CISQ Quality Measures (2016) - Reliability

The product reads or writes to a buffer using an index or pointer that references a memory location after the end of the buffer.

The product copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer, leading to a buf...

The code contains a class instance that calls the method or function to delete or destroy itself.

A class contains a virtual method, but the method does not have an associated virtual destructor.

The product is intended to manage data access through a particular data manager component such as a relational or non-SQL database, but it contains code that performs ...

The code contains a data element with a pointer that does not have an associated copy or constructor method.

Catching overly broad exceptions promotes complex error handling code that is more likely to contain security vulnerabilities.

Throwing overly broad exceptions promotes complex error handling code that is more likely to contain security vulnerabilities.

An invokable code block contains an exception handling block that does not contain any code, i.e. is empty.

The code performs a comparison such as an equality test between two float (floating point) values, but it uses comparison operators that do not account...

The product does not correctly convert an object, resource, or structure from one type to a different type.

The product initializes data using hard-coded values that act as network resource identifiers.

The code contains a function or method that operates in a multi-threaded environment but owns an unsafe non-final static storable or member d...

A named-callable or method control element has a signature that supports a variable (variadic) number of parameters or arguments.

The product does not initialize critical variables, which causes the execution environment to use unexpected values.

The product does not release a resource after its effective lifetime has ended, i.e., after the resource is no longer needed.

The product contains a serializable data element that does not have an associated serialization method.

The product contains modules in which one module has references that cycle back to itself, i.e., there are circular dependencies.

A parent class has a virtual destructor method, but the parent has a child class that does not have a virtual destructor.

The code has a parent class that contains references to a child class, its methods, or its members.

A parent class contains one or more child classes, but the parent class does not have a virtual destructor method.

The product uses a storable data element that does not have all of the associated functions or methods that are necessary to support comparison.

The product uses deployed components from application servers, but it also uses low-level functions/methods for management of resources, instead of the API provided by...

The product contains a serializable, storable data element such as a field or member, but the data element contains member elements that are not serializable.

The product implements a Singleton design pattern but does not use appropriate locking or other synchronization mechanism to ensure that the singleton class is only in...

The code has a synchronous call to a remote resource, but there is no timeout for the call, or the timeout is set to infinite.

The product does not check the return value from a method or function, which can prevent it from detecting unexpected states and conditions.

The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack.

This view outlines the most important software quality issues as identified by the Consortium for Information & Software Quality (CISQ) Automated Quality Characteristi...