Snyk Code security rules
Snyk Code rules are updated continuously: new rules are added over time, and existing rules may change to provide the best protection and security coverage for your code.
This page lists all security rules that Snyk Code applies when scanning your source code for vulnerabilities.
Each rule includes the following information:
- Rule Name: The Snyk name of the rule.
- Languages: The programming languages to which this specific rule applies. Note that there may be two rules with the same name that apply to different languages.
- CWE(s): The CWE numbers covered by this rule.
- Security Categories: The OWASP Top 10 (2021 edition) category to which the rule belongs, if any, and whether it is included in the SANS Top 25.
Rule Name | Language(s) | CWE(s) | Security Categories |
---|---|---|---|
ASP SSL Disabled | XML | CWE-319 | OWASP:A02 |
Access Violation | Apex | CWE-284, CWE-285 | OWASP:A01 |
Allocation of Resources Without Limits or Throttling | JavaScript, PHP | CWE-770 | |
An optimizing compiler may remove memset non-zero leaving data in memory | C++ | CWE-1330 | |
Android Debug Mode Enabled | XML | CWE-489 | |
Android Fragment Injection | Java, Kotlin | CWE-470 | OWASP:A03 |
Android Intent Forwarding | Java, Kotlin | CWE-940 | OWASP:A07 |
Android Uri Permission Manipulation | Java, Kotlin | CWE-266 | OWASP:A04 |
Android World Writeable/Readable File Permission Found | Java, Kotlin, Scala | CWE-732 | |
Anti-forgery token validation disabled | C# | CWE-352 | Sans Top 25, OWASP:A01 |
Arbitrary File Write via Archive Extraction (Tar Slip) | Python | CWE-22 | Sans Top 25, OWASP:A01 |
Arbitrary File Write via Archive Extraction (Zip Slip) | C#, JavaScript, PHP | CWE-22 | Sans Top 25, OWASP:A01 |
Authentication Bypass by Spoofing | C++ | CWE-290 | OWASP:A07 |
Authentication over HTTP | Python | CWE-319 | OWASP:A02 |
Binding to all network interfaces may open service to unintended traffic | Python | CWE-284 | OWASP:A01 |
Broken User Authentication | Python | CWE-287 | Sans Top 25, OWASP:A07 |
Buffer Over-read | JavaScript | CWE-126 | |
Buffer Overflow | C++ | CWE-122 | |
Clear Text Logging | Go, Swift | CWE-200, CWE-312 | OWASP:A01, OWASP:A04 |
Clear Text Sensitive Storage | Apex, JavaScript | CWE-200, CWE-312 | OWASP:A01, OWASP:A04 |
Cleartext Storage of Sensitive Information in a Cookie | C#, Java, Kotlin, Scala | CWE-315 | OWASP:A05 |
Cleartext Transmission of Sensitive Information | Java, JavaScript, Kotlin, Scala | CWE-319 | OWASP:A02 |
Code Execution via Third Party Package Context | Java, Kotlin | CWE-94 | Sans Top 25, OWASP:A03 |
Code Execution via Third Party Package Installation | Java, Kotlin | CWE-940 | OWASP:A07 |
Code Injection | C#, Java, JavaScript, Kotlin, PHP, Python, Ruby, Scala, Swift, Visual Basic | CWE-94 | Sans Top 25, OWASP:A03 |
Command Injection | Apex, C#, C++, Go, Java, JavaScript, Kotlin, PHP, Python, Ruby, Rust, Scala, Swift, Visual Basic | CWE-78 | Sans Top 25, OWASP:A03 |
Cross-Site Request Forgery (CSRF) | Java, JavaScript, Kotlin, Python, Scala | CWE-352 | Sans Top 25, OWASP:A01 |
Cross-site Scripting (XSS) | Apex, C#, C++, Go, Java, JavaScript, Kotlin, PHP, Python, Ruby, Rust, Scala, Swift, Visual Basic | CWE-79 | Sans Top 25, OWASP:A03 |
Cryptographic Issues | Java, JavaScript, Kotlin, Python, Scala | CWE-310 | OWASP:A02 |
Debug Features Enabled | C#, Visual Basic, XML | CWE-215 | |
Debug Mode Enabled | Python | CWE-489 | |
Denial of Service (DoS) through Nested GraphQL Queries | JavaScript | CWE-400 | |
Dereference of a NULL Pointer | C++ | CWE-476 | Sans Top 25 |
Deserialization of Untrusted Data | C#, Java, JavaScript, Kotlin, PHP, Python, Ruby, Scala, Visual Basic | CWE-502 | Sans Top 25, OWASP:A08 |
Device Authentication Bypass | Swift | CWE-287 | Sans Top 25, OWASP:A07 |
Disabled Neutralization of CRLF Sequences in HTTP Headers | Java, Kotlin, Scala | CWE-113 | OWASP:A03 |
Disabling Strict Contextual escaping (SCE) could provide additional attack surface for Cross-site Scripting (XSS) | JavaScript | CWE-79 | Sans Top 25, OWASP:A03 |
Division By Zero | C++ | CWE-369 | |
Double Free | C++ | CWE-415 | |
Electron Disable Security Warnings | JavaScript | CWE-16 | OWASP:A05 |
Electron Insecure Web Preferences | JavaScript | CWE-16 | OWASP:A05 |
Electron Load Insecure Content | JavaScript | CWE-16 | OWASP:A05 |
Exposure of Private Personal Information to an Unauthorized Actor | C#, C++ | CWE-359 | OWASP:A01 |
External Control of System or Configuration Setting | Java, Kotlin, Scala | CWE-15 | OWASP:A05 |
File Access Enabled | Java, Kotlin | CWE-200 | OWASP:A01 |
File Inclusion | PHP | CWE-98 | OWASP:A03 |
Generation of Error Message Containing Sensitive Information | Go, XML | CWE-209 | OWASP:A04 |
GraphQL Injection | JavaScript | CWE-89 | Sans Top 25, OWASP:A03 |
Hardcoded Secret | Apex, C#, Go, Java, JavaScript, Kotlin, PHP, Python, Ruby, Rust, Scala, Swift, Visual Basic | CWE-547 | OWASP:A05 |
Improper Access Control: Email Content Injection | Apex, Go, PHP | CWE-284 | OWASP:A01 |
Improper Authentication | Java, Kotlin, Scala | CWE-287 | Sans Top 25, OWASP:A07 |
Improper Certificate Validation | Go, Java, Kotlin, Python, Ruby, Scala, Swift | CWE-295 | OWASP:A07 |
Improper Code Sanitization | JavaScript | CWE-116, CWE-79, CWE-94 | Sans Top 25, OWASP:A03 |
Improper Handling of Insufficient Permissions or Privileges | Java, Kotlin, Python | CWE-280 | OWASP:A04 |
Improper Input Validation | Ruby | CWE-20 | Sans Top 25, OWASP:A03 |
Improper Neutralization of CRLF Sequences in HTTP Headers | C#, Java, Kotlin, Scala, Visual Basic | CWE-113 | OWASP:A03 |
Improper Neutralization of Directives in Statically Saved Code | Go, JavaScript, Python, Ruby | CWE-96 | OWASP:A03 |
Improper Null Termination | C++ | CWE-170 | |
Improper Restriction of Rendered UI Layers or Frames | JavaScript, PHP, XML | CWE-1021 | OWASP:A04 |
Improper Type Validation | JavaScript | CWE-1287 | |
Improper Validation of Certificate with Host Mismatch | Java, Kotlin, Scala | CWE-297 | OWASP:A07 |
Improperly Controlled Modification of Dynamically-Determined Object Attributes | Ruby | CWE-915 | OWASP:A08 |
Inadequate Encryption Strength | C#, C++, Go, Java, Kotlin, PHP, Python, Scala, Swift, Visual Basic | CWE-326 | OWASP:A02 |
Inadequate Padding for AES encryption | Java, Kotlin, Scala | CWE-326 | OWASP:A02 |
Inadequate Padding for Public Key Encryption | PHP, Rust | CWE-326 | OWASP:A02 |
Incorrect Permission Assignment | Java, Kotlin | CWE-732 | |
Incorrect regular expression for validating values | Ruby | CWE-1286 | |
Indirect Command Injection via User Controlled Environment | Java, Kotlin, Scala | CWE-78 | Sans Top 25, OWASP:A03 |
Information Exposure | C#, Java, JavaScript, Kotlin, PHP, Ruby, Scala, Swift | CWE-200 | OWASP:A01 |
Insecure Anonymous LDAP Binding | C++ | CWE-287 | Sans Top 25, OWASP:A07 |
Insecure Data Storage | Swift | CWE-922 | OWASP:A01 |
Insecure Data Transmission | Apex, C#, Ruby | CWE-319 | OWASP:A02 |
Insecure Deserialization | Swift | CWE-502 | Sans Top 25, OWASP:A08 |
Insecure File Permissions | Python, Rust | CWE-732 | |
Insecure JWT Verification Method | JavaScript | CWE-347 | OWASP:A02 |
Insecure TLS Configuration | Go, JavaScript | CWE-327 | OWASP:A02 |
Insecure Temporary File | Python | CWE-377 | OWASP:A01 |
Insecure Xml Parser | Python | CWE-611 | OWASP:A05 |
Insecure default value | Python | CWE-453 | |
Insufficient Session Expiration | Java, Kotlin, Scala | CWE-613 | OWASP:A07 |
Insufficient postMessage Validation | JavaScript | CWE-20 | Sans Top 25, OWASP:A03 |
Integer Overflow | C++ | CWE-190 | Sans Top 25 |
Introspection Enabled | JavaScript | CWE-200 | OWASP:A01 |
JWT 'none' Algorithm Supported | JavaScript | CWE-347 | OWASP:A02 |
JWT Signature Verification Bypass | Java | CWE-347 | OWASP:A02 |
JWT Signature Verification Method Disabled | JavaScript | CWE-347 | OWASP:A02 |
Java Naming and Directory Interface (JNDI) Injection | Java, Kotlin, Scala | CWE-074 | |
JavaScript Enabled | Java, Kotlin | CWE-79 | Sans Top 25, OWASP:A03 |
Jinja auto-escape is set to false. | Python | CWE-79 | Sans Top 25, OWASP:A03 |
LDAP Injection | C#, C++, Java, Kotlin, Python, Scala | CWE-90 | OWASP:A03 |
Log Forging | C# | CWE-117 | OWASP:A09 |
Memory Allocation Of String Length | C++ | CWE-170 | |
Memory Corruption | Swift | CWE-822 | |
Missing Release of File Descriptor or Handle after Effective Lifetime | C++ | CWE-775 | |
Missing Release of Memory after Effective Lifetime | C++ | CWE-401 | |
No Weak Password Requirements | Ruby | CWE-521 | OWASP:A07 |
NoSQL Injection | Java, JavaScript, Python | CWE-943 | |
Observable Timing Discrepancy | Rust | CWE-208 | |
Observable Timing Discrepancy (Timing Attack) | Java, JavaScript, Kotlin, Scala | CWE-208 | |
Open Redirect | Apex, C#, Go, Java, JavaScript, Kotlin, PHP, Python, Ruby, Rust, Scala, Visual Basic | CWE-601 | OWASP:A01 |
Origin Validation Error | Java, JavaScript, Kotlin, PHP, Python, Rust, Scala | CWE-346, CWE-942 | OWASP:A05, OWASP:A07 |
Password Requirements Not Enforced in Django Application | Python | CWE-521 | OWASP:A07 |
Path Traversal | C#, C++, Go, Java, JavaScript, Kotlin, PHP, Python, Ruby, Rust, Scala, Swift, Visual Basic | CWE-23 | OWASP:A01 |
Permissive Cross-domain Policy | JavaScript | CWE-942 | OWASP:A05 |
Potential Negative Number Used as Index | C++ | CWE-125, CWE-787 | Sans Top 25 |
Potential buffer overflow from usage of unsafe function | C++ | CWE-122 | |
Privacy Leak | Java | CWE-532 | OWASP:A09 |
Process Control | Java, Kotlin, Scala | CWE-114 | |
Prototype Pollution | JavaScript | CWE-1321 | |
Python 2 source code | Python | CWE-1104 | OWASP:A06 |
Regular Expression Denial of Service (ReDoS) | JavaScript, PHP, Python, Ruby | CWE-400 | |
Regular expression injection | Apex, C#, Java, Kotlin, Scala, Visual Basic | CWE-400, CWE-730 | |
Remote Code Execution via Endpoint | Ruby | CWE-94 | Sans Top 25, OWASP:A03 |
Request Validation Disabled | C#, Visual Basic, XML | CWE-554 | |
SOQL Injection | Apex | CWE-89 | Sans Top 25, OWASP:A03 |
SOSL Injection | Apex | CWE-89 | Sans Top 25, OWASP:A03 |
SQL Injection | C#, C++, Go, Java, JavaScript, Kotlin, PHP, Python, Ruby, Rust, Scala, Swift, Visual Basic | CWE-89 | Sans Top 25, OWASP:A03 |
Selection of Less-Secure Algorithm During Negotiation (Force SSL) | Ruby | CWE-311, CWE-757 | OWASP:A04, OWASP:A02 |
Selection of Less-Secure Algorithm During Negotiation (SSL instead of TLS) | Python | CWE-757 | OWASP:A02 |
Sensitive Cookie Without 'HttpOnly' Flag | C#, Go, Java, JavaScript, Kotlin, PHP, Python, Ruby, Scala, Visual Basic | CWE-1004 | OWASP:A05 |
Sensitive Cookie in HTTPS Session Without 'Secure' Attribute | Apex, C#, Go, Java, JavaScript, Kotlin, PHP, Python, Ruby, Scala, Swift, Visual Basic | CWE-614 | OWASP:A05 |
Server Information Exposure | Java, Kotlin, Python, Scala | CWE-209 | OWASP:A04 |
Server-Side Request Forgery (SSRF) | Apex, C#, C++, Go, Java, JavaScript, Kotlin, PHP, Python, Rust, Scala, Swift, Visual Basic | CWE-918 | Sans Top 25, OWASP:A10 |
Session Manipulation | Ruby | CWE-285 | OWASP:A01 |
Sinatra Protection Layers Disabled | Ruby | CWE-1021, CWE-16, CWE-348, CWE-35, CWE-352, CWE-693, CWE-79 | Sans Top 25, OWASP:A01, OWASP:A05, OWASP:A03, OWASP:A04 |
Size Used as Index | C++ | CWE-125, CWE-787 | Sans Top 25 |
Spring Cross-Site Request Forgery (CSRF) | Java | CWE-352 | Sans Top 25, OWASP:A01 |
Struts Development Mode Enabled | XML | CWE-489 | |
The cipher text is equal to the provided input plain text | Java, Kotlin, Scala | CWE-311 | OWASP:A04 |
Trust Boundary Violation | Java, Kotlin, Scala | CWE-501 | OWASP:A04 |
Unauthorized File Access | Java, Kotlin | CWE-79 | Sans Top 25, OWASP:A03 |
Unchecked Input for Loop Condition | JavaScript | CWE-400, CWE-606 | |
Unprotected Storage of Credentials | Java, Kotlin, Scala | CWE-256 | OWASP:A04 |
Unrestricted Android Broadcast | Java, Kotlin | CWE-862 | Sans Top 25, OWASP:A01 |
Unsafe JQuery Plugin | JavaScript | CWE-116, CWE-79 | Sans Top 25, OWASP:A03 |
Unsafe Reflection | Java, Ruby | CWE-470 | OWASP:A03 |
Unsafe SOQL Concatenation | Apex | CWE-89 | Sans Top 25, OWASP:A03 |
Unsafe SOSL Concatenation | Apex | CWE-89 | Sans Top 25, OWASP:A03 |
Unverified Password Change | Apex | CWE-620 | OWASP:A07 |
Usage of BinaryFormatter | C#, Visual Basic | CWE-502 | Sans Top 25, OWASP:A08 |
Use After Free | C++ | CWE-416 | Sans Top 25 |
Use dangerouslySetInnerHTML to Explicitly Handle XSS Risks | JavaScript | CWE-79 | Sans Top 25, OWASP:A03 |
Use of Expired File Descriptor | C++ | CWE-910 | |
Use of Externally-Controlled Format String | C++, Java, JavaScript, Kotlin, Scala | CWE-134 | |
Use of Hardcoded Credentials | Apex, C#, Go, Java, JavaScript, Kotlin, PHP, Python, Ruby, Rust, Scala, Swift, Visual Basic | CWE-259, CWE-798 | Sans Top 25, OWASP:A07 |
Use of Hardcoded Cryptographic Initialization Value | Python | CWE-329 | OWASP:A02 |
Use of Hardcoded Cryptographic Key | C++, Python, Ruby | CWE-321 | OWASP:A02 |
Use of Hardcoded Passwords | Apex, Go, Java, JavaScript, Kotlin, PHP, Python, Ruby, Rust, Scala, Swift, XML | CWE-259, CWE-798 | Sans Top 25, OWASP:A07 |
Use of Hardcoded, Security-relevant Constants | Java, Kotlin, Scala | CWE-547 | OWASP:A05 |
Use of Insufficiently Random Values | C#, Go, Java, JavaScript, Kotlin, PHP, Ruby, Rust, Scala, Swift, Visual Basic | CWE-330 | OWASP:A02 |
Use of Password Hash With Insufficient Computational Effort | Apex, C#, C++, Go, Java, JavaScript, Kotlin, PHP, Python, Ruby, Rust, Scala, Swift, Visual Basic | CWE-916 | OWASP:A02 |
Use of Potentially Dangerous Function | Java, Kotlin, Scala | CWE-676 | |
Use of Sticky broadcasts | Java, Kotlin | CWE-265 | |
Use of a Broken or Risky Cryptographic Algorithm | C#, Go, Java, JavaScript, Kotlin, PHP, Python, Ruby, Rust, Scala, Swift, Visual Basic | CWE-327 | OWASP:A02 |
User Controlled Pointer | C++ | CWE-1285 | |
Weak Password Recovery Mechanism for Forgotten Password | JavaScript | CWE-640 | OWASP:A07 |
XAML Injection | C# | CWE-611 | OWASP:A05 |
XML External Entity (XXE) Injection | C#, C++, Java, JavaScript, Kotlin, PHP, Ruby, Scala, Swift, Visual Basic | CWE-611 | OWASP:A05 |
XML Injection | Apex, C#, Visual Basic | CWE-91 | OWASP:A03 |
XPath Injection | C#, C++, Go, Java, JavaScript, Kotlin, PHP, Python, Ruby, Scala, Visual Basic | CWE-643 | OWASP:A03 |