CWE-1116: Inaccurate Comments

Description

The source code contains comments that do not accurately describe or explain aspects of the portion of the code with which the comment is associated.

Submission Date: July 2, 2018

Modification Date: 2023-06-29

Organization: MITRE

Extended Description

When a comment does not accurately reflect the associated code elements, this can introduce confusion to a reviewer (due to inconsistencies) or make it more difficult and less efficient to validate that the code is implementing the intended behavior correctly.

This issue makes it more difficult to maintain the product, which indirectly affects security by making it more difficult or time-consuming to find and/or fix vulnerabilities. It also might make it easier to introduce vulnerabilities.

Example Vulnerable Codes

Example - 1

In the following Java example, the code performs a calculation to determine how much medicine to administer. A comment is provided to give insight into what the calculation should be doing. Unfortunately, the comment does not match the actual code and thus leaves the reader to wonder which is correct.



    public class Main {

        // Returns the daily dose in mg. The comment on the arithmetic below is
        // the inaccurate one: it says "Add" while the code multiplies.
        static int calculateDailyDose() {
            int pt_weight = 83;
            int mg_per_kg = 3;
            int daily_dose = 0;

            // Add the patient weight and Mg/Kg to calculate the correct daily dose
            daily_dose = pt_weight * mg_per_kg;
            return daily_dose;
        }

        public static void main(String[] args) {
            System.out.println("Daily dose (mg): " + calculateDailyDose());
        }
    }

In the correction below, the code functionality has been verified, and the comment has been corrected to reflect the proper calculation.



    public class Main {

        // Returns the daily dose in mg. The comment now describes the
        // multiplication the code actually performs.
        static int calculateDailyDose() {
            int pt_weight = 83;
            int mg_per_kg = 3;
            int daily_dose = 0;

            // Multiply the patient weight and Mg/Kg to calculate the correct daily dose
            daily_dose = pt_weight * mg_per_kg;
            return daily_dose;
        }

        public static void main(String[] args) {
            System.out.println("Daily dose (mg): " + calculateDailyDose());
        }
    }

Note that in real-world code, these values should be validated to disallow negative numbers, prevent integer overflow, etc.
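The mismatch in Example 1 is the kind a reviewer can catch mechanically: the comment names one arithmetic operation and the statement it documents uses another. The following Python script is an added example (not part of the CWE entry or any MITRE tool) that scans source text for line comments containing an operation word such as "add" or "multiply", compares it with the operator in the next assignment, and reports the pair when they disagree. The two snippets embedded below are constructed from Example 1; the word-to-operator table and the line-pairing rule are heuristic assumptions, so a human still has to decide which side, the comment or the code, is wrong.

```python
import re

# Heuristic mapping from words a comment might use to the operator that would
# implement them. Assumption for this example; extend as needed.
OPERATION_WORDS = {
    "add": "+", "sum": "+", "plus": "+",
    "subtract": "-", "minus": "-",
    "multiply": "*", "times": "*", "product": "*",
    "divide": "/", "quotient": "/",
}

# A '//' line comment and a simple assignment (optionally a declaration),
# e.g. "daily_dose = pt_weight * mg_per_kg;" or "int x = a + b;".
COMMENT_RE = re.compile(r"^\s*//\s*(.*)$")
ASSIGN_RE = re.compile(r"^\s*(?:\w+\s+)?\w+\s*=(?!=)\s*(.+);\s*$")


def operators_in(expr):
    """Return the set of binary arithmetic operators found in an expression."""
    return set(re.findall(r"[+\-*/]", expr))


def find_comment_mismatches(source):
    """Pair each operation-describing comment with the next assignment.

    Returns a list of (comment_line, code_line, claimed_ops, actual_ops),
    1-based, for every pair where none of the operators the comment names
    appears in the code it documents.
    """
    lines = source.splitlines()
    findings = []
    for i, line in enumerate(lines):
        m = COMMENT_RE.match(line)
        if not m:
            continue
        words = re.findall(r"[a-z]+", m.group(1).lower())
        claimed = {OPERATION_WORDS[w] for w in words if w in OPERATION_WORDS}
        if not claimed:
            continue  # comment does not describe an arithmetic step

        # The statement a comment documents is taken to be the next non-blank line.
        j = i + 1
        while j < len(lines) and not lines[j].strip():
            j += 1
        if j >= len(lines):
            continue
        a = ASSIGN_RE.match(lines[j])
        if not a:
            continue
        actual = operators_in(a.group(1))
        if actual and not (claimed & actual):
            findings.append((i + 1, j + 1, sorted(claimed), sorted(actual)))
    return findings


# Constructed sample inputs, taken from the shape of Example 1 above.
VULNERABLE_SNIPPET = """\
int pt_weight = 83;
int mg_per_kg = 3;
int daily_dose = 0;
// Add the patient weight and Mg/Kg to calculate the correct daily dose
daily_dose = pt_weight * mg_per_kg;
"""

CORRECTED_SNIPPET = """\
int pt_weight = 83;
int mg_per_kg = 3;
int daily_dose = 0;
// Multiply the patient weight and Mg/Kg to calculate the correct daily dose
daily_dose = pt_weight * mg_per_kg;
"""

if __name__ == "__main__":
    for name, snippet in (("vulnerable", VULNERABLE_SNIPPET),
                          ("corrected", CORRECTED_SNIPPET)):
        for c_line, s_line, claimed, actual in find_comment_mismatches(snippet):
            print(f"{name}: comment on line {c_line} says {claimed}, "
                  f"code on line {s_line} uses {actual}")
```

The checker flags the first snippet (the comment says "add", the code multiplies) and stays silent on the second. Negative literals such as `-1` and compound expressions that legitimately mix operators will produce false positives with this simple operator set, so treat a report as a prompt for review rather than a verdict.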

Related Weaknesses

This table shows the weaknesses and high-level categories that are related to this weakness. These relationships are defined to give an overview of similar items that may exist at higher and lower levels of abstraction.

Visit http://cwe.mitre.org/ for more details.