2021 CWE Top 25 Most Dangerous Software Errors mapped to Klocwork C# checkers

Rank and ID / Checker name

#01 - CWE-787: Out-of-bounds Write
    CS.ABV.EXCEPT

#02 - CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    CS.XSS.REFLECT
    CS.XSS.PERSIST

#03 - CWE-125: Out-of-bounds Read
    CS.ABV.EXCEPT

#04 - CWE-20: Improper Input Validation
    CS.SQL.INJECT.LOCAL
    CS.SV.TAINTED.ALLOC_SIZE
    CS.SV.TAINTED.CALL.GLOBAL
    CS.SV.TAINTED.CALL.INDEX_ACCESS
    CS.SV.TAINTED.CALL.LOOP_BOUND.RESOURCE
    CS.SV.TAINTED.CALL.LOOP_BOUND
    CS.SV.TAINTED.DESERIALIZATION
    CS.SV.TAINTED.FMTSTR
    CS.SV.TAINTED.GLOBAL
    CS.SV.TAINTED.INDEX_ACCESS
    CS.SV.TAINTED.INJECTION
    CS.SV.TAINTED.LOOP_BOUND.RESOURCE
    CS.SV.TAINTED.LOOP_BOUND
    CS.SV.TAINTED.PATH_TRAVERSAL

#05 - CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
    CS.SV.TAINTED.INJECTION

#06 - CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    CS.SQL.INJECT.LOCAL

#07 - CWE-416: Use After Free
    CS.LOCRET.ARG
    CS.LOCRET.GLOB
    CS.LOCRET.RET
    CS.UFR

#08 - CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
    CS.SV.TAINTED.PATH_TRAVERSAL

#09 - CWE-352: Cross-Site Request Forgery (CSRF)
    CS.CSRF.ATTR.NOATTR
    CS.CSRF.ATTR.POST
    CS.CSRF.VALIDATE
    CS.CSRF.VSUK.CONSTASSIGN
    CS.CSRF.VSUK.NOASSIGN

#10 - CWE-434: Unrestricted Upload of File with Dangerous Type
    Currently, there is no applicable checker for this rule.

#11 - CWE-306: Missing Authentication for Critical Function
    Currently, there is no applicable checker for this rule.

#12 - CWE-190: Integer Overflow or Wraparound
    CS.SV.TAINTED.BINOP
    CS.SV.TAINTED.CALL.BINOP

#13 - CWE-502: Deserialization of Untrusted Data
    CS.SV.TAINTED.DESERIALIZATION

#14 - CWE-287: Improper Authentication
    Currently, there is no applicable checker for this rule.

#15 - CWE-476: NULL Pointer Dereference
    CS.NRE.CHECK.CALL.MIGHT
    CS.NRE.CHECK.CALL.MUST
    CS.NRE.CHECK.MIGHT
    CS.NRE.CHECK.MUST
    CS.NRE.CONST.CALL
    CS.NRE.CONST.DEREF
    CS.NRE.FUNC.CALL.MIGHT
    CS.NRE.FUNC.CALL.MUST
    CS.NRE.FUNC.MIGHT
    CS.NRE.FUNC.MUST
    CS.NRE.GEN.CALL.MIGHT
    CS.NRE.GEN.CALL.MUST
    CS.NRE.GEN.MIGHT
    CS.NRE.GEN.MUST
    CS.RNRE

#16 - CWE-798: Use of Hard-coded Credentials
    CS.HCC.PWD
    CS.HCC.USER
    CS.HCC

#17 - CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer
    CS.SV.TAINTED.CALL.INDEX_ACCESS
    CS.SV.TAINTED.INDEX_ACCESS

#18 - CWE-862: Missing Authorization
    CS.AUTH.NOATTR

#19 - CWE-276: Incorrect Default Permissions
    Currently, there is no applicable checker for this rule.

#20 - CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
    CS.INFORMATION_EXPOSURE.ALL
    CS.INFORMATION_EXPOSURE.ATTR

#21 - CWE-522: Insufficiently Protected Credentials
    Currently, there is no applicable checker for this rule.

#22 - CWE-732: Incorrect Permission Assignment for Critical Resource
    CS.NPS

#23 - CWE-611: Improper Restriction of XML External Entity Reference
    CS.XXE.DOCUMENT
    CS.XXE.READER
    CS.XXE.TEXT_READER

#24 - CWE-918: Server-Side Request Forgery (SSRF)
    Currently, there is no applicable checker for this rule.

#25 - CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')
    CS.SV.TAINTED.INJECTION

Support Summary:

  • 18 of 25 weaknesses