C Test Suite for Source Code Analyzer v2 - Vulnerable Test suite #100
DownloadDescription
This test suite replaces test suite 45 based on a collaboration with Alexander Hoole from University of Victoria, BC, Canada. The new test cases provided by these test suites contain the following improvements: removal of extraneous weaknesses, replacement of test cases to align with the CWEs specified in NIST SP 500-268 v1.1, creation of additional test cases to provide consistent BAD/GOOD pairings, application of minor improvements to code, renaming of files and the addition of FLAW/FIX comments to assist automation, and insertion of improved metadata to assist researchers using SARD. Please refer to the test case metadata fields to view additional information for each test case. Note: Some test cases have been deprecated and replaced with fixed versions since this test suite has been initially published.
-
The SQL Injection is possible because the arguments are not validated before the MySQL query.
-
The SQL Injection is possible if the arguments are not validated.
-
The SQL Injection is possible because the arguments are not validated. The code complexity is in the call of another function to perform the MySQL query.
-
The test case shows a Time-of-Check-Time-of-Use (TOCTOU) race condition between checking access permissions and then opening and writing to the file.
-
This test case exposes a Race Condition error at the line 47. Many processes can access the same file in different moment.
-
The use of a hard-coded password increases the possibility of password guessing tremendously. (from TCCLASP-5_5_9_10-C)
-
This test case shows a double free in a local control flow complexity.
-
This test case shows a double free in a for loop structure.
-
This test cases exposes a format string vulnerability with a container code complexity.
-
This test case shows a format string vulnerability in a local control flow; here, we use function pointer for control flow.
-
The test cases shows hard-coded passwords; these passwords are in a array.
-
The test case exposes a password which is hard-coded in the source code, the password is stored in a C structure.
-
This test case shows a hard-coded password in a local control flow.
-
This test case shows a hard coded password in a for loop structure.
-
The test case shows a Heap Overflow with an array complexity.
-
This test case exposes Heap Overflow with an array index complexity.
-
This test case shows an improper null termination; fread don\'t add the null character at the end of the string.
-
The test case shows an improper null termination with an address alias level as code complexity.
-
The test case exposes an improper null termination in a string which is in a structure.
-
This test case exposes an improper null termination which occurred when a argv contains tainted data.
-
The test case exposes a leftover debug weakness. Basically developer can debug his code and get the root promotion for debugging.
-
The test case shows how it is easy to get a buffer overflow if a string function is misused.
-
The test case shows how it is easy to get a buffer overflow if a string function is misused.
-
The test case shows how it is easy to get a buffer overflow if a string function is misused with a string which is in a structure.
-
The test case shows how it is easy to get a buffer overflow if a string function is misused with scope complexity.