Displaying test cases 71476 - 71500 of 74755 in total
-
CWE: 78 OS Command Injection BadSource: listen_socket Read data using a listen socket (server side) GoodSource: Fixed string Sink: w32_execvp BadSink : execute command with wexecvp Flow Variant: 08 Control flow: if(staticReturnsTrue()) and if(staticReturnsFalse())
-
CWE: 78 OS Command Injection BadSource: environment Read input from an environment variable GoodSource: Fixed string Sinks: execl BadSink : execute command with wexecl Flow Variant: 62 Data flow: data flows using a C++ reference from one function to another in different source files
-
CWE: 78 OS Command Injection BadSource: environment Read input from an environment variable GoodSource: Fixed string Sink: execl BadSink : execute command with execl Flow Variant: 11 Control flow: if(globalReturnsTrue()) and if(globalReturnsFalse())
-
CWE: 78 OS Command Injection BadSource: console Read input from the console GoodSource: Fixed string Sink: w32_spawnv BadSink : execute command with spawnv Flow Variant: 05 Control flow: if(staticTrue) and if(staticFalse)
-
CWE: 789 Uncontrolled Memory Allocation BadSource: listen_socket Read data using a listen socket (server side) GoodSource: Small number greater than zero Sinks: GoodSink: Allocate memory with malloc() and check the size of the memory to be allocated BadSink : Allocate memory with malloc(), b...
-
CWE: 789 Uncontrolled Memory Allocation BadSource: listen_socket Read data using a listen socket (server side) GoodSource: Small number greater than zero Sinks: GoodSink: Allocate memory with malloc() and check the size of the memory to be allocated BadSink : Allocate memory with malloc(), b...
-
CWE: 762 Mismatched Memory Management Routines BadSource: malloc Allocate data using malloc() GoodSource: Allocate data using new Sinks: GoodSink: Deallocate data using free() BadSink : Deallocate data using delete Flow Variant: 33 Data flow: use of a C++ reference to data within the same f...
-
CWE: 761 Free Pointer not at Start of Buffer BadSource: file Read input from a file Sinks: GoodSink: free() memory correctly at the start of the buffer BadSink : free() memory not at the start of the buffer Flow Variant: 81 Data flow: data passed in a parameter to a virtual method called vi...
-
CWE: 761 Free Pointer not at Start of Buffer BadSource: environment Read input from an environment variable Sinks: GoodSink: free() memory correctly at the start of the buffer BadSink : free() memory not at the start of the buffer Flow Variant: 13 Control flow: if(GLOBAL_CONST_FIVE==5) and i...
-
CWE: 457 Use of Uninitialized Variable BadSource: no_init Don't initialize data GoodSource: Initialize data Sinks: use GoodSink: Initialize then use data BadSink : Use data Flow Variant: 02 Control flow: if(1) and if(0)
-
CWE: 401 Memory Leak BadSource: malloc Allocate data using malloc() GoodSource: Allocate data on the stack Sinks: GoodSink: call free() on data BadSink : no deallocation of data Flow Variant: 03 Control flow: if(5==5) and if(5!=5)
-
CWE: 195 Signed to Unsigned Conversion Error BadSource: fgets Read data from the console using fgets() GoodSource: Positive integer Sink: malloc BadSink : Allocate memory using malloc() with the size of data Flow Variant: 54 Data flow: data passed as an argument from one function through thr...
-
CWE: 122 Heap Based Buffer Overflow Sinks: type_overrun_memcpy GoodSink: Perform the memcpy() and prevent overwriting part of the structure BadSink : Overwrite part of the structure by incorrectly using the sizeof(struct) in memcpy() Flow Variant: 18 Control flow: goto statements
-
CWE: 760 Use of one-way hash with a predictable salt BadSource: getParameterServlet Read data from a querystring using getParameter GoodSource: A hardcoded string Sinks: GoodSink: use a sufficiently random salt BadSink : SHA512 with a predictable salt Flow Variant: 51 Data flow: data passed...
-
CWE: 470 Unsafe Reflection BadSource: listen_tcp Read data using a listening tcp connection GoodSource: Hardcoded class to load Sinks: GoodSink: instantiate only certain fixed classes BadSink : instantiate arbitrary class Flow Variant: 03 Control flow: if(5==5) and if(5!=5)
-
CWE: 113 HTTP Response Splitting BadSource: URLConnection Read a string from a web server with URLConnection GoodSource: A hardcoded string Sinks: setHeaderServlet GoodSink: URLEncode input BadSink : querystring to setHeader() Flow Variant: 19 Control flow: Dead code after an if(true) return
-
CWE: 762 Mismatched Memory Management Routines BadSource: malloc Allocate data using malloc() GoodSource: Allocate data using new [] Sinks: GoodSink: Deallocate data using free() BadSink : Deallocate data using delete [] Flow Variant: 09 Control flow: if(global_const_t) and if(global_const_f)
-
CWE: 762 Mismatched Memory Management Routines BadSource: calloc Allocate data using calloc() GoodSource: Allocate data using new [] Sinks: GoodSink: Deallocate data using free() BadSink : Deallocate data using delete [] Flow Variant: 06 Control flow: if(static_const_five==5) and if(static_...
-
CWE: 590 Free of Invalid Pointer Not on the Heap BadSource: declare Data buffer is declared on the stack GoodSource: Allocate memory on the heap Sink: BadSink : Print then free data Flow Variant: 02 Control flow: if(1) and if(0)
-
CWE: 590 Free of Invalid Pointer Not on the Heap BadSource: alloca Data buffer is allocated on the stack with alloca() GoodSource: Allocate memory on the heap Sink: BadSink : Print then free data Flow Variant: 68 Data flow: data passed as a global variable from one function to another in dif...
-
CWE: 401 Memory Leak BadSource: malloc Allocate data using malloc() GoodSource: Allocate data on the stack Sinks: GoodSink: call free() on data BadSink : no deallocation of data Flow Variant: 07 Control flow: if(static_five==5) and if(static_five!=5)
-
CWE: 390 Detection of Error Condition Without Action Sinks: fopen GoodSink: Check to see if _wfopen() failed, and handle errors properly BadSink : Check to see if _wfopen() failed, but fail to handle errors Flow Variant: 16 Control flow: while(1) and while(0)
-
CWE: 134 Uncontrolled Format String BadSource: connect_socket Read data using a connect socket (client side) GoodSource: Copy a fixed string into data Sinks: vsnprintf GoodSink: vsnprintf with a format string BadSink : vsnprintf without a format string Flow Variant: 09 Control flow: if(glob...
-
CWE: 126 Buffer Over-read BadSource: Set data pointer to a small buffer GoodSource: Set data pointer to a large buffer Sinks: memmove BadSink : Copy data to string using memmove Flow Variant: 31 Data flow using a copy of data within the same function
-
CWE: 123 Write-What-Where Condition BadSource: fgets Overwrite linked list pointers using fgets GoodSource: Don't overwrite linked list pointers Sink: BadSink : Remove element from list Flow Variant: 17 Control flow: for loops