CWE-1116: Inaccurate Comments

BaseIncomplete

The source code contains comments that do not accurately describe or explain aspects of the portion of the code with which the comment is associated.

View on MITRE
Back to CWE Lookup

Extended Description

When a comment does not accurately reflect the associated code elements, this can introduce confusion to a reviewer (due to inconsistencies) or make it more difficult and less efficient to validate that the code is implementing the intended behavior correctly. This issue makes it more difficult to maintain the product, which indirectly affects security by making it more difficult or time-consuming to find and/or fix vulnerabilities. It also might make it easier to introduce vulnerabilities.

Technical Details

Structure
Simple

Applicable To

Languages
Not Language-Specific
Platforms

Frequently Asked Questions

What is CWE-1116: Inaccurate Comments?+

CWE-1116: Inaccurate Comments is a Common Weakness Enumeration (CWE) entry maintained by MITRE. The source code contains comments that do not accurately describe or explain aspects of the portion of the code with which the comment is associated. When a comment does not accurately reflect the associated code elements, this can introduce confusion to a reviewer (due to inconsistencies) or make it more difficult and less efficient to validate that the code is implementing the intended behavior correctly. This issue makes it more difficult to maintain the product, which indirectly affects security by making it more difficult or time-consuming to find and/or fix vulnerabilities. It also might make it easier to introduce vulnerabilities.

What are the security consequences of Inaccurate Comments?+

If exploited, CWE-1116 (Inaccurate Comments) it can compromise Other, leading to outcomes such as Reduce Maintainability.

How do you prevent or mitigate Inaccurate Comments?+

Recommended mitigations for CWE-1116 include: Verify that each comment accurately reflects what is intended to happen during execution of the code.

Which programming languages are affected by Inaccurate Comments?+

CWE-1116 commonly affects Not Language-Specific. Note that weaknesses are often language-agnostic patterns, so secure coding practices apply broadly.

What is the difference between a CWE and a CVE?+

A CWE (Common Weakness Enumeration) like CWE-1116 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.

Learn More