Displaying test cases 3126 - 3150 of 74755 in total
- CWE: 78 OS Command Injection BadSource: file Read input from a file GoodSource: Fixed string Sinks: w32_spawnv BadSink : execute command with wspawnv Flow Variant: 34 Data flow: use of a union containing two methods of accessing the same data (within the same function)
- CWE: 78 OS Command Injection BadSource: listen_socket Read data using a listen socket (server side) GoodSource: Fixed string Sinks: w32_execvp BadSink : execute command with execvp Flow Variant: 43 Data flow: data flows using a C++ reference from one function to another in the same source file
- CWE: 416 Use After Free BadSource: Allocate data using malloc(), initialize memory block, and Deallocate data using free() GoodSource: Allocate data using malloc() and initialize memory block Sinks: GoodSink: Do nothing BadSink : Use data Flow Variant: 03 Control flow: if(5==5) and if(5!=5)
- CWE: 89 SQL Injection BadSource: URLConnection Read a string from a web server with URLConnection GoodSource: A hardcoded string Sinks: executeUpdate GoodSink: prepared sqlstatement, executeUpdate BadSink : raw query used in executeUpdate Flow Variant: 71 Data flow: data passed as an Object...
- CWE: 83 Cross Site Scripting (XSS) in attributes; Examples(replace QUOTE with an actual double quote): ?img_loc=http://www.google.comQUOTE%20onerror=QUOTEalert(1) and ?img_loc=http://www.google.comQUOTE%20onerror=QUOTEjavascript:alert(1) BadSource: Environment Read a string from an environment v...
- CWE: 369 Divide by zero BadSource: random Set data to a random value GoodSource: A hardcoded non-zero, non-min, non-max, even number Sinks: divide GoodSink: Check for zero before dividing BadSink : Dividing by a value that may be zero Flow Variant: 61 Data flow: data returned from one metho...
- CWE: 190 Integer Overflow BadSource: URLConnection Read data from a web server with URLConnection GoodSource: A hardcoded non-zero, non-min, non-max, even number Sinks: multiply GoodSink: Ensure there will not be an overflow before performing the multiplication BadSink : Unchecked multiplica...
- CWE: 789 Uncontrolled Memory Allocation BadSource: listen_socket Read data using a listen socket (server side) GoodSource: Small number greater than zero Sinks: GoodSink: Allocate memory with malloc() and check the size of the memory to be allocated BadSink : Allocate memory with malloc(), b...
- CWE: 762 Mismatched Memory Management Routines BadSource: Allocate data using new GoodSource: Allocate data using new [] Sinks: GoodSink: Deallocate data using delete BadSink : Deallocate data using delete [] Flow Variant: 66 Data flow: data passed in an array from one function to another ...
- CWE: 758 Undefined Behavior Sinks: alloca_use GoodSink: Initialize then use data BadSink : Use data from alloca without initialization Flow Variant: 11 Control flow: if(global_returns_t()) and if(global_returns_f())
- CWE: 590 Free of Invalid Pointer Not on the Heap BadSource: declare Data buffer is declared on the stack GoodSource: Allocate memory on the heap Sink: BadSink : Print then free data Flow Variant: 06 Control flow: if(static_const_five==5) and if(static_const_five!=5)
- CWE: 467 Use of sizeof() on a Pointer Type BadSource: Initialize the source buffer using the size of a pointer GoodSource: Initialize the source buffer using the size of the DataElementType Sink: BadSink : Print then free data Flow Variant: 12 Control flow: if(global_returns_t_or_f())
- CWE: 427 Uncontrolled Search Path Element BadSource: fromFile Read input from a file GoodSource: Use a hardcoded path Sink: BadSink : Set the environment variable Flow Variant: 06 Control flow: if(static_const_five==5) and if(static_const_five!=5)
- CWE: 404 Improper Resource Shutdown or Release BadSource: Open a file using CreateFile() Sinks: fclose GoodSink: Close the file using CloseHandle() BadSink : Close the file using fclose() Flow Variant: 12 Control flow: if(global_returns_t_or_f())
- CWE: 401 Memory Leak Sinks: GoodSink: Ensure the memory block pointed to by data is always freed BadSink : malloc() and use then realloc() and use data before free() Flow Variant: 10 Control flow: if(global_t) and if(global_f)
- CWE: 390 Detection of Error Condition Without Action Sinks: sqrt GoodSink: Check to see if sqrt() failed and handle errors properly BadSink : Check to see if sqrt() failed, but fail to handle errors Flow Variant: 03 Control flow: if(5==5) and if(5!=5)
- CWE: 369 Divide By Zero BadSource: rand Set data to result of rand(), which may be zero GoodSource: Non-zero Sinks: divide BadSink : Divide a constant by data Flow Variant: 45 Data flow: data passed as a static global variable from one function to another in the same source file
- CWE: 23 Relative Path Traversal BadSource: connect_socket Read data using a connect socket (client side) GoodSource: File name without a period or slash Sink: w32CreateFile BadSink : Flow Variant: 02 Control flow: if(1) and if(0)
- CWE: 190 Integer Overflow BadSource: rand Set data to result of rand() GoodSource: Small, non-zero Sinks: multiply GoodSink: Ensure there is no overflow before performing the multiplication BadSink : Multiply data by 2 Flow Variant: 66 Data flow: data passed in an array from one function to...
- CWE: 134 Uncontrolled Format String BadSource: fromConsole Read input from the console GoodSource: Copy a fixed string into data Sinks: vprintf GoodSink: vwprintf with a format string BadSink : vwprintf without a format string Flow Variant: 65 Data/control flow: data passed as an argument f...
- CWE: 134 Uncontrolled Format String BadSource: listen_socket Read data using a listen socket (server side) GoodSource: Copy a fixed string into data Sinks: fprintf GoodSink: fprintf with "%s" as the second argument and data as the third BadSink : fprintf with data as the second argument Flo...
- CWE: 134 Uncontrolled Format String BadSource: Environment Read input from an environment variable GoodSource: Copy a fixed string into data Sinks: snprintf GoodSink: snprintf with "%s" as the third argument and data as the fourth BadSink : snprintf with data as the third argument Flow Vari...
- CWE: 127 Buffer Under-read BadSource: Set data pointer to before the allocated memory buffer GoodSource: Set data pointer to the allocated memory buffer Sink: memmove BadSink : Copy data to string using memmove Flow Variant: 16 Control flow: while(1) and while(0)
- CWE: 124 Buffer Underwrite BadSource: Set data pointer to before the allocated memory buffer GoodSource: Set data pointer to the allocated memory buffer Sinks: cpy BadSink : Copy string to data using strcpy Flow Variant: 63 Data flow: pointer to data passed from one function to another in d...
- CWE: 122 Heap Based Buffer Overflow BadSource: Initialize data as a large string GoodSource: Initialize data as a small string Sinks: loop BadSink : Copy data to string using a loop Flow Variant: 31 Data flow using a copy of data within the same function