CERT Rule    Related Guidelines

STR34-C      CWE-704, Incorrect Type Conversion or Cast
MSC41-C      CWE-259, Use of Hard-Coded Password
MSC41-C      CWE-798, Use of Hard-Coded Credentials
API00-C      CWE-476
API07-C      CWE-192
API07-C      CWE-227
API07-C      CWE-590
API07-C      CWE-686
API07-C      CWE-704
API07-C      CWE-761
API07-C      CWE-762
API07-C      CWE-843
ARR01-C      CWE-569
ARR01-C      CWE-783
CON05-C      CWE-557
CON05-C      CWE-662
CON07-C      CWE-366, Race condition within a thread
CON07-C      CWE-413, Improper resource locking
CON07-C      CWE-567, Unsynchronized access to shared data in a multithreaded context
CON07-C      CWE-667, Improper locking
CON08-C      CWE-362, Concurrent execution using shared resource with improper synchronization ("race condition")
CON08-C      CWE-366, Race condition within a thread
CON08-C      CWE-662, Improper synchronization
DCL06-C      CWE-547, Use of hard-coded, security-relevant constants
DCL10-C      CWE-628, Function call with incorrectly specified arguments
ENV01-C      CWE-119, Improper Restriction of Operations within the Bounds of a Memory Buffer
ENV01-C      CWE-123, Write-what-where Condition
ENV01-C      CWE-125, Out-of-bounds Read
ENV02-C      CWE-462, Duplicate key in associative list (Alist)
ENV02-C      CWE-807, Reliance on untrusted inputs in a security decision
ENV03-C      CWE-78, Failure to sanitize data into an OS command (aka "OS command injection")
ENV03-C      CWE-88, Argument injection or modification
ENV03-C      CWE-426, Untrusted search path
ENV03-C      CWE-471, Modification of Assumed-Immutable Data (MAID)
ENV03-C      CWE-807, Reliance on untrusted inputs in a security decision
ERR00-C      CWE-391, Unchecked error condition
ERR00-C      CWE-544, Missing standardized error handling mechanism
ERR04-C      CWE-705, Incorrect control flow scoping
ERR07-C      CWE-20, Improper Input Validation
ERR07-C      CWE-79, Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
ERR07-C      CWE-89, Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
ERR07-C      CWE-91, XML Injection (aka Blind XPath Injection)
ERR07-C      CWE-94, Improper Control of Generation of Code ('Code Injection')
ERR07-C      CWE-114, Process Control
ERR07-C      CWE-601, URL Redirection to Untrusted Site ('Open Redirect')
ERR07-C      CWE-676, Use of potentially dangerous function
EXP02-C      CWE-768, Incorrect short circuit evaluation
EXP05-C      CWE-704, Incorrect type conversion or cast
EXP08-C      CWE-468, Incorrect pointer scaling
EXP09-C      CWE-805, Buffer access with incorrect length value
EXP12-C      CWE-754, Improper check for unusual or exceptional conditions
EXP15-C      CWE-480, Use of incorrect operator
EXP16-C      CWE-480, Use of incorrect operator
EXP16-C      CWE-482, Comparing instead of assigning
FIO01-C      CWE-73, External control of file name or path
FIO01-C      CWE-367, Time-of-check, time-of-use race condition
FIO01-C      CWE-676, Use of potentially dangerous function
FIO02-C      CWE-22, Path traversal
FIO02-C      CWE-23, Relative Path Traversal
FIO02-C      CWE-28, Path Traversal: '..\filedir'
FIO02-C      CWE-40, Path Traversal: '\\UNC\share\name\' (Windows UNC Share)
FIO02-C      CWE-41, Failure to resolve path equivalence
FIO02-C      CWE-59, Failure to resolve links before file access (aka "link following")
FIO02-C      CWE-73, External control of file name or path
FIO05-C      CWE-37, Path issue—Slash absolute path
FIO05-C      CWE-38, Path Issue—Backslash absolute path
FIO05-C      CWE-39, Path Issue—Drive letter or Windows volume
FIO05-C      CWE-62, UNIX hard link
FIO05-C      CWE-64, Windows shortcut following (.LNK)
FIO05-C      CWE-65, Windows hard link
FIO06-C      CWE-276, Insecure default permissions
FIO06-C      CWE-279, Insecure execution-assigned permissions
FIO06-C      CWE-732, Incorrect permission assignment for critical resource
FIO15-C      CWE-379, Creation of temporary file in directory with insecure permissions
FIO15-C      CWE-552, Files or directories accessible to external parties
FIO21-C      CWE-379, Creation of temporary file in directory with insecure permissions
FIO22-C      CWE-403, UNIX file descriptor leak
FIO22-C      CWE-404, Improper resource shutdown or release
FIO22-C      CWE-770, Allocation of resources without limits or throttling
FIO24-C      CWE-362, Concurrent Execution Using Shared Resource with Improper Synchronization ("Race Condition")
FIO24-C      CWE-675, Duplicate Operations on Resource
FLP03-C      CWE-369, Divide by zero
FLP06-C      CWE-681, Incorrect conversion between numeric types
FLP06-C      CWE-682, Incorrect calculation
INT02-C      CWE-192, Integer coercion error
INT02-C      CWE-197, Numeric truncation error
INT05-C      CWE-192, Integer coercion error
INT05-C      CWE-197, Numeric truncation error
INT07-C      CWE-682, Incorrect calculation
INT10-C      CWE-682, Incorrect calculation
INT10-C      CWE-129, Unchecked array indexing
INT13-C      CWE-682, Incorrect calculation
INT15-C      CWE-681, Incorrect conversion between numeric types
INT18-C      CWE-681, Incorrect conversion between numeric types
INT18-C      CWE-190, Integer overflow (wrap or wraparound)
MEM00-C      CWE-415, Double free
MEM00-C      CWE-416, Use after free
MEM01-C      CWE-415, Double free
MEM01-C      CWE-416, Use after free
MEM03-C      CWE-226, Sensitive information uncleared before release
MEM03-C      CWE-244, Failure to clear heap memory before release ("heap inspection")
MEM04-C      CWE-687, Function call with incorrectly specified argument value
MEM06-C      CWE-591, Sensitive data storage in improperly locked memory
MEM06-C      CWE-528, Information leak through core dump files
MEM07-C      CWE-190, Integer overflow (wrap or wraparound)
MEM07-C      CWE-128, Wrap-around error
MEM10-C      CWE-20, Improper Input Validation
MEM10-C      CWE-79, Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
MEM10-C      CWE-89, Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
MEM10-C      CWE-91, XML Injection (aka Blind XPath Injection)
MEM10-C      CWE-94, Improper Control of Generation of Code ('Code Injection')
MEM10-C      CWE-114, Process Control
MEM10-C      CWE-601, URL Redirection to Untrusted Site ('Open Redirect')
MEM11-C      CWE-770, Allocation of resources without limits or throttling
MSC00-C      CWE-563, Unused variable
MSC00-C      CWE-570, Expression is always false
MSC00-C      CWE-571, Expression is always true
MSC06-C      CWE-14, Compiler removal of code to clear buffers
MSC07-C      CWE-561, Dead code
MSC09-C      CWE-116, Improper encoding or escaping of output
MSC10-C      CWE-176, Failure to handle Unicode encoding
MSC10-C      CWE-116, Improper encoding or escaping of output
MSC11-C      CWE-190, Reachable assertion
MSC18-C      CWE-259, Use of Hard-coded Password
MSC18-C      CWE-261, Weak Cryptography for Passwords
MSC18-C      CWE-311, Missing encryption of sensitive data
MSC18-C      CWE-319, Cleartext Transmission of Sensitive Information
MSC18-C      CWE-321, Use of Hard-coded Cryptographic Key
MSC18-C      CWE-326, Inadequate encryption strength
MSC18-C      CWE-798, Use of hard-coded credentials
MSC24-C      CWE-20, Insufficient input validation
MSC24-C      CWE-73, External control of file name or path
MSC24-C      CWE-79, Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
MSC24-C      CWE-89, Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
MSC24-C      CWE-91, XML Injection (aka Blind XPath Injection)
MSC24-C      CWE-94, Improper Control of Generation of Code ('Code Injection')
MSC24-C      CWE-114, Process Control
MSC24-C      CWE-120, Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
MSC24-C      CWE-192, Integer coercion error
MSC24-C      CWE-197, Numeric truncation error
MSC24-C      CWE-367, Time-of-check, time-of-use race condition
MSC24-C      CWE-464, Addition of data structure sentinel
MSC24-C      CWE-601, URL Redirection to Untrusted Site ('Open Redirect')
MSC24-C      CWE-676, Use of potentially dangerous function
POS01-C      CWE-59, Failure to resolve links before file access (aka "link following")
POS01-C      CWE-362, Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
POS01-C      CWE-367, Time-of-check, time-of-use (TOCTOU) race condition
POS02-C      CWE-250, Execution with unnecessary privileges
POS02-C      CWE-272, Least privilege violation
PRE09-C      CWE-684, Failure to provide specified functionality
SIG00-C      CWE-662, Insufficient synchronization
STR02-C      CWE-88, Argument injection or modification
STR02-C      CWE-78, Failure to sanitize data into an OS command (aka "OS command injection")
STR03-C      CWE-170, Improper null termination
STR03-C      CWE-464, Addition of data structure sentinel
STR06-C      CWE-464, Addition of data structure sentinel
WIN02-C      CWE-250, Execution with unnecessary privileges
WIN02-C      CWE-272, Least privilege violation
WIN04-C      CWE-311, Missing encryption of sensitive data
WIN04-C      CWE-319, Cleartext Transmission of Sensitive Information