CWE (Common Weakness Enumeration), Individual Dictionary Definition, CWE List version 2.8
CWE-398: Indicator of Poor Code Quality

Weakness ID: 398 (Weakness Class)
Status: Draft
+ Description

Description Summary

The code has features that do not directly introduce a weakness or vulnerability, but indicate that the product has not been carefully developed or maintained.

Extended Description

Programs are more likely to be secure when good development practices are followed. If a program is complex, difficult to maintain, not portable, or shows evidence of neglect, then there is a higher likelihood that weaknesses are buried in the code.

+ Time of Introduction
  • Architecture and Design
  • Implementation
+ Common Consequences
Scope: Other
Effect: Technical Impact: Quality degradation

+ Detection Methods

Architecture / Design Review

According to SOAR, the following detection techniques may be useful:

Highly cost effective:

  • Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.)

  • Formal Methods / Correct-By-Construction

Cost effective for partial coverage:

  • Attack Modeling

Effectiveness: SOAR High

Automated Static Analysis - Binary / Bytecode

According to SOAR, the following detection techniques may be useful:

Highly cost effective:

  • Binary / Bytecode Quality Analysis

  • Compare binary / bytecode to application permission manifest

Effectiveness: SOAR High

Dynamic Analysis with manual results interpretation

According to SOAR, the following detection techniques may be useful:

Cost effective for partial coverage:

  • Automated Monitored Execution

Effectiveness: SOAR Partial

Automated Static Analysis

According to SOAR, the following detection techniques may be useful:

Cost effective for partial coverage:

  • Permission Manifest Analysis

Effectiveness: SOAR Partial

Automated Static Analysis - Source Code

According to SOAR, the following detection techniques may be useful:

Highly cost effective:

  • Source Code Quality Analyzer

Cost effective for partial coverage:

  • Warning Flags

  • Source code Weakness Analyzer

  • Context-configured Source Code Weakness Analyzer

Effectiveness: SOAR High

Dynamic Analysis with automated results interpretation

According to SOAR, the following detection techniques may be useful:

Cost effective for partial coverage:

  • Web Application Scanner

  • Web Services Scanner

  • Database Scanners

Effectiveness: SOAR Partial

Manual Static Analysis - Source Code

According to SOAR, the following detection techniques may be useful:

Highly cost effective:

  • Manual Source Code Review (not inspections)

Cost effective for partial coverage:

  • Focused Manual Spotcheck - Focused manual analysis of source

Effectiveness: SOAR High

+ Relationships
Nature | Type | ID | Name | View(s) this relationship pertains to
ChildOf | Category | 18 | Source Code | Development Concepts (primary) 699
ChildOf | Weakness Class | 710 | Coding Standards Violation | Research Concepts (primary) 1000
ChildOf | Category | 978 | SFP Secondary Cluster: Implementation | Software Fault Pattern (SFP) Clusters (primary) 888
ParentOf | Weakness Variant | 107 | Struts: Unused Validation Form | Research Concepts (primary) 1000
ParentOf | Weakness Variant | 110 | Struts: Validator Without Form Field | Research Concepts (primary) 1000
ParentOf | Category | 399 | Resource Management Errors | Development Concepts (primary) 699
ParentOf | Weakness Base | 401 | Improper Release of Memory Before Removing Last Reference ('Memory Leak') | Seven Pernicious Kingdoms (primary) 700
ParentOf | Weakness Base | 404 | Improper Resource Shutdown or Release | Development Concepts 699; Seven Pernicious Kingdoms (primary) 700
ParentOf | Weakness Variant | 415 | Double Free | Seven Pernicious Kingdoms (primary) 700
ParentOf | Weakness Base | 416 | Use After Free | Seven Pernicious Kingdoms (primary) 700
ParentOf | Weakness Variant | 457 | Use of Uninitialized Variable | Seven Pernicious Kingdoms (primary) 700
ParentOf | Weakness Base | 474 | Use of Function with Inconsistent Implementations | Development Concepts (primary) 699; Seven Pernicious Kingdoms (primary) 700; Research Concepts (primary) 1000
ParentOf | Weakness Base | 475 | Undefined Behavior for Input to API | Development Concepts (primary) 699; Seven Pernicious Kingdoms (primary) 700
ParentOf | Weakness Base | 476 | NULL Pointer Dereference | Development Concepts (primary) 699; Seven Pernicious Kingdoms (primary) 700; Research Concepts (primary) 1000
ParentOf | Weakness Base | 477 | Use of Obsolete Functions | Development Concepts (primary) 699; Seven Pernicious Kingdoms (primary) 700; Research Concepts (primary) 1000
ParentOf | Weakness Variant | 478 | Missing Default Case in Switch Statement | Development Concepts (primary) 699
ParentOf | Weakness Variant | 483 | Incorrect Block Delimitation | Development Concepts (primary) 699
ParentOf | Weakness Base | 484 | Omitted Break Statement in Switch | Development Concepts (primary) 699; Research Concepts 1000
ParentOf | Weakness Variant | 546 | Suspicious Comment | Development Concepts (primary) 699; Research Concepts (primary) 1000
ParentOf | Weakness Variant | 547 | Use of Hard-coded, Security-relevant Constants | Development Concepts (primary) 699; Research Concepts (primary) 1000
ParentOf | Weakness Variant | 561 | Dead Code | Development Concepts (primary) 699; Research Concepts (primary) 1000
ParentOf | Weakness Base | 562 | Return of Stack Variable Address | Development Concepts (primary) 699; Research Concepts 1000
ParentOf | Weakness Variant | 563 | Assignment to Variable without Use ('Unused Variable') | Development Concepts (primary) 699; Research Concepts (primary) 1000
ParentOf | Category | 569 | Expression Issues | Development Concepts (primary) 699
ParentOf | Weakness Variant | 585 | Empty Synchronized Block | Development Concepts (primary) 699; Research Concepts (primary) 1000
ParentOf | Weakness Variant | 586 | Explicit Call to Finalize() | Development Concepts (primary) 699
ParentOf | Weakness Variant | 617 | Reachable Assertion | Development Concepts (primary) 699
ParentOf | Weakness Base | 676 | Use of Potentially Dangerous Function | Development Concepts (primary) 699; Research Concepts (primary) 1000
MemberOf | View | 700 | Seven Pernicious Kingdoms | Seven Pernicious Kingdoms (primary) 700
+ Taxonomy Mappings
Mapped Taxonomy Name | Node ID | Fit | Mapped Node Name
7 Pernicious Kingdoms | (none) | (none) | Code Quality
+ Content History
Submissions
Submission Date | Submitter | Organization | Source
(none) | 7 Pernicious Kingdoms | (none) | Externally Mined
Modifications
Modification Date | Modifier | Organization | Source | Changes
2008-07-01 | Eric Dalci | Cigital | External | updated Time_of_Introduction
2008-09-08 | CWE Content Team | MITRE | Internal | updated Description, Relationships, Taxonomy_Mappings
2009-10-29 | CWE Content Team | MITRE | Internal | updated Relationships
2010-12-13 | CWE Content Team | MITRE | Internal | updated Relationships
2011-06-01 | CWE Content Team | MITRE | Internal | updated Common_Consequences
2011-06-27 | CWE Content Team | MITRE | Internal | updated Common_Consequences
2012-05-11 | CWE Content Team | MITRE | Internal | updated Relationships
2014-07-30 | CWE Content Team | MITRE | Internal | updated Detection_Factors, Relationships
Previous Entry Names
Change Date | Previous Entry Name
2008-04-11 | Code Quality
Page Last Updated: July 30, 2014