Rule updates
Rule updates in version 2.1.0
Note:
- ¹ New rules
| Language | CWE | Description |
|---|---|---|
| Android Java | CWE-319 | New coverage: Checks if usesCleartextTraffic or cleartextTrafficPermitted is set to true in the AndroidManifest.xml file, which is an insecure practice. |
| C# | CWE-89 | Reduce noise in SQLi detection. |
| | CWE-215 | Check logging calls for suspicious variables containing sensitive information.¹ |
| | CWE-397 | Look for generic, potentially unsafe throws such as throw new Exception or throw new SystemException. |
| | CWE-89 | New coverage: Added a SQL injection check to consider the += pattern as well as some stored procedure patterns. |
| | CWE-89 | New coverage: More constrained check to be sure we are in a query, to reduce noise. |
| | CWE-1004 | Noise reduction: Check for http=true, and if it is set avoid a finding. |
| CSS | CWE-79 | Reduce noise found on the hardcoded variable check in .css files. |
| Dart | CWE-943 | Look for NoSQL injection.¹ |
| | CWE-338 | Look for weak pseudo random numbers.¹ |
| | CWE-116 | Look for File.writeAs style calls.¹ |
| | CWE-79 | Review potentially insecure usage of Response.ok and similar calls.¹ |
| | CWE-348 | Look for potentially unsafe directory listing.¹ |
| | CWE-78 | Check for unsafe usage of Process.run.¹ |
| | CWE-89 | Cover query/execute/prepare style calls for SQL injection potential.¹ |
| Dart: Flutter (new framework support, new coverage) | CWE-35 | Checks if MethodChannel is using a path argument which is potentially user controlled. |
| | CWE-78 | Looks for potential OS injection in MethodChannel calls. |
| | CWE-80 | Checks WebView or InAppWebView to see if JavaScript is unrestricted, which is a dangerous practice. |
| | CWE-89 | Support for the sqflite Flutter-specific DB API. |
| | CWE-117 | Uncovers print and similar statements which are not wrapped by debug controls. These calls generally should not be in production code outside of a debug branch. |
| | CWE-312 | Rule checks to see if FlutterSecureStorage is storing suspected private information such as passwords or other session information. |
| | CWE-598 | Checks the Navigator object for potentially unsafe usages of the query parameters. |
| | CWE-918 | Looks for user controlled URLs in MethodChannel.invokeMethod as an SSRF attack vector. |
| Go | CWE-79 | Reduce noise produced in the fprintf check. |
| IaC Docker | CWE-22 | Check for sensitive paths being added in a Dockerfile.¹ |
| IaC Kubernetes | CWE-209 | Added a check for left-behind stack trace code in .yaml configuration files.¹ |
| Java | CWE-209 | Check for System.out and System.err usage in code (debug calls that should be removed from production code).¹ |
| | CWE-78 | Looks for inline calls of Runtime.getRuntime(). |
| | CWE-757 | Enhanced the list of what we check for as insecure and broken. |
| | CWE-916 | Check for a weak iteration count for PBEKeySpec and PBEParameterSpec.¹ |
| | CWE-1188 | Denial of service check with the StringBuilder constructor using large or user controlled values.¹ |
| | CWE-215 | Check logging calls for suspicious variables which contain sensitive information.¹ |
| | CWE-397 | Look for generic, potentially unsafe throws such as throws Exception or throws Throwable. |
| | CWE-396 | Look for generic catch blocks such as catch (Exception e) or catch (Throwable t).¹ |
| JavaScript | CWE-397 | Look for generic, potentially unsafe throws such as throw "message". |
| | CWE-80 | Fixed a flaw where the @if pattern is used and is not a Handlebars template. |
| JavaScript: Angular | CWE-80 | Noise reduction: Check to make sure we are not in an @if template. |
| NodeJS | CWE-78 | Additional check for unsafe child_process.exec calls. |
| Perl | CWE-732 | More complete coverage for IO::File::open calls. |
| | CWE-89 | Reduce noise in the SQL injection rule, which errantly produced findings for parameterized statements. |
| | CWE-732 | Reduce noise for open calls using STDIN as the input. |
| | CWE-397 | Look for generic, potentially unsafe throws such as throw Error("foo"). |
| PHP | CWE-89 | Added a validator check for sqlite_escape_string. |
| | CWE-213 | Added check for lingering phpInfo calls in PHP code.¹ |
| | CWE-89 | New check to validate away findings using sqlite_escape_string. |
| Python | CWE-397 | Look for generic, potentially unsafe throws such as raise BaseException. |
| Secrets | CWE-798 | Add a check for privateKey for hard coded secrets. |
| | CWE-798 | New coverage: Support for Tuleap added. |
| | CWE-798 | New coverage: Check for hard coded passwords inside of equalsIgnoreCase calls. |
| | CWE-798 | Noise reduction: Avoid adding a finding for commented C/C++ code for the secrets scanner. |
| | CWE-798 | Some noisy patterns removed as a finding. |
| | CWE-798 | Looks in web.config files for hard-coded credentials. |
| | CWE-1051 | Check for hard coded IP addresses adjusted to avoid strings that appear to be IP addresses but are not. |
| | CWE-1051 | Noise reduction: Hard coded IP address check avoids likely version numbers. |
| | CWE-798 | Reduce noise in Atlassian secret detection. |
| | CWE-798 | Reduce noise in key/value pairs of secrets. |
| | CWE-798 | Additional coverage to find passwords with 1234 in the string as part of the hard coded password. |
| Swift | CWE-1188 | New coverage: Checks the info.plist file for UIFileSharingEnabled or LSSupportsOpeningDocumentsInPlace set to true, which is insecure. |
| TypeScript | CWE-94 | Additional check for eval containing a potentially user controlled variable. |
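To make the Android CWE-319 row concrete, here is a small added example (written for this page, not the scanner's own rule code) of the two checks it describes: the android:usesCleartextTraffic attribute on the application element of AndroidManifest.xml, and cleartextTrafficPermitted="true" in a network security config. The example assumes the network security config XML is supplied separately from the manifest, and the sample manifests and configs below are constructed for illustration. It reports a finding for each insecure setting and stays silent on the hardened variants.

```python
import xml.etree.ElementTree as ET

# Namespace used for android:* attributes in AndroidManifest.xml.
ANDROID_NS = "http://schemas.android.com/apk/res/android"


def check_manifest(xml_text):
    """Flag android:usesCleartextTraffic="true" on <application>.

    Returns a list of finding strings; empty when the manifest is clean.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for app in root.iter("application"):
        value = app.get("{%s}usesCleartextTraffic" % ANDROID_NS)
        if value is not None and value.strip().lower() == "true":
            findings.append(
                "CWE-319: AndroidManifest.xml <application> sets "
                'android:usesCleartextTraffic="true"'
            )
    return findings


def check_network_security_config(xml_text):
    """Flag every element that sets cleartextTrafficPermitted="true".

    Covers base-config, domain-config and debug-overrides, and lists the
    domains a domain-config applies to so the reviewer sees the blast radius.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for elem in root.iter():
        value = elem.get("cleartextTrafficPermitted")
        if value is not None and value.strip().lower() == "true":
            domains = [d.text.strip() for d in elem.findall("domain") if d.text]
            scope = ", ".join(domains) if domains else "all destinations"
            findings.append(
                'CWE-319: <%s> sets cleartextTrafficPermitted="true" for %s'
                % (elem.tag, scope)
            )
    return findings


def scan_app(manifest_xml, nsc_xml=None):
    """Run both checks and return the combined list of findings."""
    findings = check_manifest(manifest_xml)
    if nsc_xml is not None:
        findings.extend(check_network_security_config(nsc_xml))
    return findings


# Constructed sample inputs (not taken from any real app).
INSECURE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.demo">
  <application android:label="Demo" android:usesCleartextTraffic="true" />
</manifest>
"""

SECURE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.demo">
  <application android:label="Demo"
               android:usesCleartextTraffic="false"
               android:networkSecurityConfig="@xml/network_security_config" />
</manifest>
"""

INSECURE_NSC = """
<network-security-config>
  <base-config cleartextTrafficPermitted="false" />
  <domain-config cleartextTrafficPermitted="true">
    <domain includeSubdomains="true">example.com</domain>
  </domain-config>
</network-security-config>
"""

SECURE_NSC = """
<network-security-config>
  <base-config cleartextTrafficPermitted="false" />
</network-security-config>
"""

if __name__ == "__main__":
    for label, manifest, nsc in (("insecure", INSECURE_MANIFEST, INSECURE_NSC),
                                 ("secure", SECURE_MANIFEST, SECURE_NSC)):
        print(label + ":")
        for finding in scan_app(manifest, nsc) or ["no findings"]:
            print("  " + finding)
```

The per-domain reporting matters in triage: a domain-config that permits cleartext for one legacy host is a narrower risk than a base-config that permits it everywhere, and the finding text makes that distinction visible without opening the file.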
In addition, there is an update to CWE-319 in general. We removed the rules looking for unsafe http-style strings in code, as they are too noisy. We still look for specific instances of open communications being used in our hybrid scanner where it makes sense, such as for fetch calls in JavaScript.
This change to CWE-319 impacts the following languages:
- ASP
- Golang
- Groovy
- Kotlin
- Objective-C
- PHP
- Scala
- Swift
- C#
- Dart
- RPG
- VB
- Xamarin