Veracode and the CWE

Veracode references the Common Weakness Enumeration (CWE) standard to map the flaws found in its static and dynamic scans.

Since its founding, Veracode has reported flaws using the industry standard Common Weakness Enumeration as a taxonomy. The CWE provides a mapping of all known types of software weakness or vulnerability, and provides supplemental information to help developers understand the cause of common weaknesses and how to fix them.

Veracode always uses the latest version of the CWE, and updates to new versions within 90 days of release. This page lists the flaws that Veracode may report in automated static and dynamic scans. When a flaw may be mapped to several CWEs, Veracode generally reports the most general CWE that describes that particular case. For example, Veracode prefers CWE-80 for cross-site scripting over its child CWEs. Veracode updates this list frequently.

Veracode Manual Penetration Testing scans may report any valid CWE. You can see the full list of CWEs at the Mitre CWE website.

The listed flaws are grouped according to a list of categories that Veracode uses for convenience. The categories generally correspond to common types of attacks.

Supported Static and Dynamic Scans

This table lists all the CWEs that Veracode searches for during static and dynamic scans.

Appendix: CWEs That Violate Security Standards provides the full list of CWEs that can prevent an application from passing security standard rules in policies.

| Flaw Category | CWE ID | CWE Name | Flaw Severity¹ | Static | Dynamic |
|---|---|---|---|---|---|
| API Abuse | 234 | Failure to Handle Missing Parameter | 3 | X | |
| API Abuse | 243 | Creation of Chroot Jail Without Changing Working Directory | 4 | X | |
| API Abuse | 245 | J2EE Bad Practices: Direct Management of Connections | 2 | X | |
| API Abuse | 560 | Use of Umask() with Chmod-Style Argument | 3 | X | |
| API Abuse | 628 | Function Call with Incorrectly Specified Arguments | 2 | X | |
| API Abuse | 675 | Duplicate Operations on Resource | 2 | X | |
| Authentication Issues | 287 | Improper Authentication | 4 | X | X |
| Authentication Issues | 352 | Cross-Site Request Forgery (CSRF) | 3 | X | X |
| Authentication Issues | 693 | Protection Mechanism Failure | 3 | X | X |
| Authorization Issues | 99 | Improper Control of Resource Identifiers | 3 | X | |
| Authorization Issues | 272 | Least Privilege Violation | 3 | X | |
| Authorization Issues | 273 | Improper Check for Dropped Privileges | 3 | X | |
| Authorization Issues | 274 | Improper Handling of Insufficient Privileges | 0 | X | |
| Authorization Issues | 282 | Improper Ownership Management | 3 | X | |
| Authorization Issues | 285 | Improper Authorization | 3 | X | X |
| Authorization Issues | 346 | Origin Validation Error | 3 | X | |
| Authorization Issues | 350 | Reliance on Reverse DNS Resolution for a Security-Critical Action | 3 | X | |
| Authorization Issues | 639 | Authorization Bypass Through User-Controlled Key | 4 | X | |
| Authorization Issues | 566 | Authorization Bypass Through User-Controlled SQL Primary Key | 3 | X | |
| Authorization Issues | 708 | Incorrect Ownership Assignment | 4 | X | |
| Authorization Issues | 732 | Incorrect Permission Assignment for Critical Resource | 3 | X | |
| Authorization Issues | 942 | Permissive Cross-domain Policy with Untrusted Domains | 3 | X | X |
| Buffer Management Errors | 118 | Improper Access of Indexable Resource (Range Error) | 3 | X | |
| Buffer Management Errors | 125 | Out-of-Bounds Read | 3 | X | |
| Buffer Management Errors | 129 | Improper Validation of Array Index | 3 | X | |
| Buffer Management Errors | 135 | Incorrect Calculation of Multi-Byte String Length | 5 | X | |
| Buffer Management Errors | 170 | Improper Null Termination | 3 | X | |
| Buffer Management Errors | 193 | Off-by-One Error | 3 | X | |
| Buffer Management Errors | 787 | Out-of-Bounds Write | 3 | X | |
| Buffer Management Errors | 823 | Use of Out-of-Range Pointer Offset | 3 | X | |
| Buffer Management Errors | 824 | Access of Uninitialized Pointer | 3 | X | |
| Buffer Overflow | 121 | Stack-Based Buffer Overflow | 5 | X | |
| Code Injection | 74 | Improper Neutralization of Special Elements in Output Used by a Downstream Component (Injection) | 4 | | X |
| Code Injection | 91 | XML Injection (Blind XPath Injection) | 3 | X | X |
| Code Injection | 94 | Improper Control of Generation of Code | 3 | X | |
| Code Injection | 95 | Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') | 5 | X | X |
| Code Injection | 98 | Improper Control of Filename for Include/Require Statement in PHP Program (PHP File Inclusion) | 4 | X | X |
| Code Injection | 185 | Incorrect Regular Expression | 2 | X | |
| Code Injection | 830 | Inclusion of Web Functionality from an Untrusted Source | 2 | | X |
| Code Quality | 111 | Direct Use of Unsafe JNI | 4 | X | |
| Code Quality | 159 | Failure to Sanitize Special Element | 0 | X | |
| Code Quality | 401 | Improper Release of Memory Before Removing Last Reference (Memory Leak) | 2 | X | |
| Code Quality | 404 | Improper Resource Shutdown or Release | 0 | X | |
| Code Quality | 415 | Double Free | 3 | X | |
| Code Quality | 416 | Use After Free | 2 | X | |
| Code Quality | 477 | Use of Obsolete Functions | 0 | X | X |
| Code Quality | 479 | Signal Handler Use of a Non-Reentrant Function | 3 | X | |
| Code Quality | 489 | Leftover Debug Code | 3 | X | |
| Code Quality | 597 | Use of Wrong Operator in String Comparison | 2 | X | |
| Command or Argument Injection | 77 | Improper Neutralization of Special Elements used in a Command (Command Injection) | 5 | X | |
| Command or Argument Injection | 78 | Improper Neutralization of Special Elements used in an OS Command (OS Command Injection) | 5 | X | X |
| Command or Argument Injection | 88 | Argument Injection or Modification | 3 | X | |
| Credentials Management | 256 | Plaintext Storage of a Password | 3 | X | |
| Credentials Management | 259 | Use of Hard-coded Password | 3 | X | X |
| Credentials Management | 522 | Insufficiently Protected Credentials | 3 | X | X |
| Credentials Management | 798 | Use of Hard-coded Credentials | 3 | X | |
| CRLF Injection | 93 | Improper Neutralization of CRLF Sequences (CRLF Injection) | 3 | X | |
| CRLF Injection | 113 | Improper Neutralization of CRLF Sequences in HTTP Headers (HTTP Response Splitting) | 3 | X | X |
| CRLF Injection | 117 | Improper Output Neutralization for Logs | 3 | X | |
| Cross-Site Scripting (XSS) | 79 | Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) | 3 | X | X |
| Cross-Site Scripting (XSS) | 80 | Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) | 3 | X | X |
| Cross-Site Scripting (XSS) | 83 | Improper Neutralization of Script in Attributes in a Web Page | 3 | X | X |
| Cross-Site Scripting (XSS) | 86 | Improper Neutralization of Invalid Characters in Identifiers in Web Pages | 3 | X | |
| Cryptographic Issues | 261 | Weak Cryptography for Passwords | 3 | X | |
| Cryptographic Issues | 295 | Improper Certificate Validation | 3 | X | |
| Cryptographic Issues | 296 | Improper Following of Chain of Trust for Certificate Validation | 3 | | X |
| Cryptographic Issues | 297 | Improper Validation of Host-specific Certificate Data | 3 | X | X |
| Cryptographic Issues | 298 | Improper Validation of Certificate Expiration | 3 | | X |
| Cryptographic Issues | 299 | Improper Check for Certificate Revocation | 3 | | X |
| Cryptographic Issues | 311 | Missing Encryption of Sensitive Data | 3 | X | |
| Cryptographic Issues | 312 | Cleartext Storage of Sensitive Information | 3 | X | |
| Cryptographic Issues | 313 | Plaintext Storage in a File or on Disk | 3 | X | |
| Cryptographic Issues | 316 | Plaintext Storage in Memory | 3 | X | |
| Cryptographic Issues | 319 | Cleartext Transmission of Sensitive Information | 3 | X | |
| Cryptographic Issues | 321 | Use of Hard-coded Cryptographic Key | 3 | X | X |
| Cryptographic Issues | 326 | Inadequate Encryption Strength | 3 | X | X |
| Cryptographic Issues | 327 | Use of a Broken or Risky Cryptographic Algorithm | 3 | X | X |
| Cryptographic Issues | 328 | Reversible One-Way Hash | 3 | X | |
| Cryptographic Issues | 329 | Not Using a Random IV with CBC Mode | 2 | X | |
| Cryptographic Issues | 330 | Use of Insufficiently Random Values | 3 | X | |
| Cryptographic Issues | 331 | Insufficient Entropy | 3 | X | |
| Cryptographic Issues | 338 | Use of Cryptographically Weak Pseudo-Random Number Generator | 3 | X | |
| Cryptographic Issues | 347 | Improper Verification of Cryptographic Signature | 2 | X | |
| Cryptographic Issues | 354 | Improper Validation of Integrity Check Value | 3 | X | |
| Cryptographic Issues | 547 | Use of Hard-coded, Security-relevant Constants | 3 | X | |
| Cryptographic Issues | 614 | Sensitive Cookie in HTTPS Session Without Secure Attribute | 2 | X | X |
| Cryptographic Issues | 760 | Use of a One-Way Hash with a Predictable Salt | 3 | X | |
| Cryptographic Issues | 780 | Use of RSA with Optimal Asymmetric Encryption Padding | 3 | X | |
| Cryptographic Issues | 916 | Use of Password Hash With Insufficient Computational Effort | 3 | X | |
| Dangerous Functions | 242 | Use of Inherently Dangerous Function | 5 | X | |
| Dangerous Functions | 676 | Use of Potentially Dangerous Function | 3 | X | |
| Deployment Configuration | 402 | Transmission of Private Resources into a New Sphere (Resource Leak) | 3 | | X |
| Deployment Configuration | 668 | Exposure of Resource to Wrong Sphere | 3 | X | X |
| Deployment Configuration | 926 | Improper Export of Android Application Components | 3 | X | |
| Directory Traversal | 22 | Improper Limitation of a Pathname to a Restricted Directory (Path Traversal) | 3 | X | X |
| Directory Traversal | 35 | Path Traversal | 2 | X | |
| Directory Traversal | 73 | External Control of File Name or Path | 3 | X | |
| Encapsulation | 494 | Download of Code Without Integrity Check | 5 | X | |
| Encapsulation | 501 | Trust Boundary Violation | 3 | X | |
| Encapsulation | 502 | Deserialization of Untrusted Data | 3 | X | |
| Encapsulation | 749 | Exposed Dangerous Method or Function | 4 | X | |
| Error Handling | 248 | Uncaught Exception | 2 | X | |
| Error Handling | 252 | Unchecked Return Value | 2 | X | |
| Format String | 134 | Use of Externally-Controlled Format String | 5 | X | |
| Information Leakage | 200 | Information Exposure | 2 | X | X |
| Information Leakage | 201 | Insertion of Sensitive Information Into Sent Data | 2 | X | |
| Information Leakage | 209 | Information Exposure Through an Error Message | 2 | X | X |
| Information Leakage | 215 | Information Exposure Through Debug Information | 2 | X | X |
| Information Leakage | 359 | Exposure of Private Information (Privacy Violation) | 2 | X | |
| Information Leakage | 497 | Exposure of System Data to an Unauthorized Control Sphere | 2 | X | |
| Information Leakage | 526 | Information Exposure Through Environmental Variables | 2 | | X |
| Information Leakage | 530 | Exposure of Backup File to an Unauthorized Control Sphere | 2 | | X |
| Information Leakage | 532 | Insertion of Sensitive Information into Log File | 2 | X | |
| Information Leakage | 538 | File and Directory Information Exposure | 0 | | X |
| Information Leakage | 548 | Information Exposure Through Directory Listing | 2 | | X |
| Information Leakage | 611 | Information Exposure Through XML External Entity Reference | 3 | X | X |
| Information Leakage | 615 | Information Exposure Through Comments | 0 | X | X |
| Information Leakage | 665 | Improper Initialization | 2 | X | |
| Information Leakage | 918 | Server-side Request Forgery | 3 | X | X |
| Insecure Dependencies | 829 | Inclusion of Functionality from Untrusted Control Sphere | 3 | X | X |
| Insufficient Input Validation | 20 | Improper Input Validation | 0 | X | |
| Insufficient Input Validation | 90 | Improper Neutralization of Special Elements Used in an LDAP Query (LDAP Injection) | 3 | X | |
| Insufficient Input Validation | 103 | Struts: Incomplete validate() Method Definition | 3 | X | |
| Insufficient Input Validation | 104 | Struts: Form Bean Does Not Extend Validation Class | 3 | X | |
| Insufficient Input Validation | 112 | Missing XML Validation | 3 | X | |
| Insufficient Input Validation | 115 | Misinterpretation of Input | 4 | | X |
| Insufficient Input Validation | 183 | Permissive List of Allowed Inputs | 3 | X | |
| Insufficient Input Validation | 345 | Insufficient Verification of Data Authenticity | 4 | X | X |
| Insufficient Input Validation | 434 | Unrestricted Upload of File with Dangerous Type | 4 | | X |
| Insufficient Input Validation | 470 | Use of Externally-Controlled Input to Select Classes or Code (Unsafe Reflection) | 3 | X | |
| Insufficient Input Validation | 472 | External Control of Assumed-Immutable Web Parameter | 3 | X | |
| Insufficient Input Validation | 601 | URL Redirection to Untrusted Site (Open Redirect) | 3 | X | |
| Insufficient Input Validation | 618 | Exposed Unsafe ActiveX Method | 5 | X | |
| Insufficient Input Validation | 915 | Improperly Controlled Modification of Dynamically-Determined Object Attributes | 3 | | X |
| Insufficient Input Validation | 1174 | ASP.NET Misconfiguration: Improper Model Validation | 2 | X | |
| Insufficient Input Validation | 1236 | Improper Neutralization of Formula Elements in a CSV File | 3 | X | |
| Insufficient Logging & Monitoring | 223 | Omission of Security-relevant Information | 2 | X | |
| Numeric Errors | 190 | Integer Overflow or Wraparound | 5 | X | |
| Numeric Errors | 191 | Integer Underflow (Wrap or Wraparound) | 3 | X | |
| Numeric Errors | 192 | Integer Coercion Error | 3 | X | |
| Numeric Errors | 195 | Signed to Unsigned Conversion Error | 3 | X | |
| Numeric Errors | 196 | Unsigned to Signed Conversion Error | 3 | X | |
| Numeric Errors | 197 | Numeric Truncation Error | 3 | X | |
| Potential Backdoor | 398 | Indicator of Poor Code Quality | 0 | X | |
| Potential Backdoor | 506 | Embedded Malicious Code | 4 | X | |
| Potential Backdoor | 511 | Logic/Time Bomb | 5 | X | |
| Potential Backdoor | 514 | Covert Channel | 2 | X | |
| Potential Backdoor | 656 | Reliance on Security Through Obscurity | 0 | X | |
| Race Conditions | 366 | Race Condition within a Thread | 3 | X | |
| Race Conditions | 367 | Time-of-check Time-of-use (TOCTOU) Race Condition | 3 | X | |
| Race Conditions | 421 | Race Condition During Access to Alternate Channel | 3 | X | |
| Server Configuration | 16 | Configuration | 0 | | X |
| Server Configuration | 441 | Unintended Proxy or Intermediary (Confused Deputy) | 3 | X | |
| Server Configuration | 642 | External Control of Critical State Data | 2 | | X |
| Server Configuration | 757 | Selection of Less-Secure Algorithm During Negotiation (Algorithm Downgrade) | 3 | X | X |
| Session Fixation | 384 | Session Fixation | 3 | X | X |
| SQL Injection | 89 | Improper Neutralization of Special Elements used in an SQL Command (SQL Injection) | 4 | X | X |
| SQL Injection | 564 | SQL Injection: Hibernate | 4 | X | |
| SQL Injection | 943 | Improper Neutralization of Special Elements in Data Query Logic | 4 | X | |
| Time and State | 377 | Insecure Temporary File | 3 | X | |
| Time and State | 382 | J2EE Bad Practices: Use of System.exit() | 2 | X | |
| Time and State | 557 | Concurrency Issues | 2 | X | |
| Time and State | 691 | Insufficient Control Flow Management | 0 | X | |
| Untrusted Initialization | 15 | External Control of System or Configuration Setting | 4 | X | |
| Untrusted Initialization | 454 | External Initialization of Trusted Variables or Data Stores | 0 | X | |
| Untrusted Search Path | 114 | Process Control | 5 | X | |
| Untrusted Search Path | 426 | Untrusted Search Path | 3 | X | |
| Untrusted Search Path | 427 | Uncontrolled Search Path Element | 3 | X | |

¹ Veracode defines flaw severities on the following scale: 0: Informational, 1: Very Low, 2: Low, 3: Medium, 4: High, 5: Very High. For more information, see Veracode Flaw Severities.