Appendix: CWEs That Violate Security Standards

This appendix lists all the CWEs that violate the security standards you can apply to your policies in the Veracode Platform. It also indicates which CWEs are supported by Veracode Static Analysis as well as DynamicDS, DynamicMP, and Dynamic Analysis. Veracode Manual Penetration Testing scans may report any valid CWE, including those not listed here.

OWASP 2017

This table lists all the CWEs that may cause an application to fail a policy that includes an OWASP 2017 policy rule.

| CWE ID | CWE Name | Static Support | Dynamic Support | Veracode Severity |
|---|---|---|---|---|
| 5 | J2EE Misconfiguration: Data Transmission Without Encryption | | | |
| 9 | J2EE Misconfiguration: Weak Access Permissions for EJB Methods | | | |
| 13 | ASP.NET Misconfiguration: Password in Configuration File | | | |
| 16 | Configuration | | X | 0 - Informational |
| 22 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') | X | X | 3 - Medium |
| 23 | Relative Path Traversal | | | |
| 24 | Path Traversal: '../filedir' | | | |
| 25 | Path Traversal: '/../filedir' | | | |
| 26 | Path Traversal: '/dir/../filename' | | | |
| 27 | Path Traversal: 'dir/../../filename' | | | |
| 28 | Path Traversal: '..\filedir' | | | |
| 29 | Path Traversal: '\..\filename' | | | |
| 30 | Path Traversal: '\dir\..\filename' | | | |
| 31 | Path Traversal: 'dir\..\..\filename' | | | |
| 32 | Path Traversal: '...' (Triple Dot) | | | |
| 33 | Path Traversal: '....' (Multiple Dot) | | | |
| 34 | Path Traversal: '....//' | | | |
| 35 | Path Traversal: '.../...//' | | | |
| 36 | Absolute Path Traversal | | | |
| 37 | Path Traversal: '/absolute/pathname/here' | | | |
| 38 | Path Traversal: '\absolute\pathname\here' | | | |
| 39 | Path Traversal: 'C:dirname' | | | |
| 40 | Path Traversal: '\\UNC\share\name\' (Windows UNC Share) | | | |
| 74 | Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') | | | |
| 75 | Failure to Sanitize Special Elements into a Different Plane (Special Element Injection) | | | |
| 76 | Improper Neutralization of Equivalent Special Elements | | | |
| 77 | Improper Neutralization of Special Elements used in a Command ('Command Injection') | X | | 5 - Very High |
| 78 | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') | X | X | 5 - Very High |
| 79 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | | X | 3 - Medium |
| 80 | Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) | X | X | 3 - Medium |
| 81 | Improper Neutralization of Script in an Error Message Web Page | | | |
| 82 | Improper Neutralization of Script in Attributes of IMG Tags in a Web Page | | | |
| 83 | Improper Neutralization of Script in Attributes in a Web Page | | X | 3 - Medium |
| 84 | Improper Neutralization of Encoded URI Schemes in a Web Page | | | |
| 85 | Doubled Character XSS Manipulations | | | |
| 86 | Improper Neutralization of Invalid Characters in Identifiers in Web Pages | X | | 3 - Medium |
| 87 | Improper Neutralization of Alternate XSS Syntax | | | |
| 88 | Argument Injection or Modification | X | | 3 - Medium |
| 89 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | X | X | 4 - High |
| 90 | Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection') | X | | 3 - Medium |
| 91 | XML Injection (aka Blind XPath Injection) | X | | 3 - Medium |
| 93 | Improper Neutralization of CRLF Sequences ('CRLF Injection') | X | | 3 - Medium |
| 94 | Improper Control of Generation of Code ('Code Injection') | X | | 3 - Medium |
| 95 | Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') | X | | 5 - Very High |
| 96 | Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection') | | | |
| 97 | Improper Neutralization of Server-Side Includes (SSI) Within a Web Page | | | |
| 98 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') | X | X | 4 - High |
| 99 | Improper Control of Resource Identifiers ('Resource Injection') | X | | 3 - Medium |
| 102 | Struts: Duplicate Validation Forms | | | |
| 113 | Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting') | X | X | 3 - Medium |
| 117 | Improper Output Neutralization for Logs | X | | 3 - Medium |
| 202 | Exposure of Sensitive Data Through Data Queries | | | |
| 209 | Information Exposure Through an Error Message | X | X | 2 - Low |
| 210 | Information Exposure Through Self-generated Error Message | | | |
| 211 | Information Exposure Through Externally-Generated Error Message | | | |
| 219 | Sensitive Data Under Web Root | | | |
| 220 | Sensitive Data Under FTP Root | | | |
| 223 | Omission of Security-relevant Information | X | | 2 - Low |
| 256 | Unprotected Storage of Credentials | X | | 3 - Medium |
| 257 | Storing Passwords in a Recoverable Format | | | |
| 258 | Empty Password in Configuration File | | | |
| 259 | Use of Hard-coded Password | X | X | 3 - Medium |
| 260 | Password in Configuration File | | | |
| 261 | Weak Cryptography for Passwords | X | | 3 - Medium |
| 262 | Not Using Password Aging | | | |
| 263 | Password Aging with Long Expiration | | | |
| 266 | Incorrect Privilege Assignment | | | |
| 267 | Privilege Defined With Unsafe Actions | | | |
| 268 | Privilege Chaining | | | |
| 269 | Improper Privilege Management | | | |
| 270 | Privilege Context Switching Error | | | |
| 271 | Privilege Dropping / Lowering Errors | | | |
| 272 | Least Privilege Violation | X | | 3 - Medium |
| 276 | Incorrect Default Permissions | | | |
| 277 | Insecure Inherited Permissions | | | |
| 278 | Insecure Preserved Inherited Permissions | | | |
| 279 | Incorrect Execution-Assigned Permissions | | | |
| 281 | Improper Preservation of Permissions | | | |
| 282 | Improper Ownership Management | | | |
| 283 | Unverified Ownership | | | |
| 284 | Improper Access Control | | | |
| 285 | Improper Authorization | X | X | 3 - Medium |
| 286 | Incorrect User Management | | | |
| 287 | Improper Authentication | | | |
| 288 | Authentication Bypass Using an Alternate Path or Channel | | | |
| 289 | Authentication Bypass by Alternate Name | | | |
| 290 | Authentication Bypass by Spoofing | | | |
| 291 | Reliance on IP Address for Authentication | | | |
| 293 | Using Referer Field for Authentication | | | |
| 294 | Authentication Bypass by Capture-replay | | | |
| 295 | Improper Certificate Validation | X | | 3 - Medium |
| 296 | Improper Following of a Certificate's Chain of Trust | X | X | 3 - Medium |
| 297 | Improper Validation of Certificate with Host Mismatch | X | X | 3 - Medium |
| 298 | Improper Validation of Certificate Expiration | | X | 3 - Medium |
| 299 | Improper Check for Certificate Revocation | | X | 3 - Medium |
| 300 | Channel Accessible by Non-Endpoint ('Man-in-the-Middle') | | | |
| 301 | Reflection Attack in an Authentication Protocol | | | |
| 302 | Authentication Bypass by Assumed-Immutable Data | | | |
| 303 | Incorrect Implementation of Authentication Algorithm | | | |
| 305 | Authentication Bypass by Primary Weakness | | | |
| 306 | Missing Authentication for Critical Function | | | |
| 307 | Improper Restriction of Excessive Authentication Attempts | | | |
| 308 | Use of Single-factor Authentication | | | |
| 309 | Use of Password System for Primary Authentication | | | |
| 311 | Missing Encryption of Sensitive Data | X | | 3 - Medium |
| 312 | Cleartext Storage of Sensitive Information | X | | 3 - Medium |
| 313 | Cleartext Storage in a File or on Disk | X | | 3 - Medium |
| 314 | Cleartext Storage in the Registry | | | |
| 315 | Cleartext Storage of Sensitive Information in a Cookie | | | |
| 316 | Cleartext Storage of Sensitive Information in Memory | X | | 3 - Medium |
| 317 | Cleartext Storage of Sensitive Information in GUI | | | |
| 318 | Cleartext Storage of Sensitive Information in Executable | | | |
| 319 | Cleartext Transmission of Sensitive Information | | | |
| 320 | Key Management Errors | | | |
| 321 | Use of Hard-coded Cryptographic Key | X | X | 3 - Medium |
| 322 | Key Exchange without Entity Authentication | | | |
| 325 | Missing Required Cryptographic Step | | | |
| 326 | Inadequate Encryption Strength | X | X | 3 - Medium |
| 327 | Use of a Broken or Risky Cryptographic Algorithm | X | X | 3 - Medium |
| 328 | Reversible One-Way Hash | | | |
| 350 | Reliance on Reverse DNS Resolution for a Security-Critical Action | X | | 3 - Medium |
| 359 | Exposure of Private Information ('Privacy Violation') | X | | 2 - Low |
| 370 | Missing Check for Certificate Revocation after Initial Check | | | |
| 384 | Session Fixation | X | X | 3 - Medium |
| 419 | Unprotected Primary Channel | | | |
| 420 | Unprotected Alternate Channel | | | |
| 421 | Race Condition During Access to Alternate Channel | X | | 3 - Medium |
| 422 | Unprotected Windows Messaging Channel ('Shatter') | | | |
| 425 | Direct Request ('Forced Browsing') | | | |
| 433 | Unparsed Raw Web Content Delivery | | | |
| 462 | Duplicate Key in Associative List (Alist) | | | |
| 502 | Deserialization of Untrusted Data | X | | 3 - Medium |
| 520 | .NET Misconfiguration: Use of Impersonation | | | |
| 521 | Weak Password Requirements | | | |
| 522 | Insufficiently Protected Credentials | X | X | 3 - Medium |
| 523 | Unprotected Transport of Credentials | | | |
| 535 | Information Exposure Through Shell Error Message | | | |
| 536 | Information Exposure Through Servlet Runtime Error Message | | | |
| 537 | Information Exposure Through Java Runtime Error Message | | | |
| 548 | Information Exposure Through Directory Listing | | X | 2 - Low |
| 549 | Missing Password Field Masking | | | |
| 550 | Information Exposure Through Server Error Message | | | |
| 551 | Incorrect Behavior Order: Authorization Before Parsing and Canonicalization | | | |
| 555 | J2EE Misconfiguration: Plaintext Password in Configuration File | | | |
| 556 | ASP.NET Misconfiguration: Use of Identity Impersonation | | | |
| 564 | SQL Injection: Hibernate | X | | 4 - High |
| 566 | Authorization Bypass Through User-Controlled SQL Primary Key | X | | 3 - Medium |
| 599 | Missing Validation of OpenSSL Certificate | | | |
| 611 | Improper Restriction of XML External Entity Reference ('XXE') | X | X | 3 - Medium |
| 613 | Insufficient Session Expiration | | | |
| 614 | Sensitive Cookie in HTTPS Session Without 'Secure' Attribute | X | X | 2 - Low |
| 620 | Unverified Password Change | | | |
| 621 | Variable Extraction Error | | | |
| 623 | Unsafe ActiveX Control Marked Safe For Scripting | | | |
| 624 | Executable Regular Expression Error | | | |
| 627 | Dynamic Variable Evaluation | | | |
| 639 | Authorization Bypass Through User-Controlled Key | X | | 4 - High |
| 640 | Weak Password Recovery Mechanism for Forgotten Password | | | |
| 641 | Improper Restriction of Names for Files and Other Resources | | | |
| 643 | Improper Neutralization of Data within XPath Expressions ('XPath Injection') | | | |
| 645 | Overly Restrictive Account Lockout Mechanism | | | |
| 647 | Use of Non-Canonical URL Paths for Authorization Decisions | | | |
| 648 | Incorrect Use of Privileged APIs | | | |
| 652 | Improper Neutralization of Data within XQuery Expressions ('XQuery Injection') | | | |
| 689 | Permission Race Condition During Resource Copy | | | |
| 692 | Incomplete Blacklist to Cross-Site Scripting | | | |
| 694 | Use of Multiple Resources with Duplicate Identifier | | | |
| 708 | Incorrect Ownership Assignment | X | | 4 - High |
| 732 | Incorrect Permission Assignment for Critical Resource | X | | 3 - Medium |
| 759 | Use of a One-Way Hash without a Salt | | | |
| 760 | Use of a One-Way Hash with a Predictable Salt | X | | 3 - Medium |
| 776 | Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion') | | | |
| 778 | Insufficient Logging | | | |
| 780 | Use of RSA Algorithm without OAEP | X | | 3 - Medium |
| 798 | Use of Hard-coded Credentials | X | | 3 - Medium |
| 804 | Guessable CAPTCHA | | | |
| 836 | Use of Password Hash Instead of Password for Authentication | | | |
| 842 | Placement of User into Incorrect Group | | | |
| 862 | Missing Authorization | | | |
| 863 | Incorrect Authorization | | | |
| 914 | Improper Control of Dynamically-Identified Variables | | | |
| 916 | Use of Password Hash With Insufficient Computational Effort | X | | 3 - Medium |
| 917 | Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection') | | | |
| 923 | Improper Restriction of Communication Channel to Intended Endpoints | | | |
| 925 | Improper Verification of Intent by Broadcast Receiver | | | |
| 926 | Improper Export of Android Application Components | | | |
| 927 | Use of Implicit Intent for Sensitive Communication | | | |
| 939 | Improper Authorization in Handler for Custom URL Scheme | | | |
| 940 | Improper Verification of Source of a Communication Channel | | | |
| 941 | Incorrectly Specified Destination in a Communication Channel | | | |
| 942 | Overly Permissive Cross-domain Whitelist | | X | 3 - Medium |
| 943 | Improper Neutralization of Special Elements in Data Query Logic | X | | 4 - High |
| 1004 | Sensitive Cookie Without 'HttpOnly' Flag | | | |
| 1022 | Use of Web Link to Untrusted Target with window.opener Access | | | |

OWASP Mobile

This table lists all the CWEs that may cause an application to fail a policy that includes an OWASP Mobile policy rule.

| CWE ID | CWE Name | Android Support | iOS Support | Veracode Severity |
|---|---|---|---|---|
| 15 | External Control of System or Configuration Setting | X | | 4 - High |
| 73 | External Control of File Name or Path | X | X | 3 - Medium |
| 89 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | X | | 4 - High |
| 114 | Process Control | X | | 5 - Very High |
| 201 | Information Exposure Through Sent Data | X | | 2 - Low |
| 209 | Information Exposure Through an Error Message | X | | 2 - Low |
| 215 | Information Exposure Through Debug Information | X | | 2 - Low |
| 242 | Use of Inherently Dangerous Function | X | X | 5 - Very High |
| 256 | Unprotected Storage of Credentials | X | | 3 - Medium |
| 259 | Use of Hard-coded Password | X | | 3 - Medium |
| 296 | Improper Following of a Certificate's Chain of Trust | | | |
| 297 | Improper Validation of Certificate with Host Mismatch | X | X | 3 - Medium |
| 311 | Missing Encryption of Sensitive Data | X | | 3 - Medium |
| 312 | Cleartext Storage of Sensitive Information | | X | 3 - Medium |
| 313 | Cleartext Storage in a File or on Disk | X | | 3 - Medium |
| 316 | Cleartext Storage of Sensitive Information in Memory | X | | 3 - Medium |
| 321 | Use of Hard-coded Cryptographic Key | X | | 3 - Medium |
| 326 | Inadequate Encryption Strength | X | X | 3 - Medium |
| 327 | Use of a Broken or Risky Cryptographic Algorithm | X | | 3 - Medium |
| 329 | Not Using a Random IV with CBC Mode | X | | 2 - Low |
| 331 | Insufficient Entropy | X | X | 3 - Medium |
| 347 | Improper Verification of Cryptographic Signature | X | | 2 - Low |
| 354 | Improper Validation of Integrity Check Value | X | | 3 - Medium |
| 377 | Insecure Temporary File | X | | 3 - Medium |
| 378 | Creation of Temporary File With Insecure Permissions | X | | 3 - Medium |
| 391 | Unchecked Error Condition | X | X | 2 - Low |
| 470 | Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') | X | | 3 - Medium |
| 489 | Leftover Debug Code | X | | 3 - Medium |
| 497 | Exposure of System Data to an Unauthorized Control Sphere | X | | 2 - Low |
| 501 | Trust Boundary Violation | X | | 3 - Medium |
| 506 | Embedded Malicious Code | X | | 4 - High |
| 511 | Logic/Time Bomb | X | | 5 - Very High |
| 514 | Covert Channel | X | | 2 - Low |
| 522 | Insufficiently Protected Credentials | | | |
| 732 | Incorrect Permission Assignment for Critical Resource | X | | 3 - Medium |
| 798 | Use of Hard-coded Credentials | X | | 3 - Medium |

SANS

This table lists all the CWEs that may cause the application to fail a policy that includes a SANS Top 25 policy rule.

| CWE ID | CWE Name | Static Support | Dynamic Support | Veracode Severity |
|---|---|---|---|---|
| 22 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') | X | X | 3 - Medium |
| 78 | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') | X | X | 5 - Very High |
| 79 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | X | X | 3 - Medium |
| 89 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | X | X | 4 - High |
| 120 | Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') | | | |
| 131 | Incorrect Calculation of Buffer Size | | | |
| 134 | Use of Externally-Controlled Format String | | | |
| 190 | Integer Overflow or Wraparound | X | | 5 - Very High |
| 250 | Execution with Unnecessary Privileges | | | |
| 306 | Missing Authentication for Critical Function | | | |
| 307 | Improper Restriction of Excessive Authentication Attempts | | | |
| 311 | Missing Encryption of Sensitive Data | X | X | 3 - Medium |
| 327 | Use of a Broken or Risky Cryptographic Algorithm | X | X | 3 - Medium |
| 352 | Cross-Site Request Forgery (CSRF) | X | X | 3 - Medium |
| 434 | Unrestricted Upload of File with Dangerous Type | | X | 4 - High |
| 494 | Download of Code Without Integrity Check | X | | 5 - Very High |
| 601 | URL Redirection to Untrusted Site ('Open Redirect') | X | X | 3 - Medium |
| 676 | Use of Potentially Dangerous Function | X | | 3 - Medium |
| 732 | Incorrect Permission Assignment for Critical Resource | X | | 3 - Medium |
| 759 | Use of a One-Way Hash without a Salt | | | |
| 798 | Use of Hard-coded Credentials | X | | 3 - Medium |
| 807 | Reliance on Untrusted Inputs in a Security Decision | | | |
| 829 | Inclusion of Functionality from Untrusted Control Sphere | X | X | 3 - Medium |
| 862 | Missing Authorization | | | |
| 863 | Incorrect Authorization | | | |

CERT

This table lists all the CWEs that may cause the application to fail a policy that includes a CERT policy rule.

| CWE ID | CWE Name | Static Support | Dynamic Support | Veracode Severity |
|---|---|---|---|---|
| 14 | Compiler Removal of Code to Clear Buffers | | | |
| 20 | Improper Input Validation | | | |
| 22 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') | X | X | 3 - Medium |
| 37 | Path Traversal: '/absolute/pathname/here' | | | |
| 38 | Path Traversal: '\absolute\pathname\here' | | | |
| 39 | Path Traversal: 'C:dirname' | | | |
| 41 | Improper Resolution of Path Equivalence | | | |
| 59 | Improper Link Resolution Before File Access ('Link Following') | | | |
| 62 | UNIX Hard Link | | | |
| 64 | Windows Shortcut Following (.LNK) | | | |
| 65 | Windows Hard Link | | | |
| 67 | Improper Handling of Windows Device Names | | | |
| 78 | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') | X | X | 5 - Very High |
| 88 | Argument Injection or Modification | X | | 3 - Medium |
| 111 | Direct Use of Unsafe JNI | X | | 4 - High |
| 116 | Improper Encoding or Escaping of Output | | | |
| 117 | Improper Output Neutralization for Logs | X | | 3 - Medium |
| 119 | Improper Restriction of Operations within the Bounds of a Memory Buffer | | | |
| 120 | Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') | | | |
| 121 | Stack-based Buffer Overflow | X | | 5 - Very High |
| 122 | Heap-based Buffer Overflow | | | |
| 123 | Write-what-where Condition | | | |
| 125 | Out-of-bounds Read | X | | 3 - Medium |
| 128 | Wrap-around Error | | | |
| 129 | Improper Validation of Array Index | X | | 3 - Medium |
| 131 | Incorrect Calculation of Buffer Size | | | |
| 134 | Use of Externally-Controlled Format String | | | |
| 135 | Incorrect Calculation of Multi-Byte String Length | X | | 5 - Very High |
| 144 | Improper Neutralization of Line Delimiters | | | |
| 150 | Improper Neutralization of Escape, Meta, or Control Sequences | | | |
| 170 | Improper Null Termination | X | | 3 - Medium |
| 171 | Cleansing, Canonicalization, and Comparison Errors | | | |
| 176 | Improper Handling of Unicode Encoding | | | |
| 180 | Incorrect Behavior Order: Validate Before Canonicalize | | | |
| 182 | Collapse of Data into Unsafe Value | | | |
| 190 | Integer Overflow or Wraparound | X | | 5 - Very High |
| 191 | Integer Underflow (Wrap or Wraparound) | X | | 3 - Medium |
| 192 | Integer Coercion Error | X | | 3 - Medium |
| 193 | Off-by-one Error | X | | 3 - Medium |
| 194 | Unexpected Sign Extension | | | |
| 195 | Signed to Unsigned Conversion Error | X | | 3 - Medium |
| 197 | Numeric Truncation Error | X | | 3 - Medium |
| 198 | Use of Incorrect Byte Ordering | | | |
| 209 | Information Exposure Through an Error Message | X | X | 2 - Low |
| 226 | Sensitive Information Uncleared Before Release | | | |
| 227 | 7PK - API Abuse | | | |
| 230 | Improper Handling of Missing Values | | | |
| 232 | Improper Handling of Undefined Values | | | |
| 241 | Improper Handling of Unexpected Data Type | | | |
| 242 | Use of Inherently Dangerous Function | X | | 5 - Very High |
| 244 | Improper Clearing of Heap Memory Before Release ('Heap Inspection') | | | |
| 248 | Uncaught Exception | X | | 2 - Low |
| 250 | Execution with Unnecessary Privileges | | | |
| 252 | Unchecked Return Value | X | | 2 - Low |
| 253 | Incorrect Check of Function Return Value | | | |
| 259 | Use of Hard-coded Password | X | X | 3 - Medium |
| 266 | Incorrect Privilege Assignment | | | |
| 272 | Least Privilege Violation | X | | 3 - Medium |
| 273 | Improper Check for Dropped Privileges | | | |
| 276 | Incorrect Default Permissions | | | |
| 279 | Incorrect Execution-Assigned Permissions | | | |
| 289 | Authentication Bypass by Alternate Name | | | |
| 300 | Channel Accessible by Non-Endpoint ('Man-in-the-Middle') | | | |
| 302 | Authentication Bypass by Assumed-Immutable Data | | | |
| 311 | Missing Encryption of Sensitive Data | X | | 3 - Medium |
| 319 | Cleartext Transmission of Sensitive Information | | | |
| 327 | Use of a Broken or Risky Cryptographic Algorithm | | | |
| 330 | Use of Insufficiently Random Values | X | | 3 - Medium |
| 331 | Insufficient Entropy | X | | 3 - Medium |
| 332 | Insufficient Entropy in PRNG | | | |
| 333 | Improper Handling of Insufficient Entropy in TRNG | | | |
| 336 | Same Seed in Pseudo-Random Number Generator (PRNG) | | | |
| 337 | Predictable Seed in Pseudo-Random Number Generator (PRNG) | | | |
| 338 | Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) | X | | 3 - Medium |
| 347 | Improper Verification of Cryptographic Signature | X | | 2 - Low |
| 349 | Acceptance of Extraneous Untrusted Data With Trusted Data | | | |
| 359 | Exposure of Private Information ('Privacy Violation') | X | | 2 - Low |
| 362 | Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') | | | |
| 363 | Race Condition Enabling Link Following | | | |
| 366 | Race Condition within a Thread | X | | 3 - Medium |
| 367 | Time-of-check Time-of-use (TOCTOU) Race Condition | X | | 3 - Medium |
| 369 | Divide By Zero | | | |
| 374 | Passing Mutable Objects to an Untrusted Method | | | |
| 375 | Returning a Mutable Object to an Untrusted Caller | | | |
| 377 | Insecure Temporary File | X | | 3 - Medium |
| 379 | Creation of Temporary File in Directory with Incorrect Permissions | | | |
| 382 | J2EE Bad Practices: Use of System.exit() | X | | 2 - Low |
| 390 | Detection of Error Condition Without Action | | | |
| 391 | Unchecked Error Condition | X | | 2 - Low |
| 392 | Missing Report of Error Condition | | | |
| 395 | Use of NullPointerException Catch to Detect NULL Pointer Dereference | | | |
| 397 | Declaration of Throws for Generic Exception | | | |
| 400 | Uncontrolled Resource Consumption | | | |
| 401 | Improper Release of Memory Before Removing Last Reference | X | | 2 - Low |
| 403 | Exposure of File Descriptor to Unintended Control Sphere ('File Descriptor Leak') | | | |
| 404 | Improper Resource Shutdown or Release | X | | 2 - Low |
| 405 | Asymmetric Resource Consumption (Amplification) | | | |
| 409 | Improper Handling of Highly Compressed Data (Data Amplification) | | | |
| 410 | Insufficient Resource Pool | | | |
| 412 | Unrestricted Externally Accessible Lock | | | |
| 413 | Improper Resource Locking | | | |
| 415 | Double Free | X | | 3 - Medium |
| 416 | Use After Free | X | | 2 - Low |
| 426 | Untrusted Search Path | X | | 3 - Medium |
| 456 | Missing Initialization of a Variable | | | |
| 459 | Incomplete Cleanup | | | |
| 460 | Improper Cleanup on Thrown Exception | | | |
| 462 | Duplicate Key in Associative List (Alist) | | | |
| 464 | Addition of Data Structure Sentinel | | | |
| 466 | Return of Pointer Value Outside of Expected Range | | | |
| 467 | Use of sizeof() on a Pointer Type | | | |
| 468 | Incorrect Pointer Scaling | | | |
| 469 | Use of Pointer Subtraction to Determine Size | | | |
| 470 | Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') | X | | 3 - Medium |
| 476 | NULL Pointer Dereference | | | |
| 479 | Signal Handler Use of a Non-reentrant Function | X | | 3 - Medium |
| 480 | Use of Incorrect Operator | | | |
| 481 | Assigning instead of Comparing | | | |
| 482 | Comparing instead of Assigning | | | |
| 486 | Comparison of Classes by Name | | | |
| 487 | Reliance on Package-level Scope | | | |
| 491 | Public cloneable() Method Without Final ('Object Hijack') | | | |
| 492 | Use of Inner Class Containing Sensitive Data | | | |
| 493 | Critical Public Variable Without Final Modifier | | | |
| 494 | Download of Code Without Integrity Check | | | |
| 497 | Exposure of System Data to an Unauthorized Control Sphere | X | | 2 - Low |
| 498 | Cloneable Class Containing Sensitive Information | | | |
| 499 | Serializable Class Containing Sensitive Data | | | |
| 500 | Public Static Field Not Marked Final | | | |
| 502 | Deserialization of Untrusted Data | X | | 3 - Medium |
| 528 | Exposure of Core Dump File to an Unauthorized Control Sphere | | | |
| 532 | Information Exposure Through Log Files | | | |
| 543 | Use of Singleton Pattern Without Synchronization in a Multithreaded Context | | | |
| 544 | Missing Standardized Error Handling Mechanism | | | |
| 547 | Use of Hard-coded, Security-relevant Constants | X | | 3 - Medium |
| 552 | Files or Directories Accessible to External Parties | | | |
| 561 | Dead Code | | | |
| 562 | Return of Stack Variable Address | | | |
| 563 | Assignment to Variable without Use | | | |
| 567 | Unsynchronized Access to Shared Data in a Multithreaded Context | | | |
| 568 | finalize() Method Without super.finalize() | | | |
| 570 | Expression is Always False | | | |
| 571 | Expression is Always True | | | |
| 572 | Call to Thread run() instead of start() | | | |
| 573 | Improper Following of Specification by Caller | | | |
| 581 | Object Model Violation: Just One of Equals and Hashcode Defined | | | |
| 582 | Array Declared Public, Final, and Static | | | |
| 583 | finalize() Method Declared Public | | | |
| 584 | Return Inside Finally Block | | | |
| 586 | Explicit Call to Finalize() | | | |
| 587 | Assignment of a Fixed Address to a Pointer | | | |
| 589 | Call to Non-ubiquitous API | | | |
| 590 | Free of Memory not on the Heap | | | |
| 591 | Sensitive Data Storage in Improperly Locked Memory | | | |
| 595 | Comparison of Object References Instead of Object Contents | | | |
| 597 | Use of Wrong Operator in String Comparison | X | | 2 - Low |
| 600 | Uncaught Exception in Servlet | | | |
| 606 | Unchecked Input for Loop Condition | | | |
| 609 | Double-Checked Locking | | | |
| 617 | Reachable Assertion | | | |
| 625 | Permissive Regular Expression | | | |
| 628 | Function Call with Incorrectly Specified Arguments | X | | 2 - Low |
| 647 | Use of Non-Canonical URL Paths for Authorization Decisions | | | |
| 662 | Improper Synchronization | | | |
| 664 | Improper Control of a Resource Through its Lifetime | | | |
| 665 | Improper Initialization | X | | 2 - Low |
| 666 | Operation on Resource in Wrong Phase of Lifetime | | | |
| 667 | Improper Locking | | | |
| 672 | Operation on a Resource after Expiration or Release | | | |
| 675 | Duplicate Operations on Resource | X | | 2 - Low |
| 676 | Use of Potentially Dangerous Function | X | | 3 - Medium |
| 680 | Integer Overflow to Buffer Overflow | | | |
| 681 | Incorrect Conversion between Numeric Types | | | |
| 682 | Incorrect Calculation | | | |
| 684 | Incorrect Provision of Specified Functionality | | | |
| 685 | Function Call With Incorrect Number of Arguments | | | |
| 686 | Function Call With Incorrect Argument Type | | | |
| 687 | Function Call With Incorrectly Specified Argument Value | | | |
| 690 | Unchecked Return Value to NULL Pointer Dereference | | | |
| 696 | Incorrect Behavior Order | | | |
| 697 | Incorrect Comparison | | | |
| 703 | Improper Check or Handling of Exceptional Conditions | | | |
| 704 | Incorrect Type Conversion or Cast | | | |
| 705 | Incorrect Control Flow Scoping | | | |
| 732 | Incorrect Permission Assignment for Critical Resource | X | | 3 - Medium |
| 754 | Improper Check for Unusual or Exceptional Conditions | | | |
| 758 | Reliance on Undefined, Unspecified, or Implementation-Defined Behavior | | | |
| 762 | Mismatched Memory Management Routines | | | |
| 766 | Critical Data Element Declared Public | | | |
| 770 | Allocation of Resources Without Limits or Throttling | | | |
| 771 | Missing Reference to Active Allocated Resource | | | |
| 772 | Missing Release of Resource after Effective Lifetime | | | |
| 773 | Missing Reference to Active File Descriptor or Handle | | | |
| 775 | Missing Release of File Descriptor or Handle after Effective Lifetime | | | |
| 783 | Operator Precedence Logic Error | | | |
| 786 | Access of Memory Location Before Start of Buffer | | | |
| 789 | Uncontrolled Memory Allocation | | | |
| 798 | Use of Hard-coded Credentials | X | | 3 - Medium |
| 805 | Buffer Access with Incorrect Length Value | | | |
| 807 | Reliance on Untrusted Inputs in a Security Decision | | | |
| 820 | Missing Synchronization | | | |
| 833 | Deadlock | | | |
| 838 | Inappropriate Encoding for Output Context | | | |
| 843 | Access of Resource Using Incompatible Type ('Type Confusion') | | | |
| 908 | Use of Uninitialized Resource | | | |
| 910 | Use of Expired File Descriptor | | | |