Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

CERT Rule

Related Guidelines

EXP33-CCWE-119, Improper Restriction of Operations within the Bounds of a Memory Buffer
EXP33-CCWE-123, Write-what-where Condition
EXP33-CCWE-125, Out-of-bounds Read
EXP33-CCWE-665, Improper Initialization
EXP34-CCWE-476, NULL Pointer Dereference
EXP37-CCWE-628, Function Call with Incorrectly Specified Arguments
EXP37-CCWE-686, Function Call with Incorrect Argument Type
EXP39-CCWE-119, Improper Restriction of Operations within the Bounds of a Memory Buffer
EXP39-CCWE-123, Write-what-where Condition
EXP39-CCWE-125, Out-of-bounds Read
EXP45-CCWE-480, Use of Incorrect Operator
EXP46-CCWE-480, Use of incorrect operator
INT30-CCWE-190, Integer Overflow or Wraparound
INT31-CCWE-192, Integer Coercion Error
INT31-CCWE-197, Numeric Truncation Error
INT31-CCWE-681, Incorrect Conversion between Numeric Types
INT32-CCWE-129, Improper Validation of Array Index
INT32-CCWE-190, Integer Overflow or Wraparound
INT33-CCWE-369, Divide By Zero
INT35-CCWE-190, Integer Overflow or Wraparound
INT36-CCWE-466, Return of Pointer Value Outside of Expected Range
INT36-CCWE-587, Assignment of a Fixed Address to a Pointer
FLP32-CCWE-682, Incorrect Calculation
FLP34-CCWE-681, Incorrect Conversion between Numeric Types
ARR30-CCWE-119, Improper Restriction of Operations within the Bounds of a Memory Buffer
ARR30-CCWE-122, Heap-based Buffer Overflow
ARR30-CCWE-123, Write-what-where Condition
ARR30-CCWE-125, Out-of-bounds Read
ARR30-CCWE-129, Improper Validation of Array Index
ARR30-CCWE-788, Access of Memory Location after End of Buffer
ARR36-CCWE-469, Use of Pointer Subtraction to Determine Size
ARR37-CCWE-469, Use of Pointer Subtraction to Determine Size
ARR38-CCWE-119, Improper Restriction of Operations within the Bounds of a Memory Buffer
ARR38-CCWE-121, Stack-based Buffer Overflow
ARR38-CCWE-123, Write-what-where Condition
ARR38-CCWE-125, Out-of-bounds Read
ARR38-CCWE-805, Buffer Access with Incorrect Length Value
ARR39-CCWE-468, Incorrect Pointer Scaling
STR31-CCWE-119, Improper Restriction of Operations within the Bounds of a Memory Buffer
STR31-CCWE-120, Buffer Copy without Checking Size of Input ("Classic Buffer Overflow")
STR31-CCWE-123, Write-what-where Condition
STR31-CCWE-125, Out-of-bounds Read
STR31-CCWE-193, Off-by-one Error
STR32-CCWE-119, Improper Restriction of Operations within the Bounds of a Memory Buffer
STR32-CCWE-123, Write-what-where Condition
STR32-CCWE-125, Out-of-bounds Read
STR32-CCWE-170, Improper Null Termination
STR34-CCWE-704, Incorrect Type Conversion or Cast
STR37-CCWE-704, Incorrect Type Conversion or Cast
STR37-CCWE-686, Function Call with Incorrect Argument Type
MEM30-CCWE-415, Double Free
MEM30-CCWE-416, Use After Free
MEM31-CCWE-401, Improper Release of Memory Before Removing Last Reference ("Memory Leak")
MEM34-CCWE-590, Free of Memory Not on the Heap
MEM35-CCWE-131, Incorrect Calculation of Buffer Size
CWE-190, Integer Overflow or Wraparound
CWE-467
, Use of sizeof() on a Pointer Type
FIO30-CCWE-134, Uncontrolled Format String
FIO32-CCWE-67, Improper Handling of Windows Device Names
FIO37-CCWE-119, Improper Restriction of Operations within the Bounds of a Memory Buffer
FIO37-CCWE-123, Write-what-where Condition
FIO37-CCWE-125, Out-of-bounds Read
FIO37-CCWE-241, Improper Handling of Unexpected Data Type
FIO42-CCWE-404, Improper Resource Shutdown or Release
FIO47-CCWE-686, Function Call with Incorrect Argument Type
ENV32-CCWE-705, Incorrect Control Flow Scoping
ENV33-CCWE-78, Improper Neutralization of Special Elements Used in an OS Command (aka "OS Command Injection")
ENV33-CCWE-88, Argument Injection or Modification
SIG30-CCWE-479, Signal Handler Use of a Non-reentrant Function
SIG31-CCWE-662, Improper Synchronization
SIG34-CCWE-479, Signal Handler Use of a Non-reentrant Function
ERR30-CCWE-456, Missing Initialization of a Variable
ERR33-CCWE-252, Unchecked Return Value
ERR33-CCWE-253, Incorrect Check of Function Return Value
ERR33-CCWE-390, Detection of Error Condition without Action
ERR33-CCWE-391, Unchecked Error Condition
ERR33-CCWE-476, NULL Pointer Dereference
ERR34-CCWE-676, Use of potentially dangerous function
ERR34-CCWE-20, Insufficient input validation
CON31-CCWE-667, Improper Locking
CON35-CCWE-764, Multiple Locks of a Critical Resource
CON40-CCWE-366, Race Condition within a Thread
CON40-CCWE-413, Improper Resource Locking
CON40-CCWE-567, Unsynchronized Access to Shared Data in a Multithreaded Context
CON40-CCWE-667, Improper Locking
CON43-CCWE-366, Race condition within a thread
MSC30-CCWE-327, Use of a Broken or Risky Cryptographic Algorithm
MSC30-CCWE-330, Use of Insufficiently Random Values
MSC30-CCWE-331, Insufficient Entropy
MSC30-CCWE-338, Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
MSC32-CCWE-327, Use of a Broken or Risky Cryptographic Algorithm
MSC32-CCWE-330, Use of Insufficiently Random Values
MSC32-CCWE-331, Insufficient Entropy
MSC32-CCWE-338, Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
POS30-CCWE-170, Improper null termination
POS33-CCWE-242, Use of inherently dangerous function
POS34-CCWE-686, Function call with incorrect argument type
POS34-CCWE-562, Return of stack variable address
POS35-CCWE-363, Race condition enabling link following
POS35-CCWE-365, Race condition in switch
POS36-CCWE-250, Execution with unnecessary privileges
POS36-CCWE-696, Incorrect behavior order
POS37-CCWE-250, Execution with unnecessary privileges
POS37-CCWE-273, Failure to check whether privileges were dropped successfully
POS48-CCWE-667, Insufficient locking
POS51-CCWE-764, Multiple locks of critical resources
POS54-CCWE-252, Unchecked return value
POS54-CCWE-253, Incorrect check of function return value
POS54-CCWE-390, Detection of error condition without action
POS54-CCWE-391, Unchecked error condition
API00-CCWE ID -20, Insufficient input validation
API04-CCWE-754, Improper check for unusual or exceptional conditions
ARR00-CCWE-119, Improper Restriction of Operations within the Bounds of a Memory Buffer
ARR00-CCWE-123, Write-what-where Condition
ARR00-CCWE-125, Out-of-bounds Read
ARR00-CCWE-129, Unchecked array indexing
ARR01-CCWE-467, Use of sizeof() on a pointer type
ARR02-CCWE-665, Incorrect or incomplete initialization
CON06-CCWE-667, Improper Locking
CON07-CCWE-366, Race condition within a thread
CON07-CCWE-413, Improper resource locking
CON07-CCWE-567, Unsynchronized access to shared data in a multithreaded context
CON07-CCWE-667, Improper locking
CON08-CCWE-362, Concurrent execution using shared resource with improper synchronization ("race condition")
CON08-CCWE-366, Race condition within a thread
CON08-CCWE-662, Improper synchronization
DCL06-CCWE-547, Use of hard-coded, security-relevant constants
DCL10-CCWE-628, Function call with incorrectly specified arguments
ENV01-CCWE-119, Improper Restriction of Operations within the Bounds of a Memory Buffer
ENV01-CCWE-123, Write-what-where Condition
ENV01-CCWE-125, Out-of-bounds Read
ENV02-CCWE-462, Duplicate key in associative list (Alist)
ENV02-CCWE-807, Reliance on untrusted inputs in a security decision
ENV03-CCWE-78, Failure to sanitize data into an OS command (aka "OS command injection")
ENV03-CCWE-88, Argument injection or modification
ENV03-CCWE-426, Untrusted search path
ENV03-CCWE-471, Modification of Assumed-Immutable Data (MAID)
ENV03-CCWE-807, Reliance on intrusted inputs in a security decision
ERR00-CCWE-391, Unchecked error condition
ERR00-CCWE-544, Missing standardized error handling mechanism
ERR04-CCWE-705, Incorrect control flow scoping
ERR07-CCWE-20, Improper Input Validation
ERR07-CCWE-79, Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
ERR07-CCWE-89, Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
ERR07-CCWE-91, XML Injection (aka Blind XPath Injection)
ERR07-CCWE-94, Improper Control of Generation of Code ('Code Injection')
ERR07-CCWE-114, Process Control
ERR07-CCWE-601, URL Redirection to Untrusted Site ('Open Redirect')
ERR07-CCWE-676, Use of potentially dangerous function
EXP02-CCWE-768, Incorrect short circuit evaluation
EXP05-CCWE-704, Incorrect type conversion or cast
EXP08-CCWE-468, Incorrect pointer scaling
EXP09-CCWE-805, Buffer access with incorrect length value
EXP12-CCWE-754, Improper check for unusual or exceptional conditions
EXP15-CCWE-480, Use of incorrect operator
EXP16-CCWE-480, Use of incorrect operator
EXP16-CCWE-482, Comparing instead of assigning
FIO01-CCWE-73, External control of file name or path
FIO01-CCWE-367, Time-of-check, time-of-use race condition
FIO01-CCWE-676, Use of potentially dangerous function
FIO02-CCWE-22, Path traversal
FIO02-CCWE-23, Relative Path Traversal
FIO02-CCWE-28, Path Traversal: '..\filedir'
FIO02-CCWE-40, Path Traversal: '\\UNC\share\name\' (Windows UNC Share)
FIO02-CCWE-41, Failure to resolve path equivalence
FIO02-CCWE-59, Failure to resolve links before file access (aka "link following")
FIO02-CCWE-73, External control of file name or path
FIO05-CCWE-37, Path issue—Slash absolute path
FIO05-CCWE-38, Path Issue—Backslash absolute path
FIO05-CCWE-39, Path Issue—Drive letter or Windows volume
FIO05-CCWE-62, UNIX hard link
FIO05-CCWE-64, Windows shortcut following (.LNK)
FIO05-CCWE-65, Windows hard link
FIO06-CCWE-276, Insecure default permissions
FIO06-CCWE-279, Insecure execution-assigned permissions
FIO06-CCWE-732, Incorrect permission assignment for critical resource
FIO15-CCWE-379, Creation of temporary file in directory with insecure permissions
FIO15-CCWE-552, Files or directories accessible to external parties
FIO21-CCWE-379, Creation of temporary file in directory with insecure permissions
FIO22-CCWE-403, UNIX file descriptor leak
FIO22-CCWE-404, Improper resource shutdown or release
FIO22-CCWE-770, Allocation of resources without limits or throttling
FIO24-CCWE-362, Concurrent Execution Using Shared Resource with Improper Synchronization ("Race Condition")
FIO24-CCWE-675, Duplicate Operations on Resource
FLP03-CCWE-369, Divide by zero
FLP06-CCWE-681, Incorrect conversion between numeric types
FLP06-CCWE-682, Incorrect calculation
INT02-CCWE-192, Integer coercion error
INT02-CCWE-197, Numeric truncation error
INT05-CCWE-192, Integer coercion error
INT05-CCWE-197, Numeric truncation error
INT07-CCWE-682, Incorrect calculation
INT10-CCWE-682, Incorrect calculation
INT10-CCWE-129, Unchecked array indexing
INT13-CCWE-682, Incorrect calculation
INT15-CCWE-681, Incorrect conversion between numeric types
INT18-CCWE-681, Incorrect conversion between numeric types
INT18-CCWE-190, Integer overflow (wrap or wraparound)
MEM00-CCWE-415, Double free
MEM00-CCWE-416, Use after free
MEM01-CCWE-415, Double free
MEM01-CCWE-416, Use after free
MEM03-CCWE-226, Sensitive information uncleared before release
MEM03-CCWE-244, Failure to clear heap memory before release ("heap inspection")
MEM04-CCWE-687, Function call with incorrectly specified argument value
MEM06-CCWE-591, Sensitive data storage in improperly locked memory
MEM06-CCWE-528, Information leak through core dump files
MEM07-CCWE-190, Integer overflow (wrap or wraparound)
MEM07-CCWE-128, Wrap-around error
MEM10-CCWE-20, Improper Input Validation
MEM10-CCWE-79, Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
MEM10-CCWE-89, Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
MEM10-CCWE-91, XML Injection (aka Blind XPath Injection)
MEM10-CCWE-94, Improper Control of Generation of Code ('Code Injection')
MEM10-CCWE-114, Process Control
MEM10-CCWE-601, URL Redirection to Untrusted Site ('Open Redirect')
MEM11-CCWE-770, Allocation of resources without limits or throttling
MSC00-CCWE-563, Unused variable
MSC00-CCWE-570, Expression is always false
MSC00-CCWE-571, Expression is always true
MSC06-CCWE-14, Compiler removal of code to clear buffers
MSC07-CCWE-561, Dead code
MSC09-CCWE-116, Improper encoding or escaping of output
MSC10-CCWE-176, Failure to handle Unicode encoding
MSC10-CCWE-116, Improper encoding or escaping of output
MSC11-CCWE-190, Reachable assertion
MSC18-CCWE-259, Use of Hard-coded Password
MSC18-CCWE-261, Weak Cryptography for Passwords
MSC18-CCWE-311, Missing encryption of sensitive data
MSC18-CCWE-319, Cleartext Transmission of Sensitive Information
MSC18-CCWE-321, Use of Hard-coded Cryptographic Key
MSC18-CCWE-326, Inadequate encryption strength
MSC18-CCWE-798, Use of hard-coded credentials
MSC24-CCWE-20, Insufficient input validation
MSC24-CCWE-73, External control of file name or path
MSC24-CCWE-79, Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
MSC24-CCWE-89, Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
MSC24-CCWE-91, XML Injection (aka Blind XPath Injection)
MSC24-CCWE-94, Improper Control of Generation of Code ('Code Injection')
MSC24-CCWE-114, Process Control
MSC24-CCWE-120, Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
MSC24-CCWE-192, Integer coercion error
MSC24-CCWE-197, Numeric truncation error
MSC24-CCWE-367, Time-of-check, time-of-use race condition
MSC24-CCWE-464, Addition of data structure sentinel
MSC24-CCWE-601, URL Redirection to Untrusted Site ('Open Redirect')
MSC24-CCWE-676, Use of potentially dangerous function
POS01-CCWE-59, Failure to resolve links before file access (aka "link following")
POS01-CCWE-362, Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
POS01-CCWE-367, Time-of-check, time-of-use (TOCTOU) race condition
POS02-CCWE-250, Execution with unnecessary privileges
POS02-CCWE-272, Least privilege violation
PRE09-CCWE-684, Failure to provide specified functionality
SIG00-CCWE-662, Insufficient synchronization
STR02-CCWE-88, Argument injection or modification
STR02-CCWE-78, Failure to sanitize data into an OS command (aka "OS command injection")
STR03-CCWE-170, Improper null termination
STR03-CCWE-464, Addition of data structure sentinel
STR06-CCWE-464, Addition of data structure sentinel
WIN02-CCWE-250, Execution with unnecessary privileges
WIN02-CCWE-272, Least privilege violation
WIN04-CCWE-311, Missing encryption of sensitive data
WIN04-CCWE-319, Cleartext Transmission of Sensitive Information