CWE Coverage

This document holds the TrustInSoft Analyzer CWE Coverage Claims using the The CWE Coverage Claims Representation format.

It is a subset of CWE-658: Weaknesses in Software Written in C.

Notice that TrustInSoft Analyzer is based on static analyses techniques. In the cases were the analysis cannot be precise, some false alarms may occur due to over-approximations. Moreover, the results rely on the provided specifications for the called function when the body is not available.

The coverage of the following CWE is achieved with TrustInSoft Analyzer. The alarms triggered are the one of the value analysis.

CWE-14

  • Name: Compiler Removal of Code to Clear Buffers

  • Reference: CWE 14

  • Description:

    Sensitive memory is cleared according to the source code, but compiler optimizations leave the memory untouched when it is not read from again, aka “dead store removal.”

  • Accuracy: Exact

  • Comment:

    TrustInSoft Analyzer performs spare code analysis to detect compiler optimizations.

CWE-119

  • Name: Improper Restriction of Operations within the Bounds of a Memory Buffer

  • Reference: CWE 119

  • Description:

    The software performs operations on a memory buffer, but it can read from or write to a memory location that is outside of the intended boundary of the buffer.

  • Accuracy: Exact

  • Comment:

    This is a very general CWE that is the parent of many of more specific CWE listed below. TrustInSoft Analyzer value analysis emits one of the following alarms as soon as a memory access is not well defined for sure, whatever the reason is.

  • Rules:

CWE-120

  • Name: Buffer Copy without Checking Size of Input (‘Classic Buffer Overflow’)

  • Reference: CWE 120

  • Description:

    The program copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer, leading to a buffer overflow.

  • Accuracy: CWE-more-specific

  • Comment:

    This CWE is a child of CWE-119 described above. TrustInSoft Analyzer considers it as similar, so the same rules apply.

CWE-121

  • Name: Stack-based Buffer Overflow

  • Reference: CWE 121

  • Description:

    A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function).

  • Accuracy: CWE-more-specific

  • Comment:

    This CWE is a child of CWE-119 described above. TrustInSoft Analyzer considers it as similar, so the same rules apply.

CWE-122

  • Name: Heap-based Buffer Overflow

  • Reference: CWE 122

  • Description:

    A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().

  • Accuracy: CWE-more-specific

  • Comment:

    This CWE is a child of CWE-119 described above. TrustInSoft Analyzer considers it as similar, so the same rules apply.

CWE-123

  • Name: Write-what-where Condition

  • Reference: CWE 123

  • Description:

    Any condition where the attacker has the ability to write an arbitrary value to an arbitrary location, often as the result of a buffer overflow.

  • Accuracy: CWE-more-specific

  • Comment:

    This CWE is a child of CWE-119 described above. TrustInSoft Analyzer considers it as similar, so the same rules apply.

CWE-124

  • Name: Buffer Underwrite (‘Buffer Underflow’)

  • Reference: CWE 124

  • Description:

    The software writes to a buffer using an index or pointer that references a memory location prior to the beginning of the buffer.

  • Accuracy: CWE-more-specific

  • Comment:

    This CWE is a child of CWE-119 described above. TrustInSoft Analyzer considers it as similar, so the same rules apply.

CWE-125

  • Name: Out-of-bounds Read

  • Reference: CWE 125

  • Description:

    The software reads data past the end, or before the beginning, of the intended buffer.

  • Accuracy: CWE-more-specific

  • Comment:

    This CWE is a child of CWE-119 described above. TrustInSoft Analyzer considers it as similar, so the sames rules apply.

CWE-126

  • Name: Buffer Over-read

  • Reference: CWE 126

  • Description:

    The software reads from a buffer using buffer access mechanisms such as indexes or pointers that reference memory locations after the targeted buffer.

  • Accuracy: CWE-more-specific

  • Comment:

    This CWE is a child of CWE-119 described above. TrustInSoft Analyzer considers it as similar, so the sames rules apply.

CWE-127

  • Name: Buffer Under-read

  • Reference: CWE 127

  • Description:

    The software reads from a buffer using buffer access mechanisms such as indexes or pointers that reference memory locations prior to the targeted buffer.

  • Accuracy: CWE-more-specific

  • Comment:

    This CWE is a child of CWE-119 described above. TrustInSoft Analyzer considers it as similar, so the sames rules apply.

CWE-128

  • Name: Wrap-around Error

  • Reference: CWE 128

  • Description:

    Wrap around errors occur whenever a value is incremented past the maximum value for its type and therefore “wraps around” to a very small, negative, or undefined value.

  • Accuracy: CWE-more-abstract

  • Comment:

    On signed integers only.

  • Rules:

CWE-129

  • Name: Improper Validation of Array Index

  • Reference: CWE 129

  • Description:

    The product uses not trusted input when calculating or using an array index, but the product does not validate or incorrectly validates the index to ensure the index references a valid position within the array.

  • Accuracy: Exact

  • Comment:

    The alarm is emitted when using the index, and only if there is a chance that its value is out-of-bound.

  • Rules:

CWE-130

  • Name: Improper Handling of Length Parameter Inconsistency

  • Reference: CWE 130

  • Description:

    The software parses a formatted message or structure, but it does not handle or incorrectly handles a length field that is inconsistent with the actual length of the associated data.

  • Accuracy: CWE-more-specific

  • Comment:

    This CWE is a child of CWE-119 described above. TrustInSoft Analyzer considers it as similar, so the same rules apply.

CWE-131

  • Name: Incorrect Calculation of Buffer Size

  • Reference: CWE 131

  • Description:

    The software does not correctly calculate the size to be used when allocating a buffer, which could lead to a buffer overflow.

  • Accuracy: CWE-more-specific

  • Comment:

    This CWE is a child of CWE-119 described above. TrustInSoft Analyzer considers it as similar, so the same rules apply.

CWE-188

  • Name: Reliance on Data/Memory Layout

  • Reference: CWE 188

  • Description:

    The software makes invalid assumptions about how protocol data or memory is organized at a lower level, resulting in unintended program behavior.

  • Accuracy: Exact

  • Comment:

  • Rules:

CWE-190

  • Name: Integer Overflow or Wraparound

  • Reference: CWE 190

  • Description:

    The software performs a calculation that can produce an integer overflow or wraparound, when the logic assumes that the resulting value will always be larger than the original value. This can introduce other weaknesses when the calculation is used for resource management or execution control.

  • Accuracy: CWE-more-specific

  • Comment:

    On signed integers only, but same rule for underflow and overflow.

  • Rules:

CWE-191

  • Name: Integer Underflow (Wrap or Wraparound)

  • Reference: CWE 191

  • Description:

    The product subtracts one value from another, such that the result is less than the minimum allowable integer value, which produces a value that is not equal to the correct result.

  • Accuracy: CWE-more-specific

  • Comment:

    On signed integers only, but same rule for underflow and overflow.

  • Rules:

CWE-195

  • Name: Signed to Unsigned Conversion Error

  • Reference: CWE 195

  • Description:

    The software uses a signed primitive and performs a cast to an unsigned primitive, which can produce an unexpected value if the value of the signed primitive can not be represented using an unsigned primitive.

  • Accuracy: Not-Covered

  • Comment:

    The value analysis doesn’t emit any alarm, but the RTE plug-in can be used with the -warn-signed-downcast and -warn-unsigned-downcast options to generate the relevant assertions before starting an analysis. These assertions are then checked like any other user assertions.

CWE-196

  • Name: Unsigned to Signed Conversion Error

  • Reference: CWE 196

  • Description:

    The software uses an unsigned primitive and performs a cast to a signed primitive, which can produce an unexpected value if the value of the unsigned primitive can not be represented using a signed primitive.

  • Accuracy: Not-Covered

  • Comment:

    Similar to CWE-195 above.

CWE-242

  • Name: Use of Inherently Dangerous Function

  • Reference: CWE 242

  • Description:

    The program calls a function that can never be guaranteed to work safely.

  • Accuracy: CWE-more-abstract

  • Comment:

    TrustInSoft Analyzer GUI allows to search functions. For a given list of dangerous functions, the search results of TrustInSoft Analyzer for this given list includes all functions calls including calls through pointer of functions.

CWE-243

  • Name: Creation of chroot Jail Without Changing Working Directory

  • Reference: CWE 243

  • Description:

    The program uses the chroot() system call to create a jail, but does not change the working directory afterward. This does not prevent access to files outside of the jail.

  • Accuracy: Exact

  • Comment:

    TrustInSoft Analyzer GUI allows to search functions, in particular chroot(). The search results of TrustInSoft Analyzer for chroot() includes all functions calls including calls through pointer of functions, and the user can check manually the presence of chdir() function for each call.

CWE-244

  • Name: Improper Clearing of Heap Memory Before Release (‘Heap Inspection’)

  • Reference: CWE 244

  • Description:

    Using realloc() to re-size buffers that store sensitive information can leave the sensitive information exposed to attack, because it is not removed from memory.

  • Accuracy: Exact

  • Comment:

    TrustInSoft Analyzer GUI allows to search functions, in particular realloc(). The search results of TrustInSoft Analyzer for realloc() includes all functions calls including calls through pointer of functions, and the user can check manually that the reallocated variable is not a sensitive data.

CWE-369

  • Name: Divide By Zero

  • Reference: CWE 369

  • Description:

    The product divides a value by zero.

  • Accuracy: Exact

  • Comment:

  • Rules:

CWE-401

  • Name: Improper Release of Memory Before Removing Last Reference (‘Memory Leak’)

  • Reference: CWE 401

  • Description:

    The software does not sufficiently track and release allocated memory after it has been used, which slowly consumes remaining memory.

  • Accuracy: CWE-partial

  • Comment:

    TrustInSoft Analyzer provides the tis_check_leak() builtin that may be called to print the list of allocated memory blocks that are no longer referenced by any other memory block. But the CWE is only partially covered because a cycle of allocated blocks never referenced by any other global/alive local is not detected yet.

CWE-415

  • Name: Double Free

  • Reference: CWE 415

  • Description:

    The product calls free() twice on the same memory address, potentially leading to modification of unexpected memory locations.

  • Accuracy: CWE-more-specific

  • Comment:

  • Rules:

CWE-416

  • Name: Use After Free

  • Reference: CWE 416

  • Description:

    Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code.

  • Accuracy: CWE-more-specific

  • Comment:

    This CWE is a child of CWE-825 described below. TrustInSoft Analyzer considers it as similar, so the sames rules apply.

CWE-457

  • Name: Use of Uninitialized Variable

  • Reference: CWE 457

  • Description:

    The code uses a variable that has not been initialized, leading to unpredictable or unintended results.

  • Accuracy: Exact

  • Comment:

  • Rules:

CWE-463

  • Name: Deletion of Data Structure Sentinel

  • Reference: CWE 463

  • Description:

    The accidental deletion of a data-structure sentinel can cause serious programming logic problems.

  • Accuracy: CWE-partial

  • Comment:

    As long as TrustInSoft Analyzer value analysis remains precise enough to compute the string, TrustInSoft Analyzer will detect any deletion of a data-structure sentinel.

  • Rules:

    • logic_memory_access

      This particular alarm is only emitted by internal built-ins such as memset and other standard library functions.

    • valid_string

      This rule is triggered by internal built-ins for the string standard library functions.

CWE-464

  • Name: Addition of Data Structure Sentinel

  • Reference: CWE 464

  • Description:

    The accidental addition of a data-structure sentinel can cause serious programming logic problems.

  • Accuracy: CWE-partial

  • Comment:

    As long as TrustInSoft Analyzer value analysis remains precise enough to compute the string, TrustInSoft Analyzer will detect any addition of a data-structure sentinel.

    However, TrustInSoft Analyzer doesn’t warn if the addition of the sentinel can be considered as a normal behavior of the program.

  • Rules:

    • logic_memory_access

      This particular alarm is only emitted by internal built-ins such as memset and other standard library functions.

    • valid_string

      This rule is triggered by internal built-ins for the string standard library functions.

CWE-466

  • Name: Return of Pointer Value Outside of Expected Range

  • Reference: CWE 466

  • Description:

    A function can return a pointer to memory that is outside of the buffer that the pointer is expected to reference.

  • Accuracy: Not-Covered

  • Comment:

    TrustInSoft Analyzer doesn’t warn on pointers having invalid values, but it does as soon as the pointer is used lated on.

CWE-467

  • Name: Use of sizeof() on a Pointer Type

  • Reference: CWE 467

  • Description:

    The code calls sizeof() on a malloced pointer type, which always returns the wordsize/8. This can produce an unexpected result if the programmer intended to determine how much memory has been allocated.

  • Accuracy: CWE-more-specific

  • Comment:

    This CWE is a child of CWE-119 described above. TrustInSoft Analyzer considers it as similar, so the same rules apply.

CWE-468

  • Name: Incorrect Pointer Scaling

  • Reference: CWE 468

  • Description:

    In C and C++, one may often accidentally refer to the wrong memory due to the semantics of when math operations are implicitly scaled.

  • Accuracy: CWE-more-specific

  • Comment:

    This CWE is a child of CWE-119 described above. TrustInSoft Analyzer considers it as similar, so the same rules apply.

CWE-469

  • Name: Use of Pointer Subtraction to Determine Size

  • Reference: CWE 469

  • Description:

    The application subtracts one pointer from another in order to determine size, but this calculation can be incorrect if the pointers do not exist in the same memory chunk.

  • Accuracy: CWE-more-abstract

  • Comment:

    TrustInSoft Analyzer doesn’t warn on every pointer subtraction, but only on those where there might be a problem (different blocks).

  • Rules:

CWE-474

  • Name: Use of Function with Inconsistent Implementations

  • Reference: CWE 474

  • Description:

    The code uses a function that has inconsistent implementations across operating systems and versions.

  • Accuracy: Unknown

  • Comment:

    TrustInSoft Analyzer GUI allows to search functions. For a given list of functions with inconsistent implementations, the search results of TrustInSoft Analyzer for this given list includes all functions calls including calls through pointer of functions.

CWE-476

  • Name: NULL Pointer Dereference

  • Reference: CWE 476

  • Description:

    A NULL pointer dereference occurs when the application dereferences a pointer that it expects to be valid, but is NULL, typically causing a crash or exit.

  • Accuracy: Exact

  • Comment:

  • Rules:

CWE-558

  • Name: Use of getlogin() in Multithreaded Application

  • Reference: CWE 558

  • Description:

    The application uses the getlogin() function in a multithreaded context, potentially causing it to return incorrect values.

  • Accuracy: CWE-more-abstract

  • Comment:

    TrustInSoft Analyzer GUI allows to search functions, in particular getlogin(). The search results of TrustInSoft Analyzer for getlogin() includes all functions calls including calls through pointer of functions, and the user can check manually the absence of this function.

CWE-560

  • Name: Use of umask() with chmod-style Argument

  • Reference: CWE 560

  • Description:

    The product calls umask() with an incorrect argument that is specified as if it is an argument to chmod().

  • Accuracy: CWE-more-abstract

  • Comment:

    TrustInSoft Analyzer GUI allows to search functions, in particular umask(). The search results of TrustInSoft Analyzer for umask() includes all functions calls including calls through pointer of functions, and the user can check manually the absence of this function.

CWE-561

  • Name: Dead Code

  • Reference: CWE 561

  • Description:

    The software contains dead code, which can never be executed.

  • Accuracy: Exact

  • Comment:

  • Rules:

    • tis-info-statements

      This CWE doesn’t generates an alarm, but the information is available among the About Statements elements. The coverage information in About Functions can also be used for a more global overview.

CWE-562

  • Name: Return of Stack Variable Address

  • Reference: CWE 562

  • Description:

    A function returns the address of a stack variable, which will cause unintended program behavior, typically in the form of a crash.

  • Accuracy: Unknown

  • Comment:

    Notice that TrustInSoft Analyzer doesn’t warn on the return, but when using the pointer later on.

  • Rules:

CWE-570

  • Name: Expression is Always False

  • Reference: CWE 570

  • Description:

    The software contains an expression that will always evaluate to false.

  • Accuracy: Exact

  • Comment:

  • Rules:

    • tis-info-statements

      This CWE doesn’t generates an alarm, but the information is available among the About Statements elements.

CWE-571

  • Name: Expression is Always True

  • Reference: CWE 571

  • Description:

    The software contains an expression that will always evaluate to true.

  • Accuracy: Exact

  • Comment:

  • Rules:

    • tis-info-statements

      This CWE doesn’t generates an alarm, but the information is available among the About Statements elements.

CWE-587

  • Name: Assignment of a Fixed Address to a Pointer

  • Reference: CWE 587

  • Description:

    The software sets a pointer to a specific address other than NULL or 0.

  • Accuracy: Unknown

  • Comment:

    When using a pointer that has been set to a fixed address, the default is to emit a Memory_assess alarm since all absolute addresses are assumed to be invalid. The -absolute-valid-range min-max option can be used to tell TrustInSoft Analyzer that addresses between min and max are valid memory addresses.

  • Rules:

CWE-681

  • Name: Incorrect Conversion between Numeric Types

  • Reference: CWE 681

  • Description:

    When converting from one data type to another, such as long to integer, data can be omitted or translated in a way that produces unexpected values. If the resulting values are used in a sensitive context, then dangerous behaviors may occur.

  • Accuracy: CWE-more-abstract

  • Comment:

    This CWE is about converting from one numeric data type to another, but the rule below is only about float to int conversion.

  • Rules:

    • float_to_int

      This alarm is emitted when a floating-point value appears to exceed the range of the integer type it is converted to.

CWE-682

  • Name: Incorrect Calculation

  • Reference: CWE 682

  • Description:

    The software performs a calculation that generates incorrect or unintended results that are later used in security-critical decisions or resource management.

  • Accuracy: CWE-more-abstract

  • Comment:

    This CWE is very general and groups anything that can goes wrong after calculation that generates incorrect or unintended results, but there no more specific CWE about floating-point results that can be an infinite value or NaN.

  • Rules:

CWE-685

  • Name: Function Call With Incorrect Number of Arguments

  • Reference: CWE 685

  • Description:

    The software calls a function, procedure, or routine, but the caller specifies too many arguments, or too few arguments, which may lead to undefined behavior and resultant weaknesses.

  • Accuracy: Exact

  • Comment:

    This CWE is detected even without any value analysis.

  • Rules:

    • kernel user error messages

      The kernel emit one of the two error below:

      • [kernel] user error: Too few arguments in call to ...

      • [kernel] user error: Too many arguments in call to ...

CWE-690

  • Name: Unchecked Return Value to NULL Pointer Dereference

  • Reference: CWE 690

  • Description:

    The product does not check for an error after calling a function that can return with a NULL pointer if the function fails, which leads to a resultant NULL pointer dereference.

  • Accuracy: Not-Covered

  • Comment:

    TrustInSoft Analyzer doesn’t specifically whether returned values are tested or not, but it does detect NULL pointer dereference where ever it comes from (see CWE-476).

CWE-733

  • Name: Compiler Optimization Removal or Modification of Security-critical Code

  • Reference: CWE 733

  • Description:

    The developer builds a security-critical protection mechanism into the software but the compiler optimizes the program such that the mechanism is removed or modified.

  • Accuracy: Exact

  • Comment:

    TrustInSoft Analyzer performs the value analysis on the preprocessed source file. This CWE is a child of CWE-14 described above. TrustInSoft Analyzer considers it as similar, so the same rules apply.

CWE-762

  • Name: Mismatched Memory Management Routines

  • Reference: CWE 762

  • Description:

    The application attempts to return a memory resource to the system, but it calls a release function that is not compatible with the function that was originally used to allocate that resource.

  • Accuracy: Exact

  • Comment:

    TrustInSoft Analyzer automatically checks that dynamically allocated objects are correctly deallocated with the right primitive (e.g. malloc/free, new/delete).

CWE-781

  • Name: Improper Address Validation in IOCTL with METHOD_NEITHER I/O Control Code

  • Reference: CWE 781

  • Description:

    The software defines an IOCTL that uses METHOD_NEITHER for I/O, but it does not validate or incorrectly validates the addresses that are provided.

  • Accuracy: CWE-more-abstract

  • Comment:

    TrustInSoft Analyzer GUI allows to search functions. For a given list of functions that performs improper address validation, the search results of TrustInSoft Analyzer for this given list includes all functions calls including calls through pointer of functions.

CWE-782

  • Name: Exposed IOCTL with Insufficient Access Control

  • Reference: CWE 782

  • Description:

    The software implements an IOCTL with functionality that should be restricted, but it does not properly enforce access control for the IOCTL.

  • Accuracy: Not-Covered

  • Comment:

CWE-786

  • Name: Access of Memory Location Before Start of Buffer

  • Reference: CWE 786

  • Description:

    The software reads or writes to a buffer using an index or pointer that references a memory location prior to the beginning of the buffer.

  • Accuracy: CWE-more-specific

  • Comment:

    This CWE is a child of CWE-119 described above. TrustInSoft Analyzer considers it as similar, so the same rules apply.

CWE-787

  • Name: Out-of-bounds Write

  • Reference: CWE 787

  • Description:

    The software writes data past the end, or before the beginning, of the intended buffer.

  • Accuracy: CWE-more-specific

  • Comment:

    This CWE is a child of CWE-119 described above. TrustInSoft Analyzer considers it as similar, so the same rules apply.

CWE-788

  • Name: Access of Memory Location After End of Buffer

  • Reference: CWE 788

  • Description:

    The software reads or writes to a buffer using an index or pointer that references a memory location after the end of the buffer.

  • Accuracy: CWE-more-specific

  • Comment:

    This CWE is a child of CWE-119 described above. TrustInSoft Analyzer considers it as similar, so the same rules apply.

CWE-789

  • Name: Uncontrolled Memory Allocation

  • Reference: CWE 789

  • Description:

    The product allocates memory based on a not trusted size value, but it does not validate or incorrectly validates the size, allowing arbitrary amounts of memory to be allocated.

  • Accuracy: Exact

  • Comment:

    TrustInSoft Analyzer provides a language specification (ACSL) so the user may add a precondition to a user defined malloc. TrustInSoft Analyzer will automatically checks that the size always satisfies this precondition.

CWE-805

  • Name: Buffer Access with Incorrect Length Value

  • Reference: CWE 805

  • Description:

    The software uses a sequential operation to read or write a buffer, but it uses an incorrect length value that causes it to access memory that is outside of the bounds of the buffer.

  • Accuracy: CWE-more-specific

  • Comment:

    This CWE is a child of CWE-119 described above. TrustInSoft Analyzer considers it as similar, so the same rules apply.

CWE-806

  • Name: Buffer Access Using Size of Source Buffer

  • Reference: CWE 806

  • Description:

    The software uses the size of a source buffer when reading from or writing to a destination buffer, which may cause it to access memory that is outside of the bounds of the buffer.

  • Accuracy: CWE-more-specific

  • Comment:

    This CWE is a child of CWE-119 described above. TrustInSoft Analyzer considers it as similar, so the same rules apply.

CWE-822

  • Name: Untrusted Pointer Dereference

  • Reference: CWE 822

  • Description:

    The program obtains a value from a not trusted source, converts this value to a pointer, and dereferences the resulting pointer.

  • Accuracy: CWE-more-specific

  • Comment:

    This CWE is a child of CWE-119 described above. TrustInSoft Analyzer considers it as similar, so the same rules apply.

CWE-823

  • Name: Use of Out-of-range Pointer Offset

  • Reference: CWE 823

  • Description:

    The program performs pointer arithmetic on a valid pointer, but it uses an offset that can point outside of the intended range of valid memory locations for the resulting pointer.

  • Accuracy: CWE-more-specific

  • Comment:

    This CWE is a child of CWE-119 described above. TrustInSoft Analyzer considers it as similar, so the same rules apply.

CWE-824

  • Name: Access of Uninitialized Pointer

  • Reference: CWE 824

  • Description:

    The program accesses or uses a pointer that has not been initialized.

  • Accuracy: CWE-more-specific

  • Comment:

    The alarm below is emitted for any access to an uninitialized value, whether it is a pointer or not.

  • Rules:

CWE-825

  • Name: Expired Pointer Dereference

  • Reference: CWE 825

  • Description:

    The program dereferences a pointer that contains a location for memory that was previously valid, but is no longer valid.

  • Accuracy: Unknown

  • Comment:

  • Rules: