7PK - Code Quality
A category (CWE-398) in the Common Weakness Enumeration published by The MITRE Corporation.
Summary
Categories in the Common Weakness Enumeration (CWE) group entries based on some common characteristic or attribute.
This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It groups weaknesses that do not by themselves introduce an exploitable vulnerability, but indicate that the product has not been carefully developed or maintained. According to the authors of the Seven Pernicious Kingdoms, "Poor code quality leads to unpredictable behavior. From a user's perspective that often manifests itself as poor usability. For an adversary it provides an opportunity to stress the system in unexpected ways."
Weaknesses
- CWE-415 (Double Free): The product calls free() twice on the same memory address, which corrupts the allocator's bookkeeping and can lead to modification of unexpected memory locations.
- CWE-404 (Improper Resource Shutdown or Release): The product does not release, or incorrectly releases, a resource before it is made available for re-use.
- CWE-401 (Missing Release of Memory after Effective Lifetime): The product does not sufficiently track and release allocated memory after it has been used, which slowly consumes the remaining memory.
- CWE-476 (NULL Pointer Dereference): The product dereferences a pointer that it expects to be valid but is NULL, typically causing a crash or exit.
- CWE-475 (Undefined Behavior for Input to API): The product calls a function whose behavior is undefined unless its control parameter is set to a specific value.
- CWE-416 (Use After Free): Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute attacker-controlled code.
- CWE-474 (Use of Function with Inconsistent Implementations): The code uses a function that has inconsistent implementations across operating systems and versions.
- CWE-477 (Use of Obsolete Function): The code uses deprecated or obsolete functions, which suggests that the code has not been actively reviewed or maintained.
- CWE-457 (Use of Uninitialized Variable): The code uses a variable that has not been initialized, leading to unpredictable or unintended results.
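Several of the weaknesses above tend to appear together in one routine, so the following added C example (not code from the CWE entry or from MITRE) shows them side by side: a deliberately vulnerable token setter, kept only for contrast and never executed, next to a hardened rewrite. The `session` structure, the `release()` helper and the 64-byte limit are invented for illustration.

```c
#define _POSIX_C_SOURCE 200809L   /* for strdup() in the vulnerable form */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical session object: the token is a heap buffer owned by the
 * session. Constructed for this example; not a real library type. */
struct session {
    char *token;
    size_t len;
};

/* VULNERABLE form, kept only for contrast and never called below.
 * In a few lines it exhibits several weaknesses from the list above:
 *  - strdup() may return NULL and is dereferenced anyway (CWE-476);
 *  - on the oversize path the token is freed but s->token still points
 *    at it, so the caller's next read is a use after free (CWE-416) and
 *    a later cleanup would free it a second time (CWE-415);
 *  - rc is returned without ever being assigned on the success path
 *    (CWE-457). */
int session_set_token_vulnerable(struct session *s, const char *tok)
{
    int rc;
    s->token = strdup(tok);
    s->len = strlen(s->token);
    if (s->len > 64) {
        free(s->token);
        rc = -1;
    }
    return rc;
}

/* Release *p exactly once and null it, so a repeated call is a harmless
 * no-op rather than a double free. Returns 1 if memory was released,
 * 0 if there was nothing to release. */
static int release(char **p)
{
    if (p == NULL || *p == NULL)
        return 0;
    free(*p);
    *p = NULL;
    return 1;
}

/* Hardened form: validate first, allocate second, and only then replace
 * the old token, so every path leaves the session in a consistent state.
 * Returns 0 on success, -1 on any failure (session left unchanged). */
int session_set_token(struct session *s, const char *tok, size_t max_len)
{
    if (s == NULL || tok == NULL)
        return -1;
    size_t n = strlen(tok);
    if (n > max_len)
        return -1;                 /* reject before touching any memory */
    char *copy = malloc(n + 1);
    if (copy == NULL)
        return -1;                 /* allocation failure is checked, not assumed away */
    memcpy(copy, tok, n + 1);
    release(&s->token);            /* previous token dropped exactly once */
    s->token = copy;
    s->len = n;
    return 0;
}

/* Release everything the session owns; safe to call more than once. */
void session_clear(struct session *s)
{
    if (s == NULL)
        return;
    release(&s->token);
    s->len = 0;
}

/* Exercises the hardened API and returns the number of failed checks. */
int self_check(void)
{
    int failures = 0;
    struct session s = { NULL, 0 };   /* initialized, never read uninitialized */

    if (session_set_token(&s, "abc", 8) != 0 || s.len != 3 ||
        strcmp(s.token, "abc") != 0)
        failures++;
    /* an oversize token is rejected and the old token survives intact */
    if (session_set_token(&s, "far-too-long-token", 8) != -1 ||
        strcmp(s.token, "abc") != 0)
        failures++;
    /* replacing the token releases the old one, so nothing leaks (CWE-401) */
    if (session_set_token(&s, "xyz", 8) != 0 || strcmp(s.token, "xyz") != 0)
        failures++;
    /* clearing twice is safe: the second release finds nothing to free */
    session_clear(&s);
    if (s.token != NULL || release(&s.token) != 0)
        failures++;
    session_clear(&s);
    return failures;
}

int main(void)
{
    int failures = self_check();
    printf("%s (%d failed checks)\n", failures == 0 ? "ok" : "FAIL", failures);
    return failures == 0 ? 0 : 1;
}
```

The design point is ownership discipline: every heap pointer has exactly one owner, the owner nulls it when it releases it, and failure paths return before any state is modified. Running the hardened form under AddressSanitizer or Valgrind is the cheap check that none of the listed weaknesses crept back in.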
Concepts
- Seven Pernicious Kingdoms (view CWE-700): this view (graph) organizes weaknesses using a hierarchical structure similar to that used by the Seven Pernicious Kingdoms taxonomy; this category is one of its phyla.
See Also
- Katrina Tsipenyuk, Brian Chess, Gary McGraw. Seven Pernicious Kingdoms: A Taxonomy of Software Security Errors. NIST Workshop on Software Security Assurance Tools, Techniques and Metrics, 2005.
Common Weakness Enumeration content on this website is copyright of The MITRE Corporation unless otherwise specified. Use of the Common Weakness Enumeration and the associated references on this website is subject to the Terms of Use as specified by The MITRE Corporation.