CWE Tree Viewer - Version 4.19

CWE-71:DEPRECATED: Apple '.DS_Store' (Prohibited)

CWE-92:DEPRECATED: Improper Sanitization of Custom Special Characters (Prohibited)

CWE-132:DEPRECATED: Miscalculated Null Termination (Prohibited)

CWE-216:DEPRECATED: Containment Errors (Container Errors) (Prohibited)

CWE-217:DEPRECATED: Failure to Protect Stored Data from Modification (Prohibited)

CWE-218:DEPRECATED: Failure to provide confidentiality for stored data (Prohibited)

CWE-225:DEPRECATED: General Information Management Problems (Prohibited)

CWE-247:DEPRECATED: Reliance on DNS Lookups in a Security Decision (Prohibited)

CWE-249:DEPRECATED: Often Misused: Path Manipulation (Prohibited)

CWE-284:Improper Access Control (Discouraged)
- CWE-269:Improper Privilege Management (Discouraged)
  - CWE-250:Execution with Unnecessary Privileges (Allowed)
  - CWE-266:Incorrect Privilege Assignment (Allowed)
    - CWE-9:J2EE Misconfiguration: Weak Access Permissions for EJB Methods (Allowed)
    - CWE-520:.NET Misconfiguration: Use of Impersonation (Allowed)
    - CWE-556:ASP.NET Misconfiguration: Use of Identity Impersonation (Allowed)
    - CWE-1022:Use of Web Link to Untrusted Target with window.opener Access (Allowed)
    - CWE-1268:Policy Privileges are not Assigned Consistently Between Control and Data Agents (Allowed)
  - CWE-267:Privilege Defined With Unsafe Actions (Allowed)
    - CWE-623:Unsafe ActiveX Control Marked Safe For Scripting (Allowed)
  - CWE-268:Privilege Chaining (Allowed)
  - CWE-270:Privilege Context Switching Error (Allowed)
  - CWE-271:Privilege Dropping / Lowering Errors (Allowed-with-Review)
    - CWE-272:Least Privilege Violation (Allowed)
    - CWE-273:Improper Check for Dropped Privileges (Allowed)
  - CWE-274:Improper Handling of Insufficient Privileges (Discouraged)
  - CWE-648:Incorrect Use of Privileged APIs (Allowed)
- CWE-282:Improper Ownership Management (Allowed-with-Review)
  - CWE-283:Unverified Ownership (Allowed)
  - CWE-708:Incorrect Ownership Assignment (Allowed)
- CWE-285:Improper Authorization (Discouraged)
  - CWE-552:Files or Directories Accessible to External Parties (Allowed)
    - CWE-219:Storage of File with Sensitive Data Under Web Root (Allowed)
      - CWE-433:Unparsed Raw Web Content Delivery (Allowed)
    - CWE-220:Storage of File With Sensitive Data Under FTP Root (Allowed)
    - CWE-527:Exposure of Version-Control Repository to an Unauthorized Control Sphere (Allowed)
    - CWE-528:Exposure of Core Dump File to an Unauthorized Control Sphere (Allowed)
    - CWE-529:Exposure of Access Control List Files to an Unauthorized Control Sphere (Allowed)
    - CWE-530:Exposure of Backup File to an Unauthorized Control Sphere (Allowed)
    - CWE-539:Use of Persistent Cookies Containing Sensitive Information (Allowed)
    - CWE-553:Command Shell in Externally Accessible Directory (Allowed)
  - CWE-732:Incorrect Permission Assignment for Critical Resource (Allowed-with-Review)
    - CWE-276:Incorrect Default Permissions (Allowed)
    - CWE-277:Insecure Inherited Permissions (Allowed)
    - CWE-278:Insecure Preserved Inherited Permissions (Allowed)
    - CWE-279:Incorrect Execution-Assigned Permissions (Allowed)
    - CWE-281:Improper Preservation of Permissions (Allowed)
    - CWE-766:Critical Data Element Declared Public (Allowed)
    - CWE-1004:Sensitive Cookie Without 'HttpOnly' Flag (Allowed)
  - CWE-862:Missing Authorization (Allowed-with-Review)
    - CWE-425:Direct Request ('Forced Browsing') (Allowed)
    - CWE-638:Not Using Complete Mediation (Allowed-with-Review)
      - CWE-424:Improper Protection of Alternate Path (Allowed-with-Review)
        
        CWE-425:Direct Request ('Forced Browsing') (Allowed)
    - CWE-939:Improper Authorization in Handler for Custom URL Scheme (Allowed)
    - CWE-1314:Missing Write Protection for Parametric Data Values (Allowed)
  - CWE-863:Incorrect Authorization (Allowed-with-Review)
    - CWE-41:Improper Resolution of Path Equivalence (Allowed)
      - CWE-42:Path Equivalence: 'filename.' (Trailing Dot) (Allowed)
        
        CWE-43:Path Equivalence: 'filename....' (Multiple Trailing Dot) (Allowed)
      - CWE-44:Path Equivalence: 'file.name' (Internal Dot) (Allowed)
        
        CWE-45:Path Equivalence: 'file...name' (Multiple Internal Dot) (Allowed)
      - CWE-46:Path Equivalence: 'filename ' (Trailing Space) (Allowed)
      - CWE-47:Path Equivalence: ' filename' (Leading Space) (Allowed)
      - CWE-48:Path Equivalence: 'file name' (Internal Whitespace) (Allowed)
      - CWE-49:Path Equivalence: 'filename/' (Trailing Slash) (Allowed)
      - CWE-50:Path Equivalence: '//multiple/leading/slash' (Allowed)
      - CWE-51:Path Equivalence: '/multiple//internal/slash' (Allowed)
      - CWE-52:Path Equivalence: '/multiple/trailing/slash//' (Allowed)
      - CWE-53:Path Equivalence: '\multiple\\internal\backslash' (Allowed)
      - CWE-54:Path Equivalence: 'filedir\' (Trailing Backslash) (Allowed)
      - CWE-55:Path Equivalence: '/./' (Single Dot Directory) (Allowed)
      - CWE-56:Path Equivalence: 'filedir*' (Wildcard) (Allowed)
      - CWE-57:Path Equivalence: 'fakedir/../realdir/filename' (Allowed)
      - CWE-58:Path Equivalence: Windows 8.3 Filename (Allowed)
    - CWE-551:Incorrect Behavior Order: Authorization Before Parsing and Canonicalization (Allowed)
    - CWE-639:Authorization Bypass Through User-Controlled Key (Allowed)
      - CWE-566:Authorization Bypass Through User-Controlled SQL Primary Key (Allowed)
    - CWE-647:Use of Non-Canonical URL Paths for Authorization Decisions (Allowed)
    - CWE-804:Guessable CAPTCHA (Allowed)
    - CWE-942:Permissive Cross-domain Security Policy with Untrusted Domains (Allowed)
    - CWE-1244:Internal Asset Exposed to Unsafe Debug Access Level or State (Allowed)
  - CWE-926:Improper Export of Android Application Components (Allowed)
  - CWE-927:Use of Implicit Intent for Sensitive Communication (Allowed)
  - CWE-1230:Exposure of Sensitive Information Through Metadata (Allowed)
    - CWE-202:Exposure of Sensitive Information Through Data Queries (Allowed)
    - CWE-612:Improper Authorization of Index Containing Sensitive Information (Allowed)
  - CWE-1256:Improper Restriction of Software Interfaces to Hardware Features (Allowed)
  - CWE-1297:Unprotected Confidential Information on Device is Accessible by OSAT Vendors (Allowed)
  - CWE-1328:Security Version Number Mutable to Older Versions (Allowed)
- CWE-286:Incorrect User Management (Allowed-with-Review)
  - CWE-842:Placement of User into Incorrect Group (Allowed)
- CWE-287:Improper Authentication (Discouraged)
  - CWE-290:Authentication Bypass by Spoofing (Allowed)
    - CWE-291:Reliance on IP Address for Authentication (Allowed)
    - CWE-293:Using Referer Field for Authentication (Allowed)
    - CWE-350:Reliance on Reverse DNS Resolution for a Security-Critical Action (Allowed)
  - CWE-294:Authentication Bypass by Capture-replay (Allowed)
  - CWE-295:Improper Certificate Validation (Allowed)
    - CWE-296:Improper Following of a Certificate's Chain of Trust (Allowed)
    - CWE-297:Improper Validation of Certificate with Host Mismatch (Allowed)
    - CWE-298:Improper Validation of Certificate Expiration (Allowed)
    - CWE-299:Improper Check for Certificate Revocation (Allowed)
      - CWE-370:Missing Check for Certificate Revocation after Initial Check (Allowed)
    - CWE-599:Missing Validation of OpenSSL Certificate (Allowed)
  - CWE-306:Missing Authentication for Critical Function (Allowed)
    - CWE-288:Authentication Bypass Using an Alternate Path or Channel (Allowed)
      - CWE-425:Direct Request ('Forced Browsing') (Allowed)
      - CWE-1299:Missing Protection Mechanism for Alternate Hardware Interface (Allowed)
    - CWE-322:Key Exchange without Entity Authentication (Allowed)
  - CWE-307:Improper Restriction of Excessive Authentication Attempts (Allowed)
  - CWE-521:Weak Password Requirements (Allowed)
    - CWE-258:Empty Password in Configuration File (Allowed)
  - CWE-522:Insufficiently Protected Credentials (Allowed-with-Review)
    - CWE-256:Plaintext Storage of a Password (Allowed)
    - CWE-257:Storing Passwords in a Recoverable Format (Allowed)
    - CWE-260:Password in Configuration File (Allowed)
      - CWE-13:ASP.NET Misconfiguration: Password in Configuration File (Allowed)
      - CWE-258:Empty Password in Configuration File (Allowed)
      - CWE-555:J2EE Misconfiguration: Plaintext Password in Configuration File (Allowed)
    - CWE-261:Weak Encoding for Password (Allowed)
    - CWE-523:Unprotected Transport of Credentials (Allowed)
    - CWE-549:Missing Password Field Masking (Allowed)
  - CWE-640:Weak Password Recovery Mechanism for Forgotten Password (Allowed-with-Review)
  - CWE-645:Overly Restrictive Account Lockout Mechanism (Allowed)
  - CWE-798:Use of Hard-coded Credentials (Allowed-with-Review)
    - CWE-259:Use of Hard-coded Password (Allowed)
    - CWE-321:Use of Hard-coded Cryptographic Key (Allowed)
  - CWE-1390:Weak Authentication (Allowed-with-Review)
    - CWE-41:Improper Resolution of Path Equivalence (Allowed)
      - CWE-42:Path Equivalence: 'filename.' (Trailing Dot) (Allowed)
        
        CWE-43:Path Equivalence: 'filename....' (Multiple Trailing Dot) (Allowed)
      - CWE-44:Path Equivalence: 'file.name' (Internal Dot) (Allowed)
        
        CWE-45:Path Equivalence: 'file...name' (Multiple Internal Dot) (Allowed)
      - CWE-46:Path Equivalence: 'filename ' (Trailing Space) (Allowed)
      - CWE-47:Path Equivalence: ' filename' (Leading Space) (Allowed)
      - CWE-48:Path Equivalence: 'file name' (Internal Whitespace) (Allowed)
      - CWE-49:Path Equivalence: 'filename/' (Trailing Slash) (Allowed)
      - CWE-50:Path Equivalence: '//multiple/leading/slash' (Allowed)
      - CWE-51:Path Equivalence: '/multiple//internal/slash' (Allowed)
      - CWE-52:Path Equivalence: '/multiple/trailing/slash//' (Allowed)
      - CWE-53:Path Equivalence: '\multiple\\internal\backslash' (Allowed)
      - CWE-54:Path Equivalence: 'filedir\' (Trailing Backslash) (Allowed)
      - CWE-55:Path Equivalence: '/./' (Single Dot Directory) (Allowed)
      - CWE-56:Path Equivalence: 'filedir*' (Wildcard) (Allowed)
      - CWE-57:Path Equivalence: 'fakedir/../realdir/filename' (Allowed)
      - CWE-58:Path Equivalence: Windows 8.3 Filename (Allowed)
    - CWE-262:Not Using Password Aging (Allowed)
    - CWE-263:Password Aging with Long Expiration (Discouraged)
    - CWE-289:Authentication Bypass by Alternate Name (Allowed)
    - CWE-290:Authentication Bypass by Spoofing (Allowed)
      - CWE-291:Reliance on IP Address for Authentication (Allowed)
      - CWE-293:Using Referer Field for Authentication (Allowed)
      - CWE-350:Reliance on Reverse DNS Resolution for a Security-Critical Action (Allowed)
    - CWE-294:Authentication Bypass by Capture-replay (Allowed)
    - CWE-301:Reflection Attack in an Authentication Protocol (Allowed)
    - CWE-302:Authentication Bypass by Assumed-Immutable Data (Allowed)
    - CWE-303:Incorrect Implementation of Authentication Algorithm (Allowed)
      - CWE-304:Missing Critical Step in Authentication (Allowed)
    - CWE-305:Authentication Bypass by Primary Weakness (Allowed)
    - CWE-307:Improper Restriction of Excessive Authentication Attempts (Allowed)
    - CWE-308:Use of Single-factor Authentication (Allowed)
    - CWE-309:Use of Password System for Primary Authentication (Allowed)
    - CWE-522:Insufficiently Protected Credentials (Allowed-with-Review)
      - CWE-256:Plaintext Storage of a Password (Allowed)
      - CWE-257:Storing Passwords in a Recoverable Format (Allowed)
      - CWE-260:Password in Configuration File (Allowed)
        
        CWE-13:ASP.NET Misconfiguration: Password in Configuration File (Allowed)
        
        CWE-258:Empty Password in Configuration File (Allowed)
        
        CWE-555:J2EE Misconfiguration: Plaintext Password in Configuration File (Allowed)
      - CWE-261:Weak Encoding for Password (Allowed)
      - CWE-523:Unprotected Transport of Credentials (Allowed)
      - CWE-549:Missing Password Field Masking (Allowed)
    - CWE-593:Authentication Bypass: OpenSSL CTX Object Modified after SSL Objects are Created (Allowed)
    - CWE-603:Use of Client-Side Authentication (Allowed)
    - CWE-620:Unverified Password Change (Allowed)
    - CWE-640:Weak Password Recovery Mechanism for Forgotten Password (Allowed-with-Review)
    - CWE-804:Guessable CAPTCHA (Allowed)
    - CWE-836:Use of Password Hash Instead of Password for Authentication (Allowed)
    - CWE-1391:Use of Weak Credentials (Allowed-with-Review)
      - CWE-521:Weak Password Requirements (Allowed)
        
        CWE-258:Empty Password in Configuration File (Allowed)
      - CWE-798:Use of Hard-coded Credentials (Allowed-with-Review)
        
        CWE-259:Use of Hard-coded Password (Allowed)
        
        CWE-321:Use of Hard-coded Cryptographic Key (Allowed)
      - CWE-1392:Use of Default Credentials (Allowed)
        
        CWE-1393:Use of Default Password (Allowed)
        
        CWE-1394:Use of Default Cryptographic Key (Allowed)
- CWE-288:Authentication Bypass Using an Alternate Path or Channel (Allowed)
  - CWE-425:Direct Request ('Forced Browsing') (Allowed)
  - CWE-1299:Missing Protection Mechanism for Alternate Hardware Interface (Allowed)
- CWE-346:Origin Validation Error (Allowed-with-Review)
  - CWE-940:Improper Verification of Source of a Communication Channel (Allowed)
    - CWE-925:Improper Verification of Intent by Broadcast Receiver (Allowed)
    - CWE-939:Improper Authorization in Handler for Custom URL Scheme (Allowed)
  - CWE-1385:Missing Origin Validation in WebSockets (Allowed)
- CWE-639:Authorization Bypass Through User-Controlled Key (Allowed)
  - CWE-566:Authorization Bypass Through User-Controlled SQL Primary Key (Allowed)
- CWE-749:Exposed Dangerous Method or Function (Allowed)
  - CWE-618:Exposed Unsafe ActiveX Method (Allowed)
  - CWE-782:Exposed IOCTL with Insufficient Access Control (Allowed)
- CWE-862:Missing Authorization (Allowed-with-Review)
  - CWE-425:Direct Request ('Forced Browsing') (Allowed)
  - CWE-638:Not Using Complete Mediation (Allowed-with-Review)
    - CWE-424:Improper Protection of Alternate Path (Allowed-with-Review)
      - CWE-425:Direct Request ('Forced Browsing') (Allowed)
  - CWE-939:Improper Authorization in Handler for Custom URL Scheme (Allowed)
  - CWE-1314:Missing Write Protection for Parametric Data Values (Allowed)
- CWE-863:Incorrect Authorization (Allowed-with-Review)
  - CWE-41:Improper Resolution of Path Equivalence (Allowed)
    - CWE-42:Path Equivalence: 'filename.' (Trailing Dot) (Allowed)
      - CWE-43:Path Equivalence: 'filename....' (Multiple Trailing Dot) (Allowed)
    - CWE-44:Path Equivalence: 'file.name' (Internal Dot) (Allowed)
      - CWE-45:Path Equivalence: 'file...name' (Multiple Internal Dot) (Allowed)
    - CWE-46:Path Equivalence: 'filename ' (Trailing Space) (Allowed)
    - CWE-47:Path Equivalence: ' filename' (Leading Space) (Allowed)
    - CWE-48:Path Equivalence: 'file name' (Internal Whitespace) (Allowed)
    - CWE-49:Path Equivalence: 'filename/' (Trailing Slash) (Allowed)
    - CWE-50:Path Equivalence: '//multiple/leading/slash' (Allowed)
    - CWE-51:Path Equivalence: '/multiple//internal/slash' (Allowed)
    - CWE-52:Path Equivalence: '/multiple/trailing/slash//' (Allowed)
    - CWE-53:Path Equivalence: '\multiple\\internal\backslash' (Allowed)
    - CWE-54:Path Equivalence: 'filedir\' (Trailing Backslash) (Allowed)
    - CWE-55:Path Equivalence: '/./' (Single Dot Directory) (Allowed)
    - CWE-56:Path Equivalence: 'filedir*' (Wildcard) (Allowed)
    - CWE-57:Path Equivalence: 'fakedir/../realdir/filename' (Allowed)
    - CWE-58:Path Equivalence: Windows 8.3 Filename (Allowed)
  - CWE-551:Incorrect Behavior Order: Authorization Before Parsing and Canonicalization (Allowed)
  - CWE-639:Authorization Bypass Through User-Controlled Key (Allowed)
    - CWE-566:Authorization Bypass Through User-Controlled SQL Primary Key (Allowed)
  - CWE-647:Use of Non-Canonical URL Paths for Authorization Decisions (Allowed)
  - CWE-804:Guessable CAPTCHA (Allowed)
  - CWE-942:Permissive Cross-domain Security Policy with Untrusted Domains (Allowed)
  - CWE-1244:Internal Asset Exposed to Unsafe Debug Access Level or State (Allowed)
- CWE-923:Improper Restriction of Communication Channel to Intended Endpoints (Allowed-with-Review)
  - CWE-291:Reliance on IP Address for Authentication (Allowed)
  - CWE-297:Improper Validation of Certificate with Host Mismatch (Allowed)
  - CWE-300:Channel Accessible by Non-Endpoint (Discouraged)
  - CWE-419:Unprotected Primary Channel (Allowed)
  - CWE-420:Unprotected Alternate Channel (Allowed)
    - CWE-421:Race Condition During Access to Alternate Channel (Allowed)
    - CWE-422:Unprotected Windows Messaging Channel ('Shatter') (Allowed)
    - CWE-1299:Missing Protection Mechanism for Alternate Hardware Interface (Allowed)
  - CWE-940:Improper Verification of Source of a Communication Channel (Allowed)
    - CWE-925:Improper Verification of Intent by Broadcast Receiver (Allowed)
    - CWE-939:Improper Authorization in Handler for Custom URL Scheme (Allowed)
  - CWE-941:Incorrectly Specified Destination in a Communication Channel (Allowed)
  - CWE-942:Permissive Cross-domain Security Policy with Untrusted Domains (Allowed)
  - CWE-1275:Sensitive Cookie with Improper SameSite Attribute (Allowed)
- CWE-1191:On-Chip Debug and Test Interface With Improper Access Control (Allowed)
- CWE-1220:Insufficient Granularity of Access Control (Allowed)
  - CWE-1222:Insufficient Granularity of Address Regions Protected by Register Locks (Allowed)
- CWE-1224:Improper Restriction of Write-Once Bit Fields (Allowed)
- CWE-1231:Improper Prevention of Lock Bit Modification (Allowed)
- CWE-1233:Security-Sensitive Hardware Controls with Missing Lock Bit Protection (Allowed)
- CWE-1252:CPU Hardware Not Configured to Support Exclusivity of Write and Execute Operations (Allowed)
- CWE-1257:Improper Access Control Applied to Mirrored or Aliased Memory Regions (Allowed)
- CWE-1259:Improper Restriction of Security Token Assignment (Allowed)
- CWE-1260:Improper Handling of Overlap Between Protected Memory Ranges (Allowed)
- CWE-1262:Improper Access Control for Register Interface (Allowed)
- CWE-1263:Improper Physical Access Control (Allowed-with-Review)
  - CWE-1243:Sensitive Non-Volatile Information Not Protected During Debug (Allowed)
- CWE-1267:Policy Uses Obsolete Encoding (Allowed)
- CWE-1270:Generation of Incorrect Security Tokens (Allowed)
- CWE-1274:Improper Access Control for Volatile Memory Containing Boot Code (Allowed)
- CWE-1276:Hardware Child Block Incorrectly Connected to Parent System (Allowed)
- CWE-1280:Access Control Check Implemented After Asset is Accessed (Allowed)
- CWE-1283:Mutable Attestation or Measurement Reporting Data (Allowed)
- CWE-1290:Incorrect Decoding of Security Identifiers (Allowed)
- CWE-1292:Incorrect Conversion of Security Identifiers (Allowed)
- CWE-1294:Insecure Security Identifier Mechanism (Allowed-with-Review)
  - CWE-1259:Improper Restriction of Security Token Assignment (Allowed)
  - CWE-1270:Generation of Incorrect Security Tokens (Allowed)
  - CWE-1290:Incorrect Decoding of Security Identifiers (Allowed)
  - CWE-1292:Incorrect Conversion of Security Identifiers (Allowed)
  - CWE-1302:Missing Source Identifier in Entity Transactions on a System-On-Chip (SOC) (Allowed)
- CWE-1296:Incorrect Chaining or Granularity of Debug Components (Allowed)
- CWE-1304:Improperly Preserved Integrity of Hardware Configuration State During a Power Save/Restore Operation (Allowed)
- CWE-1311:Improper Translation of Security Attributes by Fabric Bridge (Allowed)
- CWE-1312:Missing Protection for Mirrored Regions in On-Chip Fabric Firewall (Allowed)
- CWE-1313:Hardware Allows Activation of Test or Debug Logic at Runtime (Allowed)
- CWE-1315:Improper Setting of Bus Controlling Capability in Fabric End-point (Allowed)
- CWE-1316:Fabric-Address Map Allows Programming of Unwarranted Overlaps of Protected and Unprotected Ranges (Allowed)
- CWE-1317:Improper Access Control in Fabric Bridge (Allowed)
- CWE-1320:Improper Protection for Outbound Error Messages and Alert Signals (Allowed)
- CWE-1323:Improper Management of Sensitive Trace Data (Allowed)
- CWE-1334:Unauthorized Error Injection Can Degrade Hardware Redundancy (Allowed)

CWE-292:DEPRECATED: Trusting Self-reported DNS Name (Prohibited)

CWE-365:DEPRECATED: Race Condition in Switch (Prohibited)

CWE-373:DEPRECATED: State Synchronization Error (Prohibited)

CWE-423:DEPRECATED: Proxied Trusted Channel (Prohibited)

CWE-435:Improper Interaction Between Multiple Correctly-Behaving Entities (Discouraged)
- CWE-188:Reliance on Data/Memory Layout (Allowed)
  - CWE-198:Use of Incorrect Byte Ordering (Allowed)
- CWE-436:Interpretation Conflict (Allowed-with-Review)
  - CWE-86:Improper Neutralization of Invalid Characters in Identifiers in Web Pages (Allowed)
  - CWE-113:Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') (Allowed)
  - CWE-115:Misinterpretation of Input (Allowed)
  - CWE-437:Incomplete Model of Endpoint Features (Allowed)
  - CWE-444:Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') (Allowed)
  - CWE-626:Null Byte Interaction Error (Poison Null Byte) (Allowed)
  - CWE-650:Trusting HTTP Permission Methods on the Server Side (Allowed)
- CWE-439:Behavioral Change in New Version or Environment (Allowed)
- CWE-1038:Insecure Automated Optimizations (Allowed-with-Review)
  - CWE-733:Compiler Optimization Removal or Modification of Security-critical Code (Allowed)
    - CWE-14:Compiler Removal of Code to Clear Buffers (Allowed)
  - CWE-1037:Processor Optimization Removal or Modification of Security-critical Code (Allowed)

CWE-443:DEPRECATED: HTTP response splitting (Prohibited)

CWE-458:DEPRECATED: Incorrect Initialization (Prohibited)

CWE-516:DEPRECATED: Covert Timing Channel (Prohibited)

CWE-533:DEPRECATED: Information Exposure Through Server Log Files (Prohibited)

CWE-534:DEPRECATED: Information Exposure Through Debug Log Files (Prohibited)

CWE-542:DEPRECATED: Information Exposure Through Cleanup Log Files (Prohibited)

CWE-545:DEPRECATED: Use of Dynamic Class Loading (Prohibited)

CWE-592:DEPRECATED: Authentication Bypass Issues (Prohibited)

CWE-596:DEPRECATED: Incorrect Semantic Object Comparison (Prohibited)

CWE-664:Improper Control of a Resource Through its Lifetime (Discouraged)
- CWE-118:Incorrect Access of Indexable Resource ('Range Error') (Discouraged)
  - CWE-119:Improper Restriction of Operations within the Bounds of a Memory Buffer (Discouraged)
    - CWE-120:Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') (Allowed-with-Review)
      - CWE-785:Use of Path Manipulation Function without Maximum-sized Buffer (Allowed)
    - CWE-123:Write-what-where Condition (Allowed)
    - CWE-125:Out-of-bounds Read (Allowed)
      - CWE-126:Buffer Over-read (Allowed)
      - CWE-127:Buffer Under-read (Allowed)
    - CWE-130:Improper Handling of Length Parameter Inconsistency (Allowed)
    - CWE-466:Return of Pointer Value Outside of Expected Range (Allowed)
    - CWE-786:Access of Memory Location Before Start of Buffer (Discouraged)
      - CWE-124:Buffer Underwrite ('Buffer Underflow') (Allowed)
      - CWE-127:Buffer Under-read (Allowed)
    - CWE-787:Out-of-bounds Write (Allowed)
      - CWE-120:Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') (Allowed-with-Review)
        
        CWE-785:Use of Path Manipulation Function without Maximum-sized Buffer (Allowed)
      - CWE-121:Stack-based Buffer Overflow (Allowed)
      - CWE-122:Heap-based Buffer Overflow (Allowed)
      - CWE-123:Write-what-where Condition (Allowed)
      - CWE-124:Buffer Underwrite ('Buffer Underflow') (Allowed)
    - CWE-788:Access of Memory Location After End of Buffer (Discouraged)
      - CWE-121:Stack-based Buffer Overflow (Allowed)
      - CWE-122:Heap-based Buffer Overflow (Allowed)
      - CWE-126:Buffer Over-read (Allowed)
    - CWE-805:Buffer Access with Incorrect Length Value (Allowed)
      - CWE-806:Buffer Access Using Size of Source Buffer (Allowed)
    - CWE-822:Untrusted Pointer Dereference (Allowed)
    - CWE-823:Use of Out-of-range Pointer Offset (Allowed)
    - CWE-824:Access of Uninitialized Pointer (Allowed)
    - CWE-825:Expired Pointer Dereference (Allowed)
      - CWE-415:Double Free (Allowed)
      - CWE-416:Use After Free (Allowed)
- CWE-221:Information Loss or Omission (Allowed-with-Review)
  - CWE-222:Truncation of Security-relevant Information (Allowed)
  - CWE-223:Omission of Security-relevant Information (Allowed)
    - CWE-778:Insufficient Logging (Allowed)
    - CWE-1429:Missing Security-Relevant Feedback for Unexecuted Operations in Hardware Interface (Allowed)
  - CWE-224:Obscured Security-relevant Information by Alternate Name (Allowed)
  - CWE-356:Product UI does not Warn User of Unsafe Actions (Allowed)
  - CWE-396:Declaration of Catch for Generic Exception (Allowed)
  - CWE-397:Declaration of Throws for Generic Exception (Allowed)
  - CWE-451:User Interface (UI) Misrepresentation of Critical Information (Allowed-with-Review)
    - CWE-1007:Insufficient Visual Distinction of Homoglyphs Presented to User (Allowed)
    - CWE-1021:Improper Restriction of Rendered UI Layers or Frames (Allowed)
- CWE-372:Incomplete Internal State Distinction (Discouraged)
- CWE-400:Uncontrolled Resource Consumption (Discouraged)
  - CWE-405:Asymmetric Resource Consumption (Amplification) (Allowed-with-Review)
    - CWE-406:Insufficient Control of Network Message Volume (Network Amplification) (Allowed-with-Review)
    - CWE-407:Inefficient Algorithmic Complexity (Allowed-with-Review)
      - CWE-1333:Inefficient Regular Expression Complexity (Allowed)
    - CWE-408:Incorrect Behavior Order: Early Amplification (Allowed)
    - CWE-409:Improper Handling of Highly Compressed Data (Data Amplification) (Allowed)
    - CWE-776:Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion') (Allowed)
    - CWE-1050:Excessive Platform Resource Consumption within a Loop (Allowed)
    - CWE-1072:Data Resource Access without Use of Connection Pooling (Prohibited)
    - CWE-1073:Non-SQL Invokable Control Element with Excessive Number of Data Resource Accesses (Prohibited)
    - CWE-1084:Invokable Control Element with Excessive File or Data Access Operations (Prohibited)
    - CWE-1089:Large Data Table with Excessive Number of Indices (Allowed)
    - CWE-1094:Excessive Index Range Scan for a Data Resource (Prohibited)
    - CWE-1176:Inefficient CPU Computation (Allowed-with-Review)
      - CWE-1042:Static Member Data Element outside of a Singleton Class Element (Prohibited)
      - CWE-1046:Creation of Immutable Text Using String Concatenation (Allowed)
      - CWE-1049:Excessive Data Query Operations in a Large Data Table (Allowed)
      - CWE-1063:Creation of Class Instance within a Static Code Block (Prohibited)
      - CWE-1067:Excessive Execution of Sequential Searches of Data Resource (Allowed)
  - CWE-770:Allocation of Resources Without Limits or Throttling (Allowed)
    - CWE-774:Allocation of File Descriptors or Handles Without Limits or Throttling (Allowed)
    - CWE-789:Memory Allocation with Excessive Size Value (Allowed)
    - CWE-1325:Improperly Controlled Sequential Memory Allocation (Allowed)
  - CWE-771:Missing Reference to Active Allocated Resource (Allowed)
    - CWE-773:Missing Reference to Active File Descriptor or Handle (Allowed)
  - CWE-779:Logging of Excessive Data (Allowed)
  - CWE-920:Improper Restriction of Power Consumption (Allowed)
  - CWE-1235:Incorrect Use of Autoboxing and Unboxing for Performance Critical Operations (Allowed)
  - CWE-1246:Improper Write Handling in Limited-write Non-Volatile Memories (Allowed)
- CWE-404:Improper Resource Shutdown or Release (Allowed-with-Review)
  - CWE-299:Improper Check for Certificate Revocation (Allowed)
    - CWE-370:Missing Check for Certificate Revocation after Initial Check (Allowed)
  - CWE-401:Missing Release of Memory after Effective Lifetime (Allowed)
  - CWE-459:Incomplete Cleanup (Allowed)
    - CWE-226:Sensitive Information in Resource Not Removed Before Reuse (Allowed)
      - CWE-244:Improper Clearing of Heap Memory Before Release ('Heap Inspection') (Allowed)
      - CWE-1239:Improper Zeroization of Hardware Register (Allowed)
      - CWE-1272:Sensitive Information Uncleared Before Debug/Power State Transition (Allowed)
      - CWE-1301:Insufficient or Incomplete Data Removal within Hardware Component (Allowed)
        
        CWE-1330:Remanent Data Readable after Memory Erase (Allowed)
      - CWE-1342:Information Exposure through Microarchitectural State after Transient Execution (Allowed)
    - CWE-460:Improper Cleanup on Thrown Exception (Allowed)
    - CWE-568:finalize() Method Without super.finalize() (Allowed)
  - CWE-761:Free of Pointer not at Start of Buffer (Allowed)
  - CWE-762:Mismatched Memory Management Routines (Allowed)
    - CWE-590:Free of Memory not on the Heap (Allowed)
  - CWE-763:Release of Invalid Pointer or Reference (Allowed)
    - CWE-761:Free of Pointer not at Start of Buffer (Allowed)
    - CWE-762:Mismatched Memory Management Routines (Allowed)
      - CWE-590:Free of Memory not on the Heap (Allowed)
  - CWE-772:Missing Release of Resource after Effective Lifetime (Allowed)
    - CWE-401:Missing Release of Memory after Effective Lifetime (Allowed)
    - CWE-775:Missing Release of File Descriptor or Handle after Effective Lifetime (Allowed)
    - CWE-1091:Use of Object without Invoking Destructor Method (Allowed)
  - CWE-775:Missing Release of File Descriptor or Handle after Effective Lifetime (Allowed)
  - CWE-1266:Improper Scrubbing of Sensitive Data from Decommissioned Device (Allowed)
- CWE-410:Insufficient Resource Pool (Allowed)
- CWE-471:Modification of Assumed-Immutable Data (MAID) (Allowed)
  - CWE-472:External Control of Assumed-Immutable Web Parameter (Allowed)
  - CWE-473:PHP External Variable Modification (Allowed)
  - CWE-607:Public Static Final Field References Mutable Object (Allowed)
- CWE-487:Reliance on Package-level Scope (Allowed)
- CWE-495:Private Data Structure Returned From A Public Method (Allowed)
- CWE-496:Public Data Assigned to Private Array-Typed Field (Allowed)
- CWE-501:Trust Boundary Violation (Allowed)
- CWE-580:clone() Method Without super.clone() (Allowed)
- CWE-610:Externally Controlled Reference to a Resource in Another Sphere (Discouraged)
  - CWE-15:External Control of System or Configuration Setting (Allowed)
  - CWE-73:External Control of File Name or Path (Allowed)
    - CWE-114:Process Control (Discouraged)
  - CWE-384:Session Fixation (Allowed)
  - CWE-441:Unintended Proxy or Intermediary ('Confused Deputy') (Allowed-with-Review)
    - CWE-918:Server-Side Request Forgery (SSRF) (Allowed)
    - CWE-1021:Improper Restriction of Rendered UI Layers or Frames (Allowed)
  - CWE-470:Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') (Allowed)
  - CWE-601:URL Redirection to Untrusted Site ('Open Redirect') (Allowed)
  - CWE-611:Improper Restriction of XML External Entity Reference (Allowed)
  - CWE-918:Server-Side Request Forgery (SSRF) (Allowed)
  - CWE-1021:Improper Restriction of Rendered UI Layers or Frames (Allowed)
- CWE-662:Improper Synchronization (Discouraged)
  - CWE-362:Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') (Allowed-with-Review)
    - CWE-364:Signal Handler Race Condition (Allowed)
      - CWE-432:Dangerous Signal Handler not Disabled During Sensitive Operations (Allowed)
      - CWE-828:Signal Handler with Functionality that is not Asynchronous-Safe (Allowed)
        
        CWE-479:Signal Handler Use of a Non-reentrant Function (Allowed)
      - CWE-831:Signal Handler Function Associated with Multiple Signals (Allowed)
    - CWE-366:Race Condition within a Thread (Allowed)
    - CWE-367:Time-of-check Time-of-use (TOCTOU) Race Condition (Allowed)
      - CWE-363:Race Condition Enabling Link Following (Allowed)
    - CWE-368:Context Switching Race Condition (Allowed)
    - CWE-421:Race Condition During Access to Alternate Channel (Allowed)
    - CWE-689:Permission Race Condition During Resource Copy (Allowed)
    - CWE-1223:Race Condition for Write-Once Attributes (Allowed)
    - CWE-1298:Hardware Logic Contains Race Conditions (Allowed)
  - CWE-366:Race Condition within a Thread (Allowed)
  - CWE-543:Use of Singleton Pattern Without Synchronization in a Multithreaded Context (Allowed)
  - CWE-567:Unsynchronized Access to Shared Data in a Multithreaded Context (Allowed)
  - CWE-663:Use of a Non-reentrant Function in a Concurrent Context (Allowed)
    - CWE-479:Signal Handler Use of a Non-reentrant Function (Allowed)
    - CWE-558:Use of getlogin() in Multithreaded Application (Allowed)
  - CWE-667:Improper Locking (Allowed-with-Review)
    - CWE-412:Unrestricted Externally Accessible Lock (Allowed)
    - CWE-413:Improper Resource Locking (Allowed)
      - CWE-591:Sensitive Data Storage in Improperly Locked Memory (Allowed)
    - CWE-414:Missing Lock Check (Allowed)
    - CWE-609:Double-Checked Locking (Allowed)
    - CWE-764:Multiple Locks of a Critical Resource (Allowed)
    - CWE-765:Multiple Unlocks of a Critical Resource (Allowed)
    - CWE-832:Unlock of a Resource that is not Locked (Allowed)
    - CWE-833:Deadlock (Allowed)
    - CWE-1232:Improper Lock Behavior After Power State Transition (Allowed)
    - CWE-1233:Security-Sensitive Hardware Controls with Missing Lock Bit Protection (Allowed)
    - CWE-1234:Hardware Internal or Debug Modes Allow Override of Locks (Allowed)
  - CWE-764:Multiple Locks of a Critical Resource (Allowed)
  - CWE-820:Missing Synchronization (Allowed)
    - CWE-543:Use of Singleton Pattern Without Synchronization in a Multithreaded Context (Allowed)
    - CWE-567:Unsynchronized Access to Shared Data in a Multithreaded Context (Allowed)
    - CWE-1096:Singleton Class Instance Creation without Proper Locking or Synchronization (Allowed)
  - CWE-821:Incorrect Synchronization (Allowed)
    - CWE-572:Call to Thread run() instead of start() (Allowed)
    - CWE-574:EJB Bad Practices: Use of Synchronization Primitives (Allowed)
    - CWE-1088:Synchronous Access of Remote Resource without Timeout (Allowed)
    - CWE-1264:Hardware Logic with Insecure De-Synchronization between Control and Data Channels (Allowed)
  - CWE-833:Deadlock (Allowed)
  - CWE-1058:Invokable Control Element in Multi-Thread Context with non-Final Static Storable or Member Element (Allowed)
  - CWE-1096:Singleton Class Instance Creation without Proper Locking or Synchronization (Allowed)
  - CWE-1265:Unintended Reentrant Invocation of Non-reentrant Code Via Nested Calls (Allowed)
- CWE-665:Improper Initialization (Discouraged)
  - CWE-455:Non-exit on Failed Initialization (Allowed)
  - CWE-456:Missing Initialization of a Variable (Allowed)
  - CWE-457:Use of Uninitialized Variable (Allowed)
  - CWE-770:Allocation of Resources Without Limits or Throttling (Allowed)
    - CWE-774:Allocation of File Descriptors or Handles Without Limits or Throttling (Allowed)
    - CWE-789:Memory Allocation with Excessive Size Value (Allowed)
    - CWE-1325:Improperly Controlled Sequential Memory Allocation (Allowed)
  - CWE-908:Use of Uninitialized Resource (Allowed)
    - CWE-457:Use of Uninitialized Variable (Allowed)
  - CWE-909:Missing Initialization of Resource (Allowed-with-Review)
    - CWE-456:Missing Initialization of a Variable (Allowed)
    - CWE-1271:Uninitialized Value on Reset for Registers Holding Security Settings (Allowed)
  - CWE-1188:Initialization of a Resource with an Insecure Default (Allowed)
    - CWE-453:Insecure Default Variable Initialization (Allowed)
  - CWE-1279:Cryptographic Operations are run Before Supporting Units are Ready (Allowed)
  - CWE-1419:Incorrect Initialization of Resource (Allowed-with-Review)
    - CWE-454:External Initialization of Trusted Variables or Data Stores (Allowed)
    - CWE-1051:Initialization with Hard-Coded Network Resource Configuration Data (Prohibited)
    - CWE-1052:Excessive Use of Hard-Coded Literals in Initialization (Allowed)
    - CWE-1188:Initialization of a Resource with an Insecure Default (Allowed)
      - CWE-453:Insecure Default Variable Initialization (Allowed)
    - CWE-1221:Incorrect Register Defaults or Module Parameters (Allowed)
  - CWE-1434:Insecure Setting of Generative AI/ML Model Inference Parameters (Allowed)
- CWE-666:Operation on Resource in Wrong Phase of Lifetime (Discouraged)
  - CWE-415:Double Free (Allowed)
  - CWE-593:Authentication Bypass: OpenSSL CTX Object Modified after SSL Objects are Created (Allowed)
  - CWE-605:Multiple Binds to the Same Port (Allowed)
  - CWE-672:Operation on a Resource after Expiration or Release (Allowed-with-Review)
    - CWE-298:Improper Validation of Certificate Expiration (Allowed)
    - CWE-324:Use of a Key Past its Expiration Date (Allowed)
    - CWE-415:Double Free (Allowed)
    - CWE-416:Use After Free (Allowed)
    - CWE-613:Insufficient Session Expiration (Allowed)
    - CWE-825:Expired Pointer Dereference (Allowed)
      - CWE-415:Double Free (Allowed)
      - CWE-416:Use After Free (Allowed)
    - CWE-910:Use of Expired File Descriptor (Allowed)
  - CWE-826:Premature Release of Resource During Expected Lifetime (Allowed)
- CWE-668:Exposure of Resource to Wrong Sphere (Discouraged)
  - CWE-8:J2EE Misconfiguration: Entity Bean Declared Remote (Allowed)
  - CWE-134:Use of Externally-Controlled Format String (Allowed)
  - CWE-200:Exposure of Sensitive Information to an Unauthorized Actor (Discouraged)
    - CWE-201:Insertion of Sensitive Information Into Sent Data (Allowed)
      - CWE-598:Use of GET Request Method With Sensitive Query Strings (Allowed)
    - CWE-203:Observable Discrepancy (Allowed)
      - CWE-204:Observable Response Discrepancy (Allowed)
      - CWE-205:Observable Behavioral Discrepancy (Allowed)
        
        CWE-206:Observable Internal Behavioral Discrepancy (Allowed)
        
        CWE-207:Observable Behavioral Discrepancy With Equivalent Products (Allowed)
      - CWE-208:Observable Timing Discrepancy (Allowed)
        
        CWE-1254:Incorrect Comparison Logic Granularity (Allowed)
      - CWE-1300:Improper Protection of Physical Side Channels (Allowed)
        
        CWE-1255:Comparison Logic is Vulnerable to Power Side-Channel Attacks (Allowed)
      - CWE-1303:Non-Transparent Sharing of Microarchitectural Resources (Allowed)
    - CWE-209:Generation of Error Message Containing Sensitive Information (Allowed)
      - CWE-210:Self-generated Error Message Containing Sensitive Information (Allowed)
      - CWE-211:Externally-Generated Error Message Containing Sensitive Information (Allowed)
        
        CWE-535:Exposure of Information Through Shell Error Message (Allowed)
        
        CWE-536:Servlet Runtime Error Message Containing Sensitive Information (Allowed)
        
        CWE-537:Java Runtime Error Message Containing Sensitive Information (Allowed)
      - CWE-550:Server-generated Error Message Containing Sensitive Information (Allowed)
    - CWE-213:Exposure of Sensitive Information Due to Incompatible Policies (Allowed)
    - CWE-215:Insertion of Sensitive Information Into Debugging Code (Allowed)
    - CWE-359:Exposure of Private Personal Information to an Unauthorized Actor (Allowed)
    - CWE-497:Exposure of Sensitive System Information to an Unauthorized Control Sphere (Allowed)
      - CWE-214:Invocation of Process Using Visible Sensitive Information (Allowed)
      - CWE-548:Exposure of Information Through Directory Listing (Allowed)
    - CWE-532:Insertion of Sensitive Information into Log File (Allowed)
    - CWE-538:Insertion of Sensitive Information into Externally-Accessible File or Directory (Allowed)
      - CWE-532:Insertion of Sensitive Information into Log File (Allowed)
      - CWE-540:Inclusion of Sensitive Information in Source Code (Allowed)
        
        CWE-531:Inclusion of Sensitive Information in Test Code (Allowed)
        
        CWE-541:Inclusion of Sensitive Information in an Include File (Allowed)
        
        CWE-615:Inclusion of Sensitive Information in Source Code Comments (Allowed)
      - CWE-651:Exposure of WSDL File Containing Sensitive Information (Allowed)
    - CWE-1273:Device Unlock Credential Sharing (Allowed)
    - CWE-1295:Debug Messages Revealing Unnecessary Information (Allowed)
    - CWE-1431:Driving Intermediate Cryptographic State/Results to Hardware Module Outputs (Allowed)
  - CWE-374:Passing Mutable Objects to an Untrusted Method (Allowed)
  - CWE-375:Returning a Mutable Object to an Untrusted Caller (Allowed)
  - CWE-377:Insecure Temporary File (Allowed-with-Review)
    - CWE-378:Creation of Temporary File With Insecure Permissions (Allowed)
    - CWE-379:Creation of Temporary File in Directory with Insecure Permissions (Allowed)
  - CWE-402:Transmission of Private Resources into a New Sphere ('Resource Leak') (Allowed-with-Review)
    - CWE-403:Exposure of File Descriptor to Unintended Control Sphere ('File Descriptor Leak') (Allowed)
    - CWE-619:Dangling Database Cursor ('Cursor Injection') (Allowed)
  - CWE-426:Untrusted Search Path (Allowed-with-Review)
  - CWE-427:Uncontrolled Search Path Element (Allowed-with-Review)
  - CWE-428:Unquoted Search Path or Element (Allowed)
  - CWE-488:Exposure of Data Element to Wrong Session (Allowed)
  - CWE-491:Public cloneable() Method Without Final ('Object Hijack') (Allowed)
  - CWE-492:Use of Inner Class Containing Sensitive Data (Allowed)
  - CWE-493:Critical Public Variable Without Final Modifier (Allowed)
    - CWE-500:Public Static Field Not Marked Final (Allowed)
  - CWE-498:Cloneable Class Containing Sensitive Information (Allowed)
  - CWE-499:Serializable Class Containing Sensitive Data (Allowed)
  - CWE-522:Insufficiently Protected Credentials (Allowed-with-Review)
    - CWE-256:Plaintext Storage of a Password (Allowed)
    - CWE-257:Storing Passwords in a Recoverable Format (Allowed)
    - CWE-260:Password in Configuration File (Allowed)
      - CWE-13:ASP.NET Misconfiguration: Password in Configuration File (Allowed)
      - CWE-258:Empty Password in Configuration File (Allowed)
      - CWE-555:J2EE Misconfiguration: Plaintext Password in Configuration File (Allowed)
    - CWE-261:Weak Encoding for Password (Allowed)
    - CWE-523:Unprotected Transport of Credentials (Allowed)
    - CWE-549:Missing Password Field Masking (Allowed)
  - CWE-524:Use of Cache Containing Sensitive Information (Allowed)
    - CWE-525:Use of Web Browser Cache Containing Sensitive Information (Allowed)
  - CWE-552:Files or Directories Accessible to External Parties (Allowed)
    - CWE-219:Storage of File with Sensitive Data Under Web Root (Allowed)
      - CWE-433:Unparsed Raw Web Content Delivery (Allowed)
    - CWE-220:Storage of File With Sensitive Data Under FTP Root (Allowed)
    - CWE-527:Exposure of Version-Control Repository to an Unauthorized Control Sphere (Allowed)
    - CWE-528:Exposure of Core Dump File to an Unauthorized Control Sphere (Allowed)
    - CWE-529:Exposure of Access Control List Files to an Unauthorized Control Sphere (Allowed)
    - CWE-530:Exposure of Backup File to an Unauthorized Control Sphere (Allowed)
    - CWE-539:Use of Persistent Cookies Containing Sensitive Information (Allowed)
    - CWE-553:Command Shell in Externally Accessible Directory (Allowed)
  - CWE-582:Array Declared Public, Final, and Static (Allowed)
  - CWE-583:finalize() Method Declared Public (Allowed)
  - CWE-608:Struts: Non-private Field in ActionForm Class (Allowed)
  - CWE-642:External Control of Critical State Data (Allowed-with-Review)
    - CWE-15:External Control of System or Configuration Setting (Allowed)
    - CWE-73:External Control of File Name or Path (Allowed)
      - CWE-114:Process Control (Discouraged)
    - CWE-426:Untrusted Search Path (Allowed-with-Review)
    - CWE-472:External Control of Assumed-Immutable Web Parameter (Allowed)
    - CWE-565:Reliance on Cookies without Validation and Integrity Checking (Allowed)
      - CWE-784:Reliance on Cookies without Validation and Integrity Checking in a Security Decision (Allowed)
  - CWE-732:Incorrect Permission Assignment for Critical Resource (Allowed-with-Review)
    - CWE-276:Incorrect Default Permissions (Allowed)
    - CWE-277:Insecure Inherited Permissions (Allowed)
    - CWE-278:Insecure Preserved Inherited Permissions (Allowed)
    - CWE-279:Incorrect Execution-Assigned Permissions (Allowed)
    - CWE-281:Improper Preservation of Permissions (Allowed)
    - CWE-766:Critical Data Element Declared Public (Allowed)
    - CWE-1004:Sensitive Cookie Without 'HttpOnly' Flag (Allowed)
  - CWE-767:Access to Critical Private Variable via Public Method (Allowed)
  - CWE-927:Use of Implicit Intent for Sensitive Communication (Allowed)
  - CWE-1189:Improper Isolation of Shared Resources on System-on-a-Chip (SoC) (Allowed)
    - CWE-1303:Non-Transparent Sharing of Microarchitectural Resources (Allowed)
  - CWE-1282:Assumed-Immutable Data is Stored in Writable Memory (Allowed)
  - CWE-1327:Binding to an Unrestricted IP Address (Allowed)
  - CWE-1331:Improper Isolation of Shared Resources in Network On Chip (NoC) (Allowed)
- CWE-669:Incorrect Resource Transfer Between Spheres (Allowed-with-Review)
  - CWE-212:Improper Removal of Sensitive Information Before Storage or Transfer (Allowed)
    - CWE-226:Sensitive Information in Resource Not Removed Before Reuse (Allowed)
      - CWE-244:Improper Clearing of Heap Memory Before Release ('Heap Inspection') (Allowed)
      - CWE-1239:Improper Zeroization of Hardware Register (Allowed)
      - CWE-1272:Sensitive Information Uncleared Before Debug/Power State Transition (Allowed)
      - CWE-1301:Insufficient or Incomplete Data Removal within Hardware Component (Allowed)
        
        CWE-1330:Remanent Data Readable after Memory Erase (Allowed)
      - CWE-1342:Information Exposure through Microarchitectural State after Transient Execution (Allowed)
    - CWE-1258:Exposure of Sensitive System Information Due to Uncleared Debug Information (Allowed)
  - CWE-243:Creation of chroot Jail Without Changing Working Directory (Allowed)
  - CWE-434:Unrestricted Upload of File with Dangerous Type (Allowed)
  - CWE-494:Download of Code Without Integrity Check (Allowed)
  - CWE-565:Reliance on Cookies without Validation and Integrity Checking (Allowed)
    - CWE-784:Reliance on Cookies without Validation and Integrity Checking in a Security Decision (Allowed)
  - CWE-829:Inclusion of Functionality from Untrusted Control Sphere (Allowed)
    - CWE-98:Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') (Allowed)
    - CWE-827:Improper Control of Document Type Definition (Allowed)
    - CWE-830:Inclusion of Web Functionality from an Untrusted Source (Allowed)
  - CWE-1420:Exposure of Sensitive Information during Transient Execution (Allowed-with-Review)
    - CWE-1421:Exposure of Sensitive Information in Shared Microarchitectural Structures during Transient Execution (Allowed)
    - CWE-1422:Exposure of Sensitive Information caused by Incorrect Data Forwarding during Transient Execution (Allowed)
    - CWE-1423:Exposure of Sensitive Information caused by Shared Microarchitectural Predictor State that Influences Transient Execution (Allowed)
- CWE-673:External Influence of Sphere Definition (Allowed-with-Review)
  - CWE-426:Untrusted Search Path (Allowed-with-Review)
- CWE-704:Incorrect Type Conversion or Cast (Allowed-with-Review)
  - CWE-588:Attempt to Access Child of a Non-structure Pointer (Allowed)
  - CWE-681:Incorrect Conversion between Numeric Types (Allowed)
    - CWE-192:Integer Coercion Error (Allowed)
    - CWE-194:Unexpected Sign Extension (Allowed)
    - CWE-195:Signed to Unsigned Conversion Error (Allowed)
    - CWE-196:Unsigned to Signed Conversion Error (Allowed)
    - CWE-197:Numeric Truncation Error (Allowed)
  - CWE-843:Access of Resource Using Incompatible Type ('Type Confusion') (Allowed)
  - CWE-1389:Incorrect Parsing of Numbers with Different Radices (Allowed)
- CWE-706:Use of Incorrectly-Resolved Name or Reference (Allowed-with-Review)
  - CWE-22:Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (Allowed-with-Review)
    - CWE-23:Relative Path Traversal (Allowed)
      - CWE-24:Path Traversal: '../filedir' (Allowed)
      - CWE-25:Path Traversal: '/../filedir' (Allowed)
      - CWE-26:Path Traversal: '/dir/../filename' (Allowed)
      - CWE-27:Path Traversal: 'dir/../../filename' (Allowed)
      - CWE-28:Path Traversal: '..\filedir' (Allowed)
      - CWE-29:Path Traversal: '\..\filename' (Allowed)
      - CWE-30:Path Traversal: '\dir\..\filename' (Allowed)
      - CWE-31:Path Traversal: 'dir\..\..\filename' (Allowed)
      - CWE-32:Path Traversal: '...' (Triple Dot) (Allowed)
      - CWE-33:Path Traversal: '....' (Multiple Dot) (Allowed)
      - CWE-34:Path Traversal: '....//' (Allowed)
      - CWE-35:Path Traversal: '.../...//' (Allowed)
    - CWE-36:Absolute Path Traversal (Allowed)
      - CWE-37:Path Traversal: '/absolute/pathname/here' (Allowed)
      - CWE-38:Path Traversal: '\absolute\pathname\here' (Allowed)
      - CWE-39:Path Traversal: 'C:dirname' (Allowed)
      - CWE-40:Path Traversal: '\\UNC\share\name\' (Windows UNC Share) (Allowed)
  - CWE-41:Improper Resolution of Path Equivalence (Allowed)
    - CWE-42:Path Equivalence: 'filename.' (Trailing Dot) (Allowed)
      - CWE-43:Path Equivalence: 'filename....' (Multiple Trailing Dot) (Allowed)
    - CWE-44:Path Equivalence: 'file.name' (Internal Dot) (Allowed)
      - CWE-45:Path Equivalence: 'file...name' (Multiple Internal Dot) (Allowed)
    - CWE-46:Path Equivalence: 'filename ' (Trailing Space) (Allowed)
    - CWE-47:Path Equivalence: ' filename' (Leading Space) (Allowed)
    - CWE-48:Path Equivalence: 'file name' (Internal Whitespace) (Allowed)
    - CWE-49:Path Equivalence: 'filename/' (Trailing Slash) (Allowed)
    - CWE-50:Path Equivalence: '//multiple/leading/slash' (Allowed)
    - CWE-51:Path Equivalence: '/multiple//internal/slash' (Allowed)
    - CWE-52:Path Equivalence: '/multiple/trailing/slash//' (Allowed)
    - CWE-53:Path Equivalence: '\multiple\\internal\backslash' (Allowed)
    - CWE-54:Path Equivalence: 'filedir\' (Trailing Backslash) (Allowed)
    - CWE-55:Path Equivalence: '/./' (Single Dot Directory) (Allowed)
    - CWE-56:Path Equivalence: 'filedir*' (Wildcard) (Allowed)
    - CWE-57:Path Equivalence: 'fakedir/../realdir/filename' (Allowed)
    - CWE-58:Path Equivalence: Windows 8.3 Filename (Allowed)
  - CWE-59:Improper Link Resolution Before File Access ('Link Following') (Allowed)
    - CWE-61:UNIX Symbolic Link (Symlink) Following (Allowed)
    - CWE-62:UNIX Hard Link (Allowed)
    - CWE-64:Windows Shortcut Following (.LNK) (Allowed)
    - CWE-65:Windows Hard Link (Allowed)
    - CWE-1386:Insecure Operation on Windows Junction / Mount Point (Allowed)
  - CWE-66:Improper Handling of File Names that Identify Virtual Resources (Allowed)
    - CWE-67:Improper Handling of Windows Device Names (Allowed)
    - CWE-69:Improper Handling of Windows ::DATA Alternate Data Stream (Allowed)
    - CWE-72:Improper Handling of Apple HFS+ Alternate Data Stream Path (Allowed)
  - CWE-98:Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') (Allowed)
  - CWE-178:Improper Handling of Case Sensitivity (Allowed)
  - CWE-386:Symbolic Name not Mapping to Correct Object (Allowed)
  - CWE-827:Improper Control of Document Type Definition (Allowed)
- CWE-911:Improper Update of Reference Count (Allowed)
- CWE-913:Improper Control of Dynamically-Managed Code Resources (Allowed-with-Review)
  - CWE-94:Improper Control of Generation of Code ('Code Injection') (Allowed-with-Review)
    - CWE-95:Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') (Allowed)
    - CWE-96:Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection') (Allowed)
      - CWE-97:Improper Neutralization of Server-Side Includes (SSI) Within a Web Page (Allowed)
    - CWE-1336:Improper Neutralization of Special Elements Used in a Template Engine (Allowed)
  - CWE-470:Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') (Allowed)
  - CWE-502:Deserialization of Untrusted Data (Allowed)
  - CWE-914:Improper Control of Dynamically-Identified Variables (Allowed)
    - CWE-621:Variable Extraction Error (Allowed)
    - CWE-627:Dynamic Variable Evaluation (Allowed)
  - CWE-915:Improperly Controlled Modification of Dynamically-Determined Object Attributes (Allowed)
    - CWE-1321:Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') (Allowed)
  - CWE-1321:Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') (Allowed)
- CWE-922:Insecure Storage of Sensitive Information (Allowed-with-Review)
  - CWE-312:Cleartext Storage of Sensitive Information (Allowed)
    - CWE-313:Cleartext Storage in a File or on Disk (Allowed)
    - CWE-314:Cleartext Storage in the Registry (Allowed)
    - CWE-315:Cleartext Storage of Sensitive Information in a Cookie (Allowed)
    - CWE-316:Cleartext Storage of Sensitive Information in Memory (Allowed)
    - CWE-317:Cleartext Storage of Sensitive Information in GUI (Allowed)
    - CWE-318:Cleartext Storage of Sensitive Information in Executable (Allowed)
    - CWE-526:Cleartext Storage of Sensitive Information in an Environment Variable (Allowed)
  - CWE-921:Storage of Sensitive Data in a Mechanism without Access Control (Allowed)
- CWE-1229:Creation of Emergent Resource (Allowed-with-Review)
  - CWE-514:Covert Channel (Allowed-with-Review)
    - CWE-385:Covert Timing Channel (Allowed)
    - CWE-515:Covert Storage Channel (Allowed)
- CWE-1250:Improper Preservation of Consistency Between Independent Representations of Shared State (Allowed)
  - CWE-1249:Application-Level Admin Tool with Inconsistent View of Underlying Operating System (Allowed)
  - CWE-1251:Mirrored Regions with Different Values (Allowed)
- CWE-1329:Reliance on Component That is Not Updateable (Allowed)
  - CWE-1277:Firmware Not Updateable (Allowed)
  - CWE-1310:Missing Ability to Patch ROM Code (Allowed)
CWE-682:Incorrect Calculation (Discouraged)
- CWE-128:Wrap-around Error (Allowed)
- CWE-131:Incorrect Calculation of Buffer Size (Allowed)
  - CWE-467:Use of sizeof() on a Pointer Type (Allowed)
- CWE-135:Incorrect Calculation of Multi-Byte String Length (Allowed)
- CWE-190:Integer Overflow or Wraparound (Allowed)
  - CWE-680:Integer Overflow to Buffer Overflow (Discouraged)
- CWE-191:Integer Underflow (Wrap or Wraparound) (Allowed)
- CWE-193:Off-by-one Error (Allowed)
- CWE-369:Divide By Zero (Allowed)
- CWE-468:Incorrect Pointer Scaling (Allowed)
- CWE-469:Use of Pointer Subtraction to Determine Size (Allowed)
- CWE-1335:Incorrect Bitwise Shift of Integer (Allowed)
- CWE-1339:Insufficient Precision or Accuracy of a Real Number (Allowed)
CWE-691:Insufficient Control Flow Management (Discouraged)
- CWE-430:Deployment of Wrong Handler (Allowed)
- CWE-431:Missing Handler (Allowed)
- CWE-662:Improper Synchronization (Discouraged)
  - CWE-362:Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') (Allowed-with-Review)
    - CWE-364:Signal Handler Race Condition (Allowed)
      - CWE-432:Dangerous Signal Handler not Disabled During Sensitive Operations (Allowed)
      - CWE-828:Signal Handler with Functionality that is not Asynchronous-Safe (Allowed)
        
        CWE-479:Signal Handler Use of a Non-reentrant Function (Allowed)
      - CWE-831:Signal Handler Function Associated with Multiple Signals (Allowed)
    - CWE-366:Race Condition within a Thread (Allowed)
    - CWE-367:Time-of-check Time-of-use (TOCTOU) Race Condition (Allowed)
      - CWE-363:Race Condition Enabling Link Following (Allowed)
    - CWE-368:Context Switching Race Condition (Allowed)
    - CWE-421:Race Condition During Access to Alternate Channel (Allowed)
    - CWE-689:Permission Race Condition During Resource Copy (Allowed)
    - CWE-1223:Race Condition for Write-Once Attributes (Allowed)
    - CWE-1298:Hardware Logic Contains Race Conditions (Allowed)
  - CWE-366:Race Condition within a Thread (Allowed)
  - CWE-543:Use of Singleton Pattern Without Synchronization in a Multithreaded Context (Allowed)
  - CWE-567:Unsynchronized Access to Shared Data in a Multithreaded Context (Allowed)
  - CWE-663:Use of a Non-reentrant Function in a Concurrent Context (Allowed)
    - CWE-479:Signal Handler Use of a Non-reentrant Function (Allowed)
    - CWE-558:Use of getlogin() in Multithreaded Application (Allowed)
  - CWE-667:Improper Locking (Allowed-with-Review)
    - CWE-412:Unrestricted Externally Accessible Lock (Allowed)
    - CWE-413:Improper Resource Locking (Allowed)
      - CWE-591:Sensitive Data Storage in Improperly Locked Memory (Allowed)
    - CWE-414:Missing Lock Check (Allowed)
    - CWE-609:Double-Checked Locking (Allowed)
    - CWE-764:Multiple Locks of a Critical Resource (Allowed)
    - CWE-765:Multiple Unlocks of a Critical Resource (Allowed)
    - CWE-832:Unlock of a Resource that is not Locked (Allowed)
    - CWE-833:Deadlock (Allowed)
    - CWE-1232:Improper Lock Behavior After Power State Transition (Allowed)
    - CWE-1233:Security-Sensitive Hardware Controls with Missing Lock Bit Protection (Allowed)
    - CWE-1234:Hardware Internal or Debug Modes Allow Override of Locks (Allowed)
  - CWE-764:Multiple Locks of a Critical Resource (Allowed)
  - CWE-820:Missing Synchronization (Allowed)
    - CWE-543:Use of Singleton Pattern Without Synchronization in a Multithreaded Context (Allowed)
    - CWE-567:Unsynchronized Access to Shared Data in a Multithreaded Context (Allowed)
    - CWE-1096:Singleton Class Instance Creation without Proper Locking or Synchronization (Allowed)
  - CWE-821:Incorrect Synchronization (Allowed)
    - CWE-572:Call to Thread run() instead of start() (Allowed)
    - CWE-574:EJB Bad Practices: Use of Synchronization Primitives (Allowed)
    - CWE-1088:Synchronous Access of Remote Resource without Timeout (Allowed)
    - CWE-1264:Hardware Logic with Insecure De-Synchronization between Control and Data Channels (Allowed)
  - CWE-833:Deadlock (Allowed)
  - CWE-1058:Invokable Control Element in Multi-Thread Context with non-Final Static Storable or Member Element (Allowed)
  - CWE-1096:Singleton Class Instance Creation without Proper Locking or Synchronization (Allowed)
  - CWE-1265:Unintended Reentrant Invocation of Non-reentrant Code Via Nested Calls (Allowed)
- CWE-670:Always-Incorrect Control Flow Implementation (Allowed-with-Review)
  - CWE-480:Use of Incorrect Operator (Allowed)
    - CWE-481:Assigning instead of Comparing (Allowed)
    - CWE-482:Comparing instead of Assigning (Allowed)
    - CWE-597:Use of Wrong Operator in String Comparison (Allowed)
  - CWE-483:Incorrect Block Delimitation (Allowed)
  - CWE-484:Omitted Break Statement in Switch (Allowed)
  - CWE-617:Reachable Assertion (Allowed)
  - CWE-698:Execution After Redirect (EAR) (Allowed)
  - CWE-783:Operator Precedence Logic Error (Allowed)
- CWE-696:Incorrect Behavior Order (Allowed-with-Review)
  - CWE-179:Incorrect Behavior Order: Early Validation (Allowed)
    - CWE-180:Incorrect Behavior Order: Validate Before Canonicalize (Allowed)
      - CWE-647:Use of Non-Canonical URL Paths for Authorization Decisions (Allowed)
    - CWE-181:Incorrect Behavior Order: Validate Before Filter (Allowed)
  - CWE-408:Incorrect Behavior Order: Early Amplification (Allowed)
  - CWE-551:Incorrect Behavior Order: Authorization Before Parsing and Canonicalization (Allowed)
  - CWE-1190:DMA Device Enabled Too Early in Boot Phase (Allowed)
  - CWE-1193:Power-On of Untrusted Execution Core Before Enabling Fabric Access Control (Allowed)
  - CWE-1279:Cryptographic Operations are run Before Supporting Units are Ready (Allowed)
  - CWE-1280:Access Control Check Implemented After Asset is Accessed (Allowed)
- CWE-705:Incorrect Control Flow Scoping (Allowed-with-Review)
  - CWE-248:Uncaught Exception (Allowed)
    - CWE-600:Uncaught Exception in Servlet (Allowed)
  - CWE-382:J2EE Bad Practices: Use of System.exit() (Allowed)
  - CWE-395:Use of NullPointerException Catch to Detect NULL Pointer Dereference (Allowed)
  - CWE-396:Declaration of Catch for Generic Exception (Allowed)
  - CWE-397:Declaration of Throws for Generic Exception (Allowed)
  - CWE-455:Non-exit on Failed Initialization (Allowed)
  - CWE-584:Return Inside Finally Block (Allowed)
  - CWE-617:Reachable Assertion (Allowed)
  - CWE-698:Execution After Redirect (EAR) (Allowed)
- CWE-768:Incorrect Short Circuit Evaluation (Allowed)
- CWE-799:Improper Control of Interaction Frequency (Allowed-with-Review)
  - CWE-307:Improper Restriction of Excessive Authentication Attempts (Allowed)
  - CWE-837:Improper Enforcement of a Single, Unique Action (Allowed)
- CWE-834:Excessive Iteration (Discouraged)
  - CWE-674:Uncontrolled Recursion (Allowed-with-Review)
    - CWE-776:Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion') (Allowed)
  - CWE-835:Loop with Unreachable Exit Condition ('Infinite Loop') (Allowed)
  - CWE-1322:Use of Blocking Code in Single-threaded, Non-blocking Context (Allowed)
- CWE-841:Improper Enforcement of Behavioral Workflow (Allowed)
- CWE-1281:Sequence of Processor Instructions Leads to Unexpected Behavior (Allowed)
CWE-693:Protection Mechanism Failure (Discouraged)
- CWE-184:Incomplete List of Disallowed Inputs (Allowed)
  - CWE-692:Incomplete Denylist to Cross-Site Scripting (Discouraged)
- CWE-311:Missing Encryption of Sensitive Data (Discouraged)
  - CWE-312:Cleartext Storage of Sensitive Information (Allowed)
    - CWE-313:Cleartext Storage in a File or on Disk (Allowed)
    - CWE-314:Cleartext Storage in the Registry (Allowed)
    - CWE-315:Cleartext Storage of Sensitive Information in a Cookie (Allowed)
    - CWE-316:Cleartext Storage of Sensitive Information in Memory (Allowed)
    - CWE-317:Cleartext Storage of Sensitive Information in GUI (Allowed)
    - CWE-318:Cleartext Storage of Sensitive Information in Executable (Allowed)
    - CWE-526:Cleartext Storage of Sensitive Information in an Environment Variable (Allowed)
  - CWE-319:Cleartext Transmission of Sensitive Information (Allowed)
    - CWE-5:J2EE Misconfiguration: Data Transmission Without Encryption (Allowed)
    - CWE-614:Sensitive Cookie in HTTPS Session Without 'Secure' Attribute (Allowed)
    - CWE-1428:Reliance on HTTP instead of HTTPS (Allowed)
- CWE-326:Inadequate Encryption Strength (Allowed-with-Review)
  - CWE-328:Use of Weak Hash (Allowed)
    - CWE-916:Use of Password Hash With Insufficient Computational Effort (Allowed)
      - CWE-759:Use of a One-Way Hash without a Salt (Allowed)
      - CWE-760:Use of a One-Way Hash with a Predictable Salt (Allowed)
- CWE-327:Use of a Broken or Risky Cryptographic Algorithm (Allowed-with-Review)
  - CWE-328:Use of Weak Hash (Allowed)
    - CWE-916:Use of Password Hash With Insufficient Computational Effort (Allowed)
      - CWE-759:Use of a One-Way Hash without a Salt (Allowed)
      - CWE-760:Use of a One-Way Hash with a Predictable Salt (Allowed)
  - CWE-780:Use of RSA Algorithm without OAEP (Allowed)
  - CWE-916:Use of Password Hash With Insufficient Computational Effort (Allowed)
    - CWE-759:Use of a One-Way Hash without a Salt (Allowed)
    - CWE-760:Use of a One-Way Hash with a Predictable Salt (Allowed)
  - CWE-1240:Use of a Cryptographic Primitive with a Risky Implementation (Allowed)
    - CWE-325:Missing Cryptographic Step (Allowed)
- CWE-330:Use of Insufficiently Random Values (Discouraged)
  - CWE-331:Insufficient Entropy (Allowed)
    - CWE-332:Insufficient Entropy in PRNG (Allowed)
    - CWE-333:Improper Handling of Insufficient Entropy in TRNG (Allowed)
  - CWE-334:Small Space of Random Values (Allowed)
    - CWE-6:J2EE Misconfiguration: Insufficient Session-ID Length (Allowed)
  - CWE-335:Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG) (Allowed)
    - CWE-336:Same Seed in Pseudo-Random Number Generator (PRNG) (Allowed)
    - CWE-337:Predictable Seed in Pseudo-Random Number Generator (PRNG) (Allowed)
    - CWE-339:Small Seed Space in PRNG (Allowed)
  - CWE-338:Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) (Allowed)
  - CWE-340:Generation of Predictable Numbers or Identifiers (Allowed-with-Review)
    - CWE-341:Predictable from Observable State (Allowed)
    - CWE-342:Predictable Exact Value from Previous Values (Allowed)
    - CWE-343:Predictable Value Range from Previous Values (Allowed)
  - CWE-344:Use of Invariant Value in Dynamically Changing Context (Allowed)
    - CWE-323:Reusing a Nonce, Key Pair in Encryption (Allowed)
    - CWE-587:Assignment of a Fixed Address to a Pointer (Allowed)
    - CWE-798:Use of Hard-coded Credentials (Allowed-with-Review)
      - CWE-259:Use of Hard-coded Password (Allowed)
      - CWE-321:Use of Hard-coded Cryptographic Key (Allowed)
    - CWE-1188:Initialization of a Resource with an Insecure Default (Allowed)
      - CWE-453:Insecure Default Variable Initialization (Allowed)
  - CWE-1204:Generation of Weak Initialization Vector (IV) (Allowed)
    - CWE-329:Generation of Predictable IV with CBC Mode (Allowed)
  - CWE-1241:Use of Predictable Algorithm in Random Number Generator (Allowed)
- CWE-345:Insufficient Verification of Data Authenticity (Discouraged)
  - CWE-346:Origin Validation Error (Allowed-with-Review)
    - CWE-940:Improper Verification of Source of a Communication Channel (Allowed)
      - CWE-925:Improper Verification of Intent by Broadcast Receiver (Allowed)
      - CWE-939:Improper Authorization in Handler for Custom URL Scheme (Allowed)
    - CWE-1385:Missing Origin Validation in WebSockets (Allowed)
  - CWE-347:Improper Verification of Cryptographic Signature (Allowed)
  - CWE-348:Use of Less Trusted Source (Allowed)
  - CWE-349:Acceptance of Extraneous Untrusted Data With Trusted Data (Allowed)
  - CWE-351:Insufficient Type Distinction (Allowed)
  - CWE-352:Cross-Site Request Forgery (CSRF) (Allowed)
  - CWE-353:Missing Support for Integrity Check (Allowed)
  - CWE-354:Improper Validation of Integrity Check Value (Allowed)
  - CWE-360:Trust of System Event Data (Allowed)
    - CWE-422:Unprotected Windows Messaging Channel ('Shatter') (Allowed)
  - CWE-494:Download of Code Without Integrity Check (Allowed)
  - CWE-616:Incomplete Identification of Uploaded File Variables (PHP) (Allowed)
  - CWE-646:Reliance on File Name or Extension of Externally-Supplied File (Allowed)
  - CWE-649:Reliance on Obfuscation or Encryption of Security-Relevant Inputs without Integrity Checking (Allowed)
  - CWE-924:Improper Enforcement of Message Integrity During Transmission in a Communication Channel (Allowed)
  - CWE-1293:Missing Source Correlation of Multiple Independent Data (Allowed)
- CWE-357:Insufficient UI Warning of Dangerous Operations (Allowed)
  - CWE-450:Multiple Interpretations of UI Input (Allowed)
- CWE-358:Improperly Implemented Security Check for Standard (Allowed)
- CWE-424:Improper Protection of Alternate Path (Allowed-with-Review)
  - CWE-425:Direct Request ('Forced Browsing') (Allowed)
- CWE-602:Client-Side Enforcement of Server-Side Security (Allowed-with-Review)
  - CWE-565:Reliance on Cookies without Validation and Integrity Checking (Allowed)
    - CWE-784:Reliance on Cookies without Validation and Integrity Checking in a Security Decision (Allowed)
  - CWE-603:Use of Client-Side Authentication (Allowed)
- CWE-653:Improper Isolation or Compartmentalization (Allowed)
  - CWE-1189:Improper Isolation of Shared Resources on System-on-a-Chip (SoC) (Allowed)
    - CWE-1303:Non-Transparent Sharing of Microarchitectural Resources (Allowed)
  - CWE-1331:Improper Isolation of Shared Resources in Network On Chip (NoC) (Allowed)
- CWE-654:Reliance on a Single Factor in a Security Decision (Allowed)
  - CWE-308:Use of Single-factor Authentication (Allowed)
  - CWE-309:Use of Password System for Primary Authentication (Allowed)
- CWE-655:Insufficient Psychological Acceptability (Allowed-with-Review)
- CWE-656:Reliance on Security Through Obscurity (Allowed-with-Review)
- CWE-757:Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade') (Allowed)
- CWE-807:Reliance on Untrusted Inputs in a Security Decision (Allowed)
  - CWE-302:Authentication Bypass by Assumed-Immutable Data (Allowed)
  - CWE-350:Reliance on Reverse DNS Resolution for a Security-Critical Action (Allowed)
  - CWE-784:Reliance on Cookies without Validation and Integrity Checking in a Security Decision (Allowed)
- CWE-1039:Inadequate Detection or Handling of Adversarial Input Perturbations in Automated Recognition Mechanism (Allowed-with-Review)
- CWE-1248:Semiconductor Defects in Hardware Logic with Security-Sensitive Implications (Allowed)
- CWE-1253:Incorrect Selection of Fuse Values (Allowed)
- CWE-1269:Product Released in Non-Release Configuration (Allowed)
- CWE-1278:Missing Protection Against Hardware Reverse Engineering Using Integrated Circuit (IC) Imaging Techniques (Allowed)
- CWE-1291:Public Key Re-Use for Signing both Debug and Production Code (Allowed)
- CWE-1318:Missing Support for Security Features in On-chip Fabrics or Buses (Allowed)
- CWE-1319:Improper Protection against Electromagnetic Fault Injection (EM-FI) (Allowed)
- CWE-1326:Missing Immutable Root of Trust in Hardware (Allowed)
- CWE-1338:Improper Protections Against Hardware Overheating (Allowed)
CWE-697:Incorrect Comparison (Discouraged)
- CWE-183:Permissive List of Allowed Inputs (Allowed)
  - CWE-942:Permissive Cross-domain Security Policy with Untrusted Domains (Allowed)
- CWE-185:Incorrect Regular Expression (Allowed-with-Review)
  - CWE-186:Overly Restrictive Regular Expression (Allowed)
  - CWE-625:Permissive Regular Expression (Allowed)
    - CWE-777:Regular Expression without Anchors (Allowed)
- CWE-581:Object Model Violation: Just One of Equals and Hashcode Defined (Allowed)
- CWE-1023:Incomplete Comparison with Missing Factors (Allowed-with-Review)
  - CWE-184:Incomplete List of Disallowed Inputs (Allowed)
    - CWE-692:Incomplete Denylist to Cross-Site Scripting (Discouraged)
  - CWE-187:Partial String Comparison (Allowed)
  - CWE-478:Missing Default Case in Multiple Condition Expression (Allowed)
  - CWE-839:Numeric Range Comparison Without Minimum Check (Allowed)
- CWE-1024:Comparison of Incompatible Types (Allowed)
- CWE-1025:Comparison Using Wrong Factors (Allowed)
  - CWE-486:Comparison of Classes by Name (Allowed)
  - CWE-595:Comparison of Object References Instead of Object Contents (Allowed)
    - CWE-597:Use of Wrong Operator in String Comparison (Allowed)
    - CWE-1097:Persistent Storable Data Element without Associated Comparison Control Element (Prohibited)
- CWE-1039:Inadequate Detection or Handling of Adversarial Input Perturbations in Automated Recognition Mechanism (Allowed-with-Review)
- CWE-1077:Floating Point Comparison with Incorrect Operator (Allowed)
- CWE-1254:Incorrect Comparison Logic Granularity (Allowed)
CWE-703:Improper Check or Handling of Exceptional Conditions (Discouraged)
- CWE-228:Improper Handling of Syntactically Invalid Structure (Allowed-with-Review)
  - CWE-166:Improper Handling of Missing Special Element (Allowed)
  - CWE-167:Improper Handling of Additional Special Element (Allowed)
  - CWE-168:Improper Handling of Inconsistent Special Elements (Allowed)
  - CWE-229:Improper Handling of Values (Allowed)
    - CWE-230:Improper Handling of Missing Values (Allowed)
    - CWE-231:Improper Handling of Extra Values (Allowed)
    - CWE-232:Improper Handling of Undefined Values (Allowed)
  - CWE-233:Improper Handling of Parameters (Allowed)
    - CWE-234:Failure to Handle Missing Parameter (Discouraged)
    - CWE-235:Improper Handling of Extra Parameters (Allowed)
    - CWE-236:Improper Handling of Undefined Parameters (Allowed)
  - CWE-237:Improper Handling of Structural Elements (Allowed)
    - CWE-238:Improper Handling of Incomplete Structural Elements (Allowed)
    - CWE-239:Failure to Handle Incomplete Element (Allowed)
    - CWE-240:Improper Handling of Inconsistent Structural Elements (Allowed)
      - CWE-130:Improper Handling of Length Parameter Inconsistency (Allowed)
  - CWE-241:Improper Handling of Unexpected Data Type (Allowed)
- CWE-248:Uncaught Exception (Allowed)
  - CWE-600:Uncaught Exception in Servlet (Allowed)
- CWE-391:Unchecked Error Condition (Prohibited)
- CWE-392:Missing Report of Error Condition (Allowed)
- CWE-393:Return of Wrong Status Code (Allowed)
- CWE-397:Declaration of Throws for Generic Exception (Allowed)
- CWE-754:Improper Check for Unusual or Exceptional Conditions (Allowed-with-Review)
  - CWE-252:Unchecked Return Value (Allowed)
    - CWE-690:Unchecked Return Value to NULL Pointer Dereference (Discouraged)
  - CWE-253:Incorrect Check of Function Return Value (Allowed)
  - CWE-273:Improper Check for Dropped Privileges (Allowed)
  - CWE-354:Improper Validation of Integrity Check Value (Allowed)
  - CWE-391:Unchecked Error Condition (Prohibited)
  - CWE-394:Unexpected Status Code or Return Value (Allowed)
  - CWE-476:NULL Pointer Dereference (Allowed)
- CWE-755:Improper Handling of Exceptional Conditions (Discouraged)
  - CWE-209:Generation of Error Message Containing Sensitive Information (Allowed)
    - CWE-210:Self-generated Error Message Containing Sensitive Information (Allowed)
    - CWE-211:Externally-Generated Error Message Containing Sensitive Information (Allowed)
      - CWE-535:Exposure of Information Through Shell Error Message (Allowed)
      - CWE-536:Servlet Runtime Error Message Containing Sensitive Information (Allowed)
      - CWE-537:Java Runtime Error Message Containing Sensitive Information (Allowed)
    - CWE-550:Server-generated Error Message Containing Sensitive Information (Allowed)
  - CWE-248:Uncaught Exception (Allowed)
    - CWE-600:Uncaught Exception in Servlet (Allowed)
  - CWE-274:Improper Handling of Insufficient Privileges (Discouraged)
  - CWE-280:Improper Handling of Insufficient Permissions or Privileges (Allowed)
  - CWE-333:Improper Handling of Insufficient Entropy in TRNG (Allowed)
  - CWE-390:Detection of Error Condition Without Action (Allowed)
  - CWE-392:Missing Report of Error Condition (Allowed)
  - CWE-395:Use of NullPointerException Catch to Detect NULL Pointer Dereference (Allowed)
  - CWE-396:Declaration of Catch for Generic Exception (Allowed)
  - CWE-460:Improper Cleanup on Thrown Exception (Allowed)
  - CWE-544:Missing Standardized Error Handling Mechanism (Allowed)
  - CWE-636:Not Failing Securely ('Failing Open') (Allowed-with-Review)
    - CWE-455:Non-exit on Failed Initialization (Allowed)
  - CWE-756:Missing Custom Error Page (Allowed)
    - CWE-7:J2EE Misconfiguration: Missing Custom Error Page (Allowed)
    - CWE-12:ASP.NET Misconfiguration: Missing Custom Error Page (Allowed)
- CWE-1384:Improper Handling of Physical or Environmental Conditions (Allowed-with-Review)
  - CWE-1247:Improper Protection Against Voltage and Clock Glitches (Allowed)
  - CWE-1261:Improper Handling of Single Event Upsets (Allowed)
  - CWE-1332:Improper Handling of Faults that Lead to Instruction Skips (Allowed)
  - CWE-1351:Improper Handling of Hardware Behavior in Exceptionally Cold Environments (Allowed)
CWE-707:Improper Neutralization (Discouraged)
- CWE-20:Improper Input Validation (Discouraged)
  - CWE-15:External Control of System or Configuration Setting (Allowed)
  - CWE-73:External Control of File Name or Path (Allowed)
    - CWE-114:Process Control (Discouraged)
  - CWE-102:Struts: Duplicate Validation Forms (Allowed)
  - CWE-103:Struts: Incomplete validate() Method Definition (Allowed)
  - CWE-104:Struts: Form Bean Does Not Extend Validation Class (Allowed)
  - CWE-105:Struts: Form Field Without Validator (Allowed)
  - CWE-106:Struts: Plug-in Framework not in Use (Allowed)
  - CWE-107:Struts: Unused Validation Form (Allowed)
  - CWE-108:Struts: Unvalidated Action Form (Allowed)
  - CWE-109:Struts: Validator Turned Off (Allowed)
  - CWE-110:Struts: Validator Without Form Field (Allowed)
  - CWE-111:Direct Use of Unsafe JNI (Allowed)
  - CWE-112:Missing XML Validation (Allowed)
  - CWE-113:Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') (Allowed)
  - CWE-114:Process Control (Discouraged)
  - CWE-117:Improper Output Neutralization for Logs (Allowed)
  - CWE-119:Improper Restriction of Operations within the Bounds of a Memory Buffer (Discouraged)
    - CWE-120:Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') (Allowed-with-Review)
      - CWE-785:Use of Path Manipulation Function without Maximum-sized Buffer (Allowed)
    - CWE-123:Write-what-where Condition (Allowed)
    - CWE-125:Out-of-bounds Read (Allowed)
      - CWE-126:Buffer Over-read (Allowed)
      - CWE-127:Buffer Under-read (Allowed)
    - CWE-130:Improper Handling of Length Parameter Inconsistency (Allowed)
    - CWE-466:Return of Pointer Value Outside of Expected Range (Allowed)
    - CWE-786:Access of Memory Location Before Start of Buffer (Discouraged)
      - CWE-124:Buffer Underwrite ('Buffer Underflow') (Allowed)
      - CWE-127:Buffer Under-read (Allowed)
    - CWE-787:Out-of-bounds Write (Allowed)
      - CWE-120:Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') (Allowed-with-Review)
        
        CWE-785:Use of Path Manipulation Function without Maximum-sized Buffer (Allowed)
      - CWE-121:Stack-based Buffer Overflow (Allowed)
      - CWE-122:Heap-based Buffer Overflow (Allowed)
      - CWE-123:Write-what-where Condition (Allowed)
      - CWE-124:Buffer Underwrite ('Buffer Underflow') (Allowed)
    - CWE-788:Access of Memory Location After End of Buffer (Discouraged)
      - CWE-121:Stack-based Buffer Overflow (Allowed)
      - CWE-122:Heap-based Buffer Overflow (Allowed)
      - CWE-126:Buffer Over-read (Allowed)
    - CWE-805:Buffer Access with Incorrect Length Value (Allowed)
      - CWE-806:Buffer Access Using Size of Source Buffer (Allowed)
    - CWE-822:Untrusted Pointer Dereference (Allowed)
    - CWE-823:Use of Out-of-range Pointer Offset (Allowed)
    - CWE-824:Access of Uninitialized Pointer (Allowed)
    - CWE-825:Expired Pointer Dereference (Allowed)
      - CWE-415:Double Free (Allowed)
      - CWE-416:Use After Free (Allowed)
  - CWE-120:Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') (Allowed-with-Review)
    - CWE-785:Use of Path Manipulation Function without Maximum-sized Buffer (Allowed)
  - CWE-129:Improper Validation of Array Index (Allowed)
  - CWE-134:Use of Externally-Controlled Format String (Allowed)
  - CWE-170:Improper Null Termination (Allowed)
  - CWE-179:Incorrect Behavior Order: Early Validation (Allowed)
    - CWE-180:Incorrect Behavior Order: Validate Before Canonicalize (Allowed)
      - CWE-647:Use of Non-Canonical URL Paths for Authorization Decisions (Allowed)
    - CWE-181:Incorrect Behavior Order: Validate Before Filter (Allowed)
  - CWE-190:Integer Overflow or Wraparound (Allowed)
    - CWE-680:Integer Overflow to Buffer Overflow (Discouraged)
  - CWE-466:Return of Pointer Value Outside of Expected Range (Allowed)
  - CWE-470:Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') (Allowed)
  - CWE-622:Improper Validation of Function Hook Arguments (Allowed)
  - CWE-785:Use of Path Manipulation Function without Maximum-sized Buffer (Allowed)
  - CWE-1173:Improper Use of Validation Framework (Allowed)
    - CWE-102:Struts: Duplicate Validation Forms (Allowed)
    - CWE-105:Struts: Form Field Without Validator (Allowed)
    - CWE-106:Struts: Plug-in Framework not in Use (Allowed)
    - CWE-108:Struts: Unvalidated Action Form (Allowed)
    - CWE-109:Struts: Validator Turned Off (Allowed)
    - CWE-554:ASP.NET Misconfiguration: Not Using Input Validation Framework (Allowed)
    - CWE-1174:ASP.NET Misconfiguration: Improper Model Validation (Allowed)
  - CWE-1284:Improper Validation of Specified Quantity in Input (Allowed)
    - CWE-606:Unchecked Input for Loop Condition (Allowed)
  - CWE-1285:Improper Validation of Specified Index, Position, or Offset in Input (Allowed)
    - CWE-129:Improper Validation of Array Index (Allowed)
    - CWE-781:Improper Address Validation in IOCTL with METHOD_NEITHER I/O Control Code (Allowed)
  - CWE-1286:Improper Validation of Syntactic Correctness of Input (Allowed)
    - CWE-112:Missing XML Validation (Allowed)
  - CWE-1287:Improper Validation of Specified Type of Input (Allowed)
  - CWE-1288:Improper Validation of Consistency within Input (Allowed)
  - CWE-1289:Improper Validation of Unsafe Equivalence in Input (Allowed)
- CWE-74:Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') (Discouraged)
  - CWE-75:Failure to Sanitize Special Elements into a Different Plane (Special Element Injection) (Discouraged)
    - CWE-76:Improper Neutralization of Equivalent Special Elements (Allowed)
  - CWE-77:Improper Neutralization of Special Elements used in a Command ('Command Injection') (Allowed-with-Review)
    - CWE-78:Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (Allowed)
    - CWE-88:Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') (Allowed)
    - CWE-624:Executable Regular Expression Error (Allowed)
    - CWE-917:Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection') (Allowed)
    - CWE-1427:Improper Neutralization of Input Used for LLM Prompting (Allowed)
  - CWE-78:Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (Allowed)
  - CWE-79:Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (Allowed)
    - CWE-80:Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) (Allowed)
    - CWE-81:Improper Neutralization of Script in an Error Message Web Page (Allowed)
    - CWE-83:Improper Neutralization of Script in Attributes in a Web Page (Allowed)
      - CWE-82:Improper Neutralization of Script in Attributes of IMG Tags in a Web Page (Allowed)
    - CWE-84:Improper Neutralization of Encoded URI Schemes in a Web Page (Allowed)
    - CWE-85:Doubled Character XSS Manipulations (Allowed)
    - CWE-86:Improper Neutralization of Invalid Characters in Identifiers in Web Pages (Allowed)
    - CWE-87:Improper Neutralization of Alternate XSS Syntax (Allowed)
  - CWE-88:Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') (Allowed)
  - CWE-89:Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') (Allowed)
    - CWE-564:SQL Injection: Hibernate (Allowed)
  - CWE-91:XML Injection (aka Blind XPath Injection) (Allowed)
    - CWE-643:Improper Neutralization of Data within XPath Expressions ('XPath Injection') (Allowed)
    - CWE-652:Improper Neutralization of Data within XQuery Expressions ('XQuery Injection') (Allowed)
  - CWE-93:Improper Neutralization of CRLF Sequences ('CRLF Injection') (Allowed)
    - CWE-113:Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') (Allowed)
  - CWE-94:Improper Control of Generation of Code ('Code Injection') (Allowed-with-Review)
    - CWE-95:Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') (Allowed)
    - CWE-96:Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection') (Allowed)
      - CWE-97:Improper Neutralization of Server-Side Includes (SSI) Within a Web Page (Allowed)
    - CWE-1336:Improper Neutralization of Special Elements Used in a Template Engine (Allowed)
  - CWE-99:Improper Control of Resource Identifiers ('Resource Injection') (Allowed-with-Review)
    - CWE-641:Improper Restriction of Names for Files and Other Resources (Allowed)
    - CWE-694:Use of Multiple Resources with Duplicate Identifier (Allowed)
      - CWE-102:Struts: Duplicate Validation Forms (Allowed)
      - CWE-462:Duplicate Key in Associative List (Alist) (Allowed)
    - CWE-914:Improper Control of Dynamically-Identified Variables (Allowed)
      - CWE-621:Variable Extraction Error (Allowed)
      - CWE-627:Dynamic Variable Evaluation (Allowed)
  - CWE-917:Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection') (Allowed)
  - CWE-943:Improper Neutralization of Special Elements in Data Query Logic (Allowed-with-Review)
    - CWE-89:Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') (Allowed)
      - CWE-564:SQL Injection: Hibernate (Allowed)
    - CWE-90:Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection') (Allowed)
    - CWE-643:Improper Neutralization of Data within XPath Expressions ('XPath Injection') (Allowed)
    - CWE-652:Improper Neutralization of Data within XQuery Expressions ('XQuery Injection') (Allowed)
  - CWE-1236:Improper Neutralization of Formula Elements in a CSV File (Allowed)
- CWE-116:Improper Encoding or Escaping of Output (Allowed-with-Review)
  - CWE-117:Improper Output Neutralization for Logs (Allowed)
  - CWE-644:Improper Neutralization of HTTP Headers for Scripting Syntax (Allowed)
  - CWE-838:Inappropriate Encoding for Output Context (Allowed)
- CWE-138:Improper Neutralization of Special Elements (Discouraged)
  - CWE-140:Improper Neutralization of Delimiters (Allowed)
    - CWE-141:Improper Neutralization of Parameter/Argument Delimiters (Allowed)
    - CWE-142:Improper Neutralization of Value Delimiters (Allowed)
    - CWE-143:Improper Neutralization of Record Delimiters (Allowed)
    - CWE-144:Improper Neutralization of Line Delimiters (Allowed)
    - CWE-145:Improper Neutralization of Section Delimiters (Allowed)
    - CWE-146:Improper Neutralization of Expression/Command Delimiters (Allowed)
  - CWE-147:Improper Neutralization of Input Terminators (Allowed)
    - CWE-626:Null Byte Interaction Error (Poison Null Byte) (Allowed)
  - CWE-148:Improper Neutralization of Input Leaders (Allowed)
  - CWE-149:Improper Neutralization of Quoting Syntax (Allowed)
  - CWE-150:Improper Neutralization of Escape, Meta, or Control Sequences (Allowed)
  - CWE-151:Improper Neutralization of Comment Delimiters (Allowed)
  - CWE-152:Improper Neutralization of Macro Symbols (Allowed)
  - CWE-153:Improper Neutralization of Substitution Characters (Allowed)
  - CWE-154:Improper Neutralization of Variable Name Delimiters (Allowed)
  - CWE-155:Improper Neutralization of Wildcards or Matching Symbols (Allowed)
    - CWE-56:Path Equivalence: 'filedir*' (Wildcard) (Allowed)
  - CWE-156:Improper Neutralization of Whitespace (Allowed)
  - CWE-157:Failure to Sanitize Paired Delimiters (Allowed)
  - CWE-158:Improper Neutralization of Null Byte or NUL Character (Allowed)
  - CWE-159:Improper Handling of Invalid Use of Special Elements (Allowed-with-Review)
    - CWE-166:Improper Handling of Missing Special Element (Allowed)
    - CWE-167:Improper Handling of Additional Special Element (Allowed)
    - CWE-168:Improper Handling of Inconsistent Special Elements (Allowed)
  - CWE-160:Improper Neutralization of Leading Special Elements (Allowed)
    - CWE-37:Path Traversal: '/absolute/pathname/here' (Allowed)
    - CWE-161:Improper Neutralization of Multiple Leading Special Elements (Allowed)
      - CWE-50:Path Equivalence: '//multiple/leading/slash' (Allowed)
  - CWE-162:Improper Neutralization of Trailing Special Elements (Allowed)
    - CWE-42:Path Equivalence: 'filename.' (Trailing Dot) (Allowed)
      - CWE-43:Path Equivalence: 'filename....' (Multiple Trailing Dot) (Allowed)
    - CWE-46:Path Equivalence: 'filename ' (Trailing Space) (Allowed)
    - CWE-49:Path Equivalence: 'filename/' (Trailing Slash) (Allowed)
    - CWE-54:Path Equivalence: 'filedir\' (Trailing Backslash) (Allowed)
    - CWE-163:Improper Neutralization of Multiple Trailing Special Elements (Allowed)
      - CWE-43:Path Equivalence: 'filename....' (Multiple Trailing Dot) (Allowed)
      - CWE-52:Path Equivalence: '/multiple/trailing/slash//' (Allowed)
  - CWE-164:Improper Neutralization of Internal Special Elements (Allowed)
    - CWE-165:Improper Neutralization of Multiple Internal Special Elements (Allowed)
      - CWE-45:Path Equivalence: 'file...name' (Multiple Internal Dot) (Allowed)
      - CWE-53:Path Equivalence: '\multiple\\internal\backslash' (Allowed)
  - CWE-464:Addition of Data Structure Sentinel (Allowed)
  - CWE-790:Improper Filtering of Special Elements (Allowed-with-Review)
    - CWE-791:Incomplete Filtering of Special Elements (Allowed)
      - CWE-792:Incomplete Filtering of One or More Instances of Special Elements (Allowed)
        
        CWE-793:Only Filtering One Instance of a Special Element (Allowed)
        
        CWE-794:Incomplete Filtering of Multiple Instances of Special Elements (Allowed)
      - CWE-795:Only Filtering Special Elements at a Specified Location (Allowed)
        
        CWE-796:Only Filtering Special Elements Relative to a Marker (Allowed)
        
        CWE-797:Only Filtering Special Elements at an Absolute Position (Allowed)
- CWE-170:Improper Null Termination (Allowed)
- CWE-172:Encoding Error (Allowed-with-Review)
  - CWE-173:Improper Handling of Alternate Encoding (Allowed)
  - CWE-174:Double Decoding of the Same Data (Allowed)
  - CWE-175:Improper Handling of Mixed Encoding (Allowed)
  - CWE-176:Improper Handling of Unicode Encoding (Allowed)
  - CWE-177:Improper Handling of URL Encoding (Hex Encoding) (Allowed)
- CWE-182:Collapse of Data into Unsafe Value (Allowed)
- CWE-228:Improper Handling of Syntactically Invalid Structure (Allowed-with-Review)
  - CWE-166:Improper Handling of Missing Special Element (Allowed)
  - CWE-167:Improper Handling of Additional Special Element (Allowed)
  - CWE-168:Improper Handling of Inconsistent Special Elements (Allowed)
  - CWE-229:Improper Handling of Values (Allowed)
    - CWE-230:Improper Handling of Missing Values (Allowed)
    - CWE-231:Improper Handling of Extra Values (Allowed)
    - CWE-232:Improper Handling of Undefined Values (Allowed)
  - CWE-233:Improper Handling of Parameters (Allowed)
    - CWE-234:Failure to Handle Missing Parameter (Discouraged)
    - CWE-235:Improper Handling of Extra Parameters (Allowed)
    - CWE-236:Improper Handling of Undefined Parameters (Allowed)
  - CWE-237:Improper Handling of Structural Elements (Allowed)
    - CWE-238:Improper Handling of Incomplete Structural Elements (Allowed)
    - CWE-239:Failure to Handle Incomplete Element (Allowed)
    - CWE-240:Improper Handling of Inconsistent Structural Elements (Allowed)
      - CWE-130:Improper Handling of Length Parameter Inconsistency (Allowed)
  - CWE-241:Improper Handling of Unexpected Data Type (Allowed)
- CWE-240:Improper Handling of Inconsistent Structural Elements (Allowed)
  - CWE-130:Improper Handling of Length Parameter Inconsistency (Allowed)
- CWE-463:Deletion of Data Structure Sentinel (Allowed)
- CWE-1426:Improper Validation of Generative AI Output (Discouraged)
CWE-710:Improper Adherence to Coding Standards (Discouraged)
- CWE-476:NULL Pointer Dereference (Allowed)
- CWE-477:Use of Obsolete Function (Allowed)
- CWE-484:Omitted Break Statement in Switch (Allowed)
- CWE-489:Active Debug Code (Allowed)
  - CWE-11:ASP.NET Misconfiguration: Creating Debug Binary (Allowed)
- CWE-570:Expression is Always False (Allowed)
- CWE-571:Expression is Always True (Allowed)
- CWE-573:Improper Following of Specification by Caller (Allowed-with-Review)
  - CWE-103:Struts: Incomplete validate() Method Definition (Allowed)
  - CWE-104:Struts: Form Bean Does Not Extend Validation Class (Allowed)
  - CWE-243:Creation of chroot Jail Without Changing Working Directory (Allowed)
  - CWE-253:Incorrect Check of Function Return Value (Allowed)
  - CWE-296:Improper Following of a Certificate's Chain of Trust (Allowed)
  - CWE-304:Missing Critical Step in Authentication (Allowed)
  - CWE-325:Missing Cryptographic Step (Allowed)
  - CWE-329:Generation of Predictable IV with CBC Mode (Allowed)
  - CWE-358:Improperly Implemented Security Check for Standard (Allowed)
  - CWE-475:Undefined Behavior for Input to API (Allowed)
  - CWE-568:finalize() Method Without super.finalize() (Allowed)
  - CWE-577:EJB Bad Practices: Use of Sockets (Allowed)
  - CWE-578:EJB Bad Practices: Use of Class Loader (Allowed)
  - CWE-579:J2EE Bad Practices: Non-serializable Object Stored in Session (Allowed)
  - CWE-580:clone() Method Without super.clone() (Allowed)
  - CWE-581:Object Model Violation: Just One of Equals and Hashcode Defined (Allowed)
  - CWE-628:Function Call with Incorrectly Specified Arguments (Allowed)
    - CWE-683:Function Call With Incorrect Order of Arguments (Allowed)
    - CWE-685:Function Call With Incorrect Number of Arguments (Allowed)
    - CWE-686:Function Call With Incorrect Argument Type (Allowed)
    - CWE-687:Function Call With Incorrectly Specified Argument Value (Allowed)
      - CWE-560:Use of umask() with chmod-style Argument (Allowed)
    - CWE-688:Function Call With Incorrect Variable or Reference as Argument (Allowed)
  - CWE-675:Multiple Operations on Resource in Single-Operation Context (Allowed-with-Review)
    - CWE-174:Double Decoding of the Same Data (Allowed)
    - CWE-605:Multiple Binds to the Same Port (Allowed)
    - CWE-764:Multiple Locks of a Critical Resource (Allowed)
    - CWE-765:Multiple Unlocks of a Critical Resource (Allowed)
    - CWE-1341:Multiple Releases of Same Resource or Handle (Allowed)
      - CWE-415:Double Free (Allowed)
  - CWE-694:Use of Multiple Resources with Duplicate Identifier (Allowed)
    - CWE-102:Struts: Duplicate Validation Forms (Allowed)
    - CWE-462:Duplicate Key in Associative List (Alist) (Allowed)
  - CWE-695:Use of Low-Level Functionality (Allowed)
    - CWE-111:Direct Use of Unsafe JNI (Allowed)
    - CWE-245:J2EE Bad Practices: Direct Management of Connections (Allowed)
    - CWE-246:J2EE Bad Practices: Direct Use of Sockets (Allowed)
    - CWE-383:J2EE Bad Practices: Direct Use of Threads (Allowed)
    - CWE-574:EJB Bad Practices: Use of Synchronization Primitives (Allowed)
    - CWE-575:EJB Bad Practices: Use of AWT Swing (Allowed)
    - CWE-576:EJB Bad Practices: Use of Java I/O (Allowed)
- CWE-657:Violation of Secure Design Principles (Discouraged)
  - CWE-250:Execution with Unnecessary Privileges (Allowed)
  - CWE-636:Not Failing Securely ('Failing Open') (Allowed-with-Review)
    - CWE-455:Non-exit on Failed Initialization (Allowed)
  - CWE-637:Unnecessary Complexity in Protection Mechanism (Not Using 'Economy of Mechanism') (Allowed-with-Review)
  - CWE-638:Not Using Complete Mediation (Allowed-with-Review)
    - CWE-424:Improper Protection of Alternate Path (Allowed-with-Review)
      - CWE-425:Direct Request ('Forced Browsing') (Allowed)
  - CWE-653:Improper Isolation or Compartmentalization (Allowed)
    - CWE-1189:Improper Isolation of Shared Resources on System-on-a-Chip (SoC) (Allowed)
      - CWE-1303:Non-Transparent Sharing of Microarchitectural Resources (Allowed)
    - CWE-1331:Improper Isolation of Shared Resources in Network On Chip (NoC) (Allowed)
  - CWE-654:Reliance on a Single Factor in a Security Decision (Allowed)
    - CWE-308:Use of Single-factor Authentication (Allowed)
    - CWE-309:Use of Password System for Primary Authentication (Allowed)
  - CWE-655:Insufficient Psychological Acceptability (Allowed-with-Review)
  - CWE-656:Reliance on Security Through Obscurity (Allowed-with-Review)
  - CWE-671:Lack of Administrator Control over Security (Allowed-with-Review)
    - CWE-447:Unimplemented or Unsupported Feature in UI (Allowed)
    - CWE-798:Use of Hard-coded Credentials (Allowed-with-Review)
      - CWE-259:Use of Hard-coded Password (Allowed)
      - CWE-321:Use of Hard-coded Cryptographic Key (Allowed)
  - CWE-1192:Improper Identifier for IP Block used in System-On-Chip (SOC) (Allowed)
  - CWE-1395:Dependency on Vulnerable Third-Party Component (Allowed-with-Review)
- CWE-684:Incorrect Provision of Specified Functionality (Allowed-with-Review)
  - CWE-392:Missing Report of Error Condition (Allowed)
  - CWE-393:Return of Wrong Status Code (Allowed)
  - CWE-440:Expected Behavior Violation (Allowed)
    - CWE-1434:Insecure Setting of Generative AI/ML Model Inference Parameters (Allowed)
  - CWE-446:UI Discrepancy for Security Feature (Allowed-with-Review)
    - CWE-447:Unimplemented or Unsupported Feature in UI (Allowed)
    - CWE-448:Obsolete Feature in UI (Allowed)
    - CWE-449:The UI Performs the Wrong Action (Allowed)
  - CWE-451:User Interface (UI) Misrepresentation of Critical Information (Allowed-with-Review)
    - CWE-1007:Insufficient Visual Distinction of Homoglyphs Presented to User (Allowed)
    - CWE-1021:Improper Restriction of Rendered UI Layers or Frames (Allowed)
  - CWE-912:Hidden Functionality (Allowed-with-Review)
    - CWE-506:Embedded Malicious Code (Allowed-with-Review)
      - CWE-507:Trojan Horse (Allowed)
        
        CWE-508:Non-Replicating Malicious Code (Allowed)
        
        CWE-509:Replicating Malicious Code (Virus or Worm) (Allowed)
      - CWE-510:Trapdoor (Allowed)
      - CWE-511:Logic/Time Bomb (Allowed)
      - CWE-512:Spyware (Allowed)
    - CWE-1242:Inclusion of Undocumented Features or Chicken Bits (Allowed)
  - CWE-1245:Improper Finite State Machines (FSMs) in Hardware Logic (Allowed)
- CWE-758:Reliance on Undefined, Unspecified, or Implementation-Defined Behavior (Allowed-with-Review)
  - CWE-474:Use of Function with Inconsistent Implementations (Allowed)
    - CWE-589:Call to Non-ubiquitous API (Allowed)
  - CWE-562:Return of Stack Variable Address (Allowed)
  - CWE-587:Assignment of a Fixed Address to a Pointer (Allowed)
  - CWE-588:Attempt to Access Child of a Non-structure Pointer (Allowed)
  - CWE-1038:Insecure Automated Optimizations (Allowed-with-Review)
    - CWE-733:Compiler Optimization Removal or Modification of Security-critical Code (Allowed)
      - CWE-14:Compiler Removal of Code to Clear Buffers (Allowed)
    - CWE-1037:Processor Optimization Removal or Modification of Security-critical Code (Allowed)
  - CWE-1102:Reliance on Machine-Dependent Data Representation (Allowed)
  - CWE-1103:Use of Platform-Dependent Third Party Components (Prohibited)
  - CWE-1105:Insufficient Encapsulation of Machine-Dependent Functionality (Prohibited)
    - CWE-188:Reliance on Data/Memory Layout (Allowed)
      - CWE-198:Use of Incorrect Byte Ordering (Allowed)
- CWE-1041:Use of Redundant Code (Prohibited)
- CWE-1044:Architecture with Number of Horizontal Layers Outside of Expected Range (Prohibited)
- CWE-1048:Invokable Control Element with Large Number of Outward Calls (Prohibited)
- CWE-1059:Insufficient Technical Documentation (Prohibited)
  - CWE-1053:Missing Documentation for Design (Prohibited)
  - CWE-1110:Incomplete Design Documentation (Prohibited)
  - CWE-1111:Incomplete I/O Documentation (Prohibited)
  - CWE-1112:Incomplete Documentation of Program Execution (Prohibited)
  - CWE-1118:Insufficient Documentation of Error Handling Techniques (Prohibited)
- CWE-1061:Insufficient Encapsulation (Allowed-with-Review)
  - CWE-766:Critical Data Element Declared Public (Allowed)
  - CWE-1054:Invocation of a Control Element at an Unnecessarily Deep Horizontal Layer (Prohibited)
  - CWE-1057:Data Access Operations Outside of Expected Data Manager Component (Prohibited)
  - CWE-1062:Parent Class with References to Child Class (Prohibited)
  - CWE-1083:Data Access from Outside Expected Data Manager Component (Prohibited)
  - CWE-1090:Method Containing Access of a Member Element from Another Class (Prohibited)
  - CWE-1100:Insufficient Isolation of System-Dependent Functions (Allowed)
  - CWE-1105:Insufficient Encapsulation of Machine-Dependent Functionality (Prohibited)
    - CWE-188:Reliance on Data/Memory Layout (Allowed)
      - CWE-198:Use of Incorrect Byte Ordering (Allowed)
- CWE-1065:Runtime Resource Management Control Element in a Component Built to Run on Application Servers (Prohibited)
- CWE-1066:Missing Serialization Control Element (Prohibited)
- CWE-1068:Inconsistency Between Implementation and Documented Design (Prohibited)
- CWE-1076:Insufficient Adherence to Expected Conventions (Prohibited)
  - CWE-586:Explicit Call to Finalize() (Allowed)
  - CWE-594:J2EE Framework: Saving Unserializable Objects to Disk (Allowed)
  - CWE-1045:Parent Class with a Virtual Destructor and a Child Class without a Virtual Destructor (Allowed)
  - CWE-1070:Serializable Data Element Containing non-Serializable Item Elements (Prohibited)
  - CWE-1078:Inappropriate Source Code Style or Formatting (Prohibited)
    - CWE-546:Suspicious Comment (Allowed)
    - CWE-547:Use of Hard-coded, Security-relevant Constants (Allowed)
    - CWE-1085:Invokable Control Element with Excessive Volume of Commented-out Code (Prohibited)
    - CWE-1099:Inconsistent Naming Conventions for Identifiers (Prohibited)
    - CWE-1106:Insufficient Use of Symbolic Constants (Prohibited)
    - CWE-1107:Insufficient Isolation of Symbolic Constant Definitions (Prohibited)
    - CWE-1109:Use of Same Variable for Multiple Purposes (Prohibited)
    - CWE-1113:Inappropriate Comment Style (Prohibited)
    - CWE-1114:Inappropriate Whitespace Style (Prohibited)
    - CWE-1115:Source Code Element without Standard Prologue (Prohibited)
    - CWE-1116:Inaccurate Source Code Comments (Allowed)
    - CWE-1117:Callable with Insufficient Behavioral Summary (Prohibited)
  - CWE-1079:Parent Class without Virtual Destructor Method (Allowed)
  - CWE-1082:Class Instance Self Destruction Control Element (Prohibited)
  - CWE-1087:Class with Virtual Method without a Virtual Destructor (Allowed)
  - CWE-1091:Use of Object without Invoking Destructor Method (Allowed)
  - CWE-1097:Persistent Storable Data Element without Associated Comparison Control Element (Prohibited)
  - CWE-1098:Data Element containing Pointer Item without Proper Copy Control Element (Allowed)
  - CWE-1108:Excessive Reliance on Global Variables (Allowed)
- CWE-1092:Use of Same Invokable Control Element in Multiple Architectural Layers (Prohibited)
- CWE-1093:Excessively Complex Data Representation (Allowed-with-Review)
  - CWE-1043:Data Element Aggregating an Excessively Large Number of Non-Primitive Elements (Prohibited)
  - CWE-1055:Multiple Inheritance from Concrete Classes (Prohibited)
  - CWE-1074:Class with Excessively Deep Inheritance (Prohibited)
  - CWE-1086:Class with Excessive Number of Child Classes (Prohibited)
- CWE-1101:Reliance on Runtime Component in Generated Code (Prohibited)
- CWE-1120:Excessive Code Complexity (Allowed-with-Review)
  - CWE-1047:Modules with Circular Dependencies (Prohibited)
  - CWE-1056:Invokable Control Element with Variadic Parameters (Prohibited)
  - CWE-1060:Excessive Number of Inefficient Server-Side Data Accesses (Prohibited)
  - CWE-1064:Invokable Control Element with Signature Containing an Excessive Number of Parameters (Prohibited)
  - CWE-1075:Unconditional Control Flow Transfer outside of Switch Block (Allowed)
  - CWE-1080:Source Code File with Excessive Number of Lines of Code (Prohibited)
  - CWE-1095:Loop Condition Value Update within the Loop (Prohibited)
  - CWE-1119:Excessive Use of Unconditional Branching (Prohibited)
  - CWE-1121:Excessive McCabe Cyclomatic Complexity (Prohibited)
  - CWE-1122:Excessive Halstead Complexity (Prohibited)
  - CWE-1123:Excessive Use of Self-Modifying Code (Allowed)
  - CWE-1124:Excessively Deep Nesting (Prohibited)
  - CWE-1125:Excessive Attack Surface (Prohibited)
- CWE-1126:Declaration of Variable with Unnecessarily Wide Scope (Allowed)
- CWE-1127:Compilation with Insufficient Warnings or Errors (Allowed)
- CWE-1164:Irrelevant Code (Allowed-with-Review)
  - CWE-107:Struts: Unused Validation Form (Allowed)
  - CWE-110:Struts: Validator Without Form Field (Allowed)
  - CWE-561:Dead Code (Allowed)
  - CWE-563:Assignment to Variable without Use (Allowed)
  - CWE-1071:Empty Code Block (Allowed)
    - CWE-585:Empty Synchronized Block (Allowed)
    - CWE-1069:Empty Exception Block (Prohibited)
- CWE-1177:Use of Prohibited Code (Allowed-with-Review)
  - CWE-242:Use of Inherently Dangerous Function (Allowed)
  - CWE-676:Use of Potentially Dangerous Function (Allowed)
    - CWE-785:Use of Path Manipulation Function without Maximum-sized Buffer (Allowed)
- CWE-1209:Failure to Disable Reserved Bits (Allowed)
- CWE-1357:Reliance on Insufficiently Trustworthy Component (Allowed-with-Review)
  - CWE-1104:Use of Unmaintained Third Party Components (Allowed)
  - CWE-1329:Reliance on Component That is Not Updateable (Allowed)
    - CWE-1277:Firmware Not Updateable (Allowed)
    - CWE-1310:Missing Ability to Patch ROM Code (Allowed)

CWE-769:DEPRECATED: Uncontrolled File Descriptor Consumption (Prohibited)

CWE-1187:DEPRECATED: Use of Uninitialized Resource (Prohibited)

CWE-1324:DEPRECATED: Sensitive Information Accessible by Physical Probing of JTAG Interface (Prohibited)