What is CWE / CQE?

The CWE™ (Common Weakness Enumeration) is a list of common software security weaknesses. Maintained by The MITRE Corporation and based on contributions from the general software community, the CWE is an evolving resource that defines and categorizes software weaknesses through a common vocabulary. It provides a benchmark for assessing software tools that purport to identify software weaknesses, and establishes a baseline for weakness mitigation and prevention. Although its focus is on security, the CWE also applies in other high-assurance contexts. A weakness could lead to a security vulnerability that is intentionally exploited by an adversary, a safety hazard that is triggered by external inputs, or, in general, incorrect system behavior (i.e., an effect that violates the system's requirements).

The CWE list comprises more than 700 entries and can be viewed hierarchically from several perspectives. For example, the Development Concepts view shows weaknesses coming from a number of sources, including incomplete or incorrectly implemented security functionality, improper input validation, and programming errors. The latter category is directly related to the programming language that is used, with weaknesses ranging from error-prone features to constructs with unspecified semantics. Several well-publicized software security incidents have stemmed from Buffer Overflow or other C weaknesses that, in Ada, would have been detected and prevented by a static analysis tool such as CodePeer.

The size and scope of the CWE and the growing number of CWE-related tools have led MITRE to establish the CWE Compatibility and Effectiveness Program, a formal review and evaluation process that consolidates and organizes information about security products and services. CodePeer has been designated as CWE-Compatible in this program, based on its ability to detect several of the CWE’s Top 25 Most Dangerous Software Errors:

• CWE-120 (Classic Buffer Overflow)

• CWE-131 (Incorrect Calculation of Buffer Size)

• CWE-190 (Integer Overflow or Wraparound)
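The three weaknesses above commonly chain together: an unchecked size calculation wraps around (CWE-190), the resulting buffer is smaller than intended (CWE-131), and the copy into it overflows (CWE-120). The following C example, added here and not part of the original page or of CodePeer, shows the unchecked calculation beside a checked version that refuses to allocate from a wrapped size; the function names and the four-element sample input are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Unchecked size computation: count * elem_size may wrap around
 * (CWE-190), yielding a buffer far smaller than the caller assumes
 * (CWE-131). Returns the possibly wrapped product. */
size_t unchecked_buffer_size(size_t count, size_t elem_size) {
    return count * elem_size;
}

/* Reports whether the unchecked product wrapped: if it did, the product
 * divided back by elem_size no longer equals count. */
int size_calc_wraps(size_t count, size_t elem_size) {
    size_t bytes = unchecked_buffer_size(count, elem_size);
    return elem_size != 0 && bytes / elem_size != count;
}

/* Checked multiplication (GCC/Clang builtin): returns 1 and stores the
 * product in *out only when no wraparound occurred, else returns 0. */
int checked_mul_size(size_t count, size_t elem_size, size_t *out) {
    return !__builtin_mul_overflow(count, elem_size, out);
}

/* Copies `count` elements of `elem_size` bytes into a fresh buffer.
 * Returns NULL rather than allocating from a wrapped size, so the
 * memcpy length always matches the allocation (no CWE-120). */
void *copy_elements_checked(const void *src, size_t count, size_t elem_size) {
    size_t bytes;
    if (!checked_mul_size(count, elem_size, &bytes)) return NULL;
    void *dst = malloc(bytes);
    if (dst == NULL) return NULL;
    memcpy(dst, src, bytes);
    return dst;
}

/* Self-check on a constructed sample: copies four ints and reports
 * whether the copy succeeded and preserved the last element. */
int demo_checked_copy(void) {
    int sample[4] = {1, 2, 3, 4};   /* constructed sample input */
    int *copy = copy_elements_checked(sample, 4, sizeof(int));
    int ok = copy != NULL && copy[3] == 4;
    free(copy);
    return ok;
}
```

The wrapped case is easy to reproduce: a count of SIZE_MAX / 2 + 1 with a two-byte element size multiplies out to exactly zero bytes, which the unchecked path would happily pass to malloc.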

CodePeer, a CWE-Compatible Tool

By mathematically analyzing every line of code, and considering every possible input and every path through the program, CodePeer can be used very early in the development life-cycle to identify problems when they are much less costly to repair. The tool can also be used retrospectively on existing code bases, to detect latent vulnerabilities.

