Links

Security Rules used by Snyk Code

Important! Snyk Security Rules list is updated continuously. This list is constantly growing, and the rules within it may change, in order to provide you with the best protection and security solutions for your code.
The following table lists the security rules that are used by Snyk Code when scanning your source code for vulnerabilities:
Notes:
  • No. & Rule Name column - __ contains consecutive numbers for each rule, and the Snyk name of the rule.
  • CWE(s) column - the CWE numbers covered by this rule.
  • OWASP Top 10/SANS 25 column - indicates if and to which OWASP Top 10 items (2021 edition) the rule belongs, and if it is included in SANS 25.
  • Supported Languages column - lists the programming languages to which this specific rule applies. Note that there might be two rules with the same name that apply to different languages.
No. & Rule Name
CWE(s)
OWASP Top 10/SANS 25
Supported Languages
(1) Use of Hardcoded Credentials
(798) Use of Hard-coded Credentials
OWASP Top Ten 2021 Category A07:2021 - Identification and Authentication Failures
PHP
(259) Use of Hard-coded Password
SANS/CWE Top 25
Ruby
Go
Java
JavaScript, TypeScript
Python
C# & ASP.NET (Beta)
Apex
(2) Use of Password Hash With Insufficient Computational Effort
(916) Use of Password Hash With Insufficient Computational Effort
OWASP Top Ten 2021 Category A02:2021 - Cryptographic Failures
Python
JavaScript, TypeScript
C# & ASP.NET (Beta)
Java
Go
PHP
Apex
(3) Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
(614) Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
OWASP Top Ten 2021 Category A05:2021 - Security Misconfiguration
PHP
JavaScript, TypeScript
Ruby
C# & ASP.NET (Beta)
Java
Python
(4) Hardcoded Secret
(547) Use of Hard-coded, Security-relevant Constants
OWASP Top Ten 2021 Category A05:2021 - Security Misconfiguration
JavaScript, TypeScript
C# & ASP.NET (Beta)
Java
Go
PHP
Python
Ruby
Apex
(5) Insecure Data Transmission
(319) Cleartext Transmission of Sensitive Information
OWASP Top Ten 2021 Category A02:2021 - Cryptographic Failures
Ruby
C# & ASP.NET (Beta)
(6) Command Injection
(78) Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
OWASP Top Ten 2021 Category A03:2021 - Injection
Python
SANS/CWE Top 25
JavaScript,
TypeScript
Ruby
C# & ASP.NET (Beta)
Java
Go
PHP
Apex
(7) Cross-site Scripting (XSS)
(79) Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
OWASP Top Ten 2021 Category A03:2021 - Injection
Python
SANS/CWE Top 25
JavaScript, TypeScript
Ruby
C# & ASP.NET (Beta)
Java
Go
PHP
Apex
(8) Server-Side Request Forgery (SSRF)
(918) Server-Side Request Forgery (SSRF)
OWASP Top Ten 2021 Category A10:2021 - Server-Side Request Forgery (SSRF)
Python
SANS/CWE Top 25
JavaScript, TypeScript
C# & ASP.NET (Beta)
Java
Go
PHP
Apex
(9) Open Redirect
(601) URL Redirection to Untrusted Site ('Open Redirect')
OWASP Top Ten 2021 Category A01:2021 - Broken Access Control
Python
JavaScript, TypeScript
Ruby
C# & ASP.NET (Beta)
Java
Go
PHP
Apex
(10) Regular expression injection
(400) Uncontrolled Resource Consumption
Java
(730)
C# & ASP.NET (Beta)
Apex
(11) XML Injection
(611) Improper Restriction of XML External Entity Reference
OWASP Top Ten 2021 Category A05:2021 - Security Misconfiguration
C# & ASP.NET (Beta)
SANS/CWE Top 25
Apex
(12) SQL Injection
(89) Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
OWASP Top Ten 2021 Category A03:2021 - Injection
Python
SANS/CWE Top 25
JavaScript, TypeScript
Ruby
C# & ASP.NET (Beta)
Java
Go
PHP
Apex
(13) Log Forging
(117) Improper Output Neutralization for Logs
OWASP Top Ten 2021 Category A09:2021 - Security Logging and Monitoring Failures
C# & ASP.NET (Beta)
(14) Use of Hardcoded Cryptographic Key
(321) Use of Hard-coded Cryptographic Key
OWASP Top Ten 2021 Category A02:2021 - Cryptographic Failures
Python
Ruby
Apex
(15) XML External Entity (XXE) Injection
(611) Improper Restriction of XML External Entity Reference
OWASP Top Ten 2021 Category A05:2021 - Security Misconfiguration
JavaScript, TypeScript
SANS/CWE Top 25
Ruby
C# & ASP.NET (Beta)
Java
PHP
(16) Inadequate Encryption Strength
(326) Inadequate Encryption Strength
OWASP Top Ten 2021 Category A02:2021 - Cryptographic Failures
C# & ASP.NET (Beta)
Java
Go
PHP
(17) Use of Insufficiently Random Values
(330) Use of Insufficiently Random Values
OWASP Top Ten 2021 Category A02:2021 - Cryptographic Failures
PHP
Java
C# & ASP.NET (Beta)
Go
JavaScript, TypeScript
Ruby
(18) Sensitive Cookie Without 'HttpOnly' Flag
(1004) Sensitive Cookie Without 'HttpOnly' Flag
OWASP Top Ten 2021 Category A05:2021 - Security Misconfiguration
Python
Java
C# & ASP.NET (Beta)
Go
JavaScript, TypeScript
PHP
Ruby
(19) Request Validation Disabled
(554) ASP.NET Misconfiguration: Not Using Input Validation Framework
C# & ASP.NET (Beta)
(20) IgnoreAntiforgeryToken in Use
(352) Cross-Site Request Forgery (CSRF)
OWASP Top Ten 2021 Category A01:2021 - Broken Access Control
C# & ASP.NET (Beta)
SANS/CWE Top 25
(21) Debug Features Enabled
(215) Insertion of Sensitive Information Into Debugging Code
C# & ASP.NET (Beta)
(22) Deserialization of Untrusted Data
(502) Deserialization of Untrusted Data
OWASP Top Ten 2021 Category A08:2021 - Software and Data Integrity Failures
Python
SANS/CWE Top 25
JavaScript, TypeScript
Ruby
C# & ASP.NET (Beta)
Java
PHP
(23) ASP SSL Disabled
(319) Cleartext Transmission of Sensitive Information
OWASP Top Ten 2021 Category A02:2021 - Cryptographic Failures
C# & ASP.NET (Beta)
(24) Code Injection
(94) Improper Control of Generation of Code ('Code Injection')
OWASP Top Ten 2021 Category A03:2021 - Injection
Python
JavaScript, TypeScript
Ruby
C# & ASP.NET (Beta)
Java
PHP
(25) Information Exposure
(200) Exposure of Sensitive Information to an Unauthorized Actor
OWASP Top Ten 2021 Category A01:2021 - Broken Access Control
PHP
SANS/CWE Top 25
JavaScript, TypeScript
Ruby
C# & ASP.NET (Beta)
Java
(26) Exposure of Private Personal Information to an Unauthorized Actor
(359) Exposure of Private Personal Information to an Unauthorized Actor
OWASP Top Ten 2021 Category A01:2021 - Broken Access Control
C# & ASP.NET (Beta)
(27) Cleartext Storage of Sensitive Information in a Cookie
(315) Cleartext Storage of Sensitive Information in a Cookie
OWASP Top Ten 2021 Category A05:2021 - Security Misconfiguration
Java
C# & ASP.NET (Beta)
(28) LDAP Injection
(90) Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')
OWASP Top Ten 2021 Category A03:2021 - Injection
Java
C# & ASP.NET (Beta)
(29) Path Traversal
(23) Relative Path Traversal
OWASP Top Ten 2021 Category A01:2021 - Broken Access Control
Python
JavaScript, TypeScript
Ruby
C# & ASP.NET (Beta)
Java
Go
PHP
(30) XPath Injection
(643) Improper Neutralization of Data within XPath Expressions ('XPath Injection')
OWASP Top Ten 2021 Category A03:2021 - Injection
Python
JavaScript, TypeScript
Ruby
C# & ASP.NET (Beta)
Java
Go
PHP
(31) Arbitrary File Write via Archive Extraction (Zip Slip)
(22) Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
OWASP Top Ten 2021 Category A01:2021 - Broken Access Control
PHP
SANS/CWE Top 25
JavaScript, TypeScript
C# & ASP.NET (Beta)