CWE: 78 OS Command Injection BadSource: listen_socket Read data using a listen socket (server side) GoodSource: Fixed string Sinks: popen BadSink : Execute command in data using popen() Flow Variant: 33 Data flow: use of a C++ reference to data within the same function

CWE: 78 OS Command Injection BadSource: environment Read input from an environment variable GoodSource: Fixed string Sink: w32spawnl BadSink : execute command with wspawnl Flow Variant: 52 Data flow: data passed as an argument from one function to another to another in three different source...

CWE: 78 OS Command Injection BadSource: environment Read input from an environment variable GoodSource: Fixed string Sinks: w32_spawnlp BadSink : execute command with wspawnlp Flow Variant: 61 Data flow: data returned from one function to another in different source files

CWE: 78 OS Command Injection BadSource: environment Read input from an environment variable GoodSource: Fixed string Sink: w32_spawnlp BadSink : execute command with wspawnlp Flow Variant: 11 Control flow: if(globalReturnsTrue()) and if(globalReturnsFalse())

CWE: 78 OS Command Injection BadSource: environment Read input from an environment variable GoodSource: Fixed string Sink: w32_spawnvp BadSink : execute command with spawnvp Flow Variant: 13 Control flow: if(GLOBAL_CONST_FIVE==5) and if(GLOBAL_CONST_FIVE!=5)

CWE: 78 OS Command Injection BadSource: environment Read input from an environment variable GoodSource: Fixed string Sinks: w32_execv BadSink : execute command with execv Flow Variant: 31 Data flow using a copy of data within the same function

CWE: 78 OS Command Injection BadSource: console Read input from the console GoodSource: Fixed string Sinks: w32_spawnvp BadSink : execute command with spawnvp Flow Variant: 43 Data flow: data flows using a C++ reference from one function to another in the same source file

CWE: 90 LDAP Injection BadSource: environment Read input from an environment variable GoodSource: Use a fixed string Sink: BadSink : data concatenated into LDAP search, which could result in LDAP Injection Flow Variant: 12 Control flow: if(globalReturnsTrueOrFalse())

CWE: 426 Untrusted Search Path BadSource: Dont specify the full path in the OS command GoodSource: Specify the full path in the OS command Sinks: system BadSink : Execute the _wsystem function Flow Variant: 62 Data flow: data flows using a C++ reference from one function to another in diffe...

CWE: 404 Improper Resource Shutdown or Release BadSource: freopen Open a file using freopen() Sinks: w32CloseHandle GoodSink: Close the file using fclose() BadSink : Close the file using CloseHandle Flow Variant: 17 Control flow: for loops

CWE: 36 Absolute Path Traversal BadSource: connect_socket Read data using a connect socket (client side) GoodSource: Full path and file name Sinks: w32CreateFile BadSink : Open the file named in data using CreateFile() Flow Variant: 63 Data flow: pointer to data passed from one function to a...

CWE: 36 Absolute Path Traversal BadSource: connect_socket Read data using a connect socket (client side) GoodSource: Full path and file name Sink: open BadSink : Open the file named in data using open() Flow Variant: 13 Control flow: if(GLOBAL_CONST_FIVE==5) and if(GLOBAL_CONST_FIVE!=5)

CWE: 36 Absolute Path Traversal BadSource: file Read input from a file GoodSource: Full path and file name Sink: w32CreateFile BadSink : Open the file named in data using CreateFile() Flow Variant: 42 Data flow: data returned from one function to another in the same source file

CWE: 284 Improper Access Control Sinks: RegCreateKeyEx GoodSink: Create a registry key using RegCreateKeyExW() without excessive privileges BadSink : Create a registry key using RegCreateKeyExW() with excessive privileges Flow Variant: 12 Control flow: if(globalReturnsTrueOrFalse())

CWE: 273 Improper Check for Dropped Privileges Sinks: RpcImpersonateClient GoodSink: Check the return value of RpcImpersonateClient() and handle it properly BadSink : Do not check if RpcImpersonateClient() fails Flow Variant: 16 Control flow: while(1)

CWE: 273 Improper Check for Dropped Privileges Sinks: RpcImpersonateClient GoodSink: Check the return value of RpcImpersonateClient() and handle it properly BadSink : Do not check if RpcImpersonateClient() fails Flow Variant: 14 Control flow: if(globalFive==5) and if(globalFive!=5)

CWE: 252 Unchecked Return Value Sinks: w32CreateNamedPipe GoodSink: Check the return value of CreateNamedPipeW() and handle it properly BadSink : Do not check if CreateNamedPipeW() fails Flow Variant: 16 Control flow: while(1)

CWE: 23 Relative Path Traversal BadSource: file Read input from a file GoodSource: Use a fixed file name Sink: fopen BadSink : Open the file named in data using fopen() Flow Variant: 11 Control flow: if(globalReturnsTrue()) and if(globalReturnsFalse())

CWE: 23 Relative Path Traversal BadSource: environment Read input from an environment variable GoodSource: Use a fixed file name Sinks: open BadSink : Open the file named in data using open() Flow Variant: 81 Data flow: data passed in a parameter to a virtual method called via a reference

CWE: 23 Relative Path Traversal BadSource: environment Read input from an environment variable GoodSource: Use a fixed file name Sink: open BadSink : Open the file named in data using open() Flow Variant: 08 Control flow: if(staticReturnsTrue()) and if(staticReturnsFalse())

CWE: 23 Relative Path Traversal BadSource: connect_socket Read data using a connect socket (client side) GoodSource: Use a fixed file name Sink: fopen BadSink : Open the file named in data using fopen() Flow Variant: 03 Control flow: if(5==5) and if(5!=5)

CWE: 23 Relative Path Traversal BadSource: listen_socket Read data using a listen socket (server side) GoodSource: Use a fixed file name Sinks: w32CreateFile BadSink : Open the file named in data using CreateFile() Flow Variant: 83 Data flow: data passed to class constructor and destructor b...

CWE: 226 Sensitive Information Uncleared Before Release Sinks: declare GoodSink: Clear the password buffer before releasing the memory from the stack BadSink : Release password from the stack without first clearing the buffer Flow Variant: 13 Control flow: if(GLOBAL_CONST_FIVE==5) and if(GLOB...

CWE: 134 Uncontrolled Format String BadSource: environment Read input from an environment variable GoodSource: Copy a fixed string into data Sinks: w32_vsnprintf GoodSink: vsnprintf with a format string BadSink : vsnprintf without a format string Flow Variant: 09 Control flow: if(GLOBAL_CON...

CWE: 114 Process Control BadSource: connect_socket Read data using a connect socket (client side) GoodSource: Hard code the full pathname to the library Sink: BadSink : Load a dynamic link library Flow Variant: 68 Data flow: data passed as a global variable from one function to another in di...