SiteShadow
Back to vulnerability library
Detected byCWE-aware static analysisPro

CWE-382 Claims of Insufficient Testing

Coverage: 5 rules in the SiteShadow rule registry target this CWE (registry v2.0.0). Regex 5 Also: Taint and heuristic analyzers may also detect related flows (see coverage for the authoritative list) Registry tagging shows intent, for sample-level behaviour and benchmarked gaps see known gaps.

What this means

SiteShadow flagged a pattern where security-relevant behavior appears to rely on assumptions rather than being backed by tests/verification. This isn't "a bug" by itself, but it correlates strongly with security regressions and false confidence.

Why it matters

Unvalidated claims can hide security gaps and regressions.

Safer examples

1) Add tests for abuse cases (not just happy paths)

Include negative tests: unauthorized access attempts, malformed inputs, replay, rate-limit triggers.

2) Add integration tests around authz and sensitive flows

Test that "User A cannot access User B's data" and "Admin-only endpoints reject normal users" (see CWE-286).

3) Use automated security checks in CI

Linting, dependency scanning, and basic SAST/secret scanning help prevent regressions (see CICD01 / A08).

How SiteShadow detects it (high level)

References

---

← Back to Vulnerability Library

Catch this with SiteShadow Pro.

This vulnerability class is detected by SiteShadow's Pro-tier engines, two-pass interprocedural taint analysis, heuristic flow checks, AI-context scanning, and cross-file detection. The free tier catches OWASP Top 10 single-file patterns; Pro adds the data-flow depth that finds this class of bug.