Displaying test cases 71451 - 71475 of 74755 in total
- CWE: 680 Integer Overflow to Buffer Overflow BadSource: listen_socket Read data using a listen socket (server side) GoodSource: Small number greater than zero that will not cause an integer overflow in the sink Sink: BadSink : Attempt to allocate array using length value from source Flow Var...
- CWE: 674 Uncontrolled Recursion Sinks: unbounded_recursive_call GoodSink: Limit recursion to a managed level BadSink : Recursion not limited to a managed level Flow Variant: 05 Control flow: if(static_t) and if(static_f)
- CWE: 590 Free of Invalid Pointer Not on the Heap BadSource: alloca Data buffer is allocated on the stack with alloca() GoodSource: Allocate memory on the heap Sink: BadSink : Print then free data Flow Variant: 52 Data flow: data passed as an argument from one function to another to another i...
- CWE: 457 Use of Uninitialized Variable BadSource: no_init Don't initialize data GoodSource: Initialize data Sinks: use GoodSink: Initialize then use data BadSink : Use data Flow Variant: 05 Control flow: if(static_t) and if(static_f)
- CWE: 416 Use After Free BadSource: Allocate data using new, initialize memory block, and Deallocate data using delete GoodSource: Allocate data using new and initialize memory block Sinks: GoodSink: Do nothing BadSink : Use data after free() Flow Variant: 17 Control flow: for loops
- CWE: 416 Use After Free BadSource: Allocate data using malloc(), initialize memory block, and Deallocate data using free() GoodSource: Allocate data using malloc() and initialize memory block Sinks: GoodSink: Do nothing BadSink : Use data Flow Variant: 45 Data flow: data passed as a static...
- CWE: 415 Double Free BadSource: Allocate data using malloc() and Deallocate data using free() GoodSource: Allocate data using malloc() Sinks: GoodSink: do nothing BadSink : Deallocate data using free() Flow Variant: 54 Data flow: data passed as an argument from one function through three o...
- CWE: 415 Double Free BadSource: Allocate data using malloc() and Deallocate data using free() GoodSource: Allocate data using malloc() Sinks: GoodSink: do nothing BadSink : Deallocate data using free() Flow Variant: 54 Data flow: data passed as an argument from one function through three o...
- CWE: 400 Resource Exhaustion BadSource: connect_socket Read data using a connect socket (client side) GoodSource: Assign count to be a relatively small number Sinks: for_loop GoodSink: Validate count before using it as the loop variant in a for loop BadSink : Use count as the loop variant in...
- CWE: 390 Detection of Error Condition Without Action Sinks: fprintf GoodSink: Check if fprintf() failed and handle errors properly BadSink : Check to see if fprintf() failed, but do nothing about it Flow Variant: 19 Control flow: Dead code after a return
- CWE: 369 Divide By Zero BadSource: zero Fixed value of zero GoodSource: Non-zero Sinks: BadSink : Divide a constant by data Flow Variant: 31 Data flow using a copy of data within the same function
- CWE: 197 Numeric Truncation Error BadSource: fscanf Read data from the console using fscanf() GoodSource: Less than CHAR_MAX Sink: to_char BadSink : Convert data to a char Flow Variant: 51 Data flow: data passed as an argument from one function to another in different source files
- CWE: 194 Unexpected Sign Extension BadSource: negative Set data to a fixed negative number GoodSource: Positive integer Sinks: strncpy BadSink : Copy strings using strncpy() with the length of data Flow Variant: 66 Data flow: data passed in an array from one function to another in different ...
- CWE: 187 Partial Comparison BadSource: substring Provide a password that is a shortened version of the actual password GoodSource: Provide a matching password Sinks: ncmp_correct_pw GoodSink: Compare the 2 passwords correctly BadSink : use strncmp() to do password match, but use the length o...
- CWE: 187 Partial Comparison BadSource: connect_socket Read data using a connect socket (client side) GoodSource: Provide a matching password Sinks: ncmp_correct_pw GoodSink: Compare the 2 passwords correctly BadSink : use strncmp() to do password match, but use the length of the correct pass...
- CWE: 187 Partial Comparison BadSource: Environment Read input from an environment variable GoodSource: Provide a matching password Sinks: str GoodSink: Compare the 2 passwords correctly BadSink : use strstr() to do password match, which is a partial comparison Flow Variant: 18 Control flow:...
- CWE: 134 Uncontrolled Format String BadSource: fromConsole Read input from the console GoodSource: Copy a fixed string into data Sinks: snprintf GoodSink: snprintf with "%s" as the third argument and data as the fourth BadSink : snprintf with data as the third argument Flow Variant: 02 Cont...
- CWE: 134 Uncontrolled Format String BadSource: connect_socket Read data using a connect socket (client side) GoodSource: Copy a fixed string into data Sinks: printf GoodSink: printf with "%s" as the first argument and data as the second BadSink : printf with only data as an argument Flow Va...
- CWE: 127 Buffer Under-read BadSource: Set data pointer to before the allocated memory buffer GoodSource: Set data pointer to the allocated memory buffer Sinks: cpy BadSink : Copy data to string using strcpy Flow Variant: 31 Data flow using a copy of data within the same function
- CWE: 126 Buffer Over-read BadSource: Set data pointer to a small buffer GoodSource: Set data pointer to a large buffer Sink: memmove BadSink : Copy data to string using memmove Flow Variant: 17 Control flow: for loops
- CWE: 124 Buffer Underwrite BadSource: Set data pointer to before the allocated memory buffer GoodSource: Set data pointer to the allocated memory buffer Sink: memcpy BadSink : Copy string to data using memcpy Flow Variant: 19 Control flow: Dead code after a return
- CWE: 122 Heap Based Buffer Overflow BadSource: Allocate using new[] and set data pointer to a small buffer GoodSource: Allocate using new[] and set data pointer to a large buffer Sinks: memcpy BadSink : Copy string to data using memcpy Flow Variant: 44 Data/control flow: data passed as an a...
- CWE: 122 Heap Based Buffer Overflow BadSource: Allocate using new[] and set data pointer to a small buffer GoodSource: Allocate using new[] and set data pointer to a large buffer Sink: snprintf BadSink : Copy string to data using snprintf Flow Variant: 32 Data flow using two pointers to the...
- CWE: 122 Heap Based Buffer Overflow BadSource: Initialize data as a large string GoodSource: Initialize data as a small string Sink: loop BadSink : Copy data to string using a loop Flow Variant: 14 Control flow: if(global_five==5) and if(global_five!=5)
- CWE: 122 Heap Based Buffer Overflow BadSource: Allocate using malloc() and set data pointer to a small buffer GoodSource: Allocate using malloc() and set data pointer to a large buffer Sink: cat BadSink : Copy string to data using strcat Flow Variant: 07 Control flow: if(static_five==5) and...