Kiuwan CWE declaration

The following is the list of common software security weaknesses (CWE entries) covered by the Kiuwan engines.

Languages covered, each with its own section below:

ABAP, ActionScript, ASP, ASP.NET, COBOL, C++, C#, Hibernate, HTML, Informix, Java, JavaScript, JSP, Kotlin, Objective-C, Oracle Forms, PHP, PL/SQL, Python, RPG4, Scala, SQL Script, Swift, Transact-SQL, VB6, VB.NET

ABAP

Rule number | Language | Description | Rule
CWE:113 | ABAP | Unvalidated data in HTTP response header | OPT.ABAP.SEC.HttpHeaderManipulation
CWE:114 | ABAP | Avoid dynamic constructs controlled by external input | OPT.ABAP.SEC.DynamicConstructs
CWE:185 | ABAP | Prevent denial of service attack through malicious regular expression (‘Regex Injection’) | OPT.ABAP.SEC.RegexInjection
CWE:200 | ABAP | Hardcoded SAP client check (sy-mandt) | OPT.ABAP.SEC.HardcodedClientCheck
CWE:200 | ABAP | Avoid hardcoding current server date checks (sy-datum) in the code | OPT.ABAP.SEC.HardcodedDateCheck
CWE:200 | ABAP | Avoid hardcoding sensitive information | OPT.ABAP.SEC.HardcodedSensitiveData
CWE:22 | ABAP | External Control of File Name or Path | OPT.ABAP.SEC.PathManipulation
CWE:259 | ABAP | Avoid hard-coded or in-comment credentials (username / password) in code | OPT.ABAP.SEC.PasswordManagement
CWE:266 | ABAP | Table without authorization group | OPT.ABAP.SEC.NoAuthorizationGroup4Table
CWE:285 | ABAP | Improper implementation of authorization check | OPT.ABAP.SEC.BadAuthorizationCheck
CWE:285 | ABAP | Any report must perform an authority check | OPT.ABAP.SEC.CheckAuthInAllPrograms
CWE:285 | ABAP | Authorization check must be done explicitly before CALL TRANSACTION | OPT.ABAP.SEC.NoAuthorizationCheckCallTransaction
CWE:285 | ABAP | Authorization check must be done explicitly in RFC-enabled functions | OPT.ABAP.SEC.NoAuthorizationCheckRFC
CWE:285 | ABAP | Authorization check must be done explicitly on SQL statements | OPT.ABAP.SEC.NoAuthorizationCheckSQL
CWE:300 | ABAP | Standard pseudo-random number generators cannot withstand cryptographic attacks | OPT.ABAP.SEC.InsecureRandomness
CWE:328 | ABAP | Weak cryptographic hashes cannot guarantee data integrity | OPT.ABAP.SEC.WeakHashAlgorithm
CWE:330 | ABAP | Standard pseudo-random number generators cannot withstand cryptographic attacks | OPT.ABAP.SEC.InsecureRandomness
CWE:338 | ABAP | Standard pseudo-random number generators cannot withstand cryptographic attacks | OPT.ABAP.SEC.InsecureRandomness
CWE:391 | ABAP | Uncaught exception in RFC call | OPT.ABAP.RELIABILITY.UncaughtExceptionInRfcCall
CWE:434 | ABAP | Dangerous file download | OPT.ABAP.SEC.DangerousFileDownload
CWE:434 | ABAP | Dangerous file upload | OPT.ABAP.SEC.DangerousFileUpload
CWE:488 | ABAP | Do not bypass SAP client separation mechanism | OPT.ABAP.SEC.CrossClientDatabaseAccess
CWE:488 | ABAP | Hardcoded SAP client check (sy-mandt) | OPT.ABAP.SEC.HardcodedClientCheck
CWE:489 | ABAP | Remove BREAK-POINT statements from production code | OPT.ABAP.APBR.NoBreakPointStatements
CWE:489 | ABAP | Avoid development/test backdoors in production code | OPT.ABAP.SEC.Backdoors
CWE:489 | ABAP | Usage of sy-sysid (informative) | OPT.ABAP.SEC.UsagesOfSySysid
CWE:489 | ABAP | Usage of sy-uname (informative) | OPT.ABAP.SEC.UsagesOfSyUname
CWE:601 | ABAP | URL Redirection to Untrusted Site (‘Open Redirect’) | OPT.ABAP.SEC.OpenRedirect
CWE:606 | ABAP | Use WHILE instead of unconditional DO loops | OPT.ABAP.APFR.SuggestWhileInsteadOfDo
CWE:615 | ABAP | Avoid hard-coded or in-comment credentials (username / password) in code | OPT.ABAP.SEC.PasswordManagement
CWE:642 | ABAP | Inadequate usage of ABAP System field | OPT.ABAP.SEC.OverwriteSystemFields
CWE:653 | ABAP | Hardcoded System ID check (sy-sysid) | OPT.ABAP.SEC.HardcodedSystemIdCheck
CWE:676 | ABAP | Do not call system / kernel functions from ABAP application code | OPT.ABAP.AGR.CallSysFunction
CWE:691 | ABAP | Logic depending on text symbols | OPT.ABAP.RELIABILITY.LogicDependingOnTextSymbols
CWE:73 | ABAP | External Control of File Name or Path | OPT.ABAP.SEC.PathManipulation
CWE:749 | ABAP | Avoid calling transactions corresponding to a certain module | OPT.ABAP.AGR.CallTx
CWE:77 | ABAP | Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) | OPT.ABAP.SEC.CommandInjection
CWE:778 | ABAP | Include audit fields in custom tables | OPT.ABAP.ASR.ControlFieldsClientTables
CWE:78 | ABAP | Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) | OPT.ABAP.SEC.CommandInjection
CWE:79 | ABAP | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) | OPT.ABAP.SEC.CrossSiteScripting
CWE:798 | ABAP | Avoid hard-coded or in-comment credentials (username / password) in code | OPT.ABAP.SEC.PasswordManagement
CWE:813 | ABAP | Avoid queries on sensitive tables from ABAP code | OPT.ABAP.ASR.SecuritySelectTables
CWE:862 | ABAP | SQL Bad Practices – Direct Update | OPT.ABAP.SEC.DirectUpdate
CWE:89 | ABAP | Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) | OPT.ABAP.SEC.SqlInjection
CWE:941 | ABAP | Destination injection in RFC call | OPT.ABAP.SEC.RfcDestinationInjection
CWE:95 | ABAP | Avoid Dynamic Code constructs | OPT.ABAP.SEC.DynamicCode
CWE:95 | ABAP | Avoid dynamic constructs controlled by external input | OPT.ABAP.SEC.DynamicConstructs

ActionScript

Rule number | Language | Description | Rule
CWE:563 | ACTIONSCRIPT | Detect unused local variables | OPT.ACTIONSCRIPT.GEN_ACTIONSCRIPT.AvoidUnusedLocalVar

ASP

Rule number | Language | Description | Rule
CWE:89 | ASP | Checks for SQL injection vulnerabilities | OPT.ASP.ASP_SEC.ASP_SqlInjection

ASP.NET

Rule number | Language | Description | Rule
CWE:1022 | ASPNET | Improper Neutralization of links to external sites | OPT.ASPNET.TargetBlankVulnerability
CWE:11 | ASPNET | ASP.NET Misconfiguration: Creating Debug Binary | OPT.ASPNET.AvoidEnabledDebugMode
CWE:113 | ASPNET | Unvalidated data in HTTP response header (‘HTTP Response Splitting’) | OPT.ASPNET.HeaderValidationMisconfiguration
CWE:12 | ASPNET | ASP.NET Misconfiguration: Missing Custom Error Page | OPT.ASPNET.EnableCustomErrorPage
CWE:16 | ASPNET | ASP.NET Misconfiguration: Creating Debug Binary | OPT.ASPNET.AvoidEnabledDebugMode
CWE:16 | ASPNET | No clickjacking protection configured | OPT.ASPNET.ClickjackingProtection
CWE:16 | ASPNET | Dangerous application setting | OPT.ASPNET.DangerousAppSetting
CWE:16 | ASPNET | Directory Browsing enabled | OPT.ASPNET.DirectoryBrowsing
CWE:16 | ASPNET | A misconfiguration makes session hijacking attacks easier | OPT.ASPNET.SessionHijackingMisconfiguration
CWE:16 | ASPNET | Trace information enabled and remotely accessible | OPT.ASPNET.TraceEnabled
CWE:185 | ASPNET | Regular expression in RegularExpressionValidator may be used for denial of service | OPT.ASPNET.ReDoSInRegularExpressionValidator
CWE:20 | ASPNET | The value of ValidateRequest in pages must be set to true to prevent code injection attacks | OPT.ASPNET.AvoidDisabledValidateRequest
CWE:20 | ASPNET | The validateRequest attribute value should be true to prevent code injection attacks | OPT.ASPNET.AvoidDisabledValidateRequestConfig
CWE:200 | ASPNET | Service metadata exposure | OPT.ASPNET.ServiceMetadataVisibility
CWE:259 | ASPNET | Password exposure in Web.config file | OPT.ASPNET.CredentialsMisconfiguration
CWE:285 | ASPNET | Do not use transport security mode in WCF | OPT.ASPNET.WCFTransportSecurity
CWE:288 | ASPNET | Misconfiguration in authorization rules allowing HTTP Verb Tampering | OPT.ASPNET.HTTPVerbTampering
CWE:295 | ASPNET | Untrustworthy certificate verification | OPT.ASPNET.CertificateVerificationMisconfiguration
CWE:302 | ASPNET | Unprotected roles in cookies | OPT.ASPNET.UnprotectedRolesInCookies
CWE:346 | ASPNET | CORS policy (Cross-origin resource sharing) too broad | OPT.ASPNET.TooBroadCORSPolicy
CWE:388 | ASPNET | Audit of security events misconfiguration in WCF | OPT.ASPNET.WCFAuditMisconfiguration
CWE:489 | ASPNET | Avoid enabling WCF debug information | OPT.ASPNET.WCFAvoidEnabledDebug
CWE:497 | ASPNET | Trace information enabled and remotely accessible | OPT.ASPNET.TraceEnabled
CWE:522 | ASPNET | Insufficiently protected credentials in connection strings | OPT.ASPNET.CredentialsInConnectionString
CWE:522 | ASPNET | Persist Security Info enabled in connection strings | OPT.ASPNET.PersistSecurityInfoTrue
CWE:548 | ASPNET | Directory Browsing enabled | OPT.ASPNET.DirectoryBrowsing
CWE:556 | ASPNET | Avoid impersonation in ASP.Net configuration | OPT.ASPNET.AvoidImpersonation
CWE:613 | ASPNET | Set expiration timeout for authentication cookies | OPT.ASPNET.FormsAuthenticacionTimeout
CWE:614 | ASPNET | Send Cookies using SSL | OPT.ASPNET.AvoidSendCookiesWithoutSSL
CWE:646 | ASPNET | Prevent MIME sniffing | OPT.ASPNET.PreventMIMESniffing
CWE:693 | ASPNET | No clickjacking protection configured | OPT.ASPNET.ClickjackingProtection
CWE:778 | ASPNET | Audit of security events misconfiguration in WCF | OPT.ASPNET.WCFAuditMisconfiguration
CWE:79 | ASPNET | Do not set EnableViewStateMac=false | OPT.ASPNET.EnableViewStateMac
CWE:807 | ASPNET | If authentication is through Forms, enable sending the information over SSL | OPT.ASPNET.AuthenticationFormsWithoutSSL
CWE:807 | ASPNET | Set expiration timeout for authentication cookies | OPT.ASPNET.FormsAuthenticacionTimeout
CWE:807 | ASPNET | A misconfiguration makes session hijacking attacks easier | OPT.ASPNET.SessionHijackingMisconfiguration
CWE:863 | ASPNET | Dangerous application setting | OPT.ASPNET.DangerousAppSetting
CWE:94 | ASPNET | Do not use Content Delivery Network (CDN) for JavaScript code | OPT.ASPNET.AvoidContentDeliveryNetwork

COBOL

Rule number | Language | Description | Rule
CWE:113 | COBOL | Unvalidated data in HTTP response header | OPT.COBOL.SEC.HTTPHeaderManipulation
CWE:114 | COBOL | Avoid calling a subprogram whose name could be controlled by user input | OPT.COBOL.SEC.Cobol_ProcessControl
CWE:20 | COBOL | Do not ACCEPT data from untrusted sources | OPT.COBOL.SEC.NoAcceptFromUntrustedSource
CWE:215 | COBOL | Information Exposure Through Debug Information | OPT.COBOL.SEC.NoActiveDebug
CWE:22 | COBOL | Do not let non-neutralized user-controlled input become part of a pathname (file or directory) used in I/O operations | OPT.COBOL.SEC.PathTraversal
CWE:252 | COBOL | Validate return code for cryptographic operations | OPT.COBOL.SEC.CheckCryptoReturnCode
CWE:259 | COBOL | Hardcoded passwords can compromise system security in a way that cannot be easily remedied | OPT.COBOL.SEC.Cobol_HardcodedPassword
CWE:261 | COBOL | Weak Cryptography for Passwords | OPT.COBOL.SEC.Cobol_PasswordWithWeakCrypto
CWE:328 | COBOL | Weak cryptographic hashes cannot guarantee data integrity | OPT.COBOL.SEC.WeakCryptoHash
CWE:359 | COBOL | Exposure of Private Information (‘Privacy Violation’) | OPT.COBOL.SEC.Cobol_PrivacyViolation
CWE:391 | COBOL | Ignoring error conditions may allow an attacker to induce unexpected behavior unnoticed | OPT.COBOL.SEC.PoorErrorHandling
CWE:401 | COBOL | Potential dynamic storage area leak | OPT.COBOL.SEC.DynamicStorageLeakRule
CWE:497 | COBOL | Avoid dumping system info (typically for debugging) in production code | OPT.COBOL.SEC.Cobol_SystemInformationLeak
CWE:566 | COBOL | Authorization Bypass Through User-Controlled SQL Primary Key | OPT.COBOL.SEC.Cobol_AccessControlDatabase
CWE:615 | COBOL | Avoid placing passwords and other sensitive info in code comments | OPT.COBOL.SEC.Cobol_PasswordInComment
CWE:628 | COBOL | Parameter mismatch in CALL | OPT.COBOL.SEC.CallParameterMismatch
CWE:639 | COBOL | Check user input used in DL/I (IMS) queries | OPT.COBOL.SEC.Cobol_AccessControlDLI
CWE:639 | COBOL | Do not allow user input to control fields of MQSeries descriptor | OPT.COBOL.SEC.Cobol_AccessControlMQ
CWE:691 | COBOL | Avoid ALTER | OPT.COBOL.SEC.AvoidAlter
CWE:73 | COBOL | Do not let non-neutralized user-controlled input become part of a pathname (file or directory) used in I/O operations | OPT.COBOL.SEC.PathTraversal
CWE:77 | COBOL | Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) | OPT.COBOL.SEC.OSCommandInjection
CWE:78 | COBOL | Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) | OPT.COBOL.SEC.OSCommandInjection
CWE:79 | COBOL | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) | OPT.COBOL.SEC.CrossSiteScripting
CWE:823 | COBOL | Avoid pointer arithmetic in COBOL | OPT.COBOL.SEC.PointerArithmetic
CWE:824 | COBOL | Access of Uninitialized Pointer | OPT.COBOL.SEC.IllegalValuesForPointers
CWE:89 | COBOL | Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) | OPT.COBOL.SEC.SqlInjection
CWE:99 | COBOL | Improper Control of Resource Identifiers (‘Resource Injection’) | OPT.COBOL.SEC.Cobol_ResourceInjection

C++

Rule number | Language | Description | Rule
CWE:119 | CPP | Guarantee that copies are made into storage of sufficient size | OPT.CPP.CERTC.ARR33
CWE:119 | CPP | Do not allow loops to iterate beyond the end of an array | OPT.CPP.CERTC.ARR35
CWE:119 | CPP | Do not make assumptions about the size of an environment variable | OPT.CPP.CERTC.ENV01
CWE:119 | CPP | Guarantee that storage for strings has sufficient space for character data and the null terminator | OPT.CPP.CERTC.STR31
CWE:119 | CPP | Size wide character strings correctly | OPT.CPP.CERTC.STR33
CWE:120 | CPP | Do not copy data from an unbounded source to a fixed-length array | OPT.CPP.CERTC.STR35
CWE:129 | CPP | Do not form or use out-of-bounds pointers or array subscripts on arrays | OPT.CPP.CERTC.ARR30
CWE:129 | CPP | Do not add or subtract an integer to a pointer if the resulting value does not refer to a valid array element | OPT.CPP.CERTC.ARR38
CWE:131 | CPP | Guarantee that copies are made into storage of sufficient size | OPT.CPP.CERTC.ARR33
CWE:131 | CPP | Do not allow loops to iterate beyond the end of an array | OPT.CPP.CERTC.ARR35
CWE:131 | CPP | Do not make assumptions about the size of an environment variable | OPT.CPP.CERTC.ENV01
CWE:131 | CPP | Incorrect Calculation of Buffer Size | OPT.CPP.CERTC.MEM35
CWE:131 | CPP | Guarantee that storage for strings has sufficient space for character data and the null terminator | OPT.CPP.CERTC.STR31
CWE:131 | CPP | Size wide character strings correctly | OPT.CPP.CERTC.STR33
CWE:134 | CPP | Exclude unsanitized user input from format strings | OPT.CPP.CERTC.FIO30
CWE:135 | CPP | Size wide character strings correctly | OPT.CPP.CERTC.STR33
CWE:170 | CPP | Use the readlink() function properly | OPT.CPP.CERTC.POS30
CWE:170 | CPP | Null-terminate byte strings as required | OPT.CPP.CERTC.STR32
CWE:190 | CPP | Evaluate integer expressions in a larger size before comparing or assigning to that size | OPT.CPP.CERTC.INT35
CWE:193 | CPP | Guarantee that storage for strings has sufficient space for character data and the null terminator | OPT.CPP.CERTC.STR31
CWE:242 | CPP | Do not use vfork() | OPT.CPP.CERTC.POS33
CWE:252 | CPP | Detect and handle memory allocation errors | OPT.CPP.CERTC.MEM32
CWE:273 | CPP | Improper Check for Dropped Privileges | OPT.CPP.CERTC.POS37
CWE:363 | CPP | Race Condition Enabling Link Following | OPT.CPP.CERTC.POS35
CWE:367 | CPP | Be careful using functions that use file names for identification | OPT.CPP.CERTC.FIO01
CWE:379 | CPP | Creation of Temporary File in Directory with Incorrect Permissions | OPT.CPP.CERTC.FIO43
CWE:401 | CPP | Allocated memory must be released in same scope | OPT.CPP.CorrectUseMemoryLeaks
CWE:415 | CPP | Allocate and free memory in the same module at the same level of abstraction | OPT.CPP.CERTC.MEM00
CWE:415 | CPP | Free dynamically allocated memory exactly once (Double Free) | OPT.CPP.CERTC.MEM31
CWE:416 | CPP | Allocate and free memory in the same module at the same level of abstraction | OPT.CPP.CERTC.MEM00
CWE:416 | CPP | Do not access freed memory (Use after free) | OPT.CPP.CERTC.MEM30
CWE:457 | CPP | Use of Uninitialized Variable | OPT.CPP.CERTC.EXP33
CWE:467 | CPP | Do not apply the sizeof operator to a pointer when taking the size of an array | OPT.CPP.CERTC.ARR01
CWE:467 | CPP | Use of sizeof() on a Pointer Type | OPT.CPP.CERTC.EXP01
CWE:476 | CPP | NULL Pointer Dereference | OPT.CPP.CERTC.EXP34
CWE:476 | CPP | Detect and handle memory allocation errors | OPT.CPP.CERTC.MEM32
CWE:479 | CPP | Signal Handler Use of a Non-reentrant Function | OPT.CPP.CERTC.SIG30
CWE:479 | CPP | Signal Handler Use of a Non-reentrant Function | OPT.CPP.CERTC.SIG32
CWE:563 | CPP | Local variables never used | OPT.CPP.VariablesNeverUsed
CWE:590 | CPP | Free of Memory not on the Heap | OPT.CPP.CERTC.MEM34
CWE:628 | CPP | Use realloc() only to resize dynamically allocated arrays | OPT.CPP.CERTC.MEM08
CWE:676 | CPP | Guarantee that copies are made into storage of sufficient size | OPT.CPP.CERTC.ARR33
CWE:676 | CPP | Be careful using functions that use file names for identification | OPT.CPP.CERTC.FIO01
CWE:676 | CPP | Guarantee that storage for strings has sufficient space for character data and the null terminator | OPT.CPP.CERTC.STR31
CWE:681 | CPP | MISRA 10.1: The value of an expression of integer type shall not be implicitly converted to a different underlying type | OPT.CPP.MISRAC.IntegerImplicitConversions
CWE:682 | CPP | Use bitwise operators only on unsigned operands | OPT.CPP.CERTC.INT13
CWE:684 | CPP | Do not replace secure functions with less secure functions | OPT.CPP.CERTC.PRE09
CWE:696 | CPP | Observe correct revocation order while relinquishing privileges | OPT.CPP.CERTC.POS36
CWE:705 | CPP | No atexit handler should terminate in any way other than by returning | OPT.CPP.CERTC.ENV32
CWE:77 | CPP | Do not call system() if you do not need a command processor | OPT.CPP.CERTC.ENV04
CWE:77 | CPP | Sanitize data passed to sensitive subsystems | OPT.CPP.CERTC.STR02
CWE:78 | CPP | Do not call system() if you do not need a command processor | OPT.CPP.CERTC.ENV04
CWE:78 | CPP | Sanitize data passed to sensitive subsystems | OPT.CPP.CERTC.STR02
CWE:835 | CPP | Loop with Unreachable Exit Condition (‘Infinite Loop’) | OPT.CPP.PotentialInfiniteLoop
CWE:88 | CPP | Do not call system() if you do not need a command processor | OPT.CPP.CERTC.ENV04
CWE:88 | CPP | Sanitize data passed to sensitive subsystems | OPT.CPP.CERTC.STR02

C#

Rule number | Language | Description | Rule
CWE:113 | CSHARP | Improper neutralization of CR/LF Sequences in HTTP headers | OPT.CSHARP.SEC.HttpSplittingRule
CWE:114 | CSHARP | Do not load executables or libraries from untrusted sources | OPT.CSHARP.SEC.ProcessControl
CWE:117 | CSHARP | Improper Output Neutralization for Logs | OPT.CSHARP.SEC.LogForging
CWE:120 | CSHARP | Potential memory corruption | OPT.CSHARP.SEC.BufferOverflow
CWE:15 | CSHARP | Registry manipulation | OPT.CSHARP.SEC.RegistryManipulation
CWE:185 | CSHARP | Prevent denial of service attack through malicious regular expression | OPT.CSHARP.DoSRegexp
CWE:20 | CSHARP | Unvalidated model in MVC controller | OPT.CSHARP.SEC.UnvalidatedAspNetModel
CWE:200 | CSHARP | Insecure Mail Transport | OPT.CSHARP.SEC.InsecureEmailTransport
CWE:200 | CSHARP | Generate server-side cookies with adequate security properties | OPT.CSHARP.SEC.UnsafeCookieRule
CWE:203 | CSHARP | Cross-Site History Manipulation (XSHM) | OPT.CSHARP.SEC.CrossSiteHistoryManipulation
CWE:209 | CSHARP | Avoid sensitive information exposure through error messages | OPT.CSHARP.SEC.InformationExposureThroughErrorMessage
CWE:22 | CSHARP | External Control of File Name or Path | OPT.CSHARP.PathTraversal
CWE:233 | CSHARP | Request data is accessed in an ambiguous way, which can leave it open to attack | OPT.CSHARP.SEC.HttpRequestValueShadowing
CWE:235 | CSHARP | HTTP parameter pollution (HPP) | OPT.CSHARP.SEC.HttpParameterPollution
CWE:252 | CSHARP | Unchecked return value | OPT.CSHARP.UncheckedReturnValue
CWE:256 | CSHARP | Plaintext Storage of a Password | OPT.CSHARP.SEC.PlaintextStorageOfPassword
CWE:284 | CSHARP | .Net access restriction subverted (Reflection) | OPT.CSHARP.SEC.AccessibilitySubversionRule
CWE:285 | CSHARP | Access Control – Anonymous LDAP Bind | OPT.CSHARP.SEC.AnonymousLdapBind
CWE:287 | CSHARP | Do not let a user perform actions to which they do not have access | OPT.CSHARP.SEC.ImproperAuthentication
CWE:310 | CSHARP | Weak cryptography, insufficient key length | OPT.CSHARP.WeakKeySize
CWE:311 | CSHARP | Insecure transport | OPT.CSHARP.SEC.InsecureTransport
CWE:311 | CSHARP | Insecure transport in HTTP servers | OPT.CSHARP.SEC.ServerInsecureTransport
CWE:312 | CSHARP | Cleartext Storage of Sensitive Information in a Cookie | OPT.CSHARP.PlaintextStorageInACookie
CWE:315 | CSHARP | Cleartext Storage of Sensitive Information in a Cookie | OPT.CSHARP.PlaintextStorageInACookie
CWE:320 | CSHARP | Use of Hard-coded Cryptographic Key | OPT.CSHARP.SEC.HardcodedCryptoKey
CWE:320 | CSHARP | Weak cryptography, insufficient key length | OPT.CSHARP.WeakKeySize
CWE:321 | CSHARP | Use of Hard-coded Cryptographic Key | OPT.CSHARP.SEC.HardcodedCryptoKey
CWE:326 | CSHARP | Insufficient RSA key length | OPT.CSHARP.WeakEncryption
CWE:326 | CSHARP | Weak cryptography, insufficient key length | OPT.CSHARP.WeakKeySize
CWE:327 | CSHARP | Weak cryptographic hash | OPT.CSHARP.WeakCryptographicHash
CWE:327 | CSHARP | Weak symmetric encryption algorithm | OPT.CSHARP.WeakSymmetricEncryptionAlgorithm
CWE:327 | CSHARP | Do not use weak modes of operation with symmetric encryption | OPT.CSHARP.WeakSymmetricEncryptionModeOfOperation
CWE:330 | CSHARP | Standard pseudo-random number generators cannot withstand cryptographic attacks | OPT.CSHARP.InsecureRandomness
CWE:338 | CSHARP | Standard pseudo-random number generators cannot withstand cryptographic attacks | OPT.CSHARP.InsecureRandomness
CWE:345 | CSHARP | Prevent over-posting attacks in model definition | OPT.CSHARP.MVCPreventOverpostingModelDefinition
CWE:345 | CSHARP | Prevent under-posting attacks in model composition | OPT.CSHARP.MVCPreventUnderpostingModelComposition
CWE:345 | CSHARP | Prevent under-posting attacks in model definition | OPT.CSHARP.MVCPreventUnderpostingModelDefinition
CWE:346 | CSHARP | CORS policy (Cross-origin resource sharing) too broad | OPT.CSHARP.TooMuchOriginsAllowed
CWE:350 | CSHARP | Avoid checks on the client-side hostname, which are not reliable due to DNS poisoning | OPT.CSHARP.SEC.AvoidHostNameChecks
CWE:352 | CSHARP | Cross-Site Request Forgery (CSRF) | OPT.CSHARP.CrossSiteRequestForgery
CWE:352 | CSHARP | Restrict allowed HTTP verbs for state-change operations in MVC controllers | OPT.CSHARP.MVCPostInControllers
CWE:377 | CSHARP | Temporary files not deleted | OPT.CSHARP.SEC.TemporaryFilesLeft
CWE:390 | CSHARP | Avoid empty catch blocks | OPT.CSHARP.Csharp.AvoidEmptyCatchBlock
CWE:395 | CSHARP | Use of NullPointerException Catch to Detect NULL Pointer Dereference | OPT.CSHARP.AvoidNullReferenceException
CWE:396 | CSHARP | Declaration of Catch for Generic Exception | OPT.CSHARP.Csharp.DoNotCatchGeneralExceptionTypes
CWE:398 | CSHARP | Using Console.Out or Console.Error rather than a dedicated log interface makes it more difficult to monitor the behavior of the software | OPT.CSHARP.AvoidSystemOutputStream
CWE:404 | CSHARP | Unreleased database resource | OPT.CSHARP.ResourceLeakDatabase
CWE:404 | CSHARP | Unreleased LDAP resource | OPT.CSHARP.ResourceLeakLdap
CWE:404 | CSHARP | Unreleased stream resource | OPT.CSHARP.ResourceLeakStream
CWE:404 | CSHARP | Unreleased unmanaged resource | OPT.CSHARP.ResourceLeakUnmanaged
CWE:426 | CSHARP | Do not hardcode absolute paths | OPT.CSHARP.HardcodedAbsolutePath
CWE:434 | CSHARP | Unrestricted Upload of File with Dangerous Type | OPT.CSHARP.SEC.DangerousFileUpload
CWE:449 | CSHARP | Implement Dispose method provided by IDisposable interface | OPT.CSHARP.Csharp.ImplementIDisposableWithFinalize
CWE:459 | CSHARP | Call the Dispose method of fields that implement System.IDisposable | OPT.CSHARP.Csharp.DisposableFieldsShouldBeDisposed
CWE:459 | CSHARP | Dispose objects before losing scope | OPT.CSHARP.Csharp.DisposeObjectsBeforeLosingScope
CWE:470 | CSHARP | Use of Externally-Controlled Input to Select Classes or Code (‘Unsafe Reflection’) | OPT.CSHARP.SEC.UnsafeReflection
CWE:476 | CSHARP | NULL Pointer Dereference | OPT.CSHARP.NullDereference
CWE:489 | CSHARP | Main() method not allowed in web application | OPT.CSHARP.SEC.MainMethodInWebApplication
CWE:494 | CSHARP | Do not load executables or libraries from untrusted sources | OPT.CSHARP.SEC.ProcessControl
CWE:494 | CSHARP | Avoid using non-neutralized user-controlled input when creating XSL stylesheets | OPT.CSHARP.XSLTInjection
CWE:497 | CSHARP | Remove ASP.NET MVC version from HTTP headers | OPT.CSHARP.MVCRemoveVersionHeader
CWE:497 | CSHARP | Exposure of System Data to an Unauthorized Control Sphere | OPT.CSHARP.SystemInformationLeak
CWE:499 | CSHARP | Serializable Class Containing Sensitive Data | OPT.CSHARP.SEC.SerializableClassContainingSensitiveData
CWE:501 | CSHARP | Trust boundary violation | OPT.CSHARP.SEC.TrustBoundaryViolation
CWE:502 | CSHARP | Dynamic code injection during object deserialization | OPT.CSHARP.CodeInjectionWithDeserialization
CWE:532 | CSHARP | Avoid exposing sensitive information through logs | OPT.CSHARP.SEC.InformationExposureThroughDebugLog
CWE:539 | CSHARP | Generate server-side cookies with adequate security properties | OPT.CSHARP.SEC.UnsafeCookieRule
CWE:544 | CSHARP | Missing Standardized Error Handling Mechanism in ASP.Net | OPT.CSHARP.SEC.MissingStandardErrorHandling
CWE:563 | CSHARP | Unused local variable | OPT.CSHARP.Csharp.RemoveUnusedLocals
CWE:566 | CSHARP | Avoid using a user-controlled Primary Key in a query | OPT.CSHARP.SEC.UserControlledSQLPrimaryKey
CWE:567 | CSHARP | Static database connection / session | OPT.CSHARP.SEC.StaticDatabaseConnection
CWE:581 | CSHARP | Any type that overrides the GetHashCode method should also override the Equals method | OPT.CSHARP.Csharp.OverridingEqualsAndGetHashCode
CWE:601 | CSHARP | URL Redirection to Untrusted Site (‘Open Redirect’) | OPT.CSHARP.OpenRedirect
CWE:606 | CSHARP | Unchecked input in loop condition | OPT.CSHARP.UncheckedInputInLoopCondition
CWE:611 | CSHARP | XML entity injection | OPT.CSHARP.SEC.XMLEntityInjection
CWE:614 | CSHARP | Generate server-side cookies with adequate security properties | OPT.CSHARP.SEC.UnsafeCookieRule
CWE:643 | CSHARP | Improper Neutralization of Data within XPath Expressions (‘XPath Injection’) | OPT.CSHARP.XPathInjection
CWE:652 | CSHARP | Improper Neutralization of Data within XQuery Expressions (‘XQuery Injection’) | OPT.CSHARP.XQueryInjection
CWE:73 | CSHARP | External Control of File Name or Path | OPT.CSHARP.PathTraversal
CWE:754 | CSHARP | Unchecked return value | OPT.CSHARP.UncheckedReturnValue
CWE:760 | CSHARP | A hardcoded salt can compromise system security | OPT.CSHARP.SEC.HardcodedSalt
CWE:77 | CSHARP | Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) | OPT.CSHARP.CommandInjection
CWE:776 | CSHARP | XML entity injection | OPT.CSHARP.SEC.XMLEntityInjection
CWE:78 | CSHARP | Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) | OPT.CSHARP.CommandInjection
CWE:780 | CSHARP | Use of RSA Algorithm without Optimal Asymmetric Encryption Padding (OAEP) | OPT.CSHARP.SEC.ProperPaddingWithPublicKeyCrypto
CWE:784 | CSHARP | Reliance on Cookies without Validation and Integrity Checking in a Security Decision | OPT.CSHARP.SEC.CookiesInSecurityDecision
CWE:79 | CSHARP | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) | OPT.CSHARP.CrossSiteScripting
CWE:79 | CSHARP | Web content generated from improperly sanitized database data and improperly escaped output (Stored Cross-site Scripting, XSS) | OPT.CSHARP.StoredCrossSiteScripting
CWE:798 | CSHARP | Use of Hard-coded Credentials | OPT.CSHARP.SEC.HardcodedCredential
CWE:835 | CSHARP | Loop with Unreachable Exit Condition (‘Infinite Loop’) | OPT.CSHARP.PotentialInfiniteLoop
CWE:862 | CSHARP | Protect public methods that are not action methods in controllers | OPT.CSHARP.MVCNonActionPublicMethods
CWE:89 | CSHARP | Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) | OPT.CSHARP.SqlInjection
CWE:90 | CSHARP | Avoid non-neutralized user-controlled input in LDAP search filters | OPT.CSHARP.LdapInjection
CWE:91 | CSHARP | Avoid using non-neutralized user-controlled input in JSON entities | OPT.CSHARP.JSONInjection
CWE:91 | CSHARP | XML Injection (aka Blind XPath Injection) | OPT.CSHARP.XMLInjection
CWE:918 | CSHARP | Server-Side Request Forgery (SSRF) | OPT.CSHARP.ServerSideRequestForgery
CWE:93 | CSHARP | Mail Command Injection | OPT.CSHARP.SEC.MailCommandInjection
CWE:94 | CSHARP | Improper Control of Generation of Code (‘Code Injection’) | OPT.CSHARP.CodeInjection
CWE:943 | CSHARP | Improper neutralization of special elements in data query logic (NoSQL injection) | OPT.CSHARP.SEC.NoSQLInjection
CWE:99 | CSHARP | Connection string polluted with untrusted input | OPT.CSHARP.SEC.ConnectionStringParameterPollution
CWE:99 | CSHARP | Improper control of resource identifiers (‘Resource Injection’) | OPT.CSHARP.SEC.ResourceInjection

Hibernate

Rule number | Language | Description | Rule
CWE:564 | HIBERNATE | Use bind (or named) parameters in HQL and native SQL queries | OPT.HIBERNATE.BindParametersInQueries
CWE:89 | HIBERNATE | Use bind (or named) parameters in HQL and native SQL queries | OPT.HIBERNATE.BindParametersInQueries

HTML

Rule number | Language | Description | Rule
CWE:1022 | HTML | Improper Neutralization of links to external sites | OPT.HTML.TargetBlankVulnerability
CWE:20 | HTML | Form validation disabled | OPT.HTML.FormValidationOff
CWE:358 | HTML | Add a CSP to every page | OPT.HTML.CORDOVA.ShouldUseContentSecurityPolicy
CWE:359 | HTML | Password in GET form | OPT.HTML.PasswordInHttpGet
CWE:434 | HTML | File upload enabled | OPT.HTML.FileUploadEnabled
CWE:525 | HTML | Autocomplete enabled for sensitive form fields | OPT.HTML.AutocompleteOnForSensitiveFields
CWE:549 | HTML | Password input field is not masked | OPT.HTML.MissingPasswordFieldMasking
CWE:830 | HTML | Unsafe sandbox with allow-scripts and allow-same-origin | OPT.HTML.SandboxAllowScriptsAndSameOrigin

Informix

Rule number | Language | Description | Rule
CWE:563 | INFORMIX | Avoid unused local variables | OPT.INFORMIX.UnusedLocalVar

Java

Rule number | Language | Description | Rule
CWE:111 | JAVA | Avoid calls from Java to native (JNI) code | OPT.JAVA.SEC_JAVA.AvoidNativeCallsRule
CWE:113 | JAVA | Improper Neutralization of CRLF Sequences in HTTP Headers (‘HTTP Response Splitting’) | OPT.JAVA.SEC_JAVA.HttpSplittingRule
CWE:114 | JAVA | Discourage dynamically loading code | OPT.JAVA.ANDROID.DynamicallyLoadingCode
CWE:114 | JAVA | Library loaded from untrusted source | OPT.JAVA.SEC_JAVA.ProcessControlRule
CWE:117 | JAVA | Improper Output Neutralization for Logs | OPT.JAVA.SEC_JAVA.LogForging
CWE:129 | JAVA | Array index coming from a non-neutralized vulnerable input | OPT.JAVA.SEC_JAVA.ImproperValidationOfArrayIndex
CWE:134 | JAVA | Exclude unsanitized user input from format strings | OPT.JAVA.SEC_JAVA.FormatStringInjectionRule
CWE:15 | JAVA | External Control of System or Configuration Setting | OPT.JAVA.SEC_JAVA.ExternalControlOfConfigurationSetting
CWE:159 | JAVA | Connection string polluted with untrusted input | OPT.JAVA.SEC_JAVA.ConnectionStringParameterPollution
CWE:16 | JAVA | Inadequate backup configuration | OPT.JAVA.ANDROID.PreventBackupVulnerability
CWE:16 | JAVA | Use defaultHtmlEscape=true with SpringMVC for better cross-site scripting prevention | OPT.JAVA.SEC_JAVA.SpringNoAntiXssConfiguration
CWE:16 | JAVA | Avoid misconfiguring security properties in web.xml descriptor | OPT.JAVA.SEC_JAVA.WebXmlSecurityMisconfigurationsRule
CWE:180 | JAVA | Incorrect Behavior Order: Validate Before Canonicalize | OPT.JAVA.SEC_JAVA.InputPathNotCanonicalizedRule
CWE:180 | JAVA | Always normalize system inputs | OPT.JAVA.SEC_JAVA.UnnormalizedInputString
CWE:185 | JAVA | Prevent denial of service attack through malicious regular expression (‘Regex Injection’) | OPT.JAVA.SEC_JAVA.RegexInjectionRule
CWE:20 | JAVA | Request parameters should not be passed into Session without sanitizing | OPT.JAVA.SEC_JAVA.RequestParametersInSessionRule
CWE:200 | JAVA | Specify an endpoint interface to avoid exposing all the public methods | OPT.JAVA.JAX.AvoidExposingAllEndpointlPublicMethods
CWE:200 | JAVA | Check the HTTP method used to send the request | OPT.JAVA.JAX.CheckHTTPMethods
CWE:200 | JAVA | Generate server-side cookies with adequate security properties | OPT.JAVA.SEC_JAVA.UnsafeCookieRule
CWE:209 | JAVA | Avoid sensitive information exposure through error messages | OPT.JAVA.SEC_JAVA.InformationExposureThroughErrorMessage
CWE:22 | JAVA | Avoid non-neutralized user-controlled input composed in a pathname to a resource | OPT.JAVA.SEC_JAVA.PathTraversalRule
CWE:235 | JAVA | HTTP parameter pollution (HPP) | OPT.JAVA.SEC_JAVA.HttpParameterPollutionRule
CWE:245 | JAVA | J2EE Bad Practices: Direct Management of Connections | OPT.JAVA.SEC_JAVA.AvoidJ2EEDirectDatabaseConnection
CWE:246 | JAVA | J2EE Bad Practices: Direct Use of Sockets | OPT.JAVA.SEC_JAVA.AvoidJ2EEExplicitSocket
CWE:256 | JAVA | Plaintext Storage of a Password | OPT.JAVA.SEC_JAVA.PlaintextStorageOfPassword
CWE:260 | JAVA | Use of credentials in a configuration file | OPT.JAVA.SEC_JAVA.PasswordInConfigurationFile
CWE:265 | JAVA | Check permission usage conformance (External Storage Permission) | OPT.JAVA.ANDROID.CheckExternalStoragePermission
CWE:265 | JAVA | Check permission usage conformance (Internet Permission) | OPT.JAVA.ANDROID.CheckInternetPermission
CWE:265 | JAVA | Check permission usage conformance (Location Permission) | OPT.JAVA.ANDROID.CheckLocationPermission
CWE:275 | JAVA | Don’t allow applications to execute code using other applications’ privileges | OPT.JAVA.ANDROID.PrivilegeEscalationAttack
CWE:284 | JAVA | Java access restriction subverted (Reflection) | OPT.JAVA.SEC_JAVA.AccessibilitySubversionRule
CWE:285 | JAVA | Access Control – Anonymous LDAP Bind | OPT.JAVA.SEC_JAVA.AnonymousLdapBindRule
CWE:285 | JAVA | Avoid database queries except from the specific classes | OPT.JAVA.SEC_JAVA.DatabaseAccessControlRule
CWE:285 | JAVA | Dynamic method invocation in Struts 2 | OPT.JAVA.SEC_JAVA.DynamicMethodInvocation
CWE:287 | JAVA | Use SOAP messages authentication | OPT.JAVA.JAX.UseAuthenticatedSOAPMessages
CWE:287 | JAVA | Acegi Misconfiguration – Run-As Authentication Replacement | OPT.JAVA.SEC_JAVA.AcegiRunAsAuthenticationReplacementRule
CWE:296 | JAVA | Insecure SSL configuration | OPT.JAVA.SEC_JAVA.InsecureSSL
CWE:297 | JAVA | Insecure SSL configuration | OPT.JAVA.SEC_JAVA.InsecureSSL
CWE:298 | JAVA | Insecure SSL configuration | OPT.JAVA.SEC_JAVA.InsecureSSL
CWE:299 | JAVA | Insecure SSL configuration | OPT.JAVA.SEC_JAVA.InsecureSSL
CWE:310 | JAVA | Weak cryptography, insufficient key length | OPT.JAVA.SEC_JAVA.InsufficientKeySizeRule
CWE:311 | JAVA | Use encrypted SOAP messages | OPT.JAVA.JAX.UseEncryptedSOAPMessages
CWE:311 | JAVA | Avoid using HTTP instead of HTTPS | OPT.JAVA.JAX.UseSecuredTransportLayer
CWE:312 | JAVA | Cleartext Storage of Sensitive Information in a Cookie | OPT.JAVA.SEC_JAVA.PlaintextStorageInACookieRule
CWE:315 | JAVA | Cleartext Storage of Sensitive Information in a Cookie | OPT.JAVA.SEC_JAVA.PlaintextStorageInACookieRule
CWE:320 | JAVA | Hardcoded cryptographic keys | OPT.JAVA.SEC_JAVA.HardcodedCryptoKey
CWE:320 | JAVA | Weak cryptography, insufficient key length | OPT.JAVA.SEC_JAVA.InsufficientKeySizeRule
CWE:321 | JAVA | Hardcoded cryptographic keys | OPT.JAVA.SEC_JAVA.HardcodedCryptoKey
CWE:325 | JAVA | Inadequate padding | OPT.JAVA.SEC_JAVA.InadequatePaddingRule
CWE:326 | JAVA | Weak cryptography, insufficient key length | OPT.JAVA.SEC_JAVA.InsufficientKeySizeRule
CWE:327 | JAVA | Weak symmetric encryption algorithm | OPT.JAVA.SEC_JAVA.WeakEncryptionRule
CWE:328 | JAVA | Weak cryptographic hash | OPT.JAVA.SEC_JAVA.WeakCryptographicHashRule
CWE:329 | JAVA | Not using a Random IV with CBC Mode | OPT.JAVA.SEC_JAVA.NonRandomIVWithCBCMode
CWE:330 | JAVA | Standard pseudo-random number generators cannot withstand cryptographic attacks | OPT.JAVA.SEC_JAVA.InsecureRandomnessRule
CWE:338 | JAVA | Do not use SecureRandom with a fixed seed | OPT.JAVA.ANDROID.SecureRandom
CWE:338 | JAVA | Standard pseudo-random number generators cannot withstand cryptographic attacks | OPT.JAVA.SEC_JAVA.InsecureRandomnessRule
CWE:345 | JAVA | Avoid using non-neutralized user-controlled input in JSON entities – JSON Injection | OPT.JAVA.SEC_JAVA.JSONInjection
CWE:346 | JAVA | CORS policy (Cross-origin resource sharing) too broad | OPT.JAVA.SEC_JAVA.TooMuchOriginsAllowedRule
CWE:350 | JAVA | Avoid checks on the client-side hostname, which are not reliable due to DNS poisoning | OPT.JAVA.SEC_JAVA.AvoidHostNameChecksRule
CWE:352JAVACross-site request forgery (CSRF)OPT.JAVA.SEC_JAVA.CrossSiteRequestForgeryRule
CWE:353JAVAUse signed SOAP messagesOPT.JAVA.JAX.UseSignedSOAPMessages
CWE:358JAVANot overridable methodOPT.JAVA.SEC_JAVA.NotOverridableMethodRule
CWE:358JAVAMethods that perform a security check must be declared private or finalOPT.JAVA.SEC_JAVA.SecurityCheckInOverridableMethodRule
CWE:359JAVAInadecuate backup configurationOPT.JAVA.ANDROID.PreventBackupVulnerability
CWE:359JAVAPassword Management – Password in RedirectOPT.JAVA.SEC_JAVA.PasswordInRedirectRule
CWE:362JAVAConcurrent Execution using Shared Resource with Improper Synchronization (‘Race Condition’)OPT.JAVA.SEC_JAVA.RaceConditionFormatFlaw
CWE:362JAVARace Condition in a Java ServletOPT.JAVA.SEC_JAVA.RaceConditionServlet
CWE:374JAVADo not directly return or store references to mutable membersOPT.JAVA.DoNotReturnStoreMutableMembers
CWE:375JAVADo not directly return or store references to mutable membersOPT.JAVA.DoNotReturnStoreMutableMembers
CWE:382JAVAJ2EE Bad Practices: Use of System.exit()OPT.JAVA.SEC_JAVA.AvoidEJBJVMShutdown
CWE:382JAVAAvoid JVM shutdown code in J2EE applicationsOPT.JAVA.SEC_JAVA.AvoidJ2EEJvmExit
CWE:383JAVAAvoid explicit thread management in EJBOPT.JAVA.SEC_JAVA.AvoidEJBExplicitThreadManagement
CWE:383JAVAJ2EE Bad Practices: Direct Use of ThreadsOPT.JAVA.SEC_JAVA.AvoidJ2EEExplicitThreadManagement
CWE:384JAVAAvoid misconfiguring security properties in web.xml descriptorOPT.JAVA.SEC_JAVA.WebXmlSecurityMisconfigurationsRule
CWE:391JAVAUnhandled SSL exceptionOPT.JAVA.SEC_JAVA.UnhandledSSLExceptionRule
CWE:395JAVAAvoid capturing NullPointerExceptionsOPT.JAVA.EXCP.AvoidNullPointerException
CWE:396JAVAAvoid java.lang.Error catch exceptionsOPT.JAVA.EXCP.AvoidExcpError
CWE:396JAVAAvoid capturing java.lang.Exception exceptionsOPT.JAVA.EXCP.AvoidExcpException
CWE:396JAVAAvoid Exception, RuntimeException o Throwable in catch or throw statementsOPT.JAVA.FMETODOS.NCE
CWE:397JAVAAvoid throwing ‘Exception’. Always use a proper Exception subclassOPT.JAVA.DECLARA.NTX
CWE:397JAVAAvoid creating new instances of java.lang.ThrowableOPT.JAVA.EXCP.AvoidNewThrowable
CWE:397JAVAAvoid Exception, RuntimeException o Throwable in catch or throw statementsOPT.JAVA.FMETODOS.NCE
CWE:404JAVAPrevent potential memory leaks in ObjectOutputStreams by calling reset () or close ()OPT.JAVA.GC.OSTM
CWE:459JAVAClose input and output resources in finally blocksOPT.JAVA.IO.CS
CWE:459JAVAClose JDBC connections in finally blocksOPT.JAVA.JDBC.CDBC
CWE:459JAVAClose JDBC resources when finishing usingOPT.JAVA.JDBC.RRWD
CWE:470JAVAActivities extending PreferenceActivity should not be exportedOPT.JAVA.ANDROID.ExportedPreferenceActivity
CWE:470JAVAUse of Externally-Controlled Input to Select Classes or Code (‘Unsafe Reflection’)OPT.JAVA.SEC_JAVA.UnsafeReflection
CWE:476JAVANULL Pointer DereferenceOPT.JAVA.NullDereference
CWE:478JAVAProvide ‘default’ label for each switch statementOPT.JAVA.PB.PDS
CWE:481JAVAAvoid assigning values to variables inside for loopsOPT.JAVA.BUC.AvoidAssignInFor
CWE:481JAVAAvoid assignments in while / do-while loop conditionOPT.JAVA.BUC.AvoidAssignInWhile
CWE:481JAVAAvoid assignments inside conditional expressionsOPT.JAVA.COND.AvoidAsignmentsWithinIF
CWE:481JAVAPossible confusion between assignment and comparison in a conditional expressionOPT.JAVA.PB.ASI
CWE:484JAVAAvoid using a switch structure with a bad case statementOPT.JAVA.PB.SBC
CWE:486JAVADo not compare class objects with getName() or getSimpleName() methodsOPT.JAVA.RGS.CMP
CWE:489JAVALeftover Debug Code in J2EE applicationsOPT.JAVA.SEC_JAVA.AvoidJ2EELeftoverDebugCode
CWE:491JAVAMake your clone() method final for securityOPT.JAVA.RGS.CLONE
CWE:494JAVALibrary loaded from untrusted sourceOPT.JAVA.SEC_JAVA.ProcessControlRule
CWE:497JAVADo not send detail error information to clientOPT.JAVA.SEC_JAVA.DetailErrorLeakRule
CWE:499JAVASerializable Class Containing Sensitive DataOPT.JAVA.SEC_JAVA.SerializableClassContainingSensitiveData
CWE:5JAVAAcegi Misconfiguration – Insecure Channel MixingOPT.JAVA.SEC_JAVA.AcegiInsecureChannelMixingRule
CWE:5JAVAAvoid misconfiguring security properties in web.xml descriptorOPT.JAVA.SEC_JAVA.WebXmlSecurityMisconfigurationsRule
CWE:500JAVAAvoid non-final public static fieldsOPT.JAVA.J2SE.AvoidStaticPublicNoFinalField
CWE:501JAVATrust boundary violationOPT.JAVA.SEC_JAVA.TrustBoundaryViolationRule
CWE:502JAVAMark as transient the fields with system resourcesOPT.JAVA.J2SE.TransientForSystemResources
CWE:502JAVADynamic code injection during XML deserializationOPT.JAVA.SEC_JAVA.CodeInjectionWithDeserializationRule
CWE:522JAVAUse of credentials into configuration fileOPT.JAVA.SEC_JAVA.PasswordInConfigurationFile
CWE:532JAVAAvoid exposing sensible information through logOPT.JAVA.SEC_JAVA.InformationExposureThroughDebugLog
CWE:539JAVAGenerate server-side cookies with adequate security propertiesOPT.JAVA.SEC_JAVA.UnsafeCookieRule
CWE:552JAVAFile disclosure in server-side J2EE forward/includeOPT.JAVA.SEC_JAVA.J2eeFileDisclosureRule
CWE:563JAVAAvoid unused local variablesOPT.JAVA.CNU.EVNU
CWE:563JAVAAvoid unused private fieldsOPT.JAVA.CNU.PF
CWE:563JAVAAvoid unused fieldsOPT.JAVA.DECL.AvoidNotUseField
CWE:564JAVAImproper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)OPT.JAVA.SEC_JAVA.SqlInjectionRule
CWE:566JAVAAvoid using an user controlled Primary Key into a queryOPT.JAVA.SEC_JAVA.UserControlledSQLPrimaryKey
CWE:567JAVAStatic database connection / sessionOPT.JAVA.SEC_JAVA.StaticDatabaseConnection
CWE:568JAVACall super.finalize() from finalize()OPT.JAVA.GC.FCF
CWE:572JAVAAvoid calling Thread.run()OPT.JAVA.HEB.AvoidCallRun
CWE:574JAVAAvoid use of synchronization primitives in EJBOPT.JAVA.SEC_JAVA.AvoidEJBSynchronizationPrimitives
CWE:575JAVAEJB Bad Practices: Use of AWT SwingOPT.JAVA.SEC_JAVA.AvoidEJBAWTSwing
CWE:576JAVAEJB Bad Practices: Use of Java I/OOPT.JAVA.SEC_JAVA.AvoidEJBJavaIo
CWE:577JAVAEJB Bad Practices: Use of SocketsOPT.JAVA.SEC_JAVA.AvoidEJBExplicitServerSocket
CWE:578JAVAAvoid changing the input, output, and error streams in EJBOPT.JAVA.SEC_JAVA.AvoidEJBRedirectStreams
CWE:578JAVAAvoid setting context ClassLoader in EJBOPT.JAVA.SEC_JAVA.AvoidEJBSetClassLoader
CWE:578JAVAAvoid setting system SecurityManager in EJBOPT.JAVA.SEC_JAVA.AvoidEJBSetSecurityManager
CWE:579JAVAAvoid non-serializable objects stored in session in J2EE applicationsOPT.JAVA.SEC_JAVA.AvoidJ2EENonSerializableObjectsStored
CWE:580JAVACall super.clone() in all clone() methodsOPT.JAVA.RGM.CLONE
CWE:581JAVAAlways overwrite java.lang.Object.equals() and java.lang.Object.hashCode()OPT.JAVA.COMP.EqualsHashCode
CWE:581JAVAOverride Object.equals ()when you override Object.hashCode ()OPT.JAVA.FMETODOS.OVERRIDE
CWE:582JAVAAvoid using public static final array fieldsOPT.JAVA.RGM.PSFA
CWE:584JAVAReturn from finally blocksOPT.JAVA.PB.RFFB
CWE:585JAVAAvoid empty synchronized blocksOPT.JAVA.PB.ESBL
CWE:586JAVANever call finalize() explicitlyOPT.JAVA.FIN.DontCallFinalize
CWE:597JAVAUse equals() when comparing StringsOPT.JAVA.PB.UEI2
CWE:601JAVAURL Redirection to Untrusted Site (‘Open Redirect’)OPT.JAVA.SEC_JAVA.OpenRedirectRule
CWE:606JAVAUnchecked input in loop conditionOPT.JAVA.SEC_JAVA.UncheckedInputInLoopCondition
CWE:611JAVAXML entity injectionOPT.JAVA.SEC_JAVA.XmlEntityInjectionRule
CWE:613JAVAChecks that session expiration interval is positive and does not exceed a limitOPT.JAVA.SEC_JAVA.InsufficientSessionExpirationRule
CWE:613JAVAAvoid misconfiguring security properties in web.xml descriptorOPT.JAVA.SEC_JAVA.WebXmlSecurityMisconfigurationsRule
CWE:614JAVAGenerate server-side cookies with adequate security propertiesOPT.JAVA.SEC_JAVA.UnsafeCookieRule
CWE:615JAVAAvoid hard-coded or in-comment passwords in codeOPT.JAVA.SEC_JAVA.PasswordInCommentRule
CWE:617JAVADo not use assert and do not launch AssertionErrorOPT.JAVA.RGM.DontUseAssert
CWE:643JAVAImproper Neutralization of Data within XPath Expressions (‘XPath Injection’)OPT.JAVA.SEC_JAVA.XPathInjectionRule
CWE:676JAVAAvoid using Runtime.exec()OPT.JAVA.RGP.EXEC
CWE:676JAVALibrary loaded from untrusted sourceOPT.JAVA.SEC_JAVA.ProcessControlRule
CWE:693JAVASecurity misconfiguration in Play framework.OPT.JAVA.SEC_JAVA.PlaySecurityMisconfiguration
CWE:698JAVAExecution After Redirect (EAR)OPT.JAVA.SEC_JAVA.ExecutionAfterRedirect
CWE:7JAVAAvoid misconfiguring security properties in web.xml descriptorOPT.JAVA.SEC_JAVA.WebXmlSecurityMisconfigurationsRule
CWE:73JAVAAvoid non-neutralized user-controlled input composed in a pathname to a resourceOPT.JAVA.SEC_JAVA.PathTraversalRule
CWE:749JAVAEnabling JavaScript is not recommendedOPT.JAVA.ANDROID.JavascriptEnabled
CWE:749JAVAPotential code injection via WebView.addJavaScriptInterface()OPT.JAVA.ANDROID.JavascriptInterfaceAnnotation
CWE:749JAVADon’t use SMS for data input or commandOPT.JAVA.ANDROID.SMSMonitoring
CWE:760JAVAA hardcoded salt can compromise system securityOPT.JAVA.SEC_JAVA.HardcodedSaltRule
CWE:77JAVAImproper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)OPT.JAVA.SEC_JAVA.CommandInjectionRule
CWE:776JAVAXML entity injectionOPT.JAVA.SEC_JAVA.XmlEntityInjectionRule
CWE:78JAVAImproper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)OPT.JAVA.SEC_JAVA.CommandInjectionRule
CWE:784JAVAReliance on Cookies without Validation and Integrity Checking in a Security DecisionOPT.JAVA.SEC_JAVA.CookiesInSecurityDecision
CWE:79JAVAImproper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)OPT.JAVA.SEC_JAVA.CrossSiteScriptingRule
CWE:79JAVASame Origin Method Execution (SOME)OPT.JAVA.SEC_JAVA.SameOriginMethodExecution
CWE:798JAVAUse of Hard-coded CredentialsOPT.JAVA.SEC_JAVA.HardcodedUsernamePassword
CWE:80JAVAUse defaultHtmlEscape=true with SpringMVC for better cross-site scripting preventionOPT.JAVA.SEC_JAVA.SpringNoAntiXssConfiguration
CWE:835JAVAAvoid loops without an initiator and an increaseOPT.JAVA.BUC.AvoidForWithoutIniIncr
CWE:835JAVALoop with Unreachable Exit Condition (‘Infinite Loop’)OPT.JAVA.SEC_JAVA.PotentialInfiniteLoop
CWE:89JAVAContent Provider URI InjectionOPT.JAVA.ANDROID.ContentProviderUriInjection
CWE:89JAVAImproper Neutralization of Special Elements used in an SQL Command in iBatis (‘SQL Injection’)OPT.JAVA.SEC_JAVA.IBatisSqlInjectionRule
CWE:89JAVAImproper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)OPT.JAVA.SEC_JAVA.SqlInjectionRule
CWE:90JAVAAvoid non-neutralized user-controlled input in LDAP search filtersOPT.JAVA.SEC_JAVA.LdapInjectionRule
CWE:91JAVAXML Injection (aka Blind XPath Injection)OPT.JAVA.SEC_JAVA.XsltInjection
CWE:915JAVAAvoid data submissions to non editable fieldsOPT.JAVA.SPRING.AvoidDataSubmissionToNonEditableField
CWE:918JAVAServer-Side Request Forgery (SSRF)OPT.JAVA.SEC_JAVA.ServerSideRequestForgeryRule
CWE:927JAVAAvoid Sticky BroadcastsOPT.JAVA.ANDROID.AndroidStickyBroadcast
CWE:93JAVAMail Command InjectionOPT.JAVA.SEC_JAVA.MailCommandInjection
CWE:943JAVAImproper neutralization of special elements in data query logic (NoSQL injection)OPT.JAVA.SEC_JAVA.NoSQLInjection
CWE:95JAVADynamic code injection in scripting APIOPT.JAVA.SEC_JAVA.CodeInjectionRule
CWE:99JAVAIntent ManipulationOPT.JAVA.ANDROID.IntentManipulation
CWE:99JAVAImproper control of resource identifiers (“Resource Injection”)OPT.JAVA.SEC_JAVA.ResourceInjection

 

JavaScript

| Rule number | Language | Description | Rule |
|---|---|---|---|
| CWE:1004 | JAVASCRIPT | Generate server-side cookies with adequate security properties | OPT.JAVASCRIPT.UnsafeCookie |
| CWE:11 | JAVASCRIPT | Debug logs enabled | OPT.JAVASCRIPT.CORDOVA.AvoidEnabledDebugMode |
| CWE:113 | JAVASCRIPT | Unvalidated data in HTTP response header or in cookies (‘HTTP Response Splitting’) | OPT.JAVASCRIPT.HeaderManipulation |
| CWE:16 | JAVASCRIPT | Android SDK version too old | OPT.JAVASCRIPT.CORDOVA.InsecureAndroidMinSdkVersion |
| CWE:183 | JAVASCRIPT | Loading Angular templates insecurely | OPT.JAVASCRIPT.ANGULARJS.UnsafeResourceUrlWhitelist |
| CWE:183 | JAVASCRIPT | Unsafe URL whitelist | OPT.JAVASCRIPT.ANGULARJS.UnsafeUrlWhitelist |
| CWE:183 | JAVASCRIPT | Avoid posting cross-document messages with an overly permissive target origin | OPT.JAVASCRIPT.AvoidOverlyPermissiveMessagePosting |
| CWE:185 | JAVASCRIPT | Potential denial-of-service attack through malicious regular expression (ReDoS) | OPT.JAVASCRIPT.DoSRegexp |
| CWE:20 | JAVASCRIPT | Strict Contextual Escaping (SCE) disabled | OPT.JAVASCRIPT.ANGULARJS.ContextualEscapingDisabled |
| CWE:200 | JAVASCRIPT | AngularJS local storage information leakage | OPT.JAVASCRIPT.ANGULARJS.AngularLocalStorageInformationLeak |
| CWE:200 | JAVASCRIPT | Avoid Web SQL | OPT.JAVASCRIPT.AvoidWebSQL |
| CWE:200 | JAVASCRIPT | Use of sensitive information in a configuration file | OPT.JAVASCRIPT.SensitiveInfoInConfigurationFile |
| CWE:200 | JAVASCRIPT | Generate server-side cookies with adequate security properties | OPT.JAVASCRIPT.UnsafeCookie |
| CWE:209 | JAVASCRIPT | Avoid sensitive information exposure through error messages | OPT.JAVASCRIPT.InformationExposureThroughErrorMessage |
| CWE:22 | JAVASCRIPT | External Control of File Name or Path | OPT.JAVASCRIPT.PathManipulation |
| CWE:235 | JAVASCRIPT | HTTP parameter pollution (HPP) | OPT.JAVASCRIPT.HttpParameterPollution |
| CWE:259 | JAVASCRIPT | Empty or hardcoded passwords may compromise system security in a way that cannot be easily remedied | OPT.JAVASCRIPT.EmptyOrHardcodedPassword |
| CWE:295 | JAVASCRIPT | Improper Certificate Validation | OPT.JAVASCRIPT.ImproperCertificateValidation |
| CWE:311 | JAVASCRIPT | Insecure transport | OPT.JAVASCRIPT.InsecureTransport |
| CWE:311 | JAVASCRIPT | Insecure transport in Node.js HTTP servers | OPT.JAVASCRIPT.ServerInsecureTransport |
| CWE:312 | JAVASCRIPT | Cleartext Storage of Sensitive Information in a Cookie | OPT.JAVASCRIPT.PlaintextStorageInACookie |
| CWE:315 | JAVASCRIPT | Cleartext Storage of Sensitive Information in a Cookie | OPT.JAVASCRIPT.PlaintextStorageInACookie |
| CWE:319 | JAVASCRIPT | Use HTTP Strict Transport Security | OPT.JAVASCRIPT.UseStrictTransportSecurity |
| CWE:320 | JAVASCRIPT | Hardcoded cryptographic keys | OPT.JAVASCRIPT.HardcodedCryptoKey |
| CWE:321 | JAVASCRIPT | Hardcoded cryptographic keys | OPT.JAVASCRIPT.HardcodedCryptoKey |
| CWE:326 | JAVASCRIPT | An otherwise strong encryption algorithm is vulnerable to brute-force attacks when a small key size is used | OPT.JAVASCRIPT.InsuficientKeySize |
| CWE:327 | JAVASCRIPT | Weak cryptographic hash | OPT.JAVASCRIPT.WeakCryptographicHash |
| CWE:327 | JAVASCRIPT | Weak symmetric encryption algorithm | OPT.JAVASCRIPT.WeakEncryption |
| CWE:330 | JAVASCRIPT | Do not use easy-to-guess Web SQL database names | OPT.JAVASCRIPT.EasyToGuestDatabaseName |
| CWE:330 | JAVASCRIPT | Standard pseudo-random number generators cannot withstand cryptographic attacks | OPT.JAVASCRIPT.InsecureRandomness |
| CWE:338 | JAVASCRIPT | Standard pseudo-random number generators cannot withstand cryptographic attacks | OPT.JAVASCRIPT.InsecureRandomness |
| CWE:346 | JAVASCRIPT | Access policy too broad | OPT.JAVASCRIPT.CORDOVA.TooBroadAccessOrigin |
| CWE:352 | JAVASCRIPT | Execution of an action on the user’s behalf on a previously authenticated web site (cross-site request forgery, CSRF) | OPT.JAVASCRIPT.CrossSiteRequestForgery |
| CWE:358 | JAVASCRIPT | Whitelist plugin not installed | OPT.JAVASCRIPT.CORDOVA.WhitelistPluginNotInstalled |
| CWE:359 | JAVASCRIPT | Exposure of Private Information (‘Privacy Violation’) | OPT.JAVASCRIPT.PrivacyViolation |
| CWE:398 | JAVASCRIPT | The Content-Length header should not have a negative value | OPT.JAVASCRIPT.AvoidNegativeContentLenght |
| CWE:472 | JAVASCRIPT | Cookie Poisoning | OPT.JAVASCRIPT.CookiePoisoning |
| CWE:476 | JAVASCRIPT | Avoid accessing unreliable variable properties | OPT.JAVASCRIPT.AvoidAccesingUnreliableVariableProperties |
| CWE:501 | JAVASCRIPT | Avoid transferring data between localStorage and sessionStorage, as it can expose confidential information | OPT.JAVASCRIPT.AvoidTransferValuesLocalSessionStorage |
| CWE:501 | JAVASCRIPT | Do not use JavaScript to transport sensitive data | OPT.JAVASCRIPT.HijackingAdHocAjax |
| CWE:501 | JAVASCRIPT | Trust boundary violation | OPT.JAVASCRIPT.TrustBoundaryViolation |
| CWE:502 | JAVASCRIPT | Dynamic code injection during object deserialization | OPT.JAVASCRIPT.CodeInjectionWithDeserialization |
| CWE:539 | JAVASCRIPT | Generate server-side cookies with adequate security properties | OPT.JAVASCRIPT.UnsafeCookie |
| CWE:563 | JAVASCRIPT | Avoid unused local variables | OPT.JAVASCRIPT.ERRORCOMUN.UnusedLocalVar |
| CWE:601 | JAVASCRIPT | URL Redirection to Untrusted Site (‘Open Redirect’) | OPT.JAVASCRIPT.OpenRedirect |
| CWE:601 | JAVASCRIPT | Open Redirect (HANA XS) | OPT.JAVASCRIPT.OpenRedirectHanaXS |
| CWE:611 | JAVASCRIPT | XML entity injection | OPT.JAVASCRIPT.XmlEntityInjection |
| CWE:614 | JAVASCRIPT | Generate server-side cookies with adequate security properties | OPT.JAVASCRIPT.UnsafeCookie |
| CWE:615 | JAVASCRIPT | Avoid hard-coded or in-comment passwords in code | OPT.JAVASCRIPT.PasswordInComments |
| CWE:643 | JAVASCRIPT | Improper Neutralization of Data within XPath Expressions (‘XPath Injection’) | OPT.JAVASCRIPT.XPathInjection |
| CWE:644 | JAVASCRIPT | Deactivate the X-Powered-By header | OPT.JAVASCRIPT.HidePoweredByHeader |
| CWE:646 | JAVASCRIPT | Prevent MIME sniffing | OPT.JAVASCRIPT.PreventMIMESniffing |
| CWE:693 | JAVASCRIPT | No clickjacking protection configured | OPT.JAVASCRIPT.ClickjackingProtection |
| CWE:73 | JAVASCRIPT | External Control of File Name or Path | OPT.JAVASCRIPT.PathManipulation |
| CWE:730 | JAVASCRIPT | An attacker could make the program unavailable to legitimate users | OPT.JAVASCRIPT.DenialOfService |
| CWE:77 | JAVASCRIPT | Avoid letting non-neutralized user-controlled input become part of an OS command | OPT.JAVASCRIPT.CommandInjection |
| CWE:776 | JAVASCRIPT | XML entity injection | OPT.JAVASCRIPT.XmlEntityInjection |
| CWE:78 | JAVASCRIPT | Avoid letting non-neutralized user-controlled input become part of an OS command | OPT.JAVASCRIPT.CommandInjection |
| CWE:79 | JAVASCRIPT | Improper neutralization of input during web content generation (Cross-site Scripting, XSS) – AngularJS | OPT.JAVASCRIPT.ANGULARJS.AngularCrossSiteScripting |
| CWE:79 | JAVASCRIPT | Improper neutralization of input during web content generation (Cross-site Scripting, XSS) | OPT.JAVASCRIPT.CrossSiteScripting |
| CWE:79 | JAVASCRIPT | Same Origin Method Execution (SOME) | OPT.JAVASCRIPT.SameOriginMethodExecution |
| CWE:79 | JAVASCRIPT | Web content generation from improperly sanitized database data and unescaped output (Stored Cross-site Scripting, XSS) | OPT.JAVASCRIPT.StoredCrossSiteScripting |
| CWE:79 | JAVASCRIPT | Cross-site scripting protection disabled | OPT.JAVASCRIPT.XssProtectionDisabled |
| CWE:798 | JAVASCRIPT | Empty or hardcoded passwords may compromise system security in a way that cannot be easily remedied | OPT.JAVASCRIPT.EmptyOrHardcodedPassword |
| CWE:80 | JAVASCRIPT | Improper neutralization of input during web content generation (Cross-site Scripting, XSS) – AngularJS | OPT.JAVASCRIPT.ANGULARJS.AngularCrossSiteScripting |
| CWE:80 | JAVASCRIPT | Improper neutralization of input during web content generation (Cross-site Scripting, XSS) | OPT.JAVASCRIPT.CrossSiteScripting |
| CWE:80 | JAVASCRIPT | Web content generation from improperly sanitized database data and unescaped output (Stored Cross-site Scripting, XSS) | OPT.JAVASCRIPT.StoredCrossSiteScripting |
| CWE:80 | JAVASCRIPT | Cross-site scripting protection disabled | OPT.JAVASCRIPT.XssProtectionDisabled |
| CWE:89 | JAVASCRIPT | Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) | OPT.JAVASCRIPT.SqlInjection |
| CWE:90 | JAVASCRIPT | Avoid non-neutralized user-controlled input in LDAP search filters | OPT.JAVASCRIPT.LdapInjection |
| CWE:93 | JAVASCRIPT | Mail Command Injection | OPT.JAVASCRIPT.MailCommandInjection |
| CWE:94 | JAVASCRIPT | Improper Control of Generation of Code (‘Code Injection’) | OPT.JAVASCRIPT.CodeInjection |
| CWE:943 | JAVASCRIPT | Improper neutralization of special elements in data query logic (NoSQL injection) | OPT.JAVASCRIPT.NoSQLInjection |
| CWE:95 | JAVASCRIPT | Client-side Template Injection | OPT.JAVASCRIPT.ClientSideTemplateInjection |
| CWE:95 | JAVASCRIPT | Improper Control of Generation of Code (‘Code Injection’) | OPT.JAVASCRIPT.CodeInjection |
| CWE:95 | JAVASCRIPT | Server-side Template Injection | OPT.JAVASCRIPT.ServerSideTemplateInjection |
| CWE:99 | JAVASCRIPT | Do not allow external input to control resource identifiers | OPT.JAVASCRIPT.ResourceInjection |

 

JSP

| Rule number | Language | Description | Rule |
|---|---|---|---|
| CWE:1022 | JSP | Improper Neutralization of links to external sites | OPT.JSP.SEC_JSP.TargetBlankVulnerability |
| CWE:523 | JSP | Unprotected transport of credentials | OPT.JSP.SEC_JSP.UnprotectedTransportCredential |
| CWE:549 | JSP | Password input field is not masked | OPT.JSP.SEC_JSP.MissingPasswordFieldMasking |
| CWE:598 | JSP | Information exposure through strings sent via GET | OPT.JSP.SEC_JSP.InformationExposureInGetRequest |
| CWE:917 | JSP | Expression Language (EL / OGNL) injection | OPT.JSP.SEC_JSP.ExpressionLanguageInjection |
| CWE:94 | JSP | JSP File Inclusion vulnerability | OPT.JSP.SEC_JSP.FileInclusionVulnerability |
| CWE:95 | JSP | Expression Language (EL / OGNL) injection | OPT.JSP.SEC_JSP.ExpressionLanguageInjection |

 

Kotlin

| Rule number | Language | Description | Rule |
|---|---|---|---|
| CWE:111 | KOTLIN | Native Code Exposed | OPT.KOTLIN.SEC.NativeCodeExposed |
| CWE:200 | KOTLIN | Do not write IP addresses in source code | OPT.KOTLIN.SEC.HardcodedIp |
| CWE:200 | KOTLIN | Generate server-side cookies with adequate security properties | OPT.KOTLIN.SEC.UnsafeCookie |
| CWE:311 | KOTLIN | Insecure transport | OPT.KOTLIN.SEC.InsecureTransport |
| CWE:326 | KOTLIN | Insecure transport | OPT.KOTLIN.SEC.InsecureTransport |
| CWE:359 | KOTLIN | Sensitive information exposed through JSONP | OPT.KOTLIN.SEC.JSONPHijacking |
| CWE:359 | KOTLIN | Password Management – Password in Redirect | OPT.KOTLIN.SEC.PasswordInRedirect |
| CWE:359 | KOTLIN | Exposure of Private Information (‘Privacy Violation’) | OPT.KOTLIN.SEC.PrivacyViolation |
| CWE:502 | KOTLIN | Deserialization of untrusted data | OPT.KOTLIN.SEC.SerializationInjection |
| CWE:539 | KOTLIN | Generate server-side cookies with adequate security properties | OPT.KOTLIN.SEC.UnsafeCookie |
| CWE:561 | KOTLIN | Unreachable (“dead”) code | OPT.KOTLIN.UnreachableCode |
| CWE:581 | KOTLIN | Object Model Violation: only one of equals() and hashCode() defined | OPT.KOTLIN.UnpairedEqualsHashCode |
| CWE:614 | KOTLIN | Generate server-side cookies with adequate security properties | OPT.KOTLIN.SEC.UnsafeCookie |
| CWE:79 | KOTLIN | Same Origin Method Execution (SOME) | OPT.KOTLIN.SEC.SameOriginMethodExecution |

 

Objective-C

| Rule number | Language | Description | Rule |
|---|---|---|---|
| CWE:113 | OBJECTIVEC | Improper Neutralization of CRLF Sequences in HTTP Headers (‘HTTP Response Splitting’) | OPT.OBJECTIVEC.SECURITY.HttpSplittingRule |
| CWE:117 | OBJECTIVEC | Improper Output Neutralization for Logs | OPT.OBJECTIVEC.SECURITY.LogForging |
| CWE:120 | OBJECTIVEC | Avoid C library functions that do not check for bounds | OPT.OBJECTIVEC.AvoidInsecureCStringFunctions |
| CWE:134 | OBJECTIVEC | Exclude unsanitized user input from format strings | OPT.OBJECTIVEC.FormatStringVulnerability |
| CWE:159 | OBJECTIVEC | Connection string polluted with untrusted input | OPT.OBJECTIVEC.SECURITY.ConnectionStringParameterPollution |
| CWE:185 | OBJECTIVEC | Prevent denial of service attack through malicious regular expression | OPT.OBJECTIVEC.DoSRegularExpression |
| CWE:200 | OBJECTIVEC | Do not write IP addresses in source code | OPT.OBJECTIVEC.SECURITY.HardcodedIp |
| CWE:200 | OBJECTIVEC | Generate server-side cookies with adequate security properties | OPT.OBJECTIVEC.SECURITY.UnsafeCookie |
| CWE:209 | OBJECTIVEC | Avoid sensitive information exposure through error messages | OPT.OBJECTIVEC.SECURITY.InformationExposureThroughErrorMessage |
| CWE:22 | OBJECTIVEC | Avoid letting non-neutralized user-controlled input become part of a pathname (file or directory) used in I/O operations | OPT.OBJECTIVEC.PathManipulationVulnerability |
| CWE:235 | OBJECTIVEC | HTTP parameter pollution (HPP) | OPT.OBJECTIVEC.SECURITY.HttpParameterPollutionRule |
| CWE:260 | OBJECTIVEC | Use of credentials in a configuration file | OPT.OBJECTIVEC.SECURITY.PasswordInConfigurationFile |
| CWE:265 | OBJECTIVEC | Avoid performing SMS-related operations | OPT.OBJECTIVEC.SECURITY.AvoidSMS |
| CWE:271 | OBJECTIVEC | Avoid setuid() / setreuid() / setgid() / setregid() to change program privilege levels | OPT.OBJECTIVEC.AvoidConfusingUserIdCalls |
| CWE:284 | OBJECTIVEC | Avoid using sudo programmatically | OPT.OBJECTIVEC.AvoidSudo |
| CWE:285 | OBJECTIVEC | Avoid using sudo programmatically | OPT.OBJECTIVEC.AvoidSudo |
| CWE:295 | OBJECTIVEC | Do not bypass certificate validation failures | OPT.OBJECTIVEC.CertificateVerifyFailedBypass |
| CWE:295 | OBJECTIVEC | Evaluate server certificate trust chain | OPT.OBJECTIVEC.SECURITY.ServerTrustCredentialCheck |
| CWE:311 | OBJECTIVEC | Avoid using HTTP instead of HTTPS | OPT.OBJECTIVEC.InsecureTransportLayer |
| CWE:311 | OBJECTIVEC | Sensitive data stored in CoreData (‘Privacy Violation’) | OPT.OBJECTIVEC.SECURITY.SensitiveCoreData |
| CWE:311 | OBJECTIVEC | Sensitive data stored in a NoSQL database (‘Privacy Violation’) | OPT.OBJECTIVEC.SECURITY.SensitiveNoSQL |
| CWE:311 | OBJECTIVEC | Sensitive data stored in a SQL database (‘Privacy Violation’) | OPT.OBJECTIVEC.SECURITY.SensitiveSQL |
| CWE:311 | OBJECTIVEC | Sensitive data stored in NSUserDefaults (‘Privacy Violation’) | OPT.OBJECTIVEC.SECURITY.SensitiveUserDefaults |
| CWE:312 | OBJECTIVEC | Cleartext Storage of Sensitive Information in a Cookie | OPT.OBJECTIVEC.SECURITY.PlaintextStorageInACookieRule |
| CWE:313 | OBJECTIVEC | HTTP sensitive responses being cached | OPT.OBJECTIVEC.SECURITY.HttpResponseCachingLeak |
| CWE:315 | OBJECTIVEC | Cleartext Storage of Sensitive Information in a Cookie | OPT.OBJECTIVEC.SECURITY.PlaintextStorageInACookieRule |
| CWE:320 | OBJECTIVEC | Hardcoded cryptographic keys | OPT.OBJECTIVEC.SECURITY.HardcodedCryptoKey |
| CWE:320 | OBJECTIVEC | Empty or nil password used in key derivation | OPT.OBJECTIVEC.SECURITY.WeakKeyDerivationPassword |
| CWE:321 | OBJECTIVEC | Hardcoded cryptographic keys | OPT.OBJECTIVEC.SECURITY.HardcodedCryptoKey |
| CWE:321 | OBJECTIVEC | Empty or nil password used in key derivation | OPT.OBJECTIVEC.SECURITY.WeakKeyDerivationPassword |
| CWE:327 | OBJECTIVEC | Weak encryption algorithm | OPT.OBJECTIVEC.WeakEncryption |
| CWE:328 | OBJECTIVEC | Weak cryptographic hashes cannot guarantee data integrity | OPT.OBJECTIVEC.WeakCryptographicHash |
| CWE:359 | OBJECTIVEC | Sensitive data leaked through keyboard cache | OPT.OBJECTIVEC.SECURITY.KeyboardCachingLeak |
| CWE:359 | OBJECTIVEC | Sensitive data leaked through the pasteboard caching mechanism | OPT.OBJECTIVEC.SECURITY.PasteboardCachingLeak |
| CWE:359 | OBJECTIVEC | Exposure of Private Information (‘Privacy Violation’) | OPT.OBJECTIVEC.SECURITY.PrivacyViolation |
| CWE:359 | OBJECTIVEC | Sensitive data leaked through the screen caching mechanism when the app is backgrounded | OPT.OBJECTIVEC.SECURITY.ScreenCachingLeak |
| CWE:359 | OBJECTIVEC | Sensitive data accessed from iTunes (‘Privacy Violation’) | OPT.OBJECTIVEC.SECURITY.SensitiveDataAccessedFromItunes |
| CWE:367 | OBJECTIVEC | Use safe POSIX file-access functions | OPT.OBJECTIVEC.AvoidUnsafeFileFunctions |
| CWE:377 | OBJECTIVEC | Creating and using insecure temporary files can leave application and system data vulnerable to attack | OPT.OBJECTIVEC.SECURITY.InsecureTemporaryFile |
| CWE:467 | OBJECTIVEC | Do not apply the sizeof operator to a pointer when taking the size of an array | OPT.OBJECTIVEC.SizeofPointerInsteadArray |
| CWE:470 | OBJECTIVEC | Avoid external control over performSelector | OPT.OBJECTIVEC.PerformSelectorWithUntrustedData |
| CWE:494 | OBJECTIVEC | Avoid external control over performSelector | OPT.OBJECTIVEC.PerformSelectorWithUntrustedData |
| CWE:499 | OBJECTIVEC | Serializable Class Containing Sensitive Data | OPT.OBJECTIVEC.SECURITY.SerializableClassContainingSensitiveData |
| CWE:501 | OBJECTIVEC | Missing Content Validation | OPT.OBJECTIVEC.SECURITY.MissingContentValidation |
| CWE:502 | OBJECTIVEC | Deserialization of untrusted data | OPT.OBJECTIVEC.SECURITY.SerializationInjection |
| CWE:522 | OBJECTIVEC | User is asked for fingerprints without a reason | OPT.OBJECTIVEC.SECURITY.BiometricWithoutMessage |
| CWE:522 | OBJECTIVEC | Avoid exposing sensitive data to third-party keyboards | OPT.OBJECTIVEC.SECURITY.ThirdPartyKeyboardAllowed |
| CWE:532 | OBJECTIVEC | Exposure of Private Information (‘Privacy Violation’) | OPT.OBJECTIVEC.SECURITY.PrivacyViolation |
| CWE:539 | OBJECTIVEC | Generate server-side cookies with adequate security properties | OPT.OBJECTIVEC.SECURITY.UnsafeCookie |
| CWE:549 | OBJECTIVEC | Password input field is not masked | OPT.OBJECTIVEC.SECURITY.MissingPasswordFieldMasking |
| CWE:563 | OBJECTIVEC | Avoid unused local variables | OPT.OBJECTIVEC.UnusedLocalVar |
| CWE:566 | OBJECTIVEC | Avoid using a user-controlled primary key in a query | OPT.OBJECTIVEC.SECURITY.UserControlledSQLPrimaryKey |
| CWE:601 | OBJECTIVEC | URL Redirection to Untrusted Site (‘Open Redirect’) | OPT.OBJECTIVEC.OpenRedirect |
| CWE:606 | OBJECTIVEC | Unchecked input in loop condition | OPT.OBJECTIVEC.SECURITY.UncheckedInputInLoopCondition |
| CWE:611 | OBJECTIVEC | XML entity injection | OPT.OBJECTIVEC.XMLEntityInjection |
| CWE:614 | OBJECTIVEC | Avoid creating cookies without security attributes | OPT.OBJECTIVEC.CookieWithoutSSL |
| CWE:614 | OBJECTIVEC | Generate server-side cookies with adequate security properties | OPT.OBJECTIVEC.SECURITY.UnsafeCookie |
| CWE:615 | OBJECTIVEC | Storing passwords or password details in plaintext anywhere in the system or system code can compromise system security | OPT.OBJECTIVEC.SECURITY.PasswordInCommentRule |
| CWE:643 | OBJECTIVEC | Improper Neutralization of Data within XPath Expressions (‘XPath Injection’) | OPT.OBJECTIVEC.XPathInjection |
| CWE:684 | OBJECTIVEC | Do not replace secure functions with less secure functions | OPT.OBJECTIVEC.ReplaceWithLessSecureFunc |
| CWE:698 | OBJECTIVEC | Execution After Redirect (EAR) | OPT.OBJECTIVEC.SECURITY.ExecutionAfterRedirect |
| CWE:73 | OBJECTIVEC | Avoid letting non-neutralized user-controlled input become part of a pathname (file or directory) used in I/O operations | OPT.OBJECTIVEC.PathManipulationVulnerability |
| CWE:759 | OBJECTIVEC | Weak cryptographic hashes cannot guarantee data integrity | OPT.OBJECTIVEC.WeakCryptographicHash |
| CWE:760 | OBJECTIVEC | Weak cryptographic hashes cannot guarantee data integrity | OPT.OBJECTIVEC.WeakCryptographicHash |
| CWE:77 | OBJECTIVEC | Do not call system() if you do not need a command processor | OPT.OBJECTIVEC.DoNotUseSystem |
| CWE:77 | OBJECTIVEC | Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) | OPT.OBJECTIVEC.SECURITY.CommandInjectionRule |
| CWE:776 | OBJECTIVEC | XML entity injection | OPT.OBJECTIVEC.XMLEntityInjection |
| CWE:78 | OBJECTIVEC | Do not call system() if you do not need a command processor | OPT.OBJECTIVEC.DoNotUseSystem |
| CWE:78 | OBJECTIVEC | Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) | OPT.OBJECTIVEC.SECURITY.CommandInjectionRule |
| CWE:79 | OBJECTIVEC | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) | OPT.OBJECTIVEC.CrossSiteScripting |
| CWE:798 | OBJECTIVEC | Use of Hard-coded Credentials | OPT.OBJECTIVEC.SECURITY.HardcodedUsernamePassword |
| CWE:829 | OBJECTIVEC | User is asked for fingerprints without a reason | OPT.OBJECTIVEC.SECURITY.BiometricWithoutMessage |
| CWE:829 | OBJECTIVEC | Avoid exposing sensitive data to third-party keyboards | OPT.OBJECTIVEC.SECURITY.ThirdPartyKeyboardAllowed |
| CWE:835 | OBJECTIVEC | Loop with Unreachable Exit Condition (‘Infinite Loop’) | OPT.OBJECTIVEC.SECURITY.PotentialInfiniteLoop |
| CWE:88 | OBJECTIVEC | Do not call system() if you do not need a command processor | OPT.OBJECTIVEC.DoNotUseSystem |
| CWE:89 | OBJECTIVEC | Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) | OPT.OBJECTIVEC.AvoidSqlInjection |
| CWE:91 | OBJECTIVEC | Avoid using non-neutralized user-controlled input in JSON entities – JSON Injection | OPT.OBJECTIVEC.JSONInjection |
| CWE:91 | OBJECTIVEC | XML Injection (aka Blind XPath Injection) | OPT.OBJECTIVEC.SECURITY.XMLInjection |
| CWE:916 | OBJECTIVEC | Iteration count too low in key derivation | OPT.OBJECTIVEC.SECURITY.WeakKeyDerivationIteration |
| CWE:916 | OBJECTIVEC | Weak cryptographic hashes cannot guarantee data integrity | OPT.OBJECTIVEC.WeakCryptographicHash |
| CWE:93 | OBJECTIVEC | Mail Command Injection | OPT.OBJECTIVEC.SECURITY.MailCommandInjection |
| CWE:939 | OBJECTIVEC | URL scheme hijacking through user input | OPT.OBJECTIVEC.SECURITY.URLSchemeHijacking |
| CWE:939 | OBJECTIVEC | Verify invoker application identity | OPT.OBJECTIVEC.URLSchemesHandling |
| CWE:94 | OBJECTIVEC | Improper Control of Generation of Code (‘Code Injection’) | OPT.OBJECTIVEC.CodeInjection |
| CWE:943 | OBJECTIVEC | Improper neutralization of special elements in data query logic (NoSQL injection) | OPT.OBJECTIVEC.SECURITY.NoSQLInjection |
| CWE:95 | OBJECTIVEC | Improper Control of Generation of Code (‘Code Injection’) | OPT.OBJECTIVEC.CodeInjection |
| CWE:99 | OBJECTIVEC | Improper control of resource identifiers (“Resource Injection”) | OPT.OBJECTIVEC.SECURITY.ResourceInjection |

 

Oracle Forms

Rule number | Language | Description | Rule
CWE:89 | ORACLEFORMS | Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) | OPT.ORACLEFORMS.SqlInjection

PHP

Rule number | Language | Description | Rule
CWE:113 | PHP | Improper Neutralization of CRLF Sequences in HTTP Headers (‘HTTP Response Splitting’) | OPT.PHP.HttpSplitting
CWE:116 | PHP | CSV Excel macro injection | OPT.PHP.CsvFormulaInjection
CWE:117 | PHP | Improper Output Neutralization for Logs | OPT.PHP.LogForging
CWE:129 | PHP | Array index coming from a non-neutralized vulnerable input | OPT.PHP.SEC.ImproperValidationOfArrayIndex
CWE:134 | PHP | Exclude unsanitized user input from format strings | OPT.PHP.SEC.FormatStringInjectionRule
CWE:15 | PHP | External Control of System or Configuration Setting | OPT.PHP.SEC.ExternalControlOfConfigurationSetting
CWE:159 | PHP | Connection string polluted with untrusted input | OPT.PHP.ConnectionStringParameterPollution
CWE:16 | PHP | Avoid insecure configuration settings in php.ini / .htaccess descriptors | OPT.PHP.InsecurePhpConfiguration
CWE:16 | PHP | Weak session cookies configuration | OPT.PHP.SessionCookieConfiguration
CWE:185 | PHP | Prevent denial of service attack through malicious regular expression (‘Regex Injection’) | OPT.PHP.DoSRegexp
CWE:200 | PHP | Zend framework session management configuration | OPT.PHP.ZendConfiguration
CWE:209 | PHP | Avoid sensitive information exposure through error messages | OPT.PHP.InformationExposureThroughErrorMessage
CWE:22 | PHP | Avoid non-neutralized user-controlled input to be part of a pathname (file or directory) used in I/O operations | OPT.PHP.PathTraversal
CWE:235 | PHP | HTTP parameter pollution (HPP) | OPT.PHP.HttpParameterPollution
CWE:256 | PHP | Plaintext Storage of a Password | OPT.PHP.SEC.PlaintextStorageOfPassword
CWE:310 | PHP | Weak cryptography, insufficient key length | OPT.PHP.SEC.InsufficientKeySizeRule
CWE:311 | PHP | Avoid using HTTP instead of HTTPS | OPT.PHP.HttpToSendData
CWE:311 | PHP | Encrypt sensitive data before transmission or storage | OPT.PHP.MissingEncryptionOfSensitiveData
CWE:312 | PHP | Cleartext Storage of Sensitive Information in a Cookie | OPT.PHP.SEC.PlaintextStorageInACookieRule
CWE:315 | PHP | Cleartext Storage of Sensitive Information in a Cookie | OPT.PHP.SEC.PlaintextStorageInACookieRule
CWE:320 | PHP | Use of Hard-coded Cryptographic Key | OPT.PHP.HardcodedCryptoKey
CWE:320 | PHP | Weak cryptography, insufficient key length | OPT.PHP.SEC.InsufficientKeySizeRule
CWE:321 | PHP | Use of Hard-coded Cryptographic Key | OPT.PHP.HardcodedCryptoKey
CWE:326 | PHP | Weak cryptography, insufficient key length | OPT.PHP.SEC.InsufficientKeySizeRule
CWE:327 | PHP | Weak cryptographic hash | OPT.PHP.WeakCryptographicHash
CWE:327 | PHP | Weak symmetric encryption algorithm | OPT.PHP.WeakEncryptionAlgorithm
CWE:330 | PHP | Standard pseudo-random number generators cannot withstand cryptographic attacks | OPT.PHP.InsecureRandomness
CWE:338 | PHP | Standard pseudo-random number generators cannot withstand cryptographic attacks | OPT.PHP.InsecureRandomness
CWE:346 | PHP | CORS policy (Cross-origin resource sharing) too broad | OPT.PHP.TooBroadCORSPolicy
CWE:352 | PHP | Cross-Site Request Forgery (CSRF) | OPT.PHP.CrossSiteRequestForgery
CWE:359 | PHP | Exposure of Private Information | OPT.PHP.PrivacyViolation
CWE:359 | PHP | Password Management – Password in Redirect | OPT.PHP.SEC.PasswordInRedirectRule
CWE:434 | PHP | Unrestricted Upload of File with Dangerous Type | OPT.PHP.DangerousFileUpload
CWE:473 | PHP | PHP External Variable Modification | OPT.PHP.ExternalVariableModification
CWE:489 | PHP | CakePHP framework weak configuration | OPT.PHP.CakePHPConfiguration
CWE:489 | PHP | Do not use debug statements in production | OPT.PHP.NoUseDebugStatements
CWE:501 | PHP | Trust boundary violation | OPT.PHP.SEC.TrustBoundaryViolationRule
CWE:502 | PHP | Deserialization of untrusted data | OPT.PHP.SerializationInjection
CWE:522 | PHP | Plaintext Storage of a Password | OPT.PHP.SEC.PlaintextStorageOfPassword
CWE:539 | PHP | Weak cookies configuration | OPT.PHP.CookiesConfiguration
CWE:539 | PHP | Weak session cookies configuration | OPT.PHP.SessionCookieConfiguration
CWE:563 | PHP | Avoid unused local variables | OPT.PHP.UnusedLocalVar
CWE:566 | PHP | Avoid using a user-controlled primary key in a query | OPT.PHP.SEC.UserControlledSQLPrimaryKey
CWE:601 | PHP | URL Redirection to Untrusted Site (‘Open Redirect’) | OPT.PHP.OpenRedirect
CWE:606 | PHP | Unchecked input in loop condition | OPT.PHP.SEC.UncheckedInputInLoopCondition
CWE:611 | PHP | XML entity injection | OPT.PHP.XmlEntityInjection
CWE:613 | PHP | CakePHP framework weak configuration | OPT.PHP.CakePHPConfiguration
CWE:613 | PHP | Checks that session expiration interval does not exceed a limit | OPT.PHP.SEC.InsufficientSessionExpirationRule
CWE:614 | PHP | Weak session cookies configuration | OPT.PHP.SessionCookieConfiguration
CWE:614 | PHP | Zend framework session management configuration | OPT.PHP.ZendConfiguration
CWE:615 | PHP | Use of empty or hardcoded password, or storing password in comments | OPT.PHP.PasswordManagement
CWE:643 | PHP | Improper Neutralization of Data within XPath Expressions (‘XPath Injection’) | OPT.PHP.XPathInjection
CWE:676 | PHP | Use of Potentially Dangerous Function | OPT.PHP.UnsafeFunction
CWE:698 | PHP | Execution After Redirect (EAR) | OPT.PHP.SEC.ExecutionAfterRedirect
CWE:73 | PHP | Avoid non-neutralized user-controlled input to be part of a pathname (file or directory) used in I/O operations | OPT.PHP.PathTraversal
CWE:760 | PHP | Use of hardcoded salt | OPT.PHP.HardcodedSalt
CWE:77 | PHP | Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) | OPT.PHP.CommandInjection
CWE:776 | PHP | XML entity injection | OPT.PHP.XmlEntityInjection
CWE:78 | PHP | Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) | OPT.PHP.CommandInjection
CWE:784 | PHP | Reliance on Cookies without Validation and Integrity Checking in a Security Decision | OPT.PHP.SEC.CookiesInSecurityDecision
CWE:79 | PHP | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) | OPT.PHP.CrossSiteScripting
CWE:79 | PHP | Improper neutralization of stored data during web content generation (Cross-site Scripting, XSS) | OPT.PHP.StoredCrossSiteScripting
CWE:835 | PHP | Loop with Unreachable Exit Condition (‘Infinite Loop’) | OPT.PHP.SEC.PotentialInfiniteLoop
CWE:862 | PHP | Inadequate authorization check to access a resource or perform an action | OPT.PHP.MissingAuthorization
CWE:89 | PHP | Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) | OPT.PHP.SqlInjection
CWE:90 | PHP | Avoid non-neutralized user-controlled input in LDAP search filters | OPT.PHP.LdapInjection
CWE:91 | PHP | XML Injection (aka Blind XPath Injection) | OPT.PHP.SEC.XsltInjection
CWE:918 | PHP | Server-Side Request Forgery (SSRF) | OPT.PHP.ServerSideRequestForgery
CWE:93 | PHP | SMTP Header manipulation | OPT.PHP.MailHeaderManipulation
CWE:93 | PHP | Mail Command Injection | OPT.PHP.SEC.MailCommandInjection
CWE:943 | PHP | Improper neutralization of special elements in data query logic (NoSQL injection) | OPT.PHP.SEC.NoSQLInjection
CWE:95 | PHP | Do not use eval() | OPT.PHP.AvoidEval
CWE:95 | PHP | Improper Neutralization of Directives in Dynamically Evaluated Code (‘Eval Injection’) | OPT.PHP.CodeInjection
CWE:98 | PHP | Improper Control of filename for include / require statement | OPT.PHP.IncludeFileInjection
CWE:99 | PHP | Improper Control of Resource Identifiers (‘Resource Injection’) | OPT.PHP.ResourceInjection

PL/SQL

Rule number | Language | Description | Rule
CWE:113 | PLSQL | Unvalidated data in HTTP response header or in cookies (‘HTTP Response Splitting’) | OPT.PLSQL.SEC.HeaderManipulation
CWE:22 | PLSQL | External Control of File Name or Path | OPT.PLSQL.SEC.PathTraversal
CWE:242 | PLSQL | Dangerous procedure / function called | OPT.PLSQL.SEC.ForbiddenCall
CWE:266 | PLSQL | Too broad privileges granted | OPT.PLSQL.SEC.TooBroadGrant
CWE:269 | PLSQL | No explicit AUTHID clause | OPT.PLSQL.SEC.DefaultAuthid
CWE:327 | PLSQL | Weak cryptographic hashes cannot guarantee data integrity | OPT.PLSQL.SEC.WeakCryptographicHash
CWE:327 | PLSQL | Weak symmetric encryption algorithm | OPT.PLSQL.SEC.WeakSymmetricEncryptionAlgorithm
CWE:330 | PLSQL | Standard pseudo-random number generators cannot withstand cryptographic attacks | OPT.PLSQL.SEC.InsecureRandomness
CWE:338 | PLSQL | Standard pseudo-random number generators cannot withstand cryptographic attacks | OPT.PLSQL.SEC.InsecureRandomness
CWE:391 | PLSQL | Avoid WHEN OTHERS THEN NULL in exceptions | OPT.PLSQL.GEN_PLSQL.GER3
CWE:404 | PLSQL | Close all opened cursors | OPT.PLSQL.GEN_PLSQL.CC
CWE:404 | PLSQL | Close all opened ref cursors | OPT.PLSQL.GEN_PLSQL.CRC
CWE:506 | PLSQL | Potential malicious code | OPT.PLSQL.SEC.SuspiciousCode
CWE:563 | PLSQL | Detects local variables declared but not used | OPT.PLSQL.CNU_PLSQL.UselessVar
CWE:566 | PLSQL | Avoid using a user-controlled primary key in a query | OPT.PLSQL.SEC.UserControlledSQLPrimaryKey
CWE:601 | PLSQL | Do not allow unvalidated input to control the URL used in a redirect | OPT.PLSQL.SEC.OpenRedirect
CWE:619 | PLSQL | Cursor Snarfing | OPT.PLSQL.SEC.CursorSnarfing
CWE:706 | PLSQL | Unqualified database items in AUTHID CURRENT_USER routine | OPT.PLSQL.SEC.UnqualifiedItemAtInvokerRightsRoutine
CWE:730 | PLSQL | Denial of Service by externally controlled sleep time | OPT.PLSQL.SEC.SleepInjection
CWE:77 | PLSQL | Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) | OPT.PLSQL.SEC.CommandInjection
CWE:79 | PLSQL | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) | OPT.PLSQL.SEC.CrossSiteScripting
CWE:79 | PLSQL | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) | OPT.PLSQL.SEC.PersistedCrossSiteScripting
CWE:798 | PLSQL | Use of Hard-coded Credentials | OPT.PLSQL.SEC.HardcodedCredential
CWE:89 | PLSQL | Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) | OPT.PLSQL.SEC.SqlInjection
CWE:918 | PLSQL | Server-Side Request Forgery (SSRF) | OPT.PLSQL.SEC.ServerSideRequestForgery

Python

Rule number | Language | Description | Rule
CWE:1004 | PYTHON | Cookie-based session with an unsafe configuration | OPT.PYTHON.DJANGO.CookieBasedSessions
CWE:1004 | PYTHON | Generate server-side cookies with adequate security properties | OPT.PYTHON.SECURITY.UnsafeCookie
CWE:113 | PYTHON | Avoid including unvalidated data in HTTP response header or in Cookies | OPT.PYTHON.SECURITY.HeaderManipulation
CWE:117 | PYTHON | Unvalidated untrusted input in log | OPT.PYTHON.SECURITY.LogForging
CWE:134 | PYTHON | Exclude unsanitized user input from format strings | OPT.PYTHON.SECURITY.FormatStringInjectionRule
CWE:185 | PYTHON | Potential denial-of-service attack through malicious regular expression (ReDoS) | OPT.PYTHON.SECURITY.DoSRegexp
CWE:20 | PYTHON | Avoid non-neutralized user-controlled input to be stored into a cache | OPT.PYTHON.SECURITY.MemcachedInjection
CWE:200 | PYTHON | Do not write IP address in source code | OPT.PYTHON.SECURITY.HardcodedIp
CWE:200 | PYTHON | Generate server-side cookies with adequate security properties | OPT.PYTHON.SECURITY.UnsafeCookie
CWE:209 | PYTHON | Avoid sensitive information exposure through error messages | OPT.PYTHON.SECURITY.InformationExposureThroughErrorMessage
CWE:22 | PYTHON | Avoid non-neutralized user-controlled input to be part of a pathname (file or directory) used in I/O operations | OPT.PYTHON.SECURITY.PathTraversal
CWE:235 | PYTHON | HTTP parameter pollution (HPP) | OPT.PYTHON.SECURITY.HttpParameterPollutionRule
CWE:259 | PYTHON | Empty or hardcoded passwords may compromise system security in a way that cannot be easily remedied | OPT.PYTHON.SECURITY.HardcodedCredential
CWE:260 | PYTHON | Use of credentials in configuration file | OPT.PYTHON.SECURITY.PasswordInConfigurationFile
CWE:285 | PYTHON | Perform an authorization check when performing an action which requires authorization | OPT.PYTHON.DJANGO.MissingFunctionLevelAccessControl
CWE:287 | PYTHON | Perform an authorization check when performing an action which requires authorization | OPT.PYTHON.DJANGO.MissingFunctionLevelAccessControl
CWE:310 | PYTHON | Weak cryptography, insufficient key length | OPT.PYTHON.SECURITY.InsufficientKeySizeRule
CWE:311 | PYTHON | Insecure transport | OPT.PYTHON.SECURITY.InsecureTransport
CWE:311 | PYTHON | Insecure transport in HTTP servers | OPT.PYTHON.SECURITY.ServerInsecureTransport
CWE:312 | PYTHON | Cleartext Storage of Sensitive Information in a Cookie | OPT.PYTHON.SECURITY.PlaintextStorageInACookieRule
CWE:315 | PYTHON | Cleartext Storage of Sensitive Information in a Cookie | OPT.PYTHON.SECURITY.PlaintextStorageInACookieRule
CWE:320 | PYTHON | Hardcoded cryptographic keys | OPT.PYTHON.SECURITY.HardcodedCryptoKey
CWE:320 | PYTHON | Weak cryptography, insufficient key length | OPT.PYTHON.SECURITY.InsufficientKeySizeRule
CWE:321 | PYTHON | Hardcoded cryptographic keys | OPT.PYTHON.SECURITY.HardcodedCryptoKey
CWE:326 | PYTHON | Weak cryptography, insufficient key length | OPT.PYTHON.SECURITY.InsufficientKeySizeRule
CWE:327 | PYTHON | Weak cryptographic hash | OPT.PYTHON.SECURITY.WeakCryptographicHash
CWE:327 | PYTHON | Weak symmetric encryption algorithm | OPT.PYTHON.SECURITY.WeakEncryptionAlgorithm
CWE:328 | PYTHON | Weak cryptographic hashes cannot guarantee data integrity | OPT.PYTHON.DJANGO.WeakCryptographicHashInSettings
CWE:329 | PYTHON | Not using a Random IV with CBC Mode | OPT.PYTHON.SECURITY.NonRandomIVWithCBCMode
CWE:330 | PYTHON | Standard pseudo-random number generators cannot withstand cryptographic attacks | OPT.PYTHON.SECURITY.InsecureRandomness
CWE:338 | PYTHON | Standard pseudo-random number generators cannot withstand cryptographic attacks | OPT.PYTHON.SECURITY.InsecureRandomness
CWE:345 | PYTHON | Avoid using non-neutralized user-controlled input into JSON entities – JSON Injection | OPT.PYTHON.SECURITY.JSONInjection
CWE:346 | PYTHON | CORS policy (Cross-origin resource sharing) too broad | OPT.PYTHON.SECURITY.TooMuchOriginsAllowedRule
CWE:350 | PYTHON | Avoid checks on client-side hostname, which are not reliable due to DNS poisoning | OPT.PYTHON.SECURITY.AvoidHostNameChecksRule
CWE:352 | PYTHON | Cross-site request forgery (CSRF) | OPT.PYTHON.SECURITY.CrossSiteRequestForgery
CWE:359 | PYTHON | Password Management – Password in Redirect | OPT.PYTHON.SECURITY.PasswordInRedirectRule
CWE:391 | PYTHON | Unhandled SSL exception | OPT.PYTHON.SECURITY.UnhandledSSLErrorRule
CWE:426 | PYTHON | Do not hardcode absolute paths | OPT.PYTHON.PORTABILITY.HardcodedAbsolutePath
CWE:470 | PYTHON | Use of Externally-Controlled Input to Select Classes or Code (‘Unsafe Reflection’) | OPT.PYTHON.SECURITY.UnsafeReflection
CWE:472 | PYTHON | Cookie Poisoning | OPT.PYTHON.SECURITY.CookiePoisoning
CWE:501 | PYTHON | Trust boundary violation | OPT.PYTHON.SECURITY.TrustBoundary
CWE:502 | PYTHON | Deserialization of untrusted data | OPT.PYTHON.SECURITY.SerializationInjection
CWE:532 | PYTHON | Avoid exposing sensitive information through log | OPT.PYTHON.SECURITY.InformationExposureThroughDebugLog
CWE:539 | PYTHON | Generate server-side cookies with adequate security properties | OPT.PYTHON.SECURITY.UnsafeCookie
CWE:561 | PYTHON | Avoid dead code | OPT.PYTHON.MAINTAINABILITY.DeadCode
CWE:561 | PYTHON | Statements after a jump are dead code | OPT.PYTHON.MAINTAINABILITY.RemoveStatementsAfterJump
CWE:561 | PYTHON | Avoid unreachable code | OPT.PYTHON.RELIABILITY.UnreachableCode
CWE:566 | PYTHON | Avoid using a user-controlled primary key in a query | OPT.PYTHON.SECURITY.UserControlledSQLPrimaryKey
CWE:601 | PYTHON | Do not allow unvalidated input to control the URL used in a redirect | OPT.PYTHON.SECURITY.OpenRedirect
CWE:606 | PYTHON | Unchecked input in loop condition | OPT.PYTHON.SECURITY.UncheckedInputInLoopCondition
CWE:611 | PYTHON | XML entity injection | OPT.PYTHON.SECURITY.XmlEntityInjection
CWE:613 | PYTHON | Checks that session expiration interval is positive and does not exceed a limit | OPT.PYTHON.DJANGO.InsufficientDjangoSettingsSessionExpiration
CWE:613 | PYTHON | Checks that session expiration interval is positive and does not exceed a limit | OPT.PYTHON.SECURITY.InsufficientSessionExpirationRule
CWE:614 | PYTHON | Generate server-side cookies with adequate security properties | OPT.PYTHON.SECURITY.UnsafeCookie
CWE:615 | PYTHON | Storing passwords or password details in plaintext anywhere in the system or system code can compromise system security | OPT.PYTHON.SECURITY.PasswordInComments
CWE:639 | PYTHON | Check for user authentication and/or authorization before letting the user modify a sensitive system resource | OPT.PYTHON.DJANGO.InsecureDirectObjectReferences
CWE:643 | PYTHON | Avoid XPath expressions formed with non-neutralized user input | OPT.PYTHON.SECURITY.XpathInjection
CWE:698 | PYTHON | Execution After Redirect (EAR) | OPT.PYTHON.SECURITY.ExecutionAfterRedirect
CWE:73 | PYTHON | Avoid non-neutralized user-controlled input to be part of a pathname (file or directory) used in I/O operations | OPT.PYTHON.SECURITY.PathTraversal
CWE:760 | PYTHON | Use of hardcoded salt | OPT.PYTHON.SECURITY.HardcodedSalt
CWE:77 | PYTHON | Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) | OPT.PYTHON.SECURITY.CommandInjection
CWE:776 | PYTHON | XML entity injection | OPT.PYTHON.SECURITY.XmlEntityInjection
CWE:78 | PYTHON | Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) | OPT.PYTHON.SECURITY.CommandInjection
CWE:784 | PYTHON | Reliance on Cookies without Validation and Integrity Checking in a Security Decision | OPT.PYTHON.SECURITY.CookiesInSecurityDecision
CWE:79 | PYTHON | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) | OPT.PYTHON.SECURITY.CrossSiteScripting
CWE:79 | PYTHON | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) | OPT.PYTHON.SECURITY.StoredCrossSiteScripting
CWE:798 | PYTHON | Use of Hard-coded Credentials | OPT.PYTHON.SECURITY.HardcodedAuthData
CWE:798 | PYTHON | Empty or hardcoded passwords may compromise system security in a way that cannot be easily remedied | OPT.PYTHON.SECURITY.HardcodedCredential
CWE:80 | PYTHON | Secure browser XSS filter | OPT.PYTHON.DJANGO.MissingBrowserXssFilter
CWE:835 | PYTHON | Loop with Unreachable Exit Condition (‘Infinite Loop’) | OPT.PYTHON.SECURITY.PotentialInfiniteLoop
CWE:89 | PYTHON | Avoid SQL code formed with non-neutralized user input (vulnerable to SQL Injection attacks) | OPT.PYTHON.SECURITY.SqlInjection
CWE:90 | PYTHON | Avoid non-neutralized user-controlled input in LDAP search filters | OPT.PYTHON.SECURITY.LdapInjection
CWE:91 | PYTHON | Avoid using non-neutralized user-controlled input when creating XML documents | OPT.PYTHON.SECURITY.XmlInjection
CWE:915 | PYTHON | Insufficient form fields validation | OPT.PYTHON.DJANGO.MassAssigmentAttack
CWE:918 | PYTHON | Creation of requests from a vulnerable server using untrusted input (server side request forgery, SSRF) | OPT.PYTHON.SECURITY.ServerSideRequestForgery
CWE:93 | PYTHON | Mail Command Injection | OPT.PYTHON.SECURITY.MailCommandInjection
CWE:94 | PYTHON | Avoid non-neutralized user-controlled input in dynamic code evaluation | OPT.PYTHON.SECURITY.CodeInjection
CWE:943 | PYTHON | Improper neutralization of special elements in data query logic (NoSQL injection) | OPT.PYTHON.SECURITY.NoSQLInjection
CWE:99 | PYTHON | Improper control of resource identifiers (“Resource Injection”) | OPT.PYTHON.SECURITY.ResourceInjection

RPG4

Rule number | Language | Description | Rule
CWE:114 | RPG4 | Avoid calling a subprogram whose name could be controlled by user input | OPT.RPG4.SEC.ProcessControl
CWE:200 | RPG4 | Every READE command must be preceded by SETLL | OPT.RPG4.SEC.PositionBeforeReadFile
CWE:215 | RPG4 | Information Exposure Through Debug Information | OPT.RPG4.SEC.NoActiveDebugRule
CWE:22 | RPG4 | External Control of File Name or Path | OPT.RPG4.SEC.PathManipulation
CWE:252 | RPG4 | Validate return code for cryptographic operations | OPT.RPG4.SEC.CheckCryptoReturnCode
CWE:272 | RPG4 | Least privilege failure due to special authority granted | OPT.RPG4.SEC.SpecialAuthorityGranted
CWE:327 | RPG4 | Weak encryption algorithm | OPT.RPG4.SEC.WeakEncryptionAlgorithm
CWE:328 | RPG4 | Weak cryptographic hashes cannot guarantee data integrity | OPT.RPG4.SEC.WeakCryptoHash
CWE:391 | RPG4 | Ignoring error conditions may allow an attacker to induce unexpected behavior unnoticed | OPT.RPG4.SEC.PoorErrorHandling
CWE:401 | RPG4 | Check that allocated memory is properly freed | OPT.RPG4.REL.AllocHeapMisuse
CWE:415 | RPG4 | Check that allocated memory is properly freed | OPT.RPG4.REL.AllocHeapMisuse
CWE:416 | RPG4 | Check that allocated memory is properly freed | OPT.RPG4.REL.AllocHeapMisuse
CWE:489 | RPG4 | Do not use DEBUG in control-specification statements | OPT.RPG4.AvoidDebugControlSentences
CWE:566 | RPG4 | Authorization Bypass Through User-Controlled SQL Primary Key | OPT.RPG4.SEC.UnexpectedKeySelect
CWE:628 | RPG4 | Parameter mismatch in CALL | OPT.RPG4.REL.CallParameterMismatch
CWE:639 | RPG4 | A record UPDATE or DELETE operation must be preceded by a record read operation (CHAIN or READxxx) | OPT.RPG4.SEC.ReadRecordBeforeUpdateDelete
CWE:710 | RPG4 | Do not use GOTO / TAG, CABXX and COMP statements | OPT.RPG4.AvoidDangerousConditionalSentences
CWE:73 | RPG4 | External Control of File Name or Path | OPT.RPG4.SEC.PathManipulation
CWE:77 | RPG4 | Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) | OPT.RPG4.SEC.OSCommandInjection
CWE:78 | RPG4 | Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) | OPT.RPG4.SEC.OSCommandInjection
CWE:823 | RPG4 | Avoid pointer arithmetic in RPG | OPT.RPG4.SEC.PointerArithmetic
CWE:89 | RPG4 | Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) | OPT.RPG4.SEC.SqlInjection

Scala

Rule number | Language | Description | Rule
CWE:111 | SCALA | Avoid calls from Scala to native (JNI) code | OPT.SCALA.SECURITY.AvoidNativeCalls
CWE:113 | SCALA | Improper Neutralization of CRLF Sequences in HTTP Headers (‘HTTP Response Splitting’) | OPT.SCALA.SECURITY.HttpSplitting
CWE:114 | SCALA | Library loaded from untrusted source | OPT.SCALA.SECURITY.ProcessControl
CWE:117 | SCALA | Improper Output Neutralization for Logs | OPT.SCALA.SECURITY.LogForging
CWE:134 | SCALA | Exclude unsanitized user input from format strings | OPT.SCALA.SECURITY.FormatStringInjection
CWE:15 | SCALA | Security misconfiguration in Akka framework | OPT.SCALA.SECURITY.AkkaSecurityMisconfiguration
CWE:15 | SCALA | External Control of System or Configuration Setting | OPT.SCALA.SECURITY.ExternalControlOfConfigurationSetting
CWE:159 | SCALA | Connection string polluted with untrusted input | OPT.SCALA.SECURITY.ConnectionStringParameterPollution
CWE:185 | SCALA | Prevent denial of service attack through malicious regular expression (‘Regex Injection’) | OPT.SCALA.SECURITY.RegexInjection
CWE:200 | SCALA | Security misconfiguration in Akka framework | OPT.SCALA.SECURITY.AkkaSecurityMisconfiguration
CWE:200 | SCALA | Do not write IP address in source code | OPT.SCALA.SECURITY.HardcodedIp
CWE:200 | SCALA | Generate server-side cookies with adequate security properties | OPT.SCALA.SECURITY.UnsafeCookie
CWE:209 | SCALA | Avoid sensitive information exposure through error messages | OPT.SCALA.SECURITY.InformationExposureThroughErrorMessage
CWE:22 | SCALA | Avoid non-neutralized user-controlled input composed in a pathname to a resource | OPT.SCALA.SECURITY.PathTraversal
CWE:235 | SCALA | HTTP parameter pollution (HPP) | OPT.SCALA.SECURITY.HttpParameterPollution
CWE:256 | SCALA | Plaintext Storage of a Password | OPT.SCALA.SECURITY.PlaintextStorageOfPassword
CWE:260 | SCALA | Use of credentials in configuration file | OPT.SCALA.SECURITY.PasswordInConfigurationFile
CWE:285 | SCALA | Access Control – Anonymous LDAP Bind | OPT.SCALA.SECURITY.AnonymousLdapBind
CWE:310 | SCALA | Weak cryptography, insufficient key length | OPT.SCALA.SECURITY.InsufficientKeySize
CWE:311 | SCALA | Security misconfiguration in Akka framework | OPT.SCALA.SECURITY.AkkaSecurityMisconfiguration
CWE:311 | SCALA | Insecure transport | OPT.SCALA.SECURITY.InsecureTransport
CWE:312 | SCALA | Cleartext Storage of Sensitive Information in a Cookie | OPT.SCALA.SECURITY.PlaintextStorageInACookieRule
CWE:315 | SCALA | Cleartext Storage of Sensitive Information in a Cookie | OPT.SCALA.SECURITY.PlaintextStorageInACookieRule
CWE:320 | SCALA | Hardcoded cryptographic keys | OPT.SCALA.SECURITY.HardcodedCryptoKey
CWE:320 | SCALA | Weak cryptography, insufficient key length | OPT.SCALA.SECURITY.InsufficientKeySize
CWE:321 | SCALA | Hardcoded cryptographic keys | OPT.SCALA.SECURITY.HardcodedCryptoKey
CWE:325 | SCALA | Inadequate padding | OPT.SCALA.SECURITY.InadequatePadding
CWE:326 | SCALA | Insecure transport | OPT.SCALA.SECURITY.InsecureTransport
CWE:326 | SCALA | Weak cryptography, insufficient key length | OPT.SCALA.SECURITY.InsufficientKeySize
CWE:327 | SCALA | Weak symmetric encryption algorithm | OPT.SCALA.SECURITY.WeakEncryption
CWE:328 | SCALA | Weak cryptographic hash | OPT.SCALA.SECURITY.WeakCryptographicHash
CWE:329 | SCALA | Not using a Random IV with CBC Mode | OPT.SCALA.SECURITY.NonRandomIVWithCBCMode
CWE:330 | SCALA | Standard pseudo-random number generators cannot withstand cryptographic attacks | OPT.SCALA.SECURITY.InsecureRandomness
CWE:338 | SCALA | Standard pseudo-random number generators cannot withstand cryptographic attacks | OPT.SCALA.SECURITY.InsecureRandomness
CWE:345 | SCALA | Avoid using non-neutralized user-controlled input into JSON entities – JSON Injection | OPT.SCALA.SECURITY.JSONInjection
CWE:346 | SCALA | Too many allowed origins in HTML5 Access-Control-Allow-Origin header | OPT.SCALA.SECURITY.TooBroadCORSPolicy
CWE:350 | SCALA | Avoid checks on client-side hostname, which are not reliable due to DNS poisoning | OPT.SCALA.SECURITY.AvoidHostNameChecks
CWE:352 | SCALA | Cross-site request forgery (CSRF) | OPT.SCALA.SECURITY.CrossSiteRequestForgery
CWE:359 | SCALA | Sensitive information exposed through JSONP | OPT.SCALA.SECURITY.JSONPHijacking
CWE:359 | SCALA | Password Management – Password in Redirect | OPT.SCALA.SECURITY.PasswordInRedirect
CWE:359 | SCALA | Exposure of Private Information (‘Privacy Violation’) | OPT.SCALA.SECURITY.PrivacyViolation
CWE:400 | SCALA | Security misconfiguration in Akka framework | OPT.SCALA.SECURITY.AkkaSecurityMisconfiguration
CWE:470 | SCALA | Use of Externally-Controlled Input to Select Classes or Code (‘Unsafe Reflection’) | OPT.SCALA.SECURITY.UnsafeReflection
CWE:494 | SCALA | Library loaded from untrusted source | OPT.SCALA.SECURITY.ProcessControl
CWE:499 | SCALA | Serializable Class Containing Sensitive Data | OPT.SCALA.SECURITY.SerializableClassContainingSensitiveData
CWE:501 | SCALA | Trust boundary violation | OPT.SCALA.SECURITY.TrustBoundaryViolation
CWE:502 | SCALA | Security misconfiguration in Akka framework | OPT.SCALA.SECURITY.AkkaSecurityMisconfiguration
CWE:502 | SCALA | Deserialization of untrusted data | OPT.SCALA.SECURITY.SerializationInjection
CWE:522 | SCALA | Use of credentials in configuration file | OPT.SCALA.SECURITY.PasswordInConfigurationFile
CWE:539 | SCALA | Generate server-side cookies with adequate security properties | OPT.SCALA.SECURITY.UnsafeCookie
CWE:566 | SCALA | Avoid using a user-controlled primary key in a query | OPT.SCALA.SECURITY.UserControlledSQLPrimaryKey
CWE:601 | SCALA | URL Redirection to Untrusted Site (‘Open Redirect’) | OPT.SCALA.SECURITY.ExecutionAfterRedirect
CWE:601 | SCALA | Do not allow unvalidated input to control the URL used in a redirect | OPT.SCALA.SECURITY.OpenRedirect
CWE:606 | SCALA | Unchecked input in loop condition | OPT.SCALA.SECURITY.UncheckedInputInLoopCondition
CWE:611 | SCALA | XML entity injection | OPT.SCALA.SECURITY.XmlEntityInjection
CWE:613 | SCALA | Security misconfiguration in Akka framework | OPT.SCALA.SECURITY.AkkaSecurityMisconfiguration
CWE:614 | SCALA | Generate server-side cookies with adequate security properties | OPT.SCALA.SECURITY.UnsafeCookie
CWE:643 | SCALA | Improper Neutralization of Data within XPath Expressions (‘XPath Injection’) | OPT.SCALA.SECURITY.XPathInjection
CWE:676 | SCALA | Library loaded from untrusted source | OPT.SCALA.SECURITY.ProcessControl
CWE:760 | SCALA | A hardcoded salt can compromise system security | OPT.SCALA.SECURITY.HardcodedSalt
CWE:77 | SCALA | Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) | OPT.SCALA.SECURITY.CommandInjection
CWE:776 | SCALA | XML entity injection | OPT.SCALA.SECURITY.XmlEntityInjection
CWE:78 | SCALA | Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) | OPT.SCALA.SECURITY.CommandInjection
CWE:784 | SCALA | Reliance on Cookies without Validation and Integrity Checking in a Security Decision | OPT.SCALA.SECURITY.CookiesInSecurityDecision
CWE:79 | SCALA | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) | OPT.SCALA.SECURITY.CrossSiteScripting
CWE:79 | SCALA | Same Origin Method Execution (SOME) | OPT.SCALA.SECURITY.SameOriginMethodExecution
CWE:798 | SCALA | Use of Hard-coded Credentials | OPT.SCALA.SECURITY.HardcodedUsernamePassword
CWE:835 | SCALA | Loop with Unreachable Exit Condition (‘Infinite Loop’) | OPT.SCALA.SECURITY.PotentialInfiniteLoop
CWE:89 | SCALA | Avoid SQL code formed with non-neutralized user input (vulnerable to SQL Injection attacks) | OPT.SCALA.SECURITY.SqlInjection
CWE:90 | SCALA | Avoid non-neutralized user-controlled input in LDAP search filters | OPT.SCALA.SECURITY.LdapInjection
CWE:91 | SCALA | XML Injection (aka Blind XPath Injection) | OPT.SCALA.SECURITY.XsltInjection
CWE:918 | SCALA | Creation of requests from a vulnerable server using untrusted input (server side request forgery, SSRF) | OPT.SCALA.SECURITY.ServerSideRequestForgery
CWE:93 | SCALA | Mail Command Injection | OPT.SCALA.SECURITY.MailCommandInjection
CWE:94 | SCALA | Avoid non-neutralized user-controlled input in dynamic code evaluation | OPT.SCALA.SECURITY.CodeInjection
CWE:943 | SCALA | Improper neutralization of special elements in data query logic (NoSQL injection) | OPT.SCALA.SECURITY.NoSQLInjection
CWE:95 | SCALA | Avoid non-neutralized user-controlled input in dynamic code evaluation | OPT.SCALA.SECURITY.CodeInjection
CWE:99 | SCALA | Improper control of resource identifiers (“Resource Injection”) | OPT.SCALA.SECURITY.ResourceInjection

SQL Script

Rule number | Language | Description | Rule
CWE:272 | SQLSCRIPT | Excessive privileges granted | OPT.HANA.SEC.ExcessivePrivilegesGranted
CWE:489 | SQLSCRIPT | Avoid TRACE in production code | OPT.HANA.EFFICIENCY.AvoidTraceInProduction
CWE:563 | SQLSCRIPT | Unused local variable | OPT.HANA.EFFICIENCY.UnusedVariable
CWE:676 | SQLSCRIPT | Call to unsafe or dangerous procedure / function | OPT.HANA.SEC.ForbiddenCall
CWE:89 | SQLSCRIPT | Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) | OPT.HANA.SEC.SqlInjection

Swift

Rule number | Language | Description | Rule
CWE:113 | SWIFT | Avoid including unvalidated data in HTTP response header or in Cookies | OPT.SWIFT.SECURITY.HeaderManipulation
CWE:117 | SWIFT | Improper Output Neutralization for Logs | OPT.SWIFT.SECURITY.LogForging
CWE:120 | SWIFT | Potential memory corruption | OPT.SWIFT.RELIABILITY.BufferOverflow
CWE:134 | SWIFT | Exclude unsanitized user input from format strings | OPT.SWIFT.SECURITY.StringFormatInjection
CWE:159 | SWIFT | Connection string polluted with untrusted input | OPT.SWIFT.SECURITY.ConnectionStringParameterPollution
CWE:176 | SWIFT | Potential memory corruption | OPT.SWIFT.RELIABILITY.PotentialEncodingBufferOverflow
CWE:185 | SWIFT | Prevent denial of service attack through malicious regular expression (‘Regex Injection’) | OPT.SWIFT.SECURITY.RegexInjection
CWE:200 | SWIFT | Do not write IP address in source code | OPT.SWIFT.SECURITY.HardcodedIp
CWE:200 | SWIFT | Generate server-side cookies with adequate security properties | OPT.SWIFT.SECURITY.UnsafeCookie
CWE:22 | SWIFT | Avoid non-neutralized user-controlled input composed in a pathname to a resource | OPT.SWIFT.SECURITY.PathTraversal
CWE:235 | SWIFT | HTTP parameter pollution (HPP) | OPT.SWIFT.SECURITY.HttpParameterPollutionRule
CWE:259 | SWIFT | Weak keys used for cryptographic purposes | OPT.SWIFT.SECURITY.WeakCryptographicKey
CWE:260 | SWIFT | Use of credentials in configuration file | OPT.SWIFT.SECURITY.PasswordInConfigurationFile
CWE:265 | SWIFT | Avoid performing SMS-related operations | OPT.SWIFT.SECURITY.AvoidSMS
CWE:295 | SWIFT | Evaluate server certificate trust chain | OPT.SWIFT.SECURITY.ServerTrustCredentialCheck
CWE:311 | SWIFT | Insecure transport | OPT.SWIFT.SECURITY.InsecureTransport
CWE:311 | SWIFT | Sensitive data stored into CoreData (‘Privacy Violation’) | OPT.SWIFT.SECURITY.SensitiveCoreData
CWE:311 | SWIFT | Sensitive data stored into a NoSQL database (‘Privacy Violation’) | OPT.SWIFT.SECURITY.SensitiveNoSQL
CWE:311 | SWIFT | Sensitive data stored into a SQL database (‘Privacy Violation’) | OPT.SWIFT.SECURITY.SensitiveSQL
CWE:311 | SWIFT | Sensitive data stored into UserDefaults (‘Privacy Violation’) | OPT.SWIFT.SECURITY.SensitiveUserDefaults
CWE:312 | SWIFT | Cleartext Storage of Sensitive Information in a Cookie | OPT.SWIFT.SECURITY.PlaintextStorageInACookieRule
CWE:313 | SWIFT | HTTP sensitive responses being cached | OPT.SWIFT.SECURITY.HTTPResponseCachingLeak
CWE:315 | SWIFT | Cleartext Storage of Sensitive Information in a Cookie | OPT.SWIFT.SECURITY.PlaintextStorageInACookieRule
CWE:320 | SWIFT | Weak keys used for cryptographic purposes | OPT.SWIFT.SECURITY.WeakCryptographicKey
CWE:320 | SWIFT | Empty or nil password used in key derivation | OPT.SWIFT.SECURITY.WeakKeyDerivationPassword
CWE:321 | SWIFT | Weak keys used for cryptographic purposes | OPT.SWIFT.SECURITY.WeakCryptographicKey
CWE:321 | SWIFT | Empty or nil password used in key derivation | OPT.SWIFT.SECURITY.WeakKeyDerivationPassword
CWE:326 | SWIFT | Insecure transport | OPT.SWIFT.SECURITY.InsecureTransport
CWE:327 | SWIFT | Weak symmetric encryption algorithm | OPT.SWIFT.SECURITY.WeakEncryption
CWE:327 | SWIFT | Do not use weak modes of operation with symmetric encryption | OPT.SWIFT.SECURITY.WeakSymmetricEncryptionModeOfOperation
CWE:328 | SWIFT | Weak cryptographic hashes cannot guarantee data integrity | OPT.SWIFT.SECURITY.WeakCryptographicHash
CWE:328 | SWIFT | Weak cryptographic salts cannot guarantee data integrity | OPT.SWIFT.SECURITY.WeakCryptographicHashSalt
CWE:329SWIFTWeak encryption initialization vectorOPT.SWIFT.SECURITY.WeakSymmetricEncryptionInitializationVector
CWE:345SWIFTAvoid using non-neutralized user-controlled input into JSON entities – JSON InjectionOPT.SWIFT.SECURITY.JSONInjection
CWE:359SWIFTSensitive data leaked through keyboard cacheOPT.SWIFT.SECURITY.KeyboardCachingLeak
CWE:359SWIFTSensitive data leaked through the pasteboard caching mechanismOPT.SWIFT.SECURITY.PasteboardCachingLeak
CWE:359SWIFTExposure of Private Information (‘Privacy Violation’)OPT.SWIFT.SECURITY.PrivacyViolation
CWE:359SWIFTSensitive data leaked through the screen caching mechanism when app is backgroundedOPT.SWIFT.SECURITY.ScreenCachingLeak
CWE:359SWIFTExposure of Private Information (‘Privacy Violation’)OPT.SWIFT.SECURITY.SensitiveDataAccessedFromItunes
CWE:377SWIFTCreating and using insecure temporary files can leave application and system data vulnerable to attack.OPT.SWIFT.SECURITY.InsecureTemporaryFile
CWE:390SWIFTAvoid use empty CATCH blocksOPT.SWIFT.RELIABILITY.AvoidEmptyCatchBlocks
CWE:426SWIFTDo not hardcode absolute pathsOPT.SWIFT.PORTABILITY.HardcodedAbsolutePath
CWE:470SWIFTUse of Externally-Controlled Input to Select Classes or Code (‘Unsafe Reflection’)OPT.SWIFT.SECURITY.UnsafeReflection
CWE:499SWIFTSerializable Class Containing Sensitive DataOPT.SWIFT.SECURITY.SerializableClassContainingSensitiveData
CWE:501SWIFTMissing Content ValidationOPT.SWIFT.SECURITY.MissingContentValidation
CWE:502SWIFTDeserialization of untrusted dataOPT.SWIFT.SECURITY.SerializationInjection
CWE:522SWIFTUser is asked for fingerprints without reasonOPT.SWIFT.SECURITY.BiometricWithoutMessage
CWE:522SWIFTAvoid exposing sensitive data to third party keyboards.OPT.SWIFT.SECURITY.ThirdPartyKeyboardAllowed
CWE:539SWIFTGenerate server-side cookies with adequate security propertiesOPT.SWIFT.SECURITY.UnsafeCookie
CWE:549SWIFTPassword input field is not maskedOPT.SWIFT.SECURITY.MissingPasswordFieldMasking
CWE:561SWIFTUnused function parameterOPT.SWIFT.MAINTAINABILITY.UnusedParameter
CWE:561SWIFTAvoid unused private methods and constructorsOPT.SWIFT.MAINTAINABILITY.UnusedPrivateFunction
CWE:561SWIFTAvoid unreachable codeOPT.SWIFT.RELIABILITY.UnreachableCode
CWE:563SWIFTBound local variable value is never usedOPT.SWIFT.MAINTAINABILITY.DeadStores
CWE:563SWIFTUnused local variableOPT.SWIFT.MAINTAINABILITY.UnusedLocalVar
CWE:566SWIFTAvoid using an user controlled Primary Key into a queryOPT.SWIFT.SECURITY.UserControlledSQLPrimaryKey
CWE:601SWIFTDo not allow to control the URL used in a redirect by an unvalidated inputOPT.SWIFT.SECURITY.OpenRedirect
CWE:606SWIFTUnchecked input in loop conditionOPT.SWIFT.SECURITY.UncheckedInputInLoopCondition
CWE:611SWIFTXML entity injectionOPT.SWIFT.SECURITY.XMLEntityInjection
CWE:614SWIFTGenerate server-side cookies with adequate security propertiesOPT.SWIFT.SECURITY.UnsafeCookie
CWE:615SWIFTStoring passwords or password details in plaintext anywhere in the system or system code can compromise system securityOPT.SWIFT.SECURITY.PasswordInCommentRule
CWE:643SWIFTAvoid XPath expressions formed with non neutralized user inputOPT.SWIFT.SECURITY.XpathInjection
CWE:698SWIFTExecution After Redirect (EAR)OPT.SWIFT.SECURITY.ExecutionAfterRedirect
CWE:759SWIFTWeak cryptographic salts cannot guarantee data integrityOPT.SWIFT.SECURITY.WeakCryptographicHashSalt
CWE:760SWIFTWeak cryptographic salts cannot guarantee data integrityOPT.SWIFT.SECURITY.WeakCryptographicHashSalt
CWE:77SWIFTImproper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)OPT.SWIFT.SECURITY.CommandInjection
CWE:776SWIFTXML entity injectionOPT.SWIFT.SECURITY.XMLEntityInjection
CWE:78SWIFTImproper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)OPT.SWIFT.SECURITY.CommandInjection
CWE:79SWIFTImproper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)OPT.SWIFT.SECURITY.CrossSiteScripting
CWE:798SWIFTUse of Hard-coded CredentialsOPT.SWIFT.SECURITY.HardcodedUsernamePassword
CWE:829SWIFTUser is asked for fingerprints without reasonOPT.SWIFT.SECURITY.BiometricWithoutMessage
CWE:829SWIFTAvoid exposing sensitive data to third party keyboards.OPT.SWIFT.SECURITY.ThirdPartyKeyboardAllowed
CWE:835SWIFTLoop with Unreachable Exit Condition (‘Infinite Loop’)OPT.SWIFT.SECURITY.PotentialInfiniteLoop
CWE:89SWIFTAvoid SQL code formed with non neutralized user input (vulnerable to SQL Injection attacks)OPT.SWIFT.SECURITY.SqlInjection
CWE:91SWIFTXML Injection (aka Blind XPath Injection)OPT.SWIFT.SECURITY.XMLInjection
CWE:911SWIFTDelegate protocols must be class-onlyOPT.SWIFT.RELIABILITY.UseWeakReferencesWithDelegateProtocols
CWE:916SWIFTToo weak iteration count on key derivationOPT.SWIFT.SECURITY.WeakKeyDerivationIteration
CWE:93SWIFTMail Command InjectionOPT.SWIFT.SECURITY.MailCommandInjection
CWE:939SWIFTURL scheme hijacking though user inputOPT.SWIFT.SECURITY.URLSchemeHijacking
CWE:94SWIFTAvoid non-neutralized user-controlled input in dynamic code evaluationOPT.SWIFT.SECURITY.CodeInjection
CWE:943SWIFTImproper neutralization of special elements in data query logic (NoSQL injection)OPT.SWIFT.SECURITY.NoSQLInjection
CWE:95SWIFTAvoid non-neutralized user-controlled input in dynamic code evaluationOPT.SWIFT.SECURITY.CodeInjection
CWE:99SWIFTImproper control of resource identifiers (“Resource Injection”)OPT.SWIFT.SECURITY.ResourceInjection


Transact-SQL

| Rule number | Language | Description | Rule |
|---|---|---|---|
| CWE:242 | TRANSACTSQL | Dangerous procedure / function called. | OPT.TRANSACTSQL.SEC.ForbiddenCall |
| CWE:266 | TRANSACTSQL | Too broad privileges granted. | OPT.TRANSACTSQL.SEC.TooBroadGrant |
| CWE:327 | TRANSACTSQL | Weak cryptographic hashes cannot guarantee data integrity | OPT.TRANSACTSQL.SEC.WeakCryptographicHash |
| CWE:327 | TRANSACTSQL | Weak symmetric encryption algorithm. | OPT.TRANSACTSQL.SEC.WeakSymmetricEncryptionAlgorithm |
| CWE:330 | TRANSACTSQL | Standard pseudo-random number generators cannot withstand cryptographic attacks. | OPT.TRANSACTSQL.SEC.InsecureRandomness |
| CWE:338 | TRANSACTSQL | Standard pseudo-random number generators cannot withstand cryptographic attacks. | OPT.TRANSACTSQL.SEC.InsecureRandomness |
| CWE:404 | TRANSACTSQL | Close/deallocate cursors and deallocate cursor variables in the same T-SQL scope where they are declared | OPT.TRANSACTSQL.CloseDeallocateCursors |
| CWE:563 | TRANSACTSQL | Looks for unused local variables and procedure/function parameters. | OPT.TRANSACTSQL.DeadVariableOrParameter |
| CWE:566 | TRANSACTSQL | Avoid using a user-controlled Primary Key in a query | OPT.TRANSACTSQL.SEC.UserControlledSQLPrimaryKey |
| CWE:615 | TRANSACTSQL | Avoid hardcoded or in-comment emails in source code | OPT.TRANSACTSQL.AvoidEmailHardcoded |
| CWE:730 | TRANSACTSQL | Denial of Service by externally controlled sleep time | OPT.TRANSACTSQL.SEC.SleepInjection |
| CWE:77 | TRANSACTSQL | Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) | OPT.TRANSACTSQL.SEC.CommandInjection |
| CWE:798 | TRANSACTSQL | Avoid hardcoded or in-comment emails in source code | OPT.TRANSACTSQL.AvoidEmailHardcoded |
| CWE:89 | TRANSACTSQL | Avoid dynamic SQL statements as much as possible | OPT.TRANSACTSQL.AvoidDynamicSql |
| CWE:89 | TRANSACTSQL | Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) | OPT.TRANSACTSQL.SEC.SqlInjection |


VB6

| Rule number | Language | Description | Rule |
|---|---|---|---|
| CWE:563 | VB6 | Avoid unused local variables | OPT.VB6.VBDC.VLSU |


VB.NET

| Rule number | Language | Description | Rule |
|---|---|---|---|
| CWE:390 | VBNET | Do not leave empty catch blocks | OPT.VBNET.VBnet.EmptyCatch |
| CWE:459 | VBNET | Dispose objects before losing scope | OPT.VBNET.VBnet.DisposeObjectsBeforeLosingScope |
| CWE:563 | VBNET | Unused local variable | OPT.VBNET.VBnet.RemoveUnusedLocals |