CWE
Introduction
CWE™ (Common Weakness Enumeration) aims to provide a common basis for identifying the types of software weakness (vulnerability). International in scope and free for public use, CWE™ provides a unified, measurable set of software weaknesses that enables more effective discussion, description, selection, and use of software security tools and services that can find these weaknesses in source code. CWE™ gives a hierarchically structured list of weakness types to help identify software vulnerabilities, which come in a wide variety, such as SQL injection, cross-site scripting and buffer overflow.
CWE Compatible Certification
Security Reviewer Suite is CWE Compatible Certified. We have achieved the final stage of MITRE's formal CWE Compatibility Program and are now "Officially CWE-Compatible." We are now eligible to use the CWE-Compatible Product/Service logo, and our completed and reviewed "CWE Compatibility Requirements Evaluation" questionnaires are posted here and on the Organizations Participating page as part of the product listings.
CWE for Software Resilience Analysis
Security Reviewer SRA analyzes applications to discover Security, Dead Code and Best Practices vulnerabilities, both in Static Analysis and in Software Resilience Analysis.
Automated Source Code Reliability Measure
The quality measure elements (weaknesses violating software quality rules) that compose the Automated Source Code Reliability Measure are presented in the following table. This measure contains 35 parent weaknesses and 39 contributing weaknesses (children in the CWE) that represent variants of these weaknesses. The CWE numbers for contributing weaknesses are presented in light blue cells immediately below the parent weakness, whose CWE number is in a dark blue cell.
For a complete list of covered CWE issues, see the CISQ Reliability Weakness document.
CWE for Security, Dead code and Best Practices Rules
Security Reviewer provides a large number of CWE 4.9 rules designed for detecting vulnerabilities in source code. Each rule defines up to 12 variants and up to 50 APIs to which it is applied, and each rule has its own CWE™ Identifier and Description, with a link to the related MITRE™ web site page, where you can run a search:
You can Export the rules list in Excel CSV format with CWE™ details:
CWE™ Ruleset
You can execute the Static Analysis with CWE™ ruleset:
CWE™ Results
After Static Analysis completes, even if you chose a different RuleSet, each detected vulnerability always has its own CWE™ ID with the related web link:
You can list all CWEs found during the Static Analysis and export them in Excel CSV format:
In the Static Analysis Reports, each rule's violation shows the related clickable CWE™ ID:
CWE™ Capabilities
Requirement | Capability | Fulfillment Method |
CWE | Security, Dead code, Best practices Rules, Analysis Results and Reports | By using the search function in Security Reviewer, the vulnerability countermeasure information database, users are able to conduct a search using CWE identifiers as the keyword. |
CWE | Analysis Results | CWE identifiers are displayed in the “Results” section within each vulnerability countermeasure information pages. |
CWE | Reports | CWE identifier is displayed in the “Violations” section of the detailed information window of each vulnerability countermeasure information. |
CWE | Security Reviewer Knowledge Center, User Guide | These documents provide the documentation necessary to describe and demonstrate CWE, CWE association and the methods used to satisfy the compatibility requirements. |
Mapping | Security, Dead code, Best practices Rules, Analysis Results and Reports | Security Reviewer supports many CWE 4.4 IDs related to Static Analysis. |
Supported CWE™ per Programming Language (TIOBE Index Top 10)
CWE ID | Description | Language | Rule | Severity |
111 | Avoid invoking a native method | .NET | NativeNET | 3 |
113 | Header Checking Disabled | .NET | Header_Checking_Disabled | 3 |
119 | Array Index Out Of Bounds | .NET | C67VB | 1 |
200 | Deprecated use of Functions returning a Variant | .NET | DEPRECATED_VB_Variant | 2 |
200 | Avoid using of System.Console 'Write()' or 'WriteLine()' statements | .NET | Securitymisc07 | 3 |
200 | Use of deprecated ActiveX/OCX components | .NET | DEPRECATED_VB | 3 |
200 | Deprecated type or function | .NET | deprecatedObjectVB | 3 |
200 | Deprecated Variable type | .NET | deprecatedVariableVB | 3 |
200 | Use of deprecated win32 API | .NET | DEPRECATED_API | 3 |
200 | Deprecated Win32 API returning ANY | .NET | DEPRECATED_API_ANY | 3 |
209 | Improper call of 'StackTrace' property of System.Exception | .NET | Securitymisc08 | 3 |
209 | ASP.NET Misconfiguration (Impersonation) | .NET | ACIdentity | 1 |
209 | ASP.NET Misconfiguration (ViewStateMac Disabled) | .NET | ACStateMac | 1 |
209 | ASP.NET Misconfiguration (Header Checking Disabled) | .NET | ACHeaderChecking | 1 |
212 | public instance fields accessed by untrusted class | .NET | Idor06 | 4 |
212 | public inner classes accessed from untrusted classes | .NET | Idor08 | 4 |
215 | WCF Misconfiguration (Debug Information) | .NET | WCF_Debug_Information | 3 |
248 | Improper invoking of an exception filtering method | .NET | Securitymisc09 | 3 |
254 | WCF Misconfiguration (Unsafe Revocation Mode) | .NET | WCF_Unsafe_Revocation_Mode | 2 |
254 | WCF Misconfiguration (Weak Token) | .NET | WCF_Weak_Token | 2 |
257 | Avoid recreating string from SecureString | .NET | Ftorurla01 | 2 |
257 | Avoid using of String for password | .NET | Ics04 | 2 |
285 | WCF Misconfiguration (Anonymous MSMQ) | .NET | WCF_Anonymous_MSMQ | 1 |
327 | Hardcoded connection strings | .NET | Itl02 | 3 |
327 | Static Random Number Generator | .NET | Ics07VB | 2 |
327 | Static Random Number Generator | .NET | Ics07 | 2 |
327 | Poor Seeding | .NET | PoorSeeding | 2 |
327 | Improper change of RSA/DSA KeySize property | .NET | Ics03 | 1 |
327 | Hardcoded connection strings VB | .NET | Itl02VB | 3 |
352 | Unsecure local 'Cookie' object (XML) | .NET | cookieXML_NET | 3 |
388 | Ensure all exceptions are logged in the error blocks | .NET | Securitymisc03 | 2 |
388 | Avoid using of 'throw' exceptions inside destructors | .NET | Securitymisc06 | 3 |
388 | WCF Misconfiguration (Insufficient Audit Failure Handling) | .NET | WCF_Insufficient_Audit | 3 |
388 | Poor error handling | .NET | OnErrorVB | 2 |
400 | Denial of Service (Sleep) | .NET | C14VB | 1 |
400 | Denial of Service Threat | .NET | Injection23VB | 1 |
404 | Close DB connections in 'finally' block | .NET | Injection15 | 2 |
404 | Unreleased Resource | .NET | Unreleased | 1 |
404 | Unreleased Resource | .NET | Injection14VB | 1 |
404 | Close DB objects in 'finally' block | .NET | Injection14 | 1 |
495 | Static fields that are not readonly | .NET | Idor07 | 4 |
495 | public instance fields accessed by untrusted classes | .NET | Idor02 | 3 |
497 | Information Leakage (DDE) | .NET | VBDDE | 3 |
497 | LSET and RSET functions are deprecated fields not string | .NET | VBLRSET | 3 |
511 | Logic-Time Bomb (.NET) | .NET | TIMEBOMB_NET | 2 |
532 | Improper using of System.Console.Write() or WriteLine() in Catch blocks | .NET | Securitymisc05 | 2 |
581 | Improper equality using hash codes | .NET | Ics01 | 1 |
639 | System Error printed out | .NET | CE6VB | 3 |
651 | WCF Misconfiguration (Service Enumeration) | .NET | WCF_Service_Enumeration | 3 |
665 | Readonly Array fields should be cloned | .NET | Idor01 | 3 |
665 | Improper 'virtual' declaration of a 'Clone()' method | .NET | Securitymisc11 |
COPYRIGHT (C) 2015-2025 SECURITY REVIEWER SRL. ALL RIGHTS RESERVED.