Displaying test cases 71876 - 71900 of 74755 in total
- CWE: 78 OS Command Injection BadSource: file Read input from a file GoodSource: Fixed string Sink: w32_spawnv BadSink : execute command with wspawnv Flow Variant: 54 Data flow: data passed as an argument from one function through three others to a fifth; all five functions are in different s...
- CWE: 78 OS Command Injection BadSource: connect_socket Read data using a connect socket (client side) GoodSource: Fixed string Sinks: execlp BadSink : execute command with wexeclp Flow Variant: 31 Data flow using a copy of data within the same function
- CWE: 78 OS Command Injection BadSource: listen_socket Read data using a listen socket (server side) GoodSource: Fixed string Sinks: w32_execv BadSink : execute command with execv Flow Variant: 62 Data flow: data flows using a C++ reference from one function to another in different source files
- CWE: 762 Mismatched Memory Management Routines BadSource: realloc Allocate data using realloc() GoodSource: Allocate data using new Sinks: GoodSink: Deallocate data using free() BadSink : Deallocate data using delete Flow Variant: 31 Data flow using a copy of data within the same function
- CWE: 122 Heap Based Buffer Overflow BadSource: Initialize data as a large string GoodSource: Initialize data as a small string Sinks: loop BadSink : Copy data to string using a loop Flow Variant: 83 Data flow: data passed to class constructor and destructor by declaring the class object on ...
- CWE: 122 Heap Based Buffer Overflow BadSource: Allocate memory for a string, but do not allocate space for NULL terminator GoodSource: Allocate enough memory for a string and the NULL terminator Sink: memmove BadSink : Copy string to data using memmove() Flow Variant: 32 Data flow using two...
- CWE: 122 Heap Based Buffer Overflow BadSource: Allocate memory for a string, but do not allocate space for NULL terminator GoodSource: Allocate enough memory for a string and the NULL terminator Sink: cpy BadSink : Copy string to data using wcscpy() Flow Variant: 32 Data flow using two poin...
- CWE: 122 Heap Based Buffer Overflow BadSource: Allocate memory for a string, but do not allocate space for NULL terminator GoodSource: Allocate enough memory for a string and the NULL terminator Sink: memmove BadSink : Copy string to data using memmove() Flow Variant: 10 Control flow: if(gl...
- CWE: 90 LDAP Injection BadSource: fromDB Read a string from a database connection GoodSource: A hardcoded string BadSink: unchecked data leads to LDAP injection Flow Variant: 11 Control flow: if(IO.static_returns_t()) and if(IO.static_returns_f())
- CWE: 789 Uncontrolled Memory Allocation BadSource: getParameterServlet Read data from a querystring using getParameter GoodSource: A hardcoded non-zero, non-min, non-max, even number BadSink: HashMap Create a HashMap using data as the initial size Flow Variant: 14 Control flow: if(IO.static_f...
- CWE: 379 File Creation in Insecure Directory Sinks: perm GoodSink: securely create dir BadSink : permissions never set on dir Flow Variant: 11 Control flow: if(IO.static_returns_t()) and if(IO.static_returns_f())
- CWE: 321 Hard coded crypto key BadSource: hardcoded key GoodSource: read key from console Sinks: BadSink : use data as a key Flow Variant: 52 Data flow: data passed as an argument from one method to another to another in three different classes in the same package
- CWE: 191 Integer Underflow BadSource: fromDB Read data from a database connection GoodSource: A hardcoded non-zero, non-min, non-max, even number Sinks: multiply GoodSink: Ensure there will not be an overflow before performing the multiplication BadSink : Unchecked multiplication, which can ...
- CWE: 113 HTTP Response Splitting BadSource: URLConnection Read a string from a web server with URLConnection GoodSource: A hardcoded string Sinks: setHeaderServlet GoodSink: URLEncode input BadSink : querystring to setHeader() Flow Variant: 01 Baseline
- CWE: 78 OS Command Injection BadSource: Environment Read input from an environment variable GoodSource: Benign input Sink: execv BadSink : execute command with wexecv Flow Variant: 54 Data flow: data passed as an argument from one function through three others to a fifth; all five functions ...
- CWE: 560 Use Of umask With chmod Style Argument Sinks: GoodSink: Use umask() correctly BadSink : Use umask() incorrectly - the bits sent to umask() are bitwise-negated Flow Variant: 02 Control flow: if(1) and if(0)
- CWE: 416 Use After Free BadSource: Allocate data using new, initialize memory block, and Deallocate data using delete GoodSource: Allocate data using new and initialize memory block Sinks: GoodSink: Do nothing BadSink : Use data after free() Flow Variant: 02 Control flow: if(1) and if(0)
- CWE: 401 Memory Leak Sinks: GoodSink: Ensure the memory block pointed to by data is always freed BadSink : malloc() and use then realloc() and use data before free() Flow Variant: 04 Control flow: if(static_const_t) and if(static_const_f)
- CWE: 36 Absolute Path Traversal BadSource: Environment Read input from an environment variable GoodSource: Full path and file name Sink: w32CreateFile BadSink : Flow Variant: 42 Data flow: data returned from one function to another in the same source file
- CWE: 23 Relative Path Traversal BadSource: listen_socket Read data using a listen socket (server side) GoodSource: File name without a period or slash Sink: open BadSink : Flow Variant: 02 Control flow: if(1) and if(0)
- CWE: 195 Signed to Unsigned Conversion BadSource: listen_socket Read data using a listen socket (server side) GoodSource: Positive integer Sink: strncpy BadSink : Copy strings using strncpy() with the length of data Flow Variant: 68 Data flow: data passed as a global variable from one functi...
- CWE: 190 Integer Overflow BadSource: fixed Fixed value GoodSource: Small, non-zero Sinks: square GoodSink: Ensure there is no overflow before performing the squaring operation BadSink : Square data Flow Variant: 63 Data flow: pointer to data passed from one function to another in different ...
- CWE: 187 Partial Comparison BadSource: substring Provide a password that is a shortened version of the actual password GoodSource: Provide a matching password Sinks: ncmp_user_pw GoodSink: Compare the 2 passwords correctly BadSink : use strncmp() to do password match, but use the length of t...
- CWE: 127 Buffer Under-read BadSource: Set data pointer to before the allocated memory buffer GoodSource: Set data pointer to the allocated memory buffer Sink: memcpy BadSink : Copy data to string using memcpy Flow Variant: 42 Data flow: data returned from one function to another in the same...
- CWE: 124 Buffer Underwrite BadSource: Set data pointer to before the allocated memory buffer GoodSource: Set data pointer to the allocated memory buffer Sink: memmove BadSink : Copy string to data using memmove Flow Variant: 14 Control flow: if(global_five==5) and if(global_five!=5)