Displaying test cases 72051 - 72075 of 74755 in total
-
CWE: 127 Buffer Under-read BadSource: Set data pointer to before the allocated memory buffer GoodSource: Set data pointer to the allocated memory buffer Sink: loop BadSink : Copy data to string using a loop Flow Variant: 13 Control flow: if(GLOBAL_CONST_FIVE==5) and if(GLOBAL_CONST_FIVE!=5)
-
CWE: 122 Heap Based Buffer Overflow BadSource: Initialize data as a large string GoodSource: Initialize data as a small string Sink: ncpy BadSink : Copy data to string using wcsncpy Flow Variant: 08 Control flow: if(staticReturnsTrue()) and if(staticReturnsFalse())
-
CWE: 122 Heap Based Buffer Overflow BadSource: Initialize data as a large string GoodSource: Initialize data as a small string Sinks: ncat BadSink : Copy data to string using wcsncat Flow Variant: 43 Data flow: data flows using a C++ reference from one function to another in the same source...
-
CWE: 122 Heap Based Buffer Overflow BadSource: Allocate using malloc() and set data pointer to a small buffer GoodSource: Allocate using malloc() and set data pointer to a large buffer Sink: memmove BadSink : Copy string to data using memmove Flow Variant: 13 Control flow: if(GLOBAL_CONST_F...
-
CWE: 89 SQL Injection BadSource: getParameterServlet Read data from a querystring using getParameter GoodSource: A hardcoded string Sinks: executeUpdate GoodSink: prepared sqlstatement, executeUpdate BadSink : raw query used in executeUpdate Flow Variant: 45 Data flow: data passed as a priv...
-
CWE: 89 SQL Injection BadSource: getCookiesServlet Read data from the first cookie GoodSource: A hardcoded string Sinks: executeQuery GoodSink: prepared sqlstatement, executeQuery BadSink : raw query used in executeQuery Flow Variant: 45 Data flow: data passed as a private class member vari...
-
CWE: 643 Unsafe Treatment of XPath Input BadSource: getCookiesServlet Read data from the first cookie GoodSource: A hardcoded string Sinks: unvalidatedXPath GoodSink: validate input through StringEscapeUtils BadSink : user input is used without validation Flow Variant: 04 Control flow: if(pri...
-
CWE: 613 Insufficient Session Expiration Sinks: GoodSink: force session to expire BadSink : set session to never expire Flow Variant: 11 Control flow: if(IO.static_returns_t()) and if(IO.static_returns_f())
-
CWE: 338 Use of Cryptographically Weak PRNG Sinks: util GoodSink: stronger PRNG BadSink : weak PRNG Flow Variant: 04 Control flow: if(private_final_t) and if(private_final_f)
-
CWE: 257 Storing passwords in a recoverable format BadSource: connect_tcp Read data using an outbound tcp connection GoodSource: A hardcoded string Sinks: GoodSink: one-way hash instead of symmetric crypto BadSink : symmetric encryption with an easy key Flow Variant: 71 Data flow: data pass...
-
CWE: 190 Integer Overflow BadSource: URLConnection Read data from a web server with URLConnection GoodSource: A hardcoded non-zero, non-min, non-max, even number Sinks: multiply GoodSink: Ensure there will not be an overflow before performing the multiplication BadSink : Unchecked multiplica...
-
CWE: 789 Uncontrolled Memory Allocation BadSource: fscanf Read data from the console using fscanf() GoodSource: Small number greater than zero Sinks: GoodSink: Allocate memory with malloc() and check the size of the memory to be allocated BadSink : Allocate memory with malloc(), but incorrec...
-
CWE: 415 Double Free BadSource: Allocate data using new and Deallocate data using delete GoodSource: Allocate data using new Sinks: GoodSink: do nothing BadSink : Deallocate data using delete Flow Variant: 51 Data flow: data passed as an argument from one function to another in different so...
-
CWE: 401 Memory Leak BadSource: Allocate data using new GoodSource: Allocate data on the stack Sinks: GoodSink: call delete on data BadSink : no deallocation of data Flow Variant: 05 Control flow: if(static_t) and if(static_f)
-
CWE: 253 Incorrect Check of Return Value Sinks: fprintf GoodSink: Correctly check if fprintf() failed BadSink : Incorrectly check if fprintf() failed Flow Variant: 06 Control flow: if(static_const_five==5) and if(static_const_five!=5)
-
CWE: 252 Unchecked Return Value Sinks: remove GoodSink: Check if wremove() fails BadSink : Do not check if wremove() fails Flow Variant: 05 Control flow: if(static_t) and if(static_f)
-
CWE: 197 Numeric Truncation Error BadSource: connect_socket Read data using a connect socket (client side) GoodSource: Less than CHAR_MAX Sink: to_short BadSink : Convert data to a short Flow Variant: 10 Control flow: if(global_t) and if(global_f)
-
CWE: 190 Integer Overflow BadSource: rand Set data to result of rand() GoodSource: Small, non-zero Sinks: add GoodSink: Ensure there is no overflow before performing the addition BadSink : Add 1 to data Flow Variant: 02 Control flow: if(1) and if(0)
-
CWE: 127 Buffer Under-read BadSource: Set data pointer to before the allocated memory buffer GoodSource: Set data pointer to the allocated memory buffer Sinks: loop BadSink : Copy data to string using a loop Flow Variant: 61 Data flow: data returned from one function to another in different...
-
CWE: 127 Buffer Under-read BadSource: Set data pointer to before the allocated memory buffer GoodSource: Set data pointer to the allocated memory buffer Sinks: cpy BadSink : Copy data to string using strcpy Flow Variant: 67 Data flow: data passed in a struct from one function to another in ...
-
CWE: 124 Buffer Underwrite BadSource: Set data pointer to before the allocated memory buffer GoodSource: Set data pointer to the allocated memory buffer Sink: memcpy BadSink : Copy string to data using memcpy Flow Variant: 02 Control flow: if(1) and if(0)
-
CWE: 122 Heap Based Buffer Overflow BadSource: Allocate using new[] and set data pointer to a small buffer GoodSource: Allocate using new[] and set data pointer to a large buffer Sink: ncat BadSink : Copy string to data using wcsncat Flow Variant: 51 Data flow: data passed as an argument fr...
-
CWE: 122 Heap Based Buffer Overflow BadSource: Allocate using malloc() and set data pointer to a small buffer GoodSource: Allocate using malloc() and set data pointer to a large buffer Sink: ncpy BadSink : Copy string to data using wcsncpy Flow Variant: 32 Data flow using two pointers to th...
-
CWE: 121 Stack Based Buffer Overflow BadSource: Initialize data as a large string GoodSource: Initialize data as a small string Sink: memcpy BadSink : Copy data to string using memcpy Flow Variant: 01 Baseline
-
CWE: 121 Stack Based Buffer Overflow BadSource: Set data pointer to the bad buffer GoodSource: Set data pointer to the good buffer Sinks: memcpy BadSink : Copy int array to data using memcpy Flow Variant: 44 Data/control flow: data passed as an argument from one function to a function in th...