CWE-1116: Inaccurate Comments
Weakness ID: 1116
Version: v4.17
Weakness Name: Inaccurate Comments
Vulnerability Mapping: Allowed
Abstraction: Base
Structure: Simple
Status: Incomplete
▼Description

The source code contains comments that do not accurately describe or explain aspects of the portion of the code with which the comment is associated.

▼Extended Description

When a comment does not accurately reflect the associated code elements, this can introduce confusion to a reviewer (due to inconsistencies) or make it more difficult and less efficient to validate that the code is implementing the intended behavior correctly.

This issue makes it more difficult to maintain the product, which indirectly affects security by making it more difficult or time-consuming to find and/or fix vulnerabilities. It also might make it easier to introduce vulnerabilities.

▼Relationships
Relevant to the view "Research Concepts - (1000)"
Nature: ChildOf
Mapping: Prohibited
Type: Class
ID: 1078
Name: Inappropriate Source Code Style or Formatting
▼Memberships
Nature: MemberOf
Mapping: Prohibited
Type: Category
ID: 1006
Name: Bad Coding Practices

Nature: MemberOf
Mapping: Prohibited
Type: Category
ID: 1412
Name: Comprehensive Categorization: Poor Coding Practices
▼Tags
Nature: MemberOf
Mapping: Prohibited
Type: BOSSView
ID: BOSS-294
Name: Not Language-Specific Weaknesses

Nature: MemberOf
Mapping: Prohibited
Type: BOSSView
ID: BOSS-310
Name: Reduce Maintainability (impact)
▼Relevant To View
Relevant to the view "Software Development - (699)"
Nature: MemberOf
Mapping: Prohibited
Type: Category
ID: 1006
Name: Bad Coding Practices
▼Common Consequences
Scope: Other
Likelihood: N/A
Impact: Reduce Maintainability
Note: N/A
▼Potential Mitigations
Phase: Implementation
Description:

Verify that each comment accurately reflects what is intended to happen during execution of the code.

▼Applicable Platforms
Languages
Class: Not Language-Specific (Undetermined Prevalence)
▼Demonstrative Examples
Example 1

In the following Java example, the code performs a calculation to determine how much medicine to administer. A comment is provided to give insight into what the calculation should be doing. Unfortunately, the comment does not match the actual code and thus leaves the reader to wonder which is correct.


Language: Java (Bad code)

    public class Main {
        public static void main(String[] args) {
            int pt_weight = 83;
            int mg_per_kg = 3;
            int daily_dose = 0;
            // Add the patient weight and Mg/Kg to calculate the correct daily dose
            daily_dose = pt_weight * mg_per_kg;
            System.out.println(daily_dose);
        }
    }


In the correction below, the code functionality has been verified, and the comment has been corrected to reflect the proper calculation.

Language: Java (Good code)

    public class Main {
        public static void main(String[] args) {
            int pt_weight = 83;
            int mg_per_kg = 3;
            int daily_dose = 0;
            // Multiply the patient weight and Mg/Kg to calculate the correct daily dose
            daily_dose = pt_weight * mg_per_kg;
            System.out.println(daily_dose);
        }
    }


Note that in real-world code, these values should be validated to disallow negative numbers, prevent integer overflow, etc.
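As an added illustration, not part of the CWE entry, the following Python script is a heuristic checker for the kind of mismatch shown above: it reads each `//` comment that names an arithmetic operation and compares it against the operator used in the statement that follows. The verb list and the embedded Java fragment are constructed for this example; the matching is deliberately simple and will produce false positives on words such as "address" or "summary".

```python
import re

# Stems of arithmetic verbs a comment may use and the operator each implies.
# Prefix matching covers add/adding, multiply/multiplied, divide/dividing.
VERB_OPERATORS = {"add": "+", "sum": "+", "plus": "+", "subtract": "-",
                  "minus": "-", "multipl": "*", "times": "*", "divid": "/"}
ARITH_OPS = set("+-*/")

def comment_verbs(comment):
    """Operators implied by arithmetic verbs in a comment (heuristic)."""
    words = re.findall(r"[a-z]+", comment.lower())
    return {op for w in words for stem, op in VERB_OPERATORS.items()
            if w.startswith(stem)}

def statement_operators(line):
    """Arithmetic operators on the right-hand side of an assignment."""
    code = line.split("//", 1)[0]
    if "=" not in code:
        return set()
    return {ch for ch in code.split("=", 1)[1] if ch in ARITH_OPS}

def find_inaccurate_comments(source):
    """Return (comment line, implied ops, actual ops) for each // comment
    whose arithmetic verb disagrees with the statement that follows it."""
    findings = []
    lines = source.splitlines()
    for i, line in enumerate(lines):
        stripped = line.strip()
        if not stripped.startswith("//"):
            continue
        implied = comment_verbs(stripped)
        if not implied:
            continue
        # Compare only against the next non-blank, non-comment line
        for nxt in lines[i + 1:]:
            s = nxt.strip()
            if s and not s.startswith("//"):
                actual = statement_operators(s)
                if actual and not (implied & actual):
                    findings.append((i + 1, sorted(implied), sorted(actual)))
                break
    return findings

# Constructed sample (the entry's bad code): comment says add, code multiplies
BAD_JAVA = """int pt_weight = 83;
int mg_per_kg = 3;
// Add the patient weight and Mg/Kg to calculate the correct daily dose
int daily_dose = pt_weight * mg_per_kg;"""
```

Running `find_inaccurate_comments(BAD_JAVA)` reports the comment on line 3 as implying `+` while the code uses `*`; the corrected "Multiply" comment produces no finding.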

▼Weakness Ordinalities
Ordinality: Indirect
▼Vulnerability Mapping Notes
Usage: Allowed
Reason: Acceptable-Use
Rationale:

This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.

Comments:

Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.