Displaying test cases 72951 - 72975 of 74755 in total
- CWE: 113 HTTP Response Splitting BadSource: Environment Read a string from an environment variable GoodSource: A hardcoded string Sinks: addHeaderServlet GoodSink: URLEncode input BadSink : querystring to addHeader() Flow Variant: 67 Data flow: data passed in a class from one method to anot...
- CWE: 78 OS Command Injection BadSource: fromConsole Read input from the console GoodSource: Benign input Sink: execvp BadSink : execute command with execvp Flow Variant: 54 Data flow: data passed as an argument from one function through three others to a fifth; all five functions are in diff...
- CWE: 762 Mismatched Memory Management Routines BadSource: Allocate data using new GoodSource: Allocate data using malloc() Sinks: GoodSink: Deallocate data using delete BadSink : Deallocate data using free() Flow Variant: 64 Data flow: void pointer to data passed from one function to anoth...
- CWE: 762 Mismatched Memory Management Routines BadSource: Allocate data using new GoodSource: Allocate data using new [] Sinks: GoodSink: Deallocate data using delete BadSink : Deallocate data using delete [] Flow Variant: 16 Control flow: while(1) and while(0)
- CWE: 762 Mismatched Memory Management Routines BadSource: Allocate data using new [] GoodSource: Allocate data using malloc() Sinks: GoodSink: Deallocate data using delete [] BadSink : Deallocate data using free() Flow Variant: 51 Data flow: data passed as an argument from one function to ...
- CWE: 761 Free Pointer Not At Start of Buffer BadSource: fixed_string Initialize data to be a fixed string Sinks: GoodSink: free() memory correctly at the start of the buffer BadSink : free() memory not at the start of the buffer Flow Variant: 53 Data flow: data passed as an argument from one...
- CWE: 427 Uncontrolled Search Path Element BadSource: connect_socket Read data using a connect socket (client side) GoodSource: Use a hardcoded path Sinks: BadSink : Set the environment variable Flow Variant: 67 Data flow: data passed in a struct from one function to another in different sour...
- CWE: 416 Use After Free Sinks: GoodSink: Use a block of memory returned from a function BadSink : Use a block of memory returned from a function after it has been freed Flow Variant: 02 Control flow: if(1) and if(0)
- CWE: 36 Absolute Path Traversal BadSource: Environment Read input from an environment variable GoodSource: Full path and file name Sink: fopen BadSink : Flow Variant: 32 Data flow using two pointers to the same value within the same function
- CWE: 36 Absolute Path Traversal BadSource: listen_socket Read data using a listen socket (server side) GoodSource: Full path and file name Sinks: w32CreateFile BadSink : Flow Variant: 31 Data flow using a copy of data within the same function
- CWE: 195 Signed to Unsigned Conversion BadSource: negative Set data to a fixed negative number GoodSource: Positive integer Sinks: strncpy BadSink : Copy strings using strncpy() with the length of data Flow Variant: 64 Data flow: void pointer to data passed from one function to another in di...
- CWE: 191 Integer Underflow BadSource: fixed Fixed value GoodSource: Greater than INT_MIN Sinks: GoodSink: Ensure there is no underflow before performing the subtraction BadSink : Subtract 1 from data Flow Variant: 17 Control flow: for loops
- CWE: 191 Integer Underflow BadSource: fgets Read data from the console using fgets() GoodSource: Greater than INT_MIN Sinks: GoodSink: Ensure there is no underflow before performing the subtraction BadSink : Subtract 1 from data Flow Variant: 63 Data flow: pointer to data passed from one fu...
- CWE: 187 Partial Comparison BadSource: connect_socket Read data using a connect socket (client side) GoodSource: Provide a matching password Sinks: ncmp_correct_pw GoodSink: Compare the 2 passwords correctly BadSink : use strncmp() to do password match, but use the length of the correct pass...
- CWE: 134 Uncontrolled Format String BadSource: listen_socket Read data using a listen socket (server side) GoodSource: Copy a fixed string into data Sinks: fprintf GoodSink: fprintf with "%s" as the second argument and data as the third BadSink : fprintf with data as the second argument Flo...
- CWE: 134 Uncontrolled Format String BadSource: fromFile Read input from a file GoodSource: Copy a fixed string into data Sinks: printf GoodSink: printf with "%s" as the first argument and data as the second BadSink : printf with only data as an argument Flow Variant: 10 Control flow: if(glo...
- CWE: 129 Improper Validation of Array Index BadSource: large Large index value that is greater than 10-1 GoodSource: Larger than zero but less than 10 Sinks: wchar_t GoodSink: Ensure the array index is valid BadSink : Improperly check the array index by not checking the upper bound Flow Var...
- CWE: 126 Buffer Over-read BadSource: Set data pointer to a small buffer GoodSource: Set data pointer to a large buffer Sinks: loop BadSink : Copy data to string using a loop Flow Variant: 67 Data flow: data passed in a struct from one function to another in different source files
- CWE: 124 Buffer Underwrite BadSource: Set data pointer to before the allocated memory buffer GoodSource: Set data pointer to the allocated memory buffer Sink: memmove BadSink : Copy string to data using memmove Flow Variant: 51 Data flow: data passed as an argument from one function to anot...
- CWE: 124 Buffer Underwrite BadSource: Set data pointer to before the allocated memory buffer GoodSource: Set data pointer to the allocated memory buffer Sinks: memcpy BadSink : Copy string to data using memcpy Flow Variant: 67 Data flow: data passed in a struct from one function to another ...
- CWE: 122 Heap Based Buffer Overflow BadSource: Allocate using malloc() and set data pointer to a small buffer GoodSource: Allocate using malloc() and set data pointer to a large buffer Sink: snprintf BadSink : Copy string to data using snwprintf Flow Variant: 32 Data flow using two pointers...
- CWE: 121 Stack Based Buffer Overflow BadSource: Initialize data as a large string GoodSource: Initialize data as a small string Sink: loop BadSink : Copy data to string using a loop Flow Variant: 02 Control flow: if(1) and if(0)
- CWE: 121 Stack Based Buffer Overflow BadSource: Initialize data as a large string GoodSource: Initialize data as a small string Sink: ncat BadSink : Copy data to string using strncat Flow Variant: 02 Control flow: if(1) and if(0)
- CWE: 121 Stack Based Buffer Overflow BadSource: Set data pointer to the bad buffer GoodSource: Set data pointer to the good buffer Sink: ncpy BadSink : Copy string to data using wcsncpy Flow Variant: 04 Control flow: if(static_const_t) and if(static_const_f)
- CWE: 114 Process Control BadSource: Environment Read input from an environment variable GoodSource: Hard code the full pathname to the library Sink: BadSink : Load a dynamic link library Flow Variant: 07 Control flow: if(static_five==5) and if(static_five!=5)