Payment Card Industry Data Security Standard IDs mapped to Klocwork checkers

The tables below map the Payment Card Industry Data Security Standard (PCI DSS) Version 3.2.1 IDs to Klocwork checkers. The PCI DSS was developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally. The PCI DSS provides a baseline of technical and operational requirements designed to protect account data.

C and C++

PCI DSS ID    Checker Code    Description
6.5.1

LS.CALL  Suspicious use of non-localized string in GUI function

LS.CALL.STRING  Suspicious use of non-localized string in GUI function

SV.BRM.HKEY_LOCAL_MACHINE  HKEY_LOCAL_MACHINE Used as 'hkey' Parameter for Registry Manipulation Function

SV.CODE_INJECTION.SHELL_EXEC  Command Injection into Shell Execution

SV.DLLPRELOAD.NONABSOLUTE.DLL  Potential DLL-preload hijack vector

SV.DLLPRELOAD.NONABSOLUTE.EXE  Potential process injection vector

SV.DLLPRELOAD.SEARCHPATH  Do not use SearchPath to find DLLs

SV.FIU.PROCESS_VARIANTS  Use of Dangerous Process Creation

SV.FMTSTR.GENERIC  Format String Vulnerability

SV.LPP.CONST  Use of Insecure Macro for Dangerous Functions

SV.LPP.VAR  Use of Insecure Parameter for Dangerous Functions

SV.PCC.CONST  Insecure (Constant) Temporary File Name in Call to CreateFile

SV.PCC.INVALID_TEMP_PATH  Insecure Temporary File Name in Call to CreateFile

SV.PCC.MISSING_TEMP_CALLS.MUST  Missing Secure Temporary File Names in Call to CreateFile

SV.PCC.MISSING_TEMP_FILENAME  Missing Temporary File Name in Call to CreateFile

SV.PCC.MODIFIED_BEFORE_CREATE  Modification of Temporary File Name before Call to CreateFile

SV.PIPE.CONST  Potential pipe hijacking

SV.PIPE.VAR  Potential pipe hijacking

SV.SIP.CONST  Use of Insecure Macro for Dangerous Functions

SV.SIP.VAR  Use of Insecure Parameter for Dangerous Functions

SV.STR_PAR.UNDESIRED_STRING_PARAMETER  Undesired String for File Path

SV.TAINTED.ALLOC_SIZE  Use of Unvalidated Integer in Memory Allocation

SV.TAINTED.BINOP  Use of Unvalidated Integer in Binary Operation

SV.TAINTED.CALL.BINOP  Use of Unvalidated Integer in Binary Operation

SV.TAINTED.CALL.DEREF  Dereference Of An Unvalidated Pointer

SV.TAINTED.CALL.INDEX_ACCESS  Use of Unvalidated Integer as Array Index by Function Call

SV.TAINTED.CALL.LOOP_BOUND  Use of Unvalidated Integer in Loop Condition through a Function Call

SV.TAINTED.DEREF  Dereference Of An Unvalidated Pointer

SV.TAINTED.INDEX_ACCESS  Use of Unvalidated Integer as Array Index

SV.TAINTED.INJECTION  Command Injection

SV.TAINTED.LOOP_BOUND  Use of Unvalidated Integer in Loop Condition

SV.TAINTED.PATH_TRAVERSAL  Use of Unvalidated Data in a Path Traversal

SV.TAINTED.SECURITY_DECISION  Security Decision

SV.TOCTOU.FILE_ACCESS  Time of Creation/Time of Use Race condition in File Access

SV.USAGERULES.PERMISSIONS  Use of Privilege Elevation

SV.USAGERULES.PROCESS_VARIANTS  Use of Dangerous Process Creation Function

UNINIT.CTOR.MIGHT  Uninitialized Variable in Constructor - possible

UNINIT.CTOR.MUST  Uninitialized Variable in Constructor

UNINIT.HEAP.MIGHT  Uninitialized Heap Use - possible

UNINIT.HEAP.MUST  Uninitialized Heap Use

UNINIT.STACK.ARRAY.MIGHT  Uninitialized Array - possible

UNINIT.STACK.ARRAY.MUST  Uninitialized Array

UNINIT.STACK.ARRAY.PARTIAL.MUST  Partially Uninitialized Array

UNINIT.STACK.MIGHT  Uninitialized Variable - possible

UNINIT.STACK.MUST  Uninitialized Variable

6.5.2

ABV.ANY_SIZE_ARRAY  Buffer Overflow - Array Index Out of Bounds

ABV.GENERAL  Buffer Overflow - Array Index Out of Bounds

ABV.ITERATOR  Buffer Overflow - Array Index may be out of Bounds

ABV.MEMBER  Buffer Overflow - Array Index Out of Bounds

ABV.STACK  Buffer Overflow - Local Array Index Out of Bounds

ABV.TAINTED  Buffer Overflow from Unvalidated Input

ABV.UNICODE.BOUND_MAP  Buffer overflow in mapping character function

ABV.UNICODE.FAILED_MAP  Mapping function failed

ABV.UNICODE.NNTS_MAP  Buffer overflow in mapping character function

ABV.UNICODE.SELF_MAP  Mapping function failed

ABV.UNKNOWN_SIZE  Buffer Overflow - Array Index Out of Bounds

NNTS.MIGHT  Buffer Overflow - Non-null Terminated String

NNTS.MUST  Buffer Overflow - Non-null Terminated String

NNTS.TAINTED  Unvalidated User Input Causing Buffer Overflow - Non-Null Terminated String

RABV.CHECK  Suspicious use of index before boundary check

RN.INDEX  Suspicious use of index before negative check

SV.FMT_STR.BAD_SCAN_FORMAT  Input format specifier error

SV.STRBO.BOUND_COPY.OVERFLOW  Buffer Overflow in Bound String Copy

SV.STRBO.BOUND_COPY.UNTERM  Possible Buffer Overflow in Following String Operations

SV.STRBO.BOUND_SPRINTF  Buffer Overflow in Bound sprintf

SV.STRBO.UNBOUND_COPY  Buffer Overflow in Unbound String Copy

SV.STRBO.UNBOUND_SPRINTF  Buffer Overflow in Unbound sprintf

SV.TAINTED.ALLOC_SIZE  Use of Unvalidated Integer in Memory Allocation

SV.TAINTED.CALL.INDEX_ACCESS  Use of Unvalidated Integer as Array Index by Function Call

SV.TAINTED.FMTSTR  Use of Unvalidated Data in a Format String

SV.TAINTED.INDEX_ACCESS  Use of Unvalidated Integer as Array Index

SV.UNBOUND_STRING_INPUT.CIN  Usage of cin for unbounded string input

SV.UNBOUND_STRING_INPUT.FUNC  Usage of unbounded string input

6.5.3

HCC  Use of hardcoded credentials

HCC.PWD  Use of a hardcoded password

HCC.USER  Use of a hardcoded user name

RCA  Risky cryptographic algorithm used

RCA.HASH.SALT.EMPTY  Use of a one-way hash with an empty salt

SV.PCC.CONST  Insecure (Constant) Temporary File Name in Call to CreateFile

SV.PCC.INVALID_TEMP_PATH  Insecure Temporary File Name in Call to CreateFile

SV.PCC.MISSING_TEMP_CALLS.MUST  Missing Secure Temporary File Names in Call to CreateFile

SV.PCC.MISSING_TEMP_FILENAME  Missing Temporary File Name in Call to CreateFile

SV.PCC.MODIFIED_BEFORE_CREATE  Modification of Temporary File Name before Call to CreateFile

SV.WEAK_CRYPTO.WEAK_HASH  Weak Hash Function

6.5.4

SV.BFC.USING_STRUCT  Use of INADDR_ANY in sin_addr.s_addr field of struct sockaddr_in Structure Used for Call to bind Function

SV.USAGERULES.SPOOFING  Use of Function Susceptible to Spoofing

6.5.5

AUTOSAR.EXCPT.DYNAMIC_SPEC  Dynamic exception-specification shall not be used

AUTOSAR.EXCPT.NOEXCPT_THROW  If a function is declared to be noexcept, noexcept(true) or noexcept(<true condition>), then it shall not exit with an exception

MISRA.CATCH.ALL  No ellipsis exception handler in a try-catch block

MISRA.CATCH.BY_VALUE  Exception object of class type is caught by value

MISRA.CATCH.NOALL  Ellipsis exception handler is not the last one in a try-catch block

MISRA.CATCH.WRONGORD  Handler for a base exception class precedes a handler for a derived exception class in a try-catch block

MISRA.CTOR.TRY.NON_STATIC  Function try/catch block of constructor or destructor references non-static members

MISRA.DECL.EXCPT.SPEC  Function is declared with different exception specifications

MISRA.DTOR.THROW  Throw in destructor

MISRA.INCL.SIGNAL.2012  The standard header file signal.h shall not be used

MISRA.STDLIB.LONGJMP  Use of setjmp macro or longjmp function

MISRA.STDLIB.SIGNAL  Use of the signal handling facilities of signal.h

MISRA.THROW.EMPTY  Empty throw expression does not belong to a catch block

MISRA.THROW.NULL  NULL is thrown explicitly

MISRA.THROW.PTR  Exception object is a pointer

MISRA.TRY.JUMP  Control can be transferred into a try block with goto or switch statement

6.5.7

SV.TAINTED.XSS.REFLECTED  Cross-site Scripting Vulnerability

6.5.8

SV.STR_PAR.UNDESIRED_STRING_PARAMETER  Undesired String for File Path

SV.TAINTED.SECURITY_DECISION  Security Decision

SV.USAGERULES.PERMISSIONS  Use of Privilege Elevation

C#

PCI DSS ID    Checker Code    Description
6.5.1

CS.SQL.INJECT.LOCAL  SQL injection

6.5.3

CS.RCA  Risky cryptographic algorithm used

6.5.5

CS.EMPTY.CATCH  Empty catch clause

6.5.8

CS.NPS  No permissions set for resource before accessing it

Java

PCI DSS ID    Checker Code    Description
6.5.1

SV.CLASSDEF.INJ  Runtime Class Definition Injection

SV.CLASSLOADER.INJ  Class Loader URL Injection

SV.DATA.BOUND  Untrusted Data leaks into trusted storage

SV.DATA.DB  Data injection

SV.EXEC  Process Injection

SV.EXEC.DIR  Process Injection. Working Directory

SV.EXEC.ENV  Process Injection. Environment Variables

SV.EXEC.LOCAL  Process Injection. Local Arguments

SV.PATH  Path and file name injection

SV.PATH.INJ  File injection

SV.SQL  Sql Injection

SV.SQL.DBSOURCE  Unchecked information from the database is used in SQL statements

6.5.10

SV.ECV  Empty certificate validation

SV.LDAP  Unvalidated user input is used as LDAP filter

6.5.2

SV.DOS.ARRINDEX  Tainted index used for array access

SV.DOS.ARRSIZE  Tainted size used for array allocation

6.5.3

SV.HASH.NO_SALT  Use of a one-way cryptographic hash without a salt

SV.PASSWD.HC  Hardcoded Password

SV.PASSWD.HC.EMPTY  Empty Password

SV.PASSWD.PLAIN  Plain-text Password

SV.RANDOM  Use of insecure Random number generator

SV.SENSITIVE.DATA  Unencrypted sensitive data is written

SV.SENSITIVE.OBJ  Object with unencrypted sensitive data is stored

SV.WEAK.CRYPT  Use of a Broken or Risky Cryptographic Algorithm

6.5.4

SV.EMAIL  Unchecked e-mail

SV.HTTP_SPLIT  Http Response Splitting

SV.SERIAL.NOREAD  Method readObject() should be defined for a serializable class

SV.SERIAL.NOWRITE  Method writeObject() should be defined for a serializable class

SV.SERIAL.SIG  Methods readObject() and writeObject() in serializable classes should have correct signature

SV.TAINT  Tainted data

SV.TAINT_NATIVE  Tainted data goes to native code

6.5.5

ECC.EMPTY  Empty catch clause

EXC.BROADTHROWS  Method has an overly broad throws declaration

JD.CATCH  Catching runtime exception

JD.FINRET  Return inside finally

JD.UNCAUGHT  Uncaught exception

SV.IL.DEV  Design information leakage

SV.IL.FILE  File Name Leaking

UMC.SYSERR  Debug print using System.err method calls is unwanted

UMC.SYSOUT  Debug print using System.out method calls is unwanted

6.5.7

SV.XSS.DB  Cross Site Scripting (Stored XSS)

SV.XSS.REF  Cross Site Scripting (Reflected XSS)

6.5.8

ANDROID.LIFECYCLE.SV.FRAGMENTINJ  Unvalidated fragment class name

ANDROID.LIFECYCLE.SV.GETEXTRA  Unvalidated external data

SV.DOS.TMPFILEDEL  Leaving temporary file for lifetime of JVM

SV.DOS.TMPFILEEXIT  Leaving temporary file

6.5.9

SV.CSRF.GET  CSRF Token in GET request

SV.CSRF.ORIGIN  Request handler without an origin check

SV.CSRF.TOKEN  State changing request handler without a CSRF check