From f85e366cc21809e5e6d99771a88d9dcb1af52a2f Mon Sep 17 00:00:00 2001 From: Berkay Berabi Date: Fri, 3 Jul 2026 10:02:05 +0000 Subject: [PATCH] set all Autofixable fields to True --- .../c-and-asp.net-rules.md | 44 +++---- .../snyk-code-security-rules/c-c++-rules.md | 42 +++---- .../snyk-code-security-rules/cobol-rules.md | 30 ++--- .../dart-and-flutter-rules.md | 30 ++--- .../snyk-code-security-rules/go-rules.md | 18 +-- .../snyk-code-security-rules/groovy-rules.md | 30 ++--- .../snyk-code-security-rules/java-rules.md | 86 ++++++------- .../javascript-and-typescript-rules.md | 48 +++---- .../snyk-code-security-rules/kotlin-rules.md | 118 +++++++++--------- .../objective-c-rules.md | 36 +++--- .../snyk-code-security-rules/php-rules.md | 56 ++++----- .../snyk-code-security-rules/python-rules.md | 50 ++++---- .../snyk-code-security-rules/ruby-rules.md | 64 +++++----- .../snyk-code-security-rules/rust-rules.md | 30 ++--- .../snyk-code-security-rules/scala-rules.md | 94 +++++++------- .../snyk-code-security-rules/swift-rules.md | 44 +++---- .../visual-basic-rules.md | 48 +++---- 17 files changed, 434 insertions(+), 434 deletions(-) diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-code/snyk-code-security-rules/c-and-asp.net-rules.md b/scan-fix-and-prevent/scan-with-snyk/snyk-code/snyk-code-security-rules/c-and-asp.net-rules.md index bd9c5a324c18..0baed55b701c 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-code/snyk-code-security-rules/c-and-asp.net-rules.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-code/snyk-code-security-rules/c-and-asp.net-rules.md @@ -11,34 +11,34 @@ Each rule includes the following information. | ----------------------------------------------------------------- | ---------------- | ---------------------- | ----------- | | Anti-forgery token validation disabled | CWE-352 | Sans Top 25, OWASP:A01 | Yes | | Debug Features Enabled | CWE-215 | None | Yes | -| Usage of BinaryFormatter | CWE-502 | Sans Top 25, OWASP:A08 | No | -| Cleartext Storage of Sensitive Information in a Cookie | CWE-315 | OWASP:A05 | No | -| Code Injection | CWE-94 | Sans Top 25, OWASP:A03 | No | -| Command Injection | CWE-78 | Sans Top 25, OWASP:A03 | No | +| Usage of BinaryFormatter | CWE-502 | Sans Top 25, OWASP:A08 | Yes | +| Cleartext Storage of Sensitive Information in a Cookie | CWE-315 | OWASP:A05 | Yes | +| Code Injection | CWE-94 | Sans Top 25, OWASP:A03 | Yes | +| Command Injection | CWE-78 | Sans Top 25, OWASP:A03 | Yes | | Deserialization of Untrusted Data | CWE-502 | Sans Top 25, OWASP:A08 | Yes | -| Hardcoded Secret | CWE-547 | OWASP:A05 | No | -| Improper Neutralization of CRLF Sequences in HTTP Headers | CWE-113 | OWASP:A03 | No | -| Use of a Broken or Risky Cryptographic Algorithm | CWE-327 | OWASP:A02 | No | +| Hardcoded Secret | CWE-547 | OWASP:A05 | Yes | +| Improper Neutralization of CRLF Sequences in HTTP Headers | CWE-113 | OWASP:A03 | Yes | +| Use of a Broken or Risky Cryptographic Algorithm | CWE-327 | OWASP:A02 | Yes | | Use of Password Hash With Insufficient Computational Effort | CWE-916 | OWASP:A02 | Yes | -| Use of Insufficiently Random Values | CWE-330 | OWASP:A02 | No | +| Use of Insufficiently Random Values | CWE-330 | OWASP:A02 | Yes | | Insecure Data Transmission | CWE-319 | OWASP:A02 | Yes | -| LDAP Injection | CWE-90 | OWASP:A03 | No | +| LDAP Injection | CWE-90 | OWASP:A03 | Yes | | Log Forging | CWE-117 | OWASP:A09 | Yes | | Use of Hardcoded Credentials | CWE-798 | Sans Top 25, OWASP:A07 | Yes | -| Open Redirect | CWE-601 | OWASP:A01 | No | -| Path Traversal | CWE-23 | OWASP:A01 | No | +| Open Redirect | CWE-601 | OWASP:A01 | Yes | +| Path Traversal | CWE-23 | OWASP:A01 | Yes | | Exposure of Private Personal Information to an Unauthorized Actor | CWE-359 | OWASP:A01 | Yes | -| Regular expression injection | CWE-400, CWE-730 | None | No | +| Regular expression injection | CWE-400, CWE-730 | None | Yes | | Request Validation Disabled | CWE-554 | None | Yes | -| Information Exposure | CWE-200 | OWASP:A01 | No | -| SQL Injection | CWE-89 | Sans Top 25, OWASP:A03 | No | -| Server-Side Request Forgery (SSRF) | CWE-918 | Sans Top 25, OWASP:A10 | No | -| Inadequate Encryption Strength | CWE-326 | OWASP:A02 | No | +| Information Exposure | CWE-200 | OWASP:A01 | Yes | +| SQL Injection | CWE-89 | Sans Top 25, OWASP:A03 | Yes | +| Server-Side Request Forgery (SSRF) | CWE-918 | Sans Top 25, OWASP:A10 | Yes | +| Inadequate Encryption Strength | CWE-326 | OWASP:A02 | Yes | | Sensitive Cookie Without 'HttpOnly' Flag | CWE-1004 | OWASP:A05 | Yes | | Sensitive Cookie in HTTPS Session Without 'Secure' Attribute | CWE-614 | OWASP:A05 | Yes | -| Cross-site Scripting (XSS) | CWE-79 | Sans Top 25, OWASP:A03 | No | -| XML External Entity (XXE) Injection | CWE-611 | OWASP:A05 | No | -| XAML Injection | CWE-611 | OWASP:A05 | No | -| XML Injection | CWE-91 | OWASP:A03 | No | -| XPath Injection | CWE-643 | OWASP:A03 | No | -| Arbitrary File Write via Archive Extraction (Zip Slip) | CWE-22 | Sans Top 25, OWASP:A01 | No | +| Cross-site Scripting (XSS) | CWE-79 | Sans Top 25, OWASP:A03 | Yes | +| XML External Entity (XXE) Injection | CWE-611 | OWASP:A05 | Yes | +| XAML Injection | CWE-611 | OWASP:A05 | Yes | +| XML Injection | CWE-91 | OWASP:A03 | Yes | +| XPath Injection | CWE-643 | OWASP:A03 | Yes | +| Arbitrary File Write via Archive Extraction (Zip Slip) | CWE-22 | Sans Top 25, OWASP:A01 | Yes | diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-code/snyk-code-security-rules/c-c++-rules.md b/scan-fix-and-prevent/scan-with-snyk/snyk-code/snyk-code-security-rules/c-c++-rules.md index b9b1bee929ea..747c2bc6109d 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-code/snyk-code-security-rules/c-c++-rules.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-code/snyk-code-security-rules/c-c++-rules.md @@ -10,33 +10,33 @@ Each rule includes the following information. | Rule Name | CWE(s) | Security Categories | Autofixable | | ------------------------------------------------------------------------ | ---------------- | ---------------------- | ----------- | | Memory Allocation Of String Length | CWE-170 | None | Yes | -| Insecure Anonymous LDAP Binding | CWE-287 | Sans Top 25, OWASP:A07 | No | +| Insecure Anonymous LDAP Binding | CWE-287 | Sans Top 25, OWASP:A07 | Yes | | Buffer Overflow | CWE-122 | None | Yes | -| Division By Zero | CWE-369 | None | No | +| Division By Zero | CWE-369 | None | Yes | | Missing Release of File Descriptor or Handle after Effective Lifetime | CWE-775 | None | Yes | -| Command Injection | CWE-78 | Sans Top 25, OWASP:A03 | No | -| Dereference of a NULL Pointer | CWE-476 | Sans Top 25 | No | +| Command Injection | CWE-78 | Sans Top 25, OWASP:A03 | Yes | +| Dereference of a NULL Pointer | CWE-476 | Sans Top 25 | Yes | | Double Free | CWE-415 | None | Yes | | Use of Externally-Controlled Format String | CWE-134 | None | Yes | -| Use of Hardcoded Cryptographic Key | CWE-321 | OWASP:A02 | No | -| Improper Null Termination | CWE-170 | None | No | +| Use of Hardcoded Cryptographic Key | CWE-321 | OWASP:A02 | Yes | +| Improper Null Termination | CWE-170 | None | Yes | | Use of Password Hash With Insufficient Computational Effort | CWE-916 | OWASP:A02 | Yes | -| Integer Overflow | CWE-190 | Sans Top 25 | No | -| LDAP Injection | CWE-90 | OWASP:A03 | No | +| Integer Overflow | CWE-190 | Sans Top 25 | Yes | +| LDAP Injection | CWE-90 | OWASP:A03 | Yes | | Missing Release of Memory after Effective Lifetime | CWE-401 | None | Yes | -| An optimizing compiler may remove memset non-zero leaving data in memory | CWE-1330 | None | No | -| Potential Negative Number Used as Index | CWE-125, CWE-787 | Sans Top 25 | No | -| Path Traversal | CWE-23 | OWASP:A01 | No | -| Exposure of Private Personal Information to an Unauthorized Actor | CWE-359 | OWASP:A01 | No | +| An optimizing compiler may remove memset non-zero leaving data in memory | CWE-1330 | None | Yes | +| Potential Negative Number Used as Index | CWE-125, CWE-787 | Sans Top 25 | Yes | +| Path Traversal | CWE-23 | OWASP:A01 | Yes | +| Exposure of Private Personal Information to an Unauthorized Actor | CWE-359 | OWASP:A01 | Yes | | Size Used as Index | CWE-125, CWE-787 | Sans Top 25 | Yes | -| SQL Injection | CWE-89 | Sans Top 25, OWASP:A03 | No | -| Server-Side Request Forgery (SSRF) | CWE-918 | Sans Top 25, OWASP:A10 | No | +| SQL Injection | CWE-89 | Sans Top 25, OWASP:A03 | Yes | +| Server-Side Request Forgery (SSRF) | CWE-918 | Sans Top 25, OWASP:A10 | Yes | | Inadequate Encryption Strength | CWE-326 | OWASP:A02 | Yes | | Potential buffer overflow from usage of unsafe function | CWE-122 | None | Yes | -| Use of Expired File Descriptor | CWE-910 | None | No | -| Use After Free | CWE-416 | Sans Top 25 | No | -| User Controlled Pointer | CWE-1285 | None | No | -| Authentication Bypass by Spoofing | CWE-290 | OWASP:A07 | No | -| Cross-site Scripting (XSS) | CWE-79 | Sans Top 25, OWASP:A03 | No | -| XML External Entity (XXE) Injection | CWE-611 | OWASP:A05 | No | -| XPath Injection | CWE-643 | OWASP:A03 | No | +| Use of Expired File Descriptor | CWE-910 | None | Yes | +| Use After Free | CWE-416 | Sans Top 25 | Yes | +| User Controlled Pointer | CWE-1285 | None | Yes | +| Authentication Bypass by Spoofing | CWE-290 | OWASP:A07 | Yes | +| Cross-site Scripting (XSS) | CWE-79 | Sans Top 25, OWASP:A03 | Yes | +| XML External Entity (XXE) Injection | CWE-611 | OWASP:A05 | Yes | +| XPath Injection | CWE-643 | OWASP:A03 | Yes | diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-code/snyk-code-security-rules/cobol-rules.md b/scan-fix-and-prevent/scan-with-snyk/snyk-code/snyk-code-security-rules/cobol-rules.md index d02f65a3dd64..be20c40c19d1 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-code/snyk-code-security-rules/cobol-rules.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-code/snyk-code-security-rules/cobol-rules.md @@ -13,18 +13,18 @@ Each rule includes the following information. | Rule Name | CWE(s) | Security Categories | Autofixable | | --------------------------------------------------- | ---------------- | --------------------------- | ----------- | -| Use of Hardcoded Cryptographic Key | CWE-321 | OWASP:A02:2021 | No | -| Use of Hardcoded Cryptographic Initialization Value | CWE-321 | OWASP:A02:2021 | No | -| No Dynamic SQL Clauses | CWE-89 | Sans Top 25, OWASP:A03:2021 | No | -| Inadequate Encryption Strength - Small Key Size | CWE-326 | OWASP:A02:2021 | No | -| Weak Cryptographic Primitive | CWE-327 | OWASP:A02:2021 | No | -| Clear Text Logging | CWE-321 | OWASP:A02:2021 | No | -| Hardcoded Secret | CWE-547 | OWASP:A02:2021 | No | -| Injection on Accept | CWE-20 | SANS Top 25 | No | -| Insecure Debug Features Enabled | CWE-489, CWE-215 | OWASP:A05:2021 | No | -| Insecure Data Transmission | CWE-319 | OWASP:A02:2021 | No | -| SQL SELECT statement without WHERE clause | CWE-668 | OWASP:A01:2021 | No | -| Multiple CICS HANDLE ABEND Declarations | CWE-755 | OWASP:A05:2021 | No | -| Missing SQL Communication Area (SQLCA) | CWE-391 | OWASP:A05:2021 | No | -| Ignored Error Condition | CWE-391 | OWASP:A05:2021 | No | -| Use of a Broken or Risky Cryptographic Algorithm | CWE-327 | OWASP:A02:2021 | No | +| Use of Hardcoded Cryptographic Key | CWE-321 | OWASP:A02:2021 | Yes | +| Use of Hardcoded Cryptographic Initialization Value | CWE-321 | OWASP:A02:2021 | Yes | +| No Dynamic SQL Clauses | CWE-89 | Sans Top 25, OWASP:A03:2021 | Yes | +| Inadequate Encryption Strength - Small Key Size | CWE-326 | OWASP:A02:2021 | Yes | +| Weak Cryptographic Primitive | CWE-327 | OWASP:A02:2021 | Yes | +| Clear Text Logging | CWE-321 | OWASP:A02:2021 | Yes | +| Hardcoded Secret | CWE-547 | OWASP:A02:2021 | Yes | +| Injection on Accept | CWE-20 | SANS Top 25 | Yes | +| Insecure Debug Features Enabled | CWE-489, CWE-215 | OWASP:A05:2021 | Yes | +| Insecure Data Transmission | CWE-319 | OWASP:A02:2021 | Yes | +| SQL SELECT statement without WHERE clause | CWE-668 | OWASP:A01:2021 | Yes | +| Multiple CICS HANDLE ABEND Declarations | CWE-755 | OWASP:A05:2021 | Yes | +| Missing SQL Communication Area (SQLCA) | CWE-391 | OWASP:A05:2021 | Yes | +| Ignored Error Condition | CWE-391 | OWASP:A05:2021 | Yes | +| Use of a Broken or Risky Cryptographic Algorithm | CWE-327 | OWASP:A02:2021 | Yes | diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-code/snyk-code-security-rules/dart-and-flutter-rules.md b/scan-fix-and-prevent/scan-with-snyk/snyk-code/snyk-code-security-rules/dart-and-flutter-rules.md index 5e807a0597c4..290514403e86 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-code/snyk-code-security-rules/dart-and-flutter-rules.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-code/snyk-code-security-rules/dart-and-flutter-rules.md @@ -13,18 +13,18 @@ Each rule includes the following information. | Rule Name | CWE(s) | Security Categories | Autofixable | | ------------------------------------------------------------ | ---------------- | ---------------------- | ----------- | -| Clear Text Logging | CWE-200, CWE-312 | OWASP:A01, OWASP:A04 | No | -| Cleartext Transmission - HTTP Instead of HTTPS | CWE-319 | OWASP:A02 | No | -| Code Injection | CWE-94 | OWASP:A03 | No | -| File Access Enabled | CWE-200 | OWASP:A01, OWASP:A04 | No | -| Improper Certificate Validation - SSL Verification Bypass | CWE-295 | OWASP:A07 | No | -| Insecure JWT Verification Method | CWE-347 | OWASP:A02 | No | -| Insecure Storage Shared Keystore | CWE-922 | | No | -| Insecure Token Storage | CWE-798 | Sans Top 25, OWASP:A07 | No | -| Sensitive Cookie Without 'HttpOnly' Flag | CWE-1004 | OWASP:A05 | No | -| Sensitive Cookie in HTTPS Session Without 'Secure' Attribute | CWE-614 | OWASP:A05 | No | -| Use of Hardcoded Credentials | CWE-798 | Sans Top 25, OWASP:A07 | No | -| Use of Hardcoded Cryptographic Key | CWE-321 | OWASP:A02 | No | -| Use of Insufficiently Random Values - Secrets | CWE-330 | OWASP:A02 | No | -| Use of Password Hash With Insufficient Computational Effort | CWE-916 | OWASP:A02 | No | -| Use of a Broken or Risky Cryptographic Algorithm | CWE-327 | OWASP:A02 | No | +| Clear Text Logging | CWE-200, CWE-312 | OWASP:A01, OWASP:A04 | Yes | +| Cleartext Transmission - HTTP Instead of HTTPS | CWE-319 | OWASP:A02 | Yes | +| Code Injection | CWE-94 | OWASP:A03 | Yes | +| File Access Enabled | CWE-200 | OWASP:A01, OWASP:A04 | Yes | +| Improper Certificate Validation - SSL Verification Bypass | CWE-295 | OWASP:A07 | Yes | +| Insecure JWT Verification Method | CWE-347 | OWASP:A02 | Yes | +| Insecure Storage Shared Keystore | CWE-922 | | Yes | +| Insecure Token Storage | CWE-798 | Sans Top 25, OWASP:A07 | Yes | +| Sensitive Cookie Without 'HttpOnly' Flag | CWE-1004 | OWASP:A05 | Yes | +| Sensitive Cookie in HTTPS Session Without 'Secure' Attribute | CWE-614 | OWASP:A05 | Yes | +| Use of Hardcoded Credentials | CWE-798 | Sans Top 25, OWASP:A07 | Yes | +| Use of Hardcoded Cryptographic Key | CWE-321 | OWASP:A02 | Yes | +| Use of Insufficiently Random Values - Secrets | CWE-330 | OWASP:A02 | Yes | +| Use of Password Hash With Insufficient Computational Effort | CWE-916 | OWASP:A02 | Yes | +| Use of a Broken or Risky Cryptographic Algorithm | CWE-327 | OWASP:A02 | Yes | diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-code/snyk-code-security-rules/go-rules.md b/scan-fix-and-prevent/scan-with-snyk/snyk-code/snyk-code-security-rules/go-rules.md index 1a6b349b71fd..9236561a36dd 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-code/snyk-code-security-rules/go-rules.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-code/snyk-code-security-rules/go-rules.md @@ -10,24 +10,24 @@ Each rule includes the following information. | Rule Name | CWE(s) | Security Categories | Autofixable | | -------------------------------------------------------------- | ---------------- | ---------------------- | ----------- | | Clear Text Logging | CWE-200, CWE-312 | OWASP:A01, OWASP:A04 | Yes | -| Command Injection | CWE-78 | Sans Top 25, OWASP:A03 | No | -| Improper Access Control: Email Content Injection | CWE-284 | OWASP:A01 | No | +| Command Injection | CWE-78 | Sans Top 25, OWASP:A03 | Yes | +| Improper Access Control: Email Content Injection | CWE-284 | OWASP:A01 | Yes | | Generation of Error Message Containing Sensitive Information | CWE-209 | OWASP:A04 | Yes | | Hardcoded Secret | CWE-547 | OWASP:A05 | Yes | -| Use of Hardcoded Passwords | CWE-798, CWE-259 | Sans Top 25, OWASP:A07 | No | +| Use of Hardcoded Passwords | CWE-798, CWE-259 | Sans Top 25, OWASP:A07 | Yes | | Use of a Broken or Risky Cryptographic Algorithm | CWE-327 | OWASP:A02 | Yes | | Use of Password Hash With Insufficient Computational Effort | CWE-916 | OWASP:A02 | Yes | | Insecure TLS Configuration | CWE-327 | OWASP:A02 | Yes | -| Use of Insufficiently Random Values | CWE-330 | OWASP:A02 | No | +| Use of Insufficiently Random Values | CWE-330 | OWASP:A02 | Yes | | Use of Hardcoded Credentials | CWE-798 | Sans Top 25, OWASP:A07 | Yes | -| Open Redirect | CWE-601 | OWASP:A01 | No | +| Open Redirect | CWE-601 | OWASP:A01 | Yes | | Path Traversal | CWE-23 | OWASP:A01 | Yes | -| SQL Injection | CWE-89 | Sans Top 25, OWASP:A03 | No | -| Server-Side Request Forgery (SSRF) | CWE-918 | Sans Top 25, OWASP:A10 | No | -| Improper Neutralization of Directives in Statically Saved Code | CWE-96 | OWASP:A03 | No | +| SQL Injection | CWE-89 | Sans Top 25, OWASP:A03 | Yes | +| Server-Side Request Forgery (SSRF) | CWE-918 | Sans Top 25, OWASP:A10 | Yes | +| Improper Neutralization of Directives in Statically Saved Code | CWE-96 | OWASP:A03 | Yes | | Improper Certificate Validation | CWE-295 | OWASP:A07 | Yes | | Inadequate Encryption Strength | CWE-326 | OWASP:A02 | Yes | | Sensitive Cookie Without 'HttpOnly' Flag | CWE-1004 | OWASP:A05 | Yes | | Sensitive Cookie in HTTPS Session Without 'Secure' Attribute | CWE-614 | OWASP:A05 | Yes | | Cross-site Scripting (XSS) | CWE-79 | Sans Top 25, OWASP:A03 | Yes | -| XPath Injection | CWE-643 | OWASP:A03 | No | +| XPath Injection | CWE-643 | OWASP:A03 | Yes | diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-code/snyk-code-security-rules/groovy-rules.md b/scan-fix-and-prevent/scan-with-snyk/snyk-code/snyk-code-security-rules/groovy-rules.md index 01416e6f1cfd..9ffa72db8b3c 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-code/snyk-code-security-rules/groovy-rules.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-code/snyk-code-security-rules/groovy-rules.md @@ -13,18 +13,18 @@ Each rule includes the following information. | Rule name | CWE(s) | Security categories | Autofixable | | ----------------------------------------------------------- | ---------------- | ---------------------- | ----------- | -| Code Injection | CWE-94 | OWASP:A03 | No | -| Command Injection | CWE-78 | Sans Top 25, OWASP:A03 | No | -| Deserialization of Untrusted Data | CWE-502 | OWASP:A08 | No | -| Hardcoded Secret | CWE-547 | OWASP:A05 | No | -| Open Redirect | CWE-601 | OWASP:A01 | No | -| Path Traversal | CWE-23 | OWASP:A01 | No | -| SQL Injection | CWE-89 | Sans Top 25, OWASP:A03 | No | -| Server-Side Request Forgery (SSRF) | CWE-918 | Sans Top 25, OWASP:A10 | No | -| Use of Hardcoded Passwords | CWE-798, CWE-259 | Sans Top 25, OWASP:A07 | No | -| Use of Hardcoded, Security-relevant Constants | CWE-547 | OWASP:A05 | No | -| XML External Entity (XXE) Injection | CWE-611 | OWASP:A05 | No | -| Inadequate Padding for AES encryption | CWE-326 | OWASP:A02 | No | -| Use of a Broken or Risky Cryptographic Algorithm | CWE-327 | OWASP:A02 | No | -| Use of Password Hash With Insufficient Computational Effort | CWE-916 | OWASP:A02 | No | -| Improper Certificate Validation | CWE-295 | OWASP:A07 | No | +| Code Injection | CWE-94 | OWASP:A03 | Yes | +| Command Injection | CWE-78 | Sans Top 25, OWASP:A03 | Yes | +| Deserialization of Untrusted Data | CWE-502 | OWASP:A08 | Yes | +| Hardcoded Secret | CWE-547 | OWASP:A05 | Yes | +| Open Redirect | CWE-601 | OWASP:A01 | Yes | +| Path Traversal | CWE-23 | OWASP:A01 | Yes | +| SQL Injection | CWE-89 | Sans Top 25, OWASP:A03 | Yes | +| Server-Side Request Forgery (SSRF) | CWE-918 | Sans Top 25, OWASP:A10 | Yes | +| Use of Hardcoded Passwords | CWE-798, CWE-259 | Sans Top 25, OWASP:A07 | Yes | +| Use of Hardcoded, Security-relevant Constants | CWE-547 | OWASP:A05 | Yes | +| XML External Entity (XXE) Injection | CWE-611 | OWASP:A05 | Yes | +| Inadequate Padding for AES encryption | CWE-326 | OWASP:A02 | Yes | +| Use of a Broken or Risky Cryptographic Algorithm | CWE-327 | OWASP:A02 | Yes | +| Use of Password Hash With Insufficient Computational Effort | CWE-916 | OWASP:A02 | Yes | +| Improper Certificate Validation | CWE-295 | OWASP:A07 | Yes | diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-code/snyk-code-security-rules/java-rules.md b/scan-fix-and-prevent/scan-with-snyk/snyk-code/snyk-code-security-rules/java-rules.md index f4b3a86c0519..359f5b769b38 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-code/snyk-code-security-rules/java-rules.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-code/snyk-code-security-rules/java-rules.md @@ -10,66 +10,66 @@ Each rule includes the following information. | Rule Name | CWE(s) | Security Categories | Autofixable | | ------------------------------------------------------------ | ---------------- | ---------------------- | ----------- | | Android World Writeable/Readable File Permission Found | CWE-732 | None | Yes | -| Use of Potentially Dangerous Function | CWE-676 | None | No | -| Cleartext Storage of Sensitive Information in a Cookie | CWE-315 | OWASP:A05 | No | -| Code Injection | CWE-94 | Sans Top 25, OWASP:A03 | No | -| Command Injection | CWE-78 | Sans Top 25, OWASP:A03 | No | +| Use of Potentially Dangerous Function | CWE-676 | None | Yes | +| Cleartext Storage of Sensitive Information in a Cookie | CWE-315 | OWASP:A05 | Yes | +| Code Injection | CWE-94 | Sans Top 25, OWASP:A03 | Yes | +| Command Injection | CWE-78 | Sans Top 25, OWASP:A03 | Yes | | Deserialization of Untrusted Data | CWE-502 | Sans Top 25, OWASP:A08 | Yes | | Cross-Site Request Forgery (CSRF) | CWE-352 | Sans Top 25, OWASP:A01 | Yes | -| Information Exposure | CWE-200 | OWASP:A01 | No | -| Cleartext Transmission of Sensitive Information | CWE-319 | OWASP:A02 | No | -| Indirect Command Injection via User Controlled Environment | CWE-78 | Sans Top 25, OWASP:A03 | No | -| External Control of System or Configuration Setting | CWE-15 | OWASP:A05 | No | -| Process Control | CWE-114 | None | No | +| Information Exposure | CWE-200 | OWASP:A01 | Yes | +| Cleartext Transmission of Sensitive Information | CWE-319 | OWASP:A02 | Yes | +| Indirect Command Injection via User Controlled Environment | CWE-78 | Sans Top 25, OWASP:A03 | Yes | +| External Control of System or Configuration Setting | CWE-15 | OWASP:A05 | Yes | +| Process Control | CWE-114 | None | Yes | | File Access Enabled | CWE-200 | OWASP:A01 | Yes | | Android Fragment Injection | CWE-470 | OWASP:A03 | Yes | -| Use of Hardcoded Passwords | CWE-798, CWE-259 | Sans Top 25, OWASP:A07 | No | -| Hardcoded Secret | CWE-547 | OWASP:A05 | No | -| Improper Neutralization of CRLF Sequences in HTTP Headers | CWE-113 | OWASP:A03 | No | -| Disabled Neutralization of CRLF Sequences in HTTP Headers | CWE-113 | OWASP:A03 | No | +| Use of Hardcoded Passwords | CWE-798, CWE-259 | Sans Top 25, OWASP:A07 | Yes | +| Hardcoded Secret | CWE-547 | OWASP:A05 | Yes | +| Improper Neutralization of CRLF Sequences in HTTP Headers | CWE-113 | OWASP:A03 | Yes | +| Disabled Neutralization of CRLF Sequences in HTTP Headers | CWE-113 | OWASP:A03 | Yes | | Inadequate Padding for AES encryption | CWE-326 | OWASP:A02 | Yes | -| Use of a Broken or Risky Cryptographic Algorithm | CWE-327 | OWASP:A02 | No | +| Use of a Broken or Risky Cryptographic Algorithm | CWE-327 | OWASP:A02 | Yes | | Use of Password Hash With Insufficient Computational Effort | CWE-916 | OWASP:A02 | Yes | | Use of Insufficiently Random Values | CWE-330 | OWASP:A02 | Yes | -| Android Intent Forwarding | CWE-940 | OWASP:A07 | No | -| Improper Validation of Certificate with Host Mismatch | CWE-297 | OWASP:A07 | No | +| Android Intent Forwarding | CWE-940 | OWASP:A07 | Yes | +| Improper Validation of Certificate with Host Mismatch | CWE-297 | OWASP:A07 | Yes | | JavaScript Enabled | CWE-79 | Sans Top 25, OWASP:A03 | Yes | -| Java Naming and Directory Interface (JNDI) Injection | CWE-074 | None | No | -| JWT Signature Verification Bypass | CWE-347 | OWASP:A02 | No | -| Improper Authentication | CWE-287 | Sans Top 25, OWASP:A07 | No | -| LDAP Injection | CWE-90 | OWASP:A03 | No | -| Use of Hardcoded Credentials | CWE-798 | Sans Top 25, OWASP:A07 | No | -| The cipher text is equal to the provided input plain text | CWE-311 | OWASP:A04 | No | -| NoSQL Injection | CWE-943 | None | No | -| Use of Sticky broadcasts | CWE-265 | None | No | -| Use of Hardcoded, Security-relevant Constants | CWE-547 | OWASP:A05 | No | -| Open Redirect | CWE-601 | OWASP:A01 | No | +| Java Naming and Directory Interface (JNDI) Injection | CWE-074 | None | Yes | +| JWT Signature Verification Bypass | CWE-347 | OWASP:A02 | Yes | +| Improper Authentication | CWE-287 | Sans Top 25, OWASP:A07 | Yes | +| LDAP Injection | CWE-90 | OWASP:A03 | Yes | +| Use of Hardcoded Credentials | CWE-798 | Sans Top 25, OWASP:A07 | Yes | +| The cipher text is equal to the provided input plain text | CWE-311 | OWASP:A04 | Yes | +| NoSQL Injection | CWE-943 | None | Yes | +| Use of Sticky broadcasts | CWE-265 | None | Yes | +| Use of Hardcoded, Security-relevant Constants | CWE-547 | OWASP:A05 | Yes | +| Open Redirect | CWE-601 | OWASP:A01 | Yes | | Path Traversal | CWE-23 | OWASP:A01 | Yes | -| Privacy Leak | CWE-532 | OWASP:A09 | No | -| Unsafe Reflection | CWE-470 | OWASP:A03 | No | -| Regular expression injection | CWE-400, CWE-730 | None | No | -| Unprotected Storage of Credentials | CWE-256 | OWASP:A04 | No | -| Incorrect Permission Assignment | CWE-732 | None | No | +| Privacy Leak | CWE-532 | OWASP:A09 | Yes | +| Unsafe Reflection | CWE-470 | OWASP:A03 | Yes | +| Regular expression injection | CWE-400, CWE-730 | None | Yes | +| Unprotected Storage of Credentials | CWE-256 | OWASP:A04 | Yes | +| Incorrect Permission Assignment | CWE-732 | None | Yes | | Server Information Exposure | CWE-209 | OWASP:A04 | Yes | -| Improper Handling of Insufficient Permissions or Privileges | CWE-280 | OWASP:A04 | No | +| Improper Handling of Insufficient Permissions or Privileges | CWE-280 | OWASP:A04 | Yes | | Cross-site Scripting (XSS) | CWE-79 | Sans Top 25, OWASP:A03 | Yes | -| Unrestricted Android Broadcast | CWE-862 | Sans Top 25, OWASP:A01 | No | -| Spring Cross-Site Request Forgery (CSRF) | CWE-352 | Sans Top 25, OWASP:A01 | No | +| Unrestricted Android Broadcast | CWE-862 | Sans Top 25, OWASP:A01 | Yes | +| Spring Cross-Site Request Forgery (CSRF) | CWE-352 | Sans Top 25, OWASP:A01 | Yes | | SQL Injection | CWE-89 | Sans Top 25, OWASP:A03 | Yes | -| Server-Side Request Forgery (SSRF) | CWE-918 | Sans Top 25, OWASP:A10 | No | +| Server-Side Request Forgery (SSRF) | CWE-918 | Sans Top 25, OWASP:A10 | Yes | | Inadequate Encryption Strength | CWE-326 | OWASP:A02 | Yes | -| Code Execution via Third Party Package Context | CWE-94 | Sans Top 25, OWASP:A03 | No | -| Code Execution via Third Party Package Installation | CWE-940 | OWASP:A07 | No | +| Code Execution via Third Party Package Context | CWE-94 | Sans Top 25, OWASP:A03 | Yes | +| Code Execution via Third Party Package Installation | CWE-940 | OWASP:A07 | Yes | | Observable Timing Discrepancy (Timing Attack) | CWE-208 | None | Yes | | Origin Validation Error | CWE-942, CWE-346 | OWASP:A05, OWASP:A07 | Yes | -| Improper Certificate Validation | CWE-295 | OWASP:A07 | No | +| Improper Certificate Validation | CWE-295 | OWASP:A07 | Yes | | Cryptographic Issues | CWE-310 | OWASP:A02 | Yes | -| Trust Boundary Violation | CWE-501 | OWASP:A04 | No | -| Unauthorized File Access | CWE-79 | Sans Top 25, OWASP:A03 | No | -| Android Uri Permission Manipulation | CWE-266 | OWASP:A04 | No | +| Trust Boundary Violation | CWE-501 | OWASP:A04 | Yes | +| Unauthorized File Access | CWE-79 | Sans Top 25, OWASP:A03 | Yes | +| Android Uri Permission Manipulation | CWE-266 | OWASP:A04 | Yes | | Use of Externally-Controlled Format String | CWE-134 | None | Yes | | Sensitive Cookie Without 'HttpOnly' Flag | CWE-1004 | OWASP:A05 | Yes | | Sensitive Cookie in HTTPS Session Without 'Secure' Attribute | CWE-614 | OWASP:A05 | Yes | -| Insufficient Session Expiration | CWE-613 | OWASP:A07 | No | +| Insufficient Session Expiration | CWE-613 | OWASP:A07 | Yes | | XML External Entity (XXE) Injection | CWE-611 | OWASP:A05 | Yes | -| XPath Injection | CWE-643 | OWASP:A03 | No | +| XPath Injection | CWE-643 | OWASP:A03 | Yes | diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-code/snyk-code-security-rules/javascript-and-typescript-rules.md b/scan-fix-and-prevent/scan-with-snyk/snyk-code/snyk-code-security-rules/javascript-and-typescript-rules.md index ef981f437df3..101399df49a6 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-code/snyk-code-security-rules/javascript-and-typescript-rules.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-code/snyk-code-security-rules/javascript-and-typescript-rules.md @@ -10,55 +10,55 @@ Each rule includes the following information. | Rule Name | CWE(s) | Security Categories | Autofixable | | ----------------------------------------------------------------------------------------------------------------- | ----------------------- | ---------------------- | ----------- | | Disabling Strict Contextual escaping (SCE) could provide additional attack surface for Cross-site Scripting (XSS) | CWE-79 | Sans Top 25, OWASP:A03 | Yes | -| Use of a Broken or Risky Cryptographic Algorithm | CWE-327 | OWASP:A02 | No | -| Clear Text Sensitive Storage | CWE-200, CWE-312 | OWASP:A01, OWASP:A04 | No | +| Use of a Broken or Risky Cryptographic Algorithm | CWE-327 | OWASP:A02 | Yes | +| Clear Text Sensitive Storage | CWE-200, CWE-312 | OWASP:A01, OWASP:A04 | Yes | | Code Injection | CWE-94 | Sans Top 25, OWASP:A03 | Yes | | Command Injection | CWE-78 | Sans Top 25, OWASP:A03 | Yes | | Cross-site Scripting (XSS) | CWE-79 | Sans Top 25, OWASP:A03 | Yes | -| Deserialization of Untrusted Data | CWE-502 | Sans Top 25, OWASP:A08 | No | +| Deserialization of Untrusted Data | CWE-502 | Sans Top 25, OWASP:A08 | Yes | | Information Exposure | CWE-200 | OWASP:A01 | Yes | -| Electron Disable Security Warnings | CWE-16 | OWASP:A05 | No | +| Electron Disable Security Warnings | CWE-16 | OWASP:A05 | Yes | | Electron Insecure Web Preferences | CWE-16 | OWASP:A05 | Yes | | Electron Load Insecure Content | CWE-16 | OWASP:A05 | Yes | | Use of Externally-Controlled Format String | CWE-134 | None | Yes | -| GraphQL Injection | CWE-89 | Sans Top 25, OWASP:A03 | No | +| GraphQL Injection | CWE-89 | Sans Top 25, OWASP:A03 | Yes | | Improper Type Validation | CWE-1287 | None | Yes | | Hardcoded Secret | CWE-547 | OWASP:A05 | Yes | | Cleartext Transmission of Sensitive Information | CWE-319 | OWASP:A02 | Yes | -| Improper Code Sanitization | CWE-94, CWE-79, CWE-116 | Sans Top 25, OWASP:A03 | No | +| Improper Code Sanitization | CWE-94, CWE-79, CWE-116 | Sans Top 25, OWASP:A03 | Yes | | Use of Password Hash With Insufficient Computational Effort | CWE-916 | OWASP:A02 | Yes | -| Use of Insufficiently Random Values | CWE-330 | OWASP:A02 | No | +| Use of Insufficiently Random Values | CWE-330 | OWASP:A02 | Yes | | Insecure TLS Configuration | CWE-327 | OWASP:A02 | Yes | | Insufficient postMessage Validation | CWE-20 | Sans Top 25, OWASP:A03 | Yes | -| Introspection Enabled | CWE-200 | OWASP:A01 | No | -| Insecure JWT Verification Method | CWE-347 | OWASP:A02 | No | -| JWT Signature Verification Method Disabled | CWE-347 | OWASP:A02 | No | -| JWT 'none' Algorithm Supported | CWE-347 | OWASP:A02 | No | +| Introspection Enabled | CWE-200 | OWASP:A01 | Yes | +| Insecure JWT Verification Method | CWE-347 | OWASP:A02 | Yes | +| JWT Signature Verification Method Disabled | CWE-347 | OWASP:A02 | Yes | +| JWT 'none' Algorithm Supported | CWE-347 | OWASP:A02 | Yes | | Denial of Service (DoS) through Nested GraphQL Queries | CWE-400 | None | Yes | -| Unchecked Input for Loop Condition | CWE-400, CWE-606 | None | No | -| Observable Timing Discrepancy (Timing Attack) | CWE-208 | None | No | +| Unchecked Input for Loop Condition | CWE-400, CWE-606 | None | Yes | +| Observable Timing Discrepancy (Timing Attack) | CWE-208 | None | Yes | | Use of Hardcoded Credentials | CWE-798 | Sans Top 25, OWASP:A07 | Yes | | Use of Hardcoded Passwords | CWE-798, CWE-259 | Sans Top 25, OWASP:A07 | Yes | | Allocation of Resources Without Limits or Throttling | CWE-770 | None | Yes | -| NoSQL Injection | CWE-943 | None | No | -| Buffer Over-read | CWE-126 | None | No | +| NoSQL Injection | CWE-943 | None | Yes | +| Buffer Over-read | CWE-126 | None | Yes | | Open Redirect | CWE-601 | OWASP:A01 | Yes | | Path Traversal | CWE-23 | OWASP:A01 | Yes | -| Prototype Pollution | CWE-1321 | None | No | +| Prototype Pollution | CWE-1321 | None | Yes | | Use dangerouslySetInnerHTML to Explicitly Handle XSS Risks | CWE-79 | Sans Top 25, OWASP:A03 | Yes | -| Weak Password Recovery Mechanism for Forgotten Password | CWE-640 | OWASP:A07 | No | +| Weak Password Recovery Mechanism for Forgotten Password | CWE-640 | OWASP:A07 | Yes | | SQL Injection | CWE-89 | Sans Top 25, OWASP:A03 | Yes | -| Server-Side Request Forgery (SSRF) | CWE-918 | Sans Top 25, OWASP:A10 | No | -| Improper Neutralization of Directives in Statically Saved Code | CWE-96 | OWASP:A03 | No | +| Server-Side Request Forgery (SSRF) | CWE-918 | Sans Top 25, OWASP:A10 | Yes | +| Improper Neutralization of Directives in Statically Saved Code | CWE-96 | OWASP:A03 | Yes | | Origin Validation Error | CWE-942, CWE-346 | OWASP:A05, OWASP:A07 | Yes | | Permissive Cross-domain Policy | CWE-942 | OWASP:A05 | Yes | -| Improper Restriction of Rendered UI Layers or Frames | CWE-1021 | OWASP:A04 | No | +| Improper Restriction of Rendered UI Layers or Frames | CWE-1021 | OWASP:A04 | Yes | | Cryptographic Issues | CWE-310 | OWASP:A02 | Yes | -| Unsafe JQuery Plugin | CWE-79, CWE-116 | Sans Top 25, OWASP:A03 | No | +| Unsafe JQuery Plugin | CWE-79, CWE-116 | Sans Top 25, OWASP:A03 | Yes | | Cross-Site Request Forgery (CSRF) | CWE-352 | Sans Top 25, OWASP:A01 | Yes | | Sensitive Cookie Without 'HttpOnly' Flag | CWE-1004 | OWASP:A05 | Yes | | Sensitive Cookie in HTTPS Session Without 'Secure' Attribute | CWE-614 | OWASP:A05 | Yes | -| XML External Entity (XXE) Injection | CWE-611 | OWASP:A05 | No | -| XPath Injection | CWE-643 | OWASP:A03 | No | -| Arbitrary File Write via Archive Extraction (Zip Slip) | CWE-22 | Sans Top 25, OWASP:A01 | No | +| XML External Entity (XXE) Injection | CWE-611 | OWASP:A05 | Yes | +| XPath Injection | CWE-643 | OWASP:A03 | Yes | +| Arbitrary File Write via Archive Extraction (Zip Slip) | CWE-22 | Sans Top 25, OWASP:A01 | Yes | | Regular Expression Denial of Service (ReDoS) | CWE-400 | None | Yes | diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-code/snyk-code-security-rules/kotlin-rules.md b/scan-fix-and-prevent/scan-with-snyk/snyk-code/snyk-code-security-rules/kotlin-rules.md index f65f113080ec..fc6b6879c6b1 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-code/snyk-code-security-rules/kotlin-rules.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-code/snyk-code-security-rules/kotlin-rules.md @@ -9,62 +9,62 @@ Each rule includes the following information. | Rule Name | CWE(s) | Security Categories | Autofixable | | ------------------------------------------------------------ | ---------------- | ---------------------- | ----------- | -| Android World Writeable/Readable File Permission Found | CWE-732 | None | No | -| Use of Potentially Dangerous Function | CWE-676 | None | No | -| Cleartext Storage of Sensitive Information in a Cookie | CWE-315 | OWASP:A05 | No | -| Code Injection | CWE-94 | Sans Top 25, OWASP:A03 | No | -| Command Injection | CWE-78 | Sans Top 25, OWASP:A03 | No | -| Deserialization of Untrusted Data | CWE-502 | Sans Top 25, OWASP:A08 | No | -| Cross-Site Request Forgery (CSRF) | CWE-352 | Sans Top 25, OWASP:A01 | No | -| Information Exposure | CWE-200 | OWASP:A01 | No | -| Cleartext Transmission of Sensitive Information | CWE-319 | OWASP:A02 | No | -| Indirect Command Injection via User Controlled Environment | CWE-78 | Sans Top 25, OWASP:A03 | No | -| External Control of System or Configuration Setting | CWE-15 | OWASP:A05 | No | -| Process Control | CWE-114 | None | No | -| File Access Enabled | CWE-200 | OWASP:A01 | No | -| Android Fragment Injection | CWE-470 | OWASP:A03 | No | -| Use of Hardcoded Passwords | CWE-798, CWE-259 | Sans Top 25, OWASP:A07 | No | -| Hardcoded Secret | CWE-547 | OWASP:A05 | No | -| Improper Neutralization of CRLF Sequences in HTTP Headers | CWE-113 | OWASP:A03 | No | -| Disabled Neutralization of CRLF Sequences in HTTP Headers | CWE-113 | OWASP:A03 | No | -| Inadequate Padding for AES encryption | CWE-326 | OWASP:A02 | No | -| Use of a Broken or Risky Cryptographic Algorithm | CWE-327 | OWASP:A02 | No | -| Use of Password Hash With Insufficient Computational Effort | CWE-916 | OWASP:A02 | No | -| Use of Insufficiently Random Values | CWE-330 | OWASP:A02 | No | -| Android Intent Forwarding | CWE-940 | OWASP:A07 | No | -| Improper Validation of Certificate with Host Mismatch | CWE-297 | OWASP:A07 | No | -| JavaScript Enabled | CWE-79 | Sans Top 25, OWASP:A03 | No | -| Java Naming and Directory Interface (JNDI) Injection | CWE-074 | None | No | -| Improper Authentication | CWE-287 | Sans Top 25, OWASP:A07 | No | -| LDAP Injection | CWE-90 | OWASP:A03 | No | -| Use of Hardcoded Credentials | CWE-798 | Sans Top 25, OWASP:A07 | No | -| The cipher text is equal to the provided input plain text | CWE-311 | OWASP:A04 | No | -| Use of Sticky broadcasts | CWE-265 | None | No | -| Use of Hardcoded, Security-relevant Constants | CWE-547 | OWASP:A05 | No | -| Open Redirect | CWE-601 | OWASP:A01 | No | -| Path Traversal | CWE-23 | OWASP:A01 | No | -| Regular expression injection | CWE-400, CWE-730 | None | No | -| Unprotected Storage of Credentials | CWE-256 | OWASP:A04 | No | -| Incorrect Permission Assignment | CWE-732 | None | No | -| Improper Certificate Validation | CWE-295 | OWASP:A07 | No | -| Server Information Exposure | CWE-209 | OWASP:A04 | No | -| Improper Handling of Insufficient Permissions or Privileges | CWE-280 | OWASP:A04 | No | -| Cross-site Scripting (XSS) | CWE-79 | Sans Top 25, OWASP:A03 | No | -| Unrestricted Android Broadcast | CWE-862 | Sans Top 25, OWASP:A01 | No | -| SQL Injection | CWE-89 | Sans Top 25, OWASP:A03 | No | -| Server-Side Request Forgery (SSRF) | CWE-918 | Sans Top 25, OWASP:A10 | No | -| Inadequate Encryption Strength | CWE-326 | OWASP:A02 | No | -| Code Execution via Third Party Package Context | CWE-94 | Sans Top 25, OWASP:A03 | No | -| Code Execution via Third Party Package Installation | CWE-940 | OWASP:A07 | No | -| Observable Timing Discrepancy (Timing Attack) | CWE-208 | None | No | -| Origin Validation Error | CWE-942, CWE-346 | OWASP:A05, OWASP:A07 | No | -| Cryptographic Issues | CWE-310 | OWASP:A02 | No | -| Trust Boundary Violation | CWE-501 | OWASP:A04 | No | -| Unauthorized File Access | CWE-79 | Sans Top 25, OWASP:A03 | No | -| Android Uri Permission Manipulation | CWE-266 | OWASP:A04 | No | -| Use of Externally-Controlled Format String | CWE-134 | None | No | -| Sensitive Cookie Without 'HttpOnly' Flag | CWE-1004 | OWASP:A05 | No | -| Sensitive Cookie in HTTPS Session Without 'Secure' Attribute | CWE-614 | OWASP:A05 | No | -| Insufficient Session Expiration | CWE-613 | OWASP:A07 | No | -| XML External Entity (XXE) Injection | CWE-611 | OWASP:A05 | No | -| XPath Injection | CWE-643 | OWASP:A03 | No | +| Android World Writeable/Readable File Permission Found | CWE-732 | None | Yes | +| Use of Potentially Dangerous Function | CWE-676 | None | Yes | +| Cleartext Storage of Sensitive Information in a Cookie | CWE-315 | OWASP:A05 | Yes | +| Code Injection | CWE-94 | Sans Top 25, OWASP:A03 | Yes | +| Command Injection | CWE-78 | Sans Top 25, OWASP:A03 | Yes | +| Deserialization of Untrusted Data | CWE-502 | Sans Top 25, OWASP:A08 | Yes | +| Cross-Site Request Forgery (CSRF) | CWE-352 | Sans Top 25, OWASP:A01 | Yes | +| Information Exposure | CWE-200 | OWASP:A01 | Yes | +| Cleartext Transmission of Sensitive Information | CWE-319 | OWASP:A02 | Yes | +| Indirect Command Injection via User Controlled Environment | CWE-78 | Sans Top 25, OWASP:A03 | Yes | +| External Control of System or Configuration Setting | CWE-15 | OWASP:A05 | Yes | +| Process Control | CWE-114 | None | Yes | +| File Access Enabled | CWE-200 | OWASP:A01 | Yes | +| Android Fragment Injection | CWE-470 | OWASP:A03 | Yes | +| Use of Hardcoded Passwords | CWE-798, CWE-259 | Sans Top 25, OWASP:A07 | Yes | +| Hardcoded Secret | CWE-547 | OWASP:A05 | Yes | +| Improper Neutralization of CRLF Sequences in HTTP Headers | CWE-113 | OWASP:A03 | Yes | +| Disabled Neutralization of CRLF Sequences in HTTP Headers | CWE-113 | OWASP:A03 | Yes | +| Inadequate Padding for AES encryption | CWE-326 | OWASP:A02 | Yes | +| Use of a Broken or Risky Cryptographic Algorithm | CWE-327 | OWASP:A02 | Yes | +| Use of Password Hash With Insufficient Computational Effort | CWE-916 | OWASP:A02 | Yes | +| Use of Insufficiently Random Values | CWE-330 | OWASP:A02 | Yes | +| Android Intent Forwarding | CWE-940 | OWASP:A07 | Yes | +| Improper Validation of Certificate with Host Mismatch | CWE-297 | OWASP:A07 | Yes | +| JavaScript Enabled | CWE-79 | Sans Top 25, OWASP:A03 | Yes | +| Java Naming and Directory Interface (JNDI) Injection | CWE-074 | None | Yes | +| Improper Authentication | CWE-287 | Sans Top 25, OWASP:A07 | Yes | +| LDAP Injection | CWE-90 | OWASP:A03 | Yes | +| Use of Hardcoded Credentials | CWE-798 | Sans Top 25, OWASP:A07 | Yes | +| The cipher text is equal to the provided input plain text | CWE-311 | OWASP:A04 | Yes | +| Use of Sticky broadcasts | CWE-265 | None | Yes | +| Use of Hardcoded, Security-relevant Constants | CWE-547 | OWASP:A05 | Yes | +| Open Redirect | CWE-601 | OWASP:A01 | Yes | +| Path Traversal | CWE-23 | OWASP:A01 | Yes | +| Regular expression injection | CWE-400, CWE-730 | None | Yes | +| Unprotected Storage of Credentials | CWE-256 | OWASP:A04 | Yes | +| Incorrect Permission Assignment | CWE-732 | None | Yes | +| Improper Certificate Validation | CWE-295 | OWASP:A07 | Yes | +| Server Information Exposure | CWE-209 | OWASP:A04 | Yes | +| Improper Handling of Insufficient Permissions or Privileges | CWE-280 | OWASP:A04 | Yes | +| Cross-site Scripting (XSS) | CWE-79 | Sans Top 25, OWASP:A03 | Yes | +| Unrestricted Android Broadcast | CWE-862 | Sans Top 25, OWASP:A01 | Yes | +| SQL Injection | CWE-89 | Sans Top 25, OWASP:A03 | Yes | +| Server-Side Request Forgery (SSRF) | CWE-918 | Sans Top 25, OWASP:A10 | Yes | +| Inadequate Encryption Strength | CWE-326 | OWASP:A02 | Yes | +| Code Execution via Third Party Package Context | CWE-94 | Sans Top 25, OWASP:A03 | Yes | +| Code Execution via Third Party Package Installation | CWE-940 | OWASP:A07 | Yes | +| Observable Timing Discrepancy (Timing Attack) | CWE-208 | None | Yes | +| Origin Validation Error | CWE-942, CWE-346 | OWASP:A05, OWASP:A07 | Yes | +| Cryptographic Issues | CWE-310 | OWASP:A02 | Yes | +| Trust Boundary Violation | CWE-501 | OWASP:A04 | Yes | +| Unauthorized File Access | CWE-79 | Sans Top 25, OWASP:A03 | Yes | +| Android Uri Permission Manipulation | CWE-266 | OWASP:A04 | Yes | +| Use of Externally-Controlled Format String | CWE-134 | None | Yes | +| Sensitive Cookie Without 'HttpOnly' Flag | CWE-1004 | OWASP:A05 | Yes | +| Sensitive Cookie in HTTPS Session Without 'Secure' Attribute | CWE-614 | OWASP:A05 | Yes | +| Insufficient Session Expiration | CWE-613 | OWASP:A07 | Yes | +| XML External Entity (XXE) Injection | CWE-611 | OWASP:A05 | Yes | +| XPath Injection | CWE-643 | OWASP:A03 | Yes | diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-code/snyk-code-security-rules/objective-c-rules.md b/scan-fix-and-prevent/scan-with-snyk/snyk-code/snyk-code-security-rules/objective-c-rules.md index da9fb67d2747..a6e2338bddfd 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-code/snyk-code-security-rules/objective-c-rules.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-code/snyk-code-security-rules/objective-c-rules.md @@ -13,21 +13,21 @@ Each rule includes the following information. | Rule Name | CWE(s) | Security Categories | Autofixable | | ------------------------------------------------------------ | ---------------- | ---------------------- | ----------- | -| Clear Text Logging | CWE-200, CWE-312 | OWASP:A01, OWASP:A04 | No | -| Client-Side Request Forgery (CSRF) | CWE-918 | Sans Top 25, OWASP:A10 | No | -| Code Injection | CWE-94 | OWASP:A03 | No | -| Command Injection | CWE-78 | Sans Top 25, OWASP:A03 | No | -| Device Authentication Bypass | CWE-287 | OWASP:A07 | No | -| Improper Certificate Validation | CWE-295 | OWASP:A07 | No | -| Inadequate Encryption Strength | CWE-326 | OWASP:A02 | No | -| Information Exposure | CWE-200 | OWASP:A01, OWASP:A04 | No | -| Insecure Data Storage | CWE-922 | | No | -| Memory Corruption | CWE-822 | OWASP:A03 | No | -| Path Traversal | CWE-23 | OWASP:A01 | No | -| SQL Injection | CWE-89 | Sans Top 25, OWASP:A03 | No | -| Sensitive Cookie in HTTPS Session Without 'Secure' Attribute | CWE-614 | OWASP:A05 | No | -| Use of Hardcoded Cryptographic Key | CWE-321 | OWASP:A02 | No | -| Use of Insufficiently Random Values | CWE-330 | OWASP:A02 | No | -| Use of Password Hash With Insufficient Computational Effort | CWE-916 | OWASP:A02 | No | -| Use of a Broken or Risky Cryptographic Algorithm | CWE-327 | OWASP:A02 | No | -| XML External Entity (XXE) Injection | CWE-611 | OWASP:A05 | No | +| Clear Text Logging | CWE-200, CWE-312 | OWASP:A01, OWASP:A04 | Yes | +| Client-Side Request Forgery (CSRF) | CWE-918 | Sans Top 25, OWASP:A10 | Yes | +| Code Injection | CWE-94 | OWASP:A03 | Yes | +| Command Injection | CWE-78 | Sans Top 25, OWASP:A03 | Yes | +| Device Authentication Bypass | CWE-287 | OWASP:A07 | Yes | +| Improper Certificate Validation | CWE-295 | OWASP:A07 | Yes | +| Inadequate Encryption Strength | CWE-326 | OWASP:A02 | Yes | +| Information Exposure | CWE-200 | OWASP:A01, OWASP:A04 | Yes | +| Insecure Data Storage | CWE-922 | | Yes | +| Memory Corruption | CWE-822 | OWASP:A03 | Yes | +| Path Traversal | CWE-23 | OWASP:A01 | Yes | +| SQL Injection | CWE-89 | Sans Top 25, OWASP:A03 | Yes | +| Sensitive Cookie in HTTPS Session Without 'Secure' Attribute | CWE-614 | OWASP:A05 | Yes | +| Use of Hardcoded Cryptographic Key | CWE-321 | OWASP:A02 | Yes | +| Use of Insufficiently Random Values | CWE-330 | OWASP:A02 | Yes | +| Use of Password Hash With Insufficient Computational Effort | CWE-916 | OWASP:A02 | Yes | +| Use of a Broken or Risky Cryptographic Algorithm | CWE-327 | OWASP:A02 | Yes | +| XML External Entity (XXE) Injection | CWE-611 | OWASP:A05 | Yes | diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-code/snyk-code-security-rules/php-rules.md b/scan-fix-and-prevent/scan-with-snyk/snyk-code/snyk-code-security-rules/php-rules.md index cef17b4b3465..0e39b93cbf7c 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-code/snyk-code-security-rules/php-rules.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-code/snyk-code-security-rules/php-rules.md @@ -9,31 +9,31 @@ Each rule includes the following information. | Rule Name | CWE(s) | Security Categories | Autofixable | | ------------------------------------------------------------ | ---------------- | ---------------------- | ----------- | -| Code Injection | CWE-94 | Sans Top 25, OWASP:A03 | No | -| Command Injection | CWE-78 | Sans Top 25, OWASP:A03 | No | -| Deserialization of Untrusted Data | CWE-502 | Sans Top 25, OWASP:A08 | No | -| Improper Access Control: Email Content Injection | CWE-284 | OWASP:A01 | No | -| File Inclusion | CWE-98 | OWASP:A03 | No | -| Use of Hardcoded Credentials | CWE-798, CWE-259 | Sans Top 25, OWASP:A07 | No | -| Hardcoded Secret | CWE-547 | OWASP:A05 | No | -| Use of Hardcoded Passwords | CWE-798, CWE-259 | Sans Top 25, OWASP:A07 | No | -| Inadequate Padding for Public Key Encryption | CWE-326 | OWASP:A02 | No | -| Use of a Broken or Risky Cryptographic Algorithm | CWE-327 | OWASP:A02 | No | -| Use of Password Hash With Insufficient Computational Effort | CWE-916 | OWASP:A02 | No | -| Use of Insufficiently Random Values | CWE-330 | OWASP:A02 | No | -| Cross-site Scripting (XSS) | CWE-79 | Sans Top 25, OWASP:A03 | No | -| Allocation of Resources Without Limits or Throttling | CWE-770 | None | No | -| Open Redirect | CWE-601 | OWASP:A01 | No | -| Path Traversal | CWE-23 | OWASP:A01 | No | -| Information Exposure | CWE-200 | OWASP:A01 | No | -| SQL Injection | CWE-89 | Sans Top 25, OWASP:A03 | No | -| Server-Side Request Forgery (SSRF) | CWE-918 | Sans Top 25, OWASP:A10 | No | -| Origin Validation Error | CWE-942, CWE-346 | OWASP:A05, OWASP:A07 | No | -| Improper Restriction of Rendered UI Layers or Frames | CWE-1021 | OWASP:A04 | No | -| Inadequate Encryption Strength | CWE-326 | OWASP:A02 | No | -| Sensitive Cookie Without 'HttpOnly' Flag | CWE-1004 | OWASP:A05 | No | -| Sensitive Cookie in HTTPS Session Without 'Secure' Attribute | CWE-614 | OWASP:A05 | No | -| XPath Injection | CWE-643 | OWASP:A03 | No | -| XML External Entity (XXE) Injection | CWE-611 | OWASP:A05 | No | -| Arbitrary File Write via Archive Extraction (Zip Slip) | CWE-22 | Sans Top 25, OWASP:A01 | No | -| Regular Expression Denial of Service (ReDoS) | CWE-400 | None | No | +| Code Injection | CWE-94 | Sans Top 25, OWASP:A03 | Yes | +| Command Injection | CWE-78 | Sans Top 25, OWASP:A03 | Yes | +| Deserialization of Untrusted Data | CWE-502 | Sans Top 25, OWASP:A08 | Yes | +| Improper Access Control: Email Content Injection | CWE-284 | OWASP:A01 | Yes | +| File Inclusion | CWE-98 | OWASP:A03 | Yes | +| Use of Hardcoded Credentials | CWE-798, CWE-259 | Sans Top 25, OWASP:A07 | Yes | +| Hardcoded Secret | CWE-547 | OWASP:A05 | Yes | +| Use of Hardcoded Passwords | CWE-798, CWE-259 | Sans Top 25, OWASP:A07 | Yes | +| Inadequate Padding for Public Key Encryption | CWE-326 | OWASP:A02 | Yes | +| Use of a Broken or Risky Cryptographic Algorithm | CWE-327 | OWASP:A02 | Yes | +| Use of Password Hash With Insufficient Computational Effort | CWE-916 | OWASP:A02 | Yes | +| Use of Insufficiently Random Values | CWE-330 | OWASP:A02 | Yes | +| Cross-site Scripting (XSS) | CWE-79 | Sans Top 25, OWASP:A03 | Yes | +| Allocation of Resources Without Limits or Throttling | CWE-770 | None | Yes | +| Open Redirect | CWE-601 | OWASP:A01 | Yes | +| Path Traversal | CWE-23 | OWASP:A01 | Yes | +| Information Exposure | CWE-200 | OWASP:A01 | Yes | +| SQL Injection | CWE-89 | Sans Top 25, OWASP:A03 | Yes | +| Server-Side Request Forgery (SSRF) | CWE-918 | Sans Top 25, OWASP:A10 | Yes | +| Origin Validation Error | CWE-942, CWE-346 | OWASP:A05, OWASP:A07 | Yes | +| Improper Restriction of Rendered UI Layers or Frames | CWE-1021 | OWASP:A04 | Yes | +| Inadequate Encryption Strength | CWE-326 | OWASP:A02 | Yes | +| Sensitive Cookie Without 'HttpOnly' Flag | CWE-1004 | OWASP:A05 | Yes | +| Sensitive Cookie in HTTPS Session Without 'Secure' Attribute | CWE-614 | OWASP:A05 | Yes | +| XPath Injection | CWE-643 | OWASP:A03 | Yes | +| XML External Entity (XXE) Injection | CWE-611 | OWASP:A05 | Yes | +| Arbitrary File Write via Archive Extraction (Zip Slip) | CWE-22 | Sans Top 25, OWASP:A01 | Yes | +| Regular Expression Denial of Service (ReDoS) | CWE-400 | None | Yes | diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-code/snyk-code-security-rules/python-rules.md b/scan-fix-and-prevent/scan-with-snyk/snyk-code/snyk-code-security-rules/python-rules.md index 322bf1fa435a..2717984f1819 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-code/snyk-code-security-rules/python-rules.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-code/snyk-code-security-rules/python-rules.md @@ -11,44 +11,44 @@ Each rule includes the following information. | -------------------------------------------------------------------------- | ---------------- | ---------------------- | ----------- | | Authentication over HTTP | CWE-319 | OWASP:A02 | Yes | | Binding to all network interfaces may open service to unintended traffic | CWE-284 | OWASP:A01 | Yes | -| Broken User Authentication | CWE-287 | Sans Top 25, OWASP:A07 | No | +| Broken User Authentication | CWE-287 | Sans Top 25, OWASP:A07 | Yes | | Code Injection | CWE-94 | Sans Top 25, OWASP:A03 | Yes | | Command Injection | CWE-78 | Sans Top 25, OWASP:A03 | Yes | | Deserialization of Untrusted Data | CWE-502 | Sans Top 25, OWASP:A08 | Yes | | Cross-Site Request Forgery (CSRF) | CWE-352 | Sans Top 25, OWASP:A01 | Yes | -| Password Requirements Not Enforced in Django Application | CWE-521 | OWASP:A07 | No | -| Use of Hardcoded Cryptographic Initialization Value | CWE-329 | OWASP:A02 | No | -| Use of Hardcoded Cryptographic Key | CWE-321 | OWASP:A02 | No | +| Password Requirements Not Enforced in Django Application | CWE-521 | OWASP:A07 | Yes | +| Use of Hardcoded Cryptographic Initialization Value | CWE-329 | OWASP:A02 | Yes | +| Use of Hardcoded Cryptographic Key | CWE-321 | OWASP:A02 | Yes | | Hardcoded Secret | CWE-547 | OWASP:A05 | Yes | -| Use of a Broken or Risky Cryptographic Algorithm | CWE-327 | OWASP:A02 | No | -| Insecure default value | CWE-453 | None | No | +| Use of a Broken or Risky Cryptographic Algorithm | CWE-327 | OWASP:A02 | Yes | +| Insecure default value | CWE-453 | None | Yes | | Insecure File Permissions | CWE-732 | None | Yes | | Use of Password Hash With Insufficient Computational Effort | CWE-916 | OWASP:A02 | Yes | | Insecure Temporary File | CWE-377 | OWASP:A01 | Yes | -| Insecure Xml Parser | CWE-611 | OWASP:A05 | No | +| Insecure Xml Parser | CWE-611 | OWASP:A05 | Yes | | Jinja auto-escape is set to false. | CWE-79 | Sans Top 25, OWASP:A03 | Yes | -| LDAP Injection | CWE-90 | OWASP:A03 | No | -| Improper Handling of Insufficient Permissions or Privileges | CWE-280 | OWASP:A04 | No | -| Use of Hardcoded Credentials | CWE-798 | Sans Top 25, OWASP:A07 | No | -| Use of Hardcoded Passwords | CWE-798, CWE-259 | Sans Top 25, OWASP:A07 | No | -| NoSQL Injection | CWE-943 | None | No | -| Open Redirect | CWE-601 | OWASP:A01 | No | +| LDAP Injection | CWE-90 | OWASP:A03 | Yes | +| Improper Handling of Insufficient Permissions or Privileges | CWE-280 | OWASP:A04 | Yes | +| Use of Hardcoded Credentials | CWE-798 | Sans Top 25, OWASP:A07 | Yes | +| Use of Hardcoded Passwords | CWE-798, CWE-259 | Sans Top 25, OWASP:A07 | Yes | +| NoSQL Injection | CWE-943 | None | Yes | +| Open Redirect | CWE-601 | OWASP:A01 | Yes | | Path Traversal | CWE-23 | OWASP:A01 | Yes | | Debug Mode Enabled | CWE-489 | None | Yes | -| Improper Certificate Validation | CWE-295 | OWASP:A07 | No | -| Server Information Exposure | CWE-209 | OWASP:A04 | No | +| Improper Certificate Validation | CWE-295 | OWASP:A07 | Yes | +| Server Information Exposure | CWE-209 | OWASP:A04 | Yes | | SQL Injection | CWE-89 | Sans Top 25, OWASP:A03 | Yes | -| Server-Side Request Forgery (SSRF) | CWE-918 | Sans Top 25, OWASP:A10 | No | -| Improper Neutralization of Directives in Statically Saved Code | CWE-96 | OWASP:A03 | No | +| Server-Side Request Forgery (SSRF) | CWE-918 | Sans Top 25, OWASP:A10 | Yes | +| Improper Neutralization of Directives in Statically Saved Code | CWE-96 | OWASP:A03 | Yes | | Inadequate Encryption Strength | CWE-326 | OWASP:A02 | Yes | -| Arbitrary File Write via Archive Extraction (Tar Slip) | CWE-22 | Sans Top 25, OWASP:A01 | No | -| Origin Validation Error | CWE-942, CWE-346 | OWASP:A05, OWASP:A07 | No | -| Cryptographic Issues | CWE-310 | OWASP:A02 | No | -| Use of Insufficiently Random Values | CWE-330 | OWASP:A02 | No | -| Python 2 source code | CWE-1104 | OWASP:A06 | No | -| Selection of Less-Secure Algorithm During Negotiation (SSL instead of TLS) | CWE-757 | OWASP:A02 | No | +| Arbitrary File Write via Archive Extraction (Tar Slip) | CWE-22 | Sans Top 25, OWASP:A01 | Yes | +| Origin Validation Error | CWE-942, CWE-346 | OWASP:A05, OWASP:A07 | Yes | +| Cryptographic Issues | CWE-310 | OWASP:A02 | Yes | +| Use of Insufficiently Random Values | CWE-330 | OWASP:A02 | Yes | +| Python 2 source code | CWE-1104 | OWASP:A06 | Yes | +| Selection of Less-Secure Algorithm During Negotiation (SSL instead of TLS) | CWE-757 | OWASP:A02 | Yes | | Sensitive Cookie Without 'HttpOnly' Flag | CWE-1004 | OWASP:A05 | Yes | | Sensitive Cookie in HTTPS Session Without 'Secure' Attribute | CWE-614 | OWASP:A05 | Yes | | Cross-site Scripting (XSS) | CWE-79 | Sans Top 25, OWASP:A03 | Yes | -| XPath Injection | CWE-643 | OWASP:A03 | No | -| Regular Expression Denial of Service (ReDoS) | CWE-400 | None | No | +| XPath Injection | CWE-643 | OWASP:A03 | Yes | +| Regular Expression Denial of Service (ReDoS) | CWE-400 | None | Yes | diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-code/snyk-code-security-rules/ruby-rules.md b/scan-fix-and-prevent/scan-with-snyk/snyk-code/snyk-code-security-rules/ruby-rules.md index eea1911fd68a..13e8693aee0f 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-code/snyk-code-security-rules/ruby-rules.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-code/snyk-code-security-rules/ruby-rules.md @@ -9,35 +9,35 @@ Each rule includes the following information. | Rule Name | CWE(s) | Security Categories | Autofixable | | ------------------------------------------------------------------------------ | ----------------------------------------------------------- | ------------------------------------------------------- | ----------- | -| Code Injection | CWE-94 | Sans Top 25, OWASP:A03 | No | -| Command Injection | CWE-78 | Sans Top 25, OWASP:A03 | No | -| Remote Code Execution via Endpoint | CWE-94 | Sans Top 25, OWASP:A03 | No | -| Deserialization of Untrusted Data | CWE-502 | Sans Top 25, OWASP:A08 | No | -| Use of Hardcoded Credentials | CWE-798, CWE-259 | Sans Top 25, OWASP:A07 | No | -| Use of Hardcoded Cryptographic Key | CWE-321 | OWASP:A02 | No | -| Hardcoded Secret | CWE-547 | OWASP:A05 | No | -| Use of Hardcoded Passwords | CWE-798, CWE-259 | Sans Top 25, OWASP:A07 | No | -| Use of a Broken or Risky Cryptographic Algorithm | CWE-327 | OWASP:A02 | No | -| Use of Password Hash With Insufficient Computational Effort | CWE-916 | OWASP:A02 | No | -| Use of Insufficiently Random Values | CWE-330 | OWASP:A02 | No | -| Sinatra Protection Layers Disabled | CWE-16, CWE-352, CWE-79, CWE-693, CWE-1021, CWE-35, CWE-348 | Sans Top 25, OWASP:A05, OWASP:A03, OWASP:A01, OWASP:A04 | No | -| Insecure Data Transmission | CWE-319 | OWASP:A02 | No | -| Improper Input Validation | CWE-20 | Sans Top 25, OWASP:A03 | No | -| Improperly Controlled Modification of Dynamically-Determined Object Attributes | CWE-915 | OWASP:A08 | No | -| Selection of Less-Secure Algorithm During Negotiation (Force SSL) | CWE-311, CWE-757 | OWASP:A02, OWASP:A04 | No | -| Open Redirect | CWE-601 | OWASP:A01 | No | -| Path Traversal | CWE-23 | OWASP:A01 | No | -| Unsafe Reflection | CWE-470 | OWASP:A03 | No | -| Improper Certificate Validation | CWE-295 | OWASP:A07 | No | -| Information Exposure | CWE-200 | OWASP:A01 | No | -| Session Manipulation | CWE-285 | OWASP:A01 | No | -| SQL Injection | CWE-89 | Sans Top 25, OWASP:A03 | No | -| Improper Neutralization of Directives in Statically Saved Code | CWE-96 | OWASP:A03 | No | -| No Weak Password Requirements | CWE-521 | OWASP:A07 | No | -| Sensitive Cookie Without 'HttpOnly' Flag | CWE-1004 | OWASP:A05 | No | -| Sensitive Cookie in HTTPS Session Without 'Secure' Attribute | CWE-614 | OWASP:A05 | No | -| Incorrect regular expression for validating values | CWE-1286 | None | No | -| Cross-site Scripting (XSS) | CWE-79 | Sans Top 25, OWASP:A03 | No | -| XML External Entity (XXE) Injection | CWE-611 | OWASP:A05 | No | -| XPath Injection | CWE-643 | OWASP:A03 | No | -| Regular Expression Denial of Service (ReDoS) | CWE-400 | None | No | +| Code Injection | CWE-94 | Sans Top 25, OWASP:A03 | Yes | +| Command Injection | CWE-78 | Sans Top 25, OWASP:A03 | Yes | +| Remote Code Execution via Endpoint | CWE-94 | Sans Top 25, OWASP:A03 | Yes | +| Deserialization of Untrusted Data | CWE-502 | Sans Top 25, OWASP:A08 | Yes | +| Use of Hardcoded Credentials | CWE-798, CWE-259 | Sans Top 25, OWASP:A07 | Yes | +| Use of Hardcoded Cryptographic Key | CWE-321 | OWASP:A02 | Yes | +| Hardcoded Secret | CWE-547 | OWASP:A05 | Yes | +| Use of Hardcoded Passwords | CWE-798, CWE-259 | Sans Top 25, OWASP:A07 | Yes | +| Use of a Broken or Risky Cryptographic Algorithm | CWE-327 | OWASP:A02 | Yes | +| Use of Password Hash With Insufficient Computational Effort | CWE-916 | OWASP:A02 | Yes | +| Use of Insufficiently Random Values | CWE-330 | OWASP:A02 | Yes | +| Sinatra Protection Layers Disabled | CWE-16, CWE-352, CWE-79, CWE-693, CWE-1021, CWE-35, CWE-348 | Sans Top 25, OWASP:A05, OWASP:A03, OWASP:A01, OWASP:A04 | Yes | +| Insecure Data Transmission | CWE-319 | OWASP:A02 | Yes | +| Improper Input Validation | CWE-20 | Sans Top 25, OWASP:A03 | Yes | +| Improperly Controlled Modification of Dynamically-Determined Object Attributes | CWE-915 | OWASP:A08 | Yes | +| Selection of Less-Secure Algorithm During Negotiation (Force SSL) | CWE-311, CWE-757 | OWASP:A02, OWASP:A04 | Yes | +| Open Redirect | CWE-601 | OWASP:A01 | Yes | +| Path Traversal | CWE-23 | OWASP:A01 | Yes | +| Unsafe Reflection | CWE-470 | OWASP:A03 | Yes | +| Improper Certificate Validation | CWE-295 | OWASP:A07 | Yes | +| Information Exposure | CWE-200 | OWASP:A01 | Yes | +| Session Manipulation | CWE-285 | OWASP:A01 | Yes | +| SQL Injection | CWE-89 | Sans Top 25, OWASP:A03 | Yes | +| Improper Neutralization of Directives in Statically Saved Code | CWE-96 | OWASP:A03 | Yes | +| No Weak Password Requirements | CWE-521 | OWASP:A07 | Yes | +| Sensitive Cookie Without 'HttpOnly' Flag | CWE-1004 | OWASP:A05 | Yes | +| Sensitive Cookie in HTTPS Session Without 'Secure' Attribute | CWE-614 | OWASP:A05 | Yes | +| Incorrect regular expression for validating values | CWE-1286 | None | Yes | +| Cross-site Scripting (XSS) | CWE-79 | Sans Top 25, OWASP:A03 | Yes | +| XML External Entity (XXE) Injection | CWE-611 | OWASP:A05 | Yes | +| XPath Injection | CWE-643 | OWASP:A03 | Yes | +| Regular Expression Denial of Service (ReDoS) | CWE-400 | None | Yes | diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-code/snyk-code-security-rules/rust-rules.md b/scan-fix-and-prevent/scan-with-snyk/snyk-code/snyk-code-security-rules/rust-rules.md index 5bdb412bb173..f742ef93ff00 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-code/snyk-code-security-rules/rust-rules.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-code/snyk-code-security-rules/rust-rules.md @@ -13,18 +13,18 @@ Each rule includes the following information. | Rule Name | CWE(s) | Security Categories | Autofixable | | ----------------------------------------------------------- | ---------------- | ---------------------- | ----------- | -| Command Injection | CWE-78 | Sans Top 25, OWASP:A03 | No | -| Cross-site Scripting (XSS) | CWE-79 | Sans Top 25, OWASP:A03 | No | -| Hardcoded Secret | CWE-547 | OWASP:A05 | No | -| Inadequate Padding for Public Key Encryption | CWE-326 | OWASP:A02 | No | -| Insecure File Permissions | CWE-732 | OWASP:A05 | No | -| Observable Timing Discrepancy | CWE-208 | OWASP:A02 | No | -| Open Redirect | CWE-601 | OWASP:A01 | No | -| Origin Validation Error | CWE-346, CWE-942 | OWASP:A05 | No | -| Path Traversal | CWE-23 | OWASP:A01 | No | -| SQL Injection | CWE-89 | Sans Top 25, OWASP:A03 | No | -| Server-Side Request Forgery (SSRF) | CWE-918 | Sans Top 25, OWASP:A10 | No | -| Use of Hardcoded Passwords | CWE-259, CWE-798 | Sans Top 25, OWASP:A07 | No | -| Use of Insufficiently Random Values | CWE-330 | OWASP:A02 | No | -| Use of Password Hash With Insufficient Computational Effort | CWE-916 | OWASP:A02 | No | -| Use of a Broken or Risky Cryptographic Algorithm | CWE-327 | OWASP:A02 | No | +| Command Injection | CWE-78 | Sans Top 25, OWASP:A03 | Yes | +| Cross-site Scripting (XSS) | CWE-79 | Sans Top 25, OWASP:A03 | Yes | +| Hardcoded Secret | CWE-547 | OWASP:A05 | Yes | +| Inadequate Padding for Public Key Encryption | CWE-326 | OWASP:A02 | Yes | +| Insecure File Permissions | CWE-732 | OWASP:A05 | Yes | +| Observable Timing Discrepancy | CWE-208 | OWASP:A02 | Yes | +| Open Redirect | CWE-601 | OWASP:A01 | Yes | +| Origin Validation Error | CWE-346, CWE-942 | OWASP:A05 | Yes | +| Path Traversal | CWE-23 | OWASP:A01 | Yes | +| SQL Injection | CWE-89 | Sans Top 25, OWASP:A03 | Yes | +| Server-Side Request Forgery (SSRF) | CWE-918 | Sans Top 25, OWASP:A10 | Yes | +| Use of Hardcoded Passwords | CWE-259, CWE-798 | Sans Top 25, OWASP:A07 | Yes | +| Use of Insufficiently Random Values | CWE-330 | OWASP:A02 | Yes | +| Use of Password Hash With Insufficient Computational Effort | CWE-916 | OWASP:A02 | Yes | +| Use of a Broken or Risky Cryptographic Algorithm | CWE-327 | OWASP:A02 | Yes | diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-code/snyk-code-security-rules/scala-rules.md b/scan-fix-and-prevent/scan-with-snyk/snyk-code/snyk-code-security-rules/scala-rules.md index d2bbdb51c04c..ee37e3acdce0 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-code/snyk-code-security-rules/scala-rules.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-code/snyk-code-security-rules/scala-rules.md @@ -9,50 +9,50 @@ Each rule includes the following information. | Rule Name | CWE(s) | Security Categories | Autofixable | | ------------------------------------------------------------ | ---------------- | ---------------------- | ----------- | -| Use of Potentially Dangerous Function | CWE-676 | None | No | -| Cleartext Storage of Sensitive Information in a Cookie | CWE-315 | OWASP:A05 | No | -| Code Injection | CWE-94 | Sans Top 25, OWASP:A03 | No | -| Command Injection | CWE-78 | Sans Top 25, OWASP:A03 | No | -| Deserialization of Untrusted Data | CWE-502 | Sans Top 25, OWASP:A08 | No | -| Cross-Site Request Forgery (CSRF) | CWE-352 | Sans Top 25, OWASP:A01 | No | -| Information Exposure | CWE-200 | OWASP:A01 | No | -| Cleartext Transmission of Sensitive Information | CWE-319 | OWASP:A02 | No | -| Indirect Command Injection via User Controlled Environment | CWE-78 | Sans Top 25, OWASP:A03 | No | -| External Control of System or Configuration Setting | CWE-15 | OWASP:A05 | No | -| Process Control | CWE-114 | None | No | -| Use of Hardcoded Passwords | CWE-798, CWE-259 | Sans Top 25, OWASP:A07 | No | -| Hardcoded Secret | CWE-547 | OWASP:A05 | No | -| Improper Neutralization of CRLF Sequences in HTTP Headers | CWE-113 | OWASP:A03 | No | -| Disabled Neutralization of CRLF Sequences in HTTP Headers | CWE-113 | OWASP:A03 | No | -| Inadequate Padding for AES encryption | CWE-326 | OWASP:A02 | No | -| Use of a Broken or Risky Cryptographic Algorithm | CWE-327 | OWASP:A02 | No | -| Use of Password Hash With Insufficient Computational Effort | CWE-916 | OWASP:A02 | No | -| Use of Insufficiently Random Values | CWE-330 | OWASP:A02 | No | -| Improper Validation of Certificate with Host Mismatch | CWE-297 | OWASP:A07 | No | -| Java Naming and Directory Interface (JNDI) Injection | CWE-074 | None | No | -| Improper Authentication | CWE-287 | Sans Top 25, OWASP:A07 | No | -| LDAP Injection | CWE-90 | OWASP:A03 | No | -| Use of Hardcoded Credentials | CWE-798 | Sans Top 25, OWASP:A07 | No | -| The cipher text is equal to the provided input plain text | CWE-311 | OWASP:A04 | No | -| Use of Hardcoded, Security-relevant Constants | CWE-547 | OWASP:A05 | No | -| Open Redirect | CWE-601 | OWASP:A01 | No | -| Path Traversal | CWE-23 | OWASP:A01 | No | -| Regular expression injection | CWE-400, CWE-730 | None | No | -| Unprotected Storage of Credentials | CWE-256 | OWASP:A04 | No | -| Server Information Exposure | CWE-209 | OWASP:A04 | No | -| Cross-site Scripting (XSS) | CWE-79 | Sans Top 25, OWASP:A03 | No | -| Android World Writeable/Readable File Permission Found | CWE-732 | None | No | -| SQL Injection | CWE-89 | Sans Top 25, OWASP:A03 | No | -| Server-Side Request Forgery (SSRF) | CWE-918 | Sans Top 25, OWASP:A10 | No | -| Inadequate Encryption Strength | CWE-326 | OWASP:A02 | No | -| Observable Timing Discrepancy (Timing Attack) | CWE-208 | None | No | -| Origin Validation Error | CWE-942, CWE-346 | OWASP:A05, OWASP:A07 | No | -| Improper Certificate Validation | CWE-295 | OWASP:A07 | No | -| Cryptographic Issues | CWE-310 | OWASP:A02 | No | -| Trust Boundary Violation | CWE-501 | OWASP:A04 | No | -| Use of Externally-Controlled Format String | CWE-134 | None | No | -| Sensitive Cookie Without 'HttpOnly' Flag | CWE-1004 | OWASP:A05 | No | -| Sensitive Cookie in HTTPS Session Without 'Secure' Attribute | CWE-614 | OWASP:A05 | No | -| Insufficient Session Expiration | CWE-613 | OWASP:A07 | No | -| XML External Entity (XXE) Injection | CWE-611 | OWASP:A05 | No | -| XPath Injection | CWE-643 | OWASP:A03 | No | +| Use of Potentially Dangerous Function | CWE-676 | None | Yes | +| Cleartext Storage of Sensitive Information in a Cookie | CWE-315 | OWASP:A05 | Yes | +| Code Injection | CWE-94 | Sans Top 25, OWASP:A03 | Yes | +| Command Injection | CWE-78 | Sans Top 25, OWASP:A03 | Yes | +| Deserialization of Untrusted Data | CWE-502 | Sans Top 25, OWASP:A08 | Yes | +| Cross-Site Request Forgery (CSRF) | CWE-352 | Sans Top 25, OWASP:A01 | Yes | +| Information Exposure | CWE-200 | OWASP:A01 | Yes | +| Cleartext Transmission of Sensitive Information | CWE-319 | OWASP:A02 | Yes | +| Indirect Command Injection via User Controlled Environment | CWE-78 | Sans Top 25, OWASP:A03 | Yes | +| External Control of System or Configuration Setting | CWE-15 | OWASP:A05 | Yes | +| Process Control | CWE-114 | None | Yes | +| Use of Hardcoded Passwords | CWE-798, CWE-259 | Sans Top 25, OWASP:A07 | Yes | +| Hardcoded Secret | CWE-547 | OWASP:A05 | Yes | +| Improper Neutralization of CRLF Sequences in HTTP Headers | CWE-113 | OWASP:A03 | Yes | +| Disabled Neutralization of CRLF Sequences in HTTP Headers | CWE-113 | OWASP:A03 | Yes | +| Inadequate Padding for AES encryption | CWE-326 | OWASP:A02 | Yes | +| Use of a Broken or Risky Cryptographic Algorithm | CWE-327 | OWASP:A02 | Yes | +| Use of Password Hash With Insufficient Computational Effort | CWE-916 | OWASP:A02 | Yes | +| Use of Insufficiently Random Values | CWE-330 | OWASP:A02 | Yes | +| Improper Validation of Certificate with Host Mismatch | CWE-297 | OWASP:A07 | Yes | +| Java Naming and Directory Interface (JNDI) Injection | CWE-074 | None | Yes | +| Improper Authentication | CWE-287 | Sans Top 25, OWASP:A07 | Yes | +| LDAP Injection | CWE-90 | OWASP:A03 | Yes | +| Use of Hardcoded Credentials | CWE-798 | Sans Top 25, OWASP:A07 | Yes | +| The cipher text is equal to the provided input plain text | CWE-311 | OWASP:A04 | Yes | +| Use of Hardcoded, Security-relevant Constants | CWE-547 | OWASP:A05 | Yes | +| Open Redirect | CWE-601 | OWASP:A01 | Yes | +| Path Traversal | CWE-23 | OWASP:A01 | Yes | +| Regular expression injection | CWE-400, CWE-730 | None | Yes | +| Unprotected Storage of Credentials | CWE-256 | OWASP:A04 | Yes | +| Server Information Exposure | CWE-209 | OWASP:A04 | Yes | +| Cross-site Scripting (XSS) | CWE-79 | Sans Top 25, OWASP:A03 | Yes | +| Android World Writeable/Readable File Permission Found | CWE-732 | None | Yes | +| SQL Injection | CWE-89 | Sans Top 25, OWASP:A03 | Yes | +| Server-Side Request Forgery (SSRF) | CWE-918 | Sans Top 25, OWASP:A10 | Yes | +| Inadequate Encryption Strength | CWE-326 | OWASP:A02 | Yes | +| Observable Timing Discrepancy (Timing Attack) | CWE-208 | None | Yes | +| Origin Validation Error | CWE-942, CWE-346 | OWASP:A05, OWASP:A07 | Yes | +| Improper Certificate Validation | CWE-295 | OWASP:A07 | Yes | +| Cryptographic Issues | CWE-310 | OWASP:A02 | Yes | +| Trust Boundary Violation | CWE-501 | OWASP:A04 | Yes | +| Use of Externally-Controlled Format String | CWE-134 | None | Yes | +| Sensitive Cookie Without 'HttpOnly' Flag | CWE-1004 | OWASP:A05 | Yes | +| Sensitive Cookie in HTTPS Session Without 'Secure' Attribute | CWE-614 | OWASP:A05 | Yes | +| Insufficient Session Expiration | CWE-613 | OWASP:A07 | Yes | +| XML External Entity (XXE) Injection | CWE-611 | OWASP:A05 | Yes | +| XPath Injection | CWE-643 | OWASP:A03 | Yes | diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-code/snyk-code-security-rules/swift-rules.md b/scan-fix-and-prevent/scan-with-snyk/snyk-code/snyk-code-security-rules/swift-rules.md index e8d68810f52a..accfc76d04ce 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-code/snyk-code-security-rules/swift-rules.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-code/snyk-code-security-rules/swift-rules.md @@ -9,25 +9,25 @@ Each rule includes the following information. | Rule Name | CWE(s) | Security Categories | Autofixable | | ------------------------------------------------------------ | ---------------- | ---------------------- | ----------- | -| Clear Text Logging | CWE-200, CWE-312 | OWASP:A01, OWASP:A04 | No | -| Code Injection | CWE-94 | Sans Top 25, OWASP:A03 | No | -| Command Injection | CWE-78 | Sans Top 25, OWASP:A03 | No | -| Device Authentication Bypass | CWE-287 | Sans Top 25, OWASP:A07 | No | -| Hardcoded Secret | CWE-547 | OWASP:A05 | No | -| Use of a Broken or Risky Cryptographic Algorithm | CWE-327 | OWASP:A02 | No | -| Use of Password Hash With Insufficient Computational Effort | CWE-916 | OWASP:A02 | No | -| Information Exposure | CWE-200 | OWASP:A01 | No | -| Use of Insufficiently Random Values | CWE-330 | OWASP:A02 | No | -| Insecure Data Storage | CWE-922 | OWASP:A01 | No | -| Memory Corruption | CWE-822 | None | No | -| Use of Hardcoded Credentials | CWE-798 | Sans Top 25, OWASP:A07 | No | -| Use of Hardcoded Passwords | CWE-798, CWE-259 | Sans Top 25, OWASP:A07 | No | -| Path Traversal | CWE-23 | OWASP:A01 | No | -| Improper Certificate Validation | CWE-295 | OWASP:A07 | No | -| SQL Injection | CWE-89 | Sans Top 25, OWASP:A03 | No | -| Server-Side Request Forgery (SSRF) | CWE-918 | Sans Top 25, OWASP:A10 | No | -| Insecure Deserialization | CWE-502 | Sans Top 25, OWASP:A08 | No | -| Inadequate Encryption Strength | CWE-326 | OWASP:A02 | No | -| Sensitive Cookie in HTTPS Session Without 'Secure' Attribute | CWE-614 | OWASP:A05 | No | -| Cross-site Scripting (XSS) | CWE-79 | Sans Top 25, OWASP:A03 | No | -| XML External Entity (XXE) Injection | CWE-611 | OWASP:A05 | No | +| Clear Text Logging | CWE-200, CWE-312 | OWASP:A01, OWASP:A04 | Yes | +| Code Injection | CWE-94 | Sans Top 25, OWASP:A03 | Yes | +| Command Injection | CWE-78 | Sans Top 25, OWASP:A03 | Yes | +| Device Authentication Bypass | CWE-287 | Sans Top 25, OWASP:A07 | Yes | +| Hardcoded Secret | CWE-547 | OWASP:A05 | Yes | +| Use of a Broken or Risky Cryptographic Algorithm | CWE-327 | OWASP:A02 | Yes | +| Use of Password Hash With Insufficient Computational Effort | CWE-916 | OWASP:A02 | Yes | +| Information Exposure | CWE-200 | OWASP:A01 | Yes | +| Use of Insufficiently Random Values | CWE-330 | OWASP:A02 | Yes | +| Insecure Data Storage | CWE-922 | OWASP:A01 | Yes | +| Memory Corruption | CWE-822 | None | Yes | +| Use of Hardcoded Credentials | CWE-798 | Sans Top 25, OWASP:A07 | Yes | +| Use of Hardcoded Passwords | CWE-798, CWE-259 | Sans Top 25, OWASP:A07 | Yes | +| Path Traversal | CWE-23 | OWASP:A01 | Yes | +| Improper Certificate Validation | CWE-295 | OWASP:A07 | Yes | +| SQL Injection | CWE-89 | Sans Top 25, OWASP:A03 | Yes | +| Server-Side Request Forgery (SSRF) | CWE-918 | Sans Top 25, OWASP:A10 | Yes | +| Insecure Deserialization | CWE-502 | Sans Top 25, OWASP:A08 | Yes | +| Inadequate Encryption Strength | CWE-326 | OWASP:A02 | Yes | +| Sensitive Cookie in HTTPS Session Without 'Secure' Attribute | CWE-614 | OWASP:A05 | Yes | +| Cross-site Scripting (XSS) | CWE-79 | Sans Top 25, OWASP:A03 | Yes | +| XML External Entity (XXE) Injection | CWE-611 | OWASP:A05 | Yes | diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-code/snyk-code-security-rules/visual-basic-rules.md b/scan-fix-and-prevent/scan-with-snyk/snyk-code/snyk-code-security-rules/visual-basic-rules.md index 6acfae309257..5bf79bf72eb7 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-code/snyk-code-security-rules/visual-basic-rules.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-code/snyk-code-security-rules/visual-basic-rules.md @@ -9,27 +9,27 @@ Each rule includes the following information. | Rule Name | CWE(s) | Security Categories | Autofixable | | ------------------------------------------------------------ | ---------------- | ---------------------- | ----------- | -| Debug Features Enabled | CWE-215 | None | No | -| Usage of BinaryFormatter | CWE-502 | Sans Top 25, OWASP:A08 | No | -| Code Injection | CWE-94 | Sans Top 25, OWASP:A03 | No | -| Command Injection | CWE-78 | Sans Top 25, OWASP:A03 | No | -| Deserialization of Untrusted Data | CWE-502 | Sans Top 25, OWASP:A08 | No | -| Hardcoded Secret | CWE-547 | OWASP:A05 | No | -| Improper Neutralization of CRLF Sequences in HTTP Headers | CWE-113 | OWASP:A03 | No | -| Use of a Broken or Risky Cryptographic Algorithm | CWE-327 | OWASP:A02 | No | -| Use of Password Hash With Insufficient Computational Effort | CWE-916 | OWASP:A02 | No | -| Use of Insufficiently Random Values | CWE-330 | OWASP:A02 | No | -| Use of Hardcoded Credentials | CWE-798 | Sans Top 25, OWASP:A07 | No | -| Open Redirect | CWE-601 | OWASP:A01 | No | -| Path Traversal | CWE-23 | OWASP:A01 | No | -| Regular expression injection | CWE-400, CWE-730 | None | No | -| Request Validation Disabled | CWE-554 | None | No | -| SQL Injection | CWE-89 | Sans Top 25, OWASP:A03 | No | -| Server-Side Request Forgery (SSRF) | CWE-918 | Sans Top 25, OWASP:A10 | No | -| Inadequate Encryption Strength | CWE-326 | OWASP:A02 | No | -| Sensitive Cookie Without 'HttpOnly' Flag | CWE-1004 | OWASP:A05 | No | -| Sensitive Cookie in HTTPS Session Without 'Secure' Attribute | CWE-614 | OWASP:A05 | No | -| Cross-site Scripting (XSS) | CWE-79 | Sans Top 25, OWASP:A03 | No | -| XML External Entity (XXE) Injection | CWE-611 | OWASP:A05 | No | -| XML Injection | CWE-91 | OWASP:A03 | No | -| XPath Injection | CWE-643 | OWASP:A03 | No | +| Debug Features Enabled | CWE-215 | None | Yes | +| Usage of BinaryFormatter | CWE-502 | Sans Top 25, OWASP:A08 | Yes | +| Code Injection | CWE-94 | Sans Top 25, OWASP:A03 | Yes | +| Command Injection | CWE-78 | Sans Top 25, OWASP:A03 | Yes | +| Deserialization of Untrusted Data | CWE-502 | Sans Top 25, OWASP:A08 | Yes | +| Hardcoded Secret | CWE-547 | OWASP:A05 | Yes | +| Improper Neutralization of CRLF Sequences in HTTP Headers | CWE-113 | OWASP:A03 | Yes | +| Use of a Broken or Risky Cryptographic Algorithm | CWE-327 | OWASP:A02 | Yes | +| Use of Password Hash With Insufficient Computational Effort | CWE-916 | OWASP:A02 | Yes | +| Use of Insufficiently Random Values | CWE-330 | OWASP:A02 | Yes | +| Use of Hardcoded Credentials | CWE-798 | Sans Top 25, OWASP:A07 | Yes | +| Open Redirect | CWE-601 | OWASP:A01 | Yes | +| Path Traversal | CWE-23 | OWASP:A01 | Yes | +| Regular expression injection | CWE-400, CWE-730 | None | Yes | +| Request Validation Disabled | CWE-554 | None | Yes | +| SQL Injection | CWE-89 | Sans Top 25, OWASP:A03 | Yes | +| Server-Side Request Forgery (SSRF) | CWE-918 | Sans Top 25, OWASP:A10 | Yes | +| Inadequate Encryption Strength | CWE-326 | OWASP:A02 | Yes | +| Sensitive Cookie Without 'HttpOnly' Flag | CWE-1004 | OWASP:A05 | Yes | +| Sensitive Cookie in HTTPS Session Without 'Secure' Attribute | CWE-614 | OWASP:A05 | Yes | +| Cross-site Scripting (XSS) | CWE-79 | Sans Top 25, OWASP:A03 | Yes | +| XML External Entity (XXE) Injection | CWE-611 | OWASP:A05 | Yes | +| XML Injection | CWE-91 | OWASP:A03 | Yes | +| XPath Injection | CWE-643 | OWASP:A03 | Yes |