CWE-561: Dead Code | Glexia
CWE-561 (Dead Code) weakness overview with consequences, detection methods, mitigations, related CVEs and MITRE ATT&CK context.
Glexia's Take · Automated analysis
CWE-561: Dead Code
Dead Code represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.
Executive Impact
- Other: Quality Degradation: Dead code that results from code that can never be executed is an indication of problems with the source code that needs to be fixed and is an indication of poor quality.
- Other: Reduce Maintainability
Developer Pattern
CWE-561 is the kind of defect developers can usually prevent with explicit validation, safer framework defaults, and tests that exercise hostile input or unsafe state transitions.
Automation confidence
high confidence from CWE-561, 4.20.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Official CWE Definition
CWE-561: Dead Code
The product contains dead code, which can never be executed.
Dead code is code that can never be executed in a running program. The surrounding code makes it impossible for a section of code to ever be executed.
Developer And Remediation Guidance
How teams prevent and detect this weakness
Causes
- The condition for the second if statement is impossible to satisfy. It requires that the variables be non-null. However, on the only path where s can be assigned a non-null value, there is a return statement.
- In the following class, two private methods call each other, but since neither one is ever invoked from anywhere else, they are both dead code. (In this case it is a good thing that the methods are dead: invoking either one would cause an infinite loop.)
- The field named glue is not used in the following class. The author of the class has accidentally put quotes around the field name, transforming it into a string constant.
Remediation
- Implementation: Remove dead code before deploying the application.
Detection
- Architecture or Design Review:
- Automated Static Analysis - Binary or Bytecode:
- Dynamic Analysis with Manual Results Interpretation:
- Automated Static Analysis:
- Automated Static Analysis - Source Code:
- Dynamic Analysis with Automated Results Interpretation:
- Manual Static Analysis - Source Code:
Mappings
Related CVEs, CWEs, and ATT&CK context
Related CWEs
ATT&CK Relevance
ATT&CK relevance is shown only when reviewed or responsibly inferred.
