Classification of PVS-Studio warnings according to 2022 CWE Top 25 Most Dangerous Software Weaknesses
CWE Top 25 Most Dangerous Software Weaknesses is a list of the most dangerous and common software weaknesses. These software weaknesses are dangerous because someone can easily find and exploit them. Attackers can use them to disrupt the application's operation, steal data or even completely take over a system. CWE Top 25 Most Dangerous Software Weaknesses is a significant community resource. It helps developers, testers, users, project managers, security researchers and teachers. They use this list to get an idea of the most common and dangerous security defects now.
Below is a table of correspondence between the CWE Top 25 Most Dangerous Software Weaknesses 2022 list and the PVS-Studio diagnostics, divided by programming languages.
PVS-Studio has diagnostic rules for detecting 17/25 (68%) of the listed types of vulnerabilities.
# |
CWE ID |
Name |
PVS-Studio Diagnostics |
---|---|---|---|
1 |
Out-of-bounds Write |
|
|
2 |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
C#: V5610 |
|
3 |
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') |
C#: V5608 |
|
4 |
Improper Input Validation |
|
|
5 |
Out-of-bounds Read |
|
|
6 |
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') |
|
|
7 |
Use After Free |
|
|
8 |
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') |
|
|
9 |
Cross-Site Request Forgery (CSRF) |
Coming in the future. |
|
10 |
Unrestricted Upload of File with Dangerous Type |
Coming in the future. |
|
11 |
NULL Pointer Dereference |
C++: V522, V595, V664, V713, V1004 |
|
12 |
Deserialization of Untrusted Data |
C#: V5611 |
|
13 |
Integer Overflow or Wraparound |
C++: V629, V658, V673, V683, V1026, V1028, V1081, V1083, V1085, V5004, V5005, V5006, V5007, V5010, V5011 |
|
14 |
Improper Authentication |
Coming in the future. |
|
15 |
Use of Hard-coded Credentials |
|
|
16 |
Missing Authorization |
Coming in the future. |
|
17 |
Improper Neutralization of Special Elements used in a Command ('Command Injection') |
C#: V5616 |
|
18 |
Missing Authentication for Critical Function |
Coming in the future. |
|
19 |
Improper Restriction of Operations within the Bounds of a Memory Buffer |
|
|
20 |
Incorrect Default Permissions |
Coming in the future. |
|
21 |
Server-Side Request Forgery (SSRF) |
C#: V5618 |
|
22 |
Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') |
Coming in the future. |
|
23 |
Uncontrolled Resource Consumption |
Coming in the future. |
|
24 |
Improper Restriction of XML External Entity Reference |
C#: V5614 |
|
25 |
Improper Control of Generation of Code ('Code Injection') |
C++: V1076 |