Classification of PVS-Studio warnings according to 2023 CWE Top 25 Most Dangerous Software Weaknesses
CWE Top 25 Most Dangerous Software Weaknesses is a list of the most dangerous and common software weaknesses. These software weaknesses are dangerous because attackers can easily find and exploit them. They can use them to disrupt application operations, steal data, or even completely take full control of a system. CWE Top 25 Most Dangerous Software Weaknesses is a valuable community resource. It assists developers, testers, users, project managers, security researchers, and educators. They may use this list to get an idea of the most common and dangerous security defects that exist today.
Below is a table showing how PVS-Studio diagnostic rules divided by programming languages comply with the CWE Top 25 Most Dangerous Software Weaknesses 2023 list.
PVS-Studio has diagnostic rules for detecting 16/25 (64%) of the listed vulnerability types.
|
# |
CWE ID |
Name |
PVS-Studio Diagnostics |
|---|---|---|---|
|
1 |
Out-of-bounds Write |
|
|
|
2 |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
|
|
|
3 |
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') |
|
|
|
4 |
Use After Free |
|
|
|
5 |
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') |
|
|
|
6 |
Improper Input Validation |
|
|
|
7 |
Out-of-bounds Read |
|
|
|
8 |
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') |
|
|
|
9 |
Cross-Site Request Forgery (CSRF) |
Coming in the future. |
|
|
10 |
Unrestricted Upload of File with Dangerous Type |
Coming in the future. |
|
|
11 |
Missing Authorization |
Coming in the future. |
|
|
12 |
NULL Pointer Dereference |
C++: V522, V595, V664, V713, V1004 |
|
|
13 |
Improper Authentication |
Coming in the future. |
|
|
14 |
Integer Overflow or Wraparound |
C++: V629, V658, V673, V683, V1026, V1028, V1081, V1083, V1085, V5004, V5005, V5006, V5007, V5010, V5011 |
|
|
15 |
Deserialization of Untrusted Data |
C#: V5611 |
|
|
16 |
Improper Neutralization of Special Elements used in a Command ('Command Injection') |
|
|
|
17 |
Improper Restriction of Operations within the Bounds of a Memory Buffer |
|
|
|
18 |
Use of Hard-coded Credentials |
|
|
|
19 |
Server-Side Request Forgery (SSRF) |
C#: V5618 |
|
|
20 |
Missing Authentication for Critical Function |
Coming in the future. |
|
|
21 |
Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') |
Coming in the future. |
|
|
22 |
Improper Privilege Management |
Coming in the future. |
|
|
23 |
Improper Control of Generation of Code ('Code Injection') |
Coming in the future. |
|
|
24 |
Incorrect Authorization |
Coming in the future. |
|
|
25 |
Incorrect Default Permissions |
Java: V5318 |
