Rule updates
Recent rule updates in AppScan 360°.
November 6, 2025
- New rule.
| Language | CWE | Description |
|---|---|---|
| NodeJS | CWE-78 | Additional check for unsafe
child_process.exec calls. |
| Perl | CWE-89 | Reduce noise in the SQL injection rule which errantly produced findings for parameterized statements. |
| CWE-732 | Reduce noise for open calls using STDIN as the input. | |
| PHP | CWE-213 | Added check for lingering phpInfo calls in PHP code. 1 |
| CWE-89 | New check to validate away findings using
sqlite_escape_string. |
|
| TypeScript | CWE-94 | Additional check for eval containing a potentially user controlled variable. |
October 7, 2025
- New rule.
| Language | CWE | Description |
|---|---|---|
| C# | CWE-89 | Reduce noise in SQLi detection. |
| Java | CWE-209 | Check for System.out and
System.err usage in code (debug calls that
should be removed from production code). 1 |
| Secrets | CWE-1051 | Noise reduction: Hard coded IP Address check avoids likely version numbers |
| CWE-798 | Reduce noise in Atlassian secret detection. | |
| CWE-798 | Reduce noise in key\value pairs of secrets. | |
| CWE-798 | Additional coverage to find passwords with 1234 in the string as part of the hard coded password. |
September 10, 2025
- New rule.
| Language | CWE | Description |
|---|---|---|
| CSS | CWE-79 | Reduce noise found on hardcoded variable check in
.css files. |
| Go | CWE-79 | Reduce noise produced in fprintf
check. |
| IaC Docker | CWE-22 | Check for sensitive paths being added in a DockerFile.1 |
| IaC Kubernetes | CWE-209 | Added a check for left behind stack trace code in
.yaml configuration files.
1 |
| Java | CWE-78 | Looks for inline calls of
Runtime.getRunTime(). |
| CWE-757 | Enhanced the list of what we check for as insecure and broken. | |
| CWE-916 | Check for a weak iteration count for
PBEKeySpec and
PBEParameterSpec. 1 |
|
| CWE-1188 | Denial of service check with StringBuilder
constructor using large or user controlled values.
1 |
|
| PHP | CWE-89 | Added a validator check for
sqlite_escape_string. |
| Secrets | CWE-798 | Some noisy patterns removed as a finding. |
| CWE-798 | Looks in web.config files for hard-coded
credentials. |
|
| CWE-1051 | Check for hard coded IP addresses adjusted to avoid strings that appear to be IP addresses but are not. |
July 14, 2025
- New rule.
| Language | CWE | Description |
|---|---|---|
| Python | CWE-78 | Looks for unsafe use of os.system.
1 |
| CWE-79 | Improved clarity of rule for Python Django. | |
| Secrets | CWE-1051 | Removed noisy patterns for hardcoded IP address check. |
| CWE-798 | Removed noisy patterns for hardcoded credentials:
|
June 13, 2025
Markup additions for Java:
- 68 new sources
- 10 new sinks
| Language | CWE | Description |
|---|---|---|
| Secrets | Some noisy patterns removed as a finding. | |
| Java source code | CWE-111 | Added a check for dangerous uses of
DllImport. |
| CWE-918 | Added check for URL openStream with potential user controlled data. |
May 7, 2025
All rule updates in this release are new rules.
| Language | CWE | Description |
|---|---|---|
| C# source code scanner | CWE-94 | Check for
CSharpScript.EvaluateAsync. |
| CWE-532 | Check for logging of personally identifying information (PII), such as usernames or passwords. | |
| CWE-111 | Check for dangerous uses of
DllImport. |
|
| Java source code scanner | CWE-532 | Check for logging of personally identifying information (PII), such as usernames or passwords. |
| CWE-102 | Check for duplicate form names within Struts validation XML files. | |
| CWE-104 | Check for a class extending an ActionForm
without validation. |
|
| PHP | CWE-111 | Check for uses of FFI::cdef containing
unsafe calls. |
| Python | CWE-111 | Check for uses of ctypes.DLL not using a
fully qualified path for the argument. |
April 1, 2025
- New rules
| Language | CWE | Description |
|---|---|---|
| All languages | CWE-798 | Improved noise reduction |
| C# | CWE-328 | Autofix applies more modern function calls |
| CWE-1333 | Checking for timeouts applied to regex objects1 | |
| CWE-89 | New captures of SQLi through building the query through
String.Append |
|
Security information updated for
Microsoft.CodeAnalysis.CSharp.Scripting and
Microsoft.AspNetCore.Mvc.ViewFeatures |
||
| ColdFusion | CWE-328 | Adjusted the check for improved performance |
| HTML | CWE-319 | Avoid localhost style noise in the URL |
| IaC | CWE-770 | Two new autofixes |
| CWE-311 | Additional check for proper TLS settings in Amazon Load Balancer | |
| Java | CWE-479 | Updated autofix |
| JavaScript | CWE-598 | Looking for URLSearchParams flaws in
JavaScript files.1 |
| Python | CWE-502 | Looking for unsafe reflection in Java1 |
December 11, 2024
| Language | CWE | Description |
|---|---|---|
| C# | CWE-78 | Adjusted to reduce noisy findings for OS injection. |
| IaC | CWE-798 | Adjusted to reduce noisy findings for TypeScript code constructs. |
| CWE-1051 | Adjusted to reduce noisy findings for IP patterns in HTML files. | |
| CWE-1328 | Adjusted to reduce noisy findings for Docker image references. | |
| HTML | CWE-79 | New rules for file extensions:
|
| CWE-319 | ||
| CWE-524 | ||
| CWE-525 | ||
| CWE-598 | ||
| CWE-1021 | ||
| CWE-1022 | ||
| JavaScript | CWE-209 | Adjusted to reduce noisy findings. |
| CWE-359 | Adjusted to reduce noisy findings. | |
| CWE-1022 | Adjusted to reduce noisy findings for
window.open findings. |
|
| Secrets | CWE-798 | Looking for hard coded passwords found within URL query strings. |
| CWE-284 | Adjusted to reduce noisy findings in Azure shared access signatures token exposure findings. | |
| Visual Basic | CWE-78 | Adjusted to reduce noisy findings. |
| CWE-328 | Adjusted to reduce noisy findings. |
December 3, 2024
Note:
- New rules
- Reduced noise in rule
| Language | CWE | Description |
|---|---|---|
| ASP.NET | CWE-1188 | Cookieless session state enabled in project configuration. 2 |
| CWE-79 | Potential XSS for inline expression in code. 2 | |
| C# | CWE-601 | Request redirect with potential user-controlled data in variable. 2 |
| CWE-185 | Regular expression injection.2 | |
| IaC Terraform | CWE-410 | Insecure load balancer configuration.1 |
| Java | CWE-337 | Predictable seed for SecureRandom instance
in Java code.2 |
| CWE-918 | Server-side request forgery in
RestTemplate().exchange.
2 |
|
| CWE-185 | Regular expression injection in Java code.2 | |
| CWE-244 | Password stored in Java string object.2 | |
| JavaScript | CWE-79 | Insecure use of
document.referrer.2 |
| PHP | CWE-79 | User-controlled data within PHP converted to HTML.2 |
| Python Django | CWE-79 |
|
| CWE-89 | ||
| CWE-200 | ||
| CWE-201 | ||
| CWE-212 | ||
| CWE-352 | ||
| CWE-497 | ||
| CWE-522 | ||
| CWE-523 | ||
| CWE-795 | ||
| CWE-918 | ||
| CWE-1021 | ||
| CWE-1188 | ||
| CWE-1295 | ||
| Secrets | CWE-798 | Hardcoded basic auth credentials.1 |
| VB.NET | CWE-502 | Possible deserialization.2 |
September 17, 2024
Note:
- New rules
- New or expanded autofix rules
| Language | CWE | Change |
|---|---|---|
| Infrastructure as Code (IaC) | CWE-250 | Insecure use of apt-get command detected in
Dockerfile. 1 |
| CWE-1328 | Insecure use of Base image version detected in Dockerfile. 1 | |
| CWE-276 | Default security profile is disabled. 2 | |
| JavaScript | CWE-1022 | Leaked referrer information. 2 |
| Kotlin | CWE-922 | Improper data storage access found in Kotlin code. 2 |
| PHP | CWE-98 | The allow_url_fopen directive is enabled.
2 |
| CWE-98 | The allow_url_include directive is enabled.
2 |
|
| CWE-94 | The cgi.force_redirect directive is
disabled. 2 |
|
| CWE-614 | Sensitive cookie in HTTPS session without
Secure attribute. 2 |
|
| Python | CWE-732 | Insecure use of ALLOWED_HOSTS in Django
settings. 1 |
| CWE-539 | Insecure CSRF or session cookie settings in Django. 1 | |
| CWE-1021 | Potential ClickjackingvAttack via
X_FRAME_OPTIONS. 1 |
|
| CWE-79 | Potential XSS vulnerability from use of safe
or safeseq filters in Django templates.
1 |
|
| CWE-79 | Potential XSS vulnerability in Django HttpResponse. 1 | |
| CWE-150 | Expanded coverage for environment objects autoescape false. 2 | |
| CWE-539 | Insecure CSRF or session cookie settings in Django. 2 | |
| Ruby | CWE-78 | Insecure use of backticks. 2 |
| CWE-78 | Insecure use of system method. 2 | |
| Rust | CWE-295 | Potential CMS message decryption without certificate checks detected. 2 |
| CWE-327 | Potential weak elliptic curve cryptography usage detected. 2 | |
| CWE-326 | Potential weak RSA key length detected. 2 |
September 4, 2024
General updates:
-
Scan now avoids all minified files.
- .NET data flow support for
System.Data.SQLite.
Note:
- New rules
- New autofix rules
- Rule fixes
| Language | CWE | Change | |
|---|---|---|---|
| .NET | ASP.NET | CWE-1188 | Cookieless session state enabled in ASP.NET project configuration.2 |
| C# | CWE-319 | Open communications scheme detected.2 | |
| CWE-328 | Weak cipher algorithm detected.2 | ||
| CWE-327 | JWT Builder with no signature verification is detected.2 | ||
| VB.NET | CWE-1173 | HTTP request validation is disabled in VB code.2 | |
| CWE-328 | Use of weak cryptographic algorithm in VB code.2 | ||
| Angular | CWE-94 | Potential code injection vulnerability in sandbox VM.1 | |
| AngularJS | CWE-477 | Deprecated call found:
(ng-bind-html-unsafe).2 |
|
| Apex | CWE-943 | SOQL injection.2 | |
| CWE-943 | SOSL injection.2 | ||
| CWE-328 | Weak hash algorithm chosen.2 | ||
| CWE-79 | Script or style cross-site scripting (XSS).2 | ||
| ASP | CWE-319 | Open communications scheme detected in ASP code.2 | |
| C/C++ | CWE-367 | Potentially dangerous use of temp file name function. Corrected context and autofix enabled.3 | |
| CWE-78 | Potential command injection detected. Expanded coverage.3 | ||
| CWE-250 | CreateFile call which appears to violate
principle of least privilege.2 |
||
| CWE-250 | CreateNamedPipe is missing
FILE_FLAG_FIRST_PIPE_INSTANCE
flag.2 |
||
| CWE-757 | Insecure use of (SSL/TLS) protocol discovered.2 | ||
| CWE-295 | Potentially dangerous use of Curl configuration discovered (seven different rules in this category).2 | ||
| CWE-427 | Potential principle of least privilege registry manipulation detected.2 | ||
| CWE-611 | Unsafe external entity processing enabled.2 | ||
| ColdFusion | CWE-524 | cfCache caching secure
pages.2 |
|
| CWE-502 | cfWddx missing WDDX
validation.2 |
||
| CWE-862 | Client not verified In
cfFunction.2 |
||
| CWE-319 | Insecure communications.2 | ||
| CWE-307 | Multiple submission validation.2 | ||
| CWE-327 | Unsafe algorithm used in encrypt function.2 | ||
| Dart | CWE-522 |
AutoComplete turned on for potentially sensitive
field.2 |
|
| CWE-319 | Open communications scheme detected with
HttpServer.2 |
||
| CWE-319 | Open socket communications detected.2 | ||
| CWE-319 | Open communications scheme with Uri detected.2 | ||
| CWE-79 | Insecure use of window open in Dart code.2 | ||
| CWE-319 | Open communications scheme detected in string.2 | ||
| CWE-79 | Unsafe content security policy keyword found.2 | ||
| Docker | CWE-770 | Limit CPU to prevent a denial-of-service (DoS) attack.2 | |
| CWE-770 | Limit the number of restarts on failure to prevent a denial-of-service (DoS).2 | ||
| Go | CWE-489 | Debugging package pprof for HTTP
detected.2 |
|
| CWE-1004 | Golang code contains insecure
http.Cookie.2 |
||
| CWE-319 | Open communications scheme detected in Golang code.2 | ||
| Groovy | CWE-319 | Open communications scheme detected in Groovy code.2 | |
| CWE-79 | Potential cross-site scripting vulnerability detected in Groovy source code added additional autofixes for all instances.2 | ||
| Java | CWE-489 | Enabling debug in web security reveals data in Spring.2 | |
| CWE-1390 | Ignore comments in SAML leads to broken authentication.2 | ||
| CWE-548 | Insecure directory listing for default servlet in tomcat configuration.2 | ||
| CWE-276 | Insecure file permission use detected in Java.2 | ||
| CWE-489 | Print stack trace is detected in Java code.2 | ||
| CWE-489 | Debuggable flag is set to true in Android application.2 | ||
| CWE-1188 | Improper shared preferences mode detected in Android code.2 | ||
| JavaScript | CWE-359 | Insecure event transmission policy: corrected context and auto fix enabled.3 | |
| CWE-79 | Potential XSS vulnerability detected in
jQuery.append. Faster performance
now.3 |
||
| CWE-79 | Overriding the Mustache escape method is dangerous.2 | ||
| CWE-319 | Insecure event transmission policy.2 | ||
| Kotlin | CWE-319 | Open communication detected in Kotlin code.2 | |
| NodeJS | CWE-614 | Cookie is missing a security flag or has a flag set to an insecure value.2 | |
| CWE-328 | Unsafe algorithm is used in crypto
createCipheriv.2 |
||
| CWE-295 | Insecure configuration of SSL certificate verification for disabling node-curl.2 | ||
| CWE-78 | Exec shell spawn discovered.2 | ||
| CWE-1004 | Insecure configuration of missing HTTPOnly
cookie attribute.2 |
||
| Objective-C | CWE-319 | Open communications scheme detected in Objective-C code.2 | |
| PHP | CWE-10041 | Sensitive cookie Without HttpOnly
flag.2 |
|
| CWE-6141 | Sensitive cookie in HTTPS session without secure
attribute.2 |
||
| CWE-791 | Embedded PHP variable detected2 | ||
| CWE-981 | Potential file inclusion vulnerability detected in PHP code.2 | ||
| CWE-6111 | XML external entity injection detected in PHP code.2 | ||
| CWE-78 | PHP command execution potentially using user-supplied data. Expanded coverage.3 | ||
| CWE-644 | Potential header injection discovered. Expanded coverage.3 | ||
| CWE-327 | Insecure algorithm use detected. Expanded checks and coverage.3 | ||
| CWE-319 | Open communication detected in PHP Symfony framework.2 | ||
| CWE-1004 | Missing or insecure HTTPOnly flag in
setcookie.2 |
||
| CWE-319 | Open communications scheme detected.2 | ||
| CWE-544 | The error_reporting directive has not been set
to allow the highest level of error reporting
possible2 |
||
| PL/SQL | CWE-331 | Insecure use of DBMS_RANDOM.2 |
|
| Python | CWE-311 | URL using http. Expanded
coverage.3 |
|
| CWE-311 | TOCTTOU race condition temporary file. Fixed coverage and enabled auto fix.3 | ||
| CWE-367 | TOCTTOU race condition temporary file.2 | ||
| CWE-319 | URL using http.2 |
||
| CWE-78 | Python OS injection.2 | ||
| CWE-319 | Insecure FTP usage.2 | ||
| CWE-78 | Popen command injection.2 | ||
| CWE-276 | Using 777 with umask.2 | ||
| ReactNative | CWE-319 | Open communication detected. Corrected context and auto fix enabled.3 | |
| CWE-319 | Open communication detected.2 | ||
| CWE-295 | Disabling SSL pinning detected.2 | ||
| RPG | CWE-319 | Open communication detected in the code.2 | |
| Ruby | CWE-78 | Insecure use of backticks regex needs improvement. Expanded coverage.3 | |
| CWE-78 | Insecure use of backticks. Expanded coverage.3 | ||
| CWE-425 | Ruby mass assignment.2 | ||
| CWE-359 | Ruby information disclosure.2 | ||
| Scala | CWE-319 | Open communications scheme detected in Scala code.2 | |
| CWE-79 | Potential client side scripting vulnerability via cookie access detected in Scala source code.2 | ||
| Secrets | CWE-1051 | Hardcoded IP address detected. Expanded coverage.3 | |
| CWE-798 | Hardcoded credentials detected. Expanded coverage.3 | ||
| Swift | CWE-319 | Open communications scheme detected in Swift code.2 | |
| CWE-79 | Potential cross-site scripting vulnerability when using
loadRequest() in iOS
UIWebView.2 |
||
| Terraform | CWE-359 | AWS instance exposing user data secrets is detected.2 | |
| CWE-778 | Azure log monitor profile should define all mandatory categories.2 | ||
| CWE-732 | Default service account is used at folder, project, or organization level.2 | ||
| CWE-671 | Email service and co-administrators are not enabled in SQL servers.2 | ||
| CWE-923 | Ensure Azure storage account default network access is set to Deny.2 | ||
| CWE-923 | Ensure GCP Firewall rule does not allow unrestricted access.2 | ||
| CWE-732 | Google Compute instance is publicly accessible.2 | ||
| CWE-732 | Google storage bucket is publicly accessible.2 | ||
| CWE-732 | Insecure access permissions for Amazon S3 bucket.2 | ||
| Visual Basic | CWE-319 | Open communications scheme detected in VB code.2 | |
| Xamarin | CWE-319 | Open communication detected in Xamarin.2 | |
August 6, 2024
| Language | CWE | Change |
|---|---|---|
| General | CWE-319 | Better handling of open communications rules for all languages to reduce noisy findings. |
| Angular | CWE-312 | The local storage avoids setItem calls which
relate to sort direction. |
| ASP | CWE-79 | Checks for proper validation using
Server.HTMLEncode. |
| CSS |
CWE-79 |
Adjusted to reduce noisy findings. |
| Dart | CWE-328 | More selective when presenting findings and avoid more obvious noise findings. |
| CWE-319 |
Adjusted to reduce noisy findings. |
|
| Java source code scanner | CWE-918 | Finding SSRF in RestTemplate().exchange
calls. |
| CWE-303 | Finding NoOpPasswordEncoder.getInstance
dangerous calls. |
|
| CWE-89 | Find additional cases for SQLi. | |
| CWE-22 | Finding more places for possible path traversal issues | |
| CWE-798 | Finding hard coded credentials in
HashMap.put calls and setters. |
|
| JavaScript | CWE-200 | Added a check for dangerous target origin checks in
window.postMessage calls. |
| CWE-913 | Modified to reduce noisy findings. | |
| JQuery | CWE-79 | Modified to reduce noisy findings. |
| Objective-C | CWE-798 | Modified to reduce some additional noisy findings. |
| PHP | CWE-798 | Checks the value and ascertains if the value is truly a string literal that represents a likely password in plain text stored in the code. |
| Python | CWE-319 | Autofix corrected to address an errant replacement in some circumstances. |
| Secrets scanning | CWE-798 | Avoids minified JS files. |
| Avoids analyzing translation files to reduce noise | ||
| TerraForm | CWE-1220 | New rule checking for egress security group
cidr_blocks being set too
permissively. |
| TypeScript | CWE-943 | Looks for NoSQL MongoDB injection in TypeScript files. |
| Looks for additional cases for SQLi. | ||
| VueJS | CWE-79 | Adjusted to reduce generating a finding if found in a method declaration. |