# Semgrep rules

Boost maintains its own set of Semgrep rules. Below is the list of available rules per language.
## c, cpp

| Id | Severity | Description |
|---|---|---|
| c_buffer_rule-gets--getts | High | Use of deprecated function (gets) |
| c_buffer_rule-getwd | High | Insufficient protection against buffer overflow (getwd) |
| c_buffer_rule-scanf-vscanf | High | scanf() functions may allow format string based overflows |
| c_format_rule-fprintf-vfprintf | High | Potential format string vulnerability |
| c_format_rule-printf-vprintf | High | Potential format string vulnerability |
| c_format_rule-snprintf-vsnprintf | High | Potential format string vulnerability |
| c_format_rule-syslog | High | Potential format string vulnerability in syslog call |
| c_shell_rule-CreateProcess | High | Possible executable path hijacking (CreateProcess) |
| c_shell_rule-CreateProcessAsUser-CreateProcessWithLogon | High | Possible executable path hijacking (CreateProcessAsUser/CreateProcessWithLogon) |
| c_shell_rule-execl-execlp | High | Potential for OS command injection |
| c_shell_rule-system | High | Potential for OS command injection |
| c_crypto_rule-EVP-des-ecb-EVP-des-cbc | Medium | Insecure encryption algorithm (DES) |
| c_crypto_rule-EVP-rc4-40-EVP-rc2-40-cbc | Medium | Insecure stream cipher (RC4) |
| c_crypto_rule-crypt-crypt-r | Medium | Insecure hashing algorithm |
| c_tmpfile_rule-mktemp | Medium | Use of deprecated function (mktemp) |
| c_tmpfile_rule-tmpnam-tempnam | Medium | Potential time of check time of use vulnerability (tmpnam/tempnam) |
## csharp

| Id | Severity | Description |
|---|---|---|
| csharp_deserialization_rule-InsecureDeserialization | High | Deserialization of potentially untrusted data |
| csharp_deserialization_rule-InsecureDeserializationNewtonsoft | High | Deserialization of potentially untrusted data |
| csharp_injection_rule-CommandInjection | High | Improper neutralization of special elements used in an OS command ('OS Command Injection') |
| csharp_other_rule-UnsafeXSLTSettingUsed | High | XML injection (aka Blind XPath injection) |
| csharp_crypto_rule-CertificateValidationDisabled | Medium | Certificate validation disabled |
| csharp_crypto_rule-WeakCipherAlgorithm | Medium | Use of a broken or risky cryptographic algorithm |
| csharp_crypto_rule-WeakCipherMode | Medium | Use of a broken or risky cryptographic algorithm |
| csharp_crypto_rule-WeakHashingFunction | Medium | Use of a broken or risky cryptographic algorithm (SHA1/MD5) |
| csharp_crypto_rule-WeakRNG | Medium | Use of cryptographically weak Pseudo-Random Number Generator (PRNG) |
| csharp_csrf_rule-Csrf | Medium | Potential Cross-Site Request Forgery (CSRF) |
| csharp_injection_rule-LdapInjection | Medium | Improper neutralization of special elements used in an LDAP query ('LDAP Injection') |
| csharp_injection_rule-SQLInjection | Medium | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') |
| csharp_injection_rule-XPathInjection | Medium | Improper neutralization of data within XPath expressions ('XPath Injection') |
| csharp_injection_rule-XmlDocumentXXEInjection | Medium | Improper restriction of XML external entity reference ('XXE') |
| csharp_injection_rule-XmlReaderXXEInjection | Medium | Improper restriction of XML external entity reference ('XXE') |
| csharp_path_rule-PathTraversal | Medium | Improper limitation of a pathname to a restricted directory ('Path Traversal') |
| csharp_xss_rule-HtmlElementXss | Medium | Improper neutralization of input during web page generation ('Cross-site Scripting') |
| csharp_xss_rule-ScriptXss | Medium | Improper neutralization of input during web page generation ('Cross-site Scripting') |
| csharp_cookies_rule-CookieWithoutHttpOnlyFlag | Low | Sensitive cookie without 'HttpOnly' flag |
| csharp_cookies_rule-CookieWithoutSSLFlag | Low | Sensitive cookie in HTTPS session without 'Secure' attribute |
| csharp_endpoint_rule-UnvalidatedRedirect | Info | URL redirection to untrusted site 'open redirect' |
| csharp_password_rule-PasswordComplexity | Info | Weak password requirements |
| csharp_validation_rule-InputValidation | Info | ASP.NET input validation disabled |
## generic

| Id | Severity | Description |
|---|---|---|
| rules_lgpl_oc_other_rule-ios-self-signed-ssl | Critical | Use of potentially dangerous function |
| rules_lgpl_oc_other_rule-ios-webview-ignore-ssl | Critical | Improper certificate validation |
| html_django_rule_reflected_xss | High | Improper neutralization of user input rendered in HTML ('XSS') |
## go

| Id | Severity | Description |
|---|---|---|
| go_sql_rule-concat-sqli | High | Improper neutralization of special elements used in an SQL command ('SQL Injection') |
| go_subproc_rule-subproc | High | Improper neutralization of special elements used in an OS command ('OS Command Injection') |
| go_unsafe_rule-unsafe | High | Use of inherently dangerous function (unsafe package) |
| go_blocklist_rule-blocklist-des | Medium | Use of a broken or risky cryptographic algorithm |
| go_blocklist_rule-blocklist-md5 | Medium | Use of a broken or risky cryptographic algorithm |
| go_blocklist_rule-blocklist-rc4 | Medium | Use of a broken or risky cryptographic algorithm |
| go_blocklist_rule-blocklist-sha1 | Medium | Use of a broken or risky cryptographic algorithm |
| go_crypto_rule-badtlssettings | Medium | Use of a broken or risky cryptographic algorithm |
| go_crypto_rule-insecure-ignore-host-key | Medium | Key exchange without entity authentication |
| go_crypto_rule-tlsversion | Medium | Use of deprecated TLS version |
| go_crypto_rule-weakkeystrength | Medium | Inadequate encryption strength |
| go_crypto_rule-weakrandsource | Medium | Use of cryptographically weak Pseudo-Random Number Generator (PRNG) |
| go_file-permissions_rule-fileperm | Medium | Incorrect permission assignment for critical resource |
| go_file-permissions_rule-mkdir | Medium | Incorrect permission assignment for critical resource |
| go_filesystem_rule-decompression-bomb | Medium | Improper handling of highly compressed data |
| go_filesystem_rule-fileread | Medium | Improper limitation of a pathname to a restricted directory ('Path Traversal') |
| go_filesystem_rule-httprootdir | Medium | Files or directories accessible to external parties |
| go_filesystem_rule-poorwritepermissions | Medium | Incorrect default permissions |
| go_filesystem_rule-tempfiles | Medium | Creation of temporary file with insecure permissions |
| go_filesystem_rule-ziparchive | Medium | Improper limitation of a pathname to a restricted directory ('Path Traversal') |
| go_injection_rule-ssrf | Medium | Server Side Request Forgery (SSRF) |
| go_injection_rule-template-injection | Medium | Improper neutralization of input during web page generation ('Cross-site Scripting') |
| go_leak_rule-pprof-endpoint | Medium | Active debug code (pprof enabled) |
| go_memory_rule-integer-overflow | Medium | Integer overflow or wraparound |
| go_http_rule-http-serve | Low | Allocation of resources without limits or throttling |
| go_network_rule-bind-to-all-interfaces | Low | Binding to an unrestricted IP address |
| go_memory_rule-memoryaliasing | Info | Incorrect access of indexable resource ('Range Error') |
## html

| Id | Severity | Description |
|---|---|---|
| html_generic_rule_reflected_xss | High | Improper neutralization of user input rendered in HTML ('XSS') |
| html_tornado_rule_reflected_xss | High | Improper neutralization of user input rendered in HTML ('XSS') |
## java

| Id | Severity | Description |
|---|---|---|
| java_password_rule-ConstantDBPassword | Critical | Use of hard-coded password |
| java_password_rule-EmptyDBPassword | Critical | Missing authentication for critical function (database) |
| rules_lgpl_java_webview_rule-webview-external-storage | Critical | Exposed dangerous method or function |
| java_cookie_rule-HttpResponseSplitting | High | Improper neutralization of CRLF sequences in HTTP headers ('HTTP Response Splitting') |
| java_cookie_rule-RequestParamToHeader | High | Improper neutralization of CRLF sequences in HTTP headers ('HTTP Response Splitting') |
| java_inject_rule-CommandInjection | High | Improper neutralization of special elements used in an OS command ('OS Command Injection') |
| java_inject_rule-FileDisclosureRequestDispatcher | High | Files or directories accessible to external parties |
| java_inject_rule-FileDisclosureSpringFramework | High | Files or directories accessible to external parties |
| java_inject_rule-OgnlInjection | High | Expression injection (OGNL) |
| java_ldap_rule-AnonymousLDAP | High | Missing authentication for critical function (LDAP) |
| java_password_rule-HardcodePassword | High | Use of hard-coded password |
| java_rule_sql_injection | High | Unsafe SQL query with non parameterized parameters in Java |
| java_script_rule-ScriptInjection | High | Improper control of generation of code ('Code Injection') |
| java_script_rule-SpringSpelExpressionParser | High | Improper neutralization of special elements used in an expression language statement ('Expression Language Injection') |
| java_templateinjection_rule-TemplateInjection | High | Improper control of generation of code ('Code Injection') |
| java_xml_rule-XmlDecoder | High | Deserialization of untrusted data |
| java_xss_injection | High | XSS vulnerability in Java web application |
| java_crypto_rule-BlowfishKeySize | Medium | Inadequate encryption strength |
| java_crypto_rule-CipherDESInsecure | Medium | Inadequate encryption strength |
| java_crypto_rule-CipherDESedeInsecure | Medium | Use of a broken or risky cryptographic algorithm |
| java_crypto_rule-CipherECBMode | Medium | Use of a broken or risky cryptographic algorithm |
| java_crypto_rule-CipherIntegrity | Medium | Use of a broken or risky cryptographic algorithm |
| java_crypto_rule-CipherPaddingOracle | Medium | Use of a broken or risky cryptographic algorithm |
| java_crypto_rule-CustomMessageDigest | Medium | Use of a broken or risky cryptographic algorithm |
| java_crypto_rule-HazelcastSymmetricEncryption | Medium | Inadequate encryption strength |
| java_crypto_rule-InsufficientKeySizeRsa | Medium | Inadequate encryption strength |
| java_crypto_rule-NullCipher | Medium | Use of a broken or risky cryptographic algorithm |
| java_crypto_rule-RsaNoPadding | Medium | Use of RSA algorithm without OAEP |
| java_crypto_rule-WeakMessageDigest | Medium | Use of a broken or risky cryptographic algorithm (SHA1/MD5) |
| java_crypto_rule-WeakTLSProtocol-DefaultHttpClient | Medium | Improper certificate validation |
| java_crypto_rule-WeakTLSProtocol-SSLContext | Medium | Improper certificate validation |
| java_crypto_rule-WeakTLSProtocolVersion | Medium | Inadequate encryption strength |
| java_endpoint_rule-HostnameVerifier | Medium | Improper certificate validation |
| java_endpoint_rule-X509TrustManager | Medium | Improper certificate validation |
| java_inject_rule-HttpParameterPollution | Medium | Improper neutralization of argument delimiters in a command ('Argument Injection') |
| java_inject_rule-LDAPInjection | Medium | Improper neutralization of special elements used in an LDAP query ('LDAP Injection') |
| java_inject_rule-SpotbugsPathTraversalAbsolute | Medium | Improper limitation of a pathname to a restricted directory ('Path Traversal') |
| java_perm_rule-DangerousPermissions | Medium | Incorrect permission assignment for critical resource |
| java_perm_rule-OverlyPermissiveFilePermissionInline | Medium | Incorrect permission assignment for critical resource |
| java_smtp_rule-InsecureSmtp | Medium | Improper validation of certificate with host mismatch |
| java_ssrf_rule-SSRF | Medium | Server-Side Request Forgery (SSRF) |
| java_strings_rule-FormatStringManipulation | Medium | Use of externally-controlled format string |
| java_xml_rule-SAMLIgnoreComments | Medium | Weak authentication |
| java_xml_rule-XsltTransform | Medium | XML injection (aka Blind XPath injection) |
| java_xss_rule-WicketXSS | Medium | Improper neutralization of input during web page generation ('Cross-site Scripting') |
| java_xss_rule-XSSReqParamToServletWriter | Medium | Improper neutralization of input during web page generation ('Cross-site Scripting') |
| java_xxe_rule-XMLRdr | Medium | Improper restriction of XML external entity reference ('XXE') |
| rules_lgpl_java_webview_rule-ignore-ssl-certificate-errors | Medium | Improper certificate validation |
| rules_lgpl_java_webview_rule-webview-debugging | Medium | Active debug code |
| rules_lgpl_java_webview_rule-webview-set-allow-file-access | Medium | External control of file name or path |
| scala_xml_rule-XsltTransform | Medium | XML injection (aka Blind XPath injection) |
| java_cookie_rule-CookieInsecure | Low | Sensitive cookie in HTTPS session without 'Secure' attribute |
| java_cors_rule-PermissiveCORSInjection | Low | Permissive cross-domain policy with untrusted domains |
| java_smtp_rule-SmtpClient | Low | Improper neutralization of special elements used in a command |
| java_unsafe_rule-ExternalConfigControl | Low | External control of system or configuration setting |
| java_endpoint_rule-UnvalidatedRedirect | Info | URL redirection to untrusted site ('Open Redirect') |
| java_file_rule-FileUploadFileName | Info | Improper limitation of a pathname to a restricted directory ('Path Traversal') |
| java_file_rule-FilenameUtils | Info | Improper limitation of a pathname to a restricted directory ('Path Traversal') |
| java_inject_rule-ELInjection | Info | Improper neutralization of special elements used in an expression language statement ('Expression Language Injection') |
| java_strings_rule-BadHexConversion | Info | Incorrect type conversion or cast |
| java_strings_rule-ModifyAfterValidation | Info | Collapse of data into unsafe value |
| java_strings_rule-NormalizeAfterValidation | Info | Incorrect behavior order: validate before canonicalize |
## javascript

| Id | Severity | Description |
|---|---|---|
| rules_lgpl_javascript_database_rule-node-knex-sqli-injection | Critical | Improper neutralization of special elements used in an SQL command (SQL Injection) |
| rules_lgpl_javascript_database_rule-node-nosqli-injection | Critical | Improper neutralization of special elements in data query logic |
| rules_lgpl_javascript_database_rule-node-nosqli-js-injection | Critical | Improper neutralization of special elements in data query logic |
| rules_lgpl_javascript_database_rule-node-sqli-injection | Critical | Improper neutralization of special elements used in an SQL command (SQL Injection) |
| rules_lgpl_javascript_database_rule-sequelize-weak-tls | Critical | Selection of Less-Secure Algorithm During Negotiation (Algorithm Downgrade) |
| rules_lgpl_javascript_electronjs_rule-electron-allow-http | Critical | Cleartext Transmission of Sensitive Information |
| rules_lgpl_javascript_electronjs_rule-electron-disable-websecurity | Critical | Origin validation error |
| rules_lgpl_javascript_electronjs_rule-electron-experimental-features | Critical | Least privilege violation |
| rules_lgpl_javascript_eval_rule-eval-require | Critical | Use of incorrectly-resolved name or reference |
| rules_lgpl_javascript_eval_rule-sandbox-code-injection | Critical | Improper control of generation of code (Code Injection) |
| rules_lgpl_javascript_eval_rule-server-side-template-injection | Critical | Improper control of generation of code (Code Injection) |
| rules_lgpl_javascript_eval_rule-vm-code-injection | Critical | Improper control of generation of code (Code Injection) |
| rules_lgpl_javascript_eval_rule-vm-compilefunction-injection | Critical | Improper control of generation of code (Code Injection) |
| rules_lgpl_javascript_eval_rule-vm-runincontext-injection | Critical | Improper control of generation of code (Code Injection) |
| rules_lgpl_javascript_eval_rule-vm-runinnewcontext-injection | Critical | Improper control of generation of code (Code Injection) |
| rules_lgpl_javascript_eval_rule-vm2-code-injection | Critical | Improper control of generation of code (Code Injection) |
| rules_lgpl_javascript_eval_rule-vm2-context-injection | Critical | Improper control of generation of code (Code Injection) |
| rules_lgpl_javascript_exec_rule-shelljs-os-command-exec | Critical | Improper neutralization of special elements used in an OS command ('OS Command Injection') |
| rules_lgpl_javascript_headers_rule-generic-header-injection | Critical | Improper neutralization of HTTP headers for scripting syntax |
| rules_lgpl_javascript_jwt_rule-jwt-express-hardcoded | Critical | Insufficiently protected credentials |
| rules_lgpl_javascript_jwt_rule-node-jwt-none-algorithm | Critical | Use of a broken or risky cryptographic algorithm |
| rules_lgpl_javascript_redirect_rule-express-open-redirect | Critical | URL redirection to untrusted site 'open redirect' |
| rules_lgpl_javascript_redirect_rule-express-open-redirect2 | Critical | URL redirection to untrusted site 'open redirect' |
| rules_lgpl_javascript_ssrf_rule-phantom-ssrf | Critical | Server-side request forgery (SSRF) |
| rules_lgpl_javascript_ssrf_rule-playwright-ssrf | Critical | Server-side request forgery (SSRF) |
| rules_lgpl_javascript_ssrf_rule-puppeteer-ssrf | Critical | Server-side request forgery (SSRF) |
| rules_lgpl_javascript_ssrf_rule-wkhtmltopdf-ssrf | Critical | Server-side request forgery (SSRF) |
| rules_lgpl_javascript_xml_rule-node-entity-expansion | Critical | Improper restriction of recursive entity references in DTDs (XML Entity Expansion) |
| rules_lgpl_javascript_xml_rule-node-xpath-injection | Critical | Improper neutralization of data within XPath expressions (XPath Injection) |
| rules_lgpl_javascript_xml_rule-node-xxe | Critical | Improper restriction of XML external entity reference |
| rules_lgpl_javascript_xml_rule-xxe-expat | Critical | Improper restriction of XML external entity reference |
| rule-js-ts-child-process-exec-injection | High | Command injection using exec() from child_process |
| rules_lgpl_javascript_database_rule-sequelize-tls-cert-validation | High | Improper certificate validation |
| rules_lgpl_javascript_eval_rule-eval-nodejs | High | Improper neutralization of directives in dynamically evaluated code ('Eval Injection') |
| rules_lgpl_javascript_jwt_rule-hardcoded-jwt-secret | High | Use of hard-coded credentials |
| rules_lgpl_javascript_jwt_rule-jwt-exposed-credentials | High | Insufficiently protected credentials |
| rules_lgpl_javascript_jwt_rule-jwt-exposed-data | High | Insufficiently protected credentials |
| rules_lgpl_javascript_jwt_rule-jwt-not-revoked | High | Insufficiently protected credentials |
| rules_lgpl_javascript_ssrf_rule-node-ssrf | High | Server-side request forgery (SSRF) |
| javascript_buf_rule-buffer-noassert-read | Medium | Out-of-bounds read |
| javascript_buf_rule-buffer-noassert-write | Medium | Out-of-bounds write |
| javascript_timing_rule-possible-timing-attacks | Medium | Observable timing discrepancy |
| rules_lgpl_javascript_crypto_rule-node-aes-ecb | Medium | Use of a broken or risky cryptographic algorithm |
| rules_lgpl_javascript_crypto_rule-node-aes-noiv | Medium | Use of a broken or risky cryptographic algorithm |
| rules_lgpl_javascript_crypto_rule-node-insecure-random-generator | Medium | Use of cryptographically weak pseudo-random number generator (PRNG) |
| rules_lgpl_javascript_crypto_rule-node-md5 | Medium | Use of weak hash |
| rules_lgpl_javascript_crypto_rule-node-sha1 | Medium | Use of weak hash |
| rules_lgpl_javascript_crypto_rule-node-timing-attack | Medium | Observable timing discrepancy |
| rules_lgpl_javascript_crypto_rule-node-tls-reject | Medium | Improper Certificate Validation |
| rules_lgpl_javascript_crypto_rule-node-weak-crypto | Medium | Use of a broken or risky cryptographic algorithm |
| rules_lgpl_javascript_database_rule-sequelize-tls | Medium | Cleartext transmission of sensitive information |
| rules_lgpl_javascript_dos_rule-layer7-object-dos | Medium | Unchecked input for loop condition |
| rules_lgpl_javascript_dos_rule-regex-dos | Medium | Incorrect regular expression |
| rules_lgpl_javascript_electronjs_rule-electron-blink-integration | Medium | Least privilege violation |
| rules_lgpl_javascript_electronjs_rule-electron-context-isolation | Medium | Improperly controlled modification of object prototype attributes ('Prototype Pollution') |
| rules_lgpl_javascript_electronjs_rule-electron-nodejs-integration | Medium | Least privilege violation |
| rules_lgpl_javascript_headers_rule-cookie-session-no-httponly | Medium | Sensitive cookie without 'HttpOnly' flag |
| rules_lgpl_javascript_headers_rule-cookie-session-no-samesite | Medium | Sensitive cookie with improper SameSite attribute |
| rules_lgpl_javascript_headers_rule-cookie-session-no-secure | Medium | Sensitive cookie in HTTPS session without 'Secure' attribute |
| rules_lgpl_javascript_headers_rule-express-cors | Medium | Origin validation error |
| rules_lgpl_javascript_headers_rule-generic-cors | Medium | Origin validation error |
| rules_lgpl_javascript_headers_rule-header-xss-generic | Medium | Improperly implemented security check for standard |
| rules_lgpl_javascript_headers_rule-header-xss-lusca | Medium | Improperly implemented security check for standard |
| rules_lgpl_javascript_headers_rule-helmet-feature-disabled | Medium | Improperly implemented security check for standard |
| rules_lgpl_javascript_headers_rule-host-header-injection | Medium | Use of less trusted source |
| rules_lgpl_javascript_ssrf_rule-wkhtmltoimage-ssrf | Medium | Server-side request forgery (SSRF) |
| rules_lgpl_javascript_traversal_rule-admzip-path-overwrite | Medium | Improper limitation of a pathname to a restricted directory ('Path Traversal') |
| rules_lgpl_javascript_traversal_rule-express-lfr | Medium | Relative path traversal |
| rules_lgpl_javascript_traversal_rule-express-lfr-warning | Medium | Relative path traversal |
| rules_lgpl_javascript_traversal_rule-generic-path-traversal | Medium | Relative path traversal |
| rules_lgpl_javascript_traversal_rule-join-resolve-path-traversal | Medium | Improper limitation of a pathname to a restricted directory ('Path Traversal') |
| rules_lgpl_javascript_traversal_rule-tar-path-overwrite | Medium | Improper limitation of a pathname to a restricted directory ('Path Traversal') |
| rules_lgpl_javascript_traversal_rule-zip-path-overwrite | Medium | Improper limitation of a pathname to a restricted directory ('Path Traversal') |
| rules_lgpl_javascript_headers_rule-cookie-session-default | Info | Insufficiently protected credentials |
| rules_lgpl_javascript_headers_rule-cookie-session-no-domain | Info | Insufficiently protected credentials |
| rules_lgpl_javascript_headers_rule-cookie-session-no-maxage | Info | Insufficient session expiration |
| rules_lgpl_javascript_headers_rule-cookie-session-no-path | Info | Insufficiently protected credentials |
| rules_lgpl_javascript_xss_rule-xss-disable-mustache-escape | Warning | None |
## javascript, typescript

| Id | Severity | Description |
|---|---|---|
| rules_lgpl_javascript_eval_rule-grpc-insecure-connection | Critical | Deserialization of Untrusted Data |
| rules_lgpl_javascript_eval_rule-node-deserialize | Critical | Deserialization of Untrusted Data |
| rules_lgpl_javascript_eval_rule-serializetojs-deserialize | Critical | Deserialization of Untrusted Data |
| rules_lgpl_javascript_eval_rule-yaml-deserialize | Critical | Deserialization of Untrusted Data |
| javascript_eval_rule-eval-with-expression | High | Improper neutralization of directives in dynamically evaluated code ('Eval Injection') |
| javascript-rule-xss-angular | Medium | Use of bypassSecurityTrust* method in Angular ('Cross-site Scripting') |
| javascript-rule-xss-react | Medium | Improper neutralization of input during web page generation ('Cross-site Scripting') |
| javascript-rule-xss-svelte | Medium | Use of {@html * } in Svelte ('Cross-site Scripting') |
| javascript-rule-xss-vuejs | Medium | Usage of v-html in Vue js ('Cross-site Scripting') |
| javascript_buf_rule-detect-new-buffer | Medium | Allocation of resources without limits or throttling |
| javascript_dos_rule-non-literal-regexp | Medium | Regular expression with non-literal value |
| javascript_pathtraversal_rule-non-literal-fs-filename | Medium | Improper limitation of a pathname to a restricted directory ('Path Traversal') |
| javascript_random_rule-pseudo-random-bytes | Medium | Use of cryptographically weak pseudo-random number generator (PRNG) |
| javascript_xss_rule-mustache-escape | Medium | Improper neutralization of input during web page generation (XSS) |
| rules-javascript-xss-generic | Medium | Improper neutralization of input during web page generation ('Cross-site Scripting') |
| rules_javascript_xss_bad_csp | Medium | Unsafe CSP header |
| rules_lgpl_javascript_xss_rule-handlebars-noescape | Medium | Improper neutralization of script-related HTML tags in a web page (basic XSS) |
| rules_lgpl_javascript_xss_rule-handlebars-safestring | Medium | Improper neutralization of input during web page generation (Cross-site Scripting) |
| rules_lgpl_javascript_xss_rule-squirrelly-autoescape | Medium | Improper neutralization of input during web page generation ('Cross-site Scripting') |
| rules_lgpl_javascript_xss_rule-xss-serialize-javascript | Medium | Improper neutralization of script-related HTML tags in a web page (basic XSS) |
| javascript_require_rule-non-literal-require | Low | Improper neutralization of directives in dynamically evaluated code ('Eval Injection') |
## kotlin

| Id | Severity | Description |
|---|---|---|
| kotlin_cookie_rule-RequestParamToHeader | Critical | Improper neutralization of CRLF sequences in HTTP headers ('HTTP Response Splitting') |
| kotlin_cors_rule-PermissiveCORSInjection | Critical | Permissive cross-domain policy with untrusted domains |
| kotlin_crypto_rule-CipherECBMode | Critical | Inadequate Encryption Strength |
| kotlin_crypto_rule-CipherIntegrity | Critical | Use of a broken or risky cryptographic algorithm |
| kotlin_crypto_rule-CipherPaddingOracle | Critical | Use of a broken or risky cryptographic algorithm |
| kotlin_endpoint_rule-UnvalidatedRedirect | Critical | URL redirection to untrusted site ('Open Redirect') |
| kotlin_file_rule-FileUploadFileName | Critical | Improper limitation of a pathname to a restricted directory ('Path Traversal') |
| kotlin_inject_rule-FileDisclosure | Critical | Files or directories accessible to external parties |
| kotlin_inject_rule-HttpParameterPollution | Critical | Improper neutralization of argument delimiters in a command ('Argument Injection') |
| kotlin_inject_rule-SqlInjection | Critical | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') |
| kotlin_password_rule-ConstantDBPassword | Critical | Use of hard-coded password |
| kotlin_password_rule-EmptyDBPassword | Critical | Missing authentication for critical function (database) |
| kotlin_script_rule-ScriptInjection | Critical | Improper control of generation of code ('Code Injection') |
| kotlin_smtp_rule-InsecureSmtp | Critical | Improper validation of certificate with host mismatch |
| kotlin_smtp_rule-SmtpClient | Critical | Improper neutralization of special elements used in a command |
| kotlin_ssrf_rule-SSRF | Critical | Server-Side Request Forgery (SSRF) |
| kotlin_strings_rule-FormatStringManipulation | Critical | Use of externally-controlled format string |
| kotlin_templateinjection_rule-TemplateInjection | Critical | Improper control of generation of code ('Code Injection') |
| kotlin_xpathi_rule-XpathInjection | Critical | Improper neutralization of data within XPath expressions ('XPath Injection') |
| kotlin_xxe_rule-SaxParserXXE | Critical | Improper restriction of XML external entity reference ('XXE') |
| kotlin_xxe_rule-XMLRdr | Critical | Improper restriction of XML external entity reference ('XXE') |
| kotlin_xxe_rule-XMLStreamRdr | Critical | Improper restriction of XML external entity reference ('XXE') |
| kotlin_password_rule-HardcodePassword | High | Use of hard-coded password |
| kotlin_cookie_rule-CookieHTTPOnly | Medium | Sensitive cookie without 'HttpOnly' flag |
| kotlin_cookie_rule-CookieInsecure | Medium | Sensitive cookie in HTTPS session without 'Secure' attribute |
| kotlin_cookie_rule-HttpResponseSplitting | Medium | Improper neutralization of CRLF sequences in HTTP headers ('HTTP Response Splitting') |
| kotlin_crypto_rule-BlowfishKeySize | Medium | Inadequate encryption strength |
| kotlin_crypto_rule-CipherDESInsecure | Medium | Inadequate encryption strength |
| kotlin_crypto_rule-CipherDESedeInsecure | Medium | Use of a broken or risky cryptographic algorithm |
| kotlin_crypto_rule-CustomMessageDigest | Medium | Use of a broken or risky cryptographic algorithm |
| kotlin_crypto_rule-HazelcastSymmetricEncryption | Medium | Inadequate encryption strength |
| kotlin_crypto_rule-InsufficientKeySizeRsa | Medium | Inadequate encryption strength |
| kotlin_crypto_rule-NullCipher | Medium | Use of a broken or risky cryptographic algorithm |
| kotlin_crypto_rule-RsaNoPadding | Medium | Use of RSA algorithm without OAEP |
| kotlin_crypto_rule-WeakMessageDigest | Medium | Use of a broken or risky cryptographic algorithm (SHA1/MD5) |
| kotlin_crypto_rule-WeakTLSProtocol | Medium | Improper certificate validation |
| kotlin_crypto_rule-WeakTLSProtocolVersion | Medium | Inadequate encryption strength |
| kotlin_csrf_rule-SpringCSRFDisabled | Medium | Cross-Site Request Forgery (CSRF) |
| kotlin_endpoint_rule-WeakHostNameVerification | Medium | Improper Certificate Validation |
| kotlin_file_rule-FilenameUtils | Medium | Improper limitation of a pathname to a restricted directory ('Path Traversal') |
| kotlin_inject_rule-CommandInjection | Medium | Improper neutralization of special elements used in an OS command ('OS Command Injection') |
| kotlin_inject_rule-ELInjection | Medium | Improper neutralization of special elements used in an expression language statement ('Expression Language Injection') |
| kotlin_inject_rule-LDAPInjection | Medium | Improper neutralization of special elements used in an LDAP query ('LDAP Injection') |
| kotlin_inject_rule-OgnlInjection | Medium | Expression injection (OGNL) |
| kotlin_inject_rule-SpotbugsPathTraversalAbsolute | Medium | Improper limitation of a pathname to a restricted directory ('Path Traversal') |
| kotlin_ldap_rule-AnonymousLDAP | Medium | Missing authentication for critical function (LDAP) |
| kotlin_perm_rule-DangerousPermissions | Medium | Insecure inherited permissions |
| kotlin_perm_rule-OverlyPermissiveFilePermissionInline | Medium | Incorrect permission assignment for critical resource |
| kotlin_strings_rule-BadHexConversion | Medium | Incorrect type conversion or cast |
| kotlin_strings_rule-ModifyAfterValidation | Medium | Collapse of data into unsafe value |
| kotlin_strings_rule-NormalizeAfterValidation | Medium | Incorrect behavior order: validate before canonicalize |
| kotlin_unsafe_rule-ExternalConfigControl | Medium | External control of system or configuration setting |
| kotlin_xml_rule-SAMLIgnoreComments | Medium | Weak authentication |
| kotlin_xml_rule-XmlDecoder | Medium | Deserialization of untrusted data |
| kotlin_xml_rule-XsltTransform | Medium | XML injection (aka Blind XPath injection) |
| kotlin_xss_rule-WicketXSS | Medium | Improper neutralization of input during web page generation ('Cross-site Scripting') |
| kotlin_xss_rule-XSSReqParamToServletWriter | Medium | Improper neutralization of input during web page generation ('Cross-site Scripting') |
| rules_lgpl_kotlin_other_rule-android-kotlin-webview-debug | Medium | Leftover debug code |
## python

| Id | Severity | Description |
|---|---|---|
| pyramid_jinja2_reflected_xss | High | Improper neutralization of user input rendered in HTML ('XSS') |
| pyramid_unsafe_user_input | High | Improper neutralization of user input rendered in HTML ('XSS') |
| python_deserialization_rule-cpickle | High | Deserialization of untrusted data |
| python_deserialization_rule-dill | High | Deserialization of untrusted data |
| python_deserialization_rule-marshal | High | Deserialization of untrusted data |
| python_deserialization_rule-pickle | High | Deserialization of untrusted data |
| python_deserialization_rule-shelve | High | Deserialization of untrusted data |
| python_deserialization_rule-yaml-load | High | Deserialization of untrusted data |
| python_django_rule-django-extra-used | High | Improper neutralization of special elements used in an SQL Command ('SQL Injection') |
| python_django_rule_reflected_xss_csp | High | Unsafe Content Security Policy (CSP) settings ('XSS') |
| python_django_rule_reflected_xss_global | High | Improper neutralization of user input rendered in HTML ('XSS') in Django |
| python_django_rule_reflected_xss_httpresponse | High | Improper neutralization of user input rendered in HTML ('XSS') in Django |
| python_django_rule_reflected_xss_render | High | Improper neutralization of user input rendered in HTML ('XSS') |
| python_eval_rule-eval | High | Improper neutralization of directives in dynamically evaluated code ('Eval Injection') |
| python_exec_rule-exec-used | High | Improper neutralization of special elements used in an OS command ('OS Command Injection') |
| python_exec_rule-linux-command-wildcard-injection | High | Improper neutralization of wildcards or matching symbols |
| python_exec_rule-os-path | High | Improper neutralization of special elements used in an OS Command ('OS Command Injection') |
| python_exec_rule-os-popen2 | High | Improper neutralization of special elements used in an OS Command ('OS Command Injection') |
| python_exec_rule-start-process-with-no-shell | High | Improper neutralization of special elements used in an OS Command ('OS Command Injection') |
| python_exec_rule-subprocess-call | High | Improper neutralization of special elements used in an OS Command ('OS Command Injection') |
| python_exec_rule-subprocess-popen-shell-true | High | Improper neutralization of special elements used in an OS Command ('OS Command Injection') |
| python_exec_rule-subprocess-shell-TRUE | High | Improper neutralization of special elements used in an OS Command ('OS Command Injection') |
| python_flask_rule_reflected_xss_make_response | High | Improper neutralization of user input rendered in HTML (XSS) |
| python_flask_rule_reflected_xss_render | High | Improper neutralization of user input rendered in HTML (XSS) |
| python_flask_rule_reflected_xss_user_input | High | Improper neutralization of user input rendered in HTML (XSS) |
| python_log_rule-logging-config-insecure-listen | High | Improper control of generation of code ('Code Injection') |
| python_rule_sql_injection | High | Unsafe SQL query with non-parameterized parameters |
| python_rule_sql_injection_queries | High | Unsafe SQL query with non-parameterized parameters |
| python_rule_ssrf | High | Request to a user controllable URL leading to SSRF |
| python_tornado_rule_reflected_xss | High | Improper neutralization of user input rendered in Tornado ('XSS') |
| python_tornado_rule_reflected_xss_csp | High | Improper neutralization of user input rendered in HTML ('XSS') |
| python_tornado_rule_reflected_xss_global | High | Improper neutralization of user input rendered in HTML ('XSS') |
| python_crypto_rule-cipher-modes | Medium | Use of a broken or risky cryptographic algorithm |
| python_crypto_rule-crypto-cipher-blowfish | Medium | Use of a broken or risky cryptographic algorithm |
| python_crypto_rule-crypto-cipher-des | Medium | Use of a broken or risky cryptographic algorithm |
| python_crypto_rule-crypto-cipher-rc2 | Medium | Use of a broken or risky cryptographic algorithm |
| python_crypto_rule-crypto-cipher-rc4 | Medium | Use of a broken or risky cryptographic algorithm |
| python_crypto_rule-crypto-cipher-xor | Medium | Use of a broken or risky cryptographic algorithm |
| python_crypto_rule-crypto-encrypt-dsa-rsa | Medium | Inadequate encryption strength |
| python_crypto_rule-crypto-encrypt-ec | Medium | Inadequate encryption strength |
| python_crypto_rule-crypto-hash-md5 | Medium | Use of a broken or risky cryptographic algorithm |
| python_crypto_rule-crypto-hash-sha1 | Medium | Use of a broken or risky cryptographic algorithm |
| python_crypto_rule-crypto-hazmat-cipher-arc4 | Medium | Use of a broken or risky cryptographic algorithm |
| python_crypto_rule-crypto-hazmat-cipher-blowfish | Medium | Use of a broken or risky cryptographic algorithm |
| python_crypto_rule-crypto-hazmat-cipher-idea | Medium | Use of a Broken or Risky Cryptographic Algorithm |
| python_crypto_rule-crypto.hazmat-hash-md5 | Medium | Use of a broken or risky cryptographic algorithm |
| python_crypto_rule-crypto.hazmat-hash-sha1 | Medium | Use of a broken or risky cryptographic algorithm |
| python_crypto_rule-hash-md2 | Medium | Use of a broken or risky cryptographic algorithm |
| python_crypto_rule-hash-md4 | Medium | Use of a broken or risky cryptographic algorithm |
| python_crypto_rule-hash-md5 | Medium | Use of a broken or risky cryptographic algorithm |
| python_crypto_rule-hash-sha1 | Medium | Use of a broken or risky cryptographic algorithm |
| python_crypto_rule-hashlib-new-insecure-functions | Medium | Use of a broken or risky cryptographic algorithm |
| python_crypto_rule-import-pycrypto | Medium | Use of unmaintained third party components |
| python_escaping_rule-jinja2-autoescape-false | Medium | Improper encoding or escaping of output |
| python_escaping_rule-use-of-mako-templates | Medium | Improper neutralization of input during web page generation ('Cross-site Scripting') |
| python_file-permissions_rule-general-bad-permission | Medium | Incorrect permission assignment for critical resource |
| python_files_rule-tarfile-unsafe-members | Medium | Improper limitation of a pathname to a restricted directory ('Path Traversal') |
| python_flask_rule-app-debug | Medium | Active debug code |
| python_ftp_rule-ftplib | Medium | Cleartext transmission of sensitive information |
| python_requests_rule-request-without-timeout | Medium | Allocation of resources without limits or throttling |
| python_snmp_rule-insecure-snmp-version | Medium | Cleartext transmission of sensitive information |
| python_snmp_rule-snmp-weak-cryptography | Medium | Cleartext transmission of sensitive information |
| python_ssh_rule-ssh-nohost-key-verification | Medium | Key exchange without entity authentication |
| python_ssl_rule-req-no-certvalid | Medium | Improper certificate validation |
| python_ssl_rule-ssl-no-version | Medium | Inadequate encryption strength |
| python_ssl_rule-ssl-with-bad-version | Medium | Inadequate Encryption Strength |
| python_ssl_rule-unverified-context | Medium | Improper certificate validation |
| python_telnet_rule-import-telnib | Medium | Cleartext transmission of sensitive information |
| python_tmpdir_rule-hardcodedtmp | Medium | Insecure temporary file |
| python_tmpdir_rule-mktemp-q | Medium | Insecure temporary file |
| python_urlopen_rule-urllib-urlopen | Medium | Improper authorization in handler for custom URL scheme |
| python_xml_rule-celement | Medium | Improper restriction of XML external entity reference |
| python_xml_rule-element | Medium | Improper restriction of XML external entity reference |
| python_xml_rule-etree | Medium | Improper restriction of XML external entity reference |
| python_xml_rule-expatbuilder | Medium | Improper restriction of XML external entity reference |
| python_xml_rule-expatreader | Medium | Improper restriction of XML external entity reference |
| python_xml_rule-minidom | Medium | Improper restriction of XML external entity reference |
| python_xml_rule-pulldom | Medium | Improper restriction of XML external entity reference |
| python_xml_rule-sax | Medium | Improper restriction of XML external entity reference |
| python_bind-all-interfaces_rule-general-bindall-interfaces | Low | Binding to an unrestricted IP address |
| python_prompt_injection | Low | Prompt injection in LLM API calls |
| python_random_rule-random | Low | Use of cryptographically weak pseudo-random number generator (PRNG) |
| python_assert_rule-assert-used | Info | Improper check for unusual or exceptional conditions |
scala
| Id | Severity | Description |
|---|---|---|
| scala_password_rule-ConstantDBPassword | Critical | Use of Hard-coded Password |
| scala_password_rule-EmptyDBPassword | Critical | Use of Hard-coded Password |
| scala_cookie_rule-HttpResponseSplitting | High | Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting') |
| scala_cookie_rule-RequestParamToHeader | High | Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting') |
| scala_inject_rule-CustomInjectionSQLString | High | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') |
| scala_inject_rule-ELInjection | High | Improper Control of Generation of Code ('Code Injection') |
| scala_inject_rule-PathTraversalOut | High | Improper limitation of a pathname to a restricted directory ('Path Traversal') |
| scala_ldap_rule-EntryPoisoning | High | Improperly implemented security check for standard |
| scala_password_rule-HardcodePassword | High | Use of Hard-coded Password |
| scala_perm_rule-OverlyPermissiveFilePermissionInline | High | Incorrect Permission Assignment for Critical Resource |
| scala_smtp_rule-InsecureSmtp | High | Improper Validation of Certificate with Host Mismatch |
| scala_smtp_rule-SmtpClient | High | Improper Neutralization of Special Elements used in a Command |
| scala_unsafe_rule-ExternalConfigControl | High | External Control of System or Configuration Setting |
| scala_xml_rule-XmlDecoder | High | Deserialization of Untrusted Data |
| scala_crypto_rule-BlowfishKeySize | Medium | Inadequate Encryption Strength |
| scala_crypto_rule-CipherDESInsecure | Medium | Inadequate Encryption Strength |
| scala_crypto_rule-CipherDESedeInsecure | Medium | Inadequate Encryption Strength |
| scala_crypto_rule-CipherECBMode | Medium | Inadequate Encryption Strength |
| scala_crypto_rule-CipherIntegrity | Medium | Missing Support for Integrity Check |
| scala_crypto_rule-CipherPaddingOracle | Medium | Incorrect Behavior Order |
| scala_crypto_rule-CustomMessageDigest | Medium | Use of a Broken or Risky Cryptographic Algorithm |
| scala_crypto_rule-HazelcastSymmetricEncryption | Medium | Inadequate Encryption Strength |
| scala_crypto_rule-InsufficientKeySizeRsa | Medium | Inadequate Encryption Strength |
| scala_crypto_rule-NullCipher | Medium | Use of a Broken or Risky Cryptographic Algorithm |
| scala_crypto_rule-RsaNoPadding | Medium | Use of RSA Algorithm without OAEP |
| scala_crypto_rule-WeakMessageDigest | Medium | Inadequate Encryption Strength |
| scala_crypto_rule-WeakTLSProtocol | Medium | Improper Certificate Validation |
| scala_endpoint_rule-JaxRsEndpoint | Medium | Use of less trusted source |
| scala_file_rule-FilenameUtils | Medium | Improper limitation of a pathname to a restricted directory ('Path Traversal') |
| scala_inject_rule-LDAPInjection | Medium | Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection') |
| scala_inject_rule-OgnlInjection | Medium | Expression injection (OGNL) |
| scala_inject_rule-PathTraversalIn | Medium | Improper limitation of a pathname to a restricted directory ('Path Traversal') |
| scala_inject_rule-SqlInjection | Medium | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') |
| scala_perm_rule-OverlyPermissiveFilePermissionObj | Medium | Incorrect Permission Assignment for Critical Resource |
| scala_script_rule-SpelView | Medium | Improper Control of Generation of Code ('Code Injection') |
| scala_ssrf_rule-PlaySSRF | Medium | Server-Side Request Forgery (SSRF) |
| scala_strings_rule-BadHexConversion | Medium | Incorrect Type Conversion or Cast |
| scala_strings_rule-ImproperUnicode | Medium | Improper Handling of Unicode Encoding |
| scala_xml_rule-SAMLIgnoreComments | Medium | Weak authentication |
| scala_xpathi_rule-XpathInjection | Medium | Improper Restriction of XML External Entity Reference ('XXE') |
| scala_xss_rule-RequestWrapper | Medium | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
| scala_xss_rule-WicketXSS | Medium | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
| scala_xss_rule-XSSReqParamToServletWriter | Medium | Improper Neutralization of Input During Web Page Generation |
| scala_xxe_rule-Document | Medium | Improper Restriction of XML External Entity Reference ('XXE') |
| scala_xxe_rule-Trans | Medium | Improper Restriction of XML External Entity Reference ('XXE') |
| scala_xxe_rule-XMLRdr | Medium | Improper Restriction of XML External Entity Reference ('XXE') |
| scala_xxe_rule-XMLStreamRdr | Medium | Improper Restriction of XML External Entity Reference ('XXE') |
| scala_xxe_rule-XPathXXE | Medium | Improper Restriction of XML External Entity Reference ('XXE') |
| scala_cookie_rule-CookieHTTPOnly | Low | Sensitive Cookie Without 'HttpOnly' Flag |
| scala_cookie_rule-CookieInsecure | Low | Information Exposure Through Persistent Cookies |
| scala_cors_rule-PermissiveCORSInjection | Low | Permissive Cross-domain Policy with Untrusted Domains |
| scala_inject_rule-CustomInjection | Low | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') |
| scala_ssrf_rule-SSRF | Low | Server-Side Request Forgery (SSRF) |
| scala_unsafe_rule-InformationExposure | Low | Information Exposure Through an Error Message |
| scala_cookie_rule-CookiePersistent | Info | Sensitive Cookie in HTTPS Session Without 'Secure' Attribute |
| scala_cookie_rule-CookieUsage | Info | Sensitive Cookie in HTTPS Session Without 'Secure' Attribute |
| scala_cookie_rule-RequestParamToCookie | Info | Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting') |
| scala_cookie_rule-TrustBoundaryViolation | Info | Trust Boundary Violation |
| scala_cors_rule-PermissiveCORS | Info | Permissive Cross-domain Policy with Untrusted Domains |
| scala_crypto_rule-DefaultHTTPClient | Info | Inadequate encryption strength |
| scala_endpoint_rule-JaxWsEndpoint | Info | Use of less trusted source |
| scala_endpoint_rule-UnencryptedSocket | Info | Cleartext transmission of sensitive information |
| scala_endpoint_rule-UnvalidatedRedirect | Info | URL Redirection to Untrusted Site ('Open Redirect') |
| scala_endpoint_rule-WeakHostNameVerification | Info | Improper Certificate Validation |
| scala_file_rule-FileUploadFileName | Info | Improper limitation of a pathname to a restricted directory ('Path Traversal') |
| scala_form_rule-FormValidate | Info | Improper validation of unsafe equivalence in input |
| scala_inject_rule-AWSQueryInjection | Info | Improper Neutralization of Special Elements in Data Query Logic |
| scala_inject_rule-BeanPropertyInjection | Info | External Control of System or Configuration Setting |
| scala_inject_rule-CLRFInjectionLogs | Info | Improper Neutralization of CRLF Sequences ('CRLF Injection') |
| scala_inject_rule-CommandInjection | Info | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') |
| scala_inject_rule-FileDisclosure | Info | Files or Directories Accessible to External Parties |
| scala_inject_rule-HttpParameterPollution | Info | Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') |
| scala_inject_rule-SpotbugsPathTraversalAbsolute | Info | Improper limitation of a pathname to a restricted directory ('Path Traversal') |
| scala_inject_rule-SpotbugsPathTraversalRelative | Info | Improper limitation of a pathname to a restricted directory ('Path Traversal') |
| scala_ldap_rule-AnonymousLDAP | Info | Improperly implemented security check for standard |
| scala_perm_rule-DangerousPermissions | Info | Insecure inherited permissions |
| scala_script_rule-ScriptInjection | Info | Improper Control of Generation of Code ('Code Injection') |
| scala_strings_rule-FormatStringManipulation | Info | Use of Externally-Controlled Format String |
| scala_strings_rule-ModifyAfterValidation | Info | Collapse of data into unsafe value |
| scala_strings_rule-NormalizeAfterValidation | Info | Collapse of data into unsafe value |
| scala_templateinjection_rule-TemplateInjection | Info | Improper Control of Generation of Code ('Code Injection') |
| scala_unsafe_rule-SensitiveDataExposure | Info | Exposure of sensitive system information to an unauthorized control sphere |
| scala_xml_rule-ApacheXmlRpc | Info | Deserialization of Untrusted Data |
| scala_xss_rule-MVCApi | Info | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
| scala_xss_rule-XSSServlet | Info | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
| scala_xxe_rule-SaxParserXXE | Info | Improper Restriction of XML External Entity Reference ('XXE') |
swift
| Id | Severity | Description |
|---|---|---|
| rules_lgpl_swift_other_rule-ios-biometric-acl | Critical | Authentication bypass by primary weakness |
| rules_lgpl_swift_other_rule-ios-file-no-special | Critical | Cleartext storage of sensitive information |
| rules_lgpl_swift_other_rule-ios-tls3-not-used | Critical | Selection of less-secure algorithm during negotiation ('algorithm downgrade') |
| rules_lgpl_swift_other_rule-ios-dtls1-used | Medium | Selection of less-secure algorithm during negotiation ('algorithm downgrade') |
| rules_lgpl_swift_other_rule-ios-keychain-weak-accessibility-value | Medium | Authentication bypass by primary weakness |