...

Each rule and recommendation has an assigned Priority. Priorities are assigned using a metric based on Failure Mode, Effects, and Criticality Analysis (FMECA) [IEC 60812]. Three values are assigned for each rule on a scale of 1 to 3 for the following:

  • Severity—How serious are the consequences of the rule being ignored?

    Value   Meaning   Examples of Vulnerability
    1       low       denial-of-service attack, abnormal termination
    2       medium    data integrity violation, unintentional information disclosure
    3       high      run arbitrary code

...

Where applicable, guidelines provide information on analyzer tools that can automatically diagnose violations of secure coding guidelines. Most automated analyses for the Perl programming language are neither sound nor complete, so the inclusion of a tool in this section typically means that the tool can diagnose some violations of this particular rule. Currently, there is no conformance test suite available that can be used to assess the false-positive and false-negative rates of analyzers when checking conformance for a particular guideline against source code (although CERT has announced it will coordinate the development of a freely available, open-source-licensed conformance test).

Because of the lack of an existing conformance test, the information in these sections may be

...

The risk analysis section also contains a link to search for related vulnerabilities on the CERT website. Whenever possible, CERT Vulnerability Notes are tagged with a keyword corresponding to the unique ID of the coding guideline. This search provides you with an up-to-date list of real-world vulnerabilities that have been determined to be at least partially caused by a violation of this specific guideline. These vulnerabilities are labeled as such only when the vulnerability analysis team at the CERT/CC is able to evaluate the source code and precisely determine the cause of the vulnerability. Because many vulnerability notes refer to vulnerabilities in closed-source software systems, it is not always possible to provide this additional analysis. Consequently, the related vulnerabilities field tends to be somewhat sparsely populated.

...
