Inaccurate Comments

The source code contains comments that do not accurately describe or explain aspects of the portion of the code with which the comment is associated.

  • Source

    CWE Catalog - 4.14

  • Identifier

    CWE-1116

  • Status

    Incomplete

Contents

Description

When a comment does not accurately reflect the associated code elements, this can introduce confusion to a reviewer (due to inconsistencies) or make it more difficult and less efficient to validate that the code is implementing the intended behavior correctly.

This issue makes it more difficult to maintain the product, which indirectly affects security by making it more difficult or time-consuming to find and/or fix vulnerabilities. It also might make it easier to introduce vulnerabilities.

Demonstrations

The following examples help to illustrate the nature of this weakness and describe methods or techniques which can be used to mitigate the risk.

Note that the examples here are by no means exhaustive and any given weakness may have many subtle varieties, each of which may require different detection methods or runtime controls.

Example One

In the following Java example the code performs a calculation to determine how much medicine to administer. A comment is provided to give insight into what the calculation shoud be doing. Unfortunately the comment does not match the actual code and thus leaves the reader to wonder which is correct.

public class Main {

  public static void main(String[] args) {
    int pt_weight = 83;
    int mg_per_kg = 3;
    int daily_dose = 0;

    // Add the patient weight and Mg/Kg to calculate the correct daily dose
    daily_dose = pt_weight * mg_per_kg;
    return dosage;
  }
}

In the correction below, the code functionality has been verified, and the comment has been corrected to reflect the proper calculation.

public class Main {

  public static void main(String[] args) {
    int pt_weight = 83;
    int mg_per_kg = 3;
    int daily_dose = 0;

    // Multiply the patient weight and Mg/Kg to calculate the correct daily dose
    daily_dose = pt_weight * mg_per_kg;
    return dosage;
  }
}

Note that in real-world code, these values should be validated to disallow negative numbers, prevent integer overflow, etc.

See Also

Comprehensive Categorization: Poor Coding Practices

Weaknesses in this category are related to poor coding practices.

Bad Coding Practices

Weaknesses in this category are related to coding practices that are deemed unsafe and increase the chances that an exploitable vulnerability will be present in the ap...

Comprehensive CWE Dictionary

This view (slice) covers all the elements in CWE.

Quality Weaknesses with Indirect Security Impacts

CWE identifiers in this view (slice) are quality issues that only indirectly make it easier to introduce a vulnerability and/or make the vulnerability more difficult t...

Weakness Base Elements

This view (slice) displays only weakness base elements.

Common Weakness Enumeration content on this website is copyright of The MITRE Corporation unless otherwise specified. Use of the Common Weakness Enumeration and the associated references on this website are subject to the Terms of Use as specified by The MITRE Corporation.