Veracode and the CWE
Veracode references the Common Weakness Enumeration (CWE) standard to map the flaws found in its static and dynamic scans.
Since its founding, Veracode has reported flaws using the industry standard Common Weakness Enumeration as a taxonomy. The CWE provides a mapping of all known types of software weakness or vulnerability, and provides supplemental information to help developers understand the cause of common weaknesses and how to fix them.
Veracode always uses the latest version of the CWE, and updates to new versions within 90 days of release. This page lists the flaws that Veracode may report in automated static and dynamic scans. When a flaw may be mapped to several CWEs, Veracode generally reports the most general CWE that describes that particular case. For example, Veracode prefers CWE-80 for cross-site scripting over its child CWEs. Veracode updates this list frequently.
Veracode Manual Penetration Testing scans may report any valid CWE. You can see the full list of CWEs at the Mitre CWE website.
The listed flaws are grouped according to a list of categories that Veracode uses for convenience. The categories generally correspond to common types of attacks.
Supported Static and Dynamic Scans
This table lists all the CWEs that Veracode searches for during static and dynamic scans.
Appendix: CWEs That Violate Security Standards provides the full list of CWEs that can prevent an application from passing security standard rules in policies.
| Flaw Category | CWE ID | CWE Name | Flaw Severity¹ | Static | Dynamic |
|---|---|---|---|---|---|
| API Abuse | 234 | Failure to Handle Missing Parameter | 3 | X | |
| 243 | Creation of Chroot Jail Without Changing Working Directory | 4 | X | ||
| 245 | J2EE Bad Practices: Direct Management of Connections | 2 | X | ||
| 560 | Use of Umask() with Chmod-Style Argument | 3 | X | ||
| 628 | Function Call with Incorrectly Specified Arguments | 2 | X | ||
| 675 | Duplicate Operations on Resource | 2 | X | ||
| Authentication Issues | 287 | Improper Authentication | 4 | X | X |
| 352 | Cross-Site Request Forgery (CSRF) | 3 | X | X | |
| 693 | Protection Mechanism Failure | 3 | X | X | |
| Authorization Issues | 99 | Improper Control of Resource Identifiers | 3 | X | |
| 272 | Least Privilege Violation | 3 | X | ||
| 273 | Improper Check for Dropped Privileges | 3 | X | ||
| 274 | Improper Handling of Insufficient Privileges | 0 | X | ||
| 282 | Improper Ownership Management | 3 | X | ||
| 285 | Improper Authorization | 3 | X | X | |
| 346 | Origin Validation Error | 3 | X | ||
| 350 | Reliance on Reverse DNS Resolution for a Security-Critical Action | 3 | X | ||
| 639 | Authorization Bypass Through User-Controlled Key | 4 | X | ||
| 566 | Authorization Bypass Through User-Controlled SQL Primary Key | 3 | X | ||
| 708 | Incorrect Ownership Assignment | 4 | X | ||
| 732 | Incorrect Permission Assignment for Critical Resource | 3 | X | ||
| 942 | Permissive Cross-domain Policy with Untrusted Domains | 3 | X | X | |
| Buffer Management Errors | 118 | Improper Access of Indexable Resource (Range Error) | 3 | X | |
| 125 | Out-of-Bounds Read | 3 | X | ||
| 129 | Improper Validation of Array Index | 3 | X | ||
| 135 | Incorrect Calculation of Multi-Byte String Length | 5 | X | ||
| 170 | Improper Null Termination | 3 | X | ||
| 193 | Off-by-One Error | 3 | X | ||
| 787 | Out-of-Bounds Write | 3 | X | ||
| 823 | Use of Out-of-Range Pointer Offset | 3 | X | ||
| 824 | Access of Uninitialized Pointer | 3 | X | ||
| Buffer Overflow | 121 | Stack-Based Buffer Overflow | 5 | X | |
| Code Injection | 74 | Improper Neutralization of Special Elements in Output Used by a Downstream Component (Injection) | 4 | X | |
| 91 | XML Injection (Blind XPath Injection) | 3 | X | X | |
| 94 | Improper Control of Generation of Code | 3 | X | ||
| 95 | Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') | 5 | X | X | |
| 98 | Improper Control of Filename for Include/Require Statement in PHP Program (PHP File Inclusion) | 4 | X | X | |
| 185 | Incorrect Regular Expression | 2 | X | ||
| 830 | Inclusion of Web Functionality from an Untrusted Source | 2 | X | ||
| Code Quality | 111 | Direct Use of Unsafe JNI | 4 | X | |
| 159 | Failure to Sanitize Special Element | 0 | X | ||
| 401 | Improper Release of Memory Before Removing Last Reference (Memory Leak) | 2 | X | ||
| 404 | Improper Resource Shutdown or Release | 0 | X | ||
| 415 | Double Free | 3 | X | ||
| 416 | Use After Free | 2 | X | ||
| 477 | Use of Obsolete Functions | 0 | X | X | |
| 479 | Signal Handler Use of a Non-Reentrant Function | 3 | X | ||
| 489 | Leftover Debug Code | 3 | X | ||
| 597 | Use of Wrong Operator in String Comparison | 2 | X | ||
| Command or Argument Injection | 77 | Improper Neutralization of Special Elements used in a Command (Command Injection) | 5 | X | |
| 78 | Improper Neutralization of Special Elements used in an OS Command (OS Command Injection) | 5 | X | X | |
| 88 | Argument Injection or Modification | 3 | X | ||
| Credentials Management | 256 | Plaintext Storage of a Password | 3 | X | |
| 259 | Use of Hard-coded Password | 3 | X | X | |
| 522 | Insufficiently Protected Credentials | 3 | X | X | |
| 798 | Use of Hard-code Credentials | 3 | X | ||
| CRLF Injection | 93 | Improper Neutralization of CRLF Sequences (CRLF Injection) | 3 | X | |
| 113 | Improper Neutralization of CRLF Sequences in HTTP Headers (HTTP Response Splitting) | 3 | X | X | |
| 117 | Improper Output Neutralization for Logs | 3 | X | ||
| Cross-Site Scripting (XSS) | 79 | Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) | 3 | X | X |
| 80 | Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) | 3 | X | X | |
| 83 | Improper Neutralization of Script in Attributes in a Web Page | 3 | X | X | |
| 86 | Improper Neutralization of Invalid Characters in Identifiers in Web Pages | 3 | X | ||
| Cryptographic Issues | 261 | Weak Cryptography for Passwords | 3 | X | |
| 295 | Improper Certificate Validation | 3 | X | ||
| 296 | Improper Following of Chain of Trust for Certificate Validation | 3 | X | ||
| 297 | Improper Validation of Host-specific Certificate Data | 3 | X | X | |
| 298 | Improper Validation of Certificate Expiration | 3 | X | ||
| 299 | Improper Check for Certificate Revocation | 3 | X | ||
| 311 | Missing Encryption of Sensitive Data | 3 | X | ||
| 312 | Cleartext Storage of Sensitive Information | 3 | X | ||
| 313 | Plaintext Storage in a File or on Disk | 3 | X | ||
| 316 | Plaintext Storage in Memory | 3 | X | ||
| 319 | Cleartext Transmission of Sensitive Information | 3 | X | ||
| 321 | Use of Hard-coded Cryptographic Key | 3 | X | X | |
| 326 | Inadequate Encryption Strength | 3 | X | X | |
| 327 | Use of a Broken or Risky Cryptographic Algorithm | 3 | X | X | |
| 328 | Reversible One-Way Hash | 3 | X | ||
| 329 | Not Using a Random IV with CBC Mode | 2 | X | ||
| 330 | Use of Insufficiently Random Values | 3 | X | ||
| 331 | Insufficient Entropy | 3 | X | ||
| 338 | Use of Cryptographically Weak Pseudo-Random Number Generator | 3 | X | ||
| 347 | Improper Verification of Cryptographic Signature | 2 | X | ||
| 354 | Improper Validation of Integrity Check Value | 3 | X | ||
| 547 | Use of Hard-coded, Security-relevant Constants | 3 | X | ||
| 614 | Sensitive Cookie in HTTPS Session Without Secure Attribute | 2 | X | X | |
| 760 | Use of a One-Way Hash with a Predictable Salt | 3 | X | ||
| 780 | Use of RSA with Optimal Asymmetric Encryption Padding | 3 | X | ||
| 916 | Use of Password Hash With Insufficient Computational Effort | 3 | X | ||
| Dangerous Functions | 242 | Use of Inherently Dangerous Function | 5 | X | |
| 676 | Use of Potentially Dangerous Function | 3 | X | ||
| Deployment Configuration | 402 | Transmission of Private Resources into a New Sphere (Resource Leak) | 3 | X | |
| 668 | Exposure of Resource to Wrong Sphere | 3 | X | X | |
| 926 | Improper Export of Android Application Components | 3 | X | ||
| Directory Traversal | 22 | Improper Limitation of a Pathname to a Restricted Directory (Path Traversal) | 3 | X | X |
| 35 | Path Traversal | 2 | X | ||
| 73 | External Control of File Name or Path | 3 | X | ||
| Encapsulation | 494 | Download of Code Without Integrity Check | 5 | X | |
| 501 | Trust Boundary Violation | 3 | X | ||
| 502 | Deserialization of Untrusted Data | 3 | X | ||
| 749 | Exposed Dangerous Method or Function | 4 | X | ||
| Error Handling | 248 | Uncaught Exception | 2 | X | |
| 252 | Unchecked Return Value | 2 | X | ||
| Format String | 134 | Use of Externally-Controlled Format String | 5 | X | |
| Information Leakage | 200 | Information Exposure | 2 | X | X |
| 201 | Insertion of Sensitive Information Into Sent Data | 2 | X | ||
| 209 | Information Exposure Through an Error Message | 2 | X | X | |
| 215 | Information Exposure Through Debug Information | 2 | X | X | |
| 359 | Exposure of Private Information (Privacy Violation) | 2 | X | ||
| 497 | Exposure of System Data to an Unauthorized Control Sphere | 2 | X | ||
| 526 | Information Exposure Through Environmental Variables | 2 | X | ||
| 530 | Exposure of Backup File to an Unauthorized Control Sphere | 2 | X | ||
| 532 | Insertion of Sensitive Information into Log File | 2 | X | ||
| 538 | File and Directory Information Exposure | 0 | X | ||
| 548 | Information Exposure Through Directory Listing | 2 | X | ||
| 611 | Information Exposure Through XML External Entity Reference | 3 | X | X | |
| 615 | Information Exposure Through Comments | 0 | X | X | |
| 665 | Improper Initialization | 2 | X | ||
| 918 | Server-side Request Forgery | 3 | X | X | |
| Insecure Dependencies | 829 | Inclusion of Functionality from Untrusted Control Sphere | 3 | X | X |
| Insufficient Input Validation | 20 | Improper Input Validation | 0 | X | |
| 90 | Improper Neutralization of Special Elements Used in an LDAP Query (LDAP Injection) | 3 | X | ||
| 103 | Struts: Incomplete validate() Method Definition | 3 | X | ||
| 104 | Struts: Form Bean Does Not Extend Validation Class | 3 | X | ||
| 112 | Missing XML Validation | 3 | X | ||
| 115 | Misinterpretation of Input | 4 | X | ||
| 183 | Permissive List of Allowed Inputs | 3 | X | ||
| 345 | Insufficient Verification of Data Authenticity | 4 | X | ||
| 434 | Unrestricted Upload of File with Dangerous Type | 4 | X | ||
| 470 | Use of Externally-Controlled Input to Select Classes or Code (Unsafe Reflection) | 3 | X | ||
| 472 | External Control of Assumed-Immutable Web Parameter | 3 | X | ||
| 601 | URL Redirection to Untrusted Site (Open Redirect) | 3 | X | X | |
| 618 | Exposed Unsafe ActiveX Method | 5 | X | ||
| 915 | Improperly Controlled Modification of Dynamically-Determined Object Attributes | 3 | X | ||
| 1174 | ASP.NET Misconfiguration: Improper Model Validation | 2 | X | ||
| 1236 | Improper Neutralization of Formula Elements in a CSV File | 3 | X | ||
| Insufficient Logging & Monitoring | 223 | Omission of Security-relevant Information | 2 | X | |
| Numeric Errors | 190 | Integer Overflow or Wraparound | 5 | X | |
| 191 | Integer Underflow (Wrap or Wraparound) | 3 | X | ||
| 192 | Integer Coercion Error | 3 | X | ||
| 195 | Signed to Unsigned Conversion Error | 3 | X | ||
| 196 | Unsigned to Signed Conversion Error | 3 | X | ||
| 197 | Numeric Truncation Error | 3 | X | ||
| Potential Backdoor | 398 | Indicator of Poor Code Quality | 0 | X | |
| 506 | Embedded Malicious Code | 4 | X | ||
| 511 | Logic/Time Bomb | 5 | X | ||
| 514 | Covert Channel | 2 | X | ||
| 656 | Reliance on Security Through Obscurity | 0 | X | ||
| Race Conditions | 366 | Race Condition within a Thread | 3 | X | |
| 367 | Time-of-check Time-of-use (TOCTOU) Race Condition | 3 | X | ||
| 421 | Race Condition During Access to Alternate Channel | 3 | X | ||
| Server Configuration | 16 | Configuration | 0 | X | |
| 441 | Unintended Proxy or Intermediary (Confused Deputy) | 3 | X | ||
| 642 | External Control of Critical State Data | 2 | X | ||
| 757 | Selection of Less-Secure Algorithm During Negotiation (Algorithm Downgrade) | 3 | X | X | |
| Session Fixation | 384 | Session Fixation | 3 | X | X |
| SQL Injection | 89 | Improper Neutralization of Special Elements used in an SQL Command (SQL Injection) | 4 | X | X |
| 564 | SQL Injection: Hibernate | 4 | X | ||
| 943 | Improper Neutralization of Special Elements in Data Query Logic | 4 | X | ||
| Time and State | 377 | Insecure Temporary File | 3 | X | |
| 382 | J2EE Bad Practices: Use of System.exit() | 2 | X | ||
| 557 | Concurrency Issues | 2 | X | ||
| 691 | Insufficient Control Flow Management | 0 | X | ||
| Untrusted Initialization | 15 | External Control of System or Configuration Setting | 4 | X | |
| 454 | External Initialization of Trusted Variables or Data Stores | 0 | X | ||
| Untrusted Search Path | 114 | Process Control | 5 | X | |
| 426 | Untrusted Search Path | 3 | X | ||
| 427 | Uncontrolled Search Path Element | 3 | X |
¹Veracode defines flaw severities on the following severity scale: 0: Informational, 1: Very Low, 2: Low, 3: Medium, 4: High, 5: Very High. For more information, see Veracode Flaw Severities.