Quality Weaknesses with Indirect Security Impacts

A view in the Common Weakness Enumeration published by The MITRE Corporation.


Views in the Common Weakness Enumeration (CWE) represent one perspective with which to consider a set of weaknesses.

CWE identifiers in this view (slice) are quality issues that only indirectly make it easier to introduce a vulnerability and/or make the vulnerability more difficult to detect or mitigate.

Target Audience

Assessment Tool Vendors

This view makes it easier for assessment vendors to identify and improve coverage for quality-related weaknesses.

Product Vendors

This view makes it easier for software vendors to identify important issues that may make their software more difficult to maintain, perform efficiently or reliably, or secure.

Software Developers

This view makes it easier for developers to identify and learn about issues that might make their code more difficult to maintain, perform efficiently or reliably, or secure.


Active Debug Code

The product is deployed to unauthorized actors with debugging code still enabled or active, which can create unintended entry points or expose sensitive information.

Architecture with Number of Horizontal Layers Outside of Expected Range

The product's architecture contains too many - or too few - horizontal layers.

ASP.NET Misconfiguration: Improper Model Validation

The ASP.NET application does not use, or incorrectly uses, the model validation framework.

ASP.NET Misconfiguration: Not Using Input Validation Framework

The ASP.NET application does not use an input validation framework.

Assignment of a Fixed Address to a Pointer

The product sets a pointer to a specific address other than NULL or 0.

Assignment to Variable without Use

The variable's value is assigned but never used, making it a dead store.

Call to Non-ubiquitous API

The product uses an API function that does not exist on all versions of the target platform. This could cause portability problems or inconsistencies that allow denial...

Callable with Insufficient Behavioral Summary

The code contains a function or method whose signature and/or associated inline documentation does not sufficiently describe the callable's inputs, outputs, ...

Class Instance Self Destruction Control Element

The code contains a class instance that calls the method or function to delete or destroy itself.

Class with Excessive Number of Child Classes

A class contains an unnecessarily large number of children.

Class with Excessively Deep Inheritance

A class has an inheritance level that is too high, i.e., it has a large number of parent classes.

Class with Virtual Method without a Virtual Destructor

A class contains a virtual method, but the method does not have an associated virtual destructor.

Compilation with Insufficient Warnings or Errors

The code is compiled without sufficient warnings enabled, which may prevent the detection of subtle bugs or quality issues.

Creation of Class Instance within a Static Code Block

A static code block creates an instance of a class.

Creation of Immutable Text Using String Concatenation

The product creates an immutable text string using string concatenation operations.

Critical Data Element Declared Public

The product declares a critical variable, field, or member to be public when intended security policy requires it to be private.

Data Access from Outside Expected Data Manager Component

The product is intended to manage data access through a particular data manager component such as a relational or non-SQL database, but it contains code that performs ...

Data Access Operations Outside of Expected Data Manager Component

The product uses a dedicated, central data manager component as required by design, but it contains code that performs data-access operations that do not use this data...

Data Element Aggregating an Excessively Large Number of Non-Primitive Elements

The product uses a data element that has an excessively large number of sub-elements with non-primitive data types such as structures or aggregated objects.

Data Element containing Pointer Item without Proper Copy Control Element

The code contains a data element with a pointer that does not have an associated copy or constructor method.

Data Resource Access without Use of Connection Pooling

The product accesses a data resource through a database without using a connection pooling capability.

Dead Code

The product contains dead code, which can never be executed.

Declaration of Variable with Unnecessarily Wide Scope

The source code declares a variable in one scope, but the variable is only used within a narrower scope.

Empty Code Block

The source code contains a block that does not contain any code, i.e., the block is empty.

Empty Exception Block

An invokable code block contains an exception handling block that does not contain any code, i.e. is empty.

Empty Synchronized Block

The product contains an empty synchronized block.

Excessive Attack Surface

The product has an attack surface whose quantitative measurement exceeds a desirable maximum.

Excessive Code Complexity

The code is too complex, as calculated using a well-defined, quantitative measure.

Excessive Data Query Operations in a Large Data Table

The product performs a data query with a large number of joins and sub-queries on a large data table.

Excessive Execution of Sequential Searches of Data Resource

The product contains a data query against an SQL table or view that is configured in a way that does not utilize an index and may cause sequential searches t...

Excessive Halstead Complexity

The code is structured in a way that a Halstead complexity measure exceeds a desirable maximum.

Excessive Index Range Scan for a Data Resource

The product contains an index range scan for a large data table, but the scan can cover a large number of rows.

Excessive McCabe Cyclomatic Complexity

The code contains McCabe cyclomatic complexity that exceeds a desirable maximum.

Excessive Number of Inefficient Server-Side Data Accesses

The product performs too many data queries without using efficient data processing functionality such as stored procedures.

Excessive Platform Resource Consumption within a Loop

The product has a loop body or loop condition that contains a control element that directly or indirectly consumes platform resources, e.g. messaging, sessions, l...

Excessive Reliance on Global Variables

The code is structured in a way that relies too much on using or setting global variables throughout various points in the code, instead of preserving the as...

Excessive Use of Hard-Coded Literals in Initialization

The product initializes a data element using a hard-coded literal that is not a simple integer or static constant element.

Excessive Use of Self-Modifying Code

The product uses too much self-modifying code.

Excessive Use of Unconditional Branching

The code uses too many unconditional branches (such as "goto").

Excessively Complex Data Representation

The product uses an unnecessarily complex internal representation for its data structures or interrelationships between those structures.

Excessively Deep Nesting

The code contains a callable or other code grouping in which the nesting / branching is too deep.

Floating Point Comparison with Incorrect Operator

The code performs a comparison such as an equality test between two float (floating point) values, but it uses comparison operators that do not account...

Improper Use of Validation Framework

The product does not use, or incorrectly uses, an input validation framework that is provided by the source language or an independent library.

Inaccurate Comments

The source code contains comments that do not accurately describe or explain aspects of the portion of the code with which the comment is associated.

Inappropriate Comment Style

The source code uses comment styles or formats that are inconsistent or do not follow expected standards for the product.

Inappropriate Source Code Style or Formatting

The source code does not follow desired style or formatting for indentation, white space, comments, etc.

Inappropriate Whitespace Style

The source code contains whitespace that is inconsistent across the code or does not follow expected standards for the product.

Incomplete Design Documentation

The product's design documentation does not adequately describe control flow, data flow, system initialization, relationships between tasks, components, rati...

Incomplete Documentation of Program Execution

The document does not fully define all mechanisms that are used to control or influence how product-specific programs are executed.

Incomplete I/O Documentation

The product's documentation does not adequately define inputs, outputs, or system/software interfaces.

Inconsistency Between Implementation and Documented Design

The implementation of the product is not consistent with the design as described within the relevant documentation.

Inconsistent Naming Conventions for Identifiers

The product's code, documentation, or other artifacts do not consistently use the same naming conventions for variables, callables, groups of related callabl...

Incorrect Block Delimitation

The code does not explicitly delimit a block that is intended to contain 2 or more statements, creating a logic error.

Incorrect Provision of Specified Functionality

The code does not function according to its published specifications, potentially leading to incorrect usage.

Inefficient CPU Computation

The product performs CPU computations using algorithms that are not as efficient as they could be for the needs of the developer, i.e., the computati...

Initialization with Hard-Coded Network Resource Configuration Data

The product initializes data using hard-coded values that act as network resource identifiers.

Insufficient Adherence to Expected Conventions

The product's architecture, source code, design, documentation, or other artifact does not follow required conventions.

Insufficient Documentation of Error Handling Techniques

The documentation does not sufficiently describe the techniques that are used for error handling, exception processing, or similar mechanisms.

Insufficient Encapsulation

The product does not sufficiently hide the internal representation and implementation details of data or methods, which might allow external components or modules to m...

Insufficient Encapsulation of Machine-Dependent Functionality

The product or code uses machine-dependent functionality, but it does not sufficiently encapsulate or isolate this functionality from the rest of the code.

Insufficient Isolation of Symbolic Constant Definitions

The source code uses symbolic constants, but it does not sufficiently place the definitions of these constants into a more centralized or isolated location.

Insufficient Isolation of System-Dependent Functions

The product or code does not isolate system-dependent functionality into separate standalone modules.

Insufficient Technical Documentation

The product does not contain sufficient technical or engineering documentation (whether on paper or in electronic form) that contains descriptions of...

Insufficient Use of Symbolic Constants

The source code uses literal constants that may need to change or evolve over time, instead of using symbolic constants.

Invocation of a Control Element at an Unnecessarily Deep Horizontal Layer

The code at one architectural layer invokes code that resides at a deeper layer than the adjacent layer, i.e., the invocation skips at least one layer, and t...

Invokable Control Element in Multi-Thread Context with non-Final Static Storable or Member Element

The code contains a function or method that operates in a multi-threaded environment but owns an unsafe non-final static storable or member d...

Invokable Control Element with Excessive File or Data Access Operations

A function or method contains too many operations that utilize a data manager or file resource.

Invokable Control Element with Excessive Volume of Commented-out Code

A function, method, procedure, etc. contains an excessive amount of code that has been commented out within its body.

Invokable Control Element with Large Number of Outward Calls

The code contains callable control elements that contain an excessively large number of references to other application objects external to the conte...

Invokable Control Element with Signature Containing an Excessive Number of Parameters

The product contains a function, subroutine, or method whose signature has an unnecessarily large number of parameters/arguments.

Invokable Control Element with Variadic Parameters

A named-callable or method control element has a signature that supports a variable (variadic) number of parameters or arguments.

Irrelevant Code

The product contains code that is not essential for execution, i.e. makes no state changes and has no side effects that alter data or control flow, such th...

J2EE Framework: Saving Unserializable Objects to Disk

When the J2EE container attempts to write unserializable objects to disk there is no guarantee that the process will complete successfully.

Large Data Table with Excessive Number of Indices

The product uses a large data table that contains an excessively large number of indices.

Loop Condition Value Update within the Loop

The product uses a loop with a control flow condition based on a value that is updated within the body of the loop.

Method Containing Access of a Member Element from Another Class

A method for a class performs an operation that directly accesses a member element from another class.

Missing Documentation for Design

The product does not have documentation that represents how it is designed.

Missing Serialization Control Element

The product contains a serializable data element that does not have an associated serialization method.

Modules with Circular Dependencies

The product contains modules in which one module has references that cycle back to itself, i.e., there are circular dependencies.

Multiple Inheritance from Concrete Classes

The product contains a class with inheritance from more than one concrete class.

Non-SQL Invokable Control Element with Excessive Number of Data Resource Accesses

The product contains a client with a function or method that contains a large number of data accesses/queries that are sent through a data manager, i.e., does not use ...

Omitted Break Statement in Switch

The product omits a break statement within a switch or similar construct, causing code associated with multiple conditions to execute. This can cause problems when the...

Parent Class with a Virtual Destructor and a Child Class without a Virtual Destructor

A parent class has a virtual destructor method, but the parent has a child class that does not have a virtual destructor.

Parent Class with References to Child Class

The code has a parent class that contains references to a child class, its methods, or its members.

Parent Class without Virtual Destructor Method

A parent class contains one or more child classes, but the parent class does not have a virtual destructor method.

Persistent Storable Data Element without Associated Comparison Control Element

The product uses a storable data element that does not have all of the associated functions or methods that are necessary to support comparison.

Reliance on Insufficiently Trustworthy Component

The product is built from multiple separate components, but it uses a component that is not sufficiently trusted to meet expectations for security, reliability, update...

Reliance on Machine-Dependent Data Representation

The code uses a data representation that relies on low-level data representation or constructs that may vary across different processors, physical machines, ...

Reliance on Runtime Component in Generated Code

The product uses automatically-generated code that cannot be executed without a specific runtime support component.

Reliance on Undefined, Unspecified, or Implementation-Defined Behavior

The product uses an API function, data structure, or other entity in a way that relies on properties that are not always guaranteed to hold for that entity.

Return of Stack Variable Address

A function returns the address of a stack variable, which will cause unintended program behavior, typically in the form of a crash.

Runtime Resource Management Control Element in a Component Built to Run on Application Servers

The product uses deployed components from application servers, but it also uses low-level functions/methods for management of resources, instead of the API provided by...

Serializable Data Element Containing non-Serializable Item Elements

The product contains a serializable, storable data element such as a field or member, but the data element contains member elements that are not serializable.

Singleton Class Instance Creation without Proper Locking or Synchronization

The product implements a Singleton design pattern but does not use appropriate locking or other synchronization mechanism to ensure that the singleton class is only in...

Source Code Element without Standard Prologue

The source code contains elements such as source files that do not consistently provide a prologue or header that has been standardized for the project.

Source Code File with Excessive Number of Lines of Code

A source code file has too many lines of code.

Static Member Data Element outside of a Singleton Class Element

The code contains a member element that is declared as static (but not final), in which its parent class element is not a singleton class - that is, a class...

Suspicious Comment

The code contains comments that suggest the presence of bugs, incomplete functionality, or weaknesses.

Synchronous Access of Remote Resource without Timeout

The code has a synchronous call to a remote resource, but there is no timeout for the call, or the timeout is set to infinite.

Unconditional Control Flow Transfer outside of Switch Block

The product performs unconditional control transfer (such as a "goto") in code outside of a branching structure such as a switch block.

Undefined Behavior for Input to API

The behavior of this function is undefined unless its control parameter is set to a specific value.

Use of Function with Inconsistent Implementations

The code uses a function that has inconsistent implementations across operating systems and versions.

Use of Hard-coded, Security-relevant Constants

The product uses hard-coded constants instead of symbolic names for security-critical values, which increases the likelihood of mistakes during code maintenance or sec...

Use of Object without Invoking Destructor Method

The product contains a method that accesses an object but does not later invoke the element's associated finalize/destructor method.

Use of Obsolete Function

The code uses deprecated or obsolete functions, which suggests that the code has not been actively reviewed or maintained.

Use of Platform-Dependent Third Party Components

The product relies on third-party components that do not provide equivalent functionality across all desirable platforms.

Use of Potentially Dangerous Function

The product invokes a potentially dangerous function that could introduce a vulnerability if it is used incorrectly, but the function can also be used safely.

Use of Prohibited Code

The product uses a function, library, or third party component that has been explicitly prohibited, whether by the developer or the customer.

Use of Redundant Code

The product has multiple functions, methods, procedures, macros, etc. that contain the same code.

Use of Same Invokable Control Element in Multiple Architectural Layers

The product uses the same control element across multiple architectural layers.

Use of Same Variable for Multiple Purposes

The code contains a callable, block, or other code element in which the same variable is used to control more than one unique task or store more than one ins...

Use of Unmaintained Third Party Components

The product relies on third-party components that are not actively supported or maintained by the original developer or a trusted proxy for the original deve...

Common Weakness Enumeration content on this website is copyright of The MITRE Corporation unless otherwise specified. Use of the Common Weakness Enumeration and the associated references on this website are subject to the Terms of Use as specified by The MITRE Corporation.