The following table includes the test configurations shipped in the [INSTALL]/configs/builtin directory.

Static Analysis

This group includes universal static analysis test configurations. See Security Compliance Pack for test configurations that enforce security coding standards.

Built-in Test Configuration

Description

Code Smells

Rules based on the Code Smells document (available at http://xp.c2.com/CodeSmell.html) by Kent Beck and Martin Fowler.

Critical Rules

Includes most Severity 1 rules, as well as rules in the Flow Analysis Fast configuration.

Demo Configuration

Includes rules for demonstrating various techniques of code analysis. May not be suitable for large code bases.

Find Duplicated Code

Applies static code analysis rules that report duplicate code. Duplicate code may indicate poor application design and lead to maintainability issues.

Find Memory Problems

Includes rules for finding memory management issues in the code.

Find Unused Code

Includes rules for identifying unused/dead code.

Flow Analysis Standard

Detects complex runtime errors without requiring test cases or application execution. Defects detected include using uninitialized or invalid memory, null pointer dereferencing, array and buffer overflows, division by zero, memory and resource leaks, and dead code. This requires a special Flow Analysis license option.

Flow Analysis Aggressive

Includes rules for deep flow analysis of code. A significant amount of time may be required to run this configuration.

Flow Analysis Fast

Includes rules for shallow flow analysis, which limits the number of potentially acceptable defects that are reported.

Internationalize Code

Applies static code analysis to expose code that is likely to impede internationalization efforts.

Metrics

Computes values for several code metrics.

Recommended Rules

The default configuration of recommended rules. Covers most Severity 1 and Severity 2 rules. Includes rules in the Flow Analysis Fast configuration.

Thread Safe Programming

Rules that uncover code which will be dangerous to run in multi-threaded environments, and that help prevent common threading problems such as deadlocks, race conditions, missed notifications, infinite loops, and data corruption.

TDD Best Practices

The TDD (Test Driven Development) Best Practices configuration includes rules based on the Code Smells document (available at http://xp.c2.com/CodeSmell.html), rules that check whether the JUnit test classes are comprehensive for the tested class, and rules from the Critical Rules test configuration.

JUnit 4 Best Practices

Includes rules that help you improve the quality of your JUnit 4 unit tests.

JUnit 5 Best Practices

Includes rules that help you improve the quality of your JUnit 5 unit tests.

Security Compliance Pack

This compliance pack includes test configurations that help you enforce security coding standards and practices. See Compliance Packs Rule Mapping for information on how the standards are mapped to Jtest's rules.

(info) Security Compliance Pack requires dedicated license features to be activated. Contact Parasoft Support for more details on licensing.

Displaying compliance results on DTP

Some test configurations in this category have a corresponding "Compliance" extension on DTP, which allows you to view your security compliance status, generate compliance reports, and monitor the progress towards your security compliance goals. See the "Extensions for DTP" section in the DTP documentation for the list of available extensions, requirements, and usage.

Built-in Test Configuration

Description

CWE 4.9

Includes rules that find issues identified in the CWE standard v4.9.

(info) This test configuration is part of Parasoft Compliance Pack solution that allows you to monitor compliance with industry standards using the "Compliance" extensions on DTP.

CWE Top 25 2022

Includes rules that find issues classified as Top 25 Most Dangerous Programming Errors of the CWE standard v.2022.

(info) This test configuration is part of Parasoft Compliance Pack solution that allows you to monitor compliance with industry standards using the "Compliance" extensions on DTP.

CWE Top 25 2021

Includes rules that find issues classified as Top 25 Most Dangerous Programming Errors of the CWE standard v.2021.

(info) This test configuration is part of Parasoft Compliance Pack solution that allows you to monitor compliance with industry standards using the "Compliance" extensions on DTP.

CWE Top 25 + On the Cusp 2022

Includes rules that find issues classified as Top 25 Most Dangerous Programming Errors of the CWE standard or included on the CWE Weaknesses On the Cusp list v.2022.

(info) This test configuration is part of Parasoft Compliance Pack solution that allows you to monitor compliance with industry standards using the "Compliance" extensions on DTP.

CWE Top 25 + On the Cusp 2021

Includes rules that find issues classified as Top 25 Most Dangerous Programming Errors of the CWE standard or included on the CWE Weaknesses On the Cusp list v.2021.

(info) This test configuration is part of Parasoft Compliance Pack solution that allows you to monitor compliance with industry standards using the "Compliance" extensions on DTP.

DISA-ASD-STIG

Includes rules that find issues identified in Application Security and Development STIG (Security Technical Implementation Guide) provided by Defense Information Systems Agency. See also DISA-ASD-STIG Known Limitation.

HIPAA

Includes rules that find issues identified by the HIPAA (Health Insurance Portability and Accountability Act) regulations.

OWASP API Security Top 10-2019

Includes rules that find issues identified in OWASP’s API Security Top 10.

(info) This test configuration is part of Parasoft Compliance Pack solution that allows you to monitor compliance with industry standards using the "Compliance" extensions on DTP.

OWASP Top 10-2021

Includes rules that find web application security risks identified in the OWASP Top 10 - 2021.

(info) This test configuration is part of Parasoft Compliance Pack solution that allows you to monitor compliance with industry standards using the "Compliance" extensions on DTP.

OWASP Top 10-2017

Includes rules that find web application security risks identified in the OWASP Top 10 - 2017.

(info) This test configuration is part of Parasoft Compliance Pack solution that allows you to monitor compliance with industry standards using the "Compliance" extensions on DTP.

PCI DSS 4.0

Includes rules that find issues identified in PCI Data Security Standard version 4.0.

PCI DSS 3.2

Includes rules that find issues identified in PCI Data Security Standard version 3.2.

CERT for Java

Checks rules for the CERT standard. This standard provides guidelines for secure coding.

CERT for Java Guidelines

Checks rules and recommendations for the CERT standard. This standard provides guidelines for secure coding.

UL 2900

Includes rules that find issues identified in the UL-2900 standard.

VVSG 2.0

Includes rules that enforce the specifications and requirements defined in Voluntary Voting System Guidelines 2.0.

Unit Testing and Collecting Coverage

This group includes test configurations that allow you to run and collect coverage data for unit tests.

Built-in Test Configuration

Description

Calculate Application Coverage

Processes the application coverage data to generate a coverage.xml file. See Application Coverage.

Unit Tests

Includes the unit test execution data in the generated report file.

Compliance Packs Rule Mapping

This section includes rule mapping for the CWE standard. The mapping information for other standards is available in the PDF rule mapping files shipped with Compliance Packs.

CWE Top 25 2022 Mapping

CWE ID

CWE name/description

Parasoft rule ID(s)

CWE-787

Out-of-bounds Write

  • CWE.787.ARRAY
  • CWE.787.ARRAYSEC

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

  • CWE.79.EACM
  • CWE.79.TDDIG
  • CWE.79.TDRESP
  • CWE.79.TDXML
  • CWE.79.TDXSS
  • CWE.79.VPPD
  • CWE.79.ARXML

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

  • CWE.89.TDSQL
  • CWE.89.UPS

CWE-20

Improper Input Validation

  • CWE.20.ARRAY
  • CWE.20.INTOVERF
  • CWE.20.FREE
  • CWE.20.ARRAYSEC
  • CWE.20.TDALLOC
  • CWE.20.TDINPUT
  • CWE.20.TDLIB
  • CWE.20.TDLOG
  • CWE.20.TDRESP
  • CWE.20.TDRFL
  • CWE.20.BSA
  • CWE.20.CACO
  • CWE.20.CLP
  • CWE.20.ICO
  • CWE.20.IOF
  • CWE.20.CAI
  • CWE.20.NATV
  • CWE.20.SYSP
  • CWE.20.AEAF
  • CWE.20.CSVFV
  • CWE.20.NATIW
  • CWE.20.APIBS
  • CWE.20.BUSSB
  • CWE.20.UCO
  • CWE.20.DFV
  • CWE.20.EV
  • CWE.20.PLUGIN

CWE-125

Out-of-bounds Read

  • CWE.125.ARRAY
  • CWE.125.ARRAYSEC

CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

  • CWE.78.TDCMD

CWE-416

Use After Free

  • CWE.416.FREE

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

  • CWE.22.TDFNAMES

CWE-352

Cross-Site Request Forgery (CSRF)

  • CWE.352.EACM
  • CWE.352.TDRESP
  • CWE.352.TDXSS
  • CWE.352.VPPD
  • CWE.352.UOSC
  • CWE.352.DCSRFJAVA
  • CWE.352.DCSRFXML
  • CWE.352.REQMAP

CWE-434

Unrestricted Upload of File with Dangerous Type

  • CWE.434.TDFNAMES

CWE-476

NULL Pointer Dereference

  • CWE.476.NP
  • CWE.476.DEREF

CWE-502

Deserialization of Untrusted Data

  • CWE.502.SSSD
  • CWE.502.MASP
  • CWE.502.AUXD
  • CWE.502.SC
  • CWE.502.RWAF
  • CWE.502.VOBD

CWE-190

Integer Overflow or Wraparound

  • CWE.190.INTOVERF
  • CWE.190.BSA
  • CWE.190.CACO
  • CWE.190.CLP
  • CWE.190.ICO
  • CWE.190.IOF

CWE-287

Improper Authentication

  • CWE.287.TDPASSWD
  • CWE.287.UPWD
  • CWE.287.PLAIN
  • CWE.287.PCCF
  • CWE.287.PTPT
  • CWE.287.PWDPROP
  • CWE.287.PWDXML
  • CWE.287.UTAX
  • CWE.287.WCPWD
  • CWE.287.WPWD
  • CWE.287.CKTS
  • CWE.287.DNSL
  • CWE.287.HCCK
  • CWE.287.HCCS
  • CWE.287.HTTPRHA
  • CWE.287.HV
  • CWE.287.PBFA
  • CWE.287.SSM
  • CWE.287.USC
  • CWE.287.VSI
  • CWE.287.MLVP

CWE-798

Use of Hard-coded Credentials

  • CWE.798.HCCK
  • CWE.798.HCCS

CWE-862

Missing Authorization

  • CWE.862.PERMIT
  • CWE.862.LCA

CWE-77

Improper Neutralization of Special Elements used in a Command ('Command Injection')

  • CWE.77.TDCMD

CWE-306

Missing Authentication for Critical Function

  • CWE.306.SSM

CWE-119

Improper Restriction of Operations within the Bounds of a Memory Buffer

  • CWE.119.ARRAY
  • CWE.119.FREE
  • CWE.119.ARRAYSEC
  • CWE.119.BSA
  • CWE.119.BUSSB

CWE-276

Incorrect Default Permissions

  • N/A

CWE-918

Server-Side Request Forgery (SSRF)

  • CWE.918.TDNET

CWE-362

Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

  • CWE.362.TOCTOU
  • CWE.362.DCL

CWE-400

Uncontrolled Resource Consumption

  • CWE.400.LEAKS
  • CWE.400.TDALLOC
  • CWE.400.DMDS
  • CWE.400.ISTART

CWE-611

Improper Restriction of XML External Entity Reference

  • CWE.611.XMLVAL
  • CWE.611.DXXE

CWE-94

Improper Control of Generation of Code ('Code Injection')

  • CWE.94.TDCODE
  • CWE.94.DCEMSL
  • CWE.94.ASAPI

CWE Top 25 2021 Mapping

CWE ID

CWE name/description

Parasoft rule ID(s)

CWE-787

Out-of-bounds Write

  • CWE.787.ARRAY
  • CWE.787.ARRAYSEC

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

  • CWE.79.TDXSS
  • CWE.79.EACM
  • CWE.79.VPPD
  • CWE.79.TDRESP
  • CWE.79.ARXML
  • CWE.79.TDXML
  • CWE.79.TDDIG

CWE-125

Out-of-bounds Read

  • CWE.125.ARRAY
  • CWE.125.ARRAYSEC

CWE-20

Improper Input Validation

  • CWE.20.TDLIB
  • CWE.20.APIBS
  • CWE.20.TDLOG
  • CWE.20.PLUGIN
  • CWE.20.EV
  • CWE.20.DFV
  • CWE.20.ARRAY
  • CWE.20.ARRAYSEC
  • CWE.20.FREE
  • CWE.20.BSA
  • CWE.20.BUSSB
  • CWE.20.TDRFL
  • CWE.20.NATV
  • CWE.20.NATIW
  • CWE.20.TDINPUT
  • CWE.20.TDRESP
  • CWE.20.IOF
  • CWE.20.ICO
  • CWE.20.CACO
  • CWE.20.INTOVERF
  • CWE.20.CLP
  • CWE.20.SYSP
  • CWE.20.UCO
  • CWE.20.CSVFV
  • CWE.20.AEAF
  • CWE.20.CAI
  • CWE.20.TDALLOC

CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

  • CWE.78.TDCMD

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

  • CWE.89.UPS
  • CWE.89.TDSQL

CWE-416

Use After Free

  • CWE.416.FREE

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

  • CWE.22.TDFNAMES

CWE-352

Cross-Site Request Forgery (CSRF)

  • CWE.352.TDXSS
  • CWE.352.VPPD
  • CWE.352.EACM
  • CWE.352.UOSC
  • CWE.352.TDRESP
  • CWE.352.DCSRFJAVA
  • CWE.352.DCSRFXML
  • CWE.352.REQMAP

CWE-434

Unrestricted Upload of File with Dangerous Type

  • CWE.434.TDFNAMES

CWE-306

Missing Authentication for Critical Function

  • CWE.306.SSM

CWE-190

Integer Overflow or Wraparound

  • CWE.190.IOF
  • CWE.190.BSA
  • CWE.190.ICO
  • CWE.190.CACO
  • CWE.190.INTOVERF
  • CWE.190.CLP

CWE-502

Deserialization of Untrusted Data

  • CWE.502.SC
  • CWE.502.RWAF
  • CWE.502.SSSD
  • CWE.502.MASP
  • CWE.502.AUXD
  • CWE.502.VOBD

CWE-287

Improper Authentication

  • CWE.287.HCCS
  • CWE.287.HCCK
  • CWE.287.PLAIN
  • CWE.287.HV
  • CWE.287.VSI
  • CWE.287.HTTPRHA
  • CWE.287.DNSL
  • CWE.287.MLVP
  • CWE.287.PWDPROP
  • CWE.287.USC
  • CWE.287.UTAX
  • CWE.287.PWDXML
  • CWE.287.TDPASSWD
  • CWE.287.UPWD
  • CWE.287.PCCF
  • CWE.287.PTPT
  • CWE.287.WCPWD
  • CWE.287.WPWD
  • CWE.287.SSM
  • CWE.287.PBFA
  • CWE.287.CKTS

CWE-476

NULL Pointer Dereference

  • CWE.476.NP
  • CWE.476.DEREF

CWE-798

Use of Hard-coded Credentials

  • CWE.798.HCCS
  • CWE.798.HCCK

CWE-119

Improper Restriction of Operations within the Bounds of a Memory Buffer

  • CWE.119.ARRAY
  • CWE.119.ARRAYSEC
  • CWE.119.FREE
  • CWE.119.BSA
  • CWE.119.BUSSB

CWE-862

Missing Authorization

  • CWE.862.PERMIT
  • CWE.862.LCA

CWE-276

Incorrect Default Permissions

  • N/A

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

  • CWE.200.CONSEN
  • CWE.200.SENSLOG
  • CWE.200.EWSSEC
  • CWE.200.PEO
  • CWE.200.ACPST
  • CWE.200.SENS
  • CWE.200.SIO

CWE-522

Insufficiently Protected Credentials

  • CWE.522.PWDPROP
  • CWE.522.USC
  • CWE.522.UTAX
  • CWE.522.PWDXML
  • CWE.522.PLAIN
  • CWE.522.TDPASSWD
  • CWE.522.UPWD
  • CWE.522.PCCF
  • CWE.522.PTPT
  • CWE.522.WCPWD
  • CWE.522.WPWD

CWE-732

Incorrect Permission Assignment for Critical Resource

  • CWE.732.SCHTTP
  • CWE.732.IDP

CWE-611

Improper Restriction of XML External Entity Reference

  • CWE.611.DXXE
  • CWE.611.XMLVAL

CWE-918

Server-Side Request Forgery (SSRF)

  • CWE.918.TDNET

CWE-77

Improper Neutralization of Special Elements used in a Command ('Command Injection')

  • CWE.77.TDCMD

CWE Weaknesses On the Cusp 2022 Mapping

CWE ID

CWE name/description

Parasoft rule ID(s)

CWE-295

Improper Certificate Validation

  • CWE.295.HV
  • CWE.295.VSI

CWE-427

Uncontrolled Search Path Element

  • CWE.427.PBRTE

CWE-863

Incorrect Authorization

  • CWE.863.DSR
  • CWE.863.SRCD

CWE-269

Improper Privilege Management

  • CWE.269.DPANY
  • CWE.269.LDP
  • CWE.269.PCL

CWE-732

Incorrect Permission Assignment for Critical Resource

  • CWE.732.IDP
  • CWE.732.SCHTTP

CWE-843

Access of Resource Using Incompatible Type ('Type Confusion')

  • CWE.843.EQUS

CWE-668

Exposure of Resource to Wrong Sphere

  • CWE.668.SENS
  • CWE.668.SENSLOG
  • CWE.668.TDFNAMES
  • CWE.668.TDINPUT
  • CWE.668.TDLIB
  • CWE.668.TDPASSWD
  • CWE.668.RR
  • CWE.668.UPWD
  • CWE.668.MFP
  • CWE.668.IMM
  • CWE.668.PSFA
  • CWE.668.PLAIN
  • CWE.668.SYSP
  • CWE.668.SPFF
  • CWE.668.CONSEN
  • CWE.668.PEO
  • CWE.668.RA
  • CWE.668.SIF
  • CWE.668.SIO
  • CWE.668.ATF
  • CWE.668.PCCF
  • CWE.668.PTPT
  • CWE.668.PWDPROP
  • CWE.668.PWDXML
  • CWE.668.UTAX
  • CWE.668.WCPWD
  • CWE.668.WPWD
  • CWE.668.ACPST
  • CWE.668.APIBS
  • CWE.668.CLONE
  • CWE.668.EWSSEC
  • CWE.668.IDP
  • CWE.668.INNER
  • CWE.668.PBRTE
  • CWE.668.SCHTTP
  • CWE.668.SER
  • CWE.668.USC
  • CWE.668.UCO

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

  • CWE.200.SENS
  • CWE.200.SENSLOG
  • CWE.200.CONSEN
  • CWE.200.PEO
  • CWE.200.SIO
  • CWE.200.ACPST
  • CWE.200.EWSSEC

CWE-1321

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

  • N/A

CWE-601

URL Redirection to Untrusted Site ('Open Redirect')

  • CWE.601.TDNET
  • CWE.601.TDRESP
  • CWE.601.VRD
  • CWE.601.UCO

CWE-401

Missing Release of Memory after Effective Lifetime

  • N/A

CWE-59

Improper Link Resolution Before File Access ('Link Following')

  • CWE.59.FOLLOW
  • CWE.59.LNK

CWE-522

Insufficiently Protected Credentials

  • CWE.522.TDPASSWD
  • CWE.522.UPWD
  • CWE.522.PLAIN
  • CWE.522.PCCF
  • CWE.522.PTPT
  • CWE.522.PWDPROP
  • CWE.522.PWDXML
  • CWE.522.UTAX
  • CWE.522.WCPWD
  • CWE.522.WPWD
  • CWE.522.USC

CWE-319

Cleartext Transmission of Sensitive Information

  • CWE.319.HTTPS
  • CWE.319.UOSC
  • CWE.319.USC

CWE-312

Cleartext Storage of Sensitive Information

  • CWE.312.PLAIN
  • CWE.312.PLC
  • CWE.312.PWDPROP

CWE Weaknesses On the Cusp 2021 Mapping

CWE ID

CWE name/description

Parasoft rule ID(s)

CWE-295

Improper Certificate Validation

  • CWE.295.HV
  • CWE.295.VSI

CWE-400

Uncontrolled Resource Consumption

  • CWE.400.DMDS
  • CWE.400.ISTART
  • CWE.400.TDALLOC
  • CWE.400.LEAKS

CWE-94

Improper Control of Generation of Code ('Code Injection')

  • CWE.94.DCEMSL
  • CWE.94.ASAPI
  • CWE.94.TDCODE

CWE-269

Improper Privilege Management

  • CWE.269.LDP
  • CWE.269.PCL
  • CWE.269.DPANY

CWE-917

Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')

  • N/A

CWE-59

Improper Link Resolution Before File Access ('Link Following')

  • CWE.59.LNK
  • CWE.59.FOLLOW

CWE-401

Missing Release of Memory after Effective Lifetime

  • N/A

CWE-362

Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

  • CWE.362.DCL
  • CWE.362.TOCTOU

CWE-427

Uncontrolled Search Path Element

  • CWE.427.PBRTE

CWE-319

Cleartext Transmission of Sensitive Information

  • CWE.319.USC
  • CWE.319.HTTPS

CWE-843

Access of Resource Using Incompatible Type ('Type Confusion')

  • CWE.843.EQUS

CWE-601

URL Redirection to Untrusted Site ('Open Redirect')

  • CWE.601.TDNET
  • CWE.601.TDRESP
  • CWE.601.UCO
  • CWE.601.VRD

CWE-863

Incorrect Authorization

  • CWE.863.DSR
  • CWE.863.SRCD

CWE-532

Insertion of Sensitive Information into Log File

  • CWE.532.CONSEN
  • CWE.532.SENSLOG

CWE-770

Allocation of Resources Without Limits or Throttling

  • CWE.770.ISTART
  • CWE.770.TDALLOC

CWE 4.9 Mapping

CWE ID

CWE name/description

Parasoft rule ID(s)

CWE-6

J2EE Misconfiguration: Insufficient Session-ID Length

  • CWE.6.SLID

CWE-7

J2EE Misconfiguration: Missing Custom Error Page

  • CWE.7.SEP

CWE-8

J2EE Misconfiguration: Entity Bean Declared Remote

  • CWE.8.RR

CWE-9

J2EE Misconfiguration: Weak Access Permissions for EJB Methods

  • CWE.9.DPANY

CWE-15

External Control of System or Configuration Setting

  • CWE.15.SYSP
  • CWE.15.UCO

CWE-20

Improper Input Validation

  • CWE-111.NATV
  • CWE-111.NATIW
  • CWE-109.EV
  • CWE-106.PLUGIN
  • CWE-104.AEAF
  • CWE-102.DFV
  • CWE-129.ARRAY
  • CWE-129.ARRAYSEC
  • CWE-129.CAI
  • CWE-134.TDINPUT
  • CWE-113.TDRESP
  • CWE-470.TDRFL
  • CWE-470.APIBS
  • CWE-190.INTOVERF
  • CWE-190.BSA
  • CWE-190.CACO
  • CWE-190.CLP
  • CWE-190.ICO
  • CWE-190.IOF
  • CWE-114.TDLIB
  • CWE-114.APIBS
  • CWE-117.TDLOG
  • CWE-103.CSVFV
  • CWE-15.SYSP
  • CWE-15.UCO

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

  • CWE.22.TDFNAMES

CWE-59

Improper Link Resolution Before File Access ('Link Following')

  • CWE-64.LNK
  • CWE-61.FOLLOW

CWE-61

UNIX Symbolic Link (Symlink) Following

  • CWE.61.FOLLOW

CWE-64

Windows Shortcut Following (.LNK)

  • CWE.64.LNK

CWE-73

External Control of File Name or Path

  • CWE-114.TDLIB
  • CWE-114.APIBS

CWE-74

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

  • CWE-89.TDSQL
  • CWE-89.UPS
  • CWE-99.TDNET
  • CWE-94.DCEMSL
  • CWE-94.ASAPI
  • CWE-79.EACM
  • CWE-79.TDRESP
  • CWE-79.TDXSS
  • CWE-79.VPPD
  • CWE-78.TDCMD
  • CWE-91.TDXML

CWE-77

Improper Neutralization of Special Elements used in a Command ('Command Injection')

  • CWE-78.TDCMD

CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

  • CWE.78.TDCMD

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

  • CWE.79.EACM
  • CWE.79.TDRESP
  • CWE.79.TDXSS
  • CWE.79.VPPD
  • CWE-83.ARXML
  • CWE-80.TDDIG
  • CWE-80.TDXML
  • CWE-80.ARXML
  • CWE-81.ARXML

CWE-80

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)

  • CWE.80.TDDIG
  • CWE.80.TDXML
  • CWE.80.ARXML

CWE-81

Improper Neutralization of Script in an Error Message Web Page

  • CWE.81.ARXML

CWE-83

Improper Neutralization of Script in Attributes in a Web Page

  • CWE.83.ARXML

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

  • CWE.89.TDSQL
  • CWE.89.UPS

CWE-90

Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')

  • CWE.90.TDLDAP

CWE-91

XML Injection (aka Blind XPath Injection)

  • CWE.91.TDXML
  • CWE-652.TDXPATH
  • CWE-652.XPIJ
  • CWE-643.TDJXPATH
  • CWE-643.TDXPATH

CWE-93

Improper Neutralization of CRLF Sequences ('CRLF Injection')

  • CWE-113.TDRESP

CWE-94

Improper Control of Generation of Code ('Code Injection')

  • CWE.94.DCEMSL
  • CWE.94.ASAPI
  • CWE-95.TDCODE

CWE-95

Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')

  • CWE.95.TDCODE

CWE-99

Improper Control of Resource Identifiers ('Resource Injection')

  • CWE.99.TDNET

CWE-102

Struts: Duplicate Validation Forms

  • CWE.102.DFV

CWE-103

Struts: Incomplete validate() Method Definition

  • CWE.103.CSVFV

CWE-104

Struts: Form Bean Does Not Extend Validation Class

  • CWE.104.AEAF

CWE-106

Struts: Plug-in Framework not in Use

  • CWE.106.PLUGIN

CWE-109

Struts: Validator Turned Off

  • CWE.109.EV

CWE-111

Direct Use of Unsafe JNI

  • CWE.111.NATV
  • CWE.111.NATIW

CWE-113

Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')

  • CWE.113.TDRESP

CWE-114

Process Control

  • CWE.114.TDLIB
  • CWE.114.APIBS

CWE-116

Improper Encoding or Escaping of Output

  • CWE-644.TDRESP
  • CWE-838.SEO
  • CWE-117.TDLOG

CWE-117

Improper Output Neutralization for Logs

  • CWE.117.TDLOG

CWE-119

Improper Restriction of Operations within the Bounds of a Memory Buffer

  • CWE-125.ARRAY
  • CWE-125.ARRAYSEC
  • CWE-680.BSA
  • CWE-787.ARRAY
  • CWE-787.ARRAYSEC

CWE-125

Out-of-bounds Read

  • CWE.125.ARRAY
  • CWE.125.ARRAYSEC

CWE-129

Improper Validation of Array Index

  • CWE.129.ARRAY
  • CWE.129.ARRAYSEC
  • CWE.129.CAI

CWE-131

Incorrect Calculation of Buffer Size

  • CWE.131.ARRAY

CWE-134

Use of Externally-Controlled Format String

  • CWE.134.TDINPUT

CWE-185

Incorrect Regular Expression

  • CWE.185.REP

CWE-188

Reliance on Data/Memory Layout

  • CWE-198.PMRWLED

CWE-190

Integer Overflow or Wraparound

  • CWE.190.INTOVERF
  • CWE.190.BSA
  • CWE.190.CACO
  • CWE.190.CLP
  • CWE.190.ICO
  • CWE.190.IOF

CWE-191

Integer Underflow (Wrap or Wraparound)

  • CWE.191.INTOVERF
  • CWE.191.BSA

CWE-193

Off-by-one Error

  • CWE.193.AOBO

CWE-198

Use of Incorrect Byte Ordering

  • CWE.198.PMRWLED

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

  • CWE-532.SENSLOG
  • CWE-532.CONSEN
  • CWE-359.CONSEN
  • CWE-497.SENS
  • CWE-497.PEO
  • CWE-213.CONSEN
  • CWE-215.EWSSEC
  • CWE-209.SENS
  • CWE-209.PEO
  • CWE-209.SIO
  • CWE-209.ACPST

CWE-209

Generation of Error Message Containing Sensitive Information

  • CWE.209.SENS
  • CWE.209.PEO
  • CWE.209.SIO
  • CWE.209.ACPST

CWE-212

Improper Removal of Sensitive Information Before Storage or Transfer

  • CWE.212.FT

CWE-213

Exposure of Sensitive Information Due to Incompatible Policies

  • CWE.213.CONSEN

CWE-215

Insertion of Sensitive Information Into Debugging Code

  • CWE.215.EWSSEC

CWE-221

Information Loss or Omission

  • CWE-397.NTX
  • CWE-397.NTERR
  • CWE-396.NCE

CWE-223

Omission of Security-relevant Information

  • CWE-778.ENFL

CWE-245

J2EE Bad Practices: Direct Management of Connections

  • CWE.245.JDBCTEMPLATE

CWE-246

J2EE Bad Practices: Direct Use of Sockets

  • CWE.246.AUS
  • CWE.246.NSF
  • CWE.246.SS

CWE-248

Uncaught Exception

  • CWE-600.CETS

CWE-250

Execution with Unnecessary Privileges

  • CWE.250.LDP
  • CWE.250.PCL

CWE-252

Unchecked Return Value

  • CWE.252.CHECKRET
  • CWE.252.CRRV

CWE-256

Plaintext Storage of a Password

  • CWE.256.TDPASSWD
  • CWE.256.UPWD
  • CWE.256.PLAIN
  • CWE.256.PCCF
  • CWE.256.PTPT
  • CWE.256.PWDPROP
  • CWE.256.PWDXML
  • CWE.256.UTAX
  • CWE.256.WCPWD
  • CWE.256.WPWD

CWE-258

Empty Password in Configuration File

  • CWE.258.PWDPROP

CWE-260

Password in Configuration File

  • CWE.260.UTAX
  • CWE-555.PWDXML
  • CWE-258.PWDPROP

CWE-261

Weak Encoding for Password

  • CWE.261.CKTS

CWE-266

Incorrect Privilege Assignment

  • CWE-9.DPANY

CWE-269

Improper Privilege Management

  • CWE-250.LDP
  • CWE-250.PCL

CWE-279

Incorrect Execution-Assigned Permissions

  • CWE.279.IDP

CWE-284

Improper Access Control

  • CWE-863.DSR
  • CWE-863.SRCD
  • CWE-862.PERMIT
  • CWE-862.LCA
  • CWE-346.JXCORS

CWE-285

Improper Authorization

  • CWE-863.DSR
  • CWE-863.SRCD
  • CWE-862.PERMIT
  • CWE-862.LCA

CWE-287

Improper Authentication

  • CWE-521.MLVP
  • CWE-798.HCCS
  • CWE-290.HTTPRHA
  • CWE-295.HV
  • CWE-306.SSM
  • CWE-307.PBFA

CWE-290

Authentication Bypass by Spoofing

  • CWE.290.HTTPRHA
  • CWE-350.DNSL

CWE-295

Improper Certificate Validation

  • CWE.295.HV
  • CWE-297.VSI

CWE-297

Improper Validation of Certificate with Host Mismatch

  • CWE.297.VSI

CWE-306

Missing Authentication for Critical Function

  • CWE.306.SSM

CWE-307

Improper Restriction of Excessive Authentication Attempts

  • CWE.307.PBFA

CWE-311

Missing Encryption of Sensitive Data

  • CWE.311.SENS
  • CWE.311.PWDXML
  • CWE-312.PWDPROP
  • CWE-319.HTTPS
  • CWE-319.USC

CWE-312

Cleartext Storage of Sensitive Information

  • CWE.312.PWDPROP
  • CWE-315.PLC
  • CWE-313.PLAIN

CWE-313

Cleartext Storage in a File or on Disk

  • CWE.313.PLAIN

CWE-315

Cleartext Storage of Sensitive Information in a Cookie

  • CWE.315.PLC

CWE-319

Cleartext Transmission of Sensitive Information

  • CWE.319.HTTPS
  • CWE.319.USC
  • CWE-614.UOSC

CWE-321

Use of Hard-coded Cryptographic Key

  • CWE.321.HCCK

CWE-325

Missing Cryptographic Step

  • CWE.325.MCMDU
  • CWE.325.SIKG

CWE-326

Inadequate Encryption Strength

  • CWE-328.AISSAJAVA
  • CWE-328.AISSAXML
  • CWE-328.AUNC
  • CWE-328.ICA
  • CWE-328.MDSALT
  • CWE-328.SRD
  • CWE-261.CKTS

CWE-327

Use of a Broken or Risky Cryptographic Algorithm

  • CWE.327.ACMD
  • CWE-328.AISSAJAVA
  • CWE-328.AISSAXML
  • CWE-328.AUNC
  • CWE-328.ICA
  • CWE-328.MDSALT
  • CWE-328.SRD

CWE-328

Use of Weak Hash

  • CWE.328.AISSAJAVA
  • CWE.328.AISSAXML
  • CWE.328.AUNC
  • CWE.328.ICA
  • CWE.328.MDSALT
  • CWE.328.SRD

CWE-329

Generation of Predictable IV with CBC Mode

  • CWE.329.ENPP
  • CWE.329.IVR

CWE-330

Use of Insufficiently Random Values

  • CWE-338.SRD

CWE-334

Small Space of Random Values

  • CWE-6.SLID

CWE-335

Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG)

  • CWE-337.ENPP
  • CWE-336.ENPP

CWE-336

Same Seed in Pseudo-Random Number Generator (PRNG)

  • CWE.336.ENPP

CWE-337

Predictable Seed in Pseudo-Random Number Generator (PRNG)

  • CWE.337.ENPP

CWE-338

Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)

  • CWE.338.SRD

CWE-344

Use of Invariant Value in Dynamically Changing Context

  • CWE-798.HCCS

CWE-345

Insufficient Verification of Data Authenticity

  • CWE-352.EACM
  • CWE-352.TDRESP
  • CWE-352.TDXSS
  • CWE-352.VPPD
  • CWE-352.UOSC
  • CWE-352.DCSRFJAVA
  • CWE-352.DCSRFXML
  • CWE-352.REQMAP
  • CWE-346.JXCORS
  • CWE-347.VJFS

CWE-346

Origin Validation Error

  • CWE.346.JXCORS
  • CWE-1385.WS

CWE-347

Improper Verification of Cryptographic Signature

  • CWE.347.VJFS

CWE-350

Reliance on Reverse DNS Resolution for a Security-Critical Action

  • CWE.350.DNSL

CWE-352

Cross-Site Request Forgery (CSRF)

  • CWE.352.EACM
  • CWE.352.TDRESP
  • CWE.352.TDXSS
  • CWE.352.VPPD
  • CWE.352.UOSC
  • CWE.352.DCSRFJAVA
  • CWE.352.DCSRFXML
  • CWE.352.REQMAP

CWE-359

Exposure of Private Personal Information to an Unauthorized Actor

  • CWE.359.CONSEN

CWE-362

Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

  • CWE.362.DCL
  • CWE-367.TOCTOU

CWE-367

Time-of-check Time-of-use (TOCTOU) Race Condition

  • CWE.367.TOCTOU

CWE-369

Divide By Zero

  • CWE.369.ZERO

CWE-375

Returning a Mutable Object to an Untrusted Caller

  • CWE.375.RA

CWE-377

Insecure Temporary File

  • CWE.377.ATF

CWE-382

J2EE Bad Practices: Use of System.exit()

  • CWE.382.EXIT
  • CWE.382.JVM

CWE-383

J2EE Bad Practices: Direct Use of Threads

  • CWE.383.THR

CWE-384

Session Fixation

  • CWE.384.ISL

CWE-390

Detection of Error Condition Without Action

  • CWE.390.LGE

CWE-391

Unchecked Error Condition

  • CWE.391.AECB

CWE-395

Use of NullPointerException Catch to Detect NULL Pointer Dereference

  • CWE.395.NCNPE

CWE-396

Declaration of Catch for Generic Exception

  • CWE.396.NCE

CWE-397

Declaration of Throws for Generic Exception

  • CWE.397.NTX
  • CWE.397.NTERR

CWE-400

Uncontrolled Resource Consumption

  • CWE.400.DMDS
  • CWE-771.LEAKS
  • CWE-770.ISTART

CWE-404

Improper Resource Shutdown or Release

  • CWE.404.COCO
  • CWE.404.ODBIL
  • CWE.404.CRWD
  • CWE-772.LEAKS
  • CWE-772.CLOSE
  • CWE-459.LEAKS

CWE-413

Improper Resource Locking

  • CWE.413.LORD

CWE-416

Use After Free

  • CWE.416.FREE

CWE-426

Untrusted Search Path

  • CWE.426.PBRTE

CWE-427

Uncontrolled Search Path Element

  • CWE.427.PBRTE

CWE-434

Unrestricted Upload of File with Dangerous Type

  • CWE.434.TDFNAMES

CWE-436

Interpretation Conflict

  • CWE-113.TDRESP

CWE-441

Unintended Proxy or Intermediary ('Confused Deputy')

  • CWE-918.TDNET

CWE-456

Missing Initialization of a Variable

  • CWE.456.LV

CWE-457

Use of Uninitialized Variable

  • CWE.457.NP
  • CWE.457.NOTEXPLINIT
  • CWE.457.NOTINITCTOR
  • CWE.457.UIRC

CWE-459

Incomplete Cleanup

  • CWE.459.LEAKS
  • CWE-568.FCF

CWE-470

Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')

  • CWE.470.TDRFL
  • CWE.470.APIBS

CWE-471

Modification of Assumed-Immutable Data (MAID)

  • CWE-607.IMM
  • CWE-607.RMO

CWE-476

NULL Pointer Dereference

  • CWE.476.NP
  • CWE.476.DEREF

CWE-477

Use of Obsolete Function

  • CWE.477.DPRAPI

CWE-478

Missing Default Case in Multiple Condition Expression

  • CWE.478.PDS

CWE-480

Use of Incorrect Operator

  • CWE-481.ASI

CWE-481

Assigning instead of Comparing

  • CWE.481.ASI

CWE-483

Incorrect Block Delimitation

  • CWE.483.BLK
  • CWE.483.EBI
  • CWE.483.EB

CWE-484

Omitted Break Statement in Switch

  • CWE.484.SBC
  • CWE.484.DAV

CWE-486

Comparison of Classes by Name

  • CWE.486.AUG
  • CWE.486.CMP

CWE-487

Reliance on Package-level Scope

  • CWE.487.AF

CWE-491

Public cloneable() Method Without Final ('Object Hijack')

  • CWE.491.CLONE

CWE-492

Use of Inner Class Containing Sensitive Data

  • CWE.492.INNER

CWE-493

Critical Public Variable Without Final Modifier

  • CWE-500.SPFF

CWE-495

Private Data Structure Returned From A Public Method

  • CWE.495.RA

CWE-496

Public Data Assigned to Private Array-Typed Field

  • CWE.496.CAP

CWE-497

Exposure of Sensitive System Information to an Unauthorized Control Sphere

  • CWE.497.SENS
  • CWE.497.PEO

CWE-499

Serializable Class Containing Sensitive Data

  • CWE.499.SIF
  • CWE.499.SER

CWE-500

Public Static Field Not Marked Final

  • CWE.500.SPFF

CWE-501

Trust Boundary Violation

  • CWE.501.TDSESSION

CWE-502

Deserialization of Untrusted Data

  • CWE.502.SSSD
  • CWE.502.MASP
  • CWE.502.AUXD
  • CWE.502.SC
  • CWE.502.RWAF
  • CWE.502.VOBD

CWE-506

Embedded Malicious Code

  • CWE.506.HCCK
  • CWE-511.RDM

CWE-511

Logic/Time Bomb

  • CWE.511.RDM

CWE-521

Weak Password Requirements

  • CWE.521.MLVP
  • CWE-258.PWDPROP

CWE-522

Insufficiently Protected Credentials

  • CWE-256.TDPASSWD
  • CWE-256.UPWD
  • CWE-256.PLAIN
  • CWE-256.PCCF
  • CWE-256.PTPT
  • CWE-256.PWDPROP
  • CWE-256.PWDXML
  • CWE-256.UTAX
  • CWE-256.WCPWD
  • CWE-256.WPWD
  • CWE-523.USC
  • CWE-260.UTAX

CWE-523

Unprotected Transport of Credentials

  • CWE.523.USC

CWE-532

Insertion of Sensitive Information into Log File

  • CWE.532.SENSLOG
  • CWE.532.CONSEN

CWE-538

Insertion of Sensitive Information into Externally-Accessible File or Directory

  • CWE-532.SENSLOG
  • CWE-532.CONSEN

CWE-543

Use of Singleton Pattern Without Synchronization in a Multithreaded Context

  • CWE.543.IASF
  • CWE.543.ILI

CWE-546

Suspicious Comment

  • CWE.546.TODOJAVA
  • CWE.546.TODOPROP
  • CWE.546.TODOXML

CWE-555

J2EE Misconfiguration: Plaintext Password in Configuration File

  • CWE.555.PWDXML

CWE-561

Dead Code

  • CWE.561.CC
  • CWE.561.DEREF
  • CWE.561.SWITCH
  • CWE.561.PM

CWE-563

Assignment to Variable without Use

  • CWE.563.POVR
  • CWE.563.VOVR
  • CWE.563.UPPF
  • CWE.563.AURV
  • CWE.563.PF
  • CWE.563.UP

CWE-568

finalize() Method Without super.finalize()

  • CWE.568.FCF

CWE-570

Expression is Always False

  • CWE.570.CC
  • CWE.570.UCIF

CWE-571

Expression is Always True

  • CWE.571.CC
  • CWE.571.UCIF

CWE-572

Call to Thread run() instead of start()

  • CWE.572.IRUN

CWE-573

Improper Following of Specification by Caller

  • CWE-581.OVERRIDE
  • CWE-104.AEAF
  • CWE-103.CSVFV
  • CWE-577.AUS
  • CWE-580.SCLONE
  • CWE-325.MCMDU
  • CWE-325.SIKG
  • CWE-568.FCF
  • CWE-579.ONS
  • CWE-579.SNSO
  • CWE-578.ACL
  • CWE-329.ENPP
  • CWE-329.IVR

CWE-576

EJB Bad Practices: Use of Java I/O

  • CWE.576.JIO

CWE-577

EJB Bad Practices: Use of Sockets

  • CWE.577.AUS

CWE-578

EJB Bad Practices: Use of Class Loader

  • CWE.578.ACL

CWE-579

J2EE Bad Practices: Non-serializable Object Stored in Session

  • CWE.579.ONS
  • CWE.579.SNSO

CWE-580

clone() Method Without super.clone()

  • CWE.580.SCLONE

CWE-581

Object Model Violation: Just One of Equals and Hashcode Defined

  • CWE.581.OVERRIDE

CWE-582

Array Declared Public, Final, and Static

  • CWE.582.IMM
  • CWE.582.PSFA

CWE-583

finalize() Method Declared Public

  • CWE.583.MFP

CWE-584

Return Inside Finally Block

  • CWE.584.ARCF

CWE-585

Empty Synchronized Block

  • CWE.585.SNE

CWE-586

Explicit Call to Finalize()

  • CWE.586.NCF

CWE-594

J2EE Framework: Saving Unserializable Objects to Disk

  • CWE.594.SIVS

CWE-595

Comparison of Object References Instead of Object Contents

  • CWE.595.UEIC

CWE-600

Uncaught Exception in Servlet

  • CWE.600.CETS

CWE-601

URL Redirection to Untrusted Site ('Open Redirect')

  • CWE.601.TDNET
  • CWE.601.TDRESP
  • CWE.601.VRD
  • CWE.601.UCO

CWE-605

Multiple Binds to the Same Port

  • CWE.605.HCNA

CWE-607

Public Static Final Field References Mutable Object

  • CWE.607.IMM
  • CWE.607.RMO

CWE-609

Double-Checked Locking

  • CWE.609.DCL

CWE-610

Externally Controlled Reference to a Resource in Another Sphere

  • CWE-601.TDNET
  • CWE-601.TDRESP
  • CWE-601.VRD
  • CWE-601.UCO
  • CWE-470.TDRFL
  • CWE-470.APIBS
  • CWE-918.TDNET
  • CWE-15.SYSP
  • CWE-15.UCO
  • CWE-384.ISL
  • CWE-611.XMLVAL
  • CWE-611.DXXE

CWE-611

Improper Restriction of XML External Entity Reference

  • CWE.611.XMLVAL
  • CWE.611.DXXE

CWE-613

Insufficient Session Expiration

  • CWE.613.RUIM
  • CWE.613.STTL

CWE-614

Sensitive Cookie in HTTPS Session Without 'Secure' Attribute

  • CWE.614.UOSC

CWE-617

Reachable Assertion

  • CWE.617.ASSERT

CWE-642

External Control of Critical State Data

  • CWE-15.SYSP
  • CWE-15.UCO
  • CWE-426.PBRTE

CWE-643

Improper Neutralization of Data within XPath Expressions ('XPath Injection')

  • CWE.643.TDJXPATH
  • CWE.643.TDXPATH

CWE-644

Improper Neutralization of HTTP Headers for Scripting Syntax

  • CWE.644.TDRESP

CWE-652

Improper Neutralization of Data within XQuery Expressions ('XQuery Injection')

  • CWE.652.TDXPATH
  • CWE.652.XPIJ

CWE-657

Violation of Secure Design Principles

  • CWE-250.LDP
  • CWE-250.PCL

CWE-662

Improper Synchronization

  • CWE.662.DIFCS
  • CWE-543.IASF
  • CWE-543.ILI
  • CWE-833.ORDER
  • CWE-833.TSHL
  • CWE-833.CSFS
  • CWE-833.RLF
  • CWE-833.STR
  • CWE-833.UWNA
  • CWE-764.DLOCK
  • CWE-667.LOCK
  • CWE-667.CLOSE

CWE-664

Improper Control of a Resource Through its Lifetime

  • CWE-487.AF
  • CWE-580.SCLONE
  • CWE-662.DIFCS
  • CWE-704.AGBPT
  • CWE-704.CPTS
  • CWE-495.RA
  • CWE-496.CAP
  • CWE-400.DMDS
  • CWE-404.COCO
  • CWE-404.ODBIL
  • CWE-404.CRWD
  • CWE-501.TDSESSION
  • CWE-749.DPAM
  • CWE-749.DPPM
  • CWE-749.SPAM

CWE-665

Improper Initialization

  • CWE-456.LV
  • CWE-770.ISTART
  • CWE-457.NP
  • CWE-457.NOTEXPLINIT
  • CWE-457.NOTINITCTOR
  • CWE-457.UIRC

CWE-666

Operation on Resource in Wrong Phase of Lifetime

  • CWE-605.HCNA

CWE-667

Improper Locking

  • CWE.667.LOCK
  • CWE.667.CLOSE
  • CWE-413.LORD
  • CWE-832.LORD
  • CWE-833.ORDER
  • CWE-833.TSHL
  • CWE-833.CSFS
  • CWE-833.RLF
  • CWE-833.STR
  • CWE-833.UWNA
  • CWE-609.DCL
  • CWE-764.DLOCK

CWE-668

Exposure of Resource to Wrong Sphere

  • CWE-22.TDFNAMES
  • CWE-375.RA
  • CWE-377.ATF
  • CWE-499.SIF
  • CWE-499.SER
  • CWE-134.TDINPUT
  • CWE-491.CLONE
  • CWE-492.INNER
  • CWE-427.PBRTE
  • CWE-426.PBRTE
  • CWE-8.RR
  • CWE-582.IMM
  • CWE-582.PSFA
  • CWE-583.MFP

CWE-669

Incorrect Resource Transfer Between Spheres

  • CWE-829.TDFILES
  • CWE-829.TDFNAMES
  • CWE-829.TDLIB
  • CWE-829.TDXPATH
  • CWE-434.TDFNAMES
  • CWE-212.FT

CWE-670

Always-Incorrect Control Flow Implementation

  • CWE-483.BLK
  • CWE-483.EBI
  • CWE-483.EB
  • CWE-484.SBC
  • CWE-484.DAV
  • CWE-617.ASSERT

CWE-671

Lack of Administrator Control over Security

  • CWE-798.HCCS

CWE-672

Operation on a Resource after Expiration or Release

  • CWE-416.FREE
  • CWE-613.RUIM
  • CWE-613.STTL

CWE-673

External Influence of Sphere Definition

  • CWE-426.PBRTE

CWE-674

Uncontrolled Recursion

  • CWE.674.FLRC

CWE-675

Multiple Operations on Resource in Single-Operation Context

  • CWE-764.DLOCK
  • CWE-605.HCNA

CWE-676

Use of Potentially Dangerous Function

  • CWE.676.SRD

CWE-680

Integer Overflow to Buffer Overflow

  • CWE.680.BSA

CWE-681

Incorrect Conversion between Numeric Types

  • CWE.681.CLP
  • CWE.681.IDCD

CWE-682

Incorrect Calculation

  • CWE-369.ZERO
  • CWE-131.ARRAY
  • CWE-191.INTOVERF
  • CWE-191.BSA
  • CWE-190.INTOVERF
  • CWE-190.BSA
  • CWE-190.CACO
  • CWE-190.CLP
  • CWE-190.ICO
  • CWE-190.IOF
  • CWE-193.AOBO

CWE-691

Insufficient Control Flow Management

  • CWE.691.ANL
  • CWE-362.DCL
  • CWE-94.DCEMSL
  • CWE-94.ASAPI
  • CWE-841.PERMIT
  • CWE-662.DIFCS
  • CWE-674.FLRC
  • CWE-749.DPAM
  • CWE-749.DPPM
  • CWE-749.SPAM

CWE-693

Protection Mechanism Failure

  • CWE-807.PLC
  • CWE-807.HGRSI
  • CWE-807.UOSC
  • CWE-311.SENS
  • CWE-311.PWDXML
  • CWE-327.ACMD
  • CWE-778.ENFL

CWE-694

Use of Multiple Resources with Duplicate Identifier

  • CWE-102.DFV

CWE-695

Use of Low-Level Functionality

  • CWE-111.NATV
  • CWE-111.NATIW
  • CWE-245.JDBCTEMPLATE
  • CWE-383.THR
  • CWE-246.AUS
  • CWE-246.NSF
  • CWE-246.SS
  • CWE-576.JIO

CWE-697

Incorrect Comparison

  • CWE-185.REP
  • CWE-581.OVERRIDE

CWE-703

Improper Check or Handling of Exceptional Conditions

  • CWE-391.AECB
  • CWE-755.CIET
  • CWE-397.NTX
  • CWE-397.NTERR

CWE-704

Incorrect Type Conversion or Cast

  • CWE.704.AGBPT
  • CWE.704.CPTS
  • CWE-681.CLP
  • CWE-681.IDCD
  • CWE-843.EQUS

CWE-705

Incorrect Control Flow Scoping

  • CWE-397.NTX
  • CWE-397.NTERR
  • CWE-396.NCE
  • CWE-395.NCNPE
  • CWE-382.EXIT
  • CWE-382.JVM
  • CWE-584.ARCF

CWE-706

Use of Incorrectly-Resolved Name or Reference

  • CWE-22.TDFNAMES

CWE-710

Improper Adherence to Coding Standards

  • CWE-484.SBC
  • CWE-484.DAV
  • CWE-476.NP
  • CWE-476.DEREF
  • CWE-477.DPRAPI
  • CWE-594.SIVS
  • CWE-571.CC
  • CWE-571.UCIF
  • CWE-570.CC
  • CWE-570.UCIF

CWE-732

Incorrect Permission Assignment for Critical Resource

  • CWE-1004.SCHTTP
  • CWE-279.IDP

CWE-749

Exposed Dangerous Method or Function

  • CWE.749.DPAM
  • CWE.749.DPPM
  • CWE.749.SPAM

CWE-754

Improper Check for Unusual or Exceptional Conditions

  • CWE-476.NP
  • CWE-476.DEREF
  • CWE-391.AECB
  • CWE-252.CHECKRET
  • CWE-252.CRRV

CWE-755

Improper Handling of Exceptional Conditions

  • CWE.755.CIET
  • CWE-396.NCE
  • CWE-395.NCNPE
  • CWE-390.LGE
  • CWE-209.SENS
  • CWE-209.PEO
  • CWE-209.SIO
  • CWE-209.ACPST

CWE-756

Missing Custom Error Page

  • CWE-7.SEP

CWE-759

Use of a One-Way Hash without a Salt

  • CWE.759.MDSALT

CWE-764

Multiple Locks of a Critical Resource

  • CWE.764.DLOCK

CWE-770

Allocation of Resources Without Limits or Throttling

  • CWE.770.ISTART
  • CWE-789.TDALLOC

CWE-771

Missing Reference to Active Allocated Resource

  • CWE.771.LEAKS

CWE-772

Missing Release of Resource after Effective Lifetime

  • CWE.772.LEAKS
  • CWE.772.CLOSE

CWE-778

Insufficient Logging

  • CWE.778.ENFL

CWE-787

Out-of-bounds Write

  • CWE.787.ARRAY
  • CWE.787.ARRAYSEC

CWE-789

Memory Allocation with Excessive Size Value

  • CWE.789.TDALLOC

CWE-798

Use of Hard-coded Credentials

  • CWE.798.HCCS
  • CWE-321.HCCK

CWE-799

Improper Control of Interaction Frequency

  • CWE-307.PBFA

CWE-805

Buffer Access with Incorrect Length Value

  • CWE-806.BUSSB

CWE-806

Buffer Access Using Size of Source Buffer

  • CWE.806.BUSSB

CWE-807

Reliance on Untrusted Inputs in a Security Decision

  • CWE.807.PLC
  • CWE.807.HGRSI
  • CWE.807.UOSC
  • CWE-350.DNSL

CWE-820

Missing Synchronization

  • CWE-543.IASF
  • CWE-543.ILI

CWE-821

Incorrect Synchronization

  • CWE-572.IRUN

CWE-825

Expired Pointer Dereference

  • CWE-416.FREE

CWE-829

Inclusion of Functionality from Untrusted Control Sphere

  • CWE.829.TDFILES
  • CWE.829.TDFNAMES
  • CWE.829.TDLIB
  • CWE.829.TDXPATH

CWE-832

Unlock of a Resource that is not Locked

  • CWE.832.LORD

CWE-833

Deadlock

  • CWE.833.ORDER
  • CWE.833.TSHL
  • CWE.833.CSFS
  • CWE.833.RLF
  • CWE.833.STR
  • CWE.833.UWNA

CWE-834

Excessive Iteration

  • CWE-835.PCIF
  • CWE-835.AIL

CWE-835

Loop with Unreachable Exit Condition ('Infinite Loop')

  • CWE.835.PCIF
  • CWE.835.AIL

CWE-836

Use of Password Hash Instead of Password for Authentication

  • CWE.836.PLAIN

CWE-838

Inappropriate Encoding for Output Context

  • CWE.838.SEO

CWE-841

Improper Enforcement of Behavioral Workflow

  • CWE.841.PERMIT

CWE-843

Access of Resource Using Incompatible Type ('Type Confusion')

  • CWE.843.EQUS

CWE-862

Missing Authorization

  • CWE.862.PERMIT
  • CWE.862.LCA

CWE-863

Incorrect Authorization

  • CWE.863.DSR
  • CWE.863.SRCD

CWE-908

Use of Uninitialized Resource

  • CWE-457.NP
  • CWE-457.NOTEXPLINIT
  • CWE-457.NOTINITCTOR
  • CWE-457.UIRC

CWE-909

Missing Initialization of Resource

  • CWE-456.LV

CWE-912

Hidden Functionality

  • CWE-506.HCCK

CWE-913

Improper Control of Dynamically-Managed Code Resources

  • CWE-470.TDRFL
  • CWE-470.APIBS
  • CWE-502.SSSD
  • CWE-502.MASP
  • CWE-502.AUXD
  • CWE-502.SC
  • CWE-502.RWAF
  • CWE-502.VOBD
  • CWE-94.DCEMSL
  • CWE-94.ASAPI

CWE-916

Use of Password Hash With Insufficient Computational Effort

  • CWE-759.MDSALT

CWE-918

Server-Side Request Forgery (SSRF)

  • CWE.918.TDNET

CWE-922

Insecure Storage of Sensitive Information

  • CWE-312.PWDPROP

CWE-923

Improper Restriction of Communication Channel to Intended Endpoints

  • CWE-297.VSI

CWE-943

Improper Neutralization of Special Elements in Data Query Logic

  • CWE-652.TDXPATH
  • CWE-652.XPIJ
  • CWE-90.TDLDAP
  • CWE-643.TDJXPATH
  • CWE-643.TDXPATH
  • CWE-89.TDSQL
  • CWE-89.UPS

CWE-1004

Sensitive Cookie Without 'HttpOnly' Flag

  • CWE.1004.SCHTTP

CWE-1023

Incomplete Comparison with Missing Factors

  • CWE-478.PDS

CWE-1025

Comparison Using Wrong Factors

  • CWE-595.UEIC
  • CWE-486.AUG
  • CWE-486.CMP

CWE-1071

Empty Code Block

  • CWE-585.SNE

CWE-1076

Insufficient Adherence to Expected Conventions

  • CWE-586.NCF

CWE-1078

Inappropriate Source Code Style or Formatting

  • CWE-546.TODOJAVA
  • CWE-546.TODOPROP
  • CWE-546.TODOXML

CWE-1164

Irrelevant Code

  • CWE-561.CC
  • CWE-561.DEREF
  • CWE-561.SWITCH
  • CWE-561.PM
  • CWE-563.POVR
  • CWE-563.VOVR
  • CWE-563.UPPF
  • CWE-563.AURV
  • CWE-563.PF
  • CWE-563.UP

CWE-1173

Improper Use of Validation Framework

  • CWE-109.EV
  • CWE-106.PLUGIN
  • CWE-102.DFV

CWE-1177

Use of Prohibited Code

  • CWE-676.SRD

CWE-1204

Generation of Weak Initialization Vector (IV)

  • CWE-329.ENPP
  • CWE-329.IVR

CWE-1284

Improper Validation of Specified Quantity in Input

  • CWE-789.TDALLOC

CWE-1285

Improper Validation of Specified Index, Position, or Offset in Input

  • CWE-129.ARRAY
  • CWE-129.ARRAYSEC
  • CWE-129.CAI

CWE-1385

Missing Origin Validation in WebSockets

  • CWE.1385.WS

CWE-1390

Weak Authentication

  • CWE-261.CKTS
  • CWE-290.HTTPRHA
  • CWE-836.PLAIN
  • CWE-307.PBFA

CWE-1391

Use of Weak Credentials

  • CWE-521.MLVP
  • CWE-798.HCCS
