7PK - Code Quality
A category in the Common Weakness Enumeration published by The MITRE Corporation.
Categories in the Common Weakness Enumeration (CWE) group entries based on some common characteristic or attribute.
This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that do not directly introduce a weakness or vulnerability, but indicate that the product has not been carefully developed or maintained. According to the authors of the Seven Pernicious Kingdoms, "Poor code quality leads to unpredictable behavior. From a user's perspective that often manifests itself as poor usability. For an adversary it provides an opportunity to stress the system in unexpected ways."
The product calls free() twice on the same memory address, potentially leading to modification of unexpected memory locations.
The program does not release or incorrectly releases a resource before it is made available for re-use.
The software does not sufficiently track and release allocated memory after it has been used, which slowly consumes remaining memory.
A NULL pointer dereference occurs when the application dereferences a pointer that it expects to be valid, but is NULL, typically causing a crash or exit.
The behavior of this function is undefined unless its control parameter is set to a specific value.
Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code.
The code uses a function that has inconsistent implementations across operating systems and versions.
The code uses deprecated or obsolete functions, which suggests that the code has not been actively reviewed or maintained.
The code uses a variable that has not been initialized, leading to unpredictable or unintended results.
This view (graph) organizes weaknesses using a hierarchical structure that is similar to that used by Seven Pernicious Kingdoms.
- Seven Pernicious Kingdoms: A Taxonomy of Software Security Errors
NIST Workshop on Software Security Assurance Tools Techniques and Metrics