CWE-561
Notifications pour un CWE
Restez informé de toutes modifications pour un CWE spécifique.
Nom: Dead Code
The product contains dead code, which can never be executed.
Description du CWE
Dead code is code that can never be executed in a running program. The surrounding code makes it impossible for a section of code to ever be executed.
Informations générales
Modes d'introduction
ImplementationPlateformes applicables
Langue
Class: Not Language-Specific (Undetermined)Conséquences courantes
| Portée | Impact | Probabilité |
|---|---|---|
| Other | Quality Degradation Note: Dead code that results from code that can never be executed is an indication of problems with the source code that needs to be fixed and is an indication of poor quality. | |
| Other | Reduce Maintainability |
Exemples observés
| Références | Description |
|---|---|
CVE-2014-1266 | chain: incorrect "goto" in Apple SSL product bypasses certificate validation, allowing Adversary-in-the-Middle (AITM) attack (Apple "goto fail" bug). CWE-705 (Incorrect Control Flow Scoping) -> CWE-561 (Dead Code) -> CWE-295 (Improper Certificate Validation) -> CWE-393 (Return of Wrong Status Code) -> CWE-300 (Channel Accessible by Non-Endpoint). |
Mesures d’atténuation potentielles
Phases : ImplementationRemove dead code before deploying the application.
Phases : Testing
Use a static analysis tool to spot dead code.
Méthodes de détection
Architecture or Design Review
According to SOAR [REF-1479], the following detection techniques may be useful:
Highly cost effective:
- Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.)
- Formal Methods / Correct-By-Construction
Cost effective for partial coverage:
- Attack Modeling
Efficacité : High
Automated Static Analysis - Binary or Bytecode
According to SOAR [REF-1479], the following detection techniques may be useful:
Highly cost effective:
- Binary / Bytecode Quality Analysis
- Compare binary / bytecode to application permission manifest
Efficacité : High
Dynamic Analysis with Manual Results Interpretation
According to SOAR [REF-1479], the following detection techniques may be useful:
Cost effective for partial coverage:
- Automated Monitored Execution
Efficacité : SOAR Partial
Automated Static Analysis
According to SOAR [REF-1479], the following detection techniques may be useful:
Cost effective for partial coverage:
- Permission Manifest Analysis
Efficacité : SOAR Partial
Automated Static Analysis - Source Code
According to SOAR [REF-1479], the following detection techniques may be useful:
Highly cost effective:
- Source Code Quality Analyzer
Cost effective for partial coverage:
- Warning Flags
- Source code Weakness Analyzer
- Context-configured Source Code Weakness Analyzer
Efficacité : High
Dynamic Analysis with Automated Results Interpretation
According to SOAR [REF-1479], the following detection techniques may be useful:
Cost effective for partial coverage:
- Web Application Scanner
- Web Services Scanner
- Database Scanners
Efficacité : SOAR Partial
Manual Static Analysis - Source Code
According to SOAR [REF-1479], the following detection techniques may be useful:
Highly cost effective:
- Manual Source Code Review (not inspections)
Cost effective for partial coverage:
- Focused Manual Spotcheck - Focused manual analysis of source
Efficacité : High
Notes de cartographie des vulnérabilités
Justification : This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.Commentaire : Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.
Références
REF-960
Automated Source Code Maintainability Measure (ASCMM)Object Management Group (OMG).
https://www.omg.org/spec/ASCMM/
REF-1479
State-of-the-Art Resources (SOAR) for Software Vulnerability Detection, Test, and EvaluationGregory Larsen, E. Kenneth Hong Fong, David A. Wheeler, Rama S. Moorthy.
https://www.ida.org/-/media/feature/publications/s/st/stateoftheart-resources-soar-for-software-vulnerability-detection-test-and-evaluation/p-5061.ashx
Soumission
| Nom | Organisation | Date | Date de publication | Version |
|---|---|---|---|---|
| Anonymous Tool Vendor (under NDA) | Draft 3 |
Modifications
| Nom | Organisation | Date | Commentaire |
|---|---|---|---|
| Eric Dalci | Cigital | updated Potential_Mitigations, Time_of_Introduction | |
| CWE Content Team | MITRE | updated Description, Relationships, Other_Notes, Taxonomy_Mappings | |
| CWE Content Team | MITRE | updated Relationships, Taxonomy_Mappings | |
| CWE Content Team | MITRE | updated Demonstrative_Examples | |
| CWE Content Team | MITRE | updated Demonstrative_Examples | |
| CWE Content Team | MITRE | updated Common_Consequences, Other_Notes | |
| CWE Content Team | MITRE | updated Common_Consequences | |
| CWE Content Team | MITRE | updated Relationships, Taxonomy_Mappings | |
| CWE Content Team | MITRE | updated Common_Consequences, Relationships | |
| CWE Content Team | MITRE | updated Potential_Mitigations | |
| CWE Content Team | MITRE | updated Observed_Examples | |
| CWE Content Team | MITRE | updated Detection_Factors, Taxonomy_Mappings | |
| CWE Content Team | MITRE | updated Relationships, Taxonomy_Mappings | |
| CWE Content Team | MITRE | updated Common_Consequences, References, Relationships, Taxonomy_Mappings, Weakness_Ordinalities | |
| CWE Content Team | MITRE | updated Type | |
| CWE Content Team | MITRE | updated Applicable_Platforms, Observed_Examples, Relationships | |
| CWE Content Team | MITRE | updated Relationships | |
| CWE Content Team | MITRE | updated Relationships | |
| CWE Content Team | MITRE | updated Observed_Examples | |
| CWE Content Team | MITRE | updated Description | |
| CWE Content Team | MITRE | updated References, Relationships | |
| CWE Content Team | MITRE | updated Mapping_Notes | |
| CWE Content Team | MITRE | updated Demonstrative_Examples | |
| CWE Content Team | MITRE | updated Detection_Factors, References |
