Rule updates

Rule updates in AppScan® Source version 10.10.0

| Language | CWE | Description |
| --- | --- | --- |
| C# | CWE-89 | Reduce noise in SQLi detection. |
| CSS | CWE-79 | Reduce noise found in the hardcoded variable check in .css files. |
| Go | CWE-79 | Reduce noise produced in the fprintf check. |
| IaC Docker | CWE-22 | Check for sensitive paths being added in a Dockerfile. |
| IaC Kubernetes | CWE-209 | Added a check for left-behind stack trace code in .yaml configuration files. |
| Java | CWE-78 | Looks for inline calls of Runtime.getRuntime(). |
| Java | CWE-757 | Expanded the list of what is checked for as insecure and broken. |
| Java | CWE-916 | Check for a weak iteration count in PBEKeySpec and PBEParameterSpec. |
| Java | CWE-1188 | Denial-of-service check for the StringBuilder constructor called with large or user-controlled values. |
| Java | CWE-209 | Check for System.out and System.err usage in code (debug calls that should be removed from production code). |
| PHP | CWE-89 | Added a validator check for sqlite_escape_string. |
| Python | CWE-78 | Looks for unsafe use of os.system. |
| Python | CWE-79 | Improved clarity of the rule for Python Django. |
| Secrets | CWE-798 | Some noisy patterns no longer reported as findings. |
| Secrets | CWE-798 | Looks in web.config files for hard-coded credentials. |
| Secrets | CWE-1051 | Hard-coded IP address check adjusted to avoid strings that look like IP addresses but are not. |
| Secrets | CWE-1051 | Removed noisy patterns from the hard-coded IP address check. |
| Secrets | CWE-798 | Removed noisy patterns for hard-coded credentials: avoids noisy patterns in Rust code; added checks to the Secrets - Creds - Key : value pair rule to eliminate findings without quotes in Python files; added a check to filter noisy passwords such as 1234, wrongpassword, testpassword and noreply; adjusted other snippets to eliminate findings such as passwords containing 1234; because the Key:value pair rule currently captures context to the end of the line, line endings that contain , or " are removed. |
| Secrets | CWE-1051 | Noise reduction: the hard-coded IP address check avoids likely version numbers. |
| Secrets | CWE-798 | Reduce noise in Atlassian secret detection. |
| Secrets | CWE-798 | Reduce noise in key/value pairs of secrets. |
| Secrets | CWE-798 | Additional coverage to find passwords containing 1234 as part of a hard-coded password string. |

Rule updates in AppScan® Source version 10.9.0

Note:
  [1] New rules

| Language | CWE | Description |
| --- | --- | --- |
| All languages | CWE-798 | Improved noise reduction. |
| C# | CWE-1333 | Checking for timeouts applied to regex objects. [1] |
| C# | CWE-89 | New captures of SQLi where the query is built through String.Append. |
| C# | | Security information updated for Microsoft.CodeAnalysis.CSharp.Scripting and Microsoft.AspNetCore.Mvc.ViewFeatures. |
| C# source code scanner | CWE-94 | Check for CSharpScript.EvaluateAsync. [1] |
| C# source code scanner | CWE-532 | Check for logging of personally identifying information (PII), such as usernames or passwords. [1] |
| C# source code scanner | CWE-111 | Check for dangerous uses of DllImport. [1] |
| ColdFusion | CWE-328 | Adjusted the check for improved performance. |
| HTML | CWE-319 | Avoid localhost-style noise in the URL. |
| IaC | CWE-311 | Additional check for proper TLS settings in Amazon Load Balancer. |
| Java source code scanner | CWE-532 | Check for logging of personally identifying information (PII), such as usernames or passwords. [1] |
| Java source code scanner | CWE-102 | Check for duplicate form names within Struts validation XML files. [1] |
| Java source code scanner | CWE-104 | Check for a class extending ActionForm without validation. [1] |
| JavaScript | CWE-598 | Looking for URLSearchParams flaws in JavaScript files. [1] |
| PHP | CWE-111 | Check for uses of FFI::cdef containing unsafe calls. [1] |
| Python | CWE-502 | Looking for unsafe reflection in Java. [1] |
| Python | CWE-111 | Check for uses of ctypes.DLL that do not use a fully qualified path for the argument. [1] |

Rule updates in AppScan® Source version 10.8.0

Note:
  [1] New rules
  [2] Reduced noise in rule

| Language | CWE | Description |
| --- | --- | --- |
| ASP.NET | CWE-1188 | Cookieless session state enabled in project configuration. [2] |
| ASP.NET | CWE-79 | Potential XSS for inline expression in code. [2] |
| C# | CWE-601 | Request redirect with potential user-controlled data in variable. [2] |
| C# | CWE-185 | Regular expression injection. [2] |
| C# | CWE-78 | Adjusted to reduce noisy findings for OS injection. |
| HTML | CWE-79, CWE-319, CWE-524, CWE-525, CWE-598, CWE-1021, CWE-1022 | New rules for the file extensions htm, html, rhtml, xhtml, cshtml and vbhtml. |
| IaC | CWE-798 | Adjusted to reduce noisy findings for TypeScript code constructs. |
| IaC | CWE-1051 | Adjusted to reduce noisy findings for IP patterns in HTML files. |
| IaC | CWE-1328 | Adjusted to reduce noisy findings for Docker image references. |
| IaC Terraform | CWE-410 | Insecure load balancer configuration. [1] |
| Java | CWE-337 | Predictable seed for SecureRandom instance in Java code. [2] |
| Java | CWE-918 | Server-side request forgery in RestTemplate().exchange. [2] |
| Java | CWE-185 | Regular expression injection in Java code. [2] |
| Java | CWE-244 | Password stored in Java String object. [2] |
| JavaScript | CWE-79 | Insecure use of document.referrer. [2] |
| JavaScript | CWE-209 | Adjusted to reduce noisy findings. |
| JavaScript | CWE-359 | Adjusted to reduce noisy findings. |
| JavaScript | CWE-1022 | Adjusted to reduce noisy findings for window.open. |
| PHP | CWE-79 | User-controlled data within PHP converted to HTML. [2] |
| Python Django | CWE-79, CWE-89, CWE-200, CWE-201, CWE-212, CWE-352, CWE-497, CWE-522, CWE-523, CWE-795, CWE-918, CWE-1021, CWE-1188, CWE-1295 | Now collecting HTML files to review for Python; new rules added. |
| Secrets | CWE-798 | Hardcoded basic auth credentials. [1] |
| Secrets | CWE-798 | Looking for hard-coded passwords within URL query strings. |
| Secrets | CWE-284 | Adjusted to reduce noisy findings for Azure shared access signature token exposure. |
| VB.NET | CWE-502 | Possible deserialization. [2] |
| Visual Basic | CWE-78 | Adjusted to reduce noisy findings. |
| Visual Basic | CWE-328 | Adjusted to reduce noisy findings. |

Rule updates in AppScan® Source version 10.7.0

  [1] New rules
  [2] Rule fixes

| Language | CWE | Change |
| --- | --- | --- |
| General | CWE-319 | Better handling of open communications rules for all languages to avoid noisy findings. |
| .NET ASP.NET | CWE-1188 | Cookieless session state enabled in ASP.NET project configuration. |
| C# | CWE-319 | Open communications scheme detected. |
| C# | CWE-328 | Weak cipher algorithm detected. |
| C# | CWE-327 | JWT builder with no signature verification detected. |
| VB.NET | CWE-1173 | HTTP request validation is disabled in VB code. |
| VB.NET | CWE-328 | Use of weak cryptographic algorithm in VB code. |
| Angular | CWE-94 | Potential code injection vulnerability in sandbox VM. [1] |
| Angular | CWE-312 | The local storage check now skips setItem calls that relate to sort direction. |
| AngularJS and AllFolders property tab | CWE-477 | Deprecated call found: ng-bind-html-unsafe. |
| Apex | CWE-943 | SOQL injection. |
| Apex | CWE-943 | SOSL injection. |
| Apex | CWE-328 | Weak hash algorithm chosen. |
| Apex | CWE-79 | Script or style cross-site scripting (XSS). |
| ASP | CWE-319 | Open communications scheme detected in ASP code. |
| ASP | CWE-79 | Checks for proper validation using Server.HTMLEncode. |
| C/C++ | CWE-367 | Potentially dangerous use of temp file name function. Corrected context. [2] |
| C/C++ | CWE-78 | Potential command injection detected. Expanded coverage. [2] |
| C/C++ | CWE-250 | CreateFile call that appears to violate the principle of least privilege. |
| C/C++ | CWE-250 | CreateNamedPipe is missing the FILE_FLAG_FIRST_PIPE_INSTANCE flag. |
| C/C++ | CWE-757 | Insecure use of SSL/TLS protocol discovered. |
| C/C++ | CWE-295 | Potentially dangerous use of curl configuration discovered (seven different rules in this category). |
| C/C++ | CWE-427 | Potential principle-of-least-privilege registry manipulation detected. |
| C/C++ | CWE-611 | Unsafe external entity processing enabled. |
| ColdFusion | CWE-524 | cfCache caching secure pages. |
| ColdFusion | CWE-502 | cfWddx missing WDDX validation. |
| ColdFusion | CWE-862 | Client not verified in cfFunction. |
| ColdFusion | CWE-319 | Insecure communications. |
| ColdFusion | CWE-307 | Multiple submission validation. |
| ColdFusion | CWE-327 | Unsafe algorithm used in encrypt function. |
| CSS | CWE-79 | Adjusted to avoid noisy findings. |
| Dart | CWE-522 | AutoComplete turned on for potentially sensitive field. |
| Dart | CWE-319 | Open communications scheme detected with HttpServer. |
| Dart | CWE-319 | Open socket communications detected. |
| Dart | CWE-319 | Open communications scheme with Uri detected. |
| Dart | CWE-79 | Insecure use of window open in Dart code. |
| Dart | CWE-319 | Open communications scheme detected in string. |
| Dart | CWE-79 | Unsafe content security policy keyword found. |
| Dart | CWE-328 | More selective when presenting findings; avoids the more obvious noise findings. |
| Dart | CWE-319 | Adjusted to avoid noisy findings. |
| Docker | CWE-770 | Limit CPU to prevent a denial-of-service (DoS) attack. |
| Docker | CWE-770 | Limit the number of restarts on failure to prevent a denial of service (DoS). |
| Go | CWE-489 | Debugging package pprof for HTTP detected. |
| Go | CWE-1004 | Golang code contains insecure http.Cookie. |
| Go | CWE-319 | Open communications scheme detected in Golang code. |
| Groovy | CWE-319 | Open communications scheme detected in Groovy code. |
| Groovy | CWE-79 | Potential cross-site scripting vulnerability detected in Groovy source code. |
| Java | CWE-489 | Enabling debug in web security reveals data in Spring. |
| Java | CWE-1390 | Ignoring comments in SAML leads to broken authentication. |
| Java | CWE-548 | Insecure directory listing for default servlet in Tomcat configuration. |
| Java | CWE-276 | Insecure file permission use detected in Java. |
| Java | CWE-489 | Print stack trace detected in Java code. |
| Java | CWE-489 | Debuggable flag is set to true in Android application. |
| Java | CWE-1188 | Improper shared preferences mode detected in Android code. |
| JavaScript | CWE-359 | Insecure event transmission policy. Corrected context. [2] |
| JavaScript | CWE-79 | Potential XSS vulnerability detected in jQuery.append. Faster performance now. [2] |
| JavaScript | CWE-79 | Overriding the Mustache escape method is dangerous. |
| JavaScript | CWE-319 | Insecure event transmission policy. |
| JavaScript | CWE-200 | Added a check for dangerous target origin checks in window.postMessage calls. |
| JavaScript | CWE-913 | Modified to avoid noisy findings. |
| Java source code scanner | CWE-918 | Looking for SSRF in RestTemplate().exchange calls. |
| Java source code scanner | CWE-303 | Looking for dangerous NoOpPasswordEncoder.getInstance calls. |
| Java source code scanner | CWE-89 | Looking for additional cases of SQLi. |
| Java source code scanner | CWE-22 | Looking in more places for possible path traversal issues. |
| Java source code scanner | CWE-798 | Looking for hard-coded credentials in HashMap.put calls and setters. |
| jQuery | CWE-79 | Modified to avoid noisy findings. |
| Kotlin | CWE-319 | Open communication detected in Kotlin code. |
| NodeJS | CWE-614 | Cookie is missing a security flag or has a flag set to an insecure value. |
| NodeJS | CWE-328 | Unsafe algorithm is used in crypto createCipheriv. |
| NodeJS | CWE-295 | Insecure configuration disabling SSL certificate verification in node-curl. |
| NodeJS | CWE-78 | Exec shell spawn discovered. |
| NodeJS | CWE-1004 | Insecure configuration: missing HTTPOnly cookie attribute. |
| Objective-C | CWE-319 | Open communications scheme detected in Objective-C code. |
| Objective-C | CWE-798 | Modified to avoid some additional noisy findings. |
| PHP | CWE-1004 | Sensitive cookie without HttpOnly flag. [1] |
| PHP | CWE-614 | Sensitive cookie in HTTPS session without Secure attribute. [1] |
| PHP | CWE-79 | Embedded PHP variable detected. [1] |
| PHP | CWE-98 | Potential file inclusion vulnerability detected in PHP code. [1] |
| PHP | CWE-611 | XML external entity injection detected in PHP code. [1] |
| PHP | CWE-78 | PHP command execution potentially using user-supplied data. Expanded coverage. [2] |
| PHP | CWE-644 | Potential header injection discovered. Expanded coverage. [2] |
| PHP | CWE-327 | Insecure algorithm use detected. Expanded checks and coverage. [2] |
| PHP | CWE-319 | Open communication detected in PHP Symfony framework. |
| PHP | CWE-1004 | Missing or insecure HTTPOnly flag in setcookie. |
| PHP | CWE-319 | Open communications scheme detected. |
| PHP | CWE-544 | The error_reporting directive has not been set to allow the highest level of error reporting possible. |
| PHP | CWE-798 | Checks whether the value is truly a string literal that represents a likely plain-text password stored in the code. |
| PL/SQL | CWE-331 | Insecure use of DBMS_RANDOM. |
| Python | CWE-311 | URL using http. Expanded coverage. [2] |
| Python | CWE-311 | TOCTTOU race condition temporary file. Fixed coverage. [2] |
| Python | CWE-367 | TOCTTOU race condition temporary file. |
| Python | CWE-319 | URL using http. |
| Python | CWE-78 | Python OS injection. |
| Python | CWE-319 | Insecure FTP usage. |
| Python | CWE-78 | Popen command injection. |
| Python | CWE-276 | Using 777 with umask. |
| ReactNative | CWE-319 | Open communication detected. Corrected context. [2] |
| ReactNative | CWE-319 | Open communication detected. |
| ReactNative | CWE-295 | Disabling SSL pinning detected. |
| RPG | CWE-319 | Open communication detected in the code. |
| Ruby | CWE-78 | Insecure use of backticks (regex needs improvement). Expanded coverage. [2] |
| Ruby | CWE-78 | Insecure use of backticks. Expanded coverage. [2] |
| Ruby | CWE-425 | Ruby mass assignment. |
| Ruby | CWE-359 | Ruby information disclosure. |
| Scala | CWE-319 | Open communications scheme detected in Scala code. |
| Scala | CWE-79 | Potential client-side scripting vulnerability via cookie access detected in Scala source code. |
| Secrets | CWE-1051 | Hardcoded IP address detected. Expanded coverage. [2] |
| Secrets | CWE-798 | Hardcoded credentials detected. Expanded coverage. [2] |
| Secrets | CWE-798 | Avoids minified JS files. |
| Secrets | CWE-798 | Avoids analyzing translation files to reduce noise. |
| Swift | CWE-319 | Open communications scheme detected in Swift code. |
| Swift | CWE-79 | Potential cross-site scripting vulnerability when using loadRequest() in iOS UIWebView. |
| Terraform | CWE-359 | AWS instance exposing user data secrets is detected. |
| Terraform | CWE-778 | Azure log monitor profile should define all mandatory categories. |
| Terraform | CWE-732 | Default service account is used at folder, project, or organization level. |
| Terraform | CWE-671 | Email service and co-administrators are not enabled in SQL servers. |
| Terraform | CWE-923 | Ensure Azure storage account default network access is set to Deny. |
| Terraform | CWE-923 | Ensure GCP firewall rule does not allow unrestricted access. |
| Terraform | CWE-732 | Google Compute instance is publicly accessible. |
| Terraform | CWE-732 | Google storage bucket is publicly accessible. |
| Terraform | CWE-732 | Insecure access permissions for Amazon S3 bucket. |
| Terraform | CWE-1220 | New rule checking for egress security group cidr_blocks set too permissively. |
| TypeScript | CWE-943 | Looks for NoSQL MongoDB injection in TypeScript files. |
| TypeScript | CWE-943 | Looks for additional cases of SQLi. |
| Visual Basic | CWE-319 | Open communications scheme detected in VB code. |
| VueJS | CWE-79 | Adjusted to avoid generating a finding if found in a method declaration. |
| Xamarin | CWE-319 | Open communication detected in Xamarin. |