PCI DSS IDs mapped to Klocwork C and C++ checkers

The Payment Card Industry Data Security Standard (PCI DSS) provides a baseline of technical and operational requirements designed to protect account data. The PCI DSS was developed to encourage and enhance cardholder data security, and facilitate the broad adoption of consistent data security measures globally.

The tables below map the PCI DSS Version 3.2.1 IDs to Klocwork C and C++ checkers.

ID Checker name and description
6.5.1

LS.CALL   Suspicious use of non-localized string in GUI function

LS.CALL.STRING   Suspicious use of non-localized string in GUI function

SV.BRM.HKEY_LOCAL_MACHINE   HKEY_LOCAL_MACHINE Used as 'hkey' Parameter for Registry Manipulation Function

SV.CODE_INJECTION.SHELL_EXEC   Command Injection into Shell Execution

SV.DLLPRELOAD.NONABSOLUTE.DLL   Potential DLL-preload hijack vector

SV.DLLPRELOAD.NONABSOLUTE.EXE   Potential process injection vector

SV.DLLPRELOAD.SEARCHPATH   Do not use SearchPath to find DLLs

SV.FIU.PROCESS_VARIANTS   Use of Dangerous Process Creation

SV.FMTSTR.GENERIC   Format String Vulnerability

SV.LPP.CONST   Use of Insecure Macro for Dangerous Functions

SV.LPP.VAR   Use of Insecure Parameter for Dangerous Functions

SV.PCC.CONST   Insecure (Constant) Temporary File Name in Call to CreateFile

SV.PCC.INVALID_TEMP_PATH   Insecure Temporary File Name in Call to CreateFile

SV.PCC.MISSING_TEMP_CALLS.MUST   Missing Secure Temporary File Names in Call to CreateFile

SV.PCC.MISSING_TEMP_FILENAME   Missing Temporary File Name in Call to CreateFile

SV.PCC.MODIFIED_BEFORE_CREATE   Modification of Temporary File Name before Call to CreateFile

SV.PIPE.CONST   Potential pipe hijacking

SV.PIPE.VAR   Potential pipe hijacking

SV.SIP.CONST   Use of Insecure Macro for Dangerous Functions

SV.SIP.VAR   Use of Insecure Parameter for Dangerous Functions

SV.STR_PAR.UNDESIRED_STRING_PARAMETER   Undesired String for File Path

SV.TAINTED.ALLOC_SIZE   Use of Unvalidated Integer in Memory Allocation

SV.TAINTED.BINOP   Use of Unvalidated Integer in Binary Operation

SV.TAINTED.CALL.BINOP   Use of Unvalidated Integer in Binary Operation

SV.TAINTED.CALL.DEREF   Dereference Of An Unvalidated Pointer

SV.TAINTED.CALL.INDEX_ACCESS   Use of Unvalidated Integer as Array Index by Function Call

SV.TAINTED.CALL.LOOP_BOUND   Use of Unvalidated Integer in Loop Condition through a Function Call

SV.TAINTED.DEREF   Dereference Of An Unvalidated Pointer

SV.TAINTED.INDEX_ACCESS   Use of Unvalidated Integer as Array Index

SV.TAINTED.INJECTION   Command Injection

SV.TAINTED.LOOP_BOUND   Use of Unvalidated Integer in Loop Condition

SV.TAINTED.PATH_TRAVERSAL   Use of Unvalidated Data in a Path Traversal

SV.TAINTED.SECURITY_DECISION   Security Decision

SV.TOCTOU.FILE_ACCESS   Time of Creation/Time of Use Race condition in File Access

SV.USAGERULES.PERMISSIONS   Use of Privilege Elevation

SV.USAGERULES.PROCESS_VARIANTS   Use of Dangerous Process Creation Function

UNINIT.CTOR.MIGHT   Uninitialized Variable in Constructor - possible

UNINIT.CTOR.MUST   Uninitialized Variable in Constructor

UNINIT.HEAP.MIGHT   Uninitialized Heap Use - possible

UNINIT.HEAP.MUST   Uninitialized Heap Use

UNINIT.STACK.ARRAY.MIGHT   Uninitialized Array - possible

UNINIT.STACK.ARRAY.MUST   Uninitialized Array

UNINIT.STACK.ARRAY.PARTIAL.MUST   Partially Uninitialized Array

UNINIT.STACK.MIGHT   Uninitialized Variable - possible

UNINIT.STACK.MUST   Uninitialized Variable

6.5.2

ABV.ANY_SIZE_ARRAY   Buffer Overflow - Array Index Out of Bounds

ABV.GENERAL   Buffer Overflow - Array Index Out of Bounds

ABV.GENERAL.MULTIDIMENSION   Buffer Overflow - Array Index Out of Bounds

ABV.ITERATOR   Buffer Overflow - Array Index may be out of Bounds

ABV.MEMBER   Buffer Overflow - Array Index Out of Bounds

ABV.NON_ARRAY   Non-array object is used as an array

ABV.STACK   Buffer Overflow - Local Array Index Out of Bounds

ABV.TAINTED   Buffer Overflow from Unvalidated Input

ABV.UNICODE.BOUND_MAP   Buffer overflow in mapping character function

ABV.UNICODE.FAILED_MAP   Mapping function failed

ABV.UNICODE.NNTS_MAP   Buffer overflow in mapping character function

ABV.UNICODE.SELF_MAP   Mapping function failed

ABV.UNKNOWN_SIZE   Buffer Overflow - Array Index Out of Bounds

CXX.SUSPICIOUS_INDEX_CHECK   Suspicious use of index after boundary check

CXX.SUSPICIOUS_INDEX_CHECK.CALL   Suspicious use of index in a function call after a boundary check

CXX.SUSPICIOUS_INDEX_CHECK.ZERO   Suspicious use of index after index check for zero

NNTS.MIGHT   Buffer Overflow - Non-null Terminated String

NNTS.MUST   Buffer Overflow - Non-null Terminated String

NNTS.TAINTED   Unvalidated User Input Causing Buffer Overflow - Non-Null Terminated String

RABV.CHECK   Suspicious use of index before boundary check

RN.INDEX   Suspicious use of index before negative check

SV.FMT_STR.BAD_SCAN_FORMAT   Input format specifier error

SV.STRBO.BOUND_COPY.OVERFLOW   Buffer Overflow in Bound String Copy

SV.STRBO.BOUND_COPY.UNTERM   Possible Buffer Overflow in Following String Operations

SV.STRBO.BOUND_SPRINTF   Buffer Overflow in Bound sprintf

SV.STRBO.UNBOUND_COPY   Buffer Overflow in Unbound String Copy

SV.STRBO.UNBOUND_SPRINTF   Buffer Overflow in Unbound sprintf

SV.TAINTED.ALLOC_SIZE   Use of Unvalidated Integer in Memory Allocation

SV.TAINTED.CALL.INDEX_ACCESS   Use of Unvalidated Integer as Array Index by Function Call

SV.TAINTED.FMTSTR   Use of Unvalidated Data in a Format String

SV.TAINTED.INDEX_ACCESS   Use of Unvalidated Integer as Array Index

SV.UNBOUND_STRING_INPUT.CIN   Usage of cin for unbounded string input

SV.UNBOUND_STRING_INPUT.FUNC   Usage of unbounded string input

6.5.3

HCC   Use of hardcoded credentials

HCC.PWD   Use of a hardcoded password

HCC.USER   Use of a hardcoded user name

RCA   Risky cryptographic algorithm used

RCA.HASH.SALT.EMPTY   Use of a one-way hash with an empty salt

SV.PCC.CONST   Insecure (Constant) Temporary File Name in Call to CreateFile

SV.PCC.INVALID_TEMP_PATH   Insecure Temporary File Name in Call to CreateFile

SV.PCC.MISSING_TEMP_CALLS.MUST   Missing Secure Temporary File Names in Call to CreateFile

SV.PCC.MISSING_TEMP_FILENAME   Missing Temporary File Name in Call to CreateFile

SV.PCC.MODIFIED_BEFORE_CREATE   Modification of Temporary File Name before Call to CreateFile

SV.WEAK_CRYPTO.WEAK_HASH   Weak Hash Function

6.5.4

SV.BFC.USING_STRUCT   Use of INADDR_ANY in sin_addr.s_addr field of struct sockaddr_in Structure Used for Call to bind Function

SV.USAGERULES.SPOOFING   Use of Function Susceptible to Spoofing

6.5.5

AUTOSAR.EXCPT.DYNAMIC_SPEC   Dynamic exception-specification shall not be used

AUTOSAR.EXCPT.NOEXCPT_THROW   If a function is declared to be noexcept, noexcept(true) or noexcept(<true condition>), then it shall not exit with an exception

MISRA.CATCH.ALL   No ellipsis exception handler in a try-catch block

MISRA.CATCH.BY_VALUE   Exception object of class type is caught by value

MISRA.CATCH.NOALL   Ellipsis exception handler is not the last one in a try-catch block

MISRA.CATCH.WRONGORD   Handler for a base exception class precedes to a handler for a derived exception class in a try-catch block

MISRA.CTOR.TRY.NON_STATIC   Function try/catch block of constructor or destructor references non-static members

MISRA.DECL.EXCPT.SPEC   Function is declared with different exception specifications

MISRA.DTOR.THROW   Throw in destructor

MISRA.INCL.SIGNAL.2012   The standard header file signal.h shall not be used

MISRA.STDLIB.LONGJMP   Use of setjmp macro or longjmp function

MISRA.STDLIB.SIGNAL   Use of the signal handling facilities of signal.h

MISRA.THROW.EMPTY   Empty throw expression does not belong to a catch block

MISRA.THROW.NULL   NULL is thrown explicitly

MISRA.THROW.PTR   Exception object is a pointer

MISRA.TRY.JUMP   Control can be transferred into a try block with goto or switch statement

6.5.7

SV.TAINTED.XSS.REFLECTED   Cross-site Scripting Vulnerability

6.5.8

SV.STR_PAR.UNDESIRED_STRING_PARAMETER   Undesired String for File Path

SV.TAINTED.SECURITY_DECISION   Security Decision

SV.USAGERULES.PERMISSIONS   Use of Privilege Elevation