Rule updates

Rule updates in AppScan® Source version 10.7.0

  1. New rules
  2. New autofix rules
  3. Rule fixes
Language CWE Change
General CWE-319 Better handling of open communications rules for all languages to avoid noisy findings.
.NET ASP.NET CWE-1188 Cookieless session state enabled in ASP.NET project configuration.2
C# CWE-319 Open communications scheme detected.2
CWE-328 Weak cipher algorithm detected.2
CWE-327 JWT Builder with no signature verification is detected.2
VB.NET CWE-1173 HTTP request validation is disabled in VB code.2
CWE-328 Use of weak cryptographic algorithm in VB code.2
Angular CWE-94 Potential code injection vulnerability in sandbox VM.1
CWE-312 The local storage avoids setItem calls which relate to sort direction.
AngularJS CWE-477 Deprecated call found: (ng-bind-html-unsafe).2
Apex CWE-943 SOQL injection.2
CWE-943 SOSL injection.2
CWE-328 Weak hash algorithm chosen.2
CWE-79 Script or style cross-site scripting (XSS).2
ASP CWE-319 Open communications scheme detected in ASP code.2
CWE-79 Checks for proper validation using Server.HTMLEncode.
C/C++ CWE-367 Potentially dangerous use of temp file name function. Corrected context and auto fix enabled.3
CWE-78 Potential command injection detected. Expanded coverage.3
CWE-250 CreateFile call which appears to violate principle of least privilege.2
CWE-250 CreateNamedPipe is missing FILE_FLAG_FIRST_PIPE_INSTANCE flag.2
CWE-757 Insecure use of (SSL/TLS) protocol discovered.2
CWE-295 Potentially dangerous use of Curl configuration discovered (seven different rules in this category).2
CWE-427 Potential principle of least privilege registry manipulation detected.2
CWE-611 Unsafe external entity processing enabled.2
ColdFusion CWE-524 cfCache caching secure pages.2
CWE-502 cfWddx missing WDDX validation.2
CWE-862 Client not verified In cfFunction.2
CWE-319 Insecure communications.2
CWE-307 Multiple submission validation.2
CWE-327 Unsafe algorithm used in encrypt function.2
CSS CWE-79 Adjusted to avoid noisy findings.
Dart CWE-522 AutoComplete turned on for potentially sensitive field.2
CWE-319 Open communications scheme detected with HttpServer.2
CWE-319 Open socket communications detected.2
CWE-319 Open communications scheme with Uri detected.2
CWE-79 Insecure use of window open in Dart code.2
CWE-319 Open communications scheme detected in string.2
CWE-79 Unsafe content security policy keyword found.2
CWE-328 More selective when presenting findings and avoid more obvious noise findings.
CWE-319 Adjusted to avoid noisy findings.
Docker CWE-770 Limit CPU to prevent a denial-of-service (DoS) attack.2
CWE-770 Limit the number of restarts on failure to prevent a denial-of-service (DoS).2
Go CWE-489 Debugging package pprof for HTTP detected.2
CWE-1004 Golang code contains insecure http.Cookie.2
CWE-319 Open communications scheme detected in Golang code.2
Groovy CWE-319 Open communications scheme detected in Groovy code.2
CWE-79 Potential cross-site scripting vulnerability detected in Groovy source code added additional autofixes for all instances.2
Java CWE-489 Enabling debug in web security reveals data in Spring.2
CWE-1390 Ignore comments in SAML leads to broken authentication.2
CWE-548 Insecure directory listing for default servlet in tomcat configuration.2
CWE-276 Insecure file permission use detected in Java.2
CWE-489 Print stack trace is detected in Java code.2
CWE-489 Debuggable flag is set to true in Android application.2
CWE-1188 Improper shared preferences mode detected in Android code.2
JavaScript CWE-359 Insecure event transmission policy: corrected context and auto fix enabled.3
CWE-79 Potential XSS vulnerability detected in jQuery.append. Faster performance now.3
CWE-79 Overriding the Mustache escape method is dangerous.2
CWE-319 Insecure event transmission policy.2
CWE-200 Added a check for dangerous target origin checks in window.postMessage calls.
CWE-913 Modified to avoid noisy findings.
Java source code scanner CWE-918 Looking for SSRF in RestTemplate().exchange calls.
CWE-303 Looking for NoOpPasswordEncoder.getInstance dangerous calls.
CWE-89 Looking for additional cases for SQLi.
CWE-22 Looking in more places for possible path traversal issues
CWE-798 Looking for hard coded credentials in HashMap.put calls and setters.
Jquery CWE-79 Modified to avoid noisy findings.
Kotlin CWE-319 Open communication detected in Kotlin code.2
NodeJS CWE-614 Cookie is missing a security flag or has a flag set to an insecure value.2
CWE-328 Unsafe algorithm is used in crypto createCipheriv.2
CWE-295 Insecure configuration of SSL certificate verification for disabling node-curl.2
CWE-78 Exec shell spawn discovered.2
CWE-1004 Insecure configuration of missing HTTPOnly cookie attribute.2
Objective-C CWE-319 Open communications scheme detected in Objective-C code.2
CWE-798 Modified to avoid some additional noisy findings.
PHP CWE-10041 Sensitive cookie Without HttpOnly flag.2
CWE-6141 Sensitive cookie in HTTPS session without secure attribute.2
CWE-791 Embedded PHP variable detected2
CWE-981 Potential file inclusion vulnerability detected in PHP code.2
CWE-6111 XML external entity injection detected in PHP code.2
CWE-78 PHP command execution potentially using user-supplied data. Expanded coverage.3
CWE-644 Potential header injection discovered. Expanded coverage.3
CWE-327 Insecure algorithm use detected expanded checks. Expanded coverage.3
CWE-319 Open communication detected in PHP Symfony framework.2
CWE-1004 Missing or insecure HTTPOnly flag in setcookie.2
CWE-319 Open communications scheme detected.2
CWE-544 The error_reporting directive has not been set to allow the highest level of error reporting possible2
CWE-798 Checks the value and ascertains if the value is truly a string literal that represents a likely password in plain text stored in the code.
PL/SQL CWE-331 Insecure use of DBMS_RANDOM.2
Python CWE-311 URL using http. Expanded coverage.3
CWE-311 TOCTTOU race condition temporary file. Fixed coverage and enabled auto fix.3
CWE-367 TOCTTOU race condition temporary file.2
CWE-319 URL using http.2
CWE-78 Python OS injection.2
CWE-319 Insecure FTP usage.2
CWE-78 Popen command injection.2
CWE-276 Using 777 with umask.2
CWE-319 Autofix corrected to address an errant replacement in some circumstances.
ReactNative CWE-319 Open communication detected. Corrected context and auto fix enabled.3
CWE-319 Open communication detected.2
CWE-295 Disabling SSL pinning detected.2
RPG CWE-319 Open communication detected in the code.2
Ruby CWE-78 Insecure use of backticks regex needs improvement. Expanded coverage.3
CWE-78 Insecure use of backticks. Expanded coverage.3
CWE-425 Ruby mass assignment.2
CWE-359 Ruby information disclosure.2
Scala CWE-319 Open communications scheme detected in Scala code.2
CWE-79 Potential client side scripting vulnerability via cookie access detected in Scala source code.2
Secrets CWE-1051 Hardcoded IP address detected. Expanded coverage.3
CWE-798 Hardcoded credentials detected. Expanded coverage.3
CWE-798 Avoids minified JS files.
CWE-798 Avoids analyzing translation files to reduce noise
Swift CWE-319 Open communications scheme detected in Swift code.2
CWE-79 Potential cross-site scripting vulnerability when using loadRequest() in iOS UIWebView.2
Terraform CWE-359 AWS instance exposing user data secrets is detected.2
CWE-778 Azure log monitor profile should define all mandatory categories.2
CWE-732 Default service account is used at folder, project, or organization level.2
CWE-671 Email service and co-administrators are not enabled in SQL servers.2
CWE-923 Ensure Azure storage account default network access is set to Deny.2
CWE-923 Ensure GCP Firewall rule does not allow unrestricted access.2
CWE-732 Google Compute instance is publicly accessible.2
CWE-732 Google storage bucket is publicly accessible.2
CWE-732 Insecure access permissions for Amazon S3 bucket.2
CWE-1220 New rule checking for egress security group cidr_blocks being set too permissively.
TypeScript CWE-943 Looks for NoSQL MongoDB injection in TypeScript files.
CWE-943 Looks for additional cases for SQLi.
Visual Basic CWE-319 Open communications scheme detected in VB code.2
VueJS CWE-79 Adjusted to avoid generating a finding if found in a method declaration.
Xamarin CWE-319 Open communication detected in Xamarin.2