Rule updates

Recent rule updates in ASoC.

April 1, 2025

New rules


Language	CWE	Description
All languages	CWE-798	Improved noise reduction
C#	CWE-328	Autofix applies more modern function calls
	CWE-1333	Checking for timeouts applied to regex objects¹
	CWE-89	New captures of SQLi through building the query through `String.Append`
		Security information updated for `Microsoft.CodeAnalysis.CSharp.Scripting` and `Microsoft.AspNetCore.Mvc.ViewFeatures`
ColdFusion	CWE-328	Adjusted the check for improved performance
HTML	CWE-319	Avoid localhost style noise in the URL
IaC	CWE-770	Two new autofixes
IaC	CWE-311	Additional check for proper TLS settings in Amazon Load Balancer
Java	CWE-479	Updated autofix
JavaScript	CWE-598	Looking for `URLSearchParams` flaws in JavaScript files.¹
Python	CWE-502	Looking for unsafe reflection in Java¹

December 11, 2024


Language	CWE	Description
C#	CWE-78	Adjusted to reduce noisy findings for OS injection.
IaC	CWE-798	Adjusted to reduce noisy findings for TypeScript code constructs.
	CWE-1051	Adjusted to reduce noisy findings for IP patterns in HTML files.
	CWE-1328	Adjusted to reduce noisy findings for Docker image references.
HTML	CWE-79	New rules for file extensions: htm html rhtml xhtml cshtml vbhtml
	CWE-319
	CWE-524
	CWE-525
	CWE-598
	CWE-1021
	CWE-1022
JavaScript	CWE-209	Adjusted to reduce noisy findings.
	CWE-359	Adjusted to reduce noisy findings.
	CWE-1022	Adjusted to reduce noisy findings for window`.open` findings.
Secrets	CWE-798	Looking for hard coded passwords found within URL query strings.
Secrets	CWE-284	Adjusted to reduce noisy findings in Azure shared access signatures token exposure findings.
Visual Basic	CWE-78	Adjusted to reduce noisy findings.
Visual Basic	CWE-328	Adjusted to reduce noisy findings.

December 3, 2024

Note:

New rules
Reduced noise in rule


Language	CWE	Description
ASP.NET	CWE-1188	Cookieless session state enabled in project configuration. ²
ASP.NET	CWE-79	Potential XSS for inline expression in code. ²
C#	CWE-601	Request redirect with potential user-controlled data in variable. ²
C#	CWE-185	Regular expression injection.²
IaC Terraform	CWE-410	Insecure load balancer configuration.¹
Java	CWE-337	Predictable seed for `SecureRandom` instance in Java code.²
	CWE-918	Server-side request forgery in `RestTemplate().exchange`. ²
	CWE-185	Regular expression injection in Java code.²
	CWE-244	Password stored in Java string object.²
JavaScript	CWE-79	Insecure use of `document.referrer`.²
PHP	CWE-79	User-controlled data within PHP converted to HTML.²
Python Django	CWE-79	Now collecting HTML files to review for Python New rules added.
	CWE-89
	CWE-200
	CWE-201
	CWE-212
	CWE-352
	CWE-497
	CWE-522
	CWE-523
	CWE-795
	CWE-918
	CWE-1021
	CWE-1188
	CWE-1295
Secrets	CWE-798	Hardcoded basic auth credentials.¹
VB.NET	CWE-502	Possible deserialization.²

September 17, 2024

Note:

New rules
New or expanded autofix rules


Language	CWE	Change
Infrastructure as Code (IaC)	CWE-250	Insecure use of `apt-get` command detected in Dockerfile. ¹
	CWE-1328	Insecure use of Base image version detected in Dockerfile. ¹
	CWE-276	Default security profile is disabled. ²
JavaScript	CWE-1022	Leaked referrer information. ²
Kotlin	CWE-922	Improper data storage access found in Kotlin code. ²
PHP	CWE-98	The `allow_url_fopen` directive is enabled. ²
	CWE-98	The `allow_url_include` directive is enabled. ²
	CWE-94	The `cgi.force_redirect` directive is disabled. ²
	CWE-614	Sensitive cookie in HTTPS session without `Secure` attribute. ²
Python	CWE-732	Insecure use of `ALLOWED_HOSTS` in Django settings. ¹
	CWE-539	Insecure CSRF or session cookie settings in Django. ¹
	CWE-1021	Potential ClickjackingvAttack via `X_FRAME_OPTIONS`. ¹
	CWE-79	Potential XSS vulnerability from use of `safe` or `safeseq` filters in Django templates. ¹
	CWE-79	Potential XSS vulnerability in Django HttpResponse. ¹
	CWE-150	Expanded coverage for environment objects autoescape false. ²
	CWE-539	Insecure CSRF or session cookie settings in Django. ²
Ruby	CWE-78	Insecure use of backticks. ²
Ruby	CWE-78	Insecure use of system method. ²
Rust	CWE-295	Potential CMS message decryption without certificate checks detected. ²
	CWE-327	Potential weak elliptic curve cryptography usage detected. ²
	CWE-326	Potential weak RSA key length detected. ²

September 4, 2024

General updates:

Scan now avoids all minified files.
.NET data flow support for System.Data.SQLite.

Note:

New rules
New autofix rules
Rule fixes


Language		CWE	Change
.NET	ASP.NET	CWE-1188	Cookieless session state enabled in ASP.NET project configuration.²
	C#	CWE-319	Open communications scheme detected.²
		CWE-328	Weak cipher algorithm detected.²
		CWE-327	JWT Builder with no signature verification is detected.²
	VB.NET	CWE-1173	HTTP request validation is disabled in VB code.²
	VB.NET	CWE-328	Use of weak cryptographic algorithm in VB code.²
Angular		CWE-94	Potential code injection vulnerability in sandbox VM.¹
AngularJS		CWE-477	Deprecated call found: (`ng-bind-html-unsafe`).²
Apex		CWE-943	SOQL injection.²
		CWE-943	SOSL injection.²
		CWE-328	Weak hash algorithm chosen.²
		CWE-79	Script or style cross-site scripting (XSS).²
ASP		CWE-319	Open communications scheme detected in ASP code.²
C/C++		CWE-367	Potentially dangerous use of temp file name function. Corrected context and autofix enabled.³
		CWE-78	Potential command injection detected. Expanded coverage.³
		CWE-250	`CreateFile` call which appears to violate principle of least privilege.²
		CWE-250	`CreateNamedPipe` is missing `FILE_FLAG_FIRST_PIPE_INSTANCE` flag.²
		CWE-757	Insecure use of (SSL/TLS) protocol discovered.²
		CWE-295	Potentially dangerous use of Curl configuration discovered (seven different rules in this category).²
		CWE-427	Potential principle of least privilege registry manipulation detected.²
		CWE-611	Unsafe external entity processing enabled.²
ColdFusion		CWE-524	`cfCache` caching secure pages.²
		CWE-502	`cfWddx` missing WDDX validation.²
		CWE-862	Client not verified In `cfFunction`.²
		CWE-319	Insecure communications.²
		CWE-307	Multiple submission validation.²
		CWE-327	Unsafe algorithm used in encrypt function.²
Dart		CWE-522	`AutoComplete` turned on for potentially sensitive field.²
		CWE-319	Open communications scheme detected with `HttpServer`.²
		CWE-319	Open socket communications detected.²
		CWE-319	Open communications scheme with Uri detected.²
		CWE-79	Insecure use of window open in Dart code.²
		CWE-319	Open communications scheme detected in string.²
		CWE-79	Unsafe content security policy keyword found.²
Docker		CWE-770	Limit CPU to prevent a denial-of-service (DoS) attack.²
Docker		CWE-770	Limit the number of restarts on failure to prevent a denial-of-service (DoS).²
Go		CWE-489	Debugging package `pprof` for HTTP detected.²
		CWE-1004	Golang code contains insecure `http.Cookie`.²
		CWE-319	Open communications scheme detected in Golang code.²
Groovy		CWE-319	Open communications scheme detected in Groovy code.²
Groovy		CWE-79	Potential cross-site scripting vulnerability detected in Groovy source code added additional autofixes for all instances.²
Java		CWE-489	Enabling debug in web security reveals data in Spring.²
		CWE-1390	Ignore comments in SAML leads to broken authentication.²
		CWE-548	Insecure directory listing for default servlet in tomcat configuration.²
		CWE-276	Insecure file permission use detected in Java.²
		CWE-489	Print stack trace is detected in Java code.²
		CWE-489	Debuggable flag is set to true in Android application.²
		CWE-1188	Improper shared preferences mode detected in Android code.²
JavaScript		CWE-359	Insecure event transmission policy: corrected context and auto fix enabled.³
		CWE-79	Potential XSS vulnerability detected in `jQuery.append`. Faster performance now.³
		CWE-79	Overriding the Mustache escape method is dangerous.²
		CWE-319	Insecure event transmission policy.²
Kotlin		CWE-319	Open communication detected in Kotlin code.²
NodeJS		CWE-614	Cookie is missing a security flag or has a flag set to an insecure value.²
		CWE-328	Unsafe algorithm is used in crypto `createCipheriv`.²
		CWE-295	Insecure configuration of SSL certificate verification for disabling node-curl.²
		CWE-78	Exec shell spawn discovered.²
		CWE-1004	Insecure configuration of missing `HTTPOnly` cookie attribute.²
Objective-C		CWE-319	Open communications scheme detected in Objective-C code.²
PHP		CWE-1004¹	Sensitive cookie Without `HttpOnly` flag.²
		CWE-614¹	Sensitive cookie in HTTPS session without `secure` attribute.²
		CWE-79¹	Embedded PHP variable detected²
		CWE-98¹	Potential file inclusion vulnerability detected in PHP code.²
		CWE-611¹	XML external entity injection detected in PHP code.²
		CWE-78	PHP command execution potentially using user-supplied data. Expanded coverage.³
		CWE-644	Potential header injection discovered. Expanded coverage.³
		CWE-327	Insecure algorithm use detected. Expanded checks and coverage.³
		CWE-319	Open communication detected in PHP Symfony framework.²
		CWE-1004	Missing or insecure `HTTPOnly` flag in `setcookie`.²
		CWE-319	Open communications scheme detected.²
		CWE-544	The `error_reporting` directive has not been set to allow the highest level of error reporting possible²
PL/SQL		CWE-331	Insecure use of `DBMS_RANDOM`.²
Python		CWE-311	URL using `http`. Expanded coverage.³
		CWE-311	TOCTTOU race condition temporary file. Fixed coverage and enabled auto fix.³
		CWE-367	TOCTTOU race condition temporary file.²
		CWE-319	URL using `http`.²
		CWE-78	Python OS injection.²
		CWE-319	Insecure FTP usage.²
		CWE-78	Popen command injection.²
		CWE-276	Using 777 with umask.²
ReactNative		CWE-319	Open communication detected. Corrected context and auto fix enabled.³
		CWE-319	Open communication detected.²
		CWE-295	Disabling SSL pinning detected.²
RPG		CWE-319	Open communication detected in the code.²
Ruby		CWE-78	Insecure use of backticks regex needs improvement. Expanded coverage.³
		CWE-78	Insecure use of backticks. Expanded coverage.³
		CWE-425	Ruby mass assignment.²
		CWE-359	Ruby information disclosure.²
Scala		CWE-319	Open communications scheme detected in Scala code.²
Scala		CWE-79	Potential client side scripting vulnerability via cookie access detected in Scala source code.²
Secrets		CWE-1051	Hardcoded IP address detected. Expanded coverage.³
Secrets		CWE-798	Hardcoded credentials detected. Expanded coverage.³
Swift		CWE-319	Open communications scheme detected in Swift code.²
Swift		CWE-79	Potential cross-site scripting vulnerability when using `loadRequest()` in iOS `UIWebView`.²
Terraform		CWE-359	AWS instance exposing user data secrets is detected.²
		CWE-778	Azure log monitor profile should define all mandatory categories.²
		CWE-732	Default service account is used at folder, project, or organization level.²
		CWE-671	Email service and co-administrators are not enabled in SQL servers.²
		CWE-923	Ensure Azure storage account default network access is set to Deny.²
		CWE-923	Ensure GCP Firewall rule does not allow unrestricted access.²
		CWE-732	Google Compute instance is publicly accessible.²
		CWE-732	Google storage bucket is publicly accessible.²
		CWE-732	Insecure access permissions for Amazon S3 bucket.²
Visual Basic		CWE-319	Open communications scheme detected in VB code.²
Xamarin		CWE-319	Open communication detected in Xamarin.²

August 6, 2024


Language	CWE	Change
General	CWE-319	Better handling of open communications rules for all languages to reduce noisy findings.
Angular	CWE-312	The local storage avoids `setItem` calls which relate to sort direction.
ASP	CWE-79	Checks for proper validation using `Server.HTMLEncode`.
CSS	CWE-79	Adjusted to reduce noisy findings.
Dart	CWE-328	More selective when presenting findings and avoid more obvious noise findings.
Dart	CWE-319	Adjusted to reduce noisy findings.
Java source code scanner	CWE-918	Finding SSRF in `RestTemplate().exchange` calls.
	CWE-303	Finding `NoOpPasswordEncoder.getInstance` dangerous calls.
	CWE-89	Find additional cases for SQLi.
	CWE-22	Finding more places for possible path traversal issues
	CWE-798	Finding hard coded credentials in `HashMap.put` calls and setters.
JavaScript	CWE-200	Added a check for dangerous target origin checks in `window.postMessage` calls.
JavaScript	CWE-913	Modified to reduce noisy findings.
JQuery	CWE-79	Modified to reduce noisy findings.
Objective-C	CWE-798	Modified to reduce some additional noisy findings.
PHP	CWE-798	Checks the value and ascertains if the value is truly a string literal that represents a likely password in plain text stored in the code.
Python	CWE-319	Autofix corrected to address an errant replacement in some circumstances.
Secrets scanning	CWE-798	Avoids minified JS files.
Secrets scanning	CWE-798	Avoids analyzing translation files to reduce noise
TerraForm	CWE-1220	New rule checking for egress security group `cidr_blocks` being set too permissively.
TypeScript	CWE-943	Looks for NoSQL MongoDB injection in TypeScript files.
TypeScript	CWE-943	Looks for additional cases for SQLi.
VueJS	CWE-79	Adjusted to reduce generating a finding if found in a method declaration.