SFP Secondary Cluster: Use of an Improper API

A's behavior or functionality changes with a new version of A, or a new environment, which is not known (or manageable) by B.

The product uses an API function that does not exist on all versions of the target platform. This could cause portability problems or inconsistencies that allow denial...

The product calls a thread's run() method instead of calling start(), which causes the code to run in the thread of the caller instead of the callee.

The product uses a signal handler that shares state with other signal handlers, but it does not properly mask or prevent those signal handlers from being invoked while...

When a Java application uses the Java Native Interface (JNI) to call code written in another programming language, it can expose the application to weaknesses in that ...

The product violates the Enterprise JavaBeans (EJB) specification by using AWT/Swing.

The product violates the Enterprise JavaBeans (EJB) specification by using the class loader.

The product violates the Enterprise JavaBeans (EJB) specification by using the java.io package.

The product violates the Enterprise JavaBeans (EJB) specification by using sockets.

The product violates the Enterprise JavaBeans (EJB) specification by using thread synchronization primitives.

A feature, API, or function does not perform according to its specification.

The product makes an explicit call to the finalize() method from outside the finalizer.

The product does not follow or incorrectly follows the specifications as required by the implementation language, environment, framework, protocol, or platform.

The code does not function according to its published specifications, potentially leading to incorrect usage.

The J2EE application directly manages connections, instead of using the container's connection management facilities.

The J2EE application directly uses sockets instead of using framework method calls.

Thread management in a Web application is forbidden in some circumstances and is always highly error prone.

A J2EE application uses System.exit(), which also shuts down its container.

The product contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more severe th...

The product uses an API function, data structure, or other entity in a way that relies on properties that are not always guaranteed to hold for that entity.

The product defines a signal handler that calls a non-reentrant function.

The code uses a function that has inconsistent implementations across operating systems and versions.

The product uses the getlogin() function in a multithreaded context, potentially causing it to return incorrect values.

The product calls a function that can never be guaranteed to work safely.

The product uses low-level functionality that is explicitly prohibited by the framework or specification under which the product is supposed to operate.

The code uses deprecated or obsolete functions, which suggests that the code has not been actively reviewed or maintained.

The product invokes a potentially dangerous function that could introduce a vulnerability if it is used incorrectly, but the function can also be used safely.

This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that involve the software using an API ...

CWE identifiers in this view are associated with clusters of Software Fault Patterns (SFPs).