The Coding Rules to Deliver Resilient and Scalable Software
The Code Quality Standards for Reliability, Performance Efficiency, Security, and Maintainability are comprised of a set of software weaknesses (CWEs) to mitigate in source code. Below is a list of CWEs included in each quality characteristic. The CWEs for each characteristic were selected by a team of renowned software engineering experts because of their criticality and measured impact on quality and security. The indented CWEs are children of the parent weaknesses, meaning they are possible instantiations of the parent weakness and should also be mitigated in the code.
Reliability
- CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer
- CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
- CWE-123: write-what-where-condition
- CWE-125: Out-of-bounds read
- CWE-130: Improper Handling of Length Parameter Inconsistency
- CWE-786: Access of Memory Location Before Start of Buffer
- CWE-787: Out-of-bounds Write
- CWE-788: Access of Memory Location After End of Buffer
- CWE-805: Buffer Access with Incorrect Length Value
- CWE-822: Untrusted Pointer Dereference
- CWE-823: Use of Out-of-range Pointer Offset
- CWE-824: Access of Uninitialized Pointer
- CWE-825: Expired Pointer Dereference
- CWE-170: Improper Null Termination
- CWE-252: Unchecked Return Value
- CWE-390: Detection of Error Condition Without Action
- CWE-394: Unexpected Status Code or Return Value
- CWE-404: Improper Resource Shutdown or Release
- CWE-424: Improper Protection of Alternate Path
- CWE-459: Incomplete Cleanup
- CWE-476: NULL Point Dereference
- CWE-480: Use of Incorrect Operator
- CWE-484: Omitted Break Statement in Switch
- CWE-562: Return of Stack Variable Address
- CWE-595: Comparison of Object References Instead of Object Contents
- CWE-662: Improper Synchronization
- CWE-366: Race Condition within a Thread
- CWE-543: Use of Singleton Pattern Without Synchronization in a Multithreaded Context
- CWE-567: Unsynchronized Access to Shared Data in a Multithreaded Context
- CWE-667: Improper Locking
- CWE-764: Multiple Locks of a Critical Resource
- CWE-820: Missing Synchronization
- CWE-821: Incorrect Synchronization
- CWE-1058: Invokable Control Element in Multi-Thread Context with non-Final Static Storable or Member Element
- CWE-1096: Singleton Class Instance Creation without Proper Locking or Synchronization
- CWE-665: Improper Initialization
- CWE-672: Operation on a Resource after Expiration or Release
- CWE-681: Incorrect Conversion between Numeric Types
- CWE-682: Incorrect Calculation
- CWE-703: Improper Check or Handling of Exceptional Conditions
- CWE-704: Incorrect Type Conversion or Cast
- CWE-758: Reliance on Undefined, Unspecified, or Implementation-Defined Behavior
- CWE-833: Deadlock
- CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop')
- CWE-908: Use of Uninitialized Resource
- CWE-1045: Parent Class with a Virtual Destructor and a Child Class without a Virtual Destructor
- CWE-1051: Initialization with Hard-Coded Network Resource Configuration Data
- CWE-1066: Missing Serialization Control Element
- CWE-1070: Serializable Data Element Containing non-Serializable Item Elements
- CWE-1077: Floating Point Comparison with Incorrect Operator
- CWE-1079: Parent Class without Virtual Destructor Method
- CWE-1082: Class Instance Self Destruction Control Element
- CWE-1083: Data Access from Outside Designated Data Manager Component
- CWE-1087: Class with Virtual Method without a Virtual Destructor
- CWE-1088: Synchronous Access of Remote Resource without Timeout
- CWE-1098: Data Element containing Pointer Item without Proper Copy Control Element
Performance Efficiency
- CWE-404: Improper Resource Shutdown or Release
- CWE-424: Improper Protection of Alternate Path
- CWE-1042: Static Member Data Element outside of a Singleton Class Element
- CWE-1043: Data Element Aggregating an Excessively Large Number of Non-Primitive Elements
- CWE-1046: Creation of Immutable Text Using Strong Concatenation
- CWE-1049: Excessive Data Query Operations in a Large Data Table
- CWE-1050: Excessive Platform Resource Consumption within a Loop
- CWE-1057: Data Access Operations Outside of Expected Data Manager Component
- CWE-1060: Excessive Number of Inefficient Server-Side Data Accesses
- CWE-1067: Excessive Execution of Sequential Searches of Data Resource
- CWE-1072: Data Resource Access without Use of Connection Pooling
- CWE-1073: Non-SQL Invokable Control Element with Excessive Number of Data Resource Accesses
- CWE-1089: Large Data Table with Excessive Number of Indices
- CWE-1091: Use of Object without Invoking Destructor Method
- CWE-1094: Excessive Index Range Scan for a Data Resource
Security
- CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
- CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')
- CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross Site Scripting')
- CWE-89: Improper Neutralization of Special Elements used in a SQL Command ('SQL Injection')
- CWE-564: SQL Injection: Hibernate
- CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')
- CWE-91: XML Injection (aka Blind XPath Injection)
- CWE-99: Improper Control of Resource Identifiers ('Resource Injection')
- CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer
- CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
- CWE-123: Write-what-where condition
- CWE-125: Out-of-bounds Read
- CWE-130: Improper Handling of Length Parameter Inconsistency
- CWE-786: Access of Memory Location Before Start of Buffer
- CWE-787: Access of Memory Location After End of Buffer
- CWE-788: Access of Memory Location After End of Buffer
- CWE-805: Buffer Access with Incorrect Length Value
- CWE-822: Untrusted Pointer Dereference
- CWE-823: Use of Out-of-range Pointer Offset
- CWE-824: Access of Uninitialized Pointer
- CWE-825: Expired Pointer Dereference
- CWE-129: Improper Validation of Array Index
- CWE-134: Use of Externally Controlled Format String
- CWE-252: Unchecked Return Value
- CWE-404: Improper Resource Shutdown or Release
- CWE-424: Improper Protection of Alternate Path
- CWE-434: Unrestricted Upload of File with Dangerous Type
- CWE-477: Use of Obsolete Function
- CWE-480: Use of Incorrect Operator
- CWE-502: Deserialization of Untrusted Data
- CWE-570: Expression is Always False
- CWE-571: Expression is Always True
- CWE-606: Unchecked Input for Loop Condition
- CWE-611: Improper Restriction of XML External Entity Reference ('XXE')
- CWE-643: Improper Neutralization of Data within XPath Expressions ('XPath Injection')
- CWE-652: Improper Neutralization of Data within XQuery Expressions ('XQuery Injection')
- CWE-665: Improper Initialization
- CWE-662: Improper Synchronization
- CWE-672: Operation on a Resource after Expiration or Release
- CWE-681: Incorrect Conversion between Numeric Types
- CWE-682: Incorrect Calculation
- CWE-732: Incorrect Permission Assignment for Critical Resource
- CWE-778: Insufficient Logging
- CWE-783: Operator Precedence Logic Error
- CWE-789: Uncontrolled Memory Allocation
- CWE-798: Use of Hard-coded Credentials
- CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop')
- CWE-917: Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')
- CWE-1057: Data Access Operations Outside of Expected Data Manager Component
Maintainability
- CWE-407: Algorithmic Complexity
- CWE-478: Missing Default Case in Switch Statement
- CWE-480: Use of Incorrect Operator
- CWE-484: Omitted Break Statement in Switch
- CWE-561: Dead Code
- CWE-570: Expression is Always False
- CWE-571: Expression is Always True
- CWE-783: Operator Precedence Logic Error
- CWE-1041: Use of Redundant Code (Copy-Paste)
- CWE-1045: Parent Class with a Virtual Destructor and a Child Class without a Virtual Destructor
- CWE-1047: Modules with Circular Dependencies
- CWE-1048: Invokable Control Element with Large Number of Outward Calls (Excessive Coupling or Fan-out)
- CWE-1051: Initialization with Hard-Coded Network Resource Configuration Data
- CWE-1052: Excessive Use of Hard-Coded Literals in Initialization
- CWE-1054: Invocation of a Control Element at an Unnecessarily Deep Horizontal Layer (Layer-skipping Call)
- CWE-1055: Multiple Inheritance from Concrete Classes
- CWE-1062: Parent Class Element with References to Child Class
- CWE-1064: Invokable Control Element with Signature Containing an Excessive Number of Parameters
- CWE-1074: Class with Excessively Deep Inheritance
- CWE-1075: Unconditional Control Flow Transfer outside of Switch Block
- CWE-1079: Parent Class without Virtual Destructor Method
- CWE-1080: Source Code File with Excessive Number of Lines of Code
- CWE-1084: Invokable Control Element with Excessive File or Data Access Operations
- CWE-1085: Invokable Control Element with Excessive Volume of Commented-out Code
- CWE-1086: Class with Excessive Number of Child Classes
- CWE-1087: Class wit Virtual Method without a Virtual Destructor
- CWE-1090: Method Containing Access of a Member Element from Another Class
- CWE-1095: Loop Condition Value Update within the Loop
- CWE-1121: Excessive McCabe Cyclomatic Complexity