| Language | CWE | Rule / change |
|---|---|---|
| General | CWE-319 | Better handling of open communications rules for all languages to avoid noisy findings. |
| .NET / ASP.NET | CWE-1188 | Cookieless session state enabled in ASP.NET project configuration.² |
| C# | CWE-319 | Open communications scheme detected.² |
| C# | CWE-328 | Weak cipher algorithm detected.² |
| C# | CWE-327 | JWT Builder with no signature verification is detected.² |
| VB.NET | CWE-1173 | HTTP request validation is disabled in VB code.² |
| VB.NET | CWE-328 | Use of weak cryptographic algorithm in VB code.² |
| Angular | CWE-94 | Potential code injection vulnerability in sandbox VM.¹ |
| Angular | CWE-312 | The local storage rule avoids setItem calls that relate to sort direction. |
| AngularJS | CWE-477 | Deprecated call found: ng-bind-html-unsafe.² |
| Apex | CWE-943 | SOQL injection.² |
| Apex | CWE-943 | SOSL injection.² |
| Apex | CWE-328 | Weak hash algorithm chosen.² |
| Apex | CWE-79 | Script or style cross-site scripting (XSS).² |
| ASP | CWE-319 | Open communications scheme detected in ASP code.² |
| ASP | CWE-79 | Checks for proper validation using Server.HTMLEncode. |
| C/C++ | CWE-367 | Potentially dangerous use of temp file name function. Corrected context and auto fix enabled.³ |
| C/C++ | CWE-78 | Potential command injection detected. Expanded coverage.³ |
| C/C++ | CWE-250 | CreateFile call which appears to violate the principle of least privilege.² |
| C/C++ | CWE-250 | CreateNamedPipe is missing the FILE_FLAG_FIRST_PIPE_INSTANCE flag.² |
| C/C++ | CWE-757 | Insecure use of SSL/TLS protocol discovered.² |
| C/C++ | CWE-295 | Potentially dangerous use of Curl configuration discovered (seven different rules in this category).² |
| C/C++ | CWE-427 | Potential registry manipulation violating the principle of least privilege detected.² |
| C/C++ | CWE-611 | Unsafe external entity processing enabled.² |
| ColdFusion | CWE-524 | cfCache caching secure pages.² |
| ColdFusion | CWE-502 | cfWddx missing WDDX validation.² |
| ColdFusion | CWE-862 | Client not verified in cfFunction.² |
| ColdFusion | CWE-319 | Insecure communications.² |
| ColdFusion | CWE-307 | Multiple submission validation.² |
| ColdFusion | CWE-327 | Unsafe algorithm used in encrypt function.² |
| CSS | CWE-79 | Adjusted to avoid noisy findings. |
| Dart | CWE-522 | AutoComplete turned on for potentially sensitive field.² |
| Dart | CWE-319 | Open communications scheme detected with HttpServer.² |
| Dart | CWE-319 | Open socket communications detected.² |
| Dart | CWE-319 | Open communications scheme with Uri detected.² |
| Dart | CWE-79 | Insecure use of window open in Dart code.² |
| Dart | CWE-319 | Open communications scheme detected in string.² |
| Dart | CWE-79 | Unsafe content security policy keyword found.² |
| Dart | CWE-328 | More selective when presenting findings, avoiding more obvious noisy findings. |
| Dart | CWE-319 | Adjusted to avoid noisy findings. |
| Docker | CWE-770 | Limit CPU to prevent a denial-of-service (DoS) attack.² |
| Docker | CWE-770 | Limit the number of restarts on failure to prevent a denial-of-service (DoS).² |
| Go | CWE-489 | Debugging package pprof for HTTP detected.² |
| Go | CWE-1004 | Golang code contains insecure http.Cookie.² |
| Go | CWE-319 | Open communications scheme detected in Golang code.² |
| Groovy | CWE-319 | Open communications scheme detected in Groovy code.² |
| Groovy | CWE-79 | Potential cross-site scripting vulnerability detected in Groovy source code; additional autofixes added for all instances.² |
| Java | CWE-489 | Enabling debug in web security reveals data in Spring.² |
| Java | CWE-1390 | Ignoring comments in SAML leads to broken authentication.² |
| Java | CWE-548 | Insecure directory listing for default servlet in Tomcat configuration.² |
| Java | CWE-276 | Insecure file permission use detected in Java.² |
| Java | CWE-489 | Print stack trace is detected in Java code.² |
| Java | CWE-489 | Debuggable flag is set to true in Android application.² |
| Java | CWE-1188 | Improper shared preferences mode detected in Android code.² |
| JavaScript | CWE-359 | Insecure event transmission policy: corrected context and auto fix enabled.³ |
| JavaScript | CWE-79 | Potential XSS vulnerability detected in jQuery.append. Faster performance now.³ |
| JavaScript | CWE-79 | Overriding the Mustache escape method is dangerous.² |
| JavaScript | CWE-319 | Insecure event transmission policy.² |
| JavaScript | CWE-200 | Added a check for dangerous target-origin checks in window.postMessage calls. |
| JavaScript | CWE-913 | Modified to avoid noisy findings. |
| Java source code scanner | CWE-918 | Looking for SSRF in RestTemplate().exchange calls. |
| Java source code scanner | CWE-303 | Looking for dangerous NoOpPasswordEncoder.getInstance calls. |
| Java source code scanner | CWE-89 | Looking for additional SQLi cases. |
| Java source code scanner | CWE-22 | Looking in more places for possible path traversal issues. |
| Java source code scanner | CWE-798 | Looking for hard-coded credentials in HashMap.put calls and setters. |
| jQuery | CWE-79 | Modified to avoid noisy findings. |
| Kotlin | CWE-319 | Open communication detected in Kotlin code.² |
| NodeJS | CWE-614 | Cookie is missing a security flag or has a flag set to an insecure value.² |
| NodeJS | CWE-328 | Unsafe algorithm is used in crypto createCipheriv.² |
| NodeJS | CWE-295 | Insecure configuration disabling SSL certificate verification in node-curl.² |
| NodeJS | CWE-78 | Exec shell spawn discovered.² |
| NodeJS | CWE-1004 | Insecure configuration: missing HTTPOnly cookie attribute.² |
| Objective-C | CWE-319 | Open communications scheme detected in Objective-C code.² |
| Objective-C | CWE-798 | Modified to avoid some additional noisy findings. |
| PHP | CWE-1004¹ | Sensitive cookie without HttpOnly flag.² |
| PHP | CWE-614¹ | Sensitive cookie in HTTPS session without Secure attribute.² |
| PHP | CWE-79¹ | Embedded PHP variable detected.² |
| PHP | CWE-98¹ | Potential file inclusion vulnerability detected in PHP code.² |
| PHP | CWE-611¹ | XML external entity injection detected in PHP code.² |
| PHP | CWE-78 | PHP command execution potentially using user-supplied data. Expanded coverage.³ |
| PHP | CWE-644 | Potential header injection discovered. Expanded coverage.³ |
| PHP | CWE-327 | Insecure algorithm use detected, with expanded checks. Expanded coverage.³ |
| PHP | CWE-319 | Open communication detected in PHP Symfony framework.² |
| PHP | CWE-1004 | Missing or insecure HTTPOnly flag in setcookie.² |
| PHP | CWE-319 | Open communications scheme detected.² |
| PHP | CWE-544 | The error_reporting directive has not been set to allow the highest level of error reporting possible.² |
| PHP | CWE-798 | Checks the value and ascertains whether it is truly a string literal representing a likely plain-text password stored in the code. |
| PL/SQL | CWE-331 | Insecure use of DBMS_RANDOM.² |
| Python | CWE-311 | URL using http. Expanded coverage.³ |
| Python | CWE-311 | TOCTTOU race condition with temporary file. Fixed coverage and enabled auto fix.³ |
| Python | CWE-367 | TOCTTOU race condition with temporary file.² |
| Python | CWE-319 | URL using http.² |
| Python | CWE-78 | Python OS injection.² |
| Python | CWE-319 | Insecure FTP usage.² |
| Python | CWE-78 | Popen command injection.² |
| Python | CWE-276 | Using 777 with umask.² |
| Python | CWE-319 | Autofix corrected to address an errant replacement in some circumstances. |
| ReactNative | CWE-319 | Open communication detected. Corrected context and auto fix enabled.³ |
| ReactNative | CWE-319 | Open communication detected.² |
| ReactNative | CWE-295 | Disabling SSL pinning detected.² |
| RPG | CWE-319 | Open communication detected in the code.² |
| Ruby | CWE-78 | Insecure use of backticks; regex needs improvement. Expanded coverage.³ |
| Ruby | CWE-78 | Insecure use of backticks. Expanded coverage.³ |
| Ruby | CWE-425 | Ruby mass assignment.² |
| Ruby | CWE-359 | Ruby information disclosure.² |
| Scala | CWE-319 | Open communications scheme detected in Scala code.² |
| Scala | CWE-79 | Potential client-side scripting vulnerability via cookie access detected in Scala source code.² |
| Secrets | CWE-1051 | Hardcoded IP address detected. Expanded coverage.³ |
| Secrets | CWE-798 | Hardcoded credentials detected. Expanded coverage.³ |
| Secrets | CWE-798 | Avoids minified JS files. |
| Secrets | CWE-798 | Avoids analyzing translation files to reduce noise. |
| Swift | CWE-319 | Open communications scheme detected in Swift code.² |
| Swift | CWE-79 | Potential cross-site scripting vulnerability when using loadRequest() in iOS UIWebView.² |
| Terraform | CWE-359 | AWS instance exposing user data secrets is detected.² |
| Terraform | CWE-778 | Azure log monitor profile should define all mandatory categories.² |
| Terraform | CWE-732 | Default service account is used at folder, project, or organization level.² |
| Terraform | CWE-671 | Email service and co-administrators are not enabled in SQL servers.² |
| Terraform | CWE-923 | Ensure Azure storage account default network access is set to Deny.² |
| Terraform | CWE-923 | Ensure GCP firewall rule does not allow unrestricted access.² |
| Terraform | CWE-732 | Google Compute instance is publicly accessible.² |
| Terraform | CWE-732 | Google storage bucket is publicly accessible.² |
| Terraform | CWE-732 | Insecure access permissions for Amazon S3 bucket.² |
| Terraform | CWE-1220 | New rule checking for egress security group cidr_blocks being set too permissively. |
| TypeScript | CWE-943 | Looks for NoSQL MongoDB injection in TypeScript files. |
| TypeScript | CWE-943 | Looks for additional SQLi cases. |
| Visual Basic | CWE-319 | Open communications scheme detected in VB code.² |
| VueJS | CWE-79 | Adjusted to avoid generating a finding if found in a method declaration. |
| Xamarin | CWE-319 | Open communication detected in Xamarin.² |