Snyk Code security rules
Snyk Code rules are updated continuously: the list expands over time, and existing rules may change to provide the best protection for your code.
This page lists all security rules used by Snyk Code when scanning your source code for vulnerabilities.
Each rule includes the following information.
Rule Name: The Snyk name of the rule.
Languages: The programming languages to which this specific rule applies. Note that there might be two rules with the same name that apply to different languages.
CWE(s): The CWE numbers that are covered by this rule.
Security Categories: The OWASP Top 10 (2021 edition) category to which the rule belongs, if any, and whether the rule is included in the SANS Top 25.
| Rule Name | Languages | CWE(s) | Security Categories |
| --- | --- | --- | --- |
| ASP SSL Disabled | XML | CWE-319 | OWASP:A02 |
| Access Violation | Apex | CWE-284, CWE-285 | OWASP:A01 |
| Allocation of Resources Without Limits or Throttling | JavaScript, PHP | CWE-770 | |
| An optimizing compiler may remove memset non-zero leaving data in memory | C++ | CWE-1330 | |
| Android Debug Mode Enabled | XML | CWE-489 | |
| Android Fragment Injection | Java, Kotlin | CWE-470 | OWASP:A03 |
| Android Intent Forwarding | Java, Kotlin | CWE-940 | OWASP:A07 |
| Android Uri Permission Manipulation | Java, Kotlin | CWE-266 | OWASP:A04 |
| Android World Writeable/Readable File Permission Found | Java, Kotlin, Scala | CWE-732 | |
| Anti-forgery token validation disabled | C# | CWE-352 | Sans Top 25, OWASP:A01 |
| Arbitrary File Write via Archive Extraction (Tar Slip) | Python | CWE-22 | Sans Top 25, OWASP:A01 |
| Arbitrary File Write via Archive Extraction (Zip Slip) | C#, JavaScript, PHP | CWE-22 | Sans Top 25, OWASP:A01 |
| Authentication Bypass by Spoofing | C++ | CWE-290 | OWASP:A07 |
| Authentication over HTTP | Python | CWE-319 | OWASP:A02 |
| Binding to all network interfaces may open service to unintended traffic | Python | CWE-284 | OWASP:A01 |
| Broken User Authentication | Python | CWE-287 | Sans Top 25, OWASP:A07 |
| Buffer Over-read | JavaScript | CWE-126 | |
| Buffer Overflow | C++ | CWE-122 | |
| Clear Text Logging | Go, Swift | CWE-200, CWE-312 | OWASP:A01, OWASP:A04 |
| Clear Text Sensitive Storage | Apex, JavaScript | CWE-200, CWE-312 | OWASP:A01, OWASP:A04 |
| Cleartext Storage of Sensitive Information in a Cookie | C#, Java, Kotlin, Scala | CWE-315 | OWASP:A05 |
| Cleartext Transmission of Sensitive Information | Java, JavaScript, Kotlin, Scala | CWE-319 | OWASP:A02 |
| Code Execution via Third Party Package Context | Java, Kotlin | CWE-94 | Sans Top 25, OWASP:A03 |
| Code Execution via Third Party Package Installation | Java, Kotlin | CWE-940 | OWASP:A07 |
| Code Injection | C#, Java, JavaScript, Kotlin, PHP, Python, Ruby, Scala, Swift, Visual Basic | CWE-94 | Sans Top 25, OWASP:A03 |
| Command Injection | Apex, C#, C++, Go, Java, JavaScript, Kotlin, PHP, Python, Ruby, Rust, Scala, Swift, Visual Basic | CWE-78 | Sans Top 25, OWASP:A03 |
| Cross-Site Request Forgery (CSRF) | Java, JavaScript, Kotlin, Python, Scala | CWE-352 | Sans Top 25, OWASP:A01 |
| Cross-site Scripting (XSS) | Apex, C#, C++, Go, Java, JavaScript, Kotlin, PHP, Python, Ruby, Rust, Scala, Swift, Visual Basic | CWE-79 | Sans Top 25, OWASP:A03 |
| Cryptographic Issues | Java, JavaScript, Kotlin, Python, Scala | CWE-310 | OWASP:A02 |
| Debug Features Enabled | C#, Visual Basic, XML | CWE-215 | |
| Debug Mode Enabled | Python | CWE-489 | |
| Denial of Service (DoS) through Nested GraphQL Queries | JavaScript | CWE-400 | |
| Dereference of a NULL Pointer | C++ | CWE-476 | Sans Top 25 |
| Deserialization of Untrusted Data | C#, Java, JavaScript, Kotlin, PHP, Python, Ruby, Scala, Visual Basic | CWE-502 | Sans Top 25, OWASP:A08 |
| Device Authentication Bypass | Swift | CWE-287 | Sans Top 25, OWASP:A07 |
| Disabled Neutralization of CRLF Sequences in HTTP Headers | Java, Kotlin, Scala | CWE-113 | OWASP:A03 |
| Disabling Strict Contextual escaping (SCE) could provide additional attack surface for Cross-site Scripting (XSS) | JavaScript | CWE-79 | Sans Top 25, OWASP:A03 |
| Division By Zero | C++ | CWE-369 | |
| Double Free | C++ | CWE-415 | |
| Electron Disable Security Warnings | JavaScript | CWE-16 | OWASP:A05 |
| Electron Insecure Web Preferences | JavaScript | CWE-16 | OWASP:A05 |
| Electron Load Insecure Content | JavaScript | CWE-16 | OWASP:A05 |
| Exposure of Private Personal Information to an Unauthorized Actor | C#, C++ | CWE-359 | OWASP:A01 |
| External Control of System or Configuration Setting | Java, Kotlin, Scala | CWE-15 | OWASP:A05 |
| File Access Enabled | Java, Kotlin | CWE-200 | OWASP:A01 |
| File Inclusion | PHP | CWE-98 | OWASP:A03 |
| Generation of Error Message Containing Sensitive Information | Go, XML | CWE-209 | OWASP:A04 |
| GraphQL Injection | JavaScript | CWE-89 | Sans Top 25, OWASP:A03 |
| Hardcoded Secret | Apex, C#, Go, Java, JavaScript, Kotlin, PHP, Python, Ruby, Rust, Scala, Swift, Visual Basic | CWE-547 | OWASP:A05 |
| Improper Access Control: Email Content Injection | Apex, Go, PHP | CWE-284 | OWASP:A01 |
| Improper Authentication | Java, Kotlin, Scala | CWE-287 | Sans Top 25, OWASP:A07 |
| Improper Certificate Validation | Go, Java, Kotlin, Python, Ruby, Scala, Swift | CWE-295 | OWASP:A07 |
| Improper Code Sanitization | JavaScript | CWE-116, CWE-79, CWE-94 | Sans Top 25, OWASP:A03 |
| Improper Handling of Insufficient Permissions or Privileges | Java, Kotlin, Python | CWE-280 | OWASP:A04 |
| Improper Input Validation | Ruby | CWE-20 | Sans Top 25, OWASP:A03 |
| Improper Neutralization of CRLF Sequences in HTTP Headers | C#, Java, Kotlin, Scala, Visual Basic | CWE-113 | OWASP:A03 |
| Improper Neutralization of Directives in Statically Saved Code | Go, JavaScript, Python, Ruby | CWE-96 | OWASP:A03 |
| Improper Null Termination | C++ | CWE-170 | |
| Improper Restriction of Rendered UI Layers or Frames | JavaScript, PHP, XML | CWE-1021 | OWASP:A04 |
| Improper Type Validation | JavaScript | CWE-1287 | |
| Improper Validation of Certificate with Host Mismatch | Java, Kotlin, Scala | CWE-297 | OWASP:A07 |
| Improperly Controlled Modification of Dynamically-Determined Object Attributes | Ruby | CWE-915 | OWASP:A08 |
| Inadequate Encryption Strength | C#, C++, Go, Java, Kotlin, PHP, Python, Scala, Swift, Visual Basic | CWE-326 | OWASP:A02 |
| Inadequate Padding for AES encryption | Java, Kotlin, Scala | CWE-326 | OWASP:A02 |
| Inadequate Padding for Public Key Encryption | PHP, Rust | CWE-326 | OWASP:A02 |
| Incorrect Permission Assignment | Java, Kotlin | CWE-732 | |
| Incorrect regular expression for validating values | Ruby | CWE-1286 | |
| Indirect Command Injection via User Controlled Environment | Java, Kotlin, Scala | CWE-78 | Sans Top 25, OWASP:A03 |
| Information Exposure | C#, Java, JavaScript, Kotlin, PHP, Ruby, Scala, Swift | CWE-200 | OWASP:A01 |
| Insecure Anonymous LDAP Binding | C++ | CWE-287 | Sans Top 25, OWASP:A07 |
| Insecure Data Storage | Swift | CWE-922 | OWASP:A01 |
| Insecure Data Transmission | Apex, C#, Ruby | CWE-319 | OWASP:A02 |
| Insecure Deserialization | Swift | CWE-502 | Sans Top 25, OWASP:A08 |
| Insecure File Permissions | Python, Rust | CWE-732 | |
| Insecure JWT Verification Method | JavaScript | CWE-347 | OWASP:A02 |
| Insecure TLS Configuration | Go, JavaScript | CWE-327 | OWASP:A02 |
| Insecure Temporary File | Python | CWE-377 | OWASP:A01 |
| Insecure Xml Parser | Python | CWE-611 | OWASP:A05 |
| Insecure default value | Python | CWE-453 | |
| Insufficient Session Expiration | Java, Kotlin, Scala | CWE-613 | OWASP:A07 |
| Insufficient postMessage Validation | JavaScript | CWE-20 | Sans Top 25, OWASP:A03 |
| Integer Overflow | C++ | CWE-190 | Sans Top 25 |
| Introspection Enabled | JavaScript | CWE-200 | OWASP:A01 |
| JWT 'none' Algorithm Supported | JavaScript | CWE-347 | OWASP:A02 |
| JWT Signature Verification Bypass | Java | CWE-347 | OWASP:A02 |
| JWT Signature Verification Method Disabled | JavaScript | CWE-347 | OWASP:A02 |
| Java Naming and Directory Interface (JNDI) Injection | Java, Kotlin, Scala | CWE-074 | |
| JavaScript Enabled | Java, Kotlin | CWE-79 | Sans Top 25, OWASP:A03 |
| Jinja auto-escape is set to false. | Python | CWE-79 | Sans Top 25, OWASP:A03 |
| LDAP Injection | C#, C++, Java, Kotlin, Python, Scala | CWE-90 | OWASP:A03 |
| Log Forging | C# | CWE-117 | OWASP:A09 |
| Memory Allocation Of String Length | C++ | CWE-170 | |
| Memory Corruption | Swift | CWE-822 | |
| Missing Release of File Descriptor or Handle after Effective Lifetime | C++ | CWE-775 | |
| Missing Release of Memory after Effective Lifetime | C++ | CWE-401 | |
| No Weak Password Requirements | Ruby | CWE-521 | OWASP:A07 |
| NoSQL Injection | Java, JavaScript, Python | CWE-943 | |
| Observable Timing Discrepancy | Rust | CWE-208 | |
| Observable Timing Discrepancy (Timing Attack) | Java, JavaScript, Kotlin, Scala | CWE-208 | |
| Open Redirect | Apex, C#, Go, Java, JavaScript, Kotlin, PHP, Python, Ruby, Rust, Scala, Visual Basic | CWE-601 | OWASP:A01 |
| Origin Validation Error | Java, JavaScript, Kotlin, PHP, Python, Rust, Scala | CWE-346, CWE-942 | OWASP:A05, OWASP:A07 |
| Password Requirements Not Enforced in Django Application | Python | CWE-521 | OWASP:A07 |
| Path Traversal | C#, C++, Go, Java, JavaScript, Kotlin, PHP, Python, Ruby, Rust, Scala, Swift, Visual Basic | CWE-23 | OWASP:A01 |
| Permissive Cross-domain Policy | JavaScript | CWE-942 | OWASP:A05 |
| Potential Negative Number Used as Index | C++ | CWE-125, CWE-787 | Sans Top 25 |
| Potential buffer overflow from usage of unsafe function | C++ | CWE-122 | |
| Privacy Leak | Java | CWE-532 | OWASP:A09 |
| Process Control | Java, Kotlin, Scala | CWE-114 | |
| Prototype Pollution | JavaScript | CWE-1321 | |
| Python 2 source code | Python | CWE-1104 | OWASP:A06 |
| Regular Expression Denial of Service (ReDoS) | JavaScript, PHP, Python, Ruby | CWE-400 | |
| Regular expression injection | Apex, C#, Java, Kotlin, Scala, Visual Basic | CWE-400, CWE-730 | |
| Remote Code Execution via Endpoint | Ruby | CWE-94 | Sans Top 25, OWASP:A03 |
| Request Validation Disabled | C#, Visual Basic, XML | CWE-554 | |
| SOQL Injection | Apex | CWE-89 | Sans Top 25, OWASP:A03 |
| SOSL Injection | Apex | CWE-89 | Sans Top 25, OWASP:A03 |
| SQL Injection | C#, C++, Go, Java, JavaScript, Kotlin, PHP, Python, Ruby, Rust, Scala, Swift, Visual Basic | CWE-89 | Sans Top 25, OWASP:A03 |
| Selection of Less-Secure Algorithm During Negotiation (Force SSL) | Ruby | CWE-311, CWE-757 | OWASP:A04, OWASP:A02 |
| Selection of Less-Secure Algorithm During Negotiation (SSL instead of TLS) | Python | CWE-757 | OWASP:A02 |
| Sensitive Cookie Without 'HttpOnly' Flag | C#, Go, Java, JavaScript, Kotlin, PHP, Python, Ruby, Scala, Visual Basic | CWE-1004 | OWASP:A05 |
| Sensitive Cookie in HTTPS Session Without 'Secure' Attribute | Apex, C#, Go, Java, JavaScript, Kotlin, PHP, Python, Ruby, Scala, Swift, Visual Basic | CWE-614 | OWASP:A05 |
| Server Information Exposure | Java, Kotlin, Python, Scala | CWE-209 | OWASP:A04 |
| Server-Side Request Forgery (SSRF) | Apex, C#, C++, Go, Java, JavaScript, Kotlin, PHP, Python, Rust, Scala, Swift, Visual Basic | CWE-918 | Sans Top 25, OWASP:A10 |
| Session Manipulation | Ruby | CWE-285 | OWASP:A01 |
| Sinatra Protection Layers Disabled | Ruby | CWE-1021, CWE-16, CWE-348, CWE-35, CWE-352, CWE-693, CWE-79 | Sans Top 25, OWASP:A01, OWASP:A05, OWASP:A03, OWASP:A04 |
| Size Used as Index | C++ | CWE-125, CWE-787 | Sans Top 25 |
| Spring Cross-Site Request Forgery (CSRF) | Java | CWE-352 | Sans Top 25, OWASP:A01 |
| Struts Development Mode Enabled | XML | CWE-489 | |
| The cipher text is equal to the provided input plain text | Java, Kotlin, Scala | CWE-311 | OWASP:A04 |
| Trust Boundary Violation | Java, Kotlin, Scala | CWE-501 | OWASP:A04 |
| Unauthorized File Access | Java, Kotlin | CWE-79 | Sans Top 25, OWASP:A03 |
| Unchecked Input for Loop Condition | JavaScript | CWE-400, CWE-606 | |
| Unprotected Storage of Credentials | Java, Kotlin, Scala | CWE-256 | OWASP:A04 |
| Unrestricted Android Broadcast | Java, Kotlin | CWE-862 | Sans Top 25, OWASP:A01 |
| Unsafe JQuery Plugin | JavaScript | CWE-116, CWE-79 | Sans Top 25, OWASP:A03 |
| Unsafe Reflection | Java, Ruby | CWE-470 | OWASP:A03 |
| Unsafe SOQL Concatenation | Apex | CWE-89 | Sans Top 25, OWASP:A03 |
| Unsafe SOSL Concatenation | Apex | CWE-89 | Sans Top 25, OWASP:A03 |
| Unverified Password Change | Apex | CWE-620 | OWASP:A07 |
| Usage of BinaryFormatter | C#, Visual Basic | CWE-502 | Sans Top 25, OWASP:A08 |
| Use After Free | C++ | CWE-416 | Sans Top 25 |
| Use dangerouslySetInnerHTML to Explicitly Handle XSS Risks | JavaScript | CWE-79 | Sans Top 25, OWASP:A03 |
| Use of Expired File Descriptor | C++ | CWE-910 | |
| Use of Externally-Controlled Format String | C++, Java, JavaScript, Kotlin, Scala | CWE-134 | |
| Use of Hardcoded Credentials | Apex, C#, Go, Java, JavaScript, Kotlin, PHP, Python, Ruby, Rust, Scala, Swift, Visual Basic | CWE-259, CWE-798 | Sans Top 25, OWASP:A07 |
| Use of Hardcoded Cryptographic Initialization Value | Python | CWE-329 | OWASP:A02 |
| Use of Hardcoded Cryptographic Key | C++, Python, Ruby | CWE-321 | OWASP:A02 |
| Use of Hardcoded Passwords | Apex, Go, Java, JavaScript, Kotlin, PHP, Python, Ruby, Rust, Scala, Swift, XML | CWE-259, CWE-798 | Sans Top 25, OWASP:A07 |
| Use of Hardcoded, Security-relevant Constants | Java, Kotlin, Scala | CWE-547 | OWASP:A05 |
| Use of Insufficiently Random Values | C#, Go, Java, JavaScript, Kotlin, PHP, Ruby, Rust, Scala, Swift, Visual Basic | CWE-330 | OWASP:A02 |
| Use of Password Hash With Insufficient Computational Effort | Apex, C#, C++, Go, Java, JavaScript, Kotlin, PHP, Python, Ruby, Rust, Scala, Swift, Visual Basic | CWE-916 | OWASP:A02 |
| Use of Potentially Dangerous Function | Java, Kotlin, Scala | CWE-676 | |
| Use of Sticky broadcasts | Java, Kotlin | CWE-265 | |
| Use of a Broken or Risky Cryptographic Algorithm | C#, Go, Java, JavaScript, Kotlin, PHP, Python, Ruby, Rust, Scala, Swift, Visual Basic | CWE-327 | OWASP:A02 |
| User Controlled Pointer | C++ | CWE-1285 | |
| Weak Password Recovery Mechanism for Forgotten Password | JavaScript | CWE-640 | OWASP:A07 |
| XAML Injection | C# | CWE-611 | OWASP:A05 |
| XML External Entity (XXE) Injection | C#, C++, Java, JavaScript, Kotlin, PHP, Ruby, Scala, Swift, Visual Basic | CWE-611 | OWASP:A05 |
| XML Injection | Apex, C#, Visual Basic | CWE-91 | OWASP:A03 |
| XPath Injection | C#, C++, Go, Java, JavaScript, Kotlin, PHP, Python, Ruby, Scala, Visual Basic | CWE-643 | OWASP:A03 |