Détail du CWE-482

CWE-482

Comparing instead of Assigning
Bas
Draft
2006-07-19
00h00 +00:00
2023-06-29
00h00 +00:00
Notifications pour un CWE
Restez informé de toutes modifications pour un CWE spécifique.
Gestion des notifications

Nom: Comparing instead of Assigning

The code uses an operator for comparison when the intention was to perform an assignment.

Description du CWE

In many languages, the compare statement is very close in appearance to the assignment statement; they are often confused.

Informations générales

Modes d'introduction

Implementation : This bug primarily originates from a typo.

Plateformes applicables

Langue

Name: C (Undetermined)
Name: C++ (Undetermined)

Conséquences courantes

Portée Impact Probabilité
Availability
Integrity
Unexpected State

Note: The assignment will not take place, which should cause obvious program execution problems.

Mesures d’atténuation potentielles

Phases : Testing
Many IDEs and static analysis products will detect this problem.

Méthodes de détection

Automated Static Analysis

Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
Efficacité : High

Notes de cartographie des vulnérabilités

Justification : This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.
Commentaire : Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.

Références

REF-18

The CLASP Application Security Process
Secure Software, Inc..
https://cwe.mitre.org/documents/sources/TheCLASPApplicationSecurityProcess.pdf

REF-62

The Art of Software Security Assessment
Mark Dowd, John McDonald, Justin Schuh.

Soumission

Nom Organisation Date Date de publication Version
CLASP 2006-07-19 +00:00 2006-07-19 +00:00 Draft 3

Modifications

Nom Organisation Date Commentaire
Eric Dalci Cigital 2008-07-01 +00:00 updated Time_of_Introduction
CWE Content Team MITRE 2008-09-08 +00:00 updated Applicable_Platforms, Description, Relationships, Other_Notes, Taxonomy_Mappings
CWE Content Team MITRE 2008-11-24 +00:00 updated Relationships, Taxonomy_Mappings
CWE Content Team MITRE 2009-07-27 +00:00 updated Common_Consequences, Modes_of_Introduction
CWE Content Team MITRE 2009-10-29 +00:00 updated Other_Notes
CWE Content Team MITRE 2011-06-01 +00:00 updated Common_Consequences
CWE Content Team MITRE 2011-06-27 +00:00 updated Common_Consequences
CWE Content Team MITRE 2011-09-13 +00:00 updated Relationships, Taxonomy_Mappings
CWE Content Team MITRE 2012-05-11 +00:00 updated References, Relationships
CWE Content Team MITRE 2012-10-30 +00:00 updated Demonstrative_Examples, Potential_Mitigations
CWE Content Team MITRE 2014-07-30 +00:00 updated Taxonomy_Mappings
CWE Content Team MITRE 2017-01-19 +00:00 updated Relationships
CWE Content Team MITRE 2017-11-08 +00:00 updated Demonstrative_Examples, Taxonomy_Mappings
CWE Content Team MITRE 2020-02-24 +00:00 updated References, Relationships
CWE Content Team MITRE 2023-04-27 +00:00 updated Detection_Factors, Relationships
CWE Content Team MITRE 2023-06-29 +00:00 updated Mapping_Notes