CWE

Common Weakness Enumeration

A community-developed list of SW & HW weaknesses that can become vulnerabilities
New to CWE? click here!
CWE Most Important Hardware Weaknesses
CWE Top 25 Most Dangerous Weaknesses
Home > Community > Research > QUALITY: Quality Indicators  
ID

QUALITY: Quality Indicators
QUALITY: Quality Indicators

Total Nodes in this Report: 28    Report Generated On: 2007-09-12

ID: 107 Name: Struts: Unused Validation Form
URL: http://cwe.mitre.org/data/definitions/107.html
An unused validation form indicates that validation logic is not up-to-date.
ID: 109 Name: Struts: Validator Turned Off
URL: http://cwe.mitre.org/data/definitions/109.html
Automatic filtering via a Struts bean has been turned off.
ID: 215 Name: Information Leak Through Debug Information
URL: http://cwe.mitre.org/data/definitions/215.html
ID: 483 Name: Incorrect block delimitation
URL: http://cwe.mitre.org/data/definitions/483.html
In some languages, forgetting to explicitly delimit a block can result in a logic error that can, in turn, have security implications.
ID: 489 Name: Leftover Debug Code
URL: http://cwe.mitre.org/data/definitions/489.html
Debug code can create unintended entry points in an application.
ID: 513 Name: Nonmalicious
URL: http://cwe.mitre.org/data/definitions/513.html
ID: 544 Name: Missing Error Handling Mechanism
URL: http://cwe.mitre.org/data/definitions/544.html
The application does not contain a standard error handling mechanism. The application handles error messages individually, on a one by one basis. Such an approach is likely to result in inconsistent error handling. The causes of errors may be lost. More dangerously, detailed information about the causes of an error may be returned to the user.
ID: 546 Name: Suspicious Comment
URL: http://cwe.mitre.org/data/definitions/546.html
Many suspicious comments, such as BUG, HACK, FIXME, LATER, LATER2, TODO, in the code indicate missing security functionality and checking. Others indicate code problems that programmers should fix, such as hard-coded variables, error handling, not using stored procedures, and performance issues.
ID: 547 Name: Security-relevant Constants
URL: http://cwe.mitre.org/data/definitions/547.html
Using hard coded constants in security decisions can lead to mistakes during code maintenance or security policy change. If the developer does not find all occurrences of the hard coded constants, an incorrect policy decision may be made if the rest are changed. Making changes to these values will require code changes that may be difficult or impossible once you release the system to the field. In addition, these hard coded values may become available to attackers if the code is ever disclosed.
ID: 558 Name: Misused Authentication: getlogin (not reentrant)
URL: http://cwe.mitre.org/data/definitions/558.html
The getlogin() function returns a pointer to a string that contains the name of the user associated with the calling process. The function is not reentrant, meaning that if it is called from another process, the contents are not locked out and the value of the string can be changed by another process. This makes it very risky to use because the username can be changed by other processes, so the results of the function cannot be trusted.
ID: 560 Name: Often Misused: umask
URL: http://cwe.mitre.org/data/definitions/560.html
The mask specified by the argument umask() is often confused with the argument to chmod()
ID: 561 Name: Dead Code
URL: http://cwe.mitre.org/data/definitions/561.html
Dead code is source code that can never be executed in a running program. The surrounding code makes it impossible for a section of code to ever be executed.
ID: 562 Name: Stack Address Returned
URL: http://cwe.mitre.org/data/definitions/562.html
Returning the address of a stack variable will cause unintended program behavior, typically in the form of a crash.
ID: 563 Name: Unused Variable
URL: http://cwe.mitre.org/data/definitions/563.html
The variable's value is assigned but never used, making it a dead store. It is likely that the variable is simply vestigial, but it is also possible that the unused variable points out a bug.
ID: 570 Name: Expression is Always False
URL: http://cwe.mitre.org/data/definitions/570.html
The software contains an expression that will always evaluate to false.
ID: 571 Name: Expression is Always True
URL: http://cwe.mitre.org/data/definitions/571.html
The software contains an expression that will always evaluate to true.
ID: 576 Name: EJB Bad Practices: Use of JAVA I/O
URL: http://cwe.mitre.org/data/definitions/576.html
The program violates the Enterprise JavaBeans specification by using the java.io package.
ID: 577 Name: EJB Bad Practices: Use of Sockets
URL: http://cwe.mitre.org/data/definitions/577.html
The program violates the Enterprise JavaBeans specification by using sockets.
ID: 584 Name: Return Inside Finally Block
URL: http://cwe.mitre.org/data/definitions/584.html
A return statement inside a finally block will cause any exception that might be thrown in the try block to be discarded.
ID: 585 Name: Empty Synchronized Block
URL: http://cwe.mitre.org/data/definitions/585.html
The software contains an empty synchronized block.
ID: 587 Name: Assignment of a Fixed Address to a Pointer
URL: http://cwe.mitre.org/data/definitions/587.html
If a pointer is set to a specific address, other than 0(Which is almost always NULL), that address will probably not be valid.
ID: 588 Name: Attempt to Access Child of a Non-structure Pointer
URL: http://cwe.mitre.org/data/definitions/588.html
Casting a non-stucture type to a structure type and accessing a field can lead to memory access errors or data corruption.
ID: 589 Name: Call to Limited API
URL: http://cwe.mitre.org/data/definitions/589.html
An API function that does not exist on all versions of the target platform was identified. Some functions that offer security features supported by the OS are not available on all versions of the OS in common use. Likewise, functions are often deprecated or made obsolete for security reasons and should not be used.
ID: 594 Name: Persistence in J2EE Frameworks
URL: http://cwe.mitre.org/data/definitions/594.html
When the J2EE container attempts to write unserializable objects to disk there is no guarantee that the process will complete successfully.
ID: 595 Name: Incorrect Object Comparison: Syntactic
URL: http://cwe.mitre.org/data/definitions/595.html
Object references are compared rather than objects themselves
ID: 596 Name: Incorrect Object Comparison: Semantic
URL: http://cwe.mitre.org/data/definitions/596.html
Failure to sufficiently distinguish or equate two objects based on their conceptual content.
ID: 597 Name: Erroneous String Compare
URL: http://cwe.mitre.org/data/definitions/597.html
Strings should be compared with the equals() method, not == or !=
ID: 628 Name: Incorrectly Specified Arguments
URL: http://cwe.mitre.org/data/definitions/628.html
The product calls a function or routine with any of: (1) the wrong variable or reference; (2) an incorrect number of arguments; (3) incorrect order of arguments.
Back to top
Page Last Updated: January 17, 2017
 

Use of the Common Weakness Enumeration (CWE™) and the associated references from this website are subject to the Terms of Use. CWE is sponsored by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and managed by the Homeland Security Systems Engineering and Development Institute (HSSEDI) which is operated by The MITRE Corporation (MITRE). Copyright © 2006–2024, The MITRE Corporation. CWE, CWSS, CWRAF, and the CWE logo are trademarks of The MITRE Corporation.