DATASHEET

CWE C and C++ Rule Enforcement (2023)

ENFORCEMENT HELIX QAC 2024.2

CWE enforcement is measured against defined lists of weaknesses, not all of which apply to every language.

2023 CWE Top 25 Most Dangerous Software Weaknesses

https://cwe.mitre.org/top25/archive/2023/2023_cwe_top25.html

| Rank | CWE ID  | Description                                                                                  | Enforced C | Enforced C++ |
|------|---------|----------------------------------------------------------------------------------------------|------------|--------------|
| 1    | CWE-787 | Out-of-bounds Write                                                                          | Yes        | Yes          |
| 2    | CWE-79  | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')         | N/A        | N/A          |
| 3    | CWE-89  | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')         | Yes        | Yes          |
| 4    | CWE-416 | Use After Free                                                                               | Yes        | Yes          |
| 5    | CWE-78  | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')   | Yes        | Yes          |
| 6    | CWE-20  | Improper Input Validation                                                                    | Yes        | Yes          |
| 7    | CWE-125 | Out-of-bounds Read                                                                           | Yes        | Yes          |
| 8    | CWE-22  | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')               | No         | No           |
| 9    | CWE-352 | Cross-Site Request Forgery (CSRF)                                                            | N/A        | N/A          |
| 10   | CWE-434 | Unrestricted Upload of File with Dangerous Type                                              | N/A        | N/A          |
| 11   | CWE-862 | Missing Authorization                                                                        | No         | No           |
| 12   | CWE-476 | NULL Pointer Dereference                                                                     | Yes        | Yes          |
| 13   | CWE-287 | Improper Authentication                                                                      | N/A        | N/A          |
| 14   | CWE-190 | Integer Overflow or Wraparound                                                               | Yes        | Yes          |
| 15   | CWE-502 | Deserialization of Untrusted Data                                                            | N/A        | N/A          |
| 16   | CWE-77  | Improper Neutralization of Special Elements used in a Command ('Command Injection')          | No         | No           |
| 17   | CWE-119 | Improper Restriction of Operations within the Bounds of a Memory Buffer                      | Yes        | Yes          |
| 18   | CWE-798 | Use of Hard-coded Credentials                                                                | Yes        | Yes          |
| 19   | CWE-918 | Server-Side Request Forgery (SSRF)                                                           | N/A        | N/A          |
| 20   | CWE-306 | Missing Authentication for Critical Function                                                 | No         | No           |
| 21   | CWE-362 | Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')  | Yes        | Yes          |
| 22   | CWE-269 | Improper Privilege Management                                                                | Yes        | Yes          |
| 23   | CWE-94  | Improper Control of Generation of Code ('Code Injection')                                    | N/A        | N/A          |
| 24   | CWE-863 | Incorrect Authorization                                                                      | No         | No           |
| 25   | CWE-276 | Incorrect Default Permissions                                                                | N/A        | N/A          |