CWE WEAKNESS IDS MAPPED TO CODESONAR® C/C++ WARNING CLASSES
1 TECHNICAL WHITEPAPER
TRUSTED LEADERS OF SOFTWARE ASSURANCE AND ADVANCED CYBER-SECURITY SOLUTIONS
WWW.GRAMMATECH.COM
INTRODUCTION
The Common Weakness Enumeration (CWE™) is a list of software weakness types. Creating the list is a community initiative aimed at creating specific and succinct definitions for each common weakness type.
Every CodeSonar warning report includes the numbers of any CWE weakness IDs that are closely mapped to the warning’s class. (The close mapping for a warning class is the set of categories—including CWE weakness IDs—that most closely match the class, if any).
You can configure CodeSonar to enable and disable warning classes mapped to specific CWE weakness IDs, or use build presets to enable all warning classes that are closely mapped to any CWE weakness IDs. In addition, you can use the CodeSonar search function to find warnings related to specific CWE weakness IDs.
CodeSonar 5.2p0 uses CWE 3.2, published January 3, 2019.
For more information on Common Weakness Enumeration:
https://cwe.mitre.org/data/index.html
The remainder of this document comprises two tables:
• A table showing the close mapping between CodeSonar C and C++ warning classes and CWE weakness IDs.
• A table showing the broad mapping between CodeSonar C and C++ warning classes and CWE weakness IDs. The broad CWE mapping for a CodeSonar warning class combines CWE weakness IDs from four sources:
1. The close CWE mapping for the class.
2. Other CWE weakness IDs that are related to the class in a meaningful way, but not eligible for the close mapping.
3. For all CWE weakness IDs from sources 1 and 2, all ancestors in the CWE hierarchy.
4. For all CWE weakness IDs from sources 1 and 2, all descendants in the CWE hierarchy.
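To make the four-source rule concrete, here is an added Python example (not GrammaTech's or CodeSonar's code) that derives a broad mapping for a warning class from its close IDs, a related-ID set, and a parent table, and then inverts the result to answer the question the second table asks (which CWE IDs are broadly mapped to at least one class). The close-mapping entries are taken from the table below; the hierarchy fragment and the RELATED set are constructed for illustration, and a real run would load ChildOf relations from the CWE XML download.

```python
"""Derive CodeSonar-style "broad" CWE mappings from "close" mappings.

Added example; this is not GrammaTech or CodeSonar code. It applies the
four-source rule from the whitepaper: close IDs, related IDs, and every
ancestor and descendant of those IDs in the CWE hierarchy. The close
mapping entries below are copied from the table in this document; the
hierarchy fragment and the RELATED set are constructed for illustration
(a real run would load ChildOf relations from the CWE XML download).
"""
from collections import deque

# Constructed fragment of the CWE hierarchy: child -> set of parents.
# A weakness can have several parents, so this is a DAG, not a tree.
PARENTS = {
    "CWE-118": {"CWE-664"},
    "CWE-119": {"CWE-118"},
    "CWE-120": {"CWE-119"},
    "CWE-786": {"CWE-119"},
    "CWE-787": {"CWE-119"},
    "CWE-788": {"CWE-119"},
    "CWE-121": {"CWE-787", "CWE-788"},
    "CWE-122": {"CWE-787", "CWE-788"},
}

# Source 1: close mapping, warning class -> CWE IDs (from the close-mapping table).
CLOSE = {
    "Buffer Overrun": {"CWE-120", "CWE-788"},
    "Buffer Underrun": {"CWE-786"},
    "Tainted Buffer Access": {"CWE-20", "CWE-119"},
}

# Source 2: related-but-not-close IDs. Constructed here; the document only
# says such a set exists, it does not publish it.
RELATED = {
    "Buffer Overrun": {"CWE-787"},
}


def _children_index(parents):
    """Invert a child->parents table into parent->children."""
    children = {}
    for child, ps in parents.items():
        for p in ps:
            children.setdefault(p, set()).add(child)
    return children


def _reachable(start, edges):
    """Every node reachable from start by following edges (start excluded).

    Breadth-first with a visited set, so a shared ancestor in the DAG is
    visited once and an accidental cycle in bad input cannot loop forever.
    """
    seen, queue = set(), deque([start])
    while queue:
        node = queue.popleft()
        for nxt in edges.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def ancestors(cwe, parents=PARENTS):
    """Source 3: all ancestors of a CWE ID (transitive ChildOf closure)."""
    return _reachable(cwe, parents)


def descendants(cwe, parents=PARENTS):
    """Source 4: all descendants of a CWE ID (transitive ParentOf closure)."""
    return _reachable(cwe, _children_index(parents))


def broad_mapping(warning_class, close=CLOSE, related=RELATED, parents=PARENTS):
    """Union of sources 1-4 for one warning class, as the document defines it."""
    seeds = set(close.get(warning_class, ())) | set(related.get(warning_class, ()))
    broad = set(seeds)
    for cwe in seeds:
        broad |= ancestors(cwe, parents)
        broad |= descendants(cwe, parents)
    return broad


def classes_broadly_mapped_to(cwe, close=CLOSE, related=RELATED, parents=PARENTS):
    """Inverse lookup: the warning classes whose broad mapping contains cwe.

    This is the relation behind the second table in the document: a CWE ID
    belongs there exactly when this set is non-empty.
    """
    return {wc for wc in set(close) | set(related)
            if cwe in broad_mapping(wc, close, related, parents)}


if __name__ == "__main__":
    for wc in sorted(CLOSE):
        print(f"{wc}: {sorted(broad_mapping(wc))}")
    # CWE-121 has no close mapping, yet it reaches Buffer Overrun through
    # its ancestor CWE-788 and Tainted Buffer Access through CWE-119.
    print("CWE-121 <-", sorted(classes_broadly_mapped_to("CWE-121")))
```

Note that a descendant of a close-mapped ID (CWE-121 above) is broadly mapped without being closely mapped, which is why the second table is much longer than the first.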
A separate document, CWE Weakness IDs Mapped to CodeSonar® Java Warning Classes, lists the CodeSonar Java warning classes that are closely and broadly mapped to CWE weakness IDs.
GrammaTech, Inc. is a leading developer of software-assurance tools and advanced cyber-security solutions. GrammaTech helps organizations develop and release high quality software, free of harmful defects that cause system failures, enable data breaches, and increase corporate liabilities in today’s connected world. GrammaTech’s CodeSonar is used by embedded developers worldwide.
CodeSonar and CodeSurfer are registered trademarks of GrammaTech, Inc. © 2020 GrammaTech, Inc. All rights reserved.
CWE CLOSE MAPPING: C/C++ (CODESONAR V5.2P0)
The following table lists the CodeSonar C/C++ warning classes that are closely mapped to CWE weakness IDs.
CWE Weakness ID and Name
  Closely Mapped CodeSonar C/C++ Classes
CWE-14 Compiler Removal of Code to Clear Buffers
  Use of memset
CWE-15 External Control of System or Configuration Setting
  Tainted Configuration Setting
CWE-20 Improper Input Validation
  Tainted Buffer Access
CWE-22 Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)
  Tainted Filename
CWE-73 External Control of File Name or Path
  Tainted Filename
CWE-78 Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
  Command Injection; Untrusted Process Creation; CommandInjectionIntoFieldWarning (Julia warning); CommandInjectionWarning (Julia warning)
CWE-89 Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
  SQL Injection
CWE-90 Improper Neutralization of Special Elements used in an LDAP Query (‘LDAP Injection’)
  LDAP Injection; LDAPAttributeInjectionIntoFieldWarning (Julia warning); LDAPAttributeInjectionWarning (Julia warning); LDAPFilterInjectionIntoFieldWarning (Julia warning); LDAPFilterInjectionWarning (Julia warning)
CWE-99 Improper Control of Resource Identifiers (‘Resource Injection’)
  Tainted Filename; Tainted Network Address; Untrusted Network Host; Untrusted Network Port
CWE-114 Process Control
  Library Injection; Untrusted Library Load
CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
  High Risk Loop; Tainted Buffer Access; Type Overrun; Type Underrun
CWE-120 Buffer Copy without Checking Size of Input (‘Classic Buffer Overflow’)
  Buffer Overrun; Use of getopt; Use of getpass; Use of gets; Use of getwd; Use of OemToAnsi; Use of OemToChar; Use of recvmsg; Use of strcat; Use of StrCatChainW; Use of strcmp; Use of strcpy; Use of strlen; Use of strtrns; Use of syslog; Use of strstr; Use of strpbrk; Use of strrchr; Use of strchr; Use of strcoll; Use of strtok; Use of strspn; Use of strcspn
CWE-134 Use of Externally-Controlled Format String
  Format String; Format String Injection; Use of FormatMessage
CWE-136 Type Errors
  Inappropriate Assignment Type; Mismatched Operand Types
CWE-170 Improper Null Termination
  No Space For Null Terminator; Unterminated C String
CWE-187 Partial String Comparison
  SuspiciousInheritanceOfEqualsWarning (Julia warning)
CWE-190 Integer Overflow or Wraparound
  Addition Overflow of Allocation Size; Addition Overflow of Size; Integer Overflow of Allocation Size; Multiplication Overflow of Allocation Size; Multiplication Overflow of Size; Subtraction Underflow of Allocation Size; Subtraction Underflow of Size
CWE-191 Integer Underflow (Wrap or Wraparound)
  Subtraction Underflow of Allocation Size; Subtraction Underflow of Size
CWE-192 Integer Coercion Error
  Cast Alters Value; Coercion Alters Value; Truncation of Allocation Size; Truncation of Size
CWE-197 Numeric Truncation Error
  Truncation of Allocation Size; Truncation of Size
CWE-200 Information Exposure
  Tainted Write
CWE-227 Improper Fulfillment of API Contract (‘API Abuse’)
  GlobalHandle on GMEM_FIXED Memory; GlobalLock on GMEM_FIXED Memory; GlobalUnlock on GMEM_FIXED Memory; LocalHandle on LMEM_FIXED Memory; LocalLock on LMEM_FIXED Memory; LocalUnlock on LMEM_FIXED Memory; MAX_PATH Exceeded; Negative file descriptor; Pool Mismatch; cosh on Low Number; Arctangent Domain Error; Floating Point Domain Error; Class is Serializable but its superclass doesn’t define a void constructor; cosh on High Number; Argument Too Low; Undefined Power of Zero; Logarithm on Negative Value; Floating Point Range Error; Raises FE_INVALID; sqrt on Negative Value; Logarithm on Zero; Argument Too High; Gamma on Zero
CWE-242 Use of Inherently Dangerous Function
  Use of gets; Use of getwd
CWE-243 Creation of chroot Jail Without Changing Working Directory
  chroot without chdir
CWE-251 Often Misused: String Management
  Use of strcat; Use of StrCatChainW; Use of strcmp; Use of strcpy; Use of strlen; Use of strtrns; Use of strpbrk; Use of strrchr; Use of strchr; Use of strcoll; Use of strtok; Use of strspn; Use of strcspn
CWE-252 Unchecked Return Value
  Ignored Return Value
CWE-256 Unprotected Storage of Credentials
  Plaintext Storage of Password
CWE-269 Improper Privilege Management
  Use of AddAccessAllowedAce; Use of AddAccessDeniedAce
CWE-275 Permission Issues
  Write to Read Only File
CWE-281 Improper Preservation of Permissions
  Use of AddAccessAllowedAce; Use of AddAccessDeniedAce
CWE-284 Improper Access Control
  Null Security Descriptor
CWE-311 Missing Encryption of Sensitive Data
  Plaintext Storage of Password
CWE-325 Missing Required Cryptographic Step
  Encryption without Padding
CWE-326 Inadequate Encryption Strength
  Use of crypt; Weak Cryptography
CWE-327 Use of a Broken or Risky Cryptographic Algorithm
  Use of crypt; Weak Cryptography
CWE-328 Reversible One-Way Hash
  Use of crypt; Weak Cryptography
CWE-330 Use of Insufficiently Random Values
  Use of crypt; Use of rand; Use of rand48 Function; Use of random; Weak Cryptography
CWE-331 Insufficient Entropy
  Encryption without Padding
CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
  Use of crypt; Weak Cryptography
CWE-364 Signal Handler Race Condition
  Data Race
CWE-366 Race Condition within a Thread
  Data Race
CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition
  File System Race Condition
CWE-369 Divide By Zero
  Division By Zero; Float Division By Zero
CWE-377 Insecure Temporary File
  Use of GetTempFileName; Use of mkstemp; Use of mktemp; Use of tmpfile; Use of tmpnam
CWE-390 Detection of Error Condition Without Action
  Empty if Statement
CWE-391 Unchecked Error Condition
  Ignored Return Value
CWE-398 Indicator of Poor Code Quality
  Unused Value
CWE-400 Uncontrolled Resource Consumption (‘Resource Exhaustion’)
  Excessive Stack Depth; Potential Unbounded Loop
CWE-401 Missing Release of Memory after Effective Lifetime (‘Memory Leak’)
  Leak
CWE-411 Resource Locking Problems
  Double Lock; Double Unlock; Try-lock that will never succeed
CWE-415 Double Free
  Double Free
CWE-416 Use After Free
  Use After Free
CWE-452 Initialization and Cleanup Errors
  Double Initialization
CWE-457 Use of Uninitialized Variable
  Uninitialized Variable
CWE-459 Incomplete Cleanup
  Leak
CWE-465 Pointer Issues
  High Risk Loop; Misaligned Object; Pointer Before Beginning of Object; Pointer Past End of Object; Return Pointer to Freed
CWE-474 Use of Function with Inconsistent Implementations
  Use of gamma
CWE-475 Undefined Behavior for Input to API
  Overlapping Memory Regions
CWE-476 NULL Pointer Dereference
  Null Pointer Dereference; Unchecked Parameter Dereference
CWE-477 Use of Obsolete Functions
  Use of cuserid; Use of LoadModule; Use of MoveFile; Use of WinExec; Use of drem; Use of gamma
CWE-478 Missing Default Case in Switch Statement
  Missing default
CWE-481 Assigning instead of Comparing
  Assignment in Conditional; Assignment Result in Expression
CWE-484 Omitted Break Statement in Switch
  Missing break
CWE-485 Insufficient Encapsulation
  Scope Could Be File Static; Scope Could Be Local Static
CWE-489 Leftover Debug Code
  Leftover Debug Code
CWE-506 Embedded Malicious Code
  Hardcoded DNS Name; Untrusted Network Host
CWE-511 Logic/Time Bomb
  Potential Timebomb
CWE-546 Suspicious Comment
  Comment Suggests Code Unfinished
CWE-557 Concurrency Issues
  Blocking in Critical Section; Deadlock
CWE-558 Use of getlogin() in Multithreaded Application
  Use of getlogin
CWE-561 Dead Code
  Unexercised Call; Unexercised Computation; Unexercised Conditional; Unexercised Control Flow; Unexercised Data Flow; Unreachable Call; Unreachable Computation; Unreachable Conditional; Unreachable Control Flow; Unreachable Data Flow; Unused Label; Unused Macro; Unused Parameter; Unused Tag; Unused Type
CWE-562 Return of Stack Variable Address
  Return Pointer to Local
CWE-563 Assignment to Variable without Use (‘Unused Variable’)
  Unused Value
CWE-570 Expression is Always False
  Redundant Condition
CWE-571 Expression is Always True
  Redundant Condition
CWE-587 Assignment of a Fixed Address to a Pointer
  Coercion: Integer Constant to Pointer
CWE-590 Free of Memory not on the Heap
  Free Non-Heap Variable; Free Null Pointer; Type Mismatch
CWE-605 Multiple Binds to the Same Port
  Use of SO_REUSEADDR
CWE-610 Externally Controlled Reference to a Resource in Another Sphere
  Tainted Filename; Tainted Network Address; Untrusted Network Host; Untrusted Network Port
CWE-615 Information Exposure Through Comments
  Commented-out Code
CWE-628 Function Call with Incorrectly Specified Arguments
  cosh on Low Number; Arctangent Domain Error; Floating Point Domain Error; cosh on High Number; Argument Too Low; Undefined Power of Zero; Logarithm on Negative Value; Floating Point Range Error; Raises FE_INVALID; sqrt on Negative Value; Logarithm on Zero; Argument Too High; Gamma on Zero
CWE-662 Improper Synchronization
  Blocking in Critical Section
CWE-664 Improper Control of a Resource Through its Lifetime
  Misaligned Object
CWE-665 Improper Initialization
  Missing Braces in Initialization; Over-initialized Element; Partially Uninitialized Aggregate; Partially Uninitialized Array; Uninitialized Variable; Unspecified Array Size with Designator Initialization
CWE-666 Operation on Resource in Wrong Phase of Lifetime
  Double Close; Socket In Wrong State; Use After Close
CWE-667 Improper Locking
  Conflicting Lock Order; Missing Lock Release; Nested Locks; Unknown Lock
CWE-672 Operation on a Resource after Expiration or Release
  Double Close; Use After Close; Use After Free
CWE-675 Duplicate Operations on Resource
  Double Close; Double Initialization
CWE-676 Use of Potentially Dangerous Function
  chroot without chdir; Use of _exec; Use of _spawn; Use of <fenv.h> Exception Handling Function; Use of <signal.h>; Use of <stdio.h> Input/Output; Use of <stdio.h> Input/Output Macro; Use of <tgmath.h>; Use of <time.h> Time/Date Function; Use of <wchar.h> Input/Output; Use of <wchar.h> Input/Output Macro; Use of abort; Use of AddAccessAllowedAce; Use of AddAccessDeniedAce; Use of AfxLoadLibrary; Use of AfxParseURL; Use of atof; Use of atoi; Use of atol; Use of atoll; Use of bsearch; Use of catopen; Use of chroot; Use of CoLoadLibrary; Use of CreateFile; Use of CreateProcess; Use of CreateThread; Use of crypt; Use of cuserid; Use of execlp; Use of execvp; Use of exit; Use of FormatMessage; Use of getenv; Use of getlogin; Use of getopt; Use of getpass; Use of GetTempFileName; Use of LoadLibrary; Use of LoadModule; Use of longjmp; Use of memset; Use of mkstemp; Use of mktemp; Use of MoveFile; Use of OemToAnsi; Use of OemToChar; Use of popen; Use of qsort; Use of rand; Use of rand48 Function; Use of random; Use of realpath; Use of recvmsg; Use of setjmp; Use of setuid; Use of SHCreateProcessAsUserW; Use of ShellExecute; Use of signal; Use of strcat; Use of StrCatChainW; Use of strcmp; Use of strcpy; Use of strlen; Use of strtrns; Use of syslog; Use of system; Use of t_open; Use of tmpfile; Use of tmpnam; Use of ttyname; Use of vfork; Use of WinExec; Weak Cryptography; Use of strstr; Use of strpbrk; Use of strrchr; Use of strchr; Use of strcoll; Use of strtok; Use of strspn; Use of strcspn
CWE-680 Integer Overflow to Buffer Overflow
  Addition Overflow of Allocation Size; Addition Overflow of Size; Integer Overflow of Allocation Size; Multiplication Overflow of Allocation Size; Multiplication Overflow of Size; Subtraction Underflow of Allocation Size; Subtraction Underflow of Size; Truncation of Allocation Size; Truncation of Size
CWE-682 Incorrect Calculation
  Negative Shift Amount; Shift Amount Exceeds Bit Width
CWE-686 Function Call With Incorrect Argument Type
  Array Parameter Mismatch; GlobalHandle on GMEM_FIXED Memory; GlobalLock on GMEM_FIXED Memory; GlobalUnlock on GMEM_FIXED Memory; Implicit Function Declaration; LocalHandle on LMEM_FIXED Memory; LocalLock on LMEM_FIXED Memory; LocalUnlock on LMEM_FIXED Memory; Negative Character Value; Type Mismatch
CWE-690 Unchecked Return Value to NULL Pointer Dereference
  Null Pointer Dereference; Null Test After Dereference
CWE-691 Insufficient Control Flow Management
  Use of longjmp; Use of setjmp
CWE-696 Incorrect Behavior Order
  Null Test After Dereference
CWE-704 Incorrect Type Conversion or Cast
  Cast Alters Value; Cast Removes const Qualifier; Cast Removes volatile Qualifier; Cast: Arithmetic Type/Void Pointer; Cast: Non-integer Arithmetic Type/Object Pointer; Cast: Object Pointers; Coercion Alters Value; Conversion from Function Pointer; Conversion to Function Pointer; Conversion: Pointer to Incomplete; Conversion: Pointer/Integer; Conversion: Void Pointer to Object Pointer; Dangerous Function Cast; Expression Value Widened by Assignment; Expression Value Widened by Other Operand; Inappropriate Cast Type; Inappropriate Cast Type: Expression; Non-Boolean argument formatted using %b format specifier; Varargs Function Cast
CWE-710 Coding Standards Violation
  ## Follows # Operator; Basic Numerical Type Used; Code Before #include; Condition Contains Side Effects; Conditional Compilation; Dynamic Allocation After Initialization; Function Pointer; Function Pointer Conversion; Function Too Long; Global Variable Declared with Different Types; Goto Statement; Inconsistent Enumerator Initialization; Library Function Override; Lock/Unlock Mismatch; Macro Defined in Function Body; Macro Does Not End With } or ); Macro Does Not Start With { or (; Macro Name is C Keyword; Macro Undefined in Function Body; Macro Uses # Operator; Macro Uses ## Operator; Macro Uses [] Operator; Macro Uses -> Operator; Macro Uses Unary * Operator; Multiple Declarations of a Global; Multiple Declarations On Line; Multiple Statements On Line; Nested Function Declaration; No Matching #endif; No Matching #if; Non-distinct Identifiers: External Names; Non-distinct Identifiers: Macro/Macro; Non-distinct Identifiers: Macro/Other; Non-distinct Identifiers: Nested Scope; Non-distinct Identifiers: Same Scope; Non-unique Identifiers: External Name; Non-unique Identifiers: Internal Name; Non-unique Identifiers: Tag; Non-unique Identifiers: Typedef; Not All Warnings Are Enabled; Not Enough Assertions; Pointer Type Inside Typedef; Recursion; Recursive Macro; Task Delay Function; Too Many Dereferences; Too Many Parameters; Too Much Indirection in Declaration; Unbalanced Parenthesis; Use of #undef; Use of longjmp; Use of setjmp; Use of <stdlib.h> Allocator/Deallocator Macro; Use of <stdlib.h> Allocator/Deallocator; Variadic Macro; Warnings Not Treated As Errors
CWE-758 Reliance on Undefined, Unspecified, or Implementation-Defined Behavior
  Missing Return Statement; Missing Return Value; Negative Shift Amount; Shift Amount Exceeds Bit Width; Uninitialized Variable; Use of <signal.h>; Use of <stdio.h> Input/Output; Use of <stdio.h> Input/Output Macro; Use of <tgmath.h>; Use of <time.h> Time/Date Function; Use of <wchar.h> Input/Output; Use of <wchar.h> Input/Output Macro; Use of abort; Use of atof; Use of atoi; Use of atol; Use of atoll; Use of bsearch; Use of exit; Use of getenv
CWE-761 Free of Pointer not at Start of Buffer
  Misaligned Object; Pool Mismatch; Type Mismatch
CWE-762 Mismatched Memory Management Routines
  Type Mismatch
CWE-763 Release of Invalid Pointer or Reference
  Misaligned Object
CWE-764 Multiple Locks of a Critical Resource
  Double Lock; Locked Twice
CWE-765 Multiple Unlocks of a Critical Resource
  Double Unlock
CWE-771 Missing Reference to Active Allocated Resource
  Leak
CWE-772 Missing Release of Resource after Effective Lifetime
  Leak
CWE-773 Missing Reference to Active File Descriptor or Handle
  Leak
CWE-775 Missing Release of File Descriptor or Handle after Effective Lifetime
  Leak
CWE-780 Use of RSA Algorithm without OAEP
  Encryption without Padding
CWE-785 Use of Path Manipulation Function without Maximum-sized Buffer
  Use of realpath
CWE-786 Access of Memory Location Before Start of Buffer
  Buffer Underrun
CWE-788 Access of Memory Location After End of Buffer
  Buffer Overrun
CWE-789 Uncontrolled Memory Allocation
  Tainted Allocation Size
CWE-798 Use of Hard-coded Credentials
  Hardcoded Authentication; Hardcoded Crypto Key; Hardcoded Crypto Salt
CWE-823 Use of Out-of-range Pointer Offset
  Pointer Arithmetic
CWE-832 Unlock of a Resource that is not Locked
  Missing Lock Acquisition
CWE-835 Loop with Unreachable Exit Condition (‘Infinite Loop’)
  Potential Unbounded Loop
CWE-843 Access of Resource Using Incompatible Type (‘Type Confusion’)
  GlobalHandle on GMEM_FIXED Memory; GlobalLock on GMEM_FIXED Memory; GlobalUnlock on GMEM_FIXED Memory; LocalHandle on LMEM_FIXED Memory; LocalLock on LMEM_FIXED Memory; LocalUnlock on LMEM_FIXED Memory; Type Mismatch
CWE-863 Incorrect Authorization
  Use of cuserid; Use of getlogin
CWE-908 Use of Uninitialized Resource
  Uninitialized Variable
CWE-1064 Invokable Control Element with Signature Containing an Excessive Number of Parameters
  Too Many Parameters
CWE-1126 Declaration of Variable with Unnecessarily Wide Scope
  Scope Could Be File Static; Scope Could Be Local Static
CWE-1127 Compilation with Insufficient Warnings or Errors
  Not All Warnings Are Enabled; Warnings Not Treated As Errors
CWE-1155 SEI CERT C Coding Standard - Guidelines 01. Preprocessor (PRE)
  Preprocessing Directives in Macro Argument; Macro Does Not Start With { or (; Macro Does Not End With } or ); Macro Uses # Operator; ## Follows # Operator; Macro Uses ## Operator
CWE-1156 SEI CERT C Coding Standard - Guidelines 02. Declarations and Initialization (DCL)
  Non-unique Identifiers: External Name; Variable Declared with Different Types; Non-distinct Identifiers: External Names; Octal Constant; Incomplete Function Prototype; Declaration of Reserved Name; Scope Could Be File Static; Inconsistent Object Declarations; Inconsistent Function Declarations; Non-unique Identifiers: Tag; Non-distinct Identifiers: Macro/Macro; Non-unique Identifiers: Internal Name; Pointer Type Inside Typedef; Scope Could Be Local Static; Non-unique Identifiers: Typedef; Cast Removes const Qualifier; Typographically Ambiguous Identifiers; Return Pointer to Local; Non-distinct Identifiers: Macro/Other; Confusing Literal Suffix; Library Function Override; Non-distinct Identifiers: Same Scope; Multiple Declarations On Line; Non-distinct Identifiers: Nested Scope
CWE-1157 SEI CERT C Coding Standard - Guidelines 03. Expressions (EXP)
  Pointer Arithmetic; Empty while Statement; Risky Integer Promotion; Ignored Return Value; Use of <stdarg.h> Feature; Empty if Statement; Assignment Result in Expression; Array Parameter Mismatch; Null Pointer Dereference; Cast Removes const Qualifier; Empty switch Statement; Inappropriate Operand Type; Uninitialized Variable; Empty for Statement; Unchecked Parameter Dereference; Condition Contains Side Effects; Side Effects in sizeof; Missing Parentheses; Assignment in Conditional; Restrict Qualifier Used; Empty Branch Statement
CWE-1158 SEI CERT C Coding Standard - Guidelines 04. Integers (INT)
  Negative Character Value; Float Division By Zero; Truncation of Size; Untrusted Network Host; Negative Shift Amount; Untrusted Network Port; Tainted Network Address; Cast Alters Value; Subtraction Underflow of Allocation Size; Cast: Arithmetic Type/Void Pointer; Inappropriate Operand Type; Inconsistent Enumerator Initialization; Bit-field Signedness Not Explicit; Coercion: Integer Constant to Pointer; Expression Value Widened by Other Operand; Division By Zero; Coercion Alters Value; Conversion: Pointer/Integer; Tainted Allocation Size; Tainted Buffer Access; Shift Amount Exceeds Bit Width; Expression Value Widened by Assignment; Truncation of Allocation Size
CWE-1159 SEI CERT C Coding Standard - Guidelines 05. Floating Point (FLP)
  cosh on Low Number; Arctangent Domain Error; Floating Point Domain Error; cosh on High Number; Float-typed Loop Counter; Argument Too Low; Undefined Power of Zero; Logarithm on Negative Value; Floating Point Range Error; Raises FE_INVALID; sqrt on Negative Value; Logarithm on Zero; Mismatched Operand Types; Argument Too High; Gamma on Zero
CWE-1160 SEI CERT C Coding Standard - Guidelines 06. Arrays (ARR)
  Type Underrun; Buffer Underrun; Buffer Overrun; Pointer Past End of Object; Type Overrun; Tainted Buffer Access; Declaration of Flexible Array Member; Pointer Before Beginning of Object
CWE-1161 SEI CERT C Coding Standard - Guidelines 07. Characters and Strings (STR)
  Use of strcmp; Negative Character Value; Non-const String Literal; Untrusted Library Load; Format String Injection; Use of strlen; Command Injection; Buffer Overrun; No Space For Null Terminator; LDAP Injection; Use of strcat; SQL Injection; Library Injection; Untrusted Process Creation; Type Overrun; Use of OemToAnsi; Use of strtrns; Use of OemToChar; Use of strcpy; Unterminated C String; Use of StrCatChainW; Use of strstr; Use of strpbrk; Use of strrchr; Use of strchr; Use of strcoll; Use of strtok; Use of strspn; Use of strcspn
CWE-1162 SEI CERT C Coding Standard - Guidelines 08. Memory Management (MEM)
  Leak; Addition Overflow of Allocation Size; Multiplication Overflow of Allocation Size; Free Non-Heap Variable; Integer Overflow of Allocation Size; Use After Free; Double Free
CWE-1163 SEI CERT C Coding Standard - Guidelines 09. Input Output (FIO)
  Leak; File System Race Condition; Use of tmpnam; Use of CreateFile; Format String Injection; Use of GetTempFileName; Use of mkstemp; Use of mktemp; Use of tmpfile; Tainted Filename; Format String; Use After Close
CWE-1164 Irrelevant Code
  Function Call Has No Effect; Over-initialized Element; Useless Assignment; Redundant Condition; Try-lock that will never succeed; Unused Variable
CWE-1165 SEI CERT C Coding Standard - Guidelines 10. Environment (ENV)
  Use of System
CWE-1166 SEI CERT C Coding Standard - Guidelines 11. Signals (SIG)
  Data Race; Use of signal
CWE-1167 SEI CERT C Coding Standard - Guidelines 12. Error Handling (ERR)
  Ignored Return Value; Use of atoll; Use of atoi; Use of atof; Use of atol
CWE-1168 SEI CERT C Coding Standard - Guidelines 13. Application Programming Interfaces (API)
  LocalHandle on LMEM_FIXED Memory; Type Mismatch; Pool Mismatch; LocalLock on LMEM_FIXED Memory; Cast Alters Value; LocalUnlock on LMEM_FIXED Memory; GlobalHandle on GMEM_FIXED Memory; GlobalLock on GMEM_FIXED Memory; Unchecked Parameter Dereference; Coercion Alters Value; GlobalUnlock on GMEM_FIXED Memory
CWE-1169 SEI CERT C Coding Standard - Guidelines 14. Concurrency (CON)
  Use of tmpnam; Use of rand; Blocking in Critical Section; Data Race; Missing Lock Release; Conflicting Lock Order; Use of ttyname; Use of signal; Missing Lock Acquisition
CWE-1170 SEI CERT C Coding Standard - Guidelines 48. Miscellaneous (MSC)
  Use of cuserid; Function Call Has No Effect; Missing Return Statement; Empty while Statement; Unused Macro; Unreachable Data Flow; Potential Unbounded Loop; Not Enough Assertions; Use of rand; Not All Warnings Are Enabled; Unexercised Call; Use of setjmp; Empty if Statement; Unexercised Computation; Unexercised Control Flow; Use of memset; Hardcoded Crypto Key; Unreachable Conditional; Hardcoded Crypto Salt; Unexercised Conditional; Empty switch Statement; Hardcoded Authentication; Use of longjmp; Useless Assignment; Use of WinExec; Unused Tag; Empty for Statement; Redundant Condition; Unexercised Data Flow; Unused Label; Plaintext Storage of Password; Use of LoadModule; Missing break; Use of gamma; Misplaced case; Unused Value; Unreachable Call; Use of MoveFile; Unused Variable; Unreachable Computation; Empty Branch Statement; Unreachable Control Flow
CWE-1171 SEI CERT C Coding Standard - Guidelines 50. POSIX (POS)
  Blocking in Critical Section; Data Race; Use of chroot; Conflicting Lock Order; Use of vfork; chroot without chdir
CWE-1172 SEI CERT C Coding Standard - Guidelines 51. Microsoft Windows (WIN)
  Use of CoLoadLibrary; Use of CreateProcess; Use of LoadLibrary; Use of AfxLoadLibrary; Use of CreateThread
CWE IDS BROADLY MAPPED TO ONE OR MORE CODESONAR C/C++ WARNING CLASSES (CODESONAR V5.2P0)
The following list gives, by CWE number, the CWE IDs that are broadly mapped to one or more CodeSonar C/C++ warning classes.
2, 5, 6, 8, 9, 11, 13, 14, 15, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50,
51, 52, 53, 54, 55, 56, 57, 58, 59, 61, 62, 64, 65, 66, 67, 69, 72, 73, 74, 75, 76, 77, 78, 79, 80, 81, 82, 83, 84, 85, 86, 87, 88, 89, 90, 91, 93, 94, 95, 96, 97,
98, 99, 102, 103, 104, 105, 106, 107, 108, 109, 110, 111, 112, 113, 114, 116, 117, 118, 119, 120, 121, 122, 123, 124, 125, 126, 127, 128, 129, 130, 131, 133, 134, 135, 136, 137, 138, 140, 141, 142, 143,
144, 145, 146, 147, 148, 149, 150, 151, 152, 153, 154, 155, 156, 157, 158, 159, 160, 161, 162, 163, 164, 165, 166, 167, 168, 170, 171, 174, 178, 179, 180, 181, 187, 188, 189, 190, 191, 192, 193, 194, 195,
196, 197, 198, 199, 200, 201, 202, 203, 204, 205, 206, 207, 208, 209, 210, 211, 212, 213, 214, 215, 216, 219, 220, 221, 222, 223, 224, 226, 227, 241, 242, 243, 244, 245, 246, 248, 250, 251, 252, 253, 254,
255, 256, 257, 258, 259, 260, 261, 262, 263, 264, 265, 266, 267, 268, 269, 270, 271, 272, 273, 274, 275, 276, 277, 278, 279, 280, 281, 282, 283, 284, 285, 286, 287, 288, 289, 290, 291, 293, 294, 295, 296,
297, 298, 299, 300, 301, 302, 303, 304, 305, 306, 307, 308, 309, 310, 311, 312, 313, 314, 315, 316, 317, 318, 319, 320, 321, 322, 323, 324, 325, 326, 327, 328, 329, 330, 331, 332, 333, 334, 335, 336, 337,
338, 339, 340, 341, 342, 343, 344, 345, 346, 349, 350, 355, 356, 358, 359, 361, 362, 363, 364, 365, 366, 367, 368, 369, 370, 371, 372, 374, 375, 376, 377, 378, 379, 382, 383, 384, 385, 386, 387, 388, 389, 390, 391, 392,
393, 395, 396, 397, 398, 399, 400, 401, 402, 403, 404, 405, 406, 407, 408, 409, 410, 411, 412, 413, 414, 415, 416, 417, 419, 420, 421, 422, 424, 425, 426, 427, 428, 430, 431, 432, 433, 434, 435, 438, 440, 441, 442, 446,
447, 448, 449, 451, 452, 453, 454, 455, 456, 457, 459, 460, 462, 464, 465, 466, 467, 468, 469, 470, 471, 472, 473, 474, 475, 476, 477, 478, 479, 480, 481, 482, 483, 484, 485, 486, 487, 488, 489, 490, 491, 492, 493, 494,
495, 496, 497, 498, 499, 500, 501, 502, 506, 507, 508, 509, 510, 511, 512, 514, 515, 520, 521, 522, 523, 524, 525, 526, 527, 528, 529, 530, 531, 532, 535, 536, 537, 538, 539, 540, 541, 543, 546, 547, 548, 549, 550, 551,
552, 553, 554, 555, 556, 557, 558, 559, 560, 561, 562, 563, 564, 565, 566, 567, 568, 569, 570, 571, 572, 573, 574, 575, 576, 577, 578, 579, 580, 581, 582, 583, 584, 585, 586, 587, 588, 589, 590, 591, 593, 594, 595, 596,
597, 598, 599, 600, 601, 602, 603, 605, 606, 607, 608, 609, 610, 611, 612, 613, 614, 615, 617, 618, 619, 620, 621, 622, 623, 624, 626, 627, 628, 629, 635, 636, 637, 638, 639, 640, 641, 642, 643, 645, 647, 648, 651, 652,
653, 654, 655, 656, 657, 662, 663, 664, 665, 666, 667, 668, 669, 670, 671, 672, 673, 674, 675, 676, 680, 681, 682, 683, 684, 685, 686, 687, 688, 689, 690, 691, 692, 693, 694, 695, 696, 697, 698, 699, 700, 703, 704, 705,
706, 707, 708, 710, 711, 712, 713, 714, 715, 717, 718, 719, 720, 721, 722, 723, 724, 725, 726, 727, 728, 729, 730, 731, 732, 733, 734, 735, 736, 737, 738, 739, 740, 741, 742, 743, 744, 745, 746, 747, 748, 749, 750, 751, 752, 753,
754, 755, 758, 759, 760, 761, 762, 763, 764, 765, 766, 767, 768, 770, 771, 772, 773, 774, 775, 776, 778, 779, 780, 781, 782, 783, 784, 785, 786, 787, 788, 789, 790, 791, 792, 793, 794, 795, 796, 797, 798, 799, 800, 801, 802, 803,
804, 805, 806, 807, 808, 809, 810, 811, 812, 813, 815, 816, 817, 818, 820, 821, 822, 823, 824, 825, 826, 827, 828, 829, 830, 831, 832, 833, 834, 835, 836, 837, 840, 841, 842, 843, 844, 845, 846, 847, 848, 849, 850, 851, 852, 853,
854, 855, 857, 858, 859, 860, 861, 862, 863, 864, 865, 866, 867, 868, 871, 872, 873, 874, 875, 876, 877, 878, 879, 880, 882, 883, 884, 885, 886, 887, 888, 889, 890, 891, 892, 893, 894, 895, 896, 897, 898, 899, 900, 901, 902, 903,
904, 905, 906, 907, 908, 909, 910, 911, 912, 913, 914, 915, 916, 917, 918, 920, 921, 922, 923, 925, 926, 927, 928, 929, 930, 931, 932, 933, 934, 935, 939, 940, 941, 942, 943, 944, 945, 946, 947, 949, 950, 954, 957, 958, 959, 960,
961, 962, 963, 964, 966, 969, 970, 971, 972, 973, 974, 975, 976, 977, 978, 979, 980, 981, 982, 983, 984, 985, 986, 987, 988, 989, 990, 991, 992, 994, 995, 997, 998, 1000, 1001, 1002, 1003, 1004, 1005, 1006, 1007, 1008, 1009, 1010, 1011, 1012,
1013, 1014, 1015, 1019, 1020, 1021, 1022, 1023, 1025, 1026, 1027, 1028, 1029, 1030, 1031, 1033, 1037, 1038, 1041, 1042, 1043, 1044, 1045, 1046, 1047, 1048, 1049, 1050, 1051, 1052, 1053, 1054, 1055, 1056, 1057, 1058, 1059, 1060, 1061, 1062, 1063, 1064, 1065, 1066, 1067, 1068,
1069, 1070, 1071, 1072, 1073, 1074, 1075, 1076, 1078, 1079, 1080, 1082, 1083, 1084, 1085, 1086, 1087, 1088, 1089, 1090, 1091, 1092, 1093, 1094, 1095, 1096, 1097, 1098, 1099, 1100, 1101, 1102, 1103, 1104, 1105, 1106, 1107, 1108, 1109, 1110, 1111, 1112, 1113, 1114, 1115, 1116, 1117,
1118, 1119, 1120, 1121, 1122, 1123, 1124, 1125, 1126, 1127, 1128, 1129, 1130, 1131, 1133, 1134, 1135, 1136, 1137, 1139, 1140, 1141, 1142, 1143, 1144, 1145, 1147, 1148, 1149, 1150, 1152, 1154, 1155, 1156, 1157, 1158, 1159, 1160, 1161, 1162, 1163, 1164, 1165, 1166, 1167, 1168, 1169,
1170, 1171, 1172, 1173, 1174, 1176, 1177, 1187, 1188, 1200