DATASHEET
CWE C++ Enforcement
ENFORCEMENT HELIX QAC 2024.2
Note: the CWEs listed are from CWE 4.12.

ALL WEAKNESSES

CWE-ID | Description |
---|---|
CWE-14 | Compiler Removal of Code to Clear Buffers |
CWE-20 | Improper Input Validation |
CWE-78 | Improper Sanitization of Special Elements used in an OS Command ('OS Command Injection') |
CWE-80 | Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) |
CWE-88 | Argument Injection or Modification |
CWE-89 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') |
CWE-99 | Improper Control of Resource Identifiers ('Resource Injection') |
CWE-119 | Improper Restriction of Operations within the Bounds of a Memory Buffer |
CWE-120 | Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') |
CWE-121 | Stack-based Buffer Overflow |
CWE-122 | Heap-based Buffer Overflow |
CWE-124 | Buffer Underwrite |
CWE-125 | Out-of-bounds Read |
CWE-126 | Buffer Over-read |
CWE-127 | Buffer Under-read |
CWE-128 | Wrap-around Error |
CWE-129 | Improper Validation of Array Index |
CWE-130 | Improper Handling of Length Parameter Inconsistency |
CWE-131 | Incorrect Calculation of Buffer Size |
CWE-170 | Improper NULL termination |
CWE-176 | Improper Handling of Unicode Encoding |
CWE-187 | Partial Comparison |
CWE-188 | Reliance on Data/Memory Layout |
CWE-190 | Integer Overflow or Wraparound |
CWE-191 | Integer Underflow (Wrap or Wraparound) |
CWE-192 | Integer Coercion Error |
CWE-193 | Off-by-one Error |
CWE-194 | Unexpected Sign Extension |
CWE-195 | Signed to Unsigned Conversion Error |
CWE-196 | Unsigned to Signed Conversion Error |
CWE-197 | Numeric Truncation Error |
CWE-242 | Use of Inherently Dangerous Function |
CWE-243 | Creation of chroot Jail Without Changing Working Directory |
CWE-244 | Improper Clearing of Heap Memory Before Release ('Heap Inspection') |
CWE-248 | Uncaught Exception |
CWE-259 | Use of Hard-coded Password |
CWE-321 | Use of Hard-coded Cryptographic Key |
CWE-324 | Use of a Key Past its Expiration Date |
CWE-336 | Same seed in Pseudo-Random Number Generator (PRNG) |
CWE-337 | Predictable seed in Pseudo-Random Number Generator (PRNG) |
CWE-362 | Concurrent Execution using Shared Resource with Improper Synchronization |
CWE-364 | Signal Handler Race Condition |
CWE-367 | Time-of-check Time-of-use (TOCTOU) Race Condition |
CWE-375 | Returning a Mutable Object to an Untrusted Caller |
CWE-397 | Declaration of Throws for Generic Exception |
CWE-401 | Improper Release of Memory Before Removing Last Reference ('Memory Leak') |
CWE-412 | Unrestricted Externally Accessible Lock |
CWE-413 | Improper Resource Locking |
CWE-415 | Double Free |
CWE-416 | Use After Free |
CWE-457 | Use of Uninitialized Variable |
CWE-460 | Improper Cleanup on Thrown Exception |
CWE-466 | Return of Pointer Value Outside of Expected Range |
CWE-467 | Use of sizeof() on a Pointer Type |
CWE-468 | Incorrect Pointer Scaling |
CWE-469 | Use of Pointer Subtraction to Determine Size |
CWE-476 | NULL Pointer Dereference |
CWE-478 | Missing Default Case in Switch Statement |
CWE-479 | Unsafe Function Call from a Signal Handler |
CWE-480 | Use of Incorrect Operator |
CWE-481 | Assigning instead of Comparing |
CWE-482 | Comparing instead of Assigning |
CWE-483 | Incorrect Block Delimitation |
CWE-484 | Omitted Break Statement in Switch |
CWE-489 | Active Debug Code |
CWE-493 | Critical Public Variable Without Final Modifier |
CWE-495 | Private Array-Typed Field Returned From A Public Method |
CWE-500 | Public Static Field Not Marked Final |
CWE-543 | Use of Singleton Pattern Without Synchronization in a Multithreaded Context |
CWE-558 | Use of getlogin() in Multithreaded Application |
CWE-562 | Return of Stack Variable Address |
CWE-587 | Assignment of a Fixed Address to a Pointer |
CWE-606 | Unchecked Input for Loop Condition |
CWE-676 | Use of Potentially Dangerous Function |
CWE-690 | Unchecked Return Value to NULL Pointer Dereference |
CWE-704 | Incorrect Type Conversion or Cast |
CWE-733 | Compiler Optimization Removal or Modification of Security-critical Code |
CWE-762 | Mismatched Memory Management Routines |
CWE-766 | Critical Variable Declared Public |
CWE-767 | Access to Critical Private Variable via Public Method |
CWE-781 | Improper Address Validation in IOCTL with METHOD_NEITHER I/O Control Code |
CWE-782 | Exposed IOCTL with Insufficient Access Control |
CWE-783 | Operator Precedence Logic Error |
CWE-785 | Use of Path Manipulation Function without Maximum-sized Buffer |
CWE-787 | Out-of-bounds Write |
CWE-798 | Use of Hard-coded Credentials |
CWE-805 | Buffer Access with Incorrect Length Value |
CWE-806 | Buffer Access Using Size of Source Buffer |
CWE-839 | Numeric Range Comparison Without Minimum Check |
CWE-843 | Access of Resource Using Incompatible Type |
CWE-910 | Use of Expired File Descriptor |
CWE-911 | Improper Update of Reference Count |

CWE-659 - Weaknesses in Software Written in C++

CWE-ID | Description | Enforced |
---|---|---|
CWE-14 | Compiler Removal of Code to Clear Buffers | Yes |
CWE-119 | Improper Restriction of Operations within the Bounds of a Memory Buffer | Yes |
CWE-120 | Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') | Yes |
CWE-121 | Stack-based Buffer Overflow | Yes |
CWE-122 | Heap-based Buffer Overflow | Yes |
CWE-123 | Write-what-where Condition | No |
CWE-124 | Buffer Underwrite ('Buffer Underflow') | Yes |
CWE-125 | Out-of-bounds Read | Yes |
CWE-126 | Buffer Over-read | Yes |
CWE-127 | Buffer Under-read | Yes |
CWE-128 | Wrap-around Error | Yes |
CWE-129 | Improper Validation of Array Index | Yes |
CWE-130 | Improper Handling of Length Parameter Inconsistency | Yes |
CWE-131 | Incorrect Calculation of Buffer Size | Yes |
CWE-134 | Use of Externally-Controlled Format String | No |
CWE-135 | Incorrect Calculation of Multi-Byte String Length | No |
CWE-170 | Improper Null Termination | Yes |
CWE-188 | Reliance on Data/Memory Layout | Yes |
CWE-191 | Integer Underflow (Wrap or Wraparound) | Yes |
CWE-192 | Integer Coercion Error | Yes |
CWE-194 | Unexpected Sign Extension | Yes |
CWE-195 | Signed to Unsigned Conversion Error | Yes |
CWE-196 | Unsigned to Signed Conversion Error | Yes |
CWE-197 | Numeric Truncation Error | Yes |
CWE-242 | Use of Inherently Dangerous Function | Yes |
CWE-243 | Creation of chroot Jail Without Changing Working Directory | Yes |
CWE-244 | Improper Clearing of Heap Memory Before Release ('Heap Inspection') | Yes |
CWE-248 | Uncaught Exception | Yes |
CWE-362 | Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') | Yes |
CWE-364 | Signal Handler Race Condition | Yes |
CWE-366 | Race Condition within a Thread | No |
CWE-374 | Passing Mutable Objects to an Untrusted Method | No |
CWE-375 | Returning a Mutable Object to an Untrusted Caller | Yes |
CWE-396 | Declaration of Catch for Generic Exception | No |
CWE-397 | Declaration of Throws for Generic Exception | Yes |
CWE-401 | Missing Release of Memory after Effective Lifetime | Yes |
CWE-415 | Double Free | Yes |
CWE-416 | Use After Free | Yes |
CWE-457 | Use of Uninitialized Variable | Yes |
CWE-460 | Improper Cleanup on Thrown Exception | Yes |
CWE-462 | Duplicate Key in Associative List (Alist) | No |
CWE-463 | Deletion of Data Structure Sentinel | No |
CWE-464 | Addition of Data Structure Sentinel | No |
CWE-466 | Return of Pointer Value Outside of Expected Range | Yes |
CWE-467 | Use of sizeof() on a Pointer Type | Yes |
CWE-468 | Incorrect Pointer Scaling | Yes |
CWE-469 | Use of Pointer Subtraction to Determine Size | Yes |
CWE-476 | NULL Pointer Dereference | Yes |
CWE-478 | Missing Default Case in Multiple Condition Expression | Yes |
CWE-479 | Signal Handler Use of a Non-reentrant Function | Yes |
CWE-480 | Use of Incorrect Operator | Yes |
CWE-481 | Assigning instead of Comparing | Yes |
CWE-482 | Comparing instead of Assigning | Yes |
CWE-483 | Incorrect Block Delimitation | Yes |
CWE-484 | Omitted Break Statement in Switch | Yes |
CWE-493 | Critical Public Variable Without Final Modifier | Yes |
CWE-495 | Private Data Structure Returned From A Public Method | Yes |
CWE-496 | Public Data Assigned to Private Array-Typed Field | No |
CWE-498 | Cloneable Class Containing Sensitive Information | No |
CWE-500 | Public Static Field Not Marked Final | Yes |
CWE-543 | Use of Singleton Pattern Without Synchronization in a Multithreaded Context | Yes |
CWE-558 | Use of getlogin() in Multithreaded Application | Yes |
CWE-562 | Return of Stack Variable Address | Yes |
CWE-587 | Assignment of a Fixed Address to a Pointer | Yes |
CWE-676 | Use of Potentially Dangerous Function | Yes |
CWE-690 | Unchecked Return Value to NULL Pointer Dereference | Yes |
CWE-704 | Incorrect Type Conversion or Cast | Yes |
CWE-733 | Compiler Optimization Removal or Modification of Security-critical Code | Assisted |
CWE-762 | Mismatched Memory Management Routines | Yes |
CWE-766 | Critical Data Element Declared Public | Yes |
CWE-767 | Access to Critical Private Variable via Public Method | Yes |
CWE-781 | Improper Address Validation in IOCTL with METHOD_NEITHER I/O Control Code | Yes |
CWE-782 | Exposed IOCTL with Insufficient Access Control | Yes |
CWE-783 | Operator Precedence Logic Error | Yes |
CWE-785 | Use of Path Manipulation Function without Maximum-sized Buffer | Yes |
CWE-787 | Out-of-bounds Write | Yes |
CWE-789 | Memory Allocation with Excessive Size Value | No |
CWE-805 | Buffer Access with Incorrect Length Value | Yes |
CWE-806 | Buffer Access Using Size of Source Buffer | Yes |
CWE-839 | Numeric Range Comparison Without Minimum Check | Yes |
CWE-843 | Access of Resource Using Incompatible Type ('Type Confusion') | Yes |
CWE-910 | Use of Expired File Descriptor | Yes |
CWE-911 | Improper Update of Reference Count | Yes |
CWE-1325 | Improperly Controlled Sequential Memory Allocation | No |
CWE-1335 | Incorrect Bitwise Shift of Integer | No |
CWE-1341 | Multiple Releases of Same Resource or Handle | No |

CWE-868 - Weaknesses Addressed by the SEI CERT C Coding Standard

CWE-ID | Description | Enforced |
---|---|---|
CWE-869 | Rule 01. Preprocessors (PRE) | No |
CWE-870 | Rule 02. Declarations and Initialization (DCL) | No |
CWE-871 | Rule 03. Expressions (EXP) | No |
CWE-476 | NULL Pointer Dereference | Yes |
CWE-480 | Use of Incorrect Operator | Yes |
CWE-768 | Incorrect Short Circuit Evaluation | No |
CWE-872 | Rule 04. Integers (INT) | No |
CWE-20 | Improper Input Validation | Yes |
CWE-129 | Improper Validation of Array Index | Yes |
CWE-190 | Integer Overflow or Wraparound | Yes |
CWE-192 | Integer Coercion Error | Yes |
CWE-197 | Numeric Truncation Error | Yes |
CWE-369 | Divide By Zero | No |
CWE-466 | Return of Pointer Value Outside of Expected Range | Yes |
CWE-587 | Assignment of a Fixed Address to a Pointer | Yes |
CWE-606 | Unchecked Input for Loop Condition | Yes |
CWE-676 | Use of Potentially Dangerous Function | Yes |
CWE-681 | Incorrect Conversion between Numeric Types | No |
CWE-682 | Incorrect Calculation | No |
CWE-872 | Incorrect Type Conversion or Cast | No |
CWE-873 | Rule 05. Floating Point Arithmetic (FLP) | No |
CWE-369 | Divide By Zero | No |
CWE-681 | Incorrect Conversion between Numeric Types | No |
CWE-682 | Incorrect Calculation | No |
CWE-686 | Function Call With Incorrect Argument Type | No |
CWE-874 | Rule 06. Arrays and the STL (ARR) | No |
CWE-119 | Improper Restriction of Operations within the Bounds of a Memory Buffer | Yes |
CWE-129 | Improper Validation of Array Index | Yes |
CWE-467 | Use of sizeof() on a Pointer Type | Yes |
CWE-469 | Use of Pointer Subtraction to Determine Size | Yes |
CWE-665 | Improper Initialization | No |
CWE-805 | Buffer Access with Incorrect Length Value | Yes |
CWE-875 | Rule 07. Characters and Strings (STR) | No |
CWE-78 | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') | Yes |
CWE-88 | Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') | Yes |
CWE-119 | Improper Restriction of Operations within the Bounds of a Memory Buffer | Yes |
CWE-120 | Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') | Yes |
CWE-170 | Improper Null Termination | No |
CWE-193 | Off-by-one Error | Yes |
CWE-464 | Addition of Data Structure Sentinel | No |
CWE-686 | Function Call With Incorrect Argument Type | No |
CWE-704 | Incorrect Type Conversion or Cast | Yes |
CWE-876 | Rule 08. Memory Management (MEM) | No |
CWE-20 | Improper Input Validation | Yes |
CWE-119 | Improper Restriction of Operations within the Bounds of a Memory Buffer | Yes |
CWE-128 | Wrap-around Error | Yes |
CWE-131 | Incorrect Calculation of Buffer Size | Yes |
CWE-190 | Integer Overflow or Wraparound | Yes |
CWE-226 | Sensitive Information in Resource Not Removed Before Reuse | No |
CWE-244 | Improper Clearing of Heap Memory Before Release ('Heap Inspection') | Yes |
CWE-252 | Unchecked Return Value | No |
CWE-391 | Unchecked Error Condition | No |
CWE-404 | Improper Resource Shutdown or Release | No |
CWE-415 | Double Free | Yes |
CWE-416 | Use After Free | Yes |
CWE-476 | NULL Pointer Dereference | Yes |
CWE-528 | Exposure of Core Dump File to an Unauthorized Control Sphere | No |
CWE-590 | Free of Memory not on the Heap | No |
CWE-591 | Sensitive Data Storage in Improperly Locked Memory | No |
CWE-665 | Improper Initialization | No |
CWE-687 | Function Call With Incorrectly Specified Argument Value | No |
CWE-690 | Unchecked Return Value to NULL Pointer Dereference | Yes |
CWE-703 | Improper Check or Handling of Exceptional Conditions | No |
CWE-754 | Improper Check for Unusual or Exceptional Conditions | No |
CWE-762 | Mismatched Memory Management Routines | Yes |
CWE-770 | Allocation of Resources Without Limits or Throttling | No |
CWE-822 | Untrusted Pointer Dereference | No |
CWE-877 | Rule 09. Input Output (FIO) | No |
CWE-22 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') | No |
CWE-37 | Path Traversal: '/absolute/pathname/here' | No |
CWE-38 | Path Traversal: '\absolute\pathname\here' | No |
CWE-39 | Path Traversal: 'C:dirname' | No |
CWE-41 | Improper Resolution of Path Equivalence | No |
CWE-59 | Improper Link Resolution Before File Access ('Link Following') | No |
CWE-62 | UNIX Hard Link | No |
CWE-64 | Windows Shortcut Following (.LNK) | No |
CWE-65 | Windows Hard Link | No |
CWE-67 | Improper Handling of Windows Device Names | No |
CWE-73 | External Control of File Name or Path | No |
CWE-119 | Improper Restriction of Operations within the Bounds of a Memory Buffer | Yes |
CWE-134 | Use of Externally-Controlled Format String | No |
CWE-241 | Improper Handling of Unexpected Data Type | No |
CWE-276 | Incorrect Default Permissions | No |
CWE-279 | Incorrect Execution-Assigned Permissions | No |
CWE-362 | Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') | Yes |
CWE-367 | Time-of-check Time-of-use (TOCTOU) Race Condition | No |
CWE-379 | Creation of Temporary File in Directory with Insecure Permissions | No |
CWE-391 | Unchecked Error Condition | No |
CWE-403 | Exposure of File Descriptor to Unintended Control Sphere ('File Descriptor Leak') | No |
CWE-404 | Improper Resource Shutdown or Release | No |
CWE-552 | Files or Directories Accessible to External Parties | No |
CWE-675 | Multiple Operations on Resource in Single-Operation Context | No |
CWE-676 | Use of Potentially Dangerous Function | Yes |
CWE-732 | Incorrect Permission Assignment for Critical Resource | No |
CWE-770 | Allocation of Resources Without Limits or Throttling | No |
CWE-878 | Rule 10. Environment (ENV) | No |
CWE-78 | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') | Yes |
CWE-88 | Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') | Yes |
CWE-119 | Improper Restriction of Operations within the Bounds of a Memory Buffer | Yes |
CWE-426 | Untrusted Search Path | No |
CWE-462 | Duplicate Key in Associative List (Alist) | No |
CWE-705 | Incorrect Control Flow Scoping | No |
CWE-807 | Reliance on Untrusted Inputs in a Security Decision | No |
CWE-879 | Rule 11. Signals (SIG) | No |
CWE-479 | Signal Handler Use of a Non-reentrant Function | Yes |
CWE-662 | Improper Synchronization | No |
CWE-880 | Rule 12. Exceptions and Error Handling (ERR) | No |
CWE-209 | Generation of Error Message Containing Sensitive Information | No |
CWE-390 | Detection of Error Condition Without Action | No |
CWE-391 | Unchecked Error Condition | No |
CWE-460 | Improper Cleanup on Thrown Exception | Yes |
CWE-497 | Exposure of Sensitive System Information to an Unauthorized Control Sphere | No |
CWE-544 | Missing Standardized Error Handling Mechanism | No |
CWE-703 | Improper Check or Handling of Exceptional Conditions | No |
CWE-705 | Incorrect Control Flow Scoping | No |
CWE-754 | Improper Check for Unusual or Exceptional Conditions | No |
CWE-755 | Improper Handling of Exceptional Conditions | No |
CWE-881 | Rule 13. Object Oriented Programming (OOP) | No |
CWE-882 | Rule 14. Concurrency (CON) | No |
CWE-362 | Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') | Yes |
CWE-366 | Race Condition within a Thread | No |
CWE-404 | Improper Resource Shutdown or Release | No |
CWE-488 | Exposure of Data Element to Wrong Session | No |
CWE-772 | Missing Release of Resource after Effective Lifetime | No |
CWE-883 | Rule 48. Miscellaneous (MISC) | No |
CWE-14 | Compiler Removal of Code to Clear Buffers | Yes |
CWE-20 | Improper Input Validation | Yes |
CWE-116 | Improper Encoding or Escaping of Output | No |
CWE-176 | Improper Handling of Unicode Encoding | Yes |
CWE-327 | Use of a Broken or Risky Cryptographic Algorithm | No |
CWE-330 | Use of Insufficiently Random Values | No |
CWE-480 | Use of Incorrect Operator | Yes |
CWE-482 | Comparing instead of Assigning | Yes |
CWE-561 | Dead Code | No |
CWE-563 | Assignment to Variable without Use | No |
CWE-570 | Expression is Always False | No |
CWE-571 | Expression is Always True | No |
CWE-697 | Incorrect Comparison | No |
CWE-704 | Incorrect Type Conversion or Cast | Yes |