Classification of PVS-Studio warnings according to 2023 CWE Top 25 Most Dangerous Software Weaknesses
CWE Top 25 Most Dangerous Software Weaknesses is a list of the most dangerous and common software weaknesses. These software weaknesses are dangerous because someone can easily find and exploit them. Attackers can use them to disrupt the application's operation, steal data or even completely take over a system. CWE Top 25 Most Dangerous Software Weaknesses is a significant community resource. It helps developers, testers, users, project managers, security researchers and teachers. They use this list to get an idea of the most common and dangerous security defects now.
Below is a table of correspondence between the CWE Top 25 Most Dangerous Software Weaknesses 2023 list and the PVS-Studio diagnostics, divided by programming languages.
PVS-Studio has diagnostic rules for detecting 16/25 (64%) of the listed types of vulnerabilities.
# |
CWE ID |
Name |
PVS-Studio Diagnostics |
---|---|---|---|
1 |
Out-of-bounds Write |
|
|
2 |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
C#: V5610 |
|
3 |
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') |
|
|
4 |
Use After Free |
|
|
5 |
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') |
|
|
6 |
Improper Input Validation |
|
|
7 |
Out-of-bounds Read |
|
|
8 |
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') |
|
|
9 |
Cross-Site Request Forgery (CSRF) |
Coming in the future. |
|
10 |
Unrestricted Upload of File with Dangerous Type |
Coming in the future. |
|
11 |
Missing Authorization |
Coming in the future. |
|
12 |
NULL Pointer Dereference |
C++: V522, V595, V664, V713, V1004 |
|
13 |
Improper Authentication |
Coming in the future. |
|
14 |
Integer Overflow or Wraparound |
C++: V629, V658, V673, V683, V1026, V1028, V1081, V1083, V1085, V5004, V5005, V5006, V5007, V5010, V5011 |
|
15 |
Deserialization of Untrusted Data |
C#: V5611 |
|
16 |
Improper Neutralization of Special Elements used in a Command ('Command Injection') |
C#: V5616 |
|
17 |
Improper Restriction of Operations within the Bounds of a Memory Buffer |
|
|
18 |
Use of Hard-coded Credentials |
|
|
19 |
Server-Side Request Forgery (SSRF) |
C#: V5618 |
|
20 |
Missing Authentication for Critical Function |
Coming in the future. |
|
21 |
Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') |
Coming in the future. |
|
22 |
Improper Privilege Management |
Coming in the future. |
|
23 |
Improper Control of Generation of Code ('Code Injection') |
C++: V1076 |
|
24 |
Incorrect Authorization |
Coming in the future. |
|
25 |
Incorrect Default Permissions |
Coming in the future. |