CWE-561: Dead Code

Base Draft Simple

CWE Version: 4.18

Last Updated: 2025-09-09

Description

The product contains dead code, which can never be executed.

Extended Description

Dead code is code that can never be executed in a running program. The surrounding code makes it impossible for a section of code to ever be executed.

Common Consequences

Scope: Other

Technical Impact: Quality Degradation

Note: Dead code that can never be executed indicates problems with the source code that need to be fixed, and is a sign of poor quality.

Scope: Other

Technical Impact: Reduce Maintainability

Potential Mitigations

Phase: Implementation

Description: Remove dead code before deploying the application.

Phase: Testing

Description: Use a static analysis tool to spot dead code.

Detection Methods

Method: Architecture or Design Review

Effectiveness: High

Method: Automated Static Analysis - Binary or Bytecode

Effectiveness: High

Method: Dynamic Analysis with Manual Results Interpretation

Effectiveness: SOAR Partial

Method: Automated Static Analysis

Effectiveness: SOAR Partial

Method: Automated Static Analysis - Source Code

Effectiveness: High

Method: Dynamic Analysis with Automated Results Interpretation

Effectiveness: SOAR Partial

Method: Manual Static Analysis - Source Code

Effectiveness: High

Observed Examples

Reference: CVE-2014-1266

chain: incorrect "goto" in Apple SSL product bypasses certificate validation, allowing Adversary-in-the-Middle (AITM) attack (Apple "goto fail" bug). CWE-705 (Incorrect Control Flow Scoping) -> CWE-561 (Dead Code) -> CWE-295 (Improper Certificate Validation) -> CWE-393 (Return of Wrong Status Code) -> CWE-300 (Channel Accessible by Non-Endpoint).
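The pattern behind the observed example above, as an added illustration that is not part of the CWE entry and is not Apple's code: two verification steps run in sequence, and a duplicated unconditional "goto" makes the second step unreachable (CWE-561), so when the first step succeeds the function returns its still-zero error value and reports success without ever running the second check. The checks (check_hash, check_signature), the message rule ("signed" passes) and the function names are all constructed for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed illustration for CWE-561 (not Apple's code). */

/* Hypothetical checks, each returning 0 on success and -1 on failure. */
static int check_hash(const char *msg)
{
    return (msg != NULL) ? 0 : -1;
}

static int check_signature(const char *msg)
{
    /* Constructed rule: only the literal "signed" passes. */
    return (msg != NULL && strcmp(msg, "signed") == 0) ? 0 : -1;
}

/* Buggy version: the second "goto fail;" is unconditional, so the
 * signature check below it is dead code. When check_hash succeeds,
 * err is still 0 at the "fail" label and the function reports success
 * without the signature ever being checked. */
int verify_buggy(const char *msg)
{
    int err;

    if ((err = check_hash(msg)) != 0)
        goto fail;
        goto fail;                          /* duplicated line, always taken */
    if ((err = check_signature(msg)) != 0)  /* dead code: never reached */
        goto fail;

fail:
    return err;
}

/* Fixed version: every jump is guarded by its own condition, so both
 * checks run and the return value reflects the last check performed. */
int verify_fixed(const char *msg)
{
    int err;

    if ((err = check_hash(msg)) != 0)
        goto fail;
    if ((err = check_signature(msg)) != 0)
        goto fail;

fail:
    return err;
}

int main(void)
{
    /* An unsigned message must be rejected; the buggy version accepts it. */
    printf("buggy(\"unsigned\") = %d\n", verify_buggy("unsigned"));  /* 0: accepted */
    printf("fixed(\"unsigned\") = %d\n", verify_fixed("unsigned"));  /* -1: rejected */
    printf("fixed(\"signed\")   = %d\n", verify_fixed("signed"));    /* 0: accepted */
    return 0;
}
```

Compiler diagnostics are the cheapest form of the static analysis the mitigation above calls for: Clang's -Wunreachable-code reports the dead signature check, and -Wmisleading-indentation in GCC and Clang reports the indented second "goto" that visually hides the defect during review.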

Modes of Introduction

Phase          Note
Implementation -

Applicable Platforms

Languages
Not Language-Specific (Undetermined)

Taxonomy Mappings

Taxonomy Name                    Entry ID      Entry Name                   Mapping Fit
CERT C Secure Coding             MSC07-C       Detect and remove dead code  -
SEI CERT Perl Coding Standard    MSC00-PL      Detect and remove dead code  Exact
Software Fault Patterns          SFP2          Unused Entities              -
OMG ASCMM                        ASCMM-MNT-20                               -

Key Information

CWE ID: CWE-561

Abstraction: Base

Structure: Simple

Status: Draft

Related Weaknesses