Description
The variable's value is assigned but never used, making it a dead store.
After the assignment, the variable is either assigned another value or goes out of scope. It is likely that the variable is simply vestigial, but it is also possible that the unused variable points out a bug.
Potential Impact
Other
Quality Degradation, Varies by Context
Demonstrative Examples
    r = getName();
    r = getNewBuffer(buf);
Mitigations & Prevention
Remove unused variables from the code.
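As an added example (not code from the CWE entry), the page's two-line fragment made runnable in C with instrumented, hypothetical getName() and getNewBuffer() helpers: in the first function the dead store hides a memory leak, and the second function is the corrected form in which every assigned value is read.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Instrumented helpers (constructed for this example) so the effect of the
   dead store shows up as a count of heap blocks still live. */
static int live_blocks = 0;
static char *getName(void) {                /* hypothetical, as on the page */
    const char *name = "alice";             /* constructed sample value */
    char *p = malloc(strlen(name) + 1);
    if (p) { strcpy(p, name); live_blocks++; }
    return p;
}
static char *getNewBuffer(size_t n) {       /* hypothetical, as on the page */
    char *p = calloc(n, 1);
    if (p) live_blocks++;
    return p;
}
static void release(char *p) {
    if (p) { live_blocks--; free(p); }
}
/* CWE-563 as in the page's fragment: r is assigned, then assigned again
   before the first value is ever read (the Clang Static Analyzer's
   deadcode.DeadStores checker reports the first assignment). Here the dead
   store is not vestigial: the block from getName() is lost, so the function
   leaks. Returns the number of live blocks after cleanup (1 means a leak). */
int dead_store_version(void) {
    live_blocks = 0;
    char *r;
    r = getName();             /* dead store: overwritten on the next line */
    r = getNewBuffer(32);
    if (r) r[0] = 'x';
    release(r);
    return live_blocks;        /* 1: the name buffer was never freed */
}

/* Corrected: each result is read before its variable is reused or released. */
int fixed_version(char *out, size_t out_len) {
    live_blocks = 0;
    char *name = getName();
    char *r = getNewBuffer(out_len);
    if (name && r) {
        snprintf(r, out_len, "user:%s", name);    /* both results are read */
        snprintf(out, out_len, "%s", r);
    }
    release(name);
    release(r);
    return live_blocks;        /* 0: nothing leaked */
}
```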
Detection Methods
- Automated Static Analysis (effectiveness: High) — Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then sea
Related Weaknesses
Taxonomy Mappings
- CERT C Secure Coding: MSC00-C — Compile cleanly at high warning levels
- SEI CERT Perl Coding Standard: MSC01-PL — Detect and remove unused variables
- Software Fault Patterns: SFP2 — Unused Entities
Frequently Asked Questions
What is CWE-563?
CWE-563 (Assignment to Variable without Use) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Base-level weakness. The variable's value is assigned but never used, making it a dead store.
How can CWE-563 be exploited?
Attackers can exploit CWE-563 (Assignment to Variable without Use) to cause quality degradation; the impact varies by context. This weakness is typically introduced during the Implementation phase of software development.
How do I prevent CWE-563?
Key mitigations include: Remove unused variables from the code.
What is the severity of CWE-563?
CWE-563 is classified as a Base-level weakness (Medium abstraction). Its actual severity depends on the specific context and how the weakness manifests in your application.