| Operations | Definition |
| Cast | Cast operation – Explicitly convert the value of an object to another data type. |
| Coerce | Coerce operation – Implicitly (forced by the Type System) convert the value of a passed in/out argument or the return into the corresponding parameter or return data type. (Type Coercion is known also as Type Juggling.) |
| Operands | Definition |
| Name | Name operand – The identifier of an object, function, or data type entity used to reference it. |
| Data | Data operand – The data value of an object – i.e., the actual value that is stored in memory. |
| Type | Type operand – The data type of an object – i.e., the set of allowed values (e.g., char is within [-128, 127]) and operations over them (e.g., +, *, mod). |
| Causes | Definition |
| Code Bug | Code Bug type – An error in the implementation of an operation – proper operands over an improper operation. A first cause for the chain of weaknesses underlying a software security vulnerability. Must be fixed to resolve the vulnerability. |
| Missing Code | Missing Code bug - The operation is entirely absent. |
| Wrong Code | Wrong Code bug - An incorrect operator or function is used, or an incorrect data type is specified. |
| Name Fault | Name Fault/Error type – The fully resolved name of an entity is wrong. |
| Wrong Object Resolved | Wrong Object Resolved fault/error – The object is resolved from wrong scope. |
| Missing Overloaded Function | Missing Overloaded Function fault/error – Code for particular function parameters' data types is absent. |
| Data Fault | Data Fault/Error type – The data of an object has harmed semantics or inconsistent or wrong value. |
| Under Range | Under Range fault/error – The data value is smaller than the lower range of its type. |
| Over Range | Over Range fault/error – The data value is larger than the upper range of its type. |
| Flipped Sign | Flipped Sign fault/error – Sign bit is overwritten from type related calculation. |
| Type Fault | Type Fault/Error type – The set or range of allowed values of an entity is wrong or the operations allowed on them are wrong. |
| Wrong Type | Wrong Type fault/error – A data type range or structure is not correct. |
| Wrong Object Type Resolved | Wrong Object Type Resolved fault/error – An object is resolved from a wrong scope, so its data type might be wrong (e.g., a parent vs a child data type). |
| Mismatched Argument | Mismatched Argument fault/error – An argument is not of the parameter data type. |
| Consequences | Definition |
| Data Error | Data Fault/Error type – The data of an object has harmed semantics or inconsistent or wrong value. |
| Wrong Value | Wrong Value fault/error – The data value is not accurate (e.g., outside of a range). |
| Flipped Sign | Flipped Sign fault/error – Sign bit is overwritten from type related calculation. |
| Truncated Value | Truncated Value fault/error – The rightmost bits of a data value that won’t fit the data type size are cut off. |
| Distorted Value | Distorted Value fault/error – The data value is incorrect (although is fits the type size) due to a sign flip or signed/unsigned or unsigned/signed cast. |
| Rounded Value | Rounded Value fault/error – Precision loss of a real number. |
| Type Error | Type Fault/Error type – The set or range of allowed values of an entity is wrong or the operations allowed on them are wrong. |
| Cast Pointer | Cast Pointer fault/error – A pointer is type cast to a data type that is incompatible with its object's data type. |
| Downcast Pointer | Downcast Pointer fault/error – A pointer is cast to a subtype (base to subclass or subclass to subclass) that is incompatible with its object's data type. The object may invoke an overridden function is of a wrong subtype. |
| Wrong Type | Wrong Type fault/error – A data type range or structure is not correct. |
| Type Conversion Final Error | |
| Subtype Confusion | Subtype Confusion final error – A downcasted pointer and its object have incompatible data types. |
| Operations Attributes | Definition |
| Mechanism | Mechanism operation attribute type – Shows how the operation the operation with a bug or faulty operand is performed. |
| Pass In | Pass In operation attribute – The operation is via in arguments' values to a function/ operator. |
| Pass Out | Pass Out operation attribute – The operation is via out or in/out arguments' values or a return value to a function/ operator. |
| Source Code | Source Code operation attribute type – Shows where the code of the operation with a bug or faulty operand resides within the software, firmware, or hardware. |
| Codebase | Codebase operation attribute – The operation is in the programmer's code - in the application itself. |
| Third-Party | Third-Party operation attribute – The operation code is in a third-party source. |
| Standard Library | Standard Library operation attribute – The operation code is in the standard library for a particular programming language. |
| Compiler/Interpreter | Compiler/Interpreter operation attribute – The operation code is in the language processor that allows execution or creates executables (interpreter, compiler, assembler). |
| Execution Space | Execution Space operation attribute type – Shows where the operation with a bug or faulty operand is executed and the privilege level at which it runs. |
| Local | Local operation attribute – The bugged code runs in an environment with access control policy with limited (local user) permission. |
| Admin | Admin operation attribute – The bugged code runs in an environment with access control policy with unlimited (admin user) permission. |
| Bare-Metal | Bare-Metal operation attribute – The bugged code runs in an environment without privilege control. Usually, the program is the only software running and has total access to the hardware. |
| Operands Attributes | Definition |
| Name State | Name State operand attribute type – Shows what the stage of the entity name is. |
| Resolved | Resolved operand attribute – The name scope is known to the Type System. |
| Bound | Bound operand attribute – The name is linked to a declared (or inferred) data type, a defined object's data, or a called function implementation. |
| Data Kind | Data Kind operand attribute type – Shows what the type or category of data is. |
| Numeric | Numeric operand attribute – A number – a sequence of digits. |
| Text | Text operand attribute – A string – a sequence of symbols. |
| Pointer | Pointer operand attribute – A holder of the memory address of an object. |
| Boolean | Boolean operand attribute – A truth/falsity value – true or false; 1 or 0. |
| Type Kind | Type Kind operand attribute type – Shows what the data type composition is. |
| Primitive | Primitive operand attribute – A scalar data type that mimics the hardware units - e.g., int (long, short, signed), float, double, string, Boolean. A primitive data type is only language defined and is not built from other data types. |
| Structure | Structure operand attribute – A composite data type - e.g., array, list, map, class. A structured data type is built from other data types and has primitive or structured members. |
