DATASHEET

CWE Weakness Enforcement (All)

ENFORCEMENT FOR KW 2024.2

Note the CWEs listed are from CWE 4.12

Weaknesses

Rule Id

Description

C/C++

C#

Java

JavaScript

Python

Kotlin

CWE-20

Improper Input Validation

Yes

Yes

Yes

   

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Yes

Yes

Yes

   

CWE-23

Relative Path Traversal

Yes

     

CWE-73

External Control of File Name or Path

Yes

 

Yes

   

CWE-74

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

  

Yes

   

CWE-77

Improper Neutralization of Special Elements used in a Command ('Command Injection')

Yes

     

CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Yes

Yes

Yes

   

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Yes

Yes

Yes

   

CWE-80

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)

Yes

     

CWE-88

Argument Injection or Modification

Yes

     

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Yes

Yes

Yes

   

CWE-90

Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')

  

Yes

   

CWE-94

Improper Control of Generation of Code ('Code Injection')

Yes

Yes

Yes

   

CWE-95

Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')

   

Yes

Yes

 

CWE-99

Improper Control of Resource Identifiers ('Resource Injection')

Yes

     

CWE-103

Struts: Incomplete validate() Method Definition

  

Yes

   

CWE-105

Struts: Form Field Without Validator

  

Yes

   

CWE-113

Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')

  

Yes

   

CWE-114

Process Control

Yes

 

Yes

   

CWE-117

Improper Output Neutralization for Logs

  

Yes

   

CWE-119

Improper Restriction of Operations within the Bounds of a Memory Buffer

Yes

Yes

    

CWE-120

Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

Yes

     

CWE-121

Stack-based Buffer Overflow

Yes

     

CWE-122

Heap-based Buffer Overflow

Yes

     

CWE-124

Buffer Underwrite

Yes

     

CWE-125

Out-of-bounds Read

Yes

Yes

    

CWE-127

Buffer Under-read

Yes

     

CWE-129

Improper Validation of Array Index

Yes

 

Yes

   

CWE-131

Incorrect Calculation of Buffer Size

Yes

     

CWE-134

Use of Externally-Controlled Format String

Yes

     

CWE-135

Incorrect Calculation of Multi-Byte String Length

Yes

     

CWE-170

Improper NULL termination

Yes

     

CWE-176

Improper Handling of Unicode Encoding

Yes

     

CWE-190

Integer Overflow or Wraparound

Yes

Yes

Yes

   

CWE-192

Integer Coercion Error

Yes

Yes

    

CWE-193

Off-by-one Error

Yes

     

CWE-195

Signed to Unsigned Conversion Error

Yes

     

CWE-196

Unsigned to Signed Conversion Error

Yes

     

CWE-197

Numeric Truncation Error

Yes

     

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

Yes

Yes

Yes

   

CWE-226

Sensitive Information Uncleared Before Release

  

Yes

   

CWE-242

Use of Inherently Dangerous Function

Yes

     

CWE-245

J2EE Bad Practices: Direct Management of Connections

  

Yes

   

CWE-246

J2EE Bad Practices: Direct Use of Sockets

  

Yes

   

CWE-248

Uncaught Exception

  

Yes

   

CWE-250

Execution with Unnecessary Privileges

Yes

     

CWE-251

Often Misused: String Management

Yes

     

CWE-252

Unchecked Return Value

Yes

    

Yes

CWE-253

Incorrect Check of Function Return Value

Yes

     

CWE-256

Plaintext Storage of a Password

Yes

     

CWE-259

Use of Hard-coded Password

Yes

 

Yes

   

CWE-269

Improper Privilege Management

Yes

Yes

Yes

   

CWE-272

Least Privilege Violation

Yes

     

CWE-273

Improper Check for Dropped Privileges

Yes

     

CWE-276

Incorrect Default Permissions

Yes

     

CWE-284

Improper Access Control

Yes

     

CWE-287

Incorrect Authentication

Yes

 

Yes

   

CWE-290

Authentication Bypass by Spoofing

Yes

     

CWE-295

Improper Certificate Validation

 

Yes

Yes

 

Yes

 

CWE-306

Missing Authentication for Critical Function

  

Yes

   

CWE-307

Improper Restriction of Excessive Authentication Attempts

Yes

     

CWE-311

Missing Encryption of Sensitive Data

Yes

 

Yes

   

CWE-312

Cleartext Storage of Sensitive Information

Yes

     

CWE-315

Cleartext Storage of Sensitive Information in a Cookie

  

Yes

   

CWE-321

Use of Hard-coded Cryptographic Key

Yes

     

CWE-326

Inadequate Encryption Strength

Yes

 

Yes

   

CWE-327

Use of a Broken or Risky Cryptographic Algorithm

Yes

Yes

Yes

   

CWE-330

Use of Insufficiently Random Values

  

Yes

   

CWE-352

Cross-Site Request Forgery

 

Yes

Yes

   

CWE-362

Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

Yes

     

CWE-367

Time-of-check Time-of-use (TOCTOU) Race Condition

Yes

     

CWE-369

Divide By Zero

Yes

Yes

    

CWE-374

Passing Mutable Objects to an Untrusted Method

  

Yes

   

CWE-377

Insecure Temporary File

Yes

     

CWE-382

J2EE Bad Practices: Use of System.exit()

  

Yes

   

CWE-383

J2EE Bad Practices: Direct Use of Threads

  

Yes

   

CWE-384

Session Fixation

  

Yes

   

CWE-390

Detection of Error Condition Without Action

Yes

     

CWE-391

Unchecked Error Condition"

Yes

 

Yes

   

CWE-394

Unexpected Status Code or Return Value

Yes

     

CWE-396

Declaration of Catch for Generic Exception

  

Yes

  

Yes

CWE-397

Declaration of Throws for Generic Exception

  

 

  

Yes

CWE-398

Indicator of Poor Code Quality

 

Yes

    

CWE-400

Uncontrolled Resource Consumption

Yes

Yes

Yes

   

CWE-401

Missing Release of Memory after Effective Lifetime

Yes

     

CWE-403

Exposure of File Descriptor to Unintended Control Sphere ('File Descriptor Leak')

Yes

     

CWE-404

Improper Resource Shutdown or Release

Yes

Yes

Yes

   

CWE-412

Unrestricted Externally Accessible Lock

Yes

     

CWE-413

Improper Resource Locking

Yes

     

CWE-415

Double Free

Yes

     

CWE-416

Use After Free

Yes

Yes

    

CWE-421

Race Condition During Access to Alternate Channel

Yes

     

CWE-426

Untrusted Search Path

Yes

Yes

Yes

   

CWE-434

Unrestricted Upload of File with Dangerous Type

  

Yes

   

CWE-457

Use of Uninitialized Variable

Yes

     

CWE-459

Incomplete Cleanup

  

Yes

   

CWE-464

Addition of Data Structure Sentinel

Yes

     

CWE-467

Use of sizeof() on a Pointer Type

Yes

     

CWE-468

Incorrect Pointer Scaling

Yes

     

CWE-472

External Control of Assumed-Immutable Web Parameter

  

Yes

   

CWE-476

NULL Pointer Dereference

Yes

Yes

Yes

   

CWE-478

Missing Default Case in Switch Statement

Yes

     

CWE-480

Use of Incorrect Operator

Yes

     

CWE-481

Assigning instead of Comparing

Yes

     

CWE-482

Comparing instead of Assigning

Yes

     

CWE-484

Omitted Break Statement in Switch

Yes

     

CWE-486

Comparison of Classes by Name

  

Yes

   

CWE-489

Leftover Debug Code

  

Yes

   

CWE-493

Critical Public Variable Without Final Modifier

  

Yes

   

CWE-497

Exposure of System Data to an Unauthorized Control Sphere

Yes

 

Yes

   

CWE-500

Public Static Field Not Marked Final

  

Yes

   

CWE-501

Trust Boundary Violation

  

Yes

   

CWE-502

Deserialization of Untrusted Data

 

Yes

Yes

   

CWE-522

Insufficiently Protected Credentials

Yes

 

Yes

   

CWE-539

Use of Persistent Cookies Containing Sensitive Information

Yes

     

CWE-548

Information Exposure Through Directory Listing

  

Yes

   

CWE-561

Dead Code

Yes

     

CWE-562

Return of Stack Variable Address

Yes

Yes

    

CWE-563

Assignment to Variable without Use

Yes

     

CWE-567

Unsynchronized Access to Shared Data in a Multithreaded Context

  

Yes

   

CWE-568

finalize() Method Without super.finalize()

  

Yes

   

CWE-570

Expression is Always False

Yes

Yes

Yes

  

Yes

CWE-571

Expression is Always True

Yes

 

Yes

  

Yes

CWE-576

EJB Bad Practices: Use of Java I/O

  

Yes

   

CWE-580

clone() Method Without super.clone()

  

Yes

   

CWE-581

Object Model Violation: Just One of Equals and Hashcode Defined

  

Yes

  

Yes

CWE-583

finalize() Method Declared Public

  

Yes

   

CWE-584

Return Inside Finally Block

  

 

  

Yes

CWE-590

Free of Memory not on the Heap

Yes

     

CWE-595

Comparison of Object References Instead of Object Contents

  

Yes

   

CWE-596

Incorrect Semantic Object Comparison

 

Yes

    

CWE-606

Unchecked Input for Loop Condition

Yes

     

CWE-611

Improper Restriction of XML External Entity Reference

Yes

Yes

Yes

   

CWE-614

Sensitive Cookie in HTTPS Session Without 'Secure' Attribute

Yes

 

Yes

   

CWE-628

Function Call with Incorrectly Specified Arguments

Yes

     

CWE-665

Improper Initialization

Yes

     

CWE-667

Improper Lockin

Yes

     

CWE-672

Operation on a Resource after Expiration or Release

Yes

Yes

    

CWE-676

Use of Potentially Dangerous Function

Yes

     

CWE-681

Incorrect Conversion between Numeric Types

Yes

     

CWE-682

Incorrect Calculation

Yes

     

CWE-686

Function Call With Incorrect Argument Type

Yes

     

CWE-690

Unchecked Return Value to NULL Pointer Dereference

Yes

     

CWE-704

Incorrect Type Conversion or Cast

Yes

Yes

   

Yes

CWE-732

Incorrect Permission Assignment for Critical Resource

Yes

Yes

Yes

   

CWE-754

Improper Check for Unusual or Exceptional Conditions

Yes

     

CWE-759

Use of a One-Way Hash without a Salt

  

Yes

   

CWE-762

Mismatched Memory Management Routines

Yes

     

CWE-764

Multiple Locks of a Critical Resource

Yes

     

CWE-765

Multiple Unlocks of a Critical Resource

Yes

     

CWE-768

Incorrect Short Circuit Evaluation

Yes

     

CWE-772

Missing Release of Resource after Effective Lifetime

Yes

Yes

Yes

   

CWE-783

Operator Precedence Logic Error

Yes

     

CWE-786

Access of Memory Location Before Start of Buffer

Yes

     

CWE-787

Out-of-bounds Write

Yes

Yes

    

CWE-788

Access of Memory Location After End of Buffer

Yes

     

CWE-798

Use of Hard-coded Credentials

Yes

     

CWE-805

Buffer Access with Incorrect Length Value

Yes

     

CWE-806

Buffer Access Using Size of Source Buffer

Yes

     

CWE-807

Reliance on Untrusted Inputs in a Security Decision

  

Yes

   

CWE-822

Untrusted Pointer Dereference

Yes

     

CWE-829

Inclusion of Functionality from Untrusted Control Sphere

  

Yes

   

CWE-832

Missing Lock

Yes

     

CWE-833

Deadlock

Yes

     

CWE-835

Loop with Unreachable Exit Condition ('Infinite Loop')

Yes

     

CWE-843

Access of Resource Using Incompatible Type ('Type Confusion')

Yes

     

CWE-862

Missing Authorization

 

Yes

Yes

   

CWE-896

SFP Primary Cluster: Tainted Input

Yes

Yes

    

CWE 910

Use of Expired File Descriptor

Yes

     

CWE-918

Server-Side Request Forgery (SSRF)

  

Yes

   

CWE-1004

Sensitive Cookie Without 'HttpOnly' Flag

  

Yes

   

CWE-1032

Security Misconfiguration

  

Yes

   

CWE-1035

OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities

  

Yes

   

CWE-1037

Processor Optimization Removal or Modification of Security-critical Code

Yes

     

CWE-1069

Empty Exception Block

  

 

  

Yes

CWE-1071

Empty Code Block

  

 

  

Yes

CWE-1099

Inconsistent Naming Conventions for Identifiers

  

 

  

Yes

CWE-1113

Inappropriate Comment Style

  

 

  

Yes

CWE-1114

Inappropriate Whitespace Style

  

 

  

Yes

CWE-1121

Excessive McCabe Cyclomatic Complexity

  

 

  

Yes

CWE-1124

Excessive Deep Nesting

  

 

  

Yes

CWE-1235

Incorrect Use of Autoboxing and Unboxing for Performance Critical Operations

 

Yes

    

CWE-1335

Incorrect Bitwise Shift of Integer

Yes