Displaying test cases 71576 - 71600 of 74755 in total
- CWE: 134 Uncontrolled Format String BadSource: file Read input from a file GoodSource: Copy a fixed string into data Sinks: snprintf GoodSink: snwprintf with %s as the third argument and data as the fourth BadSink: snwprintf with data as the third argument Flow Variant: 31 Data flow using ...
- CWE: 122 Heap Based Buffer Overflow BadSource: Initialize data as a large string GoodSource: Initialize data as a small string Sink: cpy BadSink: Copy data to string using strcpy Flow Variant: 06 Control flow: if(STATIC_CONST_FIVE==5) and if(STATIC_CONST_FIVE!=5)
- CWE: 122 Heap Based Buffer Overflow BadSource: Allocate memory for a string, but do not allocate space for NULL terminator GoodSource: Allocate enough memory for a string and the NULL terminator Sink: ncpy BadSink: Copy string to data using strncpy() Flow Variant: 06 Control flow: if(STATI...
- CWE: 89 SQL Injection BadSource: URLConnection Read a string from a web server with URLConnection GoodSource: A hardcoded string Sinks: execute GoodSink: prepared sqlstatement, single BadSink: untrusted parameter value to raw insert sqlstatement Flow Variant: 31 Data flow: make a copy of d...
- CWE: 80 Cross Site Scripting (XSS) BadSource: listen_tcp Read data using a listening tcp connection GoodSource: A hardcoded string Sinks: Servlet BadSink: querystring parameter not sanitized Flow Variant: 66 Data flow: data passed in an array from one method to another in different source f...
- CWE: 80 Cross Site Scripting (XSS) BadSource: fromFile Read data from file (named c:\data.txt) GoodSource: A hardcoded string BadSink: Servlet querystring parameter not sanitized Flow Variant: 04 Control flow: if(private_final_t) and if(private_final_f)
- CWE: 257 Storing passwords in a recoverable format BadSource: PropertiesFile Read a value from a .properties file (in property named data) GoodSource: A hardcoded string Sinks: GoodSink: one-way hash instead of symmetric crypto BadSink: symmetric encryption with an easy key Flow Variant: 1...
- CWE: 209 Information exposure through error message BadSource: Environment Read a string from an environment variable GoodSource: A hardcoded string Sinks: stackDump GoodSink: Generic error message BadSink: Error causes stack dump Flow Variant: 03 Control flow: if(5==5) and if(5!=5)
- CWE: 134 Uncontrolled Format String BadSource: Environment Read a string from an environment variable GoodSource: A hardcoded string Sinks: format GoodSink: dynamic formatted stdout with string defined BadSink: dynamic formatted stdout without validation Flow Variant: 01 Baseline
- CWE: 78 OS Command Injection BadSource: fromFile Read input from a file GoodSource: Benign input Sinks: w32spawnvp BadSink: execute command with wspawnvp Flow Variant: 64 Data flow: void pointer to data passed from one function to another in different source files
- CWE: 78 OS Command Injection BadSource: fromConsole Read input from the console GoodSource: Benign input Sink: execvp BadSink: execute command with execvp Flow Variant: 10 Control flow: if(global_t) and if(global_f)
- CWE: 761 Free Pointer Not At Start of Buffer BadSource: listen_socket Read data using a listen socket (server side) Sinks: GoodSink: free() memory correctly at the start of the buffer BadSink: free() memory not at the start of the buffer Flow Variant: 68 Data flow: data passed as a global v...
- CWE: 761 Free Pointer Not At Start of Buffer BadSource: Environment Read input from an environment variable Sinks: GoodSink: free() memory correctly at the start of the buffer BadSink: free() memory not at the start of the buffer Flow Variant: 15 Control flow: switch(6)
- CWE: 680 Integer Overflow to Buffer Overflow BadSource: fixed Fixed value that will cause an integer overflow in the sink GoodSource: Small number greater than zero that will not cause an integer overflow in the sink Sink: BadSink: Attempt to allocate array using length value from source Fl...
- CWE: 457 Use of Uninitialized Variable BadSource: no_init Don't initialize data GoodSource: Initialize data Sinks: use GoodSink: Initialize then use data BadSink: Use data Flow Variant: 10 Control flow: if(global_t) and if(global_f)
- CWE: 401 Memory Leak BadSource: realloc Allocate data using realloc() GoodSource: Allocate data on the stack Sinks: GoodSink: call free() on data BadSink: no deallocation of data Flow Variant: 41 Data flow: data passed as an argument from one function to another in the same source file
- CWE: 23 Relative Path Traversal BadSource: Environment Read input from an environment variable GoodSource: File name without a period or slash Sinks: fopen BadSink: Flow Variant: 65 Data/control flow: data passed as an argument from one function to a function in a different source file call...
- CWE: 190 Integer Overflow BadSource: fscanf Read data from the console using fscanf() GoodSource: Small, non-zero Sinks: square GoodSink: Ensure there is no overflow before performing the squaring operation BadSink: Square data Flow Variant: 45 Data flow: data passed as a static global var...
- CWE: 190 Integer Overflow BadSource: fscanf Read data from the console using fscanf() GoodSource: Small, non-zero Sinks: square GoodSink: Ensure there is no overflow before performing the squaring operation BadSink: Square data Flow Variant: 34 Data flow: use of a union containing two meth...
- CWE: 187 Partial Comparison BadSource: fromFile Read input from a file GoodSource: Provide a matching password Sinks: ncmp_correct_pw GoodSink: Compare the 2 passwords correctly BadSink: use strncmp() to do password match, but use the length of the correct password Flow Variant: 63 Data fl...
- CWE: 134 Uncontrolled Format String BadSource: Environment Read input from an environment variable GoodSource: Copy a fixed string into data Sinks: vsnprintf GoodSink: vsnprintf with a format string BadSink: vsnprintf without a format string Flow Variant: 52 Data flow: data passed as an ar...
- CWE: 122 Heap Based Buffer Overflow BadSource: Initialize data as a large string GoodSource: Initialize data as a small string Sink: cat BadSink: Copy data to string using strcat Flow Variant: 16 Control flow: while(1) and while(0)
- CWE: 122 Heap Based Buffer Overflow BadSource: Initialize data as a large string GoodSource: Initialize data as a small string Sinks: memmove BadSink: Copy data to string using memmove Flow Variant: 64 Data flow: void pointer to data passed from one function to another in different source ...
- CWE: 122 Heap Based Buffer Overflow BadSource: Initialize data as a large string GoodSource: Initialize data as a small string Sink: memmove BadSink: Copy data to string using memmove Flow Variant: 52 Data flow: data passed as an argument from one function to another to another in three di...
- CWE: 121 Stack Based Buffer Overflow BadSource: Set data pointer to the bad buffer GoodSource: Set data pointer to the good buffer Sink: memcpy BadSink: Copy twoints array to data using memcpy Flow Variant: 52 Data flow: data passed as an argument from one function to another to another in...