Builtin Test Configurations

The following table includes the test configurations shipped in the <INSTALL_DIR>\configs\builtin directory.

Static Analysis

This group includes universal static analysis test configurations. See Security Compliance Pack for test configurations that enforce security coding standards.

Built-in Test Configuration	Description
Android Guidelines	Includes rules recommended for Android developers, based on Google Java Style Guide (available at https://google.github.io/styleguide/javaguide.html).
Code Smells	Rules based on the Code Smells document (available at http://xp.c2.com/CodeSmell.html) by Kent Beck and Martin Fowler.
Critical Rules	Includes most Severity 1 rules, as well as rules in the Flow Analysis Fast configuration.
Demo Configuration	Includes rules for demonstrating various techniques of code analysis. May not be suitable for large code bases.
Find Duplicated Code	Applies static code analysis rules that report duplicate code. Duplicate code may indicate poor application design and lead to maintainability issues.
Find Memory Problems	Includes rules for finding memory management issues in the code.
Find Unused Code	Includes rules for identifying unused/dead code.
Flow Analysis Standard	Detects complex runtime errors without requiring test cases or application execution. Defects detected include using uninitialized or invalid memory, null pointer dereferencing, array and buffer overflows, division by zero, memory and resource leaks, and dead code. This requires a special Flow Analysis license option.
Flow Analysis Aggressive	Includes rules for deep flow analysis of code. Significant amount of time may be required to run this configuration.
Flow Analysis Fast	Includes rules for shallow depth of flow analysis, which limits the number of potentially acceptable defects from being reported.
Internationalize Code	Applies static code analysis to expose code that is likely to impede internationalization efforts.
Metrics	Computes values for several code metrics.
Recommended Rules	The default configuration of recommended rules. Covers most Severity 1 and Severity 2 rules. Includes rules in the Flow Analysis Fast configuration.
Thread Safe Programming	Rules that uncover code which will be dangerous to run in multi-threaded environments— as well as help prevent common threading problems such as deadlocks, race conditions, a missed notification, infinite loops, and data corruption.
TDD Best Practices	The TDD (Test Driven Development) Best Practices configuration includes rules based on the Code Smells document (available at http://xp.c2.com/CodeSmell.html), rules that check whether the JUnit test classes are comprehensive for the tested class, and rules from the Critical Rules test configuration.
JUnit 4 Best Practices	Includes rules that help you improve the quality of your JUnit 4 unit tests.
JUnit 5 Best Practices	Includes rules that help you improve the quality of your JUnit 5 unit tests.

Security Compliance Pack

This compliance pack includes test configurations that help you enforce security coding standards and practices. See Compliance Packs Rule Mapping for information how the standards are mapped to Jtest's rules.

Security Compliance Pack requires dedicated license features to be activated. Contact Parasoft Support for more details on licensing.

Displaying compliance results on DTP

Some test configurations in this category have a corresponding "Compliance" extension on DTP, which allows you to view your security compliance status, generate compliance reports, and monitor the progress towards your security compliance goals. See the "Extensions for DTP" section in the DTP documentation for the list of available extensions, requirements, and usage.

Built-in Test Configuration	Description
CWE 4.17	Includes rules that find issues identified in the CWE standard v4.17. This test configuration is part of Parasoft Compliance Pack solution that allows you to monitor compliance with industry standards using the "Compliance" extensions on DTP.
CWE Top 25 2024	Includes rules that find issues classified as Top 25 Most Dangerous Programming Errors of the CWE standard v.2024. This test configuration is part of Parasoft Compliance Pack solution that allows you to monitor compliance with industry standards using the "Compliance" extensions on DTP.
CWE Top 25 2023	Includes rules that find issues classified as Top 25 Most Dangerous Programming Errors of the CWE standard v.2023. This test configuration is part of Parasoft Compliance Pack solution that allows you to monitor compliance with industry standards using the "Compliance" extensions on DTP.
CWE Top 25 + On the Cusp 2024	Includes rules that find issues classified as Top 25 Most Dangerous Programming Errors of the CWE standard or included on the CWE Weaknesses On the Cusp list v.2024. This test configuration is part of Parasoft Compliance Pack solution that allows you to monitor compliance with industry standards using the "Compliance" extensions on DTP.
CWE Top 25 + On the Cusp 2023	Includes rules that find issues classified as Top 25 Most Dangerous Programming Errors of the CWE standard or included on the CWE Weaknesses On the Cusp list v.2023. This test configuration is part of Parasoft Compliance Pack solution that allows you to monitor compliance with industry standards using the "Compliance" extensions on DTP.
DISA-ASD-STIG	Includes rules that find issues identified in Application Security and Development STIG (Security Technical Implementation Guide) provided by Defense Information Systems Agency. See also DISA-ASD-STIG Known Limitation.
HIPAA	Includes rules that find issues identified by the HIPAA (Health Insurance Portability and Accountability Act) regulations.
OWASP API Security Top 10-2023	Includes rules that find issues identified in OWASP’s API Security Top 10 - 2023. This test configuration is part of Parasoft Compliance Pack solution that allows you to monitor compliance with industry standards using the "Compliance" extensions on DTP.
OWASP API Security Top 10-2019	Includes rules that find issues identified in OWASP’s API Security Top 10 - 2019. This test configuration is part of Parasoft Compliance Pack solution that allows you to monitor compliance with industry standards using the "Compliance" extensions on DTP.
OWASP ASVS 4.0.3	Includes rules that enforce the requirements defined in the ASVS (Application Security Verification Standard).
OWASP Top 10-2021	Includes rules that find web application security risks identified in the OWASP Top 10 - 2021. This test configuration is part of Parasoft Compliance Pack solution that allows you to monitor compliance with industry standards using the "Compliance" extensions on DTP.
OWASP Top 10-2017	Includes rules that find web application security risks identified in the OWASP Top 10 - 2017. This test configuration is part of Parasoft Compliance Pack solution that allows you to monitor compliance with industry standards using the "Compliance" extensions on DTP.
PCI DSS 4.0	Includes rules that find issues identified in PCI Data Security Standard version 4.0.
PCI DSS 3.2	Includes rules that find issues identified in PCI Data Security Standard version 3.2.
CERT for Java	Checks rules for the CERT standard. This standard provides guidelines for secure coding.
CERT for Java Guidelines	Checks rules and recommendations for the CERT standard. This standard provides guidelines for secure coding.
UL 2900	Includes rules that find issues identified in the UL-2900 standard.
VVSG 2.0	Includes rules that enforce the specifications and requirements defined in Voluntary Voting System Guidelines 2.0.

Unit Testing and Collecting Coverage

This group includes test configurations that allow you to run and collect coverage data for unit tests.

Built-in Test Configuration	Description
Calculate Application Coverage	Processes the application coverage data to generate a coverage.xml file. See Application Coverage.
Unit Tests	Includes the unit test execution data in the generated report file

Compliance Packs Rule Mapping

This section includes rule mapping for the CWE standard. The mapping information for other standards is available in the PDF rule mapping files shipped with Compliance Packs.

CWE Top 25 2024 Mapping

ID	Name/description	Parasoft rule ID(s)
CWE-79	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')	CWE.79.EACM CWE.79.TDDIG CWE.79.TDRESP CWE.79.TDXML CWE.79.TDXSS CWE.79.VPPD CWE.79.ARXML
CWE-787	Out-of-bounds Write	CWE.787.ARRAY CWE.787.ARRAYSEC
CWE-89	Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')	CWE.89.TDSQL CWE.89.UPS
CWE-352	Cross-Site Request Forgery (CSRF)	CWE.352.EACM CWE.352.TDRESP CWE.352.TDXSS CWE.352.VPPD CWE.352.UOSC CWE.352.DCSRFJAVA CWE.352.DCSRFXML CWE.352.REQMAP
CWE-22	Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')	CWE.22.TDFNAMES
CWE-125	Out-of-bounds Read	CWE.125.ARRAY CWE.125.ARRAYSEC
CWE-78	Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')	CWE.78.TDCMD
CWE-416	Use After Free	CWE.416.FREE
CWE-862	Missing Authorization	CWE.862.PERMIT CWE.862.LCA
CWE-434	Unrestricted Upload of File with Dangerous Type	CWE.434.TDFNAMES
CWE-94	Improper Control of Generation of Code ('Code Injection')	CWE.94.TDCODE CWE.94.DCEMSL CWE.94.ASAPI
CWE-20	Improper Input Validation	CWE.20.ARRAY CWE.20.INTWRAP CWE.20.FREE CWE.20.ARRAYSEC CWE.20.TDINPUT CWE.20.TDLIB CWE.20.TDLOG CWE.20.TDRESP CWE.20.TDRFL CWE.20.BSA CWE.20.CACO CWE.20.CLP CWE.20.ICO CWE.20.IOF CWE.20.CAI CWE.20.NATV CWE.20.SYSP CWE.20.AEAF CWE.20.CSVFV CWE.20.NATIW CWE.20.APIBS CWE.20.BUSSB CWE.20.UCO CWE.20.DFV CWE.20.EV CWE.20.PLUGIN
CWE-77	Improper Neutralization of Special Elements used in a Command ('Command Injection')	CWE.77.TDCMD
CWE-287	Improper Authentication	CWE.287.TDPASSWD CWE.287.UPWD CWE.287.PLAIN CWE.287.PCCF CWE.287.PTPT CWE.287.PWDPROP CWE.287.PWDXML CWE.287.UTAX CWE.287.WCPWD CWE.287.WPWD CWE.287.CKTS CWE.287.DNSL CWE.287.HCCK CWE.287.HCCS CWE.287.HTTPRHA CWE.287.HV CWE.287.PBFA CWE.287.SSM CWE.287.USC CWE.287.VSI CWE.287.MLVP
CWE-269	Improper Privilege Management	CWE.269.DPANY CWE.269.LDP CWE.269.PCL
CWE-502	Deserialization of Untrusted Data	CWE.502.SSSD CWE.502.MASP CWE.502.AUXD CWE.502.SC CWE.502.RWAF CWE.502.VOBD
CWE-200	Exposure of Sensitive Information to an Unauthorized Actor	CWE.200.SENS CWE.200.SENSLOG CWE.200.CONSEN CWE.200.PEO CWE.200.SIO CWE.200.ACPST CWE.200.EWSSEC
CWE-863	Incorrect Authorization	CWE.863.DSR CWE.863.SRCD
CWE-918	Server-Side Request Forgery (SSRF)	CWE.918.TDNET
CWE-119	Improper Restriction of Operations within the Bounds of a Memory Buffer	CWE.119.ARRAY CWE.119.FREE CWE.119.ARRAYSEC CWE.119.BUSSB
CWE-476	NULL Pointer Dereference	CWE.476.NP
CWE-798	Use of Hard-coded Credentials	CWE.798.HCCK CWE.798.HCCS
CWE-190	Integer Overflow or Wraparound	CWE.190.INTWRAP CWE.190.BSA CWE.190.CACO CWE.190.CLP CWE.190.ICO CWE.190.IOF
CWE-400	Uncontrolled Resource Consumption	CWE.400.LEAKS CWE.400.TDALLOC CWE.400.USB CWE.400.DMDS CWE.400.ISTART
CWE-306	Missing Authentication for Critical Function	CWE.306.SSM

CWE Top 25 2023 Mapping

ID	Name/description	Parasoft rule ID(s)
CWE-787	Out-of-bounds Write	CWE.787.ARRAY CWE.787.ARRAYSEC
CWE-79	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')	CWE.79.EACM CWE.79.TDDIG CWE.79.TDRESP CWE.79.TDXML CWE.79.TDXSS CWE.79.VPPD CWE.79.ARXML
CWE-89	Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')	CWE.89.TDSQL CWE.89.UPS
CWE-416	Use After Free	CWE.416.FREE
CWE-78	Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')	CWE.78.TDCMD
CWE-20	Improper Input Validation	CWE.20.ARRAY CWE.20.INTOVERF CWE.20.FREE CWE.20.ARRAYSEC CWE.20.TDINPUT CWE.20.TDLIB CWE.20.TDLOG CWE.20.TDRESP CWE.20.TDRFL CWE.20.BSA CWE.20.CACO CWE.20.CLP CWE.20.ICO CWE.20.IOF CWE.20.CAI CWE.20.NATV CWE.20.SYSP CWE.20.AEAF CWE.20.CSVFV CWE.20.NATIW CWE.20.APIBS CWE.20.BUSSB CWE.20.UCO CWE.20.DFV CWE.20.EV CWE.20.PLUGIN
CWE-125	Out-of-bounds Read	CWE.125.ARRAY CWE.125.ARRAYSEC
CWE-22	Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')	CWE.22.TDFNAMES
CWE-352	Cross-Site Request Forgery (CSRF)	CWE.352.EACM CWE.352.TDRESP CWE.352.TDXSS CWE.352.VPPD CWE.352.UOSC CWE.352.DCSRFJAVA CWE.352.DCSRFXML CWE.352.REQMAP
CWE-434	Unrestricted Upload of File with Dangerous Type	CWE.434.TDFNAMES
CWE-862	Missing Authorization	CWE.862.PERMIT CWE.862.LCA
CWE-476	NULL Pointer Dereference	CWE.476.NP CWE.476.DEREF
CWE-287	Improper Authentication	CWE.287.TDPASSWD CWE.287.UPWD CWE.287.PLAIN CWE.287.PCCF CWE.287.PTPT CWE.287.PWDPROP CWE.287.PWDXML CWE.287.UTAX CWE.287.WCPWD CWE.287.WPWD CWE.287.CKTS CWE.287.DNSL CWE.287.HCCK CWE.287.HCCS CWE.287.HTTPRHA CWE.287.HV CWE.287.PBFA CWE.287.SSM CWE.287.USC CWE.287.VSI CWE.287.MLVP
CWE-190	Integer Overflow or Wraparound	CWE.190.INTOVERF CWE.190.BSA CWE.190.CACO CWE.190.CLP CWE.190.ICO CWE.190.IOF
CWE-502	Deserialization of Untrusted Data	CWE.502.SSSD CWE.502.MASP CWE.502.AUXD CWE.502.SC CWE.502.RWAF CWE.502.VOBD
CWE-77	Improper Neutralization of Special Elements used in a Command ('Command Injection')	CWE.77.TDCMD
CWE-119	Improper Restriction of Operations within the Bounds of a Memory Buffer	CWE.119.ARRAY CWE.119.FREE CWE.119.ARRAYSEC CWE.119.BUSSB
CWE-798	Use of Hard-coded Credentials	CWE.798.HCCK CWE.798.HCCS
CWE-918	Server-Side Request Forgery (SSRF)	CWE.918.TDNET
CWE-306	Missing Authentication for Critical Function	CWE.306.SSM
CWE-362	Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')	CWE.362.TOCTOU CWE.362.DCL
CWE-269	Improper Privilege Management	CWE.269.DPANY CWE.269.LDP CWE.269.PCL
CWE-94	Improper Control of Generation of Code ('Code Injection')	CWE.94.TDCODE CWE.94.DCEMSL CWE.94.ASAPI
CWE-863	Incorrect Authorization	CWE.863.DSR CWE.863.SRCD
CWE-276	Incorrect Default Permissions	CWE.276.ASNF CWE.276.CFAP

CWE Weaknesses On the Cusp 2024 Mapping

ID	Name/description	Parasoft rule ID(s)
CWE-770	Allocation of Resources Without Limits or Throttling	CWE.770.TDALLOC CWE.770.ISTART
CWE-668	Exposure of Resource to Wrong Sphere	CWE.668.SENS CWE.668.SENSLOG CWE.668.TDINPUT CWE.668.TDLIB CWE.668.TDPASSWD CWE.668.RR CWE.668.UPWD CWE.668.MFP CWE.668.IMM CWE.668.PSFA CWE.668.PLAIN CWE.668.SYSP CWE.668.SPFF CWE.668.CONSEN CWE.668.PEO CWE.668.RA CWE.668.SIF CWE.668.SIO CWE.668.ATF CWE.668.PCCF CWE.668.PTPT CWE.668.PWDPROP CWE.668.PWDXML CWE.668.UTAX CWE.668.WCPWD CWE.668.WPWD CWE.668.ACPST CWE.668.APIBS CWE.668.ASNF CWE.668.CFAP CWE.668.CKTS CWE.668.CLONE CWE.668.EWSSEC CWE.668.IDP CWE.668.INNER CWE.668.PBRTE CWE.668.SCHTTP CWE.668.SER CWE.668.USC CWE.668.UCO
CWE-74	Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')	CWE.74.EACM CWE.74.TDCMD CWE.74.TDCODE CWE.74.TDDIG CWE.74.TDJXPATH CWE.74.TDLDAP CWE.74.TDNET CWE.74.TDRESP CWE.74.TDSQL CWE.74.TDXML CWE.74.TDXPATH CWE.74.TDXSS CWE.74.VPPD CWE.74.UPS CWE.74.XPIJ CWE.74.DCEMSL CWE.74.ARXML CWE.74.ASAPI CWE.74.DFV
CWE-427	Uncontrolled Search Path Element	CWE.427.PBRTE
CWE-639	Authorization Bypass Through User-Controlled Key	N/A
CWE-532	Insertion of Sensitive Information into Log File	CWE.532.SENSLOG CWE.532.CONSEN
CWE-732	Incorrect Permission Assignment for Critical Resource	CWE.732.ASNF CWE.732.CFAP CWE.732.IDP CWE.732.SCHTTP
CWE-601	URL Redirection to Untrusted Site ('Open Redirect')	CWE.601.TDNET CWE.601.TDRESP CWE.601.VRD CWE.601.UCO
CWE-362	Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')	CWE.362.TOCTOU CWE.362.DCL
CWE-522	Insufficiently Protected Credentials	CWE.522.TDPASSWD CWE.522.UPWD CWE.522.PLAIN CWE.522.PCCF CWE.522.PTPT CWE.522.PWDPROP CWE.522.PWDXML CWE.522.UTAX CWE.522.WCPWD CWE.522.WPWD CWE.522.CKTS CWE.522.USC
CWE-276	Incorrect Default Permissions	CWE.276.ASNF CWE.276.CFAP
CWE-203	Observable Discrepancy	N/A
CWE-59	Improper Link Resolution Before File Access ('Link Following')	CWE.59.FOLLOW CWE.59.LNK
CWE-843	Access of Resource Using Incompatible Type ('Type Confusion')	CWE.843.EQUS
CWE-312	Cleartext Storage of Sensitive Information	CWE.312.PLAIN CWE.312.PLC CWE.312.PWDPROP

CWE Weaknesses On the Cusp 2023 Mapping

ID	Name/description	Parasoft rule ID(s)
CWE-617	Reachable Assertion	CWE.617.ASSERT
CWE-427	Uncontrolled Search Path Element	CWE.427.PBRTE
CWE-611	Improper Restriction of XML External Entity Reference	CWE.611.XMLVAL CWE.611.DXXE
CWE-770	Allocation of Resources Without Limits or Throttling	CWE.770.TDALLOC CWE.770.ISTART
CWE-200	Exposure of Sensitive Information to an Unauthorized Actor	CWE.200.SENS CWE.200.SENSLOG CWE.200.CONSEN CWE.200.PEO CWE.200.SIO CWE.200.ACPST CWE.200.EWSSEC
CWE-732	Incorrect Permission Assignment for Critical Resource	CWE.732.ASNF CWE.732.CFAP CWE.732.IDP CWE.732.SCHTTP
CWE-601	URL Redirection to Untrusted Site ('Open Redirect')	CWE.601.TDNET CWE.601.TDRESP CWE.601.VRD CWE.601.UCO
CWE-1321	Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')	N/A
CWE-295	Improper Certificate Validation	CWE.295.HV CWE.295.VSI
CWE-522	Insufficiently Protected Credentials	CWE.522.TDPASSWD CWE.522.UPWD CWE.522.PLAIN CWE.522.PCCF CWE.522.PTPT CWE.522.PWDPROP CWE.522.PWDXML CWE.522.UTAX CWE.522.WCPWD CWE.522.WPWD CWE.522.CKTS CWE.522.USC
CWE-401	Missing Release of Memory after Effective Lifetime	N/A
CWE-400	Uncontrolled Resource Consumption	CWE.400.LEAKS CWE.400.TDALLOC CWE.400.USB CWE.400.DMDS CWE.400.ISTART
CWE-639	Authorization Bypass Through User-Controlled Key	N/A
CWE-59	Improper Link Resolution Before File Access ('Link Following')	CWE.59.FOLLOW CWE.59.LNK
CWE-668	Exposure of Resource to Wrong Sphere	CWE.668.ASNF CWE.668.CFAP CWE.668.SENS CWE.668.SENSLOG CWE.668.TDFNAMES CWE.668.TDINPUT CWE.668.TDLIB CWE.668.TDPASSWD CWE.668.RR CWE.668.UPWD CWE.668.MFP CWE.668.IMM CWE.668.PSFA CWE.668.PLAIN CWE.668.SYSP CWE.668.SPFF CWE.668.CONSEN CWE.668.PEO CWE.668.RA CWE.668.SIF CWE.668.SIO CWE.668.ATF CWE.668.PCCF CWE.668.PTPT CWE.668.PWDPROP CWE.668.PWDXML CWE.668.UTAX CWE.668.WCPWD CWE.668.WPWD CWE.668.ACPST CWE.668.APIBS CWE.668.CKTS CWE.668.CLONE CWE.668.EWSSEC CWE.668.IDP CWE.668.INNER CWE.668.PBRTE CWE.668.SCHTTP CWE.668.SER CWE.668.USC CWE.668.UCO

CWE 4.17 Mapping

ID	Name/description	Parasoft rule ID(s)
CWE-6	J2EE Misconfiguration: Insufficient Session-ID Length	CWE.6.SLID
CWE-7	J2EE Misconfiguration: Missing Custom Error Page	CWE.7.SEP
CWE-8	J2EE Misconfiguration: Entity Bean Declared Remote	CWE.8.RR
CWE-9	J2EE Misconfiguration: Weak Access Permissions for EJB Methods	CWE.9.DPANY
CWE-15	External Control of System or Configuration Setting	CWE.15.SYSP CWE.15.UCO
CWE-20	Improper Input Validation	CWE-111.NATV CWE-111.NATIW CWE-109.EV CWE-106.PLUGIN CWE-104.AEAF CWE-102.DFV CWE-103.CSVFV CWE-134.TDINPUT CWE-113.TDRESP CWE-470.TDRFL CWE-470.APIBS CWE-190.INTWRAP CWE-190.BSA CWE-190.CACO CWE-190.CLP CWE-190.ICO CWE-190.IOF CWE-114.TDLIB CWE-114.APIBS CWE-117.TDLOG CWE-129.ARRAY CWE-129.ARRAYSEC CWE-129.CAI CWE-15.SYSP CWE-15.UCO
CWE-22	Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')	CWE.22.TDFNAMES
CWE-59	Improper Link Resolution Before File Access ('Link Following')	CWE-64.LNK CWE-61.FOLLOW
CWE-61	UNIX Symbolic Link (Symlink) Following	CWE.61.FOLLOW
CWE-64	Windows Shortcut Following (.LNK)	CWE.64.LNK
CWE-73	External Control of File Name or Path	CWE-114.TDLIB CWE-114.APIBS
CWE-74	Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')	CWE-89.TDSQL CWE-89.UPS CWE-99.TDNET CWE-94.DCEMSL CWE-94.ASAPI CWE-79.EACM CWE-79.TDRESP CWE-79.TDXSS CWE-79.VPPD CWE-78.TDCMD CWE-91.TDXML
CWE-77	Improper Neutralization of Special Elements used in a Command ('Command Injection')	CWE-78.TDCMD
CWE-78	Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')	CWE.78.TDCMD
CWE-79	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')	CWE.79.EACM CWE.79.TDRESP CWE.79.TDXSS CWE.79.VPPD CWE-83.ARXML CWE-80.TDDIG CWE-80.TDXML CWE-80.ARXML CWE-81.ARXML
CWE-80	Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)	CWE.80.TDDIG CWE.80.TDXML CWE.80.ARXML
CWE-81	Improper Neutralization of Script in an Error Message Web Page	CWE.81.ARXML
CWE-83	Improper Neutralization of Script in Attributes in a Web Page	CWE.83.ARXML
CWE-89	Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')	CWE.89.TDSQL CWE.89.UPS
CWE-90	Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')	CWE.90.TDLDAP
CWE-91	XML Injection (aka Blind XPath Injection)	CWE.91.TDXML CWE-652.TDXPATH CWE-652.XPIJ CWE-643.TDJXPATH CWE-643.TDXPATH
CWE-93	Improper Neutralization of CRLF Sequences ('CRLF Injection')	CWE-113.TDRESP
CWE-94	Improper Control of Generation of Code ('Code Injection')	CWE.94.DCEMSL CWE.94.ASAPI CWE-95.TDCODE
CWE-95	Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')	CWE.95.TDCODE
CWE-99	Improper Control of Resource Identifiers ('Resource Injection')	CWE.99.TDNET
CWE-102	Struts: Duplicate Validation Forms	CWE.102.DFV
CWE-103	Struts: Incomplete validate() Method Definition	CWE.103.CSVFV
CWE-104	Struts: Form Bean Does Not Extend Validation Class	CWE.104.AEAF
CWE-106	Struts: Plug-in Framework not in Use	CWE.106.PLUGIN
CWE-109	Struts: Validator Turned Off	CWE.109.EV
CWE-111	Direct Use of Unsafe JNI	CWE.111.NATV CWE.111.NATIW
CWE-113	Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')	CWE.113.TDRESP
CWE-114	Process Control	CWE.114.TDLIB CWE.114.APIBS
CWE-116	Improper Encoding or Escaping of Output	CWE-644.TDRESP CWE-838.SEO CWE-117.TDLOG
CWE-117	Improper Output Neutralization for Logs	CWE.117.TDLOG
CWE-119	Improper Restriction of Operations within the Bounds of a Memory Buffer	CWE-125.ARRAY CWE-125.ARRAYSEC CWE-787.ARRAY CWE-787.ARRAYSEC
CWE-125	Out-of-bounds Read	CWE.125.ARRAY CWE.125.ARRAYSEC
CWE-128	Wrap-around Error	CWE.128.CACO
CWE-129	Improper Validation of Array Index	CWE.129.ARRAY CWE.129.ARRAYSEC CWE.129.CAI
CWE-131	Incorrect Calculation of Buffer Size	CWE.131.ARRAY
CWE-134	Use of Externally-Controlled Format String	CWE.134.TDINPUT
CWE-172	Encoding Error	CWE-173.SEO CWE-176.NCUCP
CWE-173	Improper Handling of Alternate Encoding	CWE.173.SEO
CWE-176	Improper Handling of Unicode Encoding	CWE.176.NCUCP
CWE-185	Incorrect Regular Expression	CWE.185.REP
CWE-188	Reliance on Data/Memory Layout	CWE-198.PMRWLED
CWE-190	Integer Overflow or Wraparound	CWE.190.INTWRAP CWE.190.BSA CWE.190.CACO CWE.190.CLP CWE.190.ICO CWE.190.IOF CWE-680.BSA
CWE-191	Integer Underflow (Wrap or Wraparound)	CWE.191.INTWRAP CWE.191.BSA
CWE-193	Off-by-one Error	CWE.193.AOBO
CWE-197	Numeric Truncation Error	CWE.197.INTDL
CWE-198	Use of Incorrect Byte Ordering	CWE.198.PMRWLED
CWE-200	Exposure of Sensitive Information to an Unauthorized Actor	CWE-532.SENSLOG CWE-532.CONSEN CWE-359.CONSEN CWE-497.SENS CWE-497.PEO CWE-213.CONSEN CWE-215.EWSSEC CWE-209.SENS CWE-209.PEO CWE-209.SIO CWE-209.ACPST
CWE-209	Generation of Error Message Containing Sensitive Information	CWE.209.SENS CWE.209.PEO CWE.209.SIO CWE.209.ACPST
CWE-212	Improper Removal of Sensitive Information Before Storage or Transfer	CWE.212.FT
CWE-213	Exposure of Sensitive Information Due to Incompatible Policies	CWE.213.CONSEN
CWE-215	Insertion of Sensitive Information Into Debugging Code	CWE.215.EWSSEC
CWE-221	Information Loss or Omission	CWE-397.NTX CWE-397.NTERR CWE-396.NCE
CWE-223	Omission of Security-relevant Information	CWE-778.ENFL
CWE-245	J2EE Bad Practices: Direct Management of Connections	CWE.245.JDBCTEMPLATE
CWE-246	J2EE Bad Practices: Direct Use of Sockets	CWE.246.AUS CWE.246.NSF CWE.246.SS
CWE-248	Uncaught Exception	CWE-600.CETS
CWE-250	Execution with Unnecessary Privileges	CWE.250.LDP CWE.250.PCL
CWE-252	Unchecked Return Value	CWE.252.CHECKRET CWE.252.CRRV
CWE-256	Plaintext Storage of a Password	CWE.256.TDPASSWD CWE.256.UPWD CWE.256.PLAIN CWE.256.PCCF CWE.256.PTPT CWE.256.PWDPROP CWE.256.PWDXML CWE.256.UTAX CWE.256.WCPWD CWE.256.WPWD
CWE-258	Empty Password in Configuration File	CWE.258.PWDPROP
CWE-260	Password in Configuration File	CWE.260.UTAX CWE-555.PWDXML CWE-258.PWDPROP
CWE-261	Weak Encoding for Password	CWE.261.CKTS
CWE-266	Incorrect Privilege Assignment	CWE-9.DPANY
CWE-269	Improper Privilege Management	CWE-250.LDP CWE-250.PCL
CWE-276	Incorrect Default Permissions	CWE.276.ASNF CWE.276.CFAP
CWE-279	Incorrect Execution-Assigned Permissions	CWE.279.IDP
CWE-284	Improper Access Control	CWE-863.DSR CWE-863.SRCD CWE-862.PERMIT CWE-862.LCA CWE-749.DPAM CWE-749.DPPM CWE-749.SPAM CWE-346.JXCORS
CWE-285	Improper Authorization	CWE-863.DSR CWE-863.SRCD CWE-862.PERMIT CWE-862.LCA
CWE-287	Improper Authentication	CWE-521.MLVP CWE-798.HCCS CWE-290.HTTPRHA CWE-295.HV CWE-306.SSM CWE-307.PBFA
CWE-290	Authentication Bypass by Spoofing	CWE.290.HTTPRHA CWE-350.DNSL
CWE-295	Improper Certificate Validation	CWE.295.HV CWE-297.VSI
CWE-297	Improper Validation of Certificate with Host Mismatch	CWE.297.VSI
CWE-306	Missing Authentication for Critical Function	CWE.306.SSM
CWE-307	Improper Restriction of Excessive Authentication Attempts	CWE.307.PBFA
CWE-311	Missing Encryption of Sensitive Data	CWE.311.SENS CWE.311.PWDXML CWE-312.PWDPROP CWE-319.HTTPS CWE-319.USC
CWE-312	Cleartext Storage of Sensitive Information	CWE.312.PWDPROP CWE-315.PLC CWE-313.PLAIN
CWE-313	Cleartext Storage in a File or on Disk	CWE.313.PLAIN
CWE-315	Cleartext Storage of Sensitive Information in a Cookie	CWE.315.PLC
CWE-319	Cleartext Transmission of Sensitive Information	CWE.319.HTTPS CWE.319.USC CWE-614.UOSC CWE-1428.UHTTPS
CWE-321	Use of Hard-coded Cryptographic Key	CWE.321.HCCK
CWE-325	Missing Cryptographic Step	CWE.325.MCMDU CWE.325.SIKG
CWE-326	Inadequate Encryption Strength	CWE-328.AISSAJAVA CWE-328.AISSAXML CWE-328.AUNC CWE-328.ICA CWE-328.MDSALT CWE-328.SRD
CWE-327	Use of a Broken or Risky Cryptographic Algorithm	CWE.327.ACMD CWE-328.AISSAJAVA CWE-328.AISSAXML CWE-328.AUNC CWE-328.ICA CWE-328.MDSALT CWE-328.SRD
CWE-328	Use of Weak Hash	CWE.328.AISSAJAVA CWE.328.AISSAXML CWE.328.AUNC CWE.328.ICA CWE.328.MDSALT CWE.328.SRD
CWE-329	Generation of Predictable IV with CBC Mode	CWE.329.ENPP CWE.329.IVR
CWE-330	Use of Insufficiently Random Values	CWE-338.SRD
CWE-334	Small Space of Random Values	CWE-6.SLID
CWE-335	Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG)	CWE-337.ENPP CWE-336.ENPP
CWE-336	Same Seed in Pseudo-Random Number Generator (PRNG)	CWE.336.ENPP
CWE-337	Predictable Seed in Pseudo-Random Number Generator (PRNG)	CWE.337.ENPP
CWE-338	Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)	CWE.338.SRD
CWE-344	Use of Invariant Value in Dynamically Changing Context	CWE-798.HCCS
CWE-345	Insufficient Verification of Data Authenticity	CWE-352.EACM CWE-352.TDRESP CWE-352.TDXSS CWE-352.VPPD CWE-352.UOSC CWE-352.DCSRFJAVA CWE-352.DCSRFXML CWE-352.REQMAP CWE-346.JXCORS CWE-347.VJFS
CWE-346	Origin Validation Error	CWE.346.JXCORS CWE-1385.WS
CWE-347	Improper Verification of Cryptographic Signature	CWE.347.VJFS
CWE-350	Reliance on Reverse DNS Resolution for a Security-Critical Action	CWE.350.DNSL
CWE-352	Cross-Site Request Forgery (CSRF)	CWE.352.EACM CWE.352.TDRESP CWE.352.TDXSS CWE.352.VPPD CWE.352.UOSC CWE.352.DCSRFJAVA CWE.352.DCSRFXML CWE.352.REQMAP
CWE-359	Exposure of Private Personal Information to an Unauthorized Actor	CWE.359.CONSEN
CWE-362	Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')	CWE.362.DCL CWE-367.TOCTOU
CWE-367	Time-of-check Time-of-use (TOCTOU) Race Condition	CWE.367.TOCTOU
CWE-369	Divide By Zero	CWE.369.ZERO
CWE-375	Returning a Mutable Object to an Untrusted Caller	CWE.375.RA
CWE-377	Insecure Temporary File	CWE.377.ATF
CWE-382	J2EE Bad Practices: Use of System.exit()	CWE.382.EXIT CWE.382.JVM
CWE-383	J2EE Bad Practices: Direct Use of Threads	CWE.383.THR
CWE-384	Session Fixation	CWE.384.ISL
CWE-390	Detection of Error Condition Without Action	CWE.390.LGE
CWE-391	Unchecked Error Condition	CWE.391.AECB
CWE-395	Use of NullPointerException Catch to Detect NULL Pointer Dereference	CWE.395.NCNPE
CWE-396	Declaration of Catch for Generic Exception	CWE.396.NCE
CWE-397	Declaration of Throws for Generic Exception	CWE.397.NTX CWE.397.NTERR
CWE-400	Uncontrolled Resource Consumption	CWE.400.DMDS CWE-771.LEAKS CWE-770.ISTART
CWE-404	Improper Resource Shutdown or Release	CWE.404.COCO CWE.404.ODBIL CWE.404.CRWD CWE-772.LEAKS CWE-772.CLOSE CWE-459.LEAKS
CWE-413	Improper Resource Locking	CWE.413.LORD
CWE-416	Use After Free	CWE.416.FREE
CWE-426	Untrusted Search Path	CWE.426.PBRTE
CWE-427	Uncontrolled Search Path Element	CWE.427.PBRTE
CWE-434	Unrestricted Upload of File with Dangerous Type	CWE.434.TDFNAMES
CWE-436	Interpretation Conflict	CWE-113.TDRESP
CWE-441	Unintended Proxy or Intermediary ('Confused Deputy')	CWE-918.TDNET
CWE-456	Missing Initialization of a Variable	CWE.456.LV
CWE-457	Use of Uninitialized Variable	CWE.457.NP CWE.457.NOTEXPLINIT CWE.457.NOTINITCTOR CWE.457.UIRC
CWE-459	Incomplete Cleanup	CWE.459.LEAKS CWE-568.FCF
CWE-470	Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')	CWE.470.TDRFL CWE.470.APIBS
CWE-471	Modification of Assumed-Immutable Data (MAID)	CWE-607.IMM CWE-607.RMO
CWE-476	NULL Pointer Dereference	CWE.476.NP
CWE-477	Use of Obsolete Function	CWE.477.DPRAPI
CWE-478	Missing Default Case in Multiple Condition Expression	CWE.478.PDS
CWE-480	Use of Incorrect Operator	CWE-481.ASI
CWE-481	Assigning instead of Comparing	CWE.481.ASI
CWE-483	Incorrect Block Delimitation	CWE.483.BLK CWE.483.EBI CWE.483.EB
CWE-484	Omitted Break Statement in Switch	CWE.484.SBC CWE.484.DAV
CWE-486	Comparison of Classes by Name	CWE.486.AUG CWE.486.CMP
CWE-487	Reliance on Package-level Scope	CWE.487.AF
CWE-491	Public cloneable() Method Without Final ('Object Hijack')	CWE.491.CLONE
CWE-492	Use of Inner Class Containing Sensitive Data	CWE.492.INNER
CWE-493	Critical Public Variable Without Final Modifier	CWE-500.SPFF
CWE-495	Private Data Structure Returned From A Public Method	CWE.495.RA
CWE-496	Public Data Assigned to Private Array-Typed Field	CWE.496.CAP
CWE-497	Exposure of Sensitive System Information to an Unauthorized Control Sphere	CWE.497.SENS CWE.497.PEO
CWE-499	Serializable Class Containing Sensitive Data	CWE.499.SIF CWE.499.SER
CWE-500	Public Static Field Not Marked Final	CWE.500.SPFF
CWE-501	Trust Boundary Violation	CWE.501.TDSESSION
CWE-502	Deserialization of Untrusted Data	CWE.502.SSSD CWE.502.MASP CWE.502.AUXD CWE.502.SC CWE.502.RWAF CWE.502.VOBD
CWE-506	Embedded Malicious Code	CWE.506.HCCK CWE-511.RDM
CWE-511	Logic/Time Bomb	CWE.511.RDM
CWE-521	Weak Password Requirements	CWE.521.MLVP CWE-258.PWDPROP
CWE-522	Insufficiently Protected Credentials	CWE-523.USC CWE-261.CKTS CWE-260.UTAX CWE-256.TDPASSWD CWE-256.UPWD CWE-256.PLAIN CWE-256.PCCF CWE-256.PTPT CWE-256.PWDPROP CWE-256.PWDXML CWE-256.UTAX CWE-256.WCPWD CWE-256.WPWD
CWE-523	Unprotected Transport of Credentials	CWE.523.USC
CWE-532	Insertion of Sensitive Information into Log File	CWE.532.SENSLOG CWE.532.CONSEN
CWE-538	Insertion of Sensitive Information into Externally-Accessible File or Directory	CWE-532.SENSLOG CWE-532.CONSEN
CWE-543	Use of Singleton Pattern Without Synchronization in a Multithreaded Context	CWE.543.IASF CWE.543.ILI
CWE-546	Suspicious Comment	CWE.546.TODOJAVA CWE.546.TODOPROP CWE.546.TODOXML
CWE-555	J2EE Misconfiguration: Plaintext Password in Configuration File	CWE.555.PWDXML
CWE-561	Dead Code	CWE.561.CC CWE.561.SWITCH CWE.561.PM
CWE-563	Assignment to Variable without Use	CWE.563.VOVR CWE.563.UPPF CWE.563.AURV CWE.563.PF CWE.563.UP
CWE-568	finalize() Method Without super.finalize()	CWE.568.FCF
CWE-570	Expression is Always False	CWE.570.CC CWE.570.UCIF
CWE-571	Expression is Always True	CWE.571.CC CWE.571.UCIF
CWE-572	Call to Thread run() instead of start()	CWE.572.IRUN
CWE-573	Improper Following of Specification by Caller	CWE-581.OVERRIDE CWE-104.AEAF CWE-103.CSVFV CWE-577.AUS CWE-580.SCLONE CWE-325.MCMDU CWE-325.SIKG CWE-568.FCF CWE-579.ONS CWE-579.SNSO CWE-578.ACL CWE-329.ENPP CWE-329.IVR
CWE-576	EJB Bad Practices: Use of Java I/O	CWE.576.JIO
CWE-577	EJB Bad Practices: Use of Sockets	CWE.577.AUS
CWE-578	EJB Bad Practices: Use of Class Loader	CWE.578.ACL
CWE-579	J2EE Bad Practices: Non-serializable Object Stored in Session	CWE.579.ONS CWE.579.SNSO
CWE-580	clone() Method Without super.clone()	CWE.580.SCLONE
CWE-581	Object Model Violation: Just One of Equals and Hashcode Defined	CWE.581.OVERRIDE
CWE-582	Array Declared Public, Final, and Static	CWE.582.IMM CWE.582.PSFA
CWE-583	finalize() Method Declared Public	CWE.583.MFP
CWE-584	Return Inside Finally Block	CWE.584.ARCF
CWE-585	Empty Synchronized Block	CWE.585.SNE
CWE-586	Explicit Call to Finalize()	CWE.586.NCF
CWE-594	J2EE Framework: Saving Unserializable Objects to Disk	CWE.594.SIVS
CWE-595	Comparison of Object References Instead of Object Contents	CWE.595.UEIC
CWE-600	Uncaught Exception in Servlet	CWE.600.CETS
CWE-601	URL Redirection to Untrusted Site ('Open Redirect')	CWE.601.TDNET CWE.601.TDRESP CWE.601.VRD CWE.601.UCO
CWE-605	Multiple Binds to the Same Port	CWE.605.HCNA
CWE-607	Public Static Final Field References Mutable Object	CWE.607.IMM CWE.607.RMO
CWE-609	Double-Checked Locking	CWE.609.DCL
CWE-610	Externally Controlled Reference to a Resource in Another Sphere	CWE-601.TDNET CWE-601.TDRESP CWE-601.VRD CWE-601.UCO CWE-470.TDRFL CWE-470.APIBS CWE-918.TDNET CWE-15.SYSP CWE-15.UCO CWE-384.ISL CWE-611.XMLVAL CWE-611.DXXE
CWE-611	Improper Restriction of XML External Entity Reference	CWE.611.XMLVAL CWE.611.DXXE
CWE-613	Insufficient Session Expiration	CWE.613.RUIM CWE.613.STTL
CWE-614	Sensitive Cookie in HTTPS Session Without 'Secure' Attribute	CWE.614.UOSC
CWE-617	Reachable Assertion	CWE.617.ASSERT
CWE-642	External Control of Critical State Data	CWE-15.SYSP CWE-15.UCO CWE-426.PBRTE
CWE-643	Improper Neutralization of Data within XPath Expressions ('XPath Injection')	CWE.643.TDJXPATH CWE.643.TDXPATH
CWE-644	Improper Neutralization of HTTP Headers for Scripting Syntax	CWE.644.TDRESP
CWE-652	Improper Neutralization of Data within XQuery Expressions ('XQuery Injection')	CWE.652.TDXPATH CWE.652.XPIJ
CWE-657	Violation of Secure Design Principles	CWE-250.LDP CWE-250.PCL
CWE-662	Improper Synchronization	CWE.662.DIFCS CWE-543.IASF CWE-543.ILI CWE-833.ORDER CWE-833.TSHL CWE-833.CSFS CWE-833.RLF CWE-833.STR CWE-833.UWNA CWE-764.DLOCK CWE-667.LOCK CWE-667.CLOSE
CWE-664	Improper Control of a Resource Through its Lifetime	CWE-487.AF CWE-580.SCLONE CWE-662.DIFCS CWE-704.AGBPT CWE-704.CPTS CWE-495.RA CWE-496.CAP CWE-400.DMDS CWE-404.COCO CWE-404.ODBIL CWE-404.CRWD CWE-501.TDSESSION
CWE-665	Improper Initialization	CWE-456.LV CWE-770.ISTART CWE-457.NP CWE-457.NOTEXPLINIT CWE-457.NOTINITCTOR CWE-457.UIRC
CWE-666	Operation on Resource in Wrong Phase of Lifetime	CWE-605.HCNA
CWE-667	Improper Locking	CWE.667.LOCK CWE.667.CLOSE CWE-413.LORD CWE-832.LORD CWE-833.ORDER CWE-833.TSHL CWE-833.CSFS CWE-833.RLF CWE-833.STR CWE-833.UWNA CWE-609.DCL CWE-764.DLOCK
CWE-668	Exposure of Resource to Wrong Sphere	CWE-375.RA CWE-377.ATF CWE-499.SIF CWE-499.SER CWE-134.TDINPUT CWE-491.CLONE CWE-492.INNER CWE-427.PBRTE CWE-426.PBRTE CWE-8.RR CWE-582.IMM CWE-582.PSFA CWE-583.MFP
CWE-669	Incorrect Resource Transfer Between Spheres	CWE-829.TDFILES CWE-829.TDFNAMES CWE-829.TDLIB CWE-829.TDXPATH CWE-434.TDFNAMES CWE-212.FT
CWE-670	Always-Incorrect Control Flow Implementation	CWE-483.BLK CWE-483.EBI CWE-483.EB CWE-484.SBC CWE-484.DAV CWE-617.ASSERT
CWE-671	Lack of Administrator Control over Security	CWE-798.HCCS
CWE-672	Operation on a Resource after Expiration or Release	CWE-416.FREE CWE-613.RUIM CWE-613.STTL
CWE-673	External Influence of Sphere Definition	CWE-426.PBRTE
CWE-674	Uncontrolled Recursion	CWE.674.FLRC
CWE-675	Multiple Operations on Resource in Single-Operation Context	CWE-764.DLOCK CWE-605.HCNA
CWE-676	Use of Potentially Dangerous Function	CWE.676.SRD
CWE-680	Integer Overflow to Buffer Overflow	CWE.680.BSA
CWE-681	Incorrect Conversion between Numeric Types	CWE.681.INTVC CWE.681.CLP CWE.681.IDCD CWE-197.INTDL
CWE-682	Incorrect Calculation	CWE-369.ZERO CWE-131.ARRAY CWE-128.CACO CWE-191.INTWRAP CWE-191.BSA CWE-190.INTWRAP CWE-190.BSA CWE-190.CACO CWE-190.CLP CWE-190.ICO CWE-190.IOF CWE-193.AOBO
CWE-691	Insufficient Control Flow Management	CWE.691.ANL CWE-362.DCL CWE-841.PERMIT CWE-662.DIFCS
CWE-693	Protection Mechanism Failure	CWE-807.PLC CWE-807.HGRSI CWE-807.UOSC CWE-311.SENS CWE-311.PWDXML CWE-327.ACMD
CWE-694	Use of Multiple Resources with Duplicate Identifier	CWE-102.DFV
CWE-695	Use of Low-Level Functionality	CWE-111.NATV CWE-111.NATIW CWE-245.JDBCTEMPLATE CWE-383.THR CWE-246.AUS CWE-246.NSF CWE-246.SS CWE-576.JIO
CWE-697	Incorrect Comparison	CWE-185.REP CWE-581.OVERRIDE CWE-1077.DCF
CWE-703	Improper Check or Handling of Exceptional Conditions	CWE-397.NTX CWE-397.NTERR CWE-391.AECB CWE-755.CIET
CWE-704	Incorrect Type Conversion or Cast	CWE.704.AGBPT CWE.704.CPTS CWE-681.INTVC CWE-681.CLP CWE-681.IDCD CWE-843.EQUS
CWE-705	Incorrect Control Flow Scoping	CWE-397.NTX CWE-397.NTERR CWE-396.NCE CWE-395.NCNPE CWE-382.EXIT CWE-382.JVM CWE-584.ARCF
CWE-706	Use of Incorrectly-Resolved Name or Reference	CWE-22.TDFNAMES
CWE-710	Improper Adherence to Coding Standards	CWE-484.SBC CWE-484.DAV CWE-476.NP CWE-477.DPRAPI CWE-571.CC CWE-571.UCIF CWE-570.CC CWE-570.UCIF CWE-1066.OROM CWE-1126.DVCU
CWE-732	Incorrect Permission Assignment for Critical Resource	CWE-276.ASNF CWE-276.CFAP CWE-1004.SCHTTP CWE-279.IDP
CWE-749	Exposed Dangerous Method or Function	CWE.749.DPAM CWE.749.DPPM CWE.749.SPAM
CWE-754	Improper Check for Unusual or Exceptional Conditions	CWE-476.NP CWE-391.AECB CWE-252.CHECKRET CWE-252.CRRV
CWE-755	Improper Handling of Exceptional Conditions	CWE.755.CIET CWE-396.NCE CWE-395.NCNPE CWE-390.LGE CWE-209.SENS CWE-209.PEO CWE-209.SIO CWE-209.ACPST
CWE-756	Missing Custom Error Page	CWE-7.SEP
CWE-758	Reliance on Undefined, Unspecified, or Implementation-Defined Behavior	CWE-1102.DNHCP CWE-1102.LNSP CWE-1102.PEER
CWE-759	Use of a One-Way Hash without a Salt	CWE.759.MDSALT
CWE-764	Multiple Locks of a Critical Resource	CWE.764.DLOCK
CWE-770	Allocation of Resources Without Limits or Throttling	CWE.770.ISTART CWE-789.TDALLOC
CWE-771	Missing Reference to Active Allocated Resource	CWE.771.LEAKS
CWE-772	Missing Release of Resource after Effective Lifetime	CWE.772.LEAKS CWE.772.CLOSE
CWE-778	Insufficient Logging	CWE.778.ENFL
CWE-787	Out-of-bounds Write	CWE.787.ARRAY CWE.787.ARRAYSEC
CWE-789	Memory Allocation with Excessive Size Value	CWE.789.TDALLOC
CWE-798	Use of Hard-coded Credentials	CWE.798.HCCS CWE-321.HCCK
CWE-799	Improper Control of Interaction Frequency	CWE-307.PBFA
CWE-805	Buffer Access with Incorrect Length Value	CWE-806.BUSSB
CWE-806	Buffer Access Using Size of Source Buffer	CWE.806.BUSSB
CWE-807	Reliance on Untrusted Inputs in a Security Decision	CWE.807.PLC CWE.807.HGRSI CWE.807.UOSC CWE-350.DNSL
CWE-820	Missing Synchronization	CWE-543.IASF CWE-543.ILI
CWE-821	Incorrect Synchronization	CWE-572.IRUN
CWE-825	Expired Pointer Dereference	CWE-416.FREE
CWE-829	Inclusion of Functionality from Untrusted Control Sphere	CWE.829.TDFILES CWE.829.TDFNAMES CWE.829.TDLIB CWE.829.TDXPATH
CWE-832	Unlock of a Resource that is not Locked	CWE.832.LORD
CWE-833	Deadlock	CWE.833.ORDER CWE.833.TSHL CWE.833.CSFS CWE.833.RLF CWE.833.STR CWE.833.UWNA
CWE-834	Excessive Iteration	CWE-674.FLRC CWE-835.PCIF CWE-835.AIL
CWE-835	Loop with Unreachable Exit Condition ('Infinite Loop')	CWE.835.PCIF CWE.835.AIL
CWE-836	Use of Password Hash Instead of Password for Authentication	CWE.836.PLAIN
CWE-838	Inappropriate Encoding for Output Context	CWE.838.SEO
CWE-841	Improper Enforcement of Behavioral Workflow	CWE.841.PERMIT
CWE-843	Access of Resource Using Incompatible Type ('Type Confusion')	CWE.843.EQUS
CWE-862	Missing Authorization	CWE.862.PERMIT CWE.862.LCA
CWE-863	Incorrect Authorization	CWE.863.DSR CWE.863.SRCD
CWE-908	Use of Uninitialized Resource	CWE-457.NP CWE-457.NOTEXPLINIT CWE-457.NOTINITCTOR CWE-457.UIRC
CWE-909	Missing Initialization of Resource	CWE-456.LV
CWE-912	Hidden Functionality	CWE-506.HCCK
CWE-913	Improper Control of Dynamically-Managed Code Resources	CWE-470.TDRFL CWE-470.APIBS CWE-502.SSSD CWE-502.MASP CWE-502.AUXD CWE-502.SC CWE-502.RWAF CWE-502.VOBD CWE-94.DCEMSL CWE-94.ASAPI
CWE-916	Use of Password Hash With Insufficient Computational Effort	CWE-759.MDSALT
CWE-918	Server-Side Request Forgery (SSRF)	CWE.918.TDNET
CWE-922	Insecure Storage of Sensitive Information	CWE-312.PWDPROP
CWE-923	Improper Restriction of Communication Channel to Intended Endpoints	CWE-297.VSI
CWE-943	Improper Neutralization of Special Elements in Data Query Logic	CWE-652.TDXPATH CWE-652.XPIJ CWE-90.TDLDAP CWE-643.TDJXPATH CWE-643.TDXPATH CWE-89.TDSQL CWE-89.UPS
CWE-1004	Sensitive Cookie Without 'HttpOnly' Flag	CWE.1004.SCHTTP
CWE-1023	Incomplete Comparison with Missing Factors	CWE-478.PDS
CWE-1025	Comparison Using Wrong Factors	CWE-595.UEIC CWE-486.AUG CWE-486.CMP
CWE-1046	Creation of Immutable Text Using String Concatenation	CWE.1046.USB
CWE-1051	Initialization with Hard-Coded Network Resource Configuration Data	CWE.1051.HCNA
CWE-1066	Missing Serialization Control Element	CWE.1066.OROM
CWE-1069	Empty Exception Block	CWE.1069.AECB
CWE-1071	Empty Code Block	CWE-1069.AECB CWE-585.SNE
CWE-1075	Unconditional Control Flow Transfer outside of Switch Block	CWE.1075.ABCL
CWE-1076	Insufficient Adherence to Expected Conventions	CWE-594.SIVS CWE-586.NCF
CWE-1077	Floating Point Comparison with Incorrect Operator	CWE.1077.DCF
CWE-1078	Inappropriate Source Code Style or Formatting	CWE-546.TODOJAVA CWE-546.TODOPROP CWE-546.TODOXML CWE-1115.MCH CWE-1106.USN
CWE-1102	Reliance on Machine-Dependent Data Representation	CWE.1102.DNHCP CWE.1102.LNSP CWE.1102.PEER
CWE-1106	Insufficient Use of Symbolic Constants	CWE.1106.USN
CWE-1115	Source Code Element without Standard Prologue	CWE.1115.MCH
CWE-1120	Excessive Code Complexity	CWE-1075.ABCL
CWE-1126	Declaration of Variable with Unnecessarily Wide Scope	CWE.1126.DVCU
CWE-1164	Irrelevant Code	CWE-561.CC CWE-561.SWITCH CWE-561.PM CWE-563.VOVR CWE-563.UPPF CWE-563.AURV CWE-563.PF CWE-563.UP
CWE-1173	Improper Use of Validation Framework	CWE-109.EV CWE-106.PLUGIN CWE-102.DFV
CWE-1176	Inefficient CPU Computation	CWE-1046.USB
CWE-1177	Use of Prohibited Code	CWE-676.SRD
CWE-1204	Generation of Weak Initialization Vector (IV)	CWE-329.ENPP CWE-329.IVR
CWE-1285	Improper Validation of Specified Index, Position, or Offset in Input	CWE-129.ARRAY CWE-129.ARRAYSEC CWE-129.CAI
CWE-1385	Missing Origin Validation in WebSockets	CWE.1385.WS
CWE-1390	Weak Authentication	CWE-290.HTTPRHA CWE-836.PLAIN CWE-307.PBFA
CWE-1391	Use of Weak Credentials	CWE-798.HCCS CWE-521.MLVP
CWE-1419	Incorrect Initialization of Resource	CWE-1051.HCNA
CWE-1428	Reliance on HTTP instead of HTTPS	CWE.1428.UHTTPS

Page tree