Category: Bad Coding Practices
Draft
Summary
Weaknesses in this category are related to coding practices that are deemed unsafe and increase the chances that an exploitable vulnerability will be present in the application. These weaknesses do not directly introduce a vulnerability, but indicate that the product has not been carefully developed or maintained. If a program is complex, difficult to maintain, not portable, or shows evidence of neglect, then there is a higher likelihood that weaknesses are buried in the code.
Membership
| ID | Name | Description |
|---|---|---|
| CWE-1041 | Use of Redundant Code | The product has multiple functions, methods, procedures, macros, etc. that contain the same code. |
| CWE-1043 | Data Element Aggregating an Excessively Large Number of Non-Primitive Elements | The product uses a data element that has an excessively large number of sub-elements with non-primitive data types such as structures or aggregated objects. |
| CWE-1044 | Architecture with Number of Horizontal Layers Outside of Expected Range | The product's architecture contains too many - or too few - horizontal layers. |
| CWE-1045 | Parent Class with a Virtual Destructor and a Child Class without a Virtual Destructor | A parent class has a virtual destructor method, but the parent has a child class that does not have a virtual destructor. |
| CWE-1046 | Creation of Immutable Text Using String Concatenation | The product creates an immutable text string using string concatenation operations. |
| CWE-1048 | Invokable Control Element with Large Number of Outward Calls | The code contains callable control elements that contain an excessively large number of references to other application objects external to the context of the callable, i.e. a Fan-Out value that is excessively large. |
| CWE-1049 | Excessive Data Query Operations in a Large Data Table | The product performs a data query with a large number of joins and sub-queries on a large data table. |
| CWE-1050 | Excessive Platform Resource Consumption within a Loop | The product has a loop body or loop condition that contains a control element that directly or indirectly consumes platform resources, e.g. messaging, sessions, locks, or file descriptors. |
| CWE-1063 | Creation of Class Instance within a Static Code Block | A static code block creates an instance of a class. |
| CWE-1065 | Runtime Resource Management Control Element in a Component Built to Run on Application Servers | The product uses deployed components from application servers, but it also uses low-level functions/methods for management of resources, instead of the API provided by the application server. |
| CWE-1066 | Missing Serialization Control Element | The product contains a serializable data element that does not have an associated serialization method. |
| CWE-1067 | Excessive Execution of Sequential Searches of Data Resource | The product contains a data query against an SQL table or view that is configured in a way that does not utilize an index and may cause sequential searches to be performed. |
| CWE-1070 | Serializable Data Element Containing non-Serializable Item Elements | The product contains a serializable, storable data element such as a field or member, but the data element contains member elements that are not serializable. |
| CWE-1071 | Empty Code Block | The source code contains a block that does not contain any code, i.e., the block is empty. |
| CWE-1072 | Data Resource Access without Use of Connection Pooling | The product accesses a data resource through a database without using a connection pooling capability. |
| CWE-1073 | Non-SQL Invokable Control Element with Excessive Number of Data Resource Accesses | The product contains a client with a function or method that contains a large number of data accesses/queries that are sent through a data manager, i.e., does not use efficient database capabilities. |
| CWE-1079 | Parent Class without Virtual Destructor Method | A parent class contains one or more child classes, but the parent class does not have a virtual destructor method. |
| CWE-1082 | Class Instance Self Destruction Control Element | The code contains a class instance that calls the method or function to delete or destroy itself. |
| CWE-1084 | Invokable Control Element with Excessive File or Data Access Operations | A function or method contains too many operations that utilize a data manager or file resource. |
| CWE-1085 | Invokable Control Element with Excessive Volume of Commented-out Code | A function, method, procedure, etc. contains an excessive amount of code that has been commented out within its body. |
| CWE-1087 | Class with Virtual Method without a Virtual Destructor | A class contains a virtual method, but the method does not have an associated virtual destructor. |
| CWE-1089 | Large Data Table with Excessive Number of Indices | The product uses a large data table that contains an excessively large number of indices. |
| CWE-1092 | Use of Same Invokable Control Element in Multiple Architectural Layers | The product uses the same control element across multiple architectural layers. |
| CWE-1094 | Excessive Index Range Scan for a Data Resource | The product contains an index range scan for a large data table, but the scan can cover a large number of rows. |
| CWE-1097 | Persistent Storable Data Element without Associated Comparison Control Element | The product uses a storable data element that does not have all of the associated functions or methods that are necessary to support comparison. |
| CWE-1098 | Data Element containing Pointer Item without Proper Copy Control Element | The code contains a data element with a pointer that does not have an associated copy or constructor method. |
| CWE-1099 | Inconsistent Naming Conventions for Identifiers | The product's code, documentation, or other artifacts do not consistently use the same naming conventions for variables, callables, groups of related callables, I/O capabilities, data types, file names, or similar types of elements. |
| CWE-1101 | Reliance on Runtime Component in Generated Code | The product uses automatically-generated code that cannot be executed without a specific runtime support component. |
| CWE-1102 | Reliance on Machine-Dependent Data Representation | The code uses a data representation that relies on low-level data representation or constructs that may vary across different processors, physical machines, OSes, or other physical components. |
| CWE-1103 | Use of Platform-Dependent Third Party Components | The product relies on third-party components that do not provide equivalent functionality across all desirable platforms. |
| CWE-1104 | Use of Unmaintained Third Party Components | The product relies on third-party components that are not actively supported or maintained by the original developer or a trusted proxy for the original developer. |
| CWE-1106 | Insufficient Use of Symbolic Constants | The source code uses literal constants that may need to change or evolve over time, instead of using symbolic constants. |
| CWE-1107 | Insufficient Isolation of Symbolic Constant Definitions | The source code uses symbolic constants, but it does not sufficiently place the definitions of these constants into a more centralized or isolated location. |
| CWE-1108 | Excessive Reliance on Global Variables | The code is structured in a way that relies too much on using or setting global variables throughout various points in the code, instead of preserving the associated information in a narrower, more local context. |
| CWE-1109 | Use of Same Variable for Multiple Purposes | The code contains a callable, block, or other code element in which the same variable is used to control more than one unique task or store more than one instance of data. |
| CWE-1113 | Inappropriate Comment Style | The source code uses comment styles or formats that are inconsistent or do not follow expected standards for the product. |
| CWE-1114 | Inappropriate Whitespace Style | The source code contains whitespace that is inconsistent across the code or does not follow expected standards for the product. |
| CWE-1115 | Source Code Element without Standard Prologue | The source code contains elements such as source files that do not consistently provide a prologue or header that has been standardized for the project. |
| CWE-1116 | Inaccurate Comments | The source code contains comments that do not accurately describe or explain aspects of the portion of the code with which the comment is associated. |
| CWE-1117 | Callable with Insufficient Behavioral Summary | The code contains a function or method whose signature and/or associated inline documentation does not sufficiently describe the callable's inputs, outputs, side effects, assumptions, or return codes. |
| CWE-1126 | Declaration of Variable with Unnecessarily Wide Scope | The source code declares a variable in one scope, but the variable is only used within a narrower scope. |
| CWE-1127 | Compilation with Insufficient Warnings or Errors | The code is compiled without sufficient warnings enabled, which may prevent the detection of subtle bugs or quality issues. |
| CWE-1235 | Incorrect Use of Autoboxing and Unboxing for Performance Critical Operations | The code uses boxed primitives, which may introduce inefficiencies into performance-critical operations. |
| CWE-358 | Improperly Implemented Security Check for Standard | The product does not implement or incorrectly implements one or more security-relevant checks as specified by the design of a standardized algorithm, protocol, or technique. |
| CWE-360 | Trust of System Event Data | Security based on event locations are insecure and can be spoofed. |
| CWE-478 | Missing Default Case in Multiple Condition Expression | The code does not have a default case in an expression with multiple conditions, such as a switch statement. |
| CWE-487 | Reliance on Package-level Scope | Java packages are not inherently closed; therefore, relying on them for code security is not a good practice. |
| CWE-489 | Active Debug Code | The product is released with debugging code still enabled or active. |
| CWE-547 | Use of Hard-coded, Security-relevant Constants | The product uses hard-coded constants instead of symbolic names for security-critical values, which increases the likelihood of mistakes during code maintenance or security policy change. |
| CWE-561 | Dead Code | The product contains dead code, which can never be executed. |
| CWE-562 | Return of Stack Variable Address | A function returns the address of a stack variable, which will cause unintended program behavior, typically in the form of a crash. |
| CWE-563 | Assignment to Variable without Use | The variable's value is assigned but never used, making it a dead store. |
| CWE-581 | Object Model Violation: Just One of Equals and Hashcode Defined | The product does not maintain equal hashcodes for equal objects. |
| CWE-586 | Explicit Call to Finalize() | The product makes an explicit call to the finalize() method from outside the finalizer. |
| CWE-605 | Multiple Binds to the Same Port | When multiple sockets are allowed to bind to the same port, other services on that port may be stolen or spoofed. |
| CWE-628 | Function Call with Incorrectly Specified Arguments | The product calls a function, procedure, or routine with arguments that are not correctly specified, leading to always-incorrect behavior and resultant weaknesses. |
| CWE-654 | Reliance on a Single Factor in a Security Decision | A protection mechanism relies exclusively, or to a large extent, on the evaluation of a single condition or the integrity of a single object or entity in order to make a decision about granting access to restricted resources or functionality. |
| CWE-656 | Reliance on Security Through Obscurity | The product uses a protection mechanism whose strength depends heavily on its obscurity, such that knowledge of its algorithms or key data is sufficient to defeat the mechanism. |
| CWE-694 | Use of Multiple Resources with Duplicate Identifier | The product uses multiple resources that can have the same identifier, in a context in which unique identifiers are required. |
| CWE-807 | Reliance on Untrusted Inputs in a Security Decision | The product uses a protection mechanism that relies on the existence or values of an input, but the input can be modified by an untrusted actor in a way that bypasses the protection mechanism. |
| CWE-699 | Software Development | This view organizes weaknesses around concepts that are frequently used or encountered in software development. This includes all aspects of the software development lifecycle including both architecture and implementation. Accordingly, this view can align closely with the perspectives of architects, developers, educators, and assessment vendors. It provides a variety of categories that are intended to simplify navigation, browsing, and mapping. |
Vulnerability Mapping Notes
Usage: Prohibited
Reasons: Category
Rationale:
This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves.
Comment:
See member weaknesses of this category.