Policy Impact of CWE 3.2

In June 2019, Veracode will support version 3.2 of the MITRE CWE list. With CWE 3.2, additional findings will impact some of the security standards that you can apply to application policies in the Veracode Platform.

For the full list of CWEs that can cause an application to fail a policy rule that requires the application to meet a security standard, see CWEs that violate security standards.

OWASP 2017

With support for CWE 3.2, policies configured to meet the OWASP 2017 security standard in the Veracode Platform will disallow the following CWE:
  • 117: Improper Output Neutralization for Logs

CERT

With support for CWE 3.2, policies configured to meet the CERT security standard in the Veracode Platform will disallow the following CWEs:
  • 117: Improper Output Neutralization for Logs
  • 121: Stack-based Buffer Overflow
  • 122: Heap-based Buffer Overflow
  • 123: Write-what-where Condition
  • 125: Out-of-bounds Read
  • 191: Integer Underflow (Wrap or Wraparound)
  • 194: Unexpected Sign Extension
  • 195: Signed to Unsigned Conversion Error
  • 227: 7PK - API Abuse
  • 253: Incorrect Check of Function Return Value
  • 327: Use of a Broken or Risky Cryptographic Algorithm
  • 331: Insufficient Entropy
  • 338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
  • 456: Missing Initialization of a Variable
  • 481: Assigning instead of Comparing
  • 664: Improper Control of a Resource Through its Lifetime
  • 666: Operation on Resource in Wrong Phase of Lifetime
  • 672: Operation on a Resource after Expiration or Release
  • 680: Integer Overflow to Buffer Overflow
  • 685: Function Call With Incorrect Number of Arguments
  • 758: Reliance on Undefined, Unspecified, or Implementation-Defined Behavior
  • 762: Mismatched Memory Management Routines
  • 771: Missing Reference to Active Allocated Resource
  • 772: Missing Release of Resource after Effective Lifetime
  • 773: Missing Reference to Active File Descriptor or Handle
  • 775: Missing Release of File Descriptor or Handle after Effective Lifetime
  • 786: Access of Memory Location Before Start of Buffer
  • 789: Uncontrolled Memory Allocation
  • 843: Access of Resource Using Incompatible Type ('Type Confusion')
  • 908: Use of Uninitialized Resource
  • 910: Use of Expired File Descriptor