Snyk Code security rules

Snyk Code rules are updated continuously: new rules are added over time, and existing rules may change to provide the best protection for your code.

If you have followed a link for code quality from an IDE, see the language documentation for that information.

This page lists all security rules used by Snyk Code when scanning your source code for vulnerabilities.

Each rule includes the following information.

  • Rule Name: The Snyk name of the rule.

  • Languages: The programming languages to which this specific rule applies. Note that there might be two rules with the same name that apply to different languages.

  • CWE(s): The CWE numbers that are covered by this rule.

  • Security Categories: The OWASP Top 10 (2021 edition) category to which the rule belongs, if any, and whether the rule's CWE is included in the SANS/CWE Top 25.

| Rule Name | Language(s) | CWE(s) | Security Categories |
|---|---|---|---|
| ASP SSL Disabled | XML | CWE-319 | OWASP:A02 |
| Access Violation | Apex | CWE-284, CWE-285 | OWASP:A01 |
| Allocation of Resources Without Limits or Throttling | JavaScript, PHP | CWE-770 | |
| An optimizing compiler may remove memset non-zero leaving data in memory | C++ | CWE-1330 | |
| Android Debug Mode Enabled | XML | CWE-489 | |
| Android Fragment Injection | Java, Kotlin | CWE-470 | OWASP:A03 |
| Android Intent Forwarding | Java, Kotlin | CWE-940 | OWASP:A07 |
| Android Uri Permission Manipulation | Java, Kotlin | CWE-266 | OWASP:A04 |
| Android World Writeable/Readable File Permission Found | Java, Kotlin, Scala | CWE-732 | |
| Anti-forgery token validation disabled | C# | CWE-352 | Sans Top 25, OWASP:A01 |
| Arbitrary File Write via Archive Extraction (Tar Slip) | Python | CWE-22 | Sans Top 25, OWASP:A01 |
| Arbitrary File Write via Archive Extraction (Zip Slip) | C#, JavaScript, PHP | CWE-22 | Sans Top 25, OWASP:A01 |
| Authentication Bypass by Spoofing | C++ | CWE-290 | OWASP:A07 |
| Authentication over HTTP | Python | CWE-319 | OWASP:A02 |
| Binding to all network interfaces may open service to unintended traffic | Python | CWE-284 | OWASP:A01 |
| Broken User Authentication | Python | CWE-287 | Sans Top 25, OWASP:A07 |
| Buffer Over-read | JavaScript | CWE-126 | |
| Buffer Overflow | C++ | CWE-122 | |
| Clear Text Logging | Go, Swift | CWE-200, CWE-312 | OWASP:A01, OWASP:A04 |
| Clear Text Sensitive Storage | Apex, JavaScript | CWE-200, CWE-312 | OWASP:A01, OWASP:A04 |
| Cleartext Storage of Sensitive Information in a Cookie | C#, Java, Kotlin, Scala | CWE-315 | OWASP:A05 |
| Cleartext Transmission of Sensitive Information | Java, JavaScript, Kotlin, Scala | CWE-319 | OWASP:A02 |
| Code Execution via Third Party Package Context | Java, Kotlin | CWE-94 | Sans Top 25, OWASP:A03 |
| Code Execution via Third Party Package Installation | Java, Kotlin | CWE-940 | OWASP:A07 |
| Code Injection | C#, Java, JavaScript, Kotlin, PHP, Python, Ruby, Scala, Swift, Visual Basic | CWE-94 | Sans Top 25, OWASP:A03 |
| Command Injection | Apex, C#, C++, Go, Java, JavaScript, Kotlin, PHP, Python, Ruby, Rust, Scala, Swift, Visual Basic | CWE-78 | Sans Top 25, OWASP:A03 |
| Cross-Site Request Forgery (CSRF) | Java, JavaScript, Kotlin, Python, Scala | CWE-352 | Sans Top 25, OWASP:A01 |
| Cross-site Scripting (XSS) | Apex, C#, C++, Go, Java, JavaScript, Kotlin, PHP, Python, Ruby, Rust, Scala, Swift, Visual Basic | CWE-79 | Sans Top 25, OWASP:A03 |
| Cryptographic Issues | Java, JavaScript, Kotlin, Python, Scala | CWE-310 | OWASP:A02 |
| Debug Features Enabled | C#, Visual Basic, XML | CWE-215 | |
| Debug Mode Enabled | Python | CWE-489 | |
| Denial of Service (DoS) through Nested GraphQL Queries | JavaScript | CWE-400 | |
| Dereference of a NULL Pointer | C++ | CWE-476 | Sans Top 25 |
| Deserialization of Untrusted Data | C#, Java, JavaScript, Kotlin, PHP, Python, Ruby, Scala, Visual Basic | CWE-502 | Sans Top 25, OWASP:A08 |
| Device Authentication Bypass | Swift | CWE-287 | Sans Top 25, OWASP:A07 |
| Disabled Neutralization of CRLF Sequences in HTTP Headers | Java, Kotlin, Scala | CWE-113 | OWASP:A03 |
| Disabling Strict Contextual escaping (SCE) could provide additional attack surface for Cross-site Scripting (XSS) | JavaScript | CWE-79 | Sans Top 25, OWASP:A03 |
| Division By Zero | C++ | CWE-369 | |
| Double Free | C++ | CWE-415 | |
| Electron Disable Security Warnings | JavaScript | CWE-16 | OWASP:A05 |
| Electron Insecure Web Preferences | JavaScript | CWE-16 | OWASP:A05 |
| Electron Load Insecure Content | JavaScript | CWE-16 | OWASP:A05 |
| Exposure of Private Personal Information to an Unauthorized Actor | C#, C++ | CWE-359 | OWASP:A01 |
| External Control of System or Configuration Setting | Java, Kotlin, Scala | CWE-15 | OWASP:A05 |
| File Access Enabled | Java, Kotlin | CWE-200 | OWASP:A01 |
| File Inclusion | PHP | CWE-98 | OWASP:A03 |
| Generation of Error Message Containing Sensitive Information | Go, XML | CWE-209 | OWASP:A04 |
| GraphQL Injection | JavaScript | CWE-89 | Sans Top 25, OWASP:A03 |
| Hardcoded Secret | Apex, C#, Cobol, Go, Java, JavaScript, Kotlin, PHP, Python, Ruby, Rust, Scala, Swift, Visual Basic | CWE-547 | OWASP:A05 |
| Improper Access Control: Email Content Injection | Apex, Go, PHP | CWE-284 | OWASP:A01 |
| Improper Authentication | Java, Kotlin, Scala | CWE-287 | Sans Top 25, OWASP:A07 |
| Improper Certificate Validation | Go, Java, Kotlin, Python, Ruby, Scala, Swift | CWE-295 | OWASP:A07 |
| Improper Code Sanitization | JavaScript | CWE-116, CWE-79, CWE-94 | Sans Top 25, OWASP:A03 |
| Improper Handling of Insufficient Permissions or Privileges | Java, Kotlin, Python | CWE-280 | OWASP:A04 |
| Improper Input Validation | Ruby | CWE-20 | Sans Top 25, OWASP:A03 |
| Improper Neutralization of CRLF Sequences in HTTP Headers | C#, Java, Kotlin, Scala, Visual Basic | CWE-113 | OWASP:A03 |
| Improper Neutralization of Directives in Statically Saved Code | Go, JavaScript, Python, Ruby | CWE-96 | OWASP:A03 |
| Improper Null Termination | C++ | CWE-170 | |
| Improper Restriction of Rendered UI Layers or Frames | JavaScript, PHP, XML | CWE-1021 | OWASP:A04 |
| Improper Type Validation | JavaScript | CWE-1287 | |
| Improper Validation of Certificate with Host Mismatch | Java, Kotlin, Scala | CWE-297 | OWASP:A07 |
| Improperly Controlled Modification of Dynamically-Determined Object Attributes | Ruby | CWE-915 | OWASP:A08 |
| Inadequate Encryption Strength | C#, C++, Go, Java, Kotlin, PHP, Python, Scala, Swift, Visual Basic | CWE-326 | OWASP:A02 |
| Inadequate Padding for AES encryption | Java, Kotlin, Scala | CWE-326 | OWASP:A02 |
| Inadequate Padding for Public Key Encryption | PHP, Rust | CWE-326 | OWASP:A02 |
| Incorrect Permission Assignment | Java, Kotlin | CWE-732 | |
| Incorrect regular expression for validating values | Ruby | CWE-1286 | |
| Indirect Command Injection via User Controlled Environment | Java, Kotlin, Scala | CWE-78 | Sans Top 25, OWASP:A03 |
| Information Exposure | C#, Java, JavaScript, Kotlin, PHP, Ruby, Scala, Swift | CWE-200 | OWASP:A01 |
| Insecure Anonymous LDAP Binding | C++ | CWE-287 | Sans Top 25, OWASP:A07 |
| Insecure Data Storage | Swift | CWE-922 | OWASP:A01 |
| Insecure Data Transmission | Apex, C#, Ruby | CWE-319 | OWASP:A02 |
| Insecure Deserialization | Swift | CWE-502 | Sans Top 25, OWASP:A08 |
| Insecure File Permissions | Python, Rust | CWE-732 | |
| Insecure JWT Verification Method | JavaScript | CWE-347 | OWASP:A02 |
| Insecure TLS Configuration | Go, JavaScript | CWE-327 | OWASP:A02 |
| Insecure Temporary File | Python | CWE-377 | OWASP:A01 |
| Insecure Xml Parser | Python | CWE-611 | OWASP:A05 |
| Insecure default value | Python | CWE-453 | |
| Insufficient Session Expiration | Java, Kotlin, Scala | CWE-613 | OWASP:A07 |
| Insufficient postMessage Validation | JavaScript | CWE-20 | Sans Top 25, OWASP:A03 |
| Integer Overflow | C++ | CWE-190 | Sans Top 25 |
| Introspection Enabled | JavaScript | CWE-200 | OWASP:A01 |
| JWT 'none' Algorithm Supported | JavaScript | CWE-347 | OWASP:A02 |
| JWT Signature Verification Bypass | Java | CWE-347 | OWASP:A02 |
| JWT Signature Verification Method Disabled | JavaScript | CWE-347 | OWASP:A02 |
| Java Naming and Directory Interface (JNDI) Injection | Java, Kotlin, Scala | CWE-074 | |
| JavaScript Enabled | Java, Kotlin | CWE-79 | Sans Top 25, OWASP:A03 |
| Jinja auto-escape is set to false. | Python | CWE-79 | Sans Top 25, OWASP:A03 |
| LDAP Injection | C#, C++, Java, Kotlin, Python, Scala | CWE-90 | |