Category: Comprehensive Categorization: Poor Coding Practices
Incomplete
Summary
Weaknesses in this category are related to poor coding practices.
Membership
| ID | Name | Description |
|---|---|---|
| CWE-1007 | Insufficient Visual Distinction of Homoglyphs Presented to User | The product displays information or identifiers to a user, but the display mechanism does not make it easy for the user to distinguish between visually similar or identical glyphs (homoglyphs), which may cause the user to misinterpret a glyph and perform an unintended, insecure action. |
| CWE-103 | Struts: Incomplete validate() Method Definition | The product has a validator form that either does not define a validate() method, or defines a validate() method but does not call super.validate(). |
| CWE-104 | Struts: Form Bean Does Not Extend Validation Class | If a form bean does not extend an ActionForm subclass of the Validator framework, it can expose the application to other weaknesses related to insufficient input validation. |
| CWE-1041 | Use of Redundant Code | The product has multiple functions, methods, procedures, macros, etc. that contain the same code. |
| CWE-1043 | Data Element Aggregating an Excessively Large Number of Non-Primitive Elements | The product uses a data element that has an excessively large number of sub-elements with non-primitive data types such as structures or aggregated objects. |
| CWE-1044 | Architecture with Number of Horizontal Layers Outside of Expected Range | The product's architecture contains too many - or too few - horizontal layers. |
| CWE-1045 | Parent Class with a Virtual Destructor and a Child Class without a Virtual Destructor | A parent class has a virtual destructor method, but the parent has a child class that does not have a virtual destructor. |
| CWE-1047 | Modules with Circular Dependencies | The product contains modules in which one module has references that cycle back to itself, i.e., there are circular dependencies. |
| CWE-1048 | Invokable Control Element with Large Number of Outward Calls | The code contains callable control elements that contain an excessively large number of references to other application objects external to the context of the callable, i.e. a Fan-Out value that is excessively large. |
| CWE-1053 | Missing Documentation for Design | The product does not have documentation that represents how it is designed. |
| CWE-1054 | Invocation of a Control Element at an Unnecessarily Deep Horizontal Layer | The code at one architectural layer invokes code that resides at a deeper layer than the adjacent layer, i.e., the invocation skips at least one layer, and the invoked code is not part of a vertical utility layer that can be referenced from any horizontal layer. |
| CWE-1055 | Multiple Inheritance from Concrete Classes | The product contains a class with inheritance from more than one concrete class. |
| CWE-1056 | Invokable Control Element with Variadic Parameters | A named-callable or method control element has a signature that supports a variable (variadic) number of parameters or arguments. |
| CWE-1057 | Data Access Operations Outside of Expected Data Manager Component | The product uses a dedicated, central data manager component as required by design, but it contains code that performs data-access operations that do not use this data manager. |
| CWE-1059 | Insufficient Technical Documentation | The product does not contain sufficient technical or engineering documentation (whether on paper or in electronic form) that contains descriptions of all the relevant software/hardware elements of the product, such as its usage, structure, architectural components, interfaces, design, implementation, configuration, operation, etc. |
| CWE-1060 | Excessive Number of Inefficient Server-Side Data Accesses | The product performs too many data queries without using efficient data processing functionality such as stored procedures. |
| CWE-1061 | Insufficient Encapsulation | The product does not sufficiently hide the internal representation and implementation details of data or methods, which might allow external components or modules to modify data unexpectedly, invoke unexpected functionality, or introduce dependencies that the programmer did not intend. |
| CWE-1062 | Parent Class with References to Child Class | The code has a parent class that contains references to a child class, its methods, or its members. |
| CWE-1064 | Invokable Control Element with Signature Containing an Excessive Number of Parameters | The product contains a function, subroutine, or method whose signature has an unnecessarily large number of parameters/arguments. |
| CWE-1065 | Runtime Resource Management Control Element in a Component Built to Run on Application Servers | The product uses deployed components from application servers, but it also uses low-level functions/methods for management of resources, instead of the API provided by the application server. |
| CWE-1066 | Missing Serialization Control Element | The product contains a serializable data element that does not have an associated serialization method. |
| CWE-1068 | Inconsistency Between Implementation and Documented Design | The implementation of the product is not consistent with the design as described within the relevant documentation. |
| CWE-1069 | Empty Exception Block | An invokable code block contains an exception handling block that does not contain any code, i.e. is empty. |
| CWE-107 | Struts: Unused Validation Form | An unused validation form indicates that validation logic is not up-to-date. |
| CWE-1070 | Serializable Data Element Containing non-Serializable Item Elements | The product contains a serializable, storable data element such as a field or member, but the data element contains member elements that are not serializable. |
| CWE-1071 | Empty Code Block | The source code contains a block that does not contain any code, i.e., the block is empty. |
| CWE-1074 | Class with Excessively Deep Inheritance | A class has an inheritance level that is too high, i.e., it has a large number of parent classes. |
| CWE-1075 | Unconditional Control Flow Transfer outside of Switch Block | The product performs unconditional control transfer (such as a "goto") in code outside of a branching structure such as a switch block. |
| CWE-1076 | Insufficient Adherence to Expected Conventions | The product's architecture, source code, design, documentation, or other artifact does not follow required conventions. |
| CWE-1078 | Inappropriate Source Code Style or Formatting | The source code does not follow desired style or formatting for indentation, white space, comments, etc. |
| CWE-1079 | Parent Class without Virtual Destructor Method | A parent class contains one or more child classes, but the parent class does not have a virtual destructor method. |
| CWE-1080 | Source Code File with Excessive Number of Lines of Code | A source code file has too many lines of code. |
| CWE-1082 | Class Instance Self Destruction Control Element | The code contains a class instance that calls the method or function to delete or destroy itself. |
| CWE-1083 | Data Access from Outside Expected Data Manager Component | The product is intended to manage data access through a particular data manager component such as a relational or non-SQL database, but it contains code that performs data access operations without using that component. |
| CWE-1085 | Invokable Control Element with Excessive Volume of Commented-out Code | A function, method, procedure, etc. contains an excessive amount of code that has been commented out within its body. |
| CWE-1086 | Class with Excessive Number of Child Classes | A class contains an unnecessarily large number of children. |
| CWE-1087 | Class with Virtual Method without a Virtual Destructor | A class contains a virtual method, but the method does not have an associated virtual destructor. |
| CWE-1090 | Method Containing Access of a Member Element from Another Class | A method for a class performs an operation that directly accesses a member element from another class. |
| CWE-1092 | Use of Same Invokable Control Element in Multiple Architectural Layers | The product uses the same control element across multiple architectural layers. |
| CWE-1093 | Excessively Complex Data Representation | The product uses an unnecessarily complex internal representation for its data structures or interrelationships between those structures. |
| CWE-1095 | Loop Condition Value Update within the Loop | The product uses a loop with a control flow condition based on a value that is updated within the body of the loop. |
| CWE-1097 | Persistent Storable Data Element without Associated Comparison Control Element | The product uses a storable data element that does not have all of the associated functions or methods that are necessary to support comparison. |
| CWE-1098 | Data Element containing Pointer Item without Proper Copy Control Element | The code contains a data element with a pointer that does not have an associated copy or constructor method. |
| CWE-1099 | Inconsistent Naming Conventions for Identifiers | The product's code, documentation, or other artifacts do not consistently use the same naming conventions for variables, callables, groups of related callables, I/O capabilities, data types, file names, or similar types of elements. |
| CWE-11 | ASP.NET Misconfiguration: Creating Debug Binary | Debugging messages help attackers learn about the system and plan a form of attack. |
| CWE-110 | Struts: Validator Without Form Field | Validation fields that do not appear in forms they are associated with indicate that the validation logic is out of date. |
| CWE-1100 | Insufficient Isolation of System-Dependent Functions | The product or code does not isolate system-dependent functionality into separate standalone modules. |
| CWE-1101 | Reliance on Runtime Component in Generated Code | The product uses automatically-generated code that cannot be executed without a specific runtime support component. |
| CWE-1102 | Reliance on Machine-Dependent Data Representation | The code uses a data representation that relies on low-level data representation or constructs that may vary across different processors, physical machines, OSes, or other physical components. |
| CWE-1103 | Use of Platform-Dependent Third Party Components | The product relies on third-party components that do not provide equivalent functionality across all desirable platforms. |
| CWE-1105 | Insufficient Encapsulation of Machine-Dependent Functionality | The product or code uses machine-dependent functionality, but it does not sufficiently encapsulate or isolate this functionality from the rest of the code. |
| CWE-1106 | Insufficient Use of Symbolic Constants | The source code uses literal constants that may need to change or evolve over time, instead of using symbolic constants. |
| CWE-1107 | Insufficient Isolation of Symbolic Constant Definitions | The source code uses symbolic constants, but it does not sufficiently place the definitions of these constants into a more centralized or isolated location. |
| CWE-1108 | Excessive Reliance on Global Variables | The code is structured in a way that relies too much on using or setting global variables throughout various points in the code, instead of preserving the associated information in a narrower, more local context. |
| CWE-1109 | Use of Same Variable for Multiple Purposes | The code contains a callable, block, or other code element in which the same variable is used to control more than one unique task or store more than one instance of data. |
| CWE-111 | Direct Use of Unsafe JNI | When a Java application uses the Java Native Interface (JNI) to call code written in another programming language, it can expose the application to weaknesses in that code, even if those weaknesses cannot occur in Java. |
| CWE-1110 | Incomplete Design Documentation | The product's design documentation does not adequately describe control flow, data flow, system initialization, relationships between tasks, components, rationales, or other important aspects of the design. |
| CWE-1111 | Incomplete I/O Documentation | The product's documentation does not adequately define inputs, outputs, or system/software interfaces. |
| CWE-1112 | Incomplete Documentation of Program Execution | The document does not fully define all mechanisms that are used to control or influence how product-specific programs are executed. |
| CWE-1113 | Inappropriate Comment Style | The source code uses comment styles or formats that are inconsistent or do not follow expected standards for the product. |
| CWE-1114 | Inappropriate Whitespace Style | The source code contains whitespace that is inconsistent across the code or does not follow expected standards for the product. |
| CWE-1115 | Source Code Element without Standard Prologue | The source code contains elements such as source files that do not consistently provide a prologue or header that has been standardized for the project. |
| CWE-1116 | Inaccurate Comments | The source code contains comments that do not accurately describe or explain aspects of the portion of the code with which the comment is associated. |
| CWE-1117 | Callable with Insufficient Behavioral Summary | The code contains a function or method whose signature and/or associated inline documentation does not sufficiently describe the callable's inputs, outputs, side effects, assumptions, or return codes. |
| CWE-1118 | Insufficient Documentation of Error Handling Techniques | The documentation does not sufficiently describe the techniques that are used for error handling, exception processing, or similar mechanisms. |
| CWE-1119 | Excessive Use of Unconditional Branching | The code uses too many unconditional branches (such as "goto"). |
| CWE-1120 | Excessive Code Complexity | The code is too complex, as calculated using a well-defined, quantitative measure. |
| CWE-1121 | Excessive McCabe Cyclomatic Complexity | The code contains McCabe cyclomatic complexity that exceeds a desirable maximum. |
| CWE-1122 | Excessive Halstead Complexity | The code is structured in a way that a Halstead complexity measure exceeds a desirable maximum. |
| CWE-1123 | Excessive Use of Self-Modifying Code | The product uses too much self-modifying code. |
| CWE-1124 | Excessively Deep Nesting | The code contains a callable or other code grouping in which the nesting / branching is too deep. |
| CWE-1125 | Excessive Attack Surface | The product has an attack surface whose quantitative measurement exceeds a desirable maximum. |
| CWE-1126 | Declaration of Variable with Unnecessarily Wide Scope | The source code declares a variable in one scope, but the variable is only used within a narrower scope. |
| CWE-1127 | Compilation with Insufficient Warnings or Errors | The code is compiled without sufficient warnings enabled, which may prevent the detection of subtle bugs or quality issues. |
| CWE-1164 | Irrelevant Code | The product contains code that is not essential for execution, i.e. makes no state changes and has no side effects that alter data or control flow, such that removal of the code would have no impact to functionality or correctness. |
| CWE-1177 | Use of Prohibited Code | The product uses a function, library, or third party component that has been explicitly prohibited, whether by the developer or the customer. |
| CWE-1209 | Failure to Disable Reserved Bits | The reserved bits in a hardware design are not disabled prior to production. Typically, reserved bits are used for future capabilities and should not support any functional logic in the design. However, designers might covertly use these bits to debug or further develop new capabilities in production hardware. Adversaries with access to these bits will write to them in hopes of compromising hardware state. |
| CWE-1245 | Improper Finite State Machines (FSMs) in Hardware Logic | Faulty finite state machines (FSMs) in the hardware logic allow an attacker to put the system in an undefined state, to cause a denial of service (DoS) or gain privileges on the victim's system. |
| CWE-1341 | Multiple Releases of Same Resource or Handle | The product attempts to close or release a resource or handle more than once, without any successful open between the close operations. |
| CWE-1357 | Reliance on Insufficiently Trustworthy Component | The product is built from multiple separate components, but it uses a component that is not sufficiently trusted to meet expectations for security, reliability, updateability, and maintainability. |
| CWE-1434 | Insecure Setting of Generative AI/ML Model Inference Parameters | The product has a component that relies on a generative AI/ML model configured with inference parameters that produce an unacceptably high rate of erroneous or unexpected outputs. |
| CWE-242 | Use of Inherently Dangerous Function | The product calls a function that can never be guaranteed to work safely. |
| CWE-245 | J2EE Bad Practices: Direct Management of Connections | The J2EE application directly manages connections, instead of using the container's connection management facilities. |
| CWE-246 | J2EE Bad Practices: Direct Use of Sockets | The J2EE application directly uses sockets instead of using framework method calls. |
| CWE-253 | Incorrect Check of Function Return Value | The product incorrectly checks a return value from a function, which prevents it from detecting errors or exceptional conditions. |
| CWE-358 | Improperly Implemented Security Check for Standard | The product does not implement or incorrectly implements one or more security-relevant checks as specified by the design of a standardized algorithm, protocol, or technique. |
| CWE-383 | J2EE Bad Practices: Direct Use of Threads | Thread management in a Web application is forbidden in some circumstances and is always highly error prone. |
| CWE-392 | Missing Report of Error Condition | The product encounters an error but does not provide a status code or return value to indicate that an error has occurred. |
| CWE-393 | Return of Wrong Status Code | A function or operation returns an incorrect return value or status code that does not indicate the true result of execution, causing the product to modify its behavior based on the incorrect result. |
| CWE-440 | Expected Behavior Violation | A feature, API, or function does not perform according to its specification. |
| CWE-446 | UI Discrepancy for Security Feature | The user interface does not correctly enable or configure a security feature, but the interface provides feedback that causes the user to believe that the feature is in a secure state. |
| CWE-448 | Obsolete Feature in UI | A UI function is obsolete and the product does not warn the user. |
| CWE-449 | The UI Performs the Wrong Action | The UI performs the wrong action with respect to the user's request. |
| CWE-451 | User Interface (UI) Misrepresentation of Critical Information | The user interface (UI) does not properly represent critical information to the user, allowing the information - or its source - to be obscured or spoofed. This is often a component in phishing attacks. |
| CWE-462 | Duplicate Key in Associative List (Alist) | Duplicate keys in associative lists can lead to non-unique keys being mistaken for an error. |
| CWE-474 | Use of Function with Inconsistent Implementations | The code uses a function that has inconsistent implementations across operating systems and versions. |
| CWE-475 | Undefined Behavior for Input to API | The behavior of this function is undefined unless its control parameter is set to a specific value. |
| CWE-476 | NULL Pointer Dereference | The product dereferences a pointer that it expects to be valid but is NULL. |
| CWE-477 | Use of Obsolete Function | The code uses deprecated or obsolete functions, which suggests that the code has not been actively reviewed or maintained. |
| CWE-484 | Omitted Break Statement in Switch | The product omits a break statement within a switch or similar construct, causing code associated with multiple conditions to execute. This can cause problems when the programmer only intended to execute code associated with one condition. |
| CWE-489 | Active Debug Code | The product is released with debugging code still enabled or active. |
| CWE-506 | Embedded Malicious Code | The product contains code that appears to be malicious in nature. |
| CWE-507 | Trojan Horse | The product appears to contain benign or useful functionality, but it also contains code that is hidden from normal operation that violates the intended security policy of the user or the system administrator. |
| CWE-508 | Non-Replicating Malicious Code | Non-replicating malicious code only resides on the target system or product that is attacked; it does not attempt to spread to other systems. |
| CWE-509 | Replicating Malicious Code (Virus or Worm) | Replicating malicious code, including viruses and worms, will attempt to attack other systems once it has successfully compromised the target system or the product. |
| CWE-510 | Trapdoor | A trapdoor is a hidden piece of code that responds to a special input, allowing its user access to resources without passing through the normal security enforcement mechanism. |
| CWE-511 | Logic/Time Bomb | The product contains code that is designed to disrupt the legitimate operation of the product (or its environment) when a certain time passes, or when a certain logical condition is met. |
| CWE-512 | Spyware | The product collects personally identifiable information about a human user or the user's activities, but the product accesses this information using other resources besides itself, and it does not require that user's explicit approval or direct input into the product. |
| CWE-546 | Suspicious Comment | The code contains comments that suggest the presence of bugs, incomplete functionality, or weaknesses. |
| CWE-547 | Use of Hard-coded, Security-relevant Constants | The product uses hard-coded constants instead of symbolic names for security-critical values, which increases the likelihood of mistakes during code maintenance or security policy change. |
| CWE-560 | Use of umask() with chmod-style Argument | The product calls umask() with an incorrect argument that is specified as if it is an argument to chmod(). |
| CWE-561 | Dead Code | The product contains dead code, which can never be executed. |
| CWE-563 | Assignment to Variable without Use | The variable's value is assigned but never used, making it a dead store. |
| CWE-570 | Expression is Always False | The product contains an expression that will always evaluate to false. |
| CWE-571 | Expression is Always True | The product contains an expression that will always evaluate to true. |
| CWE-573 | Improper Following of Specification by Caller | The product does not follow or incorrectly follows the specifications as required by the implementation language, environment, framework, protocol, or platform. |
| CWE-575 | EJB Bad Practices: Use of AWT Swing | The product violates the Enterprise JavaBeans (EJB) specification by using AWT/Swing. |
| CWE-576 | EJB Bad Practices: Use of Java I/O | The product violates the Enterprise JavaBeans (EJB) specification by using the java.io package. |
| CWE-577 | EJB Bad Practices: Use of Sockets | The product violates the Enterprise JavaBeans (EJB) specification by using sockets. |
| CWE-578 | EJB Bad Practices: Use of Class Loader | The product violates the Enterprise JavaBeans (EJB) specification by using the class loader. |
| CWE-579 | J2EE Bad Practices: Non-serializable Object Stored in Session | The product stores a non-serializable object as an HttpSession attribute, which can hurt reliability. |
| CWE-581 | Object Model Violation: Just One of Equals and Hashcode Defined | The product does not maintain equal hashcodes for equal objects. |
| CWE-585 | Empty Synchronized Block | The product contains an empty synchronized block. |
| CWE-586 | Explicit Call to Finalize() | The product makes an explicit call to the finalize() method from outside the finalizer. |
| CWE-589 | Call to Non-ubiquitous API | The product uses an API function that does not exist on all versions of the target platform. This could cause portability problems or inconsistencies that allow denial of service or other consequences. |
| CWE-594 | J2EE Framework: Saving Unserializable Objects to Disk | When the J2EE container attempts to write unserializable objects to disk there is no guarantee that the process will complete successfully. |
| CWE-605 | Multiple Binds to the Same Port | When multiple sockets are allowed to bind to the same port, other services on that port may be stolen or spoofed. |
| CWE-628 | Function Call with Incorrectly Specified Arguments | The product calls a function, procedure, or routine with arguments that are not correctly specified, leading to always-incorrect behavior and resultant weaknesses. |
| CWE-675 | Multiple Operations on Resource in Single-Operation Context | The product performs the same operation on a resource two or more times, when the operation should only be applied once. |
| CWE-676 | Use of Potentially Dangerous Function | The product invokes a potentially dangerous function that could introduce a vulnerability if it is used incorrectly, but the function can also be used safely. |
| CWE-683 | Function Call With Incorrect Order of Arguments | The product calls a function, procedure, or routine, but the caller specifies the arguments in an incorrect order, leading to resultant weaknesses. |
| CWE-684 | Incorrect Provision of Specified Functionality | The code does not function according to its published specifications, potentially leading to incorrect usage. |
| CWE-685 | Function Call With Incorrect Number of Arguments | The product calls a function, procedure, or routine, but the caller specifies too many arguments, or too few arguments, which may lead to undefined behavior and resultant weaknesses. |
| CWE-686 | Function Call With Incorrect Argument Type | The product calls a function, procedure, or routine, but the caller specifies an argument that is the wrong data type, which may lead to resultant weaknesses. |
| CWE-687 | Function Call With Incorrectly Specified Argument Value | The product calls a function, procedure, or routine, but the caller specifies an argument that contains the wrong value, which may lead to resultant weaknesses. |
| CWE-688 | Function Call With Incorrect Variable or Reference as Argument | The product calls a function, procedure, or routine, but the caller specifies the wrong variable or reference as one of the arguments, which may lead to undefined behavior and resultant weaknesses. |
| CWE-695 | Use of Low-Level Functionality | The product uses low-level functionality that is explicitly prohibited by the framework or specification under which the product is supposed to operate. |
| CWE-710 | Improper Adherence to Coding Standards | The product does not follow certain coding rules for development, which can lead to resultant weaknesses or increase the severity of the associated vulnerabilities. |
| CWE-758 | Reliance on Undefined, Unspecified, or Implementation-Defined Behavior | The product uses an API function, data structure, or other entity in a way that relies on properties that are not always guaranteed to hold for that entity. |
| CWE-766 | Critical Data Element Declared Public | The product declares a critical variable, field, or member to be public when intended security policy requires it to be private. |
| CWE-785 | Use of Path Manipulation Function without Maximum-sized Buffer | The product invokes a function for normalizing paths or file names, but it provides an output buffer that is smaller than the maximum possible size, such as PATH_MAX. |
| CWE-912 | Hidden Functionality | The product contains functionality that is not documented, not part of the specification, and not accessible through an interface or command sequence that is obvious to the product's users or administrators. |
| CWE-1400 | Comprehensive Categorization for Software Assurance Trends |
Vulnerability Mapping Notes
Usage: Prohibited
Reasons: Category
Rationale:
This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves [REF-1330].
Comment:
See member weaknesses of this category.