...
CERT Rule | Related Guidelines |
|---|---|
| IDS00-J | CWE-116, Improper Encoding or Escaping of Output |
| IDS01-J | CWE-289, Authentication bypass by alternate name |
| IDS01-J | CWE-180, Incorrect behavior order: Validate before canonicalize |
| IDS03-J | CWE-144, Improper neutralization of line delimiters |
| IDS03-J | CWE-150, Improper neutralization of escape, meta, or control sequences |
| IDS03-J | CWE-117, Improper Output Neutralization for Logs |
| IDS04-J | CWE-409, Improper Handling of Highly Compressed Data (Data Amplification) |
| IDS06-J | CWE-134, Uncontrolled Format String |
| IDS07-J | CWE-78, Improper Neutralization of Special Elements Used in an OS Command ("OS Command Injection") |
| IDS08-J | CWE-625, Permissive Regular Expression |
| IDS11-J | CWE-182, Collapse of Data into Unsafe Value |
| IDS16-J | CWE-116, Improper Encoding or Escaping of Output |
| IDS17-J | CWE-116, Improper Encoding or Escaping of Output |
| DCL00-J | CWE-665, Improper Initialization |
| EXP00-J | CWE-252, Unchecked Return Value |
| EXP01-J | CWE-476, NULL Pointer Dereference |
| EXP02-J | CWE-595, Comparison of Object References Instead of Object Contents |
| EXP03-J | CWE-595, Comparison of Object References Instead of Object Contents |
| EXP03-J | CWE-597, Use of Wrong Operator in String Comparison |
| NUM00-J | CWE-682, Incorrect Calculation |
| NUM00-J | CWE-190, Integer Overflow or Wraparound |
| NUM00-J | CWE-191, Integer Underflow (Wrap or Wraparound) |
| NUM02-J | CWE-369, Divide by Zero |
| NUM12-J | CWE-681, Incorrect Conversion between Numeric Types |
| NUM12-J | CWE-197, Numeric Truncation Error |
| STR03-J | CWE-838, Inappropriate Encoding for Output Context |
| OBJ01-J | CWE-766, Critical Variable Declared Public |
| OBJ04-J | CWE-374, Passing Mutable Objects to an Untrusted Method |
| OBJ04-J | CWE-375, Returning a Mutable Object to an Untrusted Caller |
| OBJ05-J | CWE-375, Returning a Mutable Object to an Untrusted Caller |
| OBJ07-J | CWE-498, Cloneable Class Containing Sensitive Information |
| OBJ07-J | CWE-491, Public cloneable() Method without Final (aka "Object Hijack") |
| OBJ08-J | CWE-492, Use of Inner Class Containing Sensitive Data |
| OBJ09-J | CWE-486, Comparison of Classes by Name |
| OBJ10-J | CWE-493, Critical Public Variable without Final Modifier |
| OBJ10-J | CWE-500, Public Static Field Not Marked Final |
| OBJ14-J | CWE-416, Use After Free |
| MET01-J | CWE-617, Reachable Assertion |
| MET02-J | CWE-589, Call to Non-ubiquitous API |
| MET04-J | CWE-487, Reliance on Package-Level Scope |
| MET08-J | CWE-697, Insufficient Comparison |
| MET09-J | CWE-581, Object Model Violation: Just One of equals and hashcode Defined |
| MET10-J | CWE-573, Improper Following of Specification by Caller |
| MET12-J | CWE-586, Explicit call to Finalize() |
| MET12-J | CWE-583, finalize() Method Declared Public |
| MET12-J | CWE-568, finalize() Method without super.finalize() |
| ERR00-J | CWE-390, Detection of Error Condition without Action |
| ERR01-J | CWE-209, Information Exposure through an Error Message |
| ERR01-J | CWE-497, Exposure of System Data to an Unauthorized Control Sphere |
| ERR01-J | CWE-600, Uncaught Exception in Servlet |
| ERR03-J | CWE-460, Improper Cleanup on Thrown Exception |
| ERR04-J | CWE-459, Incomplete Cleanup |
| ERR04-J | CWE-584, Return Inside finally Block |
| ERR05-J | CWE-248, Uncaught Exception |
| ERR05-J | CWE-460, Improper Cleanup on Thrown Exception |
| ERR05-J | CWE-584, Return inside finally Block |
| ERR05-J | CWE-705, Incorrect Control Flow Scoping |
| ERR05-J | CWE-754, Improper Check for Unusual or Exceptional Conditions |
| ERR06-J | CWE-703, Improper Check or Handling of Exceptional Conditions |
| ERR06-J | CWE-248, Uncaught Exception |
| ERR07-J | CWE-397, Declaration of Throws for Generic Exception |
| ERR09-J | CWE-382, J2EE Bad Practices: Use of System.exit() |
| VNA00-J | CWE-413, Improper Resource Locking |
| VNA00-J | CWE-567, Unsynchronized Access to Shared Data in a Multithreaded Context |
| VNA00-J | CWE-667, Improper Locking |
| VNA03-J | CWE-362, Concurrent Execution Using Shared Resource with Improper Synchronization ("Race Condition") |
| VNA03-J | CWE-366, Race Condition within a Thread |
| VNA03-J | CWE-662, Improper Synchronization |
| VNA05-J | CWE-667, Improper Locking |
| LCK00-J | CWE-412. Unrestricted externally accessible lock |
| LCK05-J | CWE-820, Missing Synchronization |
| LCK06-J | CWE-667, Improper Locking |
| LCK07-J | CWE-833, Deadlock |
| LCK08-J | CWE-883, Deadlock |
| LCK10-J | CWE-609, Double-checked Locking |
| THI00-J | CWE-572, Call to Thread run() instead of start() |
| THI05-J | CWE-705, Incorrect Control Flow Scoping |
| TPS00-J | CWE-405, Asymmetric Resource Consumption (Amplification) |
| TPS00-J | CWE-410, Insufficient Resource Pool |
| TPS03-J | CWE-392, Missing Report of Error Condition |
| FIO00-J | CWE-67, Improper Handling of Windows Device Names |
| FIO01-J | CWE-279, Incorrect Execution-Assigned Permissions |
| FIO01-J | CWE-276, Incorrect Default Permissions |
| FIO01-J | CWE-732, Incorrect Permission Assignment for Critical Resource |
| FIO03-J | CWE-377, Insecure Temporary File |
| FIO03-J | CWE-459, Incomplete Cleanup |
| FIO04-J | CWE-404, Improper Resource Shutdown or Release |
| FIO04-J | CWE-405, Asymmetric Resource Consumption (Amplification) |
| FIO04-J | CWE-459, Incomplete Cleanup |
| FIO04-J | CWE-770, Allocation of Resources without Limits or Throttling |
| FIO09-J | CWE-252, Unchecked Return Value |
| FIO10-J | CWE-135, Incorrect Calculation of Multi-byte String Length |
| FIO12-J | CWE-198, Use of Incorrect Byte Ordering |
| FIO13-J | CWE-359, Privacy Violation |
| FIO13-J | CWE-532, Information Exposure through Log Files |
| FIO13-J | CWE-533, Information Exposure through Server Log Files |
| FIO13-J | CWE-542, Information Exposure through Cleanup Log Files |
| FIO14-J | CWE-705, Incorrect Control Flow Scoping |
| FIO16-J | CWE-171, Cleansing, Canonicalization, and Comparison Errors |
| FIO16-J | CWE-647, Use of Non-canonical URL Paths for Authorization Decisions |
| SER00-J | CWE-589, Call to Non-ubiquitous API |
| SER01-J | CWE-502, Deserialization of Untrusted Data |
| SER02-J | CWE-319, Cleartext Transmission of Sensitive Information |
| SER03-J | CWE-499, Serializable Class Containing Sensitive Data |
| SER03-J | CWE-502, Deserialization of Untrusted Data |
| SER05-J | CWE-499, Serializable Class Containing Sensitive Data |
| SER06-J | CWE-502, Deserialization of Untrusted Data |
| SER07-J | CWE-502, "Deserialization of Untrusted Data" |
| SER08-J | CWE-250, Execution with Unnecessary Privileges |
| SER10-J | CWE-400, Uncontrolled Resource Consumption (aka "Resource Exhaustion") |
| SER10-J | CWE-770, Allocation of Resources without Limits or Throttling |
| SER12-J | CWE-502, Deserialization of Untrusted Data |
| SEC00-J | CWE-266, Incorrect Privilege Assignment |
| SEC00-J | CWE-272, Least Privilege Violation |
| SEC01-J | CWE-266, Incorrect Privilege Assignment |
| SEC01-J | CWE-272, Least Privilege Violation |
| SEC01-J | CWE-732, Incorrect Permission Assignment for Critical Resource |
| SEC02-J | CWE-302, Authentication Bypass by Assumed-Immutable Data |
| SEC02-J | CWE-470, Use of Externally-Controlled Input to Select Classes or Code ("Unsafe Reflection") |
| SEC06-J | CWE-300, Channel Accessible by Non-endpoint (aka "Man-in-the-Middle") |
| SEC06-J | CWE-319, Cleartext Transmission of Sensitive Information |
| SEC06-J | CWE-347, Improper Verification of Cryptographic Signature |
| SEC06-J | CWE-494, Download of Code without Integrity Check |
| ENV01-J | CWE-349, Acceptance of Extraneous Untrusted Data with Trusted Data |
| ENV03-J | CWE-732, Incorrect Permission Assignment for Critical Resource |
| JNI00-J | CWE-111, Direct Use of Unsafe JNI |
| MSC00-J | CWE-311, Failure to Encrypt Sensitive Data |
| MSC02-J | CWE-327, Use of a Broken or Risky Cryptographic Algorithm |
| MSC02-J | CWE-330, Use of Insufficiently Random Values |
| MSC02-J | CWE-332, Insufficient Entropy in PRNG |
| MSC02-J | CWE-336, Same Seed in PRNG |
| MSC02-J | CWE-337, Predictable Seed in PRNG |
| MSC03-J | CWE-259, Use of Hard-Coded Password |
| MSC03-J | CWE-798, Use of Hard-Coded Credentials |
| MSC04-J | CWE-401, Improper Release of Memory before Removing Last Reference ("Memory Leak") |
| MSC05-J | CWE-400, Uncontrolled Resource Consumption ("Resource Exhaustion") |
| MSC05-J | CWE-770, Allocation of Resources without Limits or Throttling |
| MSC07-J | CWE-543, Use of Singleton Pattern without Synchronization in a Multithreaded Context |
| IDS50-J | CWE-116, Improper encoding or escaping of output |
| SEC58-J | CWE-502, Deserialization of Untrusted Data |
| STR51-J | CWE-838. Inappropriate Encoding for Output Context |