| HasMember | Allowed | B | 1021 | Improper Restriction of Rendered UI Layers or Frames |
| HasMember | Allowed-with-Review | C | 1023 | Incomplete Comparison with Missing Factors |
| HasMember | Allowed | B | 1037 | Processor Optimization Removal or Modification of Security-critical Code |
| HasMember | Allowed-with-Review | C | 1039 | Inadequate Detection or Handling of Adversarial Input Perturbations in Automated Recognition Mechanism |
| HasMember | Allowed | V | 105 | Struts: Form Field Without Validator |
| HasMember | Allowed | V | 109 | Struts: Validator Turned Off |
| HasMember | Allowed | V | 111 | Direct Use of Unsafe JNI |
| HasMember | Allowed-with-Review | C | 116 | Improper Encoding or Escaping of Output |
| HasMember | Allowed | B | 1189 | Improper Isolation of Shared Resources on System-on-a-Chip (SoC) |
| HasMember | Allowed | B | 1190 | DMA Device Enabled Too Early in Boot Phase |
| HasMember | Allowed | B | 1191 | On-Chip Debug and Test Interface With Improper Access Control |
| HasMember | Allowed | B | 1192 | Improper Identifier for IP Block used in System-On-Chip (SOC) |
| HasMember | Allowed | B | 1193 | Power-On of Untrusted Execution Core Before Enabling Fabric Access Control |
| HasMember | Allowed | V | 121 | Stack-based Buffer Overflow |
| HasMember | Allowed | V | 122 | Heap-based Buffer Overflow |
| HasMember | Allowed | B | 1220 | Insufficient Granularity of Access Control |
| HasMember | Allowed | B | 1223 | Race Condition for Write-Once Attributes |
| HasMember | Allowed | B | 123 | Write-what-where Condition |
| HasMember | Allowed | B | 1234 | Hardware Internal or Debug Modes Allow Override of Locks |
| HasMember | Allowed | B | 124 | Buffer Underwrite ('Buffer Underflow') |
| HasMember | Allowed | B | 1242 | Inclusion of Undocumented Features or Chicken Bits |
| HasMember | Allowed | B | 1243 | Sensitive Non-Volatile Information Not Protected During Debug |
| HasMember | Allowed | B | 1244 | Internal Asset Exposed to Unsafe Debug Access Level or State |
| HasMember | Allowed | B | 1247 | Improper Protection Against Voltage and Clock Glitches |
| HasMember | Allowed | B | 125 | Out-of-bounds Read |
| HasMember | Allowed | B | 1253 | Incorrect Selection of Fuse Values |
| HasMember | Allowed | B | 1254 | Incorrect Comparison Logic Granularity |
| HasMember | Allowed | V | 1255 | Comparison Logic is Vulnerable to Power Side-Channel Attacks |
| HasMember | Allowed | B | 1256 | Improper Restriction of Software Interfaces to Hardware Features |
| HasMember | Allowed | B | 1258 | Exposure of Sensitive System Information Due to Uncleared Debug Information |
| HasMember | Allowed | B | 1259 | Improper Restriction of Security Token Assignment |
| HasMember | Allowed | V | 126 | Buffer Over-read |
| HasMember | Allowed | B | 1261 | Improper Handling of Single Event Upsets |
| HasMember | Allowed | B | 1262 | Improper Access Control for Register Interface |
| HasMember | Allowed | B | 1267 | Policy Uses Obsolete Encoding |
| HasMember | Allowed | B | 1268 | Policy Privileges are not Assigned Consistently Between Control and Data Agents |
| HasMember | Allowed | V | 127 | Buffer Under-read |
| HasMember | Allowed | B | 1270 | Generation of Incorrect Security Tokens |
| HasMember | Allowed | B | 1273 | Device Unlock Credential Sharing |
| HasMember | Allowed | B | 1277 | Firmware Not Updateable |
| HasMember | Allowed | B | 128 | Wrap-around Error |
| HasMember | Allowed | B | 1280 | Access Control Check Implemented After Asset is Accessed |
| HasMember | Allowed | B | 1295 | Debug Messages Revealing Unnecessary Information |
| HasMember | Allowed | B | 1296 | Incorrect Chaining or Granularity of Debug Components |
| HasMember | Allowed | B | 1297 | Unprotected Confidential Information on Device is Accessible by OSAT Vendors |
| HasMember | Allowed | B | 1298 | Hardware Logic Contains Race Conditions |
| HasMember | Allowed | B | 1299 | Missing Protection Mechanism for Alternate Hardware Interface |
| HasMember | Allowed | B | 1302 | Missing Source Identifier in Entity Transactions on a System-On-Chip (SOC) |
| HasMember | Allowed | B | 1304 | Improperly Preserved Integrity of Hardware Configuration State During a Power Save/Restore Operation |
| HasMember | Allowed | B | 1311 | Improper Translation of Security Attributes by Fabric Bridge |
| HasMember | Allowed | B | 1312 | Missing Protection for Mirrored Regions in On-Chip Fabric Firewall |
| HasMember | Allowed | B | 1313 | Hardware Allows Activation of Test or Debug Logic at Runtime |
| HasMember | Allowed | B | 1315 | Improper Setting of Bus Controlling Capability in Fabric End-point |
| HasMember | Allowed | B | 1316 | Fabric-Address Map Allows Programming of Unwarranted Overlaps of Protected and Unprotected Ranges |
| HasMember | Allowed | B | 1317 | Improper Access Control in Fabric Bridge |
| HasMember | Allowed | B | 1319 | Improper Protection against Electromagnetic Fault Injection (EM-FI) |
| HasMember | Allowed | B | 1329 | Reliance on Component That is Not Updateable |
| HasMember | Allowed | B | 1332 | Improper Handling of Faults that Lead to Instruction Skips |
| HasMember | Allowed | V | 1385 | Missing Origin Validation in WebSockets |
| HasMember | Allowed | B | 1389 | Incorrect Parsing of Numbers with Different Radices |
| HasMember | Allowed | V | 14 | Compiler Removal of Code to Clear Buffers |
| HasMember | Allowed | B | 168 | Improper Handling of Inconsistent Special Elements |
| HasMember | Allowed | V | 173 | Improper Handling of Alternate Encoding |
| HasMember | Allowed | V | 174 | Double Decoding of the Same Data |
| HasMember | Allowed | B | 178 | Improper Handling of Case Sensitivity |
| HasMember | Allowed | B | 179 | Incorrect Behavior Order: Early Validation |
| HasMember | Allowed | V | 180 | Incorrect Behavior Order: Validate Before Canonicalize |
| HasMember | Allowed | V | 181 | Incorrect Behavior Order: Validate Before Filter |
| HasMember | Allowed | B | 182 | Collapse of Data into Unsafe Value |
| HasMember | Allowed | B | 183 | Permissive List of Allowed Inputs |
| HasMember | Allowed | B | 184 | Incomplete List of Disallowed Inputs |
| HasMember | Allowed-with-Review | C | 185 | Incorrect Regular Expression |
| HasMember | Allowed | B | 186 | Overly Restrictive Regular Expression |
| HasMember | Allowed | V | 187 | Partial String Comparison |
| HasMember | Allowed | B | 190 | Integer Overflow or Wraparound |
| HasMember | Allowed | B | 191 | Integer Underflow (Wrap or Wraparound) |
| HasMember | Allowed | B | 193 | Off-by-one Error |
| HasMember | Allowed | V | 196 | Unsigned to Signed Conversion Error |
| HasMember | Allowed | B | 203 | Observable Discrepancy |
| HasMember | Allowed | B | 204 | Observable Response Discrepancy |
| HasMember | Allowed | B | 205 | Observable Behavioral Discrepancy |
| HasMember | Allowed | V | 206 | Observable Internal Behavioral Discrepancy |
| HasMember | Allowed | V | 207 | Observable Behavioral Discrepancy With Equivalent Products |
| HasMember | Allowed | B | 208 | Observable Timing Discrepancy |
| HasMember | Allowed | B | 288 | Authentication Bypass Using an Alternate Path or Channel |
| HasMember | Allowed | B | 289 | Authentication Bypass by Alternate Name |
| HasMember | Allowed | B | 290 | Authentication Bypass by Spoofing |
| HasMember | Allowed | B | 295 | Improper Certificate Validation |
| HasMember | Allowed | B | 302 | Authentication Bypass by Assumed-Immutable Data |
| HasMember | Allowed | B | 303 | Incorrect Implementation of Authentication Algorithm |
| HasMember | Allowed | B | 304 | Missing Critical Step in Authentication |
| HasMember | Allowed | B | 305 | Authentication Bypass by Primary Weakness |
| HasMember | Allowed | B | 307 | Improper Restriction of Excessive Authentication Attempts |
| HasMember | Allowed | B | 308 | Use of Single-factor Authentication |
| HasMember | Allowed | B | 309 | Use of Password System for Primary Authentication |
| HasMember | Allowed | V | 321 | Use of Hard-coded Cryptographic Key |
| HasMember | Allowed | B | 322 | Key Exchange without Entity Authentication |
| HasMember | Allowed | B | 323 | Reusing a Nonce, Key Pair in Encryption |
| HasMember | Allowed | B | 324 | Use of a Key Past its Expiration Date |
| HasMember | Allowed | B | 325 | Missing Cryptographic Step |
| HasMember | Allowed-with-Review | C | 326 | Inadequate Encryption Strength |
| HasMember | Allowed | B | 328 | Use of Weak Hash |
| HasMember | Discouraged | C | 330 | Use of Insufficiently Random Values |
| HasMember | Allowed | B | 331 | Insufficient Entropy |
| HasMember | Allowed | V | 332 | Insufficient Entropy in PRNG |
| HasMember | Allowed | B | 334 | Small Space of Random Values |
| HasMember | Allowed | B | 335 | Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG) |
| HasMember | Allowed | V | 336 | Same Seed in Pseudo-Random Number Generator (PRNG) |
| HasMember | Allowed | B | 338 | Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) |
| HasMember | Allowed | B | 348 | Use of Less Trusted Source |
| HasMember | Allowed | B | 349 | Acceptance of Extraneous Untrusted Data With Trusted Data |
| HasMember | Allowed | V | 350 | Reliance on Reverse DNS Resolution for a Security-Critical Action |
| HasMember | Allowed | C | 352 | Cross-Site Request Forgery (CSRF) |
| HasMember | Allowed | B | 358 | Improperly Implemented Security Check for Standard |
| HasMember | Allowed-with-Review | C | 362 | Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') |
| HasMember | Discouraged | C | 400 | Uncontrolled Resource Consumption |
| HasMember | Allowed | B | 41 | Improper Resolution of Path Equivalence |
| HasMember | Allowed | B | 419 | Unprotected Primary Channel |
| HasMember | Allowed | V | 42 | Path Equivalence: 'filename.' (Trailing Dot) |
| HasMember | Allowed | B | 420 | Unprotected Alternate Channel |
| HasMember | Allowed | B | 421 | Race Condition During Access to Alternate Channel |
| HasMember | Allowed | V | 422 | Unprotected Windows Messaging Channel ('Shatter') |
| HasMember | Allowed-with-Review | C | 424 | Improper Protection of Alternate Path |
| HasMember | Allowed | B | 444 | Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') |
| HasMember | Allowed-with-Review | C | 451 | User Interface (UI) Misrepresentation of Critical Information |
| HasMember | Allowed | B | 489 | Active Debug Code |
| HasMember | Allowed | V | 498 | Cloneable Class Containing Sensitive Information |
| HasMember | Allowed | B | 501 | Trust Boundary Violation |
| HasMember | Allowed | B | 510 | Trapdoor |
| HasMember | Allowed-with-Review | C | 514 | Covert Channel |
| HasMember | Allowed | V | 529 | Exposure of Access Control List Files to an Unauthorized Control Sphere |
| HasMember | Allowed | B | 549 | Missing Password Field Masking |
| HasMember | Allowed | B | 551 | Incorrect Behavior Order: Authorization Before Parsing and Canonicalization |
| HasMember | Allowed | V | 555 | J2EE Misconfiguration: Plaintext Password in Configuration File |
| HasMember | Allowed | V | 558 | Use of getlogin() in Multithreaded Application |
| HasMember | Allowed | V | 560 | Use of umask() with chmod-style Argument |
| HasMember | Allowed | V | 566 | Authorization Bypass Through User-Controlled SQL Primary Key |
| HasMember | Allowed | B | 59 | Improper Link Resolution Before File Access ('Link Following') |
| HasMember | Allowed | V | 593 | Authentication Bypass: OpenSSL CTX Object Modified after SSL Objects are Created |
| HasMember | Allowed | V | 599 | Missing Validation of OpenSSL Certificate |
| HasMember | Allowed | B | 601 | URL Redirection to Untrusted Site ('Open Redirect') |
| HasMember | Allowed-with-Review | C | 602 | Client-Side Enforcement of Server-Side Security |
| HasMember | Allowed | B | 603 | Use of Client-Side Authentication |
| HasMember | Allowed | B | 611 | Improper Restriction of XML External Entity Reference |
| HasMember | Allowed | B | 613 | Insufficient Session Expiration |
| HasMember | Allowed | B | 620 | Unverified Password Change |
| HasMember | Allowed | B | 625 | Permissive Regular Expression |
| HasMember | Allowed-with-Review | C | 636 | Not Failing Securely ('Failing Open') |
| HasMember | Allowed-with-Review | C | 638 | Not Using Complete Mediation |
| HasMember | Allowed | B | 639 | Authorization Bypass Through User-Controlled Key |
| HasMember | Allowed-with-Review | C | 642 | External Control of Critical State Data |
| HasMember | Allowed | B | 643 | Improper Neutralization of Data within XPath Expressions ('XPath Injection') |
| HasMember | Allowed | V | 647 | Use of Non-Canonical URL Paths for Authorization Decisions |
| HasMember | Allowed | C | 653 | Improper Isolation or Compartmentalization |
| HasMember | Allowed-with-Review | C | 655 | Insufficient Psychological Acceptability |
| HasMember | Discouraged | C | 665 | Improper Initialization |
| HasMember | Discouraged | P | 682 | Incorrect Calculation |
| HasMember | Allowed | V | 69 | Improper Handling of Windows ::DATA Alternate Data Stream |
| HasMember | Discouraged | P | 693 | Protection Mechanism Failure |
| HasMember | Allowed | B | 694 | Use of Multiple Resources with Duplicate Identifier |
| HasMember | Allowed | B | 733 | Compiler Optimization Removal or Modification of Security-critical Code |
| HasMember | Discouraged | C | 74 | Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') |
| HasMember | Allowed | B | 757 | Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade') |
| HasMember | Allowed | V | 759 | Use of a One-Way Hash without a Salt |
| HasMember | Allowed | V | 760 | Use of a One-Way Hash with a Predictable Salt |
| HasMember | Allowed | V | 777 | Regular Expression without Anchors |
| HasMember | Allowed | V | 780 | Use of RSA Algorithm without OAEP |
| HasMember | Allowed | V | 784 | Reliance on Cookies without Validation and Integrity Checking in a Security Decision |
| HasMember | Allowed | B | 79 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
| HasMember | Allowed | B | 798 | Use of Hard-coded Credentials |
| HasMember | Allowed-with-Review | C | 799 | Improper Control of Interaction Frequency |
| HasMember | Allowed | B | 804 | Guessable CAPTCHA |
| HasMember | Allowed | V | 806 | Buffer Access Using Size of Source Buffer |
| HasMember | Allowed | B | 807 | Reliance on Untrusted Inputs in a Security Decision |
| HasMember | Allowed | V | 831 | Signal Handler Function Associated with Multiple Signals |
| HasMember | Allowed | B | 836 | Use of Password Hash Instead of Password for Authentication |
| HasMember | Allowed-with-Review | C | 862 | Missing Authorization |
| HasMember | Allowed-with-Review | C | 863 | Incorrect Authorization |
| HasMember | Allowed | B | 89 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') |
| HasMember | Allowed | B | 916 | Use of Password Hash With Insufficient Computational Effort |
| HasMember | Allowed | B | 918 | Server-Side Request Forgery (SSRF) |
| HasMember | Allowed-with-Review | B | 94 | Improper Control of Generation of Code ('Code Injection') |
| HasMember | Allowed | V | 942 | Permissive Cross-domain Policy with Untrusted Domains |
| HasMember | Allowed-with-Review | C | 943 | Improper Neutralization of Special Elements in Data Query Logic |
| HasMember | Allowed | V | 95 | Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') |
| HasMember | Allowed | B | 96 | Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection') |