CISQ Quality Measures - Reliability
A category in the Common Weakness Enumeration published by The MITRE Corporation.
Categories in the Common Weakness Enumeration (CWE) group entries based on some common characteristic or attribute.
Weaknesses in this category are related to the CISQ Quality Measures for Reliability. Presence of these weaknesses could reduce the reliability of the software.
The code contains a class instance that calls the method or function to delete or destroy itself.
A class contains a virtual method, but the method does not have an associated virtual destructor.
The program compares object references instead of the contents of the objects themselves, preventing it from detecting equivalent objects.
The software is intended to manage data access through a particular data manager component such as a relational or non-SQL database, but it contains code that performs...
The code contains a data element with a pointer that does not have an associated copy or constructor method.
The software detects a specific error, but takes no actions to handle the error.
The code performs a comparison such as an equality test between two float (floating point) values, but it uses comparison operators that do not account...
The software does not properly anticipate or handle exceptional conditions that rarely occur during normal operation of the software.
The software does not initialize or incorrectly initializes a resource, which might leave the resource in an unexpected state when it is accessed or used.
The software does not terminate or incorrectly terminates a string or array with a null character or equivalent terminator.
The product does not sufficiently protect all possible paths that a user can take to access restricted functionality or resources.
The program does not release or incorrectly releases a resource before it is made available for re-use.
The software performs operations on a memory buffer, but it can read from or write to a memory location that is outside of the intended boundary of the buffer.
The software utilizes multiple threads or processes to allow temporary access to a shared resource that can only be exclusive to one process at a time, but it does not...
The software does not properly "clean up" and remove temporary or supporting resources after they have been used.
The software performs a calculation that generates incorrect or unintended results that are later used in security-critical decisions or resource management.
When converting from one data type to another, such as long to integer, data can be omitted or translated in a way that produces unexpected values. If the resulting va...
The software does not correctly convert an object, resource, or structure from one type to a different type.
The software initializes data using hard-coded values that act as network resource identifiers.
The program contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop.
The software contains a serializable data element that does not have an associated serialization method.
A NULL pointer dereference occurs when the application dereferences a pointer that it expects to be valid, but is NULL, typically causing a crash or exit.
The program omits a break statement within a switch or similar construct, causing code associated with multiple conditions to execute. This can cause problems when the...
The software uses, accesses, or otherwise operates on a resource after that resource has been expired, released, or revoked.
A parent class has a virtual destructor method, but the parent has a child class that does not have a virtual destructor.
A parent class contains one or more child classes, but the parent class does not have a virtual destructor method.
The software uses an API function, data structure, or other entity in a way that relies on properties that are not always guaranteed to hold for that entity.
A function returns the address of a stack variable, which will cause unintended program behavior, typically in the form of a crash.
The software contains a serializable, storable data element such as a field or member, but the data element contains member elements that are not serializable.
The code has a synchronous call to a remote resource, but there is no timeout for the call, or the timeout is set to infinite.
The software does not check the return value from a method or function, which can prevent it from detecting unexpected states and conditions.
The software does not properly check when a function or operation returns a value that is legitimate for the function, but is not expected by the software.
The programmer accidentally uses the wrong operator, which changes the application logic in security-relevant ways.
The software uses or accesses a resource that has not been initialized.
This view outlines the most important software quality issues as identified by the Consortium for Information & Software Quality (CISQ) Automated Quality Characteristi...
- Automated Source Code Quality Measures
Consortium for Information & Software Quality (CISQ)