CWE

Common Weakness Enumeration

A community-developed list of SW & HW weaknesses that can become vulnerabilities
New to CWE? click here!
CWE Most Important Hardware Weaknesses
CWE Top 25 Most Dangerous Weaknesses
Home > CWE List > CWE- Individual Dictionary Definition (4.18)
ID
CWE Glossary Definition

CWE VIEW: CISQ Quality Measures (2016)

View ID: 1128
Vulnerability Mapping: PROHIBITED This CWE ID must not be used to map to real-world vulnerabilities
Type: Graph
Downloads: Booklet | CSV | XML
Objective
This view outlines the most important software quality issues as identified by the Consortium for Information & Software Quality (CISQ) Automated Quality Characteristic Measures, released in 2016. These measures are derived from Object Management Group (OMG) standards.
Audience
Stakeholder Description
Software Developers This view provides a good starting point for anyone involved in software development (including architects, designers, coders, and testers) to ensure that code quality issues are considered during the development process.
Product Vendors This view can help product vendors understand code quality issues and convey an overall status of their software.
Assessment Tool Vendors This view provides a good starting point for assessment tool vendors (e.g., vendors selling static analysis tools) who wish to understand what constitutes software with good code quality, and which quality issues may be of concern.
Relationships
The following graph shows the tree-like relationships between weaknesses that exist at different levels of abstraction. At the highest level, categories and pillars exist to group weaknesses. Categories (which are not technically weaknesses) are special CWE entries used to group weaknesses that share a common characteristic. Pillars are weaknesses that are described in the most abstract fashion. Below these top-level entries are weaknesses are varying levels of abstraction. Classes are still very abstract, typically independent of any specific language or technology. Base level weaknesses are used to present a more specific type of weakness. A variant is a weakness that is described at a very low level of detail, typically limited to a specific language or technology. A chain is a set of weaknesses that must be reachable consecutively in order to produce an exploitable vulnerability. While a composite is a set of weaknesses that must all be present simultaneously in order to produce an exploitable vulnerability.
Show Details:
|
1128 - CISQ Quality Measures (2016)
Category Category - a CWE entry that contains a set of other entries that share a common characteristic. CISQ Quality Measures (2016) - Reliability - (1129)
1128 (CISQ Quality Measures (2016)) > 1129 (CISQ Quality Measures (2016) - Reliability)
Weaknesses in this category are related to the CISQ Quality Measures for Reliability, as documented in 2016 with the Automated Source Code CISQ Reliability Measure (ASCRM) Specification 1.0. Presence of these weaknesses could reduce the reliability of the software.
* Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') - (120)
1128 (CISQ Quality Measures (2016)) > 1129 (CISQ Quality Measures (2016) - Reliability) > 120 (Buffer Copy without Checking Size of Input ('Classic Buffer Overflow'))
The product copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer. Classic Buffer Overflow Unbounded Transfer
* Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Unchecked Return Value - (252)
1128 (CISQ Quality Measures (2016)) > 1129 (CISQ Quality Measures (2016) - Reliability) > 252 (Unchecked Return Value)
The product does not check the return value from a method or function, which can prevent it from detecting unexpected states and conditions.
* Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Declaration of Catch for Generic Exception - (396)
1128 (CISQ Quality Measures (2016)) > 1129 (CISQ Quality Measures (2016) - Reliability) > 396 (Declaration of Catch for Generic Exception)
Catching overly broad exceptions promotes complex error handling code that is more likely to contain security vulnerabilities.
* Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Declaration of Throws for Generic Exception - (397)
1128 (CISQ Quality Measures (2016)) > 1129 (CISQ Quality Measures (2016) - Reliability) > 397 (Declaration of Throws for Generic Exception)
The product throws or raises an overly broad exceptions that can hide important details and produce inappropriate responses to certain conditions.
* Variant Variant - a weakness that is linked to a certain type of product, typically involving a specific language or technology. More specific than a Base weakness. Variant level weaknesses typically describe issues in terms of 3 to 5 of the following dimensions: behavior, property, technology, language, and resource. Missing Initialization of a Variable - (456)
1128 (CISQ Quality Measures (2016)) > 1129 (CISQ Quality Measures (2016) - Reliability) > 456 (Missing Initialization of a Variable)
The product does not initialize critical variables, which causes the execution environment to use unexpected values.
* Class Class - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More specific than a Pillar Weakness, but more general than a Base Weakness. Class level weaknesses typically describe issues in terms of 1 or 2 of the following dimensions: behavior, property, and resource. Uncontrolled Recursion - (674)
1128 (CISQ Quality Measures (2016)) > 1129 (CISQ Quality Measures (2016) - Reliability) > 674 (Uncontrolled Recursion)
The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack. Stack Exhaustion
* Class Class - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More specific than a Pillar Weakness, but more general than a Base Weakness. Class level weaknesses typically describe issues in terms of 1 or 2 of the following dimensions: behavior, property, and resource. Incorrect Type Conversion or Cast - (704)
1128 (CISQ Quality Measures (2016)) > 1129 (CISQ Quality Measures (2016) - Reliability) > 704 (Incorrect Type Conversion or Cast)
The product does not correctly convert an object, resource, or structure from one type to a different type.
* Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Missing Release of Resource after Effective Lifetime - (772)
1128 (CISQ Quality Measures (2016)) > 1129 (CISQ Quality Measures (2016) - Reliability) > 772 (Missing Release of Resource after Effective Lifetime)
The product does not release a resource after its effective lifetime has ended, i.e., after the resource is no longer needed.
* Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Access of Memory Location After End of Buffer - (788)
1128 (CISQ Quality Measures (2016)) > 1129 (CISQ Quality Measures (2016) - Reliability) > 788 (Access of Memory Location After End of Buffer)
The product reads or writes to a buffer using an index or pointer that references a memory location after the end of the buffer.
* Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Parent Class with a Virtual Destructor and a Child Class without a Virtual Destructor - (1045)
1128 (CISQ Quality Measures (2016)) > 1129 (CISQ Quality Measures (2016) - Reliability) > 1045 (Parent Class with a Virtual Destructor and a Child Class without a Virtual Destructor)
A parent class has a virtual destructor method, but the parent has a child class that does not have a virtual destructor.
* Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Modules with Circular Dependencies - (1047)
1128 (CISQ Quality Measures (2016)) > 1129 (CISQ Quality Measures (2016) - Reliability) > 1047 (Modules with Circular Dependencies)
The product contains modules in which one module has references that cycle back to itself, i.e., there are circular dependencies.
* Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Initialization with Hard-Coded Network Resource Configuration Data - (1051)
1128 (CISQ Quality Measures (2016)) > 1129 (CISQ Quality Measures (2016) - Reliability) > 1051 (Initialization with Hard-Coded Network Resource Configuration Data)
The product initializes data using hard-coded values that act as network resource identifiers.
* Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Invokable Control Element with Variadic Parameters - (1056)
1128 (CISQ Quality Measures (2016)) > 1129 (CISQ Quality Measures (2016) - Reliability) > 1056 (Invokable Control Element with Variadic Parameters)
A named-callable or method control element has a signature that supports a variable (variadic) number of parameters or arguments.
* Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Invokable Control Element in Multi-Thread Context with non-Final Static Storable or Member Element - (1058)
1128 (CISQ Quality Measures (2016)) > 1129 (CISQ Quality Measures (2016) - Reliability) > 1058 (Invokable Control Element in Multi-Thread Context with non-Final Static Storable or Member Element)
The code contains a function or method that operates in a multi-threaded environment but owns an unsafe non-final static storable or member data element.
* Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Parent Class with References to Child Class - (1062)
1128 (CISQ Quality Measures (2016)) > 1129 (CISQ Quality Measures (2016) - Reliability) > 1062 (Parent Class with References to Child Class)
The code has a parent class that contains references to a child class, its methods, or its members.
* Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Runtime Resource Management Control Element in a Component Built to Run on Application Servers - (1065)
1128 (CISQ Quality Measures (2016)) > 1129 (CISQ Quality Measures (2016) - Reliability) > 1065 (Runtime Resource Management Control Element in a Component Built to Run on Application Servers)
The product uses deployed components from application servers, but it also uses low-level functions/methods for management of resources, instead of the API provided by the application server.
* Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Missing Serialization Control Element - (1066)
1128 (CISQ Quality Measures (2016)) > 1129 (CISQ Quality Measures (2016) - Reliability) > 1066 (Missing Serialization Control Element)
The product contains a serializable data element that does not have an associated serialization method.
* Variant Variant - a weakness that is linked to a certain type of product, typically involving a specific language or technology. More specific than a Base weakness. Variant level weaknesses typically describe issues in terms of 3 to 5 of the following dimensions: behavior, property, technology, language, and resource. Empty Exception Block - (1069)
1128 (CISQ Quality Measures (2016)) > 1129 (CISQ Quality Measures (2016) - Reliability) > 1069 (Empty Exception Block)
An invokable code block contains an exception handling block that does not contain any code, i.e. is empty.
* Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Serializable Data Element Containing non-Serializable Item Elements - (1070)
1128 (CISQ Quality Measures (2016)) > 1129 (CISQ Quality Measures (2016) - Reliability) > 1070 (Serializable Data Element Containing non-Serializable Item Elements)
The product contains a serializable, storable data element such as a field or member, but the data element contains member elements that are not serializable.
* Variant Variant - a weakness that is linked to a certain type of product, typically involving a specific language or technology. More specific than a Base weakness. Variant level weaknesses typically describe issues in terms of 3 to 5 of the following dimensions: behavior, property, technology, language, and resource. Floating Point Comparison with Incorrect Operator - (1077)
1128 (CISQ Quality Measures (2016)) > 1129 (CISQ Quality Measures (2016) - Reliability) > 1077 (Floating Point Comparison with Incorrect Operator)
The code performs a comparison such as an equality test between two float (floating point) values, but it uses comparison operators that do not account for the possibility of loss of precision.
* Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Parent Class without Virtual Destructor Method - (1079)
1128 (CISQ Quality Measures (2016)) > 1129 (CISQ Quality Measures (2016) - Reliability) > 1079 (Parent Class without Virtual Destructor Method)
A parent class contains one or more child classes, but the parent class does not have a virtual destructor method.
* Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Class Instance Self Destruction Control Element - (1082)
1128 (CISQ Quality Measures (2016)) > 1129 (CISQ Quality Measures (2016) - Reliability) > 1082 (Class Instance Self Destruction Control Element)
The code contains a class instance that calls the method or function to delete or destroy itself.
* Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Data Access from Outside Expected Data Manager Component - (1083)
1128 (CISQ Quality Measures (2016)) > 1129 (CISQ Quality Measures (2016) - Reliability) > 1083 (Data Access from Outside Expected Data Manager Component)
The product is intended to manage data access through a particular data manager component such as a relational or non-SQL database, but it contains code that performs data access operations without using that component.
* Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Class with Virtual Method without a Virtual Destructor - (1087)
1128 (CISQ Quality Measures (2016)) > 1129 (CISQ Quality Measures (2016) - Reliability) > 1087 (Class with Virtual Method without a Virtual Destructor)
A class contains a virtual method, but the method does not have an associated virtual destructor.
* Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Synchronous Access of Remote Resource without Timeout - (1088)
1128 (CISQ Quality Measures (2016)) > 1129 (CISQ Quality Measures (2016) - Reliability) > 1088 (Synchronous Access of Remote Resource without Timeout)
The code has a synchronous call to a remote resource, but there is no timeout for the call, or the timeout is set to infinite.
* Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Persistent Storable Data Element without Associated Comparison Control Element - (1097)
1128 (CISQ Quality Measures (2016)) > 1129 (CISQ Quality Measures (2016) - Reliability) > 1097 (Persistent Storable Data Element without Associated Comparison Control Element)
The product uses a storable data element that does not have all of the associated functions or methods that are necessary to support comparison.
* Variant Variant - a weakness that is linked to a certain type of product, typically involving a specific language or technology. More specific than a Base weakness. Variant level weaknesses typically describe issues in terms of 3 to 5 of the following dimensions: behavior, property, technology, language, and resource. Singleton Class Instance Creation without Proper Locking or Synchronization - (1096)
1128 (CISQ Quality Measures (2016)) > 1129 (CISQ Quality Measures (2016) - Reliability) > 1096 (Singleton Class Instance Creation without Proper Locking or Synchronization)
The product implements a Singleton design pattern but does not use appropriate locking or other synchronization mechanism to ensure that the singleton class is only instantiated once.
* Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Data Element containing Pointer Item without Proper Copy Control Element - (1098)
1128 (CISQ Quality Measures (2016)) > 1129 (CISQ Quality Measures (2016) - Reliability) > 1098 (Data Element containing Pointer Item without Proper Copy Control Element)
The code contains a data element with a pointer that does not have an associated copy or constructor method.
Category Category - a CWE entry that contains a set of other entries that share a common characteristic. CISQ Quality Measures (2016) - Maintainability - (1130)
1128 (CISQ Quality Measures (2016)) > 1130 (CISQ Quality Measures (2016) - Maintainability)
Weaknesses in this category are related to the CISQ Quality Measures for Maintainability, as documented in 2016 with the Automated Source Code Maintainability Measure (ASCMM) Specification 1.0. Presence of these weaknesses could reduce the maintainability of the software.
* Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Dead Code - (561)
1128 (CISQ Quality Measures (2016)) > 1130 (CISQ Quality Measures (2016) - Maintainability) > 561 (Dead Code)
The product contains dead code, which can never be executed.
* Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Use of Redundant Code - (1041)
1128 (CISQ Quality Measures (2016)) > 1130 (CISQ Quality Measures (2016) - Maintainability) > 1041 (Use of Redundant Code)
The product has multiple functions, methods, procedures, macros, etc. that contain the same code.
* Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Architecture with Number of Horizontal Layers Outside of Expected Range - (1044)
1128 (CISQ Quality Measures (2016)) > 1130 (CISQ Quality Measures (2016) - Maintainability) > 1044 (Architecture with Number of Horizontal Layers Outside of Expected Range)
The product's architecture contains too many - or too few - horizontal layers.
* Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Modules with Circular Dependencies - (1047)
1128 (CISQ Quality Measures (2016)) > 1130 (CISQ Quality Measures (2016) - Maintainability) > 1047 (Modules with Circular Dependencies)
The product contains modules in which one module has references that cycle back to itself, i.e., there are circular dependencies.
* Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Invokable Control Element with Large Number of Outward Calls - (1048)
1128 (CISQ Quality Measures (2016)) > 1130 (CISQ Quality Measures (2016) - Maintainability) > 1048 (Invokable Control Element with Large Number of Outward Calls)
The code contains callable control elements that contain an excessively large number of references to other application objects external to the context of the callable, i.e. a Fan-Out value that is excessively large.
* Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Excessive Use of Hard-Coded Literals in Initialization - (1052)
1128 (CISQ Quality Measures (2016)) > 1130 (CISQ Quality Measures (2016) - Maintainability) > 1052 (Excessive Use of Hard-Coded Literals in Initialization)
The product initializes a data element using a hard-coded literal that is not a simple integer or static constant element.
* Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Invocation of a Control Element at an Unnecessarily Deep Horizontal Layer - (1054)
1128 (CISQ Quality Measures (2016)) > 1130 (CISQ Quality Measures (2016) - Maintainability) > 1054 (Invocation of a Control Element at an Unnecessarily Deep Horizontal Layer)
The code at one architectural layer invokes code that resides at a deeper layer than the adjacent layer, i.e., the invocation skips at least one layer, and the invoked code is not part of a vertical utility layer that can be referenced from any horizontal layer.
* Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Multiple Inheritance from Concrete Classes - (1055)
1128 (CISQ Quality Measures (2016)) > 1130 (CISQ Quality Measures (2016) - Maintainability) > 1055 (Multiple Inheritance from Concrete Classes)
The product contains a class with inheritance from more than one concrete class.
* Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Invokable Control Element with Signature Containing an Excessive Number of Parameters - (1064)
1128 (CISQ Quality Measures (2016)) > 1130 (CISQ Quality Measures (2016) - Maintainability) > 1064 (Invokable Control Element with Signature Containing an Excessive Number of Parameters)
The product contains a function, subroutine, or method whose signature has an unnecessarily large number of parameters/arguments.
* Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Class with Excessively Deep Inheritance - (1074)
1128 (CISQ Quality Measures (2016)) > 1130 (CISQ Quality Measures (2016) - Maintainability) > 1074 (Class with Excessively Deep Inheritance)
A class has an inheritance level that is too high, i.e., it has a large number of parent classes.
* Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Unconditional Control Flow Transfer outside of Switch Block - (1075)
1128 (CISQ Quality Measures (2016)) > 1130 (CISQ Quality Measures (2016) - Maintainability) > 1075 (Unconditional Control Flow Transfer outside of Switch Block)
The product performs unconditional control transfer (such as a "goto") in code outside of a branching structure such as a switch block.
* Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Source Code File with Excessive Number of Lines of Code - (1080)
1128 (CISQ Quality Measures (2016)) > 1130 (CISQ Quality Measures (2016) - Maintainability) > 1080 (Source Code File with Excessive Number of Lines of Code)
A source code file has too many lines of code.
* Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Critical Data Element Declared Public - (766)
1128 (CISQ Quality Measures (2016)) > 1130 (CISQ Quality Measures (2016) - Maintainability) > 766 (Critical Data Element Declared Public)
The product declares a critical variable, field, or member to be public when intended security policy requires it to be private.
* Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Invokable Control Element with Excessive File or Data Access Operations - (1084)
1128 (CISQ Quality Measures (2016)) > 1130 (CISQ Quality Measures (2016) - Maintainability) > 1084 (Invokable Control Element with Excessive File or Data Access Operations)
A function or method contains too many operations that utilize a data manager or file resource.
* Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Invokable Control Element with Excessive Volume of Commented-out Code - (1085)
1128 (CISQ Quality Measures (2016)) > 1130 (CISQ Quality Measures (2016) - Maintainability) > 1085 (Invokable Control Element with Excessive Volume of Commented-out Code)
A function, method, procedure, etc. contains an excessive amount of code that has been commented out within its body.
* Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Class with Excessive Number of Child Classes - (1086)
1128 (CISQ Quality Measures (2016)) > 1130 (CISQ Quality Measures (2016) - Maintainability) > 1086 (Class with Excessive Number of Child Classes)
A class contains an unnecessarily large number of children.
* Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Method Containing Access of a Member Element from Another Class - (1090)
1128 (CISQ Quality Measures (2016)) > 1130 (CISQ Quality Measures (2016) - Maintainability) > 1090 (Method Containing Access of a Member Element from Another Class)
A method for a class performs an operation that directly accesses a member element from another class.
* Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Use of Same Invokable Control Element in Multiple Architectural Layers - (1092)
1128 (CISQ Quality Measures (2016)) > 1130 (CISQ Quality Measures (2016) - Maintainability) > 1092 (Use of Same Invokable Control Element in Multiple Architectural Layers)
The product uses the same control element across multiple architectural layers.
* Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Loop Condition Value Update within the Loop - (1095)
1128 (CISQ Quality Measures (2016)) > 1130 (CISQ Quality Measures (2016) - Maintainability) > 1095 (Loop Condition Value Update within the Loop)
The product uses a loop with a control flow condition based on a value that is updated within the body of the loop.
* Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Excessive McCabe Cyclomatic Complexity - (1121)
1128 (CISQ Quality Measures (2016)) > 1130 (CISQ Quality Measures (2016) - Maintainability) > 1121 (Excessive McCabe Cyclomatic Complexity)
The code contains McCabe cyclomatic complexity that exceeds a desirable maximum.
Category Category - a CWE entry that contains a set of other entries that share a common characteristic. CISQ Quality Measures (2016) - Security - (1131)
1128 (CISQ Quality Measures (2016)) > 1131 (CISQ Quality Measures (2016) - Security)
Weaknesses in this category are related to the CISQ Quality Measures for Security, as documented in 2016 with the Automated Source Code Security Measure (ASCSM) Specification 1.0. Presence of these weaknesses could reduce the security of the software.
* Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') - (22)
1128 (CISQ Quality Measures (2016)) > 1131 (CISQ Quality Measures (2016) - Security) > 22 (Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'))
The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. Directory traversal Path traversal
* Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') - (78)
1128 (CISQ Quality Measures (2016)) > 1131 (CISQ Quality Measures (2016) - Security) > 78 (Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'))
The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. Shell injection Shell metacharacters OS Command Injection
* Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - (79)
1128 (CISQ Quality Measures (2016)) > 1131 (CISQ Quality Measures (2016) - Security) > 79 (Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'))
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. XSS HTML Injection Reflected XSS / Non-Persistent XSS / Type 1 XSS Stored XSS / Persistent XSS / Type 2 XSS DOM-Based XSS / Type 0 XSS CSS
* Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') - (89)
1128 (CISQ Quality Measures (2016)) > 1131 (CISQ Quality Measures (2016) - Security) > 89 (Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'))
The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. SQL injection SQLi
* Class Class - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More specific than a Pillar Weakness, but more general than a Base Weakness. Class level weaknesses typically describe issues in terms of 1 or 2 of the following dimensions: behavior, property, and resource. Improper Control of Resource Identifiers ('Resource Injection') - (99)
1128 (CISQ Quality Measures (2016)) > 1131 (CISQ Quality Measures (2016) - Security) > 99 (Improper Control of Resource Identifiers ('Resource Injection'))
The product receives input from an upstream component, but it does not restrict or incorrectly restricts the input before it is used as an identifier for a resource that may be outside the intended sphere of control. Insecure Direct Object Reference
* Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') - (120)
1128 (CISQ Quality Measures (2016)) > 1131 (CISQ Quality Measures (2016) - Security) > 120 (Buffer Copy without Checking Size of Input ('Classic Buffer Overflow'))
The product copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer. Classic Buffer Overflow Unbounded Transfer
* Variant Variant - a weakness that is linked to a certain type of product, typically involving a specific language or technology. More specific than a Base weakness. Variant level weaknesses typically describe issues in terms of 3 to 5 of the following dimensions: behavior, property, technology, language, and resource. Improper Validation of Array Index - (129)
1128 (CISQ Quality Measures (2016)) > 1131 (CISQ Quality Measures (2016) - Security) > 129 (Improper Validation of Array Index)
The product uses untrusted input when calculating or using an array index, but the product does not validate or incorrectly validates the index to ensure the index references a valid position within the array. out-of-bounds array index index-out-of-range array index underflow
* Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Use of Externally-Controlled Format String - (134)
1128 (CISQ Quality Measures (2016)) > 1131 (CISQ Quality Measures (2016) - Security) > 134 (Use of Externally-Controlled Format String)
The product uses a function that accepts a format string as an argument, but the format string originates from an external source.
* Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Unchecked Return Value - (252)
1128 (CISQ Quality Measures (2016)) > 1131 (CISQ Quality Measures (2016) - Security) > 252 (Unchecked Return Value)
The product does not check the return value from a method or function, which can prevent it from detecting unexpected states and conditions.
* Class Class - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More specific than a Pillar Weakness, but more general than a Base Weakness. Class level weaknesses typically describe issues in terms of 1 or 2 of the following dimensions: behavior, property, and resource. Use of a Broken or Risky Cryptographic Algorithm - (327)
1128 (CISQ Quality Measures (2016)) > 1131 (CISQ Quality Measures (2016) - Security) > 327 (Use of a Broken or Risky Cryptographic Algorithm)
The product uses a broken or risky cryptographic algorithm or protocol.
* Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Declaration of Catch for Generic Exception - (396)
1128 (CISQ Quality Measures (2016)) > 1131 (CISQ Quality Measures (2016) - Security) > 396 (Declaration of Catch for Generic Exception)
Catching overly broad exceptions promotes complex error handling code that is more likely to contain security vulnerabilities.
* Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Declaration of Throws for Generic Exception - (397)
1128 (CISQ Quality Measures (2016)) > 1131 (CISQ Quality Measures (2016) - Security) > 397 (Declaration of Throws for Generic Exception)
The product throws or raises an overly broad exceptions that can hide important details and produce inappropriate responses to certain conditions.
* Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Unrestricted Upload of File with Dangerous Type - (434)
1128 (CISQ Quality Measures (2016)) > 1131 (CISQ Quality Measures (2016) - Security) > 434 (Unrestricted Upload of File with Dangerous Type)
The product allows the upload or transfer of dangerous file types that are automatically processed within its environment. Unrestricted File Upload
* Variant Variant - a weakness that is linked to a certain type of product, typically involving a specific language or technology. More specific than a Base weakness. Variant level weaknesses typically describe issues in terms of 3 to 5 of the following dimensions: behavior, property, technology, language, and resource. Missing Initialization of a Variable - (456)
1128 (CISQ Quality Measures (2016)) > 1131 (CISQ Quality Measures (2016) - Security) > 456 (Missing Initialization of a Variable)
The product does not initialize critical variables, which causes the execution environment to use unexpected values.
* Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Unchecked Input for Loop Condition - (606)
1128 (CISQ Quality Measures (2016)) > 1131 (CISQ Quality Measures (2016) - Security) > 606 (Unchecked Input for Loop Condition)
The product does not properly check inputs that are used for loop conditions, potentially leading to a denial of service or other consequences because of excessive looping.
* Class Class - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More specific than a Pillar Weakness, but more general than a Base Weakness. Class level weaknesses typically describe issues in terms of 1 or 2 of the following dimensions: behavior, property, and resource. Improper Locking - (667)
1128 (CISQ Quality Measures (2016)) > 1131 (CISQ Quality Measures (2016) - Security) > 667 (Improper Locking)
The product does not properly acquire or release a lock on a resource, leading to unexpected resource state changes and behaviors.
* Class Class - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More specific than a Pillar Weakness, but more general than a Base Weakness. Class level weaknesses typically describe issues in terms of 1 or 2 of the following dimensions: behavior, property, and resource. Operation on a Resource after Expiration or Release - (672)
1128 (CISQ Quality Measures (2016)) > 1131 (CISQ Quality Measures (2016) - Security) > 672 (Operation on a Resource after Expiration or Release)
The product uses, accesses, or otherwise operates on a resource after that resource has been expired, released, or revoked.
* Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Incorrect Conversion between Numeric Types - (681)
1128 (CISQ Quality Measures (2016)) > 1131 (CISQ Quality Measures (2016) - Security) > 681 (Incorrect Conversion between Numeric Types)
When converting from one data type to another, such as long to integer, data can be omitted or translated in a way that produces unexpected values. If the resulting values are used in a sensitive context, then dangerous behaviors may occur.
* Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Missing Release of Resource after Effective Lifetime - (772)
1128 (CISQ Quality Measures (2016)) > 1131 (CISQ Quality Measures (2016) - Security) > 772 (Missing Release of Resource after Effective Lifetime)
The product does not release a resource after its effective lifetime has ended, i.e., after the resource is no longer needed.
* Variant Variant - a weakness that is linked to a certain type of product, typically involving a specific language or technology. More specific than a Base weakness. Variant level weaknesses typically describe issues in terms of 3 to 5 of the following dimensions: behavior, property, technology, language, and resource. Memory Allocation with Excessive Size Value - (789)
1128 (CISQ Quality Measures (2016)) > 1131 (CISQ Quality Measures (2016) - Security) > 789 (Memory Allocation with Excessive Size Value)
The product allocates memory based on an untrusted, large size value, but it does not ensure that the size is within expected limits, allowing arbitrary amounts of memory to be allocated. Stack Exhaustion
* Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Use of Hard-coded Credentials - (798)
1128 (CISQ Quality Measures (2016)) > 1131 (CISQ Quality Measures (2016) - Security) > 798 (Use of Hard-coded Credentials)
The product contains hard-coded credentials, such as a password or cryptographic key.
* Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Loop with Unreachable Exit Condition ('Infinite Loop') - (835)
1128 (CISQ Quality Measures (2016)) > 1131 (CISQ Quality Measures (2016) - Security) > 835 (Loop with Unreachable Exit Condition ('Infinite Loop'))
The product contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop.
Category Category - a CWE entry that contains a set of other entries that share a common characteristic. CISQ Quality Measures (2016) - Performance Efficiency - (1132)
1128 (CISQ Quality Measures (2016)) > 1132 (CISQ Quality Measures (2016) - Performance Efficiency)
Weaknesses in this category are related to the CISQ Quality Measures for Performance Efficiency, as documented in 2016 with the Automated Source Code Performance Efficiency Measure (ASCPEM) Specification 1.0. Presence of these weaknesses could reduce the performance efficiency of the software.
* Variant Variant - a weakness that is linked to a certain type of product, typically involving a specific language or technology. More specific than a Base weakness. Variant level weaknesses typically describe issues in terms of 3 to 5 of the following dimensions: behavior, property, technology, language, and resource. Static Member Data Element outside of a Singleton Class Element - (1042)
1128 (CISQ Quality Measures (2016)) > 1132 (CISQ Quality Measures (2016) - Performance Efficiency) > 1042 (Static Member Data Element outside of a Singleton Class Element)
The code contains a member element that is declared as static (but not final), in which its parent class element is not a singleton class - that is, a class element that can be used only once in the 'to' association of a Create action.
* Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Data Element Aggregating an Excessively Large Number of Non-Primitive Elements - (1043)
1128 (CISQ Quality Measures (2016)) > 1132 (CISQ Quality Measures (2016) - Performance Efficiency) > 1043 (Data Element Aggregating an Excessively Large Number of Non-Primitive Elements)
The product uses a data element that has an excessively large number of sub-elements with non-primitive data types such as structures or aggregated objects.
* Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Creation of Immutable Text Using String Concatenation - (1046)
1128 (CISQ Quality Measures (2016)) > 1132 (CISQ Quality Measures (2016) - Performance Efficiency) > 1046 (Creation of Immutable Text Using String Concatenation)
The product creates an immutable text string using string concatenation operations.
* Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Excessive Data Query Operations in a Large Data Table - (1049)
1128 (CISQ Quality Measures (2016)) > 1132 (CISQ Quality Measures (2016) - Performance Efficiency) > 1049 (Excessive Data Query Operations in a Large Data Table)
The product performs a data query with a large number of joins and sub-queries on a large data table.
* Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Excessive Platform Resource Consumption within a Loop - (1050)
1128 (CISQ Quality Measures (2016)) > 1132 (CISQ Quality Measures (2016) - Performance Efficiency) > 1050 (Excessive Platform Resource Consumption within a Loop)
The product has a loop body or loop condition that contains a control element that directly or indirectly consumes platform resources, e.g. messaging, sessions, locks, or file descriptors.
* Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Data Access Operations Outside of Expected Data Manager Component - (1057)
1128 (CISQ Quality Measures (2016)) > 1132 (CISQ Quality Measures (2016) - Performance Efficiency) > 1057 (Data Access Operations Outside of Expected Data Manager Component)
The product uses a dedicated, central data manager component as required by design, but it contains code that performs data-access operations that do not use this data manager.
* Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Excessive Number of Inefficient Server-Side Data Accesses - (1060)
1128 (CISQ Quality Measures (2016)) > 1132 (CISQ Quality Measures (2016) - Performance Efficiency) > 1060 (Excessive Number of Inefficient Server-Side Data Accesses)
The product performs too many data queries without using efficient data processing functionality such as stored procedures.
* Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Creation of Class Instance within a Static Code Block - (1063)
1128 (CISQ Quality Measures (2016)) > 1132 (CISQ Quality Measures (2016) - Performance Efficiency) > 1063 (Creation of Class Instance within a Static Code Block)
A static code block creates an instance of a class.
* Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Excessive Execution of Sequential Searches of Data Resource - (1067)
1128 (CISQ Quality Measures (2016)) > 1132 (CISQ Quality Measures (2016) - Performance Efficiency) > 1067 (Excessive Execution of Sequential Searches of Data Resource)
The product contains a data query against an SQL table or view that is configured in a way that does not utilize an index and may cause sequential searches to be performed.
* Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Data Resource Access without Use of Connection Pooling - (1072)
1128 (CISQ Quality Measures (2016)) > 1132 (CISQ Quality Measures (2016) - Performance Efficiency) > 1072 (Data Resource Access without Use of Connection Pooling)
The product accesses a data resource through a database without using a connection pooling capability.
* Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Non-SQL Invokable Control Element with Excessive Number of Data Resource Accesses - (1073)
1128 (CISQ Quality Measures (2016)) > 1132 (CISQ Quality Measures (2016) - Performance Efficiency) > 1073 (Non-SQL Invokable Control Element with Excessive Number of Data Resource Accesses)
The product contains a client with a function or method that contains a large number of data accesses/queries that are sent through a data manager, i.e., does not use efficient database capabilities.
* Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Large Data Table with Excessive Number of Indices - (1089)
1128 (CISQ Quality Measures (2016)) > 1132 (CISQ Quality Measures (2016) - Performance Efficiency) > 1089 (Large Data Table with Excessive Number of Indices)
The product uses a large data table that contains an excessively large number of indices.
* Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Use of Object without Invoking Destructor Method - (1091)
1128 (CISQ Quality Measures (2016)) > 1132 (CISQ Quality Measures (2016) - Performance Efficiency) > 1091 (Use of Object without Invoking Destructor Method)
The product contains a method that accesses an object but does not later invoke the element's associated finalize/destructor method.
* Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Excessive Index Range Scan for a Data Resource - (1094)
1128 (CISQ Quality Measures (2016)) > 1132 (CISQ Quality Measures (2016) - Performance Efficiency) > 1094 (Excessive Index Range Scan for a Data Resource)
The product contains an index range scan for a large data table, but the scan can cover a large number of rows.
Vulnerability Mapping Notes

Usage: PROHIBITED

(this CWE ID must not be used to map to real-world vulnerabilities)

Reason: View

Rationale:

This entry is a View. Views are not weaknesses and therefore inappropriate to describe the root causes of vulnerabilities.

Comments:

Use this View or other Views to search and navigate for the appropriate weakness.
References
[REF-968] Consortium for Information & Software Quality (CISQ). "Automated Quality Characteristic Measures". 2016. <https://www.it-cisq.org/standards/automated-quality-characteristic-measures-maintainability/>. URL validated: 2025年08月04日.
View Metrics
CWEs in this view Total CWEs
Weaknesses 77 out of 944
Categories 4 out of 375
Views 0 out of 52
Total 81 out of 1371
Content History
Submissions
Submission Date Submitter Organization
2018年07月23日
(CWE 3.2, 2019年01月03日) 		CWE Content Team MITRE
View constructed using Common Quality Enumeration (CQE) draft 0.9, constructed using view 9001.
Modifications
Modification Date Modifier Organization
2020年02月24日 CWE Content Team MITRE
updated Description, View_Audience
2020年06月25日 CWE Content Team MITRE
updated References
2023年06月29日 CWE Content Team MITRE
updated Mapping_Notes
2025年09月09日
(CWE 4.18, 2025年09月09日) 		CWE Content Team MITRE
updated References
More information is available — Please edit the custom filter or select a different filter.
Page Last Updated: September 09, 2025

Use of the Common Weakness Enumeration (CWE™) and the associated references from this website are subject to the Terms of Use. CWE is sponsored by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and managed by the Homeland Security Systems Engineering and Development Institute (HSSEDI) which is operated by The MITRE Corporation (MITRE). Copyright © 2006–2025, The MITRE Corporation. CWE, CWSS, CWRAF, and the CWE logo are trademarks of The MITRE Corporation.

AltStyle によって変換されたページ (->オリジナル) /