PHP rules

Each rule includes the following information.

Rule Name: The Snyk name of the rule.
CWE(s): The CWE numbers that are covered by this rule.
Security Categories: The OWASP Top 10 (2021 edition) category to which the rule belongs to, if any, and if it is included in SANS 25.
Autofixable: Security rules that are autofixable by DeepCode AI Fix. This information is included only for the supported programming languages.

Rule Name	CWE(s)	Security Categories	Autofixable
Code Injection	CWE-94	Sans Top 25, OWASP:A03	No
Command Injection	CWE-78	Sans Top 25, OWASP:A03	No
Deserialization of Untrusted Data	CWE-502	Sans Top 25, OWASP:A08	No
Improper Access Control: Email Content Injection	CWE-284	OWASP:A01	No
File Inclusion	CWE-98	OWASP:A03	No
Use of Hardcoded Credentials	CWE-798, CWE-259	Sans Top 25, OWASP:A07	No
Hardcoded Secret	CWE-547	OWASP:A05	No
Use of Hardcoded Passwords	CWE-798, CWE-259	Sans Top 25, OWASP:A07	No
Inadequate Padding for Public Key Encryption	CWE-326	OWASP:A02	No
Use of a Broken or Risky Cryptographic Algorithm	CWE-327	OWASP:A02	No
Use of Password Hash With Insufficient Computational Effort	CWE-916	OWASP:A02	No
Use of Insufficiently Random Values	CWE-330	OWASP:A02	No
Cross-site Scripting (XSS)	CWE-79	Sans Top 25, OWASP:A03	No
Allocation of Resources Without Limits or Throttling	CWE-770	None	No
Open Redirect	CWE-601	OWASP:A01	No
Path Traversal	CWE-23	OWASP:A01	No
Information Exposure	CWE-200	OWASP:A01	No
SQL Injection	CWE-89	Sans Top 25, OWASP:A03	No
Server-Side Request Forgery (SSRF)	CWE-918	Sans Top 25, OWASP:A10	No
Origin Validation Error	CWE-942, CWE-346	OWASP:A05, OWASP:A07	No
Improper Restriction of Rendered UI Layers or Frames	CWE-1021	OWASP:A04	No
Inadequate Encryption Strength	CWE-326	OWASP:A02	No
Sensitive Cookie Without 'HttpOnly' Flag	CWE-1004	OWASP:A05	No
Sensitive Cookie in HTTPS Session Without 'Secure' Attribute	CWE-614	OWASP:A05	No
XPath Injection	CWE-643	OWASP:A03	No
XML External Entity (XXE) Injection	CWE-611	OWASP:A05	No
Arbitrary File Write via Archive Extraction (Zip Slip)	CWE-22	Sans Top 25, OWASP:A01	No
Regular Expression Denial of Service (ReDoS)	CWE-400	None	No

Rule Name

CWE(s)

Security Categories

Autofixable

Code Injection

CWE-94

Sans Top 25, OWASP:A03

Command Injection

CWE-78

Sans Top 25, OWASP:A03

Deserialization of Untrusted Data

CWE-502

Sans Top 25, OWASP:A08

Improper Access Control: Email Content Injection

CWE-284

OWASP:A01

File Inclusion

CWE-98

OWASP:A03

Use of Hardcoded Credentials

CWE-798, CWE-259

Sans Top 25, OWASP:A07

Hardcoded Secret

CWE-547

OWASP:A05

Use of Hardcoded Passwords

CWE-798, CWE-259

Sans Top 25, OWASP:A07

Inadequate Padding for Public Key Encryption

CWE-326

OWASP:A02

Use of a Broken or Risky Cryptographic Algorithm

CWE-327

OWASP:A02

Use of Password Hash With Insufficient Computational Effort

CWE-916

OWASP:A02

Use of Insufficiently Random Values

CWE-330

OWASP:A02

Cross-site Scripting (XSS)

CWE-79

Sans Top 25, OWASP:A03

Allocation of Resources Without Limits or Throttling

CWE-770

None

Open Redirect

CWE-601

OWASP:A01

Path Traversal

CWE-23

OWASP:A01

Information Exposure

CWE-200

OWASP:A01

SQL Injection

CWE-89

Sans Top 25, OWASP:A03

Server-Side Request Forgery (SSRF)

CWE-918

Sans Top 25, OWASP:A10

Origin Validation Error

CWE-942, CWE-346

OWASP:A05, OWASP:A07

Improper Restriction of Rendered UI Layers or Frames

CWE-1021

OWASP:A04

Inadequate Encryption Strength

CWE-326

OWASP:A02

Sensitive Cookie Without 'HttpOnly' Flag

CWE-1004

OWASP:A05

Sensitive Cookie in HTTPS Session Without 'Secure' Attribute

CWE-614

OWASP:A05

XPath Injection

CWE-643

OWASP:A03

XML External Entity (XXE) Injection

CWE-611

OWASP:A05

Arbitrary File Write via Archive Extraction (Zip Slip)

CWE-22

Sans Top 25, OWASP:A01

Regular Expression Denial of Service (ReDoS)

CWE-400

None

PreviousKotlin rules NextPython rules

Last updated 2 months ago