Rule updates
Recent rule updates in ASoC.
September 4, 2024
General updates:
-
Scan now avoids all minified files.
- .NET data flow support for
System.Data.SQLite.
Note:
- New rules
- New autofix rules
- Rule fixes
| Language | CWE | Change | |
|---|---|---|---|
| .NET | ASP.NET | CWE-1188 | Cookieless session state enabled in ASP.NET project configuration.2 |
| C# | CWE-319 | Open communications scheme detected.2 | |
| CWE-328 | Weak cipher algorithm detected.2 | ||
| CWE-327 | JWT Builder with no signature verification is detected.2 | ||
| VB.NET | CWE-1173 | HTTP request validation is disabled in VB code.2 | |
| CWE-328 | Use of weak cryptographic algorithm in VB code.2 | ||
| Angular | CWE-94 | Potential code injection vulnerability in sandbox VM.1 | |
| AngularJS | CWE-477 | Deprecated call found: (ng-bind-html-unsafe).2 | |
| Apex | CWE-943 | SOQL injection.2 | |
| CWE-943 | SOSL injection.2 | ||
| CWE-328 | Weak hash algorithm chosen.2 | ||
| CWE-79 | Script or style cross-site scripting (XSS).2 | ||
| ASP | CWE-319 | Open communications scheme detected in ASP code.2 | |
| C/C++ | CWE-367 | Potentially dangerous use of temp file name function. Corrected context and auto fix enabled.3 | |
| CWE-78 | Potential command injection detected. Expanded coverage.3 | ||
| CWE-250 | CreateFile call which appears to violate
principle of least privilege.2 |
||
| CWE-250 | CreateNamedPipe is missing
FILE_FLAG_FIRST_PIPE_INSTANCE
flag.2 |
||
| CWE-757 | Insecure use of (SSL/TLS) protocol discovered.2 | ||
| CWE-295 | Potentially dangerous use of Curl configuration discovered (seven different rules in this category).2 | ||
| CWE-427 | Potential principle of least privilege registry manipulation detected.2 | ||
| CWE-611 | Unsafe external entity processing enabled.2 | ||
| ColdFusion | CWE-524 | cfCache caching secure
pages.2 |
|
| CWE-502 | cfWddx missing WDDX
validation.2 |
||
| CWE-862 | Client not verified In
cfFunction.2 |
||
| CWE-319 | Insecure communications.2 | ||
| CWE-307 | Multiple submission validation.2 | ||
| CWE-327 | Unsafe algorithm used in encrypt function.2 | ||
| Dart | CWE-522 |
AutoComplete turned on for potentially sensitive
field.2 |
|
| CWE-319 | Open communications scheme detected with
HttpServer.2 |
||
| CWE-319 | Open socket communications detected.2 | ||
| CWE-319 | Open communications scheme with Uri detected.2 | ||
| CWE-79 | Insecure use of window open in Dart code.2 | ||
| CWE-319 | Open communications scheme detected in string.2 | ||
| CWE-79 | Unsafe content security policy keyword found.2 | ||
| Docker | CWE-770 | Limit CPU to prevent a denial-of-service (DoS) attack.2 | |
| CWE-770 | Limit the number of restarts on failure to prevent a denial-of-service (DoS).2 | ||
| Go | CWE-489 | Debugging package pprof for HTTP detected.2 | |
| CWE-1004 | Golang code contains insecure
http.Cookie.2 |
||
| CWE-319 | Open communications scheme detected in Golang code.2 | ||
| Groovy | CWE-319 | Open communications scheme detected in Groovy code.2 | |
| CWE-79 | Potential cross-site scripting vulnerability detected in Groovy source code added additional autofixes for all instances.2 | ||
| Java | CWE-489 | Enabling debug in web security reveals data in Spring.2 | |
| CWE-1390 | Ignore comments in SAML leads to broken authentication.2 | ||
| CWE-548 | Insecure directory listing for default servlet in tomcat configuration.2 | ||
| CWE-276 | Insecure file permission use detected in Java.2 | ||
| CWE-489 | Print stack trace is detected in Java code.2 | ||
| CWE-489 | Debuggable flag is set to true in Android application.2 | ||
| CWE-1188 | Improper shared preferences mode detected in Android code.2 | ||
| JavaScript | CWE-359 | Insecure event transmission policy: corrected context and auto fix enabled.3 | |
| CWE-79 | Potential XSS vulnerability detected in
jQuery.append. Faster performance
now.3 |
||
| CWE-79 | Overriding the Mustache escape method is dangerous.2 | ||
| CWE-319 | Insecure event transmission policy.2 | ||
| Kotlin | CWE-319 | Open communication detected in Kotlin code.2 | |
| NodeJS | CWE-614 | Cookie is missing a security flag or has a flag set to an insecure value.2 | |
| CWE-328 | Unsafe algorithm is used in crypto
createCipheriv.2 |
||
| CWE-295 | Insecure configuration of SSL certificate verification for disabling node-curl.2 | ||
| CWE-78 | Exec shell spawn discovered.2 | ||
| CWE-1004 | Insecure configuration of missing HTTPOnly
cookie attribute.2 |
||
| Objective-C | CWE-319 | Open communications scheme detected in Objective-C code.2 | |
| PHP | CWE-10041 | Sensitive cookie Without HttpOnly
flag.2 |
|
| CWE-6141 | Sensitive cookie in HTTPS session without secure
attribute.2 |
||
| CWE-791 | Embedded PHP variable detected2 | ||
| CWE-981 | Potential file inclusion vulnerability detected in PHP code.2 | ||
| CWE-6111 | XML external entity injection detected in PHP code.2 | ||
| CWE-78 | PHP command execution potentially using user-supplied data. Expanded coverage.3 | ||
| CWE-644 | Potential header injection discovered. Expanded coverage.3 | ||
| CWE-327 | Insecure algorithm use detected expanded checks. Expanded coverage.3 | ||
| CWE-319 | Open communication detected in PHP Symfony framework.2 | ||
| CWE-1004 | Missing or insecure HTTPOnly flag in
setcookie.2 |
||
| CWE-319 | Open communications scheme detected.2 | ||
| CWE-544 | The error_reporting directive has not been set
to allow the highest level of error reporting
possible2 |
||
| PL/SQL | CWE-331 | Insecure use of DBMS_RANDOM.2 |
|
| Python | CWE-311 | URL using http. Expanded
coverage.3 |
|
| CWE-311 | TOCTTOU race condition temporary file. Fixed coverage and enabled auto fix.3 | ||
| CWE-367 | TOCTTOU race condition temporary file.2 | ||
| CWE-319 | URL using http.2 |
||
| CWE-78 | Python OS injection.2 | ||
| CWE-319 | Insecure FTP usage.2 | ||
| CWE-78 | Popen command injection.2 | ||
| CWE-276 | Using 777 with umask.2 | ||
| ReactNative | CWE-319 | Open communication detected. Corrected context and auto fix enabled.3 | |
| CWE-319 | Open communication detected.2 | ||
| CWE-295 | Disabling SSL pinning detected.2 | ||
| RPG | CWE-319 | Open communication detected in the code.2 | |
| Ruby | CWE-78 | Insecure use of backticks regex needs improvement. Expanded coverage.3 | |
| CWE-78 | Insecure use of backticks. Expanded coverage.3 | ||
| CWE-425 | Ruby mass assignment.2 | ||
| CWE-359 | Ruby information disclosure.2 | ||
| Scala | CWE-319 | Open communications scheme detected in Scala code.2 | |
| CWE-79 | Potential client side scripting vulnerability via cookie access detected in Scala source code.2 | ||
| Secrets | CWE-1051 | Hardcoded IP address detected. Expanded coverage.3 | |
| CWE-798 | Hardcoded credentials detected. Expanded coverage.3 | ||
| Swift | CWE-319 | Open communications scheme detected in Swift code.2 | |
| CWE-79 | Potential cross-site scripting vulnerability when using
loadRequest() in iOS
UIWebView.2 |
||
| Terraform | CWE-359 | AWS instance exposing user data secrets is detected.2 | |
| CWE-778 | Azure log monitor profile should define all mandatory categories.2 | ||
| CWE-732 | Default service account is used at folder, project, or organization level.2 | ||
| CWE-671 | Email service and co-administrators are not enabled in SQL servers.2 | ||
| CWE-923 | Ensure Azure storage account default network access is set to Deny.2 | ||
| CWE-923 | Ensure GCP Firewall rule does not allow unrestricted access.2 | ||
| CWE-732 | Google Compute instance is publicly accessible.2 | ||
| CWE-732 | Google storage bucket is publicly accessible.2 | ||
| CWE-732 | Insecure access permissions for Amazon S3 bucket.2 | ||
| Visual Basic | CWE-319 | Open communications scheme detected in VB code.2 | |
| Xamarin | CWE-319 | Open communication detected in Xamarin.2 | |
August 6, 2024
| Language | CWE | Change |
|---|---|---|
| General | CWE-319 | Better handling of open communications rules for all languages to avoid noisy findings. |
| Angular | CWE-312 | The local storage avoids setItem calls which
relate to sort direction. |
| ASP | CWE-79 | Checks for proper validation using
Server.HTMLEncode. |
| CSS |
CWE-79 |
Adjusted to avoid noisy findings. |
| Dart | CWE-328 | More selective when presenting findings and avoid more obvious noise findings. |
| CWE-319 |
Adjusted to avoid noisy findings. |
|
| Java source code scanner | CWE-918 | Looking for SSRF in RestTemplate().exchange
calls. |
| CWE-352 | Reviews @RequestMapping settings and
suggests more secure variants if a potential problem is
found. |
|
| CWE-303 | Looking for NoOpPasswordEncoder.getInstance
dangerous calls. |
|
| CWE-89 | Looking for additional cases for SQLi. | |
| CWE-22 | Looking in more places for possible path traversal issues | |
| CWE-798 | Looking for hard coded credentials in
HashMap.put calls and setters. |
|
| JavaScript | CWE-200 | Added a check for dangerous target origin checks in
window.postMessage calls. |
| CWE-913 | Modified to avoid noisy findings. | |
| JQuery | CWE-79 | Modified to avoid noisy findings. |
| Objective-C | CWE-798 | Modified to avoid some additional noisy findings. |
| PHP | CWE-798 | Checks the value and ascertains if the value is truly a string literal that represents a likely password in plain text stored in the code. |
| Python | CWE-319 | Autofix corrected to address an errant replacement in some circumstances. |
| Secrets scanning | CWE-798 | Avoids minified JS files. |
| Avoids analyzing translation files to reduce noise | ||
| TerraForm | CWE-1220 | New rule checking for egress security group
cidr_blocks being set too
permissively. |
| TypeScript | CWE-943 | Looks for NoSQL MongoDB injection in TypeScript files. |
| Looks for additional cases for SQLi. | ||
| CWE-1024 | Strict comparators recommended (=== vs ==). | |
| VueJS | CWE-79 | Adjusted to avoid generating a finding if found in a method declaration. |