For C / C++ code, the CWE Checklist provides guided checklist review of the following rules. The ◄ symbol indicates rules where the Advanced edition of Imagix 4D provides more automated checking. The subset of these rules that are supported for Java code are identified by the ☉ symbol.
This checklist together with Imagix 4D is certified as CWE compatible by the CWE organization. A listing of this support is available as a CWE Coverage Claims Representation.
Each major and many minor releases of Imagix 4D add support for any CWE versions that have been released since the last such update. Currently, all CWE versions from 2.8 up through 3.3 are supported.
| CWE-14 | Compiler Removal of Code to Clear Buffers |
| CWE-20 ☉ | Improper Input Validation |
| CWE-22 ☉ | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') |
| CWE-23 ☉ | Relative Path Traversal |
| CWE-24 ☉ | Path Traversal: '../filedir' |
| CWE-25 ☉ | Path Traversal: '/../filedir' |
| CWE-26 ☉ | Path Traversal: '/dir/../filename' |
| CWE-27 ☉ | Path Traversal: 'dir/../../filename' |
| CWE-28 ☉ | Path Traversal: '..\filedir' |
| CWE-29 ☉ | Path Traversal: '\..\filename' |
| CWE-30 ☉ | Path Traversal: '\dir\..\filename' |
| CWE-31 ☉ | Path Traversal: 'dir\..\..\filename' |
| CWE-32 ☉ | Path Traversal: '...' (Triple Dot) |
| CWE-33 ☉ | Path Traversal: '....' (Multiple Dot) |
| CWE-34 ☉ | Path Traversal: '....//' |
| CWE-35 ☉ | Path Traversal: '.../...//' |
| CWE-36 ☉ | Absolute Path Traversal |
| CWE-37 ☉ | Path Traversal: '/absolute/pathname/here' |
| CWE-38 ☉ | Path Traversal: '\absolute\pathname\here' |
| CWE-39 ☉ | Path Traversal: 'C:dirname' |
| CWE-40 ☉ | Path Traversal: '\\UNC\share\name\' (Windows UNC Share) |
| CWE-41 ☉ | Improper Resolution of Path Equivalence |
| CWE-51 ☉ | Path Equivalence: '/multiple//internal/slash' |
| CWE-55 ☉ | Path Equivalence: '/./' (Single Dot Directory) |
| CWE-57 ☉ | Path Equivalence: 'fakedir/../realdir/filename' |
| CWE-59 ☉ | Improper Link Resolution Before File Access ('Link Following') |
| CWE-61 | UNIX Symbolic Link (Symlink) Following |
| CWE-62 | UNIX Hard Link |
| CWE-73 | External Control of File Name or Path |
| CWE-74 | Improper Neutralization of Special Elements in Output Used by a Downstream Component('Injection') |
| CWE-75 | Failure to Sanitize Special Elements into a Different Plane (Special Element Injection) |
| CWE-76 | Improper Neutralization of Equivalent Special Elements |
| CWE-77 | Improper Neutralization of Special Elements used in a Command ('Command Injection') |
| CWE-78 | Improper Neutralization of Special Elements used in an OS Command ('OS CommandInjection') |
| CWE-79 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
| CWE-88 | Argument Injection or Modification |
| CWE-89 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') |
| CWE-90 | Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection') |
| CWE-91 | XML Injection (aka Blind XPath Injection) |
| CWE-93 | Improper Neutralization of CRLF Sequences ('CRLF Injection') |
| CWE-94 | Improper Control of Generation of Code ('Code Injection') |
| CWE-95 | Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') |
| CWE-96 | Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection') |
| CWE-97 | Improper Neutralization of Server-Side Includes (SSI) Within a Web Page |
| CWE-99 | Improper Control of Resource Identifiers ('Resource Injection') |
| CWE-114 | Process Control |
| CWE-116 | Improper Encoding or Escaping of Output |
| CWE-117 | Improper Output Neutralization for Logs |
| CWE-123 | Write-what-where Condition |
| CWE-134 | Use of Externally-Controlled Format String |
| CWE-135 | Incorrect Calculation of Multi-Byte String Length |
| CWE-138 | Improper Neutralization of Special Elements |
| CWE-140 | Improper Neutralization of Delimiters |
| CWE-141 | Improper Neutralization of Parameter/Argument Delimiters |
| CWE-142 | Improper Neutralization of Value Delimiters |
| CWE-143 | Improper Neutralization of Record Delimiters |
| CWE-144 | Improper Neutralization of Line Delimiters |
| CWE-145 | Improper Neutralization of Section Delimiters |
| CWE-146 | Improper Neutralization of Expression/Command Delimiters |
| CWE-147 | Improper Neutralization of Input Terminators |
| CWE-148 | Improper Neutralization of Input Leaders |
| CWE-149 | Improper Neutralization of Quoting Syntax |
| CWE-150 | Improper Neutralization of Escape, Meta, or Control Sequences |
| CWE-151 | Improper Neutralization of Comment Delimiters |
| CWE-152 | Improper Neutralization of Macro Symbols |
| CWE-153 | Improper Neutralization of Substitution Characters |
| CWE-154 | Improper Neutralization of Variable Name Delimiters |
| CWE-155 | Improper Neutralization of Wildcards or Matching Symbols |
| CWE-156 | Improper Neutralization of Whitespace |
| CWE-157 | Failure to Sanitize Paired Delimiters |
| CWE-158 | Improper Neutralization of Null Byte or NUL Character |
| CWE-159 | Failure to Sanitize Special Element |
| CWE-160 | Improper Neutralization of Leading Special Elements |
| CWE-161 | Improper Neutralization of Multiple Leading Special Elements |
| CWE-162 | Improper Neutralization of Trailing Special Elements |
| CWE-163 | Improper Neutralization of Multiple Trailing Special Elements |
| CWE-164 | Improper Neutralization of Internal Special Elements |
| CWE-165 | Improper Neutralization of Multiple Internal Special Elements |
| CWE-166 | Improper Handling of Missing Special Element |
| CWE-167 | Improper Handling of Additional Special Element |
| CWE-168 | Improper Handling of Inconsistent Special Elements |
| CWE-172 | Encoding Error |
| CWE-173 | Improper Handling of Alternate Encoding |
| CWE-174 | Double Decoding of the Same Data |
| CWE-175 | Improper Handling of Mixed Encoding |
| CWE-176 | Improper Handling of Unicode Encoding |
| CWE-177 | Improper Handling of URL Encoding (Hex Encoding) |
| CWE-178 | Improper Handling of Case Sensitivity |
| CWE-179 | Incorrect Behavior Order: Early Validation |
| CWE-180 | Incorrect Behavior Order: Validate Before Canonicalize |
| CWE-181 | Incorrect Behavior Order: Validate Before Filter |
| CWE-182 | Collapse of Data into Unsafe Value |
| CWE-184 ☉ | Incomplete Blacklist |
| CWE-185 | Incorrect Regular Expression |
| CWE-186 | Overly Restrictive Regular Expression |
| CWE-187 | Partial Comparison |
| CWE-188 ☉ | Reliance on Data/Memory Layout |
| CWE-200 | Information Exposure |
| CWE-201 | Information Exposure Through Sent Data |
| CWE-203 | Information Exposure Through Discrepancy |
| CWE-204 | Response Discrepancy Information Exposure |
| CWE-209 | Information Exposure Through an Error Message |
| CWE-210 | Information Exposure Through Self-generated Error Message |
| CWE-211 | Information Exposure Through Externally-generated Error Message |
| CWE-212 | Improper Cross-boundary Removal of Sensitive Data |
| CWE-215 | Information Exposure Through Debug Information |
| CWE-216 | Containment Errors (Container Errors) |
| CWE-227 ☉ | Improper Fulfillment of API Contract ('API Abuse') |
| CWE-241 | Improper Handling of Unexpected Data Type |
| CWE-252 | Unchecked Return Value |
| CWE-253 | Incorrect Check of Function Return Value |
| CWE-273 | Improper Check for Dropped Privileges |
| CWE-311 | Missing Encryption of Sensitive Data |
| CWE-319 | Cleartext Transmission of Sensitive Information |
| CWE-354 | Improper Validation of Integrity Check Value |
| CWE-364 ◄ | Signal Handler Race Condition |
| CWE-365 ◄ | Race Condition in Switch |
| CWE-374 | Passing Mutable Objects to an Untrusted Method |
| CWE-375 | Returning a Mutable Object to an Untrusted Caller |
| CWE-378 | Creation of Temporary File With Insecure Permissions |
| CWE-379 | Creation of Temporary File in Directory with Incorrect Permissions |
| CWE-390 | Detection of Error Condition Without Action |
| CWE-391 | Unchecked Error Condition |
| CWE-394 | Unexpected Status Code or Return Value |
| CWE-405 ◄ | Asymmetric Resource Consumption (Amplification) |
| CWE-406 | Insufficient Control of Network Message Volume (Network Amplification) |
| CWE-407 ☉ | Algorithmic Complexity |
| CWE-408 ◄ | Incorrect Behavior Order: Early Amplification |
| CWE-409 | Improper Handling of Highly Compressed Data (Data Amplification) |
| CWE-410 | Insufficient Resource Pool |
| CWE-412 ◄ | Unrestricted Externally Accessible Lock |
| CWE-413 ◄ | Improper Resource Locking |
| CWE-414 ◄ | Missing Lock Check |
| CWE-430 | Deployment of Wrong Handler |
| CWE-431 | Missing Handler |
| CWE-432 ◄ | Dangerous Signal Handler not Disabled During Sensitive Operations |
| CWE-447 ☉ | Unimplemented or Unsupported Feature in UI |
| CWE-453 | Insecure Default Variable Initialization |
| CWE-454 | External Initialization of Trusted Variables or Data Stores |
| CWE-455 | Non-exit on Failed Initialization |
| CWE-456 | Missing Initialization of a Variable |
| CWE-460 | Improper Cleanup on Thrown Exception |
| CWE-462 | Duplicate Key in Associative List (Alist) |
| CWE-463 | Deletion of Data Structure Sentinel |
| CWE-464 | Addition of Data Structure Sentinel |
| CWE-470 | Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') |
| CWE-472 | External Control of Assumed-Immutable Web Parameter |
| CWE-474 ☉ | Use of Function with Inconsistent Implementations |
| CWE-479 ◄ | Signal Handler Use of a Non-reentrant Function |
| CWE-488 ◄ | Exposure of Data Element to Wrong Session |
| CWE-489 ☉ | Leftover Debug Code |
| CWE-493 ☉ | Critical Public Variable Without Final Modifier |
| CWE-494 | Download of Code Without Integrity Check |
| CWE-496 | Public Data Assigned to Private Array-Typed Field |
| CWE-497 | Exposure of System Data to an Unauthorized Control Sphere |
| CWE-498 ☉ | Cloneable Class Containing Sensitive Information |
| CWE-500 ☉ | Public Static Field Not Marked Final |
| CWE-502 ☉ | Deserialization of Untrusted Data |
| CWE-506 ☉ | Embedded Malicious Code |
| CWE-507 ☉ | Trojan Horse |
| CWE-508 | Non-Replicating Malicious Code |
| CWE-509 ☉ | Replicating Malicious Code (Virus or Worm) |
| CWE-510 | Trapdoor |
| CWE-511 ☉ | Logic/Time Bomb |
| CWE-512 ☉ | Spyware |
| CWE-524 ☉ | Information Exposure Through Caching |
| CWE-526 | Information Exposure Through Environmental Variables |
| CWE-538 | File and Directory Information Exposure |
| CWE-539 ☉ | Information Exposure Through Persistent Cookies |
| CWE-543 ◄ | Use of Singleton Pattern Without Synchronization in a Multithreaded Context |
| CWE-544 | Missing Standardized Error Handling Mechanism |
| CWE-546 ☉ | Suspicious Comment |
| CWE-548 ☉ | Information Exposure Through Directory Listing |
| CWE-584 | Return Inside Finally Block |
| CWE-587 | Assignment of a Fixed Address to a Pointer |
| CWE-591 | Sensitive Data Storage in Improperly Locked Memory |
| CWE-595 | Comparison of Object References Instead of Object Contents |
| CWE-598 | Information Exposure Through Query Strings in GET Request |
| CWE-605 | Multiple Binds to the Same Port |
| CWE-622 ☉ | Improper Validation of Function Hook Arguments |
| CWE-636 ☉ | Not Failing Securely ('Failing Open') |
| CWE-637 ☉ | Unnecessary Complexity in Protection Mechanism (Not Using 'Economy of Mechanism') |
| CWE-638 | Not Using Complete Mediation |
| CWE-641 | Improper Restriction of Names for Files and Other Resources |
| CWE-643 | Improper Neutralization of Data within XPath Expressions ('XPath Injection') |
| CWE-652 | Improper Neutralization of Data within XQuery Expressions ('XQuery Injection') |
| CWE-663 ◄ | Use of a Non-reentrant Function in a Concurrent Context |
| CWE-664 | Improper Control of a Resource Through its Lifetime |
| CWE-666 ☉ | Operation on Resource in Wrong Phase of Lifetime |
| CWE-674 ☉ | Uncontrolled Recursion |
| CWE-688 | Function Call With Incorrect Variable or Reference as Argument |
| CWE-694 | Use of Multiple Resources with Duplicate Identifier |
| CWE-754 | Improper Check for Unusual or Exceptional Conditions |
| CWE-759 | Use of a One-Way Hash without a Salt |
| CWE-761 | Free of Pointer not at Start of Buffer |
| CWE-765 ◄ | Multiple Unlocks of a Critical Resource |
| CWE-767 | Access to Critical Private Variable via Public Method |
| CWE-773 ◄ | Missing Reference to Active File Descriptor or Handle |
| CWE-774 ◄ | Allocation of File Descriptors or Handles Without Limits or Throttling |
| CWE-777 | Regular Expression without Anchors |
| CWE-785 | Use of Path Manipulation Function without Maximum-sized Buffer |
| CWE-789 | Uncontrolled Memory Allocation |
| CWE-806 | Buffer Access Using Size of Source Buffer |
| CWE-828 ◄ | Signal Handler with Functionality that is not Asynchronous-Safe |
| CWE-909 | Missing Initialization of Resource |
| CWE-912 | Hidden Functionality |
| CWE-913 | Improper Control of Dynamically-Managed Code Resources |
| CWE-914 | Improper Control of Dynamically-Identified Variables |
| CWE-915 | Improperly Controlled Modification of Dynamically-Determined Object Attributes |
| CWE-916 ☉ | Use of Password Hash With Insufficient Computational Effort |
| CWE-940 ☉ | Improper Verification of Source of a Communication Channel |
| CWE-943 | Improper Neutralization of Special Elements in Data Query Logic |
