Security Rules used by Snyk Code
The following table lists the security rules that are used by Snyk Code when scanning your source code for vulnerabilities:
Notes:
No. & Rule Name column - contains consecutive numbers for each rule, and the Snyk name of the rule.
CWE(s) column - the CWE numbers covered by this rule.
OWASP Top 10/SANS 25 column - indicates if and to which OWASP Top 10 items (2021 edition) the rule belongs, and if it is included in SANS 25.
Supported Languages column - lists the programming languages to which this specific rule applies. Note that there might be two rules with the same name that apply to different languages.
| No. & Rule Name | CWE(s) | OWASP Top 10 / SANS 25 | Supported Languages |
|---|---|---|---|
| (1) Use of Hardcoded Credentials | CWE-798 Use of Hard-coded Credentials; CWE-259 Use of Hard-coded Password | A07:2021 - Identification and Authentication Failures; SANS/CWE Top 25 | PHP, Ruby, Go, Java, JavaScript, TypeScript, Python, C# & ASP.NET, Apex |
| (2) Use of Password Hash With Insufficient Computational Effort | CWE-916 Use of Password Hash With Insufficient Computational Effort | A02:2021 - Cryptographic Failures | Python, JavaScript, TypeScript, C# & ASP.NET, Java, Go, PHP, Apex |
| (3) Sensitive Cookie in HTTPS Session Without 'Secure' Attribute | CWE-614 Sensitive Cookie in HTTPS Session Without 'Secure' Attribute | A05:2021 - Security Misconfiguration | PHP, JavaScript, TypeScript, Ruby, C# & ASP.NET, Java, Python |
| (4) Hardcoded Secret | CWE-547 Use of Hard-coded, Security-relevant Constants | A05:2021 - Security Misconfiguration | JavaScript, TypeScript, C# & ASP.NET, Java, Go, PHP, Python, Ruby, Apex |
| (5) Insecure Data Transmission | CWE-319 Cleartext Transmission of Sensitive Information | A02:2021 - Cryptographic Failures | Ruby, C# & ASP.NET |
| (6) Command Injection | CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') | A03:2021 - Injection; SANS/CWE Top 25 | Python, JavaScript, TypeScript, Ruby, C# & ASP.NET, Java, Go, PHP, Apex |
| (7) Cross-site Scripting (XSS) | CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | A03:2021 - Injection; SANS/CWE Top 25 | Python, JavaScript, TypeScript, Ruby, C# & ASP.NET, Java, Go, PHP, Apex |
| (8) Server-Side Request Forgery (SSRF) | CWE-918 Server-Side Request Forgery (SSRF) | A10:2021 - Server-Side Request Forgery (SSRF); SANS/CWE Top 25 | Python, JavaScript, TypeScript, C# & ASP.NET, Java, Go, PHP, Apex |
| (9) Open Redirect | CWE-601 URL Redirection to Untrusted Site ('Open Redirect') | A01:2021 - Broken Access Control | Python, JavaScript, TypeScript, Ruby, C# & ASP.NET, Java, Go, PHP, Apex |
| (10) Regular expression injection | CWE-400 Uncontrolled Resource Consumption; CWE-730 | | Java, C# & ASP.NET, Apex |
| (11) XML Injection | CWE-611 Improper Restriction of XML External Entity Reference | A05:2021 - Security Misconfiguration; SANS/CWE Top 25 | C# & ASP.NET, Apex |
| (12) SQL Injection | CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | A03:2021 - Injection; SANS/CWE Top 25 | Python, JavaScript, TypeScript, Ruby, C# & ASP.NET, Java, Go, PHP, Apex |
| (13) Log Forging | CWE-117 Improper Output Neutralization for Logs | A09:2021 - Security Logging and Monitoring Failures | C# & ASP.NET |
| (14) Use of Hardcoded Cryptographic Key | CWE-321 Use of Hard-coded Cryptographic Key | A02:2021 - Cryptographic Failures | Python, Ruby, Apex |
| (15) XML External Entity (XXE) Injection | CWE-611 Improper Restriction of XML External Entity Reference | A05:2021 - Security Misconfiguration; SANS/CWE Top 25 | JavaScript, TypeScript, Ruby, C# & ASP.NET, Java, PHP |
| (16) Inadequate Encryption Strength | CWE-326 Inadequate Encryption Strength | A02:2021 - Cryptographic Failures | C# & ASP.NET, Java, Go, PHP |
| (17) Use of Insufficiently Random Values | CWE-330 Use of Insufficiently Random Values | A02:2021 - Cryptographic Failures | PHP, Java, C# & ASP.NET, Go, JavaScript, TypeScript, Ruby |
| (18) Sensitive Cookie Without 'HttpOnly' Flag | CWE-1004 Sensitive Cookie Without 'HttpOnly' Flag | A05:2021 - Security Misconfiguration | Python, Java, C# & ASP.NET, Go, JavaScript, TypeScript, PHP, Ruby |
| (19) Request Validation Disabled | CWE-554 ASP.NET Misconfiguration: Not Using Input Validation Framework | | C# & ASP.NET |
| (20) IgnoreAntiforgeryToken in Use | CWE-352 Cross-Site Request Forgery (CSRF) | A01:2021 - Broken Access Control; SANS/CWE Top 25 | C# & ASP.NET |
| (21) Debug Features Enabled | CWE-215 Insertion of Sensitive Information Into Debugging Code | | C# & ASP.NET |
| (22) Deserialization of Untrusted Data | CWE-502 Deserialization of Untrusted Data | A08:2021 - Software and Data Integrity Failures; SANS/CWE Top 25 | Python, JavaScript, TypeScript, Ruby, C# & ASP.NET, Java, PHP |
| (23) ASP SSL Disabled | CWE-319 Cleartext Transmission of Sensitive Information | A02:2021 - Cryptographic Failures | C# & ASP.NET |
| (24) Code Injection | CWE-94 Improper Control of Generation of Code ('Code Injection') | A03:2021 - Injection | Python, JavaScript, TypeScript, Ruby, C# & ASP.NET, Java, PHP |
| (25) Information Exposure | CWE-200 Exposure of Sensitive Information to an Unauthorized Actor | A01:2021 - Broken Access Control; SANS/CWE Top 25 | PHP, JavaScript, TypeScript, Ruby, C# & ASP.NET, Java |
| (26) Exposure of Private Personal Information to an Unauthorized Actor | CWE-359 Exposure of Private Personal Information to an Unauthorized Actor | A01:2021 - Broken Access Control | C# & ASP.NET |
| (27) Cleartext Storage of Sensitive Information in a Cookie | CWE-315 Cleartext Storage of Sensitive Information in a Cookie | A05:2021 - Security Misconfiguration | Java, C# & ASP.NET |
| (28) LDAP Injection | CWE-90 Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection') | A03:2021 - Injection | Java, C# & ASP.NET |
| (29) Path Traversal | CWE-23 Relative Path Traversal | A01:2021 - Broken Access Control | Python, JavaScript, TypeScript, Ruby, C# & ASP.NET, Java, Go, PHP |
| (30) XPath Injection | CWE-643 Improper Neutralization of Data within XPath Expressions ('XPath Injection') | A03:2021 - Injection | Python, JavaScript, TypeScript, Ruby, C# & ASP.NET, Java, Go, PHP |
| (31) Arbitrary File Write via Archive Extraction (Zip Slip) | CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') | A01:2021 - Broken Access Control; SANS/CWE Top 25 | PHP, JavaScript, TypeScript, C# & ASP.NET |
| (32) Improper Certificate Validation | CWE-295 Improper Certificate Validation | A07:2021 - Identification and Authentication Failures | Go, Java, Ruby |
| (33) Insecure TLS Configuration | CWE-327 Use of a Broken or Risky Cryptographic Algorithm | A02:2021 - Cryptographic Failures | Go |
| (34) Clear Text Logging | CWE-200 Exposure of Sensitive Information to an Unauthorized Actor; CWE-312 Cleartext Storage of Sensitive Information | A01:2021 - Broken Access Control; A04:2021 - Insecure Design; SANS/CWE Top 25 | Go |
| (35) Generation of Error Message Containing Sensitive Information | CWE-209 Generation of Error Message Containing Sensitive Information | A04:2021 - Insecure Design | Go |
| (36) Improper Authentication | CWE-287 Improper Authentication | A07:2021 - Identification and Authentication Failures; SANS/CWE Top 25 | Java |
| (37) Use of a Broken or Risky Cryptographic Algorithm | CWE-327 Use of a Broken or Risky Cryptographic Algorithm | A02:2021 - Cryptographic Failures | Java, JavaScript, TypeScript |
| (38) Use of Potentially Dangerous Function | CWE-676 Use of Potentially Dangerous Function | | Java |
| (39) Use of Hardcoded, Security-relevant Constants | CWE-547 Use of Hard-coded, Security-relevant Constants | A05:2021 - Security Misconfiguration | Java |
| (40) JWT Signature Verification Bypass | CWE-347 Improper Verification of Cryptographic Signature | A02:2021 - Cryptographic Failures | Java |
| (41) Cleartext Transmission of Sensitive Information | CWE-319 Cleartext Transmission of Sensitive Information | A02:2021 - Cryptographic Failures | Java, JavaScript, TypeScript |
| (42) Improper Validation of Certificate with Host Mismatch | CWE-297 Improper Validation of Certificate with Host Mismatch | A07:2021 - Identification and Authentication Failures | Java |
| (43) Insufficient Session Expiration | CWE-613 Insufficient Session Expiration | A07:2021 - Identification and Authentication Failures | Java |
| (44) Origin Validation Error | CWE-942 Permissive Cross-domain Policy with Untrusted Domains; CWE-346 Origin Validation Error | A05:2021 - Security Misconfiguration; A07:2021 - Identification and Authentication Failures | Python, Java, JavaScript, TypeScript, PHP |
| (45) Cross-Site Request Forgery (CSRF) | CWE-352 Cross-Site Request Forgery (CSRF) | A01:2021 - Broken Access Control; SANS/CWE Top 25 | Python, Ruby, Java, JavaScript, TypeScript, PHP |
| (46) Disabled Neutralization of CRLF Sequences in HTTP Headers | CWE-113 Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting') | A03:2021 - Injection | Java |
| (47) JavaScript Enabled | CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | A03:2021 - Injection; SANS/CWE Top 25 | Java |
| (48) File Access Enabled | CWE-200 Exposure of Sensitive Information to an Unauthorized Actor | A01:2021 - Broken Access Control; SANS/CWE Top 25 | Java |
| (49) Android Fragment Injection | CWE-470 Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') | A03:2021 - Injection | Java |
| (50) Spring Cross-Site Request Forgery (CSRF) | CWE-352 Cross-Site Request Forgery (CSRF) | A01:2021 - Broken Access Control; SANS/CWE Top 25 | Java |
| (51) Struts Development Mode Enabled | CWE-489 Active Debug Code | | Java |
| (52) Android Debug Mode Enabled | CWE-489 Active Debug Code | | Java |
| (53) Process Control | CWE-114 Process Control | | Java |
| (54) Use of Externally-Controlled Format String | CWE-134 Use of Externally-Controlled Format String | | Java, JavaScript, TypeScript |
| (55) External Control of System or Configuration Setting | CWE-15 External Control of System or Configuration Setting | A05:2021 - Security Misconfiguration | Java |
| (56) Server Information Exposure | CWE-209 Generation of Error Message Containing Sensitive Information | A04:2021 - Insecure Design | Python, Java |
| (57) Improper Neutralization of CRLF Sequences in HTTP Headers | CWE-113 Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting') | A03:2021 - Injection | Java |
| (58) Trust Boundary Violation | CWE-501 Trust Boundary Violation | A04:2021 - Insecure Design | Java |
| (59) Android Intent Forwarding | CWE-940 Improper Verification of Source of a Communication Channel | A07:2021 - Identification and Authentication Failures | Java |
| (60) Unauthorized File Access | CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | A03:2021 - Injection; SANS/CWE Top 25 | Java |
| (61) Code Execution via Third Party Package Context | CWE-94 Improper Control of Generation of Code ('Code Injection') | A03:2021 - Injection | Java |
| (62) Android Uri Permission Manipulation | CWE-266 Incorrect Privilege Assignment | A04:2021 - Insecure Design | Java |
| (63) Java Naming and Directory Interface (JNDI) Injection | CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') | A03:2021 - Injection | Java |
| (64) Code Execution via Third Party Package Installation | CWE-940 Improper Verification of Source of a Communication Channel | A07:2021 - Identification and Authentication Failures | Java |
| (65) Observable Timing Discrepancy (Timing Attack) | CWE-208 Observable Timing Discrepancy | | JavaScript, TypeScript |
| (66) Buffer Over-read | CWE-126 Buffer Over-read | | JavaScript, TypeScript |
| (67) Improper Restriction of Rendered UI Layers or Frames | CWE-1021 Improper Restriction of Rendered UI Layers or Frames | A04:2021 - Insecure Design | PHP, JavaScript, TypeScript |
| (68) Unchecked Input for Loop Condition | CWE-400 Uncontrolled Resource Consumption; CWE-606 Unchecked Input for Loop Condition | | JavaScript, TypeScript |
| (69) Improper Input Validation | CWE-20 Improper Input Validation | A03:2021 - Injection; SANS/CWE Top 25 | JavaScript, TypeScript, Ruby |
| (70) Allocation of Resources Without Limits or Throttling | CWE-770 Allocation of Resources Without Limits or Throttling | | PHP, JavaScript, TypeScript |
| (71) Permissive Cross-domain Policy | CWE-942 Permissive Cross-domain Policy with Untrusted Domains | A05:2021 - Security Misconfiguration | JavaScript, TypeScript |
| (72) Denial of Service (DoS) through Nested GraphQL Queries | CWE-400 Uncontrolled Resource Consumption | | JavaScript, TypeScript |
| (73) Introspection Enabled | CWE-200 Exposure of Sensitive Information to an Unauthorized Actor | A01:2021 - Broken Access Control; SANS/CWE Top 25 | JavaScript, TypeScript |
| (74) Weak Password Recovery Mechanism for Forgotten Password | CWE-640 Weak Password Recovery Mechanism for Forgotten Password | A07:2021 - Identification and Authentication Failures | PHP, JavaScript, TypeScript |
| (75) Prototype Pollution | CWE-1321 Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') | | JavaScript, TypeScript |
| (76) Regular Expression Denial of Service (ReDoS) | CWE-400 Uncontrolled Resource Consumption | | PHP, JavaScript, TypeScript, Python, Ruby |
| (77) Improper Neutralization of Directives in Statically Saved Code | CWE-96 Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection') | A03:2021 - Injection | JavaScript, TypeScript, Python, Ruby |
| (78) GraphQL Injection | CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | A03:2021 - Injection; SANS/CWE Top 25 | JavaScript, TypeScript, Apex |
| (79) NoSQL Injection | CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | A03:2021 - Injection; SANS/CWE Top 25 | JavaScript, TypeScript, Apex |
| (80) XML internal entity expansion | CWE-776 Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion') | A05:2021 - Security Misconfiguration | JavaScript, TypeScript |
| (81) Inadequate Padding for Public Key Encryption | CWE-326 Inadequate Encryption Strength | A02:2021 - Cryptographic Failures | PHP |
| (82) File Inclusion | CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') | A03:2021 - Injection | PHP |
| (83) Broken User Authentication | CWE-287 Improper Authentication | A07:2021 - Identification and Authentication Failures; SANS/CWE Top 25 | Python |
| (84) Insecure File Permissions | CWE-732 Incorrect Permission Assignment for Critical Resource | SANS/CWE Top 25 | Python |
| (85) Improper Handling of Insufficient Permissions or Privileges | CWE-280 Improper Handling of Insufficient Permissions or Privileges | A04:2021 - Insecure Design | Python |
| (86) Arbitrary File Write via Archive Extraction (Tar Slip) | CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') | A01:2021 - Broken Access Control; SANS/CWE Top 25 | Python |
| (87) Improperly Controlled Modification of Dynamically-Determined Object Attributes | CWE-915 Improperly Controlled Modification of Dynamically-Determined Object Attributes | A08:2021 - Software and Data Integrity Failures | Ruby |
| (88) Unsafe Reflection | CWE-470 Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') | A03:2021 - Injection | Ruby |