Snyk Code security rules

Snyk Code rules are updated continuously: the list keeps expanding, and existing rules may change to provide the best protection for your code.

This page lists all security rules used by Snyk Code when scanning your source code for vulnerabilities.

Each rule includes the following information.

  • Rule Name: The Snyk name of the rule.

  • Languages: The programming languages to which this specific rule applies. Note that there might be two rules with the same name that apply to different languages.

  • CWE(s): The CWE numbers that are covered by this rule.

  • Security Categories: The OWASP Top 10 (2021 edition) category to which the rule belongs, if any, and whether it is included in the SANS Top 25.

| Rule Name | Language(s) | CWE(s) | Security Categories |
|---|---|---|---|
| ASP SSL Disabled | XML | CWE-319 | OWASP:A02 |
| Access Violation | Apex | CWE-284, CWE-285 | OWASP:A01 |
| Allocation of Resources Without Limits or Throttling | JavaScript, PHP | CWE-770 | |
| An optimizing compiler may remove memset non-zero leaving data in memory | C++ | CWE-1330 | |
| Android Debug Mode Enabled | XML | CWE-489 | |
| Android Fragment Injection | Java, Kotlin | CWE-470 | OWASP:A03 |
| Android Intent Forwarding | Java, Kotlin | CWE-940 | OWASP:A07 |
| Android Uri Permission Manipulation | Java, Kotlin | CWE-266 | OWASP:A04 |
| Android World Writeable/Readable File Permission Found | Java, Kotlin, Scala | CWE-732 | |
| Anti-forgery token validation disabled | C# | CWE-352 | Sans Top 25, OWASP:A01 |
| Arbitrary File Write via Archive Extraction (Tar Slip) | Python | CWE-22 | Sans Top 25, OWASP:A01 |
| Arbitrary File Write via Archive Extraction (Zip Slip) | C#, JavaScript, PHP | CWE-22 | Sans Top 25, OWASP:A01 |
| Authentication Bypass by Spoofing | C++ | CWE-290 | OWASP:A07 |
| Authentication over HTTP | Python | CWE-319 | OWASP:A02 |
| Binding to all network interfaces may open service to unintended traffic | Python | CWE-284 | OWASP:A01 |
| Broken User Authentication | Python | CWE-287 | Sans Top 25, OWASP:A07 |
| Buffer Over-read | JavaScript | CWE-126 | |
| Buffer Overflow | C++ | CWE-122 | |
| Clear Text Logging | Go, Swift | CWE-200, CWE-312 | OWASP:A01, OWASP:A04 |
| Clear Text Sensitive Storage | Apex, JavaScript | CWE-200, CWE-312 | OWASP:A01, OWASP:A04 |
| Cleartext Storage of Sensitive Information in a Cookie | C#, Java, Kotlin, Scala | CWE-315 | OWASP:A05 |
| Cleartext Transmission of Sensitive Information | Java, JavaScript, Kotlin, Scala | CWE-319 | OWASP:A02 |
| Code Execution via Third Party Package Context | Java, Kotlin | CWE-94 | Sans Top 25, OWASP:A03 |
| Code Execution via Third Party Package Installation | Java, Kotlin | CWE-940 | OWASP:A07 |
| Code Injection | C#, Java, JavaScript, Kotlin, PHP, Python, Ruby, Scala, Swift, Visual Basic | CWE-94 | Sans Top 25, OWASP:A03 |
| Command Injection | Apex, C#, C++, Go, Java, JavaScript, Kotlin, PHP, Python, Ruby, Rust, Scala, Swift, Visual Basic | CWE-78 | Sans Top 25, OWASP:A03 |
| Cross-Site Request Forgery (CSRF) | Java, JavaScript, Kotlin, Python, Scala | CWE-352 | Sans Top 25, OWASP:A01 |
| Cross-site Scripting (XSS) | Apex, C#, C++, Go, Java, JavaScript, Kotlin, PHP, Python, Ruby, Rust, Scala, Swift, Visual Basic | CWE-79 | Sans Top 25, OWASP:A03 |
| Cryptographic Issues | Java, JavaScript, Kotlin, Python, Scala | CWE-310 | OWASP:A02 |
| Debug Features Enabled | C#, Visual Basic, XML | CWE-215 | |
| Debug Mode Enabled | Python | CWE-489 | |
| Denial of Service (DoS) through Nested GraphQL Queries | JavaScript | CWE-400 | |
| Dereference of a NULL Pointer | C++ | CWE-476 | Sans Top 25 |
| Deserialization of Untrusted Data | C#, Java, JavaScript, Kotlin, PHP, Python, Ruby, Scala, Visual Basic | CWE-502 | Sans Top 25, OWASP:A08 |
| Device Authentication Bypass | Swift | CWE-287 | Sans Top 25, OWASP:A07 |
| Disabled Neutralization of CRLF Sequences in HTTP Headers | Java, Kotlin, Scala | CWE-113 | OWASP:A03 |
| Disabling Strict Contextual escaping (SCE) could provide additional attack surface for Cross-site Scripting (XSS) | JavaScript | CWE-79 | Sans Top 25, OWASP:A03 |
| Division By Zero | C++ | CWE-369 | |
| Double Free | C++ | CWE-415 | |
| Electron Disable Security Warnings | JavaScript | CWE-16 | OWASP:A05 |
| Electron Insecure Web Preferences | JavaScript | CWE-16 | OWASP:A05 |
| Electron Load Insecure Content | JavaScript | CWE-16 | OWASP:A05 |
| Exposure of Private Personal Information to an Unauthorized Actor | C#, C++ | CWE-359 | OWASP:A01 |
| External Control of System or Configuration Setting | Java, Kotlin, Scala | CWE-15 | OWASP:A05 |
| File Access Enabled | Java, Kotlin | CWE-200 | OWASP:A01 |
| File Inclusion | PHP | CWE-98 | OWASP:A03 |
| Generation of Error Message Containing Sensitive Information | Go, XML | CWE-209 | OWASP:A04 |
| GraphQL Injection | JavaScript | CWE-89 | Sans Top 25, OWASP:A03 |
| Hardcoded Secret | Apex, C#, Go, Java, JavaScript, Kotlin, PHP, Python, Ruby, Rust, Scala, Swift, Visual Basic | CWE-547 | OWASP:A05 |
| Improper Access Control: Email Content Injection | Apex, Go, PHP | CWE-284 | OWASP:A01 |
| Improper Authentication | Java, Kotlin, Scala | CWE-287 | Sans Top 25, OWASP:A07 |
| Improper Certificate Validation | Go, Java, Kotlin, Python, Ruby, Scala, Swift | CWE-295 | OWASP:A07 |
| Improper Code Sanitization | JavaScript | CWE-116, CWE-79, CWE-94 | Sans Top 25, OWASP:A03 |
| Improper Handling of Insufficient Permissions or Privileges | Java, Kotlin, Python | CWE-280 | OWASP:A04 |
| Improper Input Validation | Ruby | CWE-20 | Sans Top 25, OWASP:A03 |
| Improper Neutralization of CRLF Sequences in HTTP Headers | C#, Java, Kotlin, Scala, Visual Basic | CWE-113 | OWASP:A03 |
| Improper Neutralization of Directives in Statically Saved Code | Go, JavaScript, Python, Ruby | CWE-96 | OWASP:A03 |
| Improper Null Termination | C++ | CWE-170 | |
| Improper Restriction of Rendered UI Layers or Frames | JavaScript, PHP, XML | CWE-1021 | OWASP:A04 |
| Improper Type Validation | JavaScript | CWE-1287 | |
| Improper Validation of Certificate with Host Mismatch | Java, Kotlin, Scala | CWE-297 | OWASP:A07 |
| Improperly Controlled Modification of Dynamically-Determined Object Attributes | Ruby | CWE-915 | OWASP:A08 |
| Inadequate Encryption Strength | C#, C++, Go, Java, Kotlin, PHP, Python, Scala, Swift, Visual Basic | CWE-326 | OWASP:A02 |
| Inadequate Padding for AES encryption | Java, Kotlin, Scala | CWE-326 | OWASP:A02 |
| Inadequate Padding for Public Key Encryption | PHP, Rust | CWE-326 | OWASP:A02 |
| Incorrect Permission Assignment | Java, Kotlin | CWE-732 | |
| Incorrect regular expression for validating values | Ruby | CWE-1286 | |
| Indirect Command Injection via User Controlled Environment | Java, Kotlin, Scala | CWE-78 | Sans Top 25, OWASP:A03 |
| Information Exposure | C#, Java, JavaScript, Kotlin, PHP, Ruby, Scala, Swift | CWE-200 | OWASP:A01 |
| Insecure Anonymous LDAP Binding | C++ | CWE-287 | Sans Top 25, OWASP:A07 |
| Insecure Data Storage | Swift | CWE-922 | OWASP:A01 |
| Insecure Data Transmission | Apex, C#, Ruby | CWE-319 | OWASP:A02 |
| Insecure Deserialization | Swift | CWE-502 | Sans Top 25, OWASP:A08 |
| Insecure File Permissions | Python, Rust | CWE-732 | |
| Insecure JWT Verification Method | JavaScript | CWE-347 | OWASP:A02 |
| Insecure TLS Configuration | Go, JavaScript | CWE-327 | OWASP:A02 |
| Insecure Temporary File | Python | CWE-377 | OWASP:A01 |
| Insecure Xml Parser | Python | CWE-611 | OWASP:A05 |
| Insecure default value | Python | CWE-453 | |
| Insufficient Session Expiration | Java, Kotlin, Scala | CWE-613 | OWASP:A07 |
| Insufficient postMessage Validation | JavaScript | CWE-20 | Sans Top 25, OWASP:A03 |
| Integer Overflow | C++ | CWE-190 | Sans Top 25 |
| Introspection Enabled | JavaScript | CWE-200 | OWASP:A01 |
| JWT 'none' Algorithm Supported | JavaScript | CWE-347 | OWASP:A02 |
| JWT Signature Verification Bypass | Java | CWE-347 | OWASP:A02 |
| JWT Signature Verification Method Disabled | JavaScript | CWE-347 | OWASP:A02 |
| Java Naming and Directory Interface (JNDI) Injection | Java, Kotlin, Scala | CWE-074 | |
| JavaScript Enabled | Java, Kotlin | CWE-79 | Sans Top 25, OWASP:A03 |
| Jinja auto-escape is set to false. | Python | CWE-79 | Sans Top 25, OWASP:A03 |
| LDAP Injection | C#, C++, Java, Kotlin, Python, Scala | CWE-90 | OWASP:A03 |
| Log Forging | C# | CWE-117 | OWASP:A09 |
| Memory Allocation Of String Length | C++ | CWE-170 | |
| Memory Corruption | Swift | CWE-822 | |
| Missing Release of File Descriptor or Handle after Effective Lifetime | C++ | CWE-775 | |
| Missing Release of Memory after Effective Lifetime | C++ | CWE-401 | |
| No Weak Password Requirements | Ruby | CWE-521 | OWASP:A07 |
| NoSQL Injection | Java, JavaScript, Python | CWE-943 | |
| Observable Timing Discrepancy | Rust | CWE-208 | |
| Observable Timing Discrepancy (Timing Attack) | Java, JavaScript, Kotlin, Scala | CWE-208 | |
| Open Redirect | Apex, C#, Go, Java, JavaScript, Kotlin, PHP, Python, Ruby, Rust, Scala, Visual Basic | CWE-601 | OWASP:A01 |
| Origin Validation Error | Java, JavaScript, Kotlin, PHP, Python, Rust, Scala | CWE-346, CWE-942 | OWASP:A05, OWASP:A07 |
| Password Requirements Not Enforced in Django Application | Python | CWE-521 | OWASP:A07 |
| Path Traversal | C#, C++, Go, Java, JavaScript, Kotlin, PHP, Python, Ruby, Rust, Scala, Swift, Visual Basic | CWE-23 | OWASP:A01 |
| Permissive Cross-domain Policy | JavaScript | CWE-942 | OWASP:A05 |
| Potential Negative Number Used as Index | C++ | CWE-125, CWE-787 | Sans Top 25 |
| Potential buffer overflow from usage of unsafe function | C++ | CWE-122 | |
| Privacy Leak | Java | CWE-532 | OWASP:A09 |
| Process Control | Java, Kotlin, Scala | CWE-114 | |
| Prototype Pollution | JavaScript | CWE-1321 | |
| Python 2 source code | Python | CWE-1104 | OWASP:A06 |
| Regular Expression Denial of Service (ReDoS) | JavaScript, PHP, Python, Ruby | CWE-400 | |
| Regular expression injection | Apex, C#, Java, Kotlin, Scala, Visual Basic | CWE-400, CWE-730 | |
| Remote Code Execution via Endpoint | Ruby | CWE-94 | Sans Top 25, OWASP:A03 |
| Request Validation Disabled | C#, Visual Basic, XML | CWE-554 | |
| SOQL Injection | Apex | CWE-89 | Sans Top 25, OWASP:A03 |
| SOSL Injection | Apex | CWE-89 | Sans Top 25, OWASP:A03 |
| SQL Injection | C#, C++, Go, Java, JavaScript, Kotlin, PHP, Python, Ruby, Rust, Scala, Swift, Visual Basic | CWE-89 | Sans Top 25, OWASP:A03 |
| Selection of Less-Secure Algorithm During Negotiation (Force SSL) | Ruby | CWE-311, CWE-757 | OWASP:A04, OWASP:A02 |
| Selection of Less-Secure Algorithm During Negotiation (SSL instead of TLS) | Python | CWE-757 | OWASP:A02 |
| Sensitive Cookie Without 'HttpOnly' Flag | C#, Go, Java, JavaScript, Kotlin, PHP, Python, Ruby, Scala, Visual Basic | CWE-1004 | OWASP:A05 |
| Sensitive Cookie in HTTPS Session Without 'Secure' Attribute | Apex, C#, Go, Java, JavaScript, Kotlin, PHP, Python, Ruby, Scala, Swift, Visual Basic | CWE-614 | OWASP:A05 |
| Server Information Exposure | Java, Kotlin, Python, Scala | CWE-209 | OWASP:A04 |
| Server-Side Request Forgery (SSRF) | Apex, C#, C++, Go, Java, JavaScript, Kotlin, PHP, Python, Rust, Scala, Swift, Visual Basic | CWE-918 | Sans Top 25, OWASP:A10 |
| Session Manipulation | Ruby | CWE-285 | OWASP:A01 |
| Sinatra Protection Layers Disabled | Ruby | CWE-1021, CWE-16, CWE-348, CWE-35, CWE-352, CWE-693, CWE-79 | Sans Top 25, OWASP:A01, OWASP:A05, OWASP:A03, OWASP:A04 |
| Size Used as Index | C++ | CWE-125, CWE-787 | Sans Top 25 |
| Spring Cross-Site Request Forgery (CSRF) | Java | CWE-352 | Sans Top 25, OWASP:A01 |
| Struts Development Mode Enabled | XML | CWE-489 | |
| The cipher text is equal to the provided input plain text | Java, Kotlin, Scala | CWE-311 | OWASP:A04 |
| Trust Boundary Violation | Java, Kotlin, Scala | CWE-501 | OWASP:A04 |
| Unauthorized File Access | Java, Kotlin | CWE-79 | Sans Top 25, OWASP:A03 |
| Unchecked Input for Loop Condition | JavaScript | CWE-400, CWE-606 | |
| Unprotected Storage of Credentials | Java, Kotlin, Scala | CWE-256 | OWASP:A04 |
| Unrestricted Android Broadcast | Java, Kotlin | CWE-862 | Sans Top 25, OWASP:A01 |
| Unsafe JQuery Plugin | JavaScript | CWE-116, CWE-79 | Sans Top 25, OWASP:A03 |
| Unsafe Reflection | Java, Ruby | CWE-470 | OWASP:A03 |
| Unsafe SOQL Concatenation | Apex | CWE-89 | Sans Top 25, OWASP:A03 |
| Unsafe SOSL Concatenation | Apex | CWE-89 | Sans Top 25, OWASP:A03 |
| Unverified Password Change | Apex | CWE-620 | OWASP:A07 |
| Usage of BinaryFormatter | C#, Visual Basic | CWE-502 | Sans Top 25, OWASP:A08 |
| Use After Free | C++ | CWE-416 | Sans Top 25 |
| Use dangerouslySetInnerHTML to Explicitly Handle XSS Risks | JavaScript | CWE-79 | Sans Top 25, OWASP:A03 |
| Use of Expired File Descriptor | C++ | CWE-910 | |
| Use of Externally-Controlled Format String | C++, Java, JavaScript, Kotlin, Scala | CWE-134 | |
| Use of Hardcoded Credentials | Apex, C#, Go, Java, JavaScript, Kotlin, PHP, Python, Ruby, Rust, Scala, Swift, Visual Basic | CWE-259, CWE-798 | Sans Top 25, OWASP:A07 |
| Use of Hardcoded Cryptographic Initialization Value | Python | CWE-329 | OWASP:A02 |
| Use of Hardcoded Cryptographic Key | C++, Python, Ruby | CWE-321 | OWASP:A02 |
| Use of Hardcoded Passwords | Apex, Go, Java, JavaScript, Kotlin, PHP, Python, Ruby, Rust, Scala, Swift, XML | CWE-259, CWE-798 | Sans Top 25, OWASP:A07 |
| Use of Hardcoded, Security-relevant Constants | Java, Kotlin, Scala | CWE-547 | OWASP:A05 |
| Use of Insufficiently Random Values | C#, Go, Java, JavaScript, Kotlin, PHP, Ruby, Rust, Scala, Swift, Visual Basic | CWE-330 | OWASP:A02 |
| Use of Password Hash With Insufficient Computational Effort | Apex, C#, C++, Go, Java, JavaScript, Kotlin, PHP, Python, Ruby, Rust, Scala, Swift, Visual Basic | CWE-916 | OWASP:A02 |
| Use of Potentially Dangerous Function | Java, Kotlin, Scala | CWE-676 | |
| Use of Sticky broadcasts | Java, Kotlin | CWE-265 | |
| Use of a Broken or Risky Cryptographic Algorithm | C#, Go, Java, JavaScript, Kotlin, PHP, Python, Ruby, Rust, Scala, Swift, Visual Basic | CWE-327 | OWASP:A02 |
| User Controlled Pointer | C++ | CWE-1285 | |
| Weak Password Recovery Mechanism for Forgotten Password | JavaScript | CWE-640 | OWASP:A07 |
| XAML Injection | C# | CWE-611 | OWASP:A05 |
| XML External Entity (XXE) Injection | C#, C++, Java, JavaScript, Kotlin, PHP, Ruby, Scala, Swift, Visual Basic | CWE-611 | OWASP:A05 |
| XML Injection | Apex, C#, Visual Basic | CWE-91 | OWASP:A03 |
| XPath Injection | C#, C++, Go, Java, JavaScript, Kotlin, PHP, Python, Ruby, Scala, Visual Basic | CWE-643 | OWASP:A03 |
