...
This section includes rule mapping for the CWE standard. The mapping information for other standards is available in the PDF rule mapping files shipped with Compliance Packs.
CWE Top 25 Mapping
CWE ID | CWE |
---|
name/description | Parasoft rule ID(s) | |
---|---|---|
CWE-119 | Improper Restriction of Operations within the Bounds of a Memory Buffer |
|
CWE-79 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
|
CWE-20 | Improper Input Validation |
|
| ||
CWE-200 | Information Exposure |
|
CWE-125 | Out-of-bounds Read |
|
CWE-89 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') |
|
CWE-416 | Use After Free |
|
CWE-190 | Integer Overflow or Wraparound |
|
CWE-352 | Cross-Site Request Forgery (CSRF) |
|
CWE-22 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') |
|
CWE-78 | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') |
|
CWE-787 | Out-of-bounds Write |
|
CWE-287 | Improper Authentication |
|
CWE-476 | NULL Pointer Dereference |
|
CWE-732 | Incorrect Permission Assignment for Critical Resource |
|
CWE-434 | Unrestricted Upload of File with Dangerous Type |
|
CWE-611 | Improper Restriction of XML External Entity Reference |
|
CWE-94 | Improper Control of Generation of Code ('Code Injection') |
| ||
CWE-798 | Use of Hard-coded Credentials |
|
CWE-400 | Uncontrolled Resource Consumption |
|
CWE-772 | Missing Release of Resource after Effective Lifetime |
|
CWE-426 | Untrusted Search Path |
| ||
CWE-502 | Deserialization of Untrusted Data |
|
CWE-269 | Improper Privilege Management |
| ||
CWE-295 | Improper Certificate Validation |
|
CWE Weaknesses On the Cusp Mapping
CWE ID | CWE name/description | Parasoft rule ID(s) |
---|---|---|
CWE-835 | Loop with Unreachable Exit Condition ('Infinite Loop') |
|
CWE-522 | Insufficiently Protected Credentials |
| ||
CWE-704 | Incorrect Type Conversion or Cast |
|
CWE-362 | Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') |
|
CWE-918 | Server-Side Request Forgery (SSRF) |
| ||
CWE-415 | Double Free |
|
CWE-601 | URL Redirection to Untrusted Site ('Open Redirect') |
|
CWE-863 | Incorrect Authorization |
|
CWE-862 | Missing Authorization |
|
CWE-532 | Inclusion of Sensitive Information in Log Files |
| ||
CWE-306 | Missing Authentication for Critical Function |
|
CWE-384 | Session Fixation |
|
CWE-326 | Inadequate Encryption Strength |
|
CWE-770 | Allocation of Resources Without Limits or Throttling |
|
| |
CWE-617 | Reachable Assertion |
|
CWE 4.0 Mapping
CWE ID | CWE name/description | Parasoft rule ID(s) |
---|---|---|
CWE-20 | Improper Input Validation |
|
| ||
CWE-22 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') |
|
CWE-77 | Improper Neutralization of Special Elements used in a Command ('Command Injection') |
|
CWE-78 | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') |
|
CWE |
-79 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
|
CWE-80 | Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) |
|
CWE-88 | Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') |
|
CWE-89 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') |
|
CWE-90 | Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection') |
|
CWE-94 | Improper Control of Generation of Code ('Code Injection') |
|
CWE-95 | Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') |
|
CWE-99 | Improper Control of Resource Identifiers ('Resource Injection') |
|
CWE-119 | Improper Restriction of Operations within the Bounds of a Memory Buffer |
|
CWE-120 | Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') |
|
CWE-125 | Out-of-bounds Read |
|
CWE-129 | Improper Validation of Array Index |
|
CWE-131 | Incorrect Calculation of Buffer Size |
|
CWE-134 | Use of Externally-Controlled Format String |
|
CWE-190 | Integer Overflow or Wraparound |
|
CWE-191 | Integer Underflow (Wrap or Wraparound) |
|
CWE-197 | Numeric Truncation Error |
|
CWE-200 | Information Exposure |
|
CWE-201 | Information Exposure Through Sent Data |
|
CWE-209 | Information Exposure Through an Error Message |
|
CWE-212 | Improper Cross-boundary Removal of Sensitive Data |
|
CWE-250 | Execution with Unnecessary Privileges |
|
CWE-252 | Unchecked Return Value |
|
CWE-256 | Unprotected Storage of Credentials |
|
CWE-259 | Use of Hard-coded Password |
|
CWE-269 | Improper Privilege Management |
|
CWE-285 | Improper Authorization |
|
CWE-287 | Improper Authentication |
|
CWE-295 | Improper Certificate Validation |
|
CWE-306 | Missing Authentication for Critical Function |
|
CWE-307 | Improper Restriction of Excessive Authentication Attempts |
|
CWE-316 | Cleartext Storage of Sensitive Information in Memory |
|
CWE-326 | Inadequate Encryption Strength |
|
CWE-327 | Use of a Broken or Risky Cryptographic Algorithm |
|
CWE-328 | Reversible One-Way Hash |
|
CWE-329 | Not Using a Random IV with CBC Mode |
|
CWE-330 | Use of Insufficiently Random Values |
|
CWE-350 | Reliance on Reverse DNS Resolution for a Security-Critical Action |
|
CWE-352 | Cross-Site Request Forgery (CSRF) |
|
CWE-362 | Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') |
|
CWE-369 | Divide By Zero |
|
CWE-391 | Unchecked Error Condition |
|
CWE-395 | Use of NullPointerException Catch to Detect NULL Pointer Dereference |
|
CWE-396 | Declaration of Catch for Generic Exception |
|
CWE-397 | Declaration of Throws for Generic Exception |
|
CWE-400 | Uncontrolled Resource Consumption |
|
CWE-401 | Missing Release of Memory after Effective Lifetime |
|
CWE-402 | Transmission of Private Resources into a New Sphere ('Resource Leak') |
|
CWE-412 | Unrestricted Externally Accessible Lock |
|
CWE-416 | Use After Free |
|
CWE-426 | Untrusted Search Path |
|
CWE-434 | Unrestricted Upload of File with Dangerous Type |
|
CWE-456 | Missing Initialization of a Variable |
|
CWE-457 | Use of Uninitialized Variable |
|
CWE-470 | Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') |
|
CWE-476 | NULL Pointer Dereference |
|
CWE-480 | Use of Incorrect Operator |
|
CWE-481 | Assigning instead of Comparing |
|
CWE-494 | Download of Code Without Integrity Check |
|
CWE-499 | Serializable Class Containing Sensitive Data |
|
CWE-502 | Deserialization of Untrusted Data |
|
| ||
CWE-522 | Insufficiently Protected Credentials |
|
CWE-532 | Inclusion of Sensitive Information in Log Files |
|
|
| ||
CWE-546 | Suspicious Comment |
|
CWE-561 | Dead Code |
|
CWE-563 | Assignment to Variable without Use |
|
CWE-570 | Expression is Always False |
|
CWE-571 | Expression is Always True |
|
CWE-595 | Comparison of Object References Instead of Object Contents |
|
CWE-601 | URL Redirection to Untrusted Site ('Open Redirect') |
|
CWE-611 | Improper Restriction of XML External Entity Reference |
|
CWE-613 | Insufficient Session Expiration |
|
CWE-617 | Reachable Assertion |
|
CWE-662 | Improper Synchronization |
|
CWE-676 | Use of Potentially Dangerous Function |
|
CWE-681 | Incorrect Conversion between Numeric Types |
|
CWE-704 | Incorrect Type Conversion or Cast |
|
CWE-732 | Incorrect Permission Assignment for Critical Resource |
|
CWE-759 | Use of a One-Way Hash without a Salt |
|
CWE-760 | Use of a One-Way Hash with a Predictable Salt |
|
CWE-770 | Allocation of Resources Without Limits or Throttling |
|
| ||
CWE-772 | Missing Release of Resource after Effective Lifetime |
|
CWE-780 | Use of RSA Algorithm without OAEP |
|
CWE-787 | Out-of-bounds Write |
|
CWE-789 | Uncontrolled Memory Allocation |
|
CWE-798 | Use of Hard-coded Credentials |
|
CWE-807 | Reliance on Untrusted Inputs in a Security Decision |
|
CWE-827 | Improper Control of Document Type Definition |
|
CWE-829 | Inclusion of Functionality from Untrusted Control Sphere |
|
CWE-833 | Deadlock |
|
CWE-835 | Loop with Unreachable Exit Condition ('Infinite Loop') |
|
CWE-838 | Inappropriate Encoding for Output Context |
|
CWE-862 | Missing Authorization |
|
CWE-863 | Incorrect Authorization |
|
CWE-918 | Server-Side Request Forgery (SSRF) |
|