For C/C++ code, the CWE checklist provides a guided checklist review against the rules listed below. The ◄ symbol marks rules for which the Advanced edition of Imagix 4D provides more automated checking. The subset of these rules that also applies to Java code is marked with the ☉ symbol.
Each major release, and many minor releases, of Imagix 4D adds support for the CWE versions published since the previous update. Currently, all CWE versions from 2.8 through 3.3 are supported.
| CWE ID | Weakness Name |
| --- | --- |
| CWE-14 | Compiler Removal of Code to Clear Buffers |
| CWE-20 ☉ | Improper Input Validation |
| CWE-22 ☉ | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') |
| CWE-23 ☉ | Relative Path Traversal |
| CWE-24 ☉ | Path Traversal: '../filedir' |
| CWE-25 ☉ | Path Traversal: '/../filedir' |
| CWE-26 ☉ | Path Traversal: '/dir/../filename' |
| CWE-27 ☉ | Path Traversal: 'dir/../../filename' |
| CWE-28 ☉ | Path Traversal: '..\filedir' |
| CWE-29 ☉ | Path Traversal: '\..\filename' |
| CWE-30 ☉ | Path Traversal: '\dir\..\filename' |
| CWE-31 ☉ | Path Traversal: 'dir\..\..\filename' |
| CWE-32 ☉ | Path Traversal: '...' (Triple Dot) |
| CWE-33 ☉ | Path Traversal: '....' (Multiple Dot) |
| CWE-34 ☉ | Path Traversal: '....//' |
| CWE-35 ☉ | Path Traversal: '.../...//' |
| CWE-36 ☉ | Absolute Path Traversal |
| CWE-37 ☉ | Path Traversal: '/absolute/pathname/here' |
| CWE-38 ☉ | Path Traversal: '\absolute\pathname\here' |
| CWE-39 ☉ | Path Traversal: 'C:dirname' |
| CWE-40 ☉ | Path Traversal: '\\UNC\share\name\' (Windows UNC Share) |
| CWE-41 ☉ | Improper Resolution of Path Equivalence |
| CWE-51 ☉ | Path Equivalence: '/multiple//internal/slash' |
| CWE-55 ☉ | Path Equivalence: '/./' (Single Dot Directory) |
| CWE-57 ☉ | Path Equivalence: 'fakedir/../realdir/filename' |
| CWE-59 ☉ | Improper Link Resolution Before File Access ('Link Following') |
| CWE-61 | UNIX Symbolic Link (Symlink) Following |
| CWE-62 | UNIX Hard Link |
| CWE-73 | External Control of File Name or Path |
| CWE-74 | Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') |
| CWE-75 | Failure to Sanitize Special Elements into a Different Plane (Special Element Injection) |
| CWE-76 | Improper Neutralization of Equivalent Special Elements |
| CWE-77 | Improper Neutralization of Special Elements used in a Command ('Command Injection') |
| CWE-78 | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') |
| CWE-79 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
| CWE-88 | Argument Injection or Modification |
| CWE-89 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') |
| CWE-90 | Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection') |
| CWE-91 | XML Injection (aka Blind XPath Injection) |
| CWE-93 | Improper Neutralization of CRLF Sequences ('CRLF Injection') |
| CWE-94 | Improper Control of Generation of Code ('Code Injection') |
| CWE-95 | Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') |
| CWE-96 | Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection') |
| CWE-97 | Improper Neutralization of Server-Side Includes (SSI) Within a Web Page |
| CWE-99 | Improper Control of Resource Identifiers ('Resource Injection') |
| CWE-114 | Process Control |
| CWE-116 | Improper Encoding or Escaping of Output |
| CWE-117 | Improper Output Neutralization for Logs |
| CWE-123 | Write-what-where Condition |
| CWE-134 | Use of Externally-Controlled Format String |
| CWE-135 | Incorrect Calculation of Multi-Byte String Length |
| CWE-138 | Improper Neutralization of Special Elements |
| CWE-140 | Improper Neutralization of Delimiters |
| CWE-141 | Improper Neutralization of Parameter/Argument Delimiters |
| CWE-142 | Improper Neutralization of Value Delimiters |
| CWE-143 | Improper Neutralization of Record Delimiters |
| CWE-144 | Improper Neutralization of Line Delimiters |
| CWE-145 | Improper Neutralization of Section Delimiters |
| CWE-146 | Improper Neutralization of Expression/Command Delimiters |
| CWE-147 | Improper Neutralization of Input Terminators |
| CWE-148 | Improper Neutralization of Input Leaders |
| CWE-149 | Improper Neutralization of Quoting Syntax |
| CWE-150 | Improper Neutralization of Escape, Meta, or Control Sequences |
| CWE-151 | Improper Neutralization of Comment Delimiters |
| CWE-152 | Improper Neutralization of Macro Symbols |
| CWE-153 | Improper Neutralization of Substitution Characters |
| CWE-154 | Improper Neutralization of Variable Name Delimiters |
| CWE-155 | Improper Neutralization of Wildcards or Matching Symbols |
| CWE-156 | Improper Neutralization of Whitespace |
| CWE-157 | Failure to Sanitize Paired Delimiters |
| CWE-158 | Improper Neutralization of Null Byte or NUL Character |
| CWE-159 | Failure to Sanitize Special Element |
| CWE-160 | Improper Neutralization of Leading Special Elements |
| CWE-161 | Improper Neutralization of Multiple Leading Special Elements |
| CWE-162 | Improper Neutralization of Trailing Special Elements |
| CWE-163 | Improper Neutralization of Multiple Trailing Special Elements |
| CWE-164 | Improper Neutralization of Internal Special Elements |
| CWE-165 | Improper Neutralization of Multiple Internal Special Elements |
| CWE-166 | Improper Handling of Missing Special Element |
| CWE-167 | Improper Handling of Additional Special Element |
| CWE-168 | Improper Handling of Inconsistent Special Elements |
| CWE-172 | Encoding Error |
| CWE-173 | Improper Handling of Alternate Encoding |
| CWE-174 | Double Decoding of the Same Data |
| CWE-175 | Improper Handling of Mixed Encoding |
| CWE-176 | Improper Handling of Unicode Encoding |
| CWE-177 | Improper Handling of URL Encoding (Hex Encoding) |
| CWE-178 | Improper Handling of Case Sensitivity |
| CWE-179 | Incorrect Behavior Order: Early Validation |
| CWE-180 | Incorrect Behavior Order: Validate Before Canonicalize |
| CWE-181 | Incorrect Behavior Order: Validate Before Filter |
| CWE-182 | Collapse of Data into Unsafe Value |
| CWE-184 ☉ | Incomplete Blacklist |
| CWE-185 | Incorrect Regular Expression |
| CWE-186 | Overly Restrictive Regular Expression |
| CWE-187 | Partial Comparison |
| CWE-188 ☉ | Reliance on Data/Memory Layout |
| CWE-200 | Information Exposure |
| CWE-201 | Information Exposure Through Sent Data |
| CWE-203 | Information Exposure Through Discrepancy |
| CWE-204 | Response Discrepancy Information Exposure |
| CWE-209 | Information Exposure Through an Error Message |
| CWE-210 | Information Exposure Through Self-generated Error Message |
| CWE-211 | Information Exposure Through Externally-generated Error Message |
| CWE-212 | Improper Cross-boundary Removal of Sensitive Data |
| CWE-215 | Information Exposure Through Debug Information |
| CWE-216 | Containment Errors (Container Errors) |
| CWE-227 ☉ | Improper Fulfillment of API Contract ('API Abuse') |
| CWE-241 | Improper Handling of Unexpected Data Type |
| CWE-252 | Unchecked Return Value |
| CWE-253 | Incorrect Check of Function Return Value |
| CWE-273 | Improper Check for Dropped Privileges |
| CWE-311 | Missing Encryption of Sensitive Data |
| CWE-319 | Cleartext Transmission of Sensitive Information |
| CWE-354 | Improper Validation of Integrity Check Value |
| CWE-364 ◄ | Signal Handler Race Condition |
| CWE-365 ◄ | Race Condition in Switch |
| CWE-374 | Passing Mutable Objects to an Untrusted Method |
| CWE-375 | Returning a Mutable Object to an Untrusted Caller |
| CWE-378 | Creation of Temporary File With Insecure Permissions |
| CWE-379 | Creation of Temporary File in Directory with Incorrect Permissions |
| CWE-390 | Detection of Error Condition Without Action |
| CWE-391 | Unchecked Error Condition |
| CWE-394 | Unexpected Status Code or Return Value |
| CWE-405 ◄ | Asymmetric Resource Consumption (Amplification) |
| CWE-406 | Insufficient Control of Network Message Volume (Network Amplification) |
| CWE-407 ☉ | Algorithmic Complexity |
| CWE-408 ◄ | Incorrect Behavior Order: Early Amplification |
| CWE-409 | Improper Handling of Highly Compressed Data (Data Amplification) |
| CWE-410 | Insufficient Resource Pool |
| CWE-412 ◄ | Unrestricted Externally Accessible Lock |
| CWE-413 ◄ | Improper Resource Locking |
| CWE-414 ◄ | Missing Lock Check |
| CWE-430 | Deployment of Wrong Handler |
| CWE-431 | Missing Handler |
| CWE-432 ◄ | Dangerous Signal Handler not Disabled During Sensitive Operations |
| CWE-447 ☉ | Unimplemented or Unsupported Feature in UI |
| CWE-453 | Insecure Default Variable Initialization |
| CWE-454 | External Initialization of Trusted Variables or Data Stores |
| CWE-455 | Non-exit on Failed Initialization |
| CWE-456 | Missing Initialization of a Variable |
| CWE-460 | Improper Cleanup on Thrown Exception |
| CWE-462 | Duplicate Key in Associative List (Alist) |
| CWE-463 | Deletion of Data Structure Sentinel |
| CWE-464 | Addition of Data Structure Sentinel |
| CWE-470 | Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') |
| CWE-472 | External Control of Assumed-Immutable Web Parameter |
| CWE-474 ☉ | Use of Function with Inconsistent Implementations |
| CWE-479 ◄ | Signal Handler Use of a Non-reentrant Function |
| CWE-488 ◄ | Exposure of Data Element to Wrong Session |
| CWE-489 ☉ | Leftover Debug Code |
| CWE-493 ☉ | Critical Public Variable Without Final Modifier |
| CWE-494 | Download of Code Without Integrity Check |
| CWE-496 | Public Data Assigned to Private Array-Typed Field |
| CWE-497 | Exposure of System Data to an Unauthorized Control Sphere |
| CWE-498 ☉ | Cloneable Class Containing Sensitive Information |
| CWE-500 ☉ | Public Static Field Not Marked Final |
| CWE-502 ☉ | Deserialization of Untrusted Data |
| CWE-506 ☉ | Embedded Malicious Code |
| CWE-507 ☉ | Trojan Horse |
| CWE-508 | Non-Replicating Malicious Code |
| CWE-509 ☉ | Replicating Malicious Code (Virus or Worm) |
| CWE-510 | Trapdoor |
| CWE-511 ☉ | Logic/Time Bomb |
| CWE-512 ☉ | Spyware |
| CWE-524 ☉ | Information Exposure Through Caching |
| CWE-526 | Information Exposure Through Environmental Variables |
| CWE-538 | File and Directory Information Exposure |
| CWE-539 ☉ | Information Exposure Through Persistent Cookies |
| CWE-543 ◄ | Use of Singleton Pattern Without Synchronization in a Multithreaded Context |
| CWE-544 | Missing Standardized Error Handling Mechanism |
| CWE-546 ☉ | Suspicious Comment |
| CWE-548 ☉ | Information Exposure Through Directory Listing |
| CWE-584 | Return Inside Finally Block |
| CWE-587 | Assignment of a Fixed Address to a Pointer |
| CWE-591 | Sensitive Data Storage in Improperly Locked Memory |
| CWE-595 | Comparison of Object References Instead of Object Contents |
| CWE-598 | Information Exposure Through Query Strings in GET Request |
| CWE-605 | Multiple Binds to the Same Port |
| CWE-622 ☉ | Improper Validation of Function Hook Arguments |
| CWE-636 ☉ | Not Failing Securely ('Failing Open') |
| CWE-637 ☉ | Unnecessary Complexity in Protection Mechanism (Not Using 'Economy of Mechanism') |
| CWE-638 | Not Using Complete Mediation |
| CWE-641 | Improper Restriction of Names for Files and Other Resources |
| CWE-643 | Improper Neutralization of Data within XPath Expressions ('XPath Injection') |
| CWE-652 | Improper Neutralization of Data within XQuery Expressions ('XQuery Injection') |
| CWE-663 ◄ | Use of a Non-reentrant Function in a Concurrent Context |
| CWE-664 | Improper Control of a Resource Through its Lifetime |
| CWE-666 ☉ | Operation on Resource in Wrong Phase of Lifetime |
| CWE-674 ☉ | Uncontrolled Recursion |
| CWE-688 | Function Call With Incorrect Variable or Reference as Argument |
| CWE-694 | Use of Multiple Resources with Duplicate Identifier |
| CWE-754 | Improper Check for Unusual or Exceptional Conditions |
| CWE-759 | Use of a One-Way Hash without a Salt |
| CWE-761 | Free of Pointer not at Start of Buffer |
| CWE-765 ◄ | Multiple Unlocks of a Critical Resource |
| CWE-767 | Access to Critical Private Variable via Public Method |
| CWE-773 ◄ | Missing Reference to Active File Descriptor or Handle |
| CWE-774 ◄ | Allocation of File Descriptors or Handles Without Limits or Throttling |
| CWE-777 | Regular Expression without Anchors |
| CWE-785 | Use of Path Manipulation Function without Maximum-sized Buffer |
| CWE-789 | Uncontrolled Memory Allocation |
| CWE-806 | Buffer Access Using Size of Source Buffer |
| CWE-828 ◄ | Signal Handler with Functionality that is not Asynchronous-Safe |
| CWE-909 | Missing Initialization of Resource |
| CWE-912 | Hidden Functionality |
| CWE-913 | Improper Control of Dynamically-Managed Code Resources |
| CWE-914 | Improper Control of Dynamically-Identified Variables |
| CWE-915 | Improperly Controlled Modification of Dynamically-Determined Object Attributes |
| CWE-916 ☉ | Use of Password Hash With Insufficient Computational Effort |
| CWE-940 ☉ | Improper Verification of Source of a Communication Channel |
| CWE-943 | Improper Neutralization of Special Elements in Data Query Logic |