CWE Top 25 2024 Mapping

ID

Name/description

Parasoft rule ID(s)

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

  • CWE.79.EACM
  • CWE.79.TDDIG
  • CWE.79.TDRESP
  • CWE.79.TDXML
  • CWE.79.TDXSS
  • CWE.79.VPPD
  • CWE.79.ARXML

CWE-787

Out-of-bounds Write

  • CWE.787.ARRAY
  • CWE.787.ARRAYSEC

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

  • CWE.89.TDSQL
  • CWE.89.UPS

CWE-352

Cross-Site Request Forgery (CSRF)

  • CWE.352.EACM
  • CWE.352.TDRESP
  • CWE.352.TDXSS
  • CWE.352.VPPD
  • CWE.352.UOSC
  • CWE.352.DCSRFJAVA
  • CWE.352.DCSRFXML
  • CWE.352.REQMAP

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

  • CWE.22.TDFNAMES

CWE-125

Out-of-bounds Read

  • CWE.125.ARRAY
  • CWE.125.ARRAYSEC

CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

  • CWE.78.TDCMD

CWE-416

Use After Free

  • CWE.416.FREE

CWE-862

Missing Authorization

  • CWE.862.PERMIT
  • CWE.862.LCA

CWE-434

Unrestricted Upload of File with Dangerous Type

  • CWE.434.TDFNAMES

CWE-94

Improper Control of Generation of Code ('Code Injection')

  • CWE.94.TDCODE
  • CWE.94.DCEMSL
  • CWE.94.ASAPI

CWE-20

Improper Input Validation

  • CWE.20.ARRAY
  • CWE.20.INTWRAP
  • CWE.20.FREE
  • CWE.20.ARRAYSEC
  • CWE.20.TDINPUT
  • CWE.20.TDLIB
  • CWE.20.TDLOG
  • CWE.20.TDRESP
  • CWE.20.TDRFL
  • CWE.20.BSA
  • CWE.20.CACO
  • CWE.20.CLP
  • CWE.20.ICO
  • CWE.20.IOF
  • CWE.20.CAI
  • CWE.20.NATV
  • CWE.20.SYSP
  • CWE.20.AEAF
  • CWE.20.CSVFV
  • CWE.20.NATIW
  • CWE.20.APIBS
  • CWE.20.BUSSB
  • CWE.20.UCO
  • CWE.20.DFV
  • CWE.20.EV
  • CWE.20.PLUGIN

CWE-77

Improper Neutralization of Special Elements used in a Command ('Command Injection')

  • CWE.77.TDCMD

CWE-287

Improper Authentication

  • CWE.287.TDPASSWD
  • CWE.287.UPWD
  • CWE.287.PLAIN
  • CWE.287.PCCF
  • CWE.287.PTPT
  • CWE.287.PWDPROP
  • CWE.287.PWDXML
  • CWE.287.UTAX
  • CWE.287.WCPWD
  • CWE.287.WPWD
  • CWE.287.CKTS
  • CWE.287.DNSL
  • CWE.287.HCCK
  • CWE.287.HCCS
  • CWE.287.HTTPRHA
  • CWE.287.HV
  • CWE.287.PBFA
  • CWE.287.SSM
  • CWE.287.USC
  • CWE.287.VSI
  • CWE.287.MLVP

CWE-269

Improper Privilege Management

  • CWE.269.DPANY
  • CWE.269.LDP
  • CWE.269.PCL

CWE-502

Deserialization of Untrusted Data

  • CWE.502.SSSD
  • CWE.502.MASP
  • CWE.502.AUXD
  • CWE.502.SC
  • CWE.502.RWAF
  • CWE.502.VOBD

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

  • CWE.200.SENS
  • CWE.200.SENSLOG
  • CWE.200.CONSEN
  • CWE.200.PEO
  • CWE.200.SIO
  • CWE.200.ACPST
  • CWE.200.EWSSEC

CWE-863

Incorrect Authorization

  • CWE.863.DSR
  • CWE.863.SRCD

CWE-918

Server-Side Request Forgery (SSRF)

  • CWE.918.TDNET

CWE-119

Improper Restriction of Operations within the Bounds of a Memory Buffer

  • CWE.119.ARRAY
  • CWE.119.FREE
  • CWE.119.ARRAYSEC
  • CWE.119.BUSSB

CWE-476

NULL Pointer Dereference

  • CWE.476.NP

CWE-798

Use of Hard-coded Credentials

  • CWE.798.HCCK
  • CWE.798.HCCS

CWE-190

Integer Overflow or Wraparound

  • CWE.190.INTWRAP
  • CWE.190.BSA
  • CWE.190.CACO
  • CWE.190.CLP
  • CWE.190.ICO
  • CWE.190.IOF

CWE-400

Uncontrolled Resource Consumption

  • CWE.400.LEAKS
  • CWE.400.TDALLOC
  • CWE.400.USB
  • CWE.400.DMDS
  • CWE.400.ISTART

CWE-306

Missing Authentication for Critical Function

  • CWE.306.SSM