Java rules

Rule (1) External Control of System or Configuration Setting

CWE (15) External Control of System or Configuration Setting

OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A05:2021 - Security Misconfiguration

Rule (2) Path Traversal

CWE (23) Relative Path Traversal

OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A01:2021 - Broken Access Control

Rule (3) Java Naming and Directory Interface (JNDI) Injection

CWE (74) Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A03:2021 - Injection

Rule (4) Command Injection

CWE (78) Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A03:2021 - Injection

OWASP Top 10/SANS 25: SANS/CWE Top 25

Rule (5) Indirect Command Injection via User Controlled Environment

CWE (78) Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A03:2021 - Injection

OWASP Top 10/SANS 25: SANS/CWE Top 25

Rule (6) Cross-site Scripting (XSS)

CWE (79) Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A03:2021 - Injection

OWASP Top 10/SANS 25: SANS/CWE Top 25

Rule (7) JavaScript Enabled

CWE (79) Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A03:2021 - Injection

OWASP Top 10/SANS 25: SANS/CWE Top 25

Rule (8) Unauthorized File Access

CWE (79) Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A03:2021 - Injection

OWASP Top 10/SANS 25: SANS/CWE Top 25

Rule (9) SQL Injection

CWE (89) Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A03:2021 - Injection

OWASP Top 10/SANS 25: SANS/CWE Top 25

Rule (10) LDAP Injection

CWE (90) Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')

OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A03:2021 - Injection

Rule (11) Code Injection

CWE (94) Improper Control of Generation of Code ('Code Injection')

OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A03:2021 - Injection

Rule (12) Code Execution via Third Party Package Context

CWE (94) Improper Control of Generation of Code ('Code Injection')

OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A03:2021 - Injection

Rule (13) Improper Neutralization of CRLF Sequences in HTTP Headers

CWE (113) Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')

OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A03:2021 - Injection

Rule (14) Disabled Neutralization of CRLF Sequences in HTTP Headers

CWE (113) Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')

OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A03:2021 - Injection

Rule (15) Process Control

CWE (114) Process Control

Rule (16) Use of Externally-Controlled Format String

CWE (134) Use of Externally-Controlled Format String

Rule (17) Information Exposure

CWE (200) Exposure of Sensitive Information to an Unauthorized Actor

OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A01:2021 - Broken Access Control

OWASP Top 10/SANS 25: SANS/CWE Top 25

Rule (18) File Access Enabled

CWE (200) Exposure of Sensitive Information to an Unauthorized Actor

OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A01:2021 - Broken Access Control

OWASP Top 10/SANS 25: SANS/CWE Top 25

Rule (19) Observable Timing Discrepancy (Timing Attack)

CWE (208) Observable Timing Discrepancy

Rule (20) Server Information Exposure

CWE (209) Generation of Error Message Containing Sensitive Information

OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A04:2021 - Insecure Design

Rule (21) Unprotected Storage of Credentials

CWE (256) Plaintext Storage of a Password

OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A04:2021 - Insecure Design

Rule (22) Use of Hardcoded Credentials

CWE (259, 798) Use of Hard-coded Password, Use of Hard-coded Credentials

OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A07:2021 - Identification and Authentication Failures

OWASP Top 10/SANS 25: SANS/CWE Top 25

Rule (23) Use of Sticky Broadcasts

CWE (265) Privilege Issues

Rule (24) Android Uri Permission Manipulation

CWE (266) Incorrect Privilege Assignment

OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A04:2021 - Insecure Design

Rule (25) Improper Handling of Insufficient Permissions or Privileges

CWE (280) Improper Handling of Insufficient Permissions or Privileges

OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A04:2021 - Insecure Design

Rule (26) Improper Authentication

CWE (287) Improper Authentication

OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A07:2021 - Identification and Authentication Failures

OWASP Top 10/SANS 25: SANS/CWE Top 25

Rule (27) Improper Certificate Validation

CWE (295) Improper Certificate Validation

OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A07:2021 - Identification and Authentication Failures

Rule (28) Improper Validation of Certificate with Host Mismatch

CWE (297) Improper Validation of Certificate with Host Mismatch

OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A07:2021 - Identification and Authentication Failures

Rule (29) Cryptographic Issues

CWE (310) Cryptographic Issues

OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A02:2021 - Cryptographic Failures

Rule (30) The cipher text is equal to the provided input plain text

CWE (311) Missing Encryption of Sensitive Data

OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A04:2021 - Insecure Design

CWE (315) Cleartext Storage of Sensitive Information in a Cookie

OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A05:2021 - Security Misconfiguration

Rule (32) Cleartext Transmission of Sensitive Information

CWE (319) Cleartext Transmission of Sensitive Information

OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A02:2021 - Cryptographic Failures

Rule (33) Inadequate Padding for AES encryption

CWE (326) Inadequate Encryption Strength

OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A02:2021 - Cryptographic Failures

Rule (34) Inadequate Encryption Strength

CWE (326) Inadequate Encryption Strength

OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A02:2021 - Cryptographic Failures

Rule (35) Use of a Broken or Risky Cryptographic Algorithm

CWE (327) Use of a Broken or Risky Cryptographic Algorithm

OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A02:2021 - Cryptographic Failures

Rule (36) Use of Insufficiently Random Values

CWE (330) Use of Insufficiently Random Values

OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A02:2021 - Cryptographic Failures

Rule (37) Origin Validation Error

CWE (346, 942) Origin Validation Error, Permissive Cross-domain Policy with Untrusted Domains

OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A07:2021 - Identification and Authentication Failures

OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A05:2021 - Security Misconfiguration

Rule (38) JWT Signature Verification Bypass

CWE (347) Improper Verification of Cryptographic Signature

OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A02:2021 - Cryptographic Failures

Rule (39) Cross-Site Request Forgery (CSRF)

CWE (352) Cross-Site Request Forgery (CSRF)

OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A01:2021 - Broken Access Control

OWASP Top 10/SANS 25: SANS/CWE Top 25

Rule (40) Spring Cross-Site Request Forgery (CSRF)

CWE (352) Cross-Site Request Forgery (CSRF)

OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A01:2021 - Broken Access Control

OWASP Top 10/SANS 25: SANS/CWE Top 25

Rule (41) Regular Expression Injection

CWE (400, 730) Uncontrolled Resource Consumption, OWASP Top Ten 2004 Category A9 - Denial of Service

Rule (42) Android Fragment Injection

CWE (470) Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')

OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A03:2021 - Injection

Rule (43) Unsafe Reflection

CWE (470) Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')

OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A03:2021 - Injection

Rule (44) Trust Boundary Violation

CWE (501) Trust Boundary Violation

OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A04:2021 - Insecure Design

Rule (45) Deserialization of Untrusted Data

CWE (502) Deserialization of Untrusted Data

OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A08:2021 - Software and Data Integrity Failures

OWASP Top 10/SANS 25: SANS/CWE Top 25

Rule (46) Privacy Leak

CWE (532) Insertion of Sensitive Information into Log File

OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A09:2021 - Security Logging and Monitoring Failures

Rule (47) Hardcoded Secret

CWE (547) Use of Hard-coded, Security-relevant Constants

OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A05:2021 - Security Misconfiguration

Rule (48) Use of Hardcoded, Security-relevant Constants

CWE (547) Use of Hard-coded, Security-relevant Constants

OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A05:2021 - Security Misconfiguration

Rule (49) Open Redirect

CWE (601) URL Redirection to Untrusted Site ('Open Redirect')

OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A01:2021 - Broken Access Control

Rule (50) XML External Entity (XXE) Injection

CWE (611) Improper Restriction of XML External Entity Reference

OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A05:2021 - Security Misconfiguration

OWASP Top 10/SANS 25: SANS/CWE Top 25

Rule (51) Insufficient Session Expiration

CWE (613) Insufficient Session Expiration

OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A07:2021 - Identification and Authentication Failures

CWE (614) Sensitive Cookie in HTTPS Session Without 'Secure' Attribute

OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A05:2021 - Security Misconfiguration

Rule (53) XPath Injection

CWE (643) Improper Neutralization of Data within XPath Expressions ('XPath Injection')

OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A03:2021 - Injection

Rule (54) Use of Potentially Dangerous Function

CWE (676) Use of Potentially Dangerous Function

Rule (55) Android World Writeable/Readable File Permission Found

CWE (732) Incorrect Permission Assignment for Critical Resource

OWASP Top 10/SANS 25: SANS/CWE Top 25

Rule (56) Incorrect Permission Assignment

CWE (732) Incorrect Permission Assignment for Critical Resource

OWASP Top 10/SANS 25: SANS/CWE Top 25

Rule (57) Unrestricted Android Broadcast

CWE (862) Missing Authorization

OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A01:2021 - Broken Access Control

OWASP Top 10/SANS 25: SANS/CWE Top 25

Rule (58) Use of Password Hash With Insufficient Computational Effort

CWE (916) Use of Password Hash With Insufficient Computational Effort

OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A02:2021 - Cryptographic Failures

Rule (59) Server-Side Request Forgery (SSRF)

CWE (918) Server-Side Request Forgery (SSRF)

OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A10:2021 - Server-Side Request Forgery (SSRF)

OWASP Top 10/SANS 25: SANS/CWE Top 25

Rule (60) Android Intent Forwarding

CWE (940) Improper Verification of Source of a Communication Channel

OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A07:2021 - Identification and Authentication Failures

Rule (61) Code Execution via Third Party Package Installation

CWE (940) Improper Verification of Source of a Communication Channel

OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A07:2021 - Identification and Authentication Failures

Rule (62) NoSQL Injection

CWE (943) Improper Neutralization of Special Elements in Data Query Logic

CWE (1004) Sensitive Cookie Without 'HttpOnly' Flag

OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A05:2021 - Security Misconfiguration

© 2023 Snyk Limited | All product and company names and logos are trademarks of their respective owners.