| Operations | Definition |
| Declare | Specify the name and type of an object; the name, return type, and parameters of a function; or the name and type parameters of a type. |
| Define | Specify the implementation of a function; or the member objects and functions of a type. (The data of an object is specified at its initialization -- see MAD and MUS.) |
| Operands | Definition |
| Name | The declared identifier for an entity. |
| Type | The data type of an object -- the set of allowed values (e.g., char is within [-128, 127]) and the operations allowed over them (e.g., +, *, mod). |
| Causes | Definition |
| Code Defect Bug | The operation has a bug, which is the first cause for the chain of weaknesses underlying a software security vulnerability. The bug must be fixed to resolve the vulnerability. |
| Missing Code | The entire operation implementation or a part of its specification is absent. |
| Wrong Code | An inappropriate data type is specified; or an inappropriate function/operator is used. |
| Erroneous Code | The operation implementation has a bug. |
| Specification Defect Bug | A specification (algorithm, protocol) of an operation an error or a rule (policy, keying material) used by the operation has an error, which when implemented becomes the bug causing the chain of weaknesses underlying a software security vulnerability. It must be fixed to fix the bug and to resolve the vulnerability. |
| Missing Modifier | A required behavioral restriction is absent. |
| Wrong Modifier | A wrong behavioral restriction is specified. |
| Anonymous Scope | The declaration is in an unnamed scope. |
| Wrong Scope | The declaration should be in another scope. |
| Type Fault | The set or range of allowed values is wrong or the operations allowed on them are wrong. |
| Wrong Type Resolved | A data type is resolved from a wrong scope. |
| Consequences | Definition |
| Name Error | The resolved name is wrong. |
| Missing Overridden Function | Function implementation in a particular subclass is absent. |
| Missing Overloaded Function | Code for particular function parameters' data types is absent. |
| Type Error | The set or range of allowed values is wrong or the operations allowed on them are wrong. |
| Wrong Type | A data type range or structure is not correct. |
| Incomplete Type | A specific constructor, method, or overloaded function is missing. |
| Wrong Generic Type | A generic object is instantiated via wrong type argument. |
| Confused Subtype | The object invoking an overridden function is of wrong subtype data type. |
| Wrong Argument Type | An argument to an overloaded function is of incorrect data type. |
| Access Final Error | An exploitable or undefined system behavior caused by 'name access' declaration bugs. |
| Wrong Access Object | An unauthorized access to an object; allows access to sensitive data or to member functions. |
| Wrong Access Type | An unauthorized access to a data type; allows access to member objects and functions. |
| Wrong Access Function | An unauthorized access to a function; allows its execution. |
| Operations Attributes | Definition |
| Mechanism | Shows how the buggy/faulty operation code is performed. |
| Simple | Non-polymorphic. |
| Generics | Parameterizing by type. |
| Overriding | Functions with the same name as one in the base type but implemented in different subtypes. |
| Overloading | Functions with the same name in the same declaration scope, but implemented with different signature. |
| Source Code | Shows where the buggy/faulty operation code is in the program -- in what kind of software. |
| Codebase | The operation is in the programmer's code - in the application itself. |
| Third-Party | The operation is in a third-party software. |
| Standard Library | The operation is in the standard library for a particular programming language. |
| Compiler/Interpreter | The operation is in the language processor that allows execution or creates executables (compiler, assembler, interpreter). |
| Execution Space | Shows where the buggy/faulty operation code is running or with what privilege level). |
| Local | The bugged code runs in an environment with access control policy with limited (local user) permission. |
| Admin | The bugged code runs in an environment with access control policy with unlimited (admin user) permission. |
| Bare-Metal | The bugged code runs in an environment without privilege control. Usually, the program is the only software running and has total access to the hardware. |
| Operands Attributes | Definition |
| Name Kind | Shows what the entity with this name is. |
| Object | A memory region used to store data. |
| Function | An organized block of code that when called takes in data, processes it, and produces a result(s). |
| Data Type | A set of allowed values and the operations allowed over them. |
| Namespace | An organization of entities' names, utilized to avoid names collision. |
| Type Kind | Shows what the data type composition is. |
| Primitive | A scalar data type that mimics the hardware units - e.g., int (long, short, signed), float, double, string, Boolean. A primitive data type is only language defined and is not built from other data types. |
| Structure | A composite data type - e.g., array, list, map, class. A structured data type is built from other data types and has primitive or structured members. |
