Byte Open Security (ByteOS Network)
CWE-1025: Comparison Using Wrong Factors
Weakness ID: 1025
Version: v4.17
Weakness Name: Comparison Using Wrong Factors
Vulnerability Mapping: Allowed
Abstraction: Base
Structure: Simple
Status: Incomplete
Likelihood of Exploit:
▼Description

The code performs a comparison between two entities, but the comparison examines the wrong factors or characteristics of the entities, which can lead to incorrect results and resultant weaknesses.

▼Extended Description

For example, the code might inadvertently compare references to objects instead of the relevant contents of those objects, so that two "equal" objects are treated as unequal. The converse also occurs: comparing a factor that is not unique to the entity, such as a class's name rather than the class itself, can cause two distinct entities to be treated as equal.

▼Alternate Terms
▼Relationships
Relevant to the view "Research Concepts - (1000)"
Nature    Mapping      Type     ID   Name
ChildOf   Discouraged  Pillar   697  Incorrect Comparison
ParentOf  Allowed      Variant  486  Comparison of Classes by Name
ParentOf  Allowed      Variant  595  Comparison of Object References Instead of Object Contents
▼Memberships
Nature    Mapping     Type      ID    Name
MemberOf  Prohibited  Category  438   Behavioral Problems
MemberOf  Prohibited  Category  1397  Comprehensive Categorization: Comparison
▼Tags
Nature    Mapping     Type      ID        Name
MemberOf  Prohibited  BOSSView  BOSS-294  Not Language-Specific Weaknesses
MemberOf  Prohibited  BOSSView  BOSS-326  Varies by Context (impact)
▼Relevant To View
Relevant to the view "Software Development - (699)"
Nature    Mapping     Type      ID   Name
MemberOf  Prohibited  Category  438  Behavioral Problems
▼Background Detail

▼Common Consequences
Scope  Likelihood  Impact             Note
Other  N/A         Varies by Context  N/A
▼Potential Mitigations
Phase: Testing
Description: Thoroughly test the comparison scheme before deploying code into production. Perform positive testing (comparisons that should succeed) as well as negative testing (comparisons that should fail).
▼Modes Of Introduction
Phase: Implementation
▼Applicable Platforms
Languages: Class: Not Language-Specific (Undetermined Prevalence)
▼Demonstrative Examples
Example 1

In the example below, two Java String objects are declared and initialized with the same string value. An if statement is then used to determine whether the strings are equivalent.

Language: Java (Bad code)
    String str1 = new String("Hello");
    String str2 = new String("Hello");
    if (str1 == str2) {
        System.out.println("str1 == str2");
    }

The body of the if statement never executes, because the strings are compared with the "==" operator. For Java objects, including String, "==" compares object references, not object contents. The two String objects above hold the same characters but are distinct objects (each "new String(...)" allocates its own instance), so the System.out.println statement is skipped. To compare contents, use the equals method:

Language: Java (Good code)
    if (str1.equals(str2)) {
        System.out.println("str1 equals str2");
    }
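The following is an added example, not part of the CWE entry or of the Java sample above. It shows the same weakness in Python, where "is" plays the role of Java's "==" on objects, and goes one step further than the entry's example by also covering the class-name case listed as child CWE-486 above: a check that keys on a class's name instead of the class itself accepts an unrelated class that merely reuses the name. The Credential and AdminToken classes, the forged token and the sample values are all constructed for illustration.

```python
# Added example (not from the CWE entry or its Java sample): CWE-1025 in Python.
# Covers both child variants listed above: object reference vs object contents
# (CWE-595) and class name vs class identity (CWE-486). All names and data are
# constructed for illustration.
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Credential:
    """Value object: two Credentials with identical fields should compare equal."""
    user: str
    secret: str


def fresh_pair() -> tuple[Credential, Credential]:
    """Two distinct objects with identical contents, as in the Java example."""
    return Credential("alice", "s3cr3t"), Credential("alice", "s3cr3t")


def matches_by_reference(presented: Credential, stored: Credential) -> bool:
    # BAD: 'is' compares object identity, the analogue of Java's '==' on objects.
    # Equal credentials held in different objects are reported as unequal.
    return presented is stored


def matches_by_content(presented: Credential, stored: Credential) -> bool:
    # GOOD: '==' dispatches to the dataclass-generated __eq__, which compares fields.
    return presented == stored


class AdminToken:
    """Marker class whose identity (not its name) is meant to convey privilege."""


def forged_admin_token() -> object:
    """An unrelated class that merely reuses the simple name 'AdminToken'.
    Built with type() here; in practice it could be defined in any module."""
    impostor_cls = type("AdminToken", (), {})
    return impostor_cls()


def is_admin_by_class_name(obj: object) -> bool:
    # BAD: the class name is the wrong factor; any class can carry that name.
    return type(obj).__name__ == "AdminToken"


def is_admin_by_class_identity(obj: object) -> bool:
    # GOOD: isinstance compares against the class object itself.
    return isinstance(obj, AdminToken)


def run_checks() -> dict:
    """Positive and negative cases, the kind of testing the mitigation calls for."""
    a, b = fresh_pair()
    return {
        "equal_creds_by_reference": matches_by_reference(a, b),                       # False (wrong)
        "equal_creds_by_content": matches_by_content(a, b),                           # True
        "forged_token_by_name": is_admin_by_class_name(forged_admin_token()),         # True (wrong)
        "forged_token_by_identity": is_admin_by_class_identity(forged_admin_token()), # False
        "real_token_by_identity": is_admin_by_class_identity(AdminToken()),           # True
    }


if __name__ == "__main__":
    for name, result in run_checks().items():
        print(f"{name}: {result}")
```

The two bad checks fail in opposite directions: the reference comparison rejects a correct credential (the case the entry's description names), while the name comparison accepts a forged token (the CWE-486 case). Both are the same root cause, examining a factor that does not determine what the code actually cares about, and both are caught by running the negative cases alongside the positive ones.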

▼Observed Examples
▼Affected Resources
▼Functional Areas
▼Weakness Ordinalities
Ordinality: Primary
▼Detection Methods
▼Vulnerability Mapping Notes
Usage: Allowed
Reason: Acceptable-Use
Rationale: This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.
Comments: Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.
▼Notes
▼Taxonomy Mappings
▼Related Attack Patterns
▼References