JavaScript and TypeScript rules
Rule (1) Configuration Issue: Electron Disable Security Warnings
CWE (16) Configuration
OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A05:2021 - Security Misconfiguration
Rule (2) Configuration Issues: Electron Insecure Web Preferences
CWE (16) Configuration
OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A05:2021 - Security Misconfiguration
Rule (3) Configuration Issues: Electron Load Insecure Content
CWE (16) Configuration
OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A05:2021 - Security Misconfiguration
Rule (4) Insufficient postMessage Validation
CWE (20) Improper Input Validation
OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A03:2021 - Injection
OWASP Top 10/SANS 25: SANS/CWE Top 25
Rule (5) Arbitrary File Write via Archive Extraction (Zip Slip)
CWE (22) Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A01:2021 - Broken Access Control
OWASP Top 10/SANS 25: SANS/CWE Top 25
Rule (6) Path Traversal
CWE (23) Relative Path Traversal
OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A01:2021 - Broken Access Control
Rule (7) Command Injection
CWE (78) Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A03:2021 - Injection
OWASP Top 10/SANS 25: SANS/CWE Top 25
Rule (8) Disabling Strict Contextual Escaping (SCE) could provide additional attack surface for Cross-site Scripting (XSS)
CWE (79) Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A03:2021 - Injection
OWASP Top 10/SANS 25: SANS/CWE Top 25
Rule (9) Cross-site Scripting (XSS)
CWE (79) Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A03:2021 - Injection
OWASP Top 10/SANS 25: SANS/CWE Top 25
Rule (10) Use dangerouslySetInnerHTML to be explicit that this function is dangerous and also to trigger React updates
CWE (79) Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A03:2021 - Injection
OWASP Top 10/SANS 25: SANS/CWE Top 25
Rule (11) GraphQL Injection
CWE (89) Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A03:2021 - Injection
OWASP Top 10/SANS 25: SANS/CWE Top 25
Rule (12) SQL Injection
CWE (89) Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A03:2021 - Injection
OWASP Top 10/SANS 25: SANS/CWE Top 25
Rule (13) Code Injection
CWE (94) Improper Control of Generation of Code ('Code Injection')
OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A03:2021 - Injection
Rule (14) Improper Neutralization of Directives in Statically Saved Code
CWE (96) Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')
OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A03:2021 - Injection
Rule (15) Buffer Over-read
CWE (126) Buffer Over-read
Rule (16) Use of Externally-Controlled Format String
CWE (134) Use of Externally-Controlled Format String
Rule (17) Clear Text Sensitive Storage
CWE (200, 312) Exposure of Sensitive Information to an Unauthorized Actor, Cleartext Storage of Sensitive Information
OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A01:2021 - Broken Access Control
OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A04:2021 - Insecure Design
OWASP Top 10/SANS 25: SANS/CWE Top 25
Rule (18) Information Exposure
CWE (200) Exposure of Sensitive Information to an Unauthorized Actor
OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A01:2021 - Broken Access Control
OWASP Top 10/SANS 25: SANS/CWE Top 25
Rule (19) Introspection Enabled
CWE (200) Exposure of Sensitive Information to an Unauthorized Actor
OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A01:2021 - Broken Access Control
OWASP Top 10/SANS 25: SANS/CWE Top 25
Rule (20) Observable Timing Discrepancy (Timing Attack)
CWE (208) Observable Timing Discrepancy
Rule (21) Use of Hardcoded Credentials
CWE (259, 798) Use of Hard-coded Password, Use of Hard-coded Credentials
OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A07:2021 - Identification and Authentication Failures
OWASP Top 10/SANS 25: SANS/CWE Top 25
Rule (22) Cryptographic Issues
CWE (310) Cryptographic Issues
OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A02:2021 - Cryptographic Failures
Rule (23) Cleartext Transmission of Sensitive Information
CWE (319) Cleartext Transmission of Sensitive Information
OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A02:2021 - Cryptographic Failures
Rule (24) Use of a Broken or Risky Cryptographic Algorithm
CWE (327) Use of a Broken or Risky Cryptographic Algorithm
OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A02:2021 - Cryptographic Failures
Rule (25) Insecure TLS Configuration
CWE (327) Use of a Broken or Risky Cryptographic Algorithm
OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A02:2021 - Cryptographic Failures
Rule (26) Use of Insufficiently Random Values
CWE (330) Use of Insufficiently Random Values
OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A02:2021 - Cryptographic Failures
Rule (27) Origin Validation Error
CWE (346, 942) Origin Validation Error, Permissive Cross-domain Policy with Untrusted Domains
OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A07:2021 - Identification and Authentication Failures
OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A05:2021 - Security Misconfiguration
Rule (28) Insecure JWT Verification Method
CWE (347) Improper Verification of Cryptographic Signature
OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A02:2021 - Cryptographic Failures
Rule (29) JWT Signature Verification Method Disabled
CWE (347) Improper Verification of Cryptographic Signature
OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A02:2021 - Cryptographic Failures
Rule (30) JWT 'none' Algorithm Supported
CWE (347) Improper Verification of Cryptographic Signature
OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A02:2021 - Cryptographic Failures
Rule (31) Cross-Site Request Forgery (CSRF)
CWE (352) Cross-Site Request Forgery (CSRF)
OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A01:2021 - Broken Access Control
OWASP Top 10/SANS 25: SANS/CWE Top 25
Rule (32) Denial of Service (DoS) through Nested GraphQL Queries
CWE (400) Uncontrolled Resource Consumption
Rule (33) Unchecked Input for Loop Condition
CWE (400, 606) Uncontrolled Resource Consumption, Unchecked Input for Loop Condition
Rule (34) Regular Expression Denial of Service (ReDoS)
CWE (400) Uncontrolled Resource Consumption
Rule (35) Deserialization of Untrusted Data
CWE (502) Deserialization of Untrusted Data
OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A08:2021 - Software and Data Integrity Failures
OWASP Top 10/SANS 25: SANS/CWE Top 25
Rule (36) Hardcoded Secret
CWE (547) Use of Hard-coded, Security-relevant Constants
OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A05:2021 - Security Misconfiguration
Rule (37) Open Redirect
CWE (601) URL Redirection to Untrusted Site ('Open Redirect')
OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A01:2021 - Broken Access Control
Rule (38) XML External Entity (XXE) Injection
CWE (611) Improper Restriction of XML External Entity Reference
OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A05:2021 - Security Misconfiguration
OWASP Top 10/SANS 25: SANS/CWE Top 25
Rule (39) Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
CWE (614) Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A05:2021 - Security Misconfiguration
Rule (40) Weak Password Recovery Mechanism for Forgotten Password
CWE (640) Weak Password Recovery Mechanism for Forgotten Password
OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A07:2021 - Identification and Authentication Failures
Rule (41) XPath Injection
CWE (643) Improper Neutralization of Data within XPath Expressions ('XPath Injection')
OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A03:2021 - Injection
Rule (42) Allocation of Resources Without Limits or Throttling
CWE (770) Allocation of Resources Without Limits or Throttling
Rule (43) XML Internal Entity Expansion
CWE (776) Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')
OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A05:2021 - Security Misconfiguration
Rule (44) Use of Password Hash With Insufficient Computational Effort
CWE (916) Use of Password Hash With Insufficient Computational Effort
OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A02:2021 - Cryptographic Failures
Rule (45) Server-Side Request Forgery (SSRF)
CWE (918) Server-Side Request Forgery (SSRF)
OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A10:2021 - Server-Side Request Forgery (SSRF)
OWASP Top 10/SANS 25: SANS/CWE Top 25
Rule (46) Permissive Cross-domain Policy
CWE (942) Permissive Cross-domain Policy with Untrusted Domains
OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A05:2021 - Security Misconfiguration
Rule (47) NoSQL Injection
CWE (943) Improper Neutralization of Special Elements in Data Query Logic
Rule (48) Sensitive Cookie Without 'HttpOnly' Flag
CWE (1004) Sensitive Cookie Without 'HttpOnly' Flag
OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A05:2021 - Security Misconfiguration
Rule (49) Bad Coding Practices
CWE (1006) Bad Coding Practices
Rule (50) Improper Restriction of Rendered UI Layers or Frames
CWE (1021) Improper Restriction of Rendered UI Layers or Frames
OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A04:2021 - Insecure Design
Rule (51) Improper Type Validation
CWE (1287) Improper Validation of Specified Type of Input
Rule (52) Prototype Pollution
CWE (1321) Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')