1. Home
  2. CWE Database
  3. CWE-1116
Base · Medium

CWE-1116: Inaccurate Source Code Comments

The source code contains comments that do not accurately describe or explain aspects of the portion of the code with which the comment is associated.

CWE-1116 · Base Level ·1 Mitigations

Description

The source code contains comments that do not accurately describe or explain aspects of the portion of the code with which the comment is associated.

Potential Impact

Other

Reduce Maintainability

Other

Increase Analytical Complexity

Demonstrative Examples

In the following Java example the code performs a calculation to determine how much medicine to administer. A comment is provided to give insight into what the calculation shoud be doing. Unfortunately the comment does not match the actual code and thus leaves the reader to wonder which is correct.
Bad
public class Main {
                 
		   public static void main(String[] args) {
                   
		     int pt_weight = 83;
		     int mg_per_kg = 3;
		     int daily_dose = 0;
		     
		     // Add the patient weight and Mg/Kg to calculate the correct daily dose
		     daily_dose = pt_weight * mg_per_kg;
                     return dosage;
		   
                   }
		 
                 }
In the correction below, the code functionality has been verified, and the comment has been corrected to reflect the proper calculation.
Good
public class Main {
                 
		   public static void main(String[] args) {
                   
		     int pt_weight = 83;
		     int mg_per_kg = 3;
		     int daily_dose = 0;
		     
		     // Multiply the patient weight and Mg/Kg to calculate the correct daily dose
		     daily_dose = pt_weight * mg_per_kg;
                     return dosage;
		   
                   }
		 
                 }
Note that in real-world code, these values should be validated to disallow negative numbers, prevent integer overflow, etc.

Mitigations & Prevention

Implementation

Verify that each comment accurately reflects what is intended to happen during execution of the code.

CWE-1078: Inappropriate Source Code Style or Formatting

The source code does not follow desired style or formatting for indentation, white space, comments, etc.

Frequently Asked Questions

What is CWE-1116?

CWE-1116 (Inaccurate Source Code Comments) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Base-level weakness. The source code contains comments that do not accurately describe or explain aspects of the portion of the code with which the comment is associated.

How can CWE-1116 be exploited?

Attackers can exploit CWE-1116 (Inaccurate Source Code Comments) to reduce maintainability. This weakness is typically introduced during the Implementation phase of software development.

How do I prevent CWE-1116?

Key mitigations include: Verify that each comment accurately reflects what is intended to happen during execution of the code.

What is the severity of CWE-1116?

CWE-1116 is classified as a Base-level weakness (Medium abstraction). Its actual severity depends on the specific context and how the weakness manifests in your application.