Rule updates

Recent rule updates in ASoC.

February 10, 2026

  1. New rule.
Language CWE Description
C# CWE-215 Check logging calls for suspicious variables containing sensitive information.1
CWE-397 Look for generic, potentially unsafe, generic throws such as throw new Exception or throw new SystemException.
Dart CWE-943 Look forNoSQL injection.1
CWE-338 Look for eak psuedo random numbers.1
CWE-116 Look for File.writeAs style calls.1
CWE-79 Review potentially insecure usage of Response.ok and similar calls.1
CWE-348 Look for potentially unsafe directory listing.1
CWE-78 Check for unsafe usage of Process.run.1
CWE-89 Cover query/execute/prepare style calls for SQL Injection potential.1
Java CWE-215 Check logging calls for suspicious variables which contain sensitive information.1
CWE-397 Look for generic, potentially unsafe, generic throws such as throws Exception or throws Throwable.
CWE-396 Look for generic catch blocks such as catch(Exception e) or catch (Throwable t).1
JavaScript CWE-397 Look for generic, potentially unsafe, generic throws such as throw "message".
CWE-80 Fixed a flaw where the @if pattern is used and is not a handlebars template.
Perl CWE-732 More complete coverage for IO::File::open calls.
PHP CWE-397 Look for generic, potentially unsafe, generic throws such as throw Error("foo").
Python CWE-397 Look for generic, potentially unsafe, generic throws such as raise BaseException.
Secrets CWE-798 Add a check for privateKey for hard coded secrets.

In addition, there is an update to CWE-319 in general. We removed rules looking for unsafe http-style strings in codeas they are too noisy. We still look for specific instances of open communications being used in our hybrid scanner where it makes sense, such as for fetch calls in JavaScript.

This change to CWE-319 impacts the following languages:
  • ASP
  • Golang
  • Groovy
  • Kotlin
  • Objective-C
  • PHP
  • Scala
  • Swift
  • C#
  • Dart
  • RPG
  • VB
  • Xamarin

December 18, 2025

Language CWE Description
Andoid Java CWE-319 New coverage: Checks if usesCleartextTraffic or cleartextTrafficPermitted is set to true in the AndroidManifest.xml file which is an insecure practice.
C# CWE-89 New coverage: Added a SQL injection check to consider += pattern as well as some stored procedure patterns.
CWE-89 New coverage: More constrained check to be sure we are in a query to reduce noise.
CWE-1004 Noise reduction: Check for http=true, and if it is set avoid a finding.
Dart: Flutter

(new framework support, new coverage)		 CWE-35 Checks if MethodChannel is using a path argument which is potentially user controlled.
CWE-78 Looks for potential OS injection in MethodChannel calls.
CWE-80 Checks WebView or InAppWebView to see if javascript is unrestricted which is a dangerous practice.
CWE-89 Support for sqflite flutter-specific DB API
CWE-117 Uncovers print and similar statements which are not wrapped by debug controls. These calls generally should not be in production code outside of a debug branch.
CWE-312 Rule checks to see if FlutterSecureStorage is storing suspected private informaton such as passwords or other session information.
CWE-598 Checks the Navigator object for potentially unsafe usages of the query parameters.
CWE-918 Looks for user controlled URLs in MethodChannel.invokeMethod as an SSRF attack vector.
JavaScript: Angular CWE-80 Noise reduction: Check to make sure we are not in an @if template
Secrets CWE-798 New coverage: Support for Tuleap added.
CWE-798 New coverage: Check for hard coded passwords inside of equalsIgnoreCase calls.
CWE-798 Noise reduction: Avoid adding a finding for commented C\C++ code for the secrets scanner.
Swift CWE-1188 New coverage Checks info.plist file for UIFileSharingEnabled or LSSupportsOpeningDocumentsInPlace set to true which is insecure.

November 6, 2025

  1. New rule.
Language CWE Description
NodeJS CWE-78 Additional check for unsafe child_process.exec calls.
Perl CWE-89 Reduce noise in the SQL injection rule which errantly produced findings for parameterized statements.
CWE-732 Reduce noise for open calls using STDIN as the input.
PHP CWE-213 Added check for lingering phpInfo calls in PHP code. 1
CWE-89 New check to validate away findings using sqlite_escape_string.
TypeScript CWE-94 Additional check for eval containing a potentially user controlled variable.

October 7, 2025

  1. New rule.
Language CWE Description
C# CWE-89 Reduce noise in SQLi detection.
Java CWE-209 Check for System.out and System.err usage in code (debug calls that should be removed from production code). 1
Secrets CWE-1051 Noise reduction: Hard coded IP Address check avoids likely version numbers
CWE-798 Reduce noise in Atlassian secret detection.
CWE-798 Reduce noise in key\value pairs of secrets.
CWE-798 Additional coverage to find passwords with 1234 in the string as part of the hard coded password.

September 10, 2025

  1. New rule.
Language CWE Description
CSS CWE-79 Reduce noise found on hardcoded variable check in .css files.
Go CWE-79 Reduce noise produced in fprintf check.
IaC Docker CWE-22 Check for sensitive paths being added in a DockerFile.1
IaC Kubernetes CWE-209 Added a check for left behind stack trace code in .yaml configuration files. 1
Java CWE-78 Looks for inline calls of Runtime.getRunTime().
CWE-757 Enhanced the list of what we check for as insecure and broken.
CWE-916 Check for a weak iteration count for PBEKeySpec and PBEParameterSpec. 1
CWE-1188 Denial of service check with StringBuilder constructor using large or user controlled values. 1
PHP CWE-89 Added a validator check for sqlite_escape_string.
Secrets CWE-798 Some noisy patterns removed as a finding.
CWE-798 Looks in web.config files for hard-coded credentials.
CWE-1051 Check for hard coded IP addresses adjusted to avoid strings that appear to be IP addresses but are not.

July 14, 2025

  1. New rule.
Language CWE Description
Python CWE-78 Looks for unsafe use of os.system. 1
CWE-79 Improved clarity of rule for Python Django.
Secrets CWE-1051 Removed noisy patterns for hardcoded IP address check.
CWE-798 Removed noisy patterns for hardcoded credentials:
  • Avoid noisy patterns in Rust code.
  • Added checks in Secrets - Creds - Key : value pair rule to eliminate findings without quotes for Python files.
  • Added check to filter noisy passwords such as 1234, wrongpassword, testpassword, noreply.
  • Adjusted other snippets to eliminate findings like passwords with 1234.
  • Currently Key:value pair rule finds context till end of line. So removed the line endings that has , or ".

June 13, 2025

Markup additions for Java:
  • 68 new sources
  • 10 new sinks
Language CWE Description
Secrets Some noisy patterns removed as a finding.
Java source code CWE-111 Added a check for dangerous uses of DllImport.
CWE-918 Added check for URL openStream with potential user controlled data.

May 7, 2025

All rule updates in this release are new rules.

Language CWE Description
C# source code scanner CWE-94 Check for CSharpScript.EvaluateAsync.
CWE-532 Check for logging of personally identifying information (PII), such as usernames or passwords.
CWE-111 Check for dangerous uses of DllImport.
Java source code scanner CWE-532 Check for logging of personally identifying information (PII), such as usernames or passwords.
CWE-102 Check for duplicate form names within Struts validation XML files.
CWE-104 Check for a class extending an ActionForm without validation.
PHP CWE-111 Check for uses of FFI::cdef containing unsafe calls.
Python CWE-111 Check for uses of ctypes.DLL not using a fully qualified path for the argument.

April 1, 2025

  1. New rules
Language CWE Description
All languages CWE-798 Improved noise reduction
C# CWE-328 Autofix applies more modern function calls
CWE-1333 Checking for timeouts applied to regex objects1
CWE-89 New captures of SQLi through building the query through String.Append
Security information updated for Microsoft.CodeAnalysis.CSharp.Scripting and Microsoft.AspNetCore.Mvc.ViewFeatures
ColdFusion CWE-328 Adjusted the check for improved performance
HTML CWE-319 Avoid localhost style noise in the URL
IaC CWE-770 Two new autofixes
CWE-311 Additional check for proper TLS settings in Amazon Load Balancer
Java CWE-479 Updated autofix
JavaScript CWE-598 Looking for URLSearchParams flaws in JavaScript files.1
Python CWE-502 Looking for unsafe reflection in Java1

December 11, 2024

Language CWE Description
C# CWE-78 Adjusted to reduce noisy findings for OS injection.
IaC CWE-798 Adjusted to reduce noisy findings for TypeScript code constructs.
CWE-1051 Adjusted to reduce noisy findings for IP patterns in HTML files.
CWE-1328 Adjusted to reduce noisy findings for Docker image references.
HTML CWE-79 New rules for file extensions:
  • htm
  • html
  • rhtml
  • xhtml
  • cshtml
  • vbhtml
CWE-319
CWE-524
CWE-525
CWE-598
CWE-1021
CWE-1022
JavaScript CWE-209 Adjusted to reduce noisy findings.
CWE-359 Adjusted to reduce noisy findings.
CWE-1022 Adjusted to reduce noisy findings for window.open findings.
Secrets CWE-798 Looking for hard coded passwords found within URL query strings.
CWE-284 Adjusted to reduce noisy findings in Azure shared access signatures token exposure findings.
Visual Basic CWE-78 Adjusted to reduce noisy findings.
CWE-328 Adjusted to reduce noisy findings.

December 3, 2024

Note:
  1. New rules
  2. Reduced noise in rule
Language CWE Description
ASP.NET CWE-1188 Cookieless session state enabled in project configuration. 2
CWE-79 Potential XSS for inline expression in code. 2
C# CWE-601 Request redirect with potential user-controlled data in variable. 2
CWE-185 Regular expression injection.2
IaC Terraform CWE-410 Insecure load balancer configuration.1
Java CWE-337 Predictable seed for SecureRandom instance in Java code.2
CWE-918 Server-side request forgery in RestTemplate().exchange. 2
CWE-185 Regular expression injection in Java code.2
CWE-244 Password stored in Java string object.2
JavaScript CWE-79 Insecure use of document.referrer.2
PHP CWE-79 User-controlled data within PHP converted to HTML.2
Python Django CWE-79
  • Now collecting HTML files to review for Python
  • New rules added.
CWE-89
CWE-200
CWE-201
CWE-212
CWE-352
CWE-497
CWE-522
CWE-523
CWE-795
CWE-918
CWE-1021
CWE-1188
CWE-1295
Secrets CWE-798 Hardcoded basic auth credentials.1
VB.NET CWE-502 Possible deserialization.2

September 17, 2024

Note:
  1. New rules
  2. New or expanded autofix rules
Language CWE Change
Infrastructure as Code (IaC) CWE-250 Insecure use of apt-get command detected in Dockerfile. 1
CWE-1328 Insecure use of Base image version detected in Dockerfile. 1
CWE-276 Default security profile is disabled. 2
JavaScript CWE-1022 Leaked referrer information. 2
Kotlin CWE-922 Improper data storage access found in Kotlin code. 2
PHP CWE-98 The allow_url_fopen directive is enabled. 2
CWE-98 The allow_url_include directive is enabled. 2
CWE-94 The cgi.force_redirect directive is disabled. 2
CWE-614 Sensitive cookie in HTTPS session without Secure attribute. 2
Python CWE-732 Insecure use of ALLOWED_HOSTS in Django settings. 1
CWE-539 Insecure CSRF or session cookie settings in Django. 1
CWE-1021 Potential ClickjackingvAttack via X_FRAME_OPTIONS. 1
CWE-79 Potential XSS vulnerability from use of safe or safeseq filters in Django templates. 1
CWE-79 Potential XSS vulnerability in Django HttpResponse. 1
CWE-150 Expanded coverage for environment objects autoescape false. 2
CWE-539 Insecure CSRF or session cookie settings in Django. 2
Ruby CWE-78 Insecure use of backticks. 2
CWE-78 Insecure use of system method. 2
Rust CWE-295 Potential CMS message decryption without certificate checks detected. 2
CWE-327 Potential weak elliptic curve cryptography usage detected. 2
CWE-326 Potential weak RSA key length detected. 2

September 4, 2024

General updates:

  • Scan now avoids all minified files.

  • .NET data flow support for System.Data.SQLite.
Note:
  1. New rules
  2. New autofix rules
  3. Rule fixes
Language CWE Change
.NET ASP.NET CWE-1188 Cookieless session state enabled in ASP.NET project configuration.2
C# CWE-319 Open communications scheme detected.2
CWE-328 Weak cipher algorithm detected.2
CWE-327 JWT Builder with no signature verification is detected.2
VB.NET CWE-1173 HTTP request validation is disabled in VB code.2
CWE-328 Use of weak cryptographic algorithm in VB code.2
Angular CWE-94 Potential code injection vulnerability in sandbox VM.1
AngularJS CWE-477 Deprecated call found: (ng-bind-html-unsafe).2
Apex CWE-943 SOQL injection.2
CWE-943 SOSL injection.2
CWE-328 Weak hash algorithm chosen.2
CWE-79 Script or style cross-site scripting (XSS).2
ASP CWE-319 Open communications scheme detected in ASP code.2
C/C++ CWE-367 Potentially dangerous use of temp file name function. Corrected context and autofix enabled.3
CWE-78 Potential command injection detected. Expanded coverage.3
CWE-250 CreateFile call which appears to violate principle of least privilege.2
CWE-250 CreateNamedPipe is missing FILE_FLAG_FIRST_PIPE_INSTANCE flag.2
CWE-757 Insecure use of (SSL/TLS) protocol discovered.2
CWE-295 Potentially dangerous use of Curl configuration discovered (seven different rules in this category).2
CWE-427 Potential principle of least privilege registry manipulation detected.2
CWE-611 Unsafe external entity processing enabled.2
ColdFusion CWE-524 cfCache caching secure pages.2
CWE-502 cfWddx missing WDDX validation.2
CWE-862 Client not verified In cfFunction.2
CWE-319 Insecure communications.2
CWE-307 Multiple submission validation.2
CWE-327 Unsafe algorithm used in encrypt function.2
Dart CWE-522 AutoComplete turned on for potentially sensitive field.2
CWE-319 Open communications scheme detected with HttpServer.2
CWE-319 Open socket communications detected.2
CWE-319 Open communications scheme with Uri detected.2
CWE-79 Insecure use of window open in Dart code.2
CWE-319 Open communications scheme detected in string.2
CWE-79 Unsafe content security policy keyword found.2
Docker CWE-770 Limit CPU to prevent a denial-of-service (DoS) attack.2
CWE-770 Limit the number of restarts on failure to prevent a denial-of-service (DoS).2
Go CWE-489 Debugging package pprof for HTTP detected.2
CWE-1004 Golang code contains insecure http.Cookie.2
CWE-319 Open communications scheme detected in Golang code.2
Groovy CWE-319 Open communications scheme detected in Groovy code.2
CWE-79 Potential cross-site scripting vulnerability detected in Groovy source code added additional autofixes for all instances.2
Java CWE-489 Enabling debug in web security reveals data in Spring.2
CWE-1390 Ignore comments in SAML leads to broken authentication.2
CWE-548 Insecure directory listing for default servlet in tomcat configuration.2
CWE-276 Insecure file permission use detected in Java.2
CWE-489 Print stack trace is detected in Java code.2
CWE-489 Debuggable flag is set to true in Android application.2
CWE-1188 Improper shared preferences mode detected in Android code.2
JavaScript CWE-359 Insecure event transmission policy: corrected context and auto fix enabled.3
CWE-79 Potential XSS vulnerability detected in jQuery.append. Faster performance now.3
CWE-79 Overriding the Mustache escape method is dangerous.2
CWE-319 Insecure event transmission policy.2
Kotlin CWE-319 Open communication detected in Kotlin code.2
NodeJS CWE-614 Cookie is missing a security flag or has a flag set to an insecure value.2
CWE-328 Unsafe algorithm is used in crypto createCipheriv.2
CWE-295 Insecure configuration of SSL certificate verification for disabling node-curl.2
CWE-78 Exec shell spawn discovered.2
CWE-1004 Insecure configuration of missing HTTPOnly cookie attribute.2
Objective-C CWE-319 Open communications scheme detected in Objective-C code.2
PHP CWE-10041 Sensitive cookie Without HttpOnly flag.2
CWE-6141 Sensitive cookie in HTTPS session without secure attribute.2
CWE-791 Embedded PHP variable detected2
CWE-981 Potential file inclusion vulnerability detected in PHP code.2
CWE-6111 XML external entity injection detected in PHP code.2
CWE-78 PHP command execution potentially using user-supplied data. Expanded coverage.3
CWE-644 Potential header injection discovered. Expanded coverage.3
CWE-327 Insecure algorithm use detected. Expanded checks and coverage.3
CWE-319 Open communication detected in PHP Symfony framework.2
CWE-1004 Missing or insecure HTTPOnly flag in setcookie.2
CWE-319 Open communications scheme detected.2
CWE-544 The error_reporting directive has not been set to allow the highest level of error reporting possible2
PL/SQL CWE-331 Insecure use of DBMS_RANDOM.2
Python CWE-311 URL using http. Expanded coverage.3
CWE-311 TOCTTOU race condition temporary file. Fixed coverage and enabled auto fix.3
CWE-367 TOCTTOU race condition temporary file.2
CWE-319 URL using http.2
CWE-78 Python OS injection.2
CWE-319 Insecure FTP usage.2
CWE-78 Popen command injection.2
CWE-276 Using 777 with umask.2
ReactNative CWE-319 Open communication detected. Corrected context and auto fix enabled.3
CWE-319 Open communication detected.2
CWE-295 Disabling SSL pinning detected.2
RPG CWE-319 Open communication detected in the code.2
Ruby CWE-78 Insecure use of backticks regex needs improvement. Expanded coverage.3
CWE-78 Insecure use of backticks. Expanded coverage.3
CWE-425 Ruby mass assignment.2
CWE-359 Ruby information disclosure.2
Scala CWE-319 Open communications scheme detected in Scala code.2
CWE-79 Potential client side scripting vulnerability via cookie access detected in Scala source code.2
Secrets CWE-1051 Hardcoded IP address detected. Expanded coverage.3
CWE-798 Hardcoded credentials detected. Expanded coverage.3
Swift CWE-319 Open communications scheme detected in Swift code.2
CWE-79 Potential cross-site scripting vulnerability when using loadRequest() in iOS UIWebView.2
Terraform CWE-359 AWS instance exposing user data secrets is detected.2
CWE-778 Azure log monitor profile should define all mandatory categories.2
CWE-732 Default service account is used at folder, project, or organization level.2
CWE-671 Email service and co-administrators are not enabled in SQL servers.2
CWE-923 Ensure Azure storage account default network access is set to Deny.2
CWE-923 Ensure GCP Firewall rule does not allow unrestricted access.2
CWE-732 Google Compute instance is publicly accessible.2
CWE-732 Google storage bucket is publicly accessible.2
CWE-732 Insecure access permissions for Amazon S3 bucket.2
Visual Basic CWE-319 Open communications scheme detected in VB code.2
Xamarin CWE-319 Open communication detected in Xamarin.2

August 6, 2024

Language CWE Change
General CWE-319 Better handling of open communications rules for all languages to reduce noisy findings.
Angular CWE-312 The local storage avoids setItem calls which relate to sort direction.
ASP CWE-79 Checks for proper validation using Server.HTMLEncode.
CSS

CWE-79

 Adjusted to reduce noisy findings.
Dart CWE-328 More selective when presenting findings and avoid more obvious noise findings.
CWE-319

Adjusted to reduce noisy findings.
Java source code scanner CWE-918 Finding SSRF in RestTemplate().exchange calls.
CWE-303 Finding NoOpPasswordEncoder.getInstance dangerous calls.
CWE-89 Find additional cases for SQLi.
CWE-22 Finding more places for possible path traversal issues
CWE-798 Finding hard coded credentials in HashMap.put calls and setters.
JavaScript CWE-200 Added a check for dangerous target origin checks in window.postMessage calls.
CWE-913 Modified to reduce noisy findings.
JQuery CWE-79 Modified to reduce noisy findings.
Objective-C CWE-798 Modified to reduce some additional noisy findings.
PHP CWE-798 Checks the value and ascertains if the value is truly a string literal that represents a likely password in plain text stored in the code.
Python CWE-319 Autofix corrected to address an errant replacement in some circumstances.
Secrets scanning CWE-798 Avoids minified JS files.
Avoids analyzing translation files to reduce noise
TerraForm CWE-1220 New rule checking for egress security group cidr_blocks being set too permissively.
TypeScript CWE-943 Looks for NoSQL MongoDB injection in TypeScript files.
Looks for additional cases for SQLi.
VueJS CWE-79 Adjusted to reduce generating a finding if found in a method declaration.