View: Quality Weaknesses with Indirect Security Impacts
Incomplete
Type: Implicit
Objective
CWE identifiers in this view (slice) are quality issues that only indirectly make it easier to introduce a vulnerability and/or make the vulnerability more difficult to detect or mitigate.
Audience
| Type | Description |
|---|---|
| Assessment Tool Vendors | This view makes it easier for assessment vendors to identify and improve coverage for quality-related weaknesses. |
| Software Developers | This view makes it easier for developers to identify and learn about issues that might make their code more difficult to maintain, perform efficiently or reliably, or secure. |
| Product Vendors | This view makes it easier for software vendors to identify important issues that may make their software more difficult to maintain, perform efficiently or reliably, or secure. |
Membership
| ID | Name | Description |
|---|---|---|
| CWE-1041 | Use of Redundant Code | This weakness occurs when a codebase contains identical or nearly identical logic duplicated across multiple functions, methods, or modules. This redundancy creates unnecessary complexity and maintenance overhead. |
| CWE-1042 | Static Member Data Element outside of a Singleton Class Element | This weakness occurs when a class that isn't designed as a singleton (a class meant to have only one instance) contains a non-final static member variable. This creates a shared, mutable state across all instances of that class, which can lead to unexpected behavior and data corruption. |
| CWE-1043 | Data Element Aggregating an Excessively Large Number of Non-Primitive Elements | This weakness occurs when a data structure, like a class or object, contains too many complex sub-elements (e.g., other objects or structs) instead of simple primitive types. |
| CWE-1044 | Architecture with Number of Horizontal Layers Outside of Expected Range | This occurs when a software system is built with either too many or too few distinct architectural layers, falling outside a recommended range that supports maintainability and security. |
| CWE-1045 | Parent Class with a Virtual Destructor and a Child Class without a Virtual Destructor | This occurs when a base class defines a virtual destructor, but a derived class inherits from it without declaring its own virtual destructor. |
| CWE-1046 | Creation of Immutable Text Using String Concatenation | This weakness occurs when code builds a string within a loop using simple concatenation (like +=), which unintentionally creates new string objects every time instead of efficiently appending to a buffer. |
| CWE-1047 | Modules with Circular Dependencies | This weakness occurs when software modules have circular references, meaning Module A depends on Module B, which in turn depends back on Module A, creating a closed loop. |
| CWE-1048 | Invokable Control Element with Large Number of Outward Calls | This weakness occurs when a single function, method, or callable code block makes an excessively high number of calls to other objects or components outside its immediate scope. This creates a complex, tightly-coupled web of dependencies that is difficult to manage. |
| CWE-1049 | Excessive Data Query Operations in a Large Data Table | This weakness occurs when an application runs a database query that uses numerous joins and sub-queries on a very large table, leading to severe performance degradation. |
| CWE-1050 | Excessive Platform Resource Consumption within a Loop | This vulnerability occurs when a loop contains code that repeatedly consumes critical system resources like file handles, database connections, memory, or session locks. Each iteration of the loop drains these finite platform assets without proper release. |
| CWE-1051 | Initialization with Hard-Coded Network Resource Configuration Data | This vulnerability occurs when software uses fixed, hard-coded values—like IP addresses, domain names, or URLs—to identify network resources during its startup or configuration phase. |
| CWE-1052 | Excessive Use of Hard-Coded Literals in Initialization | This weakness occurs when software initializes variables or data structures using hard-coded values (like strings, file paths, or network addresses) instead of configurable constants or parameters. While simple numbers or true constants are acceptable, embedding non-trivial literals directly in code creates maintenance and security risks. |
| CWE-1053 | Missing Documentation for Design | This weakness occurs when software lacks clear design documentation, making it difficult to understand how the system is structured and intended to work. |
| CWE-1054 | Invocation of a Control Element at an Unnecessarily Deep Horizontal Layer | This weakness occurs when code in one architectural layer directly calls functions or methods in a much deeper layer, skipping over the intermediate layers that should normally handle the request. It bypasses the intended layered structure, similar to a manager going directly to an intern instead of working through the team lead. |
| CWE-1055 | Multiple Inheritance from Concrete Classes | This weakness occurs when a single class inherits functionality and state from more than one concrete (fully implemented) parent class. |
| CWE-1056 | Invokable Control Element with Variadic Parameters | This weakness occurs when a callable function or method is defined to accept a variable number of arguments (variadic parameters). |
| CWE-1057 | Data Access Operations Outside of Expected Data Manager Component | This weakness occurs when an application bypasses its dedicated, central data manager component and performs data access operations through other code paths. |
| CWE-1058 | Invokable Control Element in Multi-Thread Context with non-Final Static Storable or Member Element | This happens when a method or function, designed to run in a multi-threaded environment, accesses or modifies a non-final static variable or class member. Because the static element is not final, its state can be changed unexpectedly by concurrent threads, leading to race conditions and unpredictable behavior. |
| CWE-1059 | Insufficient Technical Documentation | This weakness occurs when a software or hardware product lacks comprehensive technical documentation. Missing or incomplete details about the system's architecture, interfaces, design, configuration, or operation make it difficult to understand, maintain, and secure the product effectively. |
| CWE-1060 | Excessive Number of Inefficient Server-Side Data Accesses | This weakness occurs when an application makes an excessive number of individual data queries to a server or database, instead of using more efficient methods like stored procedures or batch operations. |
| CWE-1061 | Insufficient Encapsulation | This weakness occurs when a software component exposes too much of its internal workings, such as data structures or implementation logic. This lack of proper boundaries allows other parts of the system to interact with it in unintended ways, potentially leading to corrupted data, unexpected behavior, or hidden dependencies. |
| CWE-1062 | Parent Class with References to Child Class | This weakness occurs when a parent class directly references its child classes, their methods, or their member variables, creating a problematic and tightly coupled dependency. |
| CWE-1063 | Creation of Class Instance within a Static Code Block | This weakness occurs when a class instance is created inside a static initializer block, causing premature and potentially expensive object creation. |
| CWE-1064 | Invokable Control Element with Signature Containing an Excessive Number of Parameters | This weakness occurs when a function, method, or subroutine is defined with an unnecessarily high number of parameters in its signature. |
| CWE-1065 | Runtime Resource Management Control Element in a Component Built to Run on Application Servers | This weakness occurs when an application built to run on a managed application server bypasses the server's high-level APIs and instead uses low-level operating system calls to directly control resources like memory, files, or threads. |
| CWE-1066 | Missing Serialization Control Element | This weakness occurs when a class or data structure is marked as serializable but lacks the required control methods to properly handle the serialization and deserialization process. |
| CWE-1067 | Excessive Execution of Sequential Searches of Data Resource | This weakness occurs when a database query is structured in a way that forces the system to scan entire tables row-by-row, instead of using an available index for efficient lookups. |
| CWE-1068 | Inconsistency Between Implementation and Documented Design | This weakness occurs when the actual code implementation deviates from the intended design described in its official documentation, creating a mismatch between how the system is supposed to work and how it actually does. |
| CWE-1069 | Empty Exception Block | This weakness occurs when a try-catch or try-finally block is present but contains no code to handle the caught exception or perform cleanup. |
| CWE-1070 | Serializable Data Element Containing non-Serializable Item Elements | This weakness occurs when a class or data structure is marked as serializable, but it contains one or more member elements that cannot be serialized. This mismatch prevents the entire object from being properly saved or transmitted. |
| CWE-1071 | Empty Code Block | An empty code block occurs when a section of source code, such as a conditional statement or function body, contains no executable statements. |
| CWE-1072 | Data Resource Access without Use of Connection Pooling | This weakness occurs when an application creates a new database connection for every request instead of using a managed connection pool. This inefficient pattern forces the system to repeatedly endure the full overhead of establishing and tearing down connections. |
| CWE-1073 | Non-SQL Invokable Control Element with Excessive Number of Data Resource Accesses | This weakness occurs when a client-side function or method makes an excessive number of individual data requests through a non-SQL data manager, instead of using more efficient bulk operations or database-native capabilities. |
| CWE-1074 | Class with Excessively Deep Inheritance | This weakness occurs when a class inherits from an excessive number of parent classes, creating a deep and complex inheritance hierarchy. |
| CWE-1075 | Unconditional Control Flow Transfer outside of Switch Block | This weakness occurs when code uses an unconditional jump, like a 'goto' statement, outside of a structured control flow block like a switch statement. This bypasses the intended logic and makes the program's execution path unpredictable and difficult to follow. |
| CWE-1076 | Insufficient Adherence to Expected Conventions | This weakness occurs when software code, design, documentation, or other components fail to follow established industry or project-specific standards and conventions. |
| CWE-1077 | Floating Point Comparison with Incorrect Operator | This vulnerability occurs when code compares two floating-point numbers using direct equality operators (like == or !=) without accounting for inherent precision limitations. These operators fail to consider tiny rounding differences that are common in floating-point arithmetic, leading to incorrect or unexpected comparison results. |
| CWE-1078 | Inappropriate Source Code Style or Formatting | This weakness occurs when source code violates established style guidelines for formatting, indentation, whitespace, or commenting, making it difficult to read and maintain. |
| CWE-1079 | Parent Class without Virtual Destructor Method | This occurs when a base class, designed to be inherited from, does not declare its destructor as virtual. This oversight prevents proper cleanup when objects are deleted through a pointer to the parent class. |
| CWE-1080 | Source Code File with Excessive Number of Lines of Code | This weakness occurs when a single source code file grows excessively large, containing too many lines of code. |
| CWE-1082 | Class Instance Self Destruction Control Element | This vulnerability occurs when an object's code contains logic that triggers its own deletion or destruction during runtime. |
| CWE-1083 | Data Access from Outside Expected Data Manager Component | This weakness occurs when an application is designed to handle all data operations through a dedicated manager component (like a database layer), but code elsewhere bypasses it and accesses data directly. |
| CWE-1084 | Invokable Control Element with Excessive File or Data Access Operations | This weakness occurs when a single function or method performs an excessive number of file or database operations, such as repeated reads, writes, or queries. It over-relies on a single data manager or file resource, creating a tightly coupled and fragile code structure. |
| CWE-1085 | Invokable Control Element with Excessive Volume of Commented-out Code | This weakness occurs when a callable function, method, or procedure contains a large amount of inactive, commented-out code within its implementation body. |
| CWE-1086 | Class with Excessive Number of Child Classes | This weakness occurs when a parent class has an excessive number of child classes that inherit from it, creating a deep and overly complex inheritance tree. |
| CWE-1087 | Class with Virtual Method without a Virtual Destructor | This occurs when a class defines a virtual method but does not also provide a virtual destructor. |
| CWE-1088 | Synchronous Access of Remote Resource without Timeout | This vulnerability occurs when an application makes a synchronous call to a remote service or resource but does not set a timeout, or sets an infinite one. This leaves the application waiting indefinitely for a response. |
| CWE-1089 | Large Data Table with Excessive Number of Indices | This weakness occurs when an application uses a database table with a very large number of rows and creates too many indexes on it, degrading overall system performance. |
| CWE-1090 | Method Containing Access of a Member Element from Another Class | This weakness occurs when a method in one class directly accesses a private or internal member (like a field or property) of a different class, bypassing proper interfaces. |
| CWE-1091 | Use of Object without Invoking Destructor Method | This weakness occurs when a program accesses an object but fails to properly call its destructor or finalizer method. This leaves the cleanup of the object's resources to the system's automatic garbage collection, which may not happen immediately or predictably. |
| CWE-1092 | Use of Same Invokable Control Element in Multiple Architectural Layers | This weakness occurs when the same piece of code or control logic is duplicated across different architectural layers of an application, such as the presentation, business, and data layers. |
| CWE-1093 | Excessively Complex Data Representation | This weakness occurs when software uses an overly complicated internal model to represent its data or the relationships between data elements. |
| CWE-1094 | Excessive Index Range Scan for a Data Resource | This weakness occurs when a database query performs an index range scan that can access an unnecessarily large number of rows from a substantial data table, leading to severe performance degradation. |
| CWE-1095 | Loop Condition Value Update within the Loop | This vulnerability occurs when a loop's exit condition depends on a variable that is also modified inside the loop body. This creates a complex and often unpredictable control flow that is difficult to analyze. |
| CWE-1096 | Singleton Class Instance Creation without Proper Locking or Synchronization | This flaw occurs when a Singleton class is implemented without proper thread-safe controls, allowing multiple instances to be created in concurrent environments. |
| CWE-1097 | Persistent Storable Data Element without Associated Comparison Control Element | This weakness occurs when a persistent data object lacks the necessary methods to be properly compared, which can lead to inconsistent or incorrect behavior when the system checks for equality or manages collections. |
| CWE-1098 | Data Element containing Pointer Item without Proper Copy Control Element | This weakness occurs when a data structure contains a pointer, but the code lacks proper methods to copy or initialize that pointer safely. |
| CWE-1099 | Inconsistent Naming Conventions for Identifiers | This weakness occurs when a codebase uses mixed naming styles for elements like variables, functions, data types, or files, creating an inconsistent and confusing structure. |
| CWE-1100 | Insufficient Isolation of System-Dependent Functions | This weakness occurs when an application fails to separate its core logic from functions that depend on a specific operating system, hardware, or external platform. Instead of being contained in dedicated modules, these system-dependent calls are scattered throughout the codebase. |
| CWE-1101 | Reliance on Runtime Component in Generated Code | This vulnerability occurs when software depends on automatically generated code that requires a specific, often external, runtime component to function. Without this component, the code cannot execute, creating a fragile and non-portable foundation. |
| CWE-1102 | Reliance on Machine-Dependent Data Representation | This weakness occurs when software directly depends on how a specific machine, processor, or operating system represents data in memory. Code that makes assumptions about byte order, data type sizes, or memory alignment becomes fragile and non-portable. |
| CWE-1103 | Use of Platform-Dependent Third Party Components | This weakness occurs when software depends on third-party libraries or components that behave differently or lack support across various target platforms or operating systems. |
| CWE-1104 | Use of Unmaintained Third Party Components | This weakness occurs when software depends on third-party libraries, frameworks, or modules that are no longer actively updated or supported by their creators or a trusted maintainer. |
| CWE-1105 | Insufficient Encapsulation of Machine-Dependent Functionality | This weakness occurs when an application relies on hardware-specific or platform-dependent features but fails to isolate that code from the rest of the system. This poor separation creates tight coupling between the core logic and low-level machine details. |
| CWE-1106 | Insufficient Use of Symbolic Constants | This weakness occurs when developers embed raw numbers or text strings directly in code instead of using named symbolic constants, making future updates and maintenance more difficult. |
| CWE-1107 | Insufficient Isolation of Symbolic Constant Definitions | This weakness occurs when a codebase uses symbolic constants (like named values for numbers or strings) but scatters their definitions across many files instead of centralizing them in one isolated location, such as a dedicated configuration file or module. |
| CWE-1108 | Excessive Reliance on Global Variables | This weakness occurs when a codebase depends too heavily on global variables to store and manage state, rather than keeping data within appropriate local scopes like functions or classes. |
| CWE-1109 | Use of Same Variable for Multiple Purposes | This weakness occurs when a single variable is reused to handle multiple, unrelated tasks or to store different pieces of data throughout the code. This practice muddies the variable's purpose and makes the logic harder to follow. |
| CWE-1110 | Incomplete Design Documentation | This vulnerability occurs when a system's design documentation is missing critical details about how the software actually works. Key omissions include unclear control flow, undefined data movement, missing system startup procedures, vague component relationships, or unexplained design decisions. |
| CWE-1111 | Incomplete I/O Documentation | This weakness occurs when a product's documentation fails to clearly and completely define its inputs, outputs, or how it interacts with other systems or software components. |
| CWE-1112 | Incomplete Documentation of Program Execution | This weakness occurs when a system's documentation fails to completely list all the ways its behavior can be controlled or changed during execution. |
| CWE-1113 | Inappropriate Comment Style | This weakness occurs when source code comments are written in a style or format that doesn't match the project's established standards or common conventions for the language. |
| CWE-1114 | Inappropriate Whitespace Style | This weakness occurs when source code uses inconsistent or non-standard whitespace formatting, such as irregular indentation, spacing, or line breaks. |
| CWE-1115 | Source Code Element without Standard Prologue | This weakness occurs when source code files or modules lack a consistent, standardized header or prologue that the development team has agreed upon. |
| CWE-1116 | Inaccurate Comments | This weakness occurs when code comments do not correctly describe or explain the actual behavior of the associated code. Misleading comments create a disconnect between what the documentation says and what the program actually does. |
| CWE-1117 | Callable with Insufficient Behavioral Summary | This weakness occurs when a function, method, or API lacks clear documentation about its behavior. The signature or comments fail to properly explain what inputs it expects, what outputs it returns, what side effects it causes, or what assumptions it makes. |
| CWE-1118 | Insufficient Documentation of Error Handling Techniques | This weakness occurs when software documentation fails to clearly explain how the system manages errors, exceptions, or unexpected conditions. Developers are left guessing about the proper handling mechanisms. |
| CWE-1119 | Excessive Use of Unconditional Branching | This weakness occurs when code relies heavily on unconditional jumps like 'goto' statements, making the program flow difficult to follow. |
| CWE-1120 | Excessive Code Complexity | This weakness occurs when software contains sections of code that are unnecessarily intricate, as measured by established complexity metrics like cyclomatic complexity or cognitive load scores. |
| CWE-1121 | Excessive McCabe Cyclomatic Complexity | This weakness occurs when a function or method has an overly complex control flow, measured by a high McCabe Cyclomatic Complexity score. This makes the code difficult to read, test, and maintain. |
| CWE-1122 | Excessive Halstead Complexity | This weakness occurs when code has an excessively high Halstead complexity score, indicating it is overly intricate and difficult to analyze. |
| CWE-1123 | Excessive Use of Self-Modifying Code | The software relies heavily on code that rewrites itself during execution, making it difficult to analyze and maintain. |
| CWE-1124 | Excessively Deep Nesting | This weakness occurs when a function, method, or code block contains too many levels of nested loops, conditionals, or other control structures, making the logic path difficult to follow. |
| CWE-1125 | Excessive Attack Surface | This weakness occurs when a software product has an unnecessarily large number of entry and exit points that an attacker can target, exceeding a reasonable and secure threshold. |
| CWE-1126 | Declaration of Variable with Unnecessarily Wide Scope | This weakness occurs when a variable is declared with a broader scope than it actually needs, such as declaring a variable at a global or function level when it's only used inside a loop or conditional block. |
| CWE-1127 | Compilation with Insufficient Warnings or Errors | This weakness occurs when source code is compiled without enabling a comprehensive set of warning flags from the compiler. This practice allows subtle bugs, insecure coding patterns, and quality issues to go undetected during the build process. |
| CWE-1164 | Irrelevant Code | Irrelevant code refers to sections of a program that have no impact on its execution, data, or logic. Removing this code would not change the software's behavior or correctness, as it performs no meaningful operations. |
| CWE-1173 | Improper Use of Validation Framework | This vulnerability occurs when a software application either fails to use or incorrectly implements a built-in or library-provided input validation framework. |
| CWE-1174 | ASP.NET Misconfiguration: Improper Model Validation | This vulnerability occurs when an ASP.NET application either completely bypasses the built-in model validation system or implements it incorrectly, allowing untrusted data to flow into the application without proper checks. |
| CWE-1176 | Inefficient CPU Computation | This weakness occurs when software uses inefficient algorithms or suboptimal CPU operations, performing unnecessary or overly complex calculations that waste processing power and slow down performance. |
| CWE-1177 | Use of Prohibited Code | This vulnerability occurs when software incorporates a function, library, or third-party component that has been explicitly banned by the development team or the customer. |
| CWE-1357 | Reliance on Insufficiently Trustworthy Component | This weakness occurs when a system integrates a component that cannot be fully trusted to meet security, reliability, and maintenance standards, creating risk for the entire product. |
| CWE-474 | Use of Function with Inconsistent Implementations | This vulnerability occurs when code relies on a function whose behavior changes across different operating systems or versions, leading to unpredictable security risks when the software runs in an unexpected environment. |
| CWE-475 | Undefined Behavior for Input to API | This API function exhibits unpredictable or undefined behavior when its control parameter is not set to the exact, required value. |
| CWE-477 | Use of Obsolete Function | This vulnerability occurs when code relies on deprecated or obsolete functions, indicating outdated practices and insufficient maintenance that can introduce security gaps. |
| CWE-483 | Incorrect Block Delimitation | This vulnerability occurs when a developer fails to use explicit braces or delimiters to group multiple statements within a block, leading to unexpected program logic. |
| CWE-484 | Omitted Break Statement in Switch | This vulnerability occurs when a developer forgets to include a 'break' statement inside a switch-case block. Without it, the code execution 'falls through' and unintentionally runs the logic for subsequent cases, leading to unexpected behavior. |
| CWE-489 | Active Debug Code | This vulnerability occurs when software is deployed to production with debugging or diagnostic features still enabled and accessible. |
| CWE-546 | Suspicious Comment | This weakness occurs when code contains comments that flag potential issues, such as bugs, security gaps, or unfinished work, which can expose underlying problems or oversights. |
| CWE-547 | Use of Hard-coded, Security-relevant Constants | This vulnerability occurs when code directly embeds security-critical values like passwords, cryptographic keys, or access levels as raw numbers or strings, instead of using named constants or configuration files. This practice makes the code brittle and error-prone during updates or security reviews. |
| CWE-554 | ASP.NET Misconfiguration: Not Using Input Validation Framework | This vulnerability occurs when an ASP.NET application fails to implement a structured input validation framework, relying instead on ad-hoc or missing validation checks. |
| CWE-561 | Dead Code | Dead code refers to sections of a program that can never run during normal execution, effectively making them inactive and unreachable. |
| CWE-562 | Return of Stack Variable Address | This vulnerability occurs when a function returns a pointer to its own local variable. Since that variable's memory is on the stack, the pointer becomes invalid as soon as the function finishes, leading to crashes or unpredictable behavior. |
| CWE-563 | Assignment to Variable without Use | This vulnerability occurs when a value is stored in a variable, but that variable is never read or used in subsequent code, creating a 'dead store.' |
| CWE-585 | Empty Synchronized Block | An empty synchronized block is a Java code construct where a synchronized block exists but contains no executable statements inside it. |
| CWE-587 | Assignment of a Fixed Address to a Pointer | This vulnerability occurs when code explicitly assigns a hardcoded memory address to a pointer, instead of using a dynamic or null value. |
| CWE-589 | Call to Non-ubiquitous API | This vulnerability occurs when software relies on an operating system function that isn't available on all versions of the target platform. This can cause crashes, unexpected behavior, or security failures when the software runs in an environment where the API is missing. |
| CWE-594 | J2EE Framework: Saving Unserializable Objects to Disk | This vulnerability occurs when a J2EE application framework attempts to save objects to disk that cannot be properly serialized, risking application failure. |
| CWE-676 | Use of Potentially Dangerous Function | This vulnerability occurs when code calls a function that can be dangerous if misused, but can also be used safely with proper precautions. The risk lies not in the function itself, but in how it's implemented. |
| CWE-684 | Incorrect Provision of Specified Functionality | This weakness occurs when software behaves differently than its documented specifications, which can mislead users and create security risks. |
| CWE-758 | Reliance on Undefined, Unspecified, or Implementation-Defined Behavior | This weakness occurs when software depends on specific behaviors of an API, data structure, or system component that are not formally guaranteed by its specification. The code assumes these behaviors will always work a certain way, but they might change or fail under different conditions. |
| CWE-766 | Critical Data Element Declared Public | This vulnerability occurs when a critical piece of data—like a variable, field, or class member—is mistakenly declared as public when it should be kept private according to the application's security design. |
Mapping Notes
Usage: Prohibited
Reasons: View
Rationale:
This entry is a View. Views are not weaknesses and therefore inappropriate to describe the root causes of vulnerabilities.
Comment:
Use this View or other Views to search and navigate for the appropriate weakness.