CWE: 761 Free Pointer Not At Start of Buffer BadSource: listen_socket Read data using a listen socket (server side) Sinks: GoodSink: free() memory correctly at the start of the buffer BadSink : free() memory not at the start of the buffer Flow Variant: 53 Data flow: data passed as an argumen...

CWE: 680 Integer Overflow to Buffer Overflow BadSource: fscanf Read data from the console using fscanf() GoodSource: Small number greater than zero that will not cause an integer overflow in the sink Sinks: BadSink : Attempt to allocate array using length value from source Flow Variant: 67 D...

CWE: 674 Uncontrolled Recursion Sinks: unbounded_recursive_call GoodSink: Limit recursion to a managed level BadSink : Recursion not limited to a managed level Flow Variant: 10 Control flow: if(global_t) and if(global_f)

CWE: 590 Free of Invalid Pointer Not on the Heap BadSource: static Data buffer is declared static on the stack GoodSource: Allocate memory on the heap Sinks: BadSink : Print then free data Flow Variant: 43 Data flow: data flows using a C++ reference from one function to another in the same s...

CWE: 590 Free of Invalid Pointer Not on the Heap BadSource: alloca Data buffer is allocated on the stack with alloca() GoodSource: Allocate memory on the heap Sinks: BadSink : Print then free data Flow Variant: 45 Data flow: data passed as a static global variable from one function to anothe...

CWE: 415 Double Free BadSource: Allocate data using new and Deallocae data using delete GoodSource: Allocate data using new Sinks: GoodSink: do nothing BadSink : Deallocate data using delete Flow Variant: 13 Control flow: if(global_const_five==5) and if(global_const_five!=5)

CWE: 401 Memory Leak BadSource: Allocate data using new[] GoodSource: Point data to a stack buffer Sinks: GoodSink: call delete[] on data BadSink : no deallocation of data Flow Variant: 54 Data flow: data passed as an argument from one function through three others to a fifth; all five fun...

CWE: 390 Detection of Error Condition Without Action Sinks: fwrite GoodSink: Check if fwrite() failed and handle errors properly BadSink : Check to see if fwrite() failed, but do nothing about it Flow Variant: 16 Control flow: while(1) and while(0)

CWE: 36 Absolute Path Traversal BadSource: connect_socket Read data using a connect socket (client side) GoodSource: Full path and file name Sink: w32CreateFile BadSink : Flow Variant: 53 Data flow: data passed as an argument from one function through two others to a fourth; all four functio...

CWE: 284 Access Control Issues Sinks: w32CreateDesktop GoodSink: Create a desktop using CreateDesktopA() without excessive privileges BadSink : Create a desktop using CreateDesktopA() with excessive privileges Flow Variant: 14 Control flow: if(global_five==5) and if(global_five!=5)

CWE: 252 Unchecked Return Value Sinks: rename GoodSink: Check if wrename() fails BadSink : Do not check if wrename() fails Flow Variant: 05 Control flow: if(static_t) and if(static_f)

CWE: 23 Relative Path Traversal BadSource: connect_socket Read data using a connect socket (client side) GoodSource: File name without a period or slash Sink: w32CreateFile BadSink : Flow Variant: 68 Data flow: data passed as a global variable from one function to another in different source...

CWE: 197 Numeric Truncation Error BadSource: fscanf Read data from the console using fscanf() GoodSource: Less than CHAR_MAX Sinks: to_char BadSink : Convert data to a char Flow Variant: 67 Data flow: data passed in a struct from one function to another in different source files

CWE: 190 Integer Overflow BadSource: fixed Fixed value GoodSource: Small, non-zero Sinks: square GoodSink: Ensure there is no overflow before performing the squaring operation BadSink : Square data Flow Variant: 10 Control flow: if(global_t) and if(global_f)

CWE: 134 Uncontrolled Format String BadSource: listen_socket Read data using a listen socket (server side) GoodSource: Copy a fixed string into data Sinks: vprintf GoodSink: vwprintf with a format string BadSink : vwprintf without a format string Flow Variant: 16 Control flow: while(1) and ...

CWE: 134 Uncontrolled Format String BadSource: listen_socket Read data using a listen socket (server side) GoodSource: Copy a fixed string into data Sinks: snprintf GoodSink: snprintf with "%s" as the third argument and data as the fourth BadSink : snprintf with data as the third argument F...

CWE: 124 Buffer Underwrite BadSource: Set data pointer to before the allocated memory buffer GoodSource: Set data pointer to the allocated memory buffer Sink: ncpy BadSink : Copy string to data using wcsncpy Flow Variant: 41 Data flow: data passed as an argument from one function to another...

CWE: 124 Buffer Underwrite BadSource: Set data pointer to before the allocated memory buffer GoodSource: Set data pointer to the allocated memory buffer Sink: cpy BadSink : Copy string to data using strcpy Flow Variant: 54 Data flow: data passed as an argument from one function through thre...

CWE: 124 Buffer Underwrite BadSource: Set data pointer to before the allocated memory buffer GoodSource: Set data pointer to the allocated memory buffer Sink: loop BadSink : Copy string to data using a loop Flow Variant: 02 Control flow: if(1) and if(0)

CWE: 122 Heap Based Buffer Overflow BadSource: Allocate using new[] and set data pointer to a small buffer GoodSource: Allocate using new[] and set data pointer to a large buffer Sinks: cat BadSink : Copy string to data using wcscat Flow Variant: 65 Data/control flow: data passed as an argu...

CWE: 122 Heap Based Buffer Overflow BadSource: Allocate using new[] and set data pointer to a small buffer GoodSource: Allocate using new[] and set data pointer to a large buffer Sink: memcpy BadSink : Copy twointsclass array to data using memcpy Flow Variant: 16 Control flow: while(1) and ...

CWE: 122 Heap Based Buffer Overflow BadSource: Allocate using new[] and set data pointer to a small buffer GoodSource: Allocate using new[] and set data pointer to a large buffer Sink: memcpy BadSink : Copy string to data using memcpy Flow Variant: 13 Control flow: if(global_const_five==5) ...

CWE: 121 Stack Based Buffer Overflow BadSource: Initialize data as a large string GoodSource: Initialize data as a small string Sink: snprintf BadSink : Copy data to string using snwprintf Flow Variant: 15 Control flow: switch(6)

CWE: 121 Stack Based Buffer Overflow BadSource: Initialize data as a large string GoodSource: Initialize data as a small string Sink: snprintf BadSink : Copy data to string using snprintf Flow Variant: 11 Control flow: if(global_returns_t()) and if(global_returns_f())

CWE: 121 Stack Based Buffer Overflow BadSource: Set data pointer to the bad buffer GoodSource: Set data pointer to the good buffer Sink: loop BadSink : Copy int array to data using a loop Flow Variant: 02 Control flow: if(1) and if(0)