Category: Bad Coding Practices
Draft
Summary
Weaknesses in this category are related to coding practices that are deemed unsafe and increase the chances that an exploitable vulnerability will be present in the application. These weaknesses do not directly introduce a vulnerability, but indicate that the product has not been carefully developed or maintained. If a program is complex, difficult to maintain, not portable, or shows evidence of neglect, then there is a higher likelihood that weaknesses are buried in the code.
Membership
| ID | Name | Description |
|---|---|---|
| CWE-1041 | Use of Redundant Code | This weakness occurs when a codebase contains identical or nearly identical logic duplicated across multiple functions, methods, or modules. This redundancy creates unnecessary complexity and maintenance overhead. |
| CWE-1043 | Data Element Aggregating an Excessively Large Number of Non-Primitive Elements | This weakness occurs when a data structure, like a class or object, contains too many complex sub-elements (e.g., other objects or structs) instead of simple primitive types. |
| CWE-1044 | Architecture with Number of Horizontal Layers Outside of Expected Range | This occurs when a software system is built with either too many or too few distinct architectural layers, falling outside a recommended range that supports maintainability and security. |
| CWE-1045 | Parent Class with a Virtual Destructor and a Child Class without a Virtual Destructor | This occurs when a base class defines a virtual destructor, but a derived class inherits from it without declaring its own virtual destructor. |
| CWE-1046 | Creation of Immutable Text Using String Concatenation | This weakness occurs when code builds a string within a loop using simple concatenation (like +=), which unintentionally creates new string objects every time instead of efficiently appending to a buffer. |
| CWE-1048 | Invokable Control Element with Large Number of Outward Calls | This weakness occurs when a single function, method, or callable code block makes an excessively high number of calls to other objects or components outside its immediate scope. This creates a complex, tightly-coupled web of dependencies that is difficult to manage. |
| CWE-1049 | Excessive Data Query Operations in a Large Data Table | This weakness occurs when an application runs a database query that uses numerous joins and sub-queries on a very large table, leading to severe performance degradation. |
| CWE-1050 | Excessive Platform Resource Consumption within a Loop | This vulnerability occurs when a loop contains code that repeatedly consumes critical system resources like file handles, database connections, memory, or session locks. Each iteration of the loop drains these finite platform assets without proper release. |
| CWE-1063 | Creation of Class Instance within a Static Code Block | This weakness occurs when a class instance is created inside a static initializer block, causing premature and potentially expensive object creation. |
| CWE-1065 | Runtime Resource Management Control Element in a Component Built to Run on Application Servers | This weakness occurs when an application built to run on a managed application server bypasses the server's high-level APIs and instead uses low-level operating system calls to directly control resources like memory, files, or threads. |
| CWE-1066 | Missing Serialization Control Element | This weakness occurs when a class or data structure is marked as serializable but lacks the required control methods to properly handle the serialization and deserialization process. |
| CWE-1067 | Excessive Execution of Sequential Searches of Data Resource | This weakness occurs when a database query is structured in a way that forces the system to scan entire tables row-by-row, instead of using an available index for efficient lookups. |
| CWE-1070 | Serializable Data Element Containing non-Serializable Item Elements | This weakness occurs when a class or data structure is marked as serializable, but it contains one or more member elements that cannot be serialized. This mismatch prevents the entire object from being properly saved or transmitted. |
| CWE-1071 | Empty Code Block | An empty code block occurs when a section of source code, such as a conditional statement or function body, contains no executable statements. |
| CWE-1072 | Data Resource Access without Use of Connection Pooling | This weakness occurs when an application creates a new database connection for every request instead of using a managed connection pool. This inefficient pattern forces the system to repeatedly endure the full overhead of establishing and tearing down connections. |
| CWE-1073 | Non-SQL Invokable Control Element with Excessive Number of Data Resource Accesses | This weakness occurs when a client-side function or method makes an excessive number of individual data requests through a non-SQL data manager, instead of using more efficient bulk operations or database-native capabilities. |
| CWE-1079 | Parent Class without Virtual Destructor Method | This occurs when a base class, designed to be inherited from, does not declare its destructor as virtual. This oversight prevents proper cleanup when objects are deleted through a pointer to the parent class. |
| CWE-1082 | Class Instance Self Destruction Control Element | This vulnerability occurs when an object's code contains logic that triggers its own deletion or destruction during runtime. |
| CWE-1084 | Invokable Control Element with Excessive File or Data Access Operations | This weakness occurs when a single function or method performs an excessive number of file or database operations, such as repeated reads, writes, or queries. It over-relies on a single data manager or file resource, creating a tightly coupled and fragile code structure. |
| CWE-1085 | Invokable Control Element with Excessive Volume of Commented-out Code | This weakness occurs when a callable function, method, or procedure contains a large amount of inactive, commented-out code within its implementation body. |
| CWE-1087 | Class with Virtual Method without a Virtual Destructor | This occurs when a class defines a virtual method but does not also provide a virtual destructor. |
| CWE-1089 | Large Data Table with Excessive Number of Indices | This weakness occurs when an application uses a database table with a very large number of rows and creates too many indexes on it, degrading overall system performance. |
| CWE-1092 | Use of Same Invokable Control Element in Multiple Architectural Layers | This weakness occurs when the same piece of code or control logic is duplicated across different architectural layers of an application, such as the presentation, business, and data layers. |
| CWE-1094 | Excessive Index Range Scan for a Data Resource | This weakness occurs when a database query performs an index range scan that can access an unnecessarily large number of rows from a substantial data table, leading to severe performance degradation. |
| CWE-1097 | Persistent Storable Data Element without Associated Comparison Control Element | This weakness occurs when a persistent data object lacks the necessary methods to be properly compared, which can lead to inconsistent or incorrect behavior when the system checks for equality or manages collections. |
| CWE-1098 | Data Element containing Pointer Item without Proper Copy Control Element | This weakness occurs when a data structure contains a pointer, but the code lacks proper methods to copy or initialize that pointer safely. |
| CWE-1099 | Inconsistent Naming Conventions for Identifiers | This weakness occurs when a codebase uses mixed naming styles for elements like variables, functions, data types, or files, creating an inconsistent and confusing structure. |
| CWE-1101 | Reliance on Runtime Component in Generated Code | This vulnerability occurs when software depends on automatically generated code that requires a specific, often external, runtime component to function. Without this component, the code cannot execute, creating a fragile and non-portable foundation. |
| CWE-1102 | Reliance on Machine-Dependent Data Representation | This weakness occurs when software directly depends on how a specific machine, processor, or operating system represents data in memory. Code that makes assumptions about byte order, data type sizes, or memory alignment becomes fragile and non-portable. |
| CWE-1103 | Use of Platform-Dependent Third Party Components | This weakness occurs when software depends on third-party libraries or components that behave differently or lack support across various target platforms or operating systems. |
| CWE-1104 | Use of Unmaintained Third Party Components | This weakness occurs when software depends on third-party libraries, frameworks, or modules that are no longer actively updated or supported by their creators or a trusted maintainer. |
| CWE-1106 | Insufficient Use of Symbolic Constants | This weakness occurs when developers embed raw numbers or text strings directly in code instead of using named symbolic constants, making future updates and maintenance more difficult. |
| CWE-1107 | Insufficient Isolation of Symbolic Constant Definitions | This weakness occurs when a codebase uses symbolic constants (like named values for numbers or strings) but scatters their definitions across many files instead of centralizing them in one isolated location, such as a dedicated configuration file or module. |
| CWE-1108 | Excessive Reliance on Global Variables | This weakness occurs when a codebase depends too heavily on global variables to store and manage state, rather than keeping data within appropriate local scopes like functions or classes. |
| CWE-1109 | Use of Same Variable for Multiple Purposes | This weakness occurs when a single variable is reused to handle multiple, unrelated tasks or to store different pieces of data throughout the code. This practice muddies the variable's purpose and makes the logic harder to follow. |
| CWE-1113 | Inappropriate Comment Style | This weakness occurs when source code comments are written in a style or format that doesn't match the project's established standards or common conventions for the language. |
| CWE-1114 | Inappropriate Whitespace Style | This weakness occurs when source code uses inconsistent or non-standard whitespace formatting, such as irregular indentation, spacing, or line breaks. |
| CWE-1115 | Source Code Element without Standard Prologue | This weakness occurs when source code files or modules lack a consistent, standardized header or prologue that the development team has agreed upon. |
| CWE-1116 | Inaccurate Comments | This weakness occurs when code comments do not correctly describe or explain the actual behavior of the associated code. Misleading comments create a disconnect between what the documentation says and what the program actually does. |
| CWE-1117 | Callable with Insufficient Behavioral Summary | This weakness occurs when a function, method, or API lacks clear documentation about its behavior. The signature or comments fail to properly explain what inputs it expects, what outputs it returns, what side effects it causes, or what assumptions it makes. |
| CWE-1126 | Declaration of Variable with Unnecessarily Wide Scope | This weakness occurs when a variable is declared with a broader scope than it actually needs, such as declaring a variable at a global or function level when it's only used inside a loop or conditional block. |
| CWE-1127 | Compilation with Insufficient Warnings or Errors | This weakness occurs when source code is compiled without enabling a comprehensive set of warning flags from the compiler. This practice allows subtle bugs, insecure coding patterns, and quality issues to go undetected during the build process. |
| CWE-1235 | Incorrect Use of Autoboxing and Unboxing for Performance Critical Operations | This weakness occurs when a program relies on automatic boxing and unboxing of primitive types within performance-sensitive code sections, causing unnecessary computational overhead and potential resource strain. |
| CWE-358 | Improperly Implemented Security Check for Standard | This vulnerability occurs when software fails to correctly implement one or more critical security checks required by a standard protocol, algorithm, or security technique. |
| CWE-360 | Trust of System Event Data | This vulnerability occurs when software blindly trusts system event data without verifying its source, allowing attackers to spoof events and manipulate application behavior. |
| CWE-478 | Missing Default Case in Multiple Condition Expression | This vulnerability occurs when code with multiple conditional branches, like a switch statement, lacks a default case to handle unexpected values. |
| CWE-487 | Reliance on Package-level Scope | This weakness occurs when a Java application mistakenly treats package-level access as a security boundary, assuming it can prevent unauthorized access to code. |
| CWE-489 | Active Debug Code | This vulnerability occurs when software is deployed to production with debugging or diagnostic features still enabled and accessible. |
| CWE-547 | Use of Hard-coded, Security-relevant Constants | This vulnerability occurs when code directly embeds security-critical values like passwords, cryptographic keys, or access levels as raw numbers or strings, instead of using named constants or configuration files. This practice makes the code brittle and error-prone during updates or security reviews. |
| CWE-561 | Dead Code | Dead code refers to sections of a program that can never run during normal execution, effectively making them inactive and unreachable. |
| CWE-562 | Return of Stack Variable Address | This vulnerability occurs when a function returns a pointer to its own local variable. Since that variable's memory is on the stack, the pointer becomes invalid as soon as the function finishes, leading to crashes or unpredictable behavior. |
| CWE-563 | Assignment to Variable without Use | This vulnerability occurs when a value is stored in a variable, but that variable is never read or used in subsequent code, creating a 'dead store.' |
| CWE-581 | Object Model Violation: Just One of Equals and Hashcode Defined | This vulnerability occurs when a Java class defines either the equals() method or the hashCode() method, but not both, breaking a fundamental contract of object equality. |
| CWE-586 | Explicit Call to Finalize() | This vulnerability occurs when code directly calls an object's finalize() method from outside its designated finalizer context. |
| CWE-605 | Multiple Binds to the Same Port | This vulnerability occurs when a system's socket configuration allows multiple applications to bind to the same network port simultaneously. This can let a malicious process hijack or impersonate legitimate services running on that port. |
| CWE-628 | Function Call with Incorrectly Specified Arguments | This weakness occurs when a function is called with arguments that are incorrectly specified, causing the function to behave in an unintended and consistently wrong manner. |
| CWE-654 | Reliance on a Single Factor in a Security Decision | This vulnerability occurs when a system's security check depends almost entirely on just one condition, object, or piece of data to decide whether to grant access to sensitive resources or actions. It's like having a single, easily compromised lock on a vault, instead of a layered defense. |
| CWE-656 | Reliance on Security Through Obscurity | This weakness occurs when a system's primary defense relies on hiding how it works, rather than using a robust, well-tested security mechanism. If an attacker discovers the hidden details—like a secret algorithm or hardcoded key—the protection fails completely. |
| CWE-694 | Use of Multiple Resources with Duplicate Identifier | This vulnerability occurs when a system uses multiple resources that can share the same identifier, even though the application logic requires each identifier to be unique. |
| CWE-807 | Reliance on Untrusted Inputs in a Security Decision | This vulnerability occurs when an application's security check depends on user-controlled data that can be manipulated to bypass protection mechanisms, such as authentication or authorization gates. |
| CWE-699 | Software Development | This view organizes weaknesses around concepts that are frequently used or encountered in software development. This includes all aspects of the software development lifecycle including both architecture and implementation. Accordingly, this view can align closely with the perspectives of architects, developers, educators, and assessment vendors. It provides a variety of categories that are intended to simplify navigation, browsing, and mapping. |
Vulnerability Mapping Notes
Usage: Prohibited
Reasons: Category
Rationale:
This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves.
Comment:
See member weaknesses of this category.