Displaying test cases 72276 - 72300 of 74755 in total
- CWE: 195 Signed to Unsigned Conversion Error BadSource: fscanf Read data from the console using fscanf() GoodSource: Positive integer Sink: malloc BadSink: Allocate memory using malloc() with the size of data Flow Variant: 17 Control flow: for loops
- CWE: 127 Buffer Under-read BadSource: Set data pointer to before the allocated memory buffer GoodSource: Set data pointer to the allocated memory buffer Sink: ncpy BadSink: Copy data to string using wcsncpy Flow Variant: 22 Control flow: Flow controlled by value of a global variable. Sink ...
- CWE: 126 Buffer Over-read BadSource: Use a small buffer GoodSource: Use a large buffer Sink: memcpy BadSink: Copy data to string using memcpy Flow Variant: 02 Control flow: if(1) and if(0)
- CWE: 124 Buffer Underwrite BadSource: Set data pointer to before the allocated memory buffer GoodSource: Set data pointer to the allocated memory buffer Sinks: memmove BadSink: Copy string to data using memmove Flow Variant: 61 Data flow: data returned from one function to another in diffe...
- CWE: 122 Heap Based Buffer Overflow BadSource: Initialize data as a large string GoodSource: Initialize data as a small string Sinks: cat BadSink: Copy data to string using wcscat Flow Variant: 43 Data flow: data flows using a C++ reference from one function to another in the same source file
- CWE: 760 Use of one-way hash with a predictable salt BadSource: console_readLine Read data from the console using readLine GoodSource: A hardcoded string Sinks: GoodSink: use a sufficiently random salt BadSink: SHA512 with a predictable salt Flow Variant: 71 Data flow: data passed as an Ob...
- CWE: 209 Information exposure through error message BadSource: PropertiesFile Read a value from a .properties file (in property named data) GoodSource: A hardcoded string Sinks: stackDump GoodSink: Generic error message BadSink: Error causes stack dump Flow Variant: 52 Data flow: data pass...
- CWE: 190 Integer Overflow BadSource: URLConnection Read data from a web server with URLConnection GoodSource: A hardcoded non-zero, non-min, non-max, even number Sinks: square GoodSink: Ensure there will not be an overflow before performing the squaring operation BadSink: Unchecked squaring...
- CWE: 134 Uncontrolled Format String BadSource: URLConnection Read a string from a web server with URLConnection GoodSource: A hardcoded string Sinks: printf GoodSink: dynamic printf format with string defined BadSink: dynamic printf without validation Flow Variant: 67 Data flow: data passe...
- CWE: 113 HTTP Response Splitting BadSource: connect_tcp Read data using an outbound tcp connection GoodSource: A hardcoded string Sinks: sendRedirectServlet GoodSink: URLEncode input BadSink: querystring to sendRedirect() Flow Variant: 05 Control flow: if(private_t) and if(private_f)
- CWE: 78 OS Command Injection BadSource: listen_socket Read data using a listen socket (server side) GoodSource: Benign input Sinks: w32spawnl BadSink: execute command with spawnl Flow Variant: 64 Data flow: void pointer to data passed from one function to another in different source files
- CWE: 789 Uncontrolled Memory Allocation BadSource: listen_socket Read data using a listen socket (server side) GoodSource: Small number greater than zero Sinks: GoodSink: Allocate memory with malloc() and check the size of the memory to be allocated BadSink: Allocate memory with malloc(), b...
- CWE: 758 Undefined Behavior Sinks: alloca_use GoodSink: Initialize then use data BadSink: Use data from alloca without initialization Flow Variant: 08 Control flow: if(static_returns_t()) and if(static_returns_f())
- CWE: 680 Integer Overflow to Buffer Overflow BadSource: listen_socket Read data using a listen socket (server side) GoodSource: Small number greater than zero that will not cause an integer overflow in the sink Sinks: BadSink: Attempt to allocate array using length value from source Flow Va...
- CWE: 401 Memory Leak BadSource: malloc Allocate data using malloc() GoodSource: Allocate data on the stack Sinks: GoodSink: call free() on data BadSink: no deallocation of data Flow Variant: 08 Control flow: if(static_returns_t()) and if(static_returns_f())
- CWE: 390 Detection of Error Condition Without Action Sinks: w32ImpersonateNamedPipeClient GoodSink: Check the return value of ImpersonateNamedPipeClient() and handle it properly BadSink: Check to see if ImpersonateNamedPipeClient() failed, but do nothing about it Flow Variant: 02 Control flo...
- CWE: 23 Relative Path Traversal BadSource: connect_socket Read data using a connect socket (client side) GoodSource: File name without a period or slash Sink: open BadSink: Flow Variant: 07 Control flow: if(static_five==5) and if(static_five!=5)
- CWE: 190 Integer Overflow BadSource: fixed Fixed value GoodSource: Small, non-zero Sinks: add GoodSink: Ensure there is no overflow before performing the addition BadSink: Add 1 to data Flow Variant: 67 Data flow: data passed in a struct from one function to another in different source files
- CWE: 187 Partial Comparison BadSource: Environment Read input from an environment variable GoodSource: Provide a matching password Sinks: ncmp_correct_pw GoodSink: Compare the 2 passwords correctly BadSink: use strncmp() to do password match, but use the length of the correct password Flow...
- CWE: 134 Uncontrolled Format String BadSource: Environment Read input from an environment variable GoodSource: Copy a fixed string into data Sinks: snprintf GoodSink: snprintf with "%s" as the third argument and data as the fourth BadSink: snprintf with data as the third argument Flow Vari...
- CWE: 124 Buffer Underwrite BadSource: Set data pointer to before the allocated memory buffer GoodSource: Set data pointer to the allocated memory buffer Sink: memcpy BadSink: Copy string to data using memcpy Flow Variant: 14 Control flow: if(global_five==5) and if(global_five!=5)
- CWE: 124 Buffer Underwrite BadSource: Set data pointer to before the allocated memory buffer GoodSource: Set data pointer to the allocated memory buffer Sink: memcpy BadSink: Copy string to data using memcpy Flow Variant: 51 Data flow: data passed as an argument from one function to anothe...
- CWE: 124 Buffer Underwrite BadSource: Set data pointer to before the allocated memory buffer GoodSource: Set data pointer to the allocated memory buffer Sink: memmove BadSink: Copy string to data using memmove Flow Variant: 10 Control flow: if(global_t) and if(global_f)
- CWE: 122 Heap Based Buffer Overflow BadSource: Initialize data as a large string GoodSource: Initialize data as a small string Sinks: memmove BadSink: Copy data to string using memmove Flow Variant: 66 Data flow: data passed in an array from one function to another in different source files
- CWE: 121 Stack Based Buffer Overflow BadSource: Set data pointer to the bad buffer GoodSource: Set data pointer to the good buffer Sinks: cpy BadSink: Copy string to data using strcpy Flow Variant: 66 Data flow: data passed in an array from one function to another in different source files