The source code contains comments that do not accurately describe or explain aspects of the portion of the code with which the comment is associated.
View on MITREWhen a comment does not accurately reflect the associated code elements, this can introduce confusion to a reviewer (due to inconsistencies) or make it more difficult and less efficient to validate that the code is implementing the intended behavior correctly. This issue makes it more difficult to maintain the product, which indirectly affects security by making it more difficult or time-consuming to find and/or fix vulnerabilities. It also might make it easier to introduce vulnerabilities.
Verify that each comment accurately reflects what is intended to happen during execution of the code.
No detection method information available for this CWE.
In the following Java example the code performs a calculation to determine how much medicine to administer. A comment is provided to give insight into what the calculation shoud be doing. Unfortunately the comment does not match the actual code and thus leaves the reader to wonder which is correct.
In the correction below, the code functionality has been verified, and the comment has been corrected to reflect the proper calculation.
In the following Java example the code performs a calculation to determine how much medicine to administer. A comment is provided to give insight into what the calculation shoud be doing. Unfortunately the comment does not match the actual code and thus leaves the reader to wonder which is correct.
In the correction below, the code functionality has been verified, and the comment has been corrected to reflect the proper calculation.
CWE-1116: Inaccurate Comments is a Common Weakness Enumeration (CWE) entry maintained by MITRE. The source code contains comments that do not accurately describe or explain aspects of the portion of the code with which the comment is associated. When a comment does not accurately reflect the associated code elements, this can introduce confusion to a reviewer (due to inconsistencies) or make it more difficult and less efficient to validate that the code is implementing the intended behavior correctly. This issue makes it more difficult to maintain the product, which indirectly affects security by making it more difficult or time-consuming to find and/or fix vulnerabilities. It also might make it easier to introduce vulnerabilities.
If exploited, CWE-1116 (Inaccurate Comments) it can compromise Other, leading to outcomes such as Reduce Maintainability.
Recommended mitigations for CWE-1116 include: Verify that each comment accurately reflects what is intended to happen during execution of the code.
CWE-1116 commonly affects Not Language-Specific. Note that weaknesses are often language-agnostic patterns, so secure coding practices apply broadly.
A CWE (Common Weakness Enumeration) like CWE-1116 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.