Commit
GITBOOK-7898: Snyk Code security rules: updates to all pages
Parent: 35b4f12
Commit: 16541a2
Showing 15 changed files with 780 additions and 4,419 deletions.
1,456 changes: 169 additions & 1,287 deletions
docs/scan-with-snyk/snyk-code/snyk-code-security-rules/README.md
Large diffs are not rendered by default.
166 changes: 29 additions & 137 deletions
docs/scan-with-snyk/snyk-code/snyk-code-security-rules/apex-rules.md
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,139 +1,31 @@ | ||
# Apex rules | ||
|
||
## Rule (1) Command Injection | ||
|
||
**CWE** (78) Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') | ||
|
||
**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A03:2021 - Injection | ||
|
||
**OWASP Top 10/SANS 25:** SANS/CWE Top 25 | ||
|
||
## Rule (2) Cross-site Scripting (XSS) | ||
|
||
**CWE** (79) Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | ||
|
||
**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A03:2021 - Injection | ||
|
||
**OWASP Top 10/SANS 25:** SANS/CWE Top 25 | ||
|
||
## Rule (3) SOQL Injection | ||
|
||
**CWE** (89) Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | ||
|
||
**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A03:2021 - Injection | ||
|
||
**OWASP Top 10/SANS 25:** SANS/CWE Top 25 | ||
|
||
## Rule (4) SOSL Injection | ||
|
||
**CWE** (89) Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | ||
|
||
**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A03:2021 - Injection | ||
|
||
**OWASP Top 10/SANS 25:** SANS/CWE Top 25 | ||
|
||
## Rule (5) Unsafe SOQL Concatenation | ||
|
||
**CWE** (89) Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | ||
|
||
**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A03:2021 - Injection | ||
|
||
**OWASP Top 10/SANS 25:** SANS/CWE Top 25 | ||
|
||
## Rule (6) Unsafe SOSL Concatenation | ||
|
||
**CWE** (89) Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | ||
|
||
**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A03:2021 - Injection | ||
|
||
**OWASP Top 10/SANS 25:** SANS/CWE Top 25 | ||
|
||
## Rule (7) XML Injection | ||
|
||
**CWE** (91) XML Injection (aka Blind XPath Injection) | ||
|
||
**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A03:2021 - Injection | ||
|
||
## Rule (8) Clear Text Sensitive Storage | ||
|
||
**CWE** (200, 312) Exposure of Sensitive Information to an Unauthorized Actor, Cleartext Storage of Sensitive Information | ||
|
||
**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A01:2021 - Broken Access Control | ||
|
||
**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A04:2021 - Insecure Design | ||
|
||
**OWASP Top 10/SANS 25:** SANS/CWE Top 25 | ||
|
||
## Rule (9) Use of Hardcoded Credentials | ||
|
||
**CWE** (259, 798) Use of Hard-coded Password, Use of Hard-coded Credentials | ||
|
||
**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A07:2021 - Identification and Authentication Failures | ||
|
||
**OWASP Top 10/SANS 25:** SANS/CWE Top 25 | ||
|
||
## Rule (10) Access Violation | ||
|
||
**CWE** (284, 285) Improper Access Control, Improper Authorization | ||
|
||
**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A01:2021 - Broken Access Control | ||
|
||
**Autofixable** by DeepCode AI Fix | ||
|
||
## Rule (11) Improper Access Control: Email Content Injection | ||
|
||
**CWE** (284) Improper Access Control | ||
|
||
**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A01:2021 - Broken Access Control | ||
|
||
## Rule (12) Insecure Data Transmission | ||
|
||
**CWE** (319) Cleartext Transmission of Sensitive Information | ||
|
||
**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A02:2021 - Cryptographic Failures | ||
|
||
## Rule (13) Regular expression injection | ||
|
||
**CWE** (400, 730) Uncontrolled Resource Consumption, OWASP Top Ten 2004 Category A9 - Denial of Service | ||
|
||
## Rule (14) Hardcoded Secret | ||
|
||
**CWE** (547) Use of Hard-coded, Security-relevant Constants | ||
|
||
**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A05:2021 - Security Misconfiguration | ||
|
||
## Rule (15) Open Redirect | ||
|
||
**CWE** (601) URL Redirection to Untrusted Site ('Open Redirect') | ||
|
||
**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A01:2021 - Broken Access Control | ||
|
||
## Rule (16) Sensitive Cookie in HTTPS Session Without 'Secure' Attribute | ||
|
||
**CWE** (614) Sensitive Cookie in HTTPS Session Without 'Secure' Attribute | ||
|
||
**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A05:2021 - Security Misconfiguration | ||
|
||
**Autofixable** by DeepCode AI Fix | ||
|
||
## Rule (17) Unverified Password Change | ||
|
||
**CWE** (620) Unverified Password Change | ||
|
||
**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A07:2021 - Identification and Authentication Failures | ||
|
||
## Rule (18) Use of Password Hash With Insufficient Computational Effort | ||
|
||
**CWE** (916) Use of Password Hash With Insufficient Computational Effort | ||
|
||
**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A02:2021 - Cryptographic Failures | ||
|
||
**Autofixable** by DeepCode AI Fix | ||
|
||
## Rule (19) Server-Side Request Forgery (SSRF) | ||
|
||
**CWE** (918) Server-Side Request Forgery (SSRF) | ||
|
||
**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A10:2021 - Server-Side Request Forgery (SSRF) | ||
|
||
**OWASP Top 10/SANS 25:** SANS/CWE Top 25 | ||
Each rule includes the following information. | ||
|
||
* **Rule Name**: Consecutive number for each rule and the Snyk name of the rule. | ||
* **CWE(s):** The [CWE numbers](https://cwe.mitre.org/) that are covered by this rule. | ||
* **Security Categories**: The [OWASP Top 10 ](https://owasp.org/Top10/)(2021 edition) category to which the rule belongs to, if any, and if it is included in [SANS 25](https://www.sans.org/top25-software-errors/). | ||
* **Autofixable**: Security rules that are autofixable by DeepCode AI Fix. This information is included only for the supported programming languages. | ||
|
||
| Rule Name | CWE(s) | Security Categories | Autofixable | | ||
| ------------------------------------------------------------ | ---------------- | ---------------------- | ----------- | | ||
| Access Violation | CWE-284, CWE-285 | OWASP:A01 | Yes | | ||
| Clear Text Sensitive Storage | CWE-200, CWE-312 | OWASP:A01, OWASP:A04 | No | | ||
| Command Injection | CWE-78 | Sans Top 25, OWASP:A03 | No | | ||
| Improper Access Control: Email Content Injection | CWE-284 | OWASP:A01 | No | | ||
| Use of Hardcoded Credentials | CWE-798, CWE-259 | Sans Top 25, OWASP:A07 | No | | ||
| Use of Hardcoded Passwords | CWE-798, CWE-259 | Sans Top 25, OWASP:A07 | No | | ||
| Hardcoded Secret | CWE-547 | OWASP:A05 | No | | ||
| Use of Password Hash With Insufficient Computational Effort | CWE-916 | OWASP:A02 | Yes | | ||
| Insecure Data Transmission | CWE-319 | OWASP:A02 | No | | ||
| Open Redirect | CWE-601 | OWASP:A01 | No | | ||
| Cross-site Scripting (XSS) | CWE-79 | Sans Top 25, OWASP:A03 | No | | ||
| Regular expression injection | CWE-400, CWE-730 | None | No | | ||
| SOQL Injection | CWE-89 | Sans Top 25, OWASP:A03 | No | | ||
| SOSL Injection | CWE-89 | Sans Top 25, OWASP:A03 | No | | ||
| Server-Side Request Forgery (SSRF) | CWE-918 | Sans Top 25, OWASP:A10 | No | | ||
| Unverified Password Change | CWE-620 | OWASP:A07 | No | | ||
| Unsafe SOQL Concatenation | CWE-89 | Sans Top 25, OWASP:A03 | No | | ||
| Unsafe SOSL Concatenation | CWE-89 | Sans Top 25, OWASP:A03 | No | | ||
| Sensitive Cookie in HTTPS Session Without 'Secure' Attribute | CWE-614 | OWASP:A05 | Yes | | ||
| XML Injection | CWE-91 | OWASP:A03 | No | |
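Review bot: the `**Rule Name**` bullet still says each rule gets a "Consecutive number", but the new table has no number column, so that sentence no longer matches what follows; either drop the numbering wording or add the column. Two table entries also differ from the per-rule text this hunk removes and should be checked against the rule source: `Use of Hardcoded Passwords` (CWE-798, CWE-259) appears as a row with exactly the same CWEs and categories as `Use of Hardcoded Credentials`, although only the latter existed as a rule before, and `Clear Text Sensitive Storage` loses its `SANS/CWE Top 25` listing (now `OWASP:A01, OWASP:A04` only). Minor wording: "category to which the rule belongs to" has a doubled "to", and the table writes `Sans Top 25` where the bullet says `SANS 25`; pick one spelling.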
214 changes: 40 additions & 174 deletions
docs/scan-with-snyk/snyk-code/snyk-code-security-rules/c++-rules.md
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,177 +1,43 @@ | ||
# C++ rules | ||
|
||
## Rule (1) Path Traversal | ||
Each rule includes the following information. | ||
|
||
* **Rule Name**: Consecutive number for each rule and the Snyk name of the rule. | ||
* **CWE(s):** The [CWE numbers](https://cwe.mitre.org/) that are covered by this rule. | ||
* **Security Categories**: The [OWASP Top 10 ](https://owasp.org/Top10/)(2021 edition) category to which the rule belongs to, if any, and if it is included in [SANS 25](https://www.sans.org/top25-software-errors/). | ||
* **Autofixable**: Security rules that are autofixable by DeepCode AI Fix. This information is included only for the supported programming languages. | ||
|
||
| Rule Name | CWE(s) | Security Categories | Autofixable | | ||
| ------------------------------------------------------------------------ | ---------------- | ---------------------- | ----------- | | ||
| Memory Allocation Of String Length | CWE-170 | None | Yes | | ||
| Insecure Anonymous LDAP Binding | CWE-287 | Sans Top 25, OWASP:A07 | No | | ||
| Buffer Overflow | CWE-122 | None | Yes | | ||
| Division By Zero | CWE-369 | None | No | | ||
| Missing Release of File Descriptor or Handle after Effective Lifetime | CWE-775 | None | Yes | | ||
| Command Injection | CWE-78 | Sans Top 25, OWASP:A03 | No | | ||
| Dereference of a NULL Pointer | CWE-476 | Sans Top 25 | No | | ||
| Double Free | CWE-415 | None | Yes | | ||
| Use of Externally-Controlled Format String | CWE-134 | None | Yes | | ||
| Use of Hardcoded Cryptographic Key | CWE-321 | OWASP:A02 | No | | ||
| Improper Null Termination | CWE-170 | None | No | | ||
| Use of Password Hash With Insufficient Computational Effort | CWE-916 | OWASP:A02 | Yes | | ||
| Integer Overflow | CWE-190 | Sans Top 25 | No | | ||
| LDAP Injection | CWE-90 | OWASP:A03 | No | | ||
| Missing Release of Memory after Effective Lifetime | CWE-401 | None | Yes | | ||
| An optimizing compiler may remove memset non-zero leaving data in memory | CWE-1330 | None | No | | ||
| Potential Negative Number Used as Index | CWE-125, CWE-787 | Sans Top 25 | No | | ||
| Path Traversal | CWE-23 | OWASP:A01 | No | | ||
| Exposure of Private Personal Information to an Unauthorized Actor | CWE-359 | OWASP:A01 | No | | ||
| Size Used as Index | CWE-125, CWE-787 | Sans Top 25 | Yes | | ||
| SQL Injection | CWE-89 | Sans Top 25, OWASP:A03 | No | | ||
| Server-Side Request Forgery (SSRF) | CWE-918 | Sans Top 25, OWASP:A10 | No | | ||
| Inadequate Encryption Strength | CWE-326 | OWASP:A02 | Yes | | ||
| Potential buffer overflow from usage of unsafe function | CWE-122 | None | Yes | | ||
| Use of Expired File Descriptor | CWE-910 | None | No | | ||
| Use After Free | CWE-416 | Sans Top 25 | No | | ||
| User Controlled Pointer | CWE-1285 | None | No | | ||
| Authentication Bypass by Spoofing | CWE-290 | OWASP:A07 | No | | ||
| Cross-site Scripting (XSS) | CWE-79 | Sans Top 25, OWASP:A03 | No | | ||
| XML External Entity (XXE) Injection | CWE-611 | OWASP:A05 | No | | ||
| XPath Injection | CWE-643 | OWASP:A03 | No | | ||
|
||
**CWE** (23) Relative Path Traversal | ||
|
||
**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A01:2021 - Broken Access Control | ||
|
||
## Rule (2) Command Injection | ||
|
||
**CWE** (78) Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') | ||
|
||
**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A03:2021 - Injection | ||
|
||
**OWASP Top 10/SANS 25:** SANS/CWE Top 25 | ||
|
||
## Rule (3) SQL Injection | ||
|
||
**CWE** (89) Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | ||
|
||
**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A03:2021 - Injection | ||
|
||
**OWASP Top 10/SANS 25:** SANS/CWE Top 25 | ||
|
||
## Rule (4) LDAP Injection | ||
|
||
**CWE** (90) Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection') | ||
|
||
**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A03:2021 - Injection | ||
|
||
## Rule (5) Buffer Overflow | ||
|
||
**CWE** (122) Heap-based Buffer Overflow | ||
|
||
**Autofixable** by DeepCode AI Fix | ||
|
||
## Rule (6) Potential buffer overflow from usage of unsafe function | ||
|
||
**CWE** (122) Heap-based Buffer Overflow | ||
|
||
**Autofixable** by DeepCode AI Fix | ||
|
||
## Rule (7) Potential Negative Number Used as Index | ||
|
||
**CWE** (125, 787) Out-of-bounds Read, Out-of-bounds Write | ||
|
||
**OWASP Top 10/SANS 25:** SANS/CWE Top 25 | ||
|
||
**Autofixable** by DeepCode AI Fix | ||
|
||
## Rule (8) Size Used as Index | ||
|
||
**CWE** (125, 787) Out-of-bounds Read, Out-of-bounds Write | ||
|
||
**OWASP Top 10/SANS 25:** SANS/CWE Top 25 | ||
|
||
**Autofixable** by DeepCode AI Fix | ||
|
||
## Rule (9) Use of Externally-Controlled Format String | ||
|
||
**CWE** (134) Use of Externally-Controlled Format String | ||
|
||
**Autofixable** by DeepCode AI Fix | ||
|
||
## Rule (10) Memory Allocation Of String Length | ||
|
||
**CWE** (170) Improper Null Termination | ||
|
||
**Autofixable** by DeepCode AI Fix | ||
|
||
## Rule (11) Improper Null Termination | ||
|
||
**CWE** (170) Improper Null Termination | ||
|
||
**Autofixable** by DeepCode AI Fix | ||
|
||
## Rule (12) Integer Overflow | ||
|
||
**CWE** (190) Integer Overflow or Wraparound | ||
|
||
**OWASP Top 10/SANS 25:** SANS/CWE Top 25 | ||
|
||
## Rule (13) Anonymous LDAP binding allows a client to connect without logging in | ||
|
||
**CWE** (287) Improper Authentication | ||
|
||
**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A07:2021 - Identification and Authentication Failures | ||
|
||
**OWASP Top 10/SANS 25:** SANS/CWE Top 25 | ||
|
||
## Rule (14) Use of Hardcoded Cryptographic Key | ||
|
||
**CWE** (321) Use of Hard-coded Cryptographic Key | ||
|
||
**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A02:2021 - Cryptographic Failures | ||
|
||
**Autofixable** by DeepCode AI Fix | ||
|
||
## Rule (15) Inadequate Encryption Strength | ||
|
||
**CWE** (326) Inadequate Encryption Strength | ||
|
||
**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A02:2021 - Cryptographic Failures | ||
|
||
**Autofixable** by DeepCode AI Fix | ||
|
||
## Rule (16) Division By Zero | ||
|
||
**CWE** (369) Divide By Zero | ||
|
||
**Autofixable** by DeepCode AI Fix | ||
|
||
## Rule (17) Missing Release of Memory after Effective Lifetime | ||
|
||
**CWE** (401) Missing Release of Memory after Effective Lifetime | ||
|
||
**Autofixable** by DeepCode AI Fix | ||
|
||
## Rule (18) Double Free | ||
|
||
**CWE** (415) Double Free | ||
|
||
## Rule (19) Use After Free | ||
|
||
**CWE** (416) Use After Free | ||
|
||
**OWASP Top 10/SANS 25:** SANS/CWE Top 25 | ||
|
||
## Rule (20) Dereference of a NULL Pointer | ||
|
||
**CWE** (476) NULL Pointer Dereference | ||
|
||
**OWASP Top 10/SANS 25:** SANS/CWE Top 25 | ||
|
||
## Rule (21) XML External Entity (XXE) Injection | ||
|
||
**CWE** (611) Improper Restriction of XML External Entity Reference | ||
|
||
**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A05:2021 - Security Misconfiguration | ||
|
||
**OWASP Top 10/SANS 25:** SANS/CWE Top 25 | ||
|
||
## Rule (22) XPath Injection | ||
|
||
**CWE** (643) Improper Neutralization of Data within XPath Expressions ('XPath Injection') | ||
|
||
**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A03:2021 - Injection | ||
|
||
## Rule (23) Missing Release of File Descriptor or Handle after Effective Lifetime | ||
|
||
**CWE** (775) Missing Release of File Descriptor or Handle after Effective Lifetime | ||
|
||
## Rule (24) Use of Expired File Descriptor | ||
|
||
**CWE** (910) Use of Expired File Descriptor | ||
|
||
## Rule (25) Use of Password Hash With Insufficient Computational Effort | ||
|
||
**CWE** (916) Use of Password Hash With Insufficient Computational Effort | ||
|
||
**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A02:2021 - Cryptographic Failures | ||
|
||
## Rule (26) Server-Side Request Forgery (SSRF) | ||
|
||
**CWE** (918) Server-Side Request Forgery (SSRF) | ||
|
||
**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A10:2021 - Server-Side Request Forgery (SSRF) | ||
|
||
**OWASP Top 10/SANS 25:** SANS/CWE Top 25 | ||
|
||
## Rule (27) User Controlled Pointer | ||
|
||
**CWE** (1285) Improper Validation of Specified Index, Position, or Offset in Input | ||
|
||
## Rule (28) An optimizing compiler may remove memset non-zero leaving data in memory | ||
|
||
**CWE** (1330) Remanent Data Readable after Memory Erase |
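Review bot: several `Autofixable` values in the new table contradict the per-rule text this hunk removes, in both directions, and the commit message does not say the flags were re-verified: `Potential Negative Number Used as Index`, `Improper Null Termination`, `Use of Hardcoded Cryptographic Key` and `Division By Zero` were marked "Autofixable by DeepCode AI Fix" and are now `No`, while `Double Free`, `Missing Release of File Descriptor or Handle after Effective Lifetime` and `Use of Password Hash With Insufficient Computational Effort` were not marked and are now `Yes`. `XML External Entity (XXE) Injection` also drops its `SANS/CWE Top 25` listing (now `OWASP:A05` only), and rule 13 is renamed from "Anonymous LDAP binding allows a client to connect without logging in" to `Insecure Anonymous LDAP Binding`; please confirm each change against the rule definitions. In the bullet list, "Consecutive number for each rule" no longer matches a table without a number column, and "to which the rule belongs to" has a doubled "to".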