| MemberOf | Prohibited | V | 1400 | Comprehensive Categorization for Software Assurance Trends |
| HasMember | Prohibited | B | 1053 | Missing Documentation for Design |
| HasMember | Prohibited | B | 1054 | Invocation of a Control Element at an Unnecessarily Deep Horizontal Layer |
| HasMember | Prohibited | B | 1055 | Multiple Inheritance from Concrete Classes |
| HasMember | Prohibited | B | 1056 | Invokable Control Element with Variadic Parameters |
| HasMember | Prohibited | B | 1057 | Data Access Operations Outside of Expected Data Manager Component |
| HasMember | Allowed | B | 1007 | Insufficient Visual Distinction of Homoglyphs Presented to User |
| HasMember | Allowed | V | 103 | Struts: Incomplete validate() Method Definition |
| HasMember | Allowed | V | 104 | Struts: Form Bean Does Not Extend Validation Class |
| HasMember | Prohibited | B | 1041 | Use of Redundant Code |
| HasMember | Prohibited | B | 1043 | Data Element Aggregating an Excessively Large Number of Non-Primitive Elements |
| HasMember | Prohibited | B | 1044 | Architecture with Number of Horizontal Layers Outside of Expected Range |
| HasMember | Allowed | B | 1045 | Parent Class with a Virtual Destructor and a Child Class without a Virtual Destructor |
| HasMember | Prohibited | B | 1047 | Modules with Circular Dependencies |
| HasMember | Prohibited | B | 1048 | Invokable Control Element with Large Number of Outward Calls |
| HasMember | Prohibited | C | 1059 | Insufficient Technical Documentation |
| HasMember | Prohibited | B | 1060 | Excessive Number of Inefficient Server-Side Data Accesses |
| HasMember | Allowed-with-Review | C | 1061 | Insufficient Encapsulation |
| HasMember | Prohibited | B | 1062 | Parent Class with References to Child Class |
| HasMember | Prohibited | B | 1064 | Invokable Control Element with Signature Containing an Excessive Number of Parameters |
| HasMember | Prohibited | B | 1065 | Runtime Resource Management Control Element in a Component Built to Run on Application Servers |
| HasMember | Prohibited | B | 1066 | Missing Serialization Control Element |
| HasMember | Prohibited | B | 1068 | Inconsistency Between Implementation and Documented Design |
| HasMember | Prohibited | V | 1069 | Empty Exception Block |
| HasMember | Allowed | V | 107 | Struts: Unused Validation Form |
| HasMember | Prohibited | B | 1070 | Serializable Data Element Containing non-Serializable Item Elements |
| HasMember | Allowed | B | 1071 | Empty Code Block |
| HasMember | Prohibited | B | 1074 | Class with Excessively Deep Inheritance |
| HasMember | Allowed | B | 1075 | Unconditional Control Flow Transfer outside of Switch Block |
| HasMember | Prohibited | C | 1076 | Insufficient Adherence to Expected Conventions |
| HasMember | Prohibited | C | 1078 | Inappropriate Source Code Style or Formatting |
| HasMember | Allowed | B | 1079 | Parent Class without Virtual Destructor Method |
| HasMember | Prohibited | B | 1080 | Source Code File with Excessive Number of Lines of Code |
| HasMember | Prohibited | B | 1082 | Class Instance Self Destruction Control Element |
| HasMember | Prohibited | B | 1083 | Data Access from Outside Expected Data Manager Component |
| HasMember | Prohibited | B | 1085 | Invokable Control Element with Excessive Volume of Commented-out Code |
| HasMember | Prohibited | B | 1086 | Class with Excessive Number of Child Classes |
| HasMember | Allowed | B | 1087 | Class with Virtual Method without a Virtual Destructor |
| HasMember | Prohibited | B | 1090 | Method Containing Access of a Member Element from Another Class |
| HasMember | Prohibited | B | 1092 | Use of Same Invokable Control Element in Multiple Architectural Layers |
| HasMember | Allowed-with-Review | C | 1093 | Excessively Complex Data Representation |
| HasMember | Prohibited | B | 1095 | Loop Condition Value Update within the Loop |
| HasMember | Prohibited | B | 1097 | Persistent Storable Data Element without Associated Comparison Control Element |
| HasMember | Allowed | B | 1098 | Data Element containing Pointer Item without Proper Copy Control Element |
| HasMember | Prohibited | B | 1099 | Inconsistent Naming Conventions for Identifiers |
| HasMember | Allowed | V | 11 | ASP.NET Misconfiguration: Creating Debug Binary |
| HasMember | Allowed | V | 110 | Struts: Validator Without Form Field |
| HasMember | Allowed | B | 1100 | Insufficient Isolation of System-Dependent Functions |
| HasMember | Prohibited | B | 1101 | Reliance on Runtime Component in Generated Code |
| HasMember | Allowed | B | 1102 | Reliance on Machine-Dependent Data Representation |
| HasMember | Prohibited | B | 1103 | Use of Platform-Dependent Third Party Components |
| HasMember | Prohibited | B | 1105 | Insufficient Encapsulation of Machine-Dependent Functionality |
| HasMember | Prohibited | B | 1106 | Insufficient Use of Symbolic Constants |
| HasMember | Prohibited | B | 1107 | Insufficient Isolation of Symbolic Constant Definitions |
| HasMember | Allowed | B | 1108 | Excessive Reliance on Global Variables |
| HasMember | Prohibited | B | 1109 | Use of Same Variable for Multiple Purposes |
| HasMember | Allowed | V | 111 | Direct Use of Unsafe JNI |
| HasMember | Prohibited | B | 1110 | Incomplete Design Documentation |
| HasMember | Prohibited | B | 1111 | Incomplete I/O Documentation |
| HasMember | Prohibited | B | 1112 | Incomplete Documentation of Program Execution |
| HasMember | Prohibited | B | 1113 | Inappropriate Comment Style |
| HasMember | Prohibited | B | 1114 | Inappropriate Whitespace Style |
| HasMember | Prohibited | B | 1115 | Source Code Element without Standard Prologue |
| HasMember | Allowed | B | 1116 | Inaccurate Comments |
| HasMember | Prohibited | B | 1117 | Callable with Insufficient Behavioral Summary |
| HasMember | Prohibited | B | 1118 | Insufficient Documentation of Error Handling Techniques |
| HasMember | Prohibited | B | 1119 | Excessive Use of Unconditional Branching |
| HasMember | Allowed-with-Review | C | 1120 | Excessive Code Complexity |
| HasMember | Prohibited | B | 1121 | Excessive McCabe Cyclomatic Complexity |
| HasMember | Prohibited | B | 1122 | Excessive Halstead Complexity |
| HasMember | Allowed | B | 1123 | Excessive Use of Self-Modifying Code |
| HasMember | Prohibited | B | 1124 | Excessively Deep Nesting |
| HasMember | Prohibited | B | 1125 | Excessive Attack Surface |
| HasMember | Allowed | B | 1126 | Declaration of Variable with Unnecessarily Wide Scope |
| HasMember | Allowed | B | 1127 | Compilation with Insufficient Warnings or Errors |
| HasMember | Allowed-with-Review | C | 1164 | Irrelevant Code |
| HasMember | Allowed-with-Review | C | 1177 | Use of Prohibited Code |
| HasMember | Allowed | B | 1209 | Failure to Disable Reserved Bits |
| HasMember | Allowed | B | 1245 | Improper Finite State Machines (FSMs) in Hardware Logic |
| HasMember | Allowed | B | 1341 | Multiple Releases of Same Resource or Handle |
| HasMember | Allowed-with-Review | C | 1357 | Reliance on Insufficiently Trustworthy Component |
| HasMember | Allowed | B | 242 | Use of Inherently Dangerous Function |
| HasMember | Allowed | V | 245 | J2EE Bad Practices: Direct Management of Connections |
| HasMember | Allowed | V | 246 | J2EE Bad Practices: Direct Use of Sockets |
| HasMember | Allowed | B | 253 | Incorrect Check of Function Return Value |
| HasMember | Allowed | B | 358 | Improperly Implemented Security Check for Standard |
| HasMember | Allowed | V | 383 | J2EE Bad Practices: Direct Use of Threads |
| HasMember | Allowed | B | 392 | Missing Report of Error Condition |
| HasMember | Allowed | B | 393 | Return of Wrong Status Code |
| HasMember | Allowed | B | 440 | Expected Behavior Violation |
| HasMember | Allowed-with-Review | C | 446 | UI Discrepancy for Security Feature |
| HasMember | Allowed | B | 448 | Obsolete Feature in UI |
| HasMember | Allowed | B | 449 | The UI Performs the Wrong Action |
| HasMember | Allowed-with-Review | C | 451 | User Interface (UI) Misrepresentation of Critical Information |
| HasMember | Allowed | V | 462 | Duplicate Key in Associative List (Alist) |
| HasMember | Allowed | B | 474 | Use of Function with Inconsistent Implementations |
| HasMember | Allowed | B | 475 | Undefined Behavior for Input to API |
| HasMember | Allowed | B | 476 | NULL Pointer Dereference |
| HasMember | Allowed | B | 477 | Use of Obsolete Function |
| HasMember | Allowed | B | 484 | Omitted Break Statement in Switch |
| HasMember | Allowed | B | 489 | Active Debug Code |
| HasMember | Allowed-with-Review | C | 506 | Embedded Malicious Code |
| HasMember | Allowed | B | 507 | Trojan Horse |
| HasMember | Allowed | B | 508 | Non-Replicating Malicious Code |
| HasMember | Allowed | B | 509 | Replicating Malicious Code (Virus or Worm) |
| HasMember | Allowed | B | 510 | Trapdoor |
| HasMember | Allowed | B | 511 | Logic/Time Bomb |
| HasMember | Allowed | B | 512 | Spyware |
| HasMember | Allowed-with-Review | C | 573 | Improper Following of Specification by Caller |
| HasMember | Allowed | V | 546 | Suspicious Comment |
| HasMember | Allowed | B | 547 | Use of Hard-coded, Security-relevant Constants |
| HasMember | Allowed | V | 560 | Use of umask() with chmod-style Argument |
| HasMember | Allowed | B | 561 | Dead Code |
| HasMember | Allowed | B | 563 | Assignment to Variable without Use |
| HasMember | Allowed | B | 570 | Expression is Always False |
| HasMember | Allowed | B | 571 | Expression is Always True |
| HasMember | Allowed | V | 575 | EJB Bad Practices: Use of AWT Swing |
| HasMember | Allowed | V | 576 | EJB Bad Practices: Use of Java I/O |
| HasMember | Allowed | V | 577 | EJB Bad Practices: Use of Sockets |
| HasMember | Allowed | V | 578 | EJB Bad Practices: Use of Class Loader |
| HasMember | Allowed | V | 579 | J2EE Bad Practices: Non-serializable Object Stored in Session |
| HasMember | Allowed | V | 581 | Object Model Violation: Just One of Equals and Hashcode Defined |
| HasMember | Allowed | V | 585 | Empty Synchronized Block |
| HasMember | Allowed | B | 586 | Explicit Call to Finalize() |
| HasMember | Allowed | V | 589 | Call to Non-ubiquitous API |
| HasMember | Allowed | V | 594 | J2EE Framework: Saving Unserializable Objects to Disk |
| HasMember | Allowed | V | 605 | Multiple Binds to the Same Port |
| HasMember | Allowed | B | 628 | Function Call with Incorrectly Specified Arguments |
| HasMember | Allowed-with-Review | C | 675 | Multiple Operations on Resource in Single-Operation Context |
| HasMember | Allowed | B | 676 | Use of Potentially Dangerous Function |
| HasMember | Allowed | V | 683 | Function Call With Incorrect Order of Arguments |
| HasMember | Allowed-with-Review | C | 684 | Incorrect Provision of Specified Functionality |
| HasMember | Allowed | V | 685 | Function Call With Incorrect Number of Arguments |
| HasMember | Allowed | V | 686 | Function Call With Incorrect Argument Type |
| HasMember | Allowed | V | 687 | Function Call With Incorrectly Specified Argument Value |
| HasMember | Allowed | V | 688 | Function Call With Incorrect Variable or Reference as Argument |
| HasMember | Allowed | B | 695 | Use of Low-Level Functionality |
| HasMember | Discouraged | P | 710 | Improper Adherence to Coding Standards |
| HasMember | Allowed-with-Review | C | 758 | Reliance on Undefined, Unspecified, or Implementation-Defined Behavior |
| HasMember | Allowed | B | 766 | Critical Data Element Declared Public |
| HasMember | Allowed | V | 785 | Use of Path Manipulation Function without Maximum-sized Buffer |
| HasMember | Allowed-with-Review | C | 912 | Hidden Functionality |