CWE: 190 Integer Overflow BadSource: fgets Read data from the console using fgets() GoodSource: Set data to a small, non-zero number (two) Sinks: square GoodSink: Ensure there will not be an overflow before squaring data BadSink : Square data, which can lead to overflow Flow Variant: 18 Con...

CWE: 190 Integer Overflow BadSource: fscanf Read data from the console using fscanf() GoodSource: Set data to a small, non-zero number (two) Sinks: square GoodSink: Ensure there will not be an overflow before squaring data BadSink : Square data, which can lead to overflow Flow Variant: 17 C...

CWE: 134 Uncontrolled Format String BadSource: console Read input from the console GoodSource: Copy a fixed string into data Sinks: snprintf GoodSink: snwprintf with %s as the third argument and data as the fourth BadSink : snwprintf with data as the third argument Flow Variant: 43 Data flo...

CWE: 122 Heap Based Buffer Overflow BadSource: Initialize data as a large string GoodSource: Initialize data as a small string Sink: snprintf BadSink : Copy data to string using snprintf Flow Variant: 32 Data flow using two pointers to the same value within the same function

CWE: 122 Heap Based Buffer Overflow BadSource: Initialize data as a large string GoodSource: Initialize data as a small string Sink: loop BadSink : Copy data to string using a loop Flow Variant: 41 Data flow: data passed as an argument from one function to another in the same source file

CWE: 122 Heap Based Buffer Overflow BadSource: Allocate memory for a string, but do not allocate space for NULL terminator GoodSource: Allocate enough memory for a string and the NULL terminator Sink: memmove BadSink : Copy string to data using memmove() Flow Variant: 13 Control flow: if(GL...

CWE: 122 Heap Based Buffer Overflow BadSource: Allocate memory without using sizeof(int) GoodSource: Allocate memory using sizeof(int) Sink: loop BadSink : Copy array to data using a loop Flow Variant: 08 Control flow: if(staticReturnsTrue()) and if(staticReturnsFalse())

CWE: 121 Stack Based Buffer Overflow BadSource: Set data pointer to the bad buffer GoodSource: Set data pointer to the good buffer Sink: loop BadSink : Copy twoIntsStruct array to data using a loop Flow Variant: 54 Data flow: data passed as an argument from one function through three others...

CWE: 89 SQL Injection BadSource: getQueryStringServlet Parse id param out of the querystring without getParam GoodSource: A hardcoded string Sinks: execute GoodSink: prepared sqlstatement, single BadSink : untrusted parameter value to raw insert sqlstatement Flow Variant: 54 Data flow: data...

CWE: 476 Null Pointer Dereference BadSource: Set data to null GoodSource: Set data to a non-null value Sinks: GoodSink: add check to prevent possibility of null dereference BadSink : possibility of null dereference Flow Variant: 15 Control flow: switch(6) and switch(7)

CWE: 470 Unsafe Reflection BadSource: console_readLine Read data from the console using readLine GoodSource: Hardcoded class to load Sinks: GoodSink: instantiate only certain fixed classes BadSink : instantiate arbitrary class Flow Variant: 51 Data flow: data passed as an argument from one ...

CWE: 78 OS Command Injection BadSource: connect_socket Read data using a connect socket (client side) GoodSource: Benign input Sink: w32spawnv BadSink : execute command with wspawnv Flow Variant: 68 Data flow: data passed as a global variable from one function to another in different source ...

CWE: 78 OS Command Injection BadSource: Environment Read input from an environment variable GoodSource: Benign input Sink: popen BadSink : Execute command using popen() Flow Variant: 32 Data flow using two pointers to the same value within the same function

CWE: 78 OS Command Injection BadSource: Environment Read input from an environment variable GoodSource: Benign input Sink: execvp BadSink : execute command with wexecvp Flow Variant: 11 Control flow: if(global_returns_t()) and if(global_returns_f())

CWE: 772 Missing Release of Resource after Effective Lifetime BadSource: Open a file using CreateFile() Sinks: GoodSink: Close the file using CloseHandle() BadSink : Do not close file Flow Variant: 42 Data flow: data returned from one function to another in the same source file

CWE: 680 Integer Overflow to Buffer Overflow BadSource: rand Set data to result of rand(), which may be zero GoodSource: Small number greater than zero that will not cause an integer overflow in the sink Sinks: BadSink : Attempt to allocate array using length value from source Flow Variant: ...

CWE: 563 Unused Variable BadSource: Initialize data GoodSource: Initialize and use data Sinks: GoodSink: Use data BadSink : Initialize and use data Flow Variant: 03 Control flow: if(5==5) and if(5!=5)

CWE: 415 Double Free BadSource: Allocate data using malloc() and Deallocate data using free() GoodSource: Allocate data using malloc() Sinks: GoodSink: do nothing BadSink : Deallocate data using free() Flow Variant: 07 Control flow: if(static_five==5) and if(static_five!=5)

CWE: 390 Detection of Error Condition Without Action Sinks: rename GoodSink: Check if wrename() failed and handle errors properly BadSink : Check to see if wrename() failed, but do nothing about it Flow Variant: 15 Control flow: switch(6)

CWE: 252 Unchecked Return Value Sinks: putc GoodSink: Check if putc() fails BadSink : Do not check if putc() fails Flow Variant: 04 Control flow: if(static_const_t) and if(static_const_f)

CWE: 197 Numeric Truncation Error BadSource: fgets Read data from the console using fgets() GoodSource: Less than CHAR_MAX Sinks: BadSink : Convert data to a char Flow Variant: 65 Data/control flow: data passed as an argument from one function to a function in a different source file called ...

CWE: 195 Signed to Unsigned Conversion BadSource: negative Set data to a fixed negative number GoodSource: Positive integer Sink: strncpy BadSink : Copy strings using strncpy() with the length of data Flow Variant: 11 Control flow: if(global_returns_t()) and if(global_returns_f())

CWE: 190 Integer Overflow BadSource: fixed Fixed value GoodSource: Small, non-zero Sinks: multiply GoodSink: Ensure there is no overflow before performing the multiplication BadSink : Multiply data by 2 Flow Variant: 18 Control flow: goto statements

CWE: 187 Partial Comparison BadSource: Environment Read input from an environment variable GoodSource: Provide a matching password Sinks: ncmp_correct_pw GoodSink: Compare the 2 passwords correctly BadSink : use wcsncmp() to do password match, but use the length of the correct password Flow...

CWE: 124 Buffer Underwrite BadSource: Set data pointer to before the allocated memory buffer GoodSource: Set data pointer to the allocated memory buffer Sinks: ncpy BadSink : Copy string to data using strncpy Flow Variant: 61 Data flow: data returned from one function to another in differen...