The code contains comments that suggest the presence of bugs, incomplete functionality, or weaknesses.
Extended Description
Suspicious comments such as BUG, HACK, FIXME, LATER, LATER2 and TODO in the code frequently indicate missing security functionality or missing checks. Others indicate code problems that programmers should fix, such as hard-coded variables, error handling, not using stored procedures, and performance issues.
Time of Introduction
Implementation
Common Consequences
Scope: Other
Effect: Technical Impact: Quality degradation
Demonstrative Examples
Example 1
The following excerpt demonstrates the use of a suspicious comment in an incomplete code block that may have security repercussions.
(Bad Code) Example Language: Java
if (user == null) {
    // TODO: Handle null user condition.
}
Potential Mitigations
Remove comments that suggest the presence of bugs, incomplete functionality, or weaknesses before deploying the application.
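The mitigation above is easiest to enforce as a pre-deployment check that scans source for the markers listed in the extended description. The following Python scanner is an added example, not part of the CWE entry: it extracts // and /* */ comments from C-like source (Java, C, JavaScript), skips string and char literals so a marker inside a string is not reported, and returns each suspicious comment with its line number. The Java input it runs on is constructed here and contains the entry's own null-user example plus a HACK comment; the marker list and the Finding type are this example's own choices.

```python
import re
from dataclasses import dataclass
from typing import Iterator, List, Tuple

# Markers named in the CWE entry. Matching is case-sensitive on purpose:
# an all-caps BUG/TODO is the conventional "come back to this" tag, while a
# lowercase "bug" in a normal sentence is usually just prose.
SUSPICIOUS_MARKERS = ("BUG", "HACK", "FIXME", "LATER", "LATER2", "TODO")
_MARKER_RE = re.compile(r"\b(" + "|".join(SUSPICIOUS_MARKERS) + r")\b")


@dataclass(frozen=True)
class Finding:
    line: int      # 1-based line on which the comment starts
    marker: str    # the marker that matched
    comment: str   # comment text with whitespace collapsed


def iter_comments(source: str) -> Iterator[Tuple[int, str]]:
    """Yield (line_number, comment_text) for every // and /* */ comment.

    String and char literals are skipped so that text such as
    "TODO" inside a literal is never mistaken for a comment.
    """
    i, n, line = 0, len(source), 1
    while i < n:
        ch = source[i]
        if ch == "\n":
            line += 1
            i += 1
        elif ch in ('"', "'"):
            # Skip the literal, honoring backslash escapes.
            quote = ch
            i += 1
            while i < n and source[i] != quote:
                if source[i] == "\\":
                    i += 1
                if i < n and source[i] == "\n":
                    line += 1
                i += 1
            i += 1  # step past the closing quote
        elif source.startswith("//", i):
            end = source.find("\n", i)
            if end == -1:
                end = n
            yield line, source[i + 2:end].strip()
            i = end  # the newline itself is counted on the next iteration
        elif source.startswith("/*", i):
            end = source.find("*/", i + 2)
            if end == -1:
                end = n
            body = source[i + 2:end]
            yield line, body.strip()
            line += body.count("\n")
            i = end + 2
        else:
            i += 1


def scan(source: str) -> List[Finding]:
    """Return one Finding per comment that carries a suspicious marker."""
    findings = []
    for line, text in iter_comments(source):
        m = _MARKER_RE.search(text)
        if m:
            findings.append(Finding(line, m.group(1), " ".join(text.split())))
    return findings


# Constructed sample input (not from a real project): the CWE entry's own
# null-user snippet, a HACK comment on a skipped authorization check, and a
# string literal that must not produce a finding.
SAMPLE_JAVA = """\
public class Session {
    private static final String HINT = "TODO is just a word in this string";

    public void check(User user) {
        if (user == null) {
            // TODO: Handle null user condition.
        }
        /* HACK: role check skipped until the
           authorization service is wired up */
        grantAccess(user);
    }
}
"""

if __name__ == "__main__":
    # A CI gate would fail the build when this list is non-empty.
    for f in scan(SAMPLE_JAVA):
        print(f"line {f.line}: {f.marker}: {f.comment}")
```

Run as a script it lists the TODO on line 6 and the HACK on line 8 and ignores the string on line 2; wiring `scan` over every file in a build and failing when the list is non-empty turns the mitigation into an automated check rather than a code-review reminder.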