Rule updates
Recent rule updates in ASoC.
September 4, 2024
General updates:
- Scan now avoids all minified files.
- .NET data flow support for `System.Data.SQLite`.

Note: the superscript numbers in the table indicate the kind of change:
¹ New rules
² New autofix rules
³ Rule fixes
Language | CWE | Change
---|---|---
.NET (ASP.NET) | CWE-1188 | Cookieless session state enabled in ASP.NET project configuration.²
.NET (C#) | CWE-319 | Open communications scheme detected.²
.NET (C#) | CWE-328 | Weak cipher algorithm detected.²
.NET (C#) | CWE-327 | JWT Builder with no signature verification is detected.²
.NET (VB.NET) | CWE-1173 | HTTP request validation is disabled in VB code.²
.NET (VB.NET) | CWE-328 | Use of weak cryptographic algorithm in VB code.²
Angular | CWE-94 | Potential code injection vulnerability in sandbox VM.¹
AngularJS | CWE-477 | Deprecated call found: `ng-bind-html-unsafe`.²
Apex | CWE-943 | SOQL injection.²
Apex | CWE-943 | SOSL injection.²
Apex | CWE-328 | Weak hash algorithm chosen.²
Apex | CWE-79 | Script or style cross-site scripting (XSS).²
ASP | CWE-319 | Open communications scheme detected in ASP code.²
C/C++ | CWE-367 | Potentially dangerous use of temp file name function. Corrected context and auto fix enabled.³
C/C++ | CWE-78 | Potential command injection detected. Expanded coverage.³
C/C++ | CWE-250 | `CreateFile` call which appears to violate the principle of least privilege.²
C/C++ | CWE-250 | `CreateNamedPipe` is missing the `FILE_FLAG_FIRST_PIPE_INSTANCE` flag.²
C/C++ | CWE-757 | Insecure use of (SSL/TLS) protocol discovered.²
C/C++ | CWE-295 | Potentially dangerous use of Curl configuration discovered (seven different rules in this category).²
C/C++ | CWE-427 | Potential principle of least privilege registry manipulation detected.²
C/C++ | CWE-611 | Unsafe external entity processing enabled.²
ColdFusion | CWE-524 | `cfCache` caching secure pages.²
ColdFusion | CWE-502 | `cfWddx` missing WDDX validation.²
ColdFusion | CWE-862 | Client not verified in `cfFunction`.²
ColdFusion | CWE-319 | Insecure communications.²
ColdFusion | CWE-307 | Multiple submission validation.²
ColdFusion | CWE-327 | Unsafe algorithm used in encrypt function.²
Dart | CWE-522 | AutoComplete turned on for potentially sensitive field.²
Dart | CWE-319 | Open communications scheme detected with `HttpServer`.²
Dart | CWE-319 | Open socket communications detected.²
Dart | CWE-319 | Open communications scheme with `Uri` detected.²
Dart | CWE-79 | Insecure use of window open in Dart code.²
Dart | CWE-319 | Open communications scheme detected in string.²
Dart | CWE-79 | Unsafe content security policy keyword found.²
Docker | CWE-770 | Limit CPU to prevent a denial-of-service (DoS) attack.²
Docker | CWE-770 | Limit the number of restarts on failure to prevent a denial-of-service (DoS).²
Go | CWE-489 | Debugging package pprof for HTTP detected.²
Go | CWE-1004 | Golang code contains insecure `http.Cookie`.²
Go | CWE-319 | Open communications scheme detected in Golang code.²
Groovy | CWE-319 | Open communications scheme detected in Groovy code.²
Groovy | CWE-79 | Potential cross-site scripting vulnerability detected in Groovy source code; additional autofixes added for all instances.²
Java | CWE-489 | Enabling debug in web security reveals data in Spring.²
Java | CWE-1390 | Ignore comments in SAML leads to broken authentication.²
Java | CWE-548 | Insecure directory listing for default servlet in Tomcat configuration.²
Java | CWE-276 | Insecure file permission use detected in Java.²
Java | CWE-489 | Print stack trace is detected in Java code.²
Java | CWE-489 | Debuggable flag is set to true in Android application.²
Java | CWE-1188 | Improper shared preferences mode detected in Android code.²
JavaScript | CWE-359 | Insecure event transmission policy: corrected context and auto fix enabled.³
JavaScript | CWE-79 | Potential XSS vulnerability detected in `jQuery.append`. Faster performance now.³
JavaScript | CWE-79 | Overriding the Mustache escape method is dangerous.²
JavaScript | CWE-319 | Insecure event transmission policy.²
Kotlin | CWE-319 | Open communication detected in Kotlin code.²
NodeJS | CWE-614 | Cookie is missing a security flag or has a flag set to an insecure value.²
NodeJS | CWE-328 | Unsafe algorithm is used in crypto `createCipheriv`.²
NodeJS | CWE-295 | Insecure configuration of SSL certificate verification for disabling node-curl.²
NodeJS | CWE-78 | Exec shell spawn discovered.²
NodeJS | CWE-1004 | Insecure configuration of missing HTTPOnly cookie attribute.²
Objective-C | CWE-319 | Open communications scheme detected in Objective-C code.²
PHP | CWE-1004¹ | Sensitive cookie without HttpOnly flag.²
PHP | CWE-614¹ | Sensitive cookie in HTTPS session without secure attribute.²
PHP | CWE-79¹ | Embedded PHP variable detected.²
PHP | CWE-98¹ | Potential file inclusion vulnerability detected in PHP code.²
PHP | CWE-611¹ | XML external entity injection detected in PHP code.²
PHP | CWE-78 | PHP command execution potentially using user-supplied data. Expanded coverage.³
PHP | CWE-644 | Potential header injection discovered. Expanded coverage.³
PHP | CWE-327 | Insecure algorithm use detected. Expanded checks and coverage.³
PHP | CWE-319 | Open communication detected in PHP Symfony framework.²
PHP | CWE-1004 | Missing or insecure HTTPOnly flag in `setcookie`.²
PHP | CWE-319 | Open communications scheme detected.²
PHP | CWE-544 | The `error_reporting` directive has not been set to allow the highest level of error reporting possible.²
PL/SQL | CWE-331 | Insecure use of `DBMS_RANDOM`.²
Python | CWE-311 | URL using `http`. Expanded coverage.³
Python | CWE-311 | TOCTTOU race condition temporary file. Fixed coverage and enabled auto fix.³
Python | CWE-367 | TOCTTOU race condition temporary file.²
Python | CWE-319 | URL using `http`.²
Python | CWE-78 | Python OS injection.²
Python | CWE-319 | Insecure FTP usage.²
Python | CWE-78 | Popen command injection.²
Python | CWE-276 | Using 777 with umask.²
ReactNative | CWE-319 | Open communication detected. Corrected context and auto fix enabled.³
ReactNative | CWE-319 | Open communication detected.²
ReactNative | CWE-295 | Disabling SSL pinning detected.²
RPG | CWE-319 | Open communication detected in the code.²
Ruby | CWE-78 | Insecure use of backticks; regex needs improvement. Expanded coverage.³
Ruby | CWE-78 | Insecure use of backticks. Expanded coverage.³
Ruby | CWE-425 | Ruby mass assignment.²
Ruby | CWE-359 | Ruby information disclosure.²
Scala | CWE-319 | Open communications scheme detected in Scala code.²
Scala | CWE-79 | Potential client-side scripting vulnerability via cookie access detected in Scala source code.²
Secrets | CWE-1051 | Hardcoded IP address detected. Expanded coverage.³
Secrets | CWE-798 | Hardcoded credentials detected. Expanded coverage.³
Swift | CWE-319 | Open communications scheme detected in Swift code.²
Swift | CWE-79 | Potential cross-site scripting vulnerability when using `loadRequest()` in iOS `UIWebView`.²
Terraform | CWE-359 | AWS instance exposing user data secrets is detected.²
Terraform | CWE-778 | Azure log monitor profile should define all mandatory categories.²
Terraform | CWE-732 | Default service account is used at folder, project, or organization level.²
Terraform | CWE-671 | Email service and co-administrators are not enabled in SQL servers.²
Terraform | CWE-923 | Ensure Azure storage account default network access is set to Deny.²
Terraform | CWE-923 | Ensure GCP Firewall rule does not allow unrestricted access.²
Terraform | CWE-732 | Google Compute instance is publicly accessible.²
Terraform | CWE-732 | Google storage bucket is publicly accessible.²
Terraform | CWE-732 | Insecure access permissions for Amazon S3 bucket.²
Visual Basic | CWE-319 | Open communications scheme detected in VB code.²
Xamarin | CWE-319 | Open communication detected in Xamarin.²
August 6, 2024
Language | CWE | Change
---|---|---
General | CWE-319 | Better handling of open communications rules for all languages to avoid noisy findings.
Angular | CWE-312 | The local storage rule now ignores `setItem` calls that relate to sort direction.
ASP | CWE-79 | Checks for proper validation using `Server.HTMLEncode`.
CSS | CWE-79 | Adjusted to avoid noisy findings.
Dart | CWE-328 | More selective when presenting findings; avoids the more obvious noise findings.
Dart | CWE-319 | Adjusted to avoid noisy findings.
Java source code scanner | CWE-918 | Looks for SSRF in `RestTemplate().exchange` calls.
Java source code scanner | CWE-352 | Reviews `@RequestMapping` settings and suggests more secure variants if a potential problem is found.
Java source code scanner | CWE-303 | Looks for dangerous `NoOpPasswordEncoder.getInstance` calls.
Java source code scanner | CWE-89 | Looks for additional cases of SQLi.
Java source code scanner | CWE-22 | Looks in more places for possible path traversal issues.
Java source code scanner | CWE-798 | Looks for hard-coded credentials in `HashMap.put` calls and setters.
JavaScript | CWE-200 | Added a check for dangerous target origin checks in `window.postMessage` calls.
JavaScript | CWE-913 | Modified to avoid noisy findings.
JQuery | CWE-79 | Modified to avoid noisy findings.
Objective-C | CWE-798 | Modified to avoid some additional noisy findings.
PHP | CWE-798 | Checks the value and ascertains whether it is truly a string literal that represents a likely plaintext password stored in the code.
Python | CWE-319 | Autofix corrected to address an errant replacement in some circumstances.
Secrets scanning | CWE-798 | Avoids minified JS files.
Secrets scanning | | Avoids analyzing translation files to reduce noise.
TerraForm | CWE-1220 | New rule checking for egress security group `cidr_blocks` being set too permissively.
TypeScript | CWE-943 | Looks for NoSQL MongoDB injection in TypeScript files.
TypeScript | | Looks for additional cases of SQLi.
TypeScript | CWE-1024 | Strict comparators recommended (`===` vs `==`).
VueJS | CWE-79 | Adjusted to avoid generating a finding if found in a method declaration.