CWE 4.17 Mapping
ID | Name/description | Parasoft rule ID(s) |
---|---|---|
CWE-6 | J2EE Misconfiguration: Insufficient Session-ID Length | |
CWE-7 | J2EE Misconfiguration: Missing Custom Error Page | |
CWE-8 | J2EE Misconfiguration: Entity Bean Declared Remote | |
CWE-9 | J2EE Misconfiguration: Weak Access Permissions for EJB Methods | |
CWE-15 | External Control of System or Configuration Setting | |
CWE-20 | Improper Input Validation | |
CWE-22 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') | |
CWE-59 | Improper Link Resolution Before File Access ('Link Following') | |
CWE-61 | UNIX Symbolic Link (Symlink) Following | |
CWE-64 | Windows Shortcut Following (.LNK) | |
CWE-73 | External Control of File Name or Path | |
CWE-74 | Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') | |
CWE-77 | Improper Neutralization of Special Elements used in a Command ('Command Injection') | |
CWE-78 | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') | |
CWE-79 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | |
CWE-80 | Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) | |
CWE-81 | Improper Neutralization of Script in an Error Message Web Page | |
CWE-83 | Improper Neutralization of Script in Attributes in a Web Page | |
CWE-89 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | |
CWE-90 | Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection') | |
CWE-91 | XML Injection (aka Blind XPath Injection) | |
CWE-93 | Improper Neutralization of CRLF Sequences ('CRLF Injection') | |
CWE-94 | Improper Control of Generation of Code ('Code Injection') | |
CWE-95 | Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') | |
CWE-99 | Improper Control of Resource Identifiers ('Resource Injection') | |
CWE-102 | Struts: Duplicate Validation Forms | |
CWE-103 | Struts: Incomplete validate() Method Definition | |
CWE-104 | Struts: Form Bean Does Not Extend Validation Class | |
CWE-106 | Struts: Plug-in Framework not in Use | |
CWE-109 | Struts: Validator Turned Off | |
CWE-111 | Direct Use of Unsafe JNI | |
CWE-113 | Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') | |
CWE-114 | Process Control | |
CWE-116 | Improper Encoding or Escaping of Output | |
CWE-117 | Improper Output Neutralization for Logs | |
CWE-119 | Improper Restriction of Operations within the Bounds of a Memory Buffer | |
CWE-125 | Out-of-bounds Read | |
CWE-128 | Wrap-around Error | |
CWE-129 | Improper Validation of Array Index | |
CWE-131 | Incorrect Calculation of Buffer Size | |
CWE-134 | Use of Externally-Controlled Format String | |
CWE-172 | Encoding Error | |
CWE-173 | Improper Handling of Alternate Encoding | |
CWE-176 | Improper Handling of Unicode Encoding | |
CWE-185 | Incorrect Regular Expression | |
CWE-188 | Reliance on Data/Memory Layout | |
CWE-190 | Integer Overflow or Wraparound | |
CWE-191 | Integer Underflow (Wrap or Wraparound) | |
CWE-193 | Off-by-one Error | |
CWE-197 | Numeric Truncation Error | |
CWE-198 | Use of Incorrect Byte Ordering | |
CWE-200 | Exposure of Sensitive Information to an Unauthorized Actor | |
CWE-209 | Generation of Error Message Containing Sensitive Information | |
CWE-212 | Improper Removal of Sensitive Information Before Storage or Transfer | |
CWE-213 | Exposure of Sensitive Information Due to Incompatible Policies | |
CWE-215 | Insertion of Sensitive Information Into Debugging Code | |
CWE-221 | Information Loss or Omission | |
CWE-223 | Omission of Security-relevant Information | |
CWE-245 | J2EE Bad Practices: Direct Management of Connections | |
CWE-246 | J2EE Bad Practices: Direct Use of Sockets | |
CWE-248 | Uncaught Exception | |
CWE-250 | Execution with Unnecessary Privileges | |
CWE-252 | Unchecked Return Value | |
CWE-256 | Plaintext Storage of a Password | |
CWE-258 | Empty Password in Configuration File | |
CWE-260 | Password in Configuration File | |
CWE-261 | Weak Encoding for Password | |
CWE-266 | Incorrect Privilege Assignment | |
CWE-269 | Improper Privilege Management | |
CWE-276 | Incorrect Default Permissions | |
CWE-279 | Incorrect Execution-Assigned Permissions | |
CWE-284 | Improper Access Control | |
CWE-285 | Improper Authorization | |
CWE-287 | Improper Authentication | |
CWE-290 | Authentication Bypass by Spoofing | |
CWE-295 | Improper Certificate Validation | |
CWE-297 | Improper Validation of Certificate with Host Mismatch | |
CWE-306 | Missing Authentication for Critical Function | |
CWE-307 | Improper Restriction of Excessive Authentication Attempts | |
CWE-311 | Missing Encryption of Sensitive Data | |
CWE-312 | Cleartext Storage of Sensitive Information | |
CWE-313 | Cleartext Storage in a File or on Disk | |
CWE-315 | Cleartext Storage of Sensitive Information in a Cookie | |
CWE-319 | Cleartext Transmission of Sensitive Information | |
CWE-321 | Use of Hard-coded Cryptographic Key | |
CWE-325 | Missing Cryptographic Step | |
CWE-326 | Inadequate Encryption Strength | |
CWE-327 | Use of a Broken or Risky Cryptographic Algorithm | |
CWE-328 | Use of Weak Hash | |
CWE-329 | Generation of Predictable IV with CBC Mode | |
CWE-330 | Use of Insufficiently Random Values | |
CWE-334 | Small Space of Random Values | |
CWE-335 | Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG) | |
CWE-336 | Same Seed in Pseudo-Random Number Generator (PRNG) | |
CWE-337 | Predictable Seed in Pseudo-Random Number Generator (PRNG) | |
CWE-338 | Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) | |
CWE-344 | Use of Invariant Value in Dynamically Changing Context | |
CWE-345 | Insufficient Verification of Data Authenticity | |
CWE-346 | Origin Validation Error | |
CWE-347 | Improper Verification of Cryptographic Signature | |
CWE-350 | Reliance on Reverse DNS Resolution for a Security-Critical Action | |
CWE-352 | Cross-Site Request Forgery (CSRF) | |
CWE-359 | Exposure of Private Personal Information to an Unauthorized Actor | |
CWE-362 | Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') | |
CWE-367 | Time-of-check Time-of-use (TOCTOU) Race Condition | |
CWE-369 | Divide By Zero | |
CWE-375 | Returning a Mutable Object to an Untrusted Caller | |
CWE-377 | Insecure Temporary File | |
CWE-382 | J2EE Bad Practices: Use of System.exit() | |
CWE-383 | J2EE Bad Practices: Direct Use of Threads | |
CWE-384 | Session Fixation | |
CWE-390 | Detection of Error Condition Without Action | |
CWE-391 | Unchecked Error Condition | |
CWE-395 | Use of NullPointerException Catch to Detect NULL Pointer Dereference | |
CWE-396 | Declaration of Catch for Generic Exception | |
CWE-397 | Declaration of Throws for Generic Exception | |
CWE-400 | Uncontrolled Resource Consumption | |
CWE-404 | Improper Resource Shutdown or Release | |
CWE-413 | Improper Resource Locking | |
CWE-416 | Use After Free | |
CWE-426 | Untrusted Search Path | |
CWE-427 | Uncontrolled Search Path Element | |
CWE-434 | Unrestricted Upload of File with Dangerous Type | |
CWE-436 | Interpretation Conflict | |
CWE-441 | Unintended Proxy or Intermediary ('Confused Deputy') | |
CWE-456 | Missing Initialization of a Variable | |
CWE-457 | Use of Uninitialized Variable | |
CWE-459 | Incomplete Cleanup | |
CWE-470 | Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') | |
CWE-471 | Modification of Assumed-Immutable Data (MAID) | |
CWE-476 | NULL Pointer Dereference | |
CWE-477 | Use of Obsolete Function | |
CWE-478 | Missing Default Case in Multiple Condition Expression | |
CWE-480 | Use of Incorrect Operator | |
CWE-481 | Assigning instead of Comparing | |
CWE-483 | Incorrect Block Delimitation | |
CWE-484 | Omitted Break Statement in Switch | |
CWE-486 | Comparison of Classes by Name | |
CWE-487 | Reliance on Package-level Scope | |
CWE-491 | Public cloneable() Method Without Final ('Object Hijack') | |
CWE-492 | Use of Inner Class Containing Sensitive Data | |
CWE-493 | Critical Public Variable Without Final Modifier | |
CWE-495 | Private Data Structure Returned From A Public Method | |
CWE-496 | Public Data Assigned to Private Array-Typed Field | |
CWE-497 | Exposure of Sensitive System Information to an Unauthorized Control Sphere | |
CWE-499 | Serializable Class Containing Sensitive Data | |
CWE-500 | Public Static Field Not Marked Final | |
CWE-501 | Trust Boundary Violation | |
CWE-502 | Deserialization of Untrusted Data | |
CWE-506 | Embedded Malicious Code | |
CWE-511 | Logic/Time Bomb | |
CWE-521 | Weak Password Requirements | |
CWE-522 | Insufficiently Protected Credentials | |
CWE-523 | Unprotected Transport of Credentials | |
CWE-532 | Insertion of Sensitive Information into Log File | |
CWE-538 | Insertion of Sensitive Information into Externally-Accessible File or Directory | |
CWE-543 | Use of Singleton Pattern Without Synchronization in a Multithreaded Context | |
CWE-546 | Suspicious Comment | |
CWE-555 | J2EE Misconfiguration: Plaintext Password in Configuration File | |
CWE-561 | Dead Code | |
CWE-563 | Assignment to Variable without Use | |
CWE-568 | finalize() Method Without super.finalize() | |
CWE-570 | Expression is Always False | |
CWE-571 | Expression is Always True | |
CWE-572 | Call to Thread run() instead of start() | |
CWE-573 | Improper Following of Specification by Caller | |
CWE-576 | EJB Bad Practices: Use of Java I/O | |
CWE-577 | EJB Bad Practices: Use of Sockets | |
CWE-578 | EJB Bad Practices: Use of Class Loader | |
CWE-579 | J2EE Bad Practices: Non-serializable Object Stored in Session | |
CWE-580 | clone() Method Without super.clone() | |
CWE-581 | Object Model Violation: Just One of Equals and Hashcode Defined | |
CWE-582 | Array Declared Public, Final, and Static | |
CWE-583 | finalize() Method Declared Public | |
CWE-584 | Return Inside Finally Block | |
CWE-585 | Empty Synchronized Block | |
CWE-586 | Explicit Call to Finalize() | |
CWE-594 | J2EE Framework: Saving Unserializable Objects to Disk | |
CWE-595 | Comparison of Object References Instead of Object Contents | |
CWE-600 | Uncaught Exception in Servlet | |
CWE-601 | URL Redirection to Untrusted Site ('Open Redirect') | |
CWE-605 | Multiple Binds to the Same Port | |
CWE-607 | Public Static Final Field References Mutable Object | |
CWE-609 | Double-Checked Locking | |
CWE-610 | Externally Controlled Reference to a Resource in Another Sphere | |
CWE-611 | Improper Restriction of XML External Entity Reference | |
CWE-613 | Insufficient Session Expiration | |
CWE-614 | Sensitive Cookie in HTTPS Session Without 'Secure' Attribute | |
CWE-617 | Reachable Assertion | |
CWE-642 | External Control of Critical State Data | |
CWE-643 | Improper Neutralization of Data within XPath Expressions ('XPath Injection') | |
CWE-644 | Improper Neutralization of HTTP Headers for Scripting Syntax | |
CWE-652 | Improper Neutralization of Data within XQuery Expressions ('XQuery Injection') | |
CWE-657 | Violation of Secure Design Principles | |
CWE-662 | Improper Synchronization | |
CWE-664 | Improper Control of a Resource Through its Lifetime | |
CWE-665 | Improper Initialization | |
CWE-666 | Operation on Resource in Wrong Phase of Lifetime | |
CWE-667 | Improper Locking | |
CWE-668 | Exposure of Resource to Wrong Sphere | |
CWE-669 | Incorrect Resource Transfer Between Spheres | |
CWE-670 | Always-Incorrect Control Flow Implementation | |
CWE-671 | Lack of Administrator Control over Security | |
CWE-672 | Operation on a Resource after Expiration or Release | |
CWE-673 | External Influence of Sphere Definition | |
CWE-674 | Uncontrolled Recursion | |
CWE-675 | Multiple Operations on Resource in Single-Operation Context | |
CWE-676 | Use of Potentially Dangerous Function | |
CWE-680 | Integer Overflow to Buffer Overflow | |
CWE-681 | Incorrect Conversion between Numeric Types | |
CWE-682 | Incorrect Calculation | |
CWE-691 | Insufficient Control Flow Management | |
CWE-693 | Protection Mechanism Failure | |
CWE-694 | Use of Multiple Resources with Duplicate Identifier | |
CWE-695 | Use of Low-Level Functionality | |
CWE-697 | Incorrect Comparison | |
CWE-703 | Improper Check or Handling of Exceptional Conditions | |
CWE-704 | Incorrect Type Conversion or Cast | |
CWE-705 | Incorrect Control Flow Scoping | |
CWE-706 | Use of Incorrectly-Resolved Name or Reference | |
CWE-710 | Improper Adherence to Coding Standards | |
CWE-732 | Incorrect Permission Assignment for Critical Resource | |
CWE-749 | Exposed Dangerous Method or Function | |
CWE-754 | Improper Check for Unusual or Exceptional Conditions | |
CWE-755 | Improper Handling of Exceptional Conditions | |
CWE-756 | Missing Custom Error Page | |
CWE-758 | Reliance on Undefined, Unspecified, or Implementation-Defined Behavior | |
CWE-759 | Use of a One-Way Hash without a Salt | |
CWE-764 | Multiple Locks of a Critical Resource | |
CWE-770 | Allocation of Resources Without Limits or Throttling | |
CWE-771 | Missing Reference to Active Allocated Resource | |
CWE-772 | Missing Release of Resource after Effective Lifetime | |
CWE-778 | Insufficient Logging | |
CWE-787 | Out-of-bounds Write | |
CWE-789 | Memory Allocation with Excessive Size Value | |
CWE-798 | Use of Hard-coded Credentials | |
CWE-799 | Improper Control of Interaction Frequency | |
CWE-805 | Buffer Access with Incorrect Length Value | |
CWE-806 | Buffer Access Using Size of Source Buffer | |
CWE-807 | Reliance on Untrusted Inputs in a Security Decision | |
CWE-820 | Missing Synchronization | |
CWE-821 | Incorrect Synchronization | |
CWE-825 | Expired Pointer Dereference | |
CWE-829 | Inclusion of Functionality from Untrusted Control Sphere | |
CWE-832 | Unlock of a Resource that is not Locked | |
CWE-833 | Deadlock | |
CWE-834 | Excessive Iteration | |
CWE-835 | Loop with Unreachable Exit Condition ('Infinite Loop') | |
CWE-836 | Use of Password Hash Instead of Password for Authentication | |
CWE-838 | Inappropriate Encoding for Output Context | |
CWE-841 | Improper Enforcement of Behavioral Workflow | |
CWE-843 | Access of Resource Using Incompatible Type ('Type Confusion') | |
CWE-862 | Missing Authorization | |
CWE-863 | Incorrect Authorization | |
CWE-908 | Use of Uninitialized Resource | |
CWE-909 | Missing Initialization of Resource | |
CWE-912 | Hidden Functionality | |
CWE-913 | Improper Control of Dynamically-Managed Code Resources | |
CWE-916 | Use of Password Hash With Insufficient Computational Effort | |
CWE-918 | Server-Side Request Forgery (SSRF) | |
CWE-922 | Insecure Storage of Sensitive Information | |
CWE-923 | Improper Restriction of Communication Channel to Intended Endpoints | |
CWE-943 | Improper Neutralization of Special Elements in Data Query Logic | |
CWE-1004 | Sensitive Cookie Without 'HttpOnly' Flag | |
CWE-1023 | Incomplete Comparison with Missing Factors | |
CWE-1025 | Comparison Using Wrong Factors | |
CWE-1046 | Creation of Immutable Text Using String Concatenation | |
CWE-1051 | Initialization with Hard-Coded Network Resource Configuration Data | |
CWE-1066 | Missing Serialization Control Element | |
CWE-1069 | Empty Exception Block | |
CWE-1071 | Empty Code Block | |
CWE-1075 | Unconditional Control Flow Transfer outside of Switch Block | |
CWE-1076 | Insufficient Adherence to Expected Conventions | |
CWE-1077 | Floating Point Comparison with Incorrect Operator | |
CWE-1078 | Inappropriate Source Code Style or Formatting | |
CWE-1102 | Reliance on Machine-Dependent Data Representation | |
CWE-1106 | Insufficient Use of Symbolic Constants | |
CWE-1115 | Source Code Element without Standard Prologue | |
CWE-1120 | Excessive Code Complexity | |
CWE-1126 | Declaration of Variable with Unnecessarily Wide Scope | |
CWE-1164 | Irrelevant Code | |
CWE-1173 | Improper Use of Validation Framework | |
CWE-1176 | Inefficient CPU Computation | |
CWE-1177 | Use of Prohibited Code | |
CWE-1204 | Generation of Weak Initialization Vector (IV) | |
CWE-1285 | Improper Validation of Specified Index, Position, or Offset in Input | |
CWE-1385 | Missing Origin Validation in WebSockets | |
CWE-1390 | Weak Authentication | |
CWE-1391 | Use of Weak Credentials | |
CWE-1419 | Incorrect Initialization of Resource | |
CWE-1428 | Reliance on HTTP instead of HTTPS | |