The NSA Center for Assured Software (CAS) defines the following Weakness Classes in its "Static Analysis Tool Study - Methodology" [1]:
| Weakness Class | Example Weakness (CWE Entry [2]) |
|---|---|
| Authentication and Access Control | CWE-620: Unverified Password Change |
| Buffer Handling | CWE-121: Stack-based Buffer Overflow |
| Code Quality | CWE-561: Dead Code |
| Control Flow Management | CWE-362: Race Condition |
| Encryption and Randomness | CWE-328: Reversible One-Way Hash |
| Error Handling | CWE-252: Unchecked Return Value |
| File Handling | CWE-23: Relative Path Traversal |
| Information Leaks | CWE-534: Information Leak Through Debug Log Files |
| Initialization and Shutdown | CWE-415: Double Free |
| Injection | CWE-89: SQL Injection |
| Malicious Logic | CWE-506: Embedded Malicious Code |
| Miscellaneous | CWE-480: Use of Incorrect Operator |
| Number Handling | CWE-369: Divide by Zero |
| Pointer and Reference Handling | CWE-476: Null Pointer Dereference |