Reino: Errors

Os erros e o processamento de erros representam uma classe de API. Erros relacionados com o processamento de erros são tão comuns que merecem um domínio próprio. Assim como no “abuso de API”, há duas formas de introduzir uma vulnerabilidade de segurança relacionada com erros. A primeira, e mais comum, é processar os erros indevidamente (ou não os processar). A segunda é produzir erros que revelem muitas informações (a possíveis invasores) ou que sejam difíceis de processar.

12 itens encontrados
Vulnerabilidades
Abstract
Ignorar uma condição pode fazer com que o programa ignore estados inesperados e erros.
Explanation
Quase todos os ataques sérios em um sistema de software começam com a violação das premissas de um programador. Depois do ataque, essas premissas parecem frágeis e infundadas, mas, antes dele, muitos programadores as defenderiam com grande veemência.

Duas premissas duvidosas que são fáceis de detectar no código são "esta chamada de método jamais falha" e "não fará diferença se esta chamada falhar". Quando um programador ignora uma condição, ele declara implicitamente que está trabalhando sob uma dessas premissas.

Exemplo 1: O seguinte trecho de código ignora uma condição de erro que pode acontecer durante uma transação CICS.


...
EXEC CICS
INGNORE CONDITION ERROR
END-EXEC.
...


Se uma transação em algum momento falhasse com essa condição de erro, o programa continuaria a ser executado como se nada de anormal tivesse ocorrido. O programa não registra nenhuma evidência que indique a situação especial, possivelmente frustrando qualquer tentativa posterior de explicar o comportamento do programa.
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 391
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001312, CCI-001314, CCI-003272
[3] Standards Mapping - FIPS200 AU
[4] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[5] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-11 Error Handling (P2)
[6] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-11 Error Handling
[7] Standards Mapping - OWASP Top 10 2004 A7 Improper Error Handling
[8] Standards Mapping - OWASP Top 10 2007 A6 Information Leakage and Improper Error Handling
[9] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.7
[10] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.2, Requirement 6.5.6
[11] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.5
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.5
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.5
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.5
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.5
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[17] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.6 - Sensitive Data Retention
[18] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.6 - Sensitive Data Retention, Control Objective B.3.2 - Terminal Software Attack Mitigation
[19] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.6 - Sensitive Data Retention, Control Objective B.3.2 - Terminal Software Attack Mitigation
[20] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3120 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3120 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3120 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3120 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3120 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3120 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3120 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
desc.semantic.cobol.poor_condition_handling_ignored_condition
Abstract
Ignorar uma exceção pode fazer com que o programa ignore estados e condições inesperadas.
Explanation
Praticamente todo ataque sério a um sistema de software começa com a violação das suposições de um programador. Após o ataque, as suposições do programador parecem frágeis e mal fundamentadas, mas antes de um ataque, muitos programadores defenderiam suas suposições bem depois do intervalo para o almoço.

Duas suposições duvidosas que são fáceis de detectar no código são: "esta chamada de método nunca pode falhar" e "não importa se esta chamada falhar". Quando um programador ignora uma exceção, ele declara implicitamente que está operando com uma dessas suposições.

Exemplo 1: O trecho de código a seguir ignora uma exceção raramente lançada de doExchange().


try {
doExchange();
}
catch (RareException e) {
// this can never happen
}


Se um RareException fosse lançado, o programa continuaria sendo executado como se nada incomum tivesse ocorrido. O programa não registra nenhuma evidência indicando a situação especial, potencialmente frustrando qualquer tentativa posterior de explicar o comportamento do programa.
References
[1] ERR00-J. Do not suppress or ignore checked exceptions CERT
[2] Standards Mapping - Common Weakness Enumeration CWE ID 1069
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001312, CCI-001314, CCI-003272
[4] Standards Mapping - FIPS200 AU
[5] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-11 Error Handling (P2)
[7] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-11 Error Handling
[8] Standards Mapping - OWASP Top 10 2004 A7 Improper Error Handling
[9] Standards Mapping - OWASP Top 10 2007 A6 Information Leakage and Improper Error Handling
[10] Standards Mapping - OWASP Application Security Verification Standard 4.0 7.4.1 Error Handling (L1 L2 L3)
[11] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.7
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.2, Requirement 6.5.6
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.5
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.5
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.5
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.5
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.5
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[19] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.6 - Sensitive Data Retention
[20] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.6 - Sensitive Data Retention, Control Objective B.3.2 - Terminal Software Attack Mitigation
[21] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.6 - Sensitive Data Retention, Control Objective B.3.2 - Terminal Software Attack Mitigation
[22] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3120 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3120 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3120 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3120 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3120 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3120 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3120 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
desc.structural.apex.poor_error_handling_empty_catch_block
Abstract
Ignorar uma exceção pode fazer com que o programa negligencie estados e condições inesperados.
Explanation
Quase todos os ataques sérios em um sistema de software começam com a violação das premissas de um programador. Depois do ataque, essas premissas parecem frágeis e infundadas, mas, antes dele, muitos programadores as defenderiam com grande veemência.

Duas premissas duvidosas que são fáceis de detectar no código são "esta chamada de método jamais falha" e "não fará diferença se esta chamada falhar". Quando os programadores ignoram exceções, eles afirmam implicitamente estarem operando de acordo com uma dessas suposições.

Exemplo 1: O seguinte trecho de código ignora uma exceção raramente lançada de DoExchange().


try {
DoExchange();
}
catch (RareException e) {
// this can never happen
}


Se uma RareException tivesse que ser lançada alguma vez, o programa continuaria a ser executado como se nada incomum tivesse ocorrido. O programa não registra nenhuma evidência que indique a situação especial, possivelmente frustrando qualquer tentativa posterior de explicar o comportamento do programa.
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 1069
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001312, CCI-001314, CCI-003272
[3] Standards Mapping - FIPS200 AU
[4] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[5] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-11 Error Handling (P2)
[6] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-11 Error Handling
[7] Standards Mapping - OWASP Top 10 2004 A7 Improper Error Handling
[8] Standards Mapping - OWASP Top 10 2007 A6 Information Leakage and Improper Error Handling
[9] Standards Mapping - OWASP Application Security Verification Standard 4.0 7.4.1 Error Handling (L1 L2 L3)
[10] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.7
[11] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.2, Requirement 6.5.6
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.5
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.5
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.5
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.5
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.5
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[18] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.6 - Sensitive Data Retention
[19] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.6 - Sensitive Data Retention, Control Objective B.3.2 - Terminal Software Attack Mitigation
[20] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.6 - Sensitive Data Retention, Control Objective B.3.2 - Terminal Software Attack Mitigation
[21] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3120 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3120 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3120 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3120 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3120 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3120 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3120 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
desc.structural.dotnet.poor_error_handling_empty_catch_block
Abstract
Ignorar uma exceção pode fazer com que o programa negligencie estados e condições inesperados.
Explanation
Quase todos os ataques sérios em um sistema de software começam com a violação das premissas de um programador. Depois do ataque, essas premissas parecem frágeis e infundadas, mas, antes dele, muitos programadores as defenderiam com grande veemência.

Duas premissas duvidosas que são fáceis de detectar no código são "esta chamada de método jamais falha" e "não fará diferença se esta chamada falhar". Quando um programador ignora uma exceção, ele afirma implicitamente estar operando de acordo com uma dessas suposições.

Exemplo 1: O seguinte trecho de código ignora uma exceção raramente lançada de doExchange().


try {
doExchange();
}
catch (RareException e) {
// this can never happen
}


Se uma RareException tivesse que ser lançada alguma vez, o programa continuaria a ser executado como se nada incomum tivesse ocorrido. O programa não registra nenhuma evidência que indique a situação especial, possivelmente frustrando qualquer tentativa posterior de explicar o comportamento do programa.
References
[1] ERR00-J. Do not suppress or ignore checked exceptions CERT
[2] Standards Mapping - Common Weakness Enumeration CWE ID 1069
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001312, CCI-001314, CCI-003272
[4] Standards Mapping - FIPS200 AU
[5] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-11 Error Handling (P2)
[7] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-11 Error Handling
[8] Standards Mapping - OWASP Top 10 2004 A7 Improper Error Handling
[9] Standards Mapping - OWASP Top 10 2007 A6 Information Leakage and Improper Error Handling
[10] Standards Mapping - OWASP Application Security Verification Standard 4.0 7.4.1 Error Handling (L1 L2 L3)
[11] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.7
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.2, Requirement 6.5.6
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.5
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.5
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.5
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.5
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.5
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[19] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.6 - Sensitive Data Retention
[20] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.6 - Sensitive Data Retention, Control Objective B.3.2 - Terminal Software Attack Mitigation
[21] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.6 - Sensitive Data Retention, Control Objective B.3.2 - Terminal Software Attack Mitigation
[22] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3120 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3120 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3120 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3120 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3120 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3120 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3120 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
desc.structural.java.poor_error_handling_empty_catch_block
Abstract
Ignorar uma exceção pode fazer com que o programa negligencie estados e condições inesperados.
Explanation
Quase todos os ataques sérios em um sistema de software começam com a violação das premissas de um programador. Depois do ataque, essas premissas parecem frágeis e infundadas, mas, antes dele, muitos programadores as defenderiam com grande veemência.

Duas premissas duvidosas que são fáceis de detectar no código são "esta chamada de método jamais falha" e "não fará diferença se esta chamada falhar". Quando um programador ignora uma exceção, ele afirma implicitamente estar operando de acordo com uma dessas suposições.

Exemplo 1: O seguinte trecho de código ignora uma exceção raramente lançada de doExchange().


try {
doExchange();
}
catch (exception $e) {
// this can never happen
}


Se uma RareException tivesse que ser lançada alguma vez, o programa continuaria a ser executado como se nada incomum tivesse ocorrido. O programa não registra nenhuma evidência que indique a situação especial, possivelmente frustrando qualquer tentativa posterior de explicar o comportamento do programa.
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 1069
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001312, CCI-001314, CCI-003272
[3] Standards Mapping - FIPS200 AU
[4] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[5] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-11 Error Handling (P2)
[6] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-11 Error Handling
[7] Standards Mapping - OWASP Top 10 2004 A7 Improper Error Handling
[8] Standards Mapping - OWASP Top 10 2007 A6 Information Leakage and Improper Error Handling
[9] Standards Mapping - OWASP Application Security Verification Standard 4.0 7.4.1 Error Handling (L1 L2 L3)
[10] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.7
[11] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.2, Requirement 6.5.6
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.5
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.5
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.5
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.5
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.5
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[18] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.6 - Sensitive Data Retention
[19] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.6 - Sensitive Data Retention, Control Objective B.3.2 - Terminal Software Attack Mitigation
[20] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.6 - Sensitive Data Retention, Control Objective B.3.2 - Terminal Software Attack Mitigation
[21] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3120 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3120 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3120 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3120 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3120 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3120 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3120 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
desc.structural.php.poor_error_handling_empty_catch_block
Abstract
Ignorar uma exceção pode fazer com que o programa negligencie estados e condições inesperados.
Explanation
Quase todos os ataques sérios em um sistema de software começam com a violação das premissas de um programador. Depois do ataque, essas premissas parecem frágeis e infundadas, mas, antes dele, muitos programadores as defenderiam com grande veemência.

Duas premissas duvidosas que são fáceis de detectar no código são "esta chamada de método jamais falha" e "não fará diferença se esta chamada falhar". Quando um programador ignora uma exceção, ele afirma implicitamente estar operando de acordo com uma dessas suposições.

Exemplo 1: O seguinte trecho de código ignora uma exceção raramente lançada de open().


try:
f = open('myfile.txt')
s = f.readline()
i = int(s.strip())
except:
# This will never happen
pass


Se uma RareException tivesse que ser lançada alguma vez, o programa continuaria a ser executado como se nada incomum tivesse ocorrido. O programa não registra nenhuma evidência que indique a situação especial, possivelmente frustrando qualquer tentativa posterior de explicar o comportamento do programa.
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 1069
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001312, CCI-001314, CCI-003272
[3] Standards Mapping - FIPS200 AU
[4] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[5] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-11 Error Handling (P2)
[6] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-11 Error Handling
[7] Standards Mapping - OWASP Top 10 2004 A7 Improper Error Handling
[8] Standards Mapping - OWASP Top 10 2007 A6 Information Leakage and Improper Error Handling
[9] Standards Mapping - OWASP Application Security Verification Standard 4.0 7.4.1 Error Handling (L1 L2 L3)
[10] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.7
[11] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.2, Requirement 6.5.6
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.5
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.5
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.5
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.5
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.5
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[18] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.6 - Sensitive Data Retention
[19] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.6 - Sensitive Data Retention, Control Objective B.3.2 - Terminal Software Attack Mitigation
[20] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.6 - Sensitive Data Retention, Control Objective B.3.2 - Terminal Software Attack Mitigation
[21] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3120 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3120 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3120 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3120 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3120 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3120 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3120 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
desc.structural.python.poor_error_handling_empty_catch_block
Abstract
Ignorar uma exceção pode fazer com que o programa negligencie estados e condições inesperados.
Explanation
Quase todos os ataques sérios em um sistema de software começam com a violação das premissas de um programador. Depois do ataque, essas premissas parecem frágeis e infundadas, mas, antes dele, muitos programadores as defenderiam com grande veemência.

Dois pressupostos duvidosos fáceis de detectar no código são "esta chamada de função nunca pode falhar" e "não importa se esta chamada falhar". Quando um programador ignora uma exceção, ele afirma implicitamente estar operando de acordo com uma dessas suposições.

Exemplo 1: Este código ignora várias exceções que podem ser lançadas durante a execução da instrução de inserção.


PROCEDURE do_it_all
IS
BEGIN
BEGIN
INSERT INTO table1 VALUES(...);
COMMIT;
EXCEPTION
WHEN OTHERS THEN NULL;
END;
END do_it_all;


Uma exceção pode ser acionada porque a tabela não existe, um valor necessário não foi fornecido, ou por algum outro motivo. Se houver uma falha, não há nenhuma maneira de dizer, uma vez que o procedimento não a relatará ou registrará que tipo de falha ocorreu.
References
[1] Steven Feuerstein Oracle PL/SQL Best Practices O'Reilly
[2] Standards Mapping - Common Weakness Enumeration CWE ID 1069
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001312, CCI-001314, CCI-003272
[4] Standards Mapping - FIPS200 AU
[5] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-11 Error Handling (P2)
[7] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-11 Error Handling
[8] Standards Mapping - OWASP Top 10 2004 A7 Improper Error Handling
[9] Standards Mapping - OWASP Top 10 2007 A6 Information Leakage and Improper Error Handling
[10] Standards Mapping - OWASP Application Security Verification Standard 4.0 7.4.1 Error Handling (L1 L2 L3), 7.4.3 Error Handling (L2 L3)
[11] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.7
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.2, Requirement 6.5.6
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.5
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.5
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.5
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.5
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.5
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[19] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.6 - Sensitive Data Retention
[20] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.6 - Sensitive Data Retention, Control Objective B.3.2 - Terminal Software Attack Mitigation
[21] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.6 - Sensitive Data Retention, Control Objective B.3.2 - Terminal Software Attack Mitigation
[22] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3120 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3120 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3120 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3120 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3120 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3120 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3120 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
desc.structural.sql.poor_error_handling_empty_default_exception_handler
Abstract
O bloco "catch" lida com uma ampla faixa de exceções, aprisionando potencialmente diferentes questões ou problemas que não devem ser tratados a essa altura no programa.
Explanation
Vários blocos "catch" podem se tornar repetitivos, mas a "condensação" desses blocos por meio da captura de uma classe de alto nível, como Exception, pode obscurecer exceções que merecem tratamento especial ou que não devem ser detectadas a essa altura no programa. A captura uma exceção excessivamente ampla destrói em essência a finalidade de exceções .NET com tipo definido, podendo tornar-se um procedimento particularmente perigoso se o programa crescer e começar a lançar novos tipos de exceções. Os novos tipos de exceção não receberão nenhuma atenção.

Exemplo: O seguinte trecho de código lida com três tipos de exceções de modo idêntico.


try {
DoExchange();
}
catch (IOException e) {
logger.Error("DoExchange failed", e);
}
catch (FormatException e) {
logger.Error("DoExchange failed", e);
}
catch (TimeoutException e) {
logger.Error("DoExchange failed", e);
}


À primeira vista, pode parecer preferível lidar com essas exceções em um único bloco "catch", da seguinte maneira:


try {
DoExchange();
}
catch (Exception e) {
logger.Error("DoExchange failed", e);
}


No entanto, se DoExchange() for modificado de forma a lançar um novo tipo de exceção que deve ser tratado de maneira diferente, o bloco "catch" amplo impedirá que o compilador aponte a situação. Além disso, o novo bloco "catch" também passará a lidar com exceções dos tipos ApplicationException e NullReferenceException, o que não é a intenção do programador.
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 396
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001312, CCI-001314, CCI-003272
[3] Standards Mapping - FIPS200 AU
[4] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-11 Error Handling (P2)
[5] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-11 Error Handling
[6] Standards Mapping - OWASP Top 10 2004 A7 Improper Error Handling
[7] Standards Mapping - OWASP Top 10 2007 A6 Information Leakage and Improper Error Handling
[8] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.7
[9] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.2, Requirement 6.5.6
[10] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.5
[11] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.5
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.5
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.5
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.5
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[16] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.6 - Sensitive Data Retention
[17] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.6 - Sensitive Data Retention
[18] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.6 - Sensitive Data Retention
[19] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3120 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3120 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3120 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3120 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3120 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3120 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3120 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
desc.structural.dotnet.poor_error_handling_overly_broad_catch_block
Abstract
O bloco "catch" lida com uma ampla faixa de exceções, aprisionando potencialmente diferentes questões ou problemas que não devem ser tratados a essa altura no programa.
Explanation
Vários blocos "catch" podem se tornar repetitivos, mas a "condensação" desses blocos por meio da captura de uma classe de alto nível, como Exception, pode obscurecer exceções que merecem tratamento especial ou que não devem ser detectadas a essa altura no programa. A captura uma exceção excessivamente ampla destrói em essência a finalidade de exceções de Java com tipo definido, podendo tornar-se um procedimento particularmente perigoso se o programa crescer e começar a lançar novos tipos de exceções. Os novos tipos de exceção não receberão nenhuma atenção.

Exemplo: O seguinte trecho de código lida com três tipos de exceções de modo idêntico.


try {
doExchange();
}
catch (IOException e) {
logger.error("doExchange failed", e);
}
catch (InvocationTargetException e) {
logger.error("doExchange failed", e);
}
catch (SQLException e) {
logger.error("doExchange failed", e);
}


À primeira vista, pode parecer preferível lidar com essas exceções em um único bloco "catch", da seguinte maneira:


try {
doExchange();
}
catch (Exception e) {
logger.error("doExchange failed", e);
}


No entanto, se doExchange() for modificado de forma a lançar um novo tipo de exceção que deve ser tratado de maneira diferente, o bloco "catch" amplo impedirá que o compilador aponte a situação. Além disso, o novo bloco "catch" também passará a lidar com exceções derivadas de RuntimeException, como ClassCastException e NullPointerException, o que não é a intenção do programador.
References
[1] ERR07-J. Do not throw RuntimeException, Exception, or Throwable CERT
[2] Standards Mapping - Common Weakness Enumeration CWE ID 396
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001312, CCI-001314, CCI-003272
[4] Standards Mapping - FIPS200 AU
[5] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-11 Error Handling (P2)
[6] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-11 Error Handling
[7] Standards Mapping - OWASP Top 10 2004 A7 Improper Error Handling
[8] Standards Mapping - OWASP Top 10 2007 A6 Information Leakage and Improper Error Handling
[9] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.7
[10] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.2, Requirement 6.5.6
[11] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.5
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.5
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.5
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.5
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.5
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[17] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.6 - Sensitive Data Retention
[18] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.6 - Sensitive Data Retention
[19] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.6 - Sensitive Data Retention
[20] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3120 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3120 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3120 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3120 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3120 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3120 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3120 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
desc.structural.java.poor_error_handling_overly_broad_catch
Abstract
O método lança uma exceção genérica, dificultando ainda mais o trabalho de tratamento de erros e recuperação por parte dos chamadores.
Explanation
Declarar um método para lançar Exception ou Throwable dificulta o trabalho de tratamento de erros e recuperação por parte dos chamadores. O mecanismo de exceção do Java está configurado para facilitar a tarefa dos chamadores de antecipar o que pode dar errado e escrever um código para lidar com cada circunstância excepcional específica. Declarar que um método lança uma forma genérica de exceção derrota esse sistema.

Exemplo: O método a seguir lança três tipos de exceções.


public void doExchange()
throws IOException, InvocationTargetException,
SQLException {
...
}



Embora possa parecer mais apropriado escrever


public void doExchange()
throws Exception {
...
}


isso dificulta a capacidade do chamador de compreender e lidar com as exceções que possam ocorrer. Além disso, se uma revisão posterior de doExchange() introduz um novo tipo de exceção que deve ser tratado de forma diferente do que exceções anteriores, não haverá nenhuma maneira simples de fazer cumprir essa exigência.
References
[1] ERR07-J. Do not throw RuntimeException, Exception, or Throwable CERT
[2] Standards Mapping - Common Weakness Enumeration CWE ID 397
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001312, CCI-001314, CCI-003272
[4] Standards Mapping - FIPS200 AU
[5] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-11 Error Handling (P2)
[6] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-11 Error Handling
[7] Standards Mapping - OWASP Top 10 2004 A7 Improper Error Handling
[8] Standards Mapping - OWASP Top 10 2007 A6 Information Leakage and Improper Error Handling
[9] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.7
[10] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.2, Requirement 6.5.6
[11] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.5
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.5
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.5
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.5
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.5
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[17] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.6 - Sensitive Data Retention
[18] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.6 - Sensitive Data Retention
[19] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.6 - Sensitive Data Retention
[20] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3120 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3120 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3120 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3120 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3120 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3120 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3120 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
desc.structural.java.poor_error_handling_overly_broad_throws
Abstract
Em geral, capturar NullPointerException é uma prática imprópria.
Explanation
Em geral, os programadores capturam NullPointerException em três circunstâncias:

1. O programa contém um cancelamento de referência a ponteiro nulo. Capturar a exceção resultante foi mais fácil do que corrigir o problema subjacente.

2. O programa lança explicitamente uma NullPointerException para sinalizar uma condição de erro.

3. O código faz parte de um conjunto de teste que fornece entradas inesperadas para as classes sob teste.

Dessas três circunstâncias, somente a última é aceitável.

Exemplo: O seguinte código captura uma NullPointerException por engano.


try {
mysteryMethod();
}
catch (NullPointerException npe) {
}
References
[1] ERR08-J. Do not catch NullPointerException or any of its ancestors CERT
[2] Standards Mapping - Common Weakness Enumeration CWE ID 395
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001312, CCI-001314, CCI-003272
[4] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[5] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-11 Error Handling (P2)
[6] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-11 Error Handling
[7] Standards Mapping - OWASP Top 10 2004 A7 Improper Error Handling
[8] Standards Mapping - OWASP Top 10 2007 A6 Information Leakage and Improper Error Handling
[9] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.7
[10] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.2, Requirement 6.5.6
[11] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.5
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.5
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.5
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.5
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.5
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[17] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.6 - Sensitive Data Retention
[18] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.6 - Sensitive Data Retention
[19] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.6 - Sensitive Data Retention
[20] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3120 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3120 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3120 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3120 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3120 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3120 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3120 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
desc.structural.java.poor_error_handling_program_catches_nullpointerexception
Abstract
Em geral, capturar NullReferenceException é uma prática imprópria.
Explanation
Em geral, os programadores capturam NullReferenceException em três circunstâncias:

1. O programa contém um cancelamento de referência a ponteiro nulo. Capturar a exceção resultante foi mais fácil do que corrigir o problema subjacente.

2. O programa lança explicitamente uma NullReferenceException para sinalizar uma condição de erro.

3. O código faz parte de um conjunto de teste que fornece entradas inesperadas para as classes sob teste.

Dessas três circunstâncias, somente a última é aceitável.

Exemplo: O seguinte código captura uma NullReferenceException por engano.

try {
MysteryMethod();
}
catch (NullReferenceException npe) {
}
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 395
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001312, CCI-001314, CCI-003272
[3] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[4] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-11 Error Handling (P2)
[5] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-11 Error Handling
[6] Standards Mapping - OWASP Top 10 2004 A7 Improper Error Handling
[7] Standards Mapping - OWASP Top 10 2007 A6 Information Leakage and Improper Error Handling
[8] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.7
[9] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.2, Requirement 6.5.6
[10] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.5
[11] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.5
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.5
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.5
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.5
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[16] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.6 - Sensitive Data Retention
[17] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.6 - Sensitive Data Retention
[18] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.6 - Sensitive Data Retention
[19] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3120 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3120 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3120 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3120 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3120 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3120 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3120 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
desc.structural.dotnet.poor_error_handling_program_catches_nullreferenceexception