Java rules

Each rule includes the following information.

  • Rule Name: The Snyk name of the rule.

  • CWE(s): The CWE numbers that are covered by this rule.

  • Security Categories: The OWASP Top 10 (2021 edition) category to which the rule belongs to, if any, and if it is included in SANS 25.

  • Autofixable: Security rules that are autofixable by DeepCode AI Fix. This information is included only for the supported programming languages.

Rule NameCWE(s)Security CategoriesAutofixable

Android World Writeable/Readable File Permission Found

CWE-732

None

Yes

Use of Potentially Dangerous Function

CWE-676

None

No

Cleartext Storage of Sensitive Information in a Cookie

CWE-315

OWASP:A05

No

Code Injection

CWE-94

Sans Top 25, OWASP:A03

No

Command Injection

CWE-78

Sans Top 25, OWASP:A03

No

Deserialization of Untrusted Data

CWE-502

Sans Top 25, OWASP:A08

Yes

Cross-Site Request Forgery (CSRF)

CWE-352

Sans Top 25, OWASP:A01

Yes

Information Exposure

CWE-200

OWASP:A01

No

Cleartext Transmission of Sensitive Information

CWE-319

OWASP:A02

No

Indirect Command Injection via User Controlled Environment

CWE-78

Sans Top 25, OWASP:A03

No

External Control of System or Configuration Setting

CWE-15

OWASP:A05

No

Process Control

CWE-114

None

No

File Access Enabled

CWE-200

OWASP:A01

Yes

Android Fragment Injection

CWE-470

OWASP:A03

Yes

Use of Hardcoded Passwords

CWE-798, CWE-259

Sans Top 25, OWASP:A07

No

Hardcoded Secret

CWE-547

OWASP:A05

No

Improper Neutralization of CRLF Sequences in HTTP Headers

CWE-113

OWASP:A03

No

Disabled Neutralization of CRLF Sequences in HTTP Headers

CWE-113

OWASP:A03

No

Inadequate Padding for AES encryption

CWE-326

OWASP:A02

Yes

Use of a Broken or Risky Cryptographic Algorithm

CWE-327

OWASP:A02

No

Use of Password Hash With Insufficient Computational Effort

CWE-916

OWASP:A02

Yes

Use of Insufficiently Random Values

CWE-330

OWASP:A02

Yes

Android Intent Forwarding

CWE-940

OWASP:A07

No

Improper Validation of Certificate with Host Mismatch

CWE-297

OWASP:A07

No

JavaScript Enabled

CWE-79

Sans Top 25, OWASP:A03

Yes

Java Naming and Directory Interface (JNDI) Injection

CWE-074

None

No

JWT Signature Verification Bypass

CWE-347

OWASP:A02

No

Improper Authentication

CWE-287

Sans Top 25, OWASP:A07

No

LDAP Injection

CWE-90

OWASP:A03

No

Use of Hardcoded Credentials

CWE-798

Sans Top 25, OWASP:A07

No

The cipher text is equal to the provided input plain text

CWE-311

OWASP:A04

No

NoSQL Injection

CWE-943

None

No

Use of Sticky broadcasts

CWE-265

None

No

Use of Hardcoded, Security-relevant Constants

CWE-547

OWASP:A05

No

Open Redirect

CWE-601

OWASP:A01

No

Path Traversal

CWE-23

OWASP:A01

Yes

Privacy Leak

CWE-532

OWASP:A09

No

Unsafe Reflection

CWE-470

OWASP:A03

No

Regular expression injection

CWE-400, CWE-730

None

No

Unprotected Storage of Credentials

CWE-256

OWASP:A04

No

Incorrect Permission Assignment

CWE-732

None

No

Server Information Exposure

CWE-209

OWASP:A04

Yes

Improper Handling of Insufficient Permissions or Privileges

CWE-280

OWASP:A04

No

Cross-site Scripting (XSS)

CWE-79

Sans Top 25, OWASP:A03

Yes

Unrestricted Android Broadcast

CWE-862

Sans Top 25, OWASP:A01

No

Spring Cross-Site Request Forgery (CSRF)

CWE-352

Sans Top 25, OWASP:A01

No

SQL Injection

CWE-89

Sans Top 25, OWASP:A03

Yes

Server-Side Request Forgery (SSRF)

CWE-918

Sans Top 25, OWASP:A10

No

Inadequate Encryption Strength

CWE-326

OWASP:A02

Yes

Code Execution via Third Party Package Context

CWE-94

Sans Top 25, OWASP:A03

No

Code Execution via Third Party Package Installation

CWE-940

OWASP:A07

No

Observable Timing Discrepancy (Timing Attack)

CWE-208

None

Yes

Origin Validation Error

CWE-942, CWE-346

OWASP:A05, OWASP:A07

Yes

Improper Certificate Validation

CWE-295

OWASP:A07

No

Cryptographic Issues

CWE-310

OWASP:A02

Yes

Trust Boundary Violation

CWE-501

OWASP:A04

No

Unauthorized File Access

CWE-79

Sans Top 25, OWASP:A03

No

Android Uri Permission Manipulation

CWE-266

OWASP:A04

No

Use of Externally-Controlled Format String

CWE-134

None

Yes

Sensitive Cookie Without 'HttpOnly' Flag

CWE-1004

OWASP:A05

Yes

Sensitive Cookie in HTTPS Session Without 'Secure' Attribute

CWE-614

OWASP:A05

Yes

Insufficient Session Expiration

CWE-613

OWASP:A07

No

XML External Entity (XXE) Injection

CWE-611

OWASP:A05

Yes

XPath Injection

CWE-643

OWASP:A03

No

Last updated

More information

Snyk privacy policy

© 2024 Snyk Limited | All product and company names and logos are trademarks of their respective owners.