Rule updates

Rule updates in AppScan® Source version 10.11.0

| Language | CWE | Description |
|---|---|---|
| Android Java | CWE-319 | New coverage: Checks if usesCleartextTraffic or cleartextTrafficPermitted is set to true in the AndroidManifest.xml file, which is an insecure practice. |
| C# | CWE-89 | New coverage: Added a SQL injection check to consider the += pattern as well as some stored procedure patterns. |
| C# | CWE-89 | New coverage: More constrained check to be sure we are in a query, to reduce noise. |
| C# | CWE-215 | Check logging calls for suspicious variables containing sensitive information. |
| C# | CWE-397 | Look for generic, potentially unsafe throws such as throw new Exception or throw new SystemException. |
| C# | CWE-1004 | Noise reduction: Check for http=true, and if it is set, avoid a finding. |
| Dart: Flutter (new framework support, new coverage) | CWE-35 | Checks if MethodChannel is using a path argument which is potentially user controlled. |
| Dart: Flutter | CWE-78 | Looks for potential OS injection in MethodChannel calls. |
| Dart: Flutter | CWE-80 | Checks WebView or InAppWebView to see if JavaScript is unrestricted, which is a dangerous practice. |
| Dart: Flutter | CWE-89 | Support for the sqflite Flutter-specific DB API. |
| Dart: Flutter | CWE-117 | Uncovers print and similar statements which are not wrapped by debug controls. These calls generally should not be in production code outside of a debug branch. |
| Dart: Flutter | CWE-312 | Rule checks to see if FlutterSecureStorage is storing suspected private information such as passwords or other session information. |
| Dart: Flutter | CWE-598 | Checks the Navigator object for potentially unsafe usages of the query parameters. |
| Dart: Flutter | CWE-918 | Looks for user controlled URLs in MethodChannel.invokeMethod as an SSRF attack vector. |
| Dart: Flutter | CWE-943 | Look for NoSQL injection. |
| Dart: Flutter | CWE-338 | Look for weak pseudo-random numbers. |
| Dart: Flutter | CWE-116 | Look for File.writeAs style calls. |
| Dart: Flutter | CWE-79 | Review potentially insecure usage of Response.ok and similar calls. |
| Dart: Flutter | CWE-348 | Look for potentially unsafe directory listing. |
| Dart: Flutter | CWE-78 | Check for unsafe usage of Process.run. |
| Dart: Flutter | CWE-89 | Cover query/execute/prepare style calls for SQL injection potential. |
| Java | CWE-215 | Check logging calls for suspicious variables which contain sensitive information. |
| Java | CWE-397 | Look for generic, potentially unsafe throws such as throws Exception or throws Throwable. |
| Java | CWE-396 | Look for generic catch blocks such as catch(Exception e) or catch (Throwable t). |
| JavaScript: Angular | CWE-80 | Noise reduction: Check to make sure we are not in an @if template. |
| JavaScript | CWE-397 | Look for generic, potentially unsafe throws such as throw "message". |
| JavaScript | CWE-80 | Fixed a flaw where the @if pattern is used and is not a handlebars template. |
| NodeJS | CWE-78 | Additional check for unsafe child_process.exec calls. |
| Perl | CWE-89 | Reduce noise in the SQL injection rule, which errantly produced findings for parameterized statements. |
| Perl | CWE-732 | Reduce noise for open calls using STDIN as the input. |
| Perl | CWE-732 | More complete coverage for IO::File::open calls. |
| PHP | CWE-213 | Added check for lingering phpinfo calls in PHP code. |
| PHP | CWE-89 | New check to validate away findings using sqlite_escape_string. |
| PHP | CWE-397 | Look for generic, potentially unsafe throws such as throw Error("foo"). |
| Python | CWE-397 | Look for generic, potentially unsafe throws such as raise BaseException. |
| Secrets | CWE-798 | Add a check for privateKey for hard coded secrets. |
| Secrets | CWE-798 | New coverage: Support for Tuleap added. |
| Secrets | CWE-798 | New coverage: Check for hard coded passwords inside of equalsIgnoreCase calls. |
| Secrets | CWE-798 | Noise reduction: Avoid adding a finding for commented C/C++ code in the secrets scanner. |
| Swift | CWE-1188 | New coverage: Checks the Info.plist file for UIFileSharingEnabled or LSSupportsOpeningDocumentsInPlace set to true, which is insecure. |
| TypeScript | CWE-94 | Additional check for eval containing a potentially user controlled variable. |

In addition, there is an update to CWE-319 in general. We removed rules looking for unsafe http-style strings in code as they are too noisy. We still look for specific instances of open communications being used in our hybrid scanner where it makes sense, such as for fetch calls in JavaScript.

This change to CWE-319 impacts the following languages:
  • ASP
  • Golang
  • Groovy
  • Kotlin
  • Objective-C
  • PHP
  • Scala
  • Swift
  • C#
  • Dart
  • RPG
  • VB
  • Xamarin

Rule updates in AppScan® Source version 10.10.0

| Language | CWE | Description |
|---|---|---|
| C# | CWE-89 | Reduce noise in SQLi detection. |
| CSS | CWE-79 | Reduce noise found in the hardcoded variable check in .css files. |
| Go | CWE-79 | Reduce noise produced in the fprintf check. |
| IaC Docker | CWE-22 | Check for sensitive paths being added in a Dockerfile. |
| IaC Kubernetes | CWE-209 | Added a check for left-behind stack trace code in .yaml configuration files. |
| Java | CWE-78 | Looks for inline calls of Runtime.getRuntime(). |
| Java | CWE-757 | Enhanced the list of what we check for as insecure and broken. |
| Java | CWE-916 | Check for a weak iteration count for PBEKeySpec and PBEParameterSpec. |
| Java | CWE-1188 | Denial of service check for the StringBuilder constructor using large or user controlled values. |
| Java | CWE-209 | Check for System.out and System.err usage in code (debug calls that should be removed from production code). |
| PHP | CWE-89 | Added a validator check for sqlite_escape_string. |
| Python | CWE-78 | Looks for unsafe use of os.system. |
| Python | CWE-79 | Improved clarity of the rule for Python Django. |
| Secrets | CWE-798 | Some noisy patterns removed as a finding. |
| Secrets | CWE-798 | Looks in web.config files for hard-coded credentials. |
| Secrets | CWE-1051 | Check for hard coded IP addresses adjusted to avoid strings that appear to be IP addresses but are not. |
| Secrets | CWE-1051 | Removed noisy patterns for the hardcoded IP address check. |
| Secrets | CWE-798 | Removed noisy patterns for hardcoded credentials: avoid noisy patterns in Rust code; added checks in the Secrets - Creds - Key : value pair rule to eliminate findings without quotes for Python files; added a check to filter noisy passwords such as 1234, wrongpassword, testpassword, noreply; adjusted other snippets to eliminate findings like passwords with 1234; the key:value pair rule currently captures context up to the end of the line, so line endings containing , or " were removed. |
| Secrets | CWE-1051 | Noise reduction: The hard coded IP address check avoids likely version numbers. |
| Secrets | CWE-798 | Reduce noise in Atlassian secret detection. |
| Secrets | CWE-798 | Reduce noise in key/value pairs of secrets. |
| Secrets | CWE-798 | Additional coverage to find passwords with 1234 in the string as part of the hard coded password. |

Rule updates in AppScan® Source version 10.9.0

Note:
  [1] New rules

| Language | CWE | Description |
|---|---|---|
| All languages | CWE-798 | Improved noise reduction. |
| C# | CWE-1333 | Checking for timeouts applied to regex objects. [1] |
| C# | CWE-89 | New captures of SQLi through building the query with String.Append. |
| C# | | Security information updated for Microsoft.CodeAnalysis.CSharp.Scripting and Microsoft.AspNetCore.Mvc.ViewFeatures. |
| C# source code scanner | CWE-94 | Check for CSharpScript.EvaluateAsync. [1] |
| C# source code scanner | CWE-532 | Check for logging of personally identifying information (PII), such as usernames or passwords. [1] |
| C# source code scanner | CWE-111 | Check for dangerous uses of DllImport. [1] |
| ColdFusion | CWE-328 | Adjusted the check for improved performance. |
| HTML | CWE-319 | Avoid localhost style noise in the URL. |
| IaC | CWE-311 | Additional check for proper TLS settings in Amazon Load Balancer. |
| Java source code scanner | CWE-532 | Check for logging of personally identifying information (PII), such as usernames or passwords. [1] |
| Java source code scanner | CWE-102 | Check for duplicate form names within Struts validation XML files. [1] |
| Java source code scanner | CWE-104 | Check for a class extending an ActionForm without validation. [1] |
| JavaScript | CWE-598 | Looking for URLSearchParams flaws in JavaScript files. [1] |
| PHP | CWE-111 | Check for uses of FFI::cdef containing unsafe calls. [1] |
| Python | CWE-502 | Looking for unsafe reflection in Java. [1] |
| Python | CWE-111 | Check for uses of ctypes.DLL not using a fully qualified path for the argument. [1] |

Rule updates in AppScan® Source version 10.8.0

Note:
  [1] New rules
  [2] Reduced noise in rule

| Language | CWE | Description |
|---|---|---|
| ASP.NET | CWE-1188 | Cookieless session state enabled in project configuration. [2] |
| ASP.NET | CWE-79 | Potential XSS for inline expression in code. [2] |
| C# | CWE-601 | Request redirect with potential user-controlled data in variable. [2] |
| C# | CWE-185 | Regular expression injection. [2] |
| C# | CWE-78 | Adjusted to reduce noisy findings for OS injection. |
| HTML | CWE-79, CWE-319, CWE-524, CWE-525, CWE-598, CWE-1021, CWE-1022 | New rules for file extensions: htm, html, rhtml, xhtml, cshtml, vbhtml. |
| IaC | CWE-798 | Adjusted to reduce noisy findings for TypeScript code constructs. |
| IaC | CWE-1051 | Adjusted to reduce noisy findings for IP patterns in HTML files. |
| IaC | CWE-1328 | Adjusted to reduce noisy findings for Docker image references. |
| IaC Terraform | CWE-410 | Insecure load balancer configuration. [1] |
| Java | CWE-337 | Predictable seed for SecureRandom instance in Java code. [2] |
| Java | CWE-918 | Server-side request forgery in RestTemplate().exchange. [2] |
| Java | CWE-185 | Regular expression injection in Java code. [2] |
| Java | CWE-244 | Password stored in Java String object. [2] |
| JavaScript | CWE-79 | Insecure use of document.referrer. [2] |
| JavaScript | CWE-209 | Adjusted to reduce noisy findings. |
| JavaScript | CWE-359 | Adjusted to reduce noisy findings. |
| JavaScript | CWE-1022 | Adjusted to reduce noisy findings for window.open. |
| PHP | CWE-79 | User-controlled data within PHP converted to HTML. [2] |
| Python Django | CWE-79, CWE-89, CWE-200, CWE-201, CWE-212, CWE-352, CWE-497, CWE-522, CWE-523, CWE-795, CWE-918, CWE-1021, CWE-1188, CWE-1295 | Now collecting HTML files to review for Python; new rules added. |
| Secrets | CWE-798 | Hardcoded basic auth credentials. [1] |
| Secrets | CWE-798 | Looking for hard coded passwords found within URL query strings. |
| Secrets | CWE-284 | Adjusted to reduce noisy findings in Azure shared access signature token exposure findings. |
| VB.NET | CWE-502 | Possible deserialization. [2] |
| Visual Basic | CWE-78 | Adjusted to reduce noisy findings. |
| Visual Basic | CWE-328 | Adjusted to reduce noisy findings. |

Rule updates in AppScan® Source version 10.7.0

Note:
  [1] New rules
  [2] Rule fixes

| Language | CWE | Change |
|---|---|---|
| General | CWE-319 | Better handling of open communications rules for all languages to avoid noisy findings. |
| .NET ASP.NET | CWE-1188 | Cookieless session state enabled in ASP.NET project configuration. |
| C# | CWE-319 | Open communications scheme detected. |
| C# | CWE-328 | Weak cipher algorithm detected. |
| C# | CWE-327 | JWT Builder with no signature verification is detected. |
| VB.NET | CWE-1173 | HTTP request validation is disabled in VB code. |
| VB.NET | CWE-328 | Use of weak cryptographic algorithm in VB code. |
| Angular | CWE-94 | Potential code injection vulnerability in sandbox VM. [1] |
| Angular | CWE-312 | The local storage rule avoids setItem calls which relate to sort direction. |
| AngularJS and AllFolders property tab | CWE-477 | Deprecated call found: (ng-bind-html-unsafe). |
| Apex | CWE-943 | SOQL injection. |
| Apex | CWE-943 | SOSL injection. |
| Apex | CWE-328 | Weak hash algorithm chosen. |
| Apex | CWE-79 | Script or style cross-site scripting (XSS). |
| ASP | CWE-319 | Open communications scheme detected in ASP code. |
| ASP | CWE-79 | Checks for proper validation using Server.HTMLEncode. |
| C/C++ | CWE-367 | Potentially dangerous use of temp file name function. Corrected context. [2] |
| C/C++ | CWE-78 | Potential command injection detected. Expanded coverage. [2] |
| C/C++ | CWE-250 | CreateFile call which appears to violate the principle of least privilege. |
| C/C++ | CWE-250 | CreateNamedPipe is missing the FILE_FLAG_FIRST_PIPE_INSTANCE flag. |
| C/C++ | CWE-757 | Insecure use of (SSL/TLS) protocol discovered. |
| C/C++ | CWE-295 | Potentially dangerous use of Curl configuration discovered (seven different rules in this category). |
| C/C++ | CWE-427 | Potential principle of least privilege registry manipulation detected. |
| C/C++ | CWE-611 | Unsafe external entity processing enabled. |
| ColdFusion | CWE-524 | cfCache caching secure pages. |
| ColdFusion | CWE-502 | cfWddx missing WDDX validation. |
| ColdFusion | CWE-862 | Client not verified in cfFunction. |
| ColdFusion | CWE-319 | Insecure communications. |
| ColdFusion | CWE-307 | Multiple submission validation. |
| ColdFusion | CWE-327 | Unsafe algorithm used in encrypt function. |
| CSS | CWE-79 | Adjusted to avoid noisy findings. |
| Dart | CWE-522 | AutoComplete turned on for potentially sensitive field. |
| Dart | CWE-319 | Open communications scheme detected with HttpServer. |
| Dart | CWE-319 | Open socket communications detected. |
| Dart | CWE-319 | Open communications scheme with Uri detected. |
| Dart | CWE-79 | Insecure use of window open in Dart code. |
| Dart | CWE-319 | Open communications scheme detected in string. |
| Dart | CWE-79 | Unsafe content security policy keyword found. |
| Dart | CWE-328 | More selective when presenting findings, avoiding more obvious noisy findings. |
| Dart | CWE-319 | Adjusted to avoid noisy findings. |
| Docker | CWE-770 | Limit CPU to prevent a denial-of-service (DoS) attack. |
| Docker | CWE-770 | Limit the number of restarts on failure to prevent a denial-of-service (DoS). |
| Go | CWE-489 | Debugging package pprof for HTTP detected. |
| Go | CWE-1004 | Golang code contains insecure http.Cookie. |
| Go | CWE-319 | Open communications scheme detected in Golang code. |
| Groovy | CWE-319 | Open communications scheme detected in Groovy code. |
| Groovy | CWE-79 | Potential cross-site scripting vulnerability detected in Groovy source code. |
| Java | CWE-489 | Enabling debug in web security reveals data in Spring. |
| Java | CWE-1390 | Ignoring comments in SAML leads to broken authentication. |
| Java | CWE-548 | Insecure directory listing for default servlet in Tomcat configuration. |
| Java | CWE-276 | Insecure file permission use detected in Java. |
| Java | CWE-489 | Print stack trace is detected in Java code. |
| Java | CWE-489 | Debuggable flag is set to true in Android application. |
| Java | CWE-1188 | Improper shared preferences mode detected in Android code. |
| JavaScript | CWE-359 | Insecure event transmission policy: corrected context. [2] |
| JavaScript | CWE-79 | Potential XSS vulnerability detected in jQuery.append. Faster performance now. [2] |
| JavaScript | CWE-79 | Overriding the Mustache escape method is dangerous. |
| JavaScript | CWE-319 | Insecure event transmission policy. |
| JavaScript | CWE-200 | Added a check for dangerous target origin checks in window.postMessage calls. |
| JavaScript | CWE-913 | Modified to avoid noisy findings. |
| Java source code scanner | CWE-918 | Looking for SSRF in RestTemplate().exchange calls. |
| Java source code scanner | CWE-303 | Looking for dangerous NoOpPasswordEncoder.getInstance calls. |
| Java source code scanner | CWE-89 | Looking for additional cases for SQLi. |
| Java source code scanner | CWE-22 | Looking in more places for possible path traversal issues. |
| Java source code scanner | CWE-798 | Looking for hard coded credentials in HashMap.put calls and setters. |
| jQuery | CWE-79 | Modified to avoid noisy findings. |
| Kotlin | CWE-319 | Open communication detected in Kotlin code. |
| NodeJS | CWE-614 | Cookie is missing a security flag or has a flag set to an insecure value. |
| NodeJS | CWE-328 | Unsafe algorithm is used in crypto createCipheriv. |
| NodeJS | CWE-295 | Insecure configuration disabling SSL certificate verification in node-curl. |
| NodeJS | CWE-78 | Exec shell spawn discovered. |
| NodeJS | CWE-1004 | Insecure configuration: missing HttpOnly cookie attribute. |
| Objective-C | CWE-319 | Open communications scheme detected in Objective-C code. |
| Objective-C | CWE-798 | Modified to avoid some additional noisy findings. |
| PHP | CWE-1004 | Sensitive cookie without HttpOnly flag. [1] |
| PHP | CWE-614 | Sensitive cookie in HTTPS session without secure attribute. [1] |
| PHP | CWE-79 | Embedded PHP variable detected. [1] |
| PHP | CWE-98 | Potential file inclusion vulnerability detected in PHP code. [1] |
| PHP | CWE-611 | XML external entity injection detected in PHP code. [1] |
| PHP | CWE-78 | PHP command execution potentially using user-supplied data. Expanded coverage. [2] |
| PHP | CWE-644 | Potential header injection discovered. Expanded coverage. [2] |
| PHP | CWE-327 | Insecure algorithm use detected. Expanded checks and coverage. [2] |
| PHP | CWE-319 | Open communication detected in PHP Symfony framework. |
| PHP | CWE-1004 | Missing or insecure HttpOnly flag in setcookie. |
| PHP | CWE-319 | Open communications scheme detected. |
| PHP | CWE-544 | The error_reporting directive has not been set to allow the highest level of error reporting possible. |
| PHP | CWE-798 | Checks the value and ascertains whether it is truly a string literal that represents a likely password stored in plain text in the code. |
| PL/SQL | CWE-331 | Insecure use of DBMS_RANDOM. |
| Python | CWE-311 | URL using http. Expanded coverage. [2] |
| Python | CWE-311 | TOCTTOU race condition temporary file. Fixed coverage. [2] |
| Python | CWE-367 | TOCTTOU race condition temporary file. |
| Python | CWE-319 | URL using http. |
| Python | CWE-78 | Python OS injection. |
| Python | CWE-319 | Insecure FTP usage. |
| Python | CWE-78 | Popen command injection. |
| Python | CWE-276 | Using 777 with umask. |
| ReactNative | CWE-319 | Open communication detected. Corrected context. [2] |
| ReactNative | CWE-319 | Open communication detected. |
| ReactNative | CWE-295 | Disabling SSL pinning detected. |
| RPG | CWE-319 | Open communication detected in the code. |
| Ruby | CWE-78 | Insecure use of backticks (regex improved). Expanded coverage. [2] |
| Ruby | CWE-78 | Insecure use of backticks. Expanded coverage. [2] |
| Ruby | CWE-425 | Ruby mass assignment. |
| Ruby | CWE-359 | Ruby information disclosure. |
| Scala | CWE-319 | Open communications scheme detected in Scala code. |
| Scala | CWE-79 | Potential client side scripting vulnerability via cookie access detected in Scala source code. |
| Secrets | CWE-1051 | Hardcoded IP address detected. Expanded coverage. [2] |
| Secrets | CWE-798 | Hardcoded credentials detected. Expanded coverage. [2] |
| Secrets | CWE-798 | Avoids minified JS files. |
| Secrets | CWE-798 | Avoids analyzing translation files to reduce noise. |
| Swift | CWE-319 | Open communications scheme detected in Swift code. |
| Swift | CWE-79 | Potential cross-site scripting vulnerability when using loadRequest() in iOS UIWebView. |
| Terraform | CWE-359 | AWS instance exposing user data secrets is detected. |
| Terraform | CWE-778 | Azure log monitor profile should define all mandatory categories. |
| Terraform | CWE-732 | Default service account is used at folder, project, or organization level. |
| Terraform | CWE-671 | Email service and co-administrators are not enabled in SQL servers. |
| Terraform | CWE-923 | Ensure Azure storage account default network access is set to Deny. |
| Terraform | CWE-923 | Ensure GCP firewall rule does not allow unrestricted access. |
| Terraform | CWE-732 | Google Compute instance is publicly accessible. |
| Terraform | CWE-732 | Google storage bucket is publicly accessible. |
| Terraform | CWE-732 | Insecure access permissions for Amazon S3 bucket. |
| Terraform | CWE-1220 | New rule checking for egress security group cidr_blocks being set too permissively. |
| TypeScript | CWE-943 | Looks for NoSQL MongoDB injection in TypeScript files. |
| TypeScript | CWE-943 | Looks for additional cases for SQLi. |
| Visual Basic | CWE-319 | Open communications scheme detected in VB code. |
| VueJS | CWE-79 | Adjusted to avoid generating a finding if found in a method declaration. |
| Xamarin | CWE-319 | Open communication detected in Xamarin. |