txt2stix 0.0.4__py3-none-any.whl

txt2stix/includes/lookups/mitre_cwe_name_v4_15.txt

@@ -0,0 +1,939 @@
+Sensitive Cookie Without 'HttpOnly' Flag
+Insufficient Visual Distinction of Homoglyphs Presented to User
+Struts: Duplicate Validation Forms
+Improper Restriction of Rendered UI Layers or Frames
+Use of Web Link to Untrusted Target with window.opener Access
+Incomplete Comparison with Missing Factors
+Comparison of Incompatible Types
+Comparison Using Wrong Factors
+Struts: Incomplete validate() Method Definition
+Processor Optimization Removal or Modification of Security-critical Code
+Insecure Automated Optimizations
+Automated Recognition Mechanism with Inadequate Detection or Handling of Adversarial Input Perturbations
+Struts: Form Bean Does Not Extend Validation Class
+Use of Redundant Code
+Static Member Data Element outside of a Singleton Class Element
+Data Element Aggregating an Excessively Large Number of Non-Primitive Elements
+Architecture with Number of Horizontal Layers Outside of Expected Range
+Parent Class with a Virtual Destructor and a Child Class without a Virtual Destructor
+Creation of Immutable Text Using String Concatenation
+Modules with Circular Dependencies
+Invokable Control Element with Large Number of Outward Calls
+Excessive Data Query Operations in a Large Data Table
+Struts: Form Field Without Validator
+Excessive Platform Resource Consumption within a Loop
+Initialization with Hard-Coded Network Resource Configuration Data
+Excessive Use of Hard-Coded Literals in Initialization
+Missing Documentation for Design
+Invocation of a Control Element at an Unnecessarily Deep Horizontal Layer
+Multiple Inheritance from Concrete Classes
+Invokable Control Element with Variadic Parameters
+Data Access Operations Outside of Expected Data Manager Component
+Invokable Control Element in Multi-Thread Context with non-Final Static Storable or Member Element
+Insufficient Technical Documentation
+Struts: Plug-in Framework not in Use
+Excessive Number of Inefficient Server-Side Data Accesses
+Insufficient Encapsulation
+Parent Class with References to Child Class
+Creation of Class Instance within a Static Code Block
+Invokable Control Element with Signature Containing an Excessive Number of Parameters
+Runtime Resource Management Control Element in a Component Built to Run on Application Servers
+Missing Serialization Control Element
+Excessive Execution of Sequential Searches of Data Resource
+Inconsistency Between Implementation and Documented Design
+Empty Exception Block
+Struts: Unused Validation Form
+Serializable Data Element Containing non-Serializable Item Elements
+Empty Code Block
+Data Resource Access without Use of Connection Pooling
+Non-SQL Invokable Control Element with Excessive Number of Data Resource Accesses
+Class with Excessively Deep Inheritance
+Unconditional Control Flow Transfer outside of Switch Block
+Insufficient Adherence to Expected Conventions
+Floating Point Comparison with Incorrect Operator
+Inappropriate Source Code Style or Formatting
+Parent Class without Virtual Destructor Method
+Struts: Unvalidated Action Form
+Source Code File with Excessive Number of Lines of Code
+Class Instance Self Destruction Control Element
+Data Access from Outside Expected Data Manager Component
+Invokable Control Element with Excessive File or Data Access Operations
+Invokable Control Element with Excessive Volume of Commented-out Code
+Class with Excessive Number of Child Classes
+Class with Virtual Method without a Virtual Destructor
+Synchronous Access of Remote Resource without Timeout
+Large Data Table with Excessive Number of Indices
+Struts: Validator Turned Off
+Method Containing Access of a Member Element from Another Class
+Use of Object without Invoking Destructor Method
+Use of Same Invokable Control Element in Multiple Architectural Layers
+Excessively Complex Data Representation
+Excessive Index Range Scan for a Data Resource
+Loop Condition Value Update within the Loop
+Singleton Class Instance Creation without Proper Locking or Synchronization
+Persistent Storable Data Element without Associated Comparison Control Element
+Data Element containing Pointer Item without Proper Copy Control Element
+Inconsistent Naming Conventions for Identifiers
+ASP.NET Misconfiguration: Creating Debug Binary
+Struts: Validator Without Form Field
+Insufficient Isolation of System-Dependent Functions
+Reliance on Runtime Component in Generated Code
+Reliance on Machine-Dependent Data Representation
+Use of Platform-Dependent Third Party Components
+Use of Unmaintained Third Party Components
+Insufficient Encapsulation of Machine-Dependent Functionality
+Insufficient Use of Symbolic Constants
+Insufficient Isolation of Symbolic Constant Definitions
+Excessive Reliance on Global Variables
+Use of Same Variable for Multiple Purposes
+Direct Use of Unsafe JNI
+Incomplete Design Documentation
+Incomplete I/O Documentation
+Incomplete Documentation of Program Execution
+Inappropriate Comment Style
+Inappropriate Whitespace Style
+Source Code Element without Standard Prologue
+Inaccurate Comments
+Callable with Insufficient Behavioral Summary
+Insufficient Documentation of Error Handling Techniques
+Excessive Use of Unconditional Branching
+Missing XML Validation
+Excessive Code Complexity
+Excessive McCabe Cyclomatic Complexity
+Excessive Halstead Complexity
+Excessive Use of Self-Modifying Code
+Excessively Deep Nesting
+Excessive Attack Surface
+Declaration of Variable with Unnecessarily Wide Scope
+Compilation with Insufficient Warnings or Errors
+Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')
+Process Control
+Misinterpretation of Input
+Improper Encoding or Escaping of Output
+Irrelevant Code
+Improper Output Neutralization for Logs
+Improper Use of Validation Framework
+ASP.NET Misconfiguration: Improper Model Validation
+Inefficient CPU Computation
+Use of Prohibited Code
+Incorrect Access of Indexable Resource ('Range Error')
+Initialization of a Resource with an Insecure Default
+Improper Isolation of Shared Resources on System-on-a-Chip (SoC)
+Improper Restriction of Operations within the Bounds of a Memory Buffer
+DMA Device Enabled Too Early in Boot Phase
+On-Chip Debug and Test Interface With Improper Access Control
+Improper Identifier for IP Block used in System-On-Chip (SOC)
+Power-On of Untrusted Execution Core Before Enabling Fabric Access Control
+ASP.NET Misconfiguration: Missing Custom Error Page
+Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
+Generation of Weak Initialization Vector (IV)
+Failure to Disable Reserved Bits
+Stack-based Buffer Overflow
+Heap-based Buffer Overflow
+Insufficient Granularity of Access Control
+Incorrect Register Defaults or Module Parameters
+Insufficient Granularity of Address Regions Protected by Register Locks
+Race Condition for Write-Once Attributes
+Improper Restriction of Write-Once Bit Fields
+Creation of Emergent Resource
+Write-what-where Condition
+Exposure of Sensitive Information Through Metadata
+Improper Prevention of Lock Bit Modification
+Improper Lock Behavior After Power State Transition
+Security-Sensitive Hardware Controls with Missing Lock Bit Protection
+Hardware Internal or Debug Modes Allow Override of Locks
+Incorrect Use of Autoboxing and Unboxing for Performance Critical Operations
+Improper Neutralization of Formula Elements in a CSV File
+Improper Zeroization of Hardware Register
+Buffer Underwrite ('Buffer Underflow')
+Use of a Cryptographic Primitive with a Risky Implementation
+Use of Predictable Algorithm in Random Number Generator
+Inclusion of Undocumented Features or Chicken Bits
+Sensitive Non-Volatile Information Not Protected During Debug
+Internal Asset Exposed to Unsafe Debug Access Level or State
+Improper Finite State Machines (FSMs) in Hardware Logic
+Improper Write Handling in Limited-write Non-Volatile Memories
+Improper Protection Against Voltage and Clock Glitches
+Semiconductor Defects in Hardware Logic with Security-Sensitive Implications
+Application-Level Admin Tool with Inconsistent View of Underlying Operating System
+Out-of-bounds Read
+Improper Preservation of Consistency Between Independent Representations of Shared State
+Mirrored Regions with Different Values
+CPU Hardware Not Configured to Support Exclusivity of Write and Execute Operations
+Incorrect Selection of Fuse Values
+Incorrect Comparison Logic Granularity
+Comparison Logic is Vulnerable to Power Side-Channel Attacks
+Improper Restriction of Software Interfaces to Hardware Features
+Improper Access Control Applied to Mirrored or Aliased Memory Regions
+Exposure of Sensitive System Information Due to Uncleared Debug Information
+Improper Restriction of Security Token Assignment
+Buffer Over-read
+Improper Handling of Overlap Between Protected Memory Ranges
+Improper Handling of Single Event Upsets
+Improper Access Control for Register Interface
+Improper Physical Access Control
+Hardware Logic with Insecure De-Synchronization between Control and Data Channels
+Unintended Reentrant Invocation of Non-reentrant Code Via Nested Calls
+Improper Scrubbing of Sensitive Data from Decommissioned Device
+Policy Uses Obsolete Encoding
+Policy Privileges are not Assigned Consistently Between Control and Data Agents
+Product Released in Non-Release Configuration
+Buffer Under-read
+Generation of Incorrect Security Tokens
+Uninitialized Value on Reset for Registers Holding Security Settings
+Sensitive Information Uncleared Before Debug/Power State Transition
+Device Unlock Credential Sharing
+Improper Access Control for Volatile Memory Containing Boot Code
+Sensitive Cookie with Improper SameSite Attribute
+Hardware Child Block Incorrectly Connected to Parent System
+Firmware Not Updateable
+Missing Protection Against Hardware Reverse Engineering Using Integrated Circuit (IC) Imaging Techniques
+Cryptographic Operations are run Before Supporting Units are Ready
+Wrap-around Error
+Access Control Check Implemented After Asset is Accessed
+Sequence of Processor Instructions Leads to Unexpected Behavior
+Assumed-Immutable Data is Stored in Writable Memory
+Mutable Attestation or Measurement Reporting Data
+Improper Validation of Specified Quantity in Input
+Improper Validation of Specified Index, Position, or Offset in Input
+Improper Validation of Syntactic Correctness of Input
+Improper Validation of Specified Type of Input
+Improper Validation of Consistency within Input
+Improper Validation of Unsafe Equivalence in Input
+Improper Validation of Array Index
+Incorrect Decoding of Security Identifiers 
+Public Key Re-Use for Signing both Debug and Production Code
+Incorrect Conversion of Security Identifiers
+Missing Source Correlation of Multiple Independent Data
+Insecure Security Identifier Mechanism
+Debug Messages Revealing Unnecessary Information
+Incorrect Chaining or Granularity of Debug Components
+Unprotected Confidential Information on Device is Accessible by OSAT Vendors
+Hardware Logic Contains Race Conditions
+Missing Protection Mechanism for Alternate Hardware Interface
+ASP.NET Misconfiguration: Password in Configuration File
+Improper Handling of Length Parameter Inconsistency
+Improper Protection of Physical Side Channels
+Insufficient or Incomplete Data Removal within Hardware Component
+Missing Source Identifier in Entity Transactions on a System-On-Chip (SOC)
+Non-Transparent Sharing of Microarchitectural Resources
+Improperly Preserved Integrity of Hardware Configuration State During a Power Save/Restore Operation
+Incorrect Calculation of Buffer Size
+Missing Ability to Patch ROM Code
+Improper Translation of Security Attributes by Fabric Bridge
+Missing Protection for Mirrored Regions in On-Chip Fabric Firewall
+Hardware Allows Activation of Test or Debug Logic at Runtime
+Missing Write Protection for Parametric Data Values
+Improper Setting of Bus Controlling Capability in Fabric End-point
+Fabric-Address Map Allows Programming of Unwarranted Overlaps of Protected and Unprotected Ranges
+Improper Access Control in Fabric Bridge
+Missing Support for Security Features in On-chip Fabrics or Buses
+Improper Protection against Electromagnetic Fault Injection (EM-FI)
+Improper Protection for Outbound Error Messages and Alert Signals
+Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
+Use of Blocking Code in Single-threaded, Non-blocking Context
+Improper Management of Sensitive Trace Data
+Improperly Controlled Sequential Memory Allocation
+Missing Immutable Root of Trust in Hardware
+Binding to an Unrestricted IP Address
+Security Version Number Mutable to Older Versions
+Reliance on Component That is Not Updateable
+Remanent Data Readable after Memory Erase
+Improper Isolation of Shared Resources in Network On Chip (NoC)
+Improper Handling of Faults that Lead to Instruction Skips
+Inefficient Regular Expression Complexity
+Unauthorized Error Injection Can Degrade Hardware Redundancy
+Incorrect Bitwise Shift of Integer
+Improper Neutralization of Special Elements Used in a Template Engine
+Improper Protections Against Hardware Overheating
+Insufficient Precision or Accuracy of a Real Number
+Use of Externally-Controlled Format String
+Multiple Releases of Same Resource or Handle
+Information Exposure through Microarchitectural State after Transient Execution
+Incorrect Calculation of Multi-Byte String Length
+Improper Handling of Hardware Behavior in Exceptionally Cold Environments
+Reliance on Insufficiently Trustworthy Component
+Improper Neutralization of Special Elements
+Improper Handling of Physical or Environmental Conditions
+Missing Origin Validation in WebSockets
+Insecure Operation on Windows Junction / Mount Point
+Incorrect Parsing of Numbers with Different Radices
+Weak Authentication
+Use of Weak Credentials
+Use of Default Credentials
+Use of Default Password
+Use of Default Cryptographic Key
+Dependency on Vulnerable Third-Party Component
+Compiler Removal of Code to Clear Buffers
+Improper Neutralization of Delimiters
+Improper Neutralization of Parameter/Argument Delimiters
+Incorrect Initialization of Resource
+Improper Neutralization of Value Delimiters
+Exposure of Sensitive Information during Transient Execution
+Exposure of Sensitive Information in Shared Microarchitectural Structures during Transient Execution
+Exposure of Sensitive Information caused by Incorrect Data Forwarding during Transient Execution
+Exposure of Sensitive Information caused by Shared Microarchitectural Predictor State that Influences Transient Execution
+Improper Validation of Generative AI Output
+Improper Neutralization of Record Delimiters
+Improper Neutralization of Line Delimiters
+Improper Neutralization of Section Delimiters
+Improper Neutralization of Expression/Command Delimiters
+Improper Neutralization of Input Terminators
+Improper Neutralization of Input Leaders
+Improper Neutralization of Quoting Syntax
+External Control of System or Configuration Setting
+Improper Neutralization of Escape, Meta, or Control Sequences
+Improper Neutralization of Comment Delimiters
+Improper Neutralization of Macro Symbols
+Improper Neutralization of Substitution Characters
+Improper Neutralization of Variable Name Delimiters
+Improper Neutralization of Wildcards or Matching Symbols
+Improper Neutralization of Whitespace
+Failure to Sanitize Paired Delimiters
+Improper Neutralization of Null Byte or NUL Character
+Improper Handling of Invalid Use of Special Elements
+Improper Neutralization of Leading Special Elements
+Improper Neutralization of Multiple Leading Special Elements
+Improper Neutralization of Trailing Special Elements
+Improper Neutralization of Multiple Trailing Special Elements
+Improper Neutralization of Internal Special Elements
+Improper Neutralization of Multiple Internal Special Elements
+Improper Handling of Missing Special Element
+Improper Handling of Additional Special Element
+Improper Handling of Inconsistent Special Elements
+Improper Null Termination
+Encoding Error
+Improper Handling of Alternate Encoding
+Double Decoding of the Same Data
+Improper Handling of Mixed Encoding
+Improper Handling of Unicode Encoding
+Improper Handling of URL Encoding (Hex Encoding)
+Improper Handling of Case Sensitivity
+Incorrect Behavior Order: Early Validation
+Incorrect Behavior Order: Validate Before Canonicalize
+Incorrect Behavior Order: Validate Before Filter
+Collapse of Data into Unsafe Value
+Permissive List of Allowed Inputs
+Incomplete List of Disallowed Inputs
+Incorrect Regular Expression
+Overly Restrictive Regular Expression
+Partial String Comparison
+Reliance on Data/Memory Layout
+Integer Overflow or Wraparound
+Integer Underflow (Wrap or Wraparound)
+Integer Coercion Error
+Off-by-one Error
+Unexpected Sign Extension
+Signed to Unsigned Conversion Error
+Unsigned to Signed Conversion Error
+Numeric Truncation Error
+Use of Incorrect Byte Ordering
+Improper Input Validation
+Exposure of Sensitive Information to an Unauthorized Actor
+Insertion of Sensitive Information Into Sent Data
+Exposure of Sensitive Information Through Data Queries
+Observable Discrepancy
+Observable Response Discrepancy
+Observable Behavioral Discrepancy
+Observable Internal Behavioral Discrepancy
+Observable Behavioral Discrepancy With Equivalent Products
+Observable Timing Discrepancy
+Generation of Error Message Containing Sensitive Information
+Self-generated Error Message Containing Sensitive Information
+Externally-Generated Error Message Containing Sensitive Information
+Improper Removal of Sensitive Information Before Storage or Transfer
+Exposure of Sensitive Information Due to Incompatible Policies
+Invocation of Process Using Visible Sensitive Information
+Insertion of Sensitive Information Into Debugging Code
+Storage of File with Sensitive Data Under Web Root
+Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
+Storage of File With Sensitive Data Under FTP Root
+Information Loss or Omission
+Truncation of Security-relevant Information
+Omission of Security-relevant Information
+Obscured Security-relevant Information by Alternate Name
+Sensitive Information in Resource Not Removed Before Reuse
+Improper Handling of Syntactically Invalid Structure
+Improper Handling of Values
+Relative Path Traversal
+Improper Handling of Missing Values
+Improper Handling of Extra Values
+Improper Handling of Undefined Values
+Improper Handling of Parameters
+Failure to Handle Missing Parameter
+Improper Handling of Extra Parameters
+Improper Handling of Undefined Parameters
+Improper Handling of Structural Elements
+Improper Handling of Incomplete Structural Elements
+Failure to Handle Incomplete Element
+Path Traversal: '../filedir'
+Improper Handling of Inconsistent Structural Elements
+Improper Handling of Unexpected Data Type
+Use of Inherently Dangerous Function
+Creation of chroot Jail Without Changing Working Directory
+Improper Clearing of Heap Memory Before Release ('Heap Inspection')
+J2EE Bad Practices: Direct Management of Connections
+J2EE Bad Practices: Direct Use of Sockets
+Uncaught Exception
+Path Traversal: '/../filedir'
+Execution with Unnecessary Privileges
+Unchecked Return Value
+Incorrect Check of Function Return Value
+Plaintext Storage of a Password
+Storing Passwords in a Recoverable Format
+Empty Password in Configuration File
+Use of Hard-coded Password
+Path Traversal: '/dir/../filename'
+Password in Configuration File
+Weak Encoding for Password
+Not Using Password Aging
+Password Aging with Long Expiration
+Incorrect Privilege Assignment
+Privilege Defined With Unsafe Actions
+Privilege Chaining
+Improper Privilege Management
+Path Traversal: 'dir/../../filename'
+Privilege Context Switching Error
+Privilege Dropping / Lowering Errors
+Least Privilege Violation
+Improper Check for Dropped Privileges
+Improper Handling of Insufficient Privileges
+Incorrect Default Permissions
+Insecure Inherited Permissions
+Insecure Preserved Inherited Permissions
+Incorrect Execution-Assigned Permissions
+Path Traversal: '..\filedir'
+Improper Handling of Insufficient Permissions or Privileges 
+Improper Preservation of Permissions
+Improper Ownership Management
+Unverified Ownership
+Improper Access Control
+Improper Authorization
+Incorrect User Management
+Improper Authentication
+Authentication Bypass Using an Alternate Path or Channel
+Authentication Bypass by Alternate Name
+Path Traversal: '\..\filename'
+Authentication Bypass by Spoofing
+Reliance on IP Address for Authentication
+Using Referer Field for Authentication
+Authentication Bypass by Capture-replay
+Improper Certificate Validation
+Improper Following of a Certificate's Chain of Trust
+Improper Validation of Certificate with Host Mismatch
+Improper Validation of Certificate Expiration
+Improper Check for Certificate Revocation
+Path Traversal: '\dir\..\filename'
+Channel Accessible by Non-Endpoint
+Reflection Attack in an Authentication Protocol
+Authentication Bypass by Assumed-Immutable Data
+Incorrect Implementation of Authentication Algorithm
+Missing Critical Step in Authentication
+Authentication Bypass by Primary Weakness
+Missing Authentication for Critical Function
+Improper Restriction of Excessive Authentication Attempts
+Use of Single-factor Authentication
+Use of Password System for Primary Authentication
+Path Traversal: 'dir\..\..\filename'
+Missing Encryption of Sensitive Data
+Cleartext Storage of Sensitive Information
+Cleartext Storage in a File or on Disk
+Cleartext Storage in the Registry
+Cleartext Storage of Sensitive Information in a Cookie
+Cleartext Storage of Sensitive Information in Memory
+Cleartext Storage of Sensitive Information in GUI
+Cleartext Storage of Sensitive Information in Executable
+Cleartext Transmission of Sensitive Information
+Path Traversal: '...' (Triple Dot)
+Use of Hard-coded Cryptographic Key
+Key Exchange without Entity Authentication
+Reusing a Nonce, Key Pair in Encryption
+Use of a Key Past its Expiration Date
+Missing Cryptographic Step
+Inadequate Encryption Strength
+Use of a Broken or Risky Cryptographic Algorithm
+Use of Weak Hash
+Generation of Predictable IV with CBC Mode
+Path Traversal: '....' (Multiple Dot)
+Use of Insufficiently Random Values
+Insufficient Entropy
+Insufficient Entropy in PRNG
+Improper Handling of Insufficient Entropy in TRNG
+Small Space of Random Values
+Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG)
+Same Seed in Pseudo-Random Number Generator (PRNG)
+Predictable Seed in Pseudo-Random Number Generator (PRNG)
+Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
+Small Seed Space in PRNG
+Path Traversal: '....//'
+Generation of Predictable Numbers or Identifiers
+Predictable from Observable State
+Predictable Exact Value from Previous Values
+Predictable Value Range from Previous Values
+Use of Invariant Value in Dynamically Changing Context
+Insufficient Verification of Data Authenticity
+Origin Validation Error
+Improper Verification of Cryptographic Signature
+Use of Less Trusted Source
+Acceptance of Extraneous Untrusted Data With Trusted Data
+Path Traversal: '.../...//'
+Reliance on Reverse DNS Resolution for a Security-Critical Action
+Insufficient Type Distinction
+Cross-Site Request Forgery (CSRF)
+Missing Support for Integrity Check
+Improper Validation of Integrity Check Value
+Product UI does not Warn User of Unsafe Actions
+Insufficient UI Warning of Dangerous Operations
+Improperly Implemented Security Check for Standard
+Exposure of Private Personal Information to an Unauthorized Actor
+Absolute Path Traversal
+Trust of System Event Data
+Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
+Race Condition Enabling Link Following
+Signal Handler Race Condition
+Race Condition within a Thread
+Time-of-check Time-of-use (TOCTOU) Race Condition
+Context Switching Race Condition
+Divide By Zero
+Path Traversal: '/absolute/pathname/here'
+Missing Check for Certificate Revocation after Initial Check
+Incomplete Internal State Distinction
+Passing Mutable Objects to an Untrusted Method
+Returning a Mutable Object to an Untrusted Caller
+Insecure Temporary File
+Creation of Temporary File With Insecure Permissions
+Creation of Temporary File in Directory with Insecure Permissions
+Path Traversal: '\absolute\pathname\here'
+J2EE Bad Practices: Use of System.exit()
+J2EE Bad Practices: Direct Use of Threads
+Session Fixation
+Covert Timing Channel
+Symbolic Name not Mapping to Correct Object
+Path Traversal: 'C:dirname'
+Detection of Error Condition Without Action
+Unchecked Error Condition
+Missing Report of Error Condition
+Return of Wrong Status Code
+Unexpected Status Code or Return Value
+Use of NullPointerException Catch to Detect NULL Pointer Dereference
+Declaration of Catch for Generic Exception
+Declaration of Throws for Generic Exception
+Path Traversal: '\\UNC\share\name\' (Windows UNC Share)
+Uncontrolled Resource Consumption
+Missing Release of Memory after Effective Lifetime
+Transmission of Private Resources into a New Sphere ('Resource Leak')
+Exposure of File Descriptor to Unintended Control Sphere ('File Descriptor Leak')
+Improper Resource Shutdown or Release
+Asymmetric Resource Consumption (Amplification)
+Insufficient Control of Network Message Volume (Network Amplification)
+Inefficient Algorithmic Complexity
+Incorrect Behavior Order: Early Amplification
+Improper Handling of Highly Compressed Data (Data Amplification)
+Improper Resolution of Path Equivalence
+Insufficient Resource Pool
+Unrestricted Externally Accessible Lock
+Improper Resource Locking
+Missing Lock Check
+Double Free
+Use After Free
+Unprotected Primary Channel
+Path Equivalence: 'filename.' (Trailing Dot)
+Unprotected Alternate Channel
+Race Condition During Access to Alternate Channel
+Unprotected Windows Messaging Channel ('Shatter')
+Improper Protection of Alternate Path
+Direct Request ('Forced Browsing')
+Untrusted Search Path
+Uncontrolled Search Path Element
+Unquoted Search Path or Element
+Path Equivalence: 'filename....' (Multiple Trailing Dot)
+Deployment of Wrong Handler
+Missing Handler
+Dangerous Signal Handler not Disabled During Sensitive Operations
+Unparsed Raw Web Content Delivery
+Unrestricted Upload of File with Dangerous Type
+Improper Interaction Between Multiple Correctly-Behaving Entities
+Interpretation Conflict
+Incomplete Model of Endpoint Features
+Behavioral Change in New Version or Environment
+Path Equivalence: 'file.name' (Internal Dot)
+Expected Behavior Violation
+Unintended Proxy or Intermediary ('Confused Deputy')
+Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
+UI Discrepancy for Security Feature
+Unimplemented or Unsupported Feature in UI
+Obsolete Feature in UI
+The UI Performs the Wrong Action
+Path Equivalence: 'file...name' (Multiple Internal Dot)
+Multiple Interpretations of UI Input
+User Interface (UI) Misrepresentation of Critical Information
+Insecure Default Variable Initialization
+External Initialization of Trusted Variables or Data Stores
+Non-exit on Failed Initialization
+Missing Initialization of a Variable
+Use of Uninitialized Variable
+Incomplete Cleanup
+Path Equivalence: 'filename ' (Trailing Space)
+Improper Cleanup on Thrown Exception
+Duplicate Key in Associative List (Alist)
+Deletion of Data Structure Sentinel
+Addition of Data Structure Sentinel
+Return of Pointer Value Outside of Expected Range
+Use of sizeof() on a Pointer Type
+Incorrect Pointer Scaling
+Use of Pointer Subtraction to Determine Size
+Path Equivalence: ' filename' (Leading Space)
+Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')
+Modification of Assumed-Immutable Data (MAID)
+External Control of Assumed-Immutable Web Parameter
+PHP External Variable Modification
+Use of Function with Inconsistent Implementations
+Undefined Behavior for Input to API
+NULL Pointer Dereference
+Use of Obsolete Function
+Missing Default Case in Multiple Condition Expression
+Signal Handler Use of a Non-reentrant Function
+Path Equivalence: 'file name' (Internal Whitespace)
+Use of Incorrect Operator
+Assigning instead of Comparing
+Comparing instead of Assigning
+Incorrect Block Delimitation
+Omitted Break Statement in Switch
+Comparison of Classes by Name
+Reliance on Package-level Scope
+Exposure of Data Element to Wrong Session
+Active Debug Code
+Path Equivalence: 'filename/' (Trailing Slash)
+Public cloneable() Method Without Final ('Object Hijack')
+Use of Inner Class Containing Sensitive Data
+Critical Public Variable Without Final Modifier
+Download of Code Without Integrity Check
+Private Data Structure Returned From A Public Method
+Public Data Assigned to Private Array-Typed Field
+Exposure of Sensitive System Information to an Unauthorized Control Sphere
+Cloneable Class Containing Sensitive Information
+Serializable Class Containing Sensitive Data
+J2EE Misconfiguration: Data Transmission Without Encryption
+Path Equivalence: '//multiple/leading/slash'
+Public Static Field Not Marked Final
+Trust Boundary Violation
+Deserialization of Untrusted Data
+Embedded Malicious Code
+Trojan Horse
+Non-Replicating Malicious Code
+Replicating Malicious Code (Virus or Worm)
+Path Equivalence: '/multiple//internal/slash'
+Trapdoor
+Logic/Time Bomb
+Spyware
+Covert Channel
+Covert Storage Channel
+Path Equivalence: '/multiple/trailing/slash//'
+.NET Misconfiguration: Use of Impersonation
+Weak Password Requirements
+Insufficiently Protected Credentials
+Unprotected Transport of Credentials
+Use of Cache Containing Sensitive Information
+Use of Web Browser Cache Containing Sensitive Information
+Cleartext Storage of Sensitive Information in an Environment Variable
+Exposure of Version-Control Repository to an Unauthorized Control Sphere
+Exposure of Core Dump File to an Unauthorized Control Sphere
+Exposure of Access Control List Files to an Unauthorized Control Sphere
+Path Equivalence: '\multiple\\internal\backslash'
+Exposure of Backup File to an Unauthorized Control Sphere
+Inclusion of Sensitive Information in Test Code
+Insertion of Sensitive Information into Log File
+Exposure of Information Through Shell Error Message
+Servlet Runtime Error Message Containing Sensitive Information
+Java Runtime Error Message Containing Sensitive Information
+Insertion of Sensitive Information into Externally-Accessible File or Directory
+Use of Persistent Cookies Containing Sensitive Information
+Path Equivalence: 'filedir\' (Trailing Backslash)
+Inclusion of Sensitive Information in Source Code
+Inclusion of Sensitive Information in an Include File
+Use of Singleton Pattern Without Synchronization in a Multithreaded Context
+Missing Standardized Error Handling Mechanism
+Suspicious Comment
+Use of Hard-coded, Security-relevant Constants
+Exposure of Information Through Directory Listing
+Missing Password Field Masking
+Path Equivalence: '/./' (Single Dot Directory)
+Server-generated Error Message Containing Sensitive Information
+Incorrect Behavior Order: Authorization Before Parsing and Canonicalization
+Files or Directories Accessible to External Parties
+Command Shell in Externally Accessible Directory
+ASP.NET Misconfiguration: Not Using Input Validation Framework
+J2EE Misconfiguration: Plaintext Password in Configuration File
+ASP.NET Misconfiguration: Use of Identity Impersonation
+Use of getlogin() in Multithreaded Application
+Path Equivalence: 'filedir*' (Wildcard)
+Use of umask() with chmod-style Argument
+Dead Code
+Return of Stack Variable Address
+Assignment to Variable without Use
+SQL Injection: Hibernate
+Reliance on Cookies without Validation and Integrity Checking
+Authorization Bypass Through User-Controlled SQL Primary Key
+Unsynchronized Access to Shared Data in a Multithreaded Context
+finalize() Method Without super.finalize()
+Path Equivalence: 'fakedir/../realdir/filename'
+Expression is Always False
+Expression is Always True
+Call to Thread run() instead of start()
+Improper Following of Specification by Caller
+EJB Bad Practices: Use of Synchronization Primitives
+EJB Bad Practices: Use of AWT Swing
+EJB Bad Practices: Use of Java I/O
+EJB Bad Practices: Use of Sockets
+EJB Bad Practices: Use of Class Loader
+J2EE Bad Practices: Non-serializable Object Stored in Session
+Path Equivalence: Windows 8.3 Filename
+clone() Method Without super.clone()
+Object Model Violation: Just One of Equals and Hashcode Defined
+Array Declared Public, Final, and Static
+finalize() Method Declared Public
+Return Inside Finally Block
+Empty Synchronized Block
+Explicit Call to Finalize()
+Assignment of a Fixed Address to a Pointer
+Attempt to Access Child of a Non-structure Pointer
+Call to Non-ubiquitous API
+Improper Link Resolution Before File Access ('Link Following')
+Free of Memory not on the Heap
+Sensitive Data Storage in Improperly Locked Memory
+Authentication Bypass: OpenSSL CTX Object Modified after SSL Objects are Created
+J2EE Framework: Saving Unserializable Objects to Disk
+Comparison of Object References Instead of Object Contents
+Use of Wrong Operator in String Comparison
+Use of GET Request Method With Sensitive Query Strings
+Missing Validation of OpenSSL Certificate
+J2EE Misconfiguration: Insufficient Session-ID Length
+Uncaught Exception in Servlet 
+URL Redirection to Untrusted Site ('Open Redirect')
+Client-Side Enforcement of Server-Side Security
+Use of Client-Side Authentication
+Multiple Binds to the Same Port
+Unchecked Input for Loop Condition
+Public Static Final Field References Mutable Object
+Struts: Non-private Field in ActionForm Class
+Double-Checked Locking
+UNIX Symbolic Link (Symlink) Following
+Externally Controlled Reference to a Resource in Another Sphere
+Improper Restriction of XML External Entity Reference
+Improper Authorization of Index Containing Sensitive Information
+Insufficient Session Expiration
+Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
+Inclusion of Sensitive Information in Source Code Comments
+Incomplete Identification of Uploaded File Variables (PHP)
+Reachable Assertion
+Exposed Unsafe ActiveX Method
+Dangling Database Cursor ('Cursor Injection')
+UNIX Hard Link
+Unverified Password Change
+Variable Extraction Error
+Improper Validation of Function Hook Arguments
+Unsafe ActiveX Control Marked Safe For Scripting
+Executable Regular Expression Error
+Permissive Regular Expression
+Null Byte Interaction Error (Poison Null Byte)
+Dynamic Variable Evaluation
+Function Call with Incorrectly Specified Arguments
+Not Failing Securely ('Failing Open')
+Unnecessary Complexity in Protection Mechanism (Not Using 'Economy of Mechanism')
+Not Using Complete Mediation
+Authorization Bypass Through User-Controlled Key
+Windows Shortcut Following (.LNK)
+Weak Password Recovery Mechanism for Forgotten Password
+Improper Restriction of Names for Files and Other Resources
+External Control of Critical State Data
+Improper Neutralization of Data within XPath Expressions ('XPath Injection')
+Improper Neutralization of HTTP Headers for Scripting Syntax
+Overly Restrictive Account Lockout Mechanism
+Reliance on File Name or Extension of Externally-Supplied File
+Use of Non-Canonical URL Paths for Authorization Decisions
+Incorrect Use of Privileged APIs
+Reliance on Obfuscation or Encryption of Security-Relevant Inputs without Integrity Checking
+Windows Hard Link
+Trusting HTTP Permission Methods on the Server Side
+Exposure of WSDL File Containing Sensitive Information
+Improper Neutralization of Data within XQuery Expressions ('XQuery Injection')
+Improper Isolation or Compartmentalization
+Reliance on a Single Factor in a Security Decision
+Insufficient Psychological Acceptability
+Reliance on Security Through Obscurity
+Violation of Secure Design Principles
+Improper Handling of File Names that Identify Virtual Resources
+Improper Synchronization
+Use of a Non-reentrant Function in a Concurrent Context
+Improper Control of a Resource Through its Lifetime
+Improper Initialization
+Operation on Resource in Wrong Phase of Lifetime
+Improper Locking
+Exposure of Resource to Wrong Sphere
+Incorrect Resource Transfer Between Spheres
+Improper Handling of Windows Device Names
+Always-Incorrect Control Flow Implementation
+Lack of Administrator Control over Security
+Operation on a Resource after Expiration or Release
+External Influence of Sphere Definition
+Uncontrolled Recursion
+Multiple Operations on Resource in Single-Operation Context
+Use of Potentially Dangerous Function
+Integer Overflow to Buffer Overflow
+Incorrect Conversion between Numeric Types
+Incorrect Calculation
+Function Call With Incorrect Order of Arguments
+Incorrect Provision of Specified Functionality
+Function Call With Incorrect Number of Arguments
+Function Call With Incorrect Argument Type
+Function Call With Incorrectly Specified Argument Value
+Function Call With Incorrect Variable or Reference as Argument
+Permission Race Condition During Resource Copy
+Improper Handling of Windows ::DATA Alternate Data Stream
+Unchecked Return Value to NULL Pointer Dereference
+Insufficient Control Flow Management
+Incomplete Denylist to Cross-Site Scripting
+Protection Mechanism Failure
+Use of Multiple Resources with Duplicate Identifier
+Use of Low-Level Functionality
+Incorrect Behavior Order
+Incorrect Comparison
+Execution After Redirect (EAR)
+J2EE Misconfiguration: Missing Custom Error Page
+Improper Check or Handling of Exceptional Conditions
+Incorrect Type Conversion or Cast
+Incorrect Control Flow Scoping
+Use of Incorrectly-Resolved Name or Reference
+Improper Neutralization
+Incorrect Ownership Assignment
+Improper Adherence to Coding Standards
+Improper Handling of Apple HFS+ Alternate Data Stream Path
+External Control of File Name or Path
+Incorrect Permission Assignment for Critical Resource
+Compiler Optimization Removal or Modification of Security-critical Code
+Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
+Exposed Dangerous Method or Function
+Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)
+Improper Check for Unusual or Exceptional Conditions
+Improper Handling of Exceptional Conditions
+Missing Custom Error Page
+Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')
+Reliance on Undefined, Unspecified, or Implementation-Defined Behavior
+Use of a One-Way Hash without a Salt
+Improper Neutralization of Equivalent Special Elements
+Use of a One-Way Hash with a Predictable Salt
+Free of Pointer not at Start of Buffer
+Mismatched Memory Management Routines
+Release of Invalid Pointer or Reference
+Multiple Locks of a Critical Resource
+Multiple Unlocks of a Critical Resource
+Critical Data Element Declared Public
+Access to Critical Private Variable via Public Method
+Incorrect Short Circuit Evaluation
+Improper Neutralization of Special Elements used in a Command ('Command Injection')
+Allocation of Resources Without Limits or Throttling
+Missing Reference to Active Allocated Resource
+Missing Release of Resource after Effective Lifetime
+Missing Reference to Active File Descriptor or Handle
+Allocation of File Descriptors or Handles Without Limits or Throttling
+Missing Release of File Descriptor or Handle after Effective Lifetime
+Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')
+Regular Expression without Anchors
+Insufficient Logging
+Logging of Excessive Data
+Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
+Use of RSA Algorithm without OAEP
+Improper Address Validation in IOCTL with METHOD_NEITHER I/O Control Code
+Exposed IOCTL with Insufficient Access Control
+Operator Precedence Logic Error
+Reliance on Cookies without Validation and Integrity Checking in a Security Decision
+Use of Path Manipulation Function without Maximum-sized Buffer
+Access of Memory Location Before Start of Buffer
+Out-of-bounds Write
+Access of Memory Location After End of Buffer
+Memory Allocation with Excessive Size Value
+Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
+Improper Filtering of Special Elements
+Incomplete Filtering of Special Elements
+Incomplete Filtering of One or More Instances of Special Elements
+Only Filtering One Instance of a Special Element
+Incomplete Filtering of Multiple Instances of Special Elements
+Only Filtering Special Elements at a Specified Location
+Only Filtering Special Elements Relative to a Marker
+Only Filtering Special Elements at an Absolute Position
+Use of Hard-coded Credentials
+Improper Control of Interaction Frequency
+J2EE Misconfiguration: Entity Bean Declared Remote
+Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
+Guessable CAPTCHA
+Buffer Access with Incorrect Length Value
+Buffer Access Using Size of Source Buffer
+Reliance on Untrusted Inputs in a Security Decision
+Improper Neutralization of Script in an Error Message Web Page
+Improper Neutralization of Script in Attributes of IMG Tags in a Web Page
+Missing Synchronization
+Incorrect Synchronization
+Untrusted Pointer Dereference
+Use of Out-of-range Pointer Offset
+Access of Uninitialized Pointer
+Expired Pointer Dereference
+Premature Release of Resource During Expected Lifetime
+Improper Control of Document Type Definition
+Signal Handler with Functionality that is not Asynchronous-Safe
+Inclusion of Functionality from Untrusted Control Sphere
+Improper Neutralization of Script in Attributes in a Web Page
+Inclusion of Web Functionality from an Untrusted Source
+Signal Handler Function Associated with Multiple Signals
+Unlock of a Resource that is not Locked
+Deadlock
+Excessive Iteration
+Loop with Unreachable Exit Condition ('Infinite Loop')
+Use of Password Hash Instead of Password for Authentication
+Improper Enforcement of a Single, Unique Action
+Inappropriate Encoding for Output Context
+Numeric Range Comparison Without Minimum Check
+Improper Neutralization of Encoded URI Schemes in a Web Page
+Improper Enforcement of Behavioral Workflow
+Placement of User into Incorrect Group
+Access of Resource Using Incompatible Type ('Type Confusion')
+Doubled Character XSS Manipulations
+Improper Neutralization of Invalid Characters in Identifiers in Web Pages
+Missing Authorization
+Incorrect Authorization
+Improper Neutralization of Alternate XSS Syntax
+Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')
+Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
+J2EE Misconfiguration: Weak Access Permissions for EJB Methods
+Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')
+Use of Uninitialized Resource
+Missing Initialization of Resource
+XML Injection (aka Blind XPath Injection)
+Use of Expired File Descriptor
+Improper Update of Reference Count
+Hidden Functionality
+Improper Control of Dynamically-Managed Code Resources
+Improper Control of Dynamically-Identified Variables
+Improperly Controlled Modification of Dynamically-Determined Object Attributes
+Use of Password Hash With Insufficient Computational Effort
+Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')
+Server-Side Request Forgery (SSRF)
+Improper Restriction of Power Consumption
+Storage of Sensitive Data in a Mechanism without Access Control
+Insecure Storage of Sensitive Information
+Improper Restriction of Communication Channel to Intended Endpoints
+Improper Enforcement of Message Integrity During Transmission in a Communication Channel
+Improper Verification of Intent by Broadcast Receiver
+Improper Export of Android Application Components
+Use of Implicit Intent for Sensitive Communication
+Improper Neutralization of CRLF Sequences ('CRLF Injection')
+Improper Authorization in Handler for Custom URL Scheme
+Improper Control of Generation of Code ('Code Injection')
+Improper Verification of Source of a Communication Channel
+Incorrectly Specified Destination in a Communication Channel
+Permissive Cross-domain Policy with Untrusted Domains
+Improper Neutralization of Special Elements in Data Query Logic
+Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
+Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')
+Improper Neutralization of Server-Side Includes (SSI) Within a Web Page
+Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
+Improper Control of Resource Identifiers ('Resource Injection')