Description
A function, method, procedure, etc. contains an excessive amount of code that has been commented out within its body.
While the interpretation of "excessive volume" may vary for each product or developer, CISQ recommends a default threshold of 2% of commented code.
Potential Impact
Other
Reduce Maintainability
Detection Methods
- Automated Static Analysis High — Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then sea
Related Weaknesses
Taxonomy Mappings
- OMG ASCMM: ASCMM-MNT-6 —
Frequently Asked Questions
What is CWE-1085?
CWE-1085 (Invokable Control Element with Excessive Volume of Commented-out Code) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Base-level weakness. A function, method, procedure, etc. contains an excessive amount of code that has been commented out within its body.
How can CWE-1085 be exploited?
Attackers can exploit CWE-1085 (Invokable Control Element with Excessive Volume of Commented-out Code) to reduce maintainability. This weakness is typically introduced during the Implementation phase of software development.
How do I prevent CWE-1085?
Follow secure coding practices, conduct code reviews, and use automated security testing tools (SAST/DAST) to detect this weakness early in the development lifecycle.
What is the severity of CWE-1085?
CWE-1085 is classified as a Base-level weakness (Medium abstraction). Its actual severity depends on the specific context and how the weakness manifests in your application.