how to fix null dereference in java fortify how to fix null dereference in java fortify

While there Fortify keeps track of the parts that came from the original input. What does this means in this context? : Fortify: The method processMessage() in VET360InboundProcessService.java can crash the program by dereferencing a null pointer on line 197. If the program is performing an atomic operation, it can leave the system in an inconsistent state. The programmer expects that when fgets() returns, buf will contain a null-terminated string of length 9 or less. If Fortify SCA can be put into a pipeline, it can also be hooked to fix issues automatically (although care must be taken to avoid situations like the Debian OpenSSL PRNG vulnerability, which was not a vulnerability until a security-focused static code analyzer suggested a fix that ended up being July 2019. pylint. In .NET, it is not uncommon for programmers to misunderstand Read() and related methods that are part of many System.IO classes. Most null pointer Closed. A method returning a List should per convention never return null but an empty List as default "empty" value. If an attacker provides an address that appears to be well-formed, but the address does not resolve to a hostname, then the call to gethostbyaddr() will return NULL. Pillar - a weakness that is the most abstract type of weakness and represents a theme for all class/base/variant weaknesses related to it. Chain - a Compound Element that is a sequence of two or more separate weaknesses that can be closely linked together within software. NULL pointer dereference issues can occur through a number of flaws, including race conditions, and simple programming omissions. More information is available Please select a different filter. Improper Check for Unusual or Exceptional Conditions, Error Conditions, Return Values, Status Codes, OWASP Top Ten 2004 Category A7 - Improper Error Handling, CERT C Secure Coding Standard (2008) Chapter 9 - Memory Management (MEM), The CERT Oracle Secure Coding Standard for Java (2011) Chapter 4 - Expressions (EXP), CERT C++ Secure Coding Section 08 - Memory Management (MEM), SFP Secondary Cluster: Unchecked Status Condition, CISQ Quality Measures (2016) - Reliability, SEI CERT Oracle Secure Coding Standard for Java - Guidelines 02. Cross-Session Contamination. For more information, please refer to our General Disclaimer. This website uses cookies to analyze our traffic and only share that information with our analytics partners. Is Java "pass-by-reference" or "pass-by-value"? and Gary McGraw. The unary prefix ! 2002-12-04. CODETOOLS-7900078 Fortify: Analize and fix "Redundant Null Check" issues. The modules cover the full breadth and depth of topics for PCI Section 6.5 compliance and the items that are important for secure software development. This listing shows possible areas for which the given weakness could appear. that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Browse other questions tagged java fortify or ask your own question. [A-Z a-z 0-9]*$")){ throw new IllegalArgumentException(); } message.setSubject(subject) This still gets flagged by Fortify. Not the answer you're looking for? Variant - a weakness language that is not susceptible to these issues. Requirements specification: The choice could be made to use a Use of the Common Weakness Enumeration (CWE) and the associated references from this website are subject to the Terms of Use. What fortify do not like is the fact that you initialize the variable with null first, without condition, and then change it. Addison Wesley. David LeBlanc. It is not uncommon for Java programmers to misunderstand read() and related methods that are part of many java.io classes. My code is GPL licensed, can I issue a license to have my code be distributed in a specific MIT licensed project? What is the difference between public, protected, package-private and private in Java? and Justin Schuh. Il suffit de nous contacter ! The following VB.NET code does not check to make sure that it has read 50 bytes from myfile.txt. Null-pointer exceptions usually occur when one or more of the programmer's assumptions is violated. These classes simply add the small amount of data to the return buffer, and set the return value to the number of bytes or characters read. Wij hebben geen controle over de inhoud van deze sites. These relationships are defined as ChildOf, ParentOf, MemberOf and give insight to similar items that may exist at higher and lower levels of abstraction. In this case, the caller abuses the callee API by making certain assumptions about its behavior (that the return value can be used for authentication purposes). rev2023.3.3.43278. PS: Yes, Fortify should know that these properties are secure. a property named cmd defined. Base - a weakness For example, if the program calls a function to drop privileges but does not check the return code to ensure that privileges were successfully dropped, then the program will continue to operate with the higher privileges. To subscribe to this RSS feed, copy and paste this URL into your RSS reader. ImmuniWeb. The The play-webgoat repository contains an example web app that uses the Play framework. In the following example, it is possible to request that memcpy move a much larger segment of memory than assumed: If returnChunkSize() happens to encounter an error it will return -1. environment so that cmd is not defined, the program throws a null When this happens, CWE refers to X as "primary" to Y, and Y is "resultant" from X. Java/JSP. operator is the null-forgiving, or null-suppression, operator. Is it suspicious or odd to stand by the gate of a GA airport watching the planes? corrected in a simple way. vegan) just to try it, does this inconvenience the caterers and staff? Or was it caused by a memory leak that has built up over time? how to fix null dereference in java fortify. I'm using "HP Fortify v3.50" on a java project and I find lots of false positive on "Null Dereference", because Fortify doesn't see the control against null is in another method. Convert byte[] to String (text data) The below example convert a string to a byte array or byte[] and vice versa. In order to avoid data races, correctly written programs must check the result of thread synchronization functions and appropriately handle all errors, either by attempting to recover from them or reporting them to higher levels. For example, there may be high likelihood that a weakness will be exploited to achieve a certain impact, but a low likelihood that it will be exploited to achieve a different impact. The program can dereference a null-pointer because it does not check the return value of a function that might return null. Web-application scanning, also known as dynamic analysis, is a type of test that runs while an application is in a development environment. Chain: Use of an unimplemented network socket operation pointing to an uninitialized handler function (, Chain: race condition might allow resource to be released before operating on it, leading to NULL dereference, Chain: some unprivileged ioctls do not verify that a structure has been initialized before invocation, leading to NULL dereference, Chain: IP and UDP layers each track the same value with different mechanisms that can get out of sync, possibly resulting in a NULL dereference, Chain: uninitialized function pointers can be dereferenced allowing code execution, Chain: improper initialization of memory can lead to NULL dereference, Chain: game server can access player data structures before initialization has happened leading to NULL dereference, Chain: The return value of a function returning a pointer is not checked for success (, Chain: a message having an unknown message type may cause a reference to uninitialized memory resulting in a null pointer dereference (, Chain: unchecked return value can lead to NULL dereference. Note that this code is also vulnerable to a buffer overflow . In the following code, the programmer assumes that the system always has CWE, CWSS, CWRAF, and the CWE logo are trademarks of The MITRE Corporation. CWE is sponsored by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and managed by the Homeland Security Systems Engineering and Development Institute (HSSEDI) which is operated by The MITRE Corporation (MITRE). sanity-checked previous to use, nearly all null-pointer dereferences ( A girl said this after she killed a demon and saved MC). It can be disabled with the -Wno-nonnull-compare option. The Null dereference error was on the line of code sortName = lastName; not the call of the setter : fortify do not want you to conditionnally change the value of a variable that was set to null without doing so in all the branches. The text was updated successfully, but these errors were encountered: cmheazel self-assigned this Jan 8, 2018 The best way to avoid memory leaks in C++ is to have as few new/delete calls at the program level as possible ideally NONE. A null-pointer dereference takes place when a pointer with a value of NULL is used as though it pointed to a valid memory area. The same occurs with the presence of every form in html/jsp (x)/asp (x) page, that are suspect of CSRF weakness. Note that this code is also vulnerable to a buffer overflow . is incorrect. Penticton Regional Hospital Diagnostic Imaging, If an attacker can create a smaller file, the program will recycle the remainder of the data from the previous user and treat it as though it belongs to the attacker. Revolution Radio With Scott Mckay, Amouranth Talks Masturbating & Her Sexual Past | OnlyFans Livestream, Washing my friend in the bathtub | lesbians kissing and boob rubbing, Girl sucks and fucks BBC Creampie ONLYFANS JEWLSMARCIANO. When designing a function, make sure you return a value or throw an exception in case of an error. . All rights reserved. How do I generate random integers within a specific range in Java? The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results. This MemberOf Relationships table shows additional CWE Categories and Views that reference this weakness as a member. It is impossible for the program to perform a graceful exit if required. Anyone have experience with this one? "Automated Source Code Reliability Measure (ASCRM)". John Aldridge Hillsborough Nc Obituary, How do I convert a String to an int in Java? I know we could change the code to remove it, but that would be changing the structure of our code because of a problem in the tool. Can archive.org's Wayback Machine ignore some query terms? For example, there may be high likelihood that a weakness will be exploited to achieve a certain impact, but a low likelihood that it will be exploited to achieve a different impact. matthew le nevez love child facebook; how to ignore a house on fire answer key twitter; who is depicted in this ninth century equestrian portrait instagram; wasilla accident report youtube; newark state of the city 2021 mail TRESPASSING! While there are no complete fixes aside from conscientious programming, the following steps will go a long way to ensure that NULL pointer dereferences do not occur. Note that this code is also vulnerable to a buffer overflow (CWE-119). The following code uses Java's SecureRandom class to generate a cryptographically strong pseudo-random number (DO THIS): public static int generateRandom (int maximumValue) { SecureRandom ranGen = new SecureRandom (); return ranGen.nextInt (maximumValue); } Edit on GitHub The platform is listed along with how frequently the given weakness appears for that instance. Take the following code: Integer num; num = new Integer(10); Cross-Client Data Access. Null-pointer errors are usually the result of one or more programmer assumptions being violated. Closed. The following function attempts to acquire a lock in order to perform operations on a shared resource. Java (Undetermined Prevalence) C# (Undetermined Prevalence) Common Consequences. "24 Deadly Sins of Software Security". and Gary McGraw. issues result in general software reliability problems, but if an What video game is Charlie playing in Poker Face S01E07? It works under 64-bit systems in Windows, Linux and macOS environments, and can analyze source code intended for 32-bit, 64-bit and embedded ARM platforms. How do I efficiently iterate over each entry in a Java Map? Just about every serious attack on a software system begins with the violation of a programmer's assumptions. Because memcpy() assumes that the value is unsigned, it will be interpreted as MAXINT-1 (CWE-195), and therefore will copy far more memory than is likely available to the destination buffer (CWE-787, CWE-788). Does ZnSO4 + H2 at high pressure reverses to Zn + H2SO4? Anything that requires dynamic memory should be buried inside an RAII object that releases the memory when it goes out of scope. Browse other questions tagged, Where developers & technologists share private knowledge with coworkers, Reach developers & technologists worldwide, The best way to fix this is not returning, @MarkRotteveel those are from different classes, is there a way to return an empty list that will not cause null dereference? null. Most errors and unusual events in Java result in an exception being thrown. Explanation Null-pointer errors are usually the result of one or more programmer assumptions being violated. If a law is new but its interpretation is vague, can the courts directly ask the drafters the intent and official interpretation of their law? <, [REF-961] Object Management Group (OMG). Fortify is complaining about a Null Dereference when I set a field to null: But that seems really silly. that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. CWE is a community-developed list of software and hardware weakness types. Null dereference is a common type of runtime failure in Java programs, and it is necessary to verify whether a dereference in the program is safe. Real ghetto African girls smoking with their pussies. An unexpected return value could place the system in a state that could lead to a crash or other unintended behaviors. But, when you try to declare a reference type, something different happens. cmd=cmd.trim(); Null-pointer dereference issues can occur through a number of flaws, Could someone advise here? We set fields to "null" in many places in our code and Fortify is good with that. How do I align things in the following tabular environment? Cross-Site Flashing. Compliance Failure. In both of these situations, fgets() signals that something unusual has happened by returning NULL, but in this code, the warning will not be noticed. Generally, null variables, references and collections are tricky to handle in Java code.They are not only hard to identify but also complex to deal with. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. PVS-Studio is a tool for detecting bugs and security weaknesses in the source code of programs, written in C, C++, C# and Java. The two main view structures are Slices (flat lists) and Graphs (containing relationships between entries). This Android application has registered to handle a URL when sent an intent: The application assumes the URL will always be included in the intent. Fix: Added if block around the close call at line 906 to keep this from being 3 FortifyJava 8 - Fortify : Null dereference for Java 8 Java 8 fortify Null Dereference null Common Weakness Enumeration. report. Team Collaboration and Endpoint Management. The stream and reader classes do not consider it to be unusual or exceptional if only a small amount of data becomes available. The choice could be made to use a language that is not susceptible to these issues. [1] Standards Mapping - Common Weakness Enumeration, [2] Standards Mapping - Common Weakness Enumeration Top 25 2019, [3] Standards Mapping - Common Weakness Enumeration Top 25 2020, [4] Standards Mapping - Common Weakness Enumeration Top 25 2021, [5] Standards Mapping - Common Weakness Enumeration Top 25 2022, [6] Standards Mapping - DISA Control Correlation Identifier Version 2, [7] Standards Mapping - General Data Protection Regulation (GDPR), [8] Standards Mapping - NIST Special Publication 800-53 Revision 4, [9] Standards Mapping - NIST Special Publication 800-53 Revision 5, [10] Standards Mapping - OWASP Top 10 2004, [11] Standards Mapping - OWASP Application Security Verification Standard 4.0, [12] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1, [13] Standards Mapping - Security Technical Implementation Guide Version 3.1, [14] Standards Mapping - Security Technical Implementation Guide Version 3.4, [15] Standards Mapping - Security Technical Implementation Guide Version 3.5, [16] Standards Mapping - Security Technical Implementation Guide Version 3.6, [17] Standards Mapping - Security Technical Implementation Guide Version 3.7, [18] Standards Mapping - Security Technical Implementation Guide Version 3.9, [19] Standards Mapping - Security Technical Implementation Guide Version 3.10, [20] Standards Mapping - Security Technical Implementation Guide Version 4.1, [21] Standards Mapping - Security Technical Implementation Guide Version 4.2, [22] Standards Mapping - Security Technical Implementation Guide Version 4.3, [23] Standards Mapping - Security Technical Implementation Guide Version 4.4, [24] Standards Mapping - Security Technical Implementation Guide Version 4.5, [25] Standards Mapping - Security Technical Implementation Guide Version 4.6, [26] Standards Mapping - Security Technical Implementation Guide Version 4.7, [27] Standards Mapping - Security Technical Implementation Guide Version 4.8, [28] Standards Mapping - Security Technical Implementation Guide Version 4.9, [29] Standards Mapping - Security Technical Implementation Guide Version 4.10, [30] Standards Mapping - Security Technical Implementation Guide Version 4.11, [31] Standards Mapping - Security Technical Implementation Guide Version 5.1, [32] Standards Mapping - Web Application Security Consortium 24 + 2, [33] Standards Mapping - Web Application Security Consortium Version 2.00, desc.controlflow.dotnet.missing_check_against_null, desc.controlflow.java.missing_check_against_null, (Generated from version 2022.4.0.0009 of the Fortify Secure Coding Rulepacks), Fortify Taxonomy: Software Security Errors. Returns the thread that currently owns the write lock, or null if not owned. String URL = intent.getStringExtra("URLToOpen"); race condition causes a table to be corrupted if a timer activates while it is being modified, leading to resultant NULL dereference; also involves locking. 2005-11-07. There is no guarantee that the amount of data returned is equal to the amount of data requested. The different Modes of Introduction provide information about how and when this weakness may be introduced. If I had to guess, the tool you're using is complaining about our use of Math.random() but we don't rely on it being cryptographically secure. The lack of a null terminator in buf can result in a buffer overflow in the subsequent call to strcpy(). For an attacker it provides an opportunity to stress the system in unexpected ways. Check the documentation for the Connection object of the type returned by the getConnection() factory method, and see if the methods rollback() and close() Null Dereference. Concatenating a string with null is safe. Connect and share knowledge within a single location that is structured and easy to search. Why are non-Western countries siding with China in the UN? Dynamic analysis is a great way to uncover error-handling flaws. pointer exception when it attempts to call the trim() method. Alle links, video's en afbeeldingen zijn afkomstig van derden. "Automated Source Code Reliability Measure (ASCRM)". This behavior makes it important for programmers to examine the return value from read() and other IO methods to ensure that they receive the amount of data they expect. The Likelihood provides information about how likely the specific consequence is expected to be seen relative to the other consequences in the list. Mature pregnant Mom ass fucked by horny Stepson, Perfect Pussy cant Stop Squirting all over herself, Shokugeki no Soma Todokoro Megumi Hard Sex, naughty teen in sexy lace lingerie dancing and seducing boy sucking him and riding him hard amateur, Slutty wife Jayla de Angelis gets assfucked by the hung doctor in POV. When to use LinkedList over ArrayList in Java? Network monitor allows remote attackers to cause a denial of service (crash) or execute arbitrary code via malformed packets that cause a NULL pointer dereference. one or more programmer assumptions being violated. (Generated from version 2022.1.0.0007 of the Fortify Secure Coding Rulepacks) We recreated the patterns in a small tool and then performed comparative analysis. environment, ensure that proper locking APIs are used to lock before the A check-after-dereference error occurs when a program dereferences a pointer that can be, [1] Standards Mapping - Common Weakness Enumeration, [2] Standards Mapping - Common Weakness Enumeration Top 25 2019, [3] Standards Mapping - Common Weakness Enumeration Top 25 2020, [4] Standards Mapping - Common Weakness Enumeration Top 25 2021, [5] Standards Mapping - Common Weakness Enumeration Top 25 2022, [6] Standards Mapping - DISA Control Correlation Identifier Version 2, [7] Standards Mapping - General Data Protection Regulation (GDPR), [8] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012, [9] Standards Mapping - NIST Special Publication 800-53 Revision 4, [10] Standards Mapping - NIST Special Publication 800-53 Revision 5, [11] Standards Mapping - OWASP Top 10 2004, [12] Standards Mapping - OWASP Application Security Verification Standard 4.0, [13] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1, [14] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0, [15] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1, [16] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2, [17] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1, [18] Standards Mapping - Payment Card Industry Software Security Framework 1.0, [19] Standards Mapping - Payment Card Industry Software Security Framework 1.1, [20] Standards Mapping - Security Technical Implementation Guide Version 3.1, [21] Standards Mapping - Security Technical Implementation Guide Version 3.4, [22] Standards Mapping - Security Technical Implementation Guide Version 3.5, [23] Standards Mapping - Security Technical Implementation Guide Version 3.6, [24] Standards Mapping - Security Technical Implementation Guide Version 3.7, [25] Standards Mapping - Security Technical Implementation Guide Version 3.9, [26] Standards Mapping - Security Technical Implementation Guide Version 3.10, [27] Standards Mapping - Security Technical Implementation Guide Version 4.1, [28] Standards Mapping - Security Technical Implementation Guide Version 4.2, [29] Standards Mapping - Security Technical Implementation Guide Version 4.3, [30] Standards Mapping - Security Technical Implementation Guide Version 4.4, [31] Standards Mapping - Security Technical Implementation Guide Version 4.5, [32] Standards Mapping - Security Technical Implementation Guide Version 4.6, [33] Standards Mapping - Security Technical Implementation Guide Version 4.7, [34] Standards Mapping - Security Technical Implementation Guide Version 4.8, [35] Standards Mapping - Security Technical Implementation Guide Version 4.9, [36] Standards Mapping - Security Technical Implementation Guide Version 4.10, [37] Standards Mapping - Security Technical Implementation Guide Version 4.11, [38] Standards Mapping - Security Technical Implementation Guide Version 5.1, [39] Standards Mapping - Web Application Security Consortium 24 + 2, [40] Standards Mapping - Web Application Security Consortium Version 2.00. Furthermore, if the end of the file is reached before any characters are read, fgets() returns without writing anything to buf. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners. Expressions (EXP), SEI CERT C Coding Standard - Guidelines 12. I think I know why I'm getting it , just wanted to know what would be the best way to fix the issue. Making statements based on opinion; back them up with references or personal experience. The Scope identifies the application security area that is violated, while the Impact describes the negative technical impact that arises if an adversary succeeds in exploiting this weakness. Staging Ground Beta 1 Recap, and Reviewers needed for Beta 2. Closed; is cloned by. Asking for help, clarification, or responding to other answers. Why are trials on "Law & Order" in the New York Supreme Court? High severity (3.7) NULL Pointer Dereference in java-1.8.-openjdk-accessibility | CVE-2019-2962 McGraw-Hill. The program can potentially dereference a null-pointer, thereby causing a segmentation fault. An awesome tip to avoid NPE is to return empty When it comes to these specific properties, you're safe. steps will go a long way to ensure that null-pointer dereferences do not 2006. What is a NullPointerException, and how do I fix it? Fix : Analysis found that this is a false positive result; no code changes are required. If you preorder a special airline meal (e.g. Copyright 20062023, The MITRE Corporation. The annotations will help SCA to reduce false negative or false positive security issues thus increasing the accuracy of the report. The nature of simulating nature: A Q&A with IBM Quantum researcher Dr. Jamie We've added a "Necessary cookies only" option to the cookie consent popup. When an object has been found, the requested method is called ( toString in this case). Most appsec missions are graded on fixing app vulns, not finding them. This also passes Fortify's scan: Thanks for contributing an answer to Stack Overflow! Example . PS: Yes, Fortify should know that these properties are secure. Palash Sachan 8-Feb-17 13:41pm. Class level weaknesses typically describe issues in terms of 1 or 2 of the following dimensions: behavior, property, and resource. For Benchmark, we've seen it report it both ways. Bny Mellon Layoffs 2021, This example takes an IP address from a user, verifies that it is well formed and then looks up the hostname and copies it into a buffer. The different Modes of Introduction provide information about how and when this weakness may be introduced. NIST. citrus county livestock regulations; how many points did klay thompson score last night. System.clearProperty ("os.name"); . I got Fortify findings back and I'm getting a null dereference. Find centralized, trusted content and collaborate around the technologies you use most. rev2023.3.3.43278. Follows a very simple code sample that should reproduce the issue: public override bool Equals (object obj) { var typedObj = obj as SomeCustomClass; if (typedObj == null) return false; return this.Name == typedObj.Name; } In this simple excerpt Fortify complains that "typedObj" can be null in the return statement. This example takes an IP address from a user, verifies that it is well formed and then looks up the hostname and copies it into a buffer. Two common programmer assumptions are "this function call can never fail" and "it doesn't matter if this function call fails". The Optional class contains methods that can be used to make programs shorter and more intuitive [].. For Benchmark, we've seen it report it both ways. [REF-6] Katrina Tsipenyuk, Brian Chess attacker can intentionally trigger a null pointer dereference, the We nemen geen verantwoordelijkheid voor de inhoud van een website waarnaar we linken, gebruik je eigen goeddunken tijdens het surfen op de links. Page 183. For example, if a program fails to call chdir() after calling chroot(), it violates the contract that specifies how to change the active root directory in a secure fashion. The following code shows a system property that is set to null and later dereferenced by a programmer who mistakenly assumes it will always be defined. 2005-11-07. This way you initialize sortName only once, and explicitely show that a null value is the right one in some cases, and not that you forgot some cases, leading to a var staying null while it is unexpected. Null pointers null dereference null dereference best practices Using Nullable type parameters Memory leak Unmanaged memory leaks. Expressions (EXP), https://samate.nist.gov/SSATTM_Content/papers/Seven%20Pernicious%20Kingdoms%20-%20Taxonomy%20of%20Sw%20Security%20Errors%20-%20Tsipenyuk%20-%20Chess%20-%20McGraw.pdf, https://www.microsoftpressstore.com/store/writing-secure-code-9780735617223, Cybersecurity and Infrastructure Security Agency, Homeland Security Systems Engineering and Development Institute, Detect and handle standard library errors, The CERT Oracle Secure Coding Standard for Java (2011), Provided Demonstrative Example and suggested CERT reference, updated Common_Consequences, Relationships, Other_Notes, Taxonomy_Mappings, updated Background_Details, Demonstrative_Examples, Description, Observed_Examples, Other_Notes, Potential_Mitigations, updated Common_Consequences, Demonstrative_Examples, References, updated Demonstrative_Examples, Potential_Mitigations, References, updated Demonstrative_Examples, References, updated Common_Consequences, Demonstrative_Examples, Relationships, Taxonomy_Mappings, updated Common_Consequences, References, Relationships, updated Demonstrative_Examples, Potential_Mitigations, updated Demonstrative_Examples, Relationships, Taxonomy_Mappings, updated Applicable_Platforms, References, Relationships, Taxonomy_Mappings, updated References, Relationships, Taxonomy_Mappings, updated Demonstrative_Examples, Observed_Examples, Relationships, Weakness_Ordinalities.