CWE: 244 Failure to Clear Heap Before Release (Heap Inspection) Sinks: realloc GoodSink: Clear the password buffer before reallocating it BadSink : Reallocate buffer containing password without first clearing the buffer Flow Variant: 05 Control flow: if(staticTrue) and if(staticFalse)

CWE: 195 Signed to Unsigned Conversion Error BadSource: negative Set data to a fixed negative number GoodSource: Positive integer Sink: malloc BadSink : Allocate memory using malloc() with the size of data Flow Variant: 10 Control flow: if(globalTrue) and if(globalFalse)

CWE: 190 Integer Overflow BadSource: rand Set data to result of rand() GoodSource: Set data to a small, non-zero number (two) Sinks: square GoodSink: Ensure there will not be an overflow before squaring data BadSink : Square data, which can lead to overflow Flow Variant: 01 Baseline

CWE: 190 Integer Overflow BadSource: rand Set data to result of rand() GoodSource: Set data to a small, non-zero number (two) Sinks: square GoodSink: Ensure there will not be an overflow before squaring data BadSink : Square data, which can lead to overflow Flow Variant: 14 Control flow: if...

CWE: 122 Heap Based Buffer Overflow BadSource: Initialize the source buffer using the size of a pointer GoodSource: Initialize the source buffer using the size of the DataElementType Sink: BadSink : Print then free data Flow Variant: 08 Control flow: if(staticReturnsTrue()) and if(staticRet...

CWE: 122 Heap Based Buffer Overflow BadSource: Initialize data as a large string GoodSource: Initialize data as a small string Sink: snprintf BadSink : Copy data to string using snprintf Flow Variant: 09 Control flow: if(GLOBAL_CONST_TRUE) and if(GLOBAL_CONST_FALSE)

CWE: 122 Heap Based Buffer Overflow BadSource: Initialize data as a large string GoodSource: Initialize data as a small string Sink: memmove BadSink : Copy data to string using memmove Flow Variant: 11 Control flow: if(globalReturnsTrue()) and if(globalReturnsFalse())

CWE: 122 Heap Based Buffer Overflow BadSource: Initialize data as a large string GoodSource: Initialize data as a small string Sinks: memcpy BadSink : Copy data to string using memcpy Flow Variant: 43 Data flow: data flows using a C++ reference from one function to another in the same sourc...

CWE: 122 Heap Based Buffer Overflow BadSource: Initialize data as a large string GoodSource: Initialize data as a small string Sink: loop BadSink : Copy data to string using a loop Flow Variant: 32 Data flow using two pointers to the same value within the same function

CWE: 122 Heap Based Buffer Overflow BadSource: Allocate using malloc() and set data pointer to a small buffer GoodSource: Allocate using malloc() and set data pointer to a large buffer Sink: snprintf BadSink : Copy string to data using snprintf Flow Variant: 12 Control flow: if(globalReturn...

CWE: 89 SQL Injection BadSource: fromFile Read data from file (named c:\data.txt) GoodSource: A hardcoded string Sinks: executeUpdate GoodSink: prepared sqlstatement, executeUpdate BadSink : raw query used in executeUpdate Flow Variant: 13 Control flow: if(IO.static_final_five==5) and if(IO...

CWE: 89 SQL Injection BadSource: console_readLine Read data from the console using readLine GoodSource: A hardcoded string Sinks: executeBatch GoodSink: prepared sqlstatement, batch BadSink : untrusted input to raw update batch Flow Variant: 11 Control flow: if(IO.static_returns_t()) and if...

CWE: 89 SQL Injection BadSource: Environment Read a string from an environment variable GoodSource: A hardcoded string Sinks: executeBatch GoodSink: prepared sqlstatement, batch BadSink : untrusted input to raw update batch Flow Variant: 66 Data flow: data passed in an array from one method...

CWE: 81 Cross Site Scripting (XSS) in Error Message BadSource: console_readLine Read data from the console using readLine GoodSource: A hardcoded string Sinks: sendErrorServlet BadSink : XSS in sendError Flow Variant: 53 Data flow: data passed as an argument from one method through two other...

CWE: 23 Relative Path Traversal BadSource: PropertiesFile Read a value from a .properties file (in property named data) GoodSource: A hardcoded string BadSink: readFile no validation Flow Variant: 04 Control flow: if(private_final_t) and if(private_final_f)

CWE: 134 Uncontrolled Format String BadSource: fromDB Read a string from a database connection GoodSource: A hardcoded string Sinks: format GoodSink: dynamic formatted stdout with string defined BadSink : dynamic formatted stdout without validation Flow Variant: 53 Data flow: data passed as...

CWE: 113 HTTP Response Splitting BadSource: console_readLine Read data from the console using readLine GoodSource: A hardcoded string Sinks: addCookieServlet GoodSink: URLEncode input BadSink : querystring to addCookie() Flow Variant: 02 Control flow: if(true) and if(false)

CWE: 762 Mismatched Memory Management Routines BadSource: Allocate data using new [] GoodSource: Allocate data using malloc() Sinks: GoodSink: Deallocate data using delete [] BadSink : Deallocate data using free() Flow Variant: 02 Control flow: if(1) and if(0)

CWE: 617 Reachable Assertion BadSource: fscanf Read data from the console using fscanf() GoodSource: Number greater than ASSERT_VALUE Sink: BadSink : Assert if n is less than ASSERT_VALUE Flow Variant: 68 Data flow: data passed as a global variable from one function to another in different s...

CWE: 457 Use of Uninitialized Variable BadSource: partial_init Initialize part, but not all of the array GoodSource: Initialize data Sinks: use GoodSink: Initialize then use data BadSink : Use data Flow Variant: 33 Data flow: use of a C++ reference to data within the same function

CWE: 134 Uncontrolled Format String BadSource: Environment Read input from an environment variable GoodSource: Copy a fixed string into data Sinks: vsnprintf GoodSink: _vsnwprintf with a format string BadSink : _vsnwprintf without a format string Flow Variant: 68 Data flow: data passed as a...

CWE: 122 Heap Based Buffer Overflow BadSource: Initialize data as a large string GoodSource: Initialize data as a small string Sink: ncpy BadSink : Copy data to string using wcsncpy Flow Variant: 19 Control flow: Dead code after a return

CWE: 122 Heap Based Buffer Overflow BadSource: Allocate using new[] and set data pointer to a small buffer GoodSource: Allocate using new[] and set data pointer to a large buffer Sinks: snprintf BadSink : Copy string to data using snprintf Flow Variant: 61 Data flow: data returned from one ...

CWE: 121 Stack Based Buffer Overflow BadSource: Initialize data as a large string GoodSource: Initialize data as a small string Sink: memcpy BadSink : Copy data to string using memcpy Flow Variant: 09 Control flow: if(global_const_t) and if(global_const_f)

CWE: 121 Stack Based Buffer Overflow BadSource: Set data pointer to the bad buffer GoodSource: Set data pointer to the good buffer Sinks: memmove BadSink : Copy long long array to data using memmove Flow Variant: 63 Data flow: pointer to data passed from one function to another in different...