
Veracode and the CWE

Veracode references the Common Weakness Enumeration (CWE) standard to map the flaws found in its static and dynamic scans.

Since its founding, Veracode has reported flaws using the industry standard Common Weakness Enumeration as a taxonomy. The CWE provides a mapping of all known types of software weakness or vulnerability, and provides supplemental information to help developers understand the cause of common weaknesses and how to fix them.

Veracode always uses the latest version of the CWE, and updates to new versions within 90 days of release. This page lists the flaws that Veracode may report in automated static and dynamic scans. When a flaw may be mapped to several CWEs, Veracode generally reports the most general CWE that describes that particular case. For example, Veracode prefers CWE-80 for cross-site scripting over its child CWEs. Veracode updates this list frequently.

Veracode Manual Penetration Testing scans may report any valid CWE. You can see the full list of CWEs at the Mitre CWE website.

The listed flaws are grouped according to a list of categories that Veracode uses for convenience. The categories generally correspond to common types of attacks.

Supported static and dynamic scans

This table lists all the CWEs that Veracode searches for during static and dynamic scans.

Appendix: CWEs That Violate Security Standards provides the full list of CWEs that can prevent an application from passing security standard rules in policies.

| Flaw category | CWE ID | CWE name | Flaw severity[^1] | Static | Dynamic | DAST Essentials |
|---|---|---|---|---|---|---|
| API Abuse | 234 | Failure to Handle Missing Parameter | 3 | X | | |
| API Abuse | 243 | Creation of Chroot Jail Without Changing Working Directory | 4 | X | | |
| API Abuse | 245 | J2EE Bad Practices: Direct Management of Connections | 2 | X | | |
| API Abuse | 560 | Use of Umask() with Chmod-Style Argument | 3 | X | | |
| API Abuse | 628 | Function Call with Incorrectly Specified Arguments | 2 | X | | |
| API Abuse | 675 | Duplicate Operations on Resource | 2 | X | | |
| Authentication Issues | 287 | Improper Authentication | 4 | X | X | X |
| Authentication Issues | 352 | Cross-Site Request Forgery (CSRF) | 3 | X | X | X |
| Authentication Issues | 693 | Protection Mechanism Failure | 3 | X | X | |
| Authorization Issues | 99 | Improper Control of Resource Identifiers | 3 | X | | |
| Authorization Issues | 272 | Least Privilege Violation | 3 | X | | |
| Authorization Issues | 273 | Improper Check for Dropped Privileges | 3 | X | | |
| Authorization Issues | 274 | Improper Handling of Insufficient Privileges | 0 | X | | |
| Authorization Issues | 282 | Improper Ownership Management | 3 | X | | |
| Authorization Issues | 285 | Improper Authorization | 3 | X | X | X |
| Authorization Issues | 346 | Origin Validation Error | 3 | X | | |
| Authorization Issues | 350 | Reliance on Reverse DNS Resolution for a Security-Critical Action | 3 | X | | |
| Authorization Issues | 639 | Authorization Bypass Through User-Controlled Key | 4 | X | | |
| Authorization Issues | 566 | Authorization Bypass Through User-Controlled SQL Primary Key | 3 | X | | |
| Authorization Issues | 708 | Incorrect Ownership Assignment | 4 | X | | |
| Authorization Issues | 732 | Incorrect Permission Assignment for Critical Resource | 3 | X | | |
| Authorization Issues | 942 | Permissive Cross-domain Policy with Untrusted Domains | 3 | X | X | X |
| Buffer Management Errors | 118 | Improper Access of Indexable Resource (Range Error) | 3 | X | | |
| Buffer Management Errors | 125 | Out-of-Bounds Read | 3 | X | | |
| Buffer Management Errors | 129 | Improper Validation of Array Index | 3 | X | | |
| Buffer Management Errors | 135 | Incorrect Calculation of Multi-Byte String Length | 5 | X | | |
| Buffer Management Errors | 170 | Improper Null Termination | 3 | X | | |
| Buffer Management Errors | 193 | Off-by-One Error | 3 | X | | |
| Buffer Management Errors | 787 | Out-of-Bounds Write | 3 | X | | |
| Buffer Management Errors | 823 | Use of Out-of-Range Pointer Offset | 3 | X | | |
| Buffer Management Errors | 824 | Access of Uninitialized Pointer | 3 | X | | |
| Buffer Overflow | 121 | Stack-Based Buffer Overflow | 5 | X | | |
| Code Injection | 74 | Improper Neutralization of Special Elements in Output Used by a Downstream Component (Injection) | 4 | | X | X |
| Code Injection | 91 | XML Injection (Blind XPath Injection) | 3 | X | X | |
| Code Injection | 94 | Improper Control of Generation of Code | 3 | X | | |
| Code Injection | 95 | Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') | 5 | X | X | |
| Code Injection | 98 | Improper Control of Filename for Include/Require Statement in PHP Program (PHP File Inclusion) | 4 | X | X | X |
| Code Injection | 185 | Incorrect Regular Expression | 2 | X | | |
| Code Injection | 830 | Inclusion of Web Functionality from an Untrusted Source | 2 | | X | |
| Code Quality | 111 | Direct Use of Unsafe JNI | 4 | X | | |
| Code Quality | 159 | Failure to Sanitize Special Element | 0 | X | | |
| Code Quality | 401 | Improper Release of Memory Before Removing Last Reference (Memory Leak) | 2 | X | | |
| Code Quality | 404 | Improper Resource Shutdown or Release | 0 | X | | |
| Code Quality | 415 | Double Free | 3 | X | | |
| Code Quality | 416 | Use After Free | 2 | X | | |
| Code Quality | 477 | Use of Obsolete Functions | 0 | X | X | |
| Code Quality | 479 | Signal Handler Use of a Non-Reentrant Function | 3 | X | | |
| Code Quality | 489 | Leftover Debug Code | 3 | X | | |
| Code Quality | 597 | Use of Wrong Operator in String Comparison | 2 | X | | |
| Command or Argument Injection | 77 | Improper Neutralization of Special Elements used in a Command (Command Injection) | 5 | X | | |
| Command or Argument Injection | 78 | Improper Neutralization of Special Elements used in an OS Command (OS Command Injection) | 5 | X | X | X |
| Command or Argument Injection | 88 | Argument Injection or Modification | 3 | X | | |
| Credentials Management | 256 | Plaintext Storage of a Password | 3 | X | | |
| Credentials Management | 259 | Use of Hard-coded Password | 3 | X | X | |
| Credentials Management | 522 | Insufficiently Protected Credentials | 3 | X | X | X |
| Credentials Management | 798 | Use of Hard-coded Credentials | 3 | X | | |
| CRLF Injection | 93 | Improper Neutralization of CRLF Sequences (CRLF Injection) | 3 | X | | |
| CRLF Injection | 113 | Improper Neutralization of CRLF Sequences in HTTP Headers (HTTP Response Splitting) | 3 | X | X | |
| CRLF Injection | 117 | Improper Output Neutralization for Logs | 3 | X | | |
| Cross-Site Scripting (XSS) | 79 | Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) | 3 | X | X | X |
| Cross-Site Scripting (XSS) | 80 | Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) | 3 | X | X | X |
| Cross-Site Scripting (XSS) | 83 | Improper Neutralization of Script in Attributes in a Web Page | 3 | X | X | X |
| Cross-Site Scripting (XSS) | 86 | Improper Neutralization of Invalid Characters in Identifiers in Web Pages | 3 | X | | |
| Cryptographic Issues | 261 | Weak Cryptography for Passwords | 3 | X | | |
| Cryptographic Issues | 295 | Improper Certificate Validation | 3 | X | | X |
| Cryptographic Issues | 296 | Improper Following of Chain of Trust for Certificate Validation | 3 | | X | X |
| Cryptographic Issues | 297 | Improper Validation of Host-specific Certificate Data | 3 | X | X | X |
| Cryptographic Issues | 298 | Improper Validation of Certificate Expiration | 3 | | X | X |
| Cryptographic Issues | 299 | Improper Check for Certificate Revocation | 3 | | X | X |
| Cryptographic Issues | 311 | Missing Encryption of Sensitive Data | 3 | X | | |
| Cryptographic Issues | 312 | Cleartext Storage of Sensitive Information | 3 | X | | |
| Cryptographic Issues | 313 | Plaintext Storage in a File or on Disk | 3 | X | | |
| Cryptographic Issues | 316 | Plaintext Storage in Memory | 3 | X | | |
| Cryptographic Issues | 319 | Cleartext Transmission of Sensitive Information | 3 | X | | |
| Cryptographic Issues | 321 | Use of Hard-coded Cryptographic Key | 3 | X | X | |
| Cryptographic Issues | 326 | Inadequate Encryption Strength | 3 | X | X | X |
| Cryptographic Issues | 327 | Use of a Broken or Risky Cryptographic Algorithm | 3 | X | X | X |
| Cryptographic Issues | 328 | Reversible One-Way Hash | 3 | X | | |
| Cryptographic Issues | 329 | Not Using a Random IV with CBC Mode | 2 | X | | X |
| Cryptographic Issues | 330 | Use of Insufficiently Random Values | 3 | X | | |
| Cryptographic Issues | 331 | Insufficient Entropy | 3 | X | | |
| Cryptographic Issues | 338 | Use of Cryptographically Weak Pseudo-Random Number Generator | 3 | X | | |
| Cryptographic Issues | 347 | Improper Verification of Cryptographic Signature | 2 | X | | |
| Cryptographic Issues | 354 | Improper Validation of Integrity Check Value | 3 | X | | |
| Cryptographic Issues | 547 | Use of Hard-coded, Security-relevant Constants | 3 | X | | |
| Cryptographic Issues | 614 | Sensitive Cookie in HTTPS Session Without Secure Attribute | 2 | X | X | X |
| Cryptographic Issues | 760 | Use of a One-Way Hash with a Predictable Salt | 3 | X | | |
| Cryptographic Issues | 780 | Use of RSA with Optimal Asymmetric Encryption Padding | 3 | X | | |
| Cryptographic Issues | 916 | Use of Password Hash With Insufficient Computational Effort | 3 | X | | |
| Dangerous Functions | 242 | Use of Inherently Dangerous Function | 5 | X | | |
| Dangerous Functions | 676 | Use of Potentially Dangerous Function | 3 | X | | |
| Deployment Configuration | 402 | Transmission of Private Resources into a New Sphere (Resource Leak) | 3 | | X | |
| Deployment Configuration | 668 | Exposure of Resource to Wrong Sphere | 3 | X | X | X |
| Deployment Configuration | 926 | Improper Export of Android Application Components | 3 | X | | |
| Directory Traversal | 22 | Improper Limitation of a Pathname to a Restricted Directory (Path Traversal) | 3 | X | X | X |
| Directory Traversal | 35 | Path Traversal | 2 | X | | X |
| Directory Traversal | 73 | External Control of File Name or Path | 3 | X | X | |
| Encapsulation | 494 | Download of Code Without Integrity Check | 5 | X | | |
| Encapsulation | 501 | Trust Boundary Violation | 3 | X | | |
| Encapsulation | 502 | Deserialization of Untrusted Data | 3 | X | | X |
| Encapsulation | 749 | Exposed Dangerous Method or Function | 4 | X | | |
| Error Handling | 248 | Uncaught Exception | 2 | X | | |
| Error Handling | 252 | Unchecked Return Value | 2 | X | | |
| Format String | 134 | Use of Externally-Controlled Format String | 5 | X | | |
| Information Leakage | 200 | Information Exposure | 2 | X | X | X |
| Information Leakage | 201 | Insertion of Sensitive Information Into Sent Data | 2 | X | | |
| Information Leakage | 209 | Information Exposure Through an Error Message | 2 | X | X | |
| Information Leakage | 215 | Information Exposure Through Debug Information | 2 | X | X | |
| Information Leakage | 359 | Exposure of Private Information (Privacy Violation) | 2 | X | | |
| Information Leakage | 497 | Exposure of System Data to an Unauthorized Control Sphere | 2 | X | | |
| Information Leakage | 526 | Information Exposure Through Environmental Variables | 2 | | X | |
| Information Leakage | 530 | Exposure of Backup File to an Unauthorized Control Sphere | 2 | | X | X |
| Information Leakage | 532 | Insertion of Sensitive Information into Log File | 2 | X | | |
| Information Leakage | 538 | File and Directory Information Exposure | 0 | | X | X |
| Information Leakage | 548 | Information Exposure Through Directory Listing | 2 | | X | X |
| Information Leakage | 611 | Information Exposure Through XML External Entity Reference | 3 | X | X | X |
| Information Leakage | 615 | Information Exposure Through Comments | 0 | X | X | |
| Information Leakage | 665 | Improper Initialization | 2 | X | | |
| Information Leakage | 918 | Server-side Request Forgery | 3 | X | X | |
| Insecure Dependencies | 829 | Inclusion of Functionality from Untrusted Control Sphere | 3 | X | X | X |
| Insufficient Input Validation | 20 | Improper Input Validation | 0 | X | | |
| Insufficient Input Validation | 90 | Improper Neutralization of Special Elements Used in an LDAP Query (LDAP Injection) | 3 | X | | |
| Insufficient Input Validation | 103 | Struts: Incomplete validate() Method Definition | 3 | X | | |
| Insufficient Input Validation | 104 | Struts: Form Bean Does Not Extend Validation Class | 3 | X | | |
| Insufficient Input Validation | 112 | Missing XML Validation | 3 | X | | X |
| Insufficient Input Validation | 115 | Misinterpretation of Input | 4 | | X | |
| Insufficient Input Validation | 183 | Permissive List of Allowed Inputs | 3 | X | | |
| Insufficient Input Validation | 345 | Insufficient Verification of Data Authenticity | 4 | X | X | |
| Insufficient Input Validation | 434 | Unrestricted Upload of File with Dangerous Type | 4 | | X | |
| Insufficient Input Validation | 470 | Use of Externally-Controlled Input to Select Classes or Code (Unsafe Reflection) | 3 | X | | |
| Insufficient Input Validation | 472 | External Control of Assumed-Immutable Web Parameter | 3 | X | | |
| Insufficient Input Validation | 601 | URL Redirection to Untrusted Site (Open Redirect) | 3 | X | | |
| Insufficient Input Validation | 618 | Exposed Unsafe ActiveX Method | 5 | X | | |
| Insufficient Input Validation | 915 | Improperly Controlled Modification of Dynamically-Determined Object Attributes | 3 | X | | |
| Insufficient Input Validation | 1174 | ASP.NET Misconfiguration: Improper Model Validation | 2 | X | | |
| Insufficient Input Validation | 1236 | Improper Neutralization of Formula Elements in a CSV File | 3 | X | | |
| Insufficient Logging & Monitoring | 223 | Omission of Security-relevant Information | 2 | X | | |
| Numeric Errors | 190 | Integer Overflow or Wraparound | 5 | X | | |
| Numeric Errors | 191 | Integer Underflow (Wrap or Wraparound) | 3 | X | | |
| Numeric Errors | 192 | Integer Coercion Error | 3 | X | | |
| Numeric Errors | 195 | Signed to Unsigned Conversion Error | 3 | X | | |
| Numeric Errors | 196 | Unsigned to Signed Conversion Error | 3 | X | | |
| Numeric Errors | 197 | Numeric Truncation Error | 3 | X | | |
| Potential Backdoor | 398 | Indicator of Poor Code Quality | 0 | X | | |
| Potential Backdoor | 506 | Embedded Malicious Code | 4 | X | | |
| Potential Backdoor | 511 | Logic/Time Bomb | 5 | X | | |
| Potential Backdoor | 514 | Covert Channel | 2 | X | | |
| Potential Backdoor | 656 | Reliance on Security Through Obscurity | 0 | X | | |
| Race Conditions | 366 | Race Condition within a Thread | 3 | X | | |
| Race Conditions | 367 | Time-of-check Time-of-use (TOCTOU) Race Condition | 3 | X | | |
| Race Conditions | 421 | Race Condition During Access to Alternate Channel | 3 | X | | |
| Server Configuration | 16 | Configuration | 0 | | X | X |
| Server Configuration | 441 | Unintended Proxy or Intermediary (Confused Deputy) | 3 | X | | |
| Server Configuration | 642 | External Control of Critical State Data | 2 | | X | |
| Server Configuration | 757 | Selection of Less-Secure Algorithm During Negotiation (Algorithm Downgrade) | 3 | X | X | X |
| Session Fixation | 384 | Session Fixation | 3 | X | X | |
| SQL Injection | 89 | Improper Neutralization of Special Elements used in an SQL Command (SQL Injection) | 4 | X | X | X |
| SQL Injection | 564 | SQL Injection: Hibernate | 4 | X | | |
| SQL Injection | 943 | Improper Neutralization of Special Elements in Data Query Logic | 4 | X | | |
| Time and State | 377 | Insecure Temporary File | 3 | X | | |
| Time and State | 382 | J2EE Bad Practices: Use of System.exit() | 2 | X | | |
| Time and State | 557 | Concurrency Issues | 2 | X | | |
| Time and State | 691 | Insufficient Control Flow Management | 0 | X | | |
| Untrusted Initialization | 15 | External Control of System or Configuration Setting | 4 | X | | |
| Untrusted Initialization | 454 | External Initialization of Trusted Variables or Data Stores | 0 | X | | |
| Untrusted Search Path | 114 | Process Control | 5 | X | | |
| Untrusted Search Path | 426 | Untrusted Search Path | 3 | X | | |
| Untrusted Search Path | 427 | Uncontrolled Search Path Element | 3 | X | | |

[^1]: Veracode defines flaw severities on the following scale: 0: Informational, 1: Very Low, 2: Low, 3: Medium, 4: High, 5: Very High. For more information, see Veracode flaw severities.