
Veracode and the CWE

Veracode references the Common Weakness Enumeration (CWE) standard to map the flaws found in its static and dynamic scans.

Since its founding, Veracode has reported flaws using the industry standard Common Weakness Enumeration as a taxonomy. The CWE provides a mapping of all known types of software weakness or vulnerability, and provides supplemental information to help developers understand the cause of common weaknesses and how to fix them.

Veracode always uses the latest version of the CWE, and updates to new versions within 90 days of release. This page lists the flaws that Veracode may report in automated static and dynamic scans. When a flaw may be mapped to several CWEs, Veracode generally reports the most general CWE that describes that particular case. For example, Veracode prefers CWE-80 for cross-site scripting over its child CWEs. Veracode updates this list frequently.

Veracode Manual Penetration Testing scans may report any valid CWE. You can see the full list of CWEs at the Mitre CWE website.

The listed flaws are grouped according to a list of categories that Veracode uses for convenience. The categories generally correspond to common types of attacks.

Supported static and dynamic scans

The following tables list all the CWEs that Veracode searches for during static and dynamic scans, with the scan types (Static, Dynamic, DAST Essentials) in which each CWE is detected.

The Flaw severity column uses the following scale:

  • 0: Informational
  • 1: Very Low
  • 2: Low
  • 3: Medium
  • 4: High
  • 5: Very High

For more information, see Veracode flaw severities.

For the full list of CWEs that can prevent an application from passing the security standard rules in a policy, see CWEs that violate security standards.

API abuse

| CWE ID | CWE name | Flaw severity | Scans (Static / Dynamic / DAST Essentials) |
|---|---|---|---|
| 234 | Failure to Handle Missing Parameter | 3 | X |
| 243 | Creation of Chroot Jail Without Changing Working Directory | 4 | X |
| 245 | J2EE Bad Practices: Direct Management of Connections | 2 | X |
| 560 | Use of Umask() with Chmod-Style Argument | 3 | X |
| 628 | Function Call with Incorrectly Specified Arguments | 2 | X |
| 675 | Duplicate Operations on Resource | 2 | X |

Authentication issues

| CWE ID | CWE name | Flaw severity | Scans (Static / Dynamic / DAST Essentials) |
|---|---|---|---|
| 284 | Improper Access Control | 3 | XXX |
| 287 | Improper Authentication | 4 | XXX |
| 352 | Cross-Site Request Forgery (CSRF) | 3 | XXX |
| 693 | Protection Mechanism Failure | 3 | XX |

Authorization issues

| CWE ID | CWE name | Flaw severity | Scans (Static / Dynamic / DAST Essentials) |
|---|---|---|---|
| 99 | Improper Control of Resource Identifiers | 3 | X |
| 272 | Least Privilege Violation | 3 | X |
| 273 | Improper Check for Dropped Privileges | 3 | X |
| 274 | Improper Handling of Insufficient Privileges | 0 | X |
| 282 | Improper Ownership Management | 3 | X |
| 285 | Improper Authorization | 3 | XXX |
| 346 | Origin Validation Error | 3 | X |
| 350 | Reliance on Reverse DNS Resolution for a Security-Critical Action | 3 | X |
| 639 | Authorization Bypass Through User-Controlled Key | 4 | X |
| 566 | Authorization Bypass Through User-Controlled SQL Primary Key | 3 | X |
| 708 | Incorrect Ownership Assignment | 4 | X |
| 732 | Incorrect Permission Assignment for Critical Resource | 3 | X |
| 942 | Permissive Cross-domain Policy with Untrusted Domains | 3 | XXX |

Buffer management errors

| CWE ID | CWE name | Flaw severity | Scans (Static / Dynamic / DAST Essentials) |
|---|---|---|---|
| 118 | Improper Access of Indexable Resource (Range Error) | 3 | X |
| 125 | Out-of-Bounds Read | 3 | X |
| 129 | Improper Validation of Array Index | 3 | X |
| 135 | Incorrect Calculation of Multi-Byte String Length | 5 | X |
| 170 | Improper Null Termination | 3 | X |
| 193 | Off-by-One Error | 3 | X |
| 787 | Out-of-Bounds Write | 3 | X |
| 823 | Use of Out-of-Range Pointer Offset | 3 | X |
| 824 | Access of Uninitialized Pointer | 3 | X |

Buffer overflow

| CWE ID | CWE name | Flaw severity | Scans (Static / Dynamic / DAST Essentials) |
|---|---|---|---|
| 121 | Stack-Based Buffer Overflow | 5 | X |

Code injection

| CWE ID | CWE name | Flaw severity | Scans (Static / Dynamic / DAST Essentials) |
|---|---|---|---|
| 74 | Improper Neutralization of Special Elements in Output Used by a Downstream Component (Injection) | 4 | XX |
| 91 | XML Injection (Blind XPath Injection) | 3 | XX |
| 94 | Improper Control of Generation of Code | 3 | X |
| 95 | Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') | 5 | XX |
| 98 | Improper Control of Filename for Include/Require Statement in PHP Program (PHP File Inclusion) | 4 | XXX |
| 185 | Incorrect Regular Expression | 2 | X |
| 830 | Inclusion of Web Functionality from an Untrusted Source | 2 | X |

Code quality

| CWE ID | CWE name | Flaw severity | Scans (Static / Dynamic / DAST Essentials) |
|---|---|---|---|
| 111 | Direct Use of Unsafe JNI | 4 | X |
| 159 | Failure to Sanitize Special Element | 0 | X |
| 401 | Improper Release of Memory Before Removing Last Reference (Memory Leak) | 2 | X |
| 404 | Improper Resource Shutdown or Release | 0 | X |
| 415 | Double Free | 3 | X |
| 416 | Use After Free | 2 | X |
| 477 | Use of Obsolete Functions | 0 | XX |
| 479 | Signal Handler Use of a Non-Reentrant Function | 3 | X |
| 489 | Leftover Debug Code | 3 | X |
| 597 | Use of Wrong Operator in String Comparison | 2 | X |

Command or argument injection

| CWE ID | CWE name | Flaw severity | Scans (Static / Dynamic / DAST Essentials) |
|---|---|---|---|
| 77 | Improper Neutralization of Special Elements used in a Command (Command Injection) | 5 | XX |
| 78 | Improper Neutralization of Special Elements used in an OS Command (OS Command Injection) | 5 | XXX |
| 88 | Argument Injection or Modification | 3 | X |

Credentials management

| CWE ID | CWE name | Flaw severity | Scans (Static / Dynamic / DAST Essentials) |
|---|---|---|---|
| 256 | Plaintext Storage of a Password | 3 | X |
| 259 | Use of Hard-coded Password | 3 | XX |
| 522 | Insufficiently Protected Credentials | 3 | XXX |
| 798 | Use of Hard-coded Credentials | 3 | X |

CRLF injection

| CWE ID | CWE name | Flaw severity | Scans (Static / Dynamic / DAST Essentials) |
|---|---|---|---|
| 93 | Improper Neutralization of CRLF Sequences (CRLF Injection) | 3 | X |
| 113 | Improper Neutralization of CRLF Sequences in HTTP Headers (HTTP Response Splitting) | 3 | XX |
| 117 | Improper Output Neutralization for Logs | 3 | X |

Cross-site scripting (XSS)

| CWE ID | CWE name | Flaw severity | Scans (Static / Dynamic / DAST Essentials) |
|---|---|---|---|
| 79 | Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) | 3 | XXX |
| 80 | Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) | 3 | XXX |
| 83 | Improper Neutralization of Script in Attributes in a Web Page | 3 | XXX |
| 86 | Improper Neutralization of Invalid Characters in Identifiers in Web Pages | 3 | X |

Cryptographic issues

| CWE ID | CWE name | Flaw severity | Scans (Static / Dynamic / DAST Essentials) |
|---|---|---|---|
| 261 | Weak Cryptography for Passwords | 3 | X |
| 295 | Improper Certificate Validation | 3 | XX |
| 296 | Improper Following of Chain of Trust for Certificate Validation | 3 | XX |
| 297 | Improper Validation of Host-specific Certificate Data | 3 | XXX |
| 298 | Improper Validation of Certificate Expiration | 3 | XX |
| 299 | Improper Check for Certificate Revocation | 3 | XX |
| 311 | Missing Encryption of Sensitive Data | 3 | X |
| 312 | Cleartext Storage of Sensitive Information | 3 | X |
| 313 | Plaintext Storage in a File or on Disk | 3 | X |
| 316 | Plaintext Storage in Memory | 3 | X |
| 319 | Cleartext Transmission of Sensitive Information | 3 | X |
| 321 | Use of Hard-coded Cryptographic Key | 3 | XX |
| 326 | Inadequate Encryption Strength | 3 | XXX |
| 327 | Use of a Broken or Risky Cryptographic Algorithm | 3 | XXX |
| 328 | Reversible One-Way Hash | 3 | X |
| 329 | Not Using a Random IV with CBC Mode | 2 | XX |
| 330 | Use of Insufficiently Random Values | 3 | X |
| 331 | Insufficient Entropy | 3 | X |
| 338 | Use of Cryptographically Weak Pseudo-Random Number Generator | 3 | X |
| 347 | Improper Verification of Cryptographic Signature | 2 | X |
| 354 | Improper Validation of Integrity Check Value | 3 | X |
| 547 | Use of Hard-coded, Security-relevant Constants | 3 | X |
| 614 | Sensitive Cookie in HTTPS Session Without Secure Attribute | 2 | XXX |
| 760 | Use of a One-Way Hash with a Predictable Salt | 3 | X |
| 780 | Use of RSA without Optimal Asymmetric Encryption Padding | 3 | X |
| 916 | Use of Password Hash With Insufficient Computational Effort | 3 | X |

Dangerous functions

| CWE ID | CWE name | Flaw severity | Scans (Static / Dynamic / DAST Essentials) |
|---|---|---|---|
| 242 | Use of Inherently Dangerous Function | 5 | X |
| 676 | Use of Potentially Dangerous Function | 3 | X |

Deployment configuration

| CWE ID | CWE name | Flaw severity | Scans (Static / Dynamic / DAST Essentials) |
|---|---|---|---|
| 402 | Transmission of Private Resources into a New Sphere (Resource Leak) | 3 | X |
| 668 | Exposure of Resource to Wrong Sphere | 3 | XXX |
| 926 | Improper Export of Android Application Components | 3 | X |

Directory traversal

| CWE ID | CWE name | Flaw severity | Scans (Static / Dynamic / DAST Essentials) |
|---|---|---|---|
| 22 | Improper Limitation of a Pathname to a Restricted Directory (Path Traversal) | 3 | XXX |
| 35 | Path Traversal | 2 | XX |
| 73 | External Control of File Name or Path | 3 | X X |

Encapsulation

| CWE ID | CWE name | Flaw severity | Scans (Static / Dynamic / DAST Essentials) |
|---|---|---|---|
| 494 | Download of Code Without Integrity Check | 5 | X |
| 501 | Trust Boundary Violation | 3 | X |
| 502 | Deserialization of Untrusted Data | 3 | XX |
| 749 | Exposed Dangerous Method or Function | 4 | X |

Error handling

| CWE ID | CWE name | Flaw severity | Scans (Static / Dynamic / DAST Essentials) |
|---|---|---|---|
| 248 | Uncaught Exception | 2 | X |
| 252 | Unchecked Return Value | 2 | X |

Format string

| CWE ID | CWE name | Flaw severity | Scans (Static / Dynamic / DAST Essentials) |
|---|---|---|---|
| 134 | Use of Externally-Controlled Format String | 5 | X |

Information leakage

| CWE ID | CWE name | Flaw severity | Scans (Static / Dynamic / DAST Essentials) |
|---|---|---|---|
| 200 | Information Exposure | 2 | XXX |
| 201 | Insertion of Sensitive Information Into Sent Data | 2 | X |
| 209 | Information Exposure Through an Error Message | 2 | XX |
| 215 | Information Exposure Through Debug Information | 2 | XX |
| 359 | Exposure of Private Information (Privacy Violation) | 2 | X |
| 497 | Exposure of System Data to an Unauthorized Control Sphere | 2 | X |
| 526 | Information Exposure Through Environmental Variables | 2 | X |
| 530 | Exposure of Backup File to an Unauthorized Control Sphere | 2 | XX |
| 532 | Insertion of Sensitive Information into Log File | 2 | X |
| 538 | File and Directory Information Exposure | 0 | XX |
| 548 | Information Exposure Through Directory Listing | 2 | XX |
| 611 | Information Exposure Through XML External Entity Reference | 3 | XXX |
| 615 | Information Exposure Through Comments | 0 | XX |
| 665 | Improper Initialization | 2 | X |
| 918 | Server-side Request Forgery | 3 | XX |

Insecure dependencies

| CWE ID | CWE name | Flaw severity | Scans (Static / Dynamic / DAST Essentials) |
|---|---|---|---|
| 829 | Inclusion of Functionality from Untrusted Control Sphere | 3 | XXX |

Insufficient input validation

| CWE ID | CWE name | Flaw severity | Scans (Static / Dynamic / DAST Essentials) |
|---|---|---|---|
| 20 | Improper Input Validation | 0 | X |
| 90 | Improper Neutralization of Special Elements Used in an LDAP Query (LDAP Injection) | 3 | X |
| 103 | Struts: Incomplete validate() Method Definition | 3 | X |
| 104 | Struts: Form Bean Does Not Extend Validation Class | 3 | X |
| 112 | Missing XML Validation | 3 | XX |
| 115 | Misinterpretation of Input | 4 | X |
| 183 | Permissive List of Allowed Inputs | 3 | X |
| 345 | Insufficient Verification of Data Authenticity | 4 | XX |
| 434 | Unrestricted Upload of File with Dangerous Type | 4 | X |
| 470 | Use of Externally-Controlled Input to Select Classes or Code (Unsafe Reflection) | 3 | X |
| 472 | External Control of Assumed-Immutable Web Parameter | 3 | X |
| 601 | URL Redirection to Untrusted Site (Open Redirect) | 3 | XX |
| 618 | Exposed Unsafe ActiveX Method | 5 | X |
| 915 | Improperly Controlled Modification of Dynamically-Determined Object Attributes | 3 | X |
| 1174 | ASP.NET Misconfiguration: Improper Model Validation | 2 | X |
| 1236 | Improper Neutralization of Formula Elements in a CSV File | 3 | X |

Insufficient logging and monitoring

| CWE ID | CWE name | Flaw severity | Scans (Static / Dynamic / DAST Essentials) |
|---|---|---|---|
| 223 | Omission of Security-relevant Information | 2 | X |

Numeric errors

| CWE ID | CWE name | Flaw severity | Scans (Static / Dynamic / DAST Essentials) |
|---|---|---|---|
| 190 | Integer Overflow or Wraparound | 5 | X |
| 191 | Integer Underflow (Wrap or Wraparound) | 3 | X |
| 192 | Integer Coercion Error | 3 | X |
| 195 | Signed to Unsigned Conversion Error | 3 | X |
| 196 | Unsigned to Signed Conversion Error | 3 | X |
| 197 | Numeric Truncation Error | 3 | X |

Potential backdoor

| CWE ID | CWE name | Flaw severity | Scans (Static / Dynamic / DAST Essentials) |
|---|---|---|---|
| 398 | Indicator of Poor Code Quality | 0 | X |
| 506 | Embedded Malicious Code | 4 | X |
| 511 | Logic/Time Bomb | 5 | X |
| 514 | Covert Channel | 2 | X |
| 656 | Reliance on Security Through Obscurity | 0 | X |

Race conditions

| CWE ID | CWE name | Flaw severity | Scans (Static / Dynamic / DAST Essentials) |
|---|---|---|---|
| 366 | Race Condition within a Thread | 3 | X |
| 367 | Time-of-check Time-of-use (TOCTOU) Race Condition | 3 | X |
| 421 | Race Condition During Access to Alternate Channel | 3 | X |

Server configuration

| CWE ID | CWE name | Flaw severity | Scans (Static / Dynamic / DAST Essentials) |
|---|---|---|---|
| 16 | Configuration | 0 | XX |
| 441 | Unintended Proxy or Intermediary (Confused Deputy) | 3 | X |
| 642 | External Control of Critical State Data | 2 | X |
| 757 | Selection of Less-Secure Algorithm During Negotiation (Algorithm Downgrade) | 3 | XXX |

Session fixation

| CWE ID | CWE name | Flaw severity | Scans (Static / Dynamic / DAST Essentials) |
|---|---|---|---|
| 384 | Session Fixation | 3 | XX |

SQL injection

| CWE ID | CWE name | Flaw severity | Scans (Static / Dynamic / DAST Essentials) |
|---|---|---|---|
| 89 | Improper Neutralization of Special Elements used in an SQL Command (SQL Injection) | 4 | XXX |
| 564 | SQL Injection: Hibernate | 4 | X |
| 943 | Improper Neutralization of Special Elements in Data Query Logic | 4 | X |

Time and state

| CWE ID | CWE name | Flaw severity | Scans (Static / Dynamic / DAST Essentials) |
|---|---|---|---|
| 377 | Insecure Temporary File | 3 | X |
| 382 | J2EE Bad Practices: Use of System.exit() | 2 | X |
| 557 | Concurrency Issues | 2 | X |
| 691 | Insufficient Control Flow Management | 0 | X |

Untrusted initialization

| CWE ID | CWE name | Flaw severity | Scans (Static / Dynamic / DAST Essentials) |
|---|---|---|---|
| 15 | External Control of System or Configuration Setting | 4 | X |
| 454 | External Initialization of Trusted Variables or Data Stores | 0 | X |

Untrusted search path

| CWE ID | CWE name | Flaw severity | Scans (Static / Dynamic / DAST Essentials) |
|---|---|---|---|
| 114 | Process Control | 5 | X |
| 426 | Untrusted Search Path | 3 | X |
| 427 | Uncontrolled Search Path Element | 3 | X |