The following table includes the test configurations shipped in the [INSTALL]/configs/builtin directory.
Static Analysis
This group includes universal static analysis test configurations. See Security Compliance Pack for test configurations that enforce security coding standards.
Built-in Test Configuration | Description |
---|---|
Code Smells | Rules based on the Code Smells document (available at http://xp.c2.com/CodeSmell.html) by Kent Beck and Martin Fowler. |
Critical Rules | Includes most Severity 1 rules, as well as rules in the Flow Analysis Fast configuration. |
Demo Configuration | Includes rules for demonstrating various techniques of code analysis. May not be suitable for large code bases. |
Find Duplicated Code | Applies static code analysis rules that report duplicate code. Duplicate code may indicate poor application design and lead to maintainability issues. |
Find Memory Problems | Includes rules for finding memory management issues in the code. |
Find Unused Code | Includes rules for identifying unused/dead code. |
Flow Analysis Standard | Detects complex runtime errors without requiring test cases or application execution. Defects detected include using uninitialized or invalid memory, null pointer dereferencing, array and buffer overflows, division by zero, memory and resource leaks, and dead code. This requires a special Flow Analysis license option. |
Flow Analysis Aggressive | Includes rules for deep flow analysis of code. Significant amount of time may be required to run this configuration. |
Flow Analysis Fast | Includes rules for shallow depth of flow analysis, which limits the number of potentially acceptable defects from being reported. |
Internationalize Code | Applies static code analysis to expose code that is likely to impede internationalization efforts. |
Metrics | Computes values for several code metrics. |
Recommended Rules | The default configuration of recommended rules. Covers most Severity 1 and Severity 2 rules. Includes rules in the Flow Analysis Fast configuration. |
Thread Safe Programming | Rules that uncover code which will be dangerous to run in multi-threaded environments— as well as help prevent common threading problems such as deadlocks, race conditions, a missed notification, infinite loops, and data corruption. |
TDD Best Practices | The TDD (Test Driven Development) Best Practices configuration includes rules based on the Code Smells document (available at http://xp.c2.com/CodeSmell.html), rules that check whether the JUnit test classes are comprehensive for the tested class, and rules from the Critical Rules test configuration. |
JUnit 4 Best Practices | Includes rules that help you improve the quality of your JUnit 4 unit tests. |
JUnit 5 Best Practices | Includes rules that help you improve the quality of your JUnit 5 unit tests. |
Security Compliance Pack
This compliance pack includes test configurations that help you enforce security coding standards and practices. See Compliance Packs Rule Mapping for information how the standards are mapped to Jtest's rules.
Security Compliance Pack requires dedicated license features to be activated. Contact Parasoft Support for more details on licensing.
Built-in Test Configuration | Description |
---|---|
CWE 4.9 | Includes rules that find issues identified in the CWE standard v4.9. This test configuration is part of Parasoft Compliance Pack solution that allows you to monitor compliance with industry standards using the "Compliance" extensions on DTP. |
CWE Top 25 2022 | Includes rules that find issues classified as Top 25 Most Dangerous Programming Errors of the CWE standard v.2022. This test configuration is part of Parasoft Compliance Pack solution that allows you to monitor compliance with industry standards using the "Compliance" extensions on DTP. |
CWE Top 25 2021 | Includes rules that find issues classified as Top 25 Most Dangerous Programming Errors of the CWE standard v.2021. This test configuration is part of Parasoft Compliance Pack solution that allows you to monitor compliance with industry standards using the "Compliance" extensions on DTP. |
CWE Top 25 + On the Cusp 2022 | Includes rules that find issues classified as Top 25 Most Dangerous Programming Errors of the CWE standard or included on the CWE Weaknesses On the Cusp list v.2022. This test configuration is part of Parasoft Compliance Pack solution that allows you to monitor compliance with industry standards using the "Compliance" extensions on DTP. |
CWE Top 25 + On the Cusp 2021 | Includes rules that find issues classified as Top 25 Most Dangerous Programming Errors of the CWE standard or included on the CWE Weaknesses On the Cusp list v.2021. This test configuration is part of Parasoft Compliance Pack solution that allows you to monitor compliance with industry standards using the "Compliance" extensions on DTP. |
DISA-ASD-STIG | Includes rules that find issues identified in Application Security and Development STIG (Security Technical Implementation Guide) provided by Defense Information Systems Agency. See also DISA-ASD-STIG Known Limitation. |
HIPAA | Includes rules that find issues identified by the HIPAA (Health Insurance Portability and Accountability Act) regulations. |
OWASP API Security Top 10-2019 | Includes rules that find issues identified in OWASP’s API Security Top 10. This test configuration is part of Parasoft Compliance Pack solution that allows you to monitor compliance with industry standards using the "Compliance" extensions on DTP. |
OWASP Top 10-2021 | Includes rules that find web application security risks identified in the OWASP Top 10 - 2021. This test configuration is part of Parasoft Compliance Pack solution that allows you to monitor compliance with industry standards using the "Compliance" extensions on DTP. |
OWASP Top 10-2017 | Includes rules that find web application security risks identified in the OWASP Top 10 - 2017. This test configuration is part of Parasoft Compliance Pack solution that allows you to monitor compliance with industry standards using the "Compliance" extensions on DTP. |
PCI DSS 4.0 | Includes rules that find issues identified in PCI Data Security Standard version 4.0. |
PCI DSS 3.2 | Includes rules that find issues identified in PCI Data Security Standard version 3.2. |
CERT for Java | Checks rules for the CERT standard. This standard provides guidelines for secure coding. |
CERT for Java Guidelines | Checks rules and recommendations for the CERT standard. This standard provides guidelines for secure coding. |
UL 2900 | Includes rules that find issues identified in the UL-2900 standard. |
VVSG 2.0 | Includes rules that enforce the specifications and requirements defined in Voluntary Voting System Guidelines 2.0. |
Unit Testing and Collecting Coverage
This group includes test configurations that allow you to run and collect coverage data for unit tests.
Built-in Test Configuration | Description |
---|---|
Calculate Application Coverage | Processes the application coverage data to generate a coverage.xml file. See Application Coverage. |
Unit Tests | Includes the unit test execution data in the generated report file |
Compliance Packs Rule Mapping
This section includes rule mapping for the CWE standard. The mapping information for other standards is available in the PDF rule mapping files shipped with Compliance Packs.
CWE Top 25 2022 Mapping
CWE ID | CWE name/description | Parasoft rule ID(s) |
---|---|---|
CWE-787 | Out-of-bounds Write |
|
CWE-79 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
|
CWE-89 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') |
|
CWE-20 | Improper Input Validation |
|
CWE-125 | Out-of-bounds Read |
|
CWE-78 | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') |
|
CWE-416 | Use After Free |
|
CWE-22 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') |
|
CWE-352 | Cross-Site Request Forgery (CSRF) |
|
CWE-434 | Unrestricted Upload of File with Dangerous Type |
|
CWE-476 | NULL Pointer Dereference |
|
CWE-502 | Deserialization of Untrusted Data |
|
CWE-190 | Integer Overflow or Wraparound |
|
CWE-287 | Improper Authentication |
|
CWE-798 | Use of Hard-coded Credentials |
|
CWE-862 | Missing Authorization |
|
CWE-77 | Improper Neutralization of Special Elements used in a Command ('Command Injection') |
|
CWE-306 | Missing Authentication for Critical Function |
|
CWE-119 | Improper Restriction of Operations within the Bounds of a Memory Buffer |
|
CWE-276 | Incorrect Default Permissions |
|
CWE-918 | Server-Side Request Forgery (SSRF) |
|
CWE-362 | Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') |
|
CWE-400 | Uncontrolled Resource Consumption |
|
CWE-611 | Improper Restriction of XML External Entity Reference |
|
CWE-94 | Improper Control of Generation of Code ('Code Injection') |
|
CWE Top 25 2021 Mapping
CWE ID | CWE name/description | Parasoft rule ID(s) |
---|---|---|
CWE-787 | Out-of-bounds Write |
|
CWE-79 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
|
CWE-125 | Out-of-bounds Read |
|
CWE-20 | Improper Input Validation |
|
CWE-78 | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') |
|
CWE-89 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') |
|
CWE-416 | Use After Free |
|
CWE-22 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') |
|
CWE-352 | Cross-Site Request Forgery (CSRF) |
|
CWE-434 | Unrestricted Upload of File with Dangerous Type |
|
CWE-306 | Missing Authentication for Critical Function |
|
CWE-190 | Integer Overflow or Wraparound |
|
CWE-502 | Deserialization of Untrusted Data |
|
CWE-287 | Improper Authentication |
|
CWE-476 | NULL Pointer Dereference |
|
CWE-798 | Use of Hard-coded Credentials |
|
CWE-119 | Improper Restriction of Operations within the Bounds of a Memory Buffer |
|
CWE-862 | Missing Authorization |
|
CWE-276 | Incorrect Default Permissions |
|
CWE-200 | Exposure of Sensitive Information to an Unauthorized Actor |
|
CWE-522 | Insufficiently Protected Credentials |
|
CWE-732 | Incorrect Permission Assignment for Critical Resource |
|
CWE-611 | Improper Restriction of XML External Entity Reference |
|
CWE-918 | Server-Side Request Forgery (SSRF) |
|
CWE-77 | Improper Neutralization of Special Elements used in a Command ('Command Injection') |
|
CWE Weaknesses On the Cusp 2022 Mapping
CWE ID | CWE name/description | Parasoft rule ID(s) |
---|---|---|
CWE-295 | Improper Certificate Validation |
|
CWE-427 | Uncontrolled Search Path Element |
|
CWE-863 | Incorrect Authorization |
|
CWE-269 | Improper Privilege Management |
|
CWE-732 | Incorrect Permission Assignment for Critical Resource |
|
CWE-843 | Access of Resource Using Incompatible Type ('Type Confusion') |
|
CWE-668 | Exposure of Resource to Wrong Sphere |
|
CWE-200 | Exposure of Sensitive Information to an Unauthorized Actor |
|
CWE-1321 | Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') |
|
CWE-601 | URL Redirection to Untrusted Site ('Open Redirect') |
|
CWE-401 | Missing Release of Memory after Effective Lifetime |
|
CWE-59 | Improper Link Resolution Before File Access ('Link Following') |
|
CWE-522 | Insufficiently Protected Credentials |
|
CWE-319 | Cleartext Transmission of Sensitive Information |
|
CWE-312 | Cleartext Storage of Sensitive Information |
|
CWE Weaknesses On the Cusp 2021 Mapping
CWE ID | CWE name/description | Parasoft rule ID(s) |
---|---|---|
CWE-295 | Improper Certificate Validation |
|
CWE-400 | Uncontrolled Resource Consumption |
|
CWE-94 | Improper Control of Generation of Code ('Code Injection') |
|
CWE-269 | Improper Privilege Management |
|
CWE-917 | Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection') |
|
CWE-59 | Improper Link Resolution Before File Access ('Link Following') |
|
CWE-401 | Missing Release of Memory after Effective Lifetime |
|
CWE-362 | Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') |
|
CWE-427 | Uncontrolled Search Path Element |
|
CWE-319 | Cleartext Transmission of Sensitive Information |
|
CWE-843 | Access of Resource Using Incompatible Type ('Type Confusion') |
|
CWE-601 | URL Redirection to Untrusted Site ('Open Redirect') |
|
CWE-863 | Incorrect Authorization |
|
CWE-532 | Insertion of Sensitive Information into Log File |
|
CWE-770 | Allocation of Resources Without Limits or Throttling |
|
CWE 4.9 Mapping
CWE ID | CWE name/description | Parasoft rule ID(s) |
---|---|---|
CWE-6 | J2EE Misconfiguration: Insufficient Session-ID Length |
|
CWE-7 | J2EE Misconfiguration: Missing Custom Error Page |
|
CWE-8 | J2EE Misconfiguration: Entity Bean Declared Remote |
|
CWE-9 | J2EE Misconfiguration: Weak Access Permissions for EJB Methods |
|
CWE-15 | External Control of System or Configuration Setting |
|
CWE-20 | Improper Input Validation |
|
CWE-22 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') |
|
CWE-59 | Improper Link Resolution Before File Access ('Link Following') |
|
CWE-61 | UNIX Symbolic Link (Symlink) Following |
|
CWE-64 | Windows Shortcut Following (.LNK) |
|
CWE-73 | External Control of File Name or Path |
|
CWE-74 | Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') |
|
CWE-77 | Improper Neutralization of Special Elements used in a Command ('Command Injection') |
|
CWE-78 | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') |
|
CWE-79 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
|
CWE-80 | Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) |
|
CWE-81 | Improper Neutralization of Script in an Error Message Web Page |
|
CWE-83 | Improper Neutralization of Script in Attributes in a Web Page |
|
CWE-89 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') |
|
CWE-90 | Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection') |
|
CWE-91 | XML Injection (aka Blind XPath Injection) |
|
CWE-93 | Improper Neutralization of CRLF Sequences ('CRLF Injection') |
|
CWE-94 | Improper Control of Generation of Code ('Code Injection') |
|
CWE-95 | Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') |
|
CWE-99 | Improper Control of Resource Identifiers ('Resource Injection') |
|
CWE-102 | Struts: Duplicate Validation Forms |
|
CWE-103 | Struts: Incomplete validate() Method Definition |
|
CWE-104 | Struts: Form Bean Does Not Extend Validation Class |
|
CWE-106 | Struts: Plug-in Framework not in Use |
|
CWE-109 | Struts: Validator Turned Off |
|
CWE-111 | Direct Use of Unsafe JNI |
|
CWE-113 | Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') |
|
CWE-114 | Process Control |
|
CWE-116 | Improper Encoding or Escaping of Output |
|
CWE-117 | Improper Output Neutralization for Logs |
|
CWE-119 | Improper Restriction of Operations within the Bounds of a Memory Buffer |
|
CWE-125 | Out-of-bounds Read |
|
CWE-129 | Improper Validation of Array Index |
|
CWE-131 | Incorrect Calculation of Buffer Size |
|
CWE-134 | Use of Externally-Controlled Format String |
|
CWE-185 | Incorrect Regular Expression |
|
CWE-188 | Reliance on Data/Memory Layout |
|
CWE-190 | Integer Overflow or Wraparound |
|
CWE-191 | Integer Underflow (Wrap or Wraparound) |
|
CWE-193 | Off-by-one Error |
|
CWE-198 | Use of Incorrect Byte Ordering |
|
CWE-200 | Exposure of Sensitive Information to an Unauthorized Actor |
|
CWE-209 | Generation of Error Message Containing Sensitive Information |
|
CWE-212 | Improper Removal of Sensitive Information Before Storage or Transfer |
|
CWE-213 | Exposure of Sensitive Information Due to Incompatible Policies |
|
CWE-215 | Insertion of Sensitive Information Into Debugging Code |
|
CWE-221 | Information Loss or Omission |
|
CWE-223 | Omission of Security-relevant Information |
|
CWE-245 | J2EE Bad Practices: Direct Management of Connections |
|
CWE-246 | J2EE Bad Practices: Direct Use of Sockets |
|
CWE-248 | Uncaught Exception |
|
CWE-250 | Execution with Unnecessary Privileges |
|
CWE-252 | Unchecked Return Value |
|
CWE-256 | Plaintext Storage of a Password |
|
CWE-258 | Empty Password in Configuration File |
|
CWE-260 | Password in Configuration File |
|
CWE-261 | Weak Encoding for Password |
|
CWE-266 | Incorrect Privilege Assignment |
|
CWE-269 | Improper Privilege Management |
|
CWE-279 | Incorrect Execution-Assigned Permissions |
|
CWE-284 | Improper Access Control |
|
CWE-285 | Improper Authorization |
|
CWE-287 | Improper Authentication |
|
CWE-290 | Authentication Bypass by Spoofing |
|
CWE-295 | Improper Certificate Validation |
|
CWE-297 | Improper Validation of Certificate with Host Mismatch |
|
CWE-306 | Missing Authentication for Critical Function |
|
CWE-307 | Improper Restriction of Excessive Authentication Attempts |
|
CWE-311 | Missing Encryption of Sensitive Data |
|
CWE-312 | Cleartext Storage of Sensitive Information |
|
CWE-313 | Cleartext Storage in a File or on Disk |
|
CWE-315 | Cleartext Storage of Sensitive Information in a Cookie |
|
CWE-319 | Cleartext Transmission of Sensitive Information |
|
CWE-321 | Use of Hard-coded Cryptographic Key |
|
CWE-325 | Missing Cryptographic Step |
|
CWE-326 | Inadequate Encryption Strength |
|
CWE-327 | Use of a Broken or Risky Cryptographic Algorithm |
|
CWE-328 | Use of Weak Hash |
|
CWE-329 | Generation of Predictable IV with CBC Mode |
|
CWE-330 | Use of Insufficiently Random Values |
|
CWE-334 | Small Space of Random Values |
|
CWE-335 | Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG) |
|
CWE-336 | Same Seed in Pseudo-Random Number Generator (PRNG) |
|
CWE-337 | Predictable Seed in Pseudo-Random Number Generator (PRNG) |
|
CWE-338 | Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) |
|
CWE-344 | Use of Invariant Value in Dynamically Changing Context |
|
CWE-345 | Insufficient Verification of Data Authenticity |
|
CWE-346 | Origin Validation Error |
|
CWE-347 | Improper Verification of Cryptographic Signature |
|
CWE-350 | Reliance on Reverse DNS Resolution for a Security-Critical Action |
|
CWE-352 | Cross-Site Request Forgery (CSRF) |
|
CWE-359 | Exposure of Private Personal Information to an Unauthorized Actor |
|
CWE-362 | Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') |
|
CWE-367 | Time-of-check Time-of-use (TOCTOU) Race Condition |
|
CWE-369 | Divide By Zero |
|
CWE-375 | Returning a Mutable Object to an Untrusted Caller |
|
CWE-377 | Insecure Temporary File |
|
CWE-382 | J2EE Bad Practices: Use of System.exit() |
|
CWE-383 | J2EE Bad Practices: Direct Use of Threads |
|
CWE-384 | Session Fixation |
|
CWE-390 | Detection of Error Condition Without Action |
|
CWE-391 | Unchecked Error Condition |
|
CWE-395 | Use of NullPointerException Catch to Detect NULL Pointer Dereference |
|
CWE-396 | Declaration of Catch for Generic Exception |
|
CWE-397 | Declaration of Throws for Generic Exception |
|
CWE-400 | Uncontrolled Resource Consumption |
|
CWE-404 | Improper Resource Shutdown or Release |
|
CWE-413 | Improper Resource Locking |
|
CWE-416 | Use After Free |
|
CWE-426 | Untrusted Search Path |
|
CWE-427 | Uncontrolled Search Path Element |
|
CWE-434 | Unrestricted Upload of File with Dangerous Type |
|
CWE-436 | Interpretation Conflict |
|
CWE-441 | Unintended Proxy or Intermediary ('Confused Deputy') |
|
CWE-456 | Missing Initialization of a Variable |
|
CWE-457 | Use of Uninitialized Variable |
|
CWE-459 | Incomplete Cleanup |
|
CWE-470 | Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') |
|
CWE-471 | Modification of Assumed-Immutable Data (MAID) |
|
CWE-476 | NULL Pointer Dereference |
|
CWE-477 | Use of Obsolete Function |
|
CWE-478 | Missing Default Case in Multiple Condition Expression |
|
CWE-480 | Use of Incorrect Operator |
|
CWE-481 | Assigning instead of Comparing |
|
CWE-483 | Incorrect Block Delimitation |
|
CWE-484 | Omitted Break Statement in Switch |
|
CWE-486 | Comparison of Classes by Name |
|
CWE-487 | Reliance on Package-level Scope |
|
CWE-491 | Public cloneable() Method Without Final ('Object Hijack') |
|
CWE-492 | Use of Inner Class Containing Sensitive Data |
|
CWE-493 | Critical Public Variable Without Final Modifier |
|
CWE-495 | Private Data Structure Returned From A Public Method |
|
CWE-496 | Public Data Assigned to Private Array-Typed Field |
|
CWE-497 | Exposure of Sensitive System Information to an Unauthorized Control Sphere |
|
CWE-499 | Serializable Class Containing Sensitive Data |
|
CWE-500 | Public Static Field Not Marked Final |
|
CWE-501 | Trust Boundary Violation |
|
CWE-502 | Deserialization of Untrusted Data |
|
CWE-506 | Embedded Malicious Code |
|
CWE-511 | Logic/Time Bomb |
|
CWE-521 | Weak Password Requirements |
|
CWE-522 | Insufficiently Protected Credentials |
|
CWE-523 | Unprotected Transport of Credentials |
|
CWE-532 | Insertion of Sensitive Information into Log File |
|
CWE-538 | Insertion of Sensitive Information into Externally-Accessible File or Directory |
|
CWE-543 | Use of Singleton Pattern Without Synchronization in a Multithreaded Context |
|
CWE-546 | Suspicious Comment |
|
CWE-555 | J2EE Misconfiguration: Plaintext Password in Configuration File |
|
CWE-561 | Dead Code |
|
CWE-563 | Assignment to Variable without Use |
|
CWE-568 | finalize() Method Without super.finalize() |
|
CWE-570 | Expression is Always False |
|
CWE-571 | Expression is Always True |
|
CWE-572 | Call to Thread run() instead of start() |
|
CWE-573 | Improper Following of Specification by Caller |
|
CWE-576 | EJB Bad Practices: Use of Java I/O |
|
CWE-577 | EJB Bad Practices: Use of Sockets |
|
CWE-578 | EJB Bad Practices: Use of Class Loader |
|
CWE-579 | J2EE Bad Practices: Non-serializable Object Stored in Session |
|
CWE-580 | clone() Method Without super.clone() |
|
CWE-581 | Object Model Violation: Just One of Equals and Hashcode Defined |
|
CWE-582 | Array Declared Public, Final, and Static |
|
CWE-583 | finalize() Method Declared Public |
|
CWE-584 | Return Inside Finally Block |
|
CWE-585 | Empty Synchronized Block |
|
CWE-586 | Explicit Call to Finalize() |
|
CWE-594 | J2EE Framework: Saving Unserializable Objects to Disk |
|
CWE-595 | Comparison of Object References Instead of Object Contents |
|
CWE-600 | Uncaught Exception in Servlet |
|
CWE-601 | URL Redirection to Untrusted Site ('Open Redirect') |
|
CWE-605 | Multiple Binds to the Same Port |
|
CWE-607 | Public Static Final Field References Mutable Object |
|
CWE-609 | Double-Checked Locking |
|
CWE-610 | Externally Controlled Reference to a Resource in Another Sphere |
|
CWE-611 | Improper Restriction of XML External Entity Reference |
|
CWE-613 | Insufficient Session Expiration |
|
CWE-614 | Sensitive Cookie in HTTPS Session Without 'Secure' Attribute |
|
CWE-617 | Reachable Assertion |
|
CWE-642 | External Control of Critical State Data |
|
CWE-643 | Improper Neutralization of Data within XPath Expressions ('XPath Injection') |
|
CWE-644 | Improper Neutralization of HTTP Headers for Scripting Syntax |
|
CWE-652 | Improper Neutralization of Data within XQuery Expressions ('XQuery Injection') |
|
CWE-657 | Violation of Secure Design Principles |
|
CWE-662 | Improper Synchronization |
|
CWE-664 | Improper Control of a Resource Through its Lifetime |
|
CWE-665 | Improper Initialization |
|
CWE-666 | Operation on Resource in Wrong Phase of Lifetime |
|
CWE-667 | Improper Locking |
|
CWE-668 | Exposure of Resource to Wrong Sphere |
|
CWE-669 | Incorrect Resource Transfer Between Spheres |
|
CWE-670 | Always-Incorrect Control Flow Implementation |
|
CWE-671 | Lack of Administrator Control over Security |
|
CWE-672 | Operation on a Resource after Expiration or Release |
|
CWE-673 | External Influence of Sphere Definition |
|
CWE-674 | Uncontrolled Recursion |
|
CWE-675 | Multiple Operations on Resource in Single-Operation Context |
|
CWE-676 | Use of Potentially Dangerous Function |
|
CWE-680 | Integer Overflow to Buffer Overflow |
|
CWE-681 | Incorrect Conversion between Numeric Types |
|
CWE-682 | Incorrect Calculation |
|
CWE-691 | Insufficient Control Flow Management |
|
CWE-693 | Protection Mechanism Failure |
|
CWE-694 | Use of Multiple Resources with Duplicate Identifier |
|
CWE-695 | Use of Low-Level Functionality |
|
CWE-697 | Incorrect Comparison |
|
CWE-703 | Improper Check or Handling of Exceptional Conditions |
|
CWE-704 | Incorrect Type Conversion or Cast |
|
CWE-705 | Incorrect Control Flow Scoping |
|
CWE-706 | Use of Incorrectly-Resolved Name or Reference |
|
CWE-710 | Improper Adherence to Coding Standards |
|
CWE-732 | Incorrect Permission Assignment for Critical Resource |
|
CWE-749 | Exposed Dangerous Method or Function |
|
CWE-754 | Improper Check for Unusual or Exceptional Conditions |
|
CWE-755 | Improper Handling of Exceptional Conditions |
|
CWE-756 | Missing Custom Error Page |
|
CWE-759 | Use of a One-Way Hash without a Salt |
|
CWE-764 | Multiple Locks of a Critical Resource |
|
CWE-770 | Allocation of Resources Without Limits or Throttling |
|
CWE-771 | Missing Reference to Active Allocated Resource |
|
CWE-772 | Missing Release of Resource after Effective Lifetime |
|
CWE-778 | Insufficient Logging |
|
CWE-787 | Out-of-bounds Write |
|
CWE-789 | Memory Allocation with Excessive Size Value |
|
CWE-798 | Use of Hard-coded Credentials |
|
CWE-799 | Improper Control of Interaction Frequency |
|
CWE-805 | Buffer Access with Incorrect Length Value |
|
CWE-806 | Buffer Access Using Size of Source Buffer |
|
CWE-807 | Reliance on Untrusted Inputs in a Security Decision |
|
CWE-820 | Missing Synchronization |
|
CWE-821 | Incorrect Synchronization |
|
CWE-825 | Expired Pointer Dereference |
|
CWE-829 | Inclusion of Functionality from Untrusted Control Sphere |
|
CWE-832 | Unlock of a Resource that is not Locked |
|
CWE-833 | Deadlock |
|
CWE-834 | Excessive Iteration |
|
CWE-835 | Loop with Unreachable Exit Condition ('Infinite Loop') |
|
CWE-836 | Use of Password Hash Instead of Password for Authentication |
|
CWE-838 | Inappropriate Encoding for Output Context |
|
CWE-841 | Improper Enforcement of Behavioral Workflow |
|
CWE-843 | Access of Resource Using Incompatible Type ('Type Confusion') |
|
CWE-862 | Missing Authorization |
|
CWE-863 | Incorrect Authorization |
|
CWE-908 | Use of Uninitialized Resource |
|
CWE-909 | Missing Initialization of Resource |
|
CWE-912 | Hidden Functionality |
|
CWE-913 | Improper Control of Dynamically-Managed Code Resources |
|
CWE-916 | Use of Password Hash With Insufficient Computational Effort |
|
CWE-918 | Server-Side Request Forgery (SSRF) |
|
CWE-922 | Insecure Storage of Sensitive Information |
|
CWE-923 | Improper Restriction of Communication Channel to Intended Endpoints |
|
CWE-943 | Improper Neutralization of Special Elements in Data Query Logic |
|
CWE-1004 | Sensitive Cookie Without 'HttpOnly' Flag |
|
CWE-1023 | Incomplete Comparison with Missing Factors |
|
CWE-1025 | Comparison Using Wrong Factors |
|
CWE-1071 | Empty Code Block |
|
CWE-1076 | Insufficient Adherence to Expected Conventions |
|
CWE-1078 | Inappropriate Source Code Style or Formatting |
|
CWE-1164 | Irrelevant Code |
|
CWE-1173 | Improper Use of Validation Framework |
|
CWE-1177 | Use of Prohibited Code |
|
CWE-1204 | Generation of Weak Initialization Vector (IV) |
|
CWE-1284 | Improper Validation of Specified Quantity in Input |
|
CWE-1285 | Improper Validation of Specified Index, Position, or Offset in Input |
|
CWE-1385 | Missing Origin Validation in WebSockets |
|
CWE-1390 | Weak Authentication |
|
CWE-1391 | Use of Weak Credentials |
|