GitLab Advanced SAST CWE coverage
{{< details >}}
- Tier: Ultimate
- Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated
{{< /details >}}
GitLab Advanced SAST finds many types of potential security vulnerabilities in code written in supported languages.
GitLab assigns a matching Common Weakness Enumeration (CWE) identifier to each potential vulnerability. CWE identifiers are an industry-standard way to identify security weaknesses, but it’s important to know:
- CWEs are arranged in a tree structure. For example, CWE-22: Path Traversal is a parent of CWE-23: Relative Path Traversal. A scanner that specifically detects relative path traversal weaknesses (CWE-23) by definition also detects a portion of the more general path traversal category (CWE-22).
- For clarity, this table identifies the exact CWE identifiers that are assigned to GitLab Advanced SAST rules. It doesn’t report parent identifiers.
To learn more about the rules used in GitLab Advanced SAST, see SAST rules.
CWE coverage by language
GitLab Advanced SAST finds the following types of weaknesses in each programming language:
| CWE | CWE Description | C# | Go | Java | JavaScript, TypeScript | Python | Ruby |
|---|---|---|---|---|---|---|---|
| CWE-15 | External Control of System or Configuration Setting | {{< icon name=”dotted-circle” >}} No | {{< icon name=”dotted-circle” >}} No | {{< icon name=”check-circle” >}} Yes | {{< icon name=”dotted-circle” >}} No | {{< icon name=”dotted-circle” >}} No | {{< icon name=”dotted-circle” >}} No |
| CWE-22 | Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) | {{< icon name=”check-circle” >}} Yes | {{< icon name=”check-circle” >}} Yes | {{< icon name=”check-circle” >}} Yes | {{< icon name=”check-circle” >}} Yes | {{< icon name=”check-circle” >}} Yes | {{< icon name=”check-circle” >}} Yes |
| CWE-23 | Relative Path Traversal | {{< icon name=”dotted-circle” >}} No | {{< icon name=”dotted-circle” >}} No | {{< icon name=”dotted-circle” >}} No | {{< icon name=”check-circle” >}} Yes | {{< icon name=”check-circle” >}} Yes | {{< icon name=”dotted-circle” >}} No |
| CWE-73 | External Control of File Name or Path | {{< icon name=”dotted-circle” >}} No | {{< icon name=”dotted-circle” >}} No | {{< icon name=”check-circle” >}} Yes | {{< icon name=”dotted-circle” >}} No | {{< icon name=”dotted-circle” >}} No | {{< icon name=”check-circle” >}} Yes |
| CWE-76 | Improper Neutralization of Equivalent Special Elements | {{< icon name=”dotted-circle” >}} No | {{< icon name=”dotted-circle” >}} No | {{< icon name=”dotted-circle” >}} No | {{< icon name=”dotted-circle” >}} No | {{< icon name=”dotted-circle” >}} No | {{< icon name=”check-circle” >}} Yes |
| CWE-77 | Improper Neutralization of Special Elements used in a Command (‘Command Injection’) | {{< icon name=”dotted-circle” >}} No | {{< icon name=”dotted-circle” >}} No | {{< icon name=”check-circle” >}} Yes | {{< icon name=”dotted-circle” >}} No | {{< icon name=”dotted-circle” >}} No | {{< icon name=”dotted-circle” >}} No |
| CWE-78 | Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) | {{< icon name=”check-circle” >}} Yes | {{< icon name=”check-circle” >}} Yes | {{< icon name=”check-circle” >}} Yes | {{< icon name=”check-circle” >}} Yes | {{< icon name=”check-circle” >}} Yes | {{< icon name=”check-circle” >}} Yes |
| CWE-79 | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) | {{< icon name=”check-circle” >}} Yes | {{< icon name=”check-circle” >}} Yes | {{< icon name=”check-circle” >}} Yes | {{< icon name=”check-circle” >}} Yes | {{< icon name=”check-circle” >}} Yes | {{< icon name=”check-circle” >}} Yes |
| CWE-80 | Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) | {{< icon name=”dotted-circle” >}} No | {{< icon name=”dotted-circle” >}} No | {{< icon name=”dotted-circle” >}} No | {{< icon name=”check-circle” >}} Yes | {{< icon name=”dotted-circle” >}} No | {{< icon name=”dotted-circle” >}} No |
| CWE-88 | Improper Neutralization of Argument Delimiters in a Command (‘Argument Injection’) | {{< icon name=”dotted-circle” >}} No | {{< icon name=”dotted-circle” >}} No | {{< icon name=”check-circle” >}} Yes | {{< icon name=”dotted-circle” >}} No | {{< icon name=”dotted-circle” >}} No | {{< icon name=”dotted-circle” >}} No |
| CWE-89 | Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) | {{< icon name=”check-circle” >}} Yes | {{< icon name=”check-circle” >}} Yes | {{< icon name=”check-circle” >}} Yes | {{< icon name=”check-circle” >}} Yes | {{< icon name=”check-circle” >}} Yes | {{< icon name=”check-circle” >}} Yes |
| CWE-90 | Improper Neutralization of Special Elements used in an LDAP Query (‘LDAP Injection’) | {{< icon name=”check-circle” >}} Yes | {{< icon name=”dotted-circle” >}} No | {{< icon name=”check-circle” >}} Yes | {{< icon name=”dotted-circle” >}} No | {{< icon name=”dotted-circle” >}} No | {{< icon name=”dotted-circle” >}} No |
| CWE-91 | XML Injection (aka Blind XPath Injection) | {{< icon name=”dotted-circle” >}} No | {{< icon name=”dotted-circle” >}} No | {{< icon name=”check-circle” >}} Yes | {{< icon name=”dotted-circle” >}} No | {{< icon name=”dotted-circle” >}} No | {{< icon name=”dotted-circle” >}} No |
| CWE-94 | Improper Control of Generation of Code (‘Code Injection’) | {{< icon name=”dotted-circle” >}} No | {{< icon name=”check-circle” >}} Yes | {{< icon name=”check-circle” >}} Yes | {{< icon name=”check-circle” >}} Yes | {{< icon name=”check-circle” >}} Yes | {{< icon name=”check-circle” >}} Yes |
| CWE-95 | Improper Neutralization of Directives in Dynamically Evaluated Code (‘Eval Injection’) | {{< icon name=”dotted-circle” >}} No | {{< icon name=”dotted-circle” >}} No | {{< icon name=”check-circle” >}} Yes | {{< icon name=”check-circle” >}} Yes | {{< icon name=”check-circle” >}} Yes | {{< icon name=”check-circle” >}} Yes |
| CWE-113 | Improper Neutralization of CRLF Sequences in HTTP Headers (‘HTTP Request/Response Splitting’) | {{< icon name=”dotted-circle” >}} No | {{< icon name=”dotted-circle” >}} No | {{< icon name=”check-circle” >}} Yes | {{< icon name=”check-circle” >}} Yes | {{< icon name=”dotted-circle” >}} No | {{< icon name=”dotted-circle” >}} No |
| CWE-116 | Improper Encoding or Escaping of Output | {{< icon name=”dotted-circle” >}} No | {{< icon name=”dotted-circle” >}} No | {{< icon name=”dotted-circle” >}} No | {{< icon name=”check-circle” >}} Yes | {{< icon name=”check-circle” >}} Yes | {{< icon name=”dotted-circle” >}} No |
| CWE-117 | Improper Output Neutralization for Logs | {{< icon name=”dotted-circle” >}} No | {{< icon name=”dotted-circle” >}} No | {{< icon name=”check-circle” >}} Yes | {{< icon name=”dotted-circle” >}} No | {{< icon name=”dotted-circle” >}} No | {{< icon name=”dotted-circle” >}} No |
| CWE-118 | Incorrect Access of Indexable Resource (‘Range Error’) | {{< icon name=”dotted-circle” >}} No | {{< icon name=”check-circle” >}} Yes | {{< icon name=”dotted-circle” >}} No | {{< icon name=”dotted-circle” >}} No | {{< icon name=”dotted-circle” >}} No | {{< icon name=”dotted-circle” >}} No |
| CWE-125 | Out-of-bounds Read | {{< icon name=”dotted-circle” >}} No | {{< icon name=”dotted-circle” >}} No | {{< icon name=”dotted-circle” >}} No | {{< icon name=”check-circle” >}} Yes | {{< icon name=”dotted-circle” >}} No | {{< icon name=”dotted-circle” >}} No |
| CWE-134 | Use of Externally-Controlled Format String | {{< icon name=”dotted-circle” >}} No | {{< icon name=”dotted-circle” >}} No | {{< icon name=”check-circle” >}} Yes | {{< icon name=”dotted-circle” >}} No | {{< icon name=”dotted-circle” >}} No | {{< icon name=”dotted-circle” >}} No |
| CWE-155 | Improper Neutralization of Wildcards or Matching Symbols | {{< icon name=”dotted-circle” >}} No | {{< icon name=”dotted-circle” >}} No | {{< icon name=”dotted-circle” >}} No | {{< icon name=”dotted-circle” >}} No | {{< icon name=”check-circle” >}} Yes | {{< icon name=”dotted-circle” >}} No |
| CWE-180 | Incorrect Behavior Order: Validate Before Canonicalize | {{< icon name=”dotted-circle” >}} No | {{< icon name=”dotted-circle” >}} No | {{< icon name=”check-circle” >}} Yes | {{< icon name=”dotted-circle” >}} No | {{< icon name=”dotted-circle” >}} No | {{< icon name=”dotted-circle” >}} No |
| CWE-182 | Collapse of Data into Unsafe Value | {{< icon name=”dotted-circle” >}} No | {{< icon name=”dotted-circle” >}} No | {{< icon name=”check-circle” >}} Yes | {{< icon name=”dotted-circle” >}} No | {{< icon name=”dotted-circle” >}} No | {{< icon name=”dotted-circle” >}} No |
| CWE-185 | Incorrect Regular Expression | {{< icon name=”dotted-circle” >}} No | {{< icon name=”dotted-circle” >}} No | {{< icon name=”dotted-circle” >}} No | {{< icon name=”check-circle” >}} Yes | {{< icon name=”dotted-circle” >}} No | {{< icon name=”check-circle” >}} Yes |
| CWE-190 | Integer Overflow or Wraparound | {{< icon name=”dotted-circle” >}} No | {{< icon name=”check-circle” >}} Yes | {{< icon name=”dotted-circle” >}} No | {{< icon name=”dotted-circle” >}} No | {{< icon name=”dotted-circle” >}} No | {{< icon name=”dotted-circle” >}} No |
| CWE-208 | Observable Timing Discrepancy | {{< icon name=”dotted-circle” >}} No | {{< icon name=”dotted-circle” >}} No | {{< icon name=”dotted-circle” >}} No | {{< icon name=”check-circle” >}} Yes | {{< icon name=”dotted-circle” >}} No | {{< icon name=”dotted-circle” >}} No |
| CWE-209 | Generation of Error Message Containing Sensitive Information | {{< icon name=”dotted-circle” >}} No | {{< icon name=”dotted-circle” >}} No | {{< icon name=”dotted-circle” >}} No | {{< icon name=”dotted-circle” >}} No | {{< icon name=”dotted-circle” >}} No | {{< icon name=”check-circle” >}} Yes |
| CWE-242 | Use of Inherently Dangerous Function | {{< icon name=”dotted-circle” >}} No | {{< icon name=”check-circle” >}} Yes | {{< icon name=”dotted-circle” >}} No | {{< icon name=”dotted-circle” >}} No | {{< icon name=”dotted-circle” >}} No | {{< icon name=”dotted-circle” >}} No |
| CWE-272 | Least Privilege Violation | {{< icon name=”dotted-circle” >}} No | {{< icon name=”dotted-circle” >}} No | {{< icon name=”dotted-circle” >}} No | {{< icon name=”check-circle” >}} Yes | {{< icon name=”dotted-circle” >}} No | {{< icon name=”dotted-circle” >}} No |
| CWE-276 | Incorrect Default Permissions | {{< icon name=”dotted-circle” >}} No | {{< icon name=”check-circle” >}} Yes | {{< icon name=”dotted-circle” >}} No | {{< icon name=”dotted-circle” >}} No | {{< icon name=”dotted-circle” >}} No | {{< icon name=”check-circle” >}} Yes |
| CWE-295 | Improper Certificate Validation | {{< icon name=”check-circle” >}} Yes | {{< icon name=”dotted-circle” >}} No | {{< icon name=”check-circle” >}} Yes | {{< icon name=”check-circle” >}} Yes | {{< icon name=”check-circle” >}} Yes | {{< icon name=”check-circle” >}} Yes |
| CWE-297 | Improper Validation of Certificate with Host Mismatch | {{< icon name=”dotted-circle” >}} No | {{< icon name=”dotted-circle” >}} No | {{< icon name=”check-circle” >}} Yes | {{< icon name=”dotted-circle” >}} No | {{< icon name=”dotted-circle” >}} No | {{< icon name=”dotted-circle” >}} No |
| CWE-306 | Missing Authentication for Critical Function | {{< icon name=”dotted-circle” >}} No | {{< icon name=”dotted-circle” >}} No | {{< icon name=”check-circle” >}} Yes | {{< icon name=”dotted-circle” >}} No | {{< icon name=”dotted-circle” >}} No | {{< icon name=”dotted-circle” >}} No |
| CWE-311 | Missing Encryption of Sensitive Data | {{< icon name=”dotted-circle” >}} No | {{< icon name=”dotted-circle” >}} No | {{< icon name=”dotted-circle” >}} No | {{< icon name=”dotted-circle” >}} No | {{< icon name=”dotted-circle” >}} No | {{< icon name=”check-circle” >}} Yes |
| CWE-319 | Cleartext Transmission of Sensitive Information | {{< icon name=”dotted-circle” >}} No | {{< icon name=”dotted-circle” >}} No | {{< icon name=”check-circle” >}} Yes | {{< icon name=”check-circle” >}} Yes | {{< icon name=”check-circle” >}} Yes | {{< icon name=”dotted-circle” >}} No |
| CWE-322 | Key Exchange without Entity Authentication | {{< icon name=”dotted-circle” >}} No | {{< icon name=”check-circle” >}} Yes | {{< icon name=”dotted-circle” >}} No | {{< icon name=”dotted-circle” >}} No | {{< icon name=”check-circle” >}} Yes | {{< icon name=”dotted-circle” >}} No |
| CWE-323 | Reusing a Nonce, Key Pair in Encryption | {{< icon name=”dotted-circle” >}} No | {{< icon name=”dotted-circle” >}} No | {{< icon name=”check-circle” >}} Yes | {{< icon name=”dotted-circle” >}} No | {{< icon name=”dotted-circle” >}} No | {{< icon name=”dotted-circle” >}} No |
| CWE-326 | Inadequate Encryption Strength | {{< icon name=”dotted-circle” >}} No | {{< icon name=”check-circle” >}} Yes | {{< icon name=”check-circle” >}} Yes | {{< icon name=”dotted-circle” >}} No | {{< icon name=”check-circle” >}} Yes | {{< icon name=”check-circle” >}} Yes |
| CWE-327 | Use of a Broken or Risky Cryptographic Algorithm | {{< icon name=”check-circle” >}} Yes | {{< icon name=”check-circle” >}} Yes | {{< icon name=”check-circle” >}} Yes | {{< icon name=”check-circle” >}} Yes | {{< icon name=”check-circle” >}} Yes | {{< icon name=”dotted-circle” >}} No |
| CWE-328 | Use of Weak Hash | {{< icon name=”dotted-circle” >}} No | {{< icon name=”dotted-circle” >}} No | {{< icon name=”dotted-circle” >}} No | {{< icon name=”check-circle” >}} Yes | {{< icon name=”dotted-circle” >}} No | {{< icon name=”check-circle” >}} Yes |
| CWE-338 | Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) | {{< icon name=”check-circle” >}} Yes | {{< icon name=”check-circle” >}} Yes | {{< icon name=”dotted-circle” >}} No | {{< icon name=”check-circle” >}} Yes | {{< icon name=”check-circle” >}} Yes | {{< icon name=”dotted-circle” >}} No |
| CWE-346 | Origin Validation Error | {{< icon name=”dotted-circle” >}} No | {{< icon name=”dotted-circle” >}} No | {{< icon name=”dotted-circle” >}} No | {{< icon name=”check-circle” >}} Yes | {{< icon name=”dotted-circle” >}} No | {{< icon name=”dotted-circle” >}} No |
| CWE-347 | Improper Verification of Cryptographic Signature | {{< icon name=”dotted-circle” >}} No | {{< icon name=”dotted-circle” >}} No | {{< icon name=”check-circle” >}} Yes | {{< icon name=”dotted-circle” >}} No | {{< icon name=”dotted-circle” >}} No | {{< icon name=”dotted-circle” >}} No |
| CWE-348 | Use of Less Trusted Source | {{< icon name=”dotted-circle” >}} No | {{< icon name=”dotted-circle” >}} No | {{< icon name=”dotted-circle” >}} No | {{< icon name=”check-circle” >}} Yes | {{< icon name=”dotted-circle” >}} No | {{< icon name=”dotted-circle” >}} No |
| CWE-352 | Cross-Site Request Forgery (CSRF) | {{< icon name=”check-circle” >}} Yes | {{< icon name=”dotted-circle” >}} No | {{< icon name=”check-circle” >}} Yes | {{< icon name=”dotted-circle” >}} No | {{< icon name=”check-circle” >}} Yes | {{< icon name=”check-circle” >}} Yes |
| CWE-358 | Improperly Implemented Security Check for Standard | {{< icon name=”dotted-circle” >}} No | {{< icon name=”dotted-circle” >}} No | {{< icon name=”dotted-circle” >}} No | {{< icon name=”check-circle” >}} Yes | {{< icon name=”dotted-circle” >}} No | {{< icon name=”dotted-circle” >}} No |
| CWE-369 | Divide By Zero | {{< icon name=”dotted-circle” >}} No | {{< icon name=”dotted-circle” >}} No | {{< icon name=”dotted-circle” >}} No | {{< icon name=”dotted-circle” >}} No | {{< icon name=”dotted-circle” >}} No | {{< icon name=”check-circle” >}} Yes |
| CWE-377 | Insecure Temporary File | {{< icon name=”dotted-circle” >}} No | {{< icon name=”check-circle” >}} Yes | {{< icon name=”dotted-circle” >}} No | {{< icon name=”dotted-circle” >}} No | {{< icon name=”check-circle” >}} Yes | {{< icon name=”dotted-circle” >}} No |
| CWE-409 | Improper Handling of Highly Compressed Data (Data Amplification) | {{< icon name=”dotted-circle” >}} No | {{< icon name=”check-circle” >}} Yes | {{< icon name=”dotted-circle” >}} No | {{< icon name=”dotted-circle” >}} No | {{< icon name=”dotted-circle” >}} No | {{< icon name=”dotted-circle” >}} No |
| CWE-470 | Use of Externally-Controlled Input to Select Classes or Code (‘Unsafe Reflection’) | {{< icon name=”dotted-circle” >}} No | {{< icon name=”dotted-circle” >}} No | {{< icon name=”check-circle” >}} Yes | {{< icon name=”dotted-circle” >}} No | {{< icon name=”dotted-circle” >}} No | {{< icon name=”dotted-circle” >}} No |
| CWE-489 | Active Debug Code | {{< icon name=”dotted-circle” >}} No | {{< icon name=”check-circle” >}} Yes | {{< icon name=”check-circle” >}} Yes | {{< icon name=”dotted-circle” >}} No | {{< icon name=”check-circle” >}} Yes | {{< icon name=”dotted-circle” >}} No |
| CWE-502 | Deserialization of Untrusted Data | {{< icon name=”check-circle” >}} Yes | {{< icon name=”dotted-circle” >}} No | {{< icon name=”check-circle” >}} Yes | {{< icon name=”check-circle” >}} Yes | {{< icon name=”check-circle” >}} Yes | {{< icon name=”check-circle” >}} Yes |
| CWE-521 | Weak Password Requirements | {{< icon name=”check-circle” >}} Yes | {{< icon name=”dotted-circle” >}} No | {{< icon name=”dotted-circle” >}} No | {{< icon name=”dotted-circle” >}} No | {{< icon name=”dotted-circle” >}} No | {{< icon name=”dotted-circle” >}} No |
| CWE-522 | Insufficiently Protected Credentials | {{< icon name=”dotted-circle” >}} No | {{< icon name=”dotted-circle” >}} No | {{< icon name=”dotted-circle” >}} No | {{< icon name=”check-circle” >}} Yes | {{< icon name=”dotted-circle” >}} No | {{< icon name=”dotted-circle” >}} No |
| CWE-552 | Files or Directories Accessible to External Parties | {{< icon name=”dotted-circle” >}} No | {{< icon name=”check-circle” >}} Yes | {{< icon name=”check-circle” >}} Yes | {{< icon name=”dotted-circle” >}} No | {{< icon name=”dotted-circle” >}} No | {{< icon name=”dotted-circle” >}} No |
| CWE-554 | ASP.NET Misconfiguration: Not Using Input Validation Framework | {{< icon name=”check-circle” >}} Yes | {{< icon name=”dotted-circle” >}} No | {{< icon name=”dotted-circle” >}} No | {{< icon name=”dotted-circle” >}} No | {{< icon name=”dotted-circle” >}} No | {{< icon name=”dotted-circle” >}} No |
| CWE-599 | Missing Validation of OpenSSL Certificate | {{< icon name=”dotted-circle” >}} No | {{< icon name=”dotted-circle” >}} No | {{< icon name=”dotted-circle” >}} No | {{< icon name=”check-circle” >}} Yes | {{< icon name=”dotted-circle” >}} No | {{< icon name=”dotted-circle” >}} No |
| CWE-601 | URL Redirection to Untrusted Site (‘Open Redirect’) | {{< icon name=”check-circle” >}} Yes | {{< icon name=”check-circle” >}} Yes | {{< icon name=”check-circle” >}} Yes | {{< icon name=”check-circle” >}} Yes | {{< icon name=”check-circle” >}} Yes | {{< icon name=”check-circle” >}} Yes |
| CWE-606 | Unchecked Input for Loop Condition | {{< icon name=”dotted-circle” >}} No | {{< icon name=”dotted-circle” >}} No | {{< icon name=”dotted-circle” >}} No | {{< icon name=”check-circle” >}} Yes | {{< icon name=”dotted-circle” >}} No | {{< icon name=”dotted-circle” >}} No |
| CWE-611 | Improper Restriction of XML External Entity Reference | {{< icon name=”check-circle” >}} Yes | {{< icon name=”check-circle” >}} Yes | {{< icon name=”check-circle” >}} Yes | {{< icon name=”check-circle” >}} Yes | {{< icon name=”check-circle” >}} Yes | {{< icon name=”dotted-circle” >}} No |
| CWE-613 | Insufficient Session Expiration | {{< icon name=”dotted-circle” >}} No | {{< icon name=”dotted-circle” >}} No | {{< icon name=”dotted-circle” >}} No | {{< icon name=”check-circle” >}} Yes | {{< icon name=”dotted-circle” >}} No | {{< icon name=”dotted-circle” >}} No |
| CWE-614 | Sensitive Cookie in HTTPS Session Without ‘Secure’ Attribute | {{< icon name=”check-circle” >}} Yes | {{< icon name=”dotted-circle” >}} No | {{< icon name=”check-circle” >}} Yes | {{< icon name=”check-circle” >}} Yes | {{< icon name=”dotted-circle” >}} No | {{< icon name=”dotted-circle” >}} No |
| CWE-639 | Authorization Bypass Through User-Controlled Key | {{< icon name=”dotted-circle” >}} No | {{< icon name=”dotted-circle” >}} No | {{< icon name=”dotted-circle” >}} No | {{< icon name=”dotted-circle” >}} No | {{< icon name=”dotted-circle” >}} No | {{< icon name=”check-circle” >}} Yes |
| CWE-643 | Improper Neutralization of Data within XPath Expressions (‘XPath Injection’) | {{< icon name=”check-circle” >}} Yes | {{< icon name=”dotted-circle” >}} No | {{< icon name=”check-circle” >}} Yes | {{< icon name=”check-circle” >}} Yes | {{< icon name=”dotted-circle” >}} No | {{< icon name=”dotted-circle” >}} No |
| CWE-704 | Incorrect Type Conversion or Cast | {{< icon name=”dotted-circle” >}} No | {{< icon name=”dotted-circle” >}} No | {{< icon name=”check-circle” >}} Yes | {{< icon name=”dotted-circle” >}} No | {{< icon name=”dotted-circle” >}} No | {{< icon name=”dotted-circle” >}} No |
| CWE-732 | Incorrect Permission Assignment for Critical Resource | {{< icon name=”dotted-circle” >}} No | {{< icon name=”check-circle” >}} Yes | {{< icon name=”check-circle” >}} Yes | {{< icon name=”dotted-circle” >}} No | {{< icon name=”check-circle” >}} Yes | {{< icon name=”dotted-circle” >}} No |
| CWE-749 | Exposed Dangerous Method or Function | {{< icon name=”dotted-circle” >}} No | {{< icon name=”dotted-circle” >}} No | {{< icon name=”check-circle” >}} Yes | {{< icon name=”dotted-circle” >}} No | {{< icon name=”dotted-circle” >}} No | {{< icon name=”check-circle” >}} Yes |
| CWE-754 | Improper Check for Unusual or Exceptional Conditions | {{< icon name=”dotted-circle” >}} No | {{< icon name=”dotted-circle” >}} No | {{< icon name=”dotted-circle” >}} No | {{< icon name=”dotted-circle” >}} No | {{< icon name=”check-circle” >}} Yes | {{< icon name=”check-circle” >}} Yes |
| CWE-757 | Selection of Less-Secure Algorithm During Negotiation (‘Algorithm Downgrade’) | {{< icon name=”dotted-circle” >}} No | {{< icon name=”dotted-circle” >}} No | {{< icon name=”dotted-circle” >}} No | {{< icon name=”check-circle” >}} Yes | {{< icon name=”dotted-circle” >}} No | {{< icon name=”dotted-circle” >}} No |
| CWE-770 | Allocation of Resources Without Limits or Throttling | {{< icon name=”dotted-circle” >}} No | {{< icon name=”check-circle” >}} Yes | {{< icon name=”dotted-circle” >}} No | {{< icon name=”check-circle” >}} Yes | {{< icon name=”check-circle” >}} Yes | {{< icon name=”dotted-circle” >}} No |
| CWE-776 | Improper Restriction of Recursive Entity References in DTDs (‘XML Entity Expansion’) | {{< icon name=”dotted-circle” >}} No | {{< icon name=”dotted-circle” >}} No | {{< icon name=”dotted-circle” >}} No | {{< icon name=”check-circle” >}} Yes | {{< icon name=”dotted-circle” >}} No | {{< icon name=”dotted-circle” >}} No |
| CWE-780 | Use of RSA Algorithm without OAEP | {{< icon name=”dotted-circle” >}} No | {{< icon name=”dotted-circle” >}} No | {{< icon name=”check-circle” >}} Yes | {{< icon name=”dotted-circle” >}} No | {{< icon name=”dotted-circle” >}} No | {{< icon name=”dotted-circle” >}} No |
| CWE-787 | Out-of-bounds Write | {{< icon name=”dotted-circle” >}} No | {{< icon name=”dotted-circle” >}} No | {{< icon name=”dotted-circle” >}} No | {{< icon name=”check-circle” >}} Yes | {{< icon name=”dotted-circle” >}} No | {{< icon name=”dotted-circle” >}} No |
| CWE-798 | Use of Hard-coded Credentials | {{< icon name=”dotted-circle” >}} No | {{< icon name=”dotted-circle” >}} No | {{< icon name=”dotted-circle” >}} No | {{< icon name=”check-circle” >}} Yes | {{< icon name=”dotted-circle” >}} No | {{< icon name=”dotted-circle” >}} No |
| CWE-913 | Improper Control of Dynamically-Managed Code Resources | {{< icon name=”dotted-circle” >}} No | {{< icon name=”dotted-circle” >}} No | {{< icon name=”dotted-circle” >}} No | {{< icon name=”check-circle” >}} Yes | {{< icon name=”dotted-circle” >}} No | {{< icon name=”dotted-circle” >}} No |
| CWE-915 | Improperly Controlled Modification of Dynamically-Determined Object Attributes | {{< icon name=”dotted-circle” >}} No | {{< icon name=”dotted-circle” >}} No | {{< icon name=”dotted-circle” >}} No | {{< icon name=”dotted-circle” >}} No | {{< icon name=”dotted-circle” >}} No | {{< icon name=”check-circle” >}} Yes |
| CWE-917 | Improper Neutralization of Special Elements used in an Expression Language Statement (‘Expression Language Injection’) | {{< icon name=”dotted-circle” >}} No | {{< icon name=”dotted-circle” >}} No | {{< icon name=”check-circle” >}} Yes | {{< icon name=”dotted-circle” >}} No | {{< icon name=”dotted-circle” >}} No | {{< icon name=”dotted-circle” >}} No |
| CWE-918 | Server-Side Request Forgery (SSRF) | {{< icon name=”check-circle” >}} Yes | {{< icon name=”check-circle” >}} Yes | {{< icon name=”check-circle” >}} Yes | {{< icon name=”check-circle” >}} Yes | {{< icon name=”check-circle” >}} Yes | {{< icon name=”check-circle” >}} Yes |
| CWE-942 | Permissive Cross-domain Policy with Untrusted Domains | {{< icon name=”dotted-circle” >}} No | {{< icon name=”dotted-circle” >}} No | {{< icon name=”check-circle” >}} Yes | {{< icon name=”check-circle” >}} Yes | {{< icon name=”dotted-circle” >}} No | {{< icon name=”dotted-circle” >}} No |
| CWE-943 | Improper Neutralization of Special Elements in Data Query Logic | {{< icon name=”dotted-circle” >}} No | {{< icon name=”check-circle” >}} Yes | {{< icon name=”check-circle” >}} Yes | {{< icon name=”check-circle” >}} Yes | {{< icon name=”dotted-circle” >}} No | {{< icon name=”dotted-circle” >}} No |
| CWE-1004 | Sensitive Cookie Without ‘HttpOnly’ Flag | {{< icon name=”check-circle” >}} Yes | {{< icon name=”dotted-circle” >}} No | {{< icon name=”check-circle” >}} Yes | {{< icon name=”check-circle” >}} Yes | {{< icon name=”dotted-circle” >}} No | {{< icon name=”check-circle” >}} Yes |
| CWE-1104 | Use of Unmaintained Third Party Components | {{< icon name=”dotted-circle” >}} No | {{< icon name=”dotted-circle” >}} No | {{< icon name=”dotted-circle” >}} No | {{< icon name=”dotted-circle” >}} No | {{< icon name=”check-circle” >}} Yes | {{< icon name=”dotted-circle” >}} No |
| CWE-1204 | Generation of Weak Initialization Vector (IV) | {{< icon name=”dotted-circle” >}} No | {{< icon name=”dotted-circle” >}} No | {{< icon name=”dotted-circle” >}} No | {{< icon name=”check-circle” >}} Yes | {{< icon name=”dotted-circle” >}} No | {{< icon name=”dotted-circle” >}} No |
| CWE-1275 | Sensitive Cookie with Improper SameSite Attribute | {{< icon name=”dotted-circle” >}} No | {{< icon name=”dotted-circle” >}} No | {{< icon name=”dotted-circle” >}} No | {{< icon name=”check-circle” >}} Yes | {{< icon name=”dotted-circle” >}} No | {{< icon name=”dotted-circle” >}} No |
| CWE-1321 | Improperly Controlled Modification of Object Prototype Attributes (‘Prototype Pollution’) | {{< icon name=”dotted-circle” >}} No | {{< icon name=”dotted-circle” >}} No | {{< icon name=”dotted-circle” >}} No | {{< icon name=”check-circle” >}} Yes | {{< icon name=”dotted-circle” >}} No | {{< icon name=”dotted-circle” >}} No |
| CWE-1327 | Binding to an Unrestricted IP Address | {{< icon name=”dotted-circle” >}} No | {{< icon name=”check-circle” >}} Yes | {{< icon name=”dotted-circle” >}} No | {{< icon name=”dotted-circle” >}} No | {{< icon name=”check-circle” >}} Yes | {{< icon name=”dotted-circle” >}} No |
| CWE-1390 | Weak Authentication | {{< icon name=”dotted-circle” >}} No | {{< icon name=”dotted-circle” >}} No | {{< icon name=”check-circle” >}} Yes | {{< icon name=”dotted-circle” >}} No | {{< icon name=”dotted-circle” >}} No | {{< icon name=”dotted-circle” >}} No |
{{< alert type=”note” >}}
Did this page answer the question you had? If not, please comment on epic 15343 to share your use case.
{{< /alert >}}