From 16541a25d73e63e59c9211ca966acac3aad5adb7 Mon Sep 17 00:00:00 2001 From: Ann Wiley Date: Mon, 16 Sep 2024 19:27:29 +0000 Subject: [PATCH] GITBOOK-7898: Snyk Code security rules: updates to all pages --- .../snyk-code-security-rules/README.md | 1456 ++--------------- .../snyk-code-security-rules/apex-rules.md | 166 +- .../snyk-code-security-rules/c++-rules.md | 214 +-- .../c-and-asp.net-rules.md | 249 +-- .../snyk-code-security-rules/go-rules.md | 172 +- .../snyk-code-security-rules/java-rules.md | 510 +----- .../javascript-and-typescript-rules.md | 449 +---- .../snyk-code-security-rules/kotlin-rules.md | 435 +---- .../snyk-code-security-rules/php-rules.md | 228 +-- .../snyk-code-security-rules/python-rules.md | 348 +--- .../snyk-code-security-rules/ruby-rules.md | 234 +-- .../snyk-code-security-rules/scala-rules.md | 344 +--- .../snyk-code-security-rules/swift-rules.md | 176 +- .../visual-basic-rules.md | 172 +- .../snyk-code-security-rules/xml-rules.md | 46 +- 15 files changed, 780 insertions(+), 4419 deletions(-) diff --git a/docs/scan-with-snyk/snyk-code/snyk-code-security-rules/README.md b/docs/scan-with-snyk/snyk-code/snyk-code-security-rules/README.md index 0d6aaca5e354..bea64b9c5a42 100644 --- a/docs/scan-with-snyk/snyk-code/snyk-code-security-rules/README.md +++ b/docs/scan-with-snyk/snyk-code/snyk-code-security-rules/README.md 
@@ -8,1294 +8,176 @@ Snyk Code rules are updated continuously. The list expands continually, and the If you have followed a link for code quality from an IDE, see the [language documentation for that information](../../../supported-languages-package-managers-and-frameworks/technical-specifications.md#code-quality). {% endhint %} -This page lists the security rules used by Snyk Code when scanning your source code for vulnerabilities. +This page lists all security rules used by Snyk Code when scanning your source code for vulnerabilities. Each rule includes the following information. -* **Number and Rule Name**: Consecutive number for each rule and the Snyk name of the rule. +* **Rule Name**: Consecutive number for each rule and the Snyk name of the rule. +* **Languages**: The programming languages to which this specific rule applies. Note that there might be two rules with the same name that apply to different languages. * **CWE(s):** The [CWE numbers](https://cwe.mitre.org/) that are covered by this rule. -* **OWASP Top 10/SANS 25**: The [OWASP Top 10 ](https://owasp.org/Top10/)(2021 edition) category to which the rule belongs to, if any, and if it is included in [SANS 25](https://www.sans.org/top25-software-errors/). -* **Supported Languages**: The programming languages to which this specific rule applies. Note that there might be two rules with the same name that apply to different languages. -* **Autofixable**: Security rules that are autofixable by DeepCode AI Fix. This information is included only for the supported programming languages. 
- -## Rule (1) External Control of System or Configuration Setting - -**CWE** (15) External Control of System or Configuration Setting - -**Supported languages:** Java, Kotlin, Scala - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A05:2021 - Security Misconfiguration - -## Rule (2) Configuration Issue: Electron Disable Security Warnings - -**CWE** (16) Configuration - -**Supported languages:** JavaScript and TypeScript - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A05:2021 - Security Misconfiguration - -## Rule (3) Configuration Issues: Electron Insecure Web Preferences - -**CWE** (16) Configuration - -**Supported languages:** JavaScript and TypeScript - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A05:2021 - Security Misconfiguration - -## Rule (4) Configuration Issues: Electron Load Insecure Content - -**CWE** (16) Configuration - -**Supported languages:** JavaScript and TypeScript - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A05:2021 - Security Misconfiguration - -## Rule (5) Insufficient postMessage Validation - -**CWE** (20) Improper Input Validation - -**Supported languages:** JavaScript and TypeScript - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A03:2021 - Injection - -**OWASP Top 10/SANS 25:** SANS/CWE Top 25 - -## Rule (6) Improper Input Validation - -**CWE** (20) Improper Input Validation - -**Supported languages:** Ruby - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A03:2021 - Injection - -**OWASP Top 10/SANS 25:** SANS/CWE Top 25 - -## Rule (7) Incomplete URL sanitization - -**CWE** (20) Improper Input Validation - -**Supported languages:** Python - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A03:2021 - Injection - -**OWASP Top 10/SANS 25:** SANS/CWE Top 25 - -## Rule (8) Arbitrary File Write via Archive Extraction (Tar Slip) - -**CWE** (22) Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') - -**Supported languages:** Python - -**OWASP Top 10/SANS 
25:** OWASP Top Ten 2021 Category A01:2021 - Broken Access Control - -**OWASP Top 10/SANS 25:** SANS/CWE Top 25 - -## Rule (9) Arbitrary File Write via Archive Extraction (Zip Slip) - -**CWE** (22) Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') - -**Supported languages:** C# and ASP.NET, JavaScript and TypeScript, PHP - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A01:2021 - Broken Access Control - -**OWASP Top 10/SANS 25:** SANS/CWE Top 25 - -## Rule (10) Path Traversal - -**CWE** (23) Relative Path Traversal - -**Supported languages:** C++ (Beta), C# and ASP.NET, Go, Java, JavaScript and TypeScript, Kotlin, PHP, Python, Ruby, Scala, Swift, Visual Basic - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A01:2021 - Broken Access Control - -## Rule (11) Java Naming and Directory Interface (JNDI) Injection - -**CWE** (74) Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') - -**Supported languages:** Java, Kotlin, Scala - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A03:2021 - Injection - -## Rule (12) Command Injection - -**CWE** (78) Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') - -**Supported languages:** Apex, C++ (Beta), C# and ASP.NET, Go, Java, JavaScript and TypeScript, Kotlin, PHP, Python, Ruby, Scala, Swift, Visual Basic - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A03:2021 - Injection - -**OWASP Top 10/SANS 25:** SANS/CWE Top 25 - -## Rule (13) Indirect Command Injection via User Controlled Environment - -**CWE** (78) Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') - -**Supported languages:** Java, Kotlin, Scala - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A03:2021 - Injection - -**OWASP Top 10/SANS 25:** SANS/CWE Top 25 - -## Rule (14) Disabling Strict Contextual escaping (SCE) could provide additional attack surface for Cross-site Scripting 
(XSS) - -**CWE** (79) Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - -**Supported languages:** JavaScript and TypeScript - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A03:2021 - Injection - -**OWASP Top 10/SANS 25:** SANS/CWE Top 25 - -## Rule (15) Cross-site Scripting (XSS) - -**CWE** (79) Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - -**Supported languages:** Apex, C# and ASP.NET, Go, Java, JavaScript and TypeScript, Kotlin, PHP, Python, Ruby, Scala, Swift, Visual Basic - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A03:2021 - Injection - -**OWASP Top 10/SANS 25:** SANS/CWE Top 25 - -## Rule (16) JavaScript Enabled - -**CWE** (79) Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - -**Supported languages:** Java, Kotlin - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A03:2021 - Injection - -**OWASP Top 10/SANS 25:** SANS/CWE Top 25 - -## Rule (17) Jinja auto-escape is set to false. 
- -**CWE** (79) Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - -**Supported languages:** Python - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A03:2021 - Injection - -**OWASP Top 10/SANS 25:** SANS/CWE Top 25 - -## Rule (18) Use dangerouslySetInnerHTML to be explicit that this function is dangerous and also trigger react updates - -**CWE** (79) Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - -**Supported languages:** JavaScript and TypeScript - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A03:2021 - Injection - -**OWASP Top 10/SANS 25:** SANS/CWE Top 25 - -## Rule (19) Unauthorized File Access - -**CWE** (79) Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - -**Supported languages:** Java, Kotlin - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A03:2021 - Injection - -**OWASP Top 10/SANS 25:** SANS/CWE Top 25 - -## Rule (20) GraphQL Injection - -**CWE** (89) Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') - -**Supported languages:** JavaScript and TypeScript - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A03:2021 - Injection - -**OWASP Top 10/SANS 25:** SANS/CWE Top 25 - -## Rule (21) SOQL Injection - -**CWE** (89) Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') - -**Supported languages:** Apex - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A03:2021 - Injection - -**OWASP Top 10/SANS 25:** SANS/CWE Top 25 - -## Rule (22) SOSL Injection - -**CWE** (89) Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') - -**Supported languages:** Apex - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A03:2021 - Injection - -**OWASP Top 10/SANS 25:** SANS/CWE Top 25 - -## Rule (23) SQL Injection - -**CWE** (89) Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') - -**Supported 
languages:** C++ (Beta), C# and ASP.NET, Go, Java, JavaScript and TypeScript, Kotlin, PHP, Python, Ruby, Scala, Swift, Visual Basic - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A03:2021 - Injection - -**OWASP Top 10/SANS 25:** SANS/CWE Top 25 - -## Rule (24) Unsafe SOQL Concatenation - -**CWE** (89) Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') - -**Supported languages:** Apex - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A03:2021 - Injection - -**OWASP Top 10/SANS 25:** SANS/CWE Top 25 - -## Rule (25) Unsafe SOSL Concatenation - -**CWE** (89) Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') - -**Supported languages:** Apex - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A03:2021 - Injection - -**OWASP Top 10/SANS 25:** SANS/CWE Top 25 - -## Rule (26) LDAP Injection - -**CWE** (90) Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection') - -**Supported languages:** C++ (Beta), C# and ASP.NET, Java, Kotlin, Scala - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A03:2021 - Injection - -## Rule (27) XML Injection - -**CWE** (91) XML Injection (aka Blind XPath Injection) - -**Supported languages:** Apex, C# and ASP.NET, Visual Basic - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A03:2021 - Injection - -## Rule (28) Code Injection - -**CWE** (94) Improper Control of Generation of Code ('Code Injection') - -**Supported languages:** C# and ASP.NET, Java, JavaScript and TypeScript, Kotlin, PHP, Python, Ruby, Scala, Swift, Visual Basic - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A03:2021 - Injection - -## Rule (29) Remote Code Execution via Endpoint - -**CWE** (94) Improper Control of Generation of Code ('Code Injection') - -**Supported languages:** Ruby - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A03:2021 - Injection - -## Rule (30) Code Execution via Third Party Package Context - -**CWE** (94) 
Improper Control of Generation of Code ('Code Injection') - -**Supported languages:** Java, Kotlin - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A03:2021 - Injection - -## Rule (31) Improper Neutralization of Directives in Statically Saved Code - -**CWE** (96) Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection') - -**Supported languages:** JavaScript and TypeScript, Python, Ruby - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A03:2021 - Injection - -## Rule (32) File Inclusion - -**CWE** (98) Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') - -**Supported languages:** PHP - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A03:2021 - Injection - -## Rule (33) Improper Neutralization of CRLF Sequences in HTTP Headers - -**CWE** (113) Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') - -**Supported languages:** Java, Kotlin, Scala - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A03:2021 - Injection - -## Rule (34) Disabled Neutralization of CRLF Sequences in HTTP Headers - -**CWE** (113) Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') - -**Supported languages:** Java, Kotlin, Scala - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A03:2021 - Injection - -## Rule (35) Process Control - -**CWE** (114) Process Control - -**Supported languages:** Java, Kotlin, Scala - -## Rule (36) Log Forging - -**CWE** (117) Improper Output Neutralization for Logs - -**Supported languages:** C# and ASP.NET - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A09:2021 - Security Logging and Monitoring Failures - -## Rule (37) Buffer Overflow - -**CWE** (122) Heap-based Buffer Overflow - -**Supported languages:** C++ (Beta) - -## Rule (38) Potential buffer overflow from usage of unsafe function - -**CWE** (122) Heap-based Buffer Overflow - -**Supported languages:** 
C++ (Beta) - -## Rule (39) Potential Negative Number Used as Index - -**CWE** (125, 787) Out-of-bounds Read, Out-of-bounds Write - -**Supported languages:** C++ (Beta) - -**OWASP Top 10/SANS 25:** SANS/CWE Top 25 - -## Rule (40) Size Used as Index - -**CWE** (125, 787) Out-of-bounds Read, Out-of-bounds Write - -**Supported languages:** C++ (Beta) - -**OWASP Top 10/SANS 25:** SANS/CWE Top 25 - -## Rule (41) Buffer Over-read - -**CWE** (126) Buffer Over-read - -**Supported languages:** JavaScript and TypeScript - -## Rule (42) Use of Externally-Controlled Format String - -**CWE** (134) Use of Externally-Controlled Format String - -**Supported languages:** C++ (Beta), Java, JavaScript and TypeScript, Kotlin, Scala - -## Rule (43) Memory Allocation Of String Length - -**CWE** (170) Improper Null Termination - -**Supported languages:** C++ (Beta) - -## Rule (44) Improper Null Termination - -**CWE** (170) Improper Null Termination - -**Supported languages:** C++ (Beta) - -## Rule (45) Integer Overflow - -**CWE** (190) Integer Overflow or Wraparound - -**Supported languages:** C++ (Beta) - -**OWASP Top 10/SANS 25:** SANS/CWE Top 25 - -## Rule (46) Clear Text Logging - -**CWE** (200, 312) Exposure of Sensitive Information to an Unauthorized Actor, Cleartext Storage of Sensitive Information - -**Supported languages:** Go, Swift - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A01:2021 - Broken Access Control - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A04:2021 - Insecure Design - -**OWASP Top 10/SANS 25:** SANS/CWE Top 25 - -## Rule (47) Clear Text Sensitive Storage - -**CWE** (200, 312) Exposure of Sensitive Information to an Unauthorized Actor, Cleartext Storage of Sensitive Information - -**Supported languages:** Apex, JavaScript and TypeScript - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A01:2021 - Broken Access Control - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A04:2021 - Insecure Design - -**OWASP Top 10/SANS 25:** 
SANS/CWE Top 25 - -## Rule (48) Information Exposure - -**CWE** (200) Exposure of Sensitive Information to an Unauthorized Actor - -**Supported languages:** C# and ASP.NET, Java, JavaScript and TypeScript, Kotlin, PHP, Ruby, Scala, Swift - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A01:2021 - Broken Access Control - -**OWASP Top 10/SANS 25:** SANS/CWE Top 25 - -## Rule (49) File Access Enabled - -**CWE** (200) Exposure of Sensitive Information to an Unauthorized Actor - -**Supported languages:** Java, Kotlin - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A01:2021 - Broken Access Control - -**OWASP Top 10/SANS 25:** SANS/CWE Top 25 - -## Rule (50) Introspection Enabled - -**CWE** (200) Exposure of Sensitive Information to an Unauthorized Actor - -**Supported languages:** JavaScript and TypeScript - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A01:2021 - Broken Access Control - -**OWASP Top 10/SANS 25:** SANS/CWE Top 25 - -## Rule (51) Observable Timing Discrepancy (Timing Attack) - -**CWE** (208) Observable Timing Discrepancy - -**Supported languages:** Java, JavaScript and TypeScript, Kotlin, Scala - -## Rule (52) Generation of Error Message Containing Sensitive Information - -**CWE** (209) Generation of Error Message Containing Sensitive Information - -**Supported languages:** Go - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A04:2021 - Insecure Design - -## Rule (53) Server Information Exposure - -**CWE** (209) Generation of Error Message Containing Sensitive Information - -**Supported languages:** Java, Kotlin, Python, Scala - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A04:2021 - Insecure Design - -## Rule (54) Debug Features Enabled - -**CWE** (215) Insertion of Sensitive Information Into Debugging Code - -**Supported languages:** C# and ASP.NET, Visual Basic, XML - -## Rule (55) Unprotected Storage of Credentials - -**CWE** (256) Plaintext Storage of a Password - -**Supported languages:** Java, Kotlin, 
Scala - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A04:2021 - Insecure Design - -## Rule (56) Use of Hardcoded Credentials - -**CWE** (259, 798) Use of Hard-coded Password, Use of Hard-coded Credentials - -**Supported languages:** Apex, C# and ASP.NET, Go, Java, JavaScript and TypeScript, Kotlin, PHP, Python, Ruby, Scala, Swift, Visual Basic, XML - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A07:2021 - Identification and Authentication Failures - -**OWASP Top 10/SANS 25:** SANS/CWE Top 25 - -## Rule (57) Use of Sticky broadcasts - -**CWE** (265) Privilege Issues - -**Supported languages:** Java, Kotlin - -## Rule (58) Android Uri Permission Manipulation - -**CWE** (266) Incorrect Privilege Assignment - -**Supported languages:** Java, Kotlin - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A04:2021 - Insecure Design - -## Rule (59) Improper Handling of Insufficient Permissions or Privileges - -**CWE** (280) Improper Handling of Insufficient Permissions or Privileges - -**Supported languages:** Java, Kotlin, Python - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A04:2021 - Insecure Design - -## Rule (60) Access Violation - -**CWE** (284, 285) Improper Access Control, Improper Authorization - -**Supported languages:** Apex - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A01:2021 - Broken Access Control - -## Rule (61) Binding to all network interfaces may open service to unintended traffic - -**CWE** (284) Improper Access Control - -**Supported languages:** Python - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A01:2021 - Broken Access Control - -## Rule (62) Improper Access Control: Email Content Injection - -**CWE** (284) Improper Access Control - -**Supported languages:** Apex, Go - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A01:2021 - Broken Access Control - -## Rule (63) Session Manipulation - -**CWE** (285) Improper Authorization - -**Supported languages:** Ruby - -**OWASP Top 10/SANS 25:** 
OWASP Top Ten 2021 Category A01:2021 - Broken Access Control - -## Rule (64) Anonymous LDAP binding allows a client to connect without logging in - -**CWE** (287) Improper Authentication - -**Supported languages:** C++ (Beta) - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A07:2021 - Identification and Authentication Failures - -**OWASP Top 10/SANS 25:** SANS/CWE Top 25 - -## Rule (65) Broken User Authentication - -**CWE** (287) Improper Authentication - -**Supported languages:** Python - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A07:2021 - Identification and Authentication Failures - -**OWASP Top 10/SANS 25:** SANS/CWE Top 25 - -## Rule (66) Device Authentication Bypass - -**CWE** (287) Improper Authentication - -**Supported languages:** Swift - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A07:2021 - Identification and Authentication Failures - -**OWASP Top 10/SANS 25:** SANS/CWE Top 25 - -## Rule (67) Improper Authentication - -**CWE** (287) Improper Authentication - -**Supported languages:** Java, Kotlin, Scala - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A07:2021 - Identification and Authentication Failures - -**OWASP Top 10/SANS 25:** SANS/CWE Top 25 - -## Rule (68) Improper Certificate Validation - -**CWE** (295) Improper Certificate Validation - -**Supported languages:** Go, Java, Kotlin, Python, Ruby, Scala, Swift - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A07:2021 - Identification and Authentication Failures - -## Rule (69) Improper Validation of Certificate with Host Mismatch - -**CWE** (297) Improper Validation of Certificate with Host Mismatch - -**Supported languages:** Java, Kotlin, Scala - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A07:2021 - Identification and Authentication Failures - -## Rule (70) Cryptographic Issues - -**CWE** (310) Cryptographic Issues - -**Supported languages:** Java, JavaScript and TypeScript, Kotlin, Python, Scala - -**OWASP Top 10/SANS 25:** OWASP Top Ten 
2021 Category A02:2021 - Cryptographic Failures - -## Rule (71) Selection of Less-Secure Algorithm During Negotiation (Force SSL) - -**CWE** (311, 757) Missing Encryption of Sensitive Data, Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade') - -**Supported languages:** Ruby - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A04:2021 - Insecure Design - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A02:2021 - Cryptographic Failures - -## Rule (72) The cipher text is equal to the provided input plain text - -**CWE** (311) Missing Encryption of Sensitive Data - -**Supported languages:** Java, Kotlin, Scala - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A04:2021 - Insecure Design - -## Rule (73) Cleartext Storage of Sensitive Information in a Cookie - -**CWE** (315) Cleartext Storage of Sensitive Information in a Cookie - -**Supported languages:** C# and ASP.NET, Java, Kotlin, Scala - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A05:2021 - Security Misconfiguration - -## Rule (74) ASP SSL Disabled - -**CWE** (319) Cleartext Transmission of Sensitive Information - -**Supported languages:** XML - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A02:2021 - Cryptographic Failures - -## Rule (75) Authentication over HTTP - -**CWE** (319) Cleartext Transmission of Sensitive Information - -**Supported languages:** Python - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A02:2021 - Cryptographic Failures - -## Rule (76) Cleartext Transmission of Sensitive Information - -**CWE** (319) Cleartext Transmission of Sensitive Information - -**Supported languages:** Java, JavaScript and TypeScript, Kotlin, Scala - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A02:2021 - Cryptographic Failures - -## Rule (77) Insecure Data Transmission - -**CWE** (319) Cleartext Transmission of Sensitive Information - -**Supported languages:** Apex, C# and ASP.NET, Ruby - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 
Category A02:2021 - Cryptographic Failures - -## Rule (78) Use of Hardcoded Cryptographic Key - -**CWE** (321) Use of Hard-coded Cryptographic Key - -**Supported languages:** C++ (Beta), Python, Ruby - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A02:2021 - Cryptographic Failures - -## Rule (79) Inadequate Padding for Public Key Encryption - -**CWE** (326) Inadequate Encryption Strength - -**Supported languages:** PHP - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A02:2021 - Cryptographic Failures - -## Rule (80) Inadequate Padding for AES encryption - -**CWE** (326) Inadequate Encryption Strength - -**Supported languages:** Java, Kotlin, Scala - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A02:2021 - Cryptographic Failures - -## Rule (81) Inadequate Encryption Strength - -**CWE** (326) Inadequate Encryption Strength - -**Supported languages:** C++ (Beta), C# and ASP.NET, Go, Java, Kotlin, PHP, Python, Scala, Swift, Visual Basic - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A02:2021 - Cryptographic Failures - -## Rule (82) Use of a Broken or Risky Cryptographic Algorithm - -**CWE** (327) Use of a Broken or Risky Cryptographic Algorithm - -**Supported languages:** C# and ASP.NET, Go, Java, JavaScript and TypeScript, Kotlin, PHP, Python, Ruby, Scala, Swift, Visual Basic - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A02:2021 - Cryptographic Failures - -## Rule (83) Insecure TLS Configuration - -**CWE** (327) Use of a Broken or Risky Cryptographic Algorithm - -**Supported languages:** Go, JavaScript and TypeScript - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A02:2021 - Cryptographic Failures - -## Rule (84) Weak Cryptographic Primitive - -**CWE** (327) Use of a Broken or Risky Cryptographic Algorithm - -**Supported languages:** COBOL (Beta) - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A02:2021 - Cryptographic Failures - -## Rule (85) Missing protocol in ssl.wrap\_socket - -**CWE** (327) Use of 
a Broken or Risky Cryptographic Algorithm - -**Supported languages:** Python - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A02:2021 - Cryptographic Failures - -## Rule (86) Use of Hardcoded Cryptographic Initialization Value - -**CWE** (329) Generation of Predictable IV with CBC Mode - -**Supported languages:** Python - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A02:2021 - Cryptographic Failures - -## Rule (87) Use of Insufficiently Random Values - -**CWE** (330) Use of Insufficiently Random Values - -**Supported languages:** C# and ASP.NET, Go, Java, JavaScript and TypeScript, Kotlin, PHP, Ruby, Scala, Swift, Visual Basic - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A02:2021 - Cryptographic Failures - -## Rule (88) Origin Validation Error - -**CWE** (346, 942) Origin Validation Error, Permissive Cross-domain Policy with Untrusted Domains - -**Supported languages:** Java, JavaScript and TypeScript, Kotlin, PHP, Python, Scala - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A07:2021 - Identification and Authentication Failures - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A05:2021 - Security Misconfiguration - -## Rule (89) Insecure JWT Verification Method - -**CWE** (347) Improper Verification of Cryptographic Signature - -**Supported languages:** JavaScript and TypeScript - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A02:2021 - Cryptographic Failures - -## Rule (90) JWT Signature Verification Method Disabled - -**CWE** (347) Improper Verification of Cryptographic Signature - -**Supported languages:** JavaScript and TypeScript - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A02:2021 - Cryptographic Failures - -## Rule (91) JWT 'none' Algorithm Supported - -**CWE** (347) Improper Verification of Cryptographic Signature - -**Supported languages:** JavaScript and TypeScript - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A02:2021 - Cryptographic Failures - -## Rule (92) JWT Signature 
Verification Bypass - -**CWE** (347) Improper Verification of Cryptographic Signature - -**Supported languages:** Java - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A02:2021 - Cryptographic Failures - -## Rule (93) Anti-forgery token validation disabled - -**CWE** (352) Cross-Site Request Forgery (CSRF) - -**Supported languages:** C# and ASP.NET - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A01:2021 - Broken Access Control - -**OWASP Top 10/SANS 25:** SANS/CWE Top 25 - -## Rule (94) Cross-Site Request Forgery (CSRF) - -**CWE** (352) Cross-Site Request Forgery (CSRF) - -**Supported languages:** Java, JavaScript and TypeScript, Kotlin, PHP, Python, Scala - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A01:2021 - Broken Access Control - -**OWASP Top 10/SANS 25:** SANS/CWE Top 25 - -## Rule (95) Spring Cross-Site Request Forgery (CSRF) - -**CWE** (352) Cross-Site Request Forgery (CSRF) - -**Supported languages:** Java - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A01:2021 - Broken Access Control - -**OWASP Top 10/SANS 25:** SANS/CWE Top 25 - -## Rule (96) Exposure of Private Personal Information to an Unauthorized Actor - -**CWE** (359) Exposure of Private Personal Information to an Unauthorized Actor - -**Supported languages:** C# and ASP.NET - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A01:2021 - Broken Access Control - -## Rule (97) Division By Zero - -**CWE** (369) Divide By Zero - -**Supported languages:** C++ (Beta) - -## Rule (98) Insecure Temporary File - -**CWE** (377) Insecure Temporary File - -**Supported languages:** Python - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A01:2021 - Broken Access Control - -## Rule (99) Denial of Service (DoS) through Nested GraphQL Queries - -**CWE** (400) Uncontrolled Resource Consumption - -**Supported languages:** JavaScript and TypeScript - -## Rule (100) Unchecked Input for Loop Condition - -**CWE** (400, 606) Uncontrolled Resource Consumption, Unchecked 
Input for Loop Condition - -**Supported languages:** JavaScript and TypeScript - -## Rule (101) Regular expression injection - -**CWE** (400, 730) Uncontrolled Resource Consumption, OWASP Top Ten 2004 Category A9 - Denial of Service - -**Supported languages:** Apex, C# and ASP.NET, Java, Kotlin, Scala, Visual Basic - -## Rule (102) Regular Expression Denial of Service (ReDoS) - -**CWE** (400) Uncontrolled Resource Consumption - -**Supported languages:** JavaScript and TypeScript, PHP, Python, Ruby - -## Rule (103) Missing Release of Memory after Effective Lifetime - -**CWE** (401) Missing Release of Memory after Effective Lifetime - -**Supported languages:** C++ (Beta) - -## Rule (104) Double Free - -**CWE** (415) Double Free - -**Supported languages:** C++ (Beta) - -## Rule (105) Use After Free - -**CWE** (416) Use After Free - -**Supported languages:** C++ (Beta) - -**OWASP Top 10/SANS 25:** SANS/CWE Top 25 - -## Rule (106) Insecure default value - -**CWE** (453) Insecure Default Variable Initialization - -**Supported languages:** Python - -## Rule (107) Android Fragment Injection - -**CWE** (470) Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') - -**Supported languages:** Java, Kotlin - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A03:2021 - Injection - -## Rule (108) Unsafe Reflection - -**CWE** (470) Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') - -**Supported languages:** Java, Ruby - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A03:2021 - Injection - -## Rule (109) Dereference of a NULL Pointer - -**CWE** (476) NULL Pointer Dereference - -**Supported languages:** C++ (Beta) - -**OWASP Top 10/SANS 25:** SANS/CWE Top 25 - -## Rule (110) Android Debug Mode Enabled - -**CWE** (489) Active Debug Code - -**Supported languages:** XML - -## Rule (111) Debug Mode Enabled - -**CWE** (489) Active Debug Code - -**Supported languages:** Python - -## Rule (112) Struts Development 
Mode Enabled - -**CWE** (489) Active Debug Code - -**Supported languages:** XML - -## Rule (113) Trust Boundary Violation - -**CWE** (501) Trust Boundary Violation - -**Supported languages:** Java, Kotlin, Scala - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A04:2021 - Insecure Design - -## Rule (114) Deserialization of Untrusted Data - -**CWE** (502) Deserialization of Untrusted Data - -**Supported languages:** C# and ASP.NET, Java, JavaScript and TypeScript, Kotlin, PHP, Python, Ruby, Scala, Visual Basic - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A08:2021 - Software and Data Integrity Failures - -**OWASP Top 10/SANS 25:** SANS/CWE Top 25 - -## Rule (115) Insecure Deserialization - -**CWE** (502) Deserialization of Untrusted Data - -**Supported languages:** Swift - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A08:2021 - Software and Data Integrity Failures - -**OWASP Top 10/SANS 25:** SANS/CWE Top 25 - -## Rule (116) No Weak Password Requirements - -**CWE** (521) Weak Password Requirements - -**Supported languages:** Ruby - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A07:2021 - Identification and Authentication Failures - -## Rule (117) Privacy Leak - -**CWE** (532) Insertion of Sensitive Information into Log File - -**Supported languages:** Java, PHP - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A09:2021 - Security Logging and Monitoring Failures - -## Rule (118) Hardcoded Secret - -**CWE** (547) Use of Hard-coded, Security-relevant Constants - -**Supported languages:** Apex, COBOL (Beta), C# and ASP.NET, Go, Java, JavaScript and TypeScript, Kotlin, PHP, Python, Ruby, Scala, Swift, Visual Basic - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A05:2021 - Security Misconfiguration - -## Rule (119) Use of Hardcoded, Security-relevant Constants - -**CWE** (547) Use of Hard-coded, Security-relevant Constants - -**Supported languages:** Java, Kotlin, Scala - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 
Category A05:2021 - Security Misconfiguration - -## Rule (120) Request Validation Disabled - -**CWE** (554) ASP.NET Misconfiguration: Not Using Input Validation Framework - -**Supported languages:** C# and ASP.NET, Visual Basic, XML - -## Rule (121) Open Redirect - -**CWE** (601) URL Redirection to Untrusted Site ('Open Redirect') - -**Supported languages:** Apex, C# and ASP.NET, Go, Java, JavaScript and TypeScript, Kotlin, PHP, Python, Ruby, Scala, Visual Basic - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A01:2021 - Broken Access Control - -## Rule (122) Insecure Xml Parser - -**CWE** (611) Improper Restriction of XML External Entity Reference - -**Supported languages:** Python - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A05:2021 - Security Misconfiguration - -**OWASP Top 10/SANS 25:** SANS/CWE Top 25 - -## Rule (123) XML External Entity (XXE) Injection - -**CWE** (611) Improper Restriction of XML External Entity Reference - -**Supported languages:** C++ (Beta), C# and ASP.NET, Java, JavaScript and TypeScript, Kotlin, PHP, Ruby, Scala, Swift, Visual Basic - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A05:2021 - Security Misconfiguration - -**OWASP Top 10/SANS 25:** SANS/CWE Top 25 - -## Rule (124) XAML Injection - -**CWE** (611) Improper Restriction of XML External Entity Reference - -**Supported languages:** C# and ASP.NET - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A05:2021 - Security Misconfiguration - -**OWASP Top 10/SANS 25:** SANS/CWE Top 25 - -## Rule (125) Insufficient Session Expiration - -**CWE** (613) Insufficient Session Expiration - -**Supported languages:** Java, Kotlin, Scala - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A07:2021 - Identification and Authentication Failures - -## Rule (126) Sensitive Cookie in HTTPS Session Without 'Secure' Attribute - -**CWE** (614) Sensitive Cookie in HTTPS Session Without 'Secure' Attribute - -**Supported languages:** Apex, C# and ASP.NET, Go, Java, 
JavaScript and TypeScript, Kotlin, PHP, Python, Ruby, Scala, Swift, Visual Basic - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A05:2021 - Security Misconfiguration - -## Rule (127) Unverified Password Change - -**CWE** (620) Unverified Password Change - -**Supported languages:** Apex - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A07:2021 - Identification and Authentication Failures - -## Rule (128) Weak Password Recovery Mechanism for Forgotten Password - -**CWE** (640) Weak Password Recovery Mechanism for Forgotten Password - -**Supported languages:** JavaScript and TypeScript, PHP - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A07:2021 - Identification and Authentication Failures - -## Rule (129) XPath Injection - -**CWE** (643) Improper Neutralization of Data within XPath Expressions ('XPath Injection') - -**Supported languages:** C++ (Beta), C# and ASP.NET, Go, Java, JavaScript and TypeScript, Kotlin, PHP, Python, Ruby, Scala, Visual Basic - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A03:2021 - Injection - -## Rule (130) SQL SELECT statement without WHERE clause - -**CWE** (668) Exposure of Resource to Wrong Sphere - -**Supported languages:** COBOL (Beta) - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A01:2021 - Broken Access Control - -## Rule (131) Use of Potentially Dangerous Function - -**CWE** (676) Use of Potentially Dangerous Function - -**Supported languages:** Java, Kotlin, Scala - -## Rule (132) Android World Writeable/Readable File Permission Found - -**CWE** (732) Incorrect Permission Assignment for Critical Resource - -**Supported languages:** Java, Kotlin, Scala - -**OWASP Top 10/SANS 25:** SANS/CWE Top 25 - -## Rule (133) Insecure File Permissions - -**CWE** (732) Incorrect Permission Assignment for Critical Resource - -**Supported languages:** Python - -**OWASP Top 10/SANS 25:** SANS/CWE Top 25 - -## Rule (134) Incorrect Permission Assignment - -**CWE** (732) Incorrect Permission Assignment 
for Critical Resource - -**Supported languages:** Java, Kotlin - -**OWASP Top 10/SANS 25:** SANS/CWE Top 25 - -## Rule (135) Selection of Less-Secure Algorithm During Negotiation (SSL instead of TLS) - -**CWE** (757) Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade') - -**Supported languages:** Python - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A02:2021 - Cryptographic Failures - -## Rule (136) Allocation of Resources Without Limits or Throttling - -**CWE** (770) Allocation of Resources Without Limits or Throttling - -**Supported languages:** JavaScript and TypeScript, PHP - -## Rule (137) Missing Release of File Descriptor or Handle after Effective Lifetime - -**CWE** (775) Missing Release of File Descriptor or Handle after Effective Lifetime - -**Supported languages:** C++ (Beta) - -## Rule (138) XML internal entity expansion - -**CWE** (776) Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion') - -**Supported languages:** JavaScript and TypeScript - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A05:2021 - Security Misconfiguration - -## Rule (139) Memory Corruption - -**CWE** (822) Untrusted Pointer Dereference - -**Supported languages:** Swift - -## Rule (140) Unrestricted Android Broadcast - -**CWE** (862) Missing Authorization - -**Supported languages:** Java, Kotlin - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A01:2021 - Broken Access Control - -**OWASP Top 10/SANS 25:** SANS/CWE Top 25 - -## Rule (141) Use of Expired File Descriptor - -**CWE** (910) Use of Expired File Descriptor - -**Supported languages:** C++ (Beta) - -## Rule (142) Improperly Controlled Modification of Dynamically-Determined Object Attributes - -**CWE** (915) Improperly Controlled Modification of Dynamically-Determined Object Attributes - -**Supported languages:** Ruby - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A08:2021 - Software and Data Integrity Failures - -## Rule (143) Use of 
Password Hash With Insufficient Computational Effort - -**CWE** (916) Use of Password Hash With Insufficient Computational Effort - -**Supported languages:** Apex, C++ (Beta), C# and ASP.NET, Go, Java, JavaScript and TypeScript, Kotlin, PHP, Python, Ruby, Scala, Swift, Visual Basic - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A02:2021 - Cryptographic Failures - -## Rule (144) Server-Side Request Forgery (SSRF) - -**CWE** (918) Server-Side Request Forgery (SSRF) - -**Supported languages:** Apex, C++ (Beta), C# and ASP.NET, Go, Java, JavaScript and TypeScript, Kotlin, PHP, Python, Scala, Swift, Visual Basic - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A10:2021 - Server-Side Request Forgery (SSRF) - -**OWASP Top 10/SANS 25:** SANS/CWE Top 25 - -## Rule (145) Insecure Data Storage - -**CWE** (922) Insecure Storage of Sensitive Information - -**Supported languages:** Swift - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A01:2021 - Broken Access Control - -## Rule (146) Android Intent Forwarding - -**CWE** (940) Improper Verification of Source of a Communication Channel - -**Supported languages:** Java, Kotlin - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A07:2021 - Identification and Authentication Failures - -## Rule (147) Code Execution via Third Party Package Installation - -**CWE** (940) Improper Verification of Source of a Communication Channel - -**Supported languages:** Java, Kotlin - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A07:2021 - Identification and Authentication Failures - -## Rule (148) Permissive Cross-domain Policy - -**CWE** (942) Permissive Cross-domain Policy with Untrusted Domains - -**Supported languages:** JavaScript and TypeScript - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A05:2021 - Security Misconfiguration - -## Rule (149) NoSQL Injection - -**CWE** (943) Improper Neutralization of Special Elements in Data Query Logic - -**Supported languages:** Java, JavaScript and 
TypeScript, Python - -## Rule (150) Sensitive Cookie Without 'HttpOnly' Flag - -**CWE** (1004) Sensitive Cookie Without 'HttpOnly' Flag - -**Supported languages:** C# and ASP.NET, Go, Java, JavaScript and TypeScript, Kotlin, PHP, Python, Ruby, Scala, Visual Basic - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A05:2021 - Security Misconfiguration - -## Rule (151) Bad Coding Practices - -**CWE** (1006) Bad Coding Practices - -**Supported languages:** JavaScript and TypeScript - -## Rule (152) Improper Restriction of Rendered UI Layers or Frames - -**CWE** (1021) Improper Restriction of Rendered UI Layers or Frames - -**Supported languages:** JavaScript and TypeScript, PHP - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A04:2021 - Insecure Design - -## Rule (153) Python 2 source code - -**CWE** (1104) Use of Unmaintained Third Party Components - -**Supported languages:** Python - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A06:2021 - Vulnerable and Outdated Components - -## Rule (154) User Controlled Pointer - -**CWE** (1285) Improper Validation of Specified Index, Position, or Offset in Input - -**Supported languages:** C++ (Beta) - -## Rule (155) Incorrect regular expression for validating values - -**CWE** (1286) Improper Validation of Syntactic Correctness of Input - -**Supported languages:** Ruby - -## Rule (156) Improper Type Validation - -**CWE** (1287) Improper Validation of Specified Type of Input - -**Supported languages:** JavaScript and TypeScript - -## Rule (157) Prototype Pollution - -**CWE** (1321) Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') - -**Supported languages:** JavaScript and TypeScript - -## Rule (158) An optimizing compiler may remove memset non-zero leaving data in memory - -**CWE** (1330) Remanent Data Readable after Memory Erase - -**Supported languages:** C++ (Beta) +* **Security Categories**: The [OWASP Top 10 ](https://owasp.org/Top10/)(2021 edition) category to 
which the rule belongs to, if any, and if it is included in [SANS 25](https://www.sans.org/top25-software-errors/). + +| Rule Name | Language(s) | CWE(s) | Security Categories | +| ----------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------- | ----------------------------------------------------------- | ------------------------------------------------------- | +| ASP SSL Disabled | XML | CWE-319 | OWASP:A02 | +| Access Violation | Apex | CWE-284, CWE-285 | OWASP:A01 | +| Allocation of Resources Without Limits or Throttling | JavaScript, PHP | CWE-770 | | +| An optimizing compiler may remove memset non-zero leaving data in memory | C++ | CWE-1330 | | +| Android Debug Mode Enabled | XML | CWE-489 | | +| Android Fragment Injection | Java, Kotlin | CWE-470 | OWASP:A03 | +| Android Intent Forwarding | Java, Kotlin | CWE-940 | OWASP:A07 | +| Android Uri Permission Manipulation | Java, Kotlin | CWE-266 | OWASP:A04 | +| Android World Writeable/Readable File Permission Found | Java, Kotlin, Scala | CWE-732 | | +| Anti-forgery token validation disabled | C# | CWE-352 | Sans Top 25, OWASP:A01 | +| Arbitrary File Write via Archive Extraction (Tar Slip) | Python | CWE-22 | Sans Top 25, OWASP:A01 | +| Arbitrary File Write via Archive Extraction (Zip Slip) | C#, JavaScript, PHP | CWE-22 | Sans Top 25, OWASP:A01 | +| Authentication Bypass by Spoofing | C++ | CWE-290 | OWASP:A07 | +| Authentication over HTTP | Python | CWE-319 | OWASP:A02 | +| Binding to all network interfaces may open service to unintended traffic | Python | CWE-284 | OWASP:A01 | +| Broken User Authentication | Python | CWE-287 | Sans Top 25, OWASP:A07 | +| Buffer Over-read | JavaScript | CWE-126 | | +| Buffer Overflow | C++ | CWE-122 | | +| Clear Text Logging | Go, Swift | CWE-200, CWE-312 | OWASP:A01, OWASP:A04 | +| Clear Text Sensitive Storage | Apex, 
JavaScript | CWE-200, CWE-312 | OWASP:A01, OWASP:A04 | +| Cleartext Storage of Sensitive Information in a Cookie | C#, Java, Kotlin, Scala | CWE-315 | OWASP:A05 | +| Cleartext Transmission of Sensitive Information | Java, JavaScript, Kotlin, Scala | CWE-319 | OWASP:A02 | +| Code Execution via Third Party Package Context | Java, Kotlin | CWE-94 | Sans Top 25, OWASP:A03 | +| Code Execution via Third Party Package Installation | Java, Kotlin | CWE-940 | OWASP:A07 | +| Code Injection | C#, Java, JavaScript, Kotlin, PHP, Python, Ruby, Scala, Swift, Visual Basic | CWE-94 | Sans Top 25, OWASP:A03 | +| Command Injection | Apex, C#, C++, Go, Java, JavaScript, Kotlin, PHP, Python, Ruby, Rust, Scala, Swift, Visual Basic | CWE-78 | Sans Top 25, OWASP:A03 | +| Cross-Site Request Forgery (CSRF) | Java, JavaScript, Kotlin, Python, Scala | CWE-352 | Sans Top 25, OWASP:A01 | +| Cross-site Scripting (XSS) | Apex, C#, C++, Go, Java, JavaScript, Kotlin, PHP, Python, Ruby, Rust, Scala, Swift, Visual Basic | CWE-79 | Sans Top 25, OWASP:A03 | +| Cryptographic Issues | Java, JavaScript, Kotlin, Python, Scala | CWE-310 | OWASP:A02 | +| Debug Features Enabled | C#, Visual Basic, XML | CWE-215 | | +| Debug Mode Enabled | Python | CWE-489 | | +| Denial of Service (DoS) through Nested GraphQL Queries | JavaScript | CWE-400 | | +| Dereference of a NULL Pointer | C++ | CWE-476 | Sans Top 25 | +| Deserialization of Untrusted Data | C#, Java, JavaScript, Kotlin, PHP, Python, Ruby, Scala, Visual Basic | CWE-502 | Sans Top 25, OWASP:A08 | +| Device Authentication Bypass | Swift | CWE-287 | Sans Top 25, OWASP:A07 | +| Disabled Neutralization of CRLF Sequences in HTTP Headers | Java, Kotlin, Scala | CWE-113 | OWASP:A03 | +| Disabling Strict Contextual escaping (SCE) could provide additional attack surface for Cross-site Scripting (XSS) | JavaScript | CWE-79 | Sans Top 25, OWASP:A03 | +| Division By Zero | C++ | CWE-369 | | +| Double Free | C++ | CWE-415 | | +| Electron Disable Security Warnings | 
JavaScript | CWE-16 | OWASP:A05 | +| Electron Insecure Web Preferences | JavaScript | CWE-16 | OWASP:A05 | +| Electron Load Insecure Content | JavaScript | CWE-16 | OWASP:A05 | +| Exposure of Private Personal Information to an Unauthorized Actor | C#, C++ | CWE-359 | OWASP:A01 | +| External Control of System or Configuration Setting | Java, Kotlin, Scala | CWE-15 | OWASP:A05 | +| File Access Enabled | Java, Kotlin | CWE-200 | OWASP:A01 | +| File Inclusion | PHP | CWE-98 | OWASP:A03 | +| Generation of Error Message Containing Sensitive Information | Go, XML | CWE-209 | OWASP:A04 | +| GraphQL Injection | JavaScript | CWE-89 | Sans Top 25, OWASP:A03 | +| Hardcoded Secret | Apex, C#, Cobol, Go, Java, JavaScript, Kotlin, PHP, Python, Ruby, Rust, Scala, Swift, Visual Basic | CWE-547 | OWASP:A05 | +| Improper Access Control: Email Content Injection | Apex, Go, PHP | CWE-284 | OWASP:A01 | +| Improper Authentication | Java, Kotlin, Scala | CWE-287 | Sans Top 25, OWASP:A07 | +| Improper Certificate Validation | Go, Java, Kotlin, Python, Ruby, Scala, Swift | CWE-295 | OWASP:A07 | +| Improper Code Sanitization | JavaScript | CWE-116, CWE-79, CWE-94 | Sans Top 25, OWASP:A03 | +| Improper Handling of Insufficient Permissions or Privileges | Java, Kotlin, Python | CWE-280 | OWASP:A04 | +| Improper Input Validation | Ruby | CWE-20 | Sans Top 25, OWASP:A03 | +| Improper Neutralization of CRLF Sequences in HTTP Headers | C#, Java, Kotlin, Scala, Visual Basic | CWE-113 | OWASP:A03 | +| Improper Neutralization of Directives in Statically Saved Code | Go, JavaScript, Python, Ruby | CWE-96 | OWASP:A03 | +| Improper Null Termination | C++ | CWE-170 | | +| Improper Restriction of Rendered UI Layers or Frames | JavaScript, PHP, XML | CWE-1021 | OWASP:A04 | +| Improper Type Validation | JavaScript | CWE-1287 | | +| Improper Validation of Certificate with Host Mismatch | Java, Kotlin, Scala | CWE-297 | OWASP:A07 | +| Improperly Controlled Modification of Dynamically-Determined Object 
Attributes | Ruby | CWE-915 | OWASP:A08 | +| Inadequate Encryption Strength | C#, C++, Go, Java, Kotlin, PHP, Python, Scala, Swift, Visual Basic | CWE-326 | OWASP:A02 | +| Inadequate Padding for AES encryption | Java, Kotlin, Scala | CWE-326 | OWASP:A02 | +| Inadequate Padding for Public Key Encryption | PHP, Rust | CWE-326 | OWASP:A02 | +| Incorrect Permission Assignment | Java, Kotlin | CWE-732 | | +| Incorrect regular expression for validating values | Ruby | CWE-1286 | | +| Indirect Command Injection via User Controlled Environment | Java, Kotlin, Scala | CWE-78 | Sans Top 25, OWASP:A03 | +| Information Exposure | C#, Java, JavaScript, Kotlin, PHP, Ruby, Scala, Swift | CWE-200 | OWASP:A01 | +| Insecure Anonymous LDAP Binding | C++ | CWE-287 | Sans Top 25, OWASP:A07 | +| Insecure Data Storage | Swift | CWE-922 | OWASP:A01 | +| Insecure Data Transmission | Apex, C#, Ruby | CWE-319 | OWASP:A02 | +| Insecure Deserialization | Swift | CWE-502 | Sans Top 25, OWASP:A08 | +| Insecure File Permissions | Python, Rust | CWE-732 | | +| Insecure JWT Verification Method | JavaScript | CWE-347 | OWASP:A02 | +| Insecure TLS Configuration | Go, JavaScript | CWE-327 | OWASP:A02 | +| Insecure Temporary File | Python | CWE-377 | OWASP:A01 | +| Insecure Xml Parser | Python | CWE-611 | OWASP:A05 | +| Insecure default value | Python | CWE-453 | | +| Insufficient Session Expiration | Java, Kotlin, Scala | CWE-613 | OWASP:A07 | +| Insufficient postMessage Validation | JavaScript | CWE-20 | Sans Top 25, OWASP:A03 | +| Integer Overflow | C++ | CWE-190 | Sans Top 25 | +| Introspection Enabled | JavaScript | CWE-200 | OWASP:A01 | +| JWT 'none' Algorithm Supported | JavaScript | CWE-347 | OWASP:A02 | +| JWT Signature Verification Bypass | Java | CWE-347 | OWASP:A02 | +| JWT Signature Verification Method Disabled | JavaScript | CWE-347 | OWASP:A02 | +| Java Naming and Directory Interface (JNDI) Injection | Java, Kotlin, Scala | CWE-074 | | +| JavaScript Enabled | Java, Kotlin | CWE-79 | Sans 
Top 25, OWASP:A03 | +| Jinja auto-escape is set to false. | Python | CWE-79 | Sans Top 25, OWASP:A03 | +| LDAP Injection | C#, C++, Java, Kotlin, Python, Scala | CWE-90 | OWASP:A03 | +| Log Forging | C# | CWE-117 | OWASP:A09 | +| Memory Allocation Of String Length | C++ | CWE-170 | | +| Memory Corruption | Swift | CWE-822 | | +| Missing Release of File Descriptor or Handle after Effective Lifetime | C++ | CWE-775 | | +| Missing Release of Memory after Effective Lifetime | C++ | CWE-401 | | +| No Weak Password Requirements | Ruby | CWE-521 | OWASP:A07 | +| NoSQL Injection | Java, JavaScript, Python | CWE-943 | | +| Observable Timing Discrepancy | Rust | CWE-208 | | +| Observable Timing Discrepancy (Timing Attack) | Java, JavaScript, Kotlin, Scala | CWE-208 | | +| Open Redirect | Apex, C#, Go, Java, JavaScript, Kotlin, PHP, Python, Ruby, Rust, Scala, Visual Basic | CWE-601 | OWASP:A01 | +| Origin Validation Error | Java, JavaScript, Kotlin, PHP, Python, Rust, Scala | CWE-346, CWE-942 | OWASP:A05, OWASP:A07 | +| Password Requirements Not Enforced in Django Application | Python | CWE-521 | OWASP:A07 | +| Path Traversal | C#, C++, Go, Java, JavaScript, Kotlin, PHP, Python, Ruby, Rust, Scala, Swift, Visual Basic | CWE-23 | OWASP:A01 | +| Permissive Cross-domain Policy | JavaScript | CWE-942 | OWASP:A05 | +| Potential Negative Number Used as Index | C++ | CWE-125, CWE-787 | Sans Top 25 | +| Potential buffer overflow from usage of unsafe function | C++ | CWE-122 | | +| Privacy Leak | Java | CWE-532 | OWASP:A09 | +| Process Control | Java, Kotlin, Scala | CWE-114 | | +| Prototype Pollution | JavaScript | CWE-1321 | | +| Python 2 source code | Python | CWE-1104 | OWASP:A06 | +| Regular Expression Denial of Service (ReDoS) | JavaScript, PHP, Python, Ruby | CWE-400 | | +| Regular expression injection | Apex, C#, Java, Kotlin, Scala, Visual Basic | CWE-400, CWE-730 | | +| Remote Code Execution via Endpoint | Ruby | CWE-94 | Sans Top 25, OWASP:A03 | +| Request Validation 
Disabled | C#, Visual Basic, XML | CWE-554 | | +| SOQL Injection | Apex | CWE-89 | Sans Top 25, OWASP:A03 | +| SOSL Injection | Apex | CWE-89 | Sans Top 25, OWASP:A03 | +| SQL Injection | C#, C++, Go, Java, JavaScript, Kotlin, PHP, Python, Ruby, Rust, Scala, Swift, Visual Basic | CWE-89 | Sans Top 25, OWASP:A03 | +| SQL SELECT statement without WHERE clause | Cobol | CWE-668 | OWASP:A01 | +| Selection of Less-Secure Algorithm During Negotiation (Force SSL) | Ruby | CWE-311, CWE-757 | OWASP:A04, OWASP:A02 | +| Selection of Less-Secure Algorithm During Negotiation (SSL instead of TLS) | Python | CWE-757 | OWASP:A02 | +| Sensitive Cookie Without 'HttpOnly' Flag | C#, Go, Java, JavaScript, Kotlin, PHP, Python, Ruby, Scala, Visual Basic | CWE-1004 | OWASP:A05 | +| Sensitive Cookie in HTTPS Session Without 'Secure' Attribute | Apex, C#, Go, Java, JavaScript, Kotlin, PHP, Python, Ruby, Scala, Swift, Visual Basic | CWE-614 | OWASP:A05 | +| Server Information Exposure | Java, Kotlin, Python, Scala | CWE-209 | OWASP:A04 | +| Server-Side Request Forgery (SSRF) | Apex, C#, C++, Go, Java, JavaScript, Kotlin, PHP, Python, Rust, Scala, Swift, Visual Basic | CWE-918 | Sans Top 25, OWASP:A10 | +| Session Manipulation | Ruby | CWE-285 | OWASP:A01 | +| Sinatra Protection Layers Disabled | Ruby | CWE-1021, CWE-16, CWE-348, CWE-35, CWE-352, CWE-693, CWE-79 | Sans Top 25, OWASP:A01, OWASP:A05, OWASP:A03, OWASP:A04 | +| Size Used as Index | C++ | CWE-125, CWE-787 | Sans Top 25 | +| Spring Cross-Site Request Forgery (CSRF) | Java | CWE-352 | Sans Top 25, OWASP:A01 | +| Struts Development Mode Enabled | XML | CWE-489 | | +| The cipher text is equal to the provided input plain text | Java, Kotlin, Scala | CWE-311 | OWASP:A04 | +| Trust Boundary Violation | Java, Kotlin, Scala | CWE-501 | OWASP:A04 | +| Unauthorized File Access | Java, Kotlin | CWE-79 | Sans Top 25, OWASP:A03 | +| Unchecked Input for Loop Condition | JavaScript | CWE-400, CWE-606 | | +| Unprotected Storage of Credentials | 
Java, Kotlin, Scala | CWE-256 | OWASP:A04 | +| Unrestricted Android Broadcast | Java, Kotlin | CWE-862 | Sans Top 25, OWASP:A01 | +| Unsafe JQuery Plugin | JavaScript | CWE-116, CWE-79 | Sans Top 25, OWASP:A03 | +| Unsafe Reflection | Java, Ruby | CWE-470 | OWASP:A03 | +| Unsafe SOQL Concatenation | Apex | CWE-89 | Sans Top 25, OWASP:A03 | +| Unsafe SOSL Concatenation | Apex | CWE-89 | Sans Top 25, OWASP:A03 | +| Unverified Password Change | Apex | CWE-620 | OWASP:A07 | +| Usage of BinaryFormatter | C#, Visual Basic | CWE-502 | Sans Top 25, OWASP:A08 | +| Use After Free | C++ | CWE-416 | Sans Top 25 | +| Use dangerouslySetInnerHTML to Explicitly Handle XSS Risks | JavaScript | CWE-79 | Sans Top 25, OWASP:A03 | +| Use of Expired File Descriptor | C++ | CWE-910 | | +| Use of Externally-Controlled Format String | C++, Java, JavaScript, Kotlin, Scala | CWE-134 | | +| Use of Hardcoded Credentials | Apex, C#, Go, Java, JavaScript, Kotlin, PHP, Python, Ruby, Rust, Scala, Swift, Visual Basic | CWE-259, CWE-798 | Sans Top 25, OWASP:A07 | +| Use of Hardcoded Cryptographic Initialization Value | Python | CWE-329 | OWASP:A02 | +| Use of Hardcoded Cryptographic Key | C++, Python, Ruby | CWE-321 | OWASP:A02 | +| Use of Hardcoded Passwords | Apex, Go, Java, JavaScript, Kotlin, PHP, Python, Ruby, Rust, Scala, Swift, XML | CWE-259, CWE-798 | Sans Top 25, OWASP:A07 | +| Use of Hardcoded, Security-relevant Constants | Java, Kotlin, Scala | CWE-547 | OWASP:A05 | +| Use of Insufficiently Random Values | C#, Go, Java, JavaScript, Kotlin, PHP, Ruby, Rust, Scala, Swift, Visual Basic | CWE-330 | OWASP:A02 | +| Use of Password Hash With Insufficient Computational Effort | Apex, C#, C++, Go, Java, JavaScript, Kotlin, PHP, Python, Ruby, Rust, Scala, Swift, Visual Basic | CWE-916 | OWASP:A02 | +| Use of Potentially Dangerous Function | Java, Kotlin, Scala | CWE-676 | | +| Use of Sticky broadcasts | Java, Kotlin | CWE-265 | | +| Use of a Broken or Risky Cryptographic Algorithm | C#, Go, Java, 
JavaScript, Kotlin, PHP, Python, Ruby, Rust, Scala, Swift, Visual Basic | CWE-327 | OWASP:A02 | +| User Controlled Pointer | C++ | CWE-1285 | | +| Weak Cryptographic Primitive | Cobol | CWE-327 | OWASP:A02 | +| Weak Password Recovery Mechanism for Forgotten Password | JavaScript | CWE-640 | OWASP:A07 | +| XAML Injection | C# | CWE-611 | OWASP:A05 | +| XML External Entity (XXE) Injection | C#, C++, Java, JavaScript, Kotlin, PHP, Ruby, Scala, Swift, Visual Basic | CWE-611 | OWASP:A05 | +| XML Injection | Apex, C#, Visual Basic | CWE-91 | OWASP:A03 | +| XPath Injection | C#, C++, Go, Java, JavaScript, Kotlin, PHP, Python, Ruby, Scala, Visual Basic | CWE-643 | OWASP:A03 | diff --git a/docs/scan-with-snyk/snyk-code/snyk-code-security-rules/apex-rules.md b/docs/scan-with-snyk/snyk-code/snyk-code-security-rules/apex-rules.md index 74b5be30ff70..17bd780549fa 100644 --- a/docs/scan-with-snyk/snyk-code/snyk-code-security-rules/apex-rules.md +++ b/docs/scan-with-snyk/snyk-code/snyk-code-security-rules/apex-rules.md 
@@ -1,139 +1,31 @@ # Apex rules -## Rule (1) Command Injection - -**CWE** (78) Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A03:2021 - Injection - -**OWASP Top 10/SANS 25:** SANS/CWE Top 25 - -## Rule (2) Cross-site Scripting (XSS) - -**CWE** (79) Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A03:2021 - Injection - -**OWASP Top 10/SANS 25:** SANS/CWE Top 25 - -## Rule (3) SOQL Injection - -**CWE** (89) Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A03:2021 - Injection - -**OWASP Top 10/SANS 25:** SANS/CWE Top 25 - -## Rule (4) SOSL Injection - -**CWE** (89) Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A03:2021 - Injection - -**OWASP Top 10/SANS 25:** SANS/CWE Top 25 - -## Rule (5) Unsafe SOQL Concatenation - -**CWE** (89) Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A03:2021 - Injection - -**OWASP Top 10/SANS 25:** SANS/CWE Top 25 - -## Rule (6) Unsafe SOSL Concatenation - -**CWE** (89) Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A03:2021 - Injection - -**OWASP Top 10/SANS 25:** SANS/CWE Top 25 - -## Rule (7) XML Injection - -**CWE** (91) XML Injection (aka Blind XPath Injection) - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A03:2021 - Injection - -## Rule (8) Clear Text Sensitive Storage - -**CWE** (200, 312) Exposure of Sensitive Information to an Unauthorized Actor, Cleartext Storage of Sensitive Information - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A01:2021 - 
Broken Access Control - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A04:2021 - Insecure Design - -**OWASP Top 10/SANS 25:** SANS/CWE Top 25 - -## Rule (9) Use of Hardcoded Credentials - -**CWE** (259, 798) Use of Hard-coded Password, Use of Hard-coded Credentials - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A07:2021 - Identification and Authentication Failures - -**OWASP Top 10/SANS 25:** SANS/CWE Top 25 - -## Rule (10) Access Violation - -**CWE** (284, 285) Improper Access Control, Improper Authorization - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A01:2021 - Broken Access Control - -**Autofixable** by DeepCode AI Fix - -## Rule (11) Improper Access Control: Email Content Injection - -**CWE** (284) Improper Access Control - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A01:2021 - Broken Access Control - -## Rule (12) Insecure Data Transmission - -**CWE** (319) Cleartext Transmission of Sensitive Information - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A02:2021 - Cryptographic Failures - -## Rule (13) Regular expression injection - -**CWE** (400, 730) Uncontrolled Resource Consumption, OWASP Top Ten 2004 Category A9 - Denial of Service - -## Rule (14) Hardcoded Secret - -**CWE** (547) Use of Hard-coded, Security-relevant Constants - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A05:2021 - Security Misconfiguration - -## Rule (15) Open Redirect - -**CWE** (601) URL Redirection to Untrusted Site ('Open Redirect') - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A01:2021 - Broken Access Control - -## Rule (16) Sensitive Cookie in HTTPS Session Without 'Secure' Attribute - -**CWE** (614) Sensitive Cookie in HTTPS Session Without 'Secure' Attribute - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A05:2021 - Security Misconfiguration - -**Autofixable** by DeepCode AI Fix - -## Rule (17) Unverified Password Change - -**CWE** (620) Unverified Password Change - -**OWASP Top 10/SANS 25:** OWASP 
Top Ten 2021 Category A07:2021 - Identification and Authentication Failures - -## Rule (18) Use of Password Hash With Insufficient Computational Effort - -**CWE** (916) Use of Password Hash With Insufficient Computational Effort - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A02:2021 - Cryptographic Failures - -**Autofixable** by DeepCode AI Fix - -## Rule (19) Server-Side Request Forgery (SSRF) - -**CWE** (918) Server-Side Request Forgery (SSRF) - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A10:2021 - Server-Side Request Forgery (SSRF) - -**OWASP Top 10/SANS 25:** SANS/CWE Top 25 +Each rule includes the following information. + +* **Rule Name**: Consecutive number for each rule and the Snyk name of the rule. +* **CWE(s):** The [CWE numbers](https://cwe.mitre.org/) that are covered by this rule. +* **Security Categories**: The [OWASP Top 10 ](https://owasp.org/Top10/)(2021 edition) category to which the rule belongs to, if any, and if it is included in [SANS 25](https://www.sans.org/top25-software-errors/). +* **Autofixable**: Security rules that are autofixable by DeepCode AI Fix. This information is included only for the supported programming languages. 
+ +| Rule Name | CWE(s) | Security Categories | Autofixable | +| ------------------------------------------------------------ | ---------------- | ---------------------- | ----------- | +| Access Violation | CWE-284, CWE-285 | OWASP:A01 | Yes | +| Clear Text Sensitive Storage | CWE-200, CWE-312 | OWASP:A01, OWASP:A04 | No | +| Command Injection | CWE-78 | Sans Top 25, OWASP:A03 | No | +| Improper Access Control: Email Content Injection | CWE-284 | OWASP:A01 | No | +| Use of Hardcoded Credentials | CWE-798, CWE-259 | Sans Top 25, OWASP:A07 | No | +| Use of Hardcoded Passwords | CWE-798, CWE-259 | Sans Top 25, OWASP:A07 | No | +| Hardcoded Secret | CWE-547 | OWASP:A05 | No | +| Use of Password Hash With Insufficient Computational Effort | CWE-916 | OWASP:A02 | Yes | +| Insecure Data Transmission | CWE-319 | OWASP:A02 | No | +| Open Redirect | CWE-601 | OWASP:A01 | No | +| Cross-site Scripting (XSS) | CWE-79 | Sans Top 25, OWASP:A03 | No | +| Regular expression injection | CWE-400, CWE-730 | None | No | +| SOQL Injection | CWE-89 | Sans Top 25, OWASP:A03 | No | +| SOSL Injection | CWE-89 | Sans Top 25, OWASP:A03 | No | +| Server-Side Request Forgery (SSRF) | CWE-918 | Sans Top 25, OWASP:A10 | No | +| Unverified Password Change | CWE-620 | OWASP:A07 | No | +| Unsafe SOQL Concatenation | CWE-89 | Sans Top 25, OWASP:A03 | No | +| Unsafe SOSL Concatenation | CWE-89 | Sans Top 25, OWASP:A03 | No | +| Sensitive Cookie in HTTPS Session Without 'Secure' Attribute | CWE-614 | OWASP:A05 | Yes | +| XML Injection | CWE-91 | OWASP:A03 | No | diff --git a/docs/scan-with-snyk/snyk-code/snyk-code-security-rules/c++-rules.md b/docs/scan-with-snyk/snyk-code/snyk-code-security-rules/c++-rules.md index 58caf5e0e5ee..fe00fbe78575 100644 --- a/docs/scan-with-snyk/snyk-code/snyk-code-security-rules/c++-rules.md +++ b/docs/scan-with-snyk/snyk-code/snyk-code-security-rules/c++-rules.md 
@@ -1,177 +1,43 @@ # C++ rules -## Rule (1) Path Traversal +Each rule includes the following information. + +* **Rule Name**: Consecutive number for each rule and the Snyk name of the rule. +* **CWE(s):** The [CWE numbers](https://cwe.mitre.org/) that are covered by this rule. +* **Security Categories**: The [OWASP Top 10 ](https://owasp.org/Top10/)(2021 edition) category to which the rule belongs to, if any, and if it is included in [SANS 25](https://www.sans.org/top25-software-errors/). +* **Autofixable**: Security rules that are autofixable by DeepCode AI Fix. This information is included only for the supported programming languages. + +| Rule Name | CWE(s) | Security Categories | Autofixable | +| ------------------------------------------------------------------------ | ---------------- | ---------------------- | ----------- | +| Memory Allocation Of String Length | CWE-170 | None | Yes | +| Insecure Anonymous LDAP Binding | CWE-287 | Sans Top 25, OWASP:A07 | No | +| Buffer Overflow | CWE-122 | None | Yes | +| Division By Zero | CWE-369 | None | No | +| Missing Release of File Descriptor or Handle after Effective Lifetime | CWE-775 | None | Yes | +| Command Injection | CWE-78 | Sans Top 25, OWASP:A03 | No | +| Dereference of a NULL Pointer | CWE-476 | Sans Top 25 | No | +| Double Free | CWE-415 | None | Yes | +| Use of Externally-Controlled Format String | CWE-134 | None | Yes | +| Use of Hardcoded Cryptographic Key | CWE-321 | OWASP:A02 | No | +| Improper Null Termination | CWE-170 | None | No | +| Use of Password Hash With Insufficient Computational Effort | CWE-916 | OWASP:A02 | Yes | +| Integer Overflow | CWE-190 | Sans Top 25 | No | +| LDAP Injection | CWE-90 | OWASP:A03 | No | +| Missing Release of Memory after Effective Lifetime | CWE-401 | None | Yes | +| An optimizing compiler may remove memset non-zero leaving data in memory | CWE-1330 | None | No | +| Potential Negative Number Used as Index | CWE-125, CWE-787 | Sans Top 25 | No | +| Path Traversal | 
CWE-23 | OWASP:A01 | No | +| Exposure of Private Personal Information to an Unauthorized Actor | CWE-359 | OWASP:A01 | No | +| Size Used as Index | CWE-125, CWE-787 | Sans Top 25 | Yes | +| SQL Injection | CWE-89 | Sans Top 25, OWASP:A03 | No | +| Server-Side Request Forgery (SSRF) | CWE-918 | Sans Top 25, OWASP:A10 | No | +| Inadequate Encryption Strength | CWE-326 | OWASP:A02 | Yes | +| Potential buffer overflow from usage of unsafe function | CWE-122 | None | Yes | +| Use of Expired File Descriptor | CWE-910 | None | No | +| Use After Free | CWE-416 | Sans Top 25 | No | +| User Controlled Pointer | CWE-1285 | None | No | +| Authentication Bypass by Spoofing | CWE-290 | OWASP:A07 | No | +| Cross-site Scripting (XSS) | CWE-79 | Sans Top 25, OWASP:A03 | No | +| XML External Entity (XXE) Injection | CWE-611 | OWASP:A05 | No | +| XPath Injection | CWE-643 | OWASP:A03 | No | -**CWE** (23) Relative Path Traversal - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A01:2021 - Broken Access Control - -## Rule (2) Command Injection - -**CWE** (78) Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A03:2021 - Injection - -**OWASP Top 10/SANS 25:** SANS/CWE Top 25 - -## Rule (3) SQL Injection - -**CWE** (89) Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A03:2021 - Injection - -**OWASP Top 10/SANS 25:** SANS/CWE Top 25 - -## Rule (4) LDAP Injection - -**CWE** (90) Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection') - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A03:2021 - Injection - -## Rule (5) Buffer Overflow - -**CWE** (122) Heap-based Buffer Overflow - -**Autofixable** by DeepCode AI Fix - -## Rule (6) Potential buffer overflow from usage of unsafe function - -**CWE** (122) Heap-based Buffer Overflow - -**Autofixable** by DeepCode AI 
Fix - -## Rule (7) Potential Negative Number Used as Index - -**CWE** (125, 787) Out-of-bounds Read, Out-of-bounds Write - -**OWASP Top 10/SANS 25:** SANS/CWE Top 25 - -**Autofixable** by DeepCode AI Fix - -## Rule (8) Size Used as Index - -**CWE** (125, 787) Out-of-bounds Read, Out-of-bounds Write - -**OWASP Top 10/SANS 25:** SANS/CWE Top 25 - -**Autofixable** by DeepCode AI Fix - -## Rule (9) Use of Externally-Controlled Format String - -**CWE** (134) Use of Externally-Controlled Format String - -**Autofixable** by DeepCode AI Fix - -## Rule (10) Memory Allocation Of String Length - -**CWE** (170) Improper Null Termination - -**Autofixable** by DeepCode AI Fix - -## Rule (11) Improper Null Termination - -**CWE** (170) Improper Null Termination - -**Autofixable** by DeepCode AI Fix - -## Rule (12) Integer Overflow - -**CWE** (190) Integer Overflow or Wraparound - -**OWASP Top 10/SANS 25:** SANS/CWE Top 25 - -## Rule (13) Anonymous LDAP binding allows a client to connect without logging in - -**CWE** (287) Improper Authentication - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A07:2021 - Identification and Authentication Failures - -**OWASP Top 10/SANS 25:** SANS/CWE Top 25 - -## Rule (14) Use of Hardcoded Cryptographic Key - -**CWE** (321) Use of Hard-coded Cryptographic Key - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A02:2021 - Cryptographic Failures - -**Autofixable** by DeepCode AI Fix - -## Rule (15) Inadequate Encryption Strength - -**CWE** (326) Inadequate Encryption Strength - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A02:2021 - Cryptographic Failures - -**Autofixable** by DeepCode AI Fix - -## Rule (16) Division By Zero - -**CWE** (369) Divide By Zero - -**Autofixable** by DeepCode AI Fix - -## Rule (17) Missing Release of Memory after Effective Lifetime - -**CWE** (401) Missing Release of Memory after Effective Lifetime - -**Autofixable** by DeepCode AI Fix - -## Rule (18) Double Free - -**CWE** (415) Double Free - -## 
Rule (19) Use After Free - -**CWE** (416) Use After Free - -**OWASP Top 10/SANS 25:** SANS/CWE Top 25 - -## Rule (20) Dereference of a NULL Pointer - -**CWE** (476) NULL Pointer Dereference - -**OWASP Top 10/SANS 25:** SANS/CWE Top 25 - -## Rule (21) XML External Entity (XXE) Injection - -**CWE** (611) Improper Restriction of XML External Entity Reference - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A05:2021 - Security Misconfiguration - -**OWASP Top 10/SANS 25:** SANS/CWE Top 25 - -## Rule (22) XPath Injection - -**CWE** (643) Improper Neutralization of Data within XPath Expressions ('XPath Injection') - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A03:2021 - Injection - -## Rule (23) Missing Release of File Descriptor or Handle after Effective Lifetime - -**CWE** (775) Missing Release of File Descriptor or Handle after Effective Lifetime - -## Rule (24) Use of Expired File Descriptor - -**CWE** (910) Use of Expired File Descriptor - -## Rule (25) Use of Password Hash With Insufficient Computational Effort - -**CWE** (916) Use of Password Hash With Insufficient Computational Effort - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A02:2021 - Cryptographic Failures - -## Rule (26) Server-Side Request Forgery (SSRF) - -**CWE** (918) Server-Side Request Forgery (SSRF) - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A10:2021 - Server-Side Request Forgery (SSRF) - -**OWASP Top 10/SANS 25:** SANS/CWE Top 25 - -## Rule (27) User Controlled Pointer - -**CWE** (1285) Improper Validation of Specified Index, Position, or Offset in Input - -## Rule (28) An optimizing compiler may remove memset non-zero leaving data in memory - -**CWE** (1330) Remanent Data Readable after Memory Erase diff --git a/docs/scan-with-snyk/snyk-code/snyk-code-security-rules/c-and-asp.net-rules.md b/docs/scan-with-snyk/snyk-code/snyk-code-security-rules/c-and-asp.net-rules.md index 073c208fd373..9acc802a5b9c 100644 
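Review bot: several Autofixable values in the new C++ table contradict the entries this hunk removes. "Potential Negative Number Used as Index", "Improper Null Termination", "Use of Hardcoded Cryptographic Key" and "Division By Zero" each had an `**Autofixable** by DeepCode AI Fix` line and are now "No", while "Double Free", "Missing Release of File Descriptor or Handle after Effective Lifetime" and "Use of Password Hash With Insufficient Computational Effort" had none and are now "Yes". "XML External Entity (XXE) Injection" also loses the `SANS/CWE Top 25` category it had and keeps only "OWASP:A05". If these changes come from a refresh against the rule source of truth, the commit message should say so; as it stands, the title "updates to all pages" gives a reviewer no way to tell a deliberate data change from a transcription error.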
--- a/docs/scan-with-snyk/snyk-code/snyk-code-security-rules/c-and-asp.net-rules.md +++ b/docs/scan-with-snyk/snyk-code/snyk-code-security-rules/c-and-asp.net-rules.md 
@@ -1,209 +1,44 @@ # C# and ASP.NET rules -## Rule (1) Arbitrary File Write via Archive Extraction (Zip Slip) - -**CWE** (22) Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A01:2021 - Broken Access Control - -**OWASP Top 10/SANS 25:** SANS/CWE Top 25 - -## Rule (2) Path Traversal - -**CWE** (23) Relative Path Traversal - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A01:2021 - Broken Access Control - -## Rule (3) Command Injection - -**CWE** (78) Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A03:2021 - Injection - -**OWASP Top 10/SANS 25:** SANS/CWE Top 25 - -## Rule (4) Cross-site Scripting (XSS) - -**CWE** (79) Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A03:2021 - Injection - -**OWASP Top 10/SANS 25:** SANS/CWE Top 25 - -## Rule (5) SQL Injection - -**CWE** (89) Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A03:2021 - Injection - -**OWASP Top 10/SANS 25:** SANS/CWE Top 25 - -## Rule (6) LDAP Injection - -**CWE** (90) Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection') - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A03:2021 - Injection - -## Rule (7) XML Injection - -**CWE** (91) XML Injection (aka Blind XPath Injection) - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A03:2021 - Injection - -## Rule (8) Code Injection - -**CWE** (94) Improper Control of Generation of Code ('Code Injection') - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A03:2021 - Injection - -## Rule (9) Log Forging - -**CWE** (117) Improper Output Neutralization for Logs - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A09:2021 - Security 
Logging and Monitoring Failures - -## Rule (10) Information Exposure - -**CWE** (200) Exposure of Sensitive Information to an Unauthorized Actor - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A01:2021 - Broken Access Control - -**OWASP Top 10/SANS 25:** SANS/CWE Top 25 - -## Rule (11) Debug Features Enabled - -**CWE** (215) Insertion of Sensitive Information Into Debugging Code - -**Autofixable** by DeepCode AI Fix - -## Rule (12) Use of Hardcoded Credentials - -**CWE** (259, 798) Use of Hard-coded Password, Use of Hard-coded Credentials - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A07:2021 - Identification and Authentication Failures - -**OWASP Top 10/SANS 25:** SANS/CWE Top 25 - -## Rule (13) Cleartext Storage of Sensitive Information in a Cookie - -**CWE** (315) Cleartext Storage of Sensitive Information in a Cookie - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A05:2021 - Security Misconfiguration - -## Rule (14) Insecure Data Transmission - -**CWE** (319) Cleartext Transmission of Sensitive Information - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A02:2021 - Cryptographic Failures - -## Rule (15) Inadequate Encryption Strength - -**CWE** (326) Inadequate Encryption Strength - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A02:2021 - Cryptographic Failures - -## Rule (16) Use of a Broken or Risky Cryptographic Algorithm - -**CWE** (327) Use of a Broken or Risky Cryptographic Algorithm - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A02:2021 - Cryptographic Failures - -## Rule (17) Use of Insufficiently Random Values - -**CWE** (330) Use of Insufficiently Random Values - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A02:2021 - Cryptographic Failures - -## Rule (18) Anti-forgery token validation disabled - -**CWE** (352) Cross-Site Request Forgery (CSRF) - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A01:2021 - Broken Access Control - -**OWASP Top 10/SANS 25:** SANS/CWE Top 25 - 
-**Autofixable** by DeepCode AI Fix - -## Rule (19) Exposure of Private Personal Information to an Unauthorized Actor - -**CWE** (359) Exposure of Private Personal Information to an Unauthorized Actor - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A01:2021 - Broken Access Control - -## Rule (20) Regular expression injection - -**CWE** (400, 730) Uncontrolled Resource Consumption, OWASP Top Ten 2004 Category A9 - Denial of Service - -## Rule (21) Deserialization of Untrusted Data - -**CWE** (502) Deserialization of Untrusted Data - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A08:2021 - Software and Data Integrity Failures - -**OWASP Top 10/SANS 25:** SANS/CWE Top 25 - -## Rule (22) Hardcoded Secret - -**CWE** (547) Use of Hard-coded, Security-relevant Constants - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A05:2021 - Security Misconfiguration - -## Rule (23) Request Validation Disabled - -**CWE** (554) ASP.NET Misconfiguration: Not Using Input Validation Framework - -**Autofixable** by DeepCode AI Fix - -## Rule (24) Open Redirect - -**CWE** (601) URL Redirection to Untrusted Site ('Open Redirect') - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A01:2021 - Broken Access Control - -## Rule (25) XML External Entity (XXE) Injection - -**CWE** (611) Improper Restriction of XML External Entity Reference - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A05:2021 - Security Misconfiguration - -**OWASP Top 10/SANS 25:** SANS/CWE Top 25 - -## Rule (26) XAML Injection - -**CWE** (611) Improper Restriction of XML External Entity Reference - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A05:2021 - Security Misconfiguration - -**OWASP Top 10/SANS 25:** SANS/CWE Top 25 - -## Rule (27) Sensitive Cookie in HTTPS Session Without 'Secure' Attribute - -**CWE** (614) Sensitive Cookie in HTTPS Session Without 'Secure' Attribute - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A05:2021 - Security Misconfiguration - -## Rule 
(28) XPath Injection - -**CWE** (643) Improper Neutralization of Data within XPath Expressions ('XPath Injection') - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A03:2021 - Injection - -## Rule (29) Use of Password Hash With Insufficient Computational Effort - -**CWE** (916) Use of Password Hash With Insufficient Computational Effort - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A02:2021 - Cryptographic Failures - -## Rule (30) Server-Side Request Forgery (SSRF) - -**CWE** (918) Server-Side Request Forgery (SSRF) - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A10:2021 - Server-Side Request Forgery (SSRF) - -**OWASP Top 10/SANS 25:** SANS/CWE Top 25 - -## Rule (31) Sensitive Cookie Without 'HttpOnly' Flag - -**CWE** (1004) Sensitive Cookie Without 'HttpOnly' Flag - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A05:2021 - Security Misconfiguration +Each rule includes the following information. + +* **Rule Name**: Consecutive number for each rule and the Snyk name of the rule. +* **CWE(s):** The [CWE numbers](https://cwe.mitre.org/) that are covered by this rule. +* **Security Categories**: The [OWASP Top 10 ](https://owasp.org/Top10/)(2021 edition) category to which the rule belongs to, if any, and if it is included in [SANS 25](https://www.sans.org/top25-software-errors/). +* **Autofixable**: Security rules that are autofixable by DeepCode AI Fix. This information is included only for the supported programming languages. 
+ +| Rule Name | CWE(s) | Security Categories | Autofixable | +| ----------------------------------------------------------------- | ---------------- | ---------------------- | ----------- | +| Anti-forgery token validation disabled | CWE-352 | Sans Top 25, OWASP:A01 | Yes | +| Debug Features Enabled | CWE-215 | None | Yes | +| Usage of BinaryFormatter | CWE-502 | Sans Top 25, OWASP:A08 | No | +| Cleartext Storage of Sensitive Information in a Cookie | CWE-315 | OWASP:A05 | No | +| Code Injection | CWE-94 | Sans Top 25, OWASP:A03 | No | +| Command Injection | CWE-78 | Sans Top 25, OWASP:A03 | No | +| Deserialization of Untrusted Data | CWE-502 | Sans Top 25, OWASP:A08 | No | +| Hardcoded Secret | CWE-547 | OWASP:A05 | No | +| Improper Neutralization of CRLF Sequences in HTTP Headers | CWE-113 | OWASP:A03 | No | +| Use of a Broken or Risky Cryptographic Algorithm | CWE-327 | OWASP:A02 | No | +| Use of Password Hash With Insufficient Computational Effort | CWE-916 | OWASP:A02 | No | +| Use of Insufficiently Random Values | CWE-330 | OWASP:A02 | No | +| Insecure Data Transmission | CWE-319 | OWASP:A02 | No | +| LDAP Injection | CWE-90 | OWASP:A03 | No | +| Log Forging | CWE-117 | OWASP:A09 | No | +| Use of Hardcoded Credentials | CWE-798 | Sans Top 25, OWASP:A07 | No | +| Open Redirect | CWE-601 | OWASP:A01 | No | +| Path Traversal | CWE-23 | OWASP:A01 | No | +| Exposure of Private Personal Information to an Unauthorized Actor | CWE-359 | OWASP:A01 | No | +| Regular expression injection | CWE-400, CWE-730 | None | No | +| Request Validation Disabled | CWE-554 | None | Yes | +| Information Exposure | CWE-200 | OWASP:A01 | No | +| SQL Injection | CWE-89 | Sans Top 25, OWASP:A03 | No | +| Server-Side Request Forgery (SSRF) | CWE-918 | Sans Top 25, OWASP:A10 | No | +| Inadequate Encryption Strength | CWE-326 | OWASP:A02 | No | +| Sensitive Cookie Without 'HttpOnly' Flag | CWE-1004 | OWASP:A05 | No | +| Sensitive Cookie in HTTPS Session Without 'Secure' Attribute | CWE-614 
| OWASP:A05 | No | +| Cross-site Scripting (XSS) | CWE-79 | Sans Top 25, OWASP:A03 | No | +| XML External Entity (XXE) Injection | CWE-611 | OWASP:A05 | No | +| XAML Injection | CWE-611 | OWASP:A05 | No | +| XML Injection | CWE-91 | OWASP:A03 | No | +| XPath Injection | CWE-643 | OWASP:A03 | No | +| Arbitrary File Write via Archive Extraction (Zip Slip) | CWE-22 | Sans Top 25, OWASP:A01 | No | diff --git a/docs/scan-with-snyk/snyk-code/snyk-code-security-rules/go-rules.md b/docs/scan-with-snyk/snyk-code/snyk-code-security-rules/go-rules.md index 1d93816babd1..5792264f5342 100644 --- a/docs/scan-with-snyk/snyk-code/snyk-code-security-rules/go-rules.md +++ b/docs/scan-with-snyk/snyk-code/snyk-code-security-rules/go-rules.md 
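Review bot: "Use of Hardcoded Credentials" in the new C# table lists only CWE-798, whereas the removed Rule (12) covered `**CWE** (259, 798)` and the Apex table in this same patch keeps "CWE-798, CWE-259" on that rule; please confirm the drop is intended. "Information Exposure", "XML External Entity (XXE) Injection" and "XAML Injection" likewise lose the `SANS/CWE Top 25` category their removed entries carried. Two rows, "Usage of BinaryFormatter" (CWE-502) and "Improper Neutralization of CRLF Sequences in HTTP Headers" (CWE-113), have no counterpart in the removed text, so the commit message should note that rules were added, not merely reformatted.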
@@ -1,143 +1,33 @@ # Go rules -## Rule (1) Path Traversal - -**CWE** (23) Relative Path Traversal - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A01:2021 - Broken Access Control - -## Rule (2) Command Injection - -**CWE** (78) Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A03:2021 - Injection - -**OWASP Top 10/SANS 25:** SANS/CWE Top 25 - -## Rule (3) Cross-site Scripting (XSS) - -**CWE** (79) Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A03:2021 - Injection - -**OWASP Top 10/SANS 25:** SANS/CWE Top 25 - -## Rule (4) SQL Injection - -**CWE** (89) Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A03:2021 - Injection - -**OWASP Top 10/SANS 25:** SANS/CWE Top 25 - -## Rule (5) Clear Text Logging - -**CWE** (200, 312) Exposure of Sensitive Information to an Unauthorized Actor, Cleartext Storage of Sensitive Information - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A01:2021 - Broken Access Control - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A04:2021 - Insecure Design - -**OWASP Top 10/SANS 25:** SANS/CWE Top 25 - -## Rule (6) Generation of Error Message Containing Sensitive Information - -**CWE** (209) Generation of Error Message Containing Sensitive Information - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A04:2021 - Insecure Design - -## Rule (7) Use of Hardcoded Credentials - -**CWE** (259, 798) Use of Hard-coded Password, Use of Hard-coded Credentials - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A07:2021 - Identification and Authentication Failures - -**OWASP Top 10/SANS 25:** SANS/CWE Top 25 - -## Rule (8) Improper Access Control: Email Content Injection - -**CWE** (284) Improper Access Control - -**OWASP Top 10/SANS 25:** 
OWASP Top Ten 2021 Category A01:2021 - Broken Access Control - -## Rule (9) Improper Certificate Validation - -**CWE** (295) Improper Certificate Validation - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A07:2021 - Identification and Authentication Failures - -## Rule (10) Inadequate Encryption Strength - -**CWE** (326) Inadequate Encryption Strength - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A02:2021 - Cryptographic Failures - -**Autofixable** by DeepCode AI Fix - -## Rule (11) Use of a Broken or Risky Cryptographic Algorithm - -**CWE** (327) Use of a Broken or Risky Cryptographic Algorithm - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A02:2021 - Cryptographic Failures - -**Autofixable** by DeepCode AI Fix - -## Rule (12) Insecure TLS Configuration - -**CWE** (327) Use of a Broken or Risky Cryptographic Algorithm - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A02:2021 - Cryptographic Failures - -## Rule (13) Use of Insufficiently Random Values - -**CWE** (330) Use of Insufficiently Random Values - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A02:2021 - Cryptographic Failures - -## Rule (14) Hardcoded Secret - -**CWE** (547) Use of Hard-coded, Security-relevant Constants - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A05:2021 - Security Misconfiguration - -## Rule (15) Open Redirect - -**CWE** (601) URL Redirection to Untrusted Site ('Open Redirect') - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A01:2021 - Broken Access Control - -## Rule (16) Sensitive Cookie in HTTPS Session Without 'Secure' Attribute - -**CWE** (614) Sensitive Cookie in HTTPS Session Without 'Secure' Attribute - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A05:2021 - Security Misconfiguration - -**Autofixable** by DeepCode AI Fix - -## Rule (17) XPath Injection - -**CWE** (643) Improper Neutralization of Data within XPath Expressions ('XPath Injection') - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category 
A03:2021 - Injection - -## Rule (18) Use of Password Hash With Insufficient Computational Effort - -**CWE** (916) Use of Password Hash With Insufficient Computational Effort - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A02:2021 - Cryptographic Failures - -## Rule (19) Server-Side Request Forgery (SSRF) - -**CWE** (918) Server-Side Request Forgery (SSRF) - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A10:2021 - Server-Side Request Forgery (SSRF) - -**OWASP Top 10/SANS 25:** SANS/CWE Top 25 - -## Rule (20) Sensitive Cookie Without 'HttpOnly' Flag - -**CWE** (1004) Sensitive Cookie Without 'HttpOnly' Flag - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A05:2021 - Security Misconfiguration - -**Autofixable** by DeepCode AI Fix +Each rule includes the following information. + +* **Rule Name**: Consecutive number for each rule and the Snyk name of the rule. +* **CWE(s):** The [CWE numbers](https://cwe.mitre.org/) that are covered by this rule. +* **Security Categories**: The [OWASP Top 10 ](https://owasp.org/Top10/)(2021 edition) category to which the rule belongs to, if any, and if it is included in [SANS 25](https://www.sans.org/top25-software-errors/). +* **Autofixable**: Security rules that are autofixable by DeepCode AI Fix. This information is included only for the supported programming languages. 
+ +| Rule Name | CWE(s) | Security Categories | Autofixable | +| -------------------------------------------------------------- | ---------------- | ---------------------- | ----------- | +| Clear Text Logging | CWE-200, CWE-312 | OWASP:A01, OWASP:A04 | No | +| Command Injection | CWE-78 | Sans Top 25, OWASP:A03 | No | +| Improper Access Control: Email Content Injection | CWE-284 | OWASP:A01 | No | +| Generation of Error Message Containing Sensitive Information | CWE-209 | OWASP:A04 | No | +| Hardcoded Secret | CWE-547 | OWASP:A05 | No | +| Use of Hardcoded Passwords | CWE-798, CWE-259 | Sans Top 25, OWASP:A07 | No | +| Use of a Broken or Risky Cryptographic Algorithm | CWE-327 | OWASP:A02 | Yes | +| Use of Password Hash With Insufficient Computational Effort | CWE-916 | OWASP:A02 | Yes | +| Insecure TLS Configuration | CWE-327 | OWASP:A02 | No | +| Use of Insufficiently Random Values | CWE-330 | OWASP:A02 | No | +| Use of Hardcoded Credentials | CWE-798 | Sans Top 25, OWASP:A07 | No | +| Open Redirect | CWE-601 | OWASP:A01 | No | +| Path Traversal | CWE-23 | OWASP:A01 | No | +| SQL Injection | CWE-89 | Sans Top 25, OWASP:A03 | No | +| Server-Side Request Forgery (SSRF) | CWE-918 | Sans Top 25, OWASP:A10 | No | +| Improper Neutralization of Directives in Statically Saved Code | CWE-96 | OWASP:A03 | No | +| Improper Certificate Validation | CWE-295 | OWASP:A07 | No | +| Inadequate Encryption Strength | CWE-326 | OWASP:A02 | Yes | +| Sensitive Cookie Without 'HttpOnly' Flag | CWE-1004 | OWASP:A05 | Yes | +| Sensitive Cookie in HTTPS Session Without 'Secure' Attribute | CWE-614 | OWASP:A05 | Yes | +| Cross-site Scripting (XSS) | CWE-79 | Sans Top 25, OWASP:A03 | No | +| XPath Injection | CWE-643 | OWASP:A03 | No | diff --git a/docs/scan-with-snyk/snyk-code/snyk-code-security-rules/java-rules.md b/docs/scan-with-snyk/snyk-code/snyk-code-security-rules/java-rules.md index 69f3e94fcb65..28245a31563c 100644 
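Review bot: the new Go table carries both "Use of Hardcoded Passwords | CWE-798, CWE-259" and "Use of Hardcoded Credentials | CWE-798", where the removed text had a single Rule (7) Use of Hardcoded Credentials with `**CWE** (259, 798)`. If these are two distinct rules the split is fine, but as written they read as one rule listed twice with its CWE list divided between the rows; a short note in the commit message would settle it. In the same table "Clear Text Logging" loses the `SANS/CWE Top 25` category it had, "Use of Password Hash With Insufficient Computational Effort" becomes Autofixable "Yes" although the removed Rule (18) had no such line, and "Improper Neutralization of Directives in Statically Saved Code" (CWE-96) is a new row with no removed counterpart.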
--- a/docs/scan-with-snyk/snyk-code/snyk-code-security-rules/java-rules.md +++ b/docs/scan-with-snyk/snyk-code/snyk-code-security-rules/java-rules.md 
@@ -1,439 +1,75 @@ # Java rules -## Rule (1) External Control of System or Configuration Setting - -**CWE** (15) External Control of System or Configuration Setting - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A05:2021 - Security Misconfiguration - -## Rule (2) Path Traversal - -**CWE** (23) Relative Path Traversal - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A01:2021 - Broken Access Control - -## Rule (3) Java Naming and Directory Interface (JNDI) Injection - -**CWE** (74) Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A03:2021 - Injection - -## Rule (4) Command Injection - -**CWE** (78) Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A03:2021 - Injection - -**OWASP Top 10/SANS 25:** SANS/CWE Top 25 - -## Rule (5) Indirect Command Injection via User Controlled Environment - -**CWE** (78) Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A03:2021 - Injection - -**OWASP Top 10/SANS 25:** SANS/CWE Top 25 - -## Rule (6) Cross-site Scripting (XSS) - -**CWE** (79) Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A03:2021 - Injection - -**OWASP Top 10/SANS 25:** SANS/CWE Top 25 - -**Autofixable** by DeepCode AI Fix - -## Rule (7) JavaScript Enabled - -**CWE** (79) Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A03:2021 - Injection - -**OWASP Top 10/SANS 25:** SANS/CWE Top 25 - -**Autofixable** by DeepCode AI Fix - -## Rule (8) Unauthorized File Access - -**CWE** (79) Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - -**OWASP 
Top 10/SANS 25:** OWASP Top Ten 2021 Category A03:2021 - Injection - -**OWASP Top 10/SANS 25:** SANS/CWE Top 25 - -**Autofixable** by DeepCode AI Fix - -## Rule (9) SQL Injection - -**CWE** (89) Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A03:2021 - Injection - -**OWASP Top 10/SANS 25:** SANS/CWE Top 25 - -**Autofixable** by DeepCode AI Fix - -## Rule (10) LDAP Injection - -**CWE** (90) Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection') - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A03:2021 - Injection - -## Rule (11) Code Injection - -**CWE** (94) Improper Control of Generation of Code ('Code Injection') - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A03:2021 - Injection - -## Rule (12) Code Execution via Third Party Package Context - -**CWE** (94) Improper Control of Generation of Code ('Code Injection') - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A03:2021 - Injection - -## Rule (13) Improper Neutralization of CRLF Sequences in HTTP Headers - -**CWE** (113) Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A03:2021 - Injection - -## Rule (14) Disabled Neutralization of CRLF Sequences in HTTP Headers - -**CWE** (113) Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A03:2021 - Injection - -## Rule (15) Process Control - -**CWE** (114) Process Control - -**Autofixable** by DeepCode AI Fix - -## Rule (16) Use of Externally-Controlled Format String - -**CWE** (134) Use of Externally-Controlled Format String - -## Rule (17) Information Exposure - -**CWE** (200) Exposure of Sensitive Information to an Unauthorized Actor - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A01:2021 - Broken Access Control 
- -**OWASP Top 10/SANS 25:** SANS/CWE Top 25 - -## Rule (18) File Access Enabled - -**CWE** (200) Exposure of Sensitive Information to an Unauthorized Actor - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A01:2021 - Broken Access Control - -**OWASP Top 10/SANS 25:** SANS/CWE Top 25 - -**Autofixable** by DeepCode AI Fix - -## Rule (19) Observable Timing Discrepancy (Timing Attack) - -**CWE** (208) Observable Timing Discrepancy - -**Autofixable** by DeepCode AI Fix - -## Rule (20) Server Information Exposure - -**CWE** (209) Generation of Error Message Containing Sensitive Information - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A04:2021 - Insecure Design - -**Autofixable** by DeepCode AI Fix - -## Rule (21) Unprotected Storage of Credentials - -**CWE** (256) Plaintext Storage of a Password - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A04:2021 - Insecure Design - -## Rule (22) Use of Hardcoded Credentials - -**CWE** (259, 798) Use of Hard-coded Password, Use of Hard-coded Credentials - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A07:2021 - Identification and Authentication Failures - -**OWASP Top 10/SANS 25:** SANS/CWE Top 25 - -## Rule (23) Use of Sticky broadcasts - -**CWE** (265) Privilege Issues - -## Rule (24) Android Uri Permission Manipulation - -**CWE** (266) Incorrect Privilege Assignment - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A04:2021 - Insecure Design - -## Rule (25) Improper Handling of Insufficient Permissions or Privileges - -**CWE** (280) Improper Handling of Insufficient Permissions or Privileges - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A04:2021 - Insecure Design - -## Rule (26) Improper Authentication - -**CWE** (287) Improper Authentication - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A07:2021 - Identification and Authentication Failures - -**OWASP Top 10/SANS 25:** SANS/CWE Top 25 - -## Rule (27) Improper Certificate Validation - -**CWE** (295) Improper 
Certificate Validation - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A07:2021 - Identification and Authentication Failures - -## Rule (28) Improper Validation of Certificate with Host Mismatch - -**CWE** (297) Improper Validation of Certificate with Host Mismatch - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A07:2021 - Identification and Authentication Failures - -## Rule (29) Cryptographic Issues - -**CWE** (310) Cryptographic Issues - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A02:2021 - Cryptographic Failures - -**Autofixable** by DeepCode AI Fix - -## Rule (30) The cipher text is equal to the provided input plain text - -**CWE** (311) Missing Encryption of Sensitive Data - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A04:2021 - Insecure Design - -## Rule (31) Cleartext Storage of Sensitive Information in a Cookie - -**CWE** (315) Cleartext Storage of Sensitive Information in a Cookie - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A05:2021 - Security Misconfiguration - -**Autofixable** by DeepCode AI Fix - -## Rule (32) Cleartext Transmission of Sensitive Information - -**CWE** (319) Cleartext Transmission of Sensitive Information - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A02:2021 - Cryptographic Failures - -**Autofixable** by DeepCode AI Fix - -## Rule (33) Inadequate Padding for AES encryption - -**CWE** (326) Inadequate Encryption Strength - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A02:2021 - Cryptographic Failures - -**Autofixable** by DeepCode AI Fix - -## Rule (34) Inadequate Encryption Strength - -**CWE** (326) Inadequate Encryption Strength - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A02:2021 - Cryptographic Failures - -## Rule (35) Use of a Broken or Risky Cryptographic Algorithm - -**CWE** (327) Use of a Broken or Risky Cryptographic Algorithm - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A02:2021 - Cryptographic Failures - -**Autofixable** by 
DeepCode AI Fix - -## Rule (36) Use of Insufficiently Random Values - -**CWE** (330) Use of Insufficiently Random Values - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A02:2021 - Cryptographic Failures - -**Autofixable** by DeepCode AI Fix - -## Rule (37) Origin Validation Error - -**CWE** (346, 942) Origin Validation Error, Permissive Cross-domain Policy with Untrusted Domains - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A07:2021 - Identification and Authentication Failures - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A05:2021 - Security Misconfiguration - -**Autofixable** by DeepCode AI Fix - -## Rule (38) JWT Signature Verification Bypass - -**CWE** (347) Improper Verification of Cryptographic Signature - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A02:2021 - Cryptographic Failures - -## Rule (39) Cross-Site Request Forgery (CSRF) - -**CWE** (352) Cross-Site Request Forgery (CSRF) - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A01:2021 - Broken Access Control - -**OWASP Top 10/SANS 25:** SANS/CWE Top 25 - -## Rule (40) Spring Cross-Site Request Forgery (CSRF) - -**CWE** (352) Cross-Site Request Forgery (CSRF) - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A01:2021 - Broken Access Control - -**OWASP Top 10/SANS 25:** SANS/CWE Top 25 - -## Rule (41) Regular expression injection - -**CWE** (400, 730) Uncontrolled Resource Consumption, OWASP Top Ten 2004 Category A9 - Denial of Service - -**Autofixable** by DeepCode AI Fix - -## Rule (42) Android Fragment Injection - -**CWE** (470) Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A03:2021 - Injection - -## Rule (43) Unsafe Reflection - -**CWE** (470) Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A03:2021 - Injection - -## Rule (44) Trust Boundary Violation - -**CWE** 
(501) Trust Boundary Violation - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A04:2021 - Insecure Design - -## Rule (45) Deserialization of Untrusted Data - -**CWE** (502) Deserialization of Untrusted Data - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A08:2021 - Software and Data Integrity Failures - -**OWASP Top 10/SANS 25:** SANS/CWE Top 25 - -**Autofixable** by DeepCode AI Fix - -## Rule (46) Privacy Leak - -**CWE** (532) Insertion of Sensitive Information into Log File - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A09:2021 - Security Logging and Monitoring Failures - -## Rule (47) Hardcoded Secret - -**CWE** (547) Use of Hard-coded, Security-relevant Constants - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A05:2021 - Security Misconfiguration - -**Autofixable** by DeepCode AI Fix - -## Rule (48) Use of Hardcoded, Security-relevant Constants - -**CWE** (547) Use of Hard-coded, Security-relevant Constants - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A05:2021 - Security Misconfiguration - -**Autofixable** by DeepCode AI Fix - -## Rule (49) Open Redirect - -**CWE** (601) URL Redirection to Untrusted Site ('Open Redirect') - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A01:2021 - Broken Access Control - -## Rule (50) XML External Entity (XXE) Injection - -**CWE** (611) Improper Restriction of XML External Entity Reference - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A05:2021 - Security Misconfiguration - -**OWASP Top 10/SANS 25:** SANS/CWE Top 25 - -## Rule (51) Insufficient Session Expiration - -**CWE** (613) Insufficient Session Expiration - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A07:2021 - Identification and Authentication Failures - -## Rule (52) Sensitive Cookie in HTTPS Session Without 'Secure' Attribute - -**CWE** (614) Sensitive Cookie in HTTPS Session Without 'Secure' Attribute - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A05:2021 - Security 
Misconfiguration - -## Rule (53) XPath Injection - -**CWE** (643) Improper Neutralization of Data within XPath Expressions ('XPath Injection') - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A03:2021 - Injection - -## Rule (54) Use of Potentially Dangerous Function - -**CWE** (676) Use of Potentially Dangerous Function - -**Autofixable** by DeepCode AI Fix - -## Rule (55) Android World Writeable/Readable File Permission Found - -**CWE** (732) Incorrect Permission Assignment for Critical Resource - -**OWASP Top 10/SANS 25:** SANS/CWE Top 25 - -## Rule (56) Incorrect Permission Assignment - -**CWE** (732) Incorrect Permission Assignment for Critical Resource - -**OWASP Top 10/SANS 25:** SANS/CWE Top 25 - -## Rule (57) Unrestricted Android Broadcast - -**CWE** (862) Missing Authorization - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A01:2021 - Broken Access Control - -**OWASP Top 10/SANS 25:** SANS/CWE Top 25 - -## Rule (58) Use of Password Hash With Insufficient Computational Effort - -**CWE** (916) Use of Password Hash With Insufficient Computational Effort - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A02:2021 - Cryptographic Failures - -## Rule (59) Server-Side Request Forgery (SSRF) - -**CWE** (918) Server-Side Request Forgery (SSRF) - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A10:2021 - Server-Side Request Forgery (SSRF) - -**OWASP Top 10/SANS 25:** SANS/CWE Top 25 - -## Rule (60) Android Intent Forwarding - -**CWE** (940) Improper Verification of Source of a Communication Channel - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A07:2021 - Identification and Authentication Failures - -## Rule (61) Code Execution via Third Party Package Installation - -**CWE** (940) Improper Verification of Source of a Communication Channel - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A07:2021 - Identification and Authentication Failures - -## Rule (62) NoSQL Injection - -**CWE** (943) Improper Neutralization of 
Special Elements in Data Query Logic - -## Rule (63) Sensitive Cookie Without 'HttpOnly' Flag - -**CWE** (1004) Sensitive Cookie Without 'HttpOnly' Flag - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A05:2021 - Security Misconfiguration +Each rule includes the following information. + +* **Rule Name**: Consecutive number for each rule and the Snyk name of the rule. +* **CWE(s):** The [CWE numbers](https://cwe.mitre.org/) that are covered by this rule. +* **Security Categories**: The [OWASP Top 10 ](https://owasp.org/Top10/)(2021 edition) category to which the rule belongs to, if any, and if it is included in [SANS 25](https://www.sans.org/top25-software-errors/). +* **Autofixable**: Security rules that are autofixable by DeepCode AI Fix. This information is included only for the supported programming languages. + +| Rule Name | CWE(s) | Security Categories | Autofixable | +| ------------------------------------------------------------ | ---------------- | ---------------------- | ----------- | +| Android World Writeable/Readable File Permission Found | CWE-732 | None | Yes | +| Use of Potentially Dangerous Function | CWE-676 | None | No | +| Cleartext Storage of Sensitive Information in a Cookie | CWE-315 | OWASP:A05 | No | +| Code Injection | CWE-94 | Sans Top 25, OWASP:A03 | No | +| Command Injection | CWE-78 | Sans Top 25, OWASP:A03 | No | +| Deserialization of Untrusted Data | CWE-502 | Sans Top 25, OWASP:A08 | Yes | +| Cross-Site Request Forgery (CSRF) | CWE-352 | Sans Top 25, OWASP:A01 | Yes | +| Information Exposure | CWE-200 | OWASP:A01 | No | +| Cleartext Transmission of Sensitive Information | CWE-319 | OWASP:A02 | No | +| Indirect Command Injection via User Controlled Environment | CWE-78 | Sans Top 25, OWASP:A03 | No | +| External Control of System or Configuration Setting | CWE-15 | OWASP:A05 | No | +| Process Control | CWE-114 | None | No | +| File Access Enabled | CWE-200 | OWASP:A01 | Yes | +| Android Fragment Injection | CWE-470 | 
OWASP:A03 | Yes | +| Use of Hardcoded Passwords | CWE-798, CWE-259 | Sans Top 25, OWASP:A07 | No | +| Hardcoded Secret | CWE-547 | OWASP:A05 | No | +| Improper Neutralization of CRLF Sequences in HTTP Headers | CWE-113 | OWASP:A03 | No | +| Disabled Neutralization of CRLF Sequences in HTTP Headers | CWE-113 | OWASP:A03 | No | +| Inadequate Padding for AES encryption | CWE-326 | OWASP:A02 | Yes | +| Use of a Broken or Risky Cryptographic Algorithm | CWE-327 | OWASP:A02 | No | +| Use of Password Hash With Insufficient Computational Effort | CWE-916 | OWASP:A02 | Yes | +| Use of Insufficiently Random Values | CWE-330 | OWASP:A02 | Yes | +| Android Intent Forwarding | CWE-940 | OWASP:A07 | No | +| Improper Validation of Certificate with Host Mismatch | CWE-297 | OWASP:A07 | No | +| JavaScript Enabled | CWE-79 | Sans Top 25, OWASP:A03 | Yes | +| Java Naming and Directory Interface (JNDI) Injection | CWE-074 | None | No | +| JWT Signature Verification Bypass | CWE-347 | OWASP:A02 | No | +| Improper Authentication | CWE-287 | Sans Top 25, OWASP:A07 | No | +| LDAP Injection | CWE-90 | OWASP:A03 | No | +| Use of Hardcoded Credentials | CWE-798 | Sans Top 25, OWASP:A07 | No | +| The cipher text is equal to the provided input plain text | CWE-311 | OWASP:A04 | No | +| NoSQL Injection | CWE-943 | None | No | +| Use of Sticky broadcasts | CWE-265 | None | No | +| Use of Hardcoded, Security-relevant Constants | CWE-547 | OWASP:A05 | No | +| Open Redirect | CWE-601 | OWASP:A01 | No | +| Path Traversal | CWE-23 | OWASP:A01 | Yes | +| Privacy Leak | CWE-532 | OWASP:A09 | No | +| Unsafe Reflection | CWE-470 | OWASP:A03 | No | +| Regular expression injection | CWE-400, CWE-730 | None | No | +| Unprotected Storage of Credentials | CWE-256 | OWASP:A04 | No | +| Incorrect Permission Assignment | CWE-732 | None | No | +| Server Information Exposure | CWE-209 | OWASP:A04 | Yes | +| Improper Handling of Insufficient Permissions or Privileges | CWE-280 | OWASP:A04 | No | +| Cross-site 
Scripting (XSS) | CWE-79 | Sans Top 25, OWASP:A03 | Yes | +| Unrestricted Android Broadcast | CWE-862 | Sans Top 25, OWASP:A01 | No | +| Spring Cross-Site Request Forgery (CSRF) | CWE-352 | Sans Top 25, OWASP:A01 | No | +| SQL Injection | CWE-89 | Sans Top 25, OWASP:A03 | Yes | +| Server-Side Request Forgery (SSRF) | CWE-918 | Sans Top 25, OWASP:A10 | No | +| Inadequate Encryption Strength | CWE-326 | OWASP:A02 | Yes | +| Code Execution via Third Party Package Context | CWE-94 | Sans Top 25, OWASP:A03 | No | +| Code Execution via Third Party Package Installation | CWE-940 | OWASP:A07 | No | +| Observable Timing Discrepancy (Timing Attack) | CWE-208 | None | Yes | +| Origin Validation Error | CWE-942, CWE-346 | OWASP:A05, OWASP:A07 | Yes | +| Improper Certificate Validation | CWE-295 | OWASP:A07 | No | +| Cryptographic Issues | CWE-310 | OWASP:A02 | Yes | +| Trust Boundary Violation | CWE-501 | OWASP:A04 | No | +| Unauthorized File Access | CWE-79 | Sans Top 25, OWASP:A03 | No | +| Android Uri Permission Manipulation | CWE-266 | OWASP:A04 | No | +| Use of Externally-Controlled Format String | CWE-134 | None | Yes | +| Sensitive Cookie Without 'HttpOnly' Flag | CWE-1004 | OWASP:A05 | Yes | +| Sensitive Cookie in HTTPS Session Without 'Secure' Attribute | CWE-614 | OWASP:A05 | Yes | +| Insufficient Session Expiration | CWE-613 | OWASP:A07 | No | +| XML External Entity (XXE) Injection | CWE-611 | OWASP:A05 | Yes | +| XPath Injection | CWE-643 | OWASP:A03 | No | diff --git a/docs/scan-with-snyk/snyk-code/snyk-code-security-rules/javascript-and-typescript-rules.md b/docs/scan-with-snyk/snyk-code/snyk-code-security-rules/javascript-and-typescript-rules.md index c6341b595c1f..f5f00f04661d 100644 --- a/docs/scan-with-snyk/snyk-code/snyk-code-security-rules/javascript-and-typescript-rules.md +++ b/docs/scan-with-snyk/snyk-code/snyk-code-security-rules/javascript-and-typescript-rules.md 
@@ -1,389 +1,64 @@ # JavaScript and TypeScript rules -## Rule (1) Configuration Issue: Electron Disable Security Warnings - -**CWE** (16) Configuration - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A05:2021 - Security Misconfiguration - -**Autofixable** by DeepCode AI Fix - -## Rule (2) Configuration Issues: Electron Insecure Web Preferences - -**CWE** (16) Configuration - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A05:2021 - Security Misconfiguration - -**Autofixable** by DeepCode AI Fix - -## Rule (3) Configuration Issues: Electron Load Insecure Content - -**CWE** (16) Configuration - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A05:2021 - Security Misconfiguration - -**Autofixable** by DeepCode AI Fix - -## Rule (4) Insufficient postMessage Validation - -**CWE** (20) Improper Input Validation - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A03:2021 - Injection - -**OWASP Top 10/SANS 25:** SANS/CWE Top 25 - -**Autofixable** by DeepCode AI Fix - -## Rule (5) Arbitrary File Write via Archive Extraction (Zip Slip) - -**CWE** (22) Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A01:2021 - Broken Access Control - -**OWASP Top 10/SANS 25:** SANS/CWE Top 25 - -## Rule (6) Path Traversal - -**CWE** (23) Relative Path Traversal - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A01:2021 - Broken Access Control - -**Autofixable** by DeepCode AI Fix - -## Rule (7) Command Injection - -**CWE** (78) Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A03:2021 - Injection - -**OWASP Top 10/SANS 25:** SANS/CWE Top 25 - -**Autofixable** by DeepCode AI Fix - -## Rule (8) Disabling Strict Contextual escaping (SCE) could provide additional attack surface for Cross-site Scripting (XSS) - -**CWE** (79) Improper Neutralization of Input During Web Page 
Generation ('Cross-site Scripting') - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A03:2021 - Injection - -**OWASP Top 10/SANS 25:** SANS/CWE Top 25 - -**Autofixable** by DeepCode AI Fix - -## Rule (9) Cross-site Scripting (XSS) - -**CWE** (79) Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A03:2021 - Injection - -**OWASP Top 10/SANS 25:** SANS/CWE Top 25 - -**Autofixable** by DeepCode AI Fix - -## Rule (10) Use dangerouslySetInnerHTML to be explicit that this function is dangerous and also trigger react updates - -**CWE** (79) Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A03:2021 - Injection - -**OWASP Top 10/SANS 25:** SANS/CWE Top 25 - -**Autofixable** by DeepCode AI Fix - -## Rule (11) GraphQL Injection - -**CWE** (89) Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A03:2021 - Injection - -**OWASP Top 10/SANS 25:** SANS/CWE Top 25 - -**Autofixable** by DeepCode AI Fix - -## Rule (12) SQL Injection - -**CWE** (89) Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A03:2021 - Injection - -**OWASP Top 10/SANS 25:** SANS/CWE Top 25 - -**Autofixable** by DeepCode AI Fix - -## Rule (13) Code Injection - -**CWE** (94) Improper Control of Generation of Code ('Code Injection') - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A03:2021 - Injection - -**Autofixable** by DeepCode AI Fix - -## Rule (14) Improper Neutralization of Directives in Statically Saved Code - -**CWE** (96) Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection') - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A03:2021 - Injection - -## Rule (15) Buffer Over-read - -**CWE** 
(126) Buffer Over-read - -## Rule (16) Use of Externally-Controlled Format String - -**CWE** (134) Use of Externally-Controlled Format String - -**Autofixable** by DeepCode AI Fix - -## Rule (17) Clear Text Sensitive Storage - -**CWE** (200, 312) Exposure of Sensitive Information to an Unauthorized Actor, Cleartext Storage of Sensitive Information - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A01:2021 - Broken Access Control - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A04:2021 - Insecure Design - -**OWASP Top 10/SANS 25:** SANS/CWE Top 25 - -**Autofixable** by DeepCode AI Fix - -## Rule (18) Information Exposure - -**CWE** (200) Exposure of Sensitive Information to an Unauthorized Actor - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A01:2021 - Broken Access Control - -**OWASP Top 10/SANS 25:** SANS/CWE Top 25 - -**Autofixable** by DeepCode AI Fix - -## Rule (19) Introspection Enabled - -**CWE** (200) Exposure of Sensitive Information to an Unauthorized Actor - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A01:2021 - Broken Access Control - -**OWASP Top 10/SANS 25:** SANS/CWE Top 25 - -## Rule (20) Observable Timing Discrepancy (Timing Attack) - -**CWE** (208) Observable Timing Discrepancy - -## Rule (21) Use of Hardcoded Credentials - -**CWE** (259, 798) Use of Hard-coded Password, Use of Hard-coded Credentials - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A07:2021 - Identification and Authentication Failures - -**OWASP Top 10/SANS 25:** SANS/CWE Top 25 - -**Autofixable** by DeepCode AI Fix - -## Rule (22) Cryptographic Issues - -**CWE** (310) Cryptographic Issues - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A02:2021 - Cryptographic Failures - -**Autofixable** by DeepCode AI Fix - -## Rule (23) Cleartext Transmission of Sensitive Information - -**CWE** (319) Cleartext Transmission of Sensitive Information - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A02:2021 - Cryptographic Failures - 
-**Autofixable** by DeepCode AI Fix - -## Rule (24) Use of a Broken or Risky Cryptographic Algorithm - -**CWE** (327) Use of a Broken or Risky Cryptographic Algorithm - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A02:2021 - Cryptographic Failures - -**Autofixable** by DeepCode AI Fix - -## Rule (25) Insecure TLS Configuration - -**CWE** (327) Use of a Broken or Risky Cryptographic Algorithm - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A02:2021 - Cryptographic Failures - -**Autofixable** by DeepCode AI Fix - -## Rule (26) Use of Insufficiently Random Values - -**CWE** (330) Use of Insufficiently Random Values - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A02:2021 - Cryptographic Failures - -**Autofixable** by DeepCode AI Fix - -## Rule (27) Origin Validation Error - -**CWE** (346, 942) Origin Validation Error, Permissive Cross-domain Policy with Untrusted Domains - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A07:2021 - Identification and Authentication Failures - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A05:2021 - Security Misconfiguration - -## Rule (28) Insecure JWT Verification Method - -**CWE** (347) Improper Verification of Cryptographic Signature - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A02:2021 - Cryptographic Failures - -## Rule (29) JWT Signature Verification Method Disabled - -**CWE** (347) Improper Verification of Cryptographic Signature - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A02:2021 - Cryptographic Failures - -## Rule (30) JWT 'none' Algorithm Supported - -**CWE** (347) Improper Verification of Cryptographic Signature - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A02:2021 - Cryptographic Failures - -## Rule (31) Cross-Site Request Forgery (CSRF) - -**CWE** (352) Cross-Site Request Forgery (CSRF) - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A01:2021 - Broken Access Control - -**OWASP Top 10/SANS 25:** SANS/CWE Top 25 - -## Rule (32) Denial 
of Service (DoS) through Nested GraphQL Queries - -**CWE** (400) Uncontrolled Resource Consumption - -## Rule (33) Unchecked Input for Loop Condition - -**CWE** (400, 606) Uncontrolled Resource Consumption, Unchecked Input for Loop Condition - -## Rule (34) Regular Expression Denial of Service (ReDoS) - -**CWE** (400) Uncontrolled Resource Consumption - -**Autofixable** by DeepCode AI Fix - -## Rule (35) Deserialization of Untrusted Data - -**CWE** (502) Deserialization of Untrusted Data - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A08:2021 - Software and Data Integrity Failures - -**OWASP Top 10/SANS 25:** SANS/CWE Top 25 - -## Rule (36) Hardcoded Secret - -**CWE** (547) Use of Hard-coded, Security-relevant Constants - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A05:2021 - Security Misconfiguration - -## Rule (37) Open Redirect - -**CWE** (601) URL Redirection to Untrusted Site ('Open Redirect') - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A01:2021 - Broken Access Control - -## Rule (38) XML External Entity (XXE) Injection - -**CWE** (611) Improper Restriction of XML External Entity Reference - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A05:2021 - Security Misconfiguration - -**OWASP Top 10/SANS 25:** SANS/CWE Top 25 - -## Rule (39) Sensitive Cookie in HTTPS Session Without 'Secure' Attribute - -**CWE** (614) Sensitive Cookie in HTTPS Session Without 'Secure' Attribute - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A05:2021 - Security Misconfiguration - -**Autofixable** by DeepCode AI Fix - -## Rule (40) Weak Password Recovery Mechanism for Forgotten Password - -**CWE** (640) Weak Password Recovery Mechanism for Forgotten Password - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A07:2021 - Identification and Authentication Failures - -## Rule (41) XPath Injection - -**CWE** (643) Improper Neutralization of Data within XPath Expressions ('XPath Injection') - -**OWASP Top 10/SANS 25:** OWASP Top Ten 
2021 Category A03:2021 - Injection - -## Rule (42) Allocation of Resources Without Limits or Throttling - -**CWE** (770) Allocation of Resources Without Limits or Throttling - -**Autofixable** by DeepCode AI Fix - -## Rule (43) XML internal entity expansion - -**CWE** (776) Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion') - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A05:2021 - Security Misconfiguration - -## Rule (44) Use of Password Hash With Insufficient Computational Effort - -**CWE** (916) Use of Password Hash With Insufficient Computational Effort - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A02:2021 - Cryptographic Failures - -**Autofixable** by DeepCode AI Fix - -## Rule (45) Server-Side Request Forgery (SSRF) - -**CWE** (918) Server-Side Request Forgery (SSRF) - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A10:2021 - Server-Side Request Forgery (SSRF) - -**OWASP Top 10/SANS 25:** SANS/CWE Top 25 - -## Rule (46) Permissive Cross-domain Policy - -**CWE** (942) Permissive Cross-domain Policy with Untrusted Domains - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A05:2021 - Security Misconfiguration - -**Autofixable** by DeepCode AI Fix - -## Rule (47) NoSQL Injection - -**CWE** (943) Improper Neutralization of Special Elements in Data Query Logic - -## Rule (48) Sensitive Cookie Without 'HttpOnly' Flag - -**CWE** (1004) Sensitive Cookie Without 'HttpOnly' Flag - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A05:2021 - Security Misconfiguration - -**Autofixable** by DeepCode AI Fix - -## Rule (49) Bad Coding Practices - -**CWE** (1006) Bad Coding Practices - -**Autofixable** by DeepCode AI Fix - -## Rule (50) Improper Restriction of Rendered UI Layers or Frames - -**CWE** (1021) Improper Restriction of Rendered UI Layers or Frames - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A04:2021 - Insecure Design - -**Autofixable** by DeepCode AI Fix - -## Rule (51) Improper 
Type Validation - -**CWE** (1287) Improper Validation of Specified Type of Input - -**Autofixable** by DeepCode AI Fix - -## Rule (52) Prototype Pollution - -**CWE** (1321) Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') - -**Autofixable** by DeepCode AI Fix +Each rule includes the following information. + +* **Rule Name**: Consecutive number for each rule and the Snyk name of the rule. +* **CWE(s):** The [CWE numbers](https://cwe.mitre.org/) that are covered by this rule. +* **Security Categories**: The [OWASP Top 10 ](https://owasp.org/Top10/)(2021 edition) category to which the rule belongs to, if any, and if it is included in [SANS 25](https://www.sans.org/top25-software-errors/). +* **Autofixable**: Security rules that are autofixable by DeepCode AI Fix. This information is included only for the supported programming languages. + +| Rule Name | CWE(s) | Security Categories | Autofixable | +| ----------------------------------------------------------------------------------------------------------------- | ----------------------- | ---------------------- | ----------- | +| Disabling Strict Contextual escaping (SCE) could provide additional attack surface for Cross-site Scripting (XSS) | CWE-79 | Sans Top 25, OWASP:A03 | Yes | +| Use of a Broken or Risky Cryptographic Algorithm | CWE-327 | OWASP:A02 | No | +| Clear Text Sensitive Storage | CWE-200, CWE-312 | OWASP:A01, OWASP:A04 | No | +| Code Injection | CWE-94 | Sans Top 25, OWASP:A03 | Yes | +| Command Injection | CWE-78 | Sans Top 25, OWASP:A03 | Yes | +| Cross-site Scripting (XSS) | CWE-79 | Sans Top 25, OWASP:A03 | Yes | +| Deserialization of Untrusted Data | CWE-502 | Sans Top 25, OWASP:A08 | No | +| Information Exposure | CWE-200 | OWASP:A01 | Yes | +| Electron Disable Security Warnings | CWE-16 | OWASP:A05 | No | +| Electron Insecure Web Preferences | CWE-16 | OWASP:A05 | Yes | +| Electron Load Insecure Content | CWE-16 | OWASP:A05 | Yes | +| Use of 
Externally-Controlled Format String | CWE-134 | None | Yes | +| GraphQL Injection | CWE-89 | Sans Top 25, OWASP:A03 | No | +| Improper Type Validation | CWE-1287 | None | Yes | +| Hardcoded Secret | CWE-547 | OWASP:A05 | Yes | +| Cleartext Transmission of Sensitive Information | CWE-319 | OWASP:A02 | Yes | +| Improper Code Sanitization | CWE-94, CWE-79, CWE-116 | Sans Top 25, OWASP:A03 | No | +| Use of Password Hash With Insufficient Computational Effort | CWE-916 | OWASP:A02 | Yes | +| Use of Insufficiently Random Values | CWE-330 | OWASP:A02 | No | +| Insecure TLS Configuration | CWE-327 | OWASP:A02 | Yes | +| Insufficient postMessage Validation | CWE-20 | Sans Top 25, OWASP:A03 | Yes | +| Introspection Enabled | CWE-200 | OWASP:A01 | No | +| Insecure JWT Verification Method | CWE-347 | OWASP:A02 | No | +| JWT Signature Verification Method Disabled | CWE-347 | OWASP:A02 | No | +| JWT 'none' Algorithm Supported | CWE-347 | OWASP:A02 | No | +| Denial of Service (DoS) through Nested GraphQL Queries | CWE-400 | None | Yes | +| Unchecked Input for Loop Condition | CWE-400, CWE-606 | None | No | +| Observable Timing Discrepancy (Timing Attack) | CWE-208 | None | No | +| Use of Hardcoded Credentials | CWE-798 | Sans Top 25, OWASP:A07 | Yes | +| Use of Hardcoded Passwords | CWE-798, CWE-259 | Sans Top 25, OWASP:A07 | Yes | +| Allocation of Resources Without Limits or Throttling | CWE-770 | None | Yes | +| NoSQL Injection | CWE-943 | None | No | +| Buffer Over-read | CWE-126 | None | No | +| Open Redirect | CWE-601 | OWASP:A01 | Yes | +| Path Traversal | CWE-23 | OWASP:A01 | Yes | +| Prototype Pollution | CWE-1321 | None | No | +| Use dangerouslySetInnerHTML to Explicitly Handle XSS Risks | CWE-79 | Sans Top 25, OWASP:A03 | Yes | +| Weak Password Recovery Mechanism for Forgotten Password | CWE-640 | OWASP:A07 | No | +| SQL Injection | CWE-89 | Sans Top 25, OWASP:A03 | Yes | +| Server-Side Request Forgery (SSRF) | CWE-918 | Sans Top 25, OWASP:A10 | No | +| Improper 
Neutralization of Directives in Statically Saved Code | CWE-96 | OWASP:A03 | No | +| Origin Validation Error | CWE-942, CWE-346 | OWASP:A05, OWASP:A07 | Yes | +| Permissive Cross-domain Policy | CWE-942 | OWASP:A05 | Yes | +| Improper Restriction of Rendered UI Layers or Frames | CWE-1021 | OWASP:A04 | No | +| Cryptographic Issues | CWE-310 | OWASP:A02 | Yes | +| Unsafe JQuery Plugin | CWE-79, CWE-116 | Sans Top 25, OWASP:A03 | No | +| Cross-Site Request Forgery (CSRF) | CWE-352 | Sans Top 25, OWASP:A01 | Yes | +| Sensitive Cookie Without 'HttpOnly' Flag | CWE-1004 | OWASP:A05 | Yes | +| Sensitive Cookie in HTTPS Session Without 'Secure' Attribute | CWE-614 | OWASP:A05 | Yes | +| XML External Entity (XXE) Injection | CWE-611 | OWASP:A05 | No | +| XPath Injection | CWE-643 | OWASP:A03 | No | +| Arbitrary File Write via Archive Extraction (Zip Slip) | CWE-22 | Sans Top 25, OWASP:A01 | No | +| Regular Expression Denial of Service (ReDoS) | CWE-400 | None | Yes | diff --git a/docs/scan-with-snyk/snyk-code/snyk-code-security-rules/kotlin-rules.md b/docs/scan-with-snyk/snyk-code/snyk-code-security-rules/kotlin-rules.md index cdacd47a6287..9df67b67c6cd 100644 --- a/docs/scan-with-snyk/snyk-code/snyk-code-security-rules/kotlin-rules.md +++ b/docs/scan-with-snyk/snyk-code/snyk-code-security-rules/kotlin-rules.md 
@@ -1,369 +1,70 @@ # Kotlin rules -## Rule (1) External Control of System or Configuration Setting - -**CWE** (15) External Control of System or Configuration Setting - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A05:2021 - Security Misconfiguration - -## Rule (2) Path Traversal - -**CWE** (23) Relative Path Traversal - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A01:2021 - Broken Access Control - -## Rule (3) Java Naming and Directory Interface (JNDI) Injection - -**CWE** (74) Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A03:2021 - Injection - -## Rule (4) Command Injection - -**CWE** (78) Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A03:2021 - Injection - -**OWASP Top 10/SANS 25:** SANS/CWE Top 25 - -## Rule (5) Indirect Command Injection via User Controlled Environment - -**CWE** (78) Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A03:2021 - Injection - -**OWASP Top 10/SANS 25:** SANS/CWE Top 25 - -## Rule (6) Cross-site Scripting (XSS) - -**CWE** (79) Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A03:2021 - Injection - -**OWASP Top 10/SANS 25:** SANS/CWE Top 25 - -## Rule (7) JavaScript Enabled - -**CWE** (79) Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A03:2021 - Injection - -**OWASP Top 10/SANS 25:** SANS/CWE Top 25 - -## Rule (8) Unauthorized File Access - -**CWE** (79) Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A03:2021 - Injection - 
-**OWASP Top 10/SANS 25:** SANS/CWE Top 25 - -## Rule (9) SQL Injection - -**CWE** (89) Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A03:2021 - Injection - -**OWASP Top 10/SANS 25:** SANS/CWE Top 25 - -## Rule (10) LDAP Injection - -**CWE** (90) Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection') - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A03:2021 - Injection - -## Rule (11) Code Injection - -**CWE** (94) Improper Control of Generation of Code ('Code Injection') - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A03:2021 - Injection - -## Rule (12) Code Execution via Third Party Package Context - -**CWE** (94) Improper Control of Generation of Code ('Code Injection') - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A03:2021 - Injection - -## Rule (13) Improper Neutralization of CRLF Sequences in HTTP Headers - -**CWE** (113) Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A03:2021 - Injection - -## Rule (14) Disabled Neutralization of CRLF Sequences in HTTP Headers - -**CWE** (113) Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A03:2021 - Injection - -## Rule (15) Process Control - -**CWE** (114) Process Control - -## Rule (16) Use of Externally-Controlled Format String - -**CWE** (134) Use of Externally-Controlled Format String - -## Rule (17) Information Exposure - -**CWE** (200) Exposure of Sensitive Information to an Unauthorized Actor - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A01:2021 - Broken Access Control - -**OWASP Top 10/SANS 25:** SANS/CWE Top 25 - -## Rule (18) File Access Enabled - -**CWE** (200) Exposure of Sensitive Information to an Unauthorized Actor - -**OWASP Top 10/SANS 
25:** OWASP Top Ten 2021 Category A01:2021 - Broken Access Control - -**OWASP Top 10/SANS 25:** SANS/CWE Top 25 - -## Rule (19) Observable Timing Discrepancy (Timing Attack) - -**CWE** (208) Observable Timing Discrepancy - -## Rule (20) Server Information Exposure - -**CWE** (209) Generation of Error Message Containing Sensitive Information - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A04:2021 - Insecure Design - -## Rule (21) Unprotected Storage of Credentials - -**CWE** (256) Plaintext Storage of a Password - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A04:2021 - Insecure Design - -## Rule (22) Use of Hardcoded Credentials - -**CWE** (259, 798) Use of Hard-coded Password, Use of Hard-coded Credentials - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A07:2021 - Identification and Authentication Failures - -**OWASP Top 10/SANS 25:** SANS/CWE Top 25 - -## Rule (23) Use of Sticky broadcasts - -**CWE** (265) Privilege Issues - -## Rule (24) Android Uri Permission Manipulation - -**CWE** (266) Incorrect Privilege Assignment - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A04:2021 - Insecure Design - -## Rule (25) Improper Handling of Insufficient Permissions or Privileges - -**CWE** (280) Improper Handling of Insufficient Permissions or Privileges - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A04:2021 - Insecure Design - -## Rule (26) Improper Authentication - -**CWE** (287) Improper Authentication - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A07:2021 - Identification and Authentication Failures - -**OWASP Top 10/SANS 25:** SANS/CWE Top 25 - -## Rule (27) Improper Certificate Validation - -**CWE** (295) Improper Certificate Validation - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A07:2021 - Identification and Authentication Failures - -## Rule (28) Improper Validation of Certificate with Host Mismatch - -**CWE** (297) Improper Validation of Certificate with Host Mismatch - -**OWASP Top 10/SANS 
25:** OWASP Top Ten 2021 Category A07:2021 - Identification and Authentication Failures - -## Rule (29) Cryptographic Issues - -**CWE** (310) Cryptographic Issues - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A02:2021 - Cryptographic Failures - -## Rule (30) The cipher text is equal to the provided input plain text - -**CWE** (311) Missing Encryption of Sensitive Data - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A04:2021 - Insecure Design - -## Rule (31) Cleartext Storage of Sensitive Information in a Cookie - -**CWE** (315) Cleartext Storage of Sensitive Information in a Cookie - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A05:2021 - Security Misconfiguration - -## Rule (32) Cleartext Transmission of Sensitive Information - -**CWE** (319) Cleartext Transmission of Sensitive Information - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A02:2021 - Cryptographic Failures - -## Rule (33) Inadequate Padding for AES encryption - -**CWE** (326) Inadequate Encryption Strength - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A02:2021 - Cryptographic Failures - -## Rule (34) Inadequate Encryption Strength - -**CWE** (326) Inadequate Encryption Strength - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A02:2021 - Cryptographic Failures - -## Rule (35) Use of a Broken or Risky Cryptographic Algorithm - -**CWE** (327) Use of a Broken or Risky Cryptographic Algorithm - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A02:2021 - Cryptographic Failures - -## Rule (36) Use of Insufficiently Random Values - -**CWE** (330) Use of Insufficiently Random Values - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A02:2021 - Cryptographic Failures - -## Rule (37) Origin Validation Error - -**CWE** (346, 942) Origin Validation Error, Permissive Cross-domain Policy with Untrusted Domains - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A07:2021 - Identification and Authentication Failures - -**OWASP Top 10/SANS 
25:** OWASP Top Ten 2021 Category A05:2021 - Security Misconfiguration - -## Rule (38) Cross-Site Request Forgery (CSRF) - -**CWE** (352) Cross-Site Request Forgery (CSRF) - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A01:2021 - Broken Access Control - -**OWASP Top 10/SANS 25:** SANS/CWE Top 25 - -## Rule (39) Regular expression injection - -**CWE** (400, 730) Uncontrolled Resource Consumption, OWASP Top Ten 2004 Category A9 - Denial of Service - -## Rule (40) Android Fragment Injection - -**CWE** (470) Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A03:2021 - Injection - -## Rule (41) Trust Boundary Violation - -**CWE** (501) Trust Boundary Violation - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A04:2021 - Insecure Design - -## Rule (42) Deserialization of Untrusted Data - -**CWE** (502) Deserialization of Untrusted Data - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A08:2021 - Software and Data Integrity Failures - -**OWASP Top 10/SANS 25:** SANS/CWE Top 25 - -## Rule (43) Hardcoded Secret - -**CWE** (547) Use of Hard-coded, Security-relevant Constants - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A05:2021 - Security Misconfiguration - -## Rule (44) Use of Hardcoded, Security-relevant Constants - -**CWE** (547) Use of Hard-coded, Security-relevant Constants - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A05:2021 - Security Misconfiguration - -## Rule (45) Open Redirect - -**CWE** (601) URL Redirection to Untrusted Site ('Open Redirect') - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A01:2021 - Broken Access Control - -## Rule (46) XML External Entity (XXE) Injection - -**CWE** (611) Improper Restriction of XML External Entity Reference - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A05:2021 - Security Misconfiguration - -**OWASP Top 10/SANS 25:** SANS/CWE Top 25 - -## Rule (47) Insufficient Session 
Expiration - -**CWE** (613) Insufficient Session Expiration - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A07:2021 - Identification and Authentication Failures - -## Rule (48) Sensitive Cookie in HTTPS Session Without 'Secure' Attribute - -**CWE** (614) Sensitive Cookie in HTTPS Session Without 'Secure' Attribute - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A05:2021 - Security Misconfiguration - -## Rule (49) XPath Injection - -**CWE** (643) Improper Neutralization of Data within XPath Expressions ('XPath Injection') - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A03:2021 - Injection - -## Rule (50) Use of Potentially Dangerous Function - -**CWE** (676) Use of Potentially Dangerous Function - -## Rule (51) Android World Writeable/Readable File Permission Found - -**CWE** (732) Incorrect Permission Assignment for Critical Resource - -**OWASP Top 10/SANS 25:** SANS/CWE Top 25 - -## Rule (52) Incorrect Permission Assignment - -**CWE** (732) Incorrect Permission Assignment for Critical Resource - -**OWASP Top 10/SANS 25:** SANS/CWE Top 25 - -## Rule (53) Unrestricted Android Broadcast - -**CWE** (862) Missing Authorization - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A01:2021 - Broken Access Control - -**OWASP Top 10/SANS 25:** SANS/CWE Top 25 - -## Rule (54) Use of Password Hash With Insufficient Computational Effort - -**CWE** (916) Use of Password Hash With Insufficient Computational Effort - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A02:2021 - Cryptographic Failures - -## Rule (55) Server-Side Request Forgery (SSRF) - -**CWE** (918) Server-Side Request Forgery (SSRF) - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A10:2021 - Server-Side Request Forgery (SSRF) - -**OWASP Top 10/SANS 25:** SANS/CWE Top 25 - -## Rule (56) Android Intent Forwarding - -**CWE** (940) Improper Verification of Source of a Communication Channel - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A07:2021 - 
Identification and Authentication Failures - -## Rule (57) Code Execution via Third Party Package Installation - -**CWE** (940) Improper Verification of Source of a Communication Channel - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A07:2021 - Identification and Authentication Failures - -## Rule (58) Sensitive Cookie Without 'HttpOnly' Flag - -**CWE** (1004) Sensitive Cookie Without 'HttpOnly' Flag - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A05:2021 - Security Misconfiguration +Each rule includes the following information. + +* **Rule Name**: Consecutive number for each rule and the Snyk name of the rule. +* **CWE(s):** The [CWE numbers](https://cwe.mitre.org/) that are covered by this rule. +* **Security Categories**: The [OWASP Top 10 ](https://owasp.org/Top10/)(2021 edition) category to which the rule belongs to, if any, and if it is included in [SANS 25](https://www.sans.org/top25-software-errors/). +* **Autofixable**: Security rules that are autofixable by DeepCode AI Fix. This information is included only for the supported programming languages. 
+ +| Rule Name | CWE(s) | Security Categories | Autofixable | +| ------------------------------------------------------------ | ---------------- | ---------------------- | ----------- | +| Android World Writeable/Readable File Permission Found | CWE-732 | None | No | +| Use of Potentially Dangerous Function | CWE-676 | None | No | +| Cleartext Storage of Sensitive Information in a Cookie | CWE-315 | OWASP:A05 | No | +| Code Injection | CWE-94 | Sans Top 25, OWASP:A03 | No | +| Command Injection | CWE-78 | Sans Top 25, OWASP:A03 | No | +| Deserialization of Untrusted Data | CWE-502 | Sans Top 25, OWASP:A08 | No | +| Cross-Site Request Forgery (CSRF) | CWE-352 | Sans Top 25, OWASP:A01 | No | +| Information Exposure | CWE-200 | OWASP:A01 | No | +| Cleartext Transmission of Sensitive Information | CWE-319 | OWASP:A02 | No | +| Indirect Command Injection via User Controlled Environment | CWE-78 | Sans Top 25, OWASP:A03 | No | +| External Control of System or Configuration Setting | CWE-15 | OWASP:A05 | No | +| Process Control | CWE-114 | None | No | +| File Access Enabled | CWE-200 | OWASP:A01 | No | +| Android Fragment Injection | CWE-470 | OWASP:A03 | No | +| Use of Hardcoded Passwords | CWE-798, CWE-259 | Sans Top 25, OWASP:A07 | No | +| Hardcoded Secret | CWE-547 | OWASP:A05 | No | +| Improper Neutralization of CRLF Sequences in HTTP Headers | CWE-113 | OWASP:A03 | No | +| Disabled Neutralization of CRLF Sequences in HTTP Headers | CWE-113 | OWASP:A03 | No | +| Inadequate Padding for AES encryption | CWE-326 | OWASP:A02 | No | +| Use of a Broken or Risky Cryptographic Algorithm | CWE-327 | OWASP:A02 | No | +| Use of Password Hash With Insufficient Computational Effort | CWE-916 | OWASP:A02 | No | +| Use of Insufficiently Random Values | CWE-330 | OWASP:A02 | No | +| Android Intent Forwarding | CWE-940 | OWASP:A07 | No | +| Improper Validation of Certificate with Host Mismatch | CWE-297 | OWASP:A07 | No | +| JavaScript Enabled | CWE-79 | Sans Top 25, OWASP:A03 | No | 
+| Java Naming and Directory Interface (JNDI) Injection | CWE-074 | None | No | +| Improper Authentication | CWE-287 | Sans Top 25, OWASP:A07 | No | +| LDAP Injection | CWE-90 | OWASP:A03 | No | +| Use of Hardcoded Credentials | CWE-798 | Sans Top 25, OWASP:A07 | No | +| The cipher text is equal to the provided input plain text | CWE-311 | OWASP:A04 | No | +| Use of Sticky broadcasts | CWE-265 | None | No | +| Use of Hardcoded, Security-relevant Constants | CWE-547 | OWASP:A05 | No | +| Open Redirect | CWE-601 | OWASP:A01 | No | +| Path Traversal | CWE-23 | OWASP:A01 | No | +| Regular expression injection | CWE-400, CWE-730 | None | No | +| Unprotected Storage of Credentials | CWE-256 | OWASP:A04 | No | +| Incorrect Permission Assignment | CWE-732 | None | No | +| Improper Certificate Validation | CWE-295 | OWASP:A07 | No | +| Server Information Exposure | CWE-209 | OWASP:A04 | No | +| Improper Handling of Insufficient Permissions or Privileges | CWE-280 | OWASP:A04 | No | +| Cross-site Scripting (XSS) | CWE-79 | Sans Top 25, OWASP:A03 | No | +| Unrestricted Android Broadcast | CWE-862 | Sans Top 25, OWASP:A01 | No | +| SQL Injection | CWE-89 | Sans Top 25, OWASP:A03 | No | +| Server-Side Request Forgery (SSRF) | CWE-918 | Sans Top 25, OWASP:A10 | No | +| Inadequate Encryption Strength | CWE-326 | OWASP:A02 | No | +| Code Execution via Third Party Package Context | CWE-94 | Sans Top 25, OWASP:A03 | No | +| Code Execution via Third Party Package Installation | CWE-940 | OWASP:A07 | No | +| Observable Timing Discrepancy (Timing Attack) | CWE-208 | None | No | +| Origin Validation Error | CWE-942, CWE-346 | OWASP:A05, OWASP:A07 | No | +| Cryptographic Issues | CWE-310 | OWASP:A02 | No | +| Trust Boundary Violation | CWE-501 | OWASP:A04 | No | +| Unauthorized File Access | CWE-79 | Sans Top 25, OWASP:A03 | No | +| Android Uri Permission Manipulation | CWE-266 | OWASP:A04 | No | +| Use of Externally-Controlled Format String | CWE-134 | None | No | +| Sensitive Cookie 
Without 'HttpOnly' Flag | CWE-1004 | OWASP:A05 | No | +| Sensitive Cookie in HTTPS Session Without 'Secure' Attribute | CWE-614 | OWASP:A05 | No | +| Insufficient Session Expiration | CWE-613 | OWASP:A07 | No | +| XML External Entity (XXE) Injection | CWE-611 | OWASP:A05 | No | +| XPath Injection | CWE-643 | OWASP:A03 | No | diff --git a/docs/scan-with-snyk/snyk-code/snyk-code-security-rules/php-rules.md b/docs/scan-with-snyk/snyk-code/snyk-code-security-rules/php-rules.md index 01b0d7e8d5de..cdce6e38f4da 100644 --- a/docs/scan-with-snyk/snyk-code/snyk-code-security-rules/php-rules.md +++ b/docs/scan-with-snyk/snyk-code/snyk-code-security-rules/php-rules.md 
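Review bot: the `Java Naming and Directory Interface (JNDI) Injection` row is the only one that zero-pads its CWE (`CWE-074`, where every other row uses the bare number and the removed text had `CWE (74)`), and it also loses its category: the removed text mapped the rule to `OWASP Top Ten 2021 Category A03:2021 - Injection`, the new row says `None`. Attacker-controlled JNDI lookups are an injection, so this reads as a conversion slip rather than a reclassification; suggest `| CWE-74 | OWASP:A03 |`. Two further points on this hunk. The new `**Rule Name**` bullet still says "Consecutive number for each rule and the Snyk name of the rule", but the table column carries only the name, so drop "Consecutive number for each rule and" (the same bullet text is pasted unchanged into the PHP and Python hunks of this patch). And several rules lose `SANS/CWE Top 25` (CWE-200 `Information Exposure` and `File Access Enabled`, CWE-611 `XML External Entity (XXE) Injection`, CWE-732 `Android World Writeable/Readable File Permission Found` and `Incorrect Permission Assignment`) while CWE-94 `Code Injection` gains `Sans Top 25`; that pattern is consistent with moving to a newer edition of the CWE Top 25, which is fine, but the `**Security Categories**` bullet names the OWASP edition (2021) and no Top 25 year, so state which edition the column follows.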
@@ -1,193 +1,39 @@ # PHP rules -## Rule (1) Arbitrary File Write via Archive Extraction (Zip Slip) - -**CWE** (22) Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A01:2021 - Broken Access Control - -**OWASP Top 10/SANS 25:** SANS/CWE Top 25 - -## Rule (2) Path Traversal - -**CWE** (23) Relative Path Traversal - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A01:2021 - Broken Access Control - -## Rule (3) Command Injection - -**CWE** (78) Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A03:2021 - Injection - -**OWASP Top 10/SANS 25:** SANS/CWE Top 25 - -## Rule (4) Cross-site Scripting (XSS) - -**CWE** (79) Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A03:2021 - Injection - -**OWASP Top 10/SANS 25:** SANS/CWE Top 25 - -## Rule (5) SQL Injection - -**CWE** (89) Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A03:2021 - Injection - -**OWASP Top 10/SANS 25:** SANS/CWE Top 25 - -## Rule (6) Code Injection - -**CWE** (94) Improper Control of Generation of Code ('Code Injection') - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A03:2021 - Injection - -## Rule (7) File Inclusion - -**CWE** (98) Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A03:2021 - Injection - -## Rule (8) Information Exposure - -**CWE** (200) Exposure of Sensitive Information to an Unauthorized Actor - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A01:2021 - Broken Access Control - -**OWASP Top 10/SANS 25:** SANS/CWE Top 25 - -## Rule (9) Use of Hardcoded Credentials - -**CWE** (259, 798) Use 
of Hard-coded Password, Use of Hard-coded Credentials - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A07:2021 - Identification and Authentication Failures - -**OWASP Top 10/SANS 25:** SANS/CWE Top 25 - -## Rule (10) Inadequate Padding for Public Key Encryption - -**CWE** (326) Inadequate Encryption Strength - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A02:2021 - Cryptographic Failures - -## Rule (11) Inadequate Encryption Strength - -**CWE** (326) Inadequate Encryption Strength - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A02:2021 - Cryptographic Failures - -## Rule (12) Use of a Broken or Risky Cryptographic Algorithm - -**CWE** (327) Use of a Broken or Risky Cryptographic Algorithm - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A02:2021 - Cryptographic Failures - -## Rule (13) Use of Insufficiently Random Values - -**CWE** (330) Use of Insufficiently Random Values - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A02:2021 - Cryptographic Failures - -## Rule (14) Origin Validation Error - -**CWE** (346, 942) Origin Validation Error, Permissive Cross-domain Policy with Untrusted Domains - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A07:2021 - Identification and Authentication Failures - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A05:2021 - Security Misconfiguration - -## Rule (15) Cross-Site Request Forgery (CSRF) - -**CWE** (352) Cross-Site Request Forgery (CSRF) - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A01:2021 - Broken Access Control - -**OWASP Top 10/SANS 25:** SANS/CWE Top 25 - -## Rule (16) Regular Expression Denial of Service (ReDoS) - -**CWE** (400) Uncontrolled Resource Consumption - -## Rule (17) Deserialization of Untrusted Data - -**CWE** (502) Deserialization of Untrusted Data - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A08:2021 - Software and Data Integrity Failures - -**OWASP Top 10/SANS 25:** SANS/CWE Top 25 - -## Rule (18) Privacy Leak - -**CWE** 
(532) Insertion of Sensitive Information into Log File - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A09:2021 - Security Logging and Monitoring Failures - -## Rule (19) Hardcoded Secret - -**CWE** (547) Use of Hard-coded, Security-relevant Constants - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A05:2021 - Security Misconfiguration - -## Rule (20) Open Redirect - -**CWE** (601) URL Redirection to Untrusted Site ('Open Redirect') - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A01:2021 - Broken Access Control - -## Rule (21) XML External Entity (XXE) Injection - -**CWE** (611) Improper Restriction of XML External Entity Reference - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A05:2021 - Security Misconfiguration - -**OWASP Top 10/SANS 25:** SANS/CWE Top 25 - -## Rule (22) Sensitive Cookie in HTTPS Session Without 'Secure' Attribute - -**CWE** (614) Sensitive Cookie in HTTPS Session Without 'Secure' Attribute - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A05:2021 - Security Misconfiguration - -## Rule (23) Weak Password Recovery Mechanism for Forgotten Password - -**CWE** (640) Weak Password Recovery Mechanism for Forgotten Password - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A07:2021 - Identification and Authentication Failures - -## Rule (24) XPath Injection - -**CWE** (643) Improper Neutralization of Data within XPath Expressions ('XPath Injection') - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A03:2021 - Injection - -## Rule (25) Allocation of Resources Without Limits or Throttling - -**CWE** (770) Allocation of Resources Without Limits or Throttling - -## Rule (26) Use of Password Hash With Insufficient Computational Effort - -**CWE** (916) Use of Password Hash With Insufficient Computational Effort - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A02:2021 - Cryptographic Failures - -## Rule (27) Server-Side Request Forgery (SSRF) - -**CWE** (918) Server-Side Request Forgery 
(SSRF) - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A10:2021 - Server-Side Request Forgery (SSRF) - -**OWASP Top 10/SANS 25:** SANS/CWE Top 25 - -## Rule (28) Sensitive Cookie Without 'HttpOnly' Flag - -**CWE** (1004) Sensitive Cookie Without 'HttpOnly' Flag - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A05:2021 - Security Misconfiguration - -## Rule (29) Improper Restriction of Rendered UI Layers or Frames - -**CWE** (1021) Improper Restriction of Rendered UI Layers or Frames - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A04:2021 - Insecure Design +Each rule includes the following information. + +* **Rule Name**: Consecutive number for each rule and the Snyk name of the rule. +* **CWE(s):** The [CWE numbers](https://cwe.mitre.org/) that are covered by this rule. +* **Security Categories**: The [OWASP Top 10 ](https://owasp.org/Top10/)(2021 edition) category to which the rule belongs to, if any, and if it is included in [SANS 25](https://www.sans.org/top25-software-errors/). +* **Autofixable**: Security rules that are autofixable by DeepCode AI Fix. This information is included only for the supported programming languages. 
+ +| Rule Name | CWE(s) | Security Categories | Autofixable | +| ------------------------------------------------------------ | ---------------- | ---------------------- | ----------- | +| Code Injection | CWE-94 | Sans Top 25, OWASP:A03 | No | +| Command Injection | CWE-78 | Sans Top 25, OWASP:A03 | No | +| Deserialization of Untrusted Data | CWE-502 | Sans Top 25, OWASP:A08 | No | +| Improper Access Control: Email Content Injection | CWE-284 | OWASP:A01 | No | +| File Inclusion | CWE-98 | OWASP:A03 | No | +| Use of Hardcoded Credentials | CWE-798, CWE-259 | Sans Top 25, OWASP:A07 | No | +| Hardcoded Secret | CWE-547 | OWASP:A05 | No | +| Use of Hardcoded Passwords | CWE-798, CWE-259 | Sans Top 25, OWASP:A07 | No | +| Inadequate Padding for Public Key Encryption | CWE-326 | OWASP:A02 | No | +| Use of a Broken or Risky Cryptographic Algorithm | CWE-327 | OWASP:A02 | No | +| Use of Password Hash With Insufficient Computational Effort | CWE-916 | OWASP:A02 | No | +| Use of Insufficiently Random Values | CWE-330 | OWASP:A02 | No | +| Cross-site Scripting (XSS) | CWE-79 | Sans Top 25, OWASP:A03 | No | +| Allocation of Resources Without Limits or Throttling | CWE-770 | None | No | +| Open Redirect | CWE-601 | OWASP:A01 | No | +| Path Traversal | CWE-23 | OWASP:A01 | No | +| Information Exposure | CWE-200 | OWASP:A01 | No | +| SQL Injection | CWE-89 | Sans Top 25, OWASP:A03 | No | +| Server-Side Request Forgery (SSRF) | CWE-918 | Sans Top 25, OWASP:A10 | No | +| Origin Validation Error | CWE-942, CWE-346 | OWASP:A05, OWASP:A07 | No | +| Improper Restriction of Rendered UI Layers or Frames | CWE-1021 | OWASP:A04 | No | +| Inadequate Encryption Strength | CWE-326 | OWASP:A02 | No | +| Sensitive Cookie Without 'HttpOnly' Flag | CWE-1004 | OWASP:A05 | No | +| Sensitive Cookie in HTTPS Session Without 'Secure' Attribute | CWE-614 | OWASP:A05 | No | +| XPath Injection | CWE-643 | OWASP:A03 | No | +| XML External Entity (XXE) Injection | CWE-611 | OWASP:A05 | No | +| Arbitrary 
File Write via Archive Extraction (Zip Slip) | CWE-22 | Sans Top 25, OWASP:A01 | No | +| Regular Expression Denial of Service (ReDoS) | CWE-400 | None | No | diff --git a/docs/scan-with-snyk/snyk-code/snyk-code-security-rules/python-rules.md b/docs/scan-with-snyk/snyk-code/snyk-code-security-rules/python-rules.md index fddb8d7999dd..f97e884927af 100644 --- a/docs/scan-with-snyk/snyk-code/snyk-code-security-rules/python-rules.md +++ b/docs/scan-with-snyk/snyk-code/snyk-code-security-rules/python-rules.md 
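Review bot: two rules present in the removed text have no row in the new table: `Rule (18) Privacy Leak` (CWE-532, A09) and `Rule (23) Weak Password Recovery Mechanism for Forgotten Password` (CWE-640, A07). If they were retired, the commit message should say so; if not, add them back, since this page is the list readers check a PHP finding against. Also, `Use of Hardcoded Credentials` and the new `Use of Hardcoded Passwords` both map to `CWE-798, CWE-259` here, while the Kotlin and Python hunks in the same patch give Credentials `CWE-798` only and Passwords `CWE-798, CWE-259`; pick one mapping and use it on every page. The `Autofixable` column is `No` for all 28 rows, yet the bullet above the table says this information "is included only for the supported programming languages": either PHP is supported and nothing is fixable, or it is not supported and the column should be omitted or read `N/A`, because a reader cannot tell which from `No`. Style: `Sans Top 25` should be `SANS Top 25` (the bullet's link text spells it `SANS 25`), and "category to which the rule belongs to" has one `to` too many.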
@@ -1,299 +1,53 @@ # Python rules -## Rule (1) Incomplete URL sanitization - -**CWE** (20) Improper Input Validation - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A03:2021 - Injection - -**OWASP Top 10/SANS 25:** SANS/CWE Top 25 - -## Rule (2) Arbitrary File Write via Archive Extraction (Tar Slip) - -**CWE** (22) Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A01:2021 - Broken Access Control - -**OWASP Top 10/SANS 25:** SANS/CWE Top 25 - -## Rule (3) Path Traversal - -**CWE** (23) Relative Path Traversal - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A01:2021 - Broken Access Control - -## Rule (4) Command Injection - -**CWE** (78) Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A03:2021 - Injection - -**OWASP Top 10/SANS 25:** SANS/CWE Top 25 - -**Autofixable** by DeepCode AI Fix - -## Rule (5) Cross-site Scripting (XSS) - -**CWE** (79) Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A03:2021 - Injection - -**OWASP Top 10/SANS 25:** SANS/CWE Top 25 - -**Autofixable** by DeepCode AI Fix - -## Rule (6) Jinja auto-escape is set to false. 
- -**CWE** (79) Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A03:2021 - Injection - -**OWASP Top 10/SANS 25:** SANS/CWE Top 25 - -**Autofixable** by DeepCode AI Fix - -## Rule (7) SQL Injection - -**CWE** (89) Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A03:2021 - Injection - -**OWASP Top 10/SANS 25:** SANS/CWE Top 25 - -**Autofixable** by DeepCode AI Fix - -## Rule (8) Code Injection - -**CWE** (94) Improper Control of Generation of Code ('Code Injection') - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A03:2021 - Injection - -**Autofixable** by DeepCode AI Fix - -## Rule (9) Improper Neutralization of Directives in Statically Saved Code - -**CWE** (96) Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection') - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A03:2021 - Injection - -## Rule (10) Server Information Exposure - -**CWE** (209) Generation of Error Message Containing Sensitive Information - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A04:2021 - Insecure Design - -## Rule (11) Use of Hardcoded Credentials - -**CWE** (259, 798) Use of Hard-coded Password, Use of Hard-coded Credentials - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A07:2021 - Identification and Authentication Failures - -**OWASP Top 10/SANS 25:** SANS/CWE Top 25 - -## Rule (12) Improper Handling of Insufficient Permissions or Privileges - -**CWE** (280) Improper Handling of Insufficient Permissions or Privileges - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A04:2021 - Insecure Design - -## Rule (13) Binding to all network interfaces may open service to unintended traffic - -**CWE** (284) Improper Access Control - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A01:2021 - Broken Access Control - -**Autofixable** by 
DeepCode AI Fix - -## Rule (14) Broken User Authentication - -**CWE** (287) Improper Authentication - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A07:2021 - Identification and Authentication Failures - -**OWASP Top 10/SANS 25:** SANS/CWE Top 25 - -## Rule (15) Improper Certificate Validation - -**CWE** (295) Improper Certificate Validation - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A07:2021 - Identification and Authentication Failures - -**Autofixable** by DeepCode AI Fix - -## Rule (16) Cryptographic Issues - -**CWE** (310) Cryptographic Issues - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A02:2021 - Cryptographic Failures - -## Rule (17) Authentication over HTTP - -**CWE** (319) Cleartext Transmission of Sensitive Information - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A02:2021 - Cryptographic Failures - -**Autofixable** by DeepCode AI Fix - -## Rule (18) Use of Hardcoded Cryptographic Key - -**CWE** (321) Use of Hard-coded Cryptographic Key - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A02:2021 - Cryptographic Failures - -## Rule (19) Inadequate Encryption Strength - -**CWE** (326) Inadequate Encryption Strength - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A02:2021 - Cryptographic Failures - -## Rule (20) Use of a Broken or Risky Cryptographic Algorithm - -**CWE** (327) Use of a Broken or Risky Cryptographic Algorithm - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A02:2021 - Cryptographic Failures - -## Rule (21) Missing protocol in ssl.wrap\_socket - -**CWE** (327) Use of a Broken or Risky Cryptographic Algorithm - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A02:2021 - Cryptographic Failures - -## Rule (22) Use of Hardcoded Cryptographic Initialization Value - -**CWE** (329) Generation of Predictable IV with CBC Mode - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A02:2021 - Cryptographic Failures - -## Rule (23) Origin Validation Error - -**CWE** (346, 942) 
Origin Validation Error, Permissive Cross-domain Policy with Untrusted Domains - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A07:2021 - Identification and Authentication Failures - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A05:2021 - Security Misconfiguration - -## Rule (24) Cross-Site Request Forgery (CSRF) - -**CWE** (352) Cross-Site Request Forgery (CSRF) - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A01:2021 - Broken Access Control - -**OWASP Top 10/SANS 25:** SANS/CWE Top 25 - -**Autofixable** by DeepCode AI Fix - -## Rule (25) Insecure Temporary File - -**CWE** (377) Insecure Temporary File - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A01:2021 - Broken Access Control - -**Autofixable** by DeepCode AI Fix - -## Rule (26) Regular Expression Denial of Service (ReDoS) - -**CWE** (400) Uncontrolled Resource Consumption - -## Rule (27) Insecure default value - -**CWE** (453) Insecure Default Variable Initialization - -## Rule (28) Debug Mode Enabled - -**CWE** (489) Active Debug Code - -**Autofixable** by DeepCode AI Fix - -## Rule (29) Deserialization of Untrusted Data - -**CWE** (502) Deserialization of Untrusted Data - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A08:2021 - Software and Data Integrity Failures - -**OWASP Top 10/SANS 25:** SANS/CWE Top 25 - -**Autofixable** by DeepCode AI Fix - -## Rule (30) Hardcoded Secret - -**CWE** (547) Use of Hard-coded, Security-relevant Constants - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A05:2021 - Security Misconfiguration - -**Autofixable** by DeepCode AI Fix - -## Rule (31) Open Redirect - -**CWE** (601) URL Redirection to Untrusted Site ('Open Redirect') - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A01:2021 - Broken Access Control - -## Rule (32) Insecure Xml Parser - -**CWE** (611) Improper Restriction of XML External Entity Reference - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A05:2021 - Security Misconfiguration - 
-**OWASP Top 10/SANS 25:** SANS/CWE Top 25 - -## Rule (33) Sensitive Cookie in HTTPS Session Without 'Secure' Attribute - -**CWE** (614) Sensitive Cookie in HTTPS Session Without 'Secure' Attribute - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A05:2021 - Security Misconfiguration - -**Autofixable** by DeepCode AI Fix - -## Rule (34) XPath Injection - -**CWE** (643) Improper Neutralization of Data within XPath Expressions ('XPath Injection') - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A03:2021 - Injection - -## Rule (35) Insecure File Permissions - -**CWE** (732) Incorrect Permission Assignment for Critical Resource - -**OWASP Top 10/SANS 25:** SANS/CWE Top 25 - -## Rule (36) Selection of Less-Secure Algorithm During Negotiation (SSL instead of TLS) - -**CWE** (757) Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade') - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A02:2021 - Cryptographic Failures - -**Autofixable** by DeepCode AI Fix - -## Rule (37) Use of Password Hash With Insufficient Computational Effort - -**CWE** (916) Use of Password Hash With Insufficient Computational Effort - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A02:2021 - Cryptographic Failures - -**Autofixable** by DeepCode AI Fix - -## Rule (38) Server-Side Request Forgery (SSRF) - -**CWE** (918) Server-Side Request Forgery (SSRF) - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A10:2021 - Server-Side Request Forgery (SSRF) - -**OWASP Top 10/SANS 25:** SANS/CWE Top 25 - -## Rule (39) NoSQL Injection - -**CWE** (943) Improper Neutralization of Special Elements in Data Query Logic - -## Rule (40) Sensitive Cookie Without 'HttpOnly' Flag - -**CWE** (1004) Sensitive Cookie Without 'HttpOnly' Flag - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A05:2021 - Security Misconfiguration - -**Autofixable** by DeepCode AI Fix - -## Rule (41) Python 2 source code - -**CWE** (1104) Use of Unmaintained Third Party Components 
- -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A06:2021 - Vulnerable and Outdated Components +Each rule includes the following information. + +* **Rule Name**: Consecutive number for each rule and the Snyk name of the rule. +* **CWE(s):** The [CWE numbers](https://cwe.mitre.org/) that are covered by this rule. +* **Security Categories**: The [OWASP Top 10 ](https://owasp.org/Top10/)(2021 edition) category to which the rule belongs to, if any, and if it is included in [SANS 25](https://www.sans.org/top25-software-errors/). +* **Autofixable**: Security rules that are autofixable by DeepCode AI Fix. This information is included only for the supported programming languages. + +| Rule Name | CWE(s) | Security Categories | Autofixable | +| -------------------------------------------------------------------------- | ---------------- | ---------------------- | ----------- | +| Authentication over HTTP | CWE-319 | OWASP:A02 | Yes | +| Binding to all network interfaces may open service to unintended traffic | CWE-284 | OWASP:A01 | Yes | +| Broken User Authentication | CWE-287 | Sans Top 25, OWASP:A07 | No | +| Code Injection | CWE-94 | Sans Top 25, OWASP:A03 | Yes | +| Command Injection | CWE-78 | Sans Top 25, OWASP:A03 | Yes | +| Deserialization of Untrusted Data | CWE-502 | Sans Top 25, OWASP:A08 | Yes | +| Cross-Site Request Forgery (CSRF) | CWE-352 | Sans Top 25, OWASP:A01 | Yes | +| Password Requirements Not Enforced in Django Application | CWE-521 | OWASP:A07 | No | +| Use of Hardcoded Cryptographic Initialization Value | CWE-329 | OWASP:A02 | No | +| Use of Hardcoded Cryptographic Key | CWE-321 | OWASP:A02 | No | +| Hardcoded Secret | CWE-547 | OWASP:A05 | Yes | +| Use of a Broken or Risky Cryptographic Algorithm | CWE-327 | OWASP:A02 | No | +| Insecure default value | CWE-453 | None | No | +| Insecure File Permissions | CWE-732 | None | Yes | +| Use of Password Hash With Insufficient Computational Effort | CWE-916 | OWASP:A02 | Yes | +| Insecure Temporary 
File | CWE-377 | OWASP:A01 | Yes | +| Insecure Xml Parser | CWE-611 | OWASP:A05 | No | +| Jinja auto-escape is set to false. | CWE-79 | Sans Top 25, OWASP:A03 | Yes | +| LDAP Injection | CWE-90 | OWASP:A03 | No | +| Improper Handling of Insufficient Permissions or Privileges | CWE-280 | OWASP:A04 | No | +| Use of Hardcoded Credentials | CWE-798 | Sans Top 25, OWASP:A07 | No | +| Use of Hardcoded Passwords | CWE-798, CWE-259 | Sans Top 25, OWASP:A07 | No | +| NoSQL Injection | CWE-943 | None | No | +| Open Redirect | CWE-601 | OWASP:A01 | No | +| Path Traversal | CWE-23 | OWASP:A01 | Yes | +| Debug Mode Enabled | CWE-489 | None | Yes | +| Improper Certificate Validation | CWE-295 | OWASP:A07 | No | +| Server Information Exposure | CWE-209 | OWASP:A04 | No | +| SQL Injection | CWE-89 | Sans Top 25, OWASP:A03 | Yes | +| Server-Side Request Forgery (SSRF) | CWE-918 | Sans Top 25, OWASP:A10 | No | +| Improper Neutralization of Directives in Statically Saved Code | CWE-96 | OWASP:A03 | No | +| Inadequate Encryption Strength | CWE-326 | OWASP:A02 | Yes | +| Arbitrary File Write via Archive Extraction (Tar Slip) | CWE-22 | Sans Top 25, OWASP:A01 | No | +| Origin Validation Error | CWE-942, CWE-346 | OWASP:A05, OWASP:A07 | No | +| Cryptographic Issues | CWE-310 | OWASP:A02 | No | +| Python 2 source code | CWE-1104 | OWASP:A06 | No | +| Selection of Less-Secure Algorithm During Negotiation (SSL instead of TLS) | CWE-757 | OWASP:A02 | No | +| Sensitive Cookie Without 'HttpOnly' Flag | CWE-1004 | OWASP:A05 | Yes | +| Sensitive Cookie in HTTPS Session Without 'Secure' Attribute | CWE-614 | OWASP:A05 | Yes | +| Cross-site Scripting (XSS) | CWE-79 | Sans Top 25, OWASP:A03 | Yes | +| XPath Injection | CWE-643 | OWASP:A03 | No | +| Regular Expression Denial of Service (ReDoS) | CWE-400 | None | No | 
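Review bot: two rows in the new python-rules.md table disagree with the per-rule entries this hunk removes: 'Insecure File Permissions' now shows 'None' under Security Categories although the removed Rule (35) carried 'SANS/CWE Top 25', and 'Selection of Less-Secure Algorithm During Negotiation (SSL instead of TLS)' now says Autofixable 'No' although the removed Rule (36) said 'Autofixable by DeepCode AI Fix'; please confirm these are deliberate data changes and not conversion errors. The new intro bullet still reads 'Rule Name: Consecutive number for each rule and the Snyk name of the rule', but the table has no numbers, so drop 'Consecutive number for each rule and' (the same wording is repeated in the ruby, scala and swift pages in this patch). Minor: 'the category to which the rule belongs to' has a redundant 'to', the cells say 'Sans Top 25' while the bullet says 'SANS 25', and the trailing period in 'Jinja auto-escape is set to false.' breaks the naming style of the other rows.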
diff --git a/docs/scan-with-snyk/snyk-code/snyk-code-security-rules/ruby-rules.md b/docs/scan-with-snyk/snyk-code/snyk-code-security-rules/ruby-rules.md index 09f57de98ba8..c755183bc853 100644 --- a/docs/scan-with-snyk/snyk-code/snyk-code-security-rules/ruby-rules.md +++ b/docs/scan-with-snyk/snyk-code/snyk-code-security-rules/ruby-rules.md 
@@ -1,195 +1,43 @@ # Ruby rules -## Rule (1) Improper Input Validation - -**CWE** (20) Improper Input Validation - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A03:2021 - Injection - -**OWASP Top 10/SANS 25:** SANS/CWE Top 25 - -## Rule (2) Path Traversal - -**CWE** (23) Relative Path Traversal - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A01:2021 - Broken Access Control - -## Rule (3) Command Injection - -**CWE** (78) Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A03:2021 - Injection - -**OWASP Top 10/SANS 25:** SANS/CWE Top 25 - -## Rule (4) Cross-site Scripting (XSS) - -**CWE** (79) Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A03:2021 - Injection - -**OWASP Top 10/SANS 25:** SANS/CWE Top 25 - -## Rule (5) SQL Injection - -**CWE** (89) Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A03:2021 - Injection - -**OWASP Top 10/SANS 25:** SANS/CWE Top 25 - -## Rule (6) Code Injection - -**CWE** (94) Improper Control of Generation of Code ('Code Injection') - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A03:2021 - Injection - -## Rule (7) Remote Code Execution via Endpoint - -**CWE** (94) Improper Control of Generation of Code ('Code Injection') - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A03:2021 - Injection - -## Rule (8) Improper Neutralization of Directives in Statically Saved Code - -**CWE** (96) Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection') - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A03:2021 - Injection - -## Rule (9) Information Exposure - -**CWE** (200) Exposure of Sensitive Information to an Unauthorized Actor - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category 
A01:2021 - Broken Access Control - -**OWASP Top 10/SANS 25:** SANS/CWE Top 25 - -## Rule (10) Use of Hardcoded Credentials - -**CWE** (259, 798) Use of Hard-coded Password, Use of Hard-coded Credentials - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A07:2021 - Identification and Authentication Failures - -**OWASP Top 10/SANS 25:** SANS/CWE Top 25 - -## Rule (11) Session Manipulation - -**CWE** (285) Improper Authorization - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A01:2021 - Broken Access Control - -## Rule (12) Improper Certificate Validation - -**CWE** (295) Improper Certificate Validation - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A07:2021 - Identification and Authentication Failures - -## Rule (13) Selection of Less-Secure Algorithm During Negotiation (Force SSL) - -**CWE** (311, 757) Missing Encryption of Sensitive Data, Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade') - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A04:2021 - Insecure Design - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A02:2021 - Cryptographic Failures - -## Rule (14) Insecure Data Transmission - -**CWE** (319) Cleartext Transmission of Sensitive Information - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A02:2021 - Cryptographic Failures - -## Rule (15) Use of Hardcoded Cryptographic Key - -**CWE** (321) Use of Hard-coded Cryptographic Key - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A02:2021 - Cryptographic Failures - -## Rule (16) Use of a Broken or Risky Cryptographic Algorithm - -**CWE** (327) Use of a Broken or Risky Cryptographic Algorithm - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A02:2021 - Cryptographic Failures - -## Rule (17) Use of Insufficiently Random Values - -**CWE** (330) Use of Insufficiently Random Values - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A02:2021 - Cryptographic Failures - -## Rule (18) Regular Expression Denial of Service 
(ReDoS) - -**CWE** (400) Uncontrolled Resource Consumption - -## Rule (19) Unsafe Reflection - -**CWE** (470) Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A03:2021 - Injection - -## Rule (20) Deserialization of Untrusted Data - -**CWE** (502) Deserialization of Untrusted Data - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A08:2021 - Software and Data Integrity Failures - -**OWASP Top 10/SANS 25:** SANS/CWE Top 25 - -## Rule (21) No Weak Password Requirements - -**CWE** (521) Weak Password Requirements - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A07:2021 - Identification and Authentication Failures - -## Rule (22) Hardcoded Secret - -**CWE** (547) Use of Hard-coded, Security-relevant Constants - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A05:2021 - Security Misconfiguration - -## Rule (23) Open Redirect - -**CWE** (601) URL Redirection to Untrusted Site ('Open Redirect') - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A01:2021 - Broken Access Control - -## Rule (24) XML External Entity (XXE) Injection - -**CWE** (611) Improper Restriction of XML External Entity Reference - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A05:2021 - Security Misconfiguration - -**OWASP Top 10/SANS 25:** SANS/CWE Top 25 - -## Rule (25) Sensitive Cookie in HTTPS Session Without 'Secure' Attribute - -**CWE** (614) Sensitive Cookie in HTTPS Session Without 'Secure' Attribute - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A05:2021 - Security Misconfiguration - -## Rule (26) XPath Injection - -**CWE** (643) Improper Neutralization of Data within XPath Expressions ('XPath Injection') - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A03:2021 - Injection - -## Rule (27) Improperly Controlled Modification of Dynamically-Determined Object Attributes - -**CWE** (915) Improperly Controlled Modification of Dynamically-Determined Object 
Attributes - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A08:2021 - Software and Data Integrity Failures - -## Rule (28) Use of Password Hash With Insufficient Computational Effort - -**CWE** (916) Use of Password Hash With Insufficient Computational Effort - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A02:2021 - Cryptographic Failures - -## Rule (29) Sensitive Cookie Without 'HttpOnly' Flag - -**CWE** (1004) Sensitive Cookie Without 'HttpOnly' Flag - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A05:2021 - Security Misconfiguration - -## Rule (30) Incorrect regular expression for validating values - -**CWE** (1286) Improper Validation of Syntactic Correctness of Input +Each rule includes the following information. + +* **Rule Name**: Consecutive number for each rule and the Snyk name of the rule. +* **CWE(s):** The [CWE numbers](https://cwe.mitre.org/) that are covered by this rule. +* **Security Categories**: The [OWASP Top 10 ](https://owasp.org/Top10/)(2021 edition) category to which the rule belongs to, if any, and if it is included in [SANS 25](https://www.sans.org/top25-software-errors/). +* **Autofixable**: Security rules that are autofixable by DeepCode AI Fix. This information is included only for the supported programming languages. 
+ +| Rule Name | CWE(s) | Security Categories | Autofixable | +| ------------------------------------------------------------------------------ | ----------------------------------------------------------- | ------------------------------------------------------- | ----------- | +| Code Injection | CWE-94 | Sans Top 25, OWASP:A03 | No | +| Command Injection | CWE-78 | Sans Top 25, OWASP:A03 | No | +| Remote Code Execution via Endpoint | CWE-94 | Sans Top 25, OWASP:A03 | No | +| Deserialization of Untrusted Data | CWE-502 | Sans Top 25, OWASP:A08 | No | +| Use of Hardcoded Credentials | CWE-798, CWE-259 | Sans Top 25, OWASP:A07 | No | +| Use of Hardcoded Cryptographic Key | CWE-321 | OWASP:A02 | No | +| Hardcoded Secret | CWE-547 | OWASP:A05 | No | +| Use of Hardcoded Passwords | CWE-798, CWE-259 | Sans Top 25, OWASP:A07 | No | +| Use of a Broken or Risky Cryptographic Algorithm | CWE-327 | OWASP:A02 | No | +| Use of Password Hash With Insufficient Computational Effort | CWE-916 | OWASP:A02 | No | +| Use of Insufficiently Random Values | CWE-330 | OWASP:A02 | No | +| Sinatra Protection Layers Disabled | CWE-16, CWE-352, CWE-79, CWE-693, CWE-1021, CWE-35, CWE-348 | Sans Top 25, OWASP:A05, OWASP:A03, OWASP:A01, OWASP:A04 | No | +| Insecure Data Transmission | CWE-319 | OWASP:A02 | No | +| Improper Input Validation | CWE-20 | Sans Top 25, OWASP:A03 | No | +| Improperly Controlled Modification of Dynamically-Determined Object Attributes | CWE-915 | OWASP:A08 | No | +| Selection of Less-Secure Algorithm During Negotiation (Force SSL) | CWE-311, CWE-757 | OWASP:A02, OWASP:A04 | No | +| Open Redirect | CWE-601 | OWASP:A01 | No | +| Path Traversal | CWE-23 | OWASP:A01 | No | +| Unsafe Reflection | CWE-470 | OWASP:A03 | No | +| Improper Certificate Validation | CWE-295 | OWASP:A07 | No | +| Information Exposure | CWE-200 | OWASP:A01 | No | +| Session Manipulation | CWE-285 | OWASP:A01 | No | +| SQL Injection | CWE-89 | Sans Top 25, OWASP:A03 | No | +| Improper Neutralization 
of Directives in Statically Saved Code | CWE-96 | OWASP:A03 | No | +| No Weak Password Requirements | CWE-521 | OWASP:A07 | No | +| Sensitive Cookie Without 'HttpOnly' Flag | CWE-1004 | OWASP:A05 | No | +| Sensitive Cookie in HTTPS Session Without 'Secure' Attribute | CWE-614 | OWASP:A05 | No | +| Incorrect regular expression for validating values | CWE-1286 | None | No | +| Cross-site Scripting (XSS) | CWE-79 | Sans Top 25, OWASP:A03 | No | +| XML External Entity (XXE) Injection | CWE-611 | OWASP:A05 | No | +| XPath Injection | CWE-643 | OWASP:A03 | No | +| Regular Expression Denial of Service (ReDoS) | CWE-400 | None | No | diff --git a/docs/scan-with-snyk/snyk-code/snyk-code-security-rules/scala-rules.md b/docs/scan-with-snyk/snyk-code/snyk-code-security-rules/scala-rules.md index 389602556b81..1e3089209b0b 100644 --- a/docs/scan-with-snyk/snyk-code/snyk-code-security-rules/scala-rules.md +++ b/docs/scan-with-snyk/snyk-code/snyk-code-security-rules/scala-rules.md 
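Review bot: in the ruby-rules.md table several rows change their SANS Top 25 marking relative to the removed entries: 'Information Exposure' (removed Rule (9)) and 'XML External Entity (XXE) Injection' (removed Rule (24)) lose 'SANS/CWE Top 25' and now show only OWASP:A01 / OWASP:A05, while 'Code Injection' (Rule (6)) and 'Remote Code Execution via Endpoint' (Rule (7)) gain 'Sans Top 25' they did not have before; please confirm against the rule source. The new 'Use of Hardcoded Passwords' row is identical to 'Use of Hardcoded Credentials' (CWE-798, CWE-259; Sans Top 25, OWASP:A07) with nothing to tell them apart, and 'Sinatra Protection Layers Disabled' maps to seven CWEs across four OWASP categories, which a reader cannot act on without a short note on which disabled protection each CWE corresponds to. Every Ruby row is Autofixable 'No'; if DeepCode AI Fix does not cover Ruby, state that above the table rather than printing a column of 'No' (the intro bullet already says the information is included only for supported languages).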
@@ -1,291 +1,59 @@ # Scala rules -## Rule (1) External Control of System or Configuration Setting +Each rule includes the following information. + +* **Rule Name**: Consecutive number for each rule and the Snyk name of the rule. +* **CWE(s):** The [CWE numbers](https://cwe.mitre.org/) that are covered by this rule. +* **Security Categories**: The [OWASP Top 10 ](https://owasp.org/Top10/)(2021 edition) category to which the rule belongs to, if any, and if it is included in [SANS 25](https://www.sans.org/top25-software-errors/). +* **Autofixable**: Security rules that are autofixable by DeepCode AI Fix. This information is included only for the supported programming languages. + +| Rule Name | CWE(s) | Security Categories | Autofixable | +| ------------------------------------------------------------ | ---------------- | ---------------------- | ----------- | +| Use of Potentially Dangerous Function | CWE-676 | None | No | +| Cleartext Storage of Sensitive Information in a Cookie | CWE-315 | OWASP:A05 | No | +| Code Injection | CWE-94 | Sans Top 25, OWASP:A03 | No | +| Command Injection | CWE-78 | Sans Top 25, OWASP:A03 | No | +| Deserialization of Untrusted Data | CWE-502 | Sans Top 25, OWASP:A08 | No | +| Cross-Site Request Forgery (CSRF) | CWE-352 | Sans Top 25, OWASP:A01 | No | +| Information Exposure | CWE-200 | OWASP:A01 | No | +| Cleartext Transmission of Sensitive Information | CWE-319 | OWASP:A02 | No | +| Indirect Command Injection via User Controlled Environment | CWE-78 | Sans Top 25, OWASP:A03 | No | +| External Control of System or Configuration Setting | CWE-15 | OWASP:A05 | No | +| Process Control | CWE-114 | None | No | +| Use of Hardcoded Passwords | CWE-798, CWE-259 | Sans Top 25, OWASP:A07 | No | +| Hardcoded Secret | CWE-547 | OWASP:A05 | No | +| Improper Neutralization of CRLF Sequences in HTTP Headers | CWE-113 | OWASP:A03 | No | +| Disabled Neutralization of CRLF Sequences in HTTP Headers | CWE-113 | OWASP:A03 | No | +| Inadequate Padding for 
AES encryption | CWE-326 | OWASP:A02 | No | +| Use of a Broken or Risky Cryptographic Algorithm | CWE-327 | OWASP:A02 | No | +| Use of Password Hash With Insufficient Computational Effort | CWE-916 | OWASP:A02 | No | +| Use of Insufficiently Random Values | CWE-330 | OWASP:A02 | No | +| Improper Validation of Certificate with Host Mismatch | CWE-297 | OWASP:A07 | No | +| Java Naming and Directory Interface (JNDI) Injection | CWE-074 | None | No | +| Improper Authentication | CWE-287 | Sans Top 25, OWASP:A07 | No | +| LDAP Injection | CWE-90 | OWASP:A03 | No | +| Use of Hardcoded Credentials | CWE-798 | Sans Top 25, OWASP:A07 | No | +| The cipher text is equal to the provided input plain text | CWE-311 | OWASP:A04 | No | +| Use of Hardcoded, Security-relevant Constants | CWE-547 | OWASP:A05 | No | +| Open Redirect | CWE-601 | OWASP:A01 | No | +| Path Traversal | CWE-23 | OWASP:A01 | No | +| Regular expression injection | CWE-400, CWE-730 | None | No | +| Unprotected Storage of Credentials | CWE-256 | OWASP:A04 | No | +| Server Information Exposure | CWE-209 | OWASP:A04 | No | +| Cross-site Scripting (XSS) | CWE-79 | Sans Top 25, OWASP:A03 | No | +| Android World Writeable/Readable File Permission Found | CWE-732 | None | No | +| SQL Injection | CWE-89 | Sans Top 25, OWASP:A03 | No | +| Server-Side Request Forgery (SSRF) | CWE-918 | Sans Top 25, OWASP:A10 | No | +| Inadequate Encryption Strength | CWE-326 | OWASP:A02 | No | +| Observable Timing Discrepancy (Timing Attack) | CWE-208 | None | No | +| Origin Validation Error | CWE-942, CWE-346 | OWASP:A05, OWASP:A07 | No | +| Improper Certificate Validation | CWE-295 | OWASP:A07 | No | +| Cryptographic Issues | CWE-310 | OWASP:A02 | No | +| Trust Boundary Violation | CWE-501 | OWASP:A04 | No | +| Use of Externally-Controlled Format String | CWE-134 | None | No | +| Sensitive Cookie Without 'HttpOnly' Flag | CWE-1004 | OWASP:A05 | No | +| Sensitive Cookie in HTTPS Session Without 'Secure' Attribute | CWE-614 | OWASP:A05 
| No | +| Insufficient Session Expiration | CWE-613 | OWASP:A07 | No | +| XML External Entity (XXE) Injection | CWE-611 | OWASP:A05 | No | +| XPath Injection | CWE-643 | OWASP:A03 | No | -**CWE** (15) External Control of System or Configuration Setting - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A05:2021 - Security Misconfiguration - -## Rule (2) Path Traversal - -**CWE** (23) Relative Path Traversal - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A01:2021 - Broken Access Control - -## Rule (3) Java Naming and Directory Interface (JNDI) Injection - -**CWE** (74) Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A03:2021 - Injection - -## Rule (4) Command Injection - -**CWE** (78) Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A03:2021 - Injection - -**OWASP Top 10/SANS 25:** SANS/CWE Top 25 - -## Rule (5) Indirect Command Injection via User Controlled Environment - -**CWE** (78) Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A03:2021 - Injection - -**OWASP Top 10/SANS 25:** SANS/CWE Top 25 - -## Rule (6) Cross-site Scripting (XSS) - -**CWE** (79) Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A03:2021 - Injection - -**OWASP Top 10/SANS 25:** SANS/CWE Top 25 - -## Rule (7) SQL Injection - -**CWE** (89) Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A03:2021 - Injection - -**OWASP Top 10/SANS 25:** SANS/CWE Top 25 - -## Rule (8) LDAP Injection - -**CWE** (90) Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection') - -**OWASP Top 
10/SANS 25:** OWASP Top Ten 2021 Category A03:2021 - Injection - -## Rule (9) Code Injection - -**CWE** (94) Improper Control of Generation of Code ('Code Injection') - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A03:2021 - Injection - -## Rule (10) Improper Neutralization of CRLF Sequences in HTTP Headers - -**CWE** (113) Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A03:2021 - Injection - -## Rule (11) Disabled Neutralization of CRLF Sequences in HTTP Headers - -**CWE** (113) Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A03:2021 - Injection - -## Rule (12) Process Control - -**CWE** (114) Process Control - -## Rule (13) Use of Externally-Controlled Format String - -**CWE** (134) Use of Externally-Controlled Format String - -## Rule (14) Information Exposure - -**CWE** (200) Exposure of Sensitive Information to an Unauthorized Actor - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A01:2021 - Broken Access Control - -**OWASP Top 10/SANS 25:** SANS/CWE Top 25 - -## Rule (15) Observable Timing Discrepancy (Timing Attack) - -**CWE** (208) Observable Timing Discrepancy - -## Rule (16) Server Information Exposure - -**CWE** (209) Generation of Error Message Containing Sensitive Information - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A04:2021 - Insecure Design - -## Rule (17) Unprotected Storage of Credentials - -**CWE** (256) Plaintext Storage of a Password - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A04:2021 - Insecure Design - -## Rule (18) Use of Hardcoded Credentials - -**CWE** (259, 798) Use of Hard-coded Password, Use of Hard-coded Credentials - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A07:2021 - Identification and Authentication Failures - -**OWASP Top 10/SANS 25:** SANS/CWE Top 25 - -## Rule (19) 
Improper Authentication - -**CWE** (287) Improper Authentication - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A07:2021 - Identification and Authentication Failures - -**OWASP Top 10/SANS 25:** SANS/CWE Top 25 - -## Rule (20) Improper Certificate Validation - -**CWE** (295) Improper Certificate Validation - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A07:2021 - Identification and Authentication Failures - -## Rule (21) Improper Validation of Certificate with Host Mismatch - -**CWE** (297) Improper Validation of Certificate with Host Mismatch - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A07:2021 - Identification and Authentication Failures - -## Rule (22) Cryptographic Issues - -**CWE** (310) Cryptographic Issues - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A02:2021 - Cryptographic Failures - -## Rule (23) The cipher text is equal to the provided input plain text - -**CWE** (311) Missing Encryption of Sensitive Data - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A04:2021 - Insecure Design - -## Rule (24) Cleartext Storage of Sensitive Information in a Cookie - -**CWE** (315) Cleartext Storage of Sensitive Information in a Cookie - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A05:2021 - Security Misconfiguration - -## Rule (25) Cleartext Transmission of Sensitive Information - -**CWE** (319) Cleartext Transmission of Sensitive Information - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A02:2021 - Cryptographic Failures - -## Rule (26) Inadequate Padding for AES encryption - -**CWE** (326) Inadequate Encryption Strength - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A02:2021 - Cryptographic Failures - -## Rule (27) Inadequate Encryption Strength - -**CWE** (326) Inadequate Encryption Strength - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A02:2021 - Cryptographic Failures - -## Rule (28) Use of a Broken or Risky Cryptographic Algorithm - -**CWE** (327) Use of a Broken or 
Risky Cryptographic Algorithm - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A02:2021 - Cryptographic Failures - -## Rule (29) Use of Insufficiently Random Values - -**CWE** (330) Use of Insufficiently Random Values - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A02:2021 - Cryptographic Failures - -## Rule (30) Origin Validation Error - -**CWE** (346, 942) Origin Validation Error, Permissive Cross-domain Policy with Untrusted Domains - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A07:2021 - Identification and Authentication Failures - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A05:2021 - Security Misconfiguration - -## Rule (31) Cross-Site Request Forgery (CSRF) - -**CWE** (352) Cross-Site Request Forgery (CSRF) - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A01:2021 - Broken Access Control - -**OWASP Top 10/SANS 25:** SANS/CWE Top 25 - -## Rule (32) Regular expression injection - -**CWE** (400, 730) Uncontrolled Resource Consumption, OWASP Top Ten 2004 Category A9 - Denial of Service - -## Rule (33) Trust Boundary Violation - -**CWE** (501) Trust Boundary Violation - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A04:2021 - Insecure Design - -## Rule (34) Deserialization of Untrusted Data - -**CWE** (502) Deserialization of Untrusted Data - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A08:2021 - Software and Data Integrity Failures - -**OWASP Top 10/SANS 25:** SANS/CWE Top 25 - -## Rule (35) Hardcoded Secret - -**CWE** (547) Use of Hard-coded, Security-relevant Constants - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A05:2021 - Security Misconfiguration - -## Rule (36) Use of Hardcoded, Security-relevant Constants - -**CWE** (547) Use of Hard-coded, Security-relevant Constants - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A05:2021 - Security Misconfiguration - -## Rule (37) Open Redirect - -**CWE** (601) URL Redirection to Untrusted Site ('Open Redirect') - -**OWASP Top 
10/SANS 25:** OWASP Top Ten 2021 Category A01:2021 - Broken Access Control - -## Rule (38) XML External Entity (XXE) Injection - -**CWE** (611) Improper Restriction of XML External Entity Reference - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A05:2021 - Security Misconfiguration - -**OWASP Top 10/SANS 25:** SANS/CWE Top 25 - -## Rule (39) Insufficient Session Expiration - -**CWE** (613) Insufficient Session Expiration - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A07:2021 - Identification and Authentication Failures - -## Rule (40) Sensitive Cookie in HTTPS Session Without 'Secure' Attribute - -**CWE** (614) Sensitive Cookie in HTTPS Session Without 'Secure' Attribute - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A05:2021 - Security Misconfiguration - -## Rule (41) XPath Injection - -**CWE** (643) Improper Neutralization of Data within XPath Expressions ('XPath Injection') - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A03:2021 - Injection - -## Rule (42) Use of Potentially Dangerous Function - -**CWE** (676) Use of Potentially Dangerous Function - -## Rule (43) Android World Writeable/Readable File Permission Found - -**CWE** (732) Incorrect Permission Assignment for Critical Resource - -**OWASP Top 10/SANS 25:** SANS/CWE Top 25 - -## Rule (44) Use of Password Hash With Insufficient Computational Effort - -**CWE** (916) Use of Password Hash With Insufficient Computational Effort - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A02:2021 - Cryptographic Failures - -## Rule (45) Server-Side Request Forgery (SSRF) - -**CWE** (918) Server-Side Request Forgery (SSRF) - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A10:2021 - Server-Side Request Forgery (SSRF) - -**OWASP Top 10/SANS 25:** SANS/CWE Top 25 - -## Rule (46) Sensitive Cookie Without 'HttpOnly' Flag - -**CWE** (1004) Sensitive Cookie Without 'HttpOnly' Flag - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A05:2021 - Security Misconfiguration 
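Review bot: in the scala-rules.md table 'Java Naming and Directory Interface (JNDI) Injection' is written as CWE-074 with a leading zero, unlike every other CWE in the table and unlike the removed Rule (3), which had (74); use CWE-74 so the identifier matches MITRE's numbering and simple text matching on the page. The same row also drops the OWASP A03 Injection category the removed entry carried and now reads 'None'; likewise 'Android World Writeable/Readable File Permission Found' loses the 'SANS/CWE Top 25' marking of removed Rule (43), and 'Information Exposure' and 'XML External Entity (XXE) Injection' lose it from removed Rules (14) and (38); please confirm these are intended. 'Hardcoded Secret' and 'Use of Hardcoded, Security-relevant Constants' both map to CWE-547 / OWASP:A05 with no distinguishing text, and 'Use of Hardcoded Credentials' now lists only CWE-798 while removed Rule (18) had (259, 798); a one-line note on how the overlapping rows differ would help readers.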
diff --git a/docs/scan-with-snyk/snyk-code/snyk-code-security-rules/swift-rules.md b/docs/scan-with-snyk/snyk-code/snyk-code-security-rules/swift-rules.md index af318c60fd1e..5744f1482240 100644 --- a/docs/scan-with-snyk/snyk-code/snyk-code-security-rules/swift-rules.md +++ b/docs/scan-with-snyk/snyk-code/snyk-code-security-rules/swift-rules.md 
@@ -1,147 +1,33 @@ # Swift rules -## Rule (1) Path Traversal - -**CWE** (23) Relative Path Traversal - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A01:2021 - Broken Access Control - -## Rule (2) Command Injection - -**CWE** (78) Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A03:2021 - Injection - -**OWASP Top 10/SANS 25:** SANS/CWE Top 25 - -## Rule (3) Cross-site Scripting (XSS) - -**CWE** (79) Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A03:2021 - Injection - -**OWASP Top 10/SANS 25:** SANS/CWE Top 25 - -## Rule (4) SQL Injection - -**CWE** (89) Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A03:2021 - Injection - -**OWASP Top 10/SANS 25:** SANS/CWE Top 25 - -## Rule (5) Code Injection - -**CWE** (94) Improper Control of Generation of Code ('Code Injection') - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A03:2021 - Injection - -## Rule (6) Clear Text Logging - -**CWE** (200, 312) Exposure of Sensitive Information to an Unauthorized Actor, Cleartext Storage of Sensitive Information - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A01:2021 - Broken Access Control - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A04:2021 - Insecure Design - -**OWASP Top 10/SANS 25:** SANS/CWE Top 25 - -## Rule (7) Information Exposure - -**CWE** (200) Exposure of Sensitive Information to an Unauthorized Actor - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A01:2021 - Broken Access Control - -**OWASP Top 10/SANS 25:** SANS/CWE Top 25 - -## Rule (8) Use of Hardcoded Credentials - -**CWE** (259, 798) Use of Hard-coded Password, Use of Hard-coded Credentials - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A07:2021 - Identification and 
Authentication Failures - -**OWASP Top 10/SANS 25:** SANS/CWE Top 25 - -## Rule (9) Device Authentication Bypass - -**CWE** (287) Improper Authentication - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A07:2021 - Identification and Authentication Failures - -**OWASP Top 10/SANS 25:** SANS/CWE Top 25 - -## Rule (10) Improper Certificate Validation - -**CWE** (295) Improper Certificate Validation - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A07:2021 - Identification and Authentication Failures - -## Rule (11) Inadequate Encryption Strength - -**CWE** (326) Inadequate Encryption Strength - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A02:2021 - Cryptographic Failures - -## Rule (12) Use of a Broken or Risky Cryptographic Algorithm - -**CWE** (327) Use of a Broken or Risky Cryptographic Algorithm - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A02:2021 - Cryptographic Failures - -## Rule (13) Use of Insufficiently Random Values - -**CWE** (330) Use of Insufficiently Random Values - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A02:2021 - Cryptographic Failures - -## Rule (14) Insecure Deserialization - -**CWE** (502) Deserialization of Untrusted Data - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A08:2021 - Software and Data Integrity Failures - -**OWASP Top 10/SANS 25:** SANS/CWE Top 25 - -## Rule (15) Hardcoded Secret - -**CWE** (547) Use of Hard-coded, Security-relevant Constants - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A05:2021 - Security Misconfiguration - -## Rule (16) XML External Entity (XXE) Injection - -**CWE** (611) Improper Restriction of XML External Entity Reference - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A05:2021 - Security Misconfiguration - -**OWASP Top 10/SANS 25:** SANS/CWE Top 25 - -## Rule (17) Sensitive Cookie in HTTPS Session Without 'Secure' Attribute - -**CWE** (614) Sensitive Cookie in HTTPS Session Without 'Secure' Attribute - -**OWASP Top 10/SANS 
25:** OWASP Top Ten 2021 Category A05:2021 - Security Misconfiguration - -## Rule (18) Memory Corruption - -**CWE** (822) Untrusted Pointer Dereference - -## Rule (19) Use of Password Hash With Insufficient Computational Effort - -**CWE** (916) Use of Password Hash With Insufficient Computational Effort - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A02:2021 - Cryptographic Failures - -## Rule (20) Server-Side Request Forgery (SSRF) - -**CWE** (918) Server-Side Request Forgery (SSRF) - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A10:2021 - Server-Side Request Forgery (SSRF) - -**OWASP Top 10/SANS 25:** SANS/CWE Top 25 - -## Rule (21) Insecure Data Storage - -**CWE** (922) Insecure Storage of Sensitive Information - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A01:2021 - Broken Access Control +Each rule includes the following information. + +* **Rule Name**: Consecutive number for each rule and the Snyk name of the rule. +* **CWE(s):** The [CWE numbers](https://cwe.mitre.org/) that are covered by this rule. +* **Security Categories**: The [OWASP Top 10 ](https://owasp.org/Top10/)(2021 edition) category to which the rule belongs to, if any, and if it is included in [SANS 25](https://www.sans.org/top25-software-errors/). +* **Autofixable**: Security rules that are autofixable by DeepCode AI Fix. This information is included only for the supported programming languages. 
+ +| Rule Name | CWE(s) | Security Categories | Autofixable | +| ------------------------------------------------------------ | ---------------- | ---------------------- | ----------- | +| Clear Text Logging | CWE-200, CWE-312 | OWASP:A01, OWASP:A04 | No | +| Code Injection | CWE-94 | Sans Top 25, OWASP:A03 | No | +| Command Injection | CWE-78 | Sans Top 25, OWASP:A03 | No | +| Device Authentication Bypass | CWE-287 | Sans Top 25, OWASP:A07 | No | +| Hardcoded Secret | CWE-547 | OWASP:A05 | No | +| Use of a Broken or Risky Cryptographic Algorithm | CWE-327 | OWASP:A02 | No | +| Use of Password Hash With Insufficient Computational Effort | CWE-916 | OWASP:A02 | No | +| Information Exposure | CWE-200 | OWASP:A01 | No | +| Use of Insufficiently Random Values | CWE-330 | OWASP:A02 | No | +| Insecure Data Storage | CWE-922 | OWASP:A01 | No | +| Memory Corruption | CWE-822 | None | No | +| Use of Hardcoded Credentials | CWE-798 | Sans Top 25, OWASP:A07 | No | +| Use of Hardcoded Passwords | CWE-798, CWE-259 | Sans Top 25, OWASP:A07 | No | +| Path Traversal | CWE-23 | OWASP:A01 | No | +| Improper Certificate Validation | CWE-295 | OWASP:A07 | No | +| SQL Injection | CWE-89 | Sans Top 25, OWASP:A03 | No | +| Server-Side Request Forgery (SSRF) | CWE-918 | Sans Top 25, OWASP:A10 | No | +| Insecure Deserialization | CWE-502 | Sans Top 25, OWASP:A08 | No | +| Inadequate Encryption Strength | CWE-326 | OWASP:A02 | No | +| Sensitive Cookie in HTTPS Session Without 'Secure' Attribute | CWE-614 | OWASP:A05 | No | +| Cross-site Scripting (XSS) | CWE-79 | Sans Top 25, OWASP:A03 | No | +| XML External Entity (XXE) Injection | CWE-611 | OWASP:A05 | No | diff --git a/docs/scan-with-snyk/snyk-code/snyk-code-security-rules/visual-basic-rules.md b/docs/scan-with-snyk/snyk-code/snyk-code-security-rules/visual-basic-rules.md index e50dbe7ad650..da40077299f8 100644 --- a/docs/scan-with-snyk/snyk-code/snyk-code-security-rules/visual-basic-rules.md 
+++ b/docs/scan-with-snyk/snyk-code/snyk-code-security-rules/visual-basic-rules.md 
@@ -1,141 +1,35 @@ # Visual Basic rules -## Rule (1) Path Traversal - -**CWE** (23) Relative Path Traversal - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A01:2021 - Broken Access Control - -## Rule (2) Command Injection - -**CWE** (78) Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A03:2021 - Injection - -**OWASP Top 10/SANS 25:** SANS/CWE Top 25 - -## Rule (3) Cross-site Scripting (XSS) - -**CWE** (79) Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A03:2021 - Injection - -**OWASP Top 10/SANS 25:** SANS/CWE Top 25 - -## Rule (4) SQL Injection - -**CWE** (89) Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A03:2021 - Injection - -**OWASP Top 10/SANS 25:** SANS/CWE Top 25 - -## Rule (5) XML Injection - -**CWE** (91) XML Injection (aka Blind XPath Injection) - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A03:2021 - Injection - -## Rule (6) Code Injection - -**CWE** (94) Improper Control of Generation of Code ('Code Injection') - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A03:2021 - Injection - -## Rule (7) Debug Features Enabled - -**CWE** (215) Insertion of Sensitive Information Into Debugging Code - -## Rule (8) Use of Hardcoded Credentials - -**CWE** (259, 798) Use of Hard-coded Password, Use of Hard-coded Credentials - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A07:2021 - Identification and Authentication Failures - -**OWASP Top 10/SANS 25:** SANS/CWE Top 25 - -## Rule (9) Inadequate Encryption Strength - -**CWE** (326) Inadequate Encryption Strength - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A02:2021 - Cryptographic Failures - -## Rule (10) Use of a Broken or Risky Cryptographic Algorithm - -**CWE** (327) Use of a Broken 
or Risky Cryptographic Algorithm - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A02:2021 - Cryptographic Failures - -## Rule (11) Use of Insufficiently Random Values - -**CWE** (330) Use of Insufficiently Random Values - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A02:2021 - Cryptographic Failures - -## Rule (12) Regular expression injection - -**CWE** (400, 730) Uncontrolled Resource Consumption, OWASP Top Ten 2004 Category A9 - Denial of Service - -## Rule (13) Deserialization of Untrusted Data - -**CWE** (502) Deserialization of Untrusted Data - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A08:2021 - Software and Data Integrity Failures - -**OWASP Top 10/SANS 25:** SANS/CWE Top 25 - -## Rule (14) Hardcoded Secret - -**CWE** (547) Use of Hard-coded, Security-relevant Constants - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A05:2021 - Security Misconfiguration - -## Rule (15) Request Validation Disabled - -**CWE** (554) ASP.NET Misconfiguration: Not Using Input Validation Framework - -## Rule (16) Open Redirect - -**CWE** (601) URL Redirection to Untrusted Site ('Open Redirect') - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A01:2021 - Broken Access Control - -## Rule (17) XML External Entity (XXE) Injection - -**CWE** (611) Improper Restriction of XML External Entity Reference - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A05:2021 - Security Misconfiguration - -**OWASP Top 10/SANS 25:** SANS/CWE Top 25 - -## Rule (18) Sensitive Cookie in HTTPS Session Without 'Secure' Attribute - -**CWE** (614) Sensitive Cookie in HTTPS Session Without 'Secure' Attribute - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A05:2021 - Security Misconfiguration - -## Rule (19) XPath Injection - -**CWE** (643) Improper Neutralization of Data within XPath Expressions ('XPath Injection') - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A03:2021 - Injection - -## Rule (20) Use of Password Hash With Insufficient 
Computational Effort - -**CWE** (916) Use of Password Hash With Insufficient Computational Effort - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A02:2021 - Cryptographic Failures - -## Rule (21) Server-Side Request Forgery (SSRF) - -**CWE** (918) Server-Side Request Forgery (SSRF) - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A10:2021 - Server-Side Request Forgery (SSRF) - -**OWASP Top 10/SANS 25:** SANS/CWE Top 25 - -## Rule (22) Sensitive Cookie Without 'HttpOnly' Flag - -**CWE** (1004) Sensitive Cookie Without 'HttpOnly' Flag - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A05:2021 - Security Misconfiguration +Each rule includes the following information. + +* **Rule Name**: Consecutive number for each rule and the Snyk name of the rule. +* **CWE(s):** The [CWE numbers](https://cwe.mitre.org/) that are covered by this rule. +* **Security Categories**: The [OWASP Top 10 ](https://owasp.org/Top10/)(2021 edition) category to which the rule belongs to, if any, and if it is included in [SANS 25](https://www.sans.org/top25-software-errors/). +* **Autofixable**: Security rules that are autofixable by DeepCode AI Fix. This information is included only for the supported programming languages. 
+ +| Rule Name | CWE(s) | Security Categories | Autofixable | +| ------------------------------------------------------------ | ---------------- | ---------------------- | ----------- | +| Debug Features Enabled | CWE-215 | None | No | +| Usage of BinaryFormatter | CWE-502 | Sans Top 25, OWASP:A08 | No | +| Code Injection | CWE-94 | Sans Top 25, OWASP:A03 | No | +| Command Injection | CWE-78 | Sans Top 25, OWASP:A03 | No | +| Deserialization of Untrusted Data | CWE-502 | Sans Top 25, OWASP:A08 | No | +| Hardcoded Secret | CWE-547 | OWASP:A05 | No | +| Improper Neutralization of CRLF Sequences in HTTP Headers | CWE-113 | OWASP:A03 | No | +| Use of a Broken or Risky Cryptographic Algorithm | CWE-327 | OWASP:A02 | No | +| Use of Password Hash With Insufficient Computational Effort | CWE-916 | OWASP:A02 | No | +| Use of Insufficiently Random Values | CWE-330 | OWASP:A02 | No | +| Use of Hardcoded Credentials | CWE-798 | Sans Top 25, OWASP:A07 | No | +| Open Redirect | CWE-601 | OWASP:A01 | No | +| Path Traversal | CWE-23 | OWASP:A01 | No | +| Regular expression injection | CWE-400, CWE-730 | None | No | +| Request Validation Disabled | CWE-554 | None | No | +| SQL Injection | CWE-89 | Sans Top 25, OWASP:A03 | No | +| Server-Side Request Forgery (SSRF) | CWE-918 | Sans Top 25, OWASP:A10 | No | +| Inadequate Encryption Strength | CWE-326 | OWASP:A02 | No | +| Sensitive Cookie Without 'HttpOnly' Flag | CWE-1004 | OWASP:A05 | No | +| Sensitive Cookie in HTTPS Session Without 'Secure' Attribute | CWE-614 | OWASP:A05 | No | +| Cross-site Scripting (XSS) | CWE-79 | Sans Top 25, OWASP:A03 | No | +| XML External Entity (XXE) Injection | CWE-611 | OWASP:A05 | No | +| XML Injection | CWE-91 | OWASP:A03 | No | +| XPath Injection | CWE-643 | OWASP:A03 | No | diff --git a/docs/scan-with-snyk/snyk-code/snyk-code-security-rules/xml-rules.md b/docs/scan-with-snyk/snyk-code/snyk-code-security-rules/xml-rules.md index 435b80f6ecb9..4a6404dc0546 100644 
--- a/docs/scan-with-snyk/snyk-code/snyk-code-security-rules/xml-rules.md +++ b/docs/scan-with-snyk/snyk-code/snyk-code-security-rules/xml-rules.md 
@@ -1,31 +1,19 @@ # XML rules -## Rule (1) Debug Features Enabled - -**CWE** (215) Insertion of Sensitive Information Into Debugging Code - -## Rule (2) Use of Hardcoded Credentials - -**CWE** (259, 798) Use of Hard-coded Password, Use of Hard-coded Credentials - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A07:2021 - Identification and Authentication Failures - -**OWASP Top 10/SANS 25:** SANS/CWE Top 25 - -## Rule (3) ASP SSL Disabled - -**CWE** (319) Cleartext Transmission of Sensitive Information - -**OWASP Top 10/SANS 25:** OWASP Top Ten 2021 Category A02:2021 - Cryptographic Failures - -## Rule (4) Android Debug Mode Enabled - -**CWE** (489) Active Debug Code - -## Rule (5) Struts Development Mode Enabled - -**CWE** (489) Active Debug Code - -## Rule (6) Request Validation Disabled - -**CWE** (554) ASP.NET Misconfiguration: Not Using Input Validation Framework +Each rule includes the following information. + +* **Rule Name**: Consecutive number for each rule and the Snyk name of the rule. +* **CWE(s):** The [CWE numbers](https://cwe.mitre.org/) that are covered by this rule. +* **Security Categories**: The [OWASP Top 10 ](https://owasp.org/Top10/)(2021 edition) category to which the rule belongs to, if any, and if it is included in [SANS 25](https://www.sans.org/top25-software-errors/). +* **Autofixable**: Security rules that are autofixable by DeepCode AI Fix. This information is included only for the supported programming languages. 
+ +| Rule Name | CWE(s) | Security Categories | Autofixable | +| ------------------------------------------------------------ | ---------------- | ---------------------- | ----------- | +| Android Debug Mode Enabled | CWE-489 | None | No | +| Debug Features Enabled | CWE-215 | None | No | +| Generation of Error Message Containing Sensitive Information | CWE-209 | OWASP:A04 | No | +| Improper Restriction of Rendered UI Layers or Frames | CWE-1021 | OWASP:A04 | No | +| ASP SSL Disabled | CWE-319 | OWASP:A02 | No | +| Use of Hardcoded Passwords | CWE-798, CWE-259 | Sans Top 25, OWASP:A07 | No | +| Request Validation Disabled | CWE-554 | None | No | +| Struts Development Mode Enabled | CWE-489 | None | No |
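Review bot: In the Swift hunk, the new `* **Rule Name**` bullet still reads "Consecutive number for each rule and the Snyk name of the rule", but the replacement table drops the `## Rule (N)` numbering, so the description no longer matches what the table shows; suggest `* **Rule Name**: The Snyk name of the rule.` In the `**Security Categories**` bullet, "the category to which the rule belongs to" has a doubled "to", and the link text `[OWASP Top 10 ](https://owasp.org/Top10/)` carries a trailing space inside the brackets that renders as an underlined gap. The table rows also follow no visible order (Clear Text Logging, Code Injection, Command Injection, Device Authentication Bypass, Hardcoded Secret, Use of a Broken or Risky Cryptographic Algorithm, ...), so sort them by Rule Name to keep a 22-row table scannable.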
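Review bot: In the Visual Basic hunk, CWE-259 is lost: the removed `## Rule (8) Use of Hardcoded Credentials` covered `(259, 798)`, but the new `Use of Hardcoded Credentials | CWE-798` row lists only CWE-798 and, unlike the Swift and XML tables in this same patch, there is no `Use of Hardcoded Passwords | CWE-798, CWE-259` row; either add that row or restore CWE-259 on the existing one. The `Regular expression injection | CWE-400, CWE-730 | None` row carries over CWE-730, which the removed text itself labels "OWASP Top Ten 2004 Category A9 - Denial of Service", that is a category entry rather than a weakness, so consider dropping it from the CWE(s) column or moving it to Security Categories. "Regular expression injection" is also the only rule name not in title case. The stale "Consecutive number" wording and the doubled "to" in the bullet list apply here exactly as on the other language pages.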
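Review bot: In the XML hunk, every row shows `Autofixable | No` while the bullet above says this information "is included only for the supported programming languages"; for a configuration-language page it is unclear whether "No" means the rule cannot be autofixed or that DeepCode AI Fix does not support XML at all, so either omit the column or make the bullet say which it is. The rename from the removed `## Rule (2) Use of Hardcoded Credentials` with `(259, 798)` to `Use of Hardcoded Passwords | CWE-798, CWE-259` is inconsistent with the Swift table in the same patch, which keeps `Use of Hardcoded Credentials` as its own row; pick one naming convention across the language pages. Rows are not sorted (`ASP SSL Disabled` sits between `Improper Restriction of Rendered UI Layers or Frames` and `Use of Hardcoded Passwords`); sort by Rule Name as for the other tables.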