CWE: 789 Uncontrolled Memory Allocation BadSource: rand Set data to result of rand(), which may be zero GoodSource: Small number greater than zero Sinks: GoodSink: Allocate memory with new [] and check the size of the memory to be allocated BadSink : Allocate memory with new [], but incorrec...

CWE: 762 Mismatched Memory Management Routines BadSource: realloc Allocate data using realloc() GoodSource: Allocate data using new [] Sinks: GoodSink: Deallocate data using free() BadSink : Deallocate data using delete [] Flow Variant: 64 Data flow: void pointer to data passed from one fun...

CWE: 590 Free Memory Not on Heap BadSource: declare Data buffer is declared on the stack GoodSource: Allocate memory on the heap Sink: BadSink : Print then free data Flow Variant: 03 Control flow: if(5==5) and if(5!=5)

CWE: 563 Unused Variable BadSource: Initialize data GoodSource: Initialize and use data Sinks: GoodSink: Use data BadSink : Initialize and use data Flow Variant: 73 Data flow: data passed in a list from one function to another in different source files

CWE: 415 Double Free BadSource: Allocate data using new and Deallocae data using delete GoodSource: Allocate data using new Sinks: GoodSink: do nothing BadSink : Deallocate data using delete Flow Variant: 65 Data/control flow: data passed as an argument from one function to a function in a...

CWE: 415 Double Free BadSource: Allocate data using new and Deallocae data using delete GoodSource: Allocate data using new Sinks: GoodSink: do nothing BadSink : Deallocate data using delete Flow Variant: 32 Data flow using two pointers to the same value within the same function

CWE: 397 Declaration of Throws for Generic Exception. In this functional variant, we actually throw a generic exception. Sinks: throw_exception GoodSink: Throw a specific exception (range_error) BadSink : Throw std::exception class, which is very generic Flow Variant: 01 Baseline

CWE: 36 Absolute Path Traversal BadSource: listen_socket Read data using a listen socket (server side) GoodSource: Full path and file name Sinks: open BadSink : Open the file named in data using open() Flow Variant: 66 Data flow: data passed in an array from one function to another in differ...

CWE: 36 Absolute Path Traversal BadSource: environment Read input from an environment variable GoodSource: Full path and file name Sink: open BadSink : Open the file named in data using open() Flow Variant: 52 Data flow: data passed as an argument from one function to another to another in t...

CWE: 36 Absolute Path Traversal BadSource: environment Read input from an environment variable GoodSource: Full path and file name Sink: ifstream BadSink : Open the file named in data using ifstream::open() Flow Variant: 52 Data flow: data passed as an argument from one function to another t...

CWE: 23 Relative Path Traversal BadSource: file Read input from a file GoodSource: Use a fixed file name Sink: open BadSink : Open the file named in data using open() Flow Variant: 21 Control flow: Flow controlled by value of a static global variable. All functions contained in one file.

CWE: 23 Relative Path Traversal BadSource: file Read input from a file GoodSource: Use a fixed file name Sink: ofstream BadSink : Open the file named in data using ofstream::open() Flow Variant: 42 Data flow: data returned from one function to another in the same source file

CWE: 23 Relative Path Traversal BadSource: environment Read input from an environment variable GoodSource: Use a fixed file name Sink: open BadSink : Open the file named in data using open() Flow Variant: 15 Control flow: switch(6)

CWE: 190 Integer Overflow BadSource: rand Set data to result of rand() GoodSource: Set data to a small, non-zero number (two) Sinks: multiply GoodSink: Ensure there will not be an overflow before multiplying data by 2 BadSink : If data is positive, multiply by 2, which can cause an overflow ...

CWE: 127 Buffer Under-read BadSource: Set data pointer to before the allocated memory buffer GoodSource: Set data pointer to the allocated memory buffer Sinks: memcpy BadSink : Copy data to string using memcpy Flow Variant: 72 Data flow: data passed in a vector from one function to another ...

CWE: 126 Buffer Over-read BadSource: Use a small buffer GoodSource: Use a large buffer Sink: memmove BadSink : Copy data to string using memmove Flow Variant: 03 Control flow: if(5==5) and if(5!=5)

CWE: 126 Buffer Over-read BadSource: Use a small buffer GoodSource: Use a large buffer Sinks: memmove BadSink : Copy data to string using memmove Flow Variant: 73 Data flow: data passed in a list from one function to another in different source files

CWE: 126 Buffer Overread BadSource: large Large index value that is greater than 10-1 GoodSource: Larger than zero but less than 10 Sinks: GoodSink: Ensure the array index is valid BadSink : Improperly check the array index by not checking the upper bound Flow Variant: 43 Data flow: data fl...

CWE: 124 Buffer Underwrite BadSource: Set data pointer to before the allocated memory buffer GoodSource: Set data pointer to the allocated memory buffer Sinks: ncpy BadSink : Copy string to data using wcsncpy Flow Variant: 81 Data flow: data passed in a parameter to a virtual method called ...

CWE: 122 Heap Based Buffer Overflow BadSource: Allocate using new[] and set data pointer to a small buffer GoodSource: Allocate using new[] and set data pointer to a large buffer Sinks: cat BadSink : Copy string to data using wcscat Flow Variant: 66 Data flow: data passed in an array from o...

CWE: 122 Heap Based Buffer Overflow BadSource: Initialize data as a large string GoodSource: Initialize data as a small string Sink: snprintf BadSink : Copy data to string using snprintf Flow Variant: 16 Control flow: while(1)

CWE: 122 Heap Based Buffer Overflow BadSource: Allocate using new[] and set data pointer to a small buffer GoodSource: Allocate using new[] and set data pointer to a large buffer Sink: memmove BadSink : Copy string to data using memmove Flow Variant: 03 Control flow: if(5==5) and if(5!=5)

CWE: 122 Heap Based Buffer Overflow BadSource: Allocate using new[] and set data pointer to a small buffer GoodSource: Allocate using new[] and set data pointer to a large buffer Sink: memcpy BadSink : Copy int array to data using memcpy Flow Variant: 02 Control flow: if(1) and if(0)

CWE: 122 Heap Based Buffer Overflow BadSource: Allocate memory for a string, but do not allocate space for NULL terminator GoodSource: Allocate enough memory for a string and the NULL terminator Sinks: memmove BadSink : Copy string to data using memmove() Flow Variant: 33 Data flow: use of ...

CWE: 122 Heap Based Buffer Overflow BadSource: Allocate memory for a string, but do not allocate space for NULL terminator GoodSource: Allocate enough memory for a string and the NULL terminator Sink: loop BadSink : Copy array to data using a loop Flow Variant: 15 Control flow: switch(6)