Displaying test cases 72901 - 72925 of 74755 in total
- CWE: 134 Uncontrolled Format String BadSource: console Read input from the console GoodSource: Copy a fixed string into data Sinks: snprintf GoodSink: snwprintf with %s as the third argument and data as the fourth BadSink : snwprintf with data as the third argument Flow Variant: 07 Control ...
- CWE: 127 Buffer Under-read BadSource: Set data pointer to before the allocated memory buffer GoodSource: Set data pointer to the allocated memory buffer Sinks: memmove BadSink : Copy data to string using memmove Flow Variant: 62 Data flow: data flows using a C++ reference from one function ...
- CWE: 127 Buffer Under-read BadSource: Set data pointer to before the allocated memory buffer GoodSource: Set data pointer to the allocated memory buffer Sink: memmove BadSink : Copy data to string using memmove Flow Variant: 08 Control flow: if(staticReturnsTrue()) and if(staticReturnsFalse())
- CWE: 122 Heap Based Buffer Overflow BadSource: Initialize data as a large string GoodSource: Initialize data as a small string Sink: memmove BadSink : Copy data to string using memmove Flow Variant: 17 Control flow: for loops
- CWE: 121 Stack Based Buffer Overflow BadSource: Void pointer to a wchar_t array GoodSource: Void pointer to a char array Sinks: GoodSink: Allocate memory using wcslen() and copy data BadSink : Allocate memory using strlen() and copy data Flow Variant: 07 Control flow: if(staticFive==5) and...
- CWE: 597 Use of '==' instead of 'equals()' to test String equivalence Sinks: GoodSink: Correctly use .equals() to compare strings BadSink : Use == operator instead of .equals() to compare strings Flow Variant: 02 Control flow: if(true) and if(false)
- CWE: 369 Divide by zero BadSource: random Set data to a random value GoodSource: A hardcoded non-zero, non-min, non-max, even number Sinks: modulo GoodSink: Check for zero before modulo BadSink : Modulo by a value that may be zero Flow Variant: 31 Data flow: make a copy of data within the s...
- CWE: 257 Storing passwords in a recoverable format BadSource: fromDB Read a string from a database connection GoodSource: A hardcoded string Sinks: GoodSink: one-way hash instead of symmetric crypto BadSink : symmetric encryption with an easy key Flow Variant: 06 Control flow: if(private_fi...
- CWE: 113 HTTP Response Splitting BadSource: getParameterServlet Read data from a querystring using getParameter GoodSource: A hardcoded string Sinks: addCookieServlet GoodSink: URLEncode input BadSink : querystring to addCookie() Flow Variant: 03 Control flow: if(5==5) and if(5!=5)
- CWE: 789 Uncontrolled Memory Allocation BadSource: fscanf Read data from the console using fscanf() GoodSource: Small number greater than zero Sinks: GoodSink: Allocate memory with malloc() and check the size of the memory to be allocated BadSink : Allocate memory with malloc(), but incorrec...
- CWE: 762 Mismatched Memory Management Routines BadSource: Allocate data using wcsdup() GoodSource: Allocate data using new Sinks: GoodSink: Deallocate data using free() BadSink : Deallocate data using delete Flow Variant: 18 Control flow: goto statements
- CWE: 680 Integer Overflow to Buffer Overflow BadSource: rand Set data to result of rand(), which may be zero GoodSource: Small number greater than zero that will not cause an integer overflow in the sink Sink: BadSink : Attempt to allocate array using length value from source Flow Variant: 0...
- CWE: 590 Free of Invalid Pointer Not on the Heap BadSource: static Data buffer is declared static on the stack GoodSource: Allocate memory on the heap Sink: BadSink : Print then free data Flow Variant: 03 Control flow: if(5==5) and if(5!=5)
- CWE: 590 Free of Invalid Pointer Not on the Heap BadSource: alloca Data buffer is allocated on the stack with alloca() GoodSource: Allocate memory on the heap Sinks: BadSink : Print then free data Flow Variant: 34 Data flow: use of a union containing two methods of accessing the same data (w...
- CWE: 563 Unused Variable BadSource: Initialize data GoodSource: Initialize and use data Sinks: GoodSink: Use data BadSink : Initialize and use data Flow Variant: 01 Baseline
- CWE: 36 Absolute Path Traversal BadSource: fromFile Read input from a file GoodSource: Full path and file name Sink: open BadSink : Flow Variant: 02 Control flow: if(1) and if(0)
- CWE: 36 Absolute Path Traversal BadSource: fromFile Read input from a file GoodSource: Full path and file name Sinks: fopen BadSink : Flow Variant: 67 Data flow: data passed in a struct from one function to another in different source files
- CWE: 36 Absolute Path Traversal BadSource: fromConsole Read input from the console GoodSource: Full path and file name Sinks: w32CreateFile BadSink : Flow Variant: 63 Data flow: pointer to data passed from one function to another in different source files
- CWE: 195 Signed to Unsigned Conversion BadSource: listen_socket Read data using a listen socket (server side) GoodSource: Positive integer Sinks: memcpy BadSink : Copy strings using memcpy() with the length of data Flow Variant: 64 Data flow: void pointer to data passed from one function to ...
- CWE: 190 Integer Overflow BadSource: listen_socket Read data using a listen socket (server side) GoodSource: Small, non-zero Sinks: multiply GoodSink: Ensure there is no overflow before performing the multiplication BadSink : Multiply data by 2 Flow Variant: 52 Data flow: data passed as an ...
- CWE: 190 Integer Overflow BadSource: connect_socket Read data using a connect socket (client side) GoodSource: Small, non-zero Sinks: square GoodSink: Ensure there is no overflow before performing the square root BadSink : Square data Flow Variant: 64 Data flow: void pointer to data passed ...
- CWE: 187 Partial Comparison BadSource: substring Provide a password that is a shortened version of the actual password GoodSource: Provide a matching password Sinks: ncmp_correct_pw GoodSink: Compare the 2 passwords correctly BadSink : use strncmp() to do password match, but use the length o...
- CWE: 124 Buffer Underwrite BadSource: Set data pointer to before the allocated memory buffer GoodSource: Set data pointer to the allocated memory buffer Sink: cpy BadSink : Copy string to data using wcscpy Flow Variant: 15 Control flow: switch(6)
- CWE: 122 Heap Based Buffer Overflow BadSource: Initialize data as a large string GoodSource: Initialize data as a small string Sink: loop BadSink : Copy data to string using a loop Flow Variant: 41 Data flow: data passed as an argument from one function to another in the same source file
- CWE: 122 Heap Based Buffer Overflow BadSource: Allocate using new[] and set data pointer to a small buffer GoodSource: Allocate using new[] and set data pointer to a large buffer Sink: memmove BadSink : Copy long long array to data using memmove Flow Variant: 09 Control flow: if(global_cons...