CWE: 78 OS Command Injection BadSource: environment Read input from an environment variable GoodSource: Fixed string Sinks: w32spawnl BadSink : execute command with spawnl Flow Variant: 74 Data flow: data passed in a map from one function to another in different source files

CWE: 78 OS Command Injection BadSource: console Read input from the console GoodSource: Fixed string Sink: w32_spawnv BadSink : execute command with spawnv Flow Variant: 41 Data flow: data passed as an argument from one function to another in the same source file

CWE: 78 OS Command Injection BadSource: connect_socket Read data using a connect socket (client side) GoodSource: Fixed string Sink: w32_spawnvp BadSink : execute command with spawnvp Flow Variant: 04 Control flow: if(STATIC_CONST_TRUE) and if(STATIC_CONST_FALSE)

CWE: 122 Heap Based Buffer Overflow BadSource: Allocate using new[] and set data pointer to a small buffer GoodSource: Allocate using new[] and set data pointer to a large buffer Sinks: snprintf BadSink : Copy string to data using snprintf Flow Variant: 73 Data flow: data passed in a list f...

CWE: 90 LDAP Injection BadSource: console Read input from the console GoodSource: Use a fixed string Sink: BadSink : data concatenated into LDAP search, which could result in LDAP Injection Flow Variant: 17 Control flow: for loops

CWE: 90 LDAP Injection BadSource: connect_socket Read data using a connect socket (client side) GoodSource: Use a fixed string Sink: BadSink : data concatenated into LDAP search, which could result in LDAP Injection Flow Variant: 13 Control flow: if(GLOBAL_CONST_FIVE==5) and if(GLOBAL_CONST_...

CWE: 90 LDAP Injection BadSource: listen_socket Read data using a listen socket (server side) GoodSource: Use a fixed string Sinks: BadSink : data concatenated into LDAP search, which could result in LDAP Injection Flow Variant: 33 Data flow: use of a C++ reference to data within the same fu...

CWE: 90 LDAP Injection BadSource: file Read input from a file GoodSource: Use a fixed string Sink: BadSink : data concatenated into LDAP search, which could result in LDAP Injection Flow Variant: 01 Baseline

CWE: 78 OS Command Injection BadSource: file Read input from a file GoodSource: Fixed string Sinks: system BadSink : Execute command in data using system() Flow Variant: 83 Data flow: data passed to class constructor and destructor by declaring the class object on the stack

CWE: 506 Embedded Malicious Code Sinks: screen_capture BadSink : Capture the screen and save it to a file BadOnly (No GoodSink) Flow Variant: 10 Control flow: if(globalTrue)

CWE: 36 Absolute Path Traversal BadSource: listen_socket Read data using a listen socket (server side) GoodSource: Full path and file name Sinks: open BadSink : Open the file named in data using open() Flow Variant: 31 Data flow using a copy of data within the same function

CWE: 36 Absolute Path Traversal BadSource: environment Read input from an environment variable GoodSource: Full path and file name Sink: w32CreateFile BadSink : Open the file named in data using CreateFile() Flow Variant: 07 Control flow: if(staticFive==5) and if(staticFive!=5)

CWE: 36 Absolute Path Traversal BadSource: environment Read input from an environment variable GoodSource: Full path and file name Sinks: open BadSink : Open the file named in data using open() Flow Variant: 84 Data flow: data passed to class constructor and destructor by declaring the class...

CWE: 36 Absolute Path Traversal BadSource: connect_socket Read data using a connect socket (client side) GoodSource: Full path and file name Sinks: fopen BadSink : Open the file named in data using fopen() Flow Variant: 72 Data flow: data passed in a vector from one function to another in di...

CWE: 325 Missing Required Cryptographic Step Sinks: CryptCreateHash GoodSink: All required cryptographic steps are present BadSink : Missing call to CryptCreateHash() Flow Variant: 12 Control flow: if(globalReturnsTrueOrFalse())

CWE: 321 Use of Hard-coded Cryptographic Key BadSource: Copy a hardcoded value into cryptoKey GoodSource: Read cryptoKey from the console Sink: BadSink : Hash cryptoKey and use the value to encrypt a string Flow Variant: 11 Control flow: if(globalReturnsTrue()) and if(globalReturnsFalse())

CWE: 272 Least Privilege Violation Sinks: SHRegCreateUSKey GoodSink: Create a registry key using SHRegCreateUSKeyW() and SHREGSET_HKCU BadSink : Create a registry key using SHRegCreateUSKeyW() and SHREGSET_HKLM Flow Variant: 05 Control flow: if(staticTrue) and if(staticFalse)

CWE: 252 Unchecked Return Value Sinks: w32CreateNamedPipe GoodSink: Check the return value of CreateNamedPipeA() and handle it properly BadSink : Do not check if CreateNamedPipeA() fails Flow Variant: 01 Baseline

CWE: 23 Relative Path Traversal BadSource: console Read input from the console GoodSource: Use a fixed file name Sink: fopen BadSink : Open the file named in data using fopen() Flow Variant: 51 Data flow: data passed as an argument from one function to another in different source files

CWE: 23 Relative Path Traversal BadSource: connect_socket Read data using a connect socket (client side) GoodSource: Use a fixed file name Sink: w32CreateFile BadSink : Open the file named in data using CreateFile() Flow Variant: 11 Control flow: if(globalReturnsTrue()) and if(globalReturnsF...

CWE: 226 Sensitive Information Uncleared Before Release Sinks: declare GoodSink: Clear the password buffer before releasing the memory from the stack BadSink : Release password from the stack without first clearing the buffer Flow Variant: 08 Control flow: if(staticReturnsTrue()) and if(stati...

CWE: 134 Uncontrolled Format String BadSource: listen_socket Read data using a listen socket (server side) GoodSource: Copy a fixed string into data Sinks: w32_vsnprintf GoodSink: _vsnwprintf with a format string BadSink : _vsnwprintf without a format string Flow Variant: 16 Control flow: w...

CWE: 114 Process Control BadSource: environment Read input from an environment variable GoodSource: Hard code the full pathname to the library Sink: BadSink : Load a dynamic link library Flow Variant: 53 Data flow: data passed as an argument from one function through two others to a fourth; ...

CWE: 114 Process Control BadSource: file Read input from a file GoodSource: Hard code the full pathname to the library Sink: BadSink : Load a dynamic link library Flow Variant: 22 Control flow: Flow controlled by value of a global variable. Sink functions are in a separate file from sources.

CWE: 114 Process Control BadSource: connect_socket Read data using a connect socket (client side) GoodSource: Hard code the full pathname to the library Sink: BadSink : Load a dynamic link library Flow Variant: 13 Control flow: if(GLOBAL_CONST_FIVE==5) and if(GLOBAL_CONST_FIVE!=5)