CWE Compliance

Parasoft supports the Common Weakness Enumeration (CWE) guidelines with dedicated code analysis configurations that map to best practices outlined in the standard.

Secure Application Development Beyond Static Analysis

Secure application development involves more than static analysis. It requires a mixture of test and analysis methods applied throughout the SDLC, together with a broad set of software life cycle management and vulnerability/risk management activities integrated across the process, to ensure the delivery of secure and reliable software.

Parasoft addresses both of these expectations with its Application Security Solution, which was recently awarded the Jolt award in the “Security” category. This integrated system extends Parasoft’s static analysis capabilities, providing a pre-configured system with processes and best practices that help organizations produce secure applications consistently and efficiently.

The complete solution integrates project and task management with a broad spectrum of secure application development practices, including penetration testing, authentication/encryption/access control validation, code review, runtime analysis, and more. It drives security tasks to a predictable outcome according to defined industry standards or management’s expectations. This gives organizations the comprehensive process visibility and control needed to satisfy security requirements effectively.

Establish, Apply, and Monitor Adherence to Policies

Parasoft’s policy-driven approach defines the organization’s expectations around quality while ensuring consistent, unobtrusive policy application. The automated infrastructure monitors policy compliance continuously, providing visibility and auditability.
  • Drives expected behavior throughout the SDLC to promote predictable outcomes
  • Delivers an actionable set of tasks that are measurable through completion
  • Provides the control needed to continuously improve the process of delivering business applications

Parasoft Support for CWE in Java

The following table shows how MITRE’s Common Weakness Enumeration (CWE) maps to Parasoft’s static analysis rules for Java. Parasoft supports CWE guidelines for C, C++, and .NET as well.
| CWE ID | CWE Name/Description | Parasoft Rule ID(s) |
|---|---|---|
| CWE-6 | J2EE Misconfiguration: Insufficient Session-ID Length | SECURITY.UEC.SLID |
| CWE-8 | J2EE Misconfiguration: Entity Bean Declared Remote | EJB.RR |
| CWE-9 | Misconfiguration: Weak Access Permissions for EJB Methods | EJB.DPANY |
| CWE-15 | External Control of System or Configuration Setting | SECURITY.BV.SYSP, SERVLET.UCO |
| CWE-22 | Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) | BD.SECURITY.TDFNAMES |
| CWE-73 | External Control of File Name or Path | BD.SECURITY.TDFNAMES |
| CWE-78 | Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) | BD.SECURITY.TDCMD, BD.SECURITY.TDENV |
| CWE-79 | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) | BD.SECURITY.TDRESP, BD.SECURITY.TDXSS, SECURITY.IBA.CDBV, SECURITY.IBA.VPPD |
| CWE-80 | Improper Neutralization of Script-Related HTML Tags in a Web Page | BD.SECURITY.TDRESP, BD.SECURITY.TDXML, SECURITY.WSC.ARXML |
| CWE-89 | Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) | BD.SECURITY.TDSQL, SECURITY.IBA.UPS |
| CWE-90 | Improper Neutralization of Special Elements used in an LDAP Query (‘LDAP Injection’) | BD.SECURITY.TDLDAP |
| CWE-102 | Struts: Duplicate Validation Forms | STRUTS.DFV |
| CWE-104 | Struts: Form Bean Does Not Extend Validation Class | SECURITY.IBA.AEAF |
| CWE-105 | Struts: Form Field Without Validator | STRUTS.MVF |
| CWE-106 | Struts: Plug-in Framework not in Use | STRUTS.PLUGIN |
| CWE-107 | Struts: Unused Validation Form | STRUTS.MVF |
| CWE-108 | Struts: Unused Validation Form | STRUTS.MVF |
| CWE-109 | Struts: Validator Turned Off | STRUTS.EV |
| CWE-110 | Struts: Validator Without Form Field | STRUTS.MVF |
| CWE-111 | Direct Use of Unsafe JNI | PORT.NATV, SECURITY.IBA.NATIW |
| CWE-112 | Missing XML Validation | XML.VDBF |
| CWE-113 | Improper Neutralization of CRLF Sequences in HTTP Headers (‘HTTP Response Splitting’) | BD.SECURITY.TDRESP |
| CWE-114 | Process Control | BD.SECURITY.TDLIB |
| CWE-117 | Improper Output Neutralization for Logs | BD.SECURITY.TDLOG |
| CWE-129 | Improper Validation of Array Index | BD.PB.ARRAY, BD.PB.ARRAYINP, PB.RE.CAI |
| CWE-180 | Incorrect Behavior Order: Validate Before Canonicalize | BD.SECURITY.TDRESP, SECURITY.WSC.SSM |
| CWE-190 | Integer Overflow or Wraparound | PB.NUM.BSA, PB.NUM.CACO, PB.NUM.ICO |
| CWE-191 | Integer Underflow (Wrap or Wraparound) | PB.NUM.BSA |
| CWE-193 | Off-by-one Error | PB.LOGIC.AOBO |
| CWE-197 | Numeric Truncation Error | PB.NUM.CLP |
| CWE-209 | Information Exposure Through an Error Message | BD.SECURITY.SENS, SECURITY.ESD.PEO, SECURITY.WSC.ACPST |
| CWE-245 | J2EE Bad Practices: Direct Management of Connections | SPRING.JDBCTEMPLATE |
| CWE-250 | Execution with Unnecessary Privileges | SECURITY.EAB.LDP, SECURITY.EAB.PCL |
| CWE-252 | Unchecked Return Value | PB.LOGIC.CRRV |
| CWE-256 | Plaintext Storage of a Password | PROPS.PLAIN, SECURITY.UEC.PWD |
| CWE-258 | Empty Password in Configuration File | SECURITY.UEC.PWD |
| CWE-259 | Use of Hard-coded Password | SECURITY.WSC.HCCS |
| CWE-306 | Missing Authentication for Critical Function | SECURITY.WSC.CAM, SECURITY.WSC.PAC, SECURITY.WSC.PPF, SECURITY.WSC.SSM, SECURITY.WSC.UOSC, SECURITY.WSC.USC |
| CWE-311 | Missing Encryption of Sensitive Data | SECURITY.ESD.CONSEN, SECURITY.ESD.PEO, SECURITY.UEC.HTTPS, SECURITY.WSC.USC |
| CWE-313 | Cleartext Storage in a File or on Disk | PROPS.PLAIN |
| CWE-315 | Cleartext Storage of Sensitive Information in a Cookie | SECURITY.ESD.PLC |
| CWE-321 | Use of Hard-coded Cryptographic Key | SECURITY.WSC.HCCK |
| CWE-327 | Use of a Broken or Risky Cryptographic Algorithm | SECURITY.WSC.ICA, SECURITY.WSC.SRD |
| CWE-328 | Reversible One-Way Hash | SECURITY.WSC.ICA |
| CWE-329 | Not Using a Random IV with CBC Mode | SECURITY.WSC.ENPP, SECURITY.WSC.IVR |
| CWE-330 | Use of Insufficiently Random Values | SECURITY.WSC.SRD |
| CWE-336 | Same Seed in PRNG | SECURITY.WSC.ENPP |
| CWE-337 | Predictable Seed in PRNG | SECURITY.WSC.ENPP |
| CWE-338 | Use of Cryptographically Weak PRNG | SECURITY.WSC.SRD |
| CWE-347 | Improper Verification of Cryptographic Signature | SECURITY.WSC.VJFS |
| CWE-352 | Cross-Site Request Forgery (CSRF) | BD.SECURITY.TDRESP, SECURITY.ESD.UPCT, SECURITY.IBA.VPPD, SECURITY.WSC.PAC, SECURITY.WSC.PACC, SECURITY.WSC.PPF, SECURITY.WSC.UOSC |
| CWE-367 | Time-of-check Time-of-use (TOCTOU) Race Condition | PB.CUB.TOCTOU |
| CWE-369 | Divide By Zero | BD.PB.ZERO |
| CWE-382 | J2EE Bad Practices: Use of System.exit() | CODSTA.BP.EXIT, SECURITY.EAB.JVM |
| CWE-383 | J2EE Bad Practices: Direct Use of Threads | SECURITY.DRC.THR |
| CWE-384 | Session Fixation | SECURITY.WSC.ISL |
| CWE-390 | Detection of Error Condition Without Action | SECURITY.UEHL.LGE |
| CWE-391 | Unchecked Error Condition | PB.TYPO.AECB |
| CWE-395 | Use of NullPointerException Catch to Detect NULL Pointer Dereference | EXCEPT.NCNPE |
| CWE-396 | Declaration of Catch for Generic Exception | CODSTA.EPC.NCE |
| CWE-397 | Declaration of Throws for Generic Exception | CODSTA.BP.NTX, EXCEPT.NTERR |
| CWE-401 | Improper Release of Memory Before Removing Last Reference (‘Memory Leak’) | SERVLET.LML |
| CWE-404 | Improper Resource Shutdown or Release | BD.RES.LEAKS |
| CWE-413 | Improper Resource Locking | TRS.LORD |
| CWE-431 | Missing Handler | SERVLET.CETS |
| CWE-457 | Use of Uninitialized Variable | BD.PB.NOTINITCTOR |
| CWE-470 | Use of Externally-Controlled Input to Select Classes or Code | BD.SECURITY.TDRFL |
| CWE-476 | NULL Pointer Dereference | BD.EXCEPT.NP |
| CWE-477 | Use of Obsolete Functions | PB.API.DPRAPI |
| CWE-478 | Missing Default Case in Switch Statement | PB.PDS |
| CWE-481 | Assigning instead of Comparing | PB.TYPO.ASI |
| CWE-483 | Incorrect Block Delimitation | CODSTA.BP.BLK, PB.CUB.EBI |
| CWE-484 | Omitted Break Statement in Switch | PB.CUB.SBC, PB.TYPO.DAV |
| CWE-486 | Comparison of Classes by Name | SECURITY.EAB.CMP |
| CWE-487 | Reliance on Package-level Scope | OOP.AF |
| CWE-491 | Public cloneable() Method Without Final (‘Object Hijack’) | SECURITY.WSC.CLONE |
| CWE-494 | Download of Code Without Integrity Check | SECURITY.WSC.USC |
| CWE-495 | Private Array-Typed Field Returned From A Public Method | SECURITY.ESD.RA |
| CWE-496 | Public Data Assigned to Private Array-Typed Field | SECURITY.WSC.CAP |
| CWE-497 | Exposure of System Data to an Unauthorized Control Sphere | BD.SECURITY.SENS, SECURITY.ESD.ACW, SECURITY.ESD.PEO |
| CWE-499 | Serializable Class Containing Sensitive Data | SECURITY.ESD.SIF, SECURITY.WSC.SER |
| CWE-500 | Public Static Field Not Marked Final | SECURITY.EAB.SPFF |
| CWE-522 | Insufficiently Protected Credentials | SECURITY.UEC.PTPT |
| CWE-533 | Information Exposure Through Server Log Files | SECURITY.ESD.CONSEN |
| CWE-534 | Information Exposure Through Debug Log Files | SECURITY.ESD.CONSEN |
| CWE-543 | Use of Singleton Pattern Without Synchronization in a Multithreaded Context | TRS.IASF, TRS.ILI |
| CWE-545 | Use of Dynamic Class Loading | SECURITY.WSC.APIBS |
| CWE-546 | Suspicious Comment | CODSTA.ORG.TODO |
| CWE-563 | Unused Variable | GLOBAL.UPPF, UC.AURV, UC.PF |
| CWE-568 | finalize() Method Without super.finalize() | GC.FCF |
| CWE-570 | Expression is Always False | BD.PB.CC |
| CWE-571 | Expression is Always True | BD.PB.CC |
| CWE-572 | Call to Thread run() instead of start() | TRS.IRUN |
| CWE-576 | EJB Bad Practices: Use of Java I/O | EJB.JIO |
| CWE-577 | EJB Bad Practices: Use of Sockets | EJB.AUS |
| CWE-578 | EJB Bad Practices: Use of Class Loader | EJB.ACL |
| CWE-579 | J2EE Bad Practices: Non-serializable Object Stored in Session | PB.API.ONS, SERIAL.SNSO |
| CWE-580 | clone() Method Without super.clone() | CODSTA.EPC.SCLONE |
| CWE-581 | Object Model Violation: Just One of Equals and Hashcode Defined | CODSTA.OIM.OVERRIDE |
| CWE-582 | Array Declared Public, Final, and Static | PB.CUB.PSFA |
| CWE-583 | finalize() Method Declared Public | OOP.MFP |
| CWE-584 | Return Inside Finally Block | PB.CUB.ARCF |
| CWE-585 | Empty Synchronized Block | UC.SNE |
| CWE-586 | Explicit Call to Finalize() | GC.NCF |
| CWE-594 | J2EE Framework: Saving Unserializable Objects to Disk | EJB.EJB3.SIVS |
| CWE-595 | Comparison of Object References Instead of Object Contents | PB.CUB.UEIC |
| CWE-597 | Use of Wrong Operator in String Comparison | PB.CUB.UEIC |
| CWE-598 | Information Exposure Through Query Strings in GET Request | SECURITY.ESD.UPCT |
| CWE-600 | Uncaught Exception in Servlet | SERVLET.CETS |
| CWE-601 | URL Redirection to Untrusted Site (‘Open Redirect’) | BD.SECURITY.TDNET, BD.SECURITY.TDRESP, SECURITY.IBA.VRD, SERVLET.UCO |
| CWE-607 | Public Static Final Field References Mutable Object | PB.CUB.RMO |
| CWE-609 | Double-Checked Locking | TRS.DCL |
| CWE-613 | Insufficient Session Expiration | SECURITY.UEC.STTL |
| CWE-614 | Sensitive Cookie in HTTPS Session Without ‘Secure’ Attribute | SECURITY.WSC.UOSC |
| CWE-615 | Information Exposure Through Comments | JSP.AHC |
| CWE-643 | Improper Neutralization of Data within XPath Expressions (‘XPath Injection’) | BD.SECURITY.TDJXPATH, BD.SECURITY.TDXPATH |
| CWE-665 | Improper Initialization | BD.PB.NOTEXPLINIT |
| CWE-674 | Uncontrolled Recursion | PB.LOGIC.FLRC |
| CWE-676 | Use of Potentially Dangerous Function | SECURITY.WSC.SRD |
| CWE-681 | Incorrect Conversion between Numeric Types | PB.NUM.CLP, PB.NUM.IDCD |
| CWE-690 | Unchecked Return Value to NULL Pointer Dereference | BD.EXCEPT.NP, PB.RE.MCRN |
| CWE-732 | Incorrect Permission Assignment for Critical Resource | SECURITY.WSC.PACC |
| CWE-772 | Missing Release of Resource after Effective Lifetime | HIBERNATE.CHS, HIBERNATE.CSF, JDBC.CDBC, JDBC.RRWD, OPT.CCR, OPT.CIO, OPT.CRWD |
| CWE-775 | Missing Release of File Descriptor or Handle after Effective Lifetime | PB.CLOSE |
| CWE-780 | Use of RSA Algorithm without OAEP | SECURITY.WSC.ICA |
| CWE-798 | Use of Hard-coded Credentials | HIBERNATE.UPWD, SECURITY.UEC.PCCF, SECURITY.UEC.PTPT, SECURITY.UEC.PWD, SECURITY.UEC.UTAX, SECURITY.UEC.WCPWD, SECURITY.UEC.WPWD, SECURITY.WSC.HCCS |
| CWE-807 | Reliance on Untrusted Inputs in a Security Decision | SECURITY.ESD.PLC, SECURITY.WSC.UOSC |
| CWE-833 | Deadlock | BD.TRS.LOCK, BD.TRS.TSHL, TRS.CSFS, TRS.RLF, TRS.STR |
| CWE-835 | Loop with Unreachable Exit Condition (‘Infinite Loop’) | PB.LOGIC.AIL |
| CWE-862 | Missing Authorization | EJB.EJB3.PERMIT, SECURITY.UEC.LCA |
| CWE-863 | Incorrect Authorization | SECURITY.UEC.DSR, SECURITY.UEC.SRCD |