Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Built-in Test ConfigurationDescription
CWE 4.15

Includes rules that find issues identified in the CWE standard v4.15.

(info) This test configuration is part of Parasoft Compliance Pack solution that allows you to monitor compliance with industry standards using the "Compliance" extensions on DTP.

CWE Top 25 20242023

Includes rules that find issues classified as Top 25 Most Dangerous Programming Errors of the CWE standard v.20242023

(info) This test configuration is part of Parasoft Compliance Pack solution that allows you to monitor compliance with industry standards using the "Compliance" extensions on DTP.

CWE Top 25 20232022

Includes rules that find issues classified as Top 25 Most Dangerous Programming Errors of the CWE standard v.20232022

(info) This test configuration is part of Parasoft Compliance Pack solution that allows you to monitor compliance with industry standards using the "Compliance" extensions on DTP.

CWE Top 25 + On the Cusp 20242023

Includes rules that find issues classified as Top 25 Most Dangerous Programming Errors of the CWE standard or included on the CWE Weaknesses On the Cusp list v.20242023.

(info) This test configuration is part of Parasoft Compliance Pack solution that allows you to monitor compliance with industry standards using the "Compliance" extensions on DTP.

CWE Top 25 + On the Cusp 20232022

Includes rules that find issues classified as Top 25 Most Dangerous Programming Errors of the CWE standard or included on the CWE Weaknesses On the Cusp list v.20232022.

(info) This test configuration is part of Parasoft Compliance Pack solution that allows you to monitor compliance with industry standards using the "Compliance" extensions on DTP.

DISA-ASD-STIGIncludes rules that find issues identified in Application Security and Development STIG (Security Technical Implementation Guide) v.5 provided by Defense Information Systems Agency.
HIPAAIncludes rules that find issues identified by the HIPAA (Health Insurance Portability and Accountability Act) regulations.
OWASP API Security Top 10-2023

Includes rules that find issues identified in OWASP’s API Security Top 10 - 2023.

(info) This test configuration is part of Parasoft Compliance Pack solution that allows you to monitor compliance with industry standards using the "Compliance" extensions on DTP.

OWASP API Security Top 10-2019

Includes rules that find issues identified in OWASP’s API Security Top 10 - 2019.

(info) This test configuration is part of Parasoft Compliance Pack solution that allows you to monitor compliance with industry standards using the "Compliance" extensions on DTP.

OWASP ASVS 4.0.3

Includes rules that enforce the requirements defined in the ASVS (Application Security Verification Standard).

OWASP Top 10-2021

Includes rules that find web application security risks identified in the OWASP Top 10 - 2021.

(info) This test configuration is part of Parasoft Compliance Pack solution that allows you to monitor compliance with industry standards using the "Compliance" extensions on DTP.

OWASP Top 10-2017

Includes rules that find web application security risks identified in the OWASP Top 10 - 2017.

(info) This test configuration is part of Parasoft Compliance Pack solution that allows you to monitor compliance with industry standards using the "Compliance" extensions on DTP.

PCI DSS 4.0Includes rules that find issues identified in PCI Data Security Standard version 4.0.
PCI DSS 3.2Includes rules that find issues identified in PCI Data Security Standard version 3.2.
Security AssessmentGeneral test configuration that finds security issues.
UL 2900Includes rules that find issues identified in the UL-2900 standard.
Microsoft Secure Coding GuidelinesIncludes rules that enforce Microsoft Secure Coding Guidelines.
VVSG 2.0Includes rules that enforce the specifications and requirements defined in Voluntary Voting System Guidelines 2.0.

...

This section includes rule mapping for the CWE standard. The mapping information for other standards is available in the PDF rule mapping files shipped with Compliance Packs.

CWE Top 25 2023 Mapping

CWE ID

CWE name/description

Parasoft rule ID(s)

CWE-787

Out-of-bounds Write

  • CWE.787.ARRAY

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

  • CWE.79.VPPD
  • CWE.79.TDRESP
  • CWE.79.TDXSS
  • CWE.79.AXSSE
  • CWE.79.CSP

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

  • CWE.89.TDSQL
  • CWE.89.TDSQLC

CWE-416

Use After Free

  • CWE.416.DISP
  • CWE.416.FIN

CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

  • CWE.78.TDCMD

CWE-20

Improper Input Validation

  • CWE.20.ARRAY
  • CWE.20.VPPD
  • CWE.20.TDNET
  • CWE.20.TDFNAMES
  • CWE.20.TDCMD
  • CWE.20.TDRESP
  • CWE.20.TDXSS
  • CWE.20.TDSQL
  • CWE.20.TDSQLC

CWE-125

Out-of-bounds Read

  • CWE.125.ARRAY

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

  • CWE.22.TDFNAMES

CWE-352

Cross-Site Request Forgery (CSRF)

  • CWE.352.VPPD
  • CWE.352.TDRESP
  • CWE.352.VAFT
  • CWE.352.CA3147
  • CWE.352.CA5391

CWE-434

Unrestricted Upload of File with Dangerous Type

  • CWE.434.TDFNAMES

CWE-862

Missing Authorization

  • CWE.862.UAA

CWE-476

NULL Pointer Dereference

  • CWE.476.NR
  • CWE.476.DEREF
  • CWE.476.CNFA

CWE-287

Improper Authentication

  • CWE.287.TDPASSWD
  • CWE.287.AAM
  • CWE.287.UAAMC
  • CWE.287.LUAFLA
  • CWE.287.IIPHEU
  • CWE.287.CA5359
  • CWE.287.CA5403
  • CWE.287.CA5376
  • CWE.287.CA5390

CWE-190

Integer Overflow or Wraparound

  • CWE.190.AIWIL
  • CWE.190.AIOAC
  • CWE.190.INTWRAP
  • CWE.190.INTDL
  • CWE.190.INTVC

CWE-502

Deserialization of Untrusted Data

  • CWE.502.IIDC
  • CWE.502.UIS
  • CWE.502.IDC
  • CWE.502.MGODWSPA
  • CWE.502.CA2350
  • CWE.502.CA2351
  • CWE.502.CA2352
  • CWE.502.CA2353
  • CWE.502.CA2354
  • CWE.502.CA2355
  • CWE.502.CA2356
  • CWE.502.CA2361
  • CWE.502.CA2362

CWE-77

Improper Neutralization of Special Elements used in a Command ('Command Injection')

  • CWE.77.TDCMD

CWE-119

Improper Restriction of Operations within the Bounds of a Memory Buffer

  • CWE.119.ARRAY

CWE-798

Use of Hard-coded Credentials

  • CWE.798.HARDCONN
  • CWE.798.HPW
  • CWE.798.CA5403

CWE-918

Server-Side Request Forgery (SSRF)

  • CWE.918.TDNET
  • CWE.918.CA3147
  • CWE.918.CA5368
  • CWE.918.CA5391
  • CWE.918.CA5395

CWE-306

Missing Authentication for Critical Function

  • N/A

CWE-362

Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

  • CWE.362.LOCKSETGET
  • CWE.362.DIFCS

CWE-269

Improper Privilege Management

  • CWE.269.IDENTITY
  • CWE.269.CA5375
  • CWE.269.CA5377

CWE-94

Improper Control of Generation of Code ('Code Injection')

  • CWE.94.TDCODE

CWE-863

Incorrect Authorization

  • CWE.863.AAM
  • CWE.863.UAAMC
  • CWE.863.AUTH

CWE-276

Incorrect Default Permissions

  • N/A

CWE Weaknesses On the Cusp 2023 Mapping

CWE ID

CWE name/description

Parasoft rule ID(s

)

CWE-787

Out-of-bounds Write

  • CWE.787.ARRAY

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'

)

  • CWE.79.SCS0029
  • CWE.79.VPPD
  • CWE.79.TDRESP
  • CWE.79.TDXSS
  • CWE.79.AXSSE
  • CWE.79.CSP

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

  • CWE.89.TDSQL
  • CWE.89.TDSQLC

CWE-416

Use After Free

  • CWE.416.DISP
  • CWE.416.FIN

CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

  • CWE.78.TDCMD

CWE-20

Improper Input Validation

  • CWE.20.ARRAY
  • CWE.20.VPPD
  • CWE.20.TDNET
  • CWE.20.TDFNAMES
  • CWE.20.TDCMD
  • CWE.20.TDRESP
  • CWE.20.TDXSS
  • CWE.20.TDSQL
  • CWE.20.TDSQLC
  • CWE.20.SCS0017
  • CWE.20.SCS0021
  • CWE.20.SCS0030
  • CWE.20.SCS0022

CWE-125

Out-of-bounds Read

  • CWE.125.ARRAY

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

  • CWE.22.TDFNAMES
  • CWE.22.SCS0018

CWE-352

Cross-Site Request Forgery (CSRF)

  • CWE.352.VPPD
  • CWE.352.TDRESP
  • CWE.352.VAFT
  • CWE.352.CA3147
  • CWE.352.CA5391
  • CWE.352.SCS0016

CWE-434

Unrestricted Upload of File with Dangerous Type

  • CWE.434.TDFNAMES

CWE-862

Missing Authorization

  • CWE.862.UAA
  • CWE.862.SCS0019

CWE-476

NULL Pointer Dereference

  • CWE.476.NR
  • CWE.476.CNFA

CWE-287

Improper Authentication

  • CWE.287.TDPASSWD
  • CWE.287.AAM
  • CWE.287.UAAMC
  • CWE.287.LUAFLA
  • CWE.287.IIPHEU
  • CWE.287.CA5359
  • CWE.287.CA5403
  • CWE.287.CA5376
  • CWE.287.CA5390
  • CWE.287.SCS0032
  • CWE.287.SCS0033
  • CWE.287.SCS0034

CWE-190

Integer Overflow or Wraparound

  • CWE.190.AIWIL
  • CWE.190.AIOAC
  • CWE.190.INTWRAP

CWE-502

Deserialization of Untrusted Data

  • CWE.502.IIDC
  • CWE.502.UIS
  • CWE.502.IDC
  • CWE.502.MGODWSPA
  • CWE.502.CA2350
  • CWE.502.CA2351
  • CWE.502.CA2352
  • CWE.502.CA2353
  • CWE.502.CA2354
  • CWE.502.CA2355
  • CWE.502.CA2356
  • CWE.502.CA2361
  • CWE.502.CA2362
  • CWE.502.SCS0028

CWE-77

Improper Neutralization of Special Elements used in a Command ('Command Injection')

  • CWE.77.TDCMD

CWE-119

Improper Restriction of Operations within the Bounds of a Memory Buffer

  • CWE.119.ARRAY

CWE-798

Use of Hard-coded Credentials

  • CWE.798.HPWCS
  • CWE.798.HARDCONN
  • CWE.798.HPW
  • CWE.798.SCS0015
  • CWE.798.CA5403

CWE-918

Server-Side Request Forgery (SSRF)

  • CWE.918.TDNET
  • CWE.918.CA3147
  • CWE.918.CA5368
  • CWE.918.CA5391
  • CWE.918.CA5395

CWE-306

Missing Authentication for Critical Function

  • N/A

CWE-362

Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

  • CWE.362.LOCKSETGET
  • CWE.362.DIFCS

CWE-269

Improper Privilege Management

  • CWE.269.IDENTITY
  • CWE.269.CA5375
  • CWE.269.CA5377

CWE-94

Improper Control of Generation of Code ('Code Injection')

  • CWE.94.TDCODE

CWE-863

Incorrect Authorization

  • CWE.863.AAM
  • CWE.863.UAAMC
  • CWE.863.AUTH

CWE-276

Incorrect Default Permissions

N/A

CWE-617

Reachable Assertion

  • CWE.617.ATA

CWE-427

Uncontrolled Search Path Element

  • CWE.427.CA5393

CWE-611

Improper Restriction of XML External Entity Reference

  • CWE.611.PDTDP
  • CWE.611.USXRS
  • CWE.611.CA3061
  • CWE.611.CA3075
  • CWE.611.CA3077
  • CWE.611.CA5366
  • CWE.611.CA5369
  • CWE.611.CA5370
  • CWE.611.CA5371
  • CWE.611.CA5372

CWE-770

Allocation of Resources Without Limits or Throttling

  • CWE.770.UHCF
  • CWE.770.CA2014
  • CWE.770.TDALLOC

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

  • CWE.200.SELSPLAT
  • CWE.200.SDE
  • CWE.200.SENS
  • CWE.200.PEO
  • CWE.200.ACPST
  • CWE.200.ALSI
  • CWE.200.SENSLOG
  • CWE.200.CSG
  • CWE.200.CA3004

CWE-732

Incorrect Permission Assignment for Critical Resource

  • CWE.732.ADSVSP
  • CWE.732.CA5396

CWE-601

URL Redirection to Untrusted Site ('Open Redirect')

  • CWE.601.TDNET
  • CWE.601.TDRESP

CWE-1321

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

  • N/A

CWE-295

Improper Certificate Validation

  • CWE.295.DNICV
  • CWE.295.CA5359
  • CWE.295.CA5403
  • CWE.295.CA5399
  • CWE.295.CA5400

CWE-522

Insufficiently Protected Credentials

  • CWE.522.TDPASSWD

CWE-401

Missing Release of Memory after Effective Lifetime

  • N/A

CWE-400

Uncontrolled Resource Consumption

  • CWE.400.CA5362
  • CWE.400.UHCF
  • CWE.400.CA2014
  • CWE.400.TDALLOC
  • CWE.400.LEAKS
  • CWE.400.TDLOG

CWE-639

Authorization Bypass Through User-Controlled Key

  • N/A

CWE-59

Improper Link Resolution Before File Access ('Link Following')

  • CWE.59.VLT

CWE-668

Exposure of Resource to Wrong Sphere

  • CWE.668.TDINPUT
  • CWE.668.TDFNAMES
  • CWE.668.PBRTE
  • CWE.668.CA5393
  • CWE.668.CSG
  • CWE.668.CA3004
  • CWE.668.SELSPLAT
  • CWE.668.SDE
  • CWE.668.SENS
  • CWE.668.PEO
  • CWE.668.ACPST
  • CWE.668.ALSI
  • CWE.668.SENSLOG
  • CWE.668.TDPASSWD
  • CWE.668.ADSVSP
  • CWE.668.CA5396
  • CWE.668.SCS0018
  • CWE.668.SCS0024

CWE Top 25 2022 Mapping

CWE ID

CWE name/description

Parasoft rule ID(s)

CWE-787

Out-of-bounds Write

  • CWE.787.ARRAY

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

  • CWE.79.VPPD
  • CWE.79.TDRESP
  • CWE.79.TDXSS
  • CWE.79.AXSSE
  • CWE.79.CSP

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

  • CWE.89.TDSQL
  • CWE.89.TDSQLC

CWE-20

Improper Input Validation

  • CWE.20.ARRAY
  • CWE.20.VPPD
  • CWE.20.TDNET
  • CWE.20.TDFNAMES
  • CWE.20.TDCMD
  • CWE.20.TDRESP
  • CWE.20.TDXSS
  • CWE.20.TDSQL
  • CWE.20.TDSQLC

CWE-125

Out-of-bounds Read

  • CWE.125.ARRAY

CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

  • CWE.78.TDCMD

CWE-416

Use After Free

  • CWE.416.DISP
  • CWE.416.FIN

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

  • CWE.22.TDFNAMES

CWE-352

Cross-Site Request Forgery (CSRF)

  • CWE.352.VPPD
  • CWE.352.TDRESP
  • CWE.352.VAFT
  • CWE.352.CA3147
  • CWE.352.CA5391

CWE-434

Unrestricted Upload of File with Dangerous Type

  • CWE.434.TDFNAMES

CWE-476

NULL Pointer Dereference

  • CWE.476.NR
  • CWE.476.DEREF
  • CWE.476.CNFA

CWE-502

Deserialization of Untrusted Data

  • CWE.502.IIDC
  • CWE.502.UIS
  • CWE.502.IDC
  • CWE.502.MGODWSPA
  • CWE.502.CA2350
  • CWE.502.CA2351
  • CWE.502.CA2352
  • CWE.502.CA2353
  • CWE.502.CA2354
  • CWE.502.CA2355
  • CWE.502.CA2356
  • CWE.502.CA2361
  • CWE.502.CA2362

CWE-190

Integer Overflow or Wraparound

  • CWE.190.AIWIL
  • CWE.190.AIOAC
  • CWE.190.INTOVERF

CWE-287

Improper Authentication

  • CWE.287.TDPASSWD
  • CWE.287.AAM
  • CWE.287.UAAMC
  • CWE.287.LUAFLA
  • CWE.287.IIPHEU
  • CWE.287.CA5359
  • CWE.287.CA5403
  • CWE.287.CA5376
  • CWE.287.CA5390

CWE-798

Use of Hard-coded Credentials

  • CWE.798.HARDCONN
  • CWE.798.HPW
  • CWE.798.CA5403

CWE-862

Missing Authorization

  • CWE.862.UAA

CWE-77

Improper Neutralization of Special Elements used in a Command ('Command Injection')

  • CWE.77.TDCMD

CWE-306

Missing Authentication for Critical Function

  • N/A

CWE-119

Improper Restriction of Operations within the Bounds of a Memory Buffer

  • CWE.119.ARRAY

CWE-276

Incorrect Default Permissions

  • N/A

CWE-918

Server-Side Request Forgery (SSRF)

  • CWE.918.TDNET
  • CWE.918.CA3147
  • CWE.918.CA5368
  • CWE.918.CA5391
  • CWE.918.CA5395

CWE-362

Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

  • CWE.362.LOCKSETGET
  • CWE.362.DIFCS

CWE-400

Uncontrolled Resource Consumption

  • CWE.400.LEAKS
  • CWE.400.TDLOG
  • CWE.400.CA5362

CWE-611

Improper Restriction of XML External Entity Reference

  • CWE.611.PDTDP
  • CWE.611.USXRS
  • CWE.611.CA3061
  • CWE.611.CA3075
  • CWE.611.CA3077
  • CWE.611.CA5366
  • CWE.611.CA5369
  • CWE.611.CA5370
  • CWE.611.CA5371
  • CWE.611.CA5372

CWE-94

Improper Control of Generation of Code ('Code Injection')

  • CWE.94.TDCODE

CWE Weaknesses On the Cusp 2022 Mapping

CWE ID

CWE name/description

Parasoft rule ID(s)

CWE-295

Improper Certificate Validation

  • CWE.295.TDCODE

CWE-427

Uncontrolled Search Path Element

  • CWE.427.DNICV
  • CWE.427.CA5359
  • CWE.427.CA5403

CWE-863

Incorrect Authorization

  • CWE.863.CA5393

CWE-269

Improper Privilege Management

  • CWE.269.AAM
  • CWE.269.UAAMC
  • CWE.269.AUTH

CWE-732

Incorrect Permission Assignment for Critical Resource

  • CWE.732.IDENTITY
  • CWE.732.CA5375
  • CWE.732.CA5377

CWE-843

Access of Resource Using Incompatible Type ('Type Confusion')

  • CWE.843.ADSVSP
  • CWE.843.CA5396

CWE-668

Exposure of Resource to Wrong Sphere

  • N/A

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

  • N/A

CWE-1321

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

  • CWE.1321.SDE
  • CWE.1321.SENS
  • CWE.1321.PEO
  • CWE.1321.ACPST
  • CWE.1321.CSG
  • CWE.1321.SENSLOG
  • CWE.1321.CA3004

CWE-601

URL Redirection to Untrusted Site ('Open Redirect')

  • N/A

CWE-401

Missing Release of Memory after Effective Lifetime

  • CWE.401.TDNET
  • CWE.401.TDRESP

CWE-59

Improper Link Resolution Before File Access ('Link Following')

  • N/A

CWE-522

Insufficiently Protected Credentials

  • CWE.522.VLT

CWE-319

Cleartext Transmission of Sensitive Information

  • CWE.319.TDPASSWD

CWE-312

Cleartext Storage of Sensitive Information

  • N/A

CWE 4.15 Mapping

CWE ID

CWE name/description

Parasoft rule ID(s)

CWE-20

Improper Input Validation

  • CWE.20.VPPD
  • CWE.20.TDNET
  • CWE.20.TDFNAMES
  • CWE.20.TDCMD
  • CWE.20.TDRESP
  • CWE.20.TDXSS
  • CWE.20.TDSQL
  • CWE.20.TDSQLC

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

  • CWE.22.SCS0018
  • CWE.22.TDFNAMES

CWE-64

Windows Shortcut Following (.LNK)

  • CWE.64.VLT

CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

  • CWE.78.TDCMD

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

  • CWE.79.SCS0029
  • CWE.79.TDXSS
  • CWE.79.AXSSE
  • CWE.79.CSP

CWE-80

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)

  • CWE.80.VPPD
  • CWE.80.TDRESP

CWE-88

Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')

  • CWE.88.TDCMD
  • CWE.88.VPPD

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

  • CWE.89.TDSQL
  • CWE.89.TDSQLC

CWE-90

Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')

  • CWE.90.SCS0031
  • CWE.90.SCS0026
  • CWE.90.TDLDAP

CWE-95

Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')

  • CWE.95.TDCODE

CWE-99

Improper Control of Resource Identifiers ('Resource Injection')

  • CWE.99.TDFNAMES
  • CWE.99.TDNET

CWE-120

Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

  • CWE.120.AUK

CWE-125

Out-of-bounds Read

  • CWE.125.ARRAY

CWE-129

Improper Validation of Array Index

  • CWE.129.ARRAY

CWE-131

Incorrect Calculation of Buffer Size

  • CWE.131.AUK

CWE-134

Use of Externally-Controlled Format String

  • CWE.134.TDINPUT

CWE-190

Integer Overflow or Wraparound

  • CWE.190.AIWIL
  • CWE.190.AIOAC
  • CWE.190.INTWRAP

CWE-191

Integer Underflow (Wrap or Wraparound)

  • CWE.191.AIWIL
  • CWE.191.AIOAC
  • CWE.191.INTWRAP

CWE-197

Numeric Truncation Error

  • CWE.197.ECLSII
  • CWE.197.INTDL

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

  • CWE.200.CSG
  • CWE.200.CA3004

CWE-201

Insertion of Sensitive Information Into Sent Data

  • CWE.201.SELSPLAT

CWE-209

Generation of Error Message Containing Sensitive Information

  • CWE.209.SDE
  • CWE.209.SENS
  • CWE.209.PEO
  • CWE.209.ACPST

CWE-212

Improper Removal of Sensitive Information Before Storage or Transfer

  • CWE.212.CSG

CWE-250

Execution with Unnecessary Privileges

  • CWE.250.AUEP
  • CWE.250.CA5375
  • CWE.250.CA5377

CWE-252

Unchecked Return Value

  • CWE.252.RETVAL
  • CWE.252.CHECKRET

CWE-256

Plaintext Storage of a Password

  • CWE.256.TDPASSWD

CWE-259

Use of Hard-coded Password

  • CWE.259.HPW
  • CWE.259.SCS0015

CWE-260

Password in Configuration File

  • CWE.260.HPWCS

CWE-269

Improper Privilege Management

  • CWE.269.IDENTITY

CWE-287

Improper Authentication

  • CWE.287.AAM
  • CWE.287.UAAMC

CWE-294

Authentication Bypass by Capture-replay

  • CWE.294.CA5376

CWE-295

Improper Certificate Validation

  • CWE.295.DNICV
  • CWE.295.CA5359
  • CWE.295.CA5403

CWE-299

Improper Check for Certificate Revocation

  • CWE.299.CA5399
  • CWE.299.CA5400

CWE-307

Improper Restriction of Excessive Authentication Attempts

  • CWE.307.LUAFLA

CWE-311

Missing Encryption of Sensitive Data

  • CWE.311.SCS0023

CWE-316

Cleartext Storage of Sensitive Information in Memory

  • CWE.316.RSFSS
  • CWE.316.SSFP

CWE-319

Cleartext Transmission of Sensitive Information

  • CWE.319.RHTTPS

CWE-321

Use of Hard-coded Cryptographic Key

  • CWE.321.CA5390

CWE-326

Inadequate Encryption Strength

  • CWE.326.RSAKS

CWE-327

Use of a Broken or Risky Cryptographic Algorithm

  • CWE.327.SCS0010
  • CWE.327.SCS0013
  • CWE.327.DNCCKS
  • CWE.327.ACCA

CWE-328

Use of Weak Hash

  • CWE.328.SCS0006

CWE-329

Generation of Predictable IV with CBC Mode

  • CWE.329.ACCA

CWE-338

Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)

  • CWE.338.USSCR

CWE-350

Reliance on Reverse DNS Resolution for a Security-Critical Action

  • CWE.350.IIPHEU

CWE-352

Cross-Site Request Forgery (CSRF)

  • CWE.352.VPPD
  • CWE.352.TDRESP
  • CWE.352.CA3147
  • CWE.352.CA5391
  • CWE.352.SCS0016

CWE-362

Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

  • CWE.362.LOCKSETGET
  • CWE.362.DIFCS

CWE-369

Divide By Zero

  • CWE.369.ZERO

CWE-391

Unchecked Error Condition

  • CWE.391.LGE

CWE-395

Use of NullPointerException Catch to Detect NULL Pointer Dereference

  • CWE.395.NCNRE

CWE-396

Declaration of Catch for Generic Exception

  • CWE.396.NCSAE

CWE-397

Declaration of Throws for Generic Exception

  • CWE.397.NTSAE

CWE-400

Uncontrolled Resource Consumption

  • CWE.400.CA5362

CWE-402

Transmission of Private Resources into a New Sphere ('Resource Leak')

  • CWE.402.CSG

CWE-412

Unrestricted Externally Accessible Lock

  • CWE.412.NLT

CWE-416

Use After Free

  • CWE.416.DISP
  • CWE.416.FIN

CWE-426

Untrusted Search Path

  • CWE.426.PBRTE

CWE-427

Uncontrolled Search Path Element

  • CWE.427.CA5393

CWE-434

Unrestricted Upload of File with Dangerous Type

  • CWE.434.TDFNAMES

CWE-456

Missing Initialization of a Variable

  • CWE.456.NOTEXPLINIT

CWE-457

Use of Uninitialized Variable

  • CWE.457.NOTEXPLINIT

CWE-470

Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')

  • CWE.470.TDRFL

CWE-472

External Control of Assumed-Immutable Web Parameter

  • CWE.472.SCS0024

CWE-476

NULL Pointer Dereference

  • CWE.476.NR
  • CWE.476.CNFA

CWE-480

Use of Incorrect Operator

  • CWE.480.PUO

CWE-481

Assigning instead of Comparing

  • CWE.481.AWC

CWE-494

Download of Code Without Integrity Check

  • CWE.494.IREC

CWE-499

Serializable Class Containing Sensitive Data

  • CWE.499.CSG

CWE-502

Deserialization of Untrusted Data

  • CWE.502.IIDC
  • CWE.502.UIS
  • CWE.502.IDC
  • CWE.502.MGODWSPA
  • CWE.502.CA2300
  • CWE.502.CA2350
  • CWE.502.CA2351
  • CWE.502.CA2352
  • CWE.502.CA2353
  • CWE.502.CA2354
  • CWE.502.CA2355
  • CWE.502.CA2356
  • CWE.502.CA2361
  • CWE.502.CA2362
  • CWE.502.SCS0028

CWE-521

Weak Password Requirements

  • CWE.521.SCS0032
  • CWE.521.SCS0033
  • CWE.521.SCS0034

CWE-532

Insertion of Sensitive Information into Log File

  • CWE.532.ALSI
  • CWE.532.SENSLOG

CWE-546

Suspicious Comment

  • CWE.546.TODO

CWE-554

ASP.NET Misconfiguration: Not Using Input Validation Framework

  • CWE.554.SCS0017
  • CWE.554.SCS0021
  • CWE.554.SCS0030
  • CWE.554.SCS0022

CWE-561

Dead Code

  • CWE.561.UC

CWE-563

Assignment to Variable without Use

  • CWE.563.VOVR

CWE-570

Expression is Always False

  • CWE.570.CC

CWE-571

Expression is Always True

  • CWE.571.CC

CWE-595

Comparison of Object References Instead of Object Contents

  • CWE.595.REVT

CWE-601

URL Redirection to Untrusted Site ('Open Redirect')

  • CWE.601.TDNET
  • CWE.601.TDRESP

CWE-611

Improper Restriction of XML External Entity Reference

  • CWE.611.PDTDP
  • CWE.611.USXRS
  • CWE.611.CA3061
  • CWE.611.CA3075
  • CWE.611.CA3077
  • CWE.611.CA5366
  • CWE.611.CA5369
  • CWE.611.CA5370
  • CWE.611.CA5371
  • CWE.611.CA5372

CWE-613

Insufficient Session Expiration

  • CWE.613.ISE

CWE-614

Sensitive Cookie in HTTPS Session Without 'Secure' Attribute

  • CWE.614.SCS0008

CWE-617

Reachable Assertion

  • CWE.617.ATA

CWE-624

Executable Regular Expression Error

  • CWE.624.CA3012

CWE-638

Not Using Complete Mediation

  • CWE.638.SCS0019

CWE-643

Improper Neutralization of Data within XPath Expressions ('XPath Injection')

  • CWE.643.SCS0003

CWE-662

Improper Synchronization

  • CWE.662.DIFCS

CWE-676

Use of Potentially Dangerous Function

  • CWE.676.APDM

CWE-681

Incorrect Conversion between Numeric Types

  • CWE.681.ECLTS
  • CWE.681.INTDL
  • CWE.681.INTVC

CWE-732

Incorrect Permission Assignment for Critical Resource

  • CWE.732.ADSVSP

CWE-759

Use of a One-Way Hash without a Salt

  • CWE.759.SALT

CWE-760

Use of a One-Way Hash with a Predictable Salt

  • CWE.760.SALT

CWE-770

Allocation of Resources Without Limits or Throttling

  • CWE.770.UHCF
  • CWE.770.CA2014

CWE-771

Missing Reference to Active Allocated Resource

  • CWE.771.LEAKS

CWE-772

Missing Release of Resource after Effective Lifetime

  • CWE.772.LEAKS

CWE-778

Insufficient Logging

  • CWE.778.GEL

CWE-779

Logging of Excessive Data

  • CWE.779.TDLOG

CWE-780

Use of RSA Algorithm without OAEP

  • CWE.780.UOWR

CWE-787

Out-of-bounds Write

  • CWE.787.ARRAY

CWE-789

Memory Allocation with Excessive Size Value

  • CWE.789.TDALLOC

CWE-798

Use of Hard-coded Credentials

  • CWE.798.HARDCONN
  • CWE.798.CA5403
  • CWE.798.HPWCS

CWE-807

Reliance on Untrusted Inputs in a Security Decision

  • CWE.807.AUTH

CWE-827

Improper Control of Document Type Definition

  • CWE.827.PDTDP

CWE-829

Inclusion of Functionality from Untrusted Control Sphere

  • CWE.829.DMSC
  • CWE.829.ADLL

CWE-833

Deadlock

  • CWE.833.ORDER

CWE-835

Loop with Unreachable Exit Condition ('Infinite Loop')

  • CWE.835.IVFLC
  • CWE.835.IVFLI
  • CWE.835.NSIVFLN

CWE-838

Inappropriate Encoding for Output Context

  • CWE.838.AIHUE
  • CWE.838.CA1054
  • CWE.838.CA1055
  • CWE.838.CA1056
  • CWE.838.CA5365

CWE-862

Missing Authorization

  • CWE.862.UAA

CWE-863

Incorrect Authorization

  • CWE.863.AAM
  • CWE.863.UAAMC
  • CWE.863.AUTH

CWE-918

Server-Side Request Forgery (SSRF)

  • CWE.918.TDNET
  • CWE.918.CA3147
  • CWE.918.CA5368
  • CWE.918.CA5391
  • CWE.918.CA5395

CWE-1004

Sensitive Cookie Without 'HttpOnly' Flag

  • CWE.1004.CA5396

CWE-1386

Insecure Operation on Windows Junction / Mount Point

  • CWE.1386.VLT