Common Weakness Enumeration

CWE List Version 3.2
CWE VIEW: CISQ Quality Measures (2016)

View ID: 1128
Type: Graph
Status: Incomplete
Objective
CWE nodes in this view (graph) are associated with the Consortium for IT Software Quality (CISQ) Automated Quality Characteristic Measures, released in 2016. These measures are derived from Object Management Group (OMG) standards.
Audience
Stakeholder: Description
Software Developers: This view outlines the most important software quality issues as identified by the CISQ Automated Quality Characteristic Measures from 2016; it provides a good starting point for application developers who wish to learn more about, or improve, their own code quality.
Software Designers: This view outlines the most important software quality issues as identified by the CISQ Automated Quality Characteristic Measures from 2016; it provides a good starting point for software designers to ensure that code quality issues are considered during the design process.
Software Vendors: This view outlines the most important software quality issues as identified by the CISQ Automated Quality Characteristic Measures from 2016; it provides a good starting point for software vendors who wish to mark the quality of their software.
Assessment Vendors: This view outlines the most important software quality issues as identified by the CISQ Automated Quality Characteristic Measures from 2016; it provides a good starting point for assessment vendors who wish to understand what constitutes software with good code quality, using quality issues that are automatically detectable.
Relationships
The following graph shows the tree-like relationships between weaknesses that exist at different levels of abstraction. At the highest level, categories and classes exist to group weaknesses. A category is a CWE entry that contains a set of other entries that share a common characteristic. Classes are weaknesses that are described in a very abstract fashion, typically independent of any specific language or technology and are more general than a base weakness. Within classes, base level weaknesses are used to present a more specific type of weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. A variant is a weakness that is described at a very low level of detail, typically limited to a specific language or technology. A chain is a set of weaknesses that must be reachable consecutively in order to produce an exploitable vulnerability. A composite is a set of weaknesses that must all be present simultaneously in order to produce an exploitable vulnerability.
1128 - CISQ Quality Measures (2016)
Category: CISQ Quality Measures - Reliability - (1129)
1128 (CISQ Quality Measures (2016)) > 1129 (CISQ Quality Measures - Reliability)
Weaknesses in this category are related to the CISQ Quality Measures for Reliability. Presence of these weaknesses could reduce the reliability of the software.
Base: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') - (120)
1128 (CISQ Quality Measures (2016)) > 1129 (CISQ Quality Measures - Reliability) > 120 (Buffer Copy without Checking Size of Input ('Classic Buffer Overflow'))
The program copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer, leading to a buffer overflow. Alternate terms: buffer overrun; Unbounded Transfer.
Base: Unchecked Return Value - (252)
1128 (CISQ Quality Measures (2016)) > 1129 (CISQ Quality Measures - Reliability) > 252 (Unchecked Return Value)
The software does not check the return value from a method or function, which can prevent it from detecting unexpected states and conditions.
Base: Declaration of Catch for Generic Exception - (396)
1128 (CISQ Quality Measures (2016)) > 1129 (CISQ Quality Measures - Reliability) > 396 (Declaration of Catch for Generic Exception)
Catching overly broad exceptions promotes complex error handling code that is more likely to contain security vulnerabilities.
Base: Declaration of Throws for Generic Exception - (397)
1128 (CISQ Quality Measures (2016)) > 1129 (CISQ Quality Measures - Reliability) > 397 (Declaration of Throws for Generic Exception)
Throwing overly broad exceptions promotes complex error handling code that is more likely to contain security vulnerabilities.
Base: Missing Initialization of a Variable - (456)
1128 (CISQ Quality Measures (2016)) > 1129 (CISQ Quality Measures - Reliability) > 456 (Missing Initialization of a Variable)
The software does not initialize critical variables, which causes the execution environment to use unexpected values.
Base: Uncontrolled Recursion - (674)
1128 (CISQ Quality Measures (2016)) > 1129 (CISQ Quality Measures - Reliability) > 674 (Uncontrolled Recursion)
The product does not properly control the amount of recursion that takes place, which consumes excessive resources, such as allocated memory or the program stack. Alternate term: Stack Exhaustion.
Class: Incorrect Type Conversion or Cast - (704)
1128 (CISQ Quality Measures (2016)) > 1129 (CISQ Quality Measures - Reliability) > 704 (Incorrect Type Conversion or Cast)
The software does not correctly convert an object, resource, or structure from one type to a different type.
Base: Missing Release of Resource after Effective Lifetime - (772)
1128 (CISQ Quality Measures (2016)) > 1129 (CISQ Quality Measures - Reliability) > 772 (Missing Release of Resource after Effective Lifetime)
The software does not release a resource after its effective lifetime has ended, i.e., after the resource is no longer needed.
Base: Access of Memory Location After End of Buffer - (788)
1128 (CISQ Quality Measures (2016)) > 1129 (CISQ Quality Measures - Reliability) > 788 (Access of Memory Location After End of Buffer)
The software reads or writes to a buffer using an index or pointer that references a memory location after the end of the buffer.
Variant: Parent Class with a Virtual Destructor and a Child Class without a Virtual Destructor - (1045)
1128 (CISQ Quality Measures (2016)) > 1129 (CISQ Quality Measures - Reliability) > 1045 (Parent Class with a Virtual Destructor and a Child Class without a Virtual Destructor)
A parent class has a virtual destructor method, but the parent has a child class that does not have a virtual destructor.
Base: Modules with Circular Dependencies - (1047)
1128 (CISQ Quality Measures (2016)) > 1129 (CISQ Quality Measures - Reliability) > 1047 (Modules with Circular Dependencies)
The software contains modules in which one module has references that cycle back to itself, i.e., there are circular dependencies.
Base: Initialization with Hard-Coded Network Resource Configuration Data - (1051)
1128 (CISQ Quality Measures (2016)) > 1129 (CISQ Quality Measures - Reliability) > 1051 (Initialization with Hard-Coded Network Resource Configuration Data)
The software initializes data using hard-coded values that act as network resource identifiers.
Base: Invokable Control Element with Variadic Parameters - (1056)
1128 (CISQ Quality Measures (2016)) > 1129 (CISQ Quality Measures - Reliability) > 1056 (Invokable Control Element with Variadic Parameters)
A named-callable or method control element has a signature that supports a variable (variadic) number of parameters or arguments.
Base: Invokable Control Element in Multi-Thread Context with non-Final Static Storable or Member Element - (1058)
1128 (CISQ Quality Measures (2016)) > 1129 (CISQ Quality Measures - Reliability) > 1058 (Invokable Control Element in Multi-Thread Context with non-Final Static Storable or Member Element)
The code contains a function or method that operates in a multi-threaded environment but owns an unsafe non-final static storable or member data element.
Base: Parent Class with References to Child Class - (1062)
1128 (CISQ Quality Measures (2016)) > 1129 (CISQ Quality Measures - Reliability) > 1062 (Parent Class with References to Child Class)
The code has a parent class that contains references to a child class, its methods, or its members.
Base: Runtime Resource Management Control Element in a Component Built to Run on Application Servers - (1065)
1128 (CISQ Quality Measures (2016)) > 1129 (CISQ Quality Measures - Reliability) > 1065 (Runtime Resource Management Control Element in a Component Built to Run on Application Servers)
The application uses deployed components from application servers, but it also uses low-level functions/methods for management of resources, instead of the API provided by the application server.
Base: Missing Serialization Control Element - (1066)
1128 (CISQ Quality Measures (2016)) > 1129 (CISQ Quality Measures - Reliability) > 1066 (Missing Serialization Control Element)
The software contains a serializable data element that does not have an associated serialization method.
Variant: Empty Exception Block - (1069)
1128 (CISQ Quality Measures (2016)) > 1129 (CISQ Quality Measures - Reliability) > 1069 (Empty Exception Block)
An invokable code block contains an exception handling block that does not contain any code, i.e. is empty.
Base: Serializable Data Element Containing non-Serializable Item Elements - (1070)
1128 (CISQ Quality Measures (2016)) > 1129 (CISQ Quality Measures - Reliability) > 1070 (Serializable Data Element Containing non-Serializable Item Elements)
The software contains a serializable, storable data element such as a field or member, but the data element contains member elements that are not serializable.
Variant: Floating Point Comparison with Incorrect Operator - (1077)
1128 (CISQ Quality Measures (2016)) > 1129 (CISQ Quality Measures - Reliability) > 1077 (Floating Point Comparison with Incorrect Operator)
The code performs a comparison such as an equality test between two float (floating point) values, but it uses comparison operators that do not account for the possibility of loss of precision.
Base: Parent Class without Virtual Destructor Method - (1079)
1128 (CISQ Quality Measures (2016)) > 1129 (CISQ Quality Measures - Reliability) > 1079 (Parent Class without Virtual Destructor Method)
A parent class contains one or more child classes, but the parent class does not have a virtual destructor method.
Base: Class Instance Self Destruction Control Element - (1082)
1128 (CISQ Quality Measures (2016)) > 1129 (CISQ Quality Measures - Reliability) > 1082 (Class Instance Self Destruction Control Element)
The code contains a class instance that calls the method or function to delete or destroy itself.
Base: Data Access from Outside Expected Data Manager Component - (1083)
1128 (CISQ Quality Measures (2016)) > 1129 (CISQ Quality Measures - Reliability) > 1083 (Data Access from Outside Expected Data Manager Component)
The software is intended to manage data access through a particular data manager component such as a relational or non-SQL database, but it contains code that performs data access operations without using that component.
Base: Class with Virtual Method without a Virtual Destructor - (1087)
1128 (CISQ Quality Measures (2016)) > 1129 (CISQ Quality Measures - Reliability) > 1087 (Class with Virtual Method without a Virtual Destructor)
A class contains a virtual method, but the method does not have an associated virtual destructor.
Base: Synchronous Access of Remote Resource without Timeout - (1088)
1128 (CISQ Quality Measures (2016)) > 1129 (CISQ Quality Measures - Reliability) > 1088 (Synchronous Access of Remote Resource without Timeout)
The code has a synchronous call to a remote resource, but there is no timeout for the call, or the timeout is set to infinite.
Base: Persistent Storable Data Element without Associated Comparison Control Element - (1097)
1128 (CISQ Quality Measures (2016)) > 1129 (CISQ Quality Measures - Reliability) > 1097 (Persistent Storable Data Element without Associated Comparison Control Element)
The software uses a storable data element that does not have all of the associated functions or methods that are necessary to support comparison.
Variant: Singleton Class Instance Creation without Proper Locking or Synchronization - (1096)
1128 (CISQ Quality Measures (2016)) > 1129 (CISQ Quality Measures - Reliability) > 1096 (Singleton Class Instance Creation without Proper Locking or Synchronization)
The software implements a Singleton design pattern but does not use appropriate locking or other synchronization mechanism to ensure that the singleton class is only instantiated once.
Variant: Data Element containing Pointer Item without Proper Copy Control Element - (1098)
1128 (CISQ Quality Measures (2016)) > 1129 (CISQ Quality Measures - Reliability) > 1098 (Data Element containing Pointer Item without Proper Copy Control Element)
The code contains a data element with a pointer that does not have an associated copy or constructor method.
Category: CISQ Quality Measures - Maintainability - (1130)
1128 (CISQ Quality Measures (2016)) > 1130 (CISQ Quality Measures - Maintainability)
Weaknesses in this category are related to the CISQ Quality Measures for Maintainability. Presence of these weaknesses could reduce the maintainability of the software.
Variant: Dead Code - (561)
1128 (CISQ Quality Measures (2016)) > 1130 (CISQ Quality Measures - Maintainability) > 561 (Dead Code)
The software contains dead code, which can never be executed.
Base: Use of Redundant Code - (1041)
1128 (CISQ Quality Measures (2016)) > 1130 (CISQ Quality Measures - Maintainability) > 1041 (Use of Redundant Code)
The software has multiple functions, methods, procedures, macros, etc. that contain the same code.
Base: Architecture with Number of Horizontal Layers Outside of Expected Range - (1044)
1128 (CISQ Quality Measures (2016)) > 1130 (CISQ Quality Measures - Maintainability) > 1044 (Architecture with Number of Horizontal Layers Outside of Expected Range)
The software's architecture contains too many - or too few - horizontal layers.
Base: Modules with Circular Dependencies - (1047)
1128 (CISQ Quality Measures (2016)) > 1130 (CISQ Quality Measures - Maintainability) > 1047 (Modules with Circular Dependencies)
The software contains modules in which one module has references that cycle back to itself, i.e., there are circular dependencies.
Base: Invokable Control Element with Large Number of Outward Calls - (1048)
1128 (CISQ Quality Measures (2016)) > 1130 (CISQ Quality Measures - Maintainability) > 1048 (Invokable Control Element with Large Number of Outward Calls)
The code contains callable control elements that contain an excessively large number of references to other application objects external to the context of the callable, i.e. a Fan-Out value that is excessively large.
Base: Excessive Use of Hard-Coded Literals in Initialization - (1052)
1128 (CISQ Quality Measures (2016)) > 1130 (CISQ Quality Measures - Maintainability) > 1052 (Excessive Use of Hard-Coded Literals in Initialization)
The software initializes a data element using a hard-coded literal that is not a simple integer or static constant element.
Base: Invocation of a Control Element at an Unnecessarily Deep Horizontal Layer - (1054)
1128 (CISQ Quality Measures (2016)) > 1130 (CISQ Quality Measures - Maintainability) > 1054 (Invocation of a Control Element at an Unnecessarily Deep Horizontal Layer)
The code at one architectural layer invokes code that resides at a deeper layer than the adjacent layer, i.e., the invocation skips at least one layer, and the invoked code is not part of a vertical utility layer that can be referenced from any horizontal layer.
Base: Multiple Inheritance from Concrete Classes - (1055)
1128 (CISQ Quality Measures (2016)) > 1130 (CISQ Quality Measures - Maintainability) > 1055 (Multiple Inheritance from Concrete Classes)
The software contains a class with inheritance from more than one concrete class.
Base: Invokable Control Element with Signature Containing an Excessive Number of Parameters - (1064)
1128 (CISQ Quality Measures (2016)) > 1130 (CISQ Quality Measures - Maintainability) > 1064 (Invokable Control Element with Signature Containing an Excessive Number of Parameters)
The software contains a function, subroutine, or method whose signature has an unnecessarily large number of parameters/arguments.
Base: Class with Excessively Deep Inheritance - (1074)
1128 (CISQ Quality Measures (2016)) > 1130 (CISQ Quality Measures - Maintainability) > 1074 (Class with Excessively Deep Inheritance)
A class has an inheritance level that is too high, i.e., it has a large number of parent classes.
Base: Unconditional Control Flow Transfer outside of Switch Block - (1075)
1128 (CISQ Quality Measures (2016)) > 1130 (CISQ Quality Measures - Maintainability) > 1075 (Unconditional Control Flow Transfer outside of Switch Block)
The software performs unconditional control transfer (such as a "goto") in code outside of a branching structure such as a switch block.
Base: Source Code File with Excessive Number of Lines of Code - (1080)
1128 (CISQ Quality Measures (2016)) > 1130 (CISQ Quality Measures - Maintainability) > 1080 (Source Code File with Excessive Number of Lines of Code)
A source code file has too many lines of code.
Variant: Critical Data Element Declared Public - (766)
1128 (CISQ Quality Measures (2016)) > 1130 (CISQ Quality Measures - Maintainability) > 766 (Critical Data Element Declared Public)
The software declares a critical variable, field, or member to be public when intended security policy requires it to be private.
Base: Invokable Control Element with Excessive File or Data Access Operations - (1084)
1128 (CISQ Quality Measures (2016)) > 1130 (CISQ Quality Measures - Maintainability) > 1084 (Invokable Control Element with Excessive File or Data Access Operations)
A function or method contains too many operations that utilize a data manager or file resource.
Base: Invokable Control Element with Excessive Volume of Commented-out Code - (1085)
1128 (CISQ Quality Measures (2016)) > 1130 (CISQ Quality Measures - Maintainability) > 1085 (Invokable Control Element with Excessive Volume of Commented-out Code)
A function, method, procedure, etc. contains an excessive amount of code that has been commented out within its body.
Base: Class with Excessive Number of Child Classes - (1086)
1128 (CISQ Quality Measures (2016)) > 1130 (CISQ Quality Measures - Maintainability) > 1086 (Class with Excessive Number of Child Classes)
A class contains an unnecessarily large number of children.
Base: Method Containing Access of a Member Element from Another Class - (1090)
1128 (CISQ Quality Measures (2016)) > 1130 (CISQ Quality Measures - Maintainability) > 1090 (Method Containing Access of a Member Element from Another Class)
A method for a class performs an operation that directly accesses a member element from another class.
Base: Use of Same Invokable Control Element in Multiple Architectural Layers - (1092)
1128 (CISQ Quality Measures (2016)) > 1130 (CISQ Quality Measures - Maintainability) > 1092 (Use of Same Invokable Control Element in Multiple Architectural Layers)
The software uses the same control element across multiple architectural layers.
Base: Loop Condition Value Update within the Loop - (1095)
1128 (CISQ Quality Measures (2016)) > 1130 (CISQ Quality Measures - Maintainability) > 1095 (Loop Condition Value Update within the Loop)
The software uses a loop with a control flow condition based on a value that is updated within the body of the loop.
Base: Excessive McCabe Cyclomatic Complexity - (1121)
1128 (CISQ Quality Measures (2016)) > 1130 (CISQ Quality Measures - Maintainability) > 1121 (Excessive McCabe Cyclomatic Complexity)
The code contains McCabe cyclomatic complexity that exceeds a desirable maximum.
Category: CISQ Quality Measures - Security - (1131)
1128 (CISQ Quality Measures (2016)) > 1131 (CISQ Quality Measures - Security)
Weaknesses in this category are related to the CISQ Quality Measures for Security. Presence of these weaknesses could reduce the security of the software.
Class: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') - (22)
1128 (CISQ Quality Measures (2016)) > 1131 (CISQ Quality Measures - Security) > 22 (Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'))
The software uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the software does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. Alternate terms: Directory traversal; Path traversal.
Base: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') - (78)
1128 (CISQ Quality Measures (2016)) > 1131 (CISQ Quality Measures - Security) > 78 (Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'))
The software constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. Alternate terms: Shell injection; Shell metacharacters.
  * Base: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - (79)
    The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
    Alternate terms: XSS; HTML Injection; CSS
  * Base: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') - (89)
    The software constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component.
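Added illustration (not part of the CWE entry or the CISQ measure): a login check built by string formatting beside the parameterized form, run against an in-memory SQLite table. The table, the stored row and the attacker string are constructed for the demo; comparing a password hash inside the query is a simplification kept only to show the injection.

```python
import sqlite3


def make_db():
    """Constructed in-memory user table for the demo."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)")
    conn.execute("INSERT INTO users VALUES ('alice', 'hash-of-alices-password')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password_hash):
    """CWE-89: user-controlled strings are spliced into the SQL text, so quotes
    and comment markers in them change the statement's structure."""
    query = ("SELECT COUNT(*) FROM users WHERE username = '%s' AND password_hash = '%s'"
             % (username, password_hash))
    return conn.execute(query).fetchone()[0] == 1


def login_hardened(conn, username, password_hash):
    """Parameterized query: the SQL text is a constant and the driver passes the
    values separately, so they are never parsed as SQL."""
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password_hash = ?"
    return conn.execute(query, (username, password_hash)).fetchone()[0] == 1


# Constructed attacker input: closes the username literal and comments out the
# rest of the statement, so the WHERE clause collapses to  username = 'alice'
ATTACK_USERNAME = "alice' --"


def demo():
    """Run both checks with the attacker's username and a wrong password."""
    db = make_db()
    return (
        login_vulnerable(db, ATTACK_USERNAME, "wrong"),   # True: authentication bypassed
        login_hardened(db, ATTACK_USERNAME, "wrong"),     # False: literal username not found
        login_hardened(db, "alice", "hash-of-alices-password"),   # True: legitimate login
    )


if __name__ == "__main__":
    print(demo())   # (True, False, True)
```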
  * Base: Improper Control of Resource Identifiers ('Resource Injection') - (99)
    The software receives input from an upstream component, but it does not restrict or incorrectly restricts the input before it is used as an identifier for a resource that may be outside the intended sphere of control.
    Alternate terms: Insecure Direct Object Reference
  * Base: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') - (120)
    The program copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer, leading to a buffer overflow.
    Alternate terms: buffer overrun; Unbounded Transfer
  * Base: Improper Validation of Array Index - (129)
    The product uses untrusted input when calculating or using an array index, but the product does not validate or incorrectly validates the index to ensure the index references a valid position within the array.
    Alternate terms: out-of-bounds array index; index-out-of-range; array index underflow
  * Base: Use of Externally-Controlled Format String - (134)
    The software uses a function that accepts a format string as an argument, but the format string originates from an external source.
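Added illustration (not part of the CWE entry or the CISQ measure): the weakness is usually shown with C's printf, but Python's str.format has the same shape, since a format field can walk attributes and subscripts of the objects it is given. The class, the template table and the secret below are constructed for the demo.

```python
API_KEY = "constructed-demo-key-0001"   # constructed secret living in module globals


class Greeter:
    def __init__(self, name):
        self.name = name


# Fixed, server-controlled templates; only the *choice* among them and the
# data they are filled with come from outside.
TEMPLATES = {
    "greeting": "Hello, {name}!",
    "farewell": "Goodbye, {name}.",
}


def render_vulnerable(template, greeter):
    """CWE-134: the format string itself is external. str.format lets a field
    walk attributes and subscripts, so '{user.__init__.__globals__[API_KEY]}'
    reaches module globals starting from the object that was handed in."""
    return template.format(user=greeter)


def render_hardened(template_id, greeter):
    """External input selects a template by id and supplies only plain data;
    the format string never comes from outside."""
    try:
        template = TEMPLATES[template_id]
    except KeyError:
        raise ValueError(f"unknown template id: {template_id!r}") from None
    return template.format(name=greeter.name)


# Constructed attacker input: a format string that reads a module global
# through the attribute chain of the object passed to format().
ATTACK_TEMPLATE = "{user.__init__.__globals__[API_KEY]}"

if __name__ == "__main__":
    g = Greeter("Mallory")
    print(render_vulnerable("Hello, {user.name}!", g))   # intended use
    print(render_vulnerable(ATTACK_TEMPLATE, g))         # prints the API key
    print(render_hardened("greeting", g))
```

If users genuinely must supply templates, string.Template.safe_substitute is the safer primitive: it only replaces $name placeholders and has no attribute or subscript syntax to abuse.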
  * Base: Unchecked Return Value - (252)
    The software does not check the return value from a method or function, which can prevent it from detecting unexpected states and conditions.
  * Base: Use of a Broken or Risky Cryptographic Algorithm - (327)
    The use of a broken or risky cryptographic algorithm is an unnecessary risk that may result in the exposure of sensitive information.
  * Base: Declaration of Catch for Generic Exception - (396)
    Catching overly broad exceptions promotes complex error handling code that is more likely to contain security vulnerabilities.
  * Base: Declaration of Throws for Generic Exception - (397)
    Throwing overly broad exceptions promotes complex error handling code that is more likely to contain security vulnerabilities.
  * Base: Unrestricted Upload of File with Dangerous Type - (434)
    The software allows the attacker to upload or transfer files of dangerous types that can be automatically processed within the product's environment.
    Alternate terms: Unrestricted File Upload
  * Base: Missing Initialization of a Variable - (456)
    The software does not initialize critical variables, which causes the execution environment to use unexpected values.
  * Base: Unchecked Input for Loop Condition - (606)
    The product does not properly check inputs that are used for loop conditions, potentially leading to a denial of service because of excessive looping.
  * Base: Improper Locking - (667)
    The software does not properly acquire a lock on a resource, or it does not properly release a lock on a resource, leading to unexpected resource state changes and behaviors.
  * Base: Operation on a Resource after Expiration or Release - (672)
    The software uses, accesses, or otherwise operates on a resource after that resource has been expired, released, or revoked.
  * Class: Incorrect Conversion between Numeric Types - (681)
    When converting from one data type to another, such as long to integer, data can be omitted or translated in a way that produces unexpected values. If the resulting values are used in a sensitive context, then dangerous behaviors may occur.
  * Base: Missing Release of Resource after Effective Lifetime - (772)
    The software does not release a resource after its effective lifetime has ended, i.e., after the resource is no longer needed.
  * Variant: Uncontrolled Memory Allocation - (789)
    The product allocates memory based on an untrusted size value, but it does not validate or incorrectly validates the size, allowing arbitrary amounts of memory to be allocated.
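Added illustration (not part of the CWE entry or the CISQ measure) covering this entry together with CWE-606 above: a parser for a length-prefixed record format in which the record count drives a loop and each record length drives an allocation. The wire format, the limits and the sample messages are constructed for the demo.

```python
import struct

# Limits the parser enforces on the untrusted header fields. Constructed for
# the demo; real values come from the protocol's own specification.
MAX_RECORDS = 1024
MAX_RECORD_LEN = 64 * 1024


def build_message(records):
    """Encode: u32 count, then for each record u32 length + bytes (big-endian)."""
    out = bytearray(struct.pack(">I", len(records)))
    for rec in records:
        out += struct.pack(">I", len(rec)) + rec
    return bytes(out)


def parse_vulnerable(data):
    """Trusts the header. The loop bound (CWE-606) and the allocation size
    (CWE-789) are taken straight from attacker-controlled fields: the loop
    runs as many times as the count field says, and each record buffer is
    allocated at its declared length (up to 4 GiB for a u32) before the
    parser looks at how many bytes actually arrived."""
    count, = struct.unpack_from(">I", data, 0)
    offset = 4
    records = []
    for _ in range(count):
        length, = struct.unpack_from(">I", data, offset)
        offset += 4
        buf = bytearray(length)                 # allocated at the declared size
        chunk = data[offset:offset + length]
        buf[:len(chunk)] = chunk
        records.append(bytes(buf))
        offset += length
    return records


def parse_hardened(data):
    """Bound every header field against the protocol limits and the bytes
    actually present before it drives a loop or an allocation."""
    if len(data) < 4:
        raise ValueError("truncated message header")
    count, = struct.unpack_from(">I", data, 0)
    if count > MAX_RECORDS:
        raise ValueError(f"record count {count} exceeds limit {MAX_RECORDS}")
    offset = 4
    records = []
    for _ in range(count):
        if offset + 4 > len(data):
            raise ValueError("truncated record header")
        length, = struct.unpack_from(">I", data, offset)
        offset += 4
        if length > MAX_RECORD_LEN:
            raise ValueError(f"record length {length} exceeds limit {MAX_RECORD_LEN}")
        if offset + length > len(data):
            raise ValueError("record length exceeds remaining message")
        records.append(bytes(data[offset:offset + length]))   # sized by real data
        offset += length
    if offset != len(data):
        raise ValueError("trailing bytes after last record")
    return records


# Constructed inputs.
BENIGN = build_message([b"hello", b"world"])
HUGE_COUNT = struct.pack(">I", 0xFFFFFFFF)                          # 4 bytes claiming 4 billion records
HUGE_LENGTH = struct.pack(">I", 1) + struct.pack(">I", 0xFFFFFFFF)  # one record claiming 4 GiB


def rejects(data):
    """True if the hardened parser refuses the message."""
    try:
        parse_hardened(data)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    print(parse_vulnerable(BENIGN), parse_hardened(BENIGN))
    print(rejects(HUGE_COUNT), rejects(HUGE_LENGTH))   # True True
```

Note the order of checks in the hardened parser: the length is compared against both the protocol maximum and the remaining bytes before any buffer is created, so a 4 GiB claim is rejected by an 8-byte message instead of being discovered by an out-of-memory condition.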
  * Base: Use of Hard-coded Credentials - (798)
    The software contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data.
  * Base: Loop with Unreachable Exit Condition ('Infinite Loop') - (835)
    The program contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop.
+ Category: CISQ Quality Measures - Performance - (1132)
Weaknesses in this category are related to the CISQ Quality Measures for Performance. Presence of these weaknesses could reduce the performance of the software.
  * Variant: Static Member Data Element outside of a Singleton Class Element - (1042)
    The code contains a member element that is declared as static (but not final), in which its parent class element is not a singleton class - that is, a class element that can be used only once in the 'to' association of a Create action.
  * Base: Data Element Aggregating an Excessively Large Number of Non-Primitive Elements - (1043)
    The software uses a data element that has an excessively large number of sub-elements with non-primitive data types such as structures or aggregated objects.
  * Base: Creation of Immutable Text Using String Concatenation - (1046)
    The software creates an immutable text string using string concatenation operations.
  * Base: Excessive Data Query Operations in a Large Data Table - (1049)
    The software performs a data query with a large number of joins and sub-queries on a large data table.
  * Base: Excessive Platform Resource Consumption within a Loop - (1050)
    The software has a loop body or loop condition that contains a control element that directly or indirectly consumes platform resources, e.g. messaging, sessions, locks, or file descriptors.
  * Base: Data Access Operations Outside of Expected Data Manager Component - (1057)
    The software uses a dedicated, central data manager component as required by design, but it contains code that performs data-access operations that do not use this data manager.
  * Base: Excessive Number of Inefficient Server-Side Data Accesses - (1060)
    The software performs too many data queries without using efficient data processing functionality such as stored procedures.
  * Base: Creation of Class Instance within a Static Code Block - (1063)
    A static code block creates an instance of a class.
  * Base: Excessive Execution of Sequential Searches of Data Resource - (1067)
    The software contains a data query against an SQL table or view that is configured in a way that does not utilize an index and may cause sequential searches to be performed.
  * Base: Data Resource Access without Use of Connection Pooling - (1072)
    The software accesses a data resource through a database without using a connection pooling capability.
  * Base: Non-SQL Invokable Control Element with Excessive Number of Data Resource Accesses - (1073)
    The software contains a client with a function or method that contains a large number of data accesses/queries that are sent through a data manager, i.e., does not use efficient database capabilities.
  * Base: Large Data Table with Excessive Number of Indices - (1089)
    The software uses a large data table that contains an excessively large number of indices.
  * Base: Use of Object without Invoking Destructor Method - (1091)
    The software contains a method that accesses an object but does not later invoke the element's associated finalize/destructor method.
  * Base: Excessive Index Range Scan for a Data Resource - (1094)
    The software contains an index range scan for a large data table, but the scan can cover a large number of rows.
+ References
[REF-968] Consortium for IT Software Quality (CISQ). "Automated Quality Characteristic Measures". 2016. <http://it-cisq.org/standards/automated-quality-characteristic-measures/>.
+ View Metrics
              CWEs in this view   Total CWEs
Weaknesses    77                  out of 806
Categories    4                   out of 289
Views         0                   out of 36
Total         81                  out of 1131
+ Content History
Submissions
Submission Date   Submitter          Organization
2018-07-23        CWE Content Team   MITRE
View constructed using Common Quality Enumeration (CQE) draft 0.9, constructed using view 9001.

Page Last Updated: January 03, 2019