1. Home
  2. CWE Database
  3. CWE-571
Base · Medium

CWE-571: Expression is Always True

The product contains an expression that will always evaluate to true.

CWE-571 · Base Level ·1 Mitigations

Description

The product contains an expression that will always evaluate to true.

Potential Impact

Other

Quality Degradation, Varies by Context

Demonstrative Examples

In the following Java example the updateInventory() method used within an e-business product ordering/inventory application will check if the input product number is in the store or in the warehouse. If the product is found, the method will update the store or warehouse database as well as the aggregate product database. If the product is not found, the method intends to do some special processing without updating any database.
Bad
public void updateInventory(String productNumber) {
                        boolean isProductAvailable = false;boolean isDelayed = false;
                           if (productInStore(productNumber)) {isProductAvailable = true;updateInStoreDatabase(productNumber);}else if (productInWarehouse(productNumber)) {isProductAvailable = true;updateInWarehouseDatabase(productNumber);}else {isProductAvailable = true;}
                           if ( isProductAvailable ) {updateProductDatabase(productNumber);}else if ( isDelayed ) {
                              
                                 
                                 /* Warn customer about delay before order processing */
                                 ...
                           }
                     }
However, the method never sets the isDelayed variable and instead will always update the isProductAvailable variable to true. The result is that the predicate testing the isProductAvailable boolean will always evaluate to true and therefore always update the product database. Further, since the isDelayed variable is initialized to false and never changed, the expression always evaluates to false and the customer will never be warned of a delay on their product.

Mitigations & Prevention

Implementation

Consider refactoring the code, or determine if the code is not including a condition that could cause the expression to become false.

Detection Methods

  • Automated Static Analysis High — Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then sea

CWE-710: Improper Adherence to Coding Standards

The product does not follow certain coding rules for development, which can lead to resultant weaknesses or increase the...

CWE-561: Dead Code

The product contains dead code, which can never be executed.

Taxonomy Mappings

  • CERT C Secure Coding: MSC00-C — Compile cleanly at high warning levels
  • Software Fault Patterns: SFP1 — Glitch in computation

Frequently Asked Questions

What is CWE-571?

CWE-571 (Expression is Always True) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Base-level weakness. The product contains an expression that will always evaluate to true.

How can CWE-571 be exploited?

Attackers can exploit CWE-571 (Expression is Always True) to quality degradation, varies by context. This weakness is typically introduced during the Implementation phase of software development.

How do I prevent CWE-571?

Key mitigations include: Consider refactoring the code, or determine if the code is not including a condition that could cause the expression to become false.

What is the severity of CWE-571?

CWE-571 is classified as a Base-level weakness (Medium abstraction). Its actual severity depends on the specific context and how the weakness manifests in your application.