Code Quality Rules

The Coding Rules to Deliver Resilient and Scalable Software

The Code Quality Standards for Reliability, Performance Efficiency, Security, and Maintainability are comprised of a set of software weaknesses (CWEs) to mitigate in source code. Below is a list of CWEs included in each quality characteristic. The CWEs for each characteristic were selected by a team of renowned software engineering experts because of their criticality and measured impact on quality and security. The indented CWEs are children of the parent weaknesses, meaning they are possible instantiations of the parent weakness and should also be mitigated in the code.

Reliability

  1. CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer 
    • CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
    • CWE-123: write-what-where-condition
    • CWE-125: Out-of-bounds read
    • CWE-130: Improper Handling of Length Parameter Inconsistency
    • CWE-786: Access of Memory Location Before Start of Buffer
    • CWE-787: Out-of-bounds Write
    • CWE-788: Access of Memory Location After End of Buffer
    • CWE-805: Buffer Access with Incorrect Length Value
    • CWE-822: Untrusted Pointer Dereference
    • CWE-823: Use of Out-of-range Pointer Offset
    • CWE-824: Access of Uninitialized Pointer
    • CWE-825: Expired Pointer Dereference
  2. CWE-170: Improper Null Termination
  3. CWE-252: Unchecked Return Value
  4. CWE-390: Detection of Error Condition Without Action
  5. CWE-394: Unexpected Status Code or Return Value
  6. CWE-404: Improper Resource Shutdown or Release
    • CWE-401: Improper Release of Memory Before Removing Last Reference ('Memory Leak')
    • CWE-772: Missing Release of Resource after Effective Lifetime
    • CWE-775: Missing Release of File Descriptor or Handle after Effective Lifetime
  7. CWE-424: Improper Protection of Alternate Path
  8. CWE-459: Incomplete Cleanup
  9. CWE-476: NULL Point Dereference
  10. CWE-480: Use of Incorrect Operator
  11. CWE-484: Omitted Break Statement in Switch
  12. CWE-562: Return of Stack Variable Address
  13. CWE-595: Comparison of Object References Instead of Object Contents
    • CWE-597: Use of Wrong Operators in String Comparison
    • CWE-1097: Persistent Storable Data Element without Associated Comparison Control Element
  14. CWE-662: Improper Synchronization
    • CWE-366: Race Condition within a Thread
    • CWE-543: Use of Singleton Pattern Without Synchronization in a Multithreaded Context
    • CWE-567: Unsynchronized Access to Shared Data in a Multithreaded Context
    • CWE-667: Improper Locking
    • CWE-764: Multiple Locks of a Critical Resource
    • CWE-820: Missing Synchronization
    • CWE-821: Incorrect Synchronization
    • CWE-1058: Invokable Control Element in Multi-Thread Context with non-Final Static Storable or Member Element
    • CWE-1096: Singleton Class Instance Creation without Proper Locking or Synchronization
  15. CWE-665: Improper Initialization
    • CWE-456: Missing Initialization of a Variable
    • CWE-457: Use of Uninitialized Variable
  16. CWE-672: Operation on a Resource after Expiration or Release
  17. CWE-681: Incorrect Conversion between Numeric Types
    • CWE-194: Unexpected Sign Extension
    • CWE-195: Signed to Unsigned Conversion Error
    • CWE-196: Unsigned to Signed Conversion Error
    • CWE-197: Numeric Truncation Error
  18. CWE-682: Incorrect Calculation
    1. CWE-131: Incorrect Calculation of Buffer Size
    2. CWE-369: Divide by Zero
  19. CWE-703: Improper Check or Handling of Exceptional Conditions
    • CWE-248: Uncaught Exception
    • CWE-391: Unchecked Error Condition
    • CWE-392: Missing Report of Error Condition
  20. CWE-704: Incorrect Type Conversion or Cast
  21. CWE-758: Reliance on Undefined, Unspecified, or Implementation-Defined Behavior
  22. CWE-833: Deadlock
  23. CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop')
  24. CWE-908: Use of Uninitialized Resource
  25. CWE-1045: Parent Class with a Virtual Destructor and a Child Class without a Virtual Destructor
  26. CWE-1051: Initialization with Hard-Coded Network Resource Configuration Data
  27. CWE-1066: Missing Serialization Control Element
  28. CWE-1070: Serializable Data Element Containing non-Serializable Item Elements
  29. CWE-1077: Floating Point Comparison with Incorrect Operator
  30. CWE-1079: Parent Class without Virtual Destructor Method
  31. CWE-1082: Class Instance Self Destruction Control Element
  32. CWE-1083: Data Access from Outside Designated Data Manager Component
  33. CWE-1087: Class with Virtual Method without a Virtual Destructor
  34. CWE-1088: Synchronous Access of Remote Resource without Timeout
  35. CWE-1098: Data Element containing Pointer Item without Proper Copy Control Element

Performance Efficiency

  1. CWE-404: Improper Resource Shutdown or Release
    • CWE-401: Improper Release of Memory Before Removing Last Reference ('Memory Leak')
    • CWE-772: Missing Release of Resource after Effective Lifetime
    • CWE-775: Missing Release of File Descriptor or Handle after Effective Lifetime
  2. CWE-424: Improper Protection of Alternate Path
  3. CWE-1042: Static Member Data Element outside of a Singleton Class Element
  4. CWE-1043: Data Element Aggregating an Excessively Large Number of Non-Primitive Elements
  5. CWE-1046: Creation of Immutable Text Using Strong Concatenation
  6. CWE-1049: Excessive Data Query Operations in a Large Data Table
  7. CWE-1050: Excessive Platform Resource Consumption within a Loop
  8. CWE-1057: Data Access Operations Outside of Expected Data Manager Component
  9. CWE-1060: Excessive Number of Inefficient Server-Side Data Accesses
  10. CWE-1067: Excessive Execution of Sequential Searches of Data Resource
  11. CWE-1072: Data Resource Access without Use of Connection Pooling
  12. CWE-1073: Non-SQL Invokable Control Element with Excessive Number of Data Resource Accesses
  13. CWE-1089: Large Data Table with Excessive Number of Indices
  14. CWE-1091: Use of Object without Invoking Destructor Method
  15. CWE-1094: Excessive Index Range Scan for a Data Resource

Security

  1. CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
    • CWE-23: Relative Path Traversal
    • CWE-36: Absolute Path Traversal
  2. CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')
    • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
    • CWE-88: Argument Injection or Modification
  3. CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross Site Scripting')
  4. CWE-89: Improper Neutralization of Special Elements used in a SQL Command ('SQL Injection')
    • CWE-564: SQL Injection: Hibernate
  5. CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')
  6. CWE-91: XML Injection (aka Blind XPath Injection)
  7. CWE-99: Improper Control of Resource Identifiers ('Resource Injection')
  8. CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer
    • CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
    • CWE-123: Write-what-where condition
    • CWE-125: Out-of-bounds Read
    • CWE-130: Improper Handling of Length Parameter Inconsistency
    • CWE-786: Access of Memory Location Before Start of Buffer
    • CWE-787: Access of Memory Location After End of Buffer
    • CWE-788: Access of Memory Location After End of Buffer
    • CWE-805: Buffer Access with Incorrect Length Value
    • CWE-822: Untrusted Pointer Dereference
    • CWE-823: Use of Out-of-range Pointer Offset
    • CWE-824: Access of Uninitialized Pointer
    • CWE-825: Expired Pointer Dereference
  9. CWE-129: Improper Validation of Array Index
  10. CWE-134: Use of Externally Controlled Format String
  11. CWE-252: Unchecked Return Value
  12. CWE-404: Improper Resource Shutdown or Release
    • CWE-401: Improper Release of Memory Before Removing Last Reference ('Memory Leak')
    • CWE-772: Missing Release of Resource after Effective Lifetime
    • CWE-775: Missing Release of File Descriptor or Handle after Effective Lifetime
  13. CWE-424: Improper Protection of Alternate Path
  14. CWE-434: Unrestricted Upload of File with Dangerous Type
  15. CWE-477: Use of Obsolete Function
  16. CWE-480: Use of Incorrect Operator
  17. CWE-502: Deserialization of Untrusted Data
  18. CWE-570: Expression is Always False
  19. CWE-571: Expression is Always True
  20. CWE-606: Unchecked Input for Loop Condition
  21. CWE-611: Improper Restriction of XML External Entity Reference ('XXE')
  22. CWE-643: Improper Neutralization of Data within XPath Expressions ('XPath Injection')
  23. CWE-652: Improper Neutralization of Data within XQuery Expressions ('XQuery Injection')
  24. CWE-665: Improper Initialization
    • CWE-456: Missing Initialization of a Variable
    • CWE-457: Use of Uninitialized Variable
  25. CWE-662: Improper Synchronization
    • CWE-366: Race Condition within a Thread
    • CWE-543: Use of Singleton Pattern Without Synchronization in a Multithreaded Context
    • CWE-567: Unsynchronized Access to Shared Data in a Multithreaded Context
    • CWE-667: Improper Locking
    • CWE-820: Missing Synchronization
    • CWE-821: Incorrect Synchronization
  26. CWE-672: Operation on a Resource after Expiration or Release
  27. CWE-681: Incorrect Conversion between Numeric Types
    • CWE-194: Unexpected Sign Extension
    • CWE-195: Signed to Unsigned Conversion Error
    • CWE-196: Unsigned to Signed Conversion Error
    • CWE-197: Numeric Truncation Error
  28. CWE-682: Incorrect Calculation
    • CWE-131: Incorrect Calculation of Buffer Size
    • CWE-369: Divide By Zero
  29. CWE-732: Incorrect Permission Assignment for Critical Resource
  30. CWE-778: Insufficient Logging
  31. CWE-783: Operator Precedence Logic Error
  32. CWE-789: Uncontrolled Memory Allocation
  33. CWE-798: Use of Hard-coded Credentials
    • CWE-259: Use of Hard-coded Password
    • CWE-321: Use of Hard-coded Cryptographic Key
  34. CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop')
  35. CWE-917: Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')
  36. CWE-1057: Data Access Operations Outside of Expected Data Manager Component

Maintainability

  1. CWE-407: Algorithmic Complexity
  2. CWE-478: Missing Default Case in Switch Statement
  3. CWE-480: Use of Incorrect Operator
  4. CWE-484: Omitted Break Statement in Switch
  5. CWE-561: Dead Code
  6. CWE-570: Expression is Always False
  7. CWE-571: Expression is Always True
  8. CWE-783: Operator Precedence Logic Error
  9. CWE-1041: Use of Redundant Code (Copy-Paste)
  10. CWE-1045: Parent Class with a Virtual Destructor and a Child Class without a Virtual Destructor
  11. CWE-1047: Modules with Circular Dependencies
  12. CWE-1048: Invokable Control Element with Large Number of Outward Calls (Excessive Coupling or Fan-out)
  13. CWE-1051: Initialization with Hard-Coded Network Resource Configuration Data
  14. CWE-1052: Excessive Use of Hard-Coded Literals in Initialization
  15. CWE-1054: Invocation of a Control Element at an Unnecessarily Deep Horizontal Layer (Layer-skipping Call)
  16. CWE-1055: Multiple Inheritance from Concrete Classes
  17. CWE-1062: Parent Class Element with References to Child Class
  18. CWE-1064: Invokable Control Element with Signature Containing an Excessive Number of Parameters
  19. CWE-1074: Class with Excessively Deep Inheritance
  20. CWE-1075: Unconditional Control Flow Transfer outside of Switch Block
  21. CWE-1079: Parent Class without Virtual Destructor Method
  22. CWE-1080: Source Code File with Excessive Number of Lines of Code
  23. CWE-1084: Invokable Control Element with Excessive File or Data Access Operations
  24. CWE-1085: Invokable Control Element with Excessive Volume of Commented-out Code
  25. CWE-1086: Class with Excessive Number of Child Classes
  26. CWE-1087: Class wit Virtual Method without a Virtual Destructor
  27. CWE-1090: Method Containing Access of a Member Element from Another Class
  28. CWE-1095: Loop Condition Value Update within the Loop
  29. CWE-1121: Excessive McCabe Cyclomatic Complexity