The source code contains comments that do not accurately describe or explain aspects of the portion of the code with which the comment is associated.
When a comment does not accurately reflect the associated code elements, this can introduce confusion to a reviewer (due to inconsistencies) or make it more difficult and less efficient to validate that the code is implementing the intended behavior correctly.
This issue makes it more difficult to maintain the product, which indirectly affects security by making it more difficult or time-consuming to find and/or fix vulnerabilities. It also might make it easier to introduce vulnerabilities.
The following examples help to illustrate the nature of this weakness and describe methods or techniques which can be used to mitigate the risk.
Note that the examples here are by no means exhaustive and any given weakness may have many subtle varieties, each of which may require different detection methods or runtime controls.
In the following Java example the code performs a calculation to determine how much medicine to administer. A comment is provided to give insight into what the calculation shoud be doing. Unfortunately the comment does not match the actual code and thus leaves the reader to wonder which is correct.
In the correction below, the code functionality has been verified, and the comment has been corrected to reflect the proper calculation.
Note that in real-world code, these values should be validated to disallow negative numbers, prevent integer overflow, etc.
Weaknesses in this category are related to poor coding practices.
Weaknesses in this category are related to coding practices that are deemed unsafe and increase the chances that an exploitable vulnerability will be present in the ap...
This view (slice) covers all the elements in CWE.
CWE identifiers in this view (slice) are quality issues that only indirectly make it easier to introduce a vulnerability and/or make the vulnerability more difficult t...
This view (slice) displays only weakness base elements.