{"@ID": "482", "@Name": "Comparing instead of Assigning", "@Abstraction": "Variant", "@Structure": "Simple", "@Status": "Draft", "Description": "The code uses an operator for comparison when the intention was to perform an assignment.", "Extended_Description": "In many languages, the compare statement is very close in appearance to the assignment statement; they are often confused.", "Related_Weaknesses": {"Related_Weakness": {"@Nature": "ChildOf", "@CWE_ID": "480", "@View_ID": "1000", "@Ordinal": "Primary"}}, "Weakness_Ordinalities": {"Weakness_Ordinality": {"Ordinality": "Primary"}}, "Applicable_Platforms": {"Language": [{"@Name": "C", "@Prevalence": "Undetermined"}, {"@Name": "C++", "@Prevalence": "Undetermined"}]}, "Modes_Of_Introduction": {"Introduction": {"Phase": "Implementation", "Note": "This bug primarily originates from a typo."}}, "Likelihood_Of_Exploit": "Low", "Common_Consequences": {"Consequence": {"Scope": ["Availability", "Integrity"], "Impact": "Unexpected State", "Note": "The assignment will not take place, which should cause obvious program execution problems."}}, "Detection_Methods": {"Detection_Method": [{"@Detection_Method_ID": "DM-14", "Method": "Automated Static Analysis", "Description": "Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect \"sources\" (origins of input) with \"sinks\" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)", "Effectiveness": "High"}, {"@Detection_Method_ID": "DM-16", "Method": "Automated Static Analysis - Source Code", "Description": "An Integrated Development Environment (IDE) or linter can report or highlight this weaknesses."}]}, "Potential_Mitigations": {"Mitigation": {"Phase": "Testing", "Description": "Many IDEs and static analysis products will detect this problem."}}, "Demonstrative_Examples": {"Demonstrative_Example": [{"Intro_Text": "The following example demonstrates the weakness.", "Example_Code": {"@Nature": "Bad", "@Language": "Java", "xhtml:div": {"xhtml:div": [{"@style": "margin-left:1em;", "xhtml:br": null, "#text": "foo==1;if (foo==1) System.out.println(\"foo\\n\");"}, {"@style": "margin-left:1em;", "xhtml:div": {"xhtml:br": [null, null], "#text": "called(2);return 0;"}}], "xhtml:br": null, "#text": "void called(int foo) {}int main() {}"}}}, {"@Demonstrative_Example_ID": "DX-103", "Intro_Text": "The following C/C++ example shows a simple implementation of a stack that includes methods for adding and removing integer values from the stack. The example uses pointers to add and remove integer values to the stack array variable.", "Example_Code": {"@Nature": "Bad", "@Language": "C", "xhtml:div": {"xhtml:br": [null, null, null, null, null, null, null], "xhtml:div": [{"@style": "margin-left:1em;", "xhtml:div": {"xhtml:br": [null, null], "xhtml:div": {"@style": "margin-left:1em;", "xhtml:div": {"xhtml:br": [null, null], "xhtml:i": "// Print stack overflow error message and exit"}}, "#text": "p1++;if(p1==(tos+SIZE)) {}*p1 == i;"}}, {"@style": "margin-left:1em;", "xhtml:div": {"xhtml:div": {"@style": "margin-left:1em;", "xhtml:div": {"xhtml:br": [null, null], "xhtml:i": "// Print stack underflow error message and exit"}}, "xhtml:br": [null, null], "#text": "if(p1==tos) {}p1--;return *(p1+1);"}}, {"@style": "margin-left:1em;", "xhtml:div": {"xhtml:br": [null, null, null, null, null, null], "xhtml:i": ["// initialize tos and p1 to point to the top of stack", "// code to add and remove items from stack"], "#text": "tos = stack;p1 = stack;\n                           \n                           ...return 0;"}}], "#text": "#define SIZE 50int *tos, *p1, stack[SIZE];\n                     void push(int i) {}\n                     int pop(void) {}\n                     int main(int argc, char *argv[]) {}"}}, "Body_Text": ["The push method includes an expression to assign the integer value to the location in the stack pointed to by the pointer variable.", "However, this expression uses the comparison operator \"==\" rather than the assignment operator \"=\". The result of using the comparison operator instead of the assignment operator causes erroneous values to be entered into the stack and can cause unexpected results."]}]}, "Taxonomy_Mappings": {"Taxonomy_Mapping": [{"@Taxonomy_Name": "CLASP", "Entry_Name": "Comparing instead of assigning"}, {"@Taxonomy_Name": "Software Fault Patterns", "Entry_ID": "SFP2", "Entry_Name": "Unused Entities"}]}, "References": {"Reference": [{"@External_Reference_ID": "REF-18"}, {"@External_Reference_ID": "REF-62", "@Section": "Chapter 6, \"Typos\", Page 289"}]}, "Mapping_Notes": {"Usage": "Allowed", "Rationale": "This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.", "Comments": "Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.", "Reasons": {"Reason": {"@Type": "Acceptable-Use"}}}, "Content_History": {"Submission": {"Submission_Name": "CLASP", "Submission_Date": "2006-07-19", "Submission_Version": "Draft 3", "Submission_ReleaseDate": "2006-07-19"}, "Modification": [{"Modification_Name": "Eric Dalci", "Modification_Organization": "Cigital", "Modification_Date": "2008-07-01", "Modification_Version": "1.0", "Modification_ReleaseDate": "2008-09-09", "Modification_Comment": "updated Time_of_Introduction"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2008-09-08", "Modification_Version": "1.0", "Modification_ReleaseDate": "2008-09-09", "Modification_Comment": "updated Applicable_Platforms, Description, Relationships, Other_Notes, Taxonomy_Mappings"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2008-11-24", "Modification_Version": "1.1", "Modification_ReleaseDate": "2008-11-25", "Modification_Comment": "updated Relationships, Taxonomy_Mappings"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2009-07-27", "Modification_Version": "1.5", "Modification_ReleaseDate": "2009-07-27", "Modification_Comment": "updated Common_Consequences, Modes_of_Introduction"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2009-10-29", "Modification_Version": "1.6", "Modification_ReleaseDate": "2009-10-29", "Modification_Comment": "updated Other_Notes"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2011-06-01", "Modification_Version": "1.13", "Modification_ReleaseDate": "2011-06-01", "Modification_Comment": "updated Common_Consequences"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2011-06-27", "Modification_Version": "2.0", "Modification_ReleaseDate": "2011-06-27", "Modification_Comment": "updated Common_Consequences"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2011-09-13", "Modification_Version": "2.1", "Modification_ReleaseDate": "2011-09-13", "Modification_Comment": "updated Relationships, Taxonomy_Mappings"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2012-05-11", "Modification_Version": "2.2", "Modification_ReleaseDate": "2012-05-15", "Modification_Comment": "updated References, Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2012-10-30", "Modification_Version": "2.3", "Modification_ReleaseDate": "2012-10-30", "Modification_Comment": "updated Demonstrative_Examples, Potential_Mitigations"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2014-07-30", "Modification_Version": "2.8", "Modification_ReleaseDate": "2014-07-31", "Modification_Comment": "updated Taxonomy_Mappings"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2017-01-19", "Modification_Version": "2.10", "Modification_ReleaseDate": "2017-01-19", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2017-11-08", "Modification_Version": "3.0", "Modification_ReleaseDate": "2017-11-08", "Modification_Comment": "updated Demonstrative_Examples, Taxonomy_Mappings"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2020-02-24", "Modification_Version": "4.0", "Modification_ReleaseDate": "2020-02-24", "Modification_Comment": "updated References, Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2023-04-27", "Modification_Version": "4.11", "Modification_ReleaseDate": "2023-04-27", "Modification_Comment": "updated Detection_Factors, Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2023-06-29", "Modification_Version": "4.12", "Modification_ReleaseDate": "2023-06-29", "Modification_Comment": "updated Mapping_Notes"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2025-12-11", "Modification_Version": "4.19", "Modification_ReleaseDate": "2025-12-11", "Modification_Comment": "updated Weakness_Ordinalities"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2026-04-30", "Modification_Version": "4.20", "Modification_ReleaseDate": "2026-04-30", "Modification_Comment": "updated Detection_Factors"}]}}
