2010 CWE-SANS Top 25 Most Dangerous Software Errors mapped to Klocwork checkers

Each entry gives the rank, the CWE ID and description, and the Klocwork issue codes that cover it, grouped by language, or a note explaining why no checker applies.

Rank 1   CWE-79   Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Java:   SV.XSS.DB, SV.XSS.REF

Rank 2   CWE-89   Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    Java:   SV.SQL, SV.SQL.DBSOURCE, SV.DATA.DB
    C#:     CS.SQL.INJECT.LOCAL

Rank 3   CWE-120  Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
    C/C++:  ABV.GENERAL, ABV.MEMBER, NNTS.TAINTED, SV.STRBO.UNBOUND_COPY,
            SV.STRBO.UNBOUND_SPRINTF, SV.UNBOUND_STRING_INPUT.CIN,
            SV.UNBOUND_STRING_INPUT.FUNC

Rank 4   CWE-352  Cross-Site Request Forgery (CSRF)
    Java:   SV.CSRF.GET, SV.CSRF.ORIGIN, SV.CSRF.TOKEN

Rank 5   CWE-285  Improper Access Control (Authorization)
    No checker. Although static analysis can in principle detect authorization issues, doing so requires scanning of configuration files, which is outside the scope of Klocwork analysis. In general, static analysis tools have difficulty producing a viable checker for custom authorization schemes.

Rank 6   CWE-807  Reliance on Untrusted Inputs in a Security Decision
    C/C++:  SV.TAINTED.SECURITY_DECISION
    Java:   SV.EMAIL, SV.LDAP, SV.TAINT

Rank 7   CWE-22   Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
    C/C++:  SV.DLLPRELOAD.NONABSOLUTE.DLL, SV.DLLPRELOAD.NONABSOLUTE.EXE,
            SV.DLLPRELOAD.SEARCHPATH, SV.TAINTED.PATH_TRAVERSAL
    Java:   SV.PATH, SV.PATH.INJ

Rank 8   CWE-434  Unrestricted Upload of File with Dangerous Type
    No checker. Not statically verifiable; typically associated with PHP or ASP.NET code.

Rank 9   CWE-78   Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
    C/C++:  SV.CODE_INJECTION.SHELL_EXEC, NNTS.TAINTED, SV.TAINTED.INJECTION
    Java:   SV.EXEC, SV.EXEC.DIR, SV.EXEC.ENV, SV.EXEC.LOCAL

Rank 10  CWE-311  Missing Encryption of Sensitive Data
    Java:   SV.SENSITIVE.DATA, SV.SENSITIVE.OBJ

Rank 11  CWE-798  Use of Hard-coded Credentials
    C/C++:  HCC, HCC.PWD, HCC.USER
    Java:   SV.PASSWD.HC

Rank 12  CWE-805  Buffer Access with Incorrect Length Value
    C/C++:  covered by the same checkers listed for CWE-120 (rank 3).

Rank 13  CWE-98   Improper Control of Filename for Include/Require Statement in PHP Program ('PHP File Inclusion')
    No checker. Applies to PHP code, which Klocwork does not analyze.

Rank 14  CWE-129  Improper Validation of Array Index
    C/C++:  SV.TAINTED.ALLOC_SIZE, ABV.TAINTED, SV.TAINTED.CALL.INDEX_ACCESS,
            SV.TAINTED.INDEX_ACCESS
    Java:   SV.DOS.ARRINDEX

Rank 15  CWE-754  Improper Check for Unusual or Exceptional Conditions
    C/C++:  SV.RVT.RETVAL_NOTTESTED

Rank 16  CWE-209  Information Exposure Through an Error Message
    No checker. Not statically verifiable; typically associated with PHP code.

Rank 17  CWE-190  Integer Overflow or Wraparound
    C/C++:  ABV.TAINTED, SV.TAINTED.ALLOC_SIZE, SV.TAINTED.CALL.INDEX_ACCESS,
            SV.TAINTED.INDEX_ACCESS
    Java:   SV.INT_OVF

Rank 18  CWE-131  Incorrect Calculation of Buffer Size
    C/C++:  INCORRECT.ALLOC_SIZE

Rank 19  CWE-306  Missing Authentication for Critical Function
    No checker. As with CWE-285 (rank 5), detecting a missing authentication check statically requires scanning of configuration files, which is outside the scope of Klocwork analysis, and static analysis tools have difficulty producing a viable checker for custom authentication and authorization schemes.

Rank 20  CWE-494  Download of Code Without Integrity Check
    No checker. Not statically verifiable; manual inspection is required.

Rank 21  CWE-732  Incorrect Permission Assignment for Critical Resource
    C#:     CS.NPS
    C/C++:  Checkers such as SV.USAGERULES.PERMISSIONS provide some coverage, but loose permissions on operations and custom permission models typically produce too many warnings from static analysis tools.

Rank 22  CWE-770  Allocation of Resources Without Limits or Throttling
    No checker. Not statically verifiable; manual inspection is required.

Rank 23  CWE-601  URL Redirection to Untrusted Site ('Open Redirect')
    No checker. Manual inspection is required to determine whether untrusted input can influence the beginning of the redirect URL.

Rank 24  CWE-327  Use of a Broken or Risky Cryptographic Algorithm
    C/C++:  SV.WEAK_CRYPTO.WEAK_HASH, RCA
    Java:   SV.WEAK.CRYPT
    C#:     CS.RCA

Rank 25  CWE-362  Race Condition
    C/C++:  SV.TOCTOU.FILE_ACCESS
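The C/C++ entries for CWE-120 (rank 3) and CWE-805 (rank 12) list the SV.STRBO.* checkers, which report copies whose length is dictated by the input rather than by the destination. The following is an added example, not Klocwork code and not code from this documentation: the flagged pattern beside a bounded replacement. NAME_MAX_LEN, struct user_record and the sample names are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define NAME_MAX_LEN 16               /* constructed: room for 15 chars + NUL */

struct user_record {
    char name[NAME_MAX_LEN];
    char greeting[32];
};

/* VULNERABLE (CWE-120): strcpy() and sprintf() write as many bytes as the
 * untrusted input dictates. A name of 16 or more bytes overruns 'name' into
 * 'greeting' and past the end of the struct. Kept only to show the pattern
 * the SV.STRBO.* checkers report; never call it on attacker-controlled input. */
void fill_record_unbounded(struct user_record *r, const char *untrusted_name)
{
    strcpy(r->name, untrusted_name);                      /* SV.STRBO.UNBOUND_COPY */
    sprintf(r->greeting, "Hello, %s!", untrusted_name);  /* SV.STRBO.UNBOUND_SPRINTF */
}

/* HARDENED (also addresses CWE-805): every write is bounded by the size of
 * its destination, and over-long input is rejected rather than silently
 * truncated. Returns 0 on success, -1 if the name does not fit. */
int fill_record_bounded(struct user_record *r, const char *untrusted_name)
{
    /* memchr() scans at most NAME_MAX_LEN bytes, so the scan is bounded by
     * the destination size instead of by whatever the input contains. */
    const char *nul = memchr(untrusted_name, '\0', NAME_MAX_LEN);
    if (nul == NULL)                 /* no terminator within 16 bytes: too long */
        return -1;
    size_t len = (size_t)(nul - untrusted_name);
    memcpy(r->name, untrusted_name, len + 1);   /* includes the NUL */

    /* snprintf() bounds the write and returns the length the full output
     * would have had; a value >= the buffer size means it was truncated. */
    int n = snprintf(r->greeting, sizeof r->greeting, "Hello, %s!", r->name);
    if (n < 0 || (size_t)n >= sizeof r->greeting)
        return -1;
    return 0;
}

/* Test helper: is a name made of 'len' 'A' bytes accepted? 1 = yes, 0 = no. */
int accepts_name_of_length(size_t len)
{
    char buf[64];                    /* constructed input buffer */
    struct user_record r;
    if (len >= sizeof buf)
        return 0;
    memset(buf, 'A', len);
    buf[len] = '\0';
    return fill_record_bounded(&r, buf) == 0;
}

/* Runs the happy path and returns 1 if the record came out as expected. */
int demo_bounded_copy(void)
{
    struct user_record r;
    if (fill_record_bounded(&r, "alice") != 0)
        return 0;
    return strcmp(r.name, "alice") == 0 &&
           strcmp(r.greeting, "Hello, alice!") == 0;
}

int main(void)
{
    printf("15-byte name accepted: %d\n", accepts_name_of_length(15));  /* 1 */
    printf("16-byte name accepted: %d\n", accepts_name_of_length(16));  /* 0 */
    printf("happy path ok: %d\n", demo_bounded_copy());                   /* 1 */
    return 0;
}
```

Rejecting over-long input, rather than truncating it, is the choice a practitioner usually wants at a trust boundary: a silently shortened user name or file name can still be abused downstream, whereas a rejected one is a visible, loggable event.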
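INCORRECT.ALLOC_SIZE, SV.TAINTED.ALLOC_SIZE and SV.TAINTED.INDEX_ACCESS (ranks 14, 17 and 18) all concern arithmetic on a value the attacker controls: an allocation size that wraps, or an index checked against only one bound. The following is an added example, not Klocwork code: both patterns beside their checked versions. MAX_TABLE_ENTRIES is a hypothetical policy cap and the table contents are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX_TABLE_ENTRIES 4096u   /* hypothetical policy cap, not a Klocwork setting */

/* Returns 1 if count * sizeof(uint32_t) would wrap around SIZE_MAX, else 0.
 * This is the arithmetic INCORRECT.ALLOC_SIZE / SV.TAINTED.ALLOC_SIZE examine. */
int table_bytes_overflows(size_t count)
{
    return count > SIZE_MAX / sizeof(uint32_t);
}

/* VULNERABLE (CWE-190 leading to CWE-131): for a large untrusted 'count' the
 * product wraps, malloc() returns a small block, and the caller's loop over
 * 'count' entries writes far past it. */
uint32_t *alloc_table_unchecked(size_t count)
{
    return malloc(count * sizeof(uint32_t));          /* SV.TAINTED.ALLOC_SIZE */
}

/* HARDENED: reject zero, reject a count above the policy cap (so one untrusted
 * number cannot dictate memory use), and reject a wrapping product explicitly
 * even though the cap already excludes it, so the check survives if the cap is
 * raised later. calloc() zero-fills and checks the product itself as well. */
uint32_t *alloc_table_checked(size_t count)
{
    if (count == 0 || count > MAX_TABLE_ENTRIES)
        return NULL;
    if (table_bytes_overflows(count))
        return NULL;
    return calloc(count, sizeof(uint32_t));
}

/* VULNERABLE (CWE-129): a signed index compared only against the upper bound.
 * A negative value passes the test and reads before the table, and a huge
 * 'count' converted to int can go negative and disable the check entirely. */
uint32_t lookup_unchecked(const uint32_t *table, size_t count, int index)
{
    if (index < (int)count)                          /* SV.TAINTED.INDEX_ACCESS */
        return table[index];
    return 0;
}

/* HARDENED: check both bounds, and compare in an unsigned type only after the
 * sign has been handled. Returns 0 and stores the value, or -1 if out of range. */
int lookup_checked(const uint32_t *table, size_t count, long index, uint32_t *out)
{
    if (index < 0 || (unsigned long)index >= count)
        return -1;
    *out = table[index];
    return 0;
}

/* Exercises the checked lookup on a constructed table. Returns 1 if every
 * expectation holds. */
int demo_index_checks(void)
{
    const uint32_t table[] = { 10, 20, 30, 40 };      /* constructed data */
    size_t count = sizeof table / sizeof table[0];
    uint32_t v = 0;
    if (lookup_checked(table, count, -1, &v) != -1) return 0;      /* below range */
    if (lookup_checked(table, count, 4, &v) != -1) return 0;       /* one past end */
    if (lookup_checked(table, count, 2, &v) != 0 || v != 30) return 0;
    return 1;
}

/* Allocates a small table the checked way and frees it. Returns 1 on success. */
int demo_table_alloc(void)
{
    uint32_t *t = alloc_table_checked(8);
    if (t == NULL) return 0;
    t[7] = 1;                       /* within the 8 entries requested */
    free(t);
    return 1;
}

int main(void)
{
    printf("SIZE_MAX/2 entries overflow: %d\n", table_bytes_overflows(SIZE_MAX / 2)); /* 1 */
    printf("index checks ok: %d\n", demo_index_checks());                              /* 1 */
    printf("alloc ok: %d\n", demo_table_alloc());                                      /* 1 */
    return 0;
}
```

The cap matters as much as the overflow test: a product that does not wrap can still be a multi-gigabyte request driven by a single untrusted integer, which is the CWE-770 case the table marks as not statically verifiable.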
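SV.TAINTED.PATH_TRAVERSAL (rank 7) reports a path built from untrusted input without confining it to the intended directory. The following is an added example, not Klocwork code: the unchecked join beside a validator that restricts the value to a single file name under a base directory. BASE_DIR and the sample names are constructed.

```c
#include <stdio.h>
#include <string.h>

#define BASE_DIR "/var/app/uploads"  /* constructed: files must stay under here */

/* Joins one name onto BASE_DIR. Called directly on untrusted input this is the
 * CWE-22 pattern SV.TAINTED.PATH_TRAVERSAL reports: "../../etc/passwd" walks
 * straight out of BASE_DIR. Returns 0, or -1 if the result does not fit. */
int join_under_base(char *out, size_t outsz, const char *name)
{
    int n = snprintf(out, outsz, "%s/%s", BASE_DIR, name);
    return (n < 0 || (size_t)n >= outsz) ? -1 : 0;
}

/* Accepts only a plain file name that cannot change directory: non-empty,
 * at most 255 bytes, not "." or "..", and free of '/', '\\' and control
 * characters. Returns 1 if safe, 0 otherwise. */
int is_safe_component(const char *name)
{
    size_t len = strlen(name);
    if (len == 0 || len > 255)
        return 0;
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (c == '/' || c == '\\' || c < 0x20 || c == 0x7f)
            return 0;
    }
    return 1;
}

/* HARDENED: validate before the join, so the untrusted value can only ever
 * name a direct child of BASE_DIR. */
int build_path_checked(char *out, size_t outsz, const char *untrusted_name)
{
    if (!is_safe_component(untrusted_name))
        return -1;
    return join_under_base(out, outsz, untrusted_name);
}

/* Runs both paths on constructed names. Returns 1 if all expectations hold. */
int demo_path_checks(void)
{
    char path[256];

    /* The unchecked join produces an escape without complaint. */
    if (join_under_base(path, sizeof path, "../../etc/passwd") != 0) return 0;
    if (strcmp(path, "/var/app/uploads/../../etc/passwd") != 0) return 0;

    /* The checked version refuses that and every other way out. */
    if (build_path_checked(path, sizeof path, "../../etc/passwd") != -1) return 0;
    if (build_path_checked(path, sizeof path, "/etc/passwd") != -1) return 0;
    if (build_path_checked(path, sizeof path, "sub/report.pdf") != -1) return 0;

    /* A plain name is accepted and lands under BASE_DIR. */
    if (build_path_checked(path, sizeof path, "report.pdf") != 0) return 0;
    return strcmp(path, "/var/app/uploads/report.pdf") == 0;
}

int main(void)
{
    printf("path checks ok: %d\n", demo_path_checks());   /* 1 */
    return 0;
}
```

A purely lexical check like this is sound only because the input is required to be a single component. If subdirectories must be allowed, canonicalize the joined path with realpath() and verify that the result still starts with the canonical base directory, bearing in mind that a symlink already inside the base can point outside it.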
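SV.TOCTOU.FILE_ACCESS (rank 25) reports a check on a path name followed by a use of the same name, the window in which the file behind that name can be swapped. The following is an added example, not Klocwork code: the check-then-use pattern beside a version that validates the descriptor it actually opened. The scratch file and symlink names are constructed.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L      /* for O_NOFOLLOW, O_CLOEXEC, mkstemp, symlink */
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* VULNERABLE (CWE-362): the check runs on the path name, the use runs on the
 * path name again later. Between the two, anyone who can write the directory
 * can replace the file with a symlink to something the check never saw. */
int open_after_check(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0 || !S_ISREG(st.st_mode))   /* check ... */
        return -1;
    return open(path, O_RDONLY);                         /* ... then use: SV.TOCTOU.FILE_ACCESS */
}

/* HARDENED: open first, refusing to follow a symlink at the final component,
 * then check the object actually opened via fstat() on the descriptor, which
 * cannot be swapped underneath us. Returns a descriptor or -1. */
int open_regular_nofollow(const char *path)
{
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Creates a scratch regular file plus a symlink to it (constructed names under
 * /tmp, falling back to the working directory) and checks that the hardened
 * open accepts the file, refuses the symlink and refuses a directory.
 * Returns 1 if all three hold. */
int demo_safe_open(void)
{
    char file[] = "/tmp/toctou_demo_XXXXXX";
    int tfd = mkstemp(file);
    if (tfd < 0) {
        strcpy(file, "./toctou_demo_XXXXXX");
        tfd = mkstemp(file);
        if (tfd < 0)
            return 0;
    }
    close(tfd);

    char link[64];
    snprintf(link, sizeof link, "%s.lnk", file);
    int have_link = symlink(file, link) == 0;

    int ok = 1;
    int fd = open_regular_nofollow(file);
    if (fd < 0) ok = 0; else close(fd);                  /* regular file: accepted */

    if (open_regular_nofollow(link) != -1) ok = 0;       /* symlink: refused (ELOOP) */
    if (open_regular_nofollow("/") != -1) ok = 0;        /* directory: refused */

    if (have_link) unlink(link);
    unlink(file);
    return ok;
}

int main(void)
{
    printf("safe open checks ok: %d\n", demo_safe_open());   /* 1 */
    return 0;
}
```

O_NOFOLLOW only protects the final component; if earlier directories in the path are attacker-writable, walk them with openat() from a trusted directory descriptor, and extend the fstat() check to ownership (st_uid) where the policy depends on who owns the file.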