CWE: 126 Buffer Over-read BadSource: Use a small buffer GoodSource: Use a large buffer Sink: loop BadSink : Copy data to string using a loop Flow Variant: 32 Data flow using two pointers to the same value within the same function

CWE: 124 Buffer Underwrite BadSource: Set data pointer to before the allocated memory buffer GoodSource: Set data pointer to the allocated memory buffer Sink: loop BadSink : Copy string to data using a loop Flow Variant: 05 Control flow: if(staticTrue) and if(staticFalse)

CWE: 122 Heap Based Buffer Overflow BadSource: listen_socket Read data using a listen socket (server side) GoodSource: Larger than zero but less than 10 Sinks: GoodSink: Ensure the array index is valid BadSink : Improperly check the array index by not checking the upper bound Flow Variant: ...

CWE: 122 Heap Based Buffer Overflow BadSource: Allocate memory without using sizeof(int) GoodSource: Allocate memory using sizeof(int) Sink: loop BadSink : Copy array to data using a loop Flow Variant: 06 Control flow: if(STATIC_CONST_FIVE==5) and if(STATIC_CONST_FIVE!=5)

CWE: 121 Stack Based Buffer Overflow BadSource: Initialize data as a large string GoodSource: Initialize data as a small string Sink: snprintf BadSink : Copy data to string using snprintf Flow Variant: 42 Data flow: data returned from one function to another in the same source file

CWE: 80 Cross Site Scripting (XSS) BadSource: Environment Read a string from an environment variable GoodSource: A hardcoded string Sinks: Servlet BadSink : querystring parameter not sanitized Flow Variant: 67 Data flow: data passed in a class from one method to another in different source f...

CWE: 760 Use of one-way hash with a predictable salt BadSource: Environment Read a string from an environment variable GoodSource: A hardcoded string Sinks: GoodSink: use a sufficiently random salt BadSink : SHA512 with a predictable salt Flow Variant: 67 Data flow: data passed in a class f...

CWE: 690 Unchecked return value is null, leading to a null pointer dereference. BadSource: System_getProperty Set data to return of System.getProperty GoodSource: Set data to fixed, non-null String Sinks: equals GoodSink: Call equals() on string literal (that is not null) BadSink : Call equa...

CWE: 369 Divide by zero BadSource: console_readLine Read data from the console using readLine GoodSource: A hardcoded non-zero, non-min, non-max, even number Sinks: modulo GoodSink: Check for zero before modulo BadSink : Modulo by a value that may be zero Flow Variant: 05 Control flow: if(p...

CWE: 369 Divide by zero BadSource: PropertiesFile Read a value from a .properties file GoodSource: A hardcoded non-zero, non-min, non-max, even number Sinks: divide GoodSink: Check for zero before dividing BadSink : Dividing by a value that may be zero Flow Variant: 45 Data flow: data passe...

CWE: 191 Integer Underflow BadSource: fromDB Read data from a database connection GoodSource: A hardcoded non-zero, non-min, non-max, even number Sinks: subtract GoodSink: Ensure there will not be an underflow before performing the subtraction BadSink : Unchecked subtraction can lead to unde...

CWE: 113 HTTP Response Splitting BadSource: URLConnection Read a string from a web server with URLConnection GoodSource: A hardcoded string Sinks: addCookieServlet GoodSink: URLEncode input BadSink : querystring to addCookie() Flow Variant: 15 Control flow: switch(6) and switch(7)

CWE: 789 Uncontrolled Memory Allocation BadSource: connect_socket Read data using a connect socket (client side) GoodSource: Small number greater than zero Sinks: GoodSink: Allocate memory with malloc() and check the size of the memory to be allocated BadSink : Allocate memory with malloc(),...

CWE: 680 Integer Overflow to Buffer Overflow BadSource: fgets Read data from the console using fgets() GoodSource: Small number greater than zero that will not cause an integer overflow in the sink Sink: BadSink : Attempt to allocate array using length value from source Flow Variant: 14 Cont...

CWE: 590 Free of Invalid Pointer Not on the Heap BadSource: alloca Data buffer is allocated on the stack with alloca() GoodSource: Allocate memory on the heap Sinks: BadSink : Print then free data Flow Variant: 64 Data flow: void pointer to data passed from one function to another in differe...

CWE: 469 Use Of Pointer Subtraction To Determine Size Sinks: memmove GoodSink: using correct pointer subtraction to determine length in memmove() BadSink : Beginning and end pointers are switched leading to an incorrect length in memmove() Flow Variant: 17 Control flow: for loops

CWE: 426 Untrusted Search Path BadSource: Don't specify the full path in the OS command GoodSource: Specify the full path in the OS command Sink: system BadSink : Execute the _wsystem function Flow Variant: 32 Data flow using two pointers to the same value within the same function

CWE: 401 Memory Leak BadSource: Allocate data using new GoodSource: Allocate data on the stack Sinks: GoodSink: call delete on data BadSink : no deallocation of data Flow Variant: 68 Data flow: data passed as a global variable from one function to another in different source files

CWE: 252 Unchecked Return Value Sinks: w32ImpersonateNamedPipeClient GoodSink: Check the return value of CreateNamedPipeA() and handle it properly BadSink : Do not check if CreateNamedPipeA() fails Flow Variant: 15 Control flow: switch(6)

CWE: 252 Unchecked Return Value Sinks: w32CreateMutex GoodSink: Check the return value of CreateMutexA() and handle it properly BadSink : Do not check if CreateMutexA() fails Flow Variant: 09 Control flow: if(global_const_t) and if(global_const_f)

CWE: 23 Relative Path Traversal BadSource: connect_socket Read data using a connect socket (client side) GoodSource: File name without a period or slash Sinks: fopen BadSink : Flow Variant: 31 Data flow using a copy of data within the same function

CWE: 23 Relative Path Traversal BadSource: fromFile Read input from a file GoodSource: File name without a period or slash Sink: fopen BadSink : Flow Variant: 15 Control flow: switch(6)

CWE: 190 Integer Overflow BadSource: fixed Fixed value GoodSource: Small, non-zero Sinks: multiply GoodSink: Ensure there is no overflow before performing the multiplication BadSink : Multiply data by 2 Flow Variant: 42 Data flow: data returned from one function to another in the same sourc...

CWE: 187 Partial Comparison BadSource: connect_socket Read data using a connect socket (client side) GoodSource: Provide a matching password Sinks: str GoodSink: Compare the 2 passwords correctly BadSink : use wcsstr() to do password match, which is a partial comparison Flow Variant: 45 Dat...

CWE: 124 Buffer Underwrite BadSource: Set data pointer to before the allocated memory buffer GoodSource: Set data pointer to the allocated memory buffer Sinks: memcpy BadSink : Copy string to data using memcpy Flow Variant: 44 Data/control flow: data passed as an argument from one function ...