To get a trial key
fill out the form below
Team License (a basic version)
Enterprise License (an extended version)
* By clicking this button you agree to our Privacy Policy statement

Request our prices
New License
License Renewal
--Select currency--
USD
EUR
GBP
RUB
* By clicking this button you agree to our Privacy Policy statement

Free PVS-Studio license for Microsoft MVP specialists
* By clicking this button you agree to our Privacy Policy statement

To get the licence for your open-source project, please fill out this form
* By clicking this button you agree to our Privacy Policy statement

I am interested to try it on the platforms:
* By clicking this button you agree to our Privacy Policy statement

Message submitted.

Your message has been sent. We will email you at


If you haven't received our response, please do the following:
check your Spam/Junk folder and click the "Not Spam" button for our message.
This way, you won't miss messages from our team in the future.

>
>
CWE Top 25 2021. What is it, what is it…

CWE Top 25 2021. What is it, what is it for and how is it useful for static analysis?

Sep 28 2021

For the first time PVS-Studio provided support for the CWE classification in the 6.21 release. It took place on January 15, 2018. Years have passed since then and we would like to tell you about the improvements related to the support of this classification in the latest analyzer version.

0869_CWE_status/image1.png

We position the PVS-Studio analyzer as a Static Application Security Testing (SAST) tool. This means our analyzer not only detects typos and errors in code, but also searches for potential vulnerabilities and correlates them with various standards (CWE, OWASP, SEI CERT, MISRA, AUTOSAR, etc.). Why potential vulnerabilities? Because potential vulnerabilities (CWE) may become real vulnerabilities (CVE) only if someone exploits them. And to make it happen many, sometimes unrelated, factors must often coincide.

That's why we decided to check how well PVS-Studio covers the most common defects now. To do this, it's enough to refer to the CWE Top 25 list. Somehow, we missed this list. Well, it's time to make amends!

CWE. What this is and what it is for

Let's refresh some moments and definitions in memory. If you're already good at terminology and know the difference between CVE and CWE, why we need CVSS and how CWE Top 25 is ranked, you can skip this part. Otherwise, I strongly recommend that you refresh those terms before you read the article. Below is a rather free interpretation of some points of CWE FAQ and CVE FAQ:

How does a software defect differ from a software vulnerability?

Defects are errors, failures and other problems of implementation, design or architecture of the software that can lead to vulnerabilities.

Vulnerabilities are errors that have already been found by someone. Attackers may use these vulnerabilities to get access to a system or a network, to disrupt services, etc.

What is CWE? How is it different from CVE and what does CVSS have to do with it?

  • CWE (Common Weakness Enumeration) is a general list of security defects.
  • CVE (Common Vulnerabilities and Exposures) is a list of vulnerabilities and defects found in various software.
  • CVSS (Common Vulnerability Scoring System) is a numerical score that indicates the potential severity of a vulnerability (CVE). It is based on a standardized set of characteristics.
0869_CWE_status/image2.png

What is CWE Top 25?

CWE Top 25 is a list of the most dangerous and common defects. These defects are dangerous because someone can easily find and exploit them. Attackers can use them to disrupt the application's operation, steal data or even completely take over a system. CWE Top 25 is a significant community resource. It helps developers, testers, users, project managers, security researchers and teachers. They use this list to get an idea of the most common and dangerous security defects now.

What is an algorithm to compile and rank the CWE Top 25 list?

To create the current version of CWE Top 25, the CWE Team used data from U.D National Vulnerability Database (NVD) for 2019–2020. Next, the team of researchers used their own formula to calculate the ranking order. This formula takes into account the frequency, with which a defect (CWE) is the main cause of a vulnerability, and the potential danger of exploitation. The team made the formula that way, so it normalizes the frequency and predicted severity relative to their minimum and maximum values.

To obtain the frequency of mentions, the formula calculates how many times CVE referred to CWE within the NVD. The formula uses only those CVEs, which have a reference to CWE. If the formula uses the full data set, it will lead to very low frequency rates and an insignificant difference amongst the different types of defects.

Freq = {count(CWE_X' ∈ NVD) for each CWE_X' in NVD}

Fr(CWE_X) = (count(CWE_X ∈ NVD) - min(Freq)) / (max(Freq) - min(Freq))

Another important component of the scoring formula is a defect's severity. The following formula calculates it:

Sv(CWE_X) = (average_CVSS_for_CWE_X - min(CVSS)) / (max(CVSS) - min(CVSS))

At the end, the final score is calculated by multiplying the frequency of mention by the severity score.

Score(CWE_X) = Fr(CWE_X) * Sv(CWE_X) * 100

This approach introduces a bias by analyzing only detected vulnerabilities and can potentially exclude a significant part of data. Although, the CWE Team believes that this approach helps to compile a more accurate CWE Top 25 list every year.

Is the Top 25 updated annually?

Yes, it is. For information about previous versions, visit CWE Top 25 archive.

Who participates in the development of CWE Top 25?

The CWE community includes individual researchers and representatives of numerous organizations, the scientific community, and government agencies. They are all interested in elimination of software defects. You can get a list of CWE Team members on the "CWE Community Members" page.

Why should I know that?

Today, developers use CWE as the main tool when discussing the elimination and / or minimizing security defects in the architecture, design, code, and software implementation. Organizations use CWE as a standard measure for evaluating software security verification tools and as a common baseline standard for identifying, preventing, and minimizing negative consequences.

Can you give us examples of errors?

The CWE classification covers the most common problems with the development of software and various equipment. For example:

  • software defects: buffer overflows; errors in format strings; structure and data validation problems; common special elements manipulation; channel and path errors; handler errors; UI errors; pathname traversal and equivalence errors; authentication errors; resource management errors; insufficient data verification; code evaluation and injection problems; randomness and predictability problems;
  • hardware defects: core and computation errors typically associated with CPUs, graphics, Vision, AI, FPGA, and uControllers; privilege separation and access control issues related to the identification and policy, shared resources, locking controls, and other features and mechanisms; power, clock, and reset concerns related to voltage, electrical current, temperature, clock frequency control and state saving/restoring.

Read more about classification on the cwe.mitre.org website.

The situation today

We have been using the CWE classification for PVS-Studio diagnostics for more than three years. Their number increases every year. In 2018, we covered only 94 points on the CWE list. Now it's almost 130. However, this article isn't about the total number of diagnostics. Let's talk about those that are included in the list of the most dangerous diagnostics in 2021. If you want to read the full list, you can get it in the "CWE compliance" section of our documentation.

Below is a table of correspondence between the CWE Top 25 2021 list and the PVS-Studio diagnostics, divided by programming languages. In the future, we are going to regularly update the table with the CWE Top 25 coverage on our website.

#

CWE ID

Name

Evaluation

PVS-Studio diagnostics

1

CWE-787

Out-of-bounds Write

65,93

C++: V512, V557, V582, V645

C#: V3106

Java: V6025

2

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

46,84

C#: V5610

3

CWE-125

Out-of-bounds Read

24,90

C++: V512, V557, V582

C#: V3106

Java: V6025

4

CWE-20

Improper Input Validation

20,47

C++: V739, V781, V1010, V1024, V5009

5

CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

19,55

C++: V1010, V5009

6

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

19,54

C#: V5608

7

CWE-416

Use After Free

16,83

C++: V623, V723, V758, V774, V1017

8

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

14,69

C#: V5609

9

CWE-352

Cross-Site Request Forgery (CSRF)

14,46

Coming in the future

10

CWE-434

Unrestricted Upload of File with Dangerous Type

8,45

Coming in the future

11

CWE-306

Missing Authentication for Critical Function

7,93

Coming in the future

12

CWE-190

Integer Overflow or Wraparound

7,12

C++: V629, V658, V673, V683, V1026, V1028, V5004, V5005, V5006, V5007, V5010, V5011

C#: V3113

Java: V6105

13

CWE-502

Deserialization of Untrusted Data

6,71

C#: V5611

14

CWE-287

Improper Authentication

6,58

Coming in the future

15

CWE-476

NULL Pointer Dereference

6,54

C++: V522, V595, V664, V713, V1004

C#: V3027, V3042, V3080, V3095, V3100, V3125, V3145, V3146, V3148, V3149, V3152, V3153, V3168

Java: V6008, V6060, V6093

16

CWE-798

Use of Hard-coded Credentials

6,27

C++: V5013

C#: V5601

Java: V5305

17

CWE-119

Improper Restriction of Operations within the Bounds of a Memory Buffer

5,84

C++: V512, V557, V582, V769, V783, V1004

18

CWE-862

Missing Authorization

5,47

Coming in the future

19

CWE-276

Incorrect Default Permissions

5,09

Coming in the future

20

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

4,74

Coming in the future

21

CWE-522

Insufficiently Protected Credentials

4,21

Coming in the future

22

CWE-732

Incorrect Permission Assignment for Critical Resource

4,20

Coming in the future

23

CWE-611

Improper Restriction of XML External Entity Reference

4,02

Coming in the future

24

CWE-918

Server-Side Request Forgery (SSRF)

3,78

Coming in the future

25

CWE-77

Improper Neutralization of Special Elements used in a Command ('Command Injection')

3,58

Coming in the future

The table shows that PVS-Studio now covers 52% (13 out of 25) of the CWE Top 25 2021 list. It seems that 52% is not so much. However, we continue to develop diagnostics further. In the future we will be able to find even more defects. If we reduce this list to the 10 most dangerous and common defects, the picture becomes clearer — the total coverage grows to 80%. :) But this is a completely different story.

Changes in the CWE Top 25 over the past year

For the most sophisticated, I suggest looking at a brief statistic on movements in the CWE Top 25 over the past year.

The five biggest upshifts:

#

CWE ID

Name

Position in 2020

Position in 2021

Annual change

1

CWE-276

Incorrect Default Permissions

41

19

22▲

2

CWE-306

Missing Authentication for Critical Function

24

11

13▲

3

CWE-502

Deserialization of Untrusted Data

21

13

8▲

4

CWE-862

Missing Authorization

25

18

7▲

5

CWE-77

Improper Neutralization of Special Elements used in a Command ('Command Injection')

31

25

6▲

The five biggest downshifts:

#

CWE ID

Name

Position in 2020

Position in 2021

Annual change

1

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

7

20

13▼

2

CWE-119

Improper Restriction of Operations within the Bounds of a Memory Buffer

5

17

12▼

3

CWE-94

Improper Control of Generation of Code ('Code Injection')

17

28

11▼

4

CWE-269

Improper Privilege Management

22

29

7▼

5

CWE-732

Incorrect Permission Assignment for Critical Resource

16

22

6▼

Most of the CWEs presented in the table above belong to categories that are difficult to analyze. We can explain their rating decline (and their appearance in this table). The community has improved its educational, instrumental, and analytical capabilities, thereby reduced the frequency of mentioning errors related to these categories.

"Newbies" in the Top 25:

#

CWE ID

Name

Position in 2020

Position in 2021

Annual change

1

CWE-276

Incorrect Default Permissions

41

19

22▲

2

CWE-918

Server-Side Request Forgery (SSRF)

27

24

3▲

3

CWE-77

Improper Neutralization of Special Elements used in a Command ('Command Injection')

31

25

6▲

And in the end — the defects that were dropped out of the CWE Top 25 in 2021:

#

CWE ID

Name

Position in 2020

Position in 2021

Annual change

1

CWE-400

Uncontrolled Resource Consumption

23

27

4▼

2

CWE-94

Improper Control of Generation of Code ('Code Injection')

17

28

11▼

3

CWE-269

Improper Privilege Management

22

29

7▼

Conclusion

I hope you enjoyed this article and understood the current terminology.

Fortunately, static analyzers help us fight potential vulnerabilities. Therefore, I suggest that you download and test the PVS-Studio static analyzer with your project. Maybe a couple of CWEs crept into your code and are about to become CVE :)

Additional links:

Popular related articles
The Last Line Effect

Date: May 31 2014

Author: Andrey Karpov

I have studied many errors caused by the use of the Copy-Paste method, and can assure you that programmers most often tend to make mistakes in the last fragment of a homogeneous code block. I have ne…
How PVS-Studio Proved to Be More Attentive Than Three and a Half Programmers

Date: Oct 22 2018

Author: Andrey Karpov

Just like other static analyzers, PVS-Studio often produces false positives. What you are about to read is a short story where I'll tell you how PVS-Studio proved, just one more time, to be more atte…
PVS-Studio ROI

Date: Jan 30 2019

Author: Andrey Karpov

Occasionally, we're asked a question, what monetary value the company will receive from using PVS-Studio. We decided to draw up a response in the form of an article and provide tables, which will sho…
Free PVS-Studio for those who develops open source projects

Date: Dec 22 2018

Author: Andrey Karpov

On the New 2019 year's eve, a PVS-Studio team decided to make a nice gift for all contributors of open-source projects hosted on GitHub, GitLab or Bitbucket. They are given free usage of PVS-Studio s…
The Evil within the Comparison Functions

Date: May 19 2017

Author: Andrey Karpov

Perhaps, readers remember my article titled "Last line effect". It describes a pattern I've once noticed: in most cases programmers make an error in the last line of similar text blocks. Now I want t…
Static analysis as part of the development process in Unreal Engine

Date: Jun 27 2017

Author: Andrey Karpov

Unreal Engine continues to develop as new code is added and previously written code is changed. What is the inevitable consequence of ongoing development in a project? The emergence of new bugs in th…
Technologies used in the PVS-Studio code analyzer for finding bugs and potential vulnerabilities

Date: Nov 21 2018

Author: Andrey Karpov

A brief description of technologies used in the PVS-Studio tool, which let us effectively detect a large number of error patterns and potential vulnerabilities. The article describes the implementati…
Appreciate Static Code Analysis!

Date: Oct 16 2017

Author: Andrey Karpov

I am really astonished by the capabilities of static code analysis even though I am one of the developers of PVS-Studio analyzer myself. The tool surprised me the other day as it turned out to be sma…
The way static analyzers fight against false positives, and why they do it

Date: Mar 20 2017

Author: Andrey Karpov

In my previous article I wrote that I don't like the approach of evaluating the efficiency of static analyzers with the help of synthetic tests. In that article, I give the example of a code fragment…
Characteristics of PVS-Studio Analyzer by the Example of EFL Core Libraries, 10-15% of False Positives

Date: Jul 31 2017

Author: Andrey Karpov

After I wrote quite a big article about the analysis of the Tizen OS code, I received a large number of questions concerning the percentage of false positives and the density of errors (how many erro…

Comments (0)

Next comments
This website uses cookies and other technology to provide you a more personalized experience. By continuing the view of our web-pages you accept the terms of using these files. If you don't want your personal data to be processed, please, leave this site.
Learn More →
Accept