...

Built-in Test Configuration

Description
CWE 4.15

Includes rules that find issues identified in the CWE standard v4.15.

This test configuration is part of the Parasoft Compliance Pack solution, which allows you to monitor compliance with industry standards using the "Compliance" extensions on DTP.

CWE Top 25 2024

Includes rules that find issues classified as Top 25 Most Dangerous Programming Errors of the CWE standard v.2024.

This test configuration is part of the Parasoft Compliance Pack solution, which allows you to monitor compliance with industry standards using the "Compliance" extensions on DTP.

CWE Top 25 2023

Includes rules that find issues classified as Top 25 Most Dangerous Programming Errors of the CWE standard v.2023.

This test configuration is part of the Parasoft Compliance Pack solution, which allows you to monitor compliance with industry standards using the "Compliance" extensions on DTP.

CWE Top 25 + On the Cusp 2024

Includes rules that find issues classified as Top 25 Most Dangerous Programming Errors of the CWE standard or included on the CWE Weaknesses On the Cusp list v.2024.

This test configuration is part of the Parasoft Compliance Pack solution, which allows you to monitor compliance with industry standards using the "Compliance" extensions on DTP.

CWE Top 25 + On the Cusp 2023

Includes rules that find issues classified as Top 25 Most Dangerous Programming Errors of the CWE standard or included on the CWE Weaknesses On the Cusp list v.2023.

This test configuration is part of the Parasoft Compliance Pack solution, which allows you to monitor compliance with industry standards using the "Compliance" extensions on DTP.

DISA-ASD-STIG

Includes rules that find issues identified in the Application Security and Development STIG (Security Technical Implementation Guide) v.5 provided by the Defense Information Systems Agency.

HIPAA

Includes rules that find issues identified by the HIPAA (Health Insurance Portability and Accountability Act) regulations.
OWASP API Security Top 10-2023

Includes rules that find issues identified in OWASP’s API Security Top 10 - 2023.

This test configuration is part of the Parasoft Compliance Pack solution, which allows you to monitor compliance with industry standards using the "Compliance" extensions on DTP.

OWASP API Security Top 10-2019

Includes rules that find issues identified in OWASP’s API Security Top 10 - 2019.

This test configuration is part of the Parasoft Compliance Pack solution, which allows you to monitor compliance with industry standards using the "Compliance" extensions on DTP.

OWASP ASVS 4.0.3

Includes rules that enforce the requirements defined in the ASVS (Application Security Verification Standard).

OWASP Top 10-2021

Includes rules that find web application security risks identified in the OWASP Top 10 - 2021.

This test configuration is part of the Parasoft Compliance Pack solution, which allows you to monitor compliance with industry standards using the "Compliance" extensions on DTP.

OWASP Top 10-2017

Includes rules that find web application security risks identified in the OWASP Top 10 - 2017.

This test configuration is part of the Parasoft Compliance Pack solution, which allows you to monitor compliance with industry standards using the "Compliance" extensions on DTP.

PCI DSS 4.0

Includes rules that find issues identified in PCI Data Security Standard version 4.0.

PCI DSS 3.2

Includes rules that find issues identified in PCI Data Security Standard version 3.2.

Security Assessment

General test configuration that finds security issues.

UL 2900

Includes rules that find issues identified in the UL-2900 standard.

Microsoft Secure Coding Guidelines

Includes rules that enforce Microsoft Secure Coding Guidelines.

VVSG 2.0

Includes rules that enforce the specifications and requirements defined in Voluntary Voting System Guidelines 2.0.

...

This section includes rule mapping for the CWE standard. The mapping information for other standards is available in the PDF rule mapping files shipped with Compliance Packs.

CWE Top 25

...

2023 Mapping

CWE ID

CWE name/description

Parasoft rule ID(s)

CWE-787

Out-of-bounds Write

  • CWE.787.ARRAY

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

  • CWE.79.VPPD
  • CWE.79.TDRESP
  • CWE.79.TDXSS
  • CWE.79.AXSSE
  • CWE.79.CSP

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

  • CWE.89.TDSQL
  • CWE.89.TDSQLC

CWE-416

Use After Free

  • CWE.416.DISP
  • CWE.416.FIN

CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

  • CWE.78.TDCMD

CWE-20

Improper Input Validation

  • CWE.20.ARRAY
  • CWE.20.VPPD
  • CWE.20.TDNET
  • CWE.20.TDFNAMES
  • CWE.20.TDCMD
  • CWE.20.TDRESP
  • CWE.20.TDXSS
  • CWE.20.TDSQL
  • CWE.20.TDSQLC

CWE-125

Out-of-bounds Read

  • CWE.125.ARRAY

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

  • CWE.22.TDFNAMES

CWE-352

Cross-Site Request Forgery (CSRF)

  • CWE.352.VPPD
  • CWE.352.TDRESP
  • CWE.352.VAFT
  • CWE.352.CA3147
  • CWE.352.CA5391

CWE-434

Unrestricted Upload of File with Dangerous Type

  • CWE.434.TDFNAMES

CWE-862

Missing Authorization

  • CWE.862.UAA

CWE-476

NULL Pointer Dereference

  • CWE.476.NR
  • CWE.476.DEREF
  • CWE.476.CNFA

CWE-287

Improper Authentication

  • CWE.287.TDPASSWD
  • CWE.287.AAM
  • CWE.287.UAAMC
  • CWE.287.LUAFLA
  • CWE.287.IIPHEU
  • CWE.287.CA5359
  • CWE.287.CA5403
  • CWE.287.CA5376
  • CWE.287.CA5390

CWE-190

Integer Overflow or Wraparound

  • CWE.190.AIWIL
  • CWE.190.AIOAC
  • CWE.190.INTWRAP
  • CWE.190.INTDL
  • CWE.190.INTVC

CWE-502

Deserialization of Untrusted Data

  • CWE.502.IIDC
  • CWE.502.UIS
  • CWE.502.IDC
  • CWE.502.MGODWSPA
  • CWE.502.CA2350
  • CWE.502.CA2351
  • CWE.502.CA2352
  • CWE.502.CA2353
  • CWE.502.CA2354
  • CWE.502.CA2355
  • CWE.502.CA2356
  • CWE.502.CA2361
  • CWE.502.CA2362

CWE-77

Improper Neutralization of Special Elements used in a Command ('Command Injection')

  • CWE.77.TDCMD

CWE-119

Improper Restriction of Operations within the Bounds of a Memory Buffer

  • CWE.119.ARRAY

CWE-798

Use of Hard-coded Credentials

  • CWE.798.HARDCONN
  • CWE.798.HPW
  • CWE.798.CA5403

CWE-918

Server-Side Request Forgery (SSRF)

  • CWE.918.TDNET
  • CWE.918.CA3147
  • CWE.918.CA5368
  • CWE.918.CA5391
  • CWE.918.CA5395

CWE-306

Missing Authentication for Critical Function

  • N/A

CWE-362

Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

  • CWE.362.LOCKSETGET
  • CWE.362.DIFCS

CWE-269

Improper Privilege Management

  • CWE.269.IDENTITY
  • CWE.269.CA5375
  • CWE.269.CA5377

CWE-94

Improper Control of Generation of Code ('Code Injection')

  • CWE.94.TDCODE

CWE-863

Incorrect Authorization

  • CWE.863.AAM
  • CWE.863.UAAMC
  • CWE.863.AUTH

CWE-276

Incorrect Default Permissions

  • N/A

CWE Weaknesses On the Cusp

...

2023 Mapping

CWE ID

CWE name/description

Parasoft rule ID(s)

CWE-617

Reachable Assertion

  • CWE.617.ATA

CWE-427

Uncontrolled Search Path Element

  • CWE.427.CA5393

CWE-611

Improper Restriction of XML External Entity Reference

  • CWE.611.PDTDP
  • CWE.611.USXRS
  • CWE.611.CA3061
  • CWE.611.CA3075
  • CWE.611.CA3077
  • CWE.611.CA5366
  • CWE.611.CA5369
  • CWE.611.CA5370
  • CWE.611.CA5371
  • CWE.611.CA5372

CWE-770

Allocation of Resources Without Limits or Throttling

  • CWE.770.UHCF
  • CWE.770.CA2014
  • CWE.770.TDALLOC

CWE Top 25 2022 Mapping

CWE ID

CWE name/description

Parasoft rule ID(s)

CWE-787

Out-of-bounds Write

  • CWE.787.ARRAY

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

  • CWE.79.VPPD
  • CWE.79.TDRESP
  • CWE.79.TDXSS
  • CWE.79.AXSSE
  • CWE.79.CSP

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

  • CWE.89.TDSQL
  • CWE.89.TDSQLC

CWE-20

Improper Input Validation

  • CWE.20.ARRAY
  • CWE.20.VPPD
  • CWE.20.TDNET
  • CWE.20.TDFNAMES
  • CWE.20.TDCMD
  • CWE.20.TDRESP
  • CWE.20.TDXSS
  • CWE.20.TDSQL
  • CWE.20.TDSQLC

CWE-125

Out-of-bounds Read

  • CWE.125.ARRAY

CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

  • CWE.78.TDCMD

CWE-416

Use After Free

  • CWE.416.DISP
  • CWE.416.FIN

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

  • CWE.22.TDFNAMES

CWE-352

Cross-Site Request Forgery (CSRF)

  • CWE.352.VPPD
  • CWE.352.TDRESP
  • CWE.352.VAFT
  • CWE.352.CA3147
  • CWE.352.CA5391

CWE-434

Unrestricted Upload of File with Dangerous Type

  • CWE.434.TDFNAMES

CWE-476

NULL Pointer Dereference

  • CWE.476.NR
  • CWE.476.CNFA

CWE-502

Deserialization of Untrusted Data

  • CWE.502.IIDC
  • CWE.502.UIS
  • CWE.502.IDC
  • CWE.502.MGODWSPA
  • CWE.502.CA2350
  • CWE.502.CA2351
  • CWE.502.CA2352
  • CWE.502.CA2353
  • CWE.502.CA2354
  • CWE.502.CA2355
  • CWE.502.CA2356
  • CWE.502.CA2361
  • CWE.502.CA2362

CWE-190

Integer Overflow or Wraparound

  • CWE.190.AIWIL
  • CWE.190.AIOAC
  • CWE.190.INTWRAP

CWE-287

Improper Authentication

  • CWE.287.TDPASSWD
  • CWE.287.AAM
  • CWE.287.UAAMC
  • CWE.287.LUAFLA
  • CWE.287.IIPHEU
  • CWE.287.CA5359
  • CWE.287.CA5403
  • CWE.287.CA5376
  • CWE.287.CA5390

CWE-798

Use of Hard-coded Credentials

  • CWE.798.HPWCS
  • CWE.798.HARDCONN
  • CWE.798.HPW
  • CWE.798.CA5403

CWE-862

Missing Authorization

  • CWE.862.UAA

CWE-77

Improper Neutralization of Special Elements used in a Command ('Command Injection')

  • CWE.77.TDCMD

CWE-306

Missing Authentication for Critical Function

  • N/A

CWE-119

Improper Restriction of Operations within the Bounds of a Memory Buffer

  • CWE.119.ARRAY

CWE-276

Incorrect Default Permissions

  • N/A

CWE-918

Server-Side Request Forgery (SSRF)

  • CWE.918.TDNET
  • CWE.918.CA3147
  • CWE.918.CA5368
  • CWE.918.CA5391
  • CWE.918.CA5395

CWE-362

Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

  • CWE.362.LOCKSETGET
  • CWE.362.DIFCS

CWE-400

Uncontrolled Resource Consumption

  • CWE.400.LEAKS
  • CWE.400.TDLOG
  • CWE.400.CA5362

CWE-611

Improper Restriction of XML External Entity Reference

  • CWE.611.PDTDP
  • CWE.611.USXRS
  • CWE.611.CA3061
  • CWE.611.CA3075
  • CWE.611.CA3077
  • CWE.611.CA5366
  • CWE.611.CA5369
  • CWE.611.CA5370
  • CWE.611.CA5371
  • CWE.611.CA5372

CWE-94

Improper Control of Generation of Code ('Code Injection')

  • CWE.94.TDCODE

CWE Weaknesses On the Cusp 2022 Mapping

CWE ID

CWE name/description

Parasoft rule ID(s)

CWE-295

Improper Certificate Validation

  • CWE.295.DNICV
  • CWE.295.CA5359
  • CWE.295.CA5403
  • CWE.295.CA5399
  • CWE.295.CA5400

CWE-427

Uncontrolled Search Path Element

  • CWE.427.CA5393

CWE-863

Incorrect Authorization

  • CWE.863.AAM
  • CWE.863.UAAMC
  • CWE.863.AUTH

CWE-269

Improper Privilege Management

  • CWE.269.IDENTITY
  • CWE.269.AUEP
  • CWE.269.CA5375
  • CWE.269.CA5377

CWE-732

Incorrect Permission Assignment for Critical Resource

  • CWE.732.ADSVSP
  • CWE.732.CA5396

CWE-843

Access of Resource Using Incompatible Type ('Type Confusion')

  • N/A

CWE-668

Exposure of Resource to Wrong Sphere

  • CWE.668.TDINPUT
  • CWE.668.TDFNAMES
  • CWE.668.PBRTE
  • CWE.668.CA5393
  • CWE.668.CSG
  • CWE.668.CA3004
  • CWE.668.SELSPLAT
  • CWE.668.SDE
  • CWE.668.SENS
  • CWE.668.PEO
  • CWE.668.ACPST
  • CWE.668.ALSI
  • CWE.668.SENSLOG
  • CWE.668.TDPASSWD
  • CWE.668.ADSVSP
  • CWE.668.CA5396

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

  • CWE.200.SELSPLAT
  • CWE.200.SDE
  • CWE.200.SENS
  • CWE.200.PEO
  • CWE.200.ACPST
  • CWE.200.ALSI
  • CWE.200.SENSLOG
  • CWE.200.CSG
  • CWE.200.CA3004

CWE-1321

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

  • N/A

CWE-601

URL Redirection to Untrusted Site ('Open Redirect')

  • CWE.601.TDNET
  • CWE.601.TDRESP

CWE-401

Missing Release of Memory after Effective Lifetime

  • N/A

CWE-59

Improper Link Resolution Before File Access ('Link Following')

  • CWE.59.VLT

CWE-522

Insufficiently Protected Credentials

  • CWE.522.TDPASSWD

CWE-319

Cleartext Transmission of Sensitive Information

  • N/A

CWE-312

Cleartext Storage of Sensitive Information

  • CWE.312.RSFSS
  • CWE.312.SSFP

...

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

  • CWE.200.SELSPLAT
  • CWE.200.SDE
  • CWE.200.SENS
  • CWE.200.PEO
  • CWE.200.ACPST
  • CWE.200.ALSI
  • CWE.200.SENSLOG
  • CWE.200.CSG
  • CWE.200.CA3004

CWE-732

Incorrect Permission Assignment for Critical Resource

  • CWE.732.ADSVSP
  • CWE.732.CA5396

CWE-601

URL Redirection to Untrusted Site ('Open Redirect')

  • CWE.601.TDNET
  • CWE.601.TDRESP

CWE-1321

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

  • N/A

CWE-295

Improper Certificate Validation

  • CWE.295.DNICV
  • CWE.295.CA5359
  • CWE.295.CA5403
  • CWE.295.CA5399
  • CWE.295.CA5400

CWE-522

Insufficiently Protected Credentials

  • CWE.522.TDPASSWD

CWE-401

Missing Release of Memory after Effective Lifetime

  • N/A

CWE-400

Uncontrolled Resource Consumption

  • CWE.400.CA5362
  • CWE.400.UHCF
  • CWE.400.CA2014
  • CWE.400.TDALLOC
  • CWE.400.LEAKS
  • CWE.400.TDLOG

CWE-639

Authorization Bypass Through User-Controlled Key

  • N/A

CWE-59

Improper Link Resolution Before File Access ('Link Following')

  • CWE.59.VLT

CWE-668

Exposure of Resource to Wrong Sphere

  • CWE.668.TDINPUT
  • CWE.668.TDFNAMES
  • CWE.668.PBRTE
  • CWE.668.CA5393
  • CWE.668.CSG
  • CWE.668.CA3004
  • CWE.668.SELSPLAT
  • CWE.668.SDE
  • CWE.668.SENS
  • CWE.668.PEO
  • CWE.668.ACPST
  • CWE.668.ALSI
  • CWE.668.SENSLOG
  • CWE.668.TDPASSWD
  • CWE.668.ADSVSP
  • CWE.668.CA5396
  • CWE.668.SCS0018
  • CWE.668.SCS0024

CWE Top 25 2022 Mapping

CWE ID

CWE name/description

Parasoft rule ID(s)

CWE-787

Out-of-bounds Write

  • CWE.787.ARRAY

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

  • CWE.79.VPPD
  • CWE.79.TDRESP
  • CWE.79.TDXSS
  • CWE.79.AXSSE
  • CWE.79.CSP

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

  • CWE.89.TDSQL
  • CWE.89.TDSQLC

CWE-20

Improper Input Validation

  • CWE.20.ARRAY
  • CWE.20.VPPD
  • CWE.20.TDNET
  • CWE.20.TDFNAMES
  • CWE.20.TDCMD
  • CWE.20.TDRESP
  • CWE.20.TDXSS
  • CWE.20.TDSQL
  • CWE.20.TDSQLC

CWE-125

Out-of-bounds Read

  • CWE.125.ARRAY

CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

  • CWE.78.TDCMD

CWE-416

Use After Free

  • CWE.416.DISP
  • CWE.416.FIN

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

  • CWE.22.TDFNAMES

CWE-352

Cross-Site Request Forgery (CSRF)

  • CWE.352.VPPD
  • CWE.352.TDRESP
  • CWE.352.VAFT
  • CWE.352.CA3147
  • CWE.352.CA5391

CWE-434

Unrestricted Upload of File with Dangerous Type

  • CWE.434.TDFNAMES

CWE-476

NULL Pointer Dereference

  • CWE.476.NR
  • CWE.476.DEREF
  • CWE.476.CNFA

CWE-502

Deserialization of Untrusted Data

  • CWE.502.IIDC
  • CWE.502.UIS
  • CWE.502.IDC
  • CWE.502.MGODWSPA
  • CWE.502.CA2350
  • CWE.502.CA2351
  • CWE.502.CA2352
  • CWE.502.CA2353
  • CWE.502.CA2354
  • CWE.502.CA2355
  • CWE.502.CA2356
  • CWE.502.CA2361
  • CWE.502.CA2362

CWE-190

Integer Overflow or Wraparound

  • CWE.190.AIWIL
  • CWE.190.AIOAC
  • CWE.190.INTOVERF

CWE-287

Improper Authentication

  • CWE.287.TDPASSWD
  • CWE.287.AAM
  • CWE.287.UAAMC
  • CWE.287.LUAFLA
  • CWE.287.IIPHEU
  • CWE.287.CA5359
  • CWE.287.CA5403
  • CWE.287.CA5376
  • CWE.287.CA5390

CWE-798

Use of Hard-coded Credentials

  • CWE.798.HARDCONN
  • CWE.798.HPW
  • CWE.798.CA5403

CWE-862

Missing Authorization

  • CWE.862.UAA

CWE-77

Improper Neutralization of Special Elements used in a Command ('Command Injection')

  • CWE.77.TDCMD

CWE-306

Missing Authentication for Critical Function

  • N/A

CWE-119

Improper Restriction of Operations within the Bounds of a Memory Buffer

  • CWE.119.ARRAY

CWE-276

Incorrect Default Permissions

  • N/A

CWE-918

Server-Side Request Forgery (SSRF)

  • CWE.918.TDNET
  • CWE.918.CA3147
  • CWE.918.CA5368
  • CWE.918.CA5391
  • CWE.918.CA5395

CWE-362

Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

  • CWE.362.LOCKSETGET
  • CWE.362.DIFCS

CWE-400

Uncontrolled Resource Consumption

  • CWE.400.LEAKS
  • CWE.400.TDLOG
  • CWE.400.CA5362

CWE-611

Improper Restriction of XML External Entity Reference

  • CWE.611.PDTDP
  • CWE.611.USXRS
  • CWE.611.CA3061
  • CWE.611.CA3075
  • CWE.611.CA3077
  • CWE.611.CA5366
  • CWE.611.CA5369
  • CWE.611.CA5370
  • CWE.611.CA5371
  • CWE.611.CA5372

CWE-94

Improper Control of Generation of Code ('Code Injection')

  • CWE.94.TDCODE

CWE Weaknesses On the Cusp 2023 Mapping

CWE ID

CWE name/description

Parasoft rule ID(s)

CWE-617

Reachable Assertion

  • CWE.617.ATA

CWE-427

Uncontrolled Search Path Element

  • CWE.427.CA5393

CWE-611

Improper Restriction of XML External Entity Reference

  • CWE.611.PDTDP
  • CWE.611.USXRS
  • CWE.611.CA3061
  • CWE.611.CA3075
  • CWE.611.CA3077
  • CWE.611.CA5366
  • CWE.611.CA5369
  • CWE.611.CA5370
  • CWE.611.CA5371
  • CWE.611.CA5372

CWE-770

Allocation of Resources Without Limits or Throttling

  • CWE.770.UHCF
  • CWE.770.CA2014
  • CWE.770.TDALLOC

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

  • CWE.200.SELSPLAT
  • CWE.200.SDE
  • CWE.200.SENS
  • CWE.200.PEO
  • CWE.200.ACPST
  • CWE.200.ALSI
  • CWE.200.SENSLOG
  • CWE.200.CSG
  • CWE.200.CA3004

CWE-732

Incorrect Permission Assignment for Critical Resource

  • CWE.732.ADSVSP
  • CWE.732.CA5396

CWE-601

URL Redirection to Untrusted Site ('Open Redirect')

  • CWE.601.TDNET
  • CWE.601.TDRESP

CWE-1321

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

  • N/A

CWE-295

Improper Certificate Validation

  • CWE.295.DNICV
  • CWE.295.CA5359
  • CWE.295.CA5403
  • CWE.295.CA5399
  • CWE.295.CA5400

CWE-522

Insufficiently Protected Credentials

  • CWE.522.TDPASSWD

CWE-401

Missing Release of Memory after Effective Lifetime

  • N/A

CWE-400

Uncontrolled Resource Consumption

  • CWE.400.CA5362
  • CWE.400.UHCF
  • CWE.400.CA2014
  • CWE.400.TDALLOC
  • CWE.400.LEAKS
  • CWE.400.TDLOG

CWE-639

Authorization Bypass Through User-Controlled Key

  • N/A

CWE-59

Improper Link Resolution Before File Access ('Link Following')

  • CWE.59.VLT

CWE-668

Exposure of Resource to Wrong Sphere

  • CWE.668.TDINPUT
  • CWE.668.TDFNAMES
  • CWE.668.PBRTE
  • CWE.668.CA5393
  • CWE.668.CSG
  • CWE.668.CA3004
  • CWE.668.SELSPLAT
  • CWE.668.SDE
  • CWE.668.SENS
  • CWE.668.PEO
  • CWE.668.ACPST
  • CWE.668.ALSI
  • CWE.668.SENSLOG
  • CWE.668.TDPASSWD
  • CWE.668.ADSVSP
  • CWE.668.CA5396

    CWE 4.15 Mapping

    CWE ID

    CWE name/description

    Parasoft rule ID(s)

    CWE-20

    Improper Input Validation

    • CWE.20.VPPD
    • CWE.20.TDNET
    • CWE.20.TDFNAMES
    • CWE.20.TDCMD
    • CWE.20.TDRESP
    • CWE.20.TDXSS
    • CWE.20.TDSQL
    • CWE.20.TDSQLC

    CWE-22

    Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

    • CWE.22.SCS0018
    • CWE.22.TDFNAMES

    CWE-64

    Windows Shortcut Following (.LNK)

    • CWE.64.VLT

    CWE-78

    Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

    • CWE.78.TDCMD

    CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

    • CWE.79.SCS0029
    • CWE.79.TDXSS
    • CWE.79.AXSSE
    • CWE.79.CSP

    CWE-80

    Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)

    • CWE.80.VPPD
    • CWE.80.TDRESP

    CWE-88

    Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')

    • CWE.88.TDCMD
    • CWE.88.VPPD

    CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

    • CWE.89.TDSQL
    • CWE.89.TDSQLC

    CWE-90

    Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')

    • CWE.90.SCS0031
    • CWE.90.SCS0026
    • CWE.90.TDLDAP

    CWE-95

    Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')

    • CWE.95.TDCODE

    CWE-99

    Improper Control of Resource Identifiers ('Resource Injection')

    • CWE.99.TDFNAMES
    • CWE.99.TDNET

    CWE-120

    Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

    • CWE.120.AUK

    CWE-125

    Out-of-bounds Read

    • CWE.125.ARRAY

    CWE-129

    Improper Validation of Array Index

    • CWE.129.ARRAY

    CWE-131

    Incorrect Calculation of Buffer Size

    • CWE.131.AUK

    CWE-134

    Use of Externally-Controlled Format String

    • CWE.134.TDINPUT

    CWE-190

    Integer Overflow or Wraparound

    • CWE.190.AIWIL
    • CWE.190.AIOAC
    • CWE.190.INTWRAP

    CWE-191

    Integer Underflow (Wrap or Wraparound)

    • CWE.191.AIWIL
    • CWE.191.AIOAC
    • CWE.191.INTWRAP

    CWE-197

    Numeric Truncation Error

    • CWE.197.ECLSII
    • CWE.197.INTDL

    CWE-200

    Exposure of Sensitive Information to an Unauthorized Actor

    • CWE.200.CSG
    • CWE.200.CA3004

    CWE-201

    Insertion of Sensitive Information Into Sent Data

    • CWE.201.SELSPLAT

    CWE-209

    Generation of Error Message Containing Sensitive Information

    • CWE.209.SDE
    • CWE.209.SENS
    • CWE.209.PEO
    • CWE.209.ACPST

    CWE-212

    Improper Removal of Sensitive Information Before Storage or Transfer

    • CWE.212.CSG

    CWE-250

    Execution with Unnecessary Privileges

    • CWE.250.AUEP
    • CWE.250.CA5375
    • CWE.250.CA5377

    CWE-252

    Unchecked Return Value

    • CWE.252.RETVAL
    • CWE.252.CHECKRET

    CWE-256

    Plaintext Storage of a Password

    • CWE.256.TDPASSWD

    CWE-259

    Use of Hard-coded Password

    • CWE.259.HPW
    • CWE.259.SCS0015

    CWE-260

    Password in Configuration File

    • CWE.260.HPWCS

    CWE-269

    Improper Privilege Management

    • CWE.269.IDENTITY

    CWE-287

    Improper Authentication

    • CWE.287.AAM
    • CWE.287.UAAMC

    CWE-294

    Authentication Bypass by Capture-replay

    • CWE.294.CA5376

    CWE-295

    Improper Certificate Validation

    • CWE.295.DNICV
    • CWE.295.CA5359
    • CWE.295.CA5403

    CWE-299

    Improper Check for Certificate Revocation

    • CWE.299.CA5399
    • CWE.299.CA5400

    CWE-307

    Improper Restriction of Excessive Authentication Attempts

    • CWE.307.LUAFLA

    CWE-311

    Missing Encryption of Sensitive Data

    • CWE.311.SCS0023

    CWE-316

    Cleartext Storage of Sensitive Information in Memory

    • CWE.316.RSFSS
    • CWE.316.SSFP

    CWE-319

    Cleartext Transmission of Sensitive Information

    • CWE.319.RHTTPS

    CWE-321

    Use of Hard-coded Cryptographic Key

    • CWE.321.CA5390

    CWE-326

    Inadequate Encryption Strength

    • CWE.326.RSAKS

    CWE-327

    Use of a Broken or Risky Cryptographic Algorithm

    • CWE.327.SCS0010
    • CWE.327.SCS0013
    • CWE.327.DNCCKS
    • CWE.327.ACCA

    CWE-328

    Use of Weak Hash

    • CWE.328.SCS0006

    CWE-329

    Generation of Predictable IV with CBC Mode

    • CWE.329.ACCA

    CWE-338

    Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)

    • CWE.338.USSCR

    CWE-350

    Reliance on Reverse DNS Resolution for a Security-Critical Action

    • CWE.350.IIPHEU

    CWE-352

    Cross-Site Request Forgery (CSRF)

    • CWE.352.VPPD
    • CWE.352.TDRESP
    • CWE.352.CA3147
    • CWE.352.CA5391
    • CWE.352.SCS0016

    CWE-362

    Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

    • CWE.362.LOCKSETGET
    • CWE.362.DIFCS

    CWE-369

    Divide By Zero

    • CWE.369.ZERO

    CWE-391

    Unchecked Error Condition

    • CWE.391.LGE

    CWE-395

    Use of NullPointerException Catch to Detect NULL Pointer Dereference

    • CWE.395.NCNRE

    CWE-396

    Declaration of Catch for Generic Exception

    • CWE.396.NCSAE

    CWE-397

    Declaration of Throws for Generic Exception

    • CWE.397.NTSAE

    CWE-400

    Uncontrolled Resource Consumption

    • CWE.400.CA5362

    CWE-402

    Transmission of Private Resources into a New Sphere ('Resource Leak')

    • CWE.402.CSG

    CWE-412

    Unrestricted Externally Accessible Lock

    • CWE.412.NLT

    CWE-416

    Use After Free

    • CWE.416.DISP
    • CWE.416.FIN

    CWE-426

    Untrusted Search Path

    • CWE.426.PBRTE

    CWE-427

    Uncontrolled Search Path Element

    • CWE.427.CA5393

    CWE-434

    Unrestricted Upload of File with Dangerous Type

    • CWE.434.TDFNAMES

    CWE-456

    Missing Initialization of a Variable

    • CWE.456.NOTEXPLINIT

    CWE-457

    Use of Uninitialized Variable

    • CWE.457.NOTEXPLINIT

    CWE-470

    Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')

    • CWE.470.TDRFL

    CWE-472

    External Control of Assumed-Immutable Web Parameter

    • CWE.472.SCS0024

    CWE-476

    NULL Pointer Dereference

    • CWE.476.NR
    • CWE.476.CNFA

    CWE-480

    Use of Incorrect Operator

    • CWE.480.PUO

    CWE-481

    Assigning instead of Comparing

    • CWE.481.AWC

    CWE-494

    Download of Code Without Integrity Check

    • CWE.494.IREC

    CWE-499

    Serializable Class Containing Sensitive Data

    • CWE.499.CSG

    CWE-502

    Deserialization of Untrusted Data

    • CWE.502.IIDC
    • CWE.502.UIS
    • CWE.502.IDC
    • CWE.502.MGODWSPA
    • CWE.502.CA2300
    • CWE.502.CA2350
    • CWE.502.CA2351
    • CWE.502.CA2352
    • CWE.502.CA2353
    • CWE.502.CA2354
    • CWE.502.CA2355
    • CWE.502.CA2356
    • CWE.502.CA2361
    • CWE.502.CA2362
    • CWE.502.SCS0028

    CWE-521

    Weak Password Requirements

    • CWE.521.SCS0032
    • CWE.521.SCS0033
    • CWE.521.SCS0034

    CWE-532

    Insertion of Sensitive Information into Log File

    • CWE.532.ALSI
    • CWE.532.SENSLOG

    CWE-546

    Suspicious Comment

    • CWE.546.TODO

    CWE-554

    ASP.NET Misconfiguration: Not Using Input Validation Framework

    • CWE.554.SCS0017
    • CWE.554.SCS0021
    • CWE.554.SCS0030
    • CWE.554.SCS0022

    CWE-561

    Dead Code

    • CWE.561.UC

    CWE-563

    Assignment to Variable without Use

    • CWE.563.VOVR

    CWE-570

    Expression is Always False

    • CWE.570.CC

    CWE-571

    Expression is Always True

    • CWE.571.CC

    CWE-595

    Comparison of Object References Instead of Object Contents

    • CWE.595.REVT

    CWE-601

    URL Redirection to Untrusted Site ('Open Redirect')

    • CWE.601.TDNET
    • CWE.601.TDRESP

    CWE-611

    Improper Restriction of XML External Entity Reference

    • CWE.611.PDTDP
    • CWE.611.USXRS
    • CWE.611.CA3061
    • CWE.611.CA3075
    • CWE.611.CA3077
    • CWE.611.CA5366
    • CWE.611.CA5369
    • CWE.611.CA5370
    • CWE.611.CA5371
    • CWE.611.CA5372

    CWE-613

    Insufficient Session Expiration

    • CWE.613.ISE

    CWE-614

    Sensitive Cookie in HTTPS Session Without 'Secure' Attribute

    • CWE.614.SCS0008

    CWE-617

    Reachable Assertion

    • CWE.617.ATA

    CWE-624

    Executable Regular Expression Error

    • CWE.624.CA3012

    CWE-638

    Not Using Complete Mediation

    • CWE.638.SCS0019

    CWE-643

    Improper Neutralization of Data within XPath Expressions ('XPath Injection')

    • CWE.643.SCS0003

    CWE-662

    Improper Synchronization

    • CWE.662.DIFCS

    CWE-676

    Use of Potentially Dangerous Function

    • CWE.676.APDM

    CWE-681

    Incorrect Conversion between Numeric Types

    • CWE.681.ECLTS
    • CWE.681.INTDL
    • CWE.681.INTVC

    CWE-732

    Incorrect Permission Assignment for Critical Resource

    • CWE.732.ADSVSP

    CWE-759

    Use of a One-Way Hash without a Salt

    • CWE.759.SALT

    CWE-760

    Use of a One-Way Hash with a Predictable Salt

    • CWE.760.SALT

    CWE-770

    Allocation of Resources Without Limits or Throttling

    • CWE.770.UHCF
    • CWE.770.CA2014

    CWE-771

    Missing Reference to Active Allocated Resource

    • CWE.771.LEAKS

    CWE-772

    Missing Release of Resource after Effective Lifetime

    • CWE.772.LEAKS

    CWE-778

    Insufficient Logging

    • CWE.778.GEL

    CWE-779

    Logging of Excessive Data

    • CWE.779.TDLOG

    CWE-780

    Use of RSA Algorithm without OAEP

    • CWE.780.UOWR

    CWE-787

    Out-of-bounds Write

    • CWE.787.ARRAY

    CWE-789

    Memory Allocation with Excessive Size Value

    • CWE.789.TDALLOC

    CWE-798

    Use of Hard-coded Credentials

    • CWE.798.HARDCONN
    • CWE.798.CA5403
    • CWE.798.HPWCS

    CWE-807

    Reliance on Untrusted Inputs in a Security Decision

    • CWE.807.AUTH

    CWE-827

    Improper Control of Document Type Definition

    • CWE.827.PDTDP

    CWE-829

    Inclusion of Functionality from Untrusted Control Sphere

    • CWE.829.DMSC
    • CWE.829.ADLL

    CWE-833

    Deadlock

    • CWE.833.ORDER

    CWE-835

    Loop with Unreachable Exit Condition ('Infinite Loop')

    • CWE.835.IVFLC
    • CWE.835.IVFLI
    • CWE.835.NSIVFLN

    CWE-838

    Inappropriate Encoding for Output Context

    • CWE.838.AIHUE
    • CWE.838.CA1054
    • CWE.838.CA1055
    • CWE.838.CA1056
    • CWE.838.CA5365

    CWE-862

    Missing Authorization

    • CWE.862.UAA

    CWE-863

    Incorrect Authorization

    • CWE.863.AAM
    • CWE.863.UAAMC
    • CWE.863.AUTH

    CWE-918

    Server-Side Request Forgery (SSRF)

    • CWE.918.TDNET
    • CWE.918.CA3147
    • CWE.918.CA5368
    • CWE.918.CA5391
    • CWE.918.CA5395

    CWE-1004

    Sensitive Cookie Without 'HttpOnly' Flag

    • CWE.1004.CA5396

    CWE-1386

    Insecure Operation on Windows Junction / Mount Point

    • CWE.1386.VLT