Kiuwan CWE declaration

The following is the list of common software security weaknesses (CWE entries) covered by the Kiuwan engines, grouped by language. Each row gives the CWE identifier, the language, a short description of the check, and the Kiuwan rule identifier; a rule that maps to more than one CWE is listed once under each CWE.

Languages covered, each with its own table below:

ABAP, ActionScript, ASP, ASP.NET, COBOL, C++, C#, Hibernate, HTML, Informix, Java, JavaScript, JSP, Kotlin, Objective-C, Oracle Forms, PHP, PL/SQL, Python, RPG4, Scala, SQL Script, Swift, Transact-SQL, VB6, VB.NET

ABAP

CWE ID   Language   Description   Kiuwan rule ID
CWE:113 ABAP Unvalidated data in HTTP response header OPT.ABAP.SEC.HttpHeaderManipulation
CWE:114 ABAP Avoid dynamic constructs controlled by external input OPT.ABAP.SEC.DynamicConstructs
CWE:185 ABAP Prevent denial of service attack through malicious regular expression (‘Regex Injection’) OPT.ABAP.SEC.RegexInjection
CWE:200 ABAP Hardcoded SAP client check (sy-mandt) OPT.ABAP.SEC.HardcodedClientCheck
CWE:200 ABAP Avoid hardcoding into the code current server date checks (sy-datum) OPT.ABAP.SEC.HardcodedDateCheck
CWE:200 ABAP Avoid hardcoding sensitive information OPT.ABAP.SEC.HardcodedSensitiveData
CWE:22 ABAP External Control of File Name or Path OPT.ABAP.SEC.PathManipulation
CWE:259 ABAP Avoid hard-coded or in-comment credentials (username / password) in code OPT.ABAP.SEC.PasswordManagement
CWE:266 ABAP Table without authorization group OPT.ABAP.SEC.NoAuthorizationGroup4Table
CWE:285 ABAP Improper implementation of authorization check OPT.ABAP.SEC.BadAuthorizationCheck
CWE:285 ABAP Any report must perform an authority check OPT.ABAP.SEC.CheckAuthInAllPrograms
CWE:285 ABAP Authorization check must be done explicitly before CALL TRANSACTION OPT.ABAP.SEC.NoAuthorizationCheckCallTransaction
CWE:285 ABAP Authorization check must be done explicitly in RFC-enabled functions OPT.ABAP.SEC.NoAuthorizationCheckRFC
CWE:285 ABAP Authorization check must be done explicitly on SQL statements OPT.ABAP.SEC.NoAuthorizationCheckSQL
CWE:300 ABAP Standard pseudo-random number generators cannot withstand cryptographic attacks OPT.ABAP.SEC.InsecureRandomness
CWE:328 ABAP Weak cryptographic hashes cannot guarantee data integrity OPT.ABAP.SEC.WeakHashAlgorithm
CWE:330 ABAP Standard pseudo-random number generators cannot withstand cryptographic attacks OPT.ABAP.SEC.InsecureRandomness
CWE:338 ABAP Standard pseudo-random number generators cannot withstand cryptographic attacks OPT.ABAP.SEC.InsecureRandomness
CWE:391 ABAP Uncaught exception in RFC call OPT.ABAP.RELIABILITY.UncaughtExceptionInRfcCall
CWE:434 ABAP Dangerous file download OPT.ABAP.SEC.DangerousFileDownload
CWE:434 ABAP Dangerous file upload OPT.ABAP.SEC.DangerousFileUpload
CWE:488 ABAP Do not bypass SAP client separation mechanism OPT.ABAP.SEC.CrossClientDatabaseAccess
CWE:488 ABAP Hardcoded SAP client check (sy-mandt) OPT.ABAP.SEC.HardcodedClientCheck
CWE:489 ABAP Remove BREAK-POINT statements from production code OPT.ABAP.APBR.NoBreakPointStatements
CWE:489 ABAP Avoid development/test backdoors in production code OPT.ABAP.SEC.Backdoors
CWE:489 ABAP Usage of sy-sysid (informative) OPT.ABAP.SEC.UsagesOfSySysid
CWE:489 ABAP Usage of sy-uname (informative) OPT.ABAP.SEC.UsagesOfSyUname
CWE:601 ABAP URL Redirection to Untrusted Site (‘Open Redirect’) OPT.ABAP.SEC.OpenRedirect
CWE:606 ABAP Use WHILE instead of unconditional DO loops OPT.ABAP.APFR.SuggestWhileInsteadOfDo
CWE:615 ABAP Avoid hard-coded or in-comment credentials (username / password) in code OPT.ABAP.SEC.PasswordManagement
CWE:642 ABAP Inadequate usage of ABAP System field OPT.ABAP.SEC.OverwriteSystemFields
CWE:653 ABAP Hardcoded System ID check (sy-sysid) OPT.ABAP.SEC.HardcodedSystemIdCheck
CWE:676 ABAP Do not call system / kernel functions from ABAP application code OPT.ABAP.AGR.CallSysFunction
CWE:691 ABAP Logic depending on text symbols OPT.ABAP.RELIABILITY.LogicDependingOnTextSymbols
CWE:73 ABAP External Control of File Name or Path OPT.ABAP.SEC.PathManipulation
CWE:749 ABAP Avoid called transactions corresponding to a certain module OPT.ABAP.AGR.CallTx
CWE:77 ABAP Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) OPT.ABAP.SEC.CommandInjection
CWE:778 ABAP Include audit fields in custom tables OPT.ABAP.ASR.ControlFieldsClientTables
CWE:78 ABAP Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) OPT.ABAP.SEC.CommandInjection
CWE:79 ABAP Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) OPT.ABAP.SEC.CrossSiteScripting
CWE:798 ABAP Avoid hard-coded or in-comment credentials (username / password) in code OPT.ABAP.SEC.PasswordManagement
CWE:813 ABAP Avoid queries on sensitive tables from ABAP code OPT.ABAP.ASR.SecuritySelectTables
CWE:862 ABAP SQL Bad Practices – Direct Update OPT.ABAP.SEC.DirectUpdate
CWE:89 ABAP Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) OPT.ABAP.SEC.SqlInjection
CWE:941 ABAP Destination injection in RFC call OPT.ABAP.SEC.RfcDestinationInjection
CWE:95 ABAP Avoid Dynamic Code constructs OPT.ABAP.SEC.DynamicCode
CWE:95 ABAP Avoid dynamic constructs controlled by external input OPT.ABAP.SEC.DynamicConstructs
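As an added example that is not part of the Kiuwan declaration: a small Python script that parses rows in the flattened form used on this page (CWE:<id> <LANGUAGE> <description> <rule id>) and then answers the questions a practitioner usually asks of such a coverage list: which required CWEs have no rule for a given language, which rule identifiers are declared under several CWE ids (so three rows may be a single detector), and which rules back a given CWE. The sample rows are copied from the ABAP and C# tables on this page; the "required" CWE list is a constructed placeholder, not an official mapping.

```python
import re
from collections import defaultdict

# Constructed sample: rows copied from the ABAP and C# tables on this page,
# in the flattened "CWE:<id> <LANGUAGE> <description> <rule id>" form.
SAMPLE_ROWS = """\
CWE:113 ABAP Unvalidated data in HTTP response header OPT.ABAP.SEC.HttpHeaderManipulation
CWE:22 ABAP External Control of File Name or Path OPT.ABAP.SEC.PathManipulation
CWE:73 ABAP External Control of File Name or Path OPT.ABAP.SEC.PathManipulation
CWE:330 ABAP Standard pseudo-random number generators cannot withstand cryptographic attacks OPT.ABAP.SEC.InsecureRandomness
CWE:338 ABAP Standard pseudo-random number generators cannot withstand cryptographic attacks OPT.ABAP.SEC.InsecureRandomness
CWE:89 ABAP Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) OPT.ABAP.SEC.SqlInjection
CWE:89 CSHARP Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) OPT.CSHARP.SqlInjection
CWE:502 CSHARP Dynamic code injection during object deserialization OPT.CSHARP.CodeInjectionWithDeserialization
"""

# One row: CWE id, language token, free-text description, rule id (always OPT.*).
ROW_RE = re.compile(r"^CWE:(\d+)\s+(\S+)\s+(.*?)\s+(OPT\.\S+)$")


def parse_rows(text):
    """Parse flattened rows into (cwe, language, description, rule) tuples.
    Lines that do not have the row shape (headers, spacers) are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append((int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return rows


def coverage_by_language(rows):
    """language -> set of CWE ids that have at least one declared rule."""
    cov = defaultdict(set)
    for cwe, lang, _, _ in rows:
        cov[lang].add(cwe)
    return cov


def rules_per_cwe(rows, language):
    """For one language: CWE id -> sorted list of rule ids declared for it."""
    out = defaultdict(set)
    for cwe, lang, _, rule in rows:
        if lang == language:
            out[cwe].add(rule)
    return {k: sorted(v) for k, v in out.items()}


def multi_cwe_rules(rows):
    """Rule ids that appear under more than one CWE id.
    Counting rows overstates coverage when one detector carries several labels."""
    by_rule = defaultdict(set)
    for cwe, _, _, rule in rows:
        by_rule[rule].add(cwe)
    return {r: sorted(c) for r, c in by_rule.items() if len(c) > 1}


def gaps(rows, language, required):
    """Required CWE ids with no declared rule for the given language."""
    covered = coverage_by_language(rows).get(language, set())
    return sorted(set(required) - covered)


if __name__ == "__main__":
    rows = parse_rows(SAMPLE_ROWS)
    required = [89, 79, 502, 22]  # constructed placeholder list, not an official one
    for lang in ("ABAP", "CSHARP"):
        print(lang, "gaps:", gaps(rows, lang, required))
    print("rules declared under several CWEs:", multi_cwe_rules(rows))
```

To use it against the full page, paste every table into the string (or read the page text from a file) and pass the CWE list your policy actually requires; the parser ignores the header and spacer lines, so the tables can be fed in as-is.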

ActionScript

CWE ID   Language   Description   Kiuwan rule ID
CWE:563 ACTIONSCRIPT Detect local vars unused OPT.ACTIONSCRIPT.GEN_ACTIONSCRIPT.AvoidUnusedLocalVar

ASP

CWE ID   Language   Description   Kiuwan rule ID
CWE:89 ASP Checks for SQL injection vulnerabilities OPT.ASP.ASP_SEC.ASP_SqlInjection

ASP.NET

CWE ID   Language   Description   Kiuwan rule ID
CWE:1022 ASPNET Improper Neutralization of links to external sites OPT.ASPNET.TargetBlankVulnerability
CWE:11 ASPNET ASP.NET Misconfiguration: Creating Debug Binary OPT.ASPNET.AvoidEnabledDebugMode
CWE:113 ASPNET Unvalidated data in HTTP response header (‘HTTP Response Splitting’) OPT.ASPNET.HeaderValidationMisconfiguration
CWE:12 ASPNET ASP.NET Misconfiguration: Missing Custom Error Page OPT.ASPNET.EnableCustomErrorPage
CWE:16 ASPNET ASP.NET Misconfiguration: Creating Debug Binary OPT.ASPNET.AvoidEnabledDebugMode
CWE:16 ASPNET No clickjacking protection configured OPT.ASPNET.ClickjackingProtection
CWE:16 ASPNET Dangerous application setting OPT.ASPNET.DangerousAppSetting
CWE:16 ASPNET Directory Browsing enabled OPT.ASPNET.DirectoryBrowsing
CWE:16 ASPNET A misconfiguration makes easier performing Session hijacking attacks OPT.ASPNET.SessionHijackingMisconfiguration
CWE:16 ASPNET Trace information enabled and remotely accessible OPT.ASPNET.TraceEnabled
CWE:185 ASPNET Regular expression in RegularExpressionValidator may be used for denial of service OPT.ASPNET.ReDoSInRegularExpressionValidator
CWE:20 ASPNET The value of ValidateRequest in pages must be set to true to prevent code injection attacks OPT.ASPNET.AvoidDisabledValidateRequest
CWE:20 ASPNET The validateRequest attribute value should be true to prevent code injection attacks OPT.ASPNET.AvoidDisabledValidateRequestConfig
CWE:200 ASPNET Service metadata exposure OPT.ASPNET.ServiceMetadataVisibility
CWE:259 ASPNET Password exposure in Web.config file OPT.ASPNET.CredentialsMisconfiguration
CWE:285 ASPNET Do not use transport security mode in WCF OPT.ASPNET.WCFTransportSecurity
CWE:288 ASPNET Misconfiguration in authorization rules allowing HTTP Verb Tampering OPT.ASPNET.HTTPVerbTampering
CWE:295 ASPNET Untrustworthy certificate verification OPT.ASPNET.CertificateVerificationMisconfiguration
CWE:302 ASPNET Unprotected roles in cookies OPT.ASPNET.UnprotectedRolesInCookies
CWE:346 ASPNET CORS policy (Cross-origin resource sharing) too broad OPT.ASPNET.TooBroadCORSPolicy
CWE:388 ASPNET Audit of security events misconfiguration in WCF OPT.ASPNET.WCFAuditMisconfiguration
CWE:489 ASPNET Avoid enabling WCF debug information OPT.ASPNET.WCFAvoidEnabledDebug
CWE:497 ASPNET Trace information enabled and remotely accessible OPT.ASPNET.TraceEnabled
CWE:522 ASPNET Insufficiently protected credentials in connection strings OPT.ASPNET.CredentialsInConnectionString
CWE:522 ASPNET Persist Security Info enabled in connection strings OPT.ASPNET.PersistSecurityInfoTrue
CWE:548 ASPNET Directory Browsing enabled OPT.ASPNET.DirectoryBrowsing
CWE:556 ASPNET Avoid impersonation in ASP.Net configuration OPT.ASPNET.AvoidImpersonation
CWE:613 ASPNET Set expiration timeout for authentication cookies OPT.ASPNET.FormsAuthenticacionTimeout
CWE:614 ASPNET Send Cookies using SSL OPT.ASPNET.AvoidSendCookiesWithoutSSL
CWE:646 ASPNET Prevent MIME sniffing OPT.ASPNET.PreventMIMESniffing
CWE:693 ASPNET No clickjacking protection configured OPT.ASPNET.ClickjackingProtection
CWE:778 ASPNET Audit of security events misconfiguration in WCF OPT.ASPNET.WCFAuditMisconfiguration
CWE:79 ASPNET Do not set EnableViewStateMac=false OPT.ASPNET.EnableViewStateMac
CWE:807 ASPNET If authentication is through Forms enable the sending of information through SSL OPT.ASPNET.AuthenticationFormsWithoutSSL
CWE:807 ASPNET Set expiration timeout for authentication cookies OPT.ASPNET.FormsAuthenticacionTimeout
CWE:807 ASPNET A misconfiguration makes easier performing Session hijacking attacks OPT.ASPNET.SessionHijackingMisconfiguration
CWE:863 ASPNET Dangerous application setting OPT.ASPNET.DangerousAppSetting
CWE:94 ASPNET Do not use Content Delivery Network (CDN) for JavaScript code OPT.ASPNET.AvoidContentDeliveryNetwork

COBOL

CWE ID   Language   Description   Kiuwan rule ID
CWE:113 COBOL Unvalidated data in HTTP response header OPT.COBOL.SEC.HTTPHeaderManipulation
CWE:114 COBOL Avoid calling subprogram where its name could be controlled by user input OPT.COBOL.SEC.Cobol_ProcessControl
CWE:20 COBOL Do not ACCEPT data from untrusted sources OPT.COBOL.SEC.NoAcceptFromUntrustedSource
CWE:215 COBOL Information Exposure Through Debug Information OPT.COBOL.SEC.NoActiveDebug
CWE:22 COBOL Avoid non-neutralized user-controlled input to be part of a pathname (file or directory) used in I/O operations OPT.COBOL.SEC.PathTraversal
CWE:252 COBOL Validate return code for cryptographic operations OPT.COBOL.SEC.CheckCryptoReturnCode
CWE:259 COBOL Hardcoded passwords can compromise system security in a way that cannot be easily remedied OPT.COBOL.SEC.Cobol_HardcodedPassword
CWE:261 COBOL Weak Cryptography for Passwords OPT.COBOL.SEC.Cobol_PasswordWithWeakCrypto
CWE:328 COBOL Weak cryptographic hashes cannot guarantee data integrity OPT.COBOL.SEC.WeakCryptoHash
CWE:359 COBOL Exposure of Private Information (‘Privacy Violation’) OPT.COBOL.SEC.Cobol_PrivacyViolation
CWE:391 COBOL Ignoring error conditions may allow an attacker to induce unexpected behavior unnoticed OPT.COBOL.SEC.PoorErrorHandling
CWE:401 COBOL Potential dynamic storage area leak OPT.COBOL.SEC.DynamicStorageLeakRule
CWE:497 COBOL Avoid dumping system info (typically for debugging) in production code OPT.COBOL.SEC.Cobol_SystemInformationLeak
CWE:566 COBOL Authorization Bypass Through User-Controlled SQL Primary Key OPT.COBOL.SEC.Cobol_AccessControlDatabase
CWE:615 COBOL Avoid placing passwords and other sensitive info in code comments OPT.COBOL.SEC.Cobol_PasswordInComment
CWE:628 COBOL Parameter mismatch in CALL OPT.COBOL.SEC.CallParameterMismatch
CWE:639 COBOL Check user input used in DL/I (IMS) queries OPT.COBOL.SEC.Cobol_AccessControlDLI
CWE:639 COBOL Do not allow user input to control fields of MQSeries descriptor OPT.COBOL.SEC.Cobol_AccessControlMQ
CWE:691 COBOL Avoid ALTER OPT.COBOL.SEC.AvoidAlter
CWE:73 COBOL Avoid non-neutralized user-controlled input to be part of a pathname (file or directory) used in I/O operations OPT.COBOL.SEC.PathTraversal
CWE:77 COBOL Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) OPT.COBOL.SEC.OSCommandInjection
CWE:78 COBOL Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) OPT.COBOL.SEC.OSCommandInjection
CWE:79 COBOL Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) OPT.COBOL.SEC.CrossSiteScripting
CWE:823 COBOL Avoid pointer arithmetic in COBOL OPT.COBOL.SEC.PointerArithmetic
CWE:824 COBOL Access of Uninitialized Pointer OPT.COBOL.SEC.IllegalValuesForPointers
CWE:89 COBOL Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) OPT.COBOL.SEC.SqlInjection
CWE:99 COBOL Improper Control of Resource Identifiers (‘Resource Injection’) OPT.COBOL.SEC.Cobol_ResourceInjection

C++

CWE ID   Language   Description   Kiuwan rule ID
CWE:119 CPP Guarantee that copies are made into storage of sufficient size OPT.CPP.CERTC.ARR33
CWE:119 CPP Do not allow loops to iterate beyond the end of an array OPT.CPP.CERTC.ARR35
CWE:119 CPP Do not make assumptions about the size of an environment variable OPT.CPP.CERTC.ENV01
CWE:119 CPP Guarantee that storage for strings has sufficient space for character data and the null terminator OPT.CPP.CERTC.STR31
CWE:119 CPP Size wide character strings correctly OPT.CPP.CERTC.STR33
CWE:120 CPP Do not copy data from an unbounded source to a fixed-length array OPT.CPP.CERTC.STR35
CWE:129 CPP Do not form or use out-of-bounds pointers or array subscripts on arrays OPT.CPP.CERTC.ARR30
CWE:129 CPP Do not add or subtract an integer to a pointer if resulting value does not refer to a valid array element OPT.CPP.CERTC.ARR38
CWE:131 CPP Guarantee that copies are made into storage of sufficient size OPT.CPP.CERTC.ARR33
CWE:131 CPP Do not allow loops to iterate beyond the end of an array OPT.CPP.CERTC.ARR35
CWE:131 CPP Do not make assumptions about the size of an environment variable OPT.CPP.CERTC.ENV01
CWE:131 CPP Incorrect Calculation of Buffer Size OPT.CPP.CERTC.MEM35
CWE:131 CPP Guarantee that storage for strings has sufficient space for character data and the null terminator OPT.CPP.CERTC.STR31
CWE:131 CPP Size wide character strings correctly OPT.CPP.CERTC.STR33
CWE:134 CPP Exclude unsanitized user input from format strings OPT.CPP.CERTC.FIO30
CWE:135 CPP Size wide character strings correctly OPT.CPP.CERTC.STR33
CWE:170 CPP Use the readlink() function properly OPT.CPP.CERTC.POS30
CWE:170 CPP Null-terminate byte strings as required OPT.CPP.CERTC.STR32
CWE:190 CPP Evaluate integer expressions in a larger size before comparing or assigning to that size OPT.CPP.CERTC.INT35
CWE:193 CPP Guarantee that storage for strings has sufficient space for character data and the null terminator OPT.CPP.CERTC.STR31
CWE:242 CPP Do not use vfork() OPT.CPP.CERTC.POS33
CWE:252 CPP Detect and handle memory allocation errors OPT.CPP.CERTC.MEM32
CWE:273 CPP Improper Check for Dropped Privileges OPT.CPP.CERTC.POS37
CWE:363 CPP Race Condition Enabling Link Following OPT.CPP.CERTC.POS35
CWE:367 CPP Be careful using functions that use file names for identification OPT.CPP.CERTC.FIO01
CWE:379 CPP Creation of Temporary File in Directory with Incorrect Permissions OPT.CPP.CERTC.FIO43
CWE:401 CPP Allocated memory must be released in same scope OPT.CPP.CorrectUseMemoryLeaks
CWE:415 CPP Allocate and free memory in the same module at the same level of abstraction OPT.CPP.CERTC.MEM00
CWE:415 CPP Free dynamically allocated memory exactly once (Double Free) OPT.CPP.CERTC.MEM31
CWE:416 CPP Allocate and free memory in the same module at the same level of abstraction OPT.CPP.CERTC.MEM00
CWE:416 CPP Do not access freed memory (Use after free) OPT.CPP.CERTC.MEM30
CWE:457 CPP Use of Uninitialized Variable OPT.CPP.CERTC.EXP33
CWE:467 CPP Do not apply the sizeof operator to a pointer when taking the size of an array OPT.CPP.CERTC.ARR01
CWE:467 CPP Use of sizeof() on a Pointer Type OPT.CPP.CERTC.EXP01
CWE:476 CPP NULL Pointer Dereference OPT.CPP.CERTC.EXP34
CWE:476 CPP Detect and handle memory allocation errors OPT.CPP.CERTC.MEM32
CWE:479 CPP Signal Handler Use of a Non-reentrant Function OPT.CPP.CERTC.SIG30
CWE:479 CPP Signal Handler Use of a Non-reentrant Function OPT.CPP.CERTC.SIG32
CWE:563 CPP Local variables never used OPT.CPP.VariablesNeverUsed
CWE:590 CPP Free of Memory not on the Heap OPT.CPP.CERTC.MEM34
CWE:628 CPP Use realloc() only to resize dynamically allocated arrays OPT.CPP.CERTC.MEM08
CWE:676 CPP Guarantee that copies are made into storage of sufficient size OPT.CPP.CERTC.ARR33
CWE:676 CPP Be careful using functions that use file names for identification OPT.CPP.CERTC.FIO01
CWE:676 CPP Guarantee that storage for strings has sufficient space for character data and the null terminator OPT.CPP.CERTC.STR31
CWE:681 CPP MISRA 10.1: The value of an expression of integer type shall not be implicitly converted to a different underlying type OPT.CPP.MISRAC.IntegerImplicitConversions
CWE:682 CPP Use bitwise operators only on unsigned operands OPT.CPP.CERTC.INT13
CWE:684 CPP Do not replace secure functions with less secure functions OPT.CPP.CERTC.PRE09
CWE:696 CPP Observe correct revocation order while relinquishing privileges OPT.CPP.CERTC.POS36
CWE:705 CPP No atexit handler should terminate in any way other than by returning OPT.CPP.CERTC.ENV32
CWE:77 CPP Do not call system() if you do not need a command processor OPT.CPP.CERTC.ENV04
CWE:77 CPP Sanitize data passed to sensitive subsystems OPT.CPP.CERTC.STR02
CWE:78 CPP Do not call system() if you do not need a command processor OPT.CPP.CERTC.ENV04
CWE:78 CPP Sanitize data passed to sensitive subsystems OPT.CPP.CERTC.STR02
CWE:835 CPP Loop with Unreachable Exit Condition (‘Infinite Loop’) OPT.CPP.PotentialInfiniteLoop
CWE:88 CPP Do not call system() if you do not need a command processor OPT.CPP.CERTC.ENV04
CWE:88 CPP Sanitize data passed to sensitive subsystems OPT.CPP.CERTC.STR02

C#

CWE ID   Language   Description   Kiuwan rule ID
CWE:113 CSHARP Improper neutralization of CR/LF Sequences in HTTP headers OPT.CSHARP.SEC.HttpSplittingRule
CWE:114 CSHARP Do not load executables or libraries from untrusted sources OPT.CSHARP.SEC.ProcessControl
CWE:117 CSHARP Improper Output Neutralization for Logs OPT.CSHARP.SEC.LogForging
CWE:120 CSHARP Potential memory corruption OPT.CSHARP.SEC.BufferOverflow
CWE:15 CSHARP Registry manipulation OPT.CSHARP.SEC.RegistryManipulation
CWE:185 CSHARP Prevent denial of service attack through malicious regular expression OPT.CSHARP.DoSRegexp
CWE:20 CSHARP Unvalidated model in MVC controller OPT.CSHARP.SEC.UnvalidatedAspNetModel
CWE:200 CSHARP Insecure Mail Transport OPT.CSHARP.SEC.InsecureEmailTransport
CWE:200 CSHARP Generate server-side cookies with adequate security properties OPT.CSHARP.SEC.UnsafeCookieRule
CWE:203 CSHARP Cross-Site History Manipulation (XSHM) OPT.CSHARP.SEC.CrossSiteHistoryManipulation
CWE:209 CSHARP Avoid sensitive information exposure through error messages OPT.CSHARP.SEC.InformationExposureThroughErrorMessage
CWE:22 CSHARP External Control of File Name or Path OPT.CSHARP.PathTraversal
CWE:233 CSHARP Request data is accessed in an ambiguous way, which can leave it open to attack OPT.CSHARP.SEC.HttpRequestValueShadowing
CWE:235 CSHARP HTTP parameter pollution (HPP) OPT.CSHARP.SEC.HttpParameterPollution
CWE:252 CSHARP Unchecked return value OPT.CSHARP.UncheckedReturnValue
CWE:256 CSHARP Plaintext Storage of a Password OPT.CSHARP.SEC.PlaintextStorageOfPassword
CWE:284 CSHARP .Net access restriction subverted (Reflection) OPT.CSHARP.SEC.AccessibilitySubversionRule
CWE:285 CSHARP Access Control – Anonymous LDAP Bind OPT.CSHARP.SEC.AnonymousLdapBind
CWE:287 CSHARP Do not let a user perform actions they are not authorized for OPT.CSHARP.SEC.ImproperAuthentication
CWE:310 CSHARP Weak cryptography, insufficient key length OPT.CSHARP.WeakKeySize
CWE:311 CSHARP Insecure transport OPT.CSHARP.SEC.InsecureTransport
CWE:311 CSHARP Insecure transport in HTTP servers OPT.CSHARP.SEC.ServerInsecureTransport
CWE:312 CSHARP Cleartext Storage of Sensitive Information in a Cookie OPT.CSHARP.PlaintextStorageInACookie
CWE:315 CSHARP Cleartext Storage of Sensitive Information in a Cookie OPT.CSHARP.PlaintextStorageInACookie
CWE:320 CSHARP Use of Hard-coded Cryptographic Key OPT.CSHARP.SEC.HardcodedCryptoKey
CWE:320 CSHARP Weak cryptography, insufficient key length OPT.CSHARP.WeakKeySize
CWE:321 CSHARP Use of Hard-coded Cryptographic Key OPT.CSHARP.SEC.HardcodedCryptoKey
CWE:326 CSHARP Insufficient RSA key length OPT.CSHARP.WeakEncryption
CWE:326 CSHARP Weak cryptography, insufficient key length OPT.CSHARP.WeakKeySize
CWE:327 CSHARP Weak cryptographic hash OPT.CSHARP.WeakCryptographicHash
CWE:327 CSHARP Weak symmetric encryption algorithm OPT.CSHARP.WeakSymmetricEncryptionAlgorithm
CWE:327 CSHARP Do not use weak modes of operation with symmetric encryption OPT.CSHARP.WeakSymmetricEncryptionModeOfOperation
CWE:330 CSHARP Standard pseudo-random number generators cannot withstand cryptographic attacks OPT.CSHARP.InsecureRandomness
CWE:338 CSHARP Standard pseudo-random number generators cannot withstand cryptographic attacks OPT.CSHARP.InsecureRandomness
CWE:345 CSHARP Prevent over-posting attacks in model definition OPT.CSHARP.MVCPreventOverpostingModelDefinition
CWE:345 CSHARP Prevent under-posting attacks in model composition OPT.CSHARP.MVCPreventUnderpostingModelComposition
CWE:345 CSHARP Prevent under-posting attacks in model definition OPT.CSHARP.MVCPreventUnderpostingModelDefinition
CWE:346 CSHARP CORS policy (Cross-origin resource sharing) too broad OPT.CSHARP.TooMuchOriginsAllowed
CWE:350 CSHARP Avoid checks on the client-side hostname, which are unreliable due to DNS poisoning OPT.CSHARP.SEC.AvoidHostNameChecks
CWE:352 CSHARP Cross-Site Request Forgery (CSRF) OPT.CSHARP.CrossSiteRequestForgery
CWE:352 CSHARP Restrict allowed HTTP verbs for state-change operations in MVC controllers OPT.CSHARP.MVCPostInControllers
CWE:377 CSHARP Temporary files not deleted OPT.CSHARP.SEC.TemporaryFilesLeft
CWE:390 CSHARP Avoid empty catch blocks OPT.CSHARP.Csharp.AvoidEmptyCatchBlock
CWE:395 CSHARP Use of NullPointerException Catch to Detect NULL Pointer Dereference OPT.CSHARP.AvoidNullReferenceException
CWE:396 CSHARP Declaration of Catch for Generic Exception OPT.CSHARP.Csharp.DoNotCatchGeneralExceptionTypes
CWE:398 CSHARP Using Console.Out or Console.Error rather than a dedicated log interface makes it more difficult to monitor the behavior of the software OPT.CSHARP.AvoidSystemOutputStream
CWE:404 CSHARP Unreleased database resource OPT.CSHARP.ResourceLeakDatabase
CWE:404 CSHARP Unreleased LDAP resource OPT.CSHARP.ResourceLeakLdap
CWE:404 CSHARP Unreleased stream resource OPT.CSHARP.ResourceLeakStream
CWE:404 CSHARP Unreleased unmanaged resource OPT.CSHARP.ResourceLeakUnmanaged
CWE:426 CSHARP Do not hardcode absolute paths OPT.CSHARP.HardcodedAbsolutePath
CWE:434 CSHARP Unrestricted Upload of File with Dangerous Type OPT.CSHARP.SEC.DangerousFileUpload
CWE:449 CSHARP Implement Dispose method provided by IDisposable interface OPT.CSHARP.Csharp.ImplementIDisposableWithFinalize
CWE:459 CSHARP Call the Dispose method of fields that implement System.IDisposable OPT.CSHARP.Csharp.DisposableFieldsShouldBeDisposed
CWE:459 CSHARP Dispose objects before losing scope OPT.CSHARP.Csharp.DisposeObjectsBeforeLosingScope
CWE:470 CSHARP Use of Externally-Controlled Input to Select Classes or Code (‘Unsafe Reflection’) OPT.CSHARP.SEC.UnsafeReflection
CWE:476 CSHARP NULL Pointer Dereference OPT.CSHARP.NullDereference
CWE:489 CSHARP Main() method not allowed in web application OPT.CSHARP.SEC.MainMethodInWebApplication
CWE:494 CSHARP Do not load executables or libraries from untrusted sources OPT.CSHARP.SEC.ProcessControl
CWE:494 CSHARP Avoid using non-neutralized user-controlled input when creating XSL stylesheets OPT.CSHARP.XSLTInjection
CWE:497 CSHARP Remove ASP.NET MVC version from HTTP headers OPT.CSHARP.MVCRemoveVersionHeader
CWE:497 CSHARP Exposure of System Data to an Unauthorized Control Sphere OPT.CSHARP.SystemInformationLeak
CWE:499 CSHARP Serializable Class Containing Sensitive Data OPT.CSHARP.SEC.SerializableClassContainingSensitiveData
CWE:501 CSHARP Trust boundary violation OPT.CSHARP.SEC.TrustBoundaryViolation
CWE:502 CSHARP Dynamic code injection during object deserialization OPT.CSHARP.CodeInjectionWithDeserialization
CWE:532 CSHARP Avoid exposing sensitive information through logs OPT.CSHARP.SEC.InformationExposureThroughDebugLog
CWE:539 CSHARP Generate server-side cookies with adequate security properties OPT.CSHARP.SEC.UnsafeCookieRule
CWE:544 CSHARP Missing Standardized Error Handling Mechanism in ASP.Net OPT.CSHARP.SEC.MissingStandardErrorHandling
CWE:563 CSHARP Unused local variable OPT.CSHARP.Csharp.RemoveUnusedLocals
CWE:566 CSHARP Avoid using a user-controlled primary key in a query OPT.CSHARP.SEC.UserControlledSQLPrimaryKey
CWE:567 CSHARP Static database connection / session OPT.CSHARP.SEC.StaticDatabaseConnection
CWE:581 CSHARP Any type that overrides GetHashCode method should also override Equals method OPT.CSHARP.Csharp.OverridingEqualsAndGetHashCode
CWE:601 CSHARP URL Redirection to Untrusted Site (‘Open Redirect’) OPT.CSHARP.OpenRedirect
CWE:606 CSHARP Unchecked input in loop condition OPT.CSHARP.UncheckedInputInLoopCondition
CWE:611 CSHARP XML entity injection OPT.CSHARP.SEC.XMLEntityInjection
CWE:614 CSHARP Generate server-side cookies with adequate security properties OPT.CSHARP.SEC.UnsafeCookieRule
CWE:643 CSHARP Improper Neutralization of Data within XPath Expressions (‘XPath Injection’) OPT.CSHARP.XPathInjection
CWE:652 CSHARP Improper Neutralization of Data within XQuery Expressions (‘XQuery Injection’) OPT.CSHARP.XQueryInjection
CWE:73 CSHARP External Control of File Name or Path OPT.CSHARP.PathTraversal
CWE:754 CSHARP Unchecked return value OPT.CSHARP.UncheckedReturnValue
CWE:760 CSHARP A hardcoded salt can compromise system security OPT.CSHARP.SEC.HardcodedSalt
CWE:77 CSHARP Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) OPT.CSHARP.CommandInjection
CWE:776 CSHARP XML entity injection OPT.CSHARP.SEC.XMLEntityInjection
CWE:78 CSHARP Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) OPT.CSHARP.CommandInjection
CWE:780 CSHARP Use of RSA Algorithm without Optimal Asymmetric Encryption Padding (OAEP) OPT.CSHARP.SEC.ProperPaddingWithPublicKeyCrypto
CWE:784 CSHARP Reliance on Cookies without Validation and Integrity Checking in a Security Decision OPT.CSHARP.SEC.CookiesInSecurityDecision
CWE:79 CSHARP Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) OPT.CSHARP.CrossSiteScripting
CWE:79 CSHARP Web content generated from improperly sanitized database data without output escaping (Stored Cross-site Scripting, XSS) OPT.CSHARP.StoredCrossSiteScripting
CWE:798 CSHARP Use of Hard-coded Credentials OPT.CSHARP.SEC.HardcodedCredential
CWE:835 CSHARP Loop with Unreachable Exit Condition (‘Infinite Loop’) OPT.CSHARP.PotentialInfiniteLoop
CWE:862 CSHARP Protect public methods that are not action methods in controllers OPT.CSHARP.MVCNonActionPublicMethods
CWE:89 CSHARP Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) OPT.CSHARP.SqlInjection
CWE:90 CSHARP Avoid non-neutralized user-controlled input in LDAP search filters OPT.CSHARP.LdapInjection
CWE:91 CSHARP Avoid using non-neutralized user-controlled input in JSON entities OPT.CSHARP.JSONInjection
CWE:91 CSHARP XML Injection (aka Blind XPath Injection) OPT.CSHARP.XMLInjection
CWE:918 CSHARP Server-Side Request Forgery (SSRF) OPT.CSHARP.ServerSideRequestForgery
CWE:93 CSHARP Mail Command Injection OPT.CSHARP.SEC.MailCommandInjection
CWE:94 CSHARP Improper Control of Generation of Code (‘Code Injection’) OPT.CSHARP.CodeInjection
CWE:943 CSHARP Improper neutralization of special elements in data query logic (NoSQL injection) OPT.CSHARP.SEC.NoSQLInjection
CWE:99 CSHARP Connection string polluted with untrusted input OPT.CSHARP.SEC.ConnectionStringParameterPollution
CWE:99 CSHARP Improper control of resource identifiers (‘Resource Injection’) OPT.CSHARP.SEC.ResourceInjection

Hibernate

CWE ID   Language   Description   Kiuwan rule ID
CWE:564 HIBERNATE Use bind (or named) parameters in HQL and native SQL queries OPT.HIBERNATE.BindParametersInQueries
CWE:89 HIBERNATE Use bind (or named) parameters in HQL and native SQL queries OPT.HIBERNATE.BindParametersInQueries

HTML

CWE ID   Language   Description   Kiuwan rule ID
CWE:1022 HTML Improper Neutralization of links to external sites OPT.HTML.TargetBlankVulnerability
CWE:20 HTML Form validation disabled OPT.HTML.FormValidationOff
CWE:358 HTML Add a CSP to every page OPT.HTML.CORDOVA.ShouldUseContentSecurityPolicy
CWE:359 HTML Password in GET FORM OPT.HTML.PasswordInHttpGet
CWE:434 HTML File upload enabled OPT.HTML.FileUploadEnabled
CWE:525 HTML Autocomplete enabled for sensitive form fields OPT.HTML.AutocompleteOnForSensitiveFields
CWE:549 HTML Password input field is not masked OPT.HTML.MissingPasswordFieldMasking
CWE:830 HTML Unsafe sandbox with allow-scripts and allow-same-origin OPT.HTML.SandboxAllowScriptsAndSameOrigin

Informix

CWE ID   Language   Description   Kiuwan rule ID
CWE:563 INFORMIX Avoid unused local variables OPT.INFORMIX.UnusedLocalVar

Java

CWE ID   Language   Description   Kiuwan rule ID
CWE:111 JAVA Avoid calls from Java to native (JNI) code OPT.JAVA.SEC_JAVA.AvoidNativeCallsRule
CWE:113 JAVA Improper Neutralization of CRLF Sequences in HTTP Headers (‘HTTP Response Splitting’) OPT.JAVA.SEC_JAVA.HttpSplittingRule
CWE:114 JAVA Discourage dynamically loading code OPT.JAVA.ANDROID.DynamicallyLoadingCode
CWE:114 JAVA Library loaded from untrusted source OPT.JAVA.SEC_JAVA.ProcessControlRule
CWE:117 JAVA Improper Output Neutralization for Logs OPT.JAVA.SEC_JAVA.LogForging
CWE:129 JAVA Array index coming from a non neutralized vulnerable input OPT.JAVA.SEC_JAVA.ImproperValidationOfArrayIndex
CWE:134 JAVA Exclude unsanitized user input from format strings OPT.JAVA.SEC_JAVA.FormatStringInjectionRule
CWE:15 JAVA External Control of System or Configuration Setting OPT.JAVA.SEC_JAVA.ExternalControlOfConfigurationSetting
CWE:159 JAVA Connection string polluted with untrusted input OPT.JAVA.SEC_JAVA.ConnectionStringParameterPollution
CWE:16 JAVA Inadequate backup configuration OPT.JAVA.ANDROID.PreventBackupVulnerability
CWE:16 JAVA Use defaultHtmlEscape=true with SpringMVC for better cross-site scripting prevention OPT.JAVA.SEC_JAVA.SpringNoAntiXssConfiguration
CWE:16 JAVA Avoid misconfiguring security properties in web.xml descriptor OPT.JAVA.SEC_JAVA.WebXmlSecurityMisconfigurationsRule
CWE:180 JAVA Incorrect Behavior Order: Validate Before Canonicalize OPT.JAVA.SEC_JAVA.InputPathNotCanonicalizedRule
CWE:180 JAVA Always normalize system inputs OPT.JAVA.SEC_JAVA.UnnormalizedInputString
CWE:185 JAVA Prevent denial of service attack through malicious regular expression (‘Regex Injection’) OPT.JAVA.SEC_JAVA.RegexInjectionRule
CWE:20 JAVA Request parameters should not be passed into Session without sanitizing OPT.JAVA.SEC_JAVA.RequestParametersInSessionRule
CWE:200 JAVA Specify an endpoint interface to avoid exposing all the public methods OPT.JAVA.JAX.AvoidExposingAllEndpointlPublicMethods
CWE:200 JAVA Check the HTTP method used to send the request OPT.JAVA.JAX.CheckHTTPMethods
CWE:200 JAVA Generate server-side cookies with adequate security properties OPT.JAVA.SEC_JAVA.UnsafeCookieRule
CWE:209 JAVA Avoid sensitive information exposure through error messages OPT.JAVA.SEC_JAVA.InformationExposureThroughErrorMessage
CWE:22 JAVA Avoid non-neutralized user-controlled input composed in a pathname to a resource OPT.JAVA.SEC_JAVA.PathTraversalRule
CWE:235 JAVA HTTP parameter pollution (HPP) OPT.JAVA.SEC_JAVA.HttpParameterPollutionRule
CWE:245 JAVA J2EE Bad Practices: Direct Management of Connections OPT.JAVA.SEC_JAVA.AvoidJ2EEDirectDatabaseConnection
CWE:246 JAVA J2EE Bad Practices: Direct Use of Sockets OPT.JAVA.SEC_JAVA.AvoidJ2EEExplicitSocket
CWE:256 JAVA Plaintext Storage of a Password OPT.JAVA.SEC_JAVA.PlaintextStorageOfPassword
CWE:260 JAVA Use of credentials into configuration file OPT.JAVA.SEC_JAVA.PasswordInConfigurationFile
CWE:265 JAVA Check permission usage conformance (External Storage Permission) OPT.JAVA.ANDROID.CheckExternalStoragePermission
CWE:265 JAVA Check permission usage conformance (Internet Permission) OPT.JAVA.ANDROID.CheckInternetPermission
CWE:265 JAVA Check permission usage conformance (Location Permission) OPT.JAVA.ANDROID.CheckLocationPermission
CWE:275 JAVA Don’t allow applications to execute code using other applications’ privileges OPT.JAVA.ANDROID.PrivilegeEscalationAttack
CWE:284 JAVA Java access restriction subverted (Reflection) OPT.JAVA.SEC_JAVA.AccessibilitySubversionRule
CWE:285 JAVA Access Control – Anonymous LDAP Bind OPT.JAVA.SEC_JAVA.AnonymousLdapBindRule
CWE:285 JAVA Avoid queries in the database except from the specific classes OPT.JAVA.SEC_JAVA.DatabaseAccessControlRule
CWE:285 JAVA Dynamic method invocation in Struts 2 OPT.JAVA.SEC_JAVA.DynamicMethodInvocation
CWE:287 JAVA Use SOAP messages authentication OPT.JAVA.JAX.UseAuthenticatedSOAPMessages
CWE:287 JAVA Acegi Misconfiguration – Run-As Authentication Replacement OPT.JAVA.SEC_JAVA.AcegiRunAsAuthenticationReplacementRule
CWE:296 JAVA Insecure SSL configuration OPT.JAVA.SEC_JAVA.InsecureSSL
CWE:297 JAVA Insecure SSL configuration OPT.JAVA.SEC_JAVA.InsecureSSL
CWE:298 JAVA Insecure SSL configuration OPT.JAVA.SEC_JAVA.InsecureSSL
CWE:299 JAVA Insecure SSL configuration OPT.JAVA.SEC_JAVA.InsecureSSL
CWE:310 JAVA Weak cryptography, insufficient key length OPT.JAVA.SEC_JAVA.InsufficientKeySizeRule
CWE:311 JAVA Use encrypted SOAP messages OPT.JAVA.JAX.UseEncryptedSOAPMessages
CWE:311 JAVA Avoid using HTTP instead of HTTPS OPT.JAVA.JAX.UseSecuredTransportLayer
CWE:312 JAVA Cleartext Storage of Sensitive Information in a Cookie OPT.JAVA.SEC_JAVA.PlaintextStorageInACookieRule
CWE:315 JAVA Cleartext Storage of Sensitive Information in a Cookie OPT.JAVA.SEC_JAVA.PlaintextStorageInACookieRule
CWE:320 JAVA Hardcoded cryptographic keys OPT.JAVA.SEC_JAVA.HardcodedCryptoKey
CWE:320 JAVA Weak cryptography, insufficient key length OPT.JAVA.SEC_JAVA.InsufficientKeySizeRule
CWE:321 JAVA Hardcoded cryptographic keys OPT.JAVA.SEC_JAVA.HardcodedCryptoKey
CWE:325 JAVA Inadequate padding OPT.JAVA.SEC_JAVA.InadequatePaddingRule
CWE:326 JAVA Weak cryptography, insufficient key length OPT.JAVA.SEC_JAVA.InsufficientKeySizeRule
CWE:327 JAVA Weak symmetric encryption algorithm OPT.JAVA.SEC_JAVA.WeakEncryptionRule
CWE:328 JAVA Weak cryptographic hash OPT.JAVA.SEC_JAVA.WeakCryptographicHashRule
CWE:329 JAVA Not using a Random IV with CBC Mode OPT.JAVA.SEC_JAVA.NonRandomIVWithCBCMode
CWE:330 JAVA Standard pseudo-random number generators cannot withstand cryptographic attacks OPT.JAVA.SEC_JAVA.InsecureRandomnessRule
CWE:338 JAVA Do not use SecureRandom with a fixed seed OPT.JAVA.ANDROID.SecureRandom
CWE:338 JAVA Standard pseudo-random number generators cannot withstand cryptographic attacks OPT.JAVA.SEC_JAVA.InsecureRandomnessRule
CWE:345 JAVA Avoid using non-neutralized user-controlled input into JSON entities – JSON Injection OPT.JAVA.SEC_JAVA.JSONInjection
CWE:346 JAVA CORS policy (Cross-origin resource sharing) too broad OPT.JAVA.SEC_JAVA.TooMuchOriginsAllowedRule
CWE:350 JAVA Avoid checks on client-side hostname, that are not reliable due to DNS poisoning OPT.JAVA.SEC_JAVA.AvoidHostNameChecksRule
CWE:352 JAVA Cross-site request forgery (CSRF) OPT.JAVA.SEC_JAVA.CrossSiteRequestForgeryRule
CWE:353 JAVA Use signed SOAP messages OPT.JAVA.JAX.UseSignedSOAPMessages
CWE:358 JAVA Not overridable method OPT.JAVA.SEC_JAVA.NotOverridableMethodRule
CWE:358 JAVA Methods that perform a security check must be declared private or final OPT.JAVA.SEC_JAVA.SecurityCheckInOverridableMethodRule
CWE:359 JAVA Inadequate backup configuration OPT.JAVA.ANDROID.PreventBackupVulnerability
CWE:359 JAVA Password Management – Password in Redirect OPT.JAVA.SEC_JAVA.PasswordInRedirectRule
CWE:362 JAVA Concurrent Execution using Shared Resource with Improper Synchronization (‘Race Condition’) OPT.JAVA.SEC_JAVA.RaceConditionFormatFlaw
CWE:362 JAVA Race Condition in a Java Servlet OPT.JAVA.SEC_JAVA.RaceConditionServlet
CWE:374 JAVA Do not directly return or store references to mutable members OPT.JAVA.DoNotReturnStoreMutableMembers
CWE:375 JAVA Do not directly return or store references to mutable members OPT.JAVA.DoNotReturnStoreMutableMembers
CWE:382 JAVA J2EE Bad Practices: Use of System.exit() OPT.JAVA.SEC_JAVA.AvoidEJBJVMShutdown
CWE:382 JAVA Avoid JVM shutdown code in J2EE applications OPT.JAVA.SEC_JAVA.AvoidJ2EEJvmExit
CWE:383 JAVA Avoid explicit thread management in EJB OPT.JAVA.SEC_JAVA.AvoidEJBExplicitThreadManagement
CWE:383 JAVA J2EE Bad Practices: Direct Use of Threads OPT.JAVA.SEC_JAVA.AvoidJ2EEExplicitThreadManagement
CWE:384 JAVA Avoid misconfiguring security properties in web.xml descriptor OPT.JAVA.SEC_JAVA.WebXmlSecurityMisconfigurationsRule
CWE:391 JAVA Unhandled SSL exception OPT.JAVA.SEC_JAVA.UnhandledSSLExceptionRule
CWE:395 JAVA Avoid capturing NullPointerExceptions OPT.JAVA.EXCP.AvoidNullPointerException
CWE:396 JAVA Avoid java.lang.Error catch exceptions OPT.JAVA.EXCP.AvoidExcpError
CWE:396 JAVA Avoid capturing java.lang.Exception exceptions OPT.JAVA.EXCP.AvoidExcpException
CWE:396 JAVA Avoid Exception, RuntimeException or Throwable in catch or throw statements OPT.JAVA.FMETODOS.NCE
CWE:397 JAVA Avoid throwing ‘Exception’. Always use a proper Exception subclass OPT.JAVA.DECLARA.NTX
CWE:397 JAVA Avoid creating new instances of java.lang.Throwable OPT.JAVA.EXCP.AvoidNewThrowable
CWE:397 JAVA Avoid Exception, RuntimeException or Throwable in catch or throw statements OPT.JAVA.FMETODOS.NCE
CWE:404 JAVA Prevent potential memory leaks in ObjectOutputStreams by calling reset() or close() OPT.JAVA.GC.OSTM
CWE:459 JAVA Close input and output resources in finally blocks OPT.JAVA.IO.CS
CWE:459 JAVA Close JDBC connections in finally blocks OPT.JAVA.JDBC.CDBC
CWE:459 JAVA Close JDBC resources when finishing using OPT.JAVA.JDBC.RRWD
CWE:470 JAVA Activities extending PreferenceActivity should not be exported OPT.JAVA.ANDROID.ExportedPreferenceActivity
CWE:470 JAVA Use of Externally-Controlled Input to Select Classes or Code (‘Unsafe Reflection’) OPT.JAVA.SEC_JAVA.UnsafeReflection
CWE:476 JAVA NULL Pointer Dereference OPT.JAVA.NullDereference
CWE:478 JAVA Provide ‘default’ label for each switch statement OPT.JAVA.PB.PDS
CWE:481 JAVA Avoid assigning values to variables inside for loops OPT.JAVA.BUC.AvoidAssignInFor
CWE:481 JAVA Avoid assignments in while / do-while loop condition OPT.JAVA.BUC.AvoidAssignInWhile
CWE:481 JAVA Avoid assignments inside conditional expressions OPT.JAVA.COND.AvoidAsignmentsWithinIF
CWE:481 JAVA Possible confusion between assignment and comparison in a conditional expression OPT.JAVA.PB.ASI
CWE:484 JAVA Avoid using a switch structure with a bad case statement OPT.JAVA.PB.SBC
CWE:486 JAVA Do not compare class objects with getName() or getSimpleName() methods OPT.JAVA.RGS.CMP
CWE:489 JAVA Leftover Debug Code in J2EE applications OPT.JAVA.SEC_JAVA.AvoidJ2EELeftoverDebugCode
CWE:491 JAVA Make your clone() method final for security OPT.JAVA.RGS.CLONE
CWE:494 JAVA Library loaded from untrusted source OPT.JAVA.SEC_JAVA.ProcessControlRule
CWE:497 JAVA Do not send detail error information to client OPT.JAVA.SEC_JAVA.DetailErrorLeakRule
CWE:499 JAVA Serializable Class Containing Sensitive Data OPT.JAVA.SEC_JAVA.SerializableClassContainingSensitiveData
CWE:5 JAVA Acegi Misconfiguration – Insecure Channel Mixing OPT.JAVA.SEC_JAVA.AcegiInsecureChannelMixingRule
CWE:5 JAVA Avoid misconfiguring security properties in web.xml descriptor OPT.JAVA.SEC_JAVA.WebXmlSecurityMisconfigurationsRule
CWE:500 JAVA Avoid non-final public static fields OPT.JAVA.J2SE.AvoidStaticPublicNoFinalField
CWE:501 JAVA Trust boundary violation OPT.JAVA.SEC_JAVA.TrustBoundaryViolationRule
CWE:502 JAVA Mark as transient the fields with system resources OPT.JAVA.J2SE.TransientForSystemResources
CWE:502 JAVA Dynamic code injection during XML deserialization OPT.JAVA.SEC_JAVA.CodeInjectionWithDeserializationRule
CWE:522 JAVA Use of credentials into configuration file OPT.JAVA.SEC_JAVA.PasswordInConfigurationFile
CWE:532 JAVA Avoid exposing sensitive information through logs OPT.JAVA.SEC_JAVA.InformationExposureThroughDebugLog
CWE:539 JAVA Generate server-side cookies with adequate security properties OPT.JAVA.SEC_JAVA.UnsafeCookieRule
CWE:552 JAVA File disclosure in server-side J2EE forward/include OPT.JAVA.SEC_JAVA.J2eeFileDisclosureRule
CWE:563 JAVA Avoid unused local variables OPT.JAVA.CNU.EVNU
CWE:563 JAVA Avoid unused private fields OPT.JAVA.CNU.PF
CWE:563 JAVA Avoid unused fields OPT.JAVA.DECL.AvoidNotUseField
CWE:564 JAVA Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) OPT.JAVA.SEC_JAVA.SqlInjectionRule
CWE:566 JAVA Avoid using a user-controlled primary key in a query OPT.JAVA.SEC_JAVA.UserControlledSQLPrimaryKey
CWE:567 JAVA Static database connection / session OPT.JAVA.SEC_JAVA.StaticDatabaseConnection
CWE:568 JAVA Call super.finalize() from finalize() OPT.JAVA.GC.FCF
CWE:572 JAVA Avoid calling Thread.run() OPT.JAVA.HEB.AvoidCallRun
CWE:574 JAVA Avoid use of synchronization primitives in EJB OPT.JAVA.SEC_JAVA.AvoidEJBSynchronizationPrimitives
CWE:575 JAVA EJB Bad Practices: Use of AWT Swing OPT.JAVA.SEC_JAVA.AvoidEJBAWTSwing
CWE:576 JAVA EJB Bad Practices: Use of Java I/O OPT.JAVA.SEC_JAVA.AvoidEJBJavaIo
CWE:577 JAVA EJB Bad Practices: Use of Sockets OPT.JAVA.SEC_JAVA.AvoidEJBExplicitServerSocket
CWE:578 JAVA Avoid changing the input, output, and error streams in EJB OPT.JAVA.SEC_JAVA.AvoidEJBRedirectStreams
CWE:578 JAVA Avoid setting context ClassLoader in EJB OPT.JAVA.SEC_JAVA.AvoidEJBSetClassLoader
CWE:578 JAVA Avoid setting system SecurityManager in EJB OPT.JAVA.SEC_JAVA.AvoidEJBSetSecurityManager
CWE:579 JAVA Avoid non-serializable objects stored in session in J2EE applications OPT.JAVA.SEC_JAVA.AvoidJ2EENonSerializableObjectsStored
CWE:580 JAVA Call super.clone() in all clone() methods OPT.JAVA.RGM.CLONE
CWE:581 JAVA Always override both java.lang.Object.equals() and java.lang.Object.hashCode() OPT.JAVA.COMP.EqualsHashCode
CWE:581 JAVA Override Object.equals() when you override Object.hashCode() OPT.JAVA.FMETODOS.OVERRIDE
CWE:582 JAVA Avoid using public static final array fields OPT.JAVA.RGM.PSFA
CWE:584 JAVA Return from finally blocks OPT.JAVA.PB.RFFB
CWE:585 JAVA Avoid empty synchronized blocks OPT.JAVA.PB.ESBL
CWE:586 JAVA Never call finalize() explicitly OPT.JAVA.FIN.DontCallFinalize
CWE:597 JAVA Use equals() when comparing Strings OPT.JAVA.PB.UEI2
CWE:601 JAVA URL Redirection to Untrusted Site (‘Open Redirect’) OPT.JAVA.SEC_JAVA.OpenRedirectRule
CWE:606 JAVA Unchecked input in loop condition OPT.JAVA.SEC_JAVA.UncheckedInputInLoopCondition
CWE:611 JAVA XML entity injection OPT.JAVA.SEC_JAVA.XmlEntityInjectionRule
CWE:613 JAVA Checks that session expiration interval is positive and does not exceed a limit OPT.JAVA.SEC_JAVA.InsufficientSessionExpirationRule
CWE:613 JAVA Avoid misconfiguring security properties in web.xml descriptor OPT.JAVA.SEC_JAVA.WebXmlSecurityMisconfigurationsRule
CWE:614 JAVA Generate server-side cookies with adequate security properties OPT.JAVA.SEC_JAVA.UnsafeCookieRule
CWE:615 JAVA Avoid hard-coded or in-comment passwords in code OPT.JAVA.SEC_JAVA.PasswordInCommentRule
CWE:617 JAVA Do not use assert and do not throw AssertionError OPT.JAVA.RGM.DontUseAssert
CWE:643 JAVA Improper Neutralization of Data within XPath Expressions (‘XPath Injection’) OPT.JAVA.SEC_JAVA.XPathInjectionRule
CWE:676 JAVA Avoid using Runtime.exec() OPT.JAVA.RGP.EXEC
CWE:676 JAVA Library loaded from untrusted source OPT.JAVA.SEC_JAVA.ProcessControlRule
CWE:693 JAVA Security misconfiguration in Play framework. OPT.JAVA.SEC_JAVA.PlaySecurityMisconfiguration
CWE:698 JAVA Execution After Redirect (EAR) OPT.JAVA.SEC_JAVA.ExecutionAfterRedirect
CWE:7 JAVA Avoid misconfiguring security properties in web.xml descriptor OPT.JAVA.SEC_JAVA.WebXmlSecurityMisconfigurationsRule
CWE:73 JAVA Avoid non-neutralized user-controlled input composed in a pathname to a resource OPT.JAVA.SEC_JAVA.PathTraversalRule
CWE:749 JAVA Enabling JavaScript is not recommended OPT.JAVA.ANDROID.JavascriptEnabled
CWE:749 JAVA Potential code injection via WebView.addJavaScriptInterface() OPT.JAVA.ANDROID.JavascriptInterfaceAnnotation
CWE:749 JAVA Don’t use SMS for data input or command OPT.JAVA.ANDROID.SMSMonitoring
CWE:760 JAVA A hardcoded salt can compromise system security OPT.JAVA.SEC_JAVA.HardcodedSaltRule
CWE:77 JAVA Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) OPT.JAVA.SEC_JAVA.CommandInjectionRule
CWE:776 JAVA XML entity injection OPT.JAVA.SEC_JAVA.XmlEntityInjectionRule
CWE:78 JAVA Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) OPT.JAVA.SEC_JAVA.CommandInjectionRule
CWE:784 JAVA Reliance on Cookies without Validation and Integrity Checking in a Security Decision OPT.JAVA.SEC_JAVA.CookiesInSecurityDecision
CWE:79 JAVA Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) OPT.JAVA.SEC_JAVA.CrossSiteScriptingRule
CWE:79 JAVA Same Origin Method Execution (SOME) OPT.JAVA.SEC_JAVA.SameOriginMethodExecution
CWE:798 JAVA Use of Hard-coded Credentials OPT.JAVA.SEC_JAVA.HardcodedUsernamePassword
CWE:80 JAVA Use defaultHtmlEscape=true with SpringMVC for better cross-site scripting prevention OPT.JAVA.SEC_JAVA.SpringNoAntiXssConfiguration
CWE:835 JAVA Avoid for loops without an initializer and an increment OPT.JAVA.BUC.AvoidForWithoutIniIncr
CWE:835 JAVA Loop with Unreachable Exit Condition (‘Infinite Loop’) OPT.JAVA.SEC_JAVA.PotentialInfiniteLoop
CWE:89 JAVA Content Provider URI Injection OPT.JAVA.ANDROID.ContentProviderUriInjection
CWE:89 JAVA Improper Neutralization of Special Elements used in an SQL Command in iBatis (‘SQL Injection’) OPT.JAVA.SEC_JAVA.IBatisSqlInjectionRule
CWE:89 JAVA Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) OPT.JAVA.SEC_JAVA.SqlInjectionRule
CWE:90 JAVA Avoid non-neutralized user-controlled input in LDAP search filters OPT.JAVA.SEC_JAVA.LdapInjectionRule
CWE:91 JAVA XML Injection (aka Blind XPath Injection) OPT.JAVA.SEC_JAVA.XsltInjection
CWE:915 JAVA Avoid data submissions to non editable fields OPT.JAVA.SPRING.AvoidDataSubmissionToNonEditableField
CWE:918 JAVA Server-Side Request Forgery (SSRF) OPT.JAVA.SEC_JAVA.ServerSideRequestForgeryRule
CWE:927 JAVA Avoid Sticky Broadcasts OPT.JAVA.ANDROID.AndroidStickyBroadcast
CWE:93 JAVA Mail Command Injection OPT.JAVA.SEC_JAVA.MailCommandInjection
CWE:943 JAVA Improper neutralization of special elements in data query logic (NoSQL injection) OPT.JAVA.SEC_JAVA.NoSQLInjection
CWE:95 JAVA Dynamic code injection in scripting API OPT.JAVA.SEC_JAVA.CodeInjectionRule
CWE:99 JAVA Intent Manipulation OPT.JAVA.ANDROID.IntentManipulation
CWE:99 JAVA Improper control of resource identifiers (“Resource Injection”) OPT.JAVA.SEC_JAVA.ResourceInjection
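The CWE:22 (OPT.JAVA.SEC_JAVA.PathTraversalRule), CWE:73 and CWE:180 (OPT.JAVA.SEC_JAVA.InputPathNotCanonicalizedRule) rows above all describe one ordering mistake: checking a path before it has been normalized, so the check passes on a string that still contains ".." segments. The class below is an added illustration written for this page, not Kiuwan's code nor output of its engine; the class name, the base directory created under the system temp folder and the `report.txt` sample file are assumptions made for the demonstration, and it needs Java 11 or later for `Files.writeString`.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;

// Added example for this page (not Kiuwan's code). The class name, the temp
// directory and the sample file name are assumptions for the demonstration.
public class SafePathResolver {

    private final Path baseDir;

    public SafePathResolver(Path baseDir) throws IOException {
        // Canonicalize the trusted root once; every comparison below is against this.
        this.baseDir = baseDir.toRealPath();
    }

    /**
     * The pattern CWE-180 / InputPathNotCanonicalizedRule flags: the check runs
     * on the raw string and canonicalization happens afterwards. A string prefix
     * test passes for "../../etc/passwd" because the joined string still begins
     * with baseDir; the ".." segments are only collapsed by normalize().
     */
    public Path resolveValidateThenCanonicalize(String userInput) {
        String joined = baseDir + File.separator + userInput;
        if (!joined.startsWith(baseDir.toString())) {
            throw new IllegalArgumentException("outside base directory");
        }
        return Paths.get(joined).normalize(); // too late: may already point outside baseDir
    }

    /**
     * Corrected order: resolve and normalize first, then validate the result with
     * Path.startsWith, which compares whole path components (so "/data2" is not
     * treated as a child of "/data", unlike a string prefix check).
     */
    public Path resolveCanonicalizeThenValidate(String userInput) throws IOException {
        Path candidate = baseDir.resolve(userInput).normalize();
        if (!candidate.startsWith(baseDir)) {
            throw new IllegalArgumentException("outside base directory");
        }
        if (Files.exists(candidate)) {
            // Follow symlinks too: a link inside baseDir may still lead outside it.
            Path real = candidate.toRealPath();
            if (!real.startsWith(baseDir)) {
                throw new IllegalArgumentException("symlink escapes base directory");
            }
            return real;
        }
        return candidate;
    }

    public static void main(String[] args) throws IOException {
        Path root = Files.createTempDirectory("kiuwan-path-demo"); // constructed sample root
        Files.writeString(root.resolve("report.txt"), "sample");
        SafePathResolver r = new SafePathResolver(root);

        String hostile = ".." + File.separator + ".." + File.separator
                + "etc" + File.separator + "passwd";

        // Flawed order: the prefix check passes and the result leaves the base directory.
        Path escaped = r.resolveValidateThenCanonicalize(hostile);
        System.out.println("validate-then-canonicalize resolved to: " + escaped
                + " (inside base? " + escaped.startsWith(r.baseDir) + ")");

        // Corrected order: a legitimate name resolves, the hostile one is rejected.
        System.out.println("ok: " + r.resolveCanonicalizeThenValidate("report.txt"));
        try {
            r.resolveCanonicalizeThenValidate(hostile);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Compile and run with `javac SafePathResolver.java && java SafePathResolver`. The two methods receive the same hostile input; only the one that normalizes before checking rejects it. The symlink step matters in practice because `normalize()` is purely lexical and never touches the file system, so a link planted inside the base directory is only caught by `toRealPath()`.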
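Several of the cryptography rows above (CWE:326/CWE:310/CWE:320 OPT.JAVA.SEC_JAVA.InsufficientKeySizeRule, CWE:329 OPT.JAVA.SEC_JAVA.NonRandomIVWithCBCMode, CWE:330/CWE:338 OPT.JAVA.SEC_JAVA.InsecureRandomnessRule and OPT.JAVA.ANDROID.SecureRandom) describe misuse of the standard JCE API rather than a broken algorithm. The class below is an added example written for this page, not Kiuwan's code; it shows the flagged form (a constant IV) next to the corrected form (a fresh IV from an unseeded `SecureRandom`, prepended to the ciphertext) and a key generated at a size the rule accepts. The class name and the sample message are assumptions for the demonstration.

```java
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.IvParameterSpec;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;

// Added example for this page (not Kiuwan's code). Class name and sample
// message are assumptions; everything else is the standard JCE API.
public class CbcIvDemo {

    private static final int IV_BYTES = 16; // AES block size

    // Unseeded: the provider seeds from the OS entropy source. Passing a fixed
    // seed (new SecureRandom(bytes)) is what OPT.JAVA.ANDROID.SecureRandom flags.
    private static final SecureRandom RNG = new SecureRandom();

    /** Form flagged by NonRandomIVWithCBCMode: a constant IV. With the same key,
     *  equal plaintext prefixes produce equal ciphertext prefixes, so an observer
     *  can tell when two messages start the same way. */
    static byte[] encryptWithFixedIv(SecretKey key, byte[] plaintext)
            throws GeneralSecurityException {
        byte[] iv = new byte[IV_BYTES]; // all zeros, identical for every message
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(iv));
        return c.doFinal(plaintext);
    }

    /** Corrected: a fresh random IV per message, prepended to the ciphertext so the
     *  receiver can recover it. The IV need not be secret, only unpredictable. */
    static byte[] encryptWithRandomIv(SecretKey key, byte[] plaintext)
            throws GeneralSecurityException {
        byte[] iv = new byte[IV_BYTES];
        RNG.nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(iv));
        byte[] ct = c.doFinal(plaintext);
        byte[] out = new byte[iv.length + ct.length];
        System.arraycopy(iv, 0, out, 0, iv.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return out;
    }

    static byte[] decryptWithRandomIv(SecretKey key, byte[] ivAndCt)
            throws GeneralSecurityException {
        IvParameterSpec iv = new IvParameterSpec(Arrays.copyOfRange(ivAndCt, 0, IV_BYTES));
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.DECRYPT_MODE, key, iv);
        return c.doFinal(Arrays.copyOfRange(ivAndCt, IV_BYTES, ivAndCt.length));
    }

    /** Key size chosen explicitly; InsufficientKeySizeRule targets short keys. */
    static SecretKey newKey() throws GeneralSecurityException {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256, RNG);
        return kg.generateKey();
    }

    public static void main(String[] args) throws GeneralSecurityException {
        SecretKey key = newKey();
        byte[] msg = "transfer 100 to account 42".getBytes(StandardCharsets.UTF_8); // constructed sample

        byte[] a = encryptWithFixedIv(key, msg);
        byte[] b = encryptWithFixedIv(key, msg);
        System.out.println("fixed IV, two encryptions identical: " + Arrays.equals(a, b));

        byte[] c1 = encryptWithRandomIv(key, msg);
        byte[] c2 = encryptWithRandomIv(key, msg);
        System.out.println("random IV, two encryptions identical: " + Arrays.equals(c1, c2));

        String back = new String(decryptWithRandomIv(key, c1), StandardCharsets.UTF_8);
        System.out.println("round trip matches: " + back.equals(new String(msg, StandardCharsets.UTF_8)));
    }
}
```

Compile and run with `javac CbcIvDemo.java && java CbcIvDemo`; AES-256 needs JDK 8u161 or later, or the unlimited-strength policy files on older JDKs. Two caveats a reviewer would add: CBC with a random IV gives confidentiality only, so where an attacker can submit ciphertexts (the padding-oracle setting behind the CWE:325 InadequatePaddingRule row) use an authenticated mode such as `AES/GCM/NoPadding` or add an HMAC over IV plus ciphertext; and a random IV is not a substitute for a per-message nonce discipline in GCM, where reuse is fatal rather than merely leaky.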

JavaScript

Rule number Language Description Rule
CWE:1004 JAVASCRIPT Generate server-side cookies with adequate security properties OPT.JAVASCRIPT.UnsafeCookie
CWE:11 JAVASCRIPT Debug logs enabled OPT.JAVASCRIPT.CORDOVA.AvoidEnabledDebugMode
CWE:113 JAVASCRIPT Unvalidated data in HTTP response header or in cookies (‘HTTP Response Splitting’) OPT.JAVASCRIPT.HeaderManipulation
CWE:16 JAVASCRIPT Android SDK version too old OPT.JAVASCRIPT.CORDOVA.InsecureAndroidMinSdkVersion
CWE:183 JAVASCRIPT Loading Angular templates insecurely OPT.JAVASCRIPT.ANGULARJS.UnsafeResourceUrlWhitelist
CWE:183 JAVASCRIPT Unsafe URL whitelist OPT.JAVASCRIPT.ANGULARJS.UnsafeUrlWhitelist
CWE:183 JAVASCRIPT Avoid posting cross-document messages with an overly permissive target origin OPT.JAVASCRIPT.AvoidOverlyPermissiveMessagePosting
CWE:185 JAVASCRIPT Potential denial-of-service attack through malicious regular expression (ReDoS) OPT.JAVASCRIPT.DoSRegexp
CWE:20 JAVASCRIPT Strict Contextual Escaping (SCE) disabled OPT.JAVASCRIPT.ANGULARJS.ContextualEscapingDisabled
CWE:200 JAVASCRIPT AngularJS local storage information leakage OPT.JAVASCRIPT.ANGULARJS.AngularLocalStorageInformationLeak
CWE:200 JAVASCRIPT Avoid Web SQL OPT.JAVASCRIPT.AvoidWebSQL
CWE:200 JAVASCRIPT Use of sensitive information into configuration file OPT.JAVASCRIPT.SensitiveInfoInConfigurationFile
CWE:200 JAVASCRIPT Generate server-side cookies with adequate security properties OPT.JAVASCRIPT.UnsafeCookie
CWE:209 JAVASCRIPT Avoid sensitive information exposure through error messages OPT.JAVASCRIPT.InformationExposureThroughErrorMessage
CWE:22 JAVASCRIPT External Control of File Name or Path OPT.JAVASCRIPT.PathManipulation
CWE:235 JAVASCRIPT HTTP parameter pollution (HPP) OPT.JAVASCRIPT.HttpParameterPollution
CWE:259 JAVASCRIPT Empty or hardcoded passwords may compromise system security in a way that cannot be easily remedied OPT.JAVASCRIPT.EmptyOrHardcodedPassword
CWE:295 JAVASCRIPT Improper Certificate Validation OPT.JAVASCRIPT.ImproperCertificateValidation
CWE:311 JAVASCRIPT Insecure transport OPT.JAVASCRIPT.InsecureTransport
CWE:311 JAVASCRIPT Insecure transport in Node.js HTTP servers OPT.JAVASCRIPT.ServerInsecureTransport
CWE:312 JAVASCRIPT Cleartext Storage of Sensitive Information in a Cookie OPT.JAVASCRIPT.PlaintextStorageInACookie
CWE:315 JAVASCRIPT Cleartext Storage of Sensitive Information in a Cookie OPT.JAVASCRIPT.PlaintextStorageInACookie
CWE:319 JAVASCRIPT Use HTTP Strict Transport Security OPT.JAVASCRIPT.UseStrictTransportSecurity
CWE:320 JAVASCRIPT Hardcoded cryptographic keys OPT.JAVASCRIPT.HardcodedCryptoKey
CWE:321 JAVASCRIPT Hardcoded cryptographic keys OPT.JAVASCRIPT.HardcodedCryptoKey
CWE:326 JAVASCRIPT An otherwise strong encryption algorithm is vulnerable to brute force attack when a small key size is used OPT.JAVASCRIPT.InsuficientKeySize
CWE:327 JAVASCRIPT Weak cryptographic hash OPT.JAVASCRIPT.WeakCryptographicHash
CWE:327 JAVASCRIPT Weak symmetric encryption algorithm OPT.JAVASCRIPT.WeakEncryption
CWE:330 JAVASCRIPT Do not use easy-to-guess Web SQL database name OPT.JAVASCRIPT.EasyToGuestDatabaseName
CWE:330 JAVASCRIPT Standard pseudo-random number generators cannot withstand cryptographic attacks OPT.JAVASCRIPT.InsecureRandomness
CWE:338 JAVASCRIPT Standard pseudo-random number generators cannot withstand cryptographic attacks OPT.JAVASCRIPT.InsecureRandomness
CWE:346 JAVASCRIPT Access policy too broad OPT.JAVASCRIPT.CORDOVA.TooBroadAccessOrigin
CWE:352 JAVASCRIPT Execution of an action on user behalf in a previously authenticated web site (cross-site request forgery, CSRF) OPT.JAVASCRIPT.CrossSiteRequestForgery
CWE:358 JAVASCRIPT Whitelist plugin not installed OPT.JAVASCRIPT.CORDOVA.WhitelistPluginNotInstalled
CWE:359 JAVASCRIPT Exposure of Private Information (‘Privacy Violation’) OPT.JAVASCRIPT.PrivacyViolation
CWE:398 JAVASCRIPT The Content-Length header should not have a negative value OPT.JAVASCRIPT.AvoidNegativeContentLenght
CWE:472 JAVASCRIPT Cookie Poisoning OPT.JAVASCRIPT.CookiePoisoning
CWE:476 JAVASCRIPT Avoid accessing unreliable variable properties OPT.JAVASCRIPT.AvoidAccesingUnreliableVariableProperties
CWE:501 JAVASCRIPT Avoid transferring data between localStorage and sessionStorage as it can expose confidential information OPT.JAVASCRIPT.AvoidTransferValuesLocalSessionStorage
CWE:501 JAVASCRIPT Do not use JavaScript to transport sensitive data OPT.JAVASCRIPT.HijackingAdHocAjax
CWE:501 JAVASCRIPT Trust boundary violation OPT.JAVASCRIPT.TrustBoundaryViolation
CWE:502 JAVASCRIPT Dynamic code injection during object deserialization OPT.JAVASCRIPT.CodeInjectionWithDeserialization
CWE:539 JAVASCRIPT Generate server-side cookies with adequate security properties OPT.JAVASCRIPT.UnsafeCookie
CWE:563 JAVASCRIPT Avoid unused local variable OPT.JAVASCRIPT.ERRORCOMUN.UnusedLocalVar
CWE:601 JAVASCRIPT URL Redirection to Untrusted Site (‘Open Redirect’) OPT.JAVASCRIPT.OpenRedirect
CWE:601 JAVASCRIPT Open Redirect (HANA XS) OPT.JAVASCRIPT.OpenRedirectHanaXS
CWE:611 JAVASCRIPT XML entity injection OPT.JAVASCRIPT.XmlEntityInjection
CWE:614 JAVASCRIPT Generate server-side cookies with adequate security properties OPT.JAVASCRIPT.UnsafeCookie
CWE:615 JAVASCRIPT Avoid hard-coded or in-comment passwords in code OPT.JAVASCRIPT.PasswordInComments
CWE:643 JAVASCRIPT Improper Neutralization of Data within XPath Expressions (‘XPath Injection’) OPT.JAVASCRIPT.XPathInjection
CWE:644 JAVASCRIPT Deactivate X-Powered-By header OPT.JAVASCRIPT.HidePoweredByHeader
CWE:646 JAVASCRIPT Prevent MIME sniffing OPT.JAVASCRIPT.PreventMIMESniffing
CWE:693 JAVASCRIPT No clickjacking protection configured OPT.JAVASCRIPT.ClickjackingProtection
CWE:73 JAVASCRIPT External Control of File Name or Path OPT.JAVASCRIPT.PathManipulation
CWE:730 JAVASCRIPT An attacker could cause the program to become unavailable to legitimate users OPT.JAVASCRIPT.DenialOfService
CWE:77 JAVASCRIPT Avoid letting non-neutralized user-controlled input become part of an OS command OPT.JAVASCRIPT.CommandInjection
CWE:776 JAVASCRIPT XML entity injection OPT.JAVASCRIPT.XmlEntityInjection
CWE:78 JAVASCRIPT Avoid letting non-neutralized user-controlled input become part of an OS command OPT.JAVASCRIPT.CommandInjection
CWE:79 JAVASCRIPT Improper neutralization of input during web content generation (Cross-site Scripting, XSS) – AngularJS OPT.JAVASCRIPT.ANGULARJS.AngularCrossSiteScripting
CWE:79 JAVASCRIPT Improper neutralization of input during web content generation (Cross-site Scripting, XSS) OPT.JAVASCRIPT.CrossSiteScripting
CWE:79 JAVASCRIPT Same Origin Method Execution (SOME) OPT.JAVASCRIPT.SameOriginMethodExecution
CWE:79 JAVASCRIPT Web content generation from improperly sanitized database data and improperly escaped output (Stored Cross-site Scripting, XSS) OPT.JAVASCRIPT.StoredCrossSiteScripting
CWE:79 JAVASCRIPT Cross-site scripting protection disabled OPT.JAVASCRIPT.XssProtectionDisabled
CWE:798 JAVASCRIPT Empty or hardcoded passwords may compromise system security in a way that cannot be easily remedied OPT.JAVASCRIPT.EmptyOrHardcodedPassword
CWE:80 JAVASCRIPT Improper neutralization of input during web content generation (Cross-site Scripting, XSS) – AngularJS OPT.JAVASCRIPT.ANGULARJS.AngularCrossSiteScripting
CWE:80 JAVASCRIPT Improper neutralization of input during web content generation (Cross-site Scripting, XSS) OPT.JAVASCRIPT.CrossSiteScripting
CWE:80 JAVASCRIPT Web content generation from improperly sanitized database data and improperly escaped output (Stored Cross-site Scripting, XSS) OPT.JAVASCRIPT.StoredCrossSiteScripting
CWE:80 JAVASCRIPT Cross-site scripting protection disabled OPT.JAVASCRIPT.XssProtectionDisabled
CWE:89 JAVASCRIPT Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) OPT.JAVASCRIPT.SqlInjection
CWE:90 JAVASCRIPT Avoid non-neutralized user-controlled input in LDAP search filters OPT.JAVASCRIPT.LdapInjection
CWE:93 JAVASCRIPT Mail Command Injection OPT.JAVASCRIPT.MailCommandInjection
CWE:94 JAVASCRIPT Improper Control of Generation of Code (‘Code Injection’) OPT.JAVASCRIPT.CodeInjection
CWE:943 JAVASCRIPT Improper neutralization of special elements in data query logic (NoSQL injection) OPT.JAVASCRIPT.NoSQLInjection
CWE:95 JAVASCRIPT Client-side Template Injection OPT.JAVASCRIPT.ClientSideTemplateInjection
CWE:95 JAVASCRIPT Improper Control of Generation of Code (‘Code Injection’) OPT.JAVASCRIPT.CodeInjection
CWE:95 JAVASCRIPT Server-side Template Injection OPT.JAVASCRIPT.ServerSideTemplateInjection
CWE:99 JAVASCRIPT Do not allow external input to control resource identifiers OPT.JAVASCRIPT.ResourceInjection

JSP

Rule number Language Description Rule
CWE:1022 JSP Improper Neutralization of links to external sites OPT.JSP.SEC_JSP.TargetBlankVulnerability
CWE:523 JSP Unprotected transport of credentials OPT.JSP.SEC_JSP.UnprotectedTransportCredential
CWE:549 JSP Password input field is not masked OPT.JSP.SEC_JSP.MissingPasswordFieldMasking
CWE:598 JSP Information exposure through strings sent by GET OPT.JSP.SEC_JSP.InformationExposureInGetRequest
CWE:917 JSP Expression Language (EL / OGNL) injection OPT.JSP.SEC_JSP.ExpressionLanguageInjection
CWE:94 JSP JSP File Inclusion vulnerability OPT.JSP.SEC_JSP.FileInclusionVulnerability
CWE:95 JSP Expression Language (EL / OGNL) injection OPT.JSP.SEC_JSP.ExpressionLanguageInjection

Kotlin

Rule number Language Description Rule
CWE:111 KOTLIN Native Code Exposed. OPT.KOTLIN.SEC.NativeCodeExposed
CWE:200 KOTLIN Do not write IP address in source code OPT.KOTLIN.SEC.HardcodedIp
CWE:200 KOTLIN Generate server-side cookies with adequate security properties OPT.KOTLIN.SEC.UnsafeCookie
CWE:311 KOTLIN Insecure transport OPT.KOTLIN.SEC.InsecureTransport
CWE:326 KOTLIN Insecure transport OPT.KOTLIN.SEC.InsecureTransport
CWE:359 KOTLIN Sensitive information exposed through JSONP OPT.KOTLIN.SEC.JSONPHijacking
CWE:359 KOTLIN Password Management – Password in Redirect OPT.KOTLIN.SEC.PasswordInRedirect
CWE:359 KOTLIN Exposure of Private Information (‘Privacy Violation’) OPT.KOTLIN.SEC.PrivacyViolation
CWE:502 KOTLIN Deserialization of untrusted data OPT.KOTLIN.SEC.SerializationInjection
CWE:539 KOTLIN Generate server-side cookies with adequate security properties OPT.KOTLIN.SEC.UnsafeCookie
CWE:561 KOTLIN Unreachable (“dead”) code. OPT.KOTLIN.UnreachableCode
CWE:581 KOTLIN Object Model Violation: Just one of equals and hashcode defined. OPT.KOTLIN.UnpairedEqualsHashCode
CWE:614 KOTLIN Generate server-side cookies with adequate security properties OPT.KOTLIN.SEC.UnsafeCookie
CWE:79 KOTLIN Same Origin Method Execution (SOME) OPT.KOTLIN.SEC.SameOriginMethodExecution

Objective-C

Rule number Language Description Rule
CWE:113 OBJECTIVEC Improper Neutralization of CRLF Sequences in HTTP Headers (‘HTTP Response Splitting’) OPT.OBJECTIVEC.SECURITY.HttpSplittingRule
CWE:117 OBJECTIVEC Improper Output Neutralization for Logs OPT.OBJECTIVEC.SECURITY.LogForging
CWE:120 OBJECTIVEC Avoid C library functions that do not check for bounds OPT.OBJECTIVEC.AvoidInsecureCStringFunctions
CWE:134 OBJECTIVEC Exclude unsanitized user input from format strings OPT.OBJECTIVEC.FormatStringVulnerability
CWE:159 OBJECTIVEC Connection string polluted with untrusted input OPT.OBJECTIVEC.SECURITY.ConnectionStringParameterPollution
CWE:185 OBJECTIVEC Prevent denial of service attack through malicious regular expression OPT.OBJECTIVEC.DoSRegularExpression
CWE:200 OBJECTIVEC Do not write IP address in source code OPT.OBJECTIVEC.SECURITY.HardcodedIp
CWE:200 OBJECTIVEC Generate server-side cookies with adequate security properties OPT.OBJECTIVEC.SECURITY.UnsafeCookie
CWE:209 OBJECTIVEC Avoid sensitive information exposure through error messages OPT.OBJECTIVEC.SECURITY.InformationExposureThroughErrorMessage
CWE:22 OBJECTIVEC Avoid letting non-neutralized user-controlled input become part of a pathname (file or directory) used in I/O operations OPT.OBJECTIVEC.PathManipulationVulnerability
CWE:235 OBJECTIVEC HTTP parameter pollution (HPP) OPT.OBJECTIVEC.SECURITY.HttpParameterPollutionRule
CWE:260 OBJECTIVEC Use of credentials into configuration file OPT.OBJECTIVEC.SECURITY.PasswordInConfigurationFile
CWE:265 OBJECTIVEC Avoid performing SMS-related operations OPT.OBJECTIVEC.SECURITY.AvoidSMS
CWE:271 OBJECTIVEC Avoid setuid() / setreuid() / setgid() / setregid() to change program privilege levels OPT.OBJECTIVEC.AvoidConfusingUserIdCalls
CWE:284 OBJECTIVEC Avoid using sudo programmatically OPT.OBJECTIVEC.AvoidSudo
CWE:285 OBJECTIVEC Avoid using sudo programmatically OPT.OBJECTIVEC.AvoidSudo
CWE:295 OBJECTIVEC Do not bypass certificate validation failures OPT.OBJECTIVEC.CertificateVerifyFailedBypass
CWE:295 OBJECTIVEC Evaluate server certificate trust chain OPT.OBJECTIVEC.SECURITY.ServerTrustCredentialCheck
CWE:311 OBJECTIVEC Avoid using HTTP instead of HTTPS OPT.OBJECTIVEC.InsecureTransportLayer
CWE:311 OBJECTIVEC Sensitive data stored in Core Data (‘Privacy Violation’) OPT.OBJECTIVEC.SECURITY.SensitiveCoreData
CWE:311 OBJECTIVEC Sensitive data stored in a NoSQL database (‘Privacy Violation’) OPT.OBJECTIVEC.SECURITY.SensitiveNoSQL
CWE:311 OBJECTIVEC Sensitive data stored in a SQL database (‘Privacy Violation’) OPT.OBJECTIVEC.SECURITY.SensitiveSQL
CWE:311 OBJECTIVEC Sensitive data stored in NSUserDefaults (‘Privacy Violation’) OPT.OBJECTIVEC.SECURITY.SensitiveUserDefaults
CWE:312 OBJECTIVEC Cleartext Storage of Sensitive Information in a Cookie OPT.OBJECTIVEC.SECURITY.PlaintextStorageInACookieRule
CWE:313 OBJECTIVEC HTTP sensitive responses being cached OPT.OBJECTIVEC.SECURITY.HttpResponseCachingLeak
CWE:315 OBJECTIVEC Cleartext Storage of Sensitive Information in a Cookie OPT.OBJECTIVEC.SECURITY.PlaintextStorageInACookieRule
CWE:320 OBJECTIVEC Hardcoded cryptographic keys OPT.OBJECTIVEC.SECURITY.HardcodedCryptoKey
CWE:320 OBJECTIVEC Empty or nil password used in key derivation OPT.OBJECTIVEC.SECURITY.WeakKeyDerivationPassword
CWE:321 OBJECTIVEC Hardcoded cryptographic keys OPT.OBJECTIVEC.SECURITY.HardcodedCryptoKey
CWE:321 OBJECTIVEC Empty or nil password used in key derivation OPT.OBJECTIVEC.SECURITY.WeakKeyDerivationPassword
CWE:327 OBJECTIVEC Weak encryption algorithm OPT.OBJECTIVEC.WeakEncryption
CWE:328 OBJECTIVEC Weak cryptographic hashes cannot guarantee data integrity OPT.OBJECTIVEC.WeakCryptographicHash
CWE:359 OBJECTIVEC Sensitive data leaked through keyboard cache OPT.OBJECTIVEC.SECURITY.KeyboardCachingLeak
CWE:359 OBJECTIVEC Sensitive data leaked through the pasteboard caching mechanism OPT.OBJECTIVEC.SECURITY.PasteboardCachingLeak
CWE:359 OBJECTIVEC Exposure of Private Information (‘Privacy Violation’) OPT.OBJECTIVEC.SECURITY.PrivacyViolation
CWE:359 OBJECTIVEC Sensitive data leaked through the screen caching mechanism when app is backgrounded OPT.OBJECTIVEC.SECURITY.ScreenCachingLeak
CWE:359 OBJECTIVEC Sensitive data accessible from iTunes (‘Privacy Violation’) OPT.OBJECTIVEC.SECURITY.SensitiveDataAccessedFromItunes
CWE:367 OBJECTIVEC Use safe file access POSIX functions OPT.OBJECTIVEC.AvoidUnsafeFileFunctions
CWE:377 OBJECTIVEC Creating and using insecure temporary files can leave application and system data vulnerable to attack. OPT.OBJECTIVEC.SECURITY.InsecureTemporaryFile
CWE:467 OBJECTIVEC Do not apply the sizeof operator to a pointer when taking the size of an array OPT.OBJECTIVEC.SizeofPointerInsteadArray
CWE:470 OBJECTIVEC Avoid external control over performSelector OPT.OBJECTIVEC.PerformSelectorWithUntrustedData
CWE:494 OBJECTIVEC Avoid external control over performSelector OPT.OBJECTIVEC.PerformSelectorWithUntrustedData
CWE:499 OBJECTIVEC Serializable Class Containing Sensitive Data OPT.OBJECTIVEC.SECURITY.SerializableClassContainingSensitiveData
CWE:501 OBJECTIVEC Missing Content Validation OPT.OBJECTIVEC.SECURITY.MissingContentValidation
CWE:502 OBJECTIVEC Deserialization of untrusted data OPT.OBJECTIVEC.SECURITY.SerializationInjection
CWE:522 OBJECTIVEC User is asked for fingerprint authentication without a reason message OPT.OBJECTIVEC.SECURITY.BiometricWithoutMessage
CWE:522 OBJECTIVEC Avoid exposing sensitive data to third-party keyboards OPT.OBJECTIVEC.SECURITY.ThirdPartyKeyboardAllowed
CWE:532 OBJECTIVEC Exposure of Private Information (‘Privacy Violation’) OPT.OBJECTIVEC.SECURITY.PrivacyViolation
CWE:539 OBJECTIVEC Generate server-side cookies with adequate security properties OPT.OBJECTIVEC.SECURITY.UnsafeCookie
CWE:549 OBJECTIVEC Password input field is not masked OPT.OBJECTIVEC.SECURITY.MissingPasswordFieldMasking
CWE:563 OBJECTIVEC Avoid unused local variable OPT.OBJECTIVEC.UnusedLocalVar
CWE:566 OBJECTIVEC Avoid using a user-controlled primary key in a query OPT.OBJECTIVEC.SECURITY.UserControlledSQLPrimaryKey
CWE:601 OBJECTIVEC URL Redirection to Untrusted Site (‘Open Redirect’) OPT.OBJECTIVEC.OpenRedirect
CWE:606 OBJECTIVEC Unchecked input in loop condition OPT.OBJECTIVEC.SECURITY.UncheckedInputInLoopCondition
CWE:611 OBJECTIVEC XML entity injection OPT.OBJECTIVEC.XMLEntityInjection
CWE:614 OBJECTIVEC Avoid creating cookies without security attributes OPT.OBJECTIVEC.CookieWithoutSSL
CWE:614 OBJECTIVEC Generate server-side cookies with adequate security properties OPT.OBJECTIVEC.SECURITY.UnsafeCookie
CWE:615 OBJECTIVEC Storing passwords or password details in plaintext anywhere in the system or system code can compromise system security OPT.OBJECTIVEC.SECURITY.PasswordInCommentRule
CWE:643 OBJECTIVEC Improper Neutralization of Data within XPath Expressions (‘XPath Injection’) OPT.OBJECTIVEC.XPathInjection
CWE:684 OBJECTIVEC Do not replace secure functions with less secure functions OPT.OBJECTIVEC.ReplaceWithLessSecureFunc
CWE:698 OBJECTIVEC Execution After Redirect (EAR) OPT.OBJECTIVEC.SECURITY.ExecutionAfterRedirect
CWE:73 OBJECTIVEC Avoid non-neutralized user-controlled input to be part of a pathname (file or directory) used in I/O operations OPT.OBJECTIVEC.PathManipulationVulnerability
CWE:759 OBJECTIVEC Weak cryptographic hashes cannot guarantee data integrity OPT.OBJECTIVEC.WeakCryptographicHash
CWE:760 OBJECTIVEC Weak cryptographic hashes cannot guarantee data integrity OPT.OBJECTIVEC.WeakCryptographicHash
CWE:77 OBJECTIVEC Do not call system() if you do not need a command processor OPT.OBJECTIVEC.DoNotUseSystem
CWE:77 OBJECTIVEC Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) OPT.OBJECTIVEC.SECURITY.CommandInjectionRule
CWE:776 OBJECTIVEC XML entity injection OPT.OBJECTIVEC.XMLEntityInjection
CWE:78 OBJECTIVEC Do not call system() if you do not need a command processor OPT.OBJECTIVEC.DoNotUseSystem
CWE:78 OBJECTIVEC Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) OPT.OBJECTIVEC.SECURITY.CommandInjectionRule
CWE:79 OBJECTIVEC Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) OPT.OBJECTIVEC.CrossSiteScripting
CWE:798 OBJECTIVEC Use of Hard-coded Credentials OPT.OBJECTIVEC.SECURITY.HardcodedUsernamePassword
CWE:829 OBJECTIVEC User is asked for fingerprints without reason OPT.OBJECTIVEC.SECURITY.BiometricWithoutMessage
CWE:829 OBJECTIVEC Avoid exposing sensitive data to third party keyboards. OPT.OBJECTIVEC.SECURITY.ThirdPartyKeyboardAllowed
CWE:835 OBJECTIVEC Loop with Unreachable Exit Condition (‘Infinite Loop’) OPT.OBJECTIVEC.SECURITY.PotentialInfiniteLoop
CWE:88 OBJECTIVEC Do not call system() if you do not need a command processor OPT.OBJECTIVEC.DoNotUseSystem
CWE:89 OBJECTIVEC Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) OPT.OBJECTIVEC.AvoidSqlInjection
CWE:91 OBJECTIVEC Avoid using non-neutralized user-controlled input into JSON entities – JSON Injection OPT.OBJECTIVEC.JSONInjection
CWE:91 OBJECTIVEC XML Injection (aka Blind XPath Injection) OPT.OBJECTIVEC.SECURITY.XMLInjection
CWE:916 OBJECTIVEC Too weak iteration count on key derivation OPT.OBJECTIVEC.SECURITY.WeakKeyDerivationIteration
CWE:916 OBJECTIVEC Weak cryptographic hashes cannot guarantee data integrity OPT.OBJECTIVEC.WeakCryptographicHash
CWE:93 OBJECTIVEC Mail Command Injection OPT.OBJECTIVEC.SECURITY.MailCommandInjection
CWE:939 OBJECTIVEC URL scheme hijacking through user input OPT.OBJECTIVEC.SECURITY.URLSchemeHijacking
CWE:939 OBJECTIVEC Verify invoker application identity OPT.OBJECTIVEC.URLSchemesHandling
CWE:94 OBJECTIVEC Improper Control of Generation of Code (‘Code Injection’) OPT.OBJECTIVEC.CodeInjection
CWE:943 OBJECTIVEC Improper neutralization of special elements in data query logic (NoSQL injection) OPT.OBJECTIVEC.SECURITY.NoSQLInjection
CWE:95 OBJECTIVEC Improper Control of Generation of Code (‘Code Injection’) OPT.OBJECTIVEC.CodeInjection
CWE:99 OBJECTIVEC Improper control of resource identifiers (“Resource Injection”) OPT.OBJECTIVEC.SECURITY.ResourceInjection

Oracle Forms

Rule number Language Description Rule
CWE:89 ORACLEFORMS Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) OPT.ORACLEFORMS.SqlInjection

PHP

Rule number Language Description Rule
CWE:113 PHP Improper Neutralization of CRLF Sequences in HTTP Headers (‘HTTP Response Splitting’) OPT.PHP.HttpSplitting
CWE:116 PHP CSV Excel macro injection OPT.PHP.CsvFormulaInjection
CWE:117 PHP Improper Output Neutralization for Logs OPT.PHP.LogForging
CWE:129 PHP Array index coming from a non neutralized vulnerable input OPT.PHP.SEC.ImproperValidationOfArrayIndex
CWE:134 PHP Exclude unsanitized user input from format strings OPT.PHP.SEC.FormatStringInjectionRule
CWE:15 PHP External Control of System or Configuration Setting OPT.PHP.SEC.ExternalControlOfConfigurationSetting
CWE:159 PHP Connection string polluted with untrusted input OPT.PHP.ConnectionStringParameterPollution
CWE:16 PHP Avoid insecure configuration settings in php.ini / .htaccess descriptors OPT.PHP.InsecurePhpConfiguration
CWE:16 PHP Weak session cookies configuration OPT.PHP.SessionCookieConfiguration
CWE:185 PHP Prevent denial of service attack through malicious regular expression (‘Regex Injection’) OPT.PHP.DoSRegexp
CWE:200 PHP Zend framework session management configuration OPT.PHP.ZendConfiguration
CWE:209 PHP Avoid sensitive information exposure through error messages OPT.PHP.InformationExposureThroughErrorMessage
CWE:22 PHP Avoid non-neutralized user-controlled input to be part of a pathname (file or directory) used in I/O operations OPT.PHP.PathTraversal
CWE:235 PHP HTTP parameter pollution (HPP) OPT.PHP.HttpParameterPollution
CWE:256 PHP Plaintext Storage of a Password OPT.PHP.SEC.PlaintextStorageOfPassword
CWE:310 PHP Weak cryptography, insufficient key length OPT.PHP.SEC.InsufficientKeySizeRule
CWE:311 PHP Avoid using HTTP instead of HTTPS OPT.PHP.HttpToSendData
CWE:311 PHP Encrypt sensitive data before transmission or storage OPT.PHP.MissingEncryptionOfSensitiveData
CWE:312 PHP Cleartext Storage of Sensitive Information in a Cookie OPT.PHP.SEC.PlaintextStorageInACookieRule
CWE:315 PHP Cleartext Storage of Sensitive Information in a Cookie OPT.PHP.SEC.PlaintextStorageInACookieRule
CWE:320 PHP Use of Hard-coded Cryptographic Key OPT.PHP.HardcodedCryptoKey
CWE:320 PHP Weak cryptography, insufficient key length OPT.PHP.SEC.InsufficientKeySizeRule
CWE:321 PHP Use of Hard-coded Cryptographic Key OPT.PHP.HardcodedCryptoKey
CWE:326 PHP Weak cryptography, insufficient key length OPT.PHP.SEC.InsufficientKeySizeRule
CWE:327 PHP Weak cryptographic hash OPT.PHP.WeakCryptographicHash
CWE:327 PHP Weak symmetric encryption algorithm OPT.PHP.WeakEncryptionAlgorithm
CWE:330 PHP Standard pseudo-random number generators cannot withstand cryptographic attacks OPT.PHP.InsecureRandomness
CWE:338 PHP Standard pseudo-random number generators cannot withstand cryptographic attacks OPT.PHP.InsecureRandomness
CWE:346 PHP CORS policy (Cross-origin resource sharing) too broad OPT.PHP.TooBroadCORSPolicy
CWE:352 PHP Cross-Site Request Forgery (CSRF) OPT.PHP.CrossSiteRequestForgery
CWE:359 PHP Exposure of Private Information OPT.PHP.PrivacyViolation
CWE:359 PHP Password Management – Password in Redirect OPT.PHP.SEC.PasswordInRedirectRule
CWE:434 PHP Unrestricted Upload of File with Dangerous Type OPT.PHP.DangerousFileUpload
CWE:473 PHP PHP External Variable Modification OPT.PHP.ExternalVariableModification
CWE:489 PHP CakePHP framework weak configuration OPT.PHP.CakePHPConfiguration
CWE:489 PHP Do not use debug statements in production OPT.PHP.NoUseDebugStatements
CWE:501 PHP Trust boundary violation OPT.PHP.SEC.TrustBoundaryViolationRule
CWE:502 PHP Deserialization of untrusted data OPT.PHP.SerializationInjection
CWE:522 PHP Plaintext Storage of a Password OPT.PHP.SEC.PlaintextStorageOfPassword
CWE:539 PHP Weak cookies configuration OPT.PHP.CookiesConfiguration
CWE:539 PHP Weak session cookies configuration OPT.PHP.SessionCookieConfiguration
CWE:563 PHP Avoid unused local variables OPT.PHP.UnusedLocalVar
CWE:566 PHP Avoid using a user-controlled Primary Key in a query OPT.PHP.SEC.UserControlledSQLPrimaryKey
CWE:601 PHP URL Redirection to Untrusted Site (‘Open Redirect’) OPT.PHP.OpenRedirect
CWE:606 PHP Unchecked input in loop condition OPT.PHP.SEC.UncheckedInputInLoopCondition
CWE:611 PHP XML entity injection OPT.PHP.XmlEntityInjection
CWE:613 PHP CakePHP framework weak configuration OPT.PHP.CakePHPConfiguration
CWE:613 PHP Checks that session expiration interval does not exceed a limit OPT.PHP.SEC.InsufficientSessionExpirationRule
CWE:614 PHP Weak session cookies configuration OPT.PHP.SessionCookieConfiguration
CWE:614 PHP Zend framework session management configuration OPT.PHP.ZendConfiguration
CWE:615 PHP Use of empty or hardcoded password, or storing password in comments OPT.PHP.PasswordManagement
CWE:643 PHP Improper Neutralization of Data within XPath Expressions (‘XPath Injection’) OPT.PHP.XPathInjection
CWE:676 PHP Use of Potentially Dangerous Function OPT.PHP.UnsafeFunction
CWE:698 PHP Execution After Redirect (EAR) OPT.PHP.SEC.ExecutionAfterRedirect
CWE:73 PHP Avoid non-neutralized user-controlled input to be part of a pathname (file or directory) used in I/O operations OPT.PHP.PathTraversal
CWE:760 PHP Use of hardcoded salt OPT.PHP.HardcodedSalt
CWE:77 PHP Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) OPT.PHP.CommandInjection
CWE:776 PHP XML entity injection OPT.PHP.XmlEntityInjection
CWE:78 PHP Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) OPT.PHP.CommandInjection
CWE:784 PHP Reliance on Cookies without Validation and Integrity Checking in a Security Decision OPT.PHP.SEC.CookiesInSecurityDecision
CWE:79 PHP Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) OPT.PHP.CrossSiteScripting
CWE:79 PHP Improper neutralization of stored data during web content generation (Cross-site Scripting, XSS) OPT.PHP.StoredCrossSiteScripting
CWE:835 PHP Loop with Unreachable Exit Condition (‘Infinite Loop’) OPT.PHP.SEC.PotentialInfiniteLoop
CWE:862 PHP Inadequate authorization check to access a resource or perform an action OPT.PHP.MissingAuthorization
CWE:89 PHP Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) OPT.PHP.SqlInjection
CWE:90 PHP Avoid non-neutralized user-controlled input in LDAP search filters OPT.PHP.LdapInjection
CWE:91 PHP XML Injection (aka Blind XPath Injection) OPT.PHP.SEC.XsltInjection
CWE:918 PHP Server-Side Request Forgery (SSRF) OPT.PHP.ServerSideRequestForgery
CWE:93 PHP SMTP Header manipulation OPT.PHP.MailHeaderManipulation
CWE:93 PHP Mail Command Injection OPT.PHP.SEC.MailCommandInjection
CWE:943 PHP Improper neutralization of special elements in data query logic (NoSQL injection) OPT.PHP.SEC.NoSQLInjection
CWE:95 PHP Do not use eval() OPT.PHP.AvoidEval
CWE:95 PHP Improper Neutralization of Directives in Dynamically Evaluated Code (‘Eval Injection’) OPT.PHP.CodeInjection
CWE:98 PHP Improper Control of filename for include / require statement OPT.PHP.IncludeFileInjection
CWE:99 PHP Improper Control of Resource Identifiers (‘Resource Injection’) OPT.PHP.ResourceInjection

PL/SQL

Rule number Language Description Rule
CWE:113 PLSQL Unvalidated data in HTTP response header or in cookies (‘HTTP Response Splitting’) OPT.PLSQL.SEC.HeaderManipulation
CWE:22 PLSQL External Control of File Name or Path OPT.PLSQL.SEC.PathTraversal
CWE:242 PLSQL Dangerous procedure / function called. OPT.PLSQL.SEC.ForbiddenCall
CWE:266 PLSQL Too broad privileges granted. OPT.PLSQL.SEC.TooBroadGrant
CWE:269 PLSQL No explicit AUTHID clause. OPT.PLSQL.SEC.DefaultAuthid
CWE:327 PLSQL Weak cryptographic hashes cannot guarantee data integrity OPT.PLSQL.SEC.WeakCryptographicHash
CWE:327 PLSQL Weak symmetric encryption algorithm. OPT.PLSQL.SEC.WeakSymmetricEncryptionAlgorithm
CWE:330 PLSQL Standard pseudo-random number generators cannot withstand cryptographic attacks. OPT.PLSQL.SEC.InsecureRandomness
CWE:338 PLSQL Standard pseudo-random number generators cannot withstand cryptographic attacks. OPT.PLSQL.SEC.InsecureRandomness
CWE:391 PLSQL Avoid WHEN OTHERS THEN NULL in exceptions OPT.PLSQL.GEN_PLSQL.GER3
CWE:404 PLSQL Close all opened cursors OPT.PLSQL.GEN_PLSQL.CC
CWE:404 PLSQL Close all opened ref cursors OPT.PLSQL.GEN_PLSQL.CRC
CWE:506 PLSQL Potential malicious code. OPT.PLSQL.SEC.SuspiciousCode
CWE:563 PLSQL Detects local variables declared but not used OPT.PLSQL.CNU_PLSQL.UselessVar
CWE:566 PLSQL Avoid using a user-controlled Primary Key in a query OPT.PLSQL.SEC.UserControlledSQLPrimaryKey
CWE:601 PLSQL Do not allow unvalidated input to control the URL used in a redirect OPT.PLSQL.SEC.OpenRedirect
CWE:619 PLSQL Cursor Snarfing OPT.PLSQL.SEC.CursorSnarfing
CWE:706 PLSQL Unqualified database items in AUTHID CURRENT_USER routine. OPT.PLSQL.SEC.UnqualifiedItemAtInvokerRightsRoutine
CWE:730 PLSQL Denial of Service by externally controlled sleep time OPT.PLSQL.SEC.SleepInjection
CWE:77 PLSQL Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) OPT.PLSQL.SEC.CommandInjection
CWE:79 PLSQL Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) OPT.PLSQL.SEC.CrossSiteScripting
CWE:79 PLSQL Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) OPT.PLSQL.SEC.PersistedCrossSiteScripting
CWE:798 PLSQL Use of Hard-coded Credentials OPT.PLSQL.SEC.HardcodedCredential
CWE:89 PLSQL Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) OPT.PLSQL.SEC.SqlInjection
CWE:918 PLSQL Server-Side Request Forgery (SSRF) OPT.PLSQL.SEC.ServerSideRequestForgery

Python

Rule number Language Description Rule
CWE:1004 PYTHON Cookie-based session with an unsafe configuration OPT.PYTHON.DJANGO.CookieBasedSessions
CWE:1004 PYTHON Generate server-side cookies with adequate security properties OPT.PYTHON.SECURITY.UnsafeCookie
CWE:113 PYTHON Avoid including unvalidated data in HTTP response header or in Cookies OPT.PYTHON.SECURITY.HeaderManipulation
CWE:117 PYTHON Unvalidated untrusted input in log OPT.PYTHON.SECURITY.LogForging
CWE:134 PYTHON Exclude unsanitized user input from format strings OPT.PYTHON.SECURITY.FormatStringInjectionRule
CWE:185 PYTHON Potential denial-of-service attack through malicious regular expression (ReDoS) OPT.PYTHON.SECURITY.DoSRegexp
CWE:20 PYTHON Avoid non-neutralized user-controlled input to be stored into a cache OPT.PYTHON.SECURITY.MemcachedInjection
CWE:200 PYTHON Do not write IP address in source code OPT.PYTHON.SECURITY.HardcodedIp
CWE:200 PYTHON Generate server-side cookies with adequate security properties OPT.PYTHON.SECURITY.UnsafeCookie
CWE:209 PYTHON Avoid sensitive information exposure through error messages OPT.PYTHON.SECURITY.InformationExposureThroughErrorMessage
CWE:22 PYTHON Avoid non-neutralized user-controlled input to be part of a pathname (file or directory) used in I/O operations OPT.PYTHON.SECURITY.PathTraversal
CWE:235 PYTHON HTTP parameter pollution (HPP) OPT.PYTHON.SECURITY.HttpParameterPollutionRule
CWE:259 PYTHON Empty or hardcoded passwords may compromise system security in a way that cannot be easily remedied OPT.PYTHON.SECURITY.HardcodedCredential
CWE:260 PYTHON Use of credentials into configuration file OPT.PYTHON.SECURITY.PasswordInConfigurationFile
CWE:285 PYTHON Perform an authorization check when performing an action which requires authorization OPT.PYTHON.DJANGO.MissingFunctionLevelAccessControl
CWE:287 PYTHON Perform an authorization check when performing an action which requires authorization OPT.PYTHON.DJANGO.MissingFunctionLevelAccessControl
CWE:310 PYTHON Weak cryptography, insufficient key length OPT.PYTHON.SECURITY.InsufficientKeySizeRule
CWE:311 PYTHON Insecure transport OPT.PYTHON.SECURITY.InsecureTransport
CWE:311 PYTHON Insecure transport in HTTP servers OPT.PYTHON.SECURITY.ServerInsecureTransport
CWE:312 PYTHON Cleartext Storage of Sensitive Information in a Cookie OPT.PYTHON.SECURITY.PlaintextStorageInACookieRule
CWE:315 PYTHON Cleartext Storage of Sensitive Information in a Cookie OPT.PYTHON.SECURITY.PlaintextStorageInACookieRule
CWE:320 PYTHON Hardcoded cryptographic keys OPT.PYTHON.SECURITY.HardcodedCryptoKey
CWE:320 PYTHON Weak cryptography, insufficient key length OPT.PYTHON.SECURITY.InsufficientKeySizeRule
CWE:321 PYTHON Hardcoded cryptographic keys OPT.PYTHON.SECURITY.HardcodedCryptoKey
CWE:326 PYTHON Weak cryptography, insufficient key length OPT.PYTHON.SECURITY.InsufficientKeySizeRule
CWE:327 PYTHON Weak cryptographic hash OPT.PYTHON.SECURITY.WeakCryptographicHash
CWE:327 PYTHON Weak symmetric encryption algorithm OPT.PYTHON.SECURITY.WeakEncryptionAlgorithm
CWE:328 PYTHON Weak cryptographic hashes cannot guarantee data integrity OPT.PYTHON.DJANGO.WeakCryptographicHashInSettings
CWE:329 PYTHON Not using a Random IV with CBC Mode OPT.PYTHON.SECURITY.NonRandomIVWithCBCMode
CWE:330 PYTHON Standard pseudo-random number generators cannot withstand cryptographic attacks OPT.PYTHON.SECURITY.InsecureRandomness
CWE:338 PYTHON Standard pseudo-random number generators cannot withstand cryptographic attacks OPT.PYTHON.SECURITY.InsecureRandomness
CWE:345 PYTHON Avoid using non-neutralized user-controlled input into JSON entities – JSON Injection OPT.PYTHON.SECURITY.JSONInjection
CWE:346 PYTHON CORS policy (Cross-origin resource sharing) too broad OPT.PYTHON.SECURITY.TooMuchOriginsAllowedRule
CWE:350 PYTHON Avoid checks on client-side hostname, that are not reliable due to DNS poisoning OPT.PYTHON.SECURITY.AvoidHostNameChecksRule
CWE:352 PYTHON Cross-site request forgery (CSRF) OPT.PYTHON.SECURITY.CrossSiteRequestForgery
CWE:359 PYTHON Password Management – Password in Redirect OPT.PYTHON.SECURITY.PasswordInRedirectRule
CWE:391 PYTHON Unhandled SSL exception OPT.PYTHON.SECURITY.UnhandledSSLErrorRule
CWE:426 PYTHON Do not hardcode absolute paths OPT.PYTHON.PORTABILITY.HardcodedAbsolutePath
CWE:470 PYTHON Use of Externally-Controlled Input to Select Classes or Code (‘Unsafe Reflection’) OPT.PYTHON.SECURITY.UnsafeReflection
CWE:472 PYTHON Cookie Poisoning OPT.PYTHON.SECURITY.CookiePoisoning
CWE:501 PYTHON Trust boundary violation OPT.PYTHON.SECURITY.TrustBoundary
CWE:502 PYTHON Deserialization of untrusted data OPT.PYTHON.SECURITY.SerializationInjection
CWE:532 PYTHON Avoid exposing sensitive information through log OPT.PYTHON.SECURITY.InformationExposureThroughDebugLog
CWE:539 PYTHON Generate server-side cookies with adequate security properties OPT.PYTHON.SECURITY.UnsafeCookie
CWE:561 PYTHON Avoid dead code OPT.PYTHON.MAINTAINABILITY.DeadCode
CWE:561 PYTHON Statements after a jump are dead code OPT.PYTHON.MAINTAINABILITY.RemoveStatementsAfterJump
CWE:561 PYTHON Avoid unreachable code OPT.PYTHON.RELIABILITY.UnreachableCode
CWE:566 PYTHON Avoid using a user-controlled Primary Key in a query OPT.PYTHON.SECURITY.UserControlledSQLPrimaryKey
CWE:601 PYTHON Do not allow unvalidated input to control the URL used in a redirect OPT.PYTHON.SECURITY.OpenRedirect
CWE:606 PYTHON Unchecked input in loop condition OPT.PYTHON.SECURITY.UncheckedInputInLoopCondition
CWE:611 PYTHON XML entity injection OPT.PYTHON.SECURITY.XmlEntityInjection
CWE:613 PYTHON Checks that session expiration interval is positive and does not exceed a limit OPT.PYTHON.DJANGO.InsufficientDjangoSettingsSessionExpiration
CWE:613 PYTHON Checks that session expiration interval is positive and does not exceed a limit OPT.PYTHON.SECURITY.InsufficientSessionExpirationRule
CWE:614 PYTHON Generate server-side cookies with adequate security properties OPT.PYTHON.SECURITY.UnsafeCookie
CWE:615 PYTHON Storing passwords or password details in plaintext anywhere in the system or system code can compromise system security OPT.PYTHON.SECURITY.PasswordInComments
CWE:639 PYTHON Check for user authentication and/or authorization before letting the user modify a sensitive system resource OPT.PYTHON.DJANGO.InsecureDirectObjectReferences
CWE:643 PYTHON Avoid XPath expressions formed with non neutralized user input OPT.PYTHON.SECURITY.XpathInjection
CWE:698 PYTHON Execution After Redirect (EAR) OPT.PYTHON.SECURITY.ExecutionAfterRedirect
CWE:73 PYTHON Avoid non-neutralized user-controlled input to be part of a pathname (file or directory) used in I/O operations OPT.PYTHON.SECURITY.PathTraversal
CWE:760 PYTHON Use of hardcoded salt OPT.PYTHON.SECURITY.HardcodedSalt
CWE:77 PYTHON Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) OPT.PYTHON.SECURITY.CommandInjection
CWE:776 PYTHON XML entity injection OPT.PYTHON.SECURITY.XmlEntityInjection
CWE:78 PYTHON Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) OPT.PYTHON.SECURITY.CommandInjection
CWE:784 PYTHON Reliance on Cookies without Validation and Integrity Checking in a Security Decision OPT.PYTHON.SECURITY.CookiesInSecurityDecision
CWE:79 PYTHON Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) OPT.PYTHON.SECURITY.CrossSiteScripting
CWE:79 PYTHON Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) OPT.PYTHON.SECURITY.StoredCrossSiteScripting
CWE:798 PYTHON Use of Hard-coded Credentials OPT.PYTHON.SECURITY.HardcodedAuthData
CWE:798 PYTHON Empty or hardcoded passwords may compromise system security in a way that cannot be easily remedied OPT.PYTHON.SECURITY.HardcodedCredential
CWE:80 PYTHON Secure browser XSS filter OPT.PYTHON.DJANGO.MissingBrowserXssFilter
CWE:835 PYTHON Loop with Unreachable Exit Condition (‘Infinite Loop’) OPT.PYTHON.SECURITY.PotentialInfiniteLoop
CWE:89 PYTHON Avoid SQL code formed with non neutralized user input (vulnerable to SQL Injection attacks) OPT.PYTHON.SECURITY.SqlInjection
CWE:90 PYTHON Avoid non-neutralized user-controlled input in LDAP search filters OPT.PYTHON.SECURITY.LdapInjection
CWE:91 PYTHON Avoid using non-neutralized user-controlled input when creating XML documents OPT.PYTHON.SECURITY.XmlInjection
CWE:915 PYTHON Insufficient form fields validation OPT.PYTHON.DJANGO.MassAssigmentAttack
CWE:918 PYTHON Creation of requests from a vulnerable server using untrusted input (server side request forgery, SSRF) OPT.PYTHON.SECURITY.ServerSideRequestForgery
CWE:93 PYTHON Mail Command Injection OPT.PYTHON.SECURITY.MailCommandInjection
CWE:94 PYTHON Avoid non-neutralized user-controlled input in dynamic code evaluation OPT.PYTHON.SECURITY.CodeInjection
CWE:943 PYTHON Improper neutralization of special elements in data query logic (NoSQL injection) OPT.PYTHON.SECURITY.NoSQLInjection
CWE:99 PYTHON Improper control of resource identifiers (“Resource Injection”) OPT.PYTHON.SECURITY.ResourceInjection

RPG4

Rule number Language Description Rule
CWE:114 RPG4 Avoid calling subprogram where its name could be controlled by user input OPT.RPG4.SEC.ProcessControl
CWE:200 RPG4 Every READE command must be preceded by SETLL OPT.RPG4.SEC.PositionBeforeReadFile
CWE:215 RPG4 Information Exposure Through Debug Information OPT.RPG4.SEC.NoActiveDebugRule
CWE:22 RPG4 External Control of File Name or Path OPT.RPG4.SEC.PathManipulation
CWE:252 RPG4 Validate return code for cryptographic operations OPT.RPG4.SEC.CheckCryptoReturnCode
CWE:272 RPG4 Least privilege failure due to special authority granted OPT.RPG4.SEC.SpecialAuthorityGranted
CWE:327 RPG4 Weak encryption algorithm OPT.RPG4.SEC.WeakEncryptionAlgorithm
CWE:328 RPG4 Weak cryptographic hashes cannot guarantee data integrity OPT.RPG4.SEC.WeakCryptoHash
CWE:391 RPG4 Ignoring error conditions may allow an attacker to induce unexpected behavior unnoticed OPT.RPG4.SEC.PoorErrorHandling
CWE:401 RPG4 Check that allocated memory is properly freed OPT.RPG4.REL.AllocHeapMisuse
CWE:415 RPG4 Check that allocated memory is properly freed OPT.RPG4.REL.AllocHeapMisuse
CWE:416 RPG4 Check that allocated memory is properly freed OPT.RPG4.REL.AllocHeapMisuse
CWE:489 RPG4 Do not use DEBUG in control-specification statements OPT.RPG4.AvoidDebugControlSentences
CWE:566 RPG4 Authorization Bypass Through User-Controlled SQL Primary Key OPT.RPG4.SEC.UnexpectedKeySelect
CWE:628 RPG4 Parameter mismatch in CALL OPT.RPG4.REL.CallParameterMismatch
CWE:639 RPG4 A record UPDATE or DELETE operation must be preceded by a record read operation (CHAIN or READxxx) OPT.RPG4.SEC.ReadRecordBeforeUpdateDelete
CWE:710 RPG4 Do not use GOTO / TAG, CABXX and COMP statements OPT.RPG4.AvoidDangerousConditionalSentences
CWE:73 RPG4 External Control of File Name or Path OPT.RPG4.SEC.PathManipulation
CWE:77 RPG4 Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) OPT.RPG4.SEC.OSCommandInjection
CWE:78 RPG4 Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) OPT.RPG4.SEC.OSCommandInjection
CWE:823 RPG4 Avoid pointer arithmetic in RPG OPT.RPG4.SEC.PointerArithmetic
CWE:89 RPG4 Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) OPT.RPG4.SEC.SqlInjection

Scala

Rule number Language Description Rule
CWE:111 SCALA Avoid calls from Scala to native (JNI) code OPT.SCALA.SECURITY.AvoidNativeCalls
CWE:113 SCALA Improper Neutralization of CRLF Sequences in HTTP Headers (‘HTTP Response Splitting’) OPT.SCALA.SECURITY.HttpSplitting
CWE:114 SCALA Library loaded from untrusted source OPT.SCALA.SECURITY.ProcessControl
CWE:117 SCALA Improper Output Neutralization for Logs OPT.SCALA.SECURITY.LogForging
CWE:134 SCALA Exclude unsanitized user input from format strings OPT.SCALA.SECURITY.FormatStringInjection
CWE:15 SCALA Security misconfiguration in Akka framework. OPT.SCALA.SECURITY.AkkaSecurityMisconfiguration
CWE:15 SCALA External Control of System or Configuration Setting OPT.SCALA.SECURITY.ExternalControlOfConfigurationSetting
CWE:159 SCALA Connection string polluted with untrusted input OPT.SCALA.SECURITY.ConnectionStringParameterPollution
CWE:185 SCALA Prevent denial of service attack through malicious regular expression (‘Regex Injection’) OPT.SCALA.SECURITY.RegexInjection
CWE:200 SCALA Security misconfiguration in Akka framework. OPT.SCALA.SECURITY.AkkaSecurityMisconfiguration
CWE:200 SCALA Do not write IP address in source code OPT.SCALA.SECURITY.HardcodedIp
CWE:200 SCALA Generate server-side cookies with adequate security properties OPT.SCALA.SECURITY.UnsafeCookie
CWE:209 SCALA Avoid sensitive information exposure through error messages OPT.SCALA.SECURITY.InformationExposureThroughErrorMessage
CWE:22 SCALA Avoid non-neutralized user-controlled input composed in a pathname to a resource OPT.SCALA.SECURITY.PathTraversal
CWE:235 SCALA HTTP parameter pollution (HPP) OPT.SCALA.SECURITY.HttpParameterPollution
CWE:256 SCALA Plaintext Storage of a Password OPT.SCALA.SECURITY.PlaintextStorageOfPassword
CWE:260 SCALA Use of credentials into configuration file OPT.SCALA.SECURITY.PasswordInConfigurationFile
CWE:285 SCALA Access Control – Anonymous LDAP Bind OPT.SCALA.SECURITY.AnonymousLdapBind
CWE:310 SCALA Weak cryptography, insufficient key length OPT.SCALA.SECURITY.InsufficientKeySize
CWE:311 SCALA Security misconfiguration in Akka framework. OPT.SCALA.SECURITY.AkkaSecurityMisconfiguration
CWE:311 SCALA Insecure transport OPT.SCALA.SECURITY.InsecureTransport
CWE:312 SCALA Cleartext Storage of Sensitive Information in a Cookie OPT.SCALA.SECURITY.PlaintextStorageInACookieRule
CWE:315 SCALA Cleartext Storage of Sensitive Information in a Cookie OPT.SCALA.SECURITY.PlaintextStorageInACookieRule
CWE:320 SCALA Hardcoded cryptographic keys OPT.SCALA.SECURITY.HardcodedCryptoKey
CWE:320 SCALA Weak cryptography, insufficient key length OPT.SCALA.SECURITY.InsufficientKeySize
CWE:321 SCALA Hardcoded cryptographic keys OPT.SCALA.SECURITY.HardcodedCryptoKey
CWE:325 SCALA Inadequate padding OPT.SCALA.SECURITY.InadequatePadding
CWE:326 SCALA Insecure transport OPT.SCALA.SECURITY.InsecureTransport
CWE:326 SCALA Weak cryptography, insufficient key length OPT.SCALA.SECURITY.InsufficientKeySize
CWE:327 SCALA Weak symmetric encryption algorithm OPT.SCALA.SECURITY.WeakEncryption
CWE:328 SCALA Weak cryptographic hash OPT.SCALA.SECURITY.WeakCryptographicHash
CWE:329 SCALA Not using a Random IV with CBC Mode OPT.SCALA.SECURITY.NonRandomIVWithCBCMode
CWE:330 SCALA Standard pseudo-random number generators cannot withstand cryptographic attacks OPT.SCALA.SECURITY.InsecureRandomness
CWE:338 SCALA Standard pseudo-random number generators cannot withstand cryptographic attacks OPT.SCALA.SECURITY.InsecureRandomness
CWE:345 SCALA Avoid using non-neutralized user-controlled input into JSON entities – JSON Injection OPT.SCALA.SECURITY.JSONInjection
CWE:346 SCALA Too many allowed origins in HTML5 Access-Control-Allow-Origin header OPT.SCALA.SECURITY.TooBroadCORSPolicy
CWE:350 SCALA Avoid checks on client-side hostname, that are not reliable due to DNS poisoning OPT.SCALA.SECURITY.AvoidHostNameChecks
CWE:352 SCALA Cross-site request forgery (CSRF) OPT.SCALA.SECURITY.CrossSiteRequestForgery
CWE:359 SCALA Sensitive information exposed through JSONP OPT.SCALA.SECURITY.JSONPHijacking
CWE:359 SCALA Password Management – Password in Redirect OPT.SCALA.SECURITY.PasswordInRedirect
CWE:359 SCALA Exposure of Private Information (‘Privacy Violation’) OPT.SCALA.SECURITY.PrivacyViolation
CWE:400 SCALA Security misconfiguration in Akka framework. OPT.SCALA.SECURITY.AkkaSecurityMisconfiguration
CWE:470 SCALA Use of Externally-Controlled Input to Select Classes or Code (‘Unsafe Reflection’) OPT.SCALA.SECURITY.UnsafeReflection
CWE:494 SCALA Library loaded from untrusted source OPT.SCALA.SECURITY.ProcessControl
CWE:499 SCALA Serializable Class Containing Sensitive Data OPT.SCALA.SECURITY.SerializableClassContainingSensitiveData
CWE:501 SCALA Trust boundary violation OPT.SCALA.SECURITY.TrustBoundaryViolation
CWE:502 SCALA Security misconfiguration in Akka framework. OPT.SCALA.SECURITY.AkkaSecurityMisconfiguration
CWE:502 SCALA Deserialization of untrusted data OPT.SCALA.SECURITY.SerializationInjection
CWE:522 SCALA Use of credentials into configuration file OPT.SCALA.SECURITY.PasswordInConfigurationFile
CWE:539 SCALA Generate server-side cookies with adequate security properties OPT.SCALA.SECURITY.UnsafeCookie
CWE:566 SCALA Avoid using a user-controlled Primary Key in a query OPT.SCALA.SECURITY.UserControlledSQLPrimaryKey
CWE:601 SCALA URL Redirection to Untrusted Site (‘Open Redirect’) OPT.SCALA.SECURITY.ExecutionAfterRedirect
CWE:601 SCALA Do not allow unvalidated input to control the URL used in a redirect OPT.SCALA.SECURITY.OpenRedirect
CWE:606 SCALA Unchecked input in loop condition OPT.SCALA.SECURITY.UncheckedInputInLoopCondition
CWE:611 SCALA XML entity injection OPT.SCALA.SECURITY.XmlEntityInjection
CWE:613 SCALA Security misconfiguration in Akka framework. OPT.SCALA.SECURITY.AkkaSecurityMisconfiguration
CWE:614 SCALA Generate server-side cookies with adequate security properties OPT.SCALA.SECURITY.UnsafeCookie
CWE:643 SCALA Improper Neutralization of Data within XPath Expressions (‘XPath Injection’) OPT.SCALA.SECURITY.XPathInjection
CWE:676 SCALA Library loaded from untrusted source OPT.SCALA.SECURITY.ProcessControl
CWE:760 SCALA A hardcoded salt can compromise system security OPT.SCALA.SECURITY.HardcodedSalt
CWE:77 SCALA Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) OPT.SCALA.SECURITY.CommandInjection
CWE:776 SCALA XML entity injection OPT.SCALA.SECURITY.XmlEntityInjection
CWE:78 SCALA Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) OPT.SCALA.SECURITY.CommandInjection
CWE:784 SCALA Reliance on Cookies without Validation and Integrity Checking in a Security Decision OPT.SCALA.SECURITY.CookiesInSecurityDecision
CWE:79 SCALA Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) OPT.SCALA.SECURITY.CrossSiteScripting
CWE:79 SCALA Same Origin Method Execution (SOME) OPT.SCALA.SECURITY.SameOriginMethodExecution
CWE:798 SCALA Use of Hard-coded Credentials OPT.SCALA.SECURITY.HardcodedUsernamePassword
CWE:835 SCALA Loop with Unreachable Exit Condition (‘Infinite Loop’) OPT.SCALA.SECURITY.PotentialInfiniteLoop
CWE:89 SCALA Avoid SQL code formed with non-neutralized user input (vulnerable to SQL Injection attacks) OPT.SCALA.SECURITY.SqlInjection
CWE:90 SCALA Avoid non-neutralized user-controlled input in LDAP search filters OPT.SCALA.SECURITY.LdapInjection
CWE:91 SCALA XML Injection (aka Blind XPath Injection) OPT.SCALA.SECURITY.XsltInjection
CWE:918 SCALA Creation of requests from a vulnerable server using untrusted input (server side request forgery, SSRF) OPT.SCALA.SECURITY.ServerSideRequestForgery
CWE:93 SCALA Mail Command Injection OPT.SCALA.SECURITY.MailCommandInjection
CWE:94 SCALA Avoid non-neutralized user-controlled input in dynamic code evaluation OPT.SCALA.SECURITY.CodeInjection
CWE:943 SCALA Improper neutralization of special elements in data query logic (NoSQL injection) OPT.SCALA.SECURITY.NoSQLInjection
CWE:95 SCALA Avoid non-neutralized user-controlled input in dynamic code evaluation OPT.SCALA.SECURITY.CodeInjection
CWE:99 SCALA Improper control of resource identifiers (“Resource Injection”) OPT.SCALA.SECURITY.ResourceInjection

SQL Script

Rule number Language Description Rule
CWE:272 SQLSCRIPT Excessive privileges granted. OPT.HANA.SEC.ExcessivePrivilegesGranted
CWE:489 SQLSCRIPT Avoid TRACE in production code. OPT.HANA.EFFICIENCY.AvoidTraceInProduction
CWE:563 SQLSCRIPT Unused local variable. OPT.HANA.EFFICIENCY.UnusedVariable
CWE:676 SQLSCRIPT Call to unsafe or dangerous procedure / function. OPT.HANA.SEC.ForbiddenCall
CWE:89 SQLSCRIPT Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) OPT.HANA.SEC.SqlInjection

Swift

Rule number Language Description Rule
CWE:113 SWIFT Avoid including unvalidated data in HTTP response header or in Cookies OPT.SWIFT.SECURITY.HeaderManipulation
CWE:117 SWIFT Improper Output Neutralization for Logs OPT.SWIFT.SECURITY.LogForging
CWE:120 SWIFT Potential memory corruption OPT.SWIFT.RELIABILITY.BufferOverflow
CWE:134 SWIFT Exclude unsanitized user input from format strings OPT.SWIFT.SECURITY.StringFormatInjection
CWE:159 SWIFT Connection string polluted with untrusted input OPT.SWIFT.SECURITY.ConnectionStringParameterPollution
CWE:176 SWIFT Potential memory corruption OPT.SWIFT.RELIABILITY.PotentialEncodingBufferOverflow
CWE:185 SWIFT Prevent denial of service attack through malicious regular expression (‘Regex Injection’) OPT.SWIFT.SECURITY.RegexInjection
CWE:200 SWIFT Do not write IP address in source code OPT.SWIFT.SECURITY.HardcodedIp
CWE:200 SWIFT Generate server-side cookies with adequate security properties OPT.SWIFT.SECURITY.UnsafeCookie
CWE:22 SWIFT Avoid non-neutralized user-controlled input composed in a pathname to a resource OPT.SWIFT.SECURITY.PathTraversal
CWE:235 SWIFT HTTP parameter pollution (HPP) OPT.SWIFT.SECURITY.HttpParameterPollutionRule
CWE:259 SWIFT Weak keys used for cryptographic purposes OPT.SWIFT.SECURITY.WeakCryptographicKey
CWE:260 SWIFT Use of credentials in a configuration file OPT.SWIFT.SECURITY.PasswordInConfigurationFile
CWE:265 SWIFT Avoid performing SMS-related operations OPT.SWIFT.SECURITY.AvoidSMS
CWE:295 SWIFT Evaluate server certificate trust chain OPT.SWIFT.SECURITY.ServerTrustCredentialCheck
CWE:311 SWIFT Insecure transport OPT.SWIFT.SECURITY.InsecureTransport
CWE:311 SWIFT Sensitive data stored in CoreData (‘Privacy Violation’) OPT.SWIFT.SECURITY.SensitiveCoreData
CWE:311 SWIFT Sensitive data stored in a NoSQL database (‘Privacy Violation’) OPT.SWIFT.SECURITY.SensitiveNoSQL
CWE:311 SWIFT Sensitive data stored in a SQL database (‘Privacy Violation’) OPT.SWIFT.SECURITY.SensitiveSQL
CWE:311 SWIFT Sensitive data stored in UserDefaults (‘Privacy Violation’) OPT.SWIFT.SECURITY.SensitiveUserDefaults
CWE:312 SWIFT Cleartext Storage of Sensitive Information in a Cookie OPT.SWIFT.SECURITY.PlaintextStorageInACookieRule
CWE:313 SWIFT HTTP sensitive responses being cached OPT.SWIFT.SECURITY.HTTPResponseCachingLeak
CWE:315 SWIFT Cleartext Storage of Sensitive Information in a Cookie OPT.SWIFT.SECURITY.PlaintextStorageInACookieRule
CWE:320 SWIFT Weak keys used for cryptographic purposes OPT.SWIFT.SECURITY.WeakCryptographicKey
CWE:320 SWIFT Empty or nil password used in key derivation OPT.SWIFT.SECURITY.WeakKeyDerivationPassword
CWE:321 SWIFT Weak keys used for cryptographic purposes OPT.SWIFT.SECURITY.WeakCryptographicKey
CWE:321 SWIFT Empty or nil password used in key derivation OPT.SWIFT.SECURITY.WeakKeyDerivationPassword
CWE:326 SWIFT Insecure transport OPT.SWIFT.SECURITY.InsecureTransport
CWE:327 SWIFT Weak symmetric encryption algorithm OPT.SWIFT.SECURITY.WeakEncryption
CWE:327 SWIFT Do not use weak modes of operation with symmetric encryption OPT.SWIFT.SECURITY.WeakSymmetricEncryptionModeOfOperation
CWE:328 SWIFT Weak cryptographic hashes cannot guarantee data integrity OPT.SWIFT.SECURITY.WeakCryptographicHash
CWE:328 SWIFT Weak cryptographic salts cannot guarantee data integrity OPT.SWIFT.SECURITY.WeakCryptographicHashSalt
CWE:329 SWIFT Weak encryption initialization vector OPT.SWIFT.SECURITY.WeakSymmetricEncryptionInitializationVector
CWE:345 SWIFT Avoid using non-neutralized user-controlled input into JSON entities – JSON Injection OPT.SWIFT.SECURITY.JSONInjection
CWE:359 SWIFT Sensitive data leaked through keyboard cache OPT.SWIFT.SECURITY.KeyboardCachingLeak
CWE:359 SWIFT Sensitive data leaked through the pasteboard caching mechanism OPT.SWIFT.SECURITY.PasteboardCachingLeak
CWE:359 SWIFT Exposure of Private Information (‘Privacy Violation’) OPT.SWIFT.SECURITY.PrivacyViolation
CWE:359 SWIFT Sensitive data leaked through the screen caching mechanism when app is backgrounded OPT.SWIFT.SECURITY.ScreenCachingLeak
CWE:359 SWIFT Exposure of Private Information (‘Privacy Violation’) OPT.SWIFT.SECURITY.SensitiveDataAccessedFromItunes
CWE:377 SWIFT Creating and using insecure temporary files can leave application and system data vulnerable to attack. OPT.SWIFT.SECURITY.InsecureTemporaryFile
CWE:390 SWIFT Avoid empty CATCH blocks OPT.SWIFT.RELIABILITY.AvoidEmptyCatchBlocks
CWE:426 SWIFT Do not hardcode absolute paths OPT.SWIFT.PORTABILITY.HardcodedAbsolutePath
CWE:470 SWIFT Use of Externally-Controlled Input to Select Classes or Code (‘Unsafe Reflection’) OPT.SWIFT.SECURITY.UnsafeReflection
CWE:499 SWIFT Serializable Class Containing Sensitive Data OPT.SWIFT.SECURITY.SerializableClassContainingSensitiveData
CWE:501 SWIFT Missing Content Validation OPT.SWIFT.SECURITY.MissingContentValidation
CWE:502 SWIFT Deserialization of untrusted data OPT.SWIFT.SECURITY.SerializationInjection
CWE:522 SWIFT User is asked for fingerprints without reason OPT.SWIFT.SECURITY.BiometricWithoutMessage
CWE:522 SWIFT Avoid exposing sensitive data to third party keyboards. OPT.SWIFT.SECURITY.ThirdPartyKeyboardAllowed
CWE:539 SWIFT Generate server-side cookies with adequate security properties OPT.SWIFT.SECURITY.UnsafeCookie
CWE:549 SWIFT Password input field is not masked OPT.SWIFT.SECURITY.MissingPasswordFieldMasking
CWE:561 SWIFT Unused function parameter OPT.SWIFT.MAINTAINABILITY.UnusedParameter
CWE:561 SWIFT Avoid unused private methods and constructors OPT.SWIFT.MAINTAINABILITY.UnusedPrivateFunction
CWE:561 SWIFT Avoid unreachable code OPT.SWIFT.RELIABILITY.UnreachableCode
CWE:563 SWIFT Bound local variable value is never used OPT.SWIFT.MAINTAINABILITY.DeadStores
CWE:563 SWIFT Unused local variable OPT.SWIFT.MAINTAINABILITY.UnusedLocalVar
CWE:566 SWIFT Avoid using a user-controlled primary key in a query OPT.SWIFT.SECURITY.UserControlledSQLPrimaryKey
CWE:601 SWIFT Do not allow unvalidated input to control the URL used in a redirect OPT.SWIFT.SECURITY.OpenRedirect
CWE:606 SWIFT Unchecked input in loop condition OPT.SWIFT.SECURITY.UncheckedInputInLoopCondition
CWE:611 SWIFT XML entity injection OPT.SWIFT.SECURITY.XMLEntityInjection
CWE:614 SWIFT Generate server-side cookies with adequate security properties OPT.SWIFT.SECURITY.UnsafeCookie
CWE:615 SWIFT Storing passwords or password details in plaintext anywhere in the system or system code can compromise system security OPT.SWIFT.SECURITY.PasswordInCommentRule
CWE:643 SWIFT Avoid XPath expressions formed with non-neutralized user input OPT.SWIFT.SECURITY.XpathInjection
CWE:698 SWIFT Execution After Redirect (EAR) OPT.SWIFT.SECURITY.ExecutionAfterRedirect
CWE:759 SWIFT Weak cryptographic salts cannot guarantee data integrity OPT.SWIFT.SECURITY.WeakCryptographicHashSalt
CWE:760 SWIFT Weak cryptographic salts cannot guarantee data integrity OPT.SWIFT.SECURITY.WeakCryptographicHashSalt
CWE:77 SWIFT Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) OPT.SWIFT.SECURITY.CommandInjection
CWE:776 SWIFT XML entity injection OPT.SWIFT.SECURITY.XMLEntityInjection
CWE:78 SWIFT Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) OPT.SWIFT.SECURITY.CommandInjection
CWE:79 SWIFT Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) OPT.SWIFT.SECURITY.CrossSiteScripting
CWE:798 SWIFT Use of Hard-coded Credentials OPT.SWIFT.SECURITY.HardcodedUsernamePassword
CWE:829 SWIFT User is asked for fingerprints without reason OPT.SWIFT.SECURITY.BiometricWithoutMessage
CWE:829 SWIFT Avoid exposing sensitive data to third party keyboards. OPT.SWIFT.SECURITY.ThirdPartyKeyboardAllowed
CWE:835 SWIFT Loop with Unreachable Exit Condition (‘Infinite Loop’) OPT.SWIFT.SECURITY.PotentialInfiniteLoop
CWE:89 SWIFT Avoid SQL code formed with non-neutralized user input (vulnerable to SQL Injection attacks) OPT.SWIFT.SECURITY.SqlInjection
CWE:91 SWIFT XML Injection (aka Blind XPath Injection) OPT.SWIFT.SECURITY.XMLInjection
CWE:911 SWIFT Delegate protocols must be class-only OPT.SWIFT.RELIABILITY.UseWeakReferencesWithDelegateProtocols
CWE:916 SWIFT Too weak iteration count on key derivation OPT.SWIFT.SECURITY.WeakKeyDerivationIteration
CWE:93 SWIFT Mail Command Injection OPT.SWIFT.SECURITY.MailCommandInjection
CWE:939 SWIFT URL scheme hijacking through user input OPT.SWIFT.SECURITY.URLSchemeHijacking
CWE:94 SWIFT Avoid non-neutralized user-controlled input in dynamic code evaluation OPT.SWIFT.SECURITY.CodeInjection
CWE:943 SWIFT Improper neutralization of special elements in data query logic (NoSQL injection) OPT.SWIFT.SECURITY.NoSQLInjection
CWE:95 SWIFT Avoid non-neutralized user-controlled input in dynamic code evaluation OPT.SWIFT.SECURITY.CodeInjection
CWE:99 SWIFT Improper control of resource identifiers (“Resource Injection”) OPT.SWIFT.SECURITY.ResourceInjection

Transact-SQL

Rule number Language Description Rule
CWE:242 TRANSACTSQL Dangerous procedure / function called. OPT.TRANSACTSQL.SEC.ForbiddenCall
CWE:266 TRANSACTSQL Too broad privileges granted. OPT.TRANSACTSQL.SEC.TooBroadGrant
CWE:327 TRANSACTSQL Weak cryptographic hashes cannot guarantee data integrity OPT.TRANSACTSQL.SEC.WeakCryptographicHash
CWE:327 TRANSACTSQL Weak symmetric encryption algorithm. OPT.TRANSACTSQL.SEC.WeakSymmetricEncryptionAlgorithm
CWE:330 TRANSACTSQL Standard pseudo-random number generators cannot withstand cryptographic attacks. OPT.TRANSACTSQL.SEC.InsecureRandomness
CWE:338 TRANSACTSQL Standard pseudo-random number generators cannot withstand cryptographic attacks. OPT.TRANSACTSQL.SEC.InsecureRandomness
CWE:404 TRANSACTSQL Close/deallocate cursors and deallocate cursor variables in the same T-SQL scope where they are declared OPT.TRANSACTSQL.CloseDeallocateCursors
CWE:563 TRANSACTSQL Unused local variables or procedure/function parameters. OPT.TRANSACTSQL.DeadVariableOrParameter
CWE:566 TRANSACTSQL Avoid using a user-controlled primary key in a query OPT.TRANSACTSQL.SEC.UserControlledSQLPrimaryKey
CWE:615 TRANSACTSQL Avoid hardcoded or in-comment emails in source code OPT.TRANSACTSQL.AvoidEmailHardcoded
CWE:730 TRANSACTSQL Denial of Service by externally controlled sleep time OPT.TRANSACTSQL.SEC.SleepInjection
CWE:77 TRANSACTSQL Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) OPT.TRANSACTSQL.SEC.CommandInjection
CWE:798 TRANSACTSQL Avoid hardcoded or in-comment emails in source code OPT.TRANSACTSQL.AvoidEmailHardcoded
CWE:89 TRANSACTSQL Avoid dynamic SQL statements as much as possible OPT.TRANSACTSQL.AvoidDynamicSql
CWE:89 TRANSACTSQL Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) OPT.TRANSACTSQL.SEC.SqlInjection

VB6

Rule number Language Description Rule
CWE:563 VB6 Avoid unused Local variables OPT.VB6.VBDC.VLSU

VB.NET

Rule number Language Description Rule
CWE:390 VBNET Do not leave empty catch blocks OPT.VBNET.VBnet.EmptyCatch
CWE:459 VBNET Dispose objects before losing scope OPT.VBNET.VBnet.DisposeObjectsBeforeLosingScope
CWE:563 VBNET Unused local variable OPT.VBNET.VBnet.RemoveUnusedLocals