Category: CISQ Quality Measures (2016) - Reliability
Draft
Summary
Weaknesses in this category are related to the CISQ Quality Measures for Reliability, as documented in 2016 with the Automated Source Code CISQ Reliability Measure (ASCRM) Specification 1.0. Presence of these weaknesses could reduce the reliability of the software.
Membership
| ID | Name | Description |
|---|---|---|
| CWE-1045 | Parent Class with a Virtual Destructor and a Child Class without a Virtual Destructor | This occurs when a base class defines a virtual destructor, but a derived class inherits from it without declaring its own virtual destructor. |
| CWE-1047 | Modules with Circular Dependencies | This weakness occurs when software modules have circular references, meaning Module A depends on Module B, which in turn depends back on Module A, creating a closed loop. |
| CWE-1051 | Initialization with Hard-Coded Network Resource Configuration Data | This vulnerability occurs when software uses fixed, hard-coded values—like IP addresses, domain names, or URLs—to identify network resources during its startup or configuration phase. |
| CWE-1056 | Invokable Control Element with Variadic Parameters | This weakness occurs when a callable function or method is defined to accept a variable number of arguments (variadic parameters). |
| CWE-1058 | Invokable Control Element in Multi-Thread Context with non-Final Static Storable or Member Element | This happens when a method or function, designed to run in a multi-threaded environment, accesses or modifies a non-final static variable or class member. Because the static element is not final, its state can be changed unexpectedly by concurrent threads, leading to race conditions and unpredictable behavior. |
| CWE-1062 | Parent Class with References to Child Class | This weakness occurs when a parent class directly references its child classes, their methods, or their member variables, creating a problematic and tightly coupled dependency. |
| CWE-1065 | Runtime Resource Management Control Element in a Component Built to Run on Application Servers | This weakness occurs when an application built to run on a managed application server bypasses the server's high-level APIs and instead uses low-level operating system calls to directly control resources like memory, files, or threads. |
| CWE-1066 | Missing Serialization Control Element | This weakness occurs when a class or data structure is marked as serializable but lacks the required control methods to properly handle the serialization and deserialization process. |
| CWE-1069 | Empty Exception Block | This weakness occurs when a try-catch or try-finally block is present but contains no code to handle the caught exception or perform cleanup. |
| CWE-1070 | Serializable Data Element Containing non-Serializable Item Elements | This weakness occurs when a class or data structure is marked as serializable, but it contains one or more member elements that cannot be serialized. This mismatch prevents the entire object from being properly saved or transmitted. |
| CWE-1077 | Floating Point Comparison with Incorrect Operator | This vulnerability occurs when code compares two floating-point numbers using direct equality operators (like == or !=) without accounting for inherent precision limitations. These operators fail to consider tiny rounding differences that are common in floating-point arithmetic, leading to incorrect or unexpected comparison results. |
| CWE-1079 | Parent Class without Virtual Destructor Method | This occurs when a base class, designed to be inherited from, does not declare its destructor as virtual. This oversight prevents proper cleanup when objects are deleted through a pointer to the parent class. |
| CWE-1082 | Class Instance Self Destruction Control Element | This vulnerability occurs when an object's code contains logic that triggers its own deletion or destruction during runtime. |
| CWE-1083 | Data Access from Outside Expected Data Manager Component | This weakness occurs when an application is designed to handle all data operations through a dedicated manager component (like a database layer), but code elsewhere bypasses it and accesses data directly. |
| CWE-1087 | Class with Virtual Method without a Virtual Destructor | This occurs when a class defines a virtual method but does not also provide a virtual destructor. |
| CWE-1088 | Synchronous Access of Remote Resource without Timeout | This vulnerability occurs when an application makes a synchronous call to a remote service or resource but does not set a timeout, or sets an infinite one. This leaves the application waiting indefinitely for a response. |
| CWE-1096 | Singleton Class Instance Creation without Proper Locking or Synchronization | This flaw occurs when a Singleton class is implemented without proper thread-safe controls, allowing multiple instances to be created in concurrent environments. |
| CWE-1097 | Persistent Storable Data Element without Associated Comparison Control Element | This weakness occurs when a persistent data object lacks the necessary methods to be properly compared, which can lead to inconsistent or incorrect behavior when the system checks for equality or manages collections. |
| CWE-1098 | Data Element containing Pointer Item without Proper Copy Control Element | This weakness occurs when a data structure contains a pointer, but the code lacks proper methods to copy or initialize that pointer safely. |
| CWE-120 | Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') | This vulnerability occurs when a program copies data from one memory location to another without first verifying that the source data will fit within the destination buffer's allocated space. |
| CWE-252 | Unchecked Return Value | This vulnerability occurs when a program fails to verify the result of a function or method call, allowing it to continue execution without detecting errors or unexpected conditions. |
| CWE-396 | Declaration of Catch for Generic Exception | This weakness occurs when code catches a generic exception type like 'Exception' or 'Throwable', which can hide specific errors and create insecure error handling logic. |
| CWE-397 | Declaration of Throws for Generic Exception | This vulnerability occurs when a method is declared to throw an overly broad exception type, such as a generic 'Exception' or 'Throwable'. This practice masks the specific error conditions that can occur, making it difficult for calling code to handle failures appropriately. |
| CWE-456 | Missing Initialization of a Variable | This vulnerability occurs when a program uses a variable before giving it a starting value, causing the software to rely on unpredictable data left over in memory. |
| CWE-674 | Uncontrolled Recursion | This vulnerability occurs when an application fails to limit how deeply a function can call itself. Without proper controls, this uncontrolled recursion can exhaust system resources like memory or stack space, leading to crashes or denial-of-service. |
| CWE-704 | Incorrect Type Conversion or Cast | This vulnerability occurs when software incorrectly changes data from one type to another, leading to unexpected behavior or security flaws. |
| CWE-772 | Missing Release of Resource after Effective Lifetime | This vulnerability occurs when a program fails to properly release a system resource—like memory, file handles, or network sockets—after it is no longer needed. This leads to a gradual accumulation of unused resources, known as a resource leak. |
| CWE-788 | Access of Memory Location After End of Buffer | This vulnerability occurs when software attempts to read from or write to a memory buffer using an index or pointer that points past the buffer's allocated boundary. |
| CWE-1128 | CISQ Quality Measures (2016) | This view outlines the most important software quality issues as identified by the Consortium for Information & Software Quality (CISQ) Automated Quality Characteristic Measures, released in 2016. These measures are derived from Object Management Group (OMG) standards. |
Vulnerability Mapping Notes
Usage: Prohibited
Reasons: Category
Rationale:
This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves.
Comment:
See member weaknesses of this category.