Snyk Code security rules
Snyk Code rules are updated continuously: the list keeps expanding, and existing rules may change, to provide the best protection and security solutions for your code.
If you have followed a link for code quality from an IDE, see the language documentation for that information.
This page lists all security rules used by Snyk Code when scanning your source code for vulnerabilities.
Each rule includes the following information.
Rule Name: The Snyk name of the rule.
Languages: The programming languages to which this specific rule applies. Note that there might be two rules with the same name that apply to different languages.
CWE(s): The CWE numbers that are covered by this rule.
Security Categories: The OWASP Top 10 (2021 edition) category to which the rule belongs, if any, and whether the rule is included in the SANS Top 25.
Rule Name | Language(s) | CWE(s) | Security Categories |
---|---|---|---|
ASP SSL Disabled | XML | CWE-319 | OWASP:A02 |
Access Violation | Apex | CWE-284, CWE-285 | OWASP:A01 |
Allocation of Resources Without Limits or Throttling | JavaScript, PHP | CWE-770 | |
An optimizing compiler may remove memset non-zero leaving data in memory | C++ | CWE-1330 | |
Android Debug Mode Enabled | XML | CWE-489 | |
Android Fragment Injection | Java, Kotlin | CWE-470 | OWASP:A03 |
Android Intent Forwarding | Java, Kotlin | CWE-940 | OWASP:A07 |
Android Uri Permission Manipulation | Java, Kotlin | CWE-266 | OWASP:A04 |
Android World Writeable/Readable File Permission Found | Java, Kotlin, Scala | CWE-732 | |
Anti-forgery token validation disabled | C# | CWE-352 | Sans Top 25, OWASP:A01 |
Arbitrary File Write via Archive Extraction (Tar Slip) | Python | CWE-22 | Sans Top 25, OWASP:A01 |
Arbitrary File Write via Archive Extraction (Zip Slip) | C#, JavaScript, PHP | CWE-22 | Sans Top 25, OWASP:A01 |
Authentication Bypass by Spoofing | C++ | CWE-290 | OWASP:A07 |
Authentication over HTTP | Python | CWE-319 | OWASP:A02 |
Binding to all network interfaces may open service to unintended traffic | Python | CWE-284 | OWASP:A01 |
Broken User Authentication | Python | CWE-287 | Sans Top 25, OWASP:A07 |
Buffer Over-read | JavaScript | CWE-126 | |
Buffer Overflow | C++ | CWE-122 | |
Clear Text Logging | Go, Swift | CWE-200, CWE-312 | OWASP:A01, OWASP:A04 |
Clear Text Sensitive Storage | Apex, JavaScript | CWE-200, CWE-312 | OWASP:A01, OWASP:A04 |
Cleartext Storage of Sensitive Information in a Cookie | C#, Java, Kotlin, Scala | CWE-315 | OWASP:A05 |
Cleartext Transmission of Sensitive Information | Java, JavaScript, Kotlin, Scala | CWE-319 | OWASP:A02 |
Code Execution via Third Party Package Context | Java, Kotlin | CWE-94 | Sans Top 25, OWASP:A03 |
Code Execution via Third Party Package Installation | Java, Kotlin | CWE-940 | OWASP:A07 |
Code Injection | C#, Java, JavaScript, Kotlin, PHP, Python, Ruby, Scala, Swift, Visual Basic | CWE-94 | Sans Top 25, OWASP:A03 |
Command Injection | Apex, C#, C++, Go, Java, JavaScript, Kotlin, PHP, Python, Ruby, Rust, Scala, Swift, Visual Basic | CWE-78 | Sans Top 25, OWASP:A03 |
Cross-Site Request Forgery (CSRF) | Java, JavaScript, Kotlin, Python, Scala | CWE-352 | Sans Top 25, OWASP:A01 |
Cross-site Scripting (XSS) | Apex, C#, C++, Go, Java, JavaScript, Kotlin, PHP, Python, Ruby, Rust, Scala, Swift, Visual Basic | CWE-79 | Sans Top 25, OWASP:A03 |
Cryptographic Issues | Java, JavaScript, Kotlin, Python, Scala | CWE-310 | OWASP:A02 |
Debug Features Enabled | C#, Visual Basic, XML | CWE-215 | |
Debug Mode Enabled | Python | CWE-489 | |
Denial of Service (DoS) through Nested GraphQL Queries | JavaScript | CWE-400 | |
Dereference of a NULL Pointer | C++ | CWE-476 | Sans Top 25 |
Deserialization of Untrusted Data | C#, Java, JavaScript, Kotlin, PHP, Python, Ruby, Scala, Visual Basic | CWE-502 | Sans Top 25, OWASP:A08 |
Device Authentication Bypass | Swift | CWE-287 | Sans Top 25, OWASP:A07 |
Disabled Neutralization of CRLF Sequences in HTTP Headers | Java, Kotlin, Scala | CWE-113 | OWASP:A03 |
Disabling Strict Contextual escaping (SCE) could provide additional attack surface for Cross-site Scripting (XSS) | JavaScript | CWE-79 | Sans Top 25, OWASP:A03 |
Division By Zero | C++ | CWE-369 | |
Double Free | C++ | CWE-415 | |
Electron Disable Security Warnings | JavaScript | CWE-16 | OWASP:A05 |
Electron Insecure Web Preferences | JavaScript | CWE-16 | OWASP:A05 |
Electron Load Insecure Content | JavaScript | CWE-16 | OWASP:A05 |
Exposure of Private Personal Information to an Unauthorized Actor | C#, C++ | CWE-359 | OWASP:A01 |
External Control of System or Configuration Setting | Java, Kotlin, Scala | CWE-15 | OWASP:A05 |
File Access Enabled | Java, Kotlin | CWE-200 | OWASP:A01 |
File Inclusion | PHP | CWE-98 | OWASP:A03 |
Generation of Error Message Containing Sensitive Information | Go, XML | CWE-209 | OWASP:A04 |
GraphQL Injection | JavaScript | CWE-89 | Sans Top 25, OWASP:A03 |
Hardcoded Secret | Apex, C#, Cobol, Go, Java, JavaScript, Kotlin, PHP, Python, Ruby, Rust, Scala, Swift, Visual Basic | CWE-547 | OWASP:A05 |
Improper Access Control: Email Content Injection | Apex, Go, PHP | CWE-284 | OWASP:A01 |
Improper Authentication | Java, Kotlin, Scala | CWE-287 | Sans Top 25, OWASP:A07 |
Improper Certificate Validation | Go, Java, Kotlin, Python, Ruby, Scala, Swift | CWE-295 | OWASP:A07 |
Improper Code Sanitization | JavaScript | CWE-116, CWE-79, CWE-94 | Sans Top 25, OWASP:A03 |
Improper Handling of Insufficient Permissions or Privileges | Java, Kotlin, Python | CWE-280 | OWASP:A04 |
Improper Input Validation | Ruby | CWE-20 | Sans Top 25, OWASP:A03 |
Improper Neutralization of CRLF Sequences in HTTP Headers | C#, Java, Kotlin, Scala, Visual Basic | CWE-113 | OWASP:A03 |
Improper Neutralization of Directives in Statically Saved Code | Go, JavaScript, Python, Ruby | CWE-96 | OWASP:A03 |
Improper Null Termination | C++ | CWE-170 | |
Improper Restriction of Rendered UI Layers or Frames | JavaScript, PHP, XML | CWE-1021 | OWASP:A04 |
Improper Type Validation | JavaScript | CWE-1287 | |
Improper Validation of Certificate with Host Mismatch | Java, Kotlin, Scala | CWE-297 | OWASP:A07 |
Improperly Controlled Modification of Dynamically-Determined Object Attributes | Ruby | CWE-915 | OWASP:A08 |
Inadequate Encryption Strength | C#, C++, Go, Java, Kotlin, PHP, Python, Scala, Swift, Visual Basic | CWE-326 | OWASP:A02 |
Inadequate Padding for AES encryption | Java, Kotlin, Scala | CWE-326 | OWASP:A02 |
Inadequate Padding for Public Key Encryption | PHP, Rust | CWE-326 | OWASP:A02 |
Incorrect Permission Assignment | Java, Kotlin | CWE-732 | |
Incorrect regular expression for validating values | Ruby | CWE-1286 | |
Indirect Command Injection via User Controlled Environment | Java, Kotlin, Scala | CWE-78 | Sans Top 25, OWASP:A03 |
Information Exposure | C#, Java, JavaScript, Kotlin, PHP, Ruby, Scala, Swift | CWE-200 | OWASP:A01 |
Insecure Anonymous LDAP Binding | C++ | CWE-287 | Sans Top 25, OWASP:A07 |
Insecure Data Storage | Swift | CWE-922 | OWASP:A01 |
Insecure Data Transmission | Apex, C#, Ruby | CWE-319 | OWASP:A02 |
Insecure Deserialization | Swift | CWE-502 | Sans Top 25, OWASP:A08 |
Insecure File Permissions | Python, Rust | CWE-732 | |
Insecure JWT Verification Method | JavaScript | CWE-347 | OWASP:A02 |
Insecure TLS Configuration | Go, JavaScript | CWE-327 | OWASP:A02 |
Insecure Temporary File | Python | CWE-377 | OWASP:A01 |
Insecure Xml Parser | Python | CWE-611 | OWASP:A05 |
Insecure default value | Python | CWE-453 | |
Insufficient Session Expiration | Java, Kotlin, Scala | CWE-613 | OWASP:A07 |
Insufficient postMessage Validation | JavaScript | CWE-20 | Sans Top 25, OWASP:A03 |
Integer Overflow | C++ | CWE-190 | Sans Top 25 |
Introspection Enabled | JavaScript | CWE-200 | OWASP:A01 |
JWT 'none' Algorithm Supported | JavaScript | CWE-347 | OWASP:A02 |
JWT Signature Verification Bypass | Java | CWE-347 | OWASP:A02 |
JWT Signature Verification Method Disabled | JavaScript | CWE-347 | OWASP:A02 |
Java Naming and Directory Interface (JNDI) Injection | Java, Kotlin, Scala | CWE-074 | |
JavaScript Enabled | Java, Kotlin | CWE-79 | Sans Top 25, OWASP:A03 |
Jinja auto-escape is set to false. | Python | CWE-79 | Sans Top 25, OWASP:A03 |
LDAP Injection | C#, C++, Java, Kotlin, Python, Scala | CWE-90 |