CISQ Quality Measures (2016) - Reliability

A category in the Common Weakness Enumeration published by The MITRE Corporation.


Categories in the Common Weakness Enumeration (CWE) group entries based on some common characteristic or attribute.

Weaknesses in this category are related to the CISQ Quality Measures for Reliability, as documented in 2016 with the Automated Source Code CISQ Reliability Measure (ASCRM) Specification 1.0. Presence of these weaknesses could reduce the reliability of the software.


Access of Memory Location After End of Buffer

The product reads or writes to a buffer using an index or pointer that references a memory location after the end of the buffer.

Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

The product copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer, leading to a buf...

Class Instance Self Destruction Control Element

The code contains a class instance that calls the method or function to delete or destroy itself.

Class with Virtual Method without a Virtual Destructor

A class contains a virtual method, but the method does not have an associated virtual destructor.

Data Access from Outside Expected Data Manager Component

The product is intended to manage data access through a particular data manager component such as a relational or non-SQL database, but it contains code that performs ...

Data Element containing Pointer Item without Proper Copy Control Element

The code contains a data element with a pointer that does not have an associated copy or constructor method.

Declaration of Catch for Generic Exception

Catching overly broad exceptions promotes complex error handling code that is more likely to contain security vulnerabilities.

Declaration of Throws for Generic Exception

Throwing overly broad exceptions promotes complex error handling code that is more likely to contain security vulnerabilities.

Empty Exception Block

An invokable code block contains an exception handling block that does not contain any code, i.e. is empty.

Floating Point Comparison with Incorrect Operator

The code performs a comparison such as an equality test between two float (floating point) values, but it uses comparison operators that do not account...

Incorrect Type Conversion or Cast

The product does not correctly convert an object, resource, or structure from one type to a different type.

Initialization with Hard-Coded Network Resource Configuration Data

The product initializes data using hard-coded values that act as network resource identifiers.

Invokable Control Element in Multi-Thread Context with non-Final Static Storable or Member Element

The code contains a function or method that operates in a multi-threaded environment but owns an unsafe non-final static storable or member d...

Invokable Control Element with Variadic Parameters

A named-callable or method control element has a signature that supports a variable (variadic) number of parameters or arguments.

Missing Initialization of a Variable

The product does not initialize critical variables, which causes the execution environment to use unexpected values.

Missing Release of Resource after Effective Lifetime

The product does not release a resource after its effective lifetime has ended, i.e., after the resource is no longer needed.

Missing Serialization Control Element

The product contains a serializable data element that does not have an associated serialization method.

Modules with Circular Dependencies

The product contains modules in which one module has references that cycle back to itself, i.e., there are circular dependencies.

Parent Class with a Virtual Destructor and a Child Class without a Virtual Destructor

A parent class has a virtual destructor method, but the parent has a child class that does not have a virtual destructor.

Parent Class with References to Child Class

The code has a parent class that contains references to a child class, its methods, or its members.

Parent Class without Virtual Destructor Method

A parent class contains one or more child classes, but the parent class does not have a virtual destructor method.

Persistent Storable Data Element without Associated Comparison Control Element

The product uses a storable data element that does not have all of the associated functions or methods that are necessary to support comparison.

Runtime Resource Management Control Element in a Component Built to Run on Application Servers

The product uses deployed components from application servers, but it also uses low-level functions/methods for management of resources, instead of the API provided by...

Serializable Data Element Containing non-Serializable Item Elements

The product contains a serializable, storable data element such as a field or member, but the data element contains member elements that are not serializable.

Singleton Class Instance Creation without Proper Locking or Synchronization

The product implements a Singleton design pattern but does not use appropriate locking or other synchronization mechanism to ensure that the singleton class is only in...

Synchronous Access of Remote Resource without Timeout

The code has a synchronous call to a remote resource, but there is no timeout for the call, or the timeout is set to infinite.

Unchecked Return Value

The product does not check the return value from a method or function, which can prevent it from detecting unexpected states and conditions.

Uncontrolled Recursion

The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack.


CISQ Quality Measures (2016)

This view outlines the most important software quality issues as identified by the Consortium for Information & Software Quality (CISQ) Automated Quality Characteristi...

See Also

  1. Automated Source Code Reliability Measure (ASCRM)

    Object Management Group (OMG)

  2. Automated Quality Characteristic Measures

    Consortium for Information & Software Quality (CISQ)

Common Weakness Enumeration content on this website is copyright of The MITRE Corporation unless otherwise specified. Use of the Common Weakness Enumeration and the associated references on this website are subject to the Terms of Use as specified by The MITRE Corporation.