Coverity Coverage for Common Weakness Enumeration (CWE)

At its core, Common Weakness Enumeration (CWE) is a community-developed list of software weaknesses. CWE provides a taxonomy to categorize and describe software weaknesses—giving developers and security practitioners a common language for software security.

MITRE owns and maintains the project.

The table below lists, for each language Coverity supports, the CWEs it covers and the Coverity checker(s) that report each one:

Language | CWE | Name (the Coverity Checker(s) for that CWE are listed beneath each row)
Android 22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
  • PATH_MANIPULATION
Android 78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
  • OS_CMD_INJECTION
Android 79 Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
  • XSS
Android 89 Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
  • SQLI
Android 94 Improper Control of Generation of Code ('Code Injection')
  • SQLI
  • REGEX_INJECTION
Android 99 Improper Control of Resource Identifiers ('Resource Injection')
  • URL_MANIPULATION
Android 209 Information Exposure Through an Error Message
  • SENSITIVE_DATA_LEAK
Android 215 Information Exposure Through Debug Information
  • ANDROID_DEBUG_MODE
Android 259 Use of Hard-coded Password
  • HARDCODED_CREDENTIALS
Android 296 Improper Following of a Certificate's Chain of Trust
  • BAD_CERT_VERIFICATION
Android 297 Improper Validation of Certificate with Host Mismatch
  • BAD_CERT_VERIFICATION
Android 299 Improper Check for Certificate Revocation
  • BAD_CERT_VERIFICATION
Android 311 Missing Encryption of Sensitive Data
  • SENSITIVE_DATA_LEAK
Android 312 Cleartext Storage of Sensitive Information
  • SENSITIVE_DATA_LEAK
Android 313 Cleartext Storage in a File or on Disk
  • SENSITIVE_DATA_LEAK
Android 317 Cleartext Storage of Sensitive Information in GUI
  • SENSITIVE_DATA_LEAK
Android 319 Cleartext Transmission of Sensitive Information
  • SENSITIVE_DATA_LEAK
Android 321 Use of Hard-coded Cryptographic Key
  • HARDCODED_CREDENTIALS
Android 327 Use of a Broken or Risky Cryptographic Algorithm
  • RISKY_CRYPTO
Android 328 Reversible One-Way Hash
  • RISKY_CRYPTO
Android 330 Use of Insufficiently Random Values
  • MOBILE_ID_MISUSE
Android 336 Same Seed in PRNG
  • PREDICTABLE_RANDOM_SEED
Android 337 Predictable Seed in PRNG
  • PREDICTABLE_RANDOM_SEED
Android 470 Use of Externally-Controlled Input to Select Classes or Code (‘Unsafe Reflection’)
  • UNSAFE_REFLECTION
Android 502 Deserialization of Untrusted Data
  • UNSAFE_DESERIALIZATION
Android 530 Exposure of Backup File to an Unauthorized Control Sphere
  • CONFIG.ANDROID_BACKUPS_ALLOWED
Android 532 Information Exposure Through Log Files
  • SENSITIVE_DATA_LEAK
Android 538 File and Directory Information Exposure
  • UNRESTRICTED_ACCESS_TO_FILE
  • EXPOSED_PREFERENCES
Android 611 Improper Restriction of XML External Entity Reference ('XXE')
  • XML_EXTERNAL_ENTITY
Android 759 Use of a One-Way Hash without a Salt
  • WEAK_PASSWORD_HASH
Android 760 Use of a One-Way Hash with a Predictable Salt
  • WEAK_PASSWORD_HASH
Android 776 Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')
  • XML_EXTERNAL_ENTITY
Android 798 Use of Hard-coded Credentials
  • HARDCODED_CREDENTIALS
Android 827 Improper Control of Document Type Definition
  • XML_EXTERNAL_ENTITY
Android 916 Use of Password Hash With Insufficient Computational Effort
  • WEAK_PASSWORD_HASH
Android 921 Storage of Sensitive Data in a Mechanism without Access Control
  • UNRESTRICTED_ACCESS_TO_FILE
Android 926 Improper Export of Android Application Components
  • MISSING_PERMISSION_ON_EXPORTED_COMPONENT
Android 927 Use of Implicit Intent for Sensitive Communication
  • IMPLICIT_INTENT
  • SENSITIVE_DATA_LEAK
  • MISSING_PERMISSION_FOR_BROADCAST
C# 10 ASP.NET Environment Issues
  • CONFIG.ASP_VIEWSTATE_MAC
C# 11 Security Misconfiguration
  • CONFIG.ENABLED_DEBUG_MODE
  • CONFIG.ENABLED_TRACE_MODE
C# 12 Missing Custom Error Page
  • CONFIG.MISSING_CUSTOM_ERROR_PAGE
C# 13 Unencrypted Connection String Password
  • CONFIG.CONNECTION_STRING_PASSWORD
C# 20 Improper Input Validation
  • OS_CMD_INJECTION
  • PATH_MANIPULATION
  • XSS
C# 21 Pathname Traversal and Equivalence Errors
  • PATH_MANIPULATION
C# 22 Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)
  • PATH_MANIPULATION
C# 23 Relative Path Traversal
  • PATH_MANIPULATION
C# 36 Absolute Path Traversal
  • PATH_MANIPULATION
C# 73 External Control of File Name or Path
  • UNRESTRICTED_DISPATCH
C# 77 Improper Neutralization of Special Elements used in a Command (‘Command Injection’)
  • OS_CMD_INJECTION
C# 78 Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
  • OS_CMD_INJECTION
C# 79 Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
  • XSS
C# 80 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
  • XSS
C# 82 Improper Neutralization of Script in Attributes of IMG Tags in a Web Page
  • XSS
C# 83 Improper Neutralization of Script in Attributes in a Web Page
  • XSS
C# 85 Doubled Character XSS Manipulations
  • XSS
C# 86 Improper Neutralization of Invalid Characters in Identifiers in Web Pages
  • XSS
C# 87 Improper Neutralization of Alternate XSS Syntax
  • XSS
C# 88 Argument Injection or Modification
  • OS_CMD_INJECTION
C# 89 Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
  • SQL_NOT_CONSTANT
  • SQLI
C# 90 Improper Neutralization of Special Elements used in an LDAP Query
  • LDAP_INJECTION
C# 91 XML Injection (aka Blind XPath Injection)
  • XML_INJECTION
C# 94 Improper Control of Generation of Code (‘Code Injection’)
  • NOSQL_QUERY_INJECTION
  • REGEX_INJECTION
  • SCRIPT_CODE_INJECTION
  • UNKNOWN_LANGUAGE_INJECTION
  • XPATH_INJECTION
C# 117 Improper Output Neutralization for Logs
  • LOG_INJECTION
C# 171 Cleansing, Canonicalization, and Comparison Errors
  • BAD_EQ
C# 190 Integer Overflow or Wraparound
  • OVERFLOW_BEFORE_WIDEN
C# 200 Information Exposure
  • ASPNET_MVC_VERSION_HEADER
  • CONFIG.ASPNET_VERSION_HEADER
  • CONFIG.COOKIES_MISSING_HTTPONLY
C# 209 Information Exposure Through an Error Message
  • SENSITIVE_DATA_LEAK
C# 259 Use of Hard-coded Password
  • HARDCODED_CREDENTIALS
C# 285 Missing Authorization Check
  • MISSING_AUTHZ
C# 313 Cleartext Storage in a File or on Disk
  • UNENCRYPTED_SENSITIVE_DATA
  • SENSITIVE_DATA_LEAK
C# 315 Cleartext Storage of Sensitive Information in a Cookie
  • UNENCRYPTED_SENSITIVE_DATA
C# 319 Cleartext Transmission of Sensitive Information
  • UNENCRYPTED_SENSITIVE_DATA
  • SENSITIVE_DATA_LEAK
  • CONFIG.SEQUELIZE_INSECURE_CONNECTION
C# 321 Use of Hard-coded Cryptographic Key
  • HARDCODED_CREDENTIALS
C# 327 Use of a Broken or Risky Cryptographic Algorithm
  • RISKY_CRYPTO
C# 328 Reversible One-Way Hash
  • RISKY_CRYPTO
C# 330 Use of Insufficiently Random Values
  • INSECURE_RANDOM
C# 352 Cross-Site Request Forgery (CSRF)
  • CSRF
C# 366 Race Condition within a Thread
  • GUARDED_BY_VIOLATION
  • NON_STATIC_GUARDING_STATIC
  • VOLATILE_ATOMICITY
C# 369 Divide By Zero
  • DIVIDE_BY_ZERO
C# 390 Detection of Error Condition Without Action
  • MISSING_THROW
C# 398 Indicator of Poor Code Quality
  • UNEXPECTED_CONTROL_FLOW
  • COPY_PASTE_ERROR
  • IDENTICAL_BRANCHES
  • PROPERTY_MIXUP
C# 403 Exposure of File Descriptor to Unintended Control Sphere (‘File Descriptor Leak’)
  • RESOURCE_LEAK
C# 404 Improper Resource Shutdown or Release
  • RESOURCE_LEAK
C# 476 NULL Pointer Dereference
  • FORWARD_NULL
  • NULL_RETURNS
  • REVERSE_INULL
C# 480 Use of Incorrect Operator
  • CONSTANT_EXPRESSION_RESULT
C# 502 Deserialization of Untrusted Data
  • UNSAFE_DESERIALIZATION
C# 519 Disabled View State MAC generation
  • CONFIG.ASP_VIEWSTATE_MAC
C# 532 Information Exposure Through Log Files
  • SENSITIVE_DATA_LEAK
C# 543 Use of Singleton Pattern Without Synchronization in a Multithreaded Context
  • BAD_LOCK_OBJECT
  • LOCK_EVASION
C# 561 Dead Code
  • DEADCODE
  • UNREACHABLE
C# 563 Assignment to Variable without Use (‘Unused Variable’)
  • UNUSED_VALUE
C# 569 Expression Issues
  • CONSTANT_EXPRESSION_RESULT
C# 570 Expression is Always False
  • BAD_EQ_TYPES
C# 573 Improper Following of Specification by Caller
  • CALL_SUPER
  • MISSING_RESTORE
C# 595 Comparison of Object References Instead of Object Contents
  • BAD_EQ
C# 601 URL Redirection to Untrusted Site ('Open Redirect')
  • OPEN_REDIRECT
C# 609 Double-Checked Locking
  • LOCK_EVASION
C# 610 Externally Controlled Reference to a Resource in Another Sphere
  • HEADER_INJECTION
C# 611 Improper Restriction of XML External Entity Reference ('XXE')
  • XML_EXTERNAL_ENTITY
C# 670 Always-Incorrect Control Flow Implementation
  • STRAY_SEMICOLON
C# 683 Function Call With Incorrect Order of Arguments
  • SWAPPED_ARGUMENTS
C# 759 Use of a One-Way Hash without a Salt
  • WEAK_PASSWORD_HASH
C# 760 Use of a One-Way Hash with a Predictable Salt
  • WEAK_PASSWORD_HASH
C# 776 Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')
  • XML_EXTERNAL_ENTITY
C# 778 Insufficient Logging
  • UNLOGGED_SECURITY_EXCEPTION
C# 783 Operator Precedence Logic Error
  • CONSTANT_EXPRESSION_RESULT
C# 798 Use of Hard-coded Credentials
  • HARDCODED_CREDENTIALS
C# 827 Improper Control of Document Type Definition
  • XML_EXTERNAL_ENTITY
C# 833 Deadlock
  • LOCK_INVERSION
C# 835 Loop with Unreachable Exit Condition (‘Infinite Loop’)
  • INFINITE_LOOP
C# 863 Incorrect Authorization
  • CONFIG.DEAD_AUTHORIZATION_RULE
C# 916 Use of Password Hash With Insufficient Computational Effort
  • WEAK_PASSWORD_HASH
C/C++ & Objective-C 20 Improper Input Validation
  • TAINTED_SCALAR
  • TAINTED_STRING
  • USER_POINTER
C/C++ & Objective-C 22 Filesystem path, filename, or URI manipulation
  • PATH_MANIPULATION
C/C++ & Objective-C 78 OS Command Injection
  • OS_CMD_INJECTION
C/C++ & Objective-C 89 SQL injection
  • SQLI
C/C++ & Objective-C 119 Improper Restriction of Operations within the Bounds of a Memory Buffer
  • ARRAY_VS_SINGLETON
  • BAD_ALLOC_ARITHMETIC
  • COM.BSTR.CONV
  • INCOMPATIBLE_CAST
  • INTEGER_OVERFLOW
  • INVALIDATE_ITERATOR
  • MISMATCHED_ITERATOR
  • OVERRUN
  • REVERSE_NEGATIVE
C/C++ & Objective-C 120 Buffer Copy without Checking Size of Input (‘Classic Buffer Overflow’)
  • BUFFER_SIZE
  • SIZECHECK
  • STRING_OVERFLOW
  • STRING_SIZE
C/C++ & Objective-C 125 Out-of-bounds Read
  • INTEGER_OVERFLOW
  • OVERRUN
C/C++ & Objective-C 129 Improper Validation of Array Index
  • NEGATIVE_RETURNS
  • REVERSE_NEGATIVE
  • TAINTED_SCALAR
C/C++ & Objective-C 131 Incorrect Calculation of Buffer Size
  • BAD_ALLOC_STRLEN
  • SIZECHECK
C/C++ & Objective-C 134 Uncontrolled Format String
  • PARSE_WARNINGS
  • TAINTED_STRING
C/C++ & Objective-C 170 Improper Null Termination
  • BUFFER_SIZE
  • READLINK
  • SIZECHECK
  • STRING_NULL
C/C++ & Objective-C 188 Reliance on Data/Memory Layout
  • INCOMPATIBLE_CAST
C/C++ & Objective-C 190 Integer Overflow or Wraparound
  • INTEGER_OVERFLOW
  • OVERFLOW_BEFORE_WIDEN
  • PARSE_WARNINGS
C/C++ & Objective-C 194 Unexpected Sign Extension
  • SIGN_EXTENSION
C/C++ & Objective-C 195 Signed to Unsigned Conversion Error
  • MISRA_CAST
C/C++ & Objective-C 197 Numeric Truncation Error
  • CHAR_IO
  • MISRA_CAST
  • NO_EFFECT
C/C++ & Objective-C 243 Creation of chroot Jail Without Changing Working Directory
  • CHROOT
C/C++ & Objective-C 248 Uncaught Exception
  • UNCAUGHT_EXCEPT
C/C++ & Objective-C 252 Unchecked Return Value
  • CHECKED_RETURN
C/C++ & Objective-C 253 Incorrect Check of Function Return Value
  • BAD_COMPARE
C/C++ & Objective-C 259 Use of Hard-coded Password
  • HARDCODED_CREDENTIALS
C/C++ & Objective-C 290 Authentication Bypass by Spoofing
  • WEAK_GUARD
C/C++ & Objective-C 291 Reliance on IP Address for Authentication
  • WEAK_GUARD
C/C++ & Objective-C 293 Using Referer Field for Authentication
  • WEAK_GUARD
C/C++ & Objective-C 313 Cleartext Storage in a File or on Disk
  • UNENCRYPTED_SENSITIVE_DATA
C/C++ & Objective-C 315 Cleartext Storage of Sensitive Information in a Cookie
  • UNENCRYPTED_SENSITIVE_DATA
C/C++ & Objective-C 319 Cleartext Transmission of Sensitive Information
  • UNENCRYPTED_SENSITIVE_DATA
C/C++ & Objective-C 321 Use of Hard-coded Cryptographic Key
  • HARDCODED_CREDENTIALS
C/C++ & Objective-C 327 Use of a Broken or Risky Cryptographic Algorithm
  • RISKY_CRYPTO
C/C++ & Objective-C 328 Reversible One-Way Hash
  • RISKY_CRYPTO
C/C++ & Objective-C 350 Reliance on Reverse DNS Resolution for a Security-Critical Action
  • WEAK_GUARD
C/C++ & Objective-C 366 Race Condition within a Thread
  • MISSING_LOCK
C/C++ & Objective-C 367 Time-of-check Time-of-use (TOCTOU) Race Condition
  • TOCTOU
C/C++ & Objective-C 369 Divide By Zero
  • DIVIDE_BY_ZERO
  • PARSE_WARNINGS
C/C++ & Objective-C 377 Insecure Temporary File
  • SECURE_TEMP
C/C++ & Objective-C 394 Unexpected Status Code or Return Value
  • NEGATIVE_RETURNS
  • REVERSE_NEGATIVE
C/C++ & Objective-C 398 Indicator of Poor Code Quality
  • COPY_PASTE_ERROR
  • ENUM_AS_BOOLEAN
  • IDENTICAL_BRANCHES
  • MISMATCHED_ITERATOR
  • MIXED_ENUMS
  • NO_EFFECT
  • PASS_BY_VALUE
  • VIRTUAL_DTOR
C/C++ & Objective-C 400 Uncontrolled Resource Consumption (‘Resource Exhaustion’)
  • STACK_USE
C/C++ & Objective-C 401 Improper Release of Memory Before Removing Last Reference (‘Memory Leak’)
  • COM.BSTR.ALLOC
  • CTOR_DTOR_LEAK
  • NO_EFFECT
  • SYMBIAN.CLEANUP_STACK
C/C++ & Objective-C 404 Improper Resource Shutdown or Release
  • RESOURCE_LEAK
C/C++ & Objective-C 415 Double Free
  • SYMBIAN.CLEANUP_STACK
  • USE_AFTER_FREE
C/C++ & Objective-C 416 Use After Free
  • COM.BAD_FREE
  • COM.BSTR.ALLOC
  • WRAPPER_ESCAPE
  • USE_AFTER_FREE
C/C++ & Objective-C 456 Missing Initialization of a Variable
  • NO_EFFECT
C/C++ & Objective-C 457 Use of Uninitialized Variable
  • PARSE_WARNINGS
  • UNINIT
  • UNINIT_CTOR
C/C++ & Objective-C 459 Incomplete Cleanup
  • DELETE_ARRAY
  • SYMBIAN.CLEANUP_STACK
C/C++ & Objective-C 465 Pointer Issues
  • NO_EFFECT
C/C++ & Objective-C 467 Use of sizeof() on a Pointer Type
  • BAD_SIZEOF
  • SIZEOF_MISMATCH
C/C++ & Objective-C 475 Invalid printf format string
  • PRINTF_ARGS
C/C++ & Objective-C 476 NULL Pointer Dereference
  • FORWARD_NULL
  • NULL_RETURNS
  • REVERSE_INULL
C/C++ & Objective-C 480 Use of Incorrect Operator
  • CONSTANT_EXPRESSION_RESULT
  • NO_EFFECT
C/C++ & Objective-C 481 Assigning instead of Comparing
  • PARSE_WARNINGS
C/C++ & Objective-C 482 Comparing instead of Assigning
  • NO_EFFECT
C/C++ & Objective-C 483 Incorrect Block Delimitation
  • NESTING_INDENT_MISMATCH
C/C++ & Objective-C 484 Omitted Break Statement in Switch
  • MISSING_BREAK
C/C++ & Objective-C 561 Dead Code
  • DEADCODE
  • UNREACHABLE
C/C++ & Objective-C 562 Return of Stack Variable Address
  • PARSE_WARNINGS
  • RETURN_LOCAL
C/C++ & Objective-C 563 Assignment to Variable without Use (‘Unused Variable’)
  • UNUSED_VALUE
C/C++ & Objective-C 569 Expression Issues
  • CONSTANT_EXPRESSION_RESULT
  • SIZEOF_MISMATCH
C/C++ & Objective-C 570 Expression is Always False
  • NO_EFFECT
  • PARSE_WARNINGS
C/C++ & Objective-C 573 Improper Following of Specification by Caller
  • MISSING_RESTORE
  • OPEN_ARGS
  • VARARGS
C/C++ & Objective-C 584 Return Inside Finally Block
  • PARSE_WARNINGS
C/C++ & Objective-C 590 Free of Memory not on the Heap
  • BAD_FREE
C/C++ & Objective-C 597 Use of Wrong Operator in String Comparison
  • BAD_COMPARE
C/C++ & Objective-C 606 Unchecked Input for Loop Condition
  • NEGATIVE_RETURNS
  • TAINTED_SCALAR
C/C++ & Objective-C 617 Reachable Assertion
  • LOCK
C/C++ & Objective-C 628 Function Call with Incorrectly Specified Arguments
  • BAD_COMPARE
  • PARSE_WARNINGS
C/C++ & Objective-C 633 Weaknesses that Affect Memory
  • COM.BSTR.ALLOC
C/C++ & Objective-C 643 XML Path (XPath) Language injection
  • XPATH_INJECTION
C/C++ & Objective-C 662 Improper Synchronization
  • ATOMICITY
C/C++ & Objective-C 665 Improper Initialization
  • NO_EFFECT
C/C++ & Objective-C 667 Improper Locking
  • LOCK
  • SLEEP
C/C++ & Objective-C 670 Always-Incorrect Control Flow Implementation
  • STRAY_SEMICOLON
C/C++ & Objective-C 672 Operation on a Resource after Expiration or Release
  • USE_AFTER_FREE
C/C++ & Objective-C 676 Use of Potentially Dangerous Function
  • DC.STREAM_BUFFER
  • DC.STRING_BUFFER
  • DC.WEAK_CRYPTO
  • DC.PREDICTABLE_KEY_PASSWORD
  • SECURE_CODING
C/C++ & Objective-C 681 Incorrect Conversion between Numeric Types
  • MISRA_CAST
C/C++ & Objective-C 683 Function Call With Incorrect Order of Arguments
  • SWAPPED_ARGUMENTS
C/C++ & Objective-C 685 Function Call With Incorrect Number of Arguments
  • PARSE_WARNINGS
  • PRINTF_ARGS (extra argument to printf format specifier)
C/C++ & Objective-C 686 Function Call With Incorrect Argument Type
  • PARSE_WARNINGS
  • PRINTF_ARGS (invalid type in argument to printf format specifier)
C/C++ & Objective-C 687 Function Call With Incorrectly Specified Argument Value
  • NEGATIVE_RETURNS
C/C++ & Objective-C 704 Incorrect Type Conversion or Cast
  • INCOMPATIBLE_CAST
  • PARSE_WARNINGS
C/C++ & Objective-C 710 Coding Standards Violation
  • ASSIGN_NOT_RETURNING_STAR_THIS
  • BAD_OVERRIDE
  • HFA
  • MISSING_COPY_OR_ASSIGN
  • MISSING_RETURN
  • SELF_ASSIGN
C/C++ & Objective-C 758 Reliance on Undefined, Unspecified, or Implementation-Defined Behavior
  • DELETE_VOID
  • EVALUATION_ORDER
C/C++ & Objective-C 759 Use of a One-Way Hash without a Salt
  • WEAK_PASSWORD_HASH
C/C++ & Objective-C 760 Use of a One-Way Hash with a Predictable Salt
  • WEAK_PASSWORD_HASH
C/C++ & Objective-C 762 Mismatched Memory Management Routines
  • ALLOC_FREE_MISMATCH
C/C++ & Objective-C 764 Multiple Locks of a Critical Resource
  • LOCK
C/C++ & Objective-C 772 Missing Release of Resource after Effective Lifetime
  • VIRTUAL_DTOR
C/C++ & Objective-C 775 Missing Release of File Descriptor or Handle after Effective Lifetime
  • RESOURCE_LEAK
C/C++ & Objective-C 783 Operator Precedence Logic Error
  • BAD_COMPARE
  • CONSTANT_EXPRESSION_RESULT
  • SIZEOF_MISMATCH
C/C++ & Objective-C 798 Use of Hard-coded Credentials
  • HARDCODED_CREDENTIALS
C/C++ & Objective-C 833 Deadlock
  • ORDER_REVERSAL
C/C++ & Objective-C 835 Loop with Unreachable Exit Condition (‘Infinite Loop’)
  • INFINITE_LOOP
C/C++ & Objective-C 916 Use of Password Hash With Insufficient Computational Effort
  • WEAK_PASSWORD_HASH
Java 4 J2EE Environment Issues
  • CONFIG
Java 7 J2EE Misconfiguration: Missing Custom Error Page
  • CONFIG
Java 11 ASP.NET Misconfiguration: Creating Debug Binary
  • CONFIG.ENABLED_DEBUG_MODE
  • CONFIG.ENABLED_TRACE_MODE
Java 20 Improper Input Validation
  • OS_CMD_INJECTION
  • PATH_MANIPULATION
  • SQLI
  • UNRESTRICTED_DISPATCH
  • UNSAFE_REFLECTION
  • XSS
Java 21 Pathname Traversal and Equivalence Errors
  • PATH_MANIPULATION
Java 22 Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)
  • JSP_DYNAMIC_INCLUDE
  • PATH_MANIPULATION
Java 23 Relative Path Traversal
  • FB.PT_RELATIVE_PATH_TRAVERSAL
  • PATH_MANIPULATION
Java 36 Absolute Path Traversal
  • FB.PT_ABSOLUTE_PATH_TRAVERSAL
  • PATH_MANIPULATION
Java 73 External Control of File Name or Path
  • UNRESTRICTED_DISPATCH
Java 77 Improper Neutralization of Special Elements used in a Command (‘Command Injection’)
  • OS_CMD_INJECTION
Java 78 Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
  • OS_CMD_INJECTION
  • TAINTED_ENVIRONMENT_WITH_EXECUTION
Java 79 Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
  • FB.XSS_REQUEST_PARAMETER_TO_JSP_WRITER
  • FB.XSS_REQUEST_PARAMETER_TO_SERVLET_WRITER
  • XSS
Java 80 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
  • XSS
Java 81 Improper Neutralization of Script in an Error Message Web Page
  • FB.XSS_REQUEST_PARAMETER_TO_SEND_ERROR
Java 82 Improper Neutralization of Script in Attributes of IMG Tags in a Web Page
  • XSS
Java 83 Improper Neutralization of Script in Attributes in a Web Page
  • XSS
Java 85 Doubled Character XSS Manipulations
  • XSS
Java 86 Improper Neutralization of Invalid Characters in Identifiers in Web Pages
  • XSS
Java 87 Improper Neutralization of Alternate XSS Syntax
  • XSS
Java 88 Argument Injection or Modification
  • OS_CMD_INJECTION
Java 89 Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
  • FB.SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE
  • FB.SQL_PREPARED_STATEMENT_GENERATED_FROM_NONCONSTANT_STRING
  • JSP_SQL_INJECTION
  • SQLI
  • SQL_NOT_CONSTANT
Java 90 Improper Neutralization of Special Elements used in an LDAP Query (‘LDAP Injection’)
  • LDAP_INJECTION
Java 91 XML Injection (aka Blind XPath Injection)
  • XML_INJECTION
Java 94 Improper Control of Generation of Code (‘Code Injection’)
  • JAVA_CODE_INJECTION
  • JCR_INJECTION
  • NOSQL_QUERY_INJECTION
  • OGNL_INJECTION
  • REGEX_INJECTION
  • SCRIPT_CODE_INJECTION
  • UNKNOWN_LANGUAGE_INJECTION
  • XPATH_INJECTION
Java 99 Improper Control of Resource Identifiers (‘Resource Injection’)
  • URL_MANIPULATION
Java 113 Improper Neutralization of CRLF Sequences in HTTP Headers (‘HTTP Response Splitting’)
  • FB.HRS_REQUEST_PARAMETER_TO_COOKIE
  • FB.HRS_REQUEST_PARAMETER_TO_HTTP_HEADER
Java 185 Incorrect Regular Expression
  • FB.RE_BAD_SYNTAX_FOR_REGULAR_EXPRESSION
  • FB.RE_CANT_USE_FILE_SEPARATOR_AS_REGULAR_EXPRESSION
  • FB.RE_POSSIBLE_UNINTENDED_PATTERN
  • REGEX_CONFUSION
Java 190 Integer Overflow or Wraparound
  • OVERFLOW_BEFORE_WIDEN
Java 192 Integer Coercion Error
  • FB.BX_BOXING_IMMEDIATELY_UNBOXED_TO_PERFORM_COERCION
  • FB.ICAST_BAD_SHIFT_AMOUNT
  • FB.ICAST_IDIV_CAST_TO_DOUBLE
  • FB.ICAST_INT_2_LONG_AS_INSTANT
  • FB.ICAST_INT_CAST_TO_DOUBLE_PASSED_TO_CEIL
  • FB.ICAST_INT_CAST_TO_FLOAT_PASSED_TO_ROUND
  • FB.ICAST_INTEGER_MULTIPLY_CAST_TO_LONG
  • FB.ICAST_QUESTIONABLE_UNSIGNED_RIGHT_SHIFT
Java 200 Information Exposure
  • CONFIG
Java 209 Information Exposure Through an Error Message
  • SENSITIVE_DATA_LEAK
Java 218 DEPRECATED (Duplicate): Failure to provide confidentiality for stored data
  • FB.EI_EXPOSE_STATIC_REP2
  • FB.MS_CANNOT_BE_FINAL
  • FB.MS_EXPOSE_REP
  • FB.MS_FINAL_PKGPROTECT
  • FB.MS_MUTABLE_ARRAY
  • FB.MS_MUTABLE_HASHTABLE
  • FB.MS_OOI_PKGPROTECT
  • FB.MS_PKGPROTECT
  • FB.MS_SHOULD_BE_FINAL
  • FB.MS_SHOULD_BE_REFACTORED_TO_BE_FINAL
Java 227 Improper Fulfillment of API Contract (‘API Abuse’)
  • FB.AM_CREATES_EMPTY_JAR_FILE_ENTRY
  • FB.AM_CREATES_EMPTY_ZIP_FILE_ENTRY
Java 247 DEPRECATED (Duplicate): Reliance on DNS Lookups in a Security Decision
  • WEAK_GUARD
Java 252 Unchecked Return Value
  • CHECKED_RETURN
Java 253 Incorrect Check of Function Return Value
  • FB.RV_RETURN_VALUE_IGNORED_BAD_PRACTICE
  • ORM_LOAD_NULL_CHECK
Java 259 Use of Hard-coded Password
  • FB.DMI_CONSTANT_DB_PASSWORD
  • FB.DMI_EMPTY_DB_PASSWORD
  • HARDCODED_CREDENTIALS
Java 285 Improper Authorization
  • MISSING_AUTHZ
Java 290 Authentication Bypass by Spoofing
  • WEAK_GUARD
Java 291 Reliance on IP Address for Authentication
  • WEAK_GUARD
Java 293 Using Referer Field for Authentication
  • WEAK_GUARD
Java 296 Improper Following of a Certificate’s Chain of Trust
  • BAD_CERT_VERIFICATION
Java 297 Improper Validation of Certificate with Host Mismatch
  • BAD_CERT_VERIFICATION
Java 299 Improper Check for Certificate Revocation
  • BAD_CERT_VERIFICATION
Java 311 Missing Encryption of Sensitive Data
  • SENSITIVE_DATA_LEAK
  • UNENCRYPTED_SENSITIVE_DATA
Java 312 Cleartext Storage of Sensitive Information
  • SENSITIVE_DATA_LEAK
  • UNENCRYPTED_SENSITIVE_DATA
Java 313 Cleartext Storage in a File or on Disk
  • SENSITIVE_DATA_LEAK
  • UNENCRYPTED_SENSITIVE_DATA
Java 315 Cleartext Storage of Sensitive Information in a Cookie
  • SENSITIVE_DATA_LEAK
  • UNENCRYPTED_SENSITIVE_DATA
Java 317 Cleartext Storage of Sensitive Information in GUI
  • SENSITIVE_DATA_LEAK
Java 319 Cleartext Transmission of Sensitive Information
  • SENSITIVE_DATA_LEAK
  • UNENCRYPTED_SENSITIVE_DATA
Java 321 Use of Hard-coded Cryptographic Key
  • HARDCODED_CREDENTIALS
Java 327 Use of a Broken or Risky Cryptographic Algorithm
  • RISKY_CRYPTO
Java 328 Reversible One-Way Hash
  • RISKY_CRYPTO
Java 330 Use of Insufficiently Random Values
  • MOBILE_ID_MISUSE
  • INSECURE_RANDOM
Java 337 Predictable Seed in PRNG
  • PREDICTABLE_RANDOM_SEED
Java 350 Reliance on Reverse DNS Resolution for a Security-Critical Action
  • WEAK_GUARD
Java 352 Cross-Site Request Forgery (CSRF)
  • CSRF
Java 366 Race Condition within a Thread
  • FB.IS_FIELD_NOT_GUARDED
  • FB.IS_INCONSISTENT_SYNC
  • FB.IS2_INCONSISTENT_SYNC
  • FB.STCAL_INVOKE_ON_STATIC_CALENDAR_INSTANCE
  • FB.STCAL_INVOKE_ON_STATIC_DATE_FORMAT_INSTANCE
  • FB.STCAL_STATIC_CALENDAR_INSTANCE
  • FB.STCAL_STATIC_SIMPLE_DATE_FORMAT_INSTANCE
  • GUARDED_BY_VIOLATION
  • NON_STATIC_GUARDING_STATIC
  • RACE_CONDITION
  • VOLATILE_ATOMICITY
Java 369 Divide By Zero
  • DIVIDE_BY_ZERO
Java 374 Passing Mutable Objects to an Untrusted Method
  • FB.EI_EXPOSE_REP
  • FB.EI_EXPOSE_REP2
Java 382 J2EE Bad Practices: Use of System.exit()
  • FB.DM_EXIT
Java 384 Session Fixation
  • CONFIG.SPRING_SECURITY_SESSION_FIXATION
  • SESSION_FIXATION
Java 390 Detection of Error Condition Without Action
  • MISSING_THROW
Java 391 Unchecked Error Condition
  • FB.DE_MIGHT_DROP
  • FB.DE_MIGHT_IGNORE
Java 396 Declaration of Catch for Generic Exception
  • FB.REC_CATCH_EXCEPTION
Java 398 Indicator of Poor Code Quality
  • COPY_PASTE_ERROR
  • IDENTICAL_BRANCHES
  • PROPERTY_MIXUP
  • UNEXPECTED_CONTROL_FLOW
Java 403 Exposure of File Descriptor to Unintended Control Sphere (‘File Descriptor Leak’)
  • RESOURCE_LEAK
Java 404 Improper Resource Shutdown or Release
  • RESOURCE_LEAK
Java 425 Direct Request (‘Forced Browsing’)
  • CONFIG
Java 427 Uncontrolled Search Path Element
  • UNSAFE_JNI
Java 440 Expected Behavior Violation
  • FB.DMI_ANNOTATION_IS_NOT_VISIBLE_TO_REFLECTION
  • FB.DMI_ARGUMENTS_WRONG_ORDER
  • FB.DMI_BAD_MONTH
  • FB.DMI_BIGDECIMAL_CONSTRUCTED_FROM_DOUBLE
  • FB.DMI_BLOCKING_METHODS_ON_URL
  • FB.DMI_CALLING_NEXT_FROM_HASNEXT
  • FB.DMI_COLLECTION_OF_URLS
  • FB.DMI_COLLECTIONS_SHOULD_NOT_CONTAIN_THEMSELVES
  • FB.DMI_DOH
  • FB.DMI_ENTRY_SETS_MAY_REUSE_ENTRY_OBJECTS
  • FB.DMI_FUTILE_ATTEMPT_TO_CHANGE_MAXPOOL_SIZE_OF_SCHEDULED_THREAD_POOL_EXECUTOR
  • FB.DMI_HARDCODED_ABSOLUTE_FILENAME
  • FB.DMI_INVOKING_HASHCODE_ON_ARRAY
  • FB.DMI_INVOKING_TOSTRING_ON_ANONYMOUS_ARRAY
  • FB.DMI_INVOKING_TOSTRING_ON_ARRAY
  • FB.DMI_LONG_BITS_TO_DOUBLE_INVOKED_ON_INT
  • FB.DMI_NONSERIALIZABLE_OBJECT_WRITTEN
  • FB.DMI_RANDOM_USED_ONLY_ONCE
  • FB.DMI_SCHEDULED_THREAD_POOL_EXECUTOR_WITH_ZERO_CORE_THREADS
  • FB.DMI_THREAD_PASSED_WHERE_RUNNABLE_EXPECTED
  • FB.DMI_UNSUPPORTED_METHOD
  • FB.DMI_USELESS_SUBSTRING
  • FB.DMI_USING_REMOVEALL_TO_CLEAR_COLLECTION
  • FB.DMI_VACUOUS_CALL_TO_EASYMOCK_METHOD
  • FB.DMI_VACUOUS_SELF_COLLECTION_CALL
  • FB.RV_01_TO_INT
  • FB.RV_ABSOLUTE_VALUE_OF_HASHCODE
  • FB.RV_ABSOLUTE_VALUE_OF_RANDOM_INT
  • FB.RV_CHECK_COMPARETO_FOR_SPECIFIC_RETURN_VALUE
  • FB.RV_CHECK_FOR_POSITIVE_INDEXOF
  • FB.RV_DONT_JUST_NULL_CHECK_READLINE
  • FB.RV_EXCEPTION_NOT_THROWN
  • FB.RV_NEGATING_RESULT_OF_COMPARETO
  • FB.RV_REM_OF_HASHCODE
  • FB.RV_REM_OF_RANDOM_INT
  • FB.RV_RETURN_VALUE_IGNORED
  • FB.RV_RETURN_VALUE_IGNORED_INFERRED
  • FB.RV_RETURN_VALUE_IGNORED2
  • FB.RV_RETURN_VALUE_OF_PUTIFABSENT_IGNORED
Java 470 Use of Externally-Controlled Input to Select Classes or Code (‘Unsafe Reflection’)
  • UNSAFE_REFLECTION
  • UNSAFE_NAMED_QUERY
Java 476 NULL Pointer Dereference
  • FB.BC_NULL_INSTANCEOF
  • FB.NP_ALWAYS_NULL
  • FB.NP_ALWAYS_NULL_EXCEPTION
  • FB.NP_ARGUMENT_MIGHT_BE_NULL
  • FB.NP_BOOLEAN_RETURN_NULL
  • FB.NP_CLONE_COULD_RETURN_NULL
  • FB.NP_CLOSING_NULL
  • FB.NP_DEREFERENCE_OF_READLINE_VALUE
  • FB.NP_DOES_NOT_HANDLE_NUL
  • FB.NP_EQUALS_SHOULD_HANDLE_NULL_ARGUMENT
  • FB.NP_FIELD_NOT_INITIALIZED_IN_CONSTRUCTOR
  • FB.NP_GUARANTEED_DEREF
  • FB.NP_GUARANTEED_DEREF_ON_EXCEPTION_PATH
  • FB.NP_IMMEDIATE_DEREFERENCE_OF_READLINE
  • FB.NP_LOAD_OF_KNOWN_NULL_VALUE
  • FB.NP_METHOD_PARAMETER_RELAXING_ANNOTATION
  • FB.NP_METHOD_PARAMETER_TIGHTENS_ANNOTATION
  • FB.NP_METHOD_RETURN_RELAXING_ANNOTATION
  • FB.NP_NONNULL_FIELD_NOT_INITIALIZED_IN_CONSTRUCTOR
  • FB.NP_NONNULL_PARAM_VIOLATION
  • FB.NP_NONNULL_RETURN_VIOLATION
  • FB.NP_NULL_INSTANCEOF
  • FB.NP_NULL_ON_SOME_PATH
  • FB.NP_NULL_ON_SOME_PATH_EXCEPTION
  • FB.NP_NULL_ON_SOME_PATH_FROM_RETURN_VALUE
  • FB.NP_NULL_ON_SOME_PATH_MIGHT_BE_INFEASIBLE
  • FB.NP_NULL_PARAM_DEREF
  • FB.NP_NULL_PARAM_DEREF_ALL_TARGETS_DANGEROUS
  • FB.NP_NULL_PARAM_DEREF_NONVIRTUAL
  • FB.NP_OPTIONAL_RETURN_NULL
  • FB.NP_PARAMETER_MUST_BE_NONNULL_BUT_MARKED_AS_NULLABLE
  • FB.NP_STORE_INTO_NONNULL_FIELD
  • FB.NP_TOSTRING_COULD_RETURN_NULL
  • FB.NP_UNWRITTEN_FIELD
  • FB.NP_UNWRITTEN_PUBLIC_OR_PROTECTED_FIELD
  • FB.RCN_REDUNDANT_COMPARISON_OF_NULL_AND_NONNULL_VALUE
  • FB.RCN_REDUNDANT_COMPARISON_TWO_NULL_VALUES
  • FB.RCN_REDUNDANT_NULLCHECK_OF_NONNULL_VALUE
  • FB.RCN_REDUNDANT_NULLCHECK_OF_NULL_VALUE
  • FB.RCN_REDUNDANT_NULLCHECK_WOULD_HAVE_BEEN_A_NPE
  • FORWARD_NULL
  • NULL_RETURNS
  • REVERSE_INULL
Java 480 Use of Incorrect Operator
  • CONSTANT_EXPRESSION_RESULT
Java 481 Assigning instead of Comparing
  • FB.QBA_QUESTIONABLE_BOOLEAN_ASSIGNMENT
Java 483 Incorrect Block Delimitation
  • NESTING_INDENT_MISMATCH
Java 484 Omitted Break Statement in Switch
  • FB.SF_DEAD_STORE_DUE_TO_SWITCH_FALLTHROUGH
  • FB.SF_DEAD_STORE_DUE_TO_SWITCH_FALLTHROUGH_TO_THROW
  • FB.SF_SWITCH_FALLTHROUGH
  • MISSING_BREAK
Java 501 Trust Boundary Violation
  • TRUST_BOUNDARY_VIOLATION
Java 502 Deserialization of Untrusted Data
  • UNSAFE_DESERIALIZATION
Java 532 Information Exposure Through Log Files
  • SENSITIVE_DATA_LEAK
Java 538 File and Directory Information Exposure
  • EXPOSED_PREFERENCES
  • UNRESTRICTED_ACCESS_TO_FILE
Java 543 Use of Singleton Pattern Without Synchronization in a Multithreaded Context
  • BAD_LOCK_OBJECT
  • FB.LI_LAZY_INIT_STATIC
  • FB.LI_LAZY_INIT_UPDATE_STATIC
  • LOCK_EVASION
  • SINGLETON_RACE
Java 561 Dead Code
  • DEADCODE
  • UNREACHABLE
Java 563 Assignment to Variable without Use (‘Unused Variable’)
  • FB.DLS_DEAD_LOCAL_INCREMENT_IN_RETURN
  • FB.DLS_DEAD_LOCAL_STORE
  • FB.DLS_DEAD_LOCAL_STORE_IN_RETURN
  • FB.DLS_DEAD_LOCAL_STORE_OF_NULL
  • FB.DLS_DEAD_LOCAL_STORE_SHADOWS_FIELD
  • FB.DLS_DEAD_STORE_OF_CLASS_LITERAL
  • FB.DLS_OVERWRITTEN_INCREMENT
  • FB.IP_PARAMETER_IS_DEAD_BUT_OVERWRITTEN
  • UNUSED_VALUE
Java 564 SQL Injection: Hibernate
  • SQLI
Java 567 Unsynchronized Access to Shared Data in a Multithreaded Context
  • SERVLET_ATOMICITY
Java 568 finalize() Method Without super.finalize()
  • CALL_SUPER
Java 569 Expression Issues
  • CONSTANT_EXPRESSION_RESULT
Java 570 Expression is Always False
  • FB.BC_IMPOSSIBLE_CAST
  • FB.BC_IMPOSSIBLE_DOWNCAST
  • FB.BC_IMPOSSIBLE_DOWNCAST_OF_TOARRAY
  • FB.BC_IMPOSSIBLE_INSTANCEOF
Java 571 Expression is Always True
  • FB.BC_VACUOUS_INSTANCEOF
Java 572 Call to Thread run() instead of start()
  • FB.RU_INVOKE_RUN
Java 573 Improper Following of Specification by Caller
  • CALL_SUPER
  • INVALIDATE_ITERATOR
  • MISSING_RESTORE
  • ATTRIBUTE_NAME_CONFLICT
Java 579 J2EE Bad Practices: Non-serializable Object Stored in Session
  • FB.J2EE_STORE_OF_NON_SERIALIZABLE_OBJECT_INTO_SESSION
Java 580 clone() Method Without super.clone()
  • CALL_SUPER
  • FB.CN_IDIOM
  • FB.CN_IDIOM_NO_SUPER_CALL
  • FB.CN_IMPLEMENTS_CLONE_BUT_NOT_CLONEABLE
Java 583 finalize() Method Declared Public
  • FB.FI_PUBLIC_SHOULD_BE_PROTECTED
Java 585 Empty Synchronized Block
  • FB.ESYNC_EMPTY_SYNC
  • FB.NP_SYNC_AND_NULL_CHECK_FIELD
Java 586 Explicit Call to Finalize()
  • FB.FI_EMPTY
  • FB.FI_EXPLICIT_INVOCATION
  • FB.FI_FINALIZER_NULLS_FIELDS
  • FB.FI_FINALIZER_ONLY_NULLS_FIELDS
  • FB.FI_MISSING_SUPER_CALL
  • FB.FI_NULLIFY_SUPER
  • FB.FI_USELESS
Java 595 Comparison of Object References Instead of Object Contents
  • FB.EQ_ABSTRACT_SELF
  • FB.EQ_ALWAYS_FALSE
  • FB.EQ_ALWAYS_TRUE
  • FB.EQ_CHECK_FOR_OPERAND_NOT_COMPATIBLE_WITH_THIS
  • FB.EQ_COMPARETO_USE_OBJECT_EQUALS
  • FB.EQ_COMPARING_CLASS_NAMES
  • FB.EQ_DOESNT_OVERRIDE_EQUALS
  • FB.EQ_DONT_DEFINE_EQUALS_FOR_ENUM
  • FB.EQ_GETCLASS_AND_CLASS_CONSTANT
  • FB.EQ_OTHER_NO_OBJECT
  • FB.EQ_OTHER_USE_OBJECT
  • FB.EQ_OVERRIDING_EQUALS_NOT_SYMMETRIC
  • FB.EQ_SELF_NO_OBJECT
  • FB.EQ_SELF_USE_OBJECT
  • FB.EQ_UNUSUAL
Java 596 Incorrect Semantic Object Comparison
  • HIBERNATE_BAD_HASHCODE
Java 597 Use of Wrong Operator in String Comparison
  • FB.ES_COMPARING_PARAMETER_STRING_WITH_EQ
  • FB.ES_COMPARING_STRINGS_WITH_EQ
Java 601 URL Redirection to Untrusted Site (‘Open Redirect’)
  • OPEN_REDIRECT
Java 609 Double-Checked Locking
  • FB.DC_DOUBLECHECK
Java 610 Externally Controlled Reference to a Resource in Another Sphere
  • HEADER_INJECTION
Java 611 Improper Restriction of XML External Entity Reference (‘XXE’)
  • XML_EXTERNAL_ENTITY
Java 613 Insufficient Session Expiration
  • CONFIG.UNSAFE_SESSION_TIMEOUT
Java 615 Information Exposure Through Comments
  • CONFIG
Java 643 Improper Neutralization of Data within XPath Expressions (‘XPath Injection’)
  • XPATH_INJECTION
Java 650 Trusting HTTP Permission Methods on the Server Side
  • CONFIG
Java 662 Improper Synchronization
  • ATOMICITY
Java 670 Always-Incorrect Control Flow Implementation
  • STRAY_SEMICOLON
Java 672 Operation on a Resource after Expiration or Release
  • USE_AFTER_FREE
Java 674 Uncontrolled Recursion
  • FB.IL_INFINITE_RECURSIVE_LOOP
Java 676 Use of Potentially Dangerous Function
  • DC.DANGEROUS
Java 683 Function Call With Incorrect Order of Arguments
  • SWAPPED_ARGUMENTS
Java 731 OWASP Top Ten 2004 Category A10 – Insecure Configuration Management
  • CONFIG
Java 759 Use of a One-Way Hash without a Salt
  • WEAK_PASSWORD_HASH
Java 760 Use of a One-Way Hash with a Predictable Salt
  • WEAK_PASSWORD_HASH
Java 776 Improper Restriction of Recursive Entity References in DTDs (‘XML Entity Expansion’)
  • XML_EXTERNAL_ENTITY
Java 778 Insufficient Logging
  • UNLOGGED_SECURITY_EXCEPTION
Java 783 Operator Precedence Logic Error
  • CONSTANT_EXPRESSION_RESULT
Java 798 Use of Hard-coded Credentials
  • CONFIG
  • CONFIG.SPRING_SECURITY_REMEMBER_ME_HARDCODED_KEY
  • HARDCODED_CREDENTIALS
Javascript 20 Improper Input Validation
  • COOKIE_INJECTION
Javascript 22 Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)
  • PATH_MANIPULATION
Javascript 74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
  • CSS_INJECTION
Javascript 78 Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
  • OS_CMD_INJECTION
Javascript 79 Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
  • DOM_XSS
  • XSS
  • ANGULAR_BYPASS_SECURITY
  • ANGULAR_ELEMENT_REFERENCE
Javascript 88 Argument Injection or Modification
  • HEADER_INJECTION
Javascript 89 Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
  • SQLI
Javascript 94 Improper Control of Generation of Code (‘Code Injection’)
  • REGEX_INJECTION
  • NOSQL_QUERY_INJECTION
  • TEMPLATE_INJECTION
  • ANGULAR_EXPRESSION_INJECTION
Javascript 95 Improper Neutralization of Directives in Dynamically Evaluated Code (‘Eval Injection’)
  • SCRIPT_CODE_INJECTION
Javascript 99 Improper Control of Resource Identifiers ('Resource Injection')
  • URL_MANIPULATION
  • SESSIONSTORAGE_MANIPULATION
  • LOCALSTORAGE_MANIPULATION
Javascript 209 Information Exposure Through an Error Message
  • SENSITIVE_DATA_LEAK
Javascript 285 Improper Authorization
  • MISSING_AUTHZ
Javascript 295 Improper Certificate Validation
  • CONFIG.MYSQL_SSL_VERIFY_DISABLED
  • CONFIG.REQUEST_STRICTSSL_DISABLED
Javascript 313 Cleartext Storage in a File or on Disk
  • SENSITIVE_DATA_LEAK
Javascript 313 Cleartext Sensitive Data in a Database
  • SENSITIVE_DATA_LEAK
Javascript 314 Cleartext Storage in the Registry
  • SENSITIVE_DATA_LEAK
Javascript 315 Cleartext Storage of Sensitive Information in a Cookie
  • SENSITIVE_DATA_LEAK
Javascript 317 Cleartext Storage of Sensitive Information in GUI
  • SENSITIVE_DATA_LEAK
Javascript 319 Cleartext Transmission of Sensitive Information
  • SENSITIVE_DATA_LEAK
  • CONFIG.SEQUELIZE_INSECURE_CONNECTION
Javascript 327 Use of a Broken or Risky Cryptographic Algorithm
  • RISKY_CRYPTO
Javascript 328 Reversible One-Way Hash
  • RISKY_CRYPTO
Javascript 346 Origin Validation Error
  • UNCHECKED_ORIGIN
Javascript 352 Cross-Site Request Forgery (CSRF)
  • CSRF
  • CONFIG.HANA_XS_PREVENT_XSRF_DISABLED
Javascript 398 Indicator of Poor Code Quality
  • COPY_PASTE_ERROR
  • IDENTICAL_BRANCHES
  • UNEXPECTED_CONTROL_FLOW
  • NO_EFFECT
Javascript 400 Uncontrolled Resource Consumption
  • CONFIG.SOCKETIO_ORIGINS_ACCEPT_ALL
  • CONFIG.SOCKETIO_MAXHTTPBUFFERSIZE_SET_TOO_LARGE
Javascript 476 NULL Pointer Dereference
  • FORWARD_NULL
  • NULL_RETURNS
  • REVERSE_INULL
Javascript 480 Use of Incorrect Operator
  • CONSTANT_EXPRESSION_RESULT
Javascript 482 Comparing instead of Assigning
  • NO_EFFECT
Javascript 483 Incorrect Block Delimitation
  • NESTING_INDENT_MISMATCH
Javascript 484 Omitted Break Statement in Switch
  • MISSING_BREAK
Javascript 532 Information Exposure Through Log Files
  • CONFIG.SEQUELIZE_ENABLED_LOGGING
  • SENSITIVE_DATA_LEAK
Javascript 561 Dead Code
  • DEADCODE
  • UNREACHABLE
Javascript 569 Expression Issues
  • CONSTANT_EXPRESSION_RESULT
Javascript 601 URL Redirection to Untrusted Site (‘Open Redirect’)
  • OPEN_REDIRECT
Javascript 611 Improper Restriction of XML External Entity Reference ('XXE')
  • XML_EXTERNAL_ENTITY
Javascript 613 Insufficient Session Expiration
  • CONFIG.JSONWEBTOKEN_NON_EXPIRING_TOKEN
Javascript 628 Function Call with Incorrectly Specified Arguments
  • EXPLICIT_THIS_EXPECTED
Javascript 665 Improper Initialization
  • NO_EFFECT
Javascript 668 Exposure of Resource to Wrong Sphere
  • UNRESTRICTED_MESSAGE_TARGET
Javascript 670 Always-Incorrect Control Flow Implementation
  • STRAY_SEMICOLON
Javascript 688 Function Call With Incorrect Variable or Reference as Argument
  • IDENTIFIER_TYPO
Javascript 760 Use of a One-Way Hash with a Predictable Salt
  • INSECURE_SALT
Javascript 776 Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')
  • XML_EXTERNAL_ENTITY
Javascript 778 Insufficient Logging
  • INSUFFICIENT_LOGGING
Javascript 783 Operator Precedence Logic Error
  • CONSTANT_EXPRESSION_RESULT
Javascript 798 Use of Hard-coded Credentials
  • HARDCODED_CREDENTIALS
Javascript 829 Inclusion of Functionality from Untrusted Control Sphere
  • MISSING_IFRAME_SANDBOX
Javascript 922 Insecure Storage of Sensitive Information
  • LOCALSTORAGE_WRITE
Node.js 22 Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)
  • PATH_MANIPULATION
Node.js 78 Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
  • OS_CMD_INJECTION
Node.js 79 Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
  • XSS
Node.js 88 Argument Injection or Modification
  • HEADER_INJECTION
Node.js 89 Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
  • SQLI
Node.js 94 Improper Control of Generation of Code (‘Code Injection’)
  • NOSQL_QUERY_INJECTION
Node.js 95 Improper Neutralization of Directives in Dynamically Evaluated Code (‘Eval Injection’)
  • SCRIPT_CODE_INJECTION
Node.js 209 Information Exposure Through an Error Message
  • SENSITIVE_DATA_LEAK
Node.js 285 Improper Authorization
  • MISSING_AUTHZ
Node.js 313 Cleartext Storage in a File or on Disk
  • SENSITIVE_DATA_LEAK
Node.js 313 Cleartext Sensitive Data in a Database
  • SENSITIVE_DATA_LEAK
Node.js 314 Cleartext Storage in the Registry
  • SENSITIVE_DATA_LEAK
Node.js 315 Cleartext Storage of Sensitive Information in a Cookie
  • SENSITIVE_DATA_LEAK
Node.js 317 Cleartext Storage of Sensitive Information in GUI
  • SENSITIVE_DATA_LEAK
Node.js 319 Cleartext Transmission of Sensitive Information
  • SENSITIVE_DATA_LEAK
Node.js 327 Use of a Broken or Risky Cryptographic Algorithm
  • RISKY_CRYPTO
Node.js 328 Reversible One-Way Hash
  • RISKY_CRYPTO
Node.js 352 Cross-Site Request Forgery (CSRF)
  • CONFIG.HANA_XS_PREVENT_XSRF_DISABLED
  • CSRF
Node.js 398 Indicator of Poor Code Quality
  • COPY_PASTE_ERROR
  • IDENTICAL_BRANCHES
  • NO_EFFECT
Node.js 476 NULL Pointer Dereference
  • FORWARD_NULL
  • NULL_RETURNS
  • REVERSE_INULL
Node.js 480 Use of Incorrect Operator
  • CONSTANT_EXPRESSION_RESULT
Node.js 483 Incorrect Block Delimitation
  • NESTING_INDENT_MISMATCH
Node.js 484 Omitted Break Statement in Switch
  • MISSING_BREAK
Node.js 532 Information Exposure Through Log Files
  • SENSITIVE_DATA_LEAK
Node.js 561 Dead Code
  • DEADCODE
  • UNREACHABLE
Node.js 569 Expression Issues
  • CONSTANT_EXPRESSION_RESULT
Node.js 601 URL Redirection to Untrusted Site (‘Open Redirect’)
  • OPEN_REDIRECT
Node.js 665 Improper Initialization
  • NO_EFFECT
Node.js 670 Always-Incorrect Control Flow Implementation
  • STRAY_SEMICOLON
Node.js 688 Function Call With Incorrect Variable or Reference as Argument
  • IDENTIFIER_TYPO
Node.js 783 Operator Precedence Logic Error
  • CONSTANT_EXPRESSION_RESULT
Node.js 798 Use of Hard-coded Credentials
  • HARDCODED_CREDENTIALS
PHP 20 Improper Input Validation
  • XSS
  • PATH_MANIPULATION
PHP 21 Pathname Traversal and Equivalence Errors
  • PATH_MANIPULATION
PHP 22 Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)
  • PATH_MANIPULATION
PHP 23 Relative Path Traversal
  • PATH_MANIPULATION
PHP 36 Absolute Path Traversal
  • PATH_MANIPULATION
PHP 74 Improper Neutralization of Special Elements in Output Used by a Downstream Component (‘Injection’)
  • XSS
PHP 78 Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
  • OS_CMD_INJECTION
PHP 79 Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
  • XSS
PHP 80 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
  • XSS
PHP 82 Improper Neutralization of Script in Attributes of IMG Tags in a Web Page
  • XSS
PHP 83 Improper Neutralization of Script in Attributes in a Web Page
  • XSS
PHP 85 Doubled Character XSS Manipulations
  • XSS
PHP 86 Improper Neutralization of Invalid Characters in Identifiers in Web Pages
  • XSS
PHP 87 Improper Neutralization of Alternate XSS Syntax
  • XSS
PHP 88 Argument Injection or Modification
  • HEADER_INJECTION
PHP 89 Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
  • SQLI
PHP 95 Improper Neutralization of Directives in Dynamically Evaluated Code (‘Eval Injection’)
  • SCRIPT_CODE_INJECTION
PHP 209 Information Exposure Through an Error Message
  • SENSITIVE_DATA_LEAK
PHP 313 Cleartext Sensitive Data in a Database
  • SENSITIVE_DATA_LEAK
PHP 313 Cleartext Storage in a File or on Disk
  • SENSITIVE_DATA_LEAK
PHP 314 Cleartext Storage in the Registry
  • SENSITIVE_DATA_LEAK
PHP 315 Cleartext Storage of Sensitive Information in a Cookie
  • SENSITIVE_DATA_LEAK
PHP 317 Cleartext Storage of Sensitive Information in GUI
  • SENSITIVE_DATA_LEAK
PHP 319 Cleartext Transmission of Sensitive Information
  • SENSITIVE_DATA_LEAK
PHP 398 Indicator of Poor Code Quality
  • COPY_PASTE_ERROR
  • IDENTICAL_BRANCHES
  • NO_EFFECT
PHP 476 NULL Pointer Dereference
  • FORWARD_NULL
PHP 480 Use of Incorrect Operator
  • CONSTANT_EXPRESSION_RESULT
PHP 482 Comparing instead of Assigning
  • NO_EFFECT
PHP 483 Incorrect Block Delimitation
  • NESTING_INDENT_MISMATCH
PHP 484 Omitted Break Statement in Switch
  • MISSING_BREAK
PHP 502 Deserialization of Untrusted Data
  • UNSAFE_DESERIALIZATION
PHP 532 Information Exposure Through Log Files
  • SENSITIVE_DATA_LEAK
PHP 561 Dead Code
  • UNREACHABLE
  • DEADCODE
PHP 569 Expression Issues
  • CONSTANT_EXPRESSION_RESULT
PHP 611 Improper Restriction of XML External Entity Reference ('XXE')
  • XML_EXTERNAL_ENTITY
PHP 665 Improper Initialization
  • NO_EFFECT
PHP 670 Always-Incorrect Control Flow Implementation
  • STRAY_SEMICOLON
PHP 688 Function Call With Incorrect Variable or Reference as Argument
  • IDENTIFIER_TYPO
PHP 783 Operator Precedence Logic Error
  • CONSTANT_EXPRESSION_RESULT
PHP 798 Use of Hard-coded Credentials
  • HARDCODED_CREDENTIALS
Python 20 Improper Input Validation
  • XSS
  • PATH_MANIPULATION
Python 21 Pathname Traversal and Equivalence Errors
  • PATH_MANIPULATION
Python 22 Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)
  • PATH_MANIPULATION
Python 23 Relative Path Traversal
  • PATH_MANIPULATION
Python 36 Absolute Path Traversal
  • PATH_MANIPULATION
Python 74 Improper Neutralization of Special Elements in Output Used by a Downstream Component (‘Injection’)
  • XSS
Python 78 Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
  • OS_CMD_INJECTION
Python 79 Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
  • XSS
Python 80 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
  • XSS
Python 82 Improper Neutralization of Script in Attributes of IMG Tags in a Web Page
  • XSS
Python 83 Improper Neutralization of Script in Attributes in a Web Page
  • XSS
Python 85 Doubled Character XSS Manipulations
  • XSS
Python 86 Improper Neutralization of Invalid Characters in Identifiers in Web Pages
  • XSS
Python 87 Improper Neutralization of Alternate XSS Syntax
  • XSS
Python 89 Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
  • SQLI
Python 94 Improper Control of Generation of Code (‘Code Injection’)
  • NOSQL_QUERY_INJECTION
Python 95 Improper Neutralization of Directives in Dynamically Evaluated Code (‘Eval Injection’)
  • SCRIPT_CODE_INJECTION
Python 209 Information Exposure Through an Error Message
  • SENSITIVE_DATA_LEAK
Python 313 Cleartext Sensitive Data in a Database
  • SENSITIVE_DATA_LEAK
Python 313 Cleartext Storage in a File or on Disk
  • SENSITIVE_DATA_LEAK
Python 314 Cleartext Storage in the Registry
  • SENSITIVE_DATA_LEAK
Python 315 Cleartext Storage of Sensitive Information in a Cookie
  • SENSITIVE_DATA_LEAK
Python 317 Cleartext Storage of Sensitive Information in GUI
  • SENSITIVE_DATA_LEAK
Python 319 Cleartext Transmission of Sensitive Information
  • SENSITIVE_DATA_LEAK
Python 398 Indicator of Poor Code Quality
  • COPY_PASTE_ERROR
  • IDENTICAL_BRANCHES
Python 476 NULL Pointer Dereference
  • FORWARD_NULL
  • REVERSE_INULL
Python 480 Use of Incorrect Operator
  • CONSTANT_EXPRESSION_RESULT
Python 502 Deserialization of Untrusted Data
  • UNSAFE_DESERIALIZATION
Python 532 Information Exposure Through Log Files
  • SENSITIVE_DATA_LEAK
Python 561 Dead Code
  • UNREACHABLE
  • DEADCODE
Python 569 Expression Issues
  • CONSTANT_EXPRESSION_RESULT
Python 601 URL Redirection to Untrusted Site (‘Open Redirect’)
  • OPEN_REDIRECT
Python 611 Improper Restriction of XML External Entity Reference ('XXE')
  • XML_EXTERNAL_ENTITY
Python 688 Function Call With Incorrect Variable or Reference as Argument
  • IDENTIFIER_TYPO
Python 783 Operator Precedence Logic Error
  • CONSTANT_EXPRESSION_RESULT
Ruby 22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
  • PATH_MANIPULATION
  • RUBY_VULNERABLE_LIBRARY
Ruby 73 External Control of File Name or Path
  • RUBY_VULNERABLE_LIBRARY
Ruby 78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
  • OS_CMD_INJECTION
Ruby 79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  • RUBY_VULNERABLE_LIBRARY
  • UNESCAPED_HTML
  • XSS
Ruby 83 Improper Neutralization of Script in Attributes in a Web Page
  • XSS
Ruby 89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
  • DYNAMIC_OBJECT_ATTRIBUTES
  • RUBY_VULNERABLE_LIBRARY
  • SQLI
Ruby 94 Improper Control of Generation of Code ('Code Injection')
  • REGEX_INJECTION
Ruby 95 Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
  • PATH_MANIPULATION
  • SCRIPT_CODE_INJECTION
Ruby 113 Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')
  • RUBY_VULNERABLE_LIBRARY
Ruby 183 Permissive Whitelist
  • DYNAMIC_OBJECT_ATTRIBUTES
Ruby 184 Incomplete Blacklist
  • BLACKLIST_FOR_AUTHN
Ruby 209 Information Exposure Through an Error Message
  • SENSITIVE_DATA_LEAK
Ruby 215 Information Exposure Through Debug Information
  • SENSITIVE_DATA_LEAK
Ruby 259 Use of Hard-coded Password
  • HARDCODED_CREDENTIALS
Ruby 263 Password Aging with Long Expiration
  • RAILS_DEVISE_CONFIG
Ruby 287 Improper Authentication
  • UNSAFE_BASIC_AUTH
Ruby 289 Authentication Bypass by Alternate Name
  • RUBY_VULNERABLE_LIBRARY
  • UNSAFE_BASIC_AUTH
Ruby 307 Improper Restriction of Excessive Authentication Attempts
  • RAILS_DEVISE_CONFIG
Ruby 321 Use of Hard-coded Cryptographic Key
  • UNSAFE_SESSION_SETTING
Ruby 352 Cross-Site Request Forgery (CSRF)
  • CSRF
Ruby 369 Divide By Zero
  • DIVIDE_BY_ZERO
Ruby 398 Indicator of Poor Code Quality
  • COPY_PASTE_ERROR
  • IDENTICAL_BRANCHES
  • NO_EFFECT
  • UNEXPECTED_CONTROL_FLOW
Ruby 400 Uncontrolled Resource Consumption ('Resource Exhaustion')
  • RAILS_DEFAULT_ROUTES
  • RESOURCE_LEAK
  • RUBY_VULNERABLE_LIBRARY
Ruby 470 Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')
  • UNSAFE_REFLECTION
Ruby 476 NULL Pointer Dereference
  • FORWARD_NULL
  • REVERSE_INULL
Ruby 480 Use of Incorrect Operator
  • CONSTANT_EXPRESSION_RESULT
Ruby 482 Comparing instead of Assigning
  • NO_EFFECT
Ruby 483 Incorrect Block Delimitation
  • NESTING_INDENT_MISMATCH
Ruby 484 Omitted Break Statement in Switch
  • MISSING_BREAK
Ruby 502 Deserialization of Untrusted Data
  • RUBY_VULNERABLE_LIBRARY
  • UNSAFE_DESERIALIZATION
Ruby 521 Weak Password Requirements
  • RAILS_DEVISE_CONFIG
Ruby 561 Dead Code
  • DEADCODE
  • UNREACHABLE
Ruby 569 Expression Issues
  • CONSTANT_EXPRESSION_RESULT
Ruby 599 Missing Validation of OpenSSL Certificate
  • BAD_CERT_VERIFICATION
Ruby 601 URL Redirection to Untrusted Site ('Open Redirect')
  • OPEN_REDIRECT
Ruby 614 Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
  • INSECURE_COOKIE
  • UNSAFE_SESSION_SETTING
Ruby 639 Authorization Bypass Through User-Controlled Key
  • INSECURE_DIRECT_OBJECT_REFERENCE
Ruby 642 External Control of Critical State Data
  • SESSION_MANIPULATION
Ruby 665 Improper Initialization
  • NO_EFFECT
Ruby 688 Function Call With Incorrect Variable or Reference as Argument
  • IDENTIFIER_TYPO
Ruby 704 Incorrect Type Conversion or Cast
  • SQLI
Ruby 777 Regular Expression without Anchors
  • REGEX_MISSING_ANCHOR
Ruby 783 Operator Precedence Logic Error
  • CONSTANT_EXPRESSION_RESULT
Ruby 798 Use of Hard-coded Credentials
  • UNSAFE_BASIC_AUTH
Ruby 862 Missing Authorization
  • RAILS_DEFAULT_ROUTES
  • RAILS_MISSING_FILTER_ACTION
Ruby 915 Improperly Controlled Modification of Dynamically-Determined Object Attributes
  • DYNAMIC_OBJECT_ATTRIBUTES
Ruby 916 Use of Password Hash With Insufficient Computational Effort
  • RAILS_DEVISE_CONFIG
  • WEAK_PASSWORD_HASH
Ruby 1004 Sensitive Cookie Without 'HttpOnly' Flag
  • INSECURE_COOKIE
  • UNSAFE_SESSION_SETTING
Scala 190 Integer Overflow or Wraparound
  • OVERFLOW_BEFORE_WIDEN
Scala 398 Indicator of Poor Code Quality
  • COPY_PASTE_ERROR
  • IDENTICAL_BRANCHES
  • NO_EFFECT
Scala 476 NULL Pointer Dereference
  • FORWARD_NULL
  • REVERSE_INULL
Scala 480 Use of Incorrect Operator
  • CONSTANT_EXPRESSION_RESULT
Scala 482 Comparing instead of Assigning
  • NO_EFFECT
Scala 483 Incorrect Block Delimitation
  • NESTING_INDENT_MISMATCH
Scala 561 Dead Code
  • DEADCODE
Scala 569 Expression Issues
  • CONSTANT_EXPRESSION_RESULT
Scala 783 Operator Precedence Logic Error
  • CONSTANT_EXPRESSION_RESULT
Swift 20 Improper Input Validation
  • REGEX_INJECTION
  • SCRIPT_CODE_INJECTION
Swift 89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
  • SQLI
Swift 209 Information Exposure Through an Error Message
  • SENSITIVE_DATA_LEAK
Swift 227 Improper Fulfillment of API Contract ('API Abuse')
  • BAD_CERT_VERIFICATION
Swift 287 Improper Authentication
  • WEAK_BIOMETRIC_AUTH
Swift 313 Cleartext Sensitive Data in a Database
  • SENSITIVE_DATA_LEAK
  • UNENCRYPTED_SENSITIVE_DATA
Swift 314 Cleartext Storage in the Registry
  • SENSITIVE_DATA_LEAK
Swift 315 Cleartext Storage of Sensitive Information in a Cookie
  • SENSITIVE_DATA_LEAK
  • UNENCRYPTED_SENSITIVE_DATA
Swift 317 Cleartext Storage of Sensitive Information in GUI
  • SENSITIVE_DATA_LEAK
Swift 319 Cleartext Transmission of Sensitive Information
  • SENSITIVE_DATA_LEAK
  • INSECURE_MULTIPEER_CONNECTION
  • INSECURE_COMMUNICATION
  • CONFIG.ATS_INSECURE
  • UNENCRYPTED_SENSITIVE_DATA
Swift 327 Use of a Broken or Risky Cryptographic Algorithm
  • RISKY_CRYPTO
Swift 328 Reversible One-Way Hash
  • RISKY_CRYPTO
Swift 391 Unchecked Error Condition
  • UNEXPECTED_CONTROL_FLOW
Swift 398 Indicator of Poor Code Quality
  • COPY_PASTE_ERROR
  • UNEXPECTED_CONTROL_FLOW
  • IDENTICAL_BRANCHES
  • PW.*
Swift 476 NULL Pointer Dereference
  • FORWARD_NULL
  • REVERSE_INULL
Swift 480 Use of Incorrect Operator
  • CONSTANT_EXPRESSION_RESULT
Swift 532 Information Exposure Through Log Files
  • SENSITIVE_DATA_LEAK
Swift 561 Dead Code
  • DEADCODE
Swift 569 Expression Issues
  • CONSTANT_EXPRESSION_RESULT
Swift 710 Improper Adherence to Coding Standards
  • PROPERTY_MIXUP
Swift 798 Use of Hard-coded Credentials
  • HARDCODED_CREDENTIALS
Swift 829 Inclusion of Functionality from Untrusted Control Sphere
  • CUSTOM_KEYBOARD_DATA_LEAK
VB.NET 79 Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
  • XSS
VB.NET 89 Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
  • SQLI
  • SQL_NOT_CONSTANT
VB.NET 90 Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')
  • LDAP_INJECTION
VB.NET 209 Information Exposure Through an Error Message
  • SENSITIVE_DATA_LEAK
VB.NET 223 Omission of Security-relevant Information
  • UNLOGGED_SECURITY_EXCEPTION
VB.NET 285 Improper Authorization
  • MISSING_AUTHZ
  • SQLI
  • SQL_NOT_CONSTANT
VB.NET 311 Missing Encryption of Sensitive Data
  • SENSITIVE_DATA_LEAK
VB.NET 312 Cleartext Storage of Sensitive Information
  • SENSITIVE_DATA_LEAK
VB.NET 319 Cleartext Transmission of Sensitive Information
  • SENSITIVE_DATA_LEAK
VB.NET 321 Key Management Errors
  • HARDCODED_CREDENTIALS
VB.NET 327 Use of a Broken or Risky Cryptographic Algorithm
  • RISKY_CRYPTO
  • WEAK_PASSWORD_HASH
VB.NET 328 Reversible One-Way Hash
  • RISKY_CRYPTO
VB.NET 398 Indicator of Poor Code Quality
  • COPY_PASTE_ERROR
  • UNEXPECTED_CONTROL_FLOW
  • IDENTICAL_BRANCHES
VB.NET 404 Improper Resource Shutdown or Release
  • RESOURCE_LEAK
VB.NET 459 Incomplete Cleanup
  • RESOURCE_LEAK
VB.NET 476 NULL Pointer Dereference
  • FORWARD_NULL
  • REVERSE_INULL
  • NULL_RETURNS
VB.NET 502 Deserialization of Untrusted Data
  • UNSAFE_DESERIALIZATION
VB.NET 561 Dead Code
  • DEADCODE
  • UNREACHABLE
VB.NET 573 Improper Following of Specification by Caller
  • CALL_SUPER
VB.NET 611 Improper Restriction of XML External Entity Reference ('XXE')
  • XML_EXTERNAL_ENTITY
VB.NET 619 Dangling Database Cursor ('Cursor Injection')
  • RESOURCE_LEAK
VB.NET 639 Authorization Bypass Through User-Controlled Key
  • SQLI
  • SQL_NOT_CONSTANT
VB.NET 683 Function Call With Incorrect Order of Arguments
  • SWAPPED_ARGUMENTS
  • RESOURCE_LEAK
VB.NET 690 Unchecked Return Value to NULL Pointer Dereference
  • REVERSE_INULL
VB.NET 763 Release of Invalid Pointer or Reference
  • RESOURCE_LEAK
VB.NET 772 Missing Release of Resource after Effective Lifetime
  • RESOURCE_LEAK
VB.NET 776 Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')
  • XML_EXTERNAL_ENTITY
VB.NET 778 Insufficient Logging
  • UNLOGGED_SECURITY_EXCEPTION
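The table above is easy to read but awkward to consume from a build or triage pipeline, where a Coverity defect arrives carrying a checker name and the compliance report wants CWE IDs. The script below is an added example, not Coverity's or MITRE's own code: it parses the flattened layout used on this page (a `Language CWE Name` header line followed by one `•` bullet per checker) into a queryable mapping, merges rows that repeat a language/CWE pair (the page lists CWE-313 twice for several languages), strips the trailing periods and curly quotes that appear in some names, and then inverts the mapping so that a checker name can be tagged with every CWE it covers. The `SAMPLE` rows are copied from the page; treating a name ending in `.*` (such as `PW.*`) as a prefix wildcard is an assumption about Coverity's notation, not something the page states.

```python
"""Parse a Coverity CWE-coverage table in this page's flattened text layout
and invert it to map checker names back to CWE IDs.  Added example; the
sample rows are copied from the page and embedded so it runs offline."""
import re
from collections import defaultdict

# Constructed sample: a few rows copied from the page, in its own layout.
SAMPLE = """\
Java 609 Double-Checked Locking
  • FB.DC_DOUBLECHECK
Javascript 79 Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
  • DOM_XSS
  • XSS
  • ANGULAR_BYPASS_SECURITY
  • ANGULAR_ELEMENT_REFERENCE
Node.js 313 Cleartext Storage in a File or on Disk
  • SENSITIVE_DATA_LEAK
Node.js 313 Cleartext Sensitive Data in a Database
  • SENSITIVE_DATA_LEAK
Ruby 400 Uncontrolled Resource Consumption ('Resource Exhaustion').
  • RAILS_DEFAULT_ROUTES
  • RESOURCE_LEAK
  • RUBY_VULNERABLE_LIBRARY
Swift 398 Indicator of Poor Code Quality
  • COPY_PASTE_ERROR
  • PW.*
VB.NET 89 Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
  • SQLI
  • SQL_NOT_CONSTANT
"""

# Header: "<language> <cwe id> <name>".  Language names may contain a dot
# (Node.js, VB.NET) but never a space, which keeps the split unambiguous.
# The optional trailing "\.?" drops the stray period some page rows carry.
HEADER_RE = re.compile(r"^(\S+)\s+(\d+)\s+(.+?)\.?\s*$")
BULLET_RE = re.compile(r"^\s*•\s*(\S+)\s*$")


def normalize_name(name):
    """Fold the page's curly quotes to ASCII so names compare reliably."""
    return name.replace("‘", "'").replace("’", "'")


def parse_coverage(text):
    """Return {(language, cwe_id): {"names": [...], "checkers": set()}}.
    Repeated (language, CWE) rows are merged, not overwritten."""
    table = {}
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = BULLET_RE.match(line)
        if m:
            if current is None:
                raise ValueError("checker bullet before any header: %r" % line)
            table[current]["checkers"].add(m.group(1))
            continue
        m = HEADER_RE.match(line)
        if not m:
            raise ValueError("unrecognised line: %r" % line)
        lang, cwe, name = m.group(1), int(m.group(2)), normalize_name(m.group(3))
        current = (lang, cwe)
        entry = table.setdefault(current, {"names": [], "checkers": set()})
        if name not in entry["names"]:
            entry["names"].append(name)
    return table


def checkers_for(table, language, cwe):
    """Checkers Coverity maps to one CWE for one language (sorted; may be empty)."""
    return sorted(table.get((language, cwe), {"checkers": set()})["checkers"])


def invert(table):
    """checker -> {language -> sorted CWE ids}: the direction a triage
    pipeline needs, since a Coverity defect carries only a checker name."""
    inv = defaultdict(lambda: defaultdict(set))
    for (lang, cwe), entry in table.items():
        for checker in entry["checkers"]:
            inv[checker][lang].add(cwe)
    return {c: {l: sorted(s) for l, s in langs.items()} for c, langs in inv.items()}


def cwes_for_checker(inv, checker, language):
    """CWE IDs for a defect.  Assumption: a table entry ending in '.*'
    (e.g. 'PW.*') is a prefix wildcard covering every checker under it."""
    hits = set(inv.get(checker, {}).get(language, []))
    for name, langs in inv.items():
        if name.endswith(".*") and checker.startswith(name[:-1]):
            hits.update(langs.get(language, []))
    return sorted(hits)


if __name__ == "__main__":
    tbl = parse_coverage(SAMPLE)
    inv = invert(tbl)
    print(checkers_for(tbl, "Javascript", 79))
    print(cwes_for_checker(inv, "SENSITIVE_DATA_LEAK", "Node.js"))
    print(cwes_for_checker(inv, "PW.FOO", "Swift"))
```

The inverse mapping is many-to-many: on the full table a checker such as SENSITIVE_DATA_LEAK covers a dozen CWEs for one language, so a report that attaches CWE IDs to defects should either list all of them or apply a project-specific preference rather than silently taking the first. Feed the whole page into `parse_coverage` to get the complete mapping; the parser raises on any line it cannot classify, which is the right behaviour when the page layout changes.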