere	N/A
CWE-200	Exposure of Sensitive Information to an Unauthorized Actor	N/A
CWE-1321	Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')	CWE.1321.SDE CWE.1321.SENS CWE.1321.PEO CWE.1321.ACPST CWE.1321.CSG CWE.1321.SENSLOG CWE.1321.CA3004
CWE-601	URL Redirection to Untrusted Site ('Open Redirect')	N/A
CWE-401	Missing Release of Memory after Effective Lifetime	CWE.401.TDNET CWE.401.TDRESP
CWE-59	Improper Link Resolution Before File Access ('Link Following')	N/A
CWE-522	Insufficiently Protected Credentials	CWE.522.VLT
CWE-319	Cleartext Transmission of Sensitive Information	CWE.319.TDPASSWD
CWE-312	Cleartext Storage of Sensitive Information	N/A

CWE Top 25 2021 Mapping

CWE ID	CWE name/description	Parasoft rule ID(s)
CWE-787	Out-of-bounds Write	CWE.787.ARRAY
CWE-79	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')	CWE.79.VPPD CWE.79.TDRESP CWE.79.TDXSS CWE.79.AXSSE CWE.79.CSP
CWE-125	Out-of-bounds Read	CWE.125.ARRAY
CWE-20	Improper Input Validation	CWE.20.ARRAY CWE.20.VPPD CWE.20.TDNET CWE.20.TDFNAMES CWE.20.TDCMD CWE.20.TDRESP CWE.20.TDXSS CWE.20.TDSQL CWE.20.TDSQLC
CWE-78	Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')	CWE.78.TDCMD
CWE-89	Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')	CWE.89.TDSQL CWE.89.TDSQLC
CWE-416	Use After Free	CWE.416.DISP CWE.416.FIN
CWE-22	Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')	CWE.22.TDFNAMES
CWE-352	Cross-Site Request Forgery (CSRF)	CWE.352.VPPD CWE.352.TDRESP CWE.352.VAFT CWE.352.CA3147 CWE.352.CA5391
CWE-434	Unrestricted Upload of File with Dangerous Type	CWE.434.TDFNAMES
CWE-306	Missing Authentication for Critical Function	CWE.306.ADSVSP
CWE-190	Integer Overflow or Wraparound	CWE.190.AIWIL CWE.190.AIOAC CWE.190.INTOVERF
CWE-502	Deserialization of Untrusted Data	CWE.502.IIDC CWE.502.UIS CWE.502.IDC CWE.502.MGODWSPA CWE.502.CA2350 CWE.502.CA2351 CWE.502.CA2352 CWE.502.CA2353 CWE.502.CA2354 CWE.502.CA2355 CWE.502.CA2356 CWE.502.CA2361 CWE.502.CA2362
CWE-287	Improper Authentication	CWE.287.TDPASSWD CWE.287.AAM CWE.287.UAAMC CWE.287.LUAFLA CWE.287.IIPHEU CWE.287.CA5359 CWE.287.CA5403 CWE.287.CA5376 CWE.287.CA5390
CWE-476	NULL Pointer Dereference	CWE.476.NR CWE.476.DEREF CWE.476.CNFA
CWE-798	Use of Hard-coded Credentials	CWE.798.HARDCONN CWE.798.HPW CWE.798.CA5403
CWE-119	Improper Restriction of Operations within the Bounds of a Memory Buffer	CWE.119.ARRAY
CWE-862	Missing Authorization	CWE.862.UAA
CWE-276	Incorrect Default Permissions	N/A
CWE-200	Exposure of Sensitive Information to an Unauthorized Actor	CWE.200.SDE CWE.200.SENS CWE.200.PEO CWE.200.ACPST CWE.200.CSG CWE.200.SENSLOG CWE.200.CA3004
CWE-522	Insufficiently Protected Credentials	CWE.522.TDPASSWD
CWE-732	Incorrect Permission Assignment for Critical Resource	CWE.732.ADSVSP CWE.732.CA5396
CWE-611	Improper Restriction of XML External Entity Reference	CWE.611.PDTDP CWE.611.USXRS CWE.611.CA3061 CWE.611.CA3075 CWE.611.CA3077 CWE.611.CA5366 CWE.611.CA5369 CWE.611.CA5370 CWE.611.CA5371 CWE.611.CA5372
CWE-918	Server-Side Request Forgery (SSRF)	CWE.918.TDNET CWE.918.CA3147 CWE.918.CA5368 CWE.918.CA5391 CWE.918.CA5395
CWE-77	Improper Neutralization of Special Elements used in a Command ('Command Injection')	CWE.77.TDCMD

CWE Weaknesses On the Cusp 2021 Mapping

CWE ID	CWE name/description	Parasoft rule ID(s)
CWE-295	Improper Certificate Validation	CWE.295.DNICV CWE.295.CA5359 CWE.295.CA5403
CWE-400	Uncontrolled Resource Consumption	CWE.400.LEAKS CWE.400.TDLOG CWE.400.CA5362
CWE-94	Improper Control of Generation of Code ('Code Injection')	CWE.94.TDCODE
CWE-269	Improper Privilege Management	CWE.269.IDENTITY CWE.269.CA5375 CWE.269.CA5377
CWE-917	Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')	N/A
CWE-59	Improper Link Resolution Before File Access ('Link Following')	CWE.59.VLT
CWE-401	Missing Release of Memory after Effective Lifetime	N/A
CWE-362	Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')	CWE.362.LOCKSETGET CWE.362.DIFCS
CWE-427	Uncontrolled Search Path Element	CWE.427.CA5393
CWE-319	Cleartext Transmission of Sensitive Information	N/A
CWE-843	Access of Resource Using Incompatible Type ('Type Confusion')	N/A
CWE-601	URL Redirection to Untrusted Site ('Open Redirect')	CWE.601.TDNET CWE.601.TDRESP
CWE-863	Incorrect Authorization	CWE.863.AAM CWE.863.UAAMC CWE.863.AUTH
CWE-532	Insertion of Sensitive Information into Log File	CWE.532.ALSI CWE.532.SENSLOG
CWE-770	Allocation of Resources Without Limits or Throttling	CWE.770.TDALLOC CWE.770.UHCF CWE.770.CA2014

CWE 4.9 Mapping

CWE ID	CWE name/description	Parasoft rule ID(s)
CWE-20	Improper Input Validation	CWE.20.VPPD CWE.20.TDNET CWE.20.TDFNAMES CWE.20.TDCMD CWE.20.TDRESP CWE.20.TDXSS CWE.20.TDSQL CWE.20.TDSQLC CWE-120.AUK CWE-129.ARRAY CWE-134.TDINPUT CWE-470.TDRFL CWE-190.AIWIL CWE-190.AIOAC CWE-190.INTOVERF
CWE-22	Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')	CWE.22.TDFNAMES
CWE-59	Improper Link Resolution Before File Access ('Link Following')	CWE-64.VLT CWE-1386.VLT
CWE-64	Windows Shortcut Following (.LNK)	CWE.64.VLT
CWE-74	Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')	CWE-88.TDCMD CWE-88.VPPD CWE-89.TDSQL CWE-89.TDSQLC CWE-99.TDFNAMES CWE-99.TDNET CWE-79.TDXSS CWE-79.AXSSE CWE-79.CSP CWE-78.TDCMD
CWE-77	Improper Neutralization of Special Elements used in a Command ('Command Injection')	CWE-624.CA3012 CWE-88.TDCMD CWE-88.VPPD CWE-78.TDCMD
CWE-78	Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')	CWE.78.TDCMD
CWE-79	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')	CWE.79.TDXSS CWE.79.AXSSE CWE.79.CSP CWE-80.VPPD CWE-80.TDRESP
CWE-80	Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)	CWE.80.VPPD CWE.80.TDRESP
CWE-88	Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')	CWE.88.TDCMD CWE.88.VPPD
CWE-89	Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')	CWE.89.TDSQL CWE.89.TDSQLC
CWE-90	Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')	CWE.90.TDLDAP
CWE-94	Improper Control of Generation of Code ('Code Injection')	CWE-95.TDCODE
CWE-95	Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')	CWE.95.TDCODE
CWE-99	Improper Control of Resource Identifiers ('Resource Injection')	CWE.99.TDFNAMES CWE.99.TDNET
CWE-116	Improper Encoding or Escaping of Output	CWE-838.AIHUE CWE-838.CA1054 CWE-838.CA1055 CWE-838.CA1056 CWE-838.CA5365
CWE-119	Improper Restriction of Operations within the Bounds of a Memory Buffer	CWE-125.ARRAY CWE-120.AUK CWE-787.ARRAY
CWE-120	Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')	CWE.120.AUK
CWE-125	Out-of-bounds Read	CWE.125.ARRAY
CWE-129	Improper Validation of Array Index	CWE.129.ARRAY
CWE-131	Incorrect Calculation of Buffer Size	CWE.131.AUK
CWE-134	Use of Externally-Controlled Format String	CWE.134.TDINPUT
CWE-190	Integer Overflow or Wraparound	CWE.190.AIWIL CWE.190.AIOAC CWE.190.INTOVERF
CWE-191	Integer Underflow (Wrap or Wraparound)	CWE.191.AIWIL CWE.191.AIOAC CWE.191.INTOVERF
CWE-197	Numeric Truncation Error	CWE.197.ECLSII
CWE-200	Exposure of Sensitive Information to an Unauthorized Actor	CWE.200.CSG CWE.200.CA3004 CWE-532.ALSI CWE-532.SENSLOG CWE-201.SELSPLAT CWE-209.SDE CWE-209.SENS CWE-209.PEO CWE-209.ACPST
CWE-201	Insertion of Sensitive Information Into Sent Data	CWE.201.SELSPLAT
CWE-209	Generation of Error Message Containing Sensitive Information	CWE.209.SDE CWE.209.SENS CWE.209.PEO CWE.209.ACPST
CWE-212	Improper Removal of Sensitive Information Before Storage or Transfer	CWE.212.CSG
CWE-221	Information Loss or Omission	CWE-397.NTSAE CWE-396.NCSAE
CWE-250	Execution with Unnecessary Privileges	CWE.250.AUEP CWE.250.CA5375 CWE.250.CA5377
CWE-252	Unchecked Return Value	CWE.252.RETVAL CWE.252.CHECKRET
CWE-256	Plaintext Storage of a Password	CWE.256.TDPASSWD
CWE-259	Use of Hard-coded Password	CWE.259.HPW
CWE-269	Improper Privilege Management	CWE.269.IDENTITY CWE-250.AUEP CWE-250.CA5375 CWE-250.CA5377
CWE-284	Improper Access Control	CWE-269.IDENTITY CWE-863.AAM CWE-863.UAAMC CWE-863.AUTH CWE-862.UAA CWE-285.TDSQL CWE-287.AAM CWE-287.UAAMC
CWE-285	Improper Authorization	CWE.285.TDSQL CWE-732.ADSVSP CWE-863.AAM CWE-863.UAAMC CWE-863.AUTH CWE-862.UAA
CWE-287	Improper Authentication	CWE.287.AAM CWE.287.UAAMC CWE-294.CA5376 CWE-295.DNICV CWE-295.CA5359 CWE-295.CA5403 CWE-798.HARDCONN CWE-798.CA5403 CWE-306.ADSVSP CWE-307.LUAFLA
CWE-290	Authentication Bypass by Spoofing	CWE-350.IIPHEU
CWE-294	Authentication Bypass by Capture-replay	CWE.294.CA5376
CWE-295	Improper Certificate Validation	CWE.295.DNICV CWE.295.CA5359 CWE.295.CA5403 CWE-299.CA5399 CWE-299.CA5400
CWE-299	Improper Check for Certificate Revocation	CWE.299.CA5399 CWE.299.CA5400
CWE-306	Missing Authentication for Critical Function	CWE.306.ADSVSP
CWE-307	Improper Restriction of Excessive Authentication Attempts	CWE.307.LUAFLA
CWE-312	Cleartext Storage of Sensitive Information	CWE-316.RSFSS CWE-316.SSFP
CWE-316	Cleartext Storage of Sensitive Information in Memory	CWE.316.RSFSS CWE.316.SSFP
CWE-321	Use of Hard-coded Cryptographic Key	CWE.321.CA5390
CWE-326	Inadequate Encryption Strength	CWE.326.RSAKS CWE-328.ICA
CWE-327	Use of a Broken or Risky Cryptographic Algorithm	CWE.327.DNCCKS CWE.327.ACCA CWE-780.UOWR CWE-328.ICA
CWE-328	Use of Weak Hash	CWE.328.ICA
CWE-329	Generation of Predictable IV with CBC Mode	CWE.329.ACCA
CWE-330	Use of Insufficiently Random Values	CWE.330.USSCR
CWE-344	Use of Invariant Value in Dynamically Changing Context	CWE-798.HARDCONN CWE-798.CA5403
CWE-345	Insufficient Verification of Data Authenticity	CWE-352.VPPD CWE-352.TDRESP CWE-352.VAFT CWE-352.CA3147 CWE-352.CA5391 CWE-494.IREC
CWE-350	Reliance on Reverse DNS Resolution for a Security-Critical Action	CWE.350.IIPHEU
CWE-352	Cross-Site Request Forgery (CSRF)	CWE.352.VPPD CWE.352.TDRESP CWE.352.VAFT CWE.352.CA3147 CWE.352.CA5391
CWE-362	Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')	CWE.362.LOCKSETGET CWE.362.DIFCS
CWE-369	Divide By Zero	CWE.369.ZERO
CWE-391	Unchecked Error Condition	CWE.391.LGE
CWE-395	Use of NullPointerException Catch to Detect NULL Pointer Dereference	CWE.395.NCNRE
CWE-396	Declaration of Catch for Generic Exception	CWE.396.NCSAE
CWE-397	Declaration of Throws for Generic Exception	CWE.397.NTSAE
CWE-400	Uncontrolled Resource Consumption	CWE.400.CA5362 CWE-771.LEAKS CWE-770.UHCF CWE-770.CA2014 CWE-779.TDLOG
CWE-402	Transmission of Private Resources into a New Sphere ('Resource Leak')	CWE.402.CSG
CWE-404	Improper Resource Shutdown or Release	CWE-299.CA5399 CWE-299.CA5400 CWE-772.LEAKS
CWE-412	Unrestricted Externally Accessible Lock	CWE.412.NLT
CWE-416	Use After Free	CWE.416.DISP CWE.416.FIN
CWE-426	Untrusted Search Path	CWE.426.PBRTE
CWE-427	Uncontrolled Search Path Element	CWE.427.CA5393
CWE-434	Unrestricted Upload of File with Dangerous Type	CWE.434.TDFNAMES
CWE-441	Unintended Proxy or Intermediary ('Confused Deputy')	CWE-918.TDNET CWE-918.CA3147 CWE-918.CA5368 CWE-918.CA5391 CWE-918.CA5395
CWE-456	Missing Initialization of a Variable	CWE.456.NOTEXPLINIT
CWE-457	Use of Uninitialized Variable	CWE.457.NOTEXPLINIT
CWE-470	Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')	CWE.470.TDRFL
CWE-476	NULL Pointer Dereference	CWE.476.NR CWE.476.DEREF CWE.476.CNFA
CWE-480	Use of Incorrect Operator	CWE.480.PUO CWE-481.AWC
CWE-481	Assigning instead of Comparing	CWE.481.AWC
CWE-494	Download of Code Without Integrity Check	CWE.494.IREC
CWE-499	Serializable Class Containing Sensitive Data	CWE.499.CSG
CWE-502	Deserialization of Untrusted Data	CWE.502.IIDC CWE.502.UIS CWE.502.IDC CWE.502.MGODWSPA CWE.502.CA2350 CWE.502.CA2351 CWE.502.CA2352 CWE.502.CA2353 CWE.502.CA2354 CWE.502.CA2355 CWE.502.CA2356 CWE.502.CA2361 CWE.502.CA2362
CWE-522	Insufficiently Protected Credentials	CWE-256.TDPASSWD
CWE-532	Insertion of Sensitive Information into Log File	CWE.532.ALSI CWE.532.SENSLOG
CWE-538	Insertion of Sensitive Information into Externally-Accessible File or Directory	CWE-532.ALSI CWE-532.SENSLOG
CWE-546	Suspicious Comment	CWE.546.TODO
CWE-561	Dead Code	CWE.561.UC
CWE-563	Assignment to Variable without Use	CWE.563.POVR CWE.563.VOVR
CWE-570	Expression is Always False	CWE.570.CC
CWE-571	Expression is Always True	CWE.571.CC
CWE-573	Improper Following of Specification by Caller	CWE-329.ACCA
CWE-595	Comparison of Object References Instead of Object Contents	CWE.595.REVT
CWE-601	URL Redirection to Untrusted Site ('Open Redirect')	CWE.601.TDNET CWE.601.TDRESP
CWE-610	Externally Controlled Reference to a Resource in Another Sphere	CWE-601.TDNET CWE-601.TDRESP CWE-470.TDRFL CWE-918.TDNET CWE-918.CA3147 CWE-918.CA5368 CWE-918.CA5391 CWE-918.CA5395 CWE-611.PDTDP CWE-611.USXRS CWE-611.CA3061 CWE-611.CA3075 CWE-611.CA3077 CWE-611.CA5366 CWE-611.CA5369 CWE-611.CA5370 CWE-611.CA5371 CWE-611.CA5372
CWE-611	Improper Restriction of XML External Entity Reference	CWE.611.PDTDP CWE.611.USXRS CWE.611.CA3061 CWE.611.CA3075 CWE.611.CA3077 CWE.611.CA5366 CWE.611.CA5369 CWE.611.CA5370 CWE.611.CA5371 CWE.611.CA5372
CWE-613	Insufficient Session Expiration	CWE.613.ISE
CWE-617	Reachable Assertion	CWE.617.ATA
CWE-624	Executable Regular Expression Error	CWE.624.CA3012
CWE-642	External Control of Critical State Data	CWE-426.PBRTE
CWE-657	Violation of Secure Design Principles	CWE-250.AUEP CWE-250.CA5375 CWE-250.CA5377
CWE-662	Improper Synchronization	CWE.662.DIFCS CWE-833.ORDER
CWE-664	Improper Control of a Resource Through its Lifetime	CWE-662.DIFCS CWE-400.CA5362
CWE-665	Improper Initialization	CWE-456.NOTEXPLINIT CWE-770.UHCF CWE-770.CA2014 CWE-457.NOTEXPLINIT
CWE-667	Improper Locking	CWE-412.NLT CWE-833.ORDER
CWE-668	Exposure of Resource to Wrong Sphere	CWE-22.TDFNAMES CWE-499.CSG CWE-134.TDINPUT CWE-402.CSG CWE-732.ADSVSP CWE-427.CA5393 CWE-426.PBRTE CWE-200.CSG CWE-200.CA3004
CWE-669	Incorrect Resource Transfer Between Spheres	CWE-829.DMSC CWE-829.ADLL CWE-494.IREC CWE-434.TDFNAMES CWE-212.CSG
CWE-670	Always-Incorrect Control Flow Implementation	CWE-480.PUO CWE-617.ATA
CWE-671	Lack of Administrator Control over Security	CWE-798.HARDCONN CWE-798.CA5403
CWE-672	Operation on a Resource after Expiration or Release	CWE-416.DISP CWE-416.FIN CWE-613.ISE
CWE-673	External Influence of Sphere Definition	CWE-426.PBRTE
CWE-676	Use of Potentially Dangerous Function	CWE.676.APDM
CWE-681	Incorrect Conversion between Numeric Types	CWE.681.ECLTS CWE-197.ECLSII
CWE-682	Incorrect Calculation	CWE-369.ZERO CWE-131.AUK CWE-191.AIWIL CWE-191.AIOAC CWE-191.INTOVERF CWE-190.AIWIL CWE-190.AIOAC CWE-190.INTOVERF
CWE-691	Insufficient Control Flow Management	CWE-362.LOCKSETGET CWE-362.DIFCS CWE-662.DIFCS
CWE-693	Protection Mechanism Failure	CWE-807.AUTH CWE-330.USSCR CWE-326.RSAKS CWE-327.DNCCKS CWE-327.ACCA
CWE-703	Improper Check or Handling of Exceptional Conditions	CWE-391.LGE CWE-397.NTSAE
CWE-704	Incorrect Type Conversion or Cast	CWE-681.ECLTS
CWE-705	Incorrect Control Flow Scoping	CWE-397.NTSAE CWE-396.NCSAE CWE-395.NCNRE
CWE-706	Use of Incorrectly-Resolved Name or Reference	CWE-827.PDTDP CWE-22.TDFNAMES
CWE-707	Improper Neutralization	CWE-20.VPPD CWE-20.TDNET CWE-20.TDFNAMES CWE-20.TDCMD CWE-20.TDRESP CWE-20.TDXSS CWE-20.TDSQL CWE-20.TDSQLC
CWE-710	Improper Adherence to Coding Standards	CWE-476.NR CWE-476.DEREF CWE-476.CNFA CWE-571.CC CWE-570.CC
CWE-732	Incorrect Permission Assignment for Critical Resource	CWE.732.ADSVSP CWE-1004.CA5396
CWE-754	Improper Check for Unusual or Exceptional Conditions	CWE-476.NR CWE-476.DEREF CWE-476.CNFA CWE-391.LGE CWE-252.RETVAL CWE-252.CHECKRET
CWE-755	Improper Handling of Exceptional Conditions	CWE-396.NCSAE CWE-395.NCNRE CWE-209.SDE CWE-209.SENS CWE-209.PEO CWE-209.ACPST
CWE-759	Use of a One-Way Hash without a Salt	CWE.759.SALT
CWE-760	Use of a One-Way Hash with a Predictable Salt	CWE.760.SALT
CWE-770	Allocation of Resources Without Limits or Throttling	CWE.770.UHCF CWE.770.CA2014 CWE-789.TDALLOC
CWE-771	Missing Reference to Active Allocated Resource	CWE.771.LEAKS
CWE-772	Missing Release of Resource after Effective Lifetime	CWE.772.LEAKS
CWE-779	Logging of Excessive Data	CWE.779.TDLOG
CWE-780	Use of RSA Algorithm without OAEP	CWE.780.UOWR
CWE-787	Out-of-bounds Write	CWE.787.ARRAY
CWE-789	Memory Allocation with Excessive Size Value	CWE.789.TDALLOC
CWE-798	Use of Hard-coded Credentials	CWE.798.HARDCONN CWE.798.CA5403 CWE-259.HPW CWE-321.CA5390
CWE-799	Improper Control of Interaction Frequency	CWE-307.LUAFLA
CWE-807	Reliance on Untrusted Inputs in a Security Decision	CWE.807.AUTH CWE-350.IIPHEU
CWE-825	Expired Pointer Dereference	CWE-416.DISP CWE-416.FIN
CWE-827	Improper Control of Document Type Definition	CWE.827.PDTDP
CWE-829	Inclusion of Functionality from Untrusted Control Sphere	CWE.829.DMSC CWE.829.ADLL CWE-827.PDTDP
CWE-833	Deadlock	CWE.833.ORDER
CWE-834	Excessive Iteration	CWE-835.IVFLC CWE-835.IVFLI CWE-835.NSIVFLN
CWE-835	Loop with Unreachable Exit Condition ('Infinite Loop')	CWE.835.IVFLC CWE.835.IVFLI CWE.835.NSIVFLN
CWE-838	Inappropriate Encoding for Output Context	CWE.838.AIHUE CWE.838.CA1054 CWE.838.CA1055 CWE.838.CA1056 CWE.838.CA5365
CWE-862	Missing Authorization	CWE.862.UAA
CWE-863	Incorrect Authorization	CWE.863.AAM CWE.863.UAAMC CWE.863.AUTH
CWE-908	Use of Uninitialized Resource	CWE-457.NOTEXPLINIT
CWE-909	Missing Initialization of Resource	CWE-456.NOTEXPLINIT
CWE-913	Improper Control of Dynamically-Managed Code Resources	CWE-470.TDRFL CWE-502.IIDC CWE-502.UIS CWE-502.IDC CWE-502.MGODWSPA CWE-502.CA2350 CWE-502.CA2351 CWE-502.CA2352 CWE-502.CA2353 CWE-502.CA2354 CWE-502.CA2355 CWE-502.CA2356 CWE-502.CA2361 CWE-502.CA2362
CWE-916	Use of Password Hash With Insufficient Computational Effort	CWE-760.SALT CWE-759.SALT
CWE-918	Server-Side Request Forgery (SSRF)	CWE.918.TDNET CWE.918.CA3147 CWE.918.CA5368 CWE.918.CA5391 CWE.918.CA5395
CWE-923	Improper Restriction of Communication Channel to Intended Endpoints	CWE-350.IIPHEU
CWE-943	Improper Neutralization of Special Elements in Data Query Logic	CWE-90.TDLDAP CWE-89.TDSQL CWE-89.TDSQLC
CWE-1004	Sensitive Cookie Without 'HttpOnly' Flag	CWE.1004.CA5396
CWE-1025	Comparison Using Wrong Factors	CWE-595.REVT
CWE-1078	Inappropriate Source Code Style or Formatting	CWE-546.TODO
CWE-1164	Irrelevant Code	CWE-561.UC CWE-563.POVR CWE-563.VOVR
CWE-1177	Use of Prohibited Code	CWE-676.APDM
CWE-1204	Generation of Weak Initialization Vector (IV)	CWE-329.ACCA
CWE-1284	Improper Validation of Specified Quantity in Input	CWE-789.TDALLOC
CWE-1285	Improper Validation of Specified Index, Position, or Offset in Input	CWE-129.ARRAY
CWE-1386	Insecure Operation on Windows Junction / Mount Point	CWE.1386.VLT

Page tree