
CodeSonar® 9.2p0 CONFIDENTIAL CodeSecure Inc

CWE: The Common Weakness Enumeration

This version of CodeSonar (9.2p0) uses CWE 4.19.1, published January 21, 2026.



What is CWE?

The Common Weakness Enumeration (CWE) initiative is focused on creating a common set of software security weakness descriptions. Such a set allows clear communication between different parties with interests in computer security, including researchers, tool designers, and users.

The CWE set describes and categorizes hundreds of different weaknesses, each of which is detailed on the CWE website. We refer to individual weaknesses in the set by their numerical CWE IDs.

CWE Compatibility and Effectiveness

CodeSonar is certified CWE-Compatible, and is in the process of being certified CWE-Effective. This requires that CodeSonar meet the following requirements, as listed on the CWE website.

Quote from CWE Compatibility page begins

    CWE Searchable: users may search security elements using CWE identifiers
    CWE Output: security elements presented to users include, or allow users to obtain, associated CWE identifiers
    Mapping Accuracy: security elements accurately link to the appropriate CWE identifiers
    CWE Documentation: capability's documentation describes CWE, CWE compatibility, and how CWE-related functionality in the capability is used
    CWE Coverage: for CWE-Effectiveness, capability's documentation explicitly lists the CWE identifiers that the capability is effective at locating in software
    CWE Test Results: for CWE-Effectiveness, test results from the capability showing the results of assessing software for the CWEs are posted on the CWE Web site

Quote from CWE Compatibility page ends

CWE in CodeSonar

We use the following terminology.

close CWE mapping: The close CWE mapping for a given warning class is the set of CWE IDs that most closely match that class (if any). These are the CWE IDs that appear in the Categories field for the class. The close CWE mapping includes CWE Weaknesses only.

Unless otherwise specified, CWE correspondences discussed in this manual are close correspondences: that is, correspondences with respect to the close CWE mapping.

broad CWE mapping: The broad CWE mapping for a given warning class combines CWE IDs from four sources:
  1. The close CWE mapping for the class.
  2. Other CWE IDs that are related to the class in a meaningful way, but not eligible for the close mapping. Usually this indicates a substantial overlap between the CWE ID and the warning class, but an overlap that cannot be characterized as a subset or superset relationship.
  3. For all CWE IDs from sources 1 and 2, all ancestors of those IDs in the CWE inheritance hierarchy.
  4. In a small number of cases, all descendants of a CWE ID from source 1 or 2 are also applicable to the class. In these cases the descendants are also added to the broad mapping.
The broad CWE mapping includes all CWE entity types: Weakness, Category, and View.
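The following is an added worked example, not CodeSonar code, showing how the four sources above combine into a broad mapping. The ChildOf hierarchy, the related IDs and the descendant-expansion flag are constructed toy data for illustration, not authoritative CWE content or CodeSonar's actual mapping tables.

```python
# Added example (not CodeSonar code): deriving a broad CWE mapping from a
# close CWE mapping via the four sources described above. Toy data only.
from typing import Dict, Iterable, Set

# Constructed ChildOf relationships, child -> parents, in CodeSonar's "CWE:n" form.
PARENTS: Dict[str, Set[str]] = {
    "CWE:476": {"CWE:754"},
    "CWE:754": {"CWE:703"},
    "CWE:703": set(),
    "CWE:690": {"CWE:476"},
    "CWE:252": {"CWE:754"},
}

def _reach(start: str, edges: Dict[str, Set[str]]) -> Set[str]:
    """Transitive closure of `start` over `edges`, excluding `start` itself."""
    seen: Set[str] = set()
    stack = list(edges.get(start, ()))
    while stack:
        node = stack.pop()
        if node not in seen:
            seen.add(node)
            stack.extend(edges.get(node, ()))
    return seen

def ancestors(cwe_id: str, parents: Dict[str, Set[str]] = PARENTS) -> Set[str]:
    """Source 3: every ancestor in the CWE inheritance hierarchy."""
    return _reach(cwe_id, parents)

def descendants(cwe_id: str, parents: Dict[str, Set[str]] = PARENTS) -> Set[str]:
    """Source 4: every descendant, found by inverting child -> parents."""
    children: Dict[str, Set[str]] = {}
    for child, ps in parents.items():
        for p in ps:
            children.setdefault(p, set()).add(child)
    return _reach(cwe_id, children)

def broad_mapping(close: Iterable[str], related: Iterable[str] = (),
                  expand_descendants: Iterable[str] = (),
                  parents: Dict[str, Set[str]] = PARENTS) -> Set[str]:
    """Sources 1 and 2 directly, source 3 for each of them, and source 4
    only for the source-1/2 IDs explicitly flagged in `expand_descendants`."""
    base = set(close) | set(related)
    result = set(base)
    for cid in base:
        result |= ancestors(cid, parents)
    for cid in expand_descendants:
        if cid in base:
            result |= descendants(cid, parents)
    return result

if __name__ == "__main__":
    # Toy class whose close mapping is just CWE:476 (Null Pointer Dereference).
    print(sorted(broad_mapping(["CWE:476"])))  # ['CWE:476', 'CWE:703', 'CWE:754']
```

Note that a flagged ID outside sources 1 and 2 does not trigger descendant expansion, matching the wording of source 4.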

The correspondence between CWE IDs and CodeSonar warning classes is made explicit throughout the CodeSonar user interface.

CodeSonar: Searching by CWE ID

Searching for warnings containing one or more specific CWE IDs follows the same general procedures as searching by any other criteria.

Full-Text Search: Type the CWE ID(s) into the Simple Search field and click Search.

If you are searching for CWE ID xyz, you can use either "CWE:xyz" or "xyz" as a search string: the latter is quicker to type but will also match any warnings that contain xyz in other contexts, for example because they are issued on line xyz of some file.

Search Language: Construct a warning search language term using the categories field-name and the desired CWE ID(s). Enter the search term in the Simple Search field and click Search.

For example, to find warnings whose categories include CWE:476 (Null Pointer Dereference), use the search term:

    categories:"CWE:476"

Advanced Search: Enter the CWE ID(s) in the Categories field of the Advanced Search: Warnings tab and click Search.

CodeSonar: Locating CWE IDs for a Warning

The closely-corresponding CWE IDs for a CodeSonar warning class (if any) are shown in the Categories field for the class. This field can be viewed in the Warning Report, Analysis: Warnings, Warning Cluster, and Warning Search Results pages.

Warning Report: The Categories field is located at the top of the report.
Analysis: Warnings: Categories is one of the available warning table columns.
Warning Cluster: Categories is one of the available warning table columns.
Warning Search Results: Categories is one of the available warning table columns.

CodeSonar: Specifying Related CWE IDs for a Custom Warning Class

The CodeSonar extension capabilities allow users to define custom warning classes and set up triggers for new warnings. Corresponding CWE IDs can be specified as part of this process. Any specified CWE IDs will be associated with the appropriate warning reports and table entries in exactly the same way as the CWE IDs for built-in CodeSonar warnings, including the linking to the CWE website entries.

Using the Extension API: Use csonar_trigger_m() to trigger warnings and specify the associated CWE IDs.
Using the CodeSonar Plug-In API: Specify associated CWE IDs when you define new warning classes.

CWE/SANS Top 25 and CWE KEV Top 10

We provide additional functionality for specific focus on recent versions of the CWE/SANS Top 25 Most Dangerous Software Weaknesses list and the CWE Top 10 KEV Weaknesses list.

For each of these recent list versions we provide the following.

List Version                                             | Preset          | Management Report Template
-------------------------------------------------------- | --------------- | --------------------------------------
2024 CWE Top 25 Most Dangerous Software Weaknesses       | cwe2024         | CWE Top 25 2024 Report
2025 CWE Top 25 Most Dangerous Software Weaknesses       | cwe2025         | CWE Top 25 2025 Report
2024 CWE Top 10 KEV Weaknesses                           | cwe_kev10_2024  | CWE Top 10 KEV Weaknesses 2024 Report
2023 CWE Top 25 Most Dangerous Software Weaknesses       | cwe2023         | CWE Top 25 2023 Report
2022 CWE Top 25 Most Dangerous Software Weaknesses       | cwe2022         | CWE Top 25 2022 Report
2021 CWE Top 25 Most Dangerous Software Weaknesses       | cwe2021         | CWE Top 25 2021 Report
2020 CWE/SANS Top 25 Most Dangerous Software Weaknesses  | cwe2020         | CWE Top 25 2020 Report

To report problems with this documentation, please visit https://support.codesecure.com/.