From f9594362042a4566773102aca039c6d76594cc15 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Lajeunesse-Robert?=
Date: Thu, 27 Nov 2025 13:45:42 -0500
Subject: [PATCH 1/5] Updated the owasp top 10 2021 list
---
 .boost/scripts/owasp-top-10_2021.cwes.lst | 80 +++++++++++++----------
 1 file changed, 47 insertions(+), 33 deletions(-)
diff --git a/.boost/scripts/owasp-top-10_2021.cwes.lst b/.boost/scripts/owasp-top-10_2021.cwes.lst
index c7edcf96..5fdadb69 100644
--- a/.boost/scripts/owasp-top-10_2021.cwes.lst
+++ b/.boost/scripts/owasp-top-10_2021.cwes.lst
@@ -1,51 +1,45 @@
+cwe-100
+cwe-1004
+cwe-1021
+cwe-1032
 cwe-11
-cwe-13
-cwe-15
-cwe-20
-cwe-22
-cwe-23
-cwe-35
-cwe-59
-cwe-73
-cwe-74
-cwe-75
-cwe-77
-cwe-78
-cwe-79
-cwe-80
-cwe-83
-cwe-87
-cwe-88
-cwe-89
-cwe-90
-cwe-91
-cwe-93
-cwe-94
-cwe-95
-cwe-96
-cwe-97
-cwe-98
-cwe-99
+cwe-1104
+cwe-1105
 cwe-113
 cwe-116
 cwe-117
+cwe-1173
+cwe-1174
+cwe-1176
+cwe-1216
+cwe-1275
+cwe-13
 cwe-138
+cwe-15
+cwe-16
 cwe-183
 cwe-184
+cwe-2
+cwe-20
 cwe-200
 cwe-201
 cwe-209
 cwe-213
 cwe-219
+cwe-22
 cwe-223
+cwe-23
 cwe-235
+cwe-255
 cwe-256
 cwe-257
 cwe-259
 cwe-260
 cwe-261
+cwe-264
 cwe-266
 cwe-269
+cwe-275
 cwe-276
 cwe-280
 cwe-284
@@ -62,6 +56,7 @@ cwe-302
 cwe-304
 cwe-306
 cwe-307
+cwe-310
 cwe-311
 cwe-312
 cwe-313
@@ -87,6 +82,7 @@ cwe-340
 cwe-345
 cwe-346
 cwe-347
+cwe-35
 cwe-352
 cwe-353
 cwe-359
@@ -127,6 +123,7 @@ cwe-564
 cwe-565
 cwe-566
 cwe-579
+cwe-59
 cwe-598
 cwe-601
 cwe-602
@@ -149,22 +146,38 @@ cwe-656
 cwe-657
 cwe-668
 cwe-706
+cwe-720
+cwe-73
+cwe-74
+cwe-75
 cwe-756
 cwe-757
 cwe-759
 cwe-760
+cwe-77
 cwe-776
 cwe-778
+cwe-78
 cwe-780
 cwe-784
+cwe-79
 cwe-798
 cwe-799
+cwe-80
 cwe-807
+cwe-818
 cwe-829
+cwe-83
 cwe-830
+cwe-840
 cwe-841
 cwe-862
 cwe-863
+cwe-87
+cwe-88
+cwe-89
+cwe-90
+cwe-91
 cwe-913
 cwe-915
 cwe-916
@@ -172,11 +185,12 @@ cwe-917
 cwe-918
 cwe-922
 cwe-927
+cwe-93
+cwe-94
 cwe-940
 cwe-942
-cwe-1004
-cwe-1021
-cwe-1104
-cwe-1173
-cwe-1174
-cwe-1275
\ No newline at end of file
+cwe-95
+cwe-96
+cwe-97
+cwe-98
+cwe-99
\ No newline at end of file
From f6c35a654112904cd36cee9c327c12d4f7edf258 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Lajeunesse-Robert?=
Date: Thu, 27 Nov 2025 13:46:59 -0500
Subject: [PATCH 2/5] Updated the normalization scripts to suport mitre-cwe rules and clean up category
---
 .boost/scripts/normalize-mapping.py | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/.boost/scripts/normalize-mapping.py b/.boost/scripts/normalize-mapping.py
index 7d34c4f3..f3f4bac4 100644
--- a/.boost/scripts/normalize-mapping.py
+++ b/.boost/scripts/normalize-mapping.py
@@ -31,9 +31,9 @@ for rule_key, rule in rules.items(): categories = rule["categories"] for cwe_list_name, cwes_list in cwes_lists.items(): - if ( + if cwe_list_name not in categories and ( any(cwe in cwes_list for cwe in categories) - and cwe_list_name not in categories + or rule["name"].lower() in cwes_list ): # Add the missing category to the list of categories categories.append(cwe_list_name)
@@ -42,6 +42,16 @@ print( f'Added "{cwe_list_name}" category to rule {rule_key} in {rules_file}' ) + elif cwe_list_name in categories and ( + rule["name"].lower() not in cwes_list and + all(cwe not in cwes_list for cwe in categories) + ): + categories.remove(cwe_list_name) + changed = True + + print( + f'Removed "{cwe_list_name}" category to rule {rule_key} in {rules_file}' + ) if not changed: continue
From cf4f3359a354df3a3c2975abefee2ab7807c0b8d Mon Sep 17 00:00:00 2001
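Review bot: The rewritten list still ends without a trailing newline (both `\ No newline at end of file` markers survive at the end of this hunk), so the next ID appended after `cwe-99` will show up in a diff as a rewrite of that line rather than a one-line addition; terminating the file with a newline costs nothing. The entries are now in plain lexicographic order (`cwe-100`, `cwe-1004`, `cwe-1021` ahead of `cwe-11`), presumably `sort` output, which is fine for the membership checks in normalize-mapping.py but makes it hard to eyeball which OWASP category an ID came from. If the reader of this file tolerates comments (it is not shown here), a single header line naming the mapping source and the date it was taken would make the next refresh reviewable.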
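Review bot: The message printed by the new removal branch reads `Removed "{cwe_list_name}" category to rule {rule_key} in {rules_file}`; it should say `from rule`, mirroring the `Added … to rule` line just above it. The new `elif` also turns the script from additive into authoritative: a category a rule carries that is not backed by the matching `.lst` file is now dropped on every run, which is what strips `owasp-top-10` from CWE-1427 and accounts for the roughly 1100 deletions in `checkmarx-provider/rules.yaml` in the follow-up patch, so a comment above the `elif` such as `# The .lst files are the source of truth: drop categories that no longer match any list` would stop someone from re-adding manual tags that the next run erases. Both branches index `rule["name"]`, which the original code did not touch; if any rule in these YAML files can lack a `name`, `rule.get("name", "").lower()` avoids a KeyError, and binding that value to a local once before the `for cwe_list_name, cwes_list in cwes_lists.items():` loop avoids recomputing it per list. The enclosing `for rule_key, rule in rules.items():` loop starts before the first hunk and the `if not changed: continue` tail continues after the second.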
From: =?UTF-8?q?Fran=C3=A7ois=20Lajeunesse-Robert?= Date: Thu, 27 Nov 2025 13:48:21 -0500 Subject: [PATCH 3/5] Updated rules definition following the execution of the normalize-mapping.py script --- .../boostsecurityio/mitre-cwe/rules.yaml | 158 ++- scanners/boostsecurityio/gosec/rules.yaml | 4 +- .../checkmarx-provider/rules.yaml | 1179 ++--------------- .../boostsecurityio/sci-sca/rules.yaml | 25 +- 4 files changed, 266 insertions(+), 1100 deletions(-) diff --git a/rules-realm/boostsecurityio/mitre-cwe/rules.yaml b/rules-realm/boostsecurityio/mitre-cwe/rules.yaml index b18b4cae..cb2d5530 100644 --- a/rules-realm/boostsecurityio/mitre-cwe/rules.yaml +++ b/rules-realm/boostsecurityio/mitre-cwe/rules.yaml @@ -38,6 +38,7 @@ rules: categories: - ALL - boost-hardened + - owasp-top-10 description: The web application does not restrict or incorrectly restricts frame objects or UI layers that belong to another application or domain, which can lead to user confusion about which interface the user is interacting with. @@ -825,6 +826,7 @@ rules: categories: - ALL - boost-hardened + - owasp-top-10 description: Debugging messages help attackers learn about the system and plan a form of attack. group: top10-security-misconfiguration @@ -899,6 +901,7 @@ rules: categories: - ALL - boost-hardened + - owasp-top-10 description: The product or code uses machine-dependent functionality, but it does not sufficiently encapsulate or isolate this functionality from the rest of the code. @@ -1155,6 +1158,7 @@ rules: categories: - ALL - boost-hardened + - owasp-top-10 description: The product receives data from an HTTP agent/component (e.g., web server, proxy, browser, etc.), but it does not neutralize or incorrectly neutralizes CR and LF characters before the data is included in outgoing HTTP headers. 
@@ -1215,6 +1219,7 @@ rules: categories: - ALL - boost-hardened + - owasp-top-10 description: The product does not neutralize or incorrectly neutralizes output that is written to logs. group: top10-security-logging-monitoring-failures @@ -1225,6 +1230,7 @@ rules: categories: - ALL - boost-hardened + - owasp-top-10 description: The product does not use, or incorrectly uses, an input validation framework that is provided by the source language or an independent library. group: top10-insecure-design @@ -1235,6 +1241,7 @@ rules: categories: - ALL - boost-hardened + - owasp-top-10 description: The ASP.NET application does not use, or incorrectly uses, the model validation framework. group: top10-security-misconfiguration @@ -1245,6 +1252,7 @@ rules: categories: - ALL - boost-hardened + - owasp-top-10 description: The product performs CPU computations using algorithms that are not as efficient as they could be for the needs of the developer, i.e., the computations can be optimized further. @@ -2327,6 +2335,7 @@ rules: categories: - ALL - boost-hardened + - owasp-top-10 description: Storing a plaintext password in a configuration file allows anyone who can read the file access to the password-protected resource making them an easy target for attackers. @@ -2791,6 +2800,7 @@ rules: categories: - ALL - boost-hardened + - owasp-top-10 description: The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as control elements or syntactic markers when they are sent to a downstream 
@@ -2947,10 +2957,9 @@ rules: - ALL - boost-baseline - boost-hardened - - owasp-top-10 - description: The product uses externally-provided data to build prompts provided - to large language models (LLMs), but the way these prompts are constructed causes - the LLM to fail to distinguish between user-supplied inputs and developer provided + description: The product uses externally-provided data to build prompts provided + to large language models (LLMs), but the way these prompts are constructed causes + the LLM to fail to distinguish between user-supplied inputs and developer provided system directives. group: top10-injection name: CWE-1427 @@ -3037,6 +3046,7 @@ rules: categories: - ALL - boost-hardened + - owasp-top-10 description: One or more system settings or configuration elements can be externally controlled by a user. group: top10-security-misconfiguration @@ -3381,6 +3391,7 @@ rules: categories: - ALL - boost-hardened + - owasp-top-10 description: The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are explicitly allowed by policy because the inputs are assumed to be safe, but the list is too permissive - that is, @@ -3393,6 +3404,7 @@ rules: categories: - ALL - boost-hardened + - owasp-top-10 description: The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are not allowed by policy or otherwise require other action to neutralize before additional processing takes place, @@ -3447,6 +3459,7 @@ rules: categories: - ALL - boost-hardened + - cwe-top-25 description: The product performs a calculation that can produce an integer overflow or wraparound, when the logic assumes that the resulting value will always be larger than the original value. This can introduce other weaknesses when the 
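Review bot: This hunk drops `- owasp-top-10` from the CWE-1427 (prompt injection) rule while `group: top10-injection` stays, so the rule is now filed under an OWASP Top 10 group without carrying the OWASP category; that is the mechanical outcome of the new removal branch in normalize-mapping.py, since `cwe-1427` is absent from the 2021 list, rather than a deliberate choice. Either add `cwe-1427` to the list if the team wants the newer LLM-injection mapping kept, or change the group so the two fields agree. The three `description:` lines are also rewritten with no visible textual change, presumably whitespace from the YAML dump, which is worth confirming is intentional before it lands in a generated file.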
@@ -3573,6 +3586,7 @@ rules: categories: - ALL - boost-hardened + - owasp-top-10 description: The code transmits data to another actor, but a portion of the data includes sensitive information that should not be accessible to that actor. group: top10-broken-access-control @@ -3662,6 +3676,7 @@ rules: categories: - ALL - boost-hardened + - owasp-top-10 description: The product generates an error message that includes sensitive information about its environment, users, or associated data. group: top10-insecure-design @@ -3707,6 +3722,7 @@ rules: categories: - ALL - boost-hardened + - owasp-top-10 description: The product's intended functionality exposes information to certain actors in accordance with the developer's security policy, but this information is regarded as sensitive according to the intended security policies of other @@ -3741,6 +3757,7 @@ rules: categories: - ALL - boost-hardened + - owasp-top-10 description: The product stores sensitive data under the web document root with insufficient access control, which might make it accessible to untrusted parties. group: top10-broken-access-control @@ -3800,6 +3817,7 @@ rules: categories: - ALL - boost-hardened + - owasp-top-10 description: The product does not record or display information that would be important for identifying the source or nature of an attack, or determining if an action is safe. @@ -3854,6 +3872,7 @@ rules: categories: - ALL - boost-hardened + - owasp-top-10 description: The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as ".." that can resolve to a location that is outside of that directory. @@ -3918,6 +3937,7 @@ rules: categories: - ALL - boost-hardened + - owasp-top-10 description: The product does not handle or incorrectly handles when the number of parameters, fields, or arguments with the same name exceeds the expected amount. 
@@ -4106,6 +4126,7 @@ rules: categories: - ALL - boost-hardened + - owasp-top-10 description: Storing a password in plaintext may result in a system compromise. group: top10-insecure-design name: CWE-256 @@ -4115,6 +4136,7 @@ rules: categories: - ALL - boost-hardened + - owasp-top-10 description: The storage of passwords in a recoverable format makes them subject to password reuse attacks by malicious users. In fact, it should be noted that recoverable encrypted passwords provide no significant benefit over plaintext @@ -4162,6 +4184,7 @@ rules: categories: - ALL - boost-hardened + - owasp-top-10 description: The product stores a password in a configuration file that might be accessible to actors who do not know the password. group: top10-security-misconfiguration @@ -4172,6 +4195,7 @@ rules: categories: - ALL - boost-hardened + - owasp-top-10 description: Obscuring a password with a trivial encoding does not protect the password. group: top10-crypto-failures @@ -4202,6 +4226,7 @@ rules: categories: - ALL - boost-hardened + - owasp-top-10 description: A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor. group: top10-insecure-design @@ -4363,6 +4388,7 @@ rules: categories: - ALL - boost-hardened + - owasp-top-10 description: The product does not handle or incorrectly handles when it has insufficient privileges to access resources or functionality as specified by their permissions. This may cause it to follow unexpected code paths that may leave the product @@ -4454,6 +4480,7 @@ rules: categories: - ALL - boost-hardened + - owasp-top-10 description: A product requires authentication, but the product has an alternate path or channel that does not require authentication. group: top10-id-authn-failures 
@@ -4487,6 +4514,7 @@ rules: categories: - ALL - boost-hardened + - owasp-top-10 description: This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks. group: top10-id-authn-failures @@ -4516,6 +4544,7 @@ rules: categories: - ALL - boost-hardened + - owasp-top-10 description: A capture-replay flaw exists when the design of the product makes it possible for a malicious user to sniff network traffic and bypass authentication by replaying it to the server in question to the same effect as the original @@ -4541,6 +4570,7 @@ rules: categories: - ALL - boost-hardened + - owasp-top-10 description: The product does not follow, or incorrectly follows, the chain of trust for a certificate back to a trusted root certificate, resulting in incorrect trust of any resource that is associated with that certificate. @@ -4597,6 +4627,7 @@ rules: categories: - ALL - boost-hardened + - owasp-top-10 description: The product does not adequately verify the identity of actors at both ends of a communication channel, or does not adequately ensure the integrity of the channel, in a way that allows the channel to be accessed or influenced @@ -4619,6 +4650,7 @@ rules: categories: - ALL - boost-hardened + - owasp-top-10 description: The authentication scheme or implementation uses key data elements that are assumed to be immutable, but can be controlled or modified by the attacker. group: top10-id-authn-failures @@ -4639,6 +4671,7 @@ rules: categories: - ALL - boost-hardened + - owasp-top-10 description: The product implements an authentication technique, but it skips a step that weakens the technique. group: top10-id-authn-failures @@ -4673,6 +4706,7 @@ rules: categories: - ALL - boost-hardened + - owasp-top-10 description: The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame, making it more susceptible to brute force attacks. 
@@ -4732,6 +4766,7 @@ rules: categories: - ALL - boost-hardened + - owasp-top-10 description: The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere. group: top10-insecure-design @@ -4742,6 +4777,7 @@ rules: categories: - ALL - boost-hardened + - owasp-top-10 description: The product stores sensitive information in cleartext in a file, or on disk. group: top10-insecure-design @@ -4761,6 +4797,7 @@ rules: categories: - ALL - boost-hardened + - owasp-top-10 description: The product stores sensitive information in cleartext in a cookie. group: top10-security-misconfiguration name: CWE-315 @@ -4770,6 +4807,7 @@ rules: categories: - ALL - boost-hardened + - owasp-top-10 description: The product stores sensitive information in cleartext in memory. group: top10-insecure-design name: CWE-316 @@ -4824,6 +4862,7 @@ rules: categories: - ALL - boost-hardened + - owasp-top-10 description: The use of a hard-coded cryptographic key significantly increases the possibility that encrypted data may be recovered. group: top10-crypto-failures @@ -4834,6 +4873,7 @@ rules: categories: - ALL - boost-hardened + - owasp-top-10 description: The product performs a key exchange with an actor without verifying the identity of that actor. group: top10-crypto-failures @@ -4844,6 +4884,7 @@ rules: categories: - ALL - boost-hardened + - owasp-top-10 description: Nonces should be used for the present occasion and only once. group: top10-crypto-failures name: CWE-323 @@ -4853,6 +4894,7 @@ rules: categories: - ALL - boost-hardened + - owasp-top-10 description: The product uses a cryptographic key or password past its expiration date, which diminishes its safety significantly by increasing the timing window for cracking attacks against that key. 
@@ -4864,6 +4906,7 @@ rules: categories: - ALL - boost-hardened + - owasp-top-10 description: The product does not implement a required step in a cryptographic algorithm, resulting in weaker encryption than advertised by the algorithm. group: top10-crypto-failures @@ -4919,6 +4962,7 @@ rules: categories: - ALL - boost-hardened + - owasp-top-10 description: The product generates and uses a predictable initialization Vector (IV) with Cipher Block Chaining (CBC) Mode, which causes algorithms to be susceptible to dictionary attacks when they are encrypted under the same key. @@ -4942,6 +4986,7 @@ rules: categories: - ALL - boost-hardened + - owasp-top-10 description: The product uses insufficiently random numbers or values in a security context that depends on unpredictable numbers. group: top10-crypto-failures @@ -4952,6 +4997,7 @@ rules: categories: - ALL - boost-hardened + - owasp-top-10 description: The product uses an algorithm or scheme that produces insufficient entropy, leaving patterns or clusters of values that are more likely to occur than others. @@ -4993,6 +5039,7 @@ rules: categories: - ALL - boost-hardened + - owasp-top-10 description: The product uses a Pseudo-Random Number Generator (PRNG) but does not correctly manage seeds. group: top10-crypto-failures @@ -5004,6 +5051,7 @@ rules: categories: - ALL - boost-hardened + - owasp-top-10 description: A Pseudo-Random Number Generator (PRNG) uses the same seed each time the product is initialized. group: top10-crypto-failures @@ -5014,6 +5062,7 @@ rules: categories: - ALL - boost-hardened + - owasp-top-10 description: A Pseudo-Random Number Generator (PRNG) is initialized from a predictable seed, such as the process ID or system time. group: top10-crypto-failures @@ -5059,6 +5108,7 @@ rules: categories: - ALL - boost-hardened + - owasp-top-10 description: The product uses a scheme that generates numbers or identifiers that are more predictable than required. group: top10-crypto-failures 
@@ -5135,6 +5185,7 @@ rules: categories: - ALL - boost-hardened + - owasp-top-10 description: The product does not verify, or incorrectly verifies, the cryptographic signature for data. group: top10-crypto-failures @@ -5167,6 +5218,7 @@ rules: categories: - ALL - boost-hardened + - owasp-top-10 description: The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '.../...//' (doubled triple dot slash) sequences that can resolve to a location that is @@ -5217,6 +5269,7 @@ rules: categories: - ALL - boost-hardened + - owasp-top-10 description: The product uses a transmission protocol that does not include a mechanism for verifying the integrity of the data during transmission, such as a checksum. @@ -5272,6 +5325,7 @@ rules: categories: - ALL - boost-hardened + - owasp-top-10 description: The product does not properly prevent a person's private, personal information from being accessed by actors who either (1) are not explicitly authorized to access the information or (2) do not have the implicit consent @@ -5306,6 +5360,7 @@ rules: categories: - ALL - boost-hardened + - cwe-top-25 description: The product contains a code sequence that can run concurrently with other code, and the code sequence requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can @@ -5439,6 +5494,7 @@ rules: categories: - ALL - boost-hardened + - owasp-top-10 description: Creating and using insecure temporary files can leave application and system data vulnerable to attack. group: top10-broken-access-control @@ -5503,6 +5559,7 @@ rules: categories: - ALL - boost-hardened + - owasp-top-10 description: Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions. 
@@ -5662,6 +5719,7 @@ rules: categories: - ALL - boost-hardened + - owasp-top-10 description: The product makes resources available to untrusted parties when those resources are only intended to be accessed by the product. group: top10-broken-access-control @@ -5815,6 +5873,7 @@ rules: categories: - ALL - boost-hardened + - cwe-top-25 description: Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code. group: top10-insecure-design @@ -5825,6 +5884,7 @@ rules: categories: - ALL - boost-hardened + - owasp-top-10 description: The product uses a primary channel for administration or restricted functionality, but it does not properly protect the channel. group: top10-insecure-design @@ -5888,6 +5948,7 @@ rules: categories: - ALL - boost-hardened + - owasp-top-10 description: The web application does not adequately enforce appropriate authorization on all restricted URLs, scripts, or files. group: top10-broken-access-control @@ -5898,6 +5959,7 @@ rules: categories: - ALL - boost-hardened + - owasp-top-10 description: The product searches for critical resources using an externally-supplied search path that can point to resources that are not under the product's direct control. @@ -5943,6 +6005,7 @@ rules: categories: - ALL - boost-hardened + - owasp-top-10 description: The wrong "handler" is assigned to process an object. group: top10-insecure-design name: CWE-430 @@ -6062,6 +6125,7 @@ rules: categories: - ALL - boost-hardened + - owasp-top-10 description: The product receives a request, message, or directive from an upstream component, but the product does not sufficiently preserve the original source of the request before forwarding the request to an external actor that is outside 
@@ -6076,6 +6140,7 @@ rules: categories: - ALL - boost-hardened + - owasp-top-10 description: The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that @@ -6152,6 +6217,7 @@ rules: categories: - ALL - boost-hardened + - owasp-top-10 description: The user interface (UI) does not properly represent critical information to the user, allowing the information - or its source - to be obscured or spoofed. This is often a component in phishing attacks. @@ -6347,6 +6413,7 @@ rules: categories: - ALL - boost-hardened + - owasp-top-10 description: The product does not properly protect an assumed-immutable element from being modified by an attacker. group: top10-injection @@ -6357,6 +6424,7 @@ rules: categories: - ALL - boost-hardened + - owasp-top-10 description: The web application does not sufficiently verify inputs that are assumed to be immutable but are actually externally controllable, such as hidden form fields. @@ -6399,6 +6467,7 @@ rules: categories: - ALL - boost-hardened + - cwe-top-25 description: A NULL pointer dereference occurs when the application dereferences a pointer that it expects to be valid, but is NULL, typically causing a crash or exit. @@ -6625,6 +6694,7 @@ rules: categories: - ALL - boost-hardened + - owasp-top-10 description: The product does not properly prevent sensitive system-level information from being accessed by unauthorized actors who do not have the same level of access to the underlying system as the product does. @@ -6691,6 +6761,7 @@ rules: categories: - ALL - boost-hardened + - owasp-top-10 description: The product mixes trusted and untrusted data in the same data structure or structured message. group: top10-insecure-design 
@@ -6837,6 +6908,7 @@ rules: categories: - ALL - boost-hardened + - owasp-top-10 description: Allowing a .NET application to run at potentially escalated levels of access to the underlying operating and file systems can be dangerous and result in various forms of attacks. @@ -6848,6 +6920,7 @@ rules: categories: - ALL - boost-hardened + - owasp-top-10 description: The product does not require that users should have strong passwords, which makes it easier for attackers to compromise user accounts. group: top10-id-authn-failures @@ -6873,6 +6946,7 @@ rules: categories: - ALL - boost-hardened + - owasp-top-10 description: Login pages do not use adequate measures to protect the user name and password while they are in transit from the client to the server. group: top10-crypto-failures @@ -6893,6 +6967,7 @@ rules: categories: - ALL - boost-hardened + - owasp-top-10 description: The web application does not use an appropriate caching policy that specifies the extent to which each web page and associated form fields should be cached. @@ -6904,6 +6979,7 @@ rules: categories: - ALL - boost-hardened + - owasp-top-10 description: The product uses an environment variable to store unencrypted sensitive information. group: top10-security-misconfiguration @@ -6983,6 +7059,7 @@ rules: categories: - ALL - boost-hardened + - owasp-top-10 description: Information written to log files can be of a sensitive nature and give valuable guidance to an attacker or expose sensitive user information. group: top10-security-logging-monitoring-failures @@ -7016,6 +7093,7 @@ rules: categories: - ALL - boost-hardened + - owasp-top-10 description: In many cases, an attacker can leverage the conditions that cause unhandled exception errors in order to gain unauthorized access to the system. group: top10-security-misconfiguration 
@@ -7026,6 +7104,7 @@ rules: categories: - ALL - boost-hardened + - owasp-top-10 description: The product places sensitive information into files or directories that are accessible to actors who are allowed to have access to the files, but not to the sensitive information. @@ -7038,6 +7117,7 @@ rules: categories: - ALL - boost-hardened + - owasp-top-10 description: The web application uses persistent cookies, but the cookies contain sensitive information. group: top10-insecure-design @@ -7060,6 +7140,7 @@ rules: categories: - ALL - boost-hardened + - owasp-top-10 description: Source code on a web server or repository often contains sensitive information and should generally not be accessible to users. group: top10-broken-access-control @@ -7070,6 +7151,7 @@ rules: categories: - ALL - boost-hardened + - owasp-top-10 description: If an include file source is accessible, the file can contain usernames and passwords, as well as sensitive information pertaining to the application and system. @@ -7113,6 +7195,7 @@ rules: categories: - ALL - boost-hardened + - owasp-top-10 description: The product uses hard-coded constants instead of symbolic names for security-critical values, which increases the likelihood of mistakes during code maintenance or security policy change. @@ -7124,6 +7207,7 @@ rules: categories: - ALL - boost-hardened + - owasp-top-10 description: A directory listing is inappropriately exposed, yielding potentially sensitive information to attackers. group: top10-broken-access-control @@ -7178,6 +7262,7 @@ rules: categories: - ALL - boost-hardened + - owasp-top-10 description: The product makes files or directories accessible to unauthorized actors, even though they should not be. group: top10-broken-access-control 
@@ -7290,6 +7375,7 @@ rules: categories: - ALL - boost-hardened + - owasp-top-10 description: Using Hibernate to execute a dynamic SQL statement built with user-controlled input can allow an attacker to modify the statement's meaning or to execute arbitrary SQL commands. @@ -7314,6 +7400,7 @@ rules: categories: - ALL - boost-hardened + - owasp-top-10 description: The product uses a database table that includes records that should not be accessible to an actor, but it executes a SQL statement with a primary key that can be controlled by that actor. @@ -7448,6 +7535,7 @@ rules: categories: - ALL - boost-hardened + - owasp-top-10 description: The product stores a non-serializable object as an HttpSession attribute, which can hurt reliability. group: top10-insecure-design @@ -7569,6 +7657,7 @@ rules: categories: - ALL - boost-hardened + - owasp-top-10 description: The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource. @@ -7643,6 +7732,7 @@ rules: categories: - ALL - boost-hardened + - owasp-top-10 description: The web application uses the HTTP GET method to process a request and includes sensitive information in the query string of that request. group: top10-insecure-design @@ -7696,6 +7786,7 @@ rules: categories: - ALL - boost-hardened + - owasp-top-10 description: The product is composed of a server that relies on the client to implement a mechanism that is intended to protect the server. group: top10-insecure-design @@ -7781,6 +7872,7 @@ rules: categories: - ALL - boost-hardened + - owasp-top-10 description: The product uses an externally controlled name or reference that resolves to a resource that is outside of the intended control sphere. group: top10-injection 
@@ -7819,6 +7911,7 @@ rules: categories: - ALL - boost-hardened + - owasp-top-10 description: According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization." @@ -7912,6 +8005,7 @@ rules: categories: - ALL - boost-hardened + - owasp-top-10 description: When setting a new password for a user, the product does not require knowledge of the original password, or using another form of authentication. group: top10-id-authn-failures @@ -8042,6 +8136,7 @@ rules: categories: - ALL - boost-hardened + - owasp-top-10 description: The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. @@ -8065,6 +8160,7 @@ rules: categories: - ALL - boost-hardened + - owasp-top-10 description: The product contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak. group: top10-id-authn-failures @@ -8086,6 +8182,7 @@ rules: categories: - ALL - boost-hardened + - owasp-top-10 description: The product stores security-critical state information about its users, or the product itself, in a location that is accessible to unauthorized actors. @@ -8097,6 +8194,7 @@ rules: categories: - ALL - boost-hardened + - owasp-top-10 description: The product uses external input to dynamically construct an XPath expression used to retrieve data from an XML database, but it does not neutralize or incorrectly neutralizes that input. This allows an attacker to control the @@ -8110,6 +8208,7 @@ rules: categories: - ALL - boost-hardened + - owasp-top-10 description: The product does not neutralize or incorrectly neutralizes web scripting syntax in HTTP headers that can be used by web browser components that can process raw headers, such as Flash. 
@@ -8133,6 +8232,7 @@ rules: categories: - ALL - boost-hardened + - owasp-top-10 description: The product allows a file to be uploaded, but it relies on the file name or extension of the file to determine the appropriate behaviors. This could be used by attackers to cause the file to be misclassified and processed in @@ -8192,6 +8292,7 @@ rules: categories: - ALL - boost-hardened + - owasp-top-10 description: The server contains a protection mechanism that assumes that any URI that is accessed using HTTP GET will not cause a state change to the associated resource. This might allow attackers to bypass intended access restrictions @@ -8205,6 +8306,7 @@ rules: categories: - ALL - boost-hardened + - owasp-top-10 description: The Web services architecture may require exposing a Web Service Definition Language (WSDL) file that contains information on the publicly accessible services and how callers of these services should interact with them (e.g. what @@ -8217,6 +8319,7 @@ rules: categories: - ALL - boost-hardened + - owasp-top-10 description: The product uses external input to dynamically construct an XQuery expression used to retrieve data from an XML database, but it does not neutralize or incorrectly neutralizes that input. This allows an attacker to control the @@ -8230,6 +8333,7 @@ rules: categories: - ALL - boost-hardened + - owasp-top-10 description: The product does not properly compartmentalize or isolate functionality, processes, or resources that require different privilege levels, rights, or permissions. @@ -8264,6 +8368,7 @@ rules: categories: - ALL - boost-hardened + - owasp-top-10 description: The product uses a protection mechanism whose strength depends heavily on its obscurity, such that knowledge of its algorithms or key data is sufficient to defeat the mechanism. 
@@ -8275,6 +8380,7 @@ rules: categories: - ALL - boost-hardened + - owasp-top-10 description: The product violates well-established principles for secure design. group: top10-insecure-design name: CWE-657 @@ -8360,6 +8466,7 @@ rules: categories: - ALL - boost-hardened + - owasp-top-10 description: The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource. group: top10-broken-access-control @@ -8774,6 +8881,7 @@ rules: categories: - ALL - boost-hardened + - owasp-top-10 description: The product allows user input to control or influence paths or file names that are used in filesystem operations. group: top10-insecure-design @@ -8835,6 +8943,7 @@ rules: categories: - ALL - boost-hardened + - owasp-top-10 description: The product does not adequately filter user-controlled input for special elements with control implications. group: top10-injection @@ -8867,6 +8976,7 @@ rules: categories: - ALL - boost-hardened + - owasp-top-10 description: The product does not return custom error pages to the user, possibly exposing sensitive information. group: top10-security-misconfiguration @@ -8877,6 +8987,7 @@ rules: categories: - ALL - boost-hardened + - owasp-top-10 description: A protocol or its implementation supports interaction between multiple actors and allows those actors to negotiate which algorithm should be used as a protection mechanism such as encryption or authentication, but it does not @@ -8902,6 +9013,7 @@ rules: categories: - ALL - boost-hardened + - owasp-top-10 description: The product uses a one-way cryptographic hash against an input that should not be reversible, such as a password, but the product does not also use a salt as part of the input. 
@@ -8923,6 +9035,7 @@ rules: categories: - ALL - boost-hardened + - owasp-top-10 description: The product uses a one-way cryptographic hash against an input that should not be reversible, such as a password, but the product uses a predictable salt as part of the input. @@ -9101,6 +9214,7 @@ rules: categories: - ALL - boost-hardened + - owasp-top-10 description: The product uses XML documents and allows their structure to be defined with a Document Type Definition (DTD), but it does not properly control the number of recursive definitions of entities. @@ -9165,6 +9279,7 @@ rules: categories: - ALL - boost-hardened + - owasp-top-10 description: The product uses the RSA algorithm but does not incorporate Optimal Asymmetric Encryption Padding (OAEP), which might weaken the encryption. group: top10-crypto-failures @@ -9206,6 +9321,7 @@ rules: categories: - ALL - boost-hardened + - owasp-top-10 description: The product uses a protection mechanism that relies on the existence or values of a cookie, but it does not properly ensure that the cookie is valid for the associated user. @@ -9240,6 +9356,7 @@ rules: categories: - ALL - boost-hardened + - cwe-top-25 description: The product writes data past the end, or before the beginning, of the intended buffer. group: top10-insecure-design @@ -9394,6 +9511,7 @@ rules: categories: - ALL - boost-hardened + - owasp-top-10 description: The product does not properly limit the number or frequency of interactions that it has with an actor, such as the number of incoming requests. group: top10-insecure-design @@ -9416,6 +9534,7 @@ rules: categories: - ALL - boost-hardened + - owasp-top-10 description: The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as "<", ">", and "&" that could be interpreted as web-scripting elements when they are sent 
@@ -9461,6 +9580,7 @@ rules: categories: - ALL - boost-hardened + - owasp-top-10 description: The product uses a protection mechanism that relies on the existence or values of an input, but the input can be modified by an untrusted actor in a way that bypasses the protection mechanism. @@ -9588,6 +9708,7 @@ rules: categories: - ALL - boost-hardened + - owasp-top-10 description: The product imports, requires, or includes executable functionality (such as a library) from a source that is outside of the intended control sphere. group: top10-software-data-integrity-failures @@ -9598,6 +9719,7 @@ rules: categories: - ALL - boost-hardened + - owasp-top-10 description: The product does not neutralize or incorrectly neutralizes "javascript:" or other URIs from dangerous attributes within tags, such as onmouseover, onload, onerror, or style. @@ -9610,6 +9732,7 @@ rules: categories: - ALL - boost-hardened + - owasp-top-10 description: The product includes web functionality (such as a web widget) from another domain, which causes it to operate within the domain of the product, potentially granting total access and control of the product to the untrusted @@ -9726,6 +9849,7 @@ rules: categories: - ALL - boost-hardened + - owasp-top-10 description: The product supports a session in which more than one behavior must be performed by an actor, but it does not properly ensure that the actor performs the behaviors in the required sequence. @@ -9793,6 +9917,7 @@ rules: categories: - ALL - boost-hardened + - owasp-top-10 description: The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions. @@ -9804,6 +9929,7 @@ rules: categories: - ALL - boost-hardened + - owasp-top-10 description: The product does not neutralize or incorrectly neutralizes user-controlled input for alternate script syntax. group: top10-injection 
@@ -9814,6 +9940,7 @@ rules: categories: - ALL - boost-hardened + - owasp-top-10 description: The product constructs a string for a command to be executed by a separate component in another control sphere, but it does not properly delimit the intended arguments, options, or switches within that command string. @@ -9889,6 +10016,7 @@ rules: categories: - ALL - boost-hardened + - owasp-top-10 description: The product does not properly neutralize special elements that are used in XML, allowing attackers to modify the syntax, content, or commands of the XML before it is processed by an end system. @@ -9968,6 +10096,7 @@ rules: categories: - ALL - boost-hardened + - owasp-top-10 description: The product generates a hash for a password, but it uses a scheme that does not provide a sufficient level of computational effort that would make password cracking attacks infeasible or expensive. @@ -9979,6 +10108,7 @@ rules: categories: - ALL - boost-hardened + - owasp-top-10 description: The product constructs all or part of an expression language (EL) statement in a framework such as a Java Server Page (JSP) using externally-influenced input from an upstream component, but it does not neutralize or incorrectly @@ -10008,10 +10138,8 @@ rules: CWE-919: categories: - ALL - - cwe-top-25 - boost-baseline - boost-hardened - - owasp-top-10 group: top10-insecure-design name: CWE-919 pretty_name: CWE-919 - Weaknesses in Mobile Applications @@ -10044,6 +10172,7 @@ rules: categories: - ALL - boost-hardened + - owasp-top-10 description: The product stores sensitive information without properly limiting read or write access by unauthorized actors. group: top10-broken-access-control @@ -10100,6 +10229,7 @@ rules: categories: - ALL - boost-hardened + - owasp-top-10 description: The Android application uses an implicit intent for transmitting sensitive data to other applications. group: top10-insecure-design 
@@ -10110,6 +10240,7 @@ rules: categories: - ALL - boost-hardened + - owasp-top-10 description: The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs. @@ -10148,6 +10279,7 @@ rules: categories: - ALL - boost-hardened + - owasp-top-10 description: The product establishes a communication channel to handle an incoming request that has been initiated by an actor, but it does not properly verify that the request is coming from the expected origin. @@ -10170,6 +10302,7 @@ rules: categories: - ALL - boost-hardened + - owasp-top-10 description: The product uses a cross-domain policy file that includes domains that should not be trusted. group: top10-security-misconfiguration @@ -10227,6 +10360,7 @@ rules: categories: - ALL - boost-hardened + - owasp-top-10 description: The product generates a web page, but does not neutralize or incorrectly neutralizes user-controllable input that could be interpreted as a server-side include (SSI) directive. @@ -10239,6 +10373,7 @@ rules: categories: - ALL - boost-hardened + - owasp-top-10 description: The PHP application receives input from an upstream component, but it does not restrict or incorrectly restricts the input before its usage in "require," "include," or similar functions. @@ -10251,6 +10386,7 @@ rules: categories: - ALL - boost-hardened + - owasp-top-10 description: The product receives input from an upstream component, but it does not restrict or incorrectly restricts the input before it is used as an identifier for a resource that may be outside the intended sphere of control. 
@@ -10258,13 +10394,3 @@ rules: name: CWE-99 pretty_name: 'CWE-99: Improper Control of Resource Identifiers (''Resource Injection'')' ref: https://cwe.mitre.org/data/definitions/99.html -default: - CWE-UNKNOWN: - categories: - - ALL - - boost-hardened - group: top10-insecure-design - name: CWE-UNKNOWN - pretty_name: CWE-UNKNOWN - Original rule did not map to a known CWE rule - description: The original rule could not be map to a CWE rule - ref: https://cwe.mitre.org/data/index.html diff --git a/scanners/boostsecurityio/gosec/rules.yaml b/scanners/boostsecurityio/gosec/rules.yaml index 1cb3406e..5e52ae79 100644 --- a/scanners/boostsecurityio/gosec/rules.yaml +++ b/scanners/boostsecurityio/gosec/rules.yaml @@ -138,7 +138,7 @@ rules: - boost-hardened group: top10-insecure-design name: G602 - pretty_name: "G602: Slice access out of bounds" + pretty_name: 'G602: Slice access out of bounds' description: The software does not restrict or incorrectly restricts operations within the boundaries of a resource that is accessed using an index or pointer. ref: https://cwe.mitre.org/data/definitions/118.html @@ -246,7 +246,6 @@ rules: categories: - ALL - cwe-295 - - cwe-top-25 - owasp-top-10 - boost-baseline - boost-hardened @@ -262,6 +261,7 @@ rules: - cwe-310 - boost-baseline - boost-hardened + - owasp-top-10 group: top10-crypto-failures name: G403 pretty_name: 'G403: Ensure minimum RSA key length of 2048 bits' diff --git a/server-side-scanners/boostsecurityio/checkmarx-provider/rules.yaml b/server-side-scanners/boostsecurityio/checkmarx-provider/rules.yaml index c5d98a5e..487f38ef 100644 --- a/server-side-scanners/boostsecurityio/checkmarx-provider/rules.yaml +++ b/server-side-scanners/boostsecurityio/checkmarx-provider/rules.yaml 
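Review bot: Dropping the `default: CWE-UNKNOWN` entry at the end of the mitre-cwe rules file removes the only fallback for scanner findings whose rule cannot be mapped to a CWE, and the same block is removed again at the head of the checkmarx-provider file in the next hunk. If the loader that consumes these files relies on `default` to tag unmapped findings (that code is not visible here), such findings would now either be rejected or silently lose their `ALL`/`boost-hardened` membership, which is the opposite of fail-safe for a security ruleset. Either confirm that every consumer tolerates a missing `default`, or keep one fallback entry so an unknown rule still surfaces under `ALL` with the visible `CWE-UNKNOWN` name.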
@@ -1,13 +1,3 @@ -default: - CWE-UNKNOWN: - categories: - - ALL - - boost-hardened - description: the original rule did not map to a known CWE rule - group: top10-insecure-design - name: CWE-UNKNOWN - pretty_name: CWE-UNKNOWN - Original rule did not map to a known CWE rule - ref: https://checkmarx.com/resource/documents/en/34965-46525-audit-guide.html rules: 0008c003-79aa-42d8-95b8-1c2fe37dbfe6: categories: @@ -12113,7 +12103,6 @@ rules: - boost-baseline - ALL - checkmarx-best-coding-practices - - owasp-top-10 description: Points out the situation where a method adorned with AllowPartiallyTrustedCallersAttribute (APTCA) invokes a method without APTCA, thereby exposing potential elevation of privileges threats. @@ -12142,7 +12131,6 @@ rules: ASP_Best_Coding_Practice_Empty_Catch: categories: - cwe-390 - - owasp-top-10 - checkmarx-best-coding-practices - boost-baseline - ALL @@ -12187,7 +12175,6 @@ rules: ASP_Best_Coding_Practice_Just_One_of_Equals_and_Hash_code_Defined: categories: - ALL - - owasp-top-10 - checkmarx-best-coding-practices - boost-baseline - cwe-581 @@ -12200,7 +12187,6 @@ rules: ASP_Best_Coding_Practice_Missing_XML_Validation: categories: - cwe-112 - - owasp-top-10 - checkmarx-best-coding-practices - boost-baseline - ALL @@ -12216,7 +12202,6 @@ rules: - boost-baseline - ALL - checkmarx-best-coding-practices - - owasp-top-10 description: Passing a null argument to the Equals method, which could potentially lead to a NullReferenceException at runtime. group: top10-insecure-design @@ -12226,7 +12211,6 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html ASP_Best_Coding_Practice_Pages_Without_Global_Error_Handler: categories: - - owasp-top-10 - cwe-544 - checkmarx-best-coding-practices - boost-baseline 
@@ -12244,7 +12228,6 @@ rules: - boost-baseline - ALL - checkmarx-best-coding-practices - - owasp-top-10 description: When PersistSecurityInfo is set to True in a connection string, sensitive information like passwords persist in memory, exposing it to potential security breaches. @@ -12256,7 +12239,6 @@ rules: ASP_Best_Coding_Practice_Sockets_in_WebApp: categories: - boost-baseline - - owasp-top-10 - checkmarx-best-coding-practices - cwe-246 - ALL @@ -12270,7 +12252,6 @@ rules: ASP_Best_Coding_Practice_Threads_in_WebApp: categories: - ALL - - owasp-top-10 - checkmarx-best-coding-practices - boost-baseline - cwe-383 @@ -12286,7 +12267,6 @@ rules: - boost-baseline - ALL - checkmarx-best-coding-practices - - owasp-top-10 description: Unclosed system resources (such as connections, files, or other types of system resources) lead to resource leakage, resulting in possible performance degradation or application crashes. @@ -12300,7 +12280,6 @@ rules: - boost-baseline - ALL - checkmarx-best-coding-practices - - owasp-top-10 description: Public methods' arguments are not validated, opening potential threats of insecure data handling, injection attacks, or unintended behavior. group: top10-insecure-design @@ -12313,7 +12292,6 @@ rules: - boost-baseline - ALL - checkmarx-best-coding-practices - - owasp-top-10 description: Direct interaction with the System output stream can potentially expose sensitive information or critical system details, increasing vulnerability to potential security breaches. @@ -12327,7 +12305,6 @@ rules: - boost-baseline - ALL - checkmarx-best-coding-practices - - owasp-top-10 description: Fields of a class are excessively visible, leading to potential encapsulation violations or unintended state changes. Fields should be private or protected and accessed via properties or methods to maintain proper encapsulation. 
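Review bot: The `- owasp-top-10` removal in the PersistSecurityInfo hunk (`@@ -12244,7 +12228,6 @@`) detags a rule whose description is plainly a cleartext-credential weakness of the kind the OWASP list covers, and the removal looks mechanical: presumably the normalization script strips the category from any rule that carries no `cwe-*` entry found in the updated list, regardless of the rule's group or description. The same pattern detags the Force.com cookie-scoping rule (`@@ -13597,7 +13550,6 @@`), the `inputText` field-level-security rule (`@@ -13814,7 +13765,6 @@`), and three rules in the later low-visibility hunks: the unescaped Visualforce merge-field XSS rule, the exposed-secrets rule and the missing-frame-options clickjacking rule, whose weaknesses (CWE-79, CWE-1021 among them) are in the updated list. The fix belongs in the data rather than the script: add the matching category to those rules, e.g. `- cwe-79` on the merge-field rule and `- cwe-1021` on the frame-options rule, so the script re-tags them, or review these removals by hand before merging.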
@@ -12657,7 +12634,6 @@ rules: categories: - cwe-171 - checkmarx-low-visibility - - owasp-top-10 - boost-baseline - ALL description: Improper handling of data within protection mechanisms that attempt @@ -12687,6 +12663,7 @@ rules: - ALL - cwe-547 - checkmarx-low-visibility + - owasp-top-10 description: The product uses hard-coded constants instead of symbolic names for security-critical values, which increases the likelihood of mistakes during code maintenance or security policy change. @@ -12701,6 +12678,7 @@ rules: - ALL - checkmarx-low-visibility - cwe-520 + - owasp-top-10 description: Allowing a .NET application to run at potentially escalated levels of access to the underlying operating and file systems can be dangerous and result in various forms of attacks. @@ -12713,7 +12691,6 @@ rules: categories: - cwe-248 - checkmarx-low-visibility - - owasp-top-10 - boost-baseline - ALL description: An exception is thrown from a function, but it is not caught. @@ -12726,7 +12703,6 @@ rules: categories: - cwe-404 - checkmarx-low-visibility - - owasp-top-10 - boost-baseline - ALL description: The product does not release or incorrectly releases a resource before @@ -12754,7 +12730,6 @@ rules: categories: - cwe-460 - checkmarx-low-visibility - - owasp-top-10 - boost-baseline - ALL description: The product does not clean up its state or incorrectly cleans up @@ -12841,7 +12816,6 @@ rules: ASP_Low_Visibility_Leaving_Temporary_Files: categories: - checkmarx-low-visibility - - owasp-top-10 - boost-baseline - ALL - cwe-376 @@ -12857,6 +12831,7 @@ rules: - ALL - cwe-117 - checkmarx-low-visibility + - owasp-top-10 description: The product does not neutralize or incorrectly neutralizes output that is written to logs. group: top10-security-logging-monitoring-failures @@ -12899,7 +12874,6 @@ rules: categories: - cwe-615 - checkmarx-low-visibility - - owasp-top-10 - boost-baseline - ALL description: 'While adding general comments is very useful, some programmers tend 
@@ -12945,7 +12919,6 @@ rules: categories: - cwe-567 - checkmarx-low-visibility - - owasp-top-10 - boost-baseline - ALL description: The product does not properly synchronize shared data, such as static @@ -12974,7 +12947,6 @@ rules: categories: - cwe-647 - checkmarx-low-visibility - - owasp-top-10 - boost-baseline - ALL description: The product defines policy namespaces and makes authorization decisions @@ -13048,7 +13020,6 @@ rules: ASP_Medium_Threat_DoS_by_Sleep: categories: - checkmarx-medium-threat - - owasp-top-10 - boost-baseline - ALL description: The product performs an iteration or loop without sufficiently limiting @@ -13077,7 +13048,6 @@ rules: categories: - checkmarx-medium-threat - cwe-667 - - owasp-top-10 - boost-baseline - ALL description: The product does not properly acquire or release a lock on a resource, @@ -13190,7 +13160,6 @@ rules: categories: - cwe-404 - checkmarx-medium-threat - - owasp-top-10 - boost-baseline - ALL description: The product does not release or incorrectly releases a resource before @@ -13204,7 +13173,6 @@ rules: categories: - checkmarx-medium-threat - cwe-618 - - owasp-top-10 - boost-baseline - ALL description: An ActiveX control is intended for use in a web browser, but it exposes @@ -13234,7 +13202,6 @@ rules: - boost-baseline - ALL - checkmarx-force-com-code-quality - - owasp-top-10 description: Async future methods are executed inside loops, which may lead to governor limit exceptions due to an excessive number of future calls in Salesforce's Apex code. @@ -13248,7 +13215,6 @@ rules: - boost-baseline - ALL - checkmarx-force-com-code-quality - - owasp-top-10 description: Apex methods are not utilizing collections (lists, sets, or maps) to process bulk data, which can result in inefficient SOQL queries, negatively impacting the code performance in Salesforce. 
@@ -13262,7 +13228,6 @@ rules: - boost-baseline - ALL - checkmarx-force-com-code-quality - - owasp-top-10 description: In an Apex Salesforce.com codebase, DML operations are present inside loop constructs, which may cause exceeding the governor limit, leading to inefficient code execution. @@ -13276,7 +13241,6 @@ rules: - boost-baseline - ALL - checkmarx-force-com-code-quality - - owasp-top-10 description: Uncertified HTTP callouts are used in Apex code, which can expose sensitive business data and lead to insecure interactions with third-party services. group: top10-insecure-design @@ -13290,6 +13254,7 @@ rules: - ALL - cwe-547 - checkmarx-force-com-code-quality + - owasp-top-10 description: The product uses hard-coded constants instead of symbolic names for security-critical values, which increases the likelihood of mistakes during code maintenance or security policy change. @@ -13303,7 +13268,6 @@ rules: - boost-baseline - ALL - checkmarx-force-com-code-quality - - owasp-top-10 description: Salesforce object IDs are hardcoded in the Apex source code, risking loss of data access or integrity when records or objects are changed, removed, or migrated to other Salesforce instances. @@ -13317,7 +13281,6 @@ rules: - boost-baseline - ALL - checkmarx-force-com-code-quality - - owasp-top-10 description: The code contains hardcoded references to Trigger.new, which limits its reusability and adaptability, making it less maintainable and potentially problematic if changes in data structure occur. @@ -13331,7 +13294,6 @@ rules: - boost-baseline - ALL - checkmarx-force-com-code-quality - - owasp-top-10 description: Direct references to Trigger.old in Apex Code may lead to unexpected behavior or errors during updates and deletions, as this means hardcoding values destined to change with every transaction. 
@@ -13345,7 +13307,6 @@ rules: - boost-baseline - ALL - checkmarx-force-com-code-quality - - owasp-top-10 description: The rule identifies instances of hardcoded references to static resources within Apex code, which can result in maintenance issues and reduce the code's ability to adapt to changes. @@ -13359,7 +13320,6 @@ rules: - boost-baseline - ALL - checkmarx-force-com-code-quality - - owasp-top-10 description: Visualforce pages contain multiple forms, which may lead to conflicting actions or unintuitive user experiences due to mishandled form submissions or redundant code. @@ -13373,7 +13333,6 @@ rules: - boost-baseline - ALL - checkmarx-force-com-code-quality - - owasp-top-10 description: Multiple triggers are defined on the same 'sObject' in Apex code, possibly leading to unpredictable execution order and potential recursive behavior issues. @@ -13387,7 +13346,6 @@ rules: - boost-baseline - ALL - checkmarx-force-com-code-quality - - owasp-top-10 description: Salesforce Apex queries or SOQL statements lack 'WHERE' or 'LIMIT' clauses, potentially causing data overload and performance issues. group: top10-insecure-design @@ -13400,7 +13358,6 @@ rules: - boost-baseline - ALL - checkmarx-force-com-code-quality - - owasp-top-10 description: Highlights instances of SOSL/SOQL queries placed inside loops which may result in governor limit exceptions in Apex Force.com code. group: top10-insecure-design @@ -13413,7 +13370,6 @@ rules: - boost-baseline - ALL - checkmarx-force-com-code-quality - - owasp-top-10 description: Unit test assertions in Apex code lack custom error messages, reducing the ability to express specific failure conditions for better test maintainability and readability. 
@@ -13427,7 +13383,6 @@ rules: - boost-baseline - ALL - checkmarx-force-com-code-quality - - owasp-top-10 description: An Apex test method lacks 'System.assert()', 'System.assertEquals()' or 'System.assertNotEquals()' calls, which may inhibit proper validation of the code's functionality. @@ -13439,7 +13394,6 @@ rules: Apex_Force_com_Code_Quality_Unused_Variable: categories: - checkmarx-force-com-code-quality - - owasp-top-10 - cwe-563 - boost-baseline - ALL @@ -13455,7 +13409,6 @@ rules: - boost-baseline - ALL - checkmarx-force-com-code-quality - - owasp-top-10 description: Identifies use of the Salesforce AJAX Toolkit within Apex code, which is deprecated and can lead to functionality issues in Salesforce apps. group: top10-insecure-design @@ -13597,7 +13550,6 @@ rules: - boost-baseline - ALL - checkmarx-force-com-serious-risk - - owasp-top-10 description: Cookies are not properly scoped, leaving sensitive user data susceptible to potential theft or manipulation via cross-site scripting (XSS) or cross-site request forgery (CSRF) attacks. @@ -13610,7 +13562,6 @@ rules: categories: - cwe-243 - checkmarx-force-com-serious-risk - - owasp-top-10 - boost-baseline - ALL description: The product uses the chroot() system call to create a jail, but does @@ -13626,7 +13577,6 @@ rules: - boost-baseline - ALL - checkmarx-force-com-serious-risk - - owasp-top-10 description: Accesses a field by dereferencing a potentially null pointer, exposing an Apex Force.com application to serious security risks including null dereference exceptions or unintended behavior. @@ -13742,6 +13692,7 @@ rules: - cwe-614 - checkmarx-force-com-serious-risk - ALL + - owasp-top-10 description: The Secure attribute for sensitive cookies in HTTPS sessions is not set, which could cause the user agent to send those cookies in plaintext over an HTTP session. 
@@ -13814,7 +13765,6 @@ rules: - boost-baseline - ALL - checkmarx-force-com-serious-risk - - owasp-top-10 description: The 'inputText' function in Apex ignores Field-Level Security settings (FLS), which can result in unauthorized data access or modification on Salesforce's Force.com platform. @@ -13827,7 +13777,6 @@ rules: categories: - boost-baseline - ALL - - owasp-top-10 - checkmarx-isv-quality-rules description: The reRender frequency for actionPoller in Apex is set too high, potentially causing performance issues due to excessive server load. @@ -13840,7 +13789,6 @@ rules: categories: - boost-baseline - ALL - - owasp-top-10 - checkmarx-isv-quality-rules description: Visualforce components utilize the Ajax Toolkit, instead of standard Visualforce Ajax or Apex, potentially resulting in performance degradation or @@ -13854,7 +13802,6 @@ rules: categories: - boost-baseline - ALL - - owasp-top-10 - checkmarx-isv-quality-rules description: Batch Apex is present in the codebase, which may lead to performance issues when processing large data volumes. @@ -13867,7 +13814,6 @@ rules: categories: - boost-baseline - ALL - - owasp-top-10 - checkmarx-isv-quality-rules description: Outbound calls are made within a Batch Apex, which may cause scalability issues due to governor limits on Salesforce's outbound HTTP callouts. @@ -13880,7 +13826,6 @@ rules: categories: - boost-baseline - ALL - - owasp-top-10 - checkmarx-isv-quality-rules description: The Database DML operation in Apex code has the 'DmlOptions' parameter set to 'false', neglecting potential record locking contention considerations @@ -13894,7 +13839,6 @@ rules: categories: - boost-baseline - ALL - - owasp-top-10 - checkmarx-isv-quality-rules description: Catches exceptions without handling them, leading to potential unaddressed errors and application instability. 
@@ -13907,7 +13851,6 @@ rules: categories: - boost-baseline - ALL - - owasp-top-10 - checkmarx-isv-quality-rules description: An 'if' statement in the Apex code does not contain any executable statements, making it redundant and possibly indicative of incomplete or incorrect @@ -13921,7 +13864,6 @@ rules: categories: - boost-baseline - ALL - - owasp-top-10 - checkmarx-isv-quality-rules description: The code contains methods that are empty or lack substantive content, which might be unintentional leftovers from incomplete development or refactoring @@ -13935,7 +13877,6 @@ rules: categories: - boost-baseline - ALL - - owasp-top-10 - checkmarx-isv-quality-rules description: A 'while' statement in the APEX code has an empty body, causing an infinite loop that can result in script execution and performance problems. @@ -13948,7 +13889,6 @@ rules: categories: - boost-baseline - ALL - - owasp-top-10 - checkmarx-isv-quality-rules description: Exposed test data in Apex classes may lead to leakage of sensitive information, violating the Salesforce ISV (Independent Software Vendor) best @@ -13962,7 +13902,6 @@ rules: categories: - boost-baseline - ALL - - owasp-top-10 - checkmarx-isv-quality-rules description: The Apex code contains @future annotation, possibly adding complexity to transaction control flow and leading to unexpected order of execution. @@ -13975,7 +13914,6 @@ rules: categories: - boost-baseline - ALL - - owasp-top-10 - checkmarx-isv-quality-rules description: The Salesforce Apex code under examination employs an outdated API version, which may result in deprecated or unavailable functionality and suboptimal @@ -13989,7 +13927,6 @@ rules: categories: - boost-baseline - ALL - - owasp-top-10 - checkmarx-isv-quality-rules description: Apex code to send outbound emails is employed, which may lead to uncontrolled distribution of sensitive data or exhaustion of email sending limits. 
@@ -14002,7 +13939,6 @@ rules: categories: - boost-baseline - ALL - - owasp-top-10 - checkmarx-isv-quality-rules description: Apex reports without assigned filters can return an excessively broad data set, potentially causing performance issues or disclosing sensitive information. @@ -14015,7 +13951,6 @@ rules: categories: - boost-baseline - ALL - - owasp-top-10 - checkmarx-isv-quality-rules description: The SOQL query uses a dynamic 'null' in its WHERE clause, which may lead to inconsistent results or potential vulnerabilities in Apex code. @@ -14028,7 +13963,6 @@ rules: categories: - boost-baseline - ALL - - owasp-top-10 - checkmarx-isv-quality-rules description: In Salesforce Apex code, a SOQL query uses a formula field within the WHERE clause, causing unpredictable behavior and potential performance issues @@ -14042,7 +13976,6 @@ rules: categories: - checkmarx-isv-quality-rules - cwe-1067 - - owasp-top-10 - boost-baseline - ALL description: The product contains a data query against an SQL table or view that @@ -14057,7 +13990,6 @@ rules: categories: - checkmarx-isv-quality-rules - cwe-1067 - - owasp-top-10 - boost-baseline - ALL description: The product contains a data query against an SQL table or view that @@ -14071,7 +14003,6 @@ rules: Apex_ISV_Quality_Rules_SOQL_With_All_Fields: categories: - checkmarx-isv-quality-rules - - owasp-top-10 - cwe-400 - boost-baseline - ALL @@ -14087,7 +14018,6 @@ rules: Apex_ISV_Quality_Rules_SOQL_with_All_Fields_in_Loop: categories: - checkmarx-isv-quality-rules - - owasp-top-10 - cwe-400 - boost-baseline - ALL @@ -14104,7 +14034,6 @@ rules: categories: - boost-baseline - ALL - - owasp-top-10 - checkmarx-isv-quality-rules description: The SOSL (Salesforce Object Search Language) query includes a WHERE clause, which can lead to performance issues due to query inefficiency. 
@@ -14117,7 +14046,6 @@ rules: categories: - boost-baseline - ALL - - owasp-top-10 - checkmarx-isv-quality-rules description: Alerts developers when ViewState usage in Salesforce's Apex code surpasses the size limit, helping to avoid performance issues and exceptions @@ -14131,7 +14059,6 @@ rules: categories: - boost-baseline - ALL - - owasp-top-10 - checkmarx-isv-quality-rules description: Workflow rules in Apex cause automatic email transmission, which could disrupt service through excessive messaging, violate data privacy regulations @@ -14146,7 +14073,6 @@ rules: - boost-baseline - ALL - checkmarx-low-visibility - - owasp-top-10 description: The Visualforce markup includes an unescaped merge field, "&{!...}", which could make the application vulnerable to Cross-Site Scripting (XSS) attacks due to rendering of untrusted data as real HTML content. @@ -14189,7 +14115,6 @@ rules: - boost-baseline - ALL - checkmarx-low-visibility - - owasp-top-10 description: Sensitive data, such as passwords, are exposed in Salesforce Apex code due to being hard-coded, log-printed, or misused in a publicly visible or easily accessible manner. @@ -14203,7 +14128,6 @@ rules: - boost-baseline - ALL - checkmarx-low-visibility - - owasp-top-10 description: Apex code lacks frame options in HTTP response headers, making it prone to clickjacking attacks via potential frame injection. group: top10-injection @@ -14290,7 +14214,6 @@ rules: categories: - cwe-118 - checkmarx-secure-coding-guide - - owasp-top-10 - boost-baseline - ALL description: The product does not restrict or incorrectly restricts operations @@ -14305,7 +14228,6 @@ rules: categories: - cwe-118 - checkmarx-secure-coding-guide - - owasp-top-10 - boost-baseline - ALL description: The product does not restrict or incorrectly restricts operations @@ -14320,7 +14242,6 @@ rules: categories: - boost-hardened - checkmarx-secure-coding-guide - - owasp-top-10 - boost-baseline - ALL - cwe-788 
@@ -14365,7 +14286,6 @@ rules: categories: - cwe-252 - checkmarx-secure-coding-guide - - owasp-top-10 - boost-baseline - ALL description: The product does not check the return value from a method or function, @@ -14380,7 +14300,6 @@ rules: - boost-hardened - cwe-134 - checkmarx-secure-coding-guide - - owasp-top-10 - boost-baseline - ALL description: The product uses a function that accepts a format string as an argument, @@ -14425,7 +14344,6 @@ rules: - boost-hardened - cwe-190 - checkmarx-secure-coding-guide - - owasp-top-10 - boost-baseline - ALL - cwe-top-25 @@ -14441,7 +14359,6 @@ rules: Apple_Secure_Coding_Guide_UDP_Protocol_Used: categories: - checkmarx-secure-coding-guide - - owasp-top-10 - cwe-398 - boost-baseline - ALL @@ -14471,7 +14388,6 @@ rules: categories: - cwe-252 - checkmarx-secure-coding-guide - - owasp-top-10 - boost-baseline - ALL description: The product does not check the return value from a method or function, @@ -14484,7 +14400,6 @@ rules: Apple_Secure_Coding_Guide_Unscrubbed_Secret: categories: - checkmarx-secure-coding-guide - - owasp-top-10 - cwe-226 - boost-baseline - ALL @@ -14516,7 +14431,6 @@ rules: CPP_Best_Coding_Practice_Buffer_Size_Literal: categories: - cwe-118 - - owasp-top-10 - checkmarx-best-coding-practices - boost-baseline - ALL @@ -14531,7 +14445,6 @@ rules: CPP_Best_Coding_Practice_Buffer_Size_Literal_Condition: categories: - cwe-118 - - owasp-top-10 - checkmarx-best-coding-practices - boost-baseline - ALL @@ -14545,7 +14458,6 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_Best_Coding_Practice_Buffer_Size_Literal_Overflow: categories: - - owasp-top-10 - checkmarx-best-coding-practices - boost-baseline - ALL @@ -14560,7 +14472,6 @@ rules: CPP_Best_Coding_Practice_Dead_Code: categories: - cwe-561 - - owasp-top-10 - checkmarx-best-coding-practices - boost-baseline - ALL 
@@ -14573,7 +14484,6 @@ rules: CPP_Best_Coding_Practice_Declaration_Of_Catch_For_Generic_Exception: categories: - cwe-396 - - owasp-top-10 - checkmarx-best-coding-practices - boost-baseline - ALL
@@ -14587,7 +14497,6 @@ rules: CPP_Best_Coding_Practice_Detection_of_Error_Condition_Without_Action: categories: - cwe-390 - - owasp-top-10 - checkmarx-best-coding-practices - boost-baseline - ALL
@@ -14600,7 +14509,6 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_Best_Coding_Practice_Empty_Methods: categories: - - owasp-top-10 - cwe-398 - checkmarx-best-coding-practices - boost-baseline
@@ -14613,7 +14521,6 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_Best_Coding_Practice_Exposure_of_Resource_to_Wrong_Sphere: categories: - - owasp-top-10 - cwe-493 - checkmarx-best-coding-practices - boost-baseline
@@ -14627,7 +14534,6 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_Best_Coding_Practice_GOTO_Statement: categories: - - owasp-top-10 - checkmarx-best-coding-practices - boost-baseline - ALL
@@ -14663,7 +14569,6 @@ rules: - boost-baseline - ALL - checkmarx-best-coding-practices - - owasp-top-10 description: Numeric constants (known as 'magic numbers') are used directly in the source code, making it hard to maintain and understand. Such numbers should be replaced with named constants.
@@ -14674,7 +14579,6 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_Best_Coding_Practice_Methods_Without_ReturnType: categories: - - owasp-top-10 - checkmarx-best-coding-practices - boost-baseline - ALL
@@ -14690,7 +14594,6 @@ rules: - boost-baseline - ALL - checkmarx-best-coding-practices - - owasp-top-10 description: A static constructor in C++ isn't private, which could potentially allow unintended class instantiation and alteration of class states. group: top10-insecure-design
@@ -14715,7 +14618,6 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_Best_Coding_Practice_Unused_Variable: categories: - - owasp-top-10 - cwe-563 - checkmarx-best-coding-practices - boost-baseline
@@ -14732,7 +14634,6 @@ rules: - boost-baseline - ALL - checkmarx-best-coding-practices - - owasp-top-10 description: Public methods in C++ code neglect to validate arguments before use, increasing the risk of unauthorized data access and manipulation. group: top10-insecure-design
@@ -14745,7 +14646,6 @@ rules: - checkmarx-buffer-overflow - cwe-129 - boost-hardened - - owasp-top-10 - boost-baseline - ALL description: The product uses untrusted input when calculating or using an array
@@ -14760,7 +14660,6 @@ rules: categories: - checkmarx-buffer-overflow - cwe-562 - - owasp-top-10 - boost-baseline - ALL description: A function returns the address of a stack variable, which will cause
@@ -14775,7 +14674,6 @@ rules: - ALL - boost-hardened - checkmarx-buffer-overflow - - owasp-top-10 - boost-baseline - cwe-787 - cwe-top-25
@@ -14790,7 +14688,6 @@ rules: categories: - checkmarx-buffer-overflow - boost-hardened - - owasp-top-10 - cwe-120 - boost-baseline - ALL
@@ -14806,7 +14703,6 @@ rules: categories: - checkmarx-buffer-overflow - boost-hardened - - owasp-top-10 - cwe-120 - boost-baseline - ALL
@@ -14822,7 +14718,6 @@ rules: categories: - checkmarx-buffer-overflow - cwe-193 - - owasp-top-10 - boost-baseline - ALL description: A product calculates or uses an incorrect maximum or minimum value
@@ -14836,7 +14731,6 @@ rules: categories: - checkmarx-buffer-overflow - cwe-193 - - owasp-top-10 - boost-baseline - ALL description: A product calculates or uses an incorrect maximum or minimum value
@@ -14850,7 +14744,6 @@ rules: categories: - checkmarx-buffer-overflow - boost-hardened - - owasp-top-10 - cwe-120 - boost-baseline - ALL
@@ -14866,7 +14759,6 @@ rules: categories: - checkmarx-buffer-overflow - boost-hardened - - owasp-top-10 - cwe-120 - boost-baseline - ALL
@@ -14882,7 +14774,6 @@ rules: categories: - checkmarx-buffer-overflow - boost-hardened - - owasp-top-10 - cwe-120 - boost-baseline - ALL
@@ -14898,7 +14789,6 @@ rules: categories: - checkmarx-buffer-overflow - boost-hardened - - owasp-top-10 - cwe-120 - boost-baseline - ALL
@@ -14914,7 +14804,6 @@ rules: categories: - checkmarx-buffer-overflow - boost-hardened - - owasp-top-10 - cwe-120 - boost-baseline - ALL
@@ -14930,7 +14819,6 @@ rules: categories: - checkmarx-buffer-overflow - boost-hardened - - owasp-top-10 - boost-baseline - ALL - cwe-131
@@ -14944,7 +14832,6 @@ rules: CPP_Buffer_Overflow_Buffer_Overflow_boundcpy_WrongSizeParam: categories: - checkmarx-buffer-overflow - - owasp-top-10 - boost-baseline - ALL - cwe-121
@@ -14960,7 +14847,6 @@ rules: categories: - checkmarx-buffer-overflow - boost-hardened - - owasp-top-10 - cwe-120 - boost-baseline - ALL
@@ -14975,7 +14861,6 @@ rules: CPP_Buffer_Overflow_Buffer_Overflow_boundedcpy2: categories: - checkmarx-buffer-overflow - - owasp-top-10 - cwe-120 - boost-baseline - ALL
@@ -14991,7 +14876,6 @@ rules: categories: - checkmarx-buffer-overflow - boost-hardened - - owasp-top-10 - cwe-120 - boost-baseline - ALL
@@ -15007,7 +14891,6 @@ rules: categories: - checkmarx-buffer-overflow - boost-hardened - - owasp-top-10 - cwe-120 - boost-baseline - ALL
@@ -15023,7 +14906,6 @@ rules: categories: - checkmarx-buffer-overflow - boost-hardened - - owasp-top-10 - cwe-120 - boost-baseline - ALL
@@ -15039,7 +14921,6 @@ rules: categories: - checkmarx-buffer-overflow - boost-hardened - - owasp-top-10 - cwe-120 - boost-baseline - ALL
@@ -15055,7 +14936,6 @@ rules: categories: - checkmarx-buffer-overflow - boost-hardened - - owasp-top-10 - cwe-120 - boost-baseline - ALL
@@ -15071,7 +14951,6 @@ rules: categories: - checkmarx-buffer-overflow - boost-hardened - - owasp-top-10 - cwe-120 - boost-baseline - ALL
@@ -15088,7 +14967,6 @@ rules: - boost-hardened - checkmarx-buffer-overflow - cwe-134 - - owasp-top-10 - boost-baseline - ALL description: The product uses a function that accepts a format string as an argument,
@@ -15103,7 +14981,6 @@ rules: - cwe-170 - checkmarx-buffer-overflow - boost-hardened - - owasp-top-10 - boost-baseline - ALL description: The product does not terminate or incorrectly terminates a string
@@ -15116,7 +14993,6 @@ rules: CPP_Buffer_Overflow_Missing_Precision: categories: - checkmarx-buffer-overflow - - owasp-top-10 - cwe-120 - boost-baseline - ALL
@@ -15131,7 +15007,6 @@ rules: CPP_Buffer_Overflow_MultiByte_String_Length: categories: - checkmarx-buffer-overflow - - owasp-top-10 - cwe-135 - boost-baseline - ALL
@@ -15147,7 +15022,6 @@ rules: - checkmarx-buffer-overflow - boost-hardened - cwe-193 - - owasp-top-10 - boost-baseline - ALL description: A product calculates or uses an incorrect maximum or minimum value
@@ -15162,7 +15036,6 @@ rules: - checkmarx-buffer-overflow - boost-hardened - cwe-193 - - owasp-top-10 - boost-baseline - ALL description: A product calculates or uses an incorrect maximum or minimum value
@@ -15176,7 +15049,6 @@ rules: categories: - checkmarx-buffer-overflow - cwe-193 - - owasp-top-10 - boost-baseline - ALL description: A product calculates or uses an incorrect maximum or minimum value
@@ -15190,7 +15062,6 @@ rules: categories: - checkmarx-buffer-overflow - cwe-193 - - owasp-top-10 - boost-baseline - ALL description: A product calculates or uses an incorrect maximum or minimum value
@@ -15204,7 +15075,6 @@ rules: categories: - checkmarx-buffer-overflow - boost-hardened - - owasp-top-10 - cwe-120 - boost-baseline - ALL
@@ -15219,7 +15089,6 @@ rules: CPP_Buffer_Overflow_Potential_Precision_Problem: categories: - checkmarx-buffer-overflow - - owasp-top-10 - cwe-120 - boost-baseline - ALL
@@ -15236,7 +15105,6 @@ rules: - cwe-170 - checkmarx-buffer-overflow - boost-hardened - - owasp-top-10 - boost-baseline - ALL description: The product does not terminate or incorrectly terminates a string
@@ -15251,7 +15119,6 @@ rules: - cwe-170 - checkmarx-buffer-overflow - boost-hardened - - owasp-top-10 - boost-baseline - ALL description: The product does not terminate or incorrectly terminates a string
@@ -15264,7 +15131,6 @@ rules: CPP_Heuristic_Freed_Pointer_Not_Set_To_Null: categories: - checkmarx-heuristic - - owasp-top-10 - cwe-476 - boost-baseline - ALL
@@ -15280,7 +15146,6 @@ rules: CPP_Heuristic_Heuristic_2nd_Order_Buffer_Overflow_malloc: categories: - checkmarx-heuristic - - owasp-top-10 - cwe-120 - boost-baseline - ALL
@@ -15295,7 +15160,6 @@ rules: CPP_Heuristic_Heuristic_2nd_Order_Buffer_Overflow_read: categories: - checkmarx-heuristic - - owasp-top-10 - cwe-120 - boost-baseline - ALL
@@ -15328,7 +15192,6 @@ rules: categories: - cwe-129 - checkmarx-heuristic - - owasp-top-10 - boost-baseline - ALL description: The product uses untrusted input when calculating or using an array
@@ -15342,7 +15205,6 @@ rules: CPP_Heuristic_Heuristic_Buffer_Overflow_malloc: categories: - checkmarx-heuristic - - owasp-top-10 - cwe-120 - boost-baseline - ALL
@@ -15357,7 +15219,6 @@ rules: CPP_Heuristic_Heuristic_Buffer_Overflow_read: categories: - checkmarx-heuristic - - owasp-top-10 - cwe-120 - boost-baseline - ALL
@@ -15402,7 +15263,6 @@ rules: CPP_Heuristic_Heuristic_NULL_Pointer_Dereference1: categories: - checkmarx-heuristic - - owasp-top-10 - cwe-476 - boost-baseline - ALL
@@ -15418,7 +15278,6 @@ rules: CPP_Heuristic_Heuristic_NULL_Pointer_Dereference2: categories: - checkmarx-heuristic - - owasp-top-10 - cwe-476 - boost-baseline - ALL
@@ -15467,7 +15326,6 @@ rules: categories: - cwe-252 - checkmarx-heuristic - - owasp-top-10 - boost-baseline - ALL description: The product does not check the return value from a method or function,
@@ -15481,7 +15339,6 @@ rules: categories: - cwe-193 - checkmarx-heuristic - - owasp-top-10 - boost-baseline - ALL description: A product calculates or uses an incorrect maximum or minimum value
@@ -15579,7 +15436,6 @@ rules: CPP_High_Risk_Process_Control: categories: - boost-hardened - - owasp-top-10 - cwe-114 - boost-baseline - ALL
@@ -15628,7 +15484,6 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_Insecure_Credential_Storage_Comparison_Timing_Attack: categories: - - owasp-top-10 - checkmarx-insecure-credential-storage - boost-baseline - ALL
@@ -15750,7 +15605,6 @@ rules: CPP_Integer_Overflow_Boolean_Overflow: categories: - cwe-190 - - owasp-top-10 - checkmarx-integer-overflow - boost-baseline - ALL
@@ -15767,7 +15621,6 @@ rules: CPP_Integer_Overflow_Char_Overflow: categories: - cwe-190 - - owasp-top-10 - checkmarx-integer-overflow - boost-baseline - ALL
@@ -15784,7 +15637,6 @@ rules: CPP_Integer_Overflow_Float_Overflow: categories: - cwe-190 - - owasp-top-10 - checkmarx-integer-overflow - boost-baseline - ALL
@@ -15801,7 +15653,6 @@ rules: CPP_Integer_Overflow_Get_Right_Assignment: categories: - cwe-190 - - owasp-top-10 - checkmarx-integer-overflow - boost-baseline - ALL
@@ -15818,7 +15669,6 @@ rules: CPP_Integer_Overflow_Integer_Overflow: categories: - cwe-190 - - owasp-top-10 - checkmarx-integer-overflow - boost-baseline - ALL
@@ -15835,7 +15685,6 @@ rules: CPP_Integer_Overflow_Long_Overflow: categories: - cwe-190 - - owasp-top-10 - checkmarx-integer-overflow - boost-baseline - ALL
@@ -15852,7 +15701,6 @@ rules: CPP_Integer_Overflow_Short_Overflow: categories: - cwe-190 - - owasp-top-10 - checkmarx-integer-overflow - boost-baseline - ALL
@@ -15869,7 +15717,6 @@ rules: CPP_Integer_Overflow_Type_Conversion_Error: categories: - cwe-681 - - owasp-top-10 - checkmarx-integer-overflow - boost-baseline - ALL
@@ -15885,7 +15732,6 @@ rules: CPP_Integer_Overflow_Wrong_Size_t_Allocation: categories: - cwe-789 - - owasp-top-10 - checkmarx-integer-overflow - boost-baseline - ALL
@@ -15900,7 +15746,6 @@ rules: CPP_Low_Visibility_Arithmetic_Operation_On_Boolean: categories: - checkmarx-low-visibility - - owasp-top-10 - cwe-398 - boost-baseline - ALL
@@ -15931,7 +15776,6 @@ rules: categories: - cwe-243 - checkmarx-low-visibility - - owasp-top-10 - boost-baseline - ALL description: The product uses the chroot() system call to create a jail, but does
@@ -15946,7 +15790,6 @@ rules: categories: - cwe-477 - checkmarx-low-visibility - - owasp-top-10 - boost-baseline - ALL description: The code uses deprecated or obsolete functions, which suggests that
@@ -15975,7 +15818,6 @@ rules: categories: - cwe-244 - checkmarx-low-visibility - - owasp-top-10 - boost-baseline - ALL description: Using realloc() to resize buffers that store sensitive information
@@ -15990,7 +15832,6 @@ rules: categories: - cwe-248 - checkmarx-low-visibility - - owasp-top-10 - boost-baseline - ALL description: An exception is thrown from a function, but it is not caught.
@@ -16017,7 +15858,6 @@ rules: categories: - cwe-404 - checkmarx-low-visibility - - owasp-top-10 - boost-baseline - ALL description: The product does not release or incorrectly releases a resource before
@@ -16031,7 +15871,6 @@ rules: categories: - cwe-460 - checkmarx-low-visibility - - owasp-top-10 - boost-baseline - ALL description: The product does not clean up its state or incorrectly cleans up
@@ -16046,7 +15885,6 @@ rules: categories: - cwe-474 - checkmarx-low-visibility - - owasp-top-10 - boost-baseline - ALL description: The code uses a function that has inconsistent implementations across
@@ -16060,7 +15898,6 @@ rules: categories: - cwe-732 - checkmarx-low-visibility - - owasp-top-10 - boost-baseline - ALL description: The product specifies permissions for a security-critical resource
@@ -16074,7 +15911,6 @@ rules: categories: - cwe-615 - checkmarx-low-visibility - - owasp-top-10 - boost-baseline - ALL description: 'While adding general comments is very useful, some programmers tend
@@ -16132,7 +15968,6 @@ rules: CPP_Low_Visibility_Leaving_Temporary_Files: categories: - checkmarx-low-visibility - - owasp-top-10 - boost-baseline - ALL - cwe-376
@@ -16146,7 +15981,6 @@ rules: categories: - cwe-489 - checkmarx-low-visibility - - owasp-top-10 - boost-baseline - ALL description: The product is deployed to unauthorized actors with debugging code
@@ -16163,6 +15997,7 @@ rules: - ALL - cwe-117 - checkmarx-low-visibility + - owasp-top-10 description: The product does not neutralize or incorrectly neutralizes output that is written to logs. group: top10-security-logging-monitoring-failures
@@ -16173,7 +16008,6 @@ rules: CPP_Low_Visibility_NULL_Pointer_Dereference: categories: - checkmarx-low-visibility - - owasp-top-10 - cwe-476 - boost-baseline - ALL
@@ -16189,7 +16023,6 @@ rules: CPP_Low_Visibility_Potential_Path_Traversal: categories: - checkmarx-low-visibility - - owasp-top-10 - cwe-36 - boost-baseline - ALL
@@ -16222,7 +16055,6 @@ rules: categories: - cwe-350 - checkmarx-low-visibility - - owasp-top-10 - boost-baseline - ALL description: The product performs reverse DNS resolution on an IP address to obtain
@@ -16237,7 +16069,6 @@ rules: categories: - cwe-467 - checkmarx-low-visibility - - owasp-top-10 - boost-baseline - ALL description: The code calls sizeof() on a malloced pointer type, which always
@@ -16268,7 +16099,6 @@ rules: CPP_Low_Visibility_TOCTOU: categories: - checkmarx-low-visibility - - owasp-top-10 - boost-baseline - ALL - cwe-367
@@ -16285,7 +16115,6 @@ rules: categories: - cwe-129 - checkmarx-low-visibility - - owasp-top-10 - boost-baseline - ALL description: The product uses untrusted input when calculating or using an array
@@ -16300,7 +16129,6 @@ rules: categories: - cwe-252 - checkmarx-low-visibility - - owasp-top-10 - boost-baseline - ALL description: The product does not check the return value from a method or function,
@@ -16314,7 +16142,6 @@ rules: categories: - ALL - checkmarx-low-visibility - - owasp-top-10 - boost-baseline - cwe-475 description: The behavior of this function is undefined unless its control parameter
@@ -16327,7 +16154,6 @@ rules: CPP_Low_Visibility_Unreleased_Resource_Leak: categories: - checkmarx-low-visibility - - owasp-top-10 - cwe-411 - boost-baseline - ALL
@@ -16342,7 +16168,6 @@ rules: categories: - cwe-477 - checkmarx-low-visibility - - owasp-top-10 - boost-baseline - ALL description: The code uses deprecated or obsolete functions, which suggests that
@@ -16384,7 +16209,6 @@ rules: categories: - cwe-477 - checkmarx-low-visibility - - owasp-top-10 - boost-baseline - ALL description: The code uses deprecated or obsolete functions, which suggests that
@@ -16398,7 +16222,6 @@ rules: categories: - cwe-467 - checkmarx-low-visibility - - owasp-top-10 - boost-baseline - ALL description: The code calls sizeof() on a malloced pointer type, which always
@@ -16411,7 +16234,6 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_CPP_R00_01_03_Find_Unused_Variables: categories: - - owasp-top-10 - boost-baseline - ALL - checkmarx-misra-cpp
@@ -16424,7 +16246,6 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_CPP_R00_01_05_Find_Unused_Typedefs: categories: - - owasp-top-10 - boost-baseline - ALL - checkmarx-misra-cpp
@@ -16437,7 +16258,6 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_CPP_R00_01_10_Find_Unused_Defined_Functions: categories: - - owasp-top-10 - boost-baseline - ALL - checkmarx-misra-cpp
@@ -16451,7 +16271,6 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_CPP_R00_01_11_Find_Unused_Parameters: categories: - - owasp-top-10 - boost-baseline - ALL - checkmarx-misra-cpp
@@ -16464,7 +16283,6 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_CPP_R00_01_12_Find_Virtual_Unused_Parameters: categories: - - owasp-top-10 - boost-baseline - ALL - checkmarx-misra-cpp
@@ -16479,7 +16297,6 @@ rules: categories: - boost-baseline - ALL - - owasp-top-10 - checkmarx-misra-cpp description: Trigraph sequences are present in the code, which violate MISRA C++ Rule 02.03.01, and can impact the readability and maintainability of the code.
@@ -16490,7 +16307,6 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_CPP_R02_05_01_Digraphs: categories: - - owasp-top-10 - boost-baseline - ALL - checkmarx-misra-cpp
@@ -16506,7 +16322,6 @@ rules: categories: - boost-baseline - ALL - - owasp-top-10 - checkmarx-misra-cpp description: Code segments are found to be commented out, potentially causing confusion and violating MISRA-C++ rule 2.7.2, which recommends against this
@@ -16520,7 +16335,6 @@ rules: categories: - boost-baseline - ALL - - owasp-top-10 - checkmarx-misra-cpp description: Identifies sections of C++ code that have been commented out, which may indicate outdated or erroneous code segments that can lead to confusion
@@ -16534,7 +16348,6 @@ rules: categories: - boost-baseline - ALL - - owasp-top-10 - checkmarx-misra-cpp description: An identifier in a localized scope hides an identifier in an outer scope, which could cause confusion and unexpected outcomes as per the MISRA
@@ -16548,7 +16361,6 @@ rules: categories: - boost-baseline - ALL - - owasp-top-10 - checkmarx-misra-cpp description: The same name is reused for different 'typedef' declarations, violating rule 2.10.3 of MISRA C++, which recommends unique identifiers for independent
@@ -16562,7 +16374,6 @@ rules: categories: - boost-baseline - ALL - - owasp-top-10 - checkmarx-misra-cpp description: Names of class types, enumeration types, and union types should be unique, ensuring clarity and reducing potential ambiguity or misunderstanding
@@ -16574,7 +16385,6 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_CPP_R02_10_05_Non_Member_Static_Name_Reuse: categories: - - owasp-top-10 - boost-baseline - ALL - checkmarx-misra-cpp
@@ -16590,7 +16400,6 @@ rules: categories: - boost-baseline - ALL - - owasp-top-10 - checkmarx-misra-cpp description: In violation of MISRA C++:2008 rule 2-13-1, text strings and characters contain escape sequences that are not defined in the ISO C++ standard. This
@@ -16604,7 +16413,6 @@ rules: categories: - boost-baseline - ALL - - owasp-top-10 - checkmarx-misra-cpp description: In C++ code, a non-zero octal constant has been used, which is a violation of MISRA C++ Rule 2.13.2, that suggests not using such constants to
@@ -16618,7 +16426,6 @@ rules: categories: - boost-baseline - ALL - - owasp-top-10 - checkmarx-misra-cpp description: Unsigned hexadecimal or octal constants lack a 'U' suffix, which can lead to data loss if the constant's value exceeds the range of its type.
@@ -16630,7 +16437,6 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_CPP_R02_13_04_Literal_Suffix_Uppercase: categories: - - owasp-top-10 - boost-baseline - ALL - checkmarx-misra-cpp
@@ -16644,7 +16450,6 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_CPP_R03_01_03_Find_Arrays_Without_Size: categories: - - owasp-top-10 - boost-baseline - ALL - checkmarx-misra-cpp
@@ -16660,7 +16465,6 @@ rules: categories: - boost-baseline - ALL - - owasp-top-10 - checkmarx-misra-cpp description: Functionally declared and defined in different files must have matching parameter lists and return types to promote consistency and prevent potential
@@ -16674,7 +16478,6 @@ rules: categories: - boost-baseline - ALL - - owasp-top-10 - checkmarx-misra-cpp description: An object definition occurs outside its minimal necessary scope in reference to Rule MISRA C++:2008, 3-4-1, breaching the principle of limiting
@@ -16688,7 +16491,6 @@ rules: categories: - boost-baseline - ALL - - owasp-top-10 - checkmarx-misra-cpp description: Non-typedef'd basic types are used in the code, violating MISRA C++ Rule 3-9-2, which requires a typedef to be used instead. This might lead to
@@ -16702,7 +16504,6 @@ rules: categories: - boost-baseline - ALL - - owasp-top-10 - checkmarx-misra-cpp description: 'The rule identifies violations of MISRA C++: 2008 Rule 4-10-1, which warns against using NULL as an integer value, preventing possible data corruption
@@ -16716,7 +16517,6 @@ rules: categories: - boost-baseline - ALL - - owasp-top-10 - checkmarx-misra-cpp description: A literal zero is used instead of the null pointer constant in C++ code, violating rule R04.10.02 of the Motor Industry Reliability Association's
@@ -16731,7 +16531,6 @@ rules: categories: - boost-baseline - ALL - - owasp-top-10 - checkmarx-misra-cpp description: An explicit conversion of an expression from a floating-point type to an integer type occurs in a manner that is inconsistent with the MISRA C++
@@ -16746,7 +16545,6 @@ rules: categories: - boost-baseline - ALL - - owasp-top-10 - checkmarx-misra-cpp description: A bitwise operator is applied to an unsigned char or short type, violating MISRA C++ Rule 5.0.10, which could lead to unintended data manipulation
@@ -16760,7 +16558,6 @@ rules: categories: - boost-baseline - ALL - - owasp-top-10 - checkmarx-misra-cpp description: The use of plain 'char' type is detected in the code. According to MISRA C++ Rule 05-0-11, 'char' should be avoided due to its undefined signedness,
@@ -16775,7 +16572,6 @@ rules: categories: - boost-baseline - ALL - - owasp-top-10 - checkmarx-misra-cpp description: The rule targets the code where plain "char" type is used, which is a violation of MISRA C++ Rule 5-0-12 that mandates use of explicit "signed"
@@ -16789,7 +16585,6 @@ rules: categories: - boost-baseline - ALL - - owasp-top-10 - checkmarx-misra-cpp description: Bitwise operators are applied on a signed integer data type, violating the MISRA C++:2008 Rule 5-0-21, which could cause unexpected results due to
@@ -16803,7 +16598,6 @@ rules: categories: - boost-baseline - ALL - - owasp-top-10 - checkmarx-misra-cpp description: Logical AND (&&) and OR (||) operations use operands other than postfix expressions, violating Rule 05-2-1 of the Motor Industry Software Reliability
@@ -16817,7 +16611,6 @@ rules: categories: - boost-baseline - ALL - - owasp-top-10 - checkmarx-misra-cpp description: The rule identifies usage of incremental and decremental operators (++ and --) within C++ expressions, which may lead to unpredictable program
@@ -16829,7 +16622,6 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_CPP_R05_02_11_Find_Special_Operator_Overloads: categories: - - owasp-top-10 - boost-baseline - ALL - checkmarx-misra-cpp
@@ -16846,7 +16638,6 @@ rules: categories: - boost-baseline - ALL - - owasp-top-10 - checkmarx-misra-cpp description: The unary minus operator is applied to an unsigned type, a violation of rule 05-03-02 of the Motor Industry Software Reliability Association (MISRA)
@@ -16859,7 +16650,6 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_CPP_R05_03_03_Overloading_Reference_Oper: categories: - - owasp-top-10 - boost-baseline - ALL - checkmarx-misra-cpp
@@ -16875,7 +16665,6 @@ rules: categories: - boost-baseline - ALL - - owasp-top-10 - checkmarx-misra-cpp description: Indicates the usage of the comma operator outside of a for loop or in any scenario where a function-call sequence cannot be guaranteed, violating
@@ -16887,7 +16676,6 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_CPP_R06_02_01_Assignment_in_Sub_Expr: categories: - - owasp-top-10 - boost-baseline - ALL - checkmarx-misra-cpp
@@ -16901,7 +16689,6 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_CPP_R06_02_02_FloatingPt_Equality_Inequality_Testing: categories: - - owasp-top-10 - boost-baseline - ALL - checkmarx-misra-cpp
@@ -16919,7 +16706,6 @@ rules: categories: - boost-baseline - ALL - - owasp-top-10 - checkmarx-misra-cpp description: A switch or iteration statement body that's not a compound statement is present in the code, contradicting MISRA C++ Rule 6-3-1 and potentially leading
@@ -16933,7 +16719,6 @@ rules: categories: - boost-baseline - ALL - - owasp-top-10 - checkmarx-misra-cpp description: The body of an 'if' or an 'else' statement is not a compound statement. This can lead to visibility and maintenance issues as per MISRA C++:2008 Rule
@@ -16947,7 +16732,6 @@ rules: categories: - boost-baseline - ALL - - owasp-top-10 - checkmarx-misra-cpp description: An 'if else' and 'else if' statement chain does not end with an 'else' statement, violating MISRA C++ rule 06-04-02, which can lead to unexpected results
@@ -16961,7 +16745,6 @@ rules: categories: - boost-baseline - ALL - - owasp-top-10 - checkmarx-misra-cpp description: A 'case' label in a 'switch' statement is not enclosed by braces ({ }), which is a violation of MISRA C++ Rule 6-4-4 and can lead to unintended
@@ -16975,7 +16758,6 @@ rules: categories: - boost-baseline - ALL - - owasp-top-10 - checkmarx-misra-cpp description: Non-empty switch cases in C++ code that lack a terminating break or throw statement, violating MISRA C++ Rule 6-4-5 and potentially causing unintended
@@ -16989,7 +16771,6 @@ rules: categories: - boost-baseline - ALL - - owasp-top-10 - checkmarx-misra-cpp description: The rule identifies when the switch control structure does not end with a default label as the last clause, violating MISRA C++ Rule 6-4-6, which
@@ -17001,7 +16782,6 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_CPP_R06_04_07_Find_Switch_Condition_Bool: categories: - - owasp-top-10 - boost-baseline - ALL - checkmarx-misra-cpp
@@ -17016,7 +16796,6 @@ rules: categories: - boost-baseline - ALL - - owasp-top-10 - checkmarx-misra-cpp description: A non-floating literal constant should hold a single character and no more, as dictated by MISRA C++ Rule 06-05-01. This helps avoid ambiguity
@@ -17028,7 +16807,6 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_CPP_R06_05_02_Loop_Counter_Modify: categories: - - owasp-top-10 - boost-baseline - ALL - checkmarx-misra-cpp
@@ -17042,7 +16820,6 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_CPP_R06_05_03_Change_Lc_In_St_And_Cond: categories: - - owasp-top-10 - boost-baseline - ALL - checkmarx-misra-cpp
@@ -17056,7 +16833,6 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_CPP_R06_05_04_Incremental_Modified: categories: - - owasp-top-10 - boost-baseline - ALL - checkmarx-misra-cpp
@@ -17071,7 +16847,6 @@ rules: CPP_MISRA_CPP_R06_05_05_Lcv_Change_In_For_Stmt: categories: - boost-baseline - - owasp-top-10 - ALL - checkmarx-misra-cpp description: Loop counter variables are modified in the body of a 'for' loop,
@@ -17084,7 +16859,6 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_CPP_R06_05_06_Bool_Lcv_Change: categories: - - owasp-top-10 - boost-baseline - ALL - checkmarx-misra-cpp
@@ -17099,7 +16873,6 @@ rules: categories: - boost-baseline - ALL - - owasp-top-10 - checkmarx-misra-cpp description: The rule identifies instances where 'goto' statements are used to jump back in a C++ program, which is a violation of MISRA guideline 6-6-2 and
@@ -17111,7 +16884,6 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_CPP_R06_06_03_Continue_In_Legal_For: categories: - - owasp-top-10 - boost-baseline - ALL - checkmarx-misra-cpp
@@ -17127,7 +16899,6 @@ rules: categories: - boost-baseline - ALL - - owasp-top-10 - checkmarx-misra-cpp description: Each iteration statement (for, while, do) must only contain at most one 'break' or 'goto' statement to ensure code readability and avoid logical
@@ -17141,7 +16912,6 @@ rules: categories: - boost-baseline - ALL - - owasp-top-10 - checkmarx-misra-cpp description: Checks for C++ functions not adhering to the MISRA-CPP:2008 compliance statement Rule 6-6-5, which stipulates that a function must only have a single
@@ -17154,7 +16924,6 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_CPP_R07_01_01_Declare_Const_if_not_Modified: categories: - - owasp-top-10 - boost-baseline - ALL - checkmarx-misra-cpp
@@ -17168,7 +16937,6 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_CPP_R07_01_02_Declare_Ref_Const_if_not_Modified: categories: - - owasp-top-10 - boost-baseline - ALL - checkmarx-misra-cpp
@@ -17182,7 +16950,6 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_CPP_R07_03_01_Definitions_in_Global_Namespace: categories: - - owasp-top-10 - boost-baseline - ALL - checkmarx-misra-cpp
@@ -17197,7 +16964,6 @@ rules: CPP_MISRA_CPP_R07_03_02_Find_non_Global_Mains: categories: - boost-baseline - - owasp-top-10 - ALL - checkmarx-misra-cpp description: Identifies non-global main functions in C++ codebase, violating MISRA
@@ -17209,7 +16975,6 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_CPP_R07_03_03_Unnamed_NS_in_Headers: categories: - - owasp-top-10 - boost-baseline - ALL - checkmarx-misra-cpp
@@ -17223,7 +16988,6 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_CPP_R07_03_04_Find_Using_Directives: categories: - - owasp-top-10 - boost-baseline - ALL - checkmarx-misra-cpp
@@ -17236,7 +17000,6 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_CPP_R07_03_05_Multiple_Declarations_After_Using: categories: - - owasp-top-10 - boost-baseline - ALL - checkmarx-misra-cpp
@@ -17250,7 +17013,6 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_CPP_R07_03_06_Find_Using_in_Headers: categories: - - owasp-top-10 - boost-baseline - ALL - checkmarx-misra-cpp
@@ -17264,7 +17026,6 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_CPP_R07_05_02_Address_Assignment_out_of_Scope: categories: - - owasp-top-10 - boost-baseline - ALL - checkmarx-misra-cpp
@@ -17279,7 +17040,6 @@ rules: CPP_MISRA_CPP_R07_05_03_Return_Parameter_Passed_by_Ref: categories: - ALL - - owasp-top-10 - boost-baseline - checkmarx-misra-cpp description: There is a return-value parameter passed by nonconst reference, violating
@@ -17294,7 +17054,6 @@ rules: categories: - boost-baseline - ALL - - owasp-top-10 - checkmarx-misra-cpp description: In C++, functions or recursive algorithms are present, violating rule 7.5.4 of MISRA (Motor Industry Software Reliability Association) C++ standards,
@@ -17306,7 +17065,6 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_CPP_R08_00_01_Find_Multiple_Declarators: categories: - - owasp-top-10 - boost-baseline - ALL - checkmarx-misra-cpp
@@ -17322,7 +17080,6 @@ rules: categories: - boost-baseline - ALL - - owasp-top-10 - checkmarx-misra-cpp description: A function in C++ code takes a variable number of arguments, violating MISRA C++:2008 Rule 8-4-1, which can introduce indeterminacy and make code less
@@ -17336,7 +17093,6 @@ rules: categories: - boost-baseline - ALL - - owasp-top-10 - checkmarx-misra-cpp description: If a function has multiple exit points, none of them should be an explicit call to 'throw' or 'return' within a 'try' block or a function-try-block,
@@ -17348,7 +17104,6 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_CPP_R08_05_01_Uninitialized_Variable_Use: categories: - - owasp-top-10 - boost-baseline - ALL - checkmarx-misra-cpp
@@ -17363,7 +17118,6 @@ rules: categories: - boost-baseline - ALL - - owasp-top-10 - checkmarx-misra-cpp description: Union data types are in violation of rule 9-5-1 of the MISRA-CPP guidelines, as they can lead to unpredictable behavior due to the overlapping @@ -17377,7 +17131,6 @@ rules: categories: - boost-baseline - ALL - - owasp-top-10 - checkmarx-misra-cpp description: A violation of the MISRA C++:2008 Rule 9-6-2 occurs when a bit field is declared with a type different from bool, signed int, or unsigned int, leading @@ -17391,7 +17144,6 @@ rules: categories: - boost-baseline - ALL - - owasp-top-10 - checkmarx-misra-cpp description: Enums are used as bit-fields in this code, which is a violation of MISRA C++ Rule 9-6-3. Enumerations should not be used in this manner as it may @@ -17405,7 +17157,6 @@ rules: categories: - boost-baseline - ALL - - owasp-top-10 - checkmarx-misra-cpp description: A violation of the MISRA C++ 2008 Rule 9-6-4 occurs when a bit field of an integer type has a length that exceeds the number of bits in the width @@ -17417,7 +17168,6 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_CPP_R10_01_01_Find_Virtual_Base_Classes: categories: - - owasp-top-10 - boost-baseline - ALL - checkmarx-misra-cpp @@ -17431,7 +17181,6 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_CPP_R10_03_02_Find_Override_Without_Virtual: categories: - - owasp-top-10 - boost-baseline - ALL - checkmarx-misra-cpp @@ -17445,7 +17194,6 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_CPP_R10_03_03_Redeclare_Function_as_Pure: categories: - - owasp-top-10 - boost-baseline - ALL - checkmarx-misra-cpp 
@@ -17459,7 +17207,6 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_CPP_R12_01_03_Find_non_Explicit_Constructor: categories: - - owasp-top-10 - boost-baseline - ALL - checkmarx-misra-cpp @@ -17472,7 +17219,6 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_CPP_R15_00_02_Throw_Pointers: categories: - - owasp-top-10 - boost-baseline - ALL - checkmarx-misra-cpp @@ -17485,7 +17231,6 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_CPP_R15_00_03_Goto_Label_Inside_TryCatch: categories: - - owasp-top-10 - boost-baseline - ALL - checkmarx-misra-cpp @@ -17499,7 +17244,6 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_CPP_R15_01_02_No_Explicit_Null_Throw: categories: - - owasp-top-10 - boost-baseline - ALL - checkmarx-misra-cpp @@ -17512,7 +17256,6 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_CPP_R15_01_03_Empty_Throw_Outside_Catch: categories: - - owasp-top-10 - boost-baseline - ALL - checkmarx-misra-cpp @@ -17526,7 +17269,6 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_CPP_R15_03_02_Catch_All_In_Main: categories: - - owasp-top-10 - boost-baseline - ALL - checkmarx-misra-cpp @@ -17541,7 +17283,6 @@ rules: CPP_MISRA_CPP_R15_03_03_Accessing_Non_Static_Mem_In_Ctr_Dtr: categories: - ALL - - owasp-top-10 - boost-baseline - checkmarx-misra-cpp description: The constructors and destructors of a class are accessing non-static @@ -17554,7 +17295,6 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_CPP_R15_03_07_Catch_All_Final: categories: - - owasp-top-10 - boost-baseline - ALL - checkmarx-misra-cpp 
@@ -17571,7 +17311,6 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_CPP_R15_05_01_Statements_Outside_TryCatch_Dtr: categories: - - owasp-top-10 - boost-baseline - ALL - checkmarx-misra-cpp @@ -17585,7 +17324,6 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_CPP_R16_00_02_Define_Only_in_Global_Namespace: categories: - - owasp-top-10 - boost-baseline - ALL - checkmarx-misra-cpp @@ -17601,7 +17339,6 @@ rules: categories: - boost-baseline - ALL - - owasp-top-10 - checkmarx-misra-cpp description: There's an usage of the '#undef' directive, violating MISRA C++ Rule 16-0-3, which states to avoid such directives to prevent potential issues with @@ -17613,7 +17350,6 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_CPP_R16_00_04_Function_Like_Macros_Shall_Not_Be_Defined: categories: - - owasp-top-10 - boost-baseline - ALL - checkmarx-misra-cpp @@ -17626,7 +17362,6 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_CPP_R16_00_05_No_Tokens_In_Func_Like_Macro: categories: - - owasp-top-10 - boost-baseline - ALL - checkmarx-misra-cpp @@ -17639,7 +17374,6 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_CPP_R16_00_07_Undefined_Macro_Identifiers: categories: - - owasp-top-10 - boost-baseline - ALL - checkmarx-misra-cpp @@ -17653,7 +17387,6 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_CPP_R16_00_08_Sharp_Before_Preprocessing_Token: categories: - - owasp-top-10 - boost-baseline - ALL - checkmarx-misra-cpp @@ -17667,7 +17400,6 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_CPP_R16_01_01_Defined_Standart_Forms: categories: - - owasp-top-10 - boost-baseline - ALL - checkmarx-misra-cpp 
@@ -17682,7 +17414,6 @@ rules: categories: - boost-baseline - ALL - - owasp-top-10 - checkmarx-misra-cpp description: Preprocessor `#if` and corresponding `#else` or `#elif` operators are split between separate source files, violating MISRA C++ Rule 16-1-2 and @@ -17697,7 +17428,6 @@ rules: categories: - boost-baseline - ALL - - owasp-top-10 - checkmarx-misra-cpp description: C++ code violates the MISRA C++:2008 Rule 16-2-6, where the format of an '#include' directive does not adhere to the proper format, resulting in @@ -17711,7 +17441,6 @@ rules: categories: - boost-baseline - ALL - - owasp-top-10 - checkmarx-misra-cpp description: The '#' (pound) preprocessor operator is employed in the code, violating MISRA C++ Rule 16-3-2 which prohibits the use of this operator to prevent potential @@ -17725,7 +17454,6 @@ rules: categories: - boost-baseline - ALL - - owasp-top-10 - checkmarx-misra-cpp description: The C++ Standard Library functions are redefined or undefined, breaking compliance with MISRA C++ Rule 17-0-1 and potentially causing unpredictable @@ -17739,7 +17467,6 @@ rules: categories: - boost-baseline - ALL - - owasp-top-10 - checkmarx-misra-cpp description: In C++ code, macro identifiers from Standard Library are reused, violating MISRA C++ Rule 17-0-2, potentially causing naming conflicts and unpredictable @@ -17753,7 +17480,6 @@ rules: categories: - boost-baseline - ALL - - owasp-top-10 - checkmarx-misra-cpp description: Indicates the redefinition or override of a standard library function, which breaches Rule 17-0-3 of the Motor Industry Software Reliability Association @@ -17768,7 +17494,6 @@ rules: categories: - boost-baseline - ALL - - owasp-top-10 - checkmarx-misra-cpp description: The C-time function from the C Standard Library is used, violating MISRA C++ Rule 18-0-4, which recommends the use of C++ date/time abstraction 
@@ -17782,7 +17507,6 @@ rules: categories: - boost-baseline - ALL - - owasp-top-10 - checkmarx-misra-cpp description: The rule targets the use of unbounded functions from the CString library in C++ programming, as they can introduce potential buffer overflow @@ -17796,7 +17520,6 @@ rules: categories: - boost-baseline - ALL - - owasp-top-10 - checkmarx-misra-cpp description: Dynamic heap memory allocation functions such as malloc(), realloc(), calloc(), and free() are used in the code, violating MISRA C++ Rule 18-4-1. @@ -17810,7 +17533,6 @@ rules: categories: - boost-baseline - ALL - - owasp-top-10 - checkmarx-misra-cpp description: The C standard library function 'signal' is employed in a C++ context. This usage violates rule 18-0-1 of the MISRA C++ guidelines, which advocates @@ -17825,7 +17547,6 @@ rules: - boost-baseline - ALL - checkmarx-misrac - - owasp-top-10 description: In compliance with MISRA C 2012 Rule 1.4, emergent features in C++ should not be utilized, as these may lead to unpredictable program behavior, lesser portability, and/or increased vulnerability to security breaches. @@ -17839,7 +17560,6 @@ rules: - boost-baseline - ALL - checkmarx-misrac - - owasp-top-10 description: Any unused, superfluous, or unreachable code within a C++ program, a violation of MISRA C:2012 Rule 2.x directive, which could compromise the reliability and maintainability of the code. @@ -17853,7 +17573,6 @@ rules: - boost-baseline - ALL - checkmarx-misrac - - owasp-top-10 description: C++ comments that do not comply with the 'R03_X' rule from the MISRA C 2012 guidelines are detected. This includes cases where C-style comments (/*...*/), are used rather than the recommended C++ comments (//...), potentially obscuring 
@@ -17868,7 +17587,6 @@ rules: - boost-baseline - ALL - checkmarx-misrac - - owasp-top-10 description: Only standard ASCII characters and escape sequences should be used in character and string literals, as per the MISRA C 2012 guideline R04.X, in order to ensure portability and avoid reliance on specific character set encoding. @@ -17882,7 +17600,6 @@ rules: - boost-baseline - ALL - checkmarx-misrac - - owasp-top-10 description: Identifiers which should comply with specific naming conventions as stated in MISRA C 2012 Rule 5.x are not adhering to those conventions, leading to possibly unclear code. @@ -17896,7 +17613,6 @@ rules: - boost-baseline - ALL - checkmarx-misrac - - owasp-top-10 description: Bits in non-integral bit fields are accessed, violating the MISRA C 2012 rule 6.x, which states that bit-fields should only be defined to be of type unsigned int or signed int. @@ -17910,7 +17626,6 @@ rules: - boost-baseline - ALL - checkmarx-misrac - - owasp-top-10 description: Octal constants are prohibited as per MISRA C 2012 Rule 07.01 to avoid confusion with decimal values in C++ code. group: top10-insecure-design @@ -17923,7 +17638,6 @@ rules: - boost-baseline - ALL - checkmarx-misrac - - owasp-top-10 description: Unsigned integer constants should be suffixed with "U" or "u" to ensure clear representation of their unsigned nature, avoiding possible misinterpretation and inappropriate type casting. @@ -17938,7 +17652,6 @@ rules: - boost-baseline - ALL - checkmarx-misrac - - owasp-top-10 description: In a constant suffix, the lowercase letter 'l' shall not be used due to its potential for confusion with the numeral '1', violating MISRA C:2012 Rule 07.03. @@ -17952,7 +17665,6 @@ rules: - boost-baseline - ALL - checkmarx-misrac - - owasp-top-10 description: String literals are assigned to a pointer to non-const char, violating MISRA C 2012 Rule 07.04. This may inadvertently alter string literals, causing unexpected behavior or bugs. 
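Review bot: The `group: top10-insecure-design` context line in the `@@ -17910,7 +17626,6 @@` hunk is left in place while the same rule loses its `owasp-top-10` category, so a rule that is no longer categorised as OWASP Top 10 still carries an OWASP Top 10 group label; the same pairing appears in the hunks on the following lines through the end of this chunk (e.g. the `@@ -18095`, `@@ -18468`, `@@ -18509`, `@@ -18819` hunks). If `group` is consumed independently of `categories` — say, for dashboard bucketing or policy gates — these MISRA style rules would still be reported as insecure-design findings, which is presumably not the intent of dropping the category. Either clear `group` for entries that end up with no CWE-derived category, or document in the mapping file that `group` is informational and `categories` is authoritative, e.g. `# group is a display hint only; category membership is derived from CWE lists by normalize-mapping.py`. The rule key line and the start of each entry lie outside these hunks.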
@@ -17967,7 +17679,6 @@ rules: - boost-baseline - ALL - checkmarx-misrac - - owasp-top-10 description: Identifies C++ function prototypes that do not name the parameters, violating MISRA C++ 2012 Rule 8.2, which stipulates that all parameters in function prototypes should be named to indicate their usage. @@ -17981,7 +17692,6 @@ rules: - boost-baseline - ALL - checkmarx-misrac - - owasp-top-10 description: Two or more functions have been given identical names, a violation of MISRA C 2012 Rule 08.03, potentially creating ambiguity and misleading the compiler. @@ -17995,7 +17705,6 @@ rules: - boost-baseline - ALL - checkmarx-misrac - - owasp-top-10 description: When a function or an object is used, its compatible declaration must be visible in its scope, adhering to Rule 08.04 of MISRA C 2012 to ensure type safety. @@ -18009,7 +17718,6 @@ rules: - boost-baseline - ALL - checkmarx-misrac - - owasp-top-10 description: External objects in C++ code should be declared only once to comply with the MISRA C 2012 R08.05 rule, avoiding any confusion or errors due to multiple declarations. @@ -18023,7 +17731,6 @@ rules: - boost-baseline - ALL - checkmarx-misrac - - owasp-top-10 description: Ensures that each identifier with external linkage is associated with exactly one definition within the entire program, in accordance with Rule 8.6 of MISRA C 2012 guidelines. @@ -18037,7 +17744,6 @@ rules: - boost-baseline - ALL - checkmarx-misrac - - owasp-top-10 description: Functions and objects are defined as 'extern' while being referenced only in a single file, violating MISRA C:2012 Rule 08.07, which can lead to potential linkage and maintainability issues. @@ -18052,7 +17758,6 @@ rules: - boost-baseline - ALL - checkmarx-misrac - - owasp-top-10 description: All internal linkage declarations must use the 'static' keyword in accordance with the MISRA C 2012 Rule 08.08 to prevent potential linkage and name collision issues. 
@@ -18067,7 +17772,6 @@ rules: - boost-baseline - ALL - checkmarx-misrac - - owasp-top-10 description: Ensures that identifiers in C++ are defined at the smallest block scope possible, conforming to MISRA C 2012 Rule 08.09 which aims to improve code readability and maintainability. @@ -18081,7 +17785,6 @@ rules: - boost-baseline - ALL - checkmarx-misrac - - owasp-top-10 description: An inline function in C++ doesn't have 'static' declaration, violating rule 8.10 of MISRA C 2012 standards, leading to potential clashes in function names and unpredictable behavior. @@ -18095,7 +17798,6 @@ rules: - boost-baseline - ALL - checkmarx-misrac - - owasp-top-10 description: External array declarations must include a defined size to ensure compliance with MISRA C 2012 Rule 08.11 and avoid potential runtime issues. group: top10-insecure-design @@ -18108,7 +17810,6 @@ rules: - boost-baseline - ALL - checkmarx-misrac - - owasp-top-10 description: Enumerated constant values specified implicitly must be unique in compliance with MISRA C 2012 Rule 8.12, to ensure clear differentiation between enumeration items. @@ -18123,7 +17824,6 @@ rules: - boost-baseline - ALL - checkmarx-misrac - - owasp-top-10 description: A pointer does not point to 'const', breaking the MISRA C 2012 Rule 8.13 guideline, which can lead to unforeseen side effects or code vulnerabilities due to accidental modification of data. @@ -18137,7 +17837,6 @@ rules: - boost-baseline - ALL - checkmarx-misrac - - owasp-top-10 description: The rule R08.14 in the MISRA C 2012 guidelines, precisely checks if the restrict type qualifier does not refer to an object with static storage duration or a function parameter declared as array or function type in the C++ 
@@ -18152,7 +17851,6 @@ rules: - boost-baseline - ALL - checkmarx-misrac - - owasp-top-10 description: A variable's value is being overwritten without prior usage, violating the MISRA C:2012 Rule 9.1 which states that every value, which is read, must be set explicitly beforehand. @@ -18166,7 +17864,6 @@ rules: - boost-baseline - ALL - checkmarx-misrac - - owasp-top-10 description: Array initializers must not contain more initializers than the dimension of the array, and the provided initializer must be compatible with the declared type to meet MISRA C 2012 Rules 09.02 and 09.03. Violations may result in unexpected @@ -18181,7 +17878,6 @@ rules: - boost-baseline - ALL - checkmarx-misrac - - owasp-top-10 description: Operands within an expression are of an inappropriate essential type, violating the MISRA C 2012 Rule 10.1, which aims to ensure correct and safe usage of operands in C++ code. @@ -18196,7 +17892,6 @@ rules: - boost-baseline - ALL - checkmarx-misrac - - owasp-top-10 description: Character types should not be used inappropriately in arithmetic operations to avoid unexpected results due to implicit type conversion, adhering to the MISRA C 2012 Rule 10.2. @@ -18211,7 +17906,6 @@ rules: - boost-baseline - ALL - checkmarx-misrac - - owasp-top-10 description: An expression's value is assigned to a data type with inappropriate essential type, contradicting MISRA C 2012 Rule 10.3, which can lead to unexpected behavior due to data loss or incorrect value interpretation. @@ -18226,7 +17920,6 @@ rules: - boost-baseline - ALL - checkmarx-misrac - - owasp-top-10 description: Binary operators that operate on a basic type should have operands of the same type, as required by MISRA C 2012 Rule 10.4, to ensure type consistency and prevent unexpected behavior during execution. 
@@ -18240,7 +17933,6 @@ rules: - boost-baseline - ALL - checkmarx-misrac - - owasp-top-10 description: A violation occurs when the value of an expression is cast to an inappropriate essential type according to the MISRA C 2012 standard rule R10.05, thereby increasing the risk of incorrect program behavior. @@ -18255,7 +17947,6 @@ rules: - boost-baseline - ALL - checkmarx-misrac - - owasp-top-10 description: Verifies that C++ code adheres to MISRA C 2012 rules 10.6, 10.7, and 10.8, ensuring type consistency of composite expressions to prevent integer overflows and underflows. @@ -18269,7 +17960,6 @@ rules: - boost-baseline - ALL - checkmarx-misrac - - owasp-top-10 description: R11.x Pointer Type Conversions detects violations of MISRA C 2012 Rule 11.x, which prohibits conversions between pointer types that may lead to an incompatible or unexpected type interpretation, possibly causing code behavior @@ -18284,7 +17974,6 @@ rules: - boost-baseline - ALL - checkmarx-misrac - - owasp-top-10 description: An issue with operator precedence in a C++ code line occurs when one expression consists of intertwined operators without the use of parentheses for explicit precedence, resulting in possible ambiguity or unexpected outcomes @@ -18299,7 +17988,6 @@ rules: - boost-baseline - ALL - checkmarx-misrac - - owasp-top-10 description: The right-hand operand of a shift operator in C++ code exceeds the width in bits of the essential type of the left-hand operand, violating the MISRA C++ 2012 Rule 12.02, which can lead to unpredictable values or data loss. @@ -18313,7 +18001,6 @@ rules: - boost-baseline - ALL - checkmarx-misrac - - owasp-top-10 description: Prohibits the use of the comma operator, except in functions and arrays, as stated in rule R12.03 of the MISRA C 2012 guidelines to prevent ambiguous or unexpected results in C++ programming. 
@@ -18327,7 +18014,6 @@ rules: - boost-baseline - ALL - checkmarx-misrac - - owasp-top-10 description: Unsigned integer values are used in such a way that could result in wrap-around, violating the MISRA C 2012 guideline R12.04 for reliable and secure coding. @@ -18341,7 +18027,6 @@ rules: - boost-baseline - ALL - checkmarx-misrac - - owasp-top-10 description: The 'sizeof' operator is used with an operand that is not an array of type, in violation of MISRA C 2012 Rule 12.5. This may result in unintended calculation of object memory size. @@ -18355,7 +18040,6 @@ rules: - boost-baseline - ALL - checkmarx-misrac - - owasp-top-10 description: Side effects in an expression are not sequenced properly, resulting in unreliable operation under the MISRA C++:2008 Rule 13.x. This could lead to undefined or unpredictable behaviors. @@ -18369,7 +18053,6 @@ rules: - boost-baseline - ALL - checkmarx-misrac - - owasp-top-10 description: Control mechanisms in C++ programming, such as if-else and switch-case statements, contain expressions that do not resolve to Boolean values as per MISRA C 2012, Rule 14.x, increasing the chance of unintended program behavior. @@ -18383,7 +18066,6 @@ rules: - boost-baseline - ALL - checkmarx-misrac - - owasp-top-10 description: Enforces MISRA C:2012 rules 15.1 to 15.3, which together prohibit usage of 'goto' statements for branch and iteration control, limiting its role for error handling in C++. @@ -18397,7 +18079,6 @@ rules: - boost-baseline - ALL - checkmarx-misrac - - owasp-top-10 description: Iteration statements must have at most one break statement exiting the loop, per MISRA C 2012 Rule 15.4, thus enforcing a single point of exit for greater control flow clarity in C++ programming. @@ -18411,7 +18092,6 @@ rules: - boost-baseline - ALL - checkmarx-misrac - - owasp-top-10 description: Functions should have a single exit point at the end, ensuring program flow isn't disrupted and handling resources more efficiently, per MISRA C 2012 Rule 15.5. 
@@ -18425,7 +18105,6 @@ rules: - boost-baseline - ALL - checkmarx-misrac - - owasp-top-10 description: The body of an iteration statement, selection statement, or a `catch` clause in a function definition or at block scope isn't a compound statement, violating MISRA C 2012 Rule 15.06. This may result in unexpected logic flow, @@ -18440,7 +18119,6 @@ rules: - boost-baseline - ALL - checkmarx-misrac - - owasp-top-10 description: This rule checks if 'if-else if' construct in C++ code complies with MISRA C 2012 Rule 15.07, which states that the construct must end with an 'else' clause to avoid unintended behavior. @@ -18454,7 +18132,6 @@ rules: - boost-baseline - ALL - checkmarx-misrac - - owasp-top-10 description: Switch-case constructs in C/C++ code are not adhering to MISRA 2012 Rule 16.X, which requires a default label to end all switch statements to avoid potential issues if none of the case matches. @@ -18468,7 +18145,6 @@ rules: - boost-baseline - ALL - checkmarx-misrac - - owasp-top-10 description: The standard header is used within the code, violating Rule 17.1 of MISRA C 2012, which prohibits the use of variable argument functions. group: top10-insecure-design @@ -18481,7 +18157,6 @@ rules: - boost-baseline - ALL - checkmarx-misrac - - owasp-top-10 description: The code violates Rule 17.2 of MISRA C 2012 standard as it contains recursion, either direct or indirect, which might lead to unpredictable program behavior. @@ -18495,7 +18170,6 @@ rules: - boost-baseline - ALL - checkmarx-misrac - - owasp-top-10 description: "The program uses a function that has been declared implicitly, violating\ \ the MISRA C 2012 Rule 17.03\u2014increasing potential for undeclared or mistyped\ \ function names to cause malfunction or behave unpredictably." 
@@ -18509,7 +18183,6 @@ rules: - boost-baseline - ALL - checkmarx-misrac - - owasp-top-10 description: Every non-void function must have a return statement with an expression, ensuring that a return value is specified, conforming to MISRA C 2012 Rule 17.4. group: top10-insecure-design @@ -18522,7 +18195,6 @@ rules: - boost-baseline - ALL - checkmarx-misrac - - owasp-top-10 description: Enforces MISRA C 2012 directives 17.05 and 17.06 to ensure that a function does not take an array as a parameter, but rather a pointer to its first element, safeguarding critical memory portions used by the array. @@ -18536,7 +18208,6 @@ rules: - boost-baseline - ALL - checkmarx-misrac - - owasp-top-10 description: In compliance with MISRA C 2012 Rule 17.07, the value returned by a function with a non-void return type must be utilized, preventing potential logical errors or inconsistencies. @@ -18550,7 +18221,6 @@ rules: - boost-baseline - ALL - checkmarx-misrac - - owasp-top-10 description: Function parameters in the C++ language are altered or modified, which violates rule 17.08 of MISRA C 2012, potentially leading to unpredictable program behavior. @@ -18564,7 +18234,6 @@ rules: - boost-baseline - ALL - checkmarx-misrac - - owasp-top-10 description: Misuse of pointer arithmetic tends to violate rule 18.4 of MISRA C 2012, suggesting that subtraction or addition operators should not be applied to pointer values, which could lead to overflow and underflow memory bugs. @@ -18578,7 +18247,6 @@ rules: - boost-baseline - ALL - checkmarx-misrac - - owasp-top-10 description: Declarations of pointer types used in nesting do not exceed two levels, adhering to the MISRA C 2012 Rule 18.5, to prevent complexities in interpreting sequences of indirections. 
@@ -18592,7 +18260,6 @@ rules: - boost-baseline - ALL - checkmarx-misrac - - owasp-top-10 description: The rule ensures that the addresses of objects with automatic storage duration are not copied to other objects, as per MISRA C 2012 Rule 18.06. Doing so could lead to usage of an invalid address if the automatic storage has expired. @@ -18606,7 +18273,6 @@ rules: - boost-baseline - ALL - checkmarx-misrac - - owasp-top-10 description: Variable length arrays and flexible array members are prohibited, adhering to guidelines R18.07 and R18.08 from MISRA-C:2012 rules, thus ensuring predictability and reliability of the code. @@ -18620,7 +18286,6 @@ rules: - boost-baseline - ALL - checkmarx-misrac - - owasp-top-10 description: Identifies cases in C++ code where two pointers are used to simultaneously manipulate the same memory space, a violation of rule 19.x of the MISRA C 2012 standard, leading to potential undefined behavior or data integrity issues. @@ -18634,7 +18299,6 @@ rules: - boost-baseline - ALL - checkmarx-misrac - - owasp-top-10 description: When a '#include' directive is used in a file, it fails to respect the inclusion precedence outlined by MISRA C 2012 Rule 20.1, possibly disrupting the sequence of headers and leading to unpredictable results. @@ -18648,7 +18312,6 @@ rules: - boost-baseline - ALL - checkmarx-misrac - - owasp-top-10 description: Include file names must be a sequence of valid (ISO 646 Basic) source characters, excluding NUL, and do not contain a UCN encoding a character that can't appear in an ISO/IEC 646:1991 source file. This promotes code portability @@ -18663,7 +18326,6 @@ rules: - boost-baseline - ALL - checkmarx-misrac - - owasp-top-10 description: Violates MISRA C 2012 Rule 20.3, which stipulates that the '#include' directive must not use an angle-bracket form when including system library files and a double-quote form when including user-defined files. Non-compliance may 
@@ -18678,7 +18340,6 @@ rules: - boost-baseline - ALL - checkmarx-misrac - - owasp-top-10 description: Macro identifiers align with C++ language keyword names, which violates MISRA C 2012 Rule 20.04 and can lead to confusing or misleading code. group: top10-insecure-design @@ -18691,7 +18352,6 @@ rules: - boost-baseline - ALL - checkmarx-misrac - - owasp-top-10 description: The '#undef' directive is utilized in the code, violating Rule 20.5 of the MISRA C 2012 standard, which forbids the use of this directive in C programming to avoid inconsistencies in symbol definitions. @@ -18705,7 +18365,6 @@ rules: - boost-baseline - ALL - checkmarx-misrac - - owasp-top-10 description: The preprocessor concatenation operations do not comply with MISRA C 2012 Rules R20.10 to R20.12, implying a risk in misinterpretation of the combined tokens. @@ -18719,7 +18378,6 @@ rules: - boost-baseline - ALL - checkmarx-misrac - - owasp-top-10 description: 'Ensures compliance with MISRA C 2012 Rule 20.13: Every preprocessor directive in the code must be a valid and well-formed directive as per the standard. Invalid or ill-formed directives can cause undefined behavior or compilation @@ -18734,7 +18392,6 @@ rules: - boost-baseline - ALL - checkmarx-misrac - - owasp-top-10 description: An 'if' directive and an 'else' directive from a pair of conditional inclusion preprocessor directives are not part of the same file in C++, violating MISRA C 2012 Rule 20.14. This can cause inconsistent code behavior due to different @@ -18749,7 +18406,6 @@ rules: - boost-baseline - ALL - checkmarx-misrac - - owasp-top-10 description: Checks for the usage of C Standard Library functions not permissible under MISRA C:2012 rules 21.1 to 21.12, to guarantee safety, reliability, and portability. 
@@ -18763,7 +18419,6 @@ rules: - boost-baseline - ALL - checkmarx-misrac - - owasp-top-10 description: Checks for the use of C standard library types, as dictated by MISRA C:2012 Rules 21.13 to 21.20, which pose potential code safety and reliability hazards. @@ -18777,7 +18432,6 @@ rules: - boost-baseline - ALL - checkmarx-misrac - - owasp-top-10 description: 'Violates directive 4.13 of MISRA C 2012 guidelines: do not rely on undefined or unspecified behavior of any kind, including memory allocation routines, file handling, signals, and exceptions.' @@ -18791,7 +18445,6 @@ rules: - boost-baseline - ALL - checkmarx-misrac - - owasp-top-10 description: Enforces the use of "/* ... */" style for multi-line comments in C++ code instead of using a sequence of single line comments with "//", in accordance with the MISRA C++:2008 rule set (Rule 2-2-2). @@ -18805,7 +18458,6 @@ rules: - boost-baseline - ALL - checkmarx-misrac - - owasp-top-10 description: Detects the presence of nested comments in C++ code, a violation of MISRA C:2004 Rule 2.3, which may lead to misinterpretation and ambiguity during code analysis. @@ -18819,7 +18471,6 @@ rules: - boost-baseline - ALL - checkmarx-misrac - - owasp-top-10 description: Sections of code are commented out, violating Rule 02.04 of the MISRA C guidelines, which could indicate unfinished work or obsolete logic. group: top10-insecure-design @@ -18832,7 +18483,6 @@ rules: - boost-baseline - ALL - checkmarx-misrac - - owasp-top-10 description: Code contains '#pragma' directives that are not explained with adjacent comments, thereby violating MISRA C rule 03.04, which deems it necessary to provide explanations for each '#pragma' usage. @@ -18846,7 +18496,6 @@ rules: - boost-baseline - ALL - checkmarx-misrac - - owasp-top-10 description: Non-standard escape sequences are used in the program, violating rule R04.01 of the MISRA C guidelines, which requires all escape sequences to comply with the ISO 9899:1999 standard. 
@@ -18860,7 +18509,6 @@ rules: - boost-baseline - ALL - checkmarx-misrac - - owasp-top-10 description: Trigraph sequences are used in the code, violating the MISRA C Rule 04.02, which discourages their usage owing to possible confusion and misinterpretation. group: top10-insecure-design @@ -18873,7 +18521,6 @@ rules: - boost-baseline - ALL - checkmarx-misrac - - owasp-top-10 description: Identifier names in a C or C++ file exceed the recommended length specified by the MISRA-C coding standard, potentially leading to legibility and maintainability issues. @@ -18887,7 +18534,6 @@ rules: - boost-baseline - ALL - checkmarx-misrac - - owasp-top-10 description: Identifiers in an inner scope are used that hide identifiers in an outer scope, which may lead to confusion and errors, contradicting the MISRA C rule 05.02. @@ -18901,7 +18547,6 @@ rules: - boost-baseline - ALL - checkmarx-misrac - - owasp-top-10 description: The same name is used for different 'typedef' entities within the same codebase, violating MISRA C Rule 5.3, thus leading to potential code ambiguities. group: top10-insecure-design @@ -18914,7 +18559,6 @@ rules: - boost-baseline - ALL - checkmarx-misrac - - owasp-top-10 description: A tag name is being reused for different types within the same scope, violating the MISRA C Rule 05.04, and potentially leading to type confusion. group: top10-insecure-design @@ -18927,7 +18571,6 @@ rules: - boost-baseline - ALL - checkmarx-misrac - - owasp-top-10 description: An identifier with the static storage class specification appears more than once within the same scope, contravening rule 05.05 of the Motor Industry Software Reliability Association (MISRA) guidelines for C programming language. @@ -18941,7 +18584,6 @@ rules: - boost-baseline - ALL - checkmarx-misrac - - owasp-top-10 description: A single identifier name has been used for more than one entity within a scope, violating the MISRA C Rule 5.7 and leading to possible confusion and error. 
@@ -18955,7 +18597,6 @@ rules: - boost-baseline - ALL - checkmarx-misrac - - owasp-top-10 description: The use of 'plain char' type, which doesn't specify signedness, is not compliant with MISRA C Rule 6.1 and may lead to unexpected behavior in C++. This rule advises using 'signed char' or 'unsigned char' instead. @@ -18969,7 +18610,6 @@ rules: - boost-baseline - ALL - checkmarx-misrac - - owasp-top-10 description: Identifies instances in C++ code where plain 'char' type is used, in violation of MISRA C++ Rule 6-2-1 which recommends using 'signed' or 'unsigned' qualifiers for improved portability and predictability. @@ -18983,7 +18623,6 @@ rules: - boost-baseline - ALL - checkmarx-misrac - - owasp-top-10 description: Basic types in C++ code like int, char, etc., are used directly instead of through a typedef declaration, violating MISRA C Rule 6.3. This could lead to portability issues across different platforms. @@ -18997,7 +18636,6 @@ rules: - boost-baseline - ALL - checkmarx-misrac - - owasp-top-10 description: Bit fields should only be defined with `unsigned int` or `signed int` types, helping to prevent unexpected behavior or data corruption due to compiler-specific implementations. @@ -19011,7 +18649,6 @@ rules: - boost-baseline - ALL - checkmarx-misrac - - owasp-top-10 description: A bit-field declaration with a size greater than the intended bit width may cause unintended results and violates MISRA C:2004 Rule 6.5. group: top10-insecure-design @@ -19024,7 +18661,6 @@ rules: - boost-baseline - ALL - checkmarx-misrac - - owasp-top-10 description: An octal constant (other than zero) is being used which could lead to confusion or errors, violating MISRA C rule 07.01. group: top10-insecure-design 
@@ -19037,7 +18673,6 @@ rules: - boost-baseline - ALL - checkmarx-misrac - - owasp-top-10 description: The type of a standard library function is not identical in a function declaration and its corresponding definition, violating MISRA-C rule 08.03 and creating potential consistency issues. @@ -19051,7 +18686,6 @@ rules: - boost-baseline - ALL - checkmarx-misrac - - owasp-top-10 description: Objects or functions are used in a header file (.h file), conflicting with MISRA C's Rule 08.05, which prohibits declaring such entities in header files to prevent potential re-declaration errors and namespace pollution. @@ -19065,7 +18699,6 @@ rules: - boost-baseline - ALL - checkmarx-misrac - - owasp-top-10 description: Objects with block scope should not be declared in the block if they are only used by a single function, as outlined in MISRA C:2004, Rule 8.7, to improve code readability and maintainability. @@ -19079,7 +18712,6 @@ rules: - boost-baseline - ALL - checkmarx-misrac - - owasp-top-10 description: An externally linked object is declared more than once, causing redundancy and potentially leading to unpredictable behavior, in violation of MISRA C rule 08.08. @@ -19093,7 +18725,6 @@ rules: - boost-baseline - ALL - checkmarx-misrac - - owasp-top-10 description: Enum elements in C++ are not initialized following the first member and all elements are not consistently initialized, contravening MISRA C rule 09.03 and potentially leading to invalid enum member values. @@ -19107,7 +18738,6 @@ rules: - boost-baseline - ALL - checkmarx-misrac - - owasp-top-10 description: 'In C or C++ programming, unsigned constants must explicitly carry the ''U'' suffix, as per MISRA C : Rule 10.6. This rule identifies when the ''U'' suffix is not applied to an unsigned constant, which may lead to unexpected 
@@ -19122,7 +18752,6 @@ rules: - boost-baseline - ALL - checkmarx-misrac - - owasp-top-10 description: The rule checks for situations where logical '&&' and '||' operators don't have primary expressions as operands, which is a violation of MISRA C Rule 12.05. This could lead to unexpected behaviors due to operator precedence @@ -19137,7 +18766,6 @@ rules: - boost-baseline - ALL - checkmarx-misrac - - owasp-top-10 description: Bitwise operators are applied to signed data types in C++, violating MISRA C guideline (Rule 12.07). This could lead to unpredictable behavior due to sign extension. @@ -19151,7 +18779,6 @@ rules: - boost-baseline - ALL - checkmarx-misrac - - owasp-top-10 description: Applies the unary minus operator to an unsigned type, which, according to MISRA C Rule 12.9, can result in undefined behavior due to wrapping around zero. @@ -19165,7 +18792,6 @@ rules: - boost-baseline - ALL - checkmarx-misrac - - owasp-top-10 description: The comma operator is being used in an expression. According to the Motor Industry Software Reliability Association (MISRA) C rule 12.10, this is not advised due to its potential to impact the order of operations and lead @@ -19180,7 +18806,6 @@ rules: - boost-baseline - ALL - checkmarx-misrac - - owasp-top-10 description: Floating point values are treated as though they have an underlying bit representation, violating MISRA C rule 12.12, which can lead to unexpected results or undefined behavior. @@ -19194,7 +18819,6 @@ rules: - boost-baseline - ALL - checkmarx-misrac - - owasp-top-10 description: The rule indicates the usage of increment (++) and decrement (--) operators, which is not compliant with MISRA C guideline 12.13 due to potential unpredictability of execution order. 
@@ -19208,7 +18832,6 @@ rules: - boost-baseline - ALL - checkmarx-misrac - - owasp-top-10 description: Assignment operators are used improperly within boolean expressions, violating MISRA C Rule 13.01. This could lead to unpredictable software behavior. group: top10-insecure-design @@ -19221,7 +18844,6 @@ rules: - boost-baseline - ALL - checkmarx-misrac - - owasp-top-10 description: Compares floating point numbers for equality or inequality, which contradicts MISRA C R13.03 due to potential inaccuracies in floating point storage and computation. @@ -19235,7 +18857,6 @@ rules: - boost-baseline - ALL - checkmarx-misrac - - owasp-top-10 description: Floating point objects are being used in for loop control structures, which is a violation of MISRA C rule 13.04. This can lead to unpredictable behavior due to the imprecise nature of floating point numbers. @@ -19249,7 +18870,6 @@ rules: - boost-baseline - ALL - checkmarx-misrac - - owasp-top-10 description: Violates MISRA C Rule 13.06 as the loop iterator is modified in the body of the loop, which may lead to unpredictable iteration behaviors. group: top10-insecure-design @@ -19262,7 +18882,6 @@ rules: - boost-baseline - ALL - checkmarx-misrac - - owasp-top-10 description: Refers to the use of 'goto' statement in C++ which violates the MISRA C 2004 Rule 14.4, deeming it as non-compliant due to potential control flow disruption. @@ -19276,7 +18895,6 @@ rules: - boost-baseline - ALL - checkmarx-misrac - - owasp-top-10 description: The 'continue' statement is used in iteration statements, which contradicts rule 14.05 of the MISRA C guidelines, recommending against its use for better predictability and understandability of the code. @@ -19290,7 +18908,6 @@ rules: - boost-baseline - ALL - checkmarx-misrac - - owasp-top-10 description: Indicates the presence of multiple break statements within a loop or iteration, which violates MISRA C Rule 14.06 and disrupts expected control flow. 
@@ -19304,7 +18921,6 @@ rules: - boost-baseline - ALL - checkmarx-misrac - - owasp-top-10 description: Functions must have a single point of exit at the end, maintaining only one return statement, as per the MISRA C:2012 Rule 14.7, to improve readability and manageability of the code. @@ -19318,7 +18934,6 @@ rules: - boost-baseline - ALL - checkmarx-misrac - - owasp-top-10 description: The last statement of a switch case or an iteration directive is not a compound statement, which contradicts the MISRA C rule 14.08 guideline and can lead to potential logical errors. @@ -19332,7 +18947,6 @@ rules: - boost-baseline - ALL - checkmarx-misrac - - owasp-top-10 description: An 'if' or 'else if' conditional statement, containing a non-compound statement as its body, must be enclosed in braces {}. Violating this requirement in the C++ language as stipulated by MISRA C standard can lead to misunderstanding @@ -19347,7 +18961,6 @@ rules: - boost-baseline - ALL - checkmarx-misrac - - owasp-top-10 description: 'An ''if'' / ''else if'' construct is not ending with an ''else'' clause, violating MISRA C''s Rule 14.10 and potentially leading to unanticipated behavior under certain conditions. @@ -19363,7 +18976,6 @@ rules: - boost-baseline - ALL - checkmarx-misrac - - owasp-top-10 description: A case in a switch statement is not enclosed by braces, violating the MISRA C Rule 15.1, thus possibly causing unexpected fall-through behavior. group: top10-insecure-design @@ -19376,7 +18988,6 @@ rules: - boost-baseline - ALL - checkmarx-misrac - - owasp-top-10 description: A non-empty switch clause lacks a 'break' statement. According to the MISRA C Guidelines (Rule 15.2), this may lead to unintended execution of adjacent switch clauses. 
@@ -19390,7 +19001,6 @@ rules: - boost-baseline - ALL - checkmarx-misrac - - owasp-top-10 description: A 'switch' statement in C++ does not have a 'default' clause as the last clause, violating the MISRA C Rule 15.03 and potentially leading to unexpected behavior. @@ -19404,7 +19014,6 @@ rules: - boost-baseline - ALL - checkmarx-misrac - - owasp-top-10 description: A switch statement doesn't include any case labels, negating its purpose; as per MISRA C Rule 15.5, this renders the code non-compliant with best practice. @@ -19418,7 +19027,6 @@ rules: - boost-baseline - ALL - checkmarx-misrac - - owasp-top-10 description: Functions with a variable number of arguments are used, in violation of MISRA C Rule 16.01. This can lead to potential security and stability issues. group: top10-insecure-design @@ -19431,7 +19039,6 @@ rules: - boost-baseline - ALL - checkmarx-misrac - - owasp-top-10 description: The rule identifies uses of recursion within C++ code, a practice prohibited by the MISRA C standard due to the possible risks of stack overflow. group: top10-insecure-design @@ -19444,7 +19051,6 @@ rules: - boost-baseline - ALL - checkmarx-misrac - - owasp-top-10 description: Violation of MISRA C Rule 16.3, indicating a function prototype is declared without specifying parameter identifiers, which may lead to confusion or mistakes during code maintenance. @@ -19458,7 +19064,6 @@ rules: - boost-baseline - ALL - checkmarx-misrac - - owasp-top-10 description: The identifiers in a function prototype don't match those in its function definition, violating rule R16.04 of the Motor Industry Software Reliability Association (MISRA) C guidelines. @@ -19473,7 +19078,6 @@ rules: - boost-baseline - ALL - checkmarx-misrac - - owasp-top-10 description: A function prototype declaration without parameters presents ambiguity and potential misuse opportunities, violating the MISRA C rule (16.05), which requires clear parameter specification. 
@@ -19487,7 +19091,6 @@ rules: - boost-baseline - ALL - checkmarx-misrac - - owasp-top-10 description: 'A function is invoked with a number of arguments that does not match the number of parameters in its declaration, violating MISRA C rule R16.06. This could cause unexpected behavior or program crashes. @@ -19504,7 +19107,6 @@ rules: - boost-baseline - ALL - checkmarx-misrac - - owasp-top-10 description: Parameters of a function that are pointers to non-const should be pointers to const if they are not modified, to maintain data integrity and prevent unintentional changes. This rule ensures adherence to MISRA C Rule 16.07. @@ -19518,7 +19120,6 @@ rules: - boost-baseline - ALL - checkmarx-misrac - - owasp-top-10 description: Non-void functions in C++ lack an explicit return statement, violating MISRA C Rule 16.08, which may cause unpredictable program behavior due to undefined return values. @@ -19532,7 +19133,6 @@ rules: - boost-baseline - ALL - checkmarx-misrac - - owasp-top-10 description: The function identifier is being used inappropriately, i.e., not as a function call or pointer to function, which violates MISRA C Rule 16.09. group: top10-insecure-design @@ -19545,7 +19145,6 @@ rules: - boost-baseline - ALL - checkmarx-misrac - - owasp-top-10 description: The rule identifies the use of 'union' data types in C++. According to MISRA C guidelines (Rule 18.4), unions should not be used due to potential issues with data corruption and indeterminate values. @@ -19559,7 +19158,6 @@ rules: - boost-baseline - ALL - checkmarx-misrac - - owasp-top-10 description: A non-preprocessor command appears before a '#include' directive in a file, which violates the MISRA C:2004 Rule 19.1, making the code prone to unexpected behavior or errors. 
@@ -19573,7 +19171,6 @@ rules: - boost-baseline - ALL - checkmarx-misrac - - owasp-top-10 description: Header file names include non-standard characters, violating Rule 19.2 of MISRA C which states that standardized or expanded identifiers should be used for header file names to avoid potential compatibility issues. @@ -19587,7 +19184,6 @@ rules: - boost-baseline - ALL - checkmarx-misrac - - owasp-top-10 description: The '#include' directive format does not adhere to the MISRA C 2012 Rule 19.3, advocating that all '#include' directives should be located in either the file scope or a function scope, and never inside a block scope. @@ -19601,7 +19197,6 @@ rules: - boost-baseline - ALL - checkmarx-misrac - - owasp-top-10 description: The code violates MISRA C Rule 19.5 by using '#define' or '#undef' directive within a function or block scope, which can cause unpredictable behavior or difficulties in code maintenance. @@ -19615,7 +19210,6 @@ rules: - boost-baseline - ALL - checkmarx-misrac - - owasp-top-10 description: An '#undef' directive is used within a source file, causing potential discrepancies and undefined behaviour in the compiled program, a violation of the MISRA C 2012 Rule 19.6. @@ -19629,7 +19223,6 @@ rules: - boost-baseline - ALL - checkmarx-misrac - - owasp-top-10 description: A C++ macro utilizes multiple '#' or '##' preprocessor operators, violating MISRA-C rule 19.12 for safe and reliable code in embedded systems. group: top10-insecure-design @@ -19642,7 +19235,6 @@ rules: - boost-baseline - ALL - checkmarx-misrac - - owasp-top-10 description: The C++ preprocessor operator (#) is in use, contradicting the MISRA C rule 19.13, which outlaws the utilization of this operator as a measure against accidental macro undefined behavior. 
@@ -19656,7 +19248,6 @@ rules: - boost-baseline - ALL - checkmarx-misrac - - owasp-top-10 description: In the examined C++ code, a preprocessor '#if' operator and its corresponding '#else' operator are located in separate files, which is a violation of the MISRA C Rule 19.17. This situation can lead to control flow confusion and inconsistent @@ -19672,7 +19263,6 @@ rules: - boost-baseline - ALL - checkmarx-misrac - - owasp-top-10 description: The rule indicates the use of the 'errno' indicator from the 'errno.h' library in C++, which is a direct violation of the MISRA C:2012 Rule 20.5, stressing against such usage due to its global accessibility from different threads, potentially @@ -19687,7 +19277,6 @@ rules: - boost-baseline - ALL - checkmarx-misrac - - owasp-top-10 description: The use of 'offsetof' macro from 'stddef.h' is not compliant with the Motor Industry Software Reliability Association's C coding standards (MISRA C), particularly rule 20.6. The 'offsetof' macro relies on undefined behavior @@ -19702,7 +19291,6 @@ rules: - boost-baseline - ALL - checkmarx-misrac - - owasp-top-10 description: The code uses setjmp/longjmp macros from which is disallowed by MISRA C Rule 20.7 due to its non-deterministic flow of control. This could lead to potential bugs and portability issues. @@ -19716,7 +19304,6 @@ rules: - boost-baseline - ALL - checkmarx-misrac - - owasp-top-10 description: The code includes signal handling functionality from 'signal.h', a violation of the MISRA C Rule 20.08 (The signal handling facilities of shall not be used), risking unpredictable behavior. @@ -19730,7 +19317,6 @@ rules: - boost-baseline - ALL - checkmarx-misrac - - owasp-top-10 description: Objects from the 'stdio.h' library are used, which is prohibited by MISRA C guideline (Rule 20.9). This could introduce vulnerabilities associated with standard Input/Output operations. 
@@ -19744,7 +19330,6 @@ rules: - boost-baseline - ALL - checkmarx-misrac - - owasp-top-10 description: Functions atof, atoi, and atol from stdlib.h are used, which violates Rule 20.10 from the MISRA C Guidelines encouraging use of application-specific versions of these functions to handle number conversion errors better. @@ -19758,7 +19343,6 @@ rules: - boost-baseline - ALL - checkmarx-misrac - - owasp-top-10 description: Functions 'abort', 'exit', 'getenv', and 'system' from 'stdlib.h' are used, violating MISRA C Rule 20.11 that discourages their usage due to potential unpredictability in program behavior. @@ -19772,7 +19356,6 @@ rules: - boost-baseline - ALL - checkmarx-misrac - - owasp-top-10 description: The code employs time handling functions or macros from the 'time.h' header file, violating MISRA C rule 20.12, which can lead to unpredictable behavior due to potential inconsistencies in system time settings. @@ -19813,7 +19396,6 @@ rules: categories: - cwe-242 - checkmarx-medium-threat - - owasp-top-10 - boost-baseline - ALL description: The product calls a function that can never be guaranteed to work @@ -19826,7 +19408,6 @@ rules: CPP_Medium_Threat_Divide_By_Zero: categories: - checkmarx-medium-threat - - owasp-top-10 - cwe-369 - boost-baseline - ALL @@ -19839,7 +19420,6 @@ rules: CPP_Medium_Threat_DoS_by_Sleep: categories: - checkmarx-medium-threat - - owasp-top-10 - boost-baseline - ALL description: The product performs an iteration or loop without sufficiently limiting @@ -19853,7 +19433,6 @@ rules: categories: - checkmarx-medium-threat - cwe-415 - - owasp-top-10 - boost-baseline - ALL description: The product calls free() twice on the same memory address, potentially @@ -19884,6 +19463,7 @@ rules: - ALL - checkmarx-medium-threat - cwe-15 + - owasp-top-10 description: One or more system settings or configuration elements can be externally controlled by a user. group: top10-security-misconfiguration 
@@ -19897,6 +19477,7 @@ rules: - ALL - cwe-547 - checkmarx-medium-threat + - owasp-top-10 description: The product uses hard-coded constants instead of symbolic names for security-critical values, which increases the likelihood of mistakes during code maintenance or security policy change. @@ -19908,7 +19489,6 @@ rules: CPP_Medium_Threat_Improperly_Locked_Memory: categories: - checkmarx-medium-threat - - owasp-top-10 - cwe-591 - boost-baseline - ALL @@ -19940,7 +19520,6 @@ rules: categories: - cwe-477 - checkmarx-medium-threat - - owasp-top-10 - boost-baseline - ALL description: The code uses deprecated or obsolete functions, which suggests that @@ -19954,7 +19533,6 @@ rules: categories: - cwe-590 - checkmarx-medium-threat - - owasp-top-10 - boost-baseline - ALL description: The product calls free() on a pointer to memory that was not allocated @@ -19968,7 +19546,6 @@ rules: categories: - checkmarx-medium-threat - cwe-401 - - owasp-top-10 - boost-baseline - ALL description: The product does not sufficiently track and release allocated memory @@ -20027,7 +19604,6 @@ rules: CPP_Medium_Threat_Pointer_Subtraction_Determines_Size: categories: - checkmarx-medium-threat - - owasp-top-10 - boost-baseline - ALL description: The product subtracts one pointer from another in order to determine @@ -20044,6 +19620,7 @@ rules: - ALL - checkmarx-medium-threat - cwe-15 + - owasp-top-10 description: One or more system settings or configuration elements can be externally controlled by a user. group: top10-security-misconfiguration @@ -20055,7 +19632,6 @@ rules: categories: - checkmarx-medium-threat - cwe-674 - - owasp-top-10 - boost-baseline - ALL description: The product does not properly control the amount of recursion that @@ -20070,7 +19646,6 @@ rules: categories: - checkmarx-medium-threat - cwe-top-25 - - owasp-top-10 - boost-baseline - ALL - cwe-416 
@@ -20099,7 +19674,6 @@ rules: categories: - checkmarx-medium-threat - cwe-457 - - owasp-top-10 - boost-baseline - ALL description: The code uses a variable that has not been initialized, leading to @@ -20113,7 +19687,6 @@ rules: categories: - checkmarx-medium-threat - cwe-457 - - owasp-top-10 - boost-baseline - ALL description: The code uses a variable that has not been initialized, leading to @@ -20127,7 +19700,6 @@ rules: categories: - checkmarx-medium-threat - cwe-457 - - owasp-top-10 - boost-baseline - ALL description: The code uses a variable that has not been initialized, leading to @@ -20155,7 +19727,6 @@ rules: CPP_Medium_Threat_Wrong_Memory_Allocation: categories: - checkmarx-medium-threat - - owasp-top-10 - boost-baseline - ALL - cwe-131 @@ -20186,7 +19757,6 @@ rules: CPP_Stored_Vulnerabilities_Stored_Buffer_Overflow_boundcpy: categories: - checkmarx-stored-vulnerabilities - - owasp-top-10 - cwe-120 - boost-baseline - ALL @@ -20201,7 +19771,6 @@ rules: CPP_Stored_Vulnerabilities_Stored_Buffer_Overflow_cpycat: categories: - checkmarx-stored-vulnerabilities - - owasp-top-10 - cwe-120 - boost-baseline - ALL @@ -20216,7 +19785,6 @@ rules: CPP_Stored_Vulnerabilities_Stored_Buffer_Overflow_fgets: categories: - checkmarx-stored-vulnerabilities - - owasp-top-10 - cwe-120 - boost-baseline - ALL @@ -20231,7 +19799,6 @@ rules: CPP_Stored_Vulnerabilities_Stored_Buffer_Overflow_fscanf: categories: - checkmarx-stored-vulnerabilities - - owasp-top-10 - cwe-120 - boost-baseline - ALL @@ -20292,7 +19859,6 @@ rules: CPP_Stored_Vulnerabilities_Stored_DoS_by_Sleep: categories: - checkmarx-stored-vulnerabilities - - owasp-top-10 - boost-baseline - ALL - cwe-730 @@ -20308,6 +19874,7 @@ rules: - ALL - checkmarx-stored-vulnerabilities - cwe-15 + - owasp-top-10 description: One or more system settings or configuration elements can be externally controlled by a user. group: top10-security-misconfiguration 
@@ -20319,7 +19886,6 @@ rules: categories: - cwe-134 - checkmarx-stored-vulnerabilities - - owasp-top-10 - boost-baseline - ALL description: The product uses a function that accepts a format string as an argument, @@ -20351,6 +19917,7 @@ rules: - ALL - cwe-117 - checkmarx-stored-vulnerabilities + - owasp-top-10 description: The product does not neutralize or incorrectly neutralizes output that is written to logs. group: top10-security-logging-monitoring-failures @@ -20394,7 +19961,6 @@ rules: CPP_Stored_Vulnerabilities_Stored_Process_Control: categories: - checkmarx-stored-vulnerabilities - - owasp-top-10 - cwe-114 - boost-baseline - ALL @@ -20618,7 +20184,6 @@ rules: - boost-baseline - ALL - checkmarx-best-coding-practices - - owasp-top-10 description: The rule signifies an issue where a C# method, adorned with the AllowPartiallyTrustedCallersAttribute (APTCA), invokes a method that lacks the same attribute, posing a threat to privileged access security. @@ -20630,7 +20195,6 @@ rules: CSharp_Best_Coding_Practice_Catch_NullPointerException: categories: - cwe-395 - - owasp-top-10 - checkmarx-best-coding-practices - boost-baseline - ALL @@ -20644,7 +20208,6 @@ rules: CSharp_Best_Coding_Practice_Declaration_Of_Catch_For_Generic_Exception: categories: - cwe-396 - - owasp-top-10 - checkmarx-best-coding-practices - boost-baseline - ALL @@ -20660,7 +20223,6 @@ rules: - boost-baseline - ALL - checkmarx-best-coding-practices - - owasp-top-10 description: Identifies the use of deprecated methods in the C# code which could result in future compatibility issues or unexpected behavior. group: top10-insecure-design @@ -20671,7 +20233,6 @@ rules: CSharp_Best_Coding_Practice_Detection_of_Error_Condition_Without_Action: categories: - cwe-390 - - owasp-top-10 - checkmarx-best-coding-practices - boost-baseline - ALL 
@@ -20685,7 +20246,6 @@ rules: CSharp_Best_Coding_Practice_Direct_Use_of_Sockets: categories: - boost-baseline - - owasp-top-10 - checkmarx-best-coding-practices - cwe-246 - ALL @@ -20715,7 +20275,6 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CSharp_Best_Coding_Practice_Exposure_of_Resource_to_Wrong_Sphere: categories: - - owasp-top-10 - cwe-493 - checkmarx-best-coding-practices - boost-baseline @@ -20729,7 +20288,6 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CSharp_Best_Coding_Practice_GetLastWin32Error_Is_Not_Called_After_Pinvoke: categories: - - owasp-top-10 - checkmarx-best-coding-practices - boost-baseline - ALL @@ -20779,6 +20337,7 @@ rules: - ALL - checkmarx-best-coding-practices - cwe-778 + - owasp-top-10 description: When a security-critical event occurs, the product either does not record the event or omits important details about the event when logging it. group: top10-security-logging-monitoring-failures @@ -20792,6 +20351,7 @@ rules: - ALL - checkmarx-best-coding-practices - cwe-778 + - owasp-top-10 description: When a security-critical event occurs, the product either does not record the event or omits important details about the event when logging it. group: top10-security-logging-monitoring-failures @@ -20805,6 +20365,7 @@ rules: - ALL - checkmarx-best-coding-practices - cwe-778 + - owasp-top-10 description: When a security-critical event occurs, the product either does not record the event or omits important details about the event when logging it. group: top10-security-logging-monitoring-failures @@ -20815,7 +20376,6 @@ rules: CSharp_Best_Coding_Practice_Just_One_of_Equals_and_Hash_code_Defined: categories: - ALL - - owasp-top-10 - checkmarx-best-coding-practices - boost-baseline - cwe-581 
@@ -20828,7 +20388,6 @@ rules: CSharp_Best_Coding_Practice_Leftover_Debug_Code: categories: - cwe-489 - - owasp-top-10 - checkmarx-best-coding-practices - boost-baseline - ALL @@ -20845,7 +20404,6 @@ rules: - boost-baseline - ALL - checkmarx-best-coding-practices - - owasp-top-10 description: Numerical literals are directly used in the code, instead of being declared as constants. This makes code less readable and maintainable due to lack of context or meaning attached to these numbers, known as 'Magic Numbers'. @@ -20857,7 +20415,6 @@ rules: CSharp_Best_Coding_Practice_Missing_XML_Validation: categories: - cwe-112 - - owasp-top-10 - checkmarx-best-coding-practices - boost-baseline - ALL @@ -20873,7 +20430,6 @@ rules: - boost-baseline - ALL - checkmarx-best-coding-practices - - owasp-top-10 description: Invoking the 'Equals' method with a null argument can lead to a NullReferenceException if the implementation doesn't handle the null condition correctly, causing a potential program crash. @@ -20887,7 +20443,6 @@ rules: - boost-baseline - ALL - checkmarx-best-coding-practices - - owasp-top-10 description: Static constructors in C# that aren't marked as private might lead to uncontrolled instantiation, affecting program predictability and security. group: top10-insecure-design @@ -20897,7 +20452,6 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CSharp_Best_Coding_Practice_Pages_Without_Global_Error_Handler: categories: - - owasp-top-10 - cwe-544 - checkmarx-best-coding-practices - boost-baseline @@ -20915,7 +20469,6 @@ rules: - boost-baseline - ALL - checkmarx-best-coding-practices - - owasp-top-10 description: The property PersistSecurityInfo is set to true, revealing sensitive information such as a password, in a connection string after the connection to the database is established. 
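Review bot: The PersistSecurityInfo hunk removes `owasp-top-10` from a rule whose description is about a password being exposed in a connection string, and none of the three visible context lines carries a `cwe-*` entry, so the removal appears to be driven by a missing CWE mapping rather than by a judgment that credential exposure is outside the Top 10. A rule of this kind plausibly maps to a CWE that is in the 2021 list (CWE-522 insufficiently protected credentials or CWE-312 cleartext storage would be my first candidates, to be confirmed against the list this repository uses), in which case adding e.g. `- cwe-522` keeps the category for a defensible reason instead of silently demoting the rule. A CWE line could exist above the hunk's context, so check the full entry before acting.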
@@ -20927,7 +20480,6 @@ rules: CSharp_Best_Coding_Practice_Routed_Deprecated_Code: categories: - cwe-477 - - owasp-top-10 - checkmarx-best-coding-practices - boost-baseline - ALL @@ -20941,7 +20493,6 @@ rules: CSharp_Best_Coding_Practice_Suspicious_Endpoints: categories: - cwe-923 - - owasp-top-10 - checkmarx-best-coding-practices - boost-baseline - ALL @@ -20956,7 +20507,6 @@ rules: CSharp_Best_Coding_Practice_Threads_in_WebApp: categories: - ALL - - owasp-top-10 - checkmarx-best-coding-practices - boost-baseline - cwe-383 @@ -20969,7 +20519,6 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CSharp_Best_Coding_Practice_Unchecked_Error_Condition: categories: - - owasp-top-10 - cwe-391 - checkmarx-best-coding-practices - boost-baseline @@ -20983,7 +20532,6 @@ rules: CSharp_Best_Coding_Practice_Unchecked_Return_Value: categories: - cwe-252 - - owasp-top-10 - checkmarx-best-coding-practices - boost-baseline - ALL @@ -20996,7 +20544,6 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CSharp_Best_Coding_Practice_Unclosed_Objects: categories: - - owasp-top-10 - checkmarx-best-coding-practices - boost-baseline - ALL @@ -21013,7 +20560,6 @@ rules: - boost-baseline - ALL - checkmarx-best-coding-practices - - owasp-top-10 description: Public methods, classes, or interfaces within the application's API lack necessary documentation comments, leading to potential misuse or improper implementation. @@ -21061,7 +20607,6 @@ rules: - boost-baseline - ALL - checkmarx-best-coding-practices - - owasp-top-10 description: Public methods accept arguments without proper validation, increasing the potential for harmful or unexpected behavior due to uncontrolled input. group: top10-insecure-design @@ -21072,7 +20617,6 @@ rules: CSharp_Best_Coding_Practice_Use_Of_Uninitialized_Variables: categories: - cwe-457 - - owasp-top-10 - checkmarx-best-coding-practices - boost-baseline - ALL 
@@ -21085,7 +20629,6 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CSharp_Best_Coding_Practice_Use_of_System_Output_Stream: categories: - - owasp-top-10 - cwe-398 - checkmarx-best-coding-practices - boost-baseline @@ -21098,7 +20641,6 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CSharp_Best_Coding_Practice_Using_Of_Index_Instead_Of_Key: categories: - - owasp-top-10 - cwe-398 - checkmarx-best-coding-practices - boost-baseline @@ -21114,7 +20656,6 @@ rules: - boost-baseline - ALL - checkmarx-best-coding-practices - - owasp-top-10 description: In the context of C# code, pointers are declared in visible scopes, leading to potential memory manipulation vulnerabilities. group: top10-insecure-design @@ -21507,7 +21048,6 @@ rules: categories: - cwe-171 - checkmarx-low-visibility - - owasp-top-10 - boost-baseline - ALL description: Improper handling of data within protection mechanisms that attempt @@ -21550,7 +21090,6 @@ rules: categories: - cwe-203 - checkmarx-low-visibility - - owasp-top-10 - boost-baseline - ALL description: The product behaves differently or sends different responses under @@ -21566,7 +21105,6 @@ rules: categories: - cwe-244 - checkmarx-low-visibility - - owasp-top-10 - boost-baseline - ALL description: Using realloc() to resize buffers that store sensitive information @@ -21583,6 +21121,7 @@ rules: - ALL - checkmarx-low-visibility - cwe-520 + - owasp-top-10 description: Allowing a .NET application to run at potentially escalated levels of access to the underlying operating and file systems can be dangerous and result in various forms of attacks. @@ -21611,7 +21150,6 @@ rules: categories: - cwe-248 - checkmarx-low-visibility - - owasp-top-10 - boost-baseline - ALL description: An exception is thrown from a function, but it is not caught. 
@@ -21624,7 +21162,6 @@ rules: categories: - cwe-404 - checkmarx-low-visibility - - owasp-top-10 - boost-baseline - ALL description: The product does not release or incorrectly releases a resource before @@ -21652,7 +21189,6 @@ rules: categories: - cwe-460 - checkmarx-low-visibility - - owasp-top-10 - boost-baseline - ALL description: The product does not clean up its state or incorrectly cleans up @@ -21666,7 +21202,6 @@ rules: CSharp_Low_Visibility_Inappropriate_Encoding_for_Output_Context: categories: - checkmarx-low-visibility - - owasp-top-10 - boost-baseline - ALL - cwe-838 @@ -21785,7 +21320,6 @@ rules: CSharp_Low_Visibility_Leaving_Temporary_Files: categories: - checkmarx-low-visibility - - owasp-top-10 - boost-baseline - ALL - cwe-376 @@ -21801,6 +21335,7 @@ rules: - ALL - cwe-117 - checkmarx-low-visibility + - owasp-top-10 description: The product does not neutralize or incorrectly neutralizes output that is written to logs. group: top10-security-logging-monitoring-failures @@ -21841,7 +21376,6 @@ rules: categories: - cwe-193 - checkmarx-low-visibility - - owasp-top-10 - boost-baseline - ALL description: A product calculates or uses an incorrect maximum or minimum value @@ -21884,7 +21418,6 @@ rules: categories: - cwe-615 - checkmarx-low-visibility - - owasp-top-10 - boost-baseline - ALL description: 'While adding general comments is very useful, some programmers tend @@ -21913,7 +21446,6 @@ rules: CSharp_Low_Visibility_Potential_ReDoS: categories: - checkmarx-low-visibility - - owasp-top-10 - cwe-400 - boost-baseline - ALL @@ -21929,7 +21461,6 @@ rules: CSharp_Low_Visibility_Potential_ReDoS_By_Injection: categories: - checkmarx-low-visibility - - owasp-top-10 - cwe-400 - boost-baseline - ALL @@ -21945,7 +21476,6 @@ rules: CSharp_Low_Visibility_Potential_ReDoS_In_Code: categories: - checkmarx-low-visibility - - owasp-top-10 - cwe-400 - boost-baseline - ALL 
@@ -21961,7 +21491,6 @@ rules: CSharp_Low_Visibility_Potential_ReDoS_In_Static_Field: categories: - checkmarx-low-visibility - - owasp-top-10 - cwe-400 - boost-baseline - ALL @@ -21978,7 +21507,6 @@ rules: categories: - cwe-350 - checkmarx-low-visibility - - owasp-top-10 - boost-baseline - ALL description: The product performs reverse DNS resolution on an IP address to obtain @@ -22055,7 +21583,6 @@ rules: categories: - cwe-567 - checkmarx-low-visibility - - owasp-top-10 - boost-baseline - ALL description: The product does not properly synchronize shared data, such as static @@ -22084,7 +21611,6 @@ rules: categories: - cwe-647 - checkmarx-low-visibility - - owasp-top-10 - boost-baseline - ALL description: The product defines policy namespaces and makes authorization decisions @@ -22183,7 +21709,6 @@ rules: CSharp_Medium_Threat_Buffer_Overflow: categories: - checkmarx-medium-threat - - owasp-top-10 - cwe-120 - boost-baseline - ALL @@ -22260,7 +21785,6 @@ rules: CSharp_Medium_Threat_Data_Filter_Injection: categories: - checkmarx-medium-threat - - owasp-top-10 - cwe-943 - boost-baseline - ALL @@ -22275,7 +21799,6 @@ rules: CSharp_Medium_Threat_DoS_by_Sleep: categories: - checkmarx-medium-threat - - owasp-top-10 - boost-baseline - ALL description: The product performs an iteration or loop without sufficiently limiting @@ -22320,6 +21843,7 @@ rules: - ALL - cwe-547 - checkmarx-medium-threat + - owasp-top-10 description: The product uses hard-coded constants instead of symbolic names for security-critical values, which increases the likelihood of mistakes during code maintenance or security policy change. @@ -22334,6 +21858,7 @@ rules: - ALL - boost-baseline - checkmarx-medium-threat + - owasp-top-10 description: The product uses a cookie to store sensitive information, but the cookie is not marked with the HttpOnly flag. group: top10-security-misconfiguration 
@@ -22345,7 +21870,6 @@ rules: categories: - checkmarx-medium-threat - cwe-667 - - owasp-top-10 - boost-baseline - ALL description: The product does not properly acquire or release a lock on a resource,
@@ -22362,6 +21886,7 @@ rules: - boost-baseline - ALL - cwe-top-25 + - owasp-top-10 description: The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.
@@ -22376,6 +21901,7 @@ rules: - cwe-614 - checkmarx-medium-threat - ALL + - owasp-top-10 description: The Secure attribute for sensitive cookies in HTTPS sessions is not set, which could cause the user agent to send those cookies in plaintext over an HTTP session.
@@ -22403,7 +21929,6 @@ rules: categories: - checkmarx-medium-threat - cwe-190 - - owasp-top-10 - boost-baseline - ALL - cwe-top-25
@@ -22607,7 +22132,6 @@ rules: categories: - checkmarx-medium-threat - cwe-366 - - owasp-top-10 - boost-baseline - ALL description: If two threads of execution use a resource simultaneously, there
@@ -22621,7 +22145,6 @@ rules: CSharp_Medium_Threat_ReDoS_By_Regex_Injection: categories: - checkmarx-medium-threat - - owasp-top-10 - cwe-400 - boost-baseline - ALL
@@ -22637,7 +22160,6 @@ rules: CSharp_Medium_Threat_ReDoS_In_Code: categories: - checkmarx-medium-threat - - owasp-top-10 - cwe-400 - boost-baseline - ALL
@@ -22653,7 +22175,6 @@ rules: CSharp_Medium_Threat_ReDoS_In_Validation: categories: - checkmarx-medium-threat - - owasp-top-10 - cwe-400 - boost-baseline - ALL
@@ -22703,7 +22224,6 @@ rules: categories: - checkmarx-medium-threat - cwe-599 - - owasp-top-10 - boost-baseline - ALL description: The product uses OpenSSL and trusts or uses a certificate without
@@ -22816,7 +22336,6 @@ rules: categories: - cwe-404 - checkmarx-medium-threat - - owasp-top-10 - boost-baseline - ALL description: The product does not release or incorrectly releases a resource before
@@ -22872,7 +22391,6 @@ rules: CSharp_Medium_Threat_Value_Shadowing: categories: - checkmarx-medium-threat - - owasp-top-10 - cwe-233 - boost-baseline - ALL
@@ -22904,7 +22422,6 @@ rules: - boost-baseline - ALL - checkmarx-web-config - - owasp-top-10 description: Session state is configured with cookieless enabled in web.config, leading to possible session hijacking through URL leaks. group: top10-broken-access-control
@@ -22915,7 +22432,6 @@ rules: CSharp_WebConfig_CustomError: categories: - cwe-12 - - owasp-top-10 - checkmarx-web-config - boost-baseline - ALL
@@ -22932,6 +22448,7 @@ rules: - ALL - checkmarx-web-config - cwe-11 + - owasp-top-10 description: Debugging messages help attackers learn about the system and plan a form of attack. group: top10-security-misconfiguration
@@ -22973,7 +22490,6 @@ rules: CSharp_WebConfig_HardcodedCredentials: categories: - cwe-489 - - owasp-top-10 - checkmarx-web-config - boost-baseline - ALL
@@ -22991,6 +22507,7 @@ rules: - ALL - boost-baseline - checkmarx-web-config + - owasp-top-10 description: The product uses a cookie to store sensitive information, but the cookie is not marked with the HttpOnly flag. group: top10-security-misconfiguration
@@ -23015,7 +22532,6 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CSharp_WebConfig_NonUniqueFormName: categories: - - owasp-top-10 - checkmarx-web-config - cwe-694 - boost-baseline
@@ -23033,6 +22549,7 @@ rules: - ALL - checkmarx-web-config - cwe-260 + - owasp-top-10 description: The product stores a password in a configuration file that might be accessible to actors who do not know the password. group: top10-security-misconfiguration
@@ -23046,6 +22563,7 @@ rules: - cwe-614 - ALL - checkmarx-web-config + - owasp-top-10 description: The Secure attribute for sensitive cookies in HTTPS sessions is not set, which could cause the user agent to send those cookies in plaintext over an HTTP session.
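Review bot: The cookieless session-state rule in the `@@ -22904` hunk drops `- owasp-top-10` but keeps `group: top10-broken-access-control`, so the two fields now disagree about whether the rule is an OWASP Top 10 finding; the Dart external-storage and WebView-cache rules on the next physical line do the same with `group: top10-insecure-design`. Nothing in this regeneration touches `group` (every `group:` line in these hunks is context), so the disagreement will persist across future runs. If `group` is meant to follow the tag, the same pass should update it or at least report the mismatch; if `group` is the scanner's own bucket, a one-line comment at the top of the file such as `# owasp-top-10 is derived from the CWE list; group is the scanner's own classification and is not authoritative` would keep consumers from treating the two as equivalent.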
@@ -23072,7 +22590,6 @@ rules: CSharp_WebConfig_TraceEnabled: categories: - boost-baseline - - owasp-top-10 - checkmarx-web-config - cwe-749 - ALL
@@ -23106,7 +22623,6 @@ rules: categories: - ALL - checkmarx-windows-phone - - owasp-top-10 - boost-baseline - cwe-250 description: The product performs an operation at a privilege level that is higher
@@ -23292,7 +22808,6 @@ rules: categories: - cwe-615 - checkmarx-low-visibility - - owasp-top-10 - boost-baseline - ALL description: 'While adding general comments is very useful, some programmers tend
@@ -23322,7 +22837,6 @@ rules: categories: - cwe-703 - checkmarx-medium-threat - - owasp-top-10 - boost-baseline - ALL description: The product does not properly anticipate or handle exceptional conditions
@@ -23355,7 +22869,6 @@ rules: - boost-baseline - ALL - checkmarx-best-coding-practices - - owasp-top-10 description: Sensitive information stored in external storage is not encrypted, leaving it vulnerable to unauthorized access or data breaches. group: top10-insecure-design
@@ -23366,7 +22879,6 @@ rules: Dart_Mobile_Best_Coding_Practice_Unused_Permission: categories: - ALL - - owasp-top-10 - checkmarx-best-coding-practices - boost-baseline - cwe-250
@@ -23381,7 +22893,6 @@ rules: Dart_Mobile_Best_Coding_Practice_Using_Deprecated_Methods: categories: - cwe-477 - - owasp-top-10 - checkmarx-best-coding-practices - boost-baseline - ALL
@@ -23397,7 +22908,6 @@ rules: - boost-baseline - ALL - checkmarx-best-coding-practices - - owasp-top-10 description: WebView cache data in Dart mobile applications is not properly cleared or controlled, posing a risk for sensitive information leakage. group: top10-insecure-design
@@ -23409,7 +22919,6 @@ rules: categories: - boost-hardened - checkmarx-android - - owasp-top-10 - boost-baseline - ALL description: The product uses a handler for a custom URL scheme, but it does not
@@ -23557,7 +23066,6 @@ rules: Dart_Mobile_Low_Visibility_Improper_Resource_Shutdown_or_Release: categories: - cwe-404 - - owasp-top-10 - checkmarx-android - boost-baseline - ALL
@@ -23571,7 +23079,6 @@ rules: Dart_Mobile_Low_Visibility_Insecure_Android_SDK_Version: categories: - cwe-477 - - owasp-top-10 - checkmarx-android - boost-baseline - ALL
@@ -23626,7 +23133,6 @@ rules: Dart_Mobile_Low_Visibility_Missing_Root_Or_Jailbreak_Check: categories: - cwe-693 - - owasp-top-10 - checkmarx-android - boost-baseline - ALL
@@ -23640,7 +23146,6 @@ rules: Dart_Mobile_Low_Visibility_No_Installer_Verification_Implemented: categories: - cwe-693 - - owasp-top-10 - checkmarx-android - boost-baseline - ALL
@@ -23790,7 +23295,6 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Dart_Mobile_Low_Visibility_Use_of_Native_Language: categories: - - owasp-top-10 - checkmarx-android - cwe-695 - boost-baseline
@@ -24047,7 +23551,6 @@ rules: - boost-baseline - ALL - checkmarx-medium-threat - - owasp-top-10 description: Sensitive input fields in Dart mobile applications allow third-party keyboards, posing a data leakage risk as these keyboards can capture and send user input to remote servers.
@@ -24209,7 +23712,6 @@ rules: Go_AWS_Lambda_Race_Condition_Global_Scope: categories: - checkmarx-server-side-vulnerability - - owasp-top-10 - boost-baseline - ALL description: The code is structured in a way that relies too much on using or
@@ -24270,6 +23772,7 @@ rules: - ALL - cwe-15 - checkmarx-server-side-vulnerability + - owasp-top-10 description: One or more system settings or configuration elements can be externally controlled by a user. group: top10-security-misconfiguration
@@ -24588,7 +24091,6 @@ rules: categories: - cwe-477 - checkmarx-low-visibility - - owasp-top-10 - boost-baseline - ALL description: The code uses deprecated or obsolete functions, which suggests that
@@ -24616,7 +24118,6 @@ rules: categories: - cwe-248 - checkmarx-low-visibility - - owasp-top-10 - boost-baseline - ALL description: An exception is thrown from a function, but it is not caught.
@@ -24628,7 +24129,6 @@ rules: Go_Low_Visibility_Incorrect_Reflect_Value_Comparison: categories: - checkmarx-low-visibility - - owasp-top-10 - boost-baseline - ALL description: The product compares object references instead of the contents of
@@ -24644,6 +24144,7 @@ rules: - ALL - cwe-117 - checkmarx-low-visibility + - owasp-top-10 description: The product does not neutralize or incorrectly neutralizes output that is written to logs. group: top10-security-logging-monitoring-failures
@@ -24726,7 +24227,6 @@ rules: categories: - checkmarx-low-visibility - cwe-362 - - owasp-top-10 - boost-baseline - ALL - cwe-top-25
@@ -24771,7 +24271,6 @@ rules: categories: - cwe-242 - checkmarx-low-visibility - - owasp-top-10 - boost-baseline - ALL description: The product calls a function that can never be guaranteed to work
@@ -24812,7 +24311,6 @@ rules: Go_Medium_Threat_Denial_Of_Service_Resource_Exhaustion: categories: - checkmarx-medium-threat - - owasp-top-10 - cwe-400 - boost-baseline - ALL
@@ -24828,7 +24326,6 @@ rules: Go_Medium_Threat_Divide_By_Zero: categories: - checkmarx-medium-threat - - owasp-top-10 - cwe-369 - boost-baseline - ALL
@@ -24860,6 +24357,7 @@ rules: - ALL - cwe-547 - checkmarx-medium-threat + - owasp-top-10 description: The product uses hard-coded constants instead of symbolic names for security-critical values, which increases the likelihood of mistakes during code maintenance or security policy change.
@@ -24872,7 +24370,6 @@ rules: categories: - checkmarx-medium-threat - cwe-190 - - owasp-top-10 - boost-baseline - ALL - cwe-top-25
@@ -24905,6 +24402,7 @@ rules: - ALL - boost-baseline - checkmarx-medium-threat + - owasp-top-10 description: The product uses a cookie to store sensitive information, but the cookie is not marked with the HttpOnly flag. group: top10-security-misconfiguration
@@ -24918,6 +24416,7 @@ rules: - cwe-614 - checkmarx-medium-threat - ALL + - owasp-top-10 description: The Secure attribute for sensitive cookies in HTTPS sessions is not set, which could cause the user agent to send those cookies in plaintext over an HTTP session.
@@ -24961,7 +24460,6 @@ rules: categories: - checkmarx-medium-threat - cwe-366 - - owasp-top-10 - boost-baseline - ALL description: If two threads of execution use a resource simultaneously, there
@@ -24975,7 +24473,6 @@ rules: Go_Medium_Threat_Reflected_Absolute_Path_Traversal: categories: - checkmarx-medium-threat - - owasp-top-10 - cwe-36 - boost-baseline - ALL
@@ -25007,7 +24504,6 @@ rules: categories: - checkmarx-medium-threat - cwe-599 - - owasp-top-10 - boost-baseline - ALL description: The product uses OpenSSL and trusts or uses a certificate without
@@ -25037,7 +24533,6 @@ rules: Go_Medium_Threat_Stored_Absolute_Path_Traversal: categories: - checkmarx-medium-threat - - owasp-top-10 - cwe-36 - boost-baseline - ALL
@@ -25096,7 +24591,6 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Groovy_Best_Coding_Practice_Assign_Collection: categories: - - owasp-top-10 - cwe-398 - checkmarx-best-coding-practices - boost-baseline
@@ -25110,7 +24604,6 @@ rules: Groovy_Best_Coding_Practice_Assigning_instead_of_Comparing: categories: - cwe-481 - - owasp-top-10 - checkmarx-best-coding-practices - boost-baseline - ALL
@@ -25123,7 +24616,6 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Groovy_Best_Coding_Practice_Comparing_instead_of_Assigning: categories: - - owasp-top-10 - cwe-482 - checkmarx-best-coding-practices - boost-baseline
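Review bot: Both Go absolute-path-traversal rules on this line (the `@@ -24975` and `@@ -25037` hunks, tagged `cwe-36`) lose `- owasp-top-10`, apparently because the tag is now derived from an exact match of the rule's CWE ids against the 2021 list and CWE-36 is not on it. CWE-36 is a child of CWE-22, which is on the A01:2021 Broken Access Control mapping, so these findings still belong to the OWASP category and will now vanish from any owasp-top-10 filtered report. The Groovy absolute-path-traversal rules further down show the same drop. Either add `cwe-36` to the list explicitly or have the normalization expand the list through CWE parent relationships before matching, so child weaknesses are not silently untagged.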
@@ -25138,7 +24630,6 @@ rules: Groovy_Best_Coding_Practice_Declaration_Of_Catch_For_Generic_Exception: categories: - cwe-396 - - owasp-top-10 - checkmarx-best-coding-practices - boost-baseline - ALL
@@ -25151,7 +24642,6 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Groovy_Best_Coding_Practice_Declaration_of_Throws_for_Generic_Exception: categories: - - owasp-top-10 - cwe-397 - checkmarx-best-coding-practices - boost-baseline
@@ -25166,7 +24656,6 @@ rules: Groovy_Best_Coding_Practice_Deprecated_Groovy_Code: categories: - cwe-477 - - owasp-top-10 - checkmarx-best-coding-practices - boost-baseline - ALL
@@ -25196,7 +24685,6 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Groovy_Best_Coding_Practice_Empty_Methods: categories: - - owasp-top-10 - cwe-398 - checkmarx-best-coding-practices - boost-baseline
@@ -25209,7 +24697,6 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Groovy_Best_Coding_Practice_Explicit_Calls_To_Methods: categories: - - owasp-top-10 - cwe-398 - checkmarx-best-coding-practices - boost-baseline
@@ -25222,7 +24709,6 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Groovy_Best_Coding_Practice_Explicit_Instantiation: categories: - - owasp-top-10 - cwe-398 - checkmarx-best-coding-practices - boost-baseline
@@ -25235,7 +24721,6 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Groovy_Best_Coding_Practice_Exposure_of_Resource_to_Wrong_Sphere: categories: - - owasp-top-10 - cwe-493 - checkmarx-best-coding-practices - boost-baseline
@@ -25249,7 +24734,6 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Groovy_Best_Coding_Practice_GOTO_Statement: categories: - - owasp-top-10 - checkmarx-best-coding-practices - boost-baseline - ALL
@@ -25267,7 +24751,6 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Groovy_Best_Coding_Practice_Getter_Method_Could_Be_Property: categories: - - owasp-top-10 - cwe-398 - checkmarx-best-coding-practices - boost-baseline
@@ -25311,7 +24794,6 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Groovy_Best_Coding_Practice_Incorrect_Block_Delimitation: categories: - - owasp-top-10 - checkmarx-best-coding-practices - boost-baseline - ALL
@@ -25326,7 +24808,6 @@ rules: Groovy_Best_Coding_Practice_Just_One_of_Equals_and_Hash_code_Defined: categories: - ALL - - owasp-top-10 - checkmarx-best-coding-practices - boost-baseline - cwe-581
@@ -25339,7 +24820,6 @@ rules: Groovy_Best_Coding_Practice_Missing_Default_Case_In_Switch_Statement: categories: - cwe-478 - - owasp-top-10 - checkmarx-best-coding-practices - boost-baseline - ALL
@@ -25353,7 +24833,6 @@ rules: Groovy_Best_Coding_Practice_Omitted_Break_Statement_In_Switch: categories: - cwe-484 - - owasp-top-10 - checkmarx-best-coding-practices - boost-baseline - ALL
@@ -25368,7 +24847,6 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Groovy_Best_Coding_Practice_Potential_Usage_of_Vulnerable_Log4J: categories: - - owasp-top-10 - cwe-400 - checkmarx-best-coding-practices - boost-baseline
@@ -25384,7 +24862,6 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Groovy_Best_Coding_Practice_Public_Static_Field_Not_Marked_Final: categories: - - owasp-top-10 - checkmarx-best-coding-practices - cwe-500 - boost-baseline
@@ -25399,7 +24876,6 @@ rules: Groovy_Best_Coding_Practice_Return_Inside_Finally_Block: categories: - cwe-584 - - owasp-top-10 - checkmarx-best-coding-practices - boost-baseline - ALL
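Review bot: The Groovy vulnerable-Log4J rule in the `@@ -25368` hunk loses `- owasp-top-10` because its only CWE tag is `cwe-400`, although a known-vulnerable logging library is an A06:2021 Vulnerable and Outdated Components finding; the JavaScript rule tagged `cwe-937` and described as "Relates to using components with known vulnerabilities" on a later physical line loses the tag for the same reason. A06:2021 maps CWE-1104 together with the older category entries CWE-937 and CWE-1035, so the regenerated list appears to cover only `cwe-1104`. Consider adding `cwe-937` and `cwe-1035` to the list and retagging the Log4J rule with `cwe-1104` (keeping `cwe-400` if the resource-exhaustion aspect is intentional), so that known-vulnerable-component findings keep the OWASP tag.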
@@ -25412,7 +24888,6 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Groovy_Best_Coding_Practice_Use_Collect_Many: categories: - - owasp-top-10 - cwe-398 - checkmarx-best-coding-practices - boost-baseline
@@ -25425,7 +24900,6 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Groovy_Best_Coding_Practice_Use_Collect_Nested: categories: - - owasp-top-10 - cwe-398 - checkmarx-best-coding-practices - boost-baseline
@@ -25439,7 +24913,6 @@ rules: Groovy_Best_Coding_Practice_Use_of_Wrong_Operator_in_String_Comparison: categories: - cwe-597 - - owasp-top-10 - checkmarx-best-coding-practices - boost-baseline - ALL
@@ -25802,7 +25275,6 @@ rules: categories: - cwe-171 - checkmarx-low-visibility - - owasp-top-10 - boost-baseline - ALL description: Improper handling of data within protection mechanisms that attempt
@@ -25816,7 +25288,6 @@ rules: categories: - checkmarx-low-visibility - cwe-182 - - owasp-top-10 - boost-baseline - ALL description: The product filters data in a way that causes it to be reduced or
@@ -25830,7 +25301,6 @@ rules: categories: - ALL - checkmarx-low-visibility - - owasp-top-10 - boost-baseline - cwe-378 description: Opening temporary files without appropriate measures or controls
@@ -25845,7 +25315,6 @@ rules: categories: - cwe-379 - checkmarx-low-visibility - - owasp-top-10 - boost-baseline - ALL description: The product creates a temporary file in a directory whose permissions
@@ -25860,7 +25329,6 @@ rules: categories: - cwe-203 - checkmarx-low-visibility - - owasp-top-10 - boost-baseline - ALL description: The product behaves differently or sends different responses under
@@ -25878,6 +25346,7 @@ rules: - ALL - checkmarx-low-visibility - cwe-15 + - owasp-top-10 description: One or more system settings or configuration elements can be externally controlled by a user. group: top10-security-misconfiguration
@@ -25889,7 +25358,6 @@ rules: categories: - checkmarx-low-visibility - cwe-362 - - owasp-top-10 - boost-baseline - ALL - cwe-top-25
@@ -25905,7 +25373,6 @@ rules: Groovy_Low_Visibility_Divide_By_Zero: categories: - checkmarx-low-visibility - - owasp-top-10 - cwe-369 - boost-baseline - ALL
@@ -25978,7 +25445,6 @@ rules: categories: - cwe-244 - checkmarx-low-visibility - - owasp-top-10 - boost-baseline - ALL description: Using realloc() to resize buffers that store sensitive information
@@ -26010,7 +25476,6 @@ rules: categories: - cwe-248 - checkmarx-low-visibility - - owasp-top-10 - boost-baseline - ALL description: An exception is thrown from a function, but it is not caught.
@@ -26023,7 +25488,6 @@ rules: categories: - cwe-413 - checkmarx-low-visibility - - owasp-top-10 - boost-baseline - ALL description: The product does not lock or does not correctly lock a resource when
@@ -26037,7 +25501,6 @@ rules: categories: - cwe-404 - checkmarx-low-visibility - - owasp-top-10 - boost-baseline - ALL description: The product does not release or incorrectly releases a resource before
@@ -26065,7 +25528,6 @@ rules: categories: - cwe-460 - checkmarx-low-visibility - - owasp-top-10 - boost-baseline - ALL description: The product does not clean up its state or incorrectly cleans up
@@ -26079,7 +25541,6 @@ rules: Groovy_Low_Visibility_Information_Exposure_Through_Debug_Log: categories: - checkmarx-low-visibility - - owasp-top-10 - cwe-534 - boost-baseline - ALL
@@ -26094,7 +25555,6 @@ rules: categories: - ALL - checkmarx-low-visibility - - owasp-top-10 - boost-baseline - cwe-533 description: This entry has been deprecated because its abstraction was too low-level.
@@ -26122,7 +25582,6 @@ rules: categories: - cwe-615 - checkmarx-low-visibility - - owasp-top-10 - boost-baseline - ALL description: 'While adding general comments is very useful, some programmers tend
@@ -26152,7 +25611,6 @@ rules: categories: - cwe-535 - checkmarx-low-visibility - - owasp-top-10 - boost-baseline - ALL description: A command shell error message indicates that there exists an unhandled
@@ -26198,7 +25656,6 @@ rules: categories: - cwe-190 - checkmarx-low-visibility - - owasp-top-10 - boost-baseline - ALL - cwe-top-25
@@ -26215,7 +25672,6 @@ rules: categories: - cwe-191 - checkmarx-low-visibility - - owasp-top-10 - boost-baseline - ALL description: The product subtracts one value from another, such that the result
@@ -26229,7 +25685,6 @@ rules: Groovy_Low_Visibility_Leaving_Temporary_File: categories: - checkmarx-low-visibility - - owasp-top-10 - boost-baseline - ALL - cwe-376
@@ -26245,6 +25700,7 @@ rules: - ALL - cwe-117 - checkmarx-low-visibility + - owasp-top-10 description: The product does not neutralize or incorrectly neutralizes output that is written to logs. group: top10-security-logging-monitoring-failures
@@ -26270,7 +25726,6 @@ rules: categories: - checkmarx-low-visibility - cwe-549 - - owasp-top-10 - boost-baseline - ALL description: The product does not mask passwords during entry, increasing the
@@ -26299,7 +25754,6 @@ rules: categories: - checkmarx-low-visibility - cwe-491 - - owasp-top-10 - boost-baseline - ALL description: A class has a cloneable() method that is not declared final, which
@@ -26314,7 +25768,6 @@ rules: categories: - cwe-193 - checkmarx-low-visibility - - owasp-top-10 - boost-baseline - ALL description: A product calculates or uses an incorrect maximum or minimum value
@@ -26342,7 +25795,6 @@ rules: Groovy_Low_Visibility_Parse_Double_DoS: categories: - checkmarx-low-visibility - - owasp-top-10 - boost-baseline - ALL - cwe-730
@@ -26358,6 +25810,7 @@ rules: - ALL - checkmarx-low-visibility - cwe-315 + - owasp-top-10 description: The product stores sensitive information in cleartext in a cookie. group: top10-security-misconfiguration name: Groovy_Low_Visibility_Plaintext_Storage_in_a_Cookie
@@ -26383,7 +25836,6 @@ rules: Groovy_Low_Visibility_Potential_ReDoS: categories: - checkmarx-low-visibility - - owasp-top-10 - cwe-400 - boost-baseline - ALL
@@ -26399,7 +25851,6 @@ rules: Groovy_Low_Visibility_Potential_ReDoS_By_Injection: categories: - checkmarx-low-visibility - - owasp-top-10 - cwe-400 - boost-baseline - ALL
@@ -26415,7 +25866,6 @@ rules: Groovy_Low_Visibility_Potential_ReDoS_In_Match: categories: - checkmarx-low-visibility - - owasp-top-10 - cwe-400 - boost-baseline - ALL
@@ -26431,7 +25881,6 @@ rules: Groovy_Low_Visibility_Potential_ReDoS_In_Replace: categories: - checkmarx-low-visibility - - owasp-top-10 - cwe-400 - boost-baseline - ALL
@@ -26447,7 +25896,6 @@ rules: Groovy_Low_Visibility_Potential_ReDoS_In_Static_Field: categories: - checkmarx-low-visibility - - owasp-top-10 - cwe-400 - boost-baseline - ALL
@@ -26464,7 +25912,6 @@ rules: categories: - cwe-607 - checkmarx-low-visibility - - owasp-top-10 - boost-baseline - ALL description: A public or protected static final field references a mutable object,
@@ -26479,7 +25926,6 @@ rules: categories: - checkmarx-low-visibility - cwe-362 - - owasp-top-10 - boost-baseline - ALL - cwe-top-25
@@ -26496,7 +25942,6 @@ rules: categories: - checkmarx-low-visibility - cwe-362 - - owasp-top-10 - boost-baseline - ALL - cwe-top-25
@@ -26528,7 +25973,6 @@ rules: categories: - cwe-350 - checkmarx-low-visibility - - owasp-top-10 - boost-baseline - ALL description: The product performs reverse DNS resolution on an IP address to obtain
@@ -26562,6 +26006,7 @@ rules: - cwe-614 - checkmarx-low-visibility - ALL + - owasp-top-10 description: The Secure attribute for sensitive cookies in HTTPS sessions is not set, which could cause the user agent to send those cookies in plaintext over an HTTP session.
@@ -26573,7 +26018,6 @@ rules: Groovy_Low_Visibility_Serializable_Class_Containing_Sensitive_Data: categories: - checkmarx-low-visibility - - owasp-top-10 - cwe-499 - boost-baseline - ALL
@@ -26588,7 +26032,6 @@ rules: Groovy_Low_Visibility_Spring_defaultHtmlEscape_Not_True: categories: - checkmarx-low-visibility - - owasp-top-10 - boost-baseline - ALL description: The Spring configuration property 'defaultHtmlEscape', which prevents
@@ -26621,7 +26064,6 @@ rules: Groovy_Low_Visibility_TOCTOU: categories: - checkmarx-low-visibility - - owasp-top-10 - boost-baseline - ALL - cwe-367
@@ -26652,7 +26094,6 @@ rules: categories: - cwe-248 - checkmarx-low-visibility - - owasp-top-10 - boost-baseline - ALL description: An exception is thrown from a function, but it is not caught.
@@ -26664,7 +26105,6 @@ rules: Groovy_Low_Visibility_Unchecked_Return_Value_to_NULL_Pointer_Dereference: categories: - checkmarx-low-visibility - - owasp-top-10 - cwe-690 - boost-baseline - ALL
@@ -26680,7 +26120,6 @@ rules: categories: - cwe-134 - checkmarx-low-visibility - - owasp-top-10 - boost-baseline - ALL description: The product uses a function that accepts a format string as an argument,
@@ -26694,7 +26133,6 @@ rules: categories: - cwe-789 - checkmarx-low-visibility - - owasp-top-10 - boost-baseline - ALL description: The product allocates memory based on an untrusted, large size value,
@@ -26709,7 +26147,6 @@ rules: categories: - cwe-567 - checkmarx-low-visibility - - owasp-top-10 - boost-baseline - ALL description: The product does not properly synchronize shared data, such as static
@@ -26737,7 +26174,6 @@ rules: Groovy_Low_Visibility_Use_Of_getenv: categories: - checkmarx-low-visibility - - owasp-top-10 - cwe-589 - boost-baseline - ALL
@@ -26765,7 +26201,6 @@ rules: Groovy_Low_Visibility_Use_of_Client_Side_Authentication: categories: - checkmarx-low-visibility - - owasp-top-10 - cwe-603 - boost-baseline - ALL
@@ -26783,6 +26218,7 @@ rules: - ALL - cwe-547 - checkmarx-low-visibility + - owasp-top-10 description: The product uses hard-coded constants instead of symbolic names for security-critical values, which increases the likelihood of mistakes during code maintenance or security policy change.
@@ -26809,7 +26245,6 @@ rules: categories: - cwe-293 - checkmarx-low-visibility - - owasp-top-10 - boost-baseline - ALL description: The referer field in HTTP requests can be easily modified and, as
@@ -26822,7 +26257,6 @@ rules: Groovy_Medium_Threat_Absolute_Path_Traversal: categories: - checkmarx-medium-threat - - owasp-top-10 - cwe-36 - boost-baseline - ALL
@@ -26928,7 +26362,6 @@ rules: Groovy_Medium_Threat_Direct_Use_of_Unsafe_JNI: categories: - checkmarx-medium-threat - - owasp-top-10 - boost-baseline - ALL - cwe-111
@@ -26943,7 +26376,6 @@ rules: Groovy_Medium_Threat_DoS_by_Sleep: categories: - checkmarx-medium-threat - - owasp-top-10 - boost-baseline - ALL description: The product performs an iteration or loop without sufficiently limiting
@@ -26974,6 +26406,7 @@ rules: - ALL - checkmarx-medium-threat - cwe-15 + - owasp-top-10 description: One or more system settings or configuration elements can be externally controlled by a user. group: top10-security-misconfiguration
@@ -27002,6 +26435,7 @@ rules: - ALL - cwe-547 - checkmarx-medium-threat + - owasp-top-10 description: The product uses hard-coded constants instead of symbolic names for security-critical values, which increases the likelihood of mistakes during code maintenance or security policy change.
@@ -27016,6 +26450,7 @@ rules: - ALL - boost-baseline - checkmarx-medium-threat + - owasp-top-10 description: The product uses a cookie to store sensitive information, but the cookie is not marked with the HttpOnly flag. group: top10-security-misconfiguration
@@ -27029,6 +26464,7 @@ rules: - ALL - boost-baseline - checkmarx-medium-threat + - owasp-top-10 description: The product uses a cookie to store sensitive information, but the cookie is not marked with the HttpOnly flag. group: top10-security-misconfiguration
@@ -27040,7 +26476,6 @@ rules: categories: - checkmarx-medium-threat - cwe-667 - - owasp-top-10 - boost-baseline - ALL description: The product does not properly acquire or release a lock on a resource,
@@ -27067,7 +26502,6 @@ rules: Groovy_Medium_Threat_Multiple_Binds_to_the_Same_Port: categories: - checkmarx-medium-threat - - owasp-top-10 - boost-baseline - ALL - cwe-605
@@ -27125,7 +26559,6 @@ rules: Groovy_Medium_Threat_Process_Control: categories: - checkmarx-medium-threat - - owasp-top-10 - cwe-114 - boost-baseline - ALL
@@ -27140,7 +26573,6 @@ rules: Groovy_Medium_Threat_ReDoS_From_Regex_Injection: categories: - checkmarx-medium-threat - - owasp-top-10 - cwe-400 - boost-baseline - ALL
@@ -27156,7 +26588,6 @@ rules: Groovy_Medium_Threat_ReDoS_In_Match: categories: - checkmarx-medium-threat - - owasp-top-10 - cwe-400 - boost-baseline - ALL
@@ -27172,7 +26603,6 @@ rules: Groovy_Medium_Threat_ReDoS_In_Pattern: categories: - checkmarx-medium-threat - - owasp-top-10 - cwe-400 - boost-baseline - ALL
@@ -27188,7 +26618,6 @@ rules: Groovy_Medium_Threat_ReDoS_In_Replace: categories: - checkmarx-medium-threat - - owasp-top-10 - cwe-400 - boost-baseline - ALL
@@ -27296,7 +26725,6 @@ rules: Groovy_Medium_Threat_Stored_Absolute_Path_Traversal: categories: - checkmarx-medium-threat - - owasp-top-10 - cwe-36 - boost-baseline - ALL
@@ -27360,7 +26788,6 @@ rules: Groovy_Medium_Threat_Unchecked_Input_for_Loop_Condition: categories: - checkmarx-medium-threat - - owasp-top-10 - cwe-606 - boost-baseline - ALL
@@ -27392,7 +26819,6 @@ rules: categories: - checkmarx-medium-threat - cwe-819 - - owasp-top-10 - boost-baseline - ALL description: Relates to using redirects and forwards that have not been validated.
@@ -27446,7 +26872,6 @@ rules: Groovy_Medium_Threat_Use_of_Native_Language: categories: - checkmarx-medium-threat - - owasp-top-10 - cwe-695 - boost-baseline - ALL
@@ -27461,7 +26886,6 @@ rules: categories: - checkmarx-medium-threat - cwe-382 - - owasp-top-10 - boost-baseline - ALL description: A J2EE application uses System.exit(), which also shuts down its
@@ -27615,7 +27039,6 @@ rules: categories: - checkmarx-server-side-vulnerability - cwe-366 - - owasp-top-10 - boost-baseline - ALL description: If two threads of execution use a resource simultaneously, there
@@ -27662,6 +27085,7 @@ rules: - ALL - cwe-15 - checkmarx-server-side-vulnerability + - owasp-top-10 description: One or more system settings or configuration elements can be externally controlled by a user. group: top10-security-misconfiguration
@@ -27704,7 +27128,6 @@ rules: JavaScript_Angular_Angular_Deprecated_API: categories: - cwe-477 - - owasp-top-10 - boost-baseline - ALL description: The code uses deprecated or obsolete functions, which suggests that
@@ -27717,7 +27140,6 @@ rules: JavaScript_Angular_Angular_Improper_Type_Pipe_Usage: categories: - cwe-228 - - owasp-top-10 - boost-baseline - ALL description: The product does not handle or incorrectly handles input that is
@@ -27747,7 +27169,6 @@ rules: - boost-baseline - ALL - checkmarx-best-coding-practices - - owasp-top-10 description: The use of the FinalizationRegistry object in JavaScript is detected, which may lead to unexpected behavior or memory leaks, as this object allows managed interaction with garbage collection.
@@ -27761,7 +27182,6 @@ rules: - boost-baseline - ALL - checkmarx-best-coding-practices - - owasp-top-10 description: Avoid using the WeakRef JavaScript feature, as it poses risks associated with unintended garbage collection leading to potential memory leaks or unexpected application behaviors.
@@ -27787,7 +27207,6 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html JavaScript_Best_Coding_Practice_React_Multiple_Classes_With_Same_Name: categories: - - owasp-top-10 - cwe-694 - checkmarx-best-coding-practices - boost-baseline
@@ -27801,7 +27220,6 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html JavaScript_Best_Coding_Practice_Use_Of_Multiple_Mixins: categories: - - owasp-top-10 - cwe-710 - checkmarx-best-coding-practices - boost-baseline
@@ -27866,6 +27284,7 @@ rules: - ALL - boost-baseline - checkmarx-cordova + - owasp-top-10 description: The product uses a cross-domain policy file that includes domains that should not be trusted. group: top10-security-misconfiguration
@@ -28088,7 +27507,6 @@ rules: JavaScript_High_Risk_Prototype_Pollution: categories: - boost-hardened - - owasp-top-10 - boost-baseline - ALL - checkmarx-high-risk
@@ -28141,6 +27559,7 @@ rules: - ALL - checkmarx-low-visibility - cwe-315 + - owasp-top-10 description: The product stores sensitive information in cleartext in a cookie. group: top10-security-misconfiguration name: JavaScript_Low_Visibility_Client_Cookies_Inspection
@@ -28150,7 +27569,6 @@ rules: JavaScript_Low_Visibility_Client_Cross_Session_Contamination: categories: - checkmarx-low-visibility - - owasp-top-10 - boost-baseline - ALL - cwe-488
@@ -28283,7 +27701,6 @@ rules: categories: - cwe-477 - checkmarx-low-visibility - - owasp-top-10 - boost-baseline - ALL description: The code uses deprecated or obsolete functions, which suggests that
@@ -28297,7 +27714,6 @@ rules: categories: - cwe-477 - checkmarx-low-visibility - - owasp-top-10 - boost-baseline - ALL description: The code uses deprecated or obsolete functions, which suggests that
@@ -28310,7 +27726,6 @@ rules: JavaScript_Low_Visibility_Client_Negative_Content_Length: categories: - checkmarx-low-visibility - - owasp-top-10 - cwe-398 - boost-baseline - ALL
@@ -28340,6 +27755,7 @@ rules: - ALL - boost-baseline - checkmarx-low-visibility + - owasp-top-10 description: The product uses a cross-domain policy file that includes domains that should not be trusted. group: top10-security-misconfiguration @@ -28351,7 +27767,6 @@ rules: categories: - cwe-615 - checkmarx-low-visibility - - owasp-top-10 - boost-baseline - ALL description: 'While adding general comments is very useful, some programmers tend @@ -28381,7 +27796,6 @@ rules: categories: - cwe-693 - checkmarx-low-visibility - - owasp-top-10 - boost-baseline - ALL description: The product does not use or incorrectly uses a protection mechanism @@ -28409,7 +27823,6 @@ rules: JavaScript_Low_Visibility_Client_Potential_ReDoS_In_Match: categories: - checkmarx-low-visibility - - owasp-top-10 - cwe-400 - boost-baseline - ALL @@ -28425,7 +27838,6 @@ rules: JavaScript_Low_Visibility_Client_Potential_ReDoS_In_Replace: categories: - checkmarx-low-visibility - - owasp-top-10 - cwe-400 - boost-baseline - ALL @@ -28441,7 +27853,6 @@ rules: JavaScript_Low_Visibility_Client_Regex_Injection: categories: - checkmarx-low-visibility - - owasp-top-10 - cwe-400 - boost-baseline - ALL @@ -28486,7 +27897,6 @@ rules: categories: - cwe-937 - checkmarx-low-visibility - - owasp-top-10 - boost-baseline - ALL description: Relates to using components with known vulnerabilities @@ -28617,7 +28027,6 @@ rules: categories: - cwe-693 - checkmarx-low-visibility - - owasp-top-10 - boost-baseline - ALL description: The product does not use or incorrectly uses a protection mechanism @@ -28631,7 +28040,6 @@ rules: categories: - cwe-477 - checkmarx-low-visibility - - owasp-top-10 - boost-baseline - ALL description: The code uses deprecated or obsolete functions, which suggests that @@ -28644,7 +28052,6 @@ rules: JavaScript_Low_Visibility_Unsafe_Use_Of_Target_blank: categories: - checkmarx-low-visibility - - owasp-top-10 - boost-baseline - ALL - cwe-1022 
@@ -28662,7 +28069,6 @@ rules: - boost-baseline - ALL - checkmarx-low-visibility - - owasp-top-10 description: Sensitive JavaScript fields are being populated with user-controlled input without sufficient validation or sanitization, exposing potential security vulnerabilities such as injection attacks. @@ -28782,7 +28188,6 @@ rules: JavaScript_Medium_Threat_Client_DoS_By_Sleep: categories: - checkmarx-medium-threat - - owasp-top-10 - boost-baseline - ALL - cwe-730 @@ -28915,7 +28320,6 @@ rules: JavaScript_Medium_Threat_Client_ReDoS_From_Regex_Injection: categories: - checkmarx-medium-threat - - owasp-top-10 - cwe-400 - boost-baseline - ALL @@ -28931,7 +28335,6 @@ rules: JavaScript_Medium_Threat_Client_ReDoS_In_Match: categories: - checkmarx-medium-threat - - owasp-top-10 - cwe-400 - boost-baseline - ALL @@ -28947,7 +28350,6 @@ rules: JavaScript_Medium_Threat_Client_ReDoS_In_Replace: categories: - checkmarx-medium-threat - - owasp-top-10 - cwe-400 - boost-baseline - ALL @@ -28963,7 +28365,6 @@ rules: JavaScript_Medium_Threat_Client_ReDos_In_RegExp: categories: - checkmarx-medium-threat - - owasp-top-10 - cwe-400 - boost-baseline - ALL @@ -29008,7 +28409,6 @@ rules: categories: - checkmarx-medium-threat - cwe-618 - - owasp-top-10 - boost-baseline - ALL description: An ActiveX control is intended for use in a web browser, but it exposes @@ -29023,7 +28423,6 @@ rules: categories: - cwe-477 - checkmarx-medium-threat - - owasp-top-10 - boost-baseline - ALL description: The code uses deprecated or obsolete functions, which suggests that @@ -29124,7 +28523,6 @@ rules: JavaScript_Medium_Threat_Unchecked_Input_For_Loop_Condition: categories: - checkmarx-medium-threat - - owasp-top-10 - cwe-606 - boost-baseline - ALL 
@@ -29143,6 +28541,7 @@ rules: - boost-baseline - ALL - cwe-top-25 + - owasp-top-10 description: The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output. @@ -29167,7 +28566,6 @@ rules: JavaScript_ReactNative_Insecure_Text_Entry: categories: - cwe-549 - - owasp-top-10 - boost-baseline - ALL description: The product does not mask passwords during entry, increasing the @@ -29193,7 +28591,6 @@ rules: JavaScript_ReactNative_Missing_Root_Or_Jailbreak_Check: categories: - cwe-693 - - owasp-top-10 - boost-baseline - ALL description: The product does not use or incorrectly uses a protection mechanism @@ -29236,7 +28633,6 @@ rules: categories: - cwe-474 - checkmarx-sapui5 - - owasp-top-10 - boost-baseline - ALL description: The code uses a function that has inconsistent implementations across @@ -29250,7 +28646,6 @@ rules: categories: - cwe-474 - checkmarx-sapui5 - - owasp-top-10 - boost-baseline - ALL description: The code uses a function that has inconsistent implementations across @@ -29264,7 +28659,6 @@ rules: categories: - cwe-477 - checkmarx-sapui5 - - owasp-top-10 - boost-baseline - ALL description: The code uses deprecated or obsolete functions, which suggests that @@ -29292,7 +28686,6 @@ rules: categories: - cwe-474 - checkmarx-sapui5 - - owasp-top-10 - boost-baseline - ALL description: The code uses a function that has inconsistent implementations across @@ -29333,7 +28726,6 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html JavaScript_Server_Side_Vulnerabilities_Absolute_Path_Traversal: categories: - - owasp-top-10 - cwe-36 - boost-baseline - ALL 
@@ -29415,7 +28807,6 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html JavaScript_Server_Side_Vulnerabilities_Comparing_instead_of_Assigning: categories: - - owasp-top-10 - cwe-482 - boost-baseline - ALL @@ -29444,7 +28835,6 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html JavaScript_Server_Side_Vulnerabilities_Divide_By_Zero: categories: - - owasp-top-10 - cwe-369 - boost-baseline - ALL @@ -29486,7 +28876,6 @@ rules: JavaScript_Server_Side_Vulnerabilities_Expression_is_Always_False: categories: - cwe-570 - - owasp-top-10 - boost-baseline - ALL - checkmarx-server-side-vulnerability @@ -29498,7 +28887,6 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html JavaScript_Server_Side_Vulnerabilities_Expression_is_Always_True: categories: - - owasp-top-10 - cwe-571 - boost-baseline - ALL @@ -29530,6 +28918,7 @@ rules: - ALL - cwe-547 - checkmarx-server-side-vulnerability + - owasp-top-10 description: The product uses hard-coded constants instead of symbolic names for security-critical values, which increases the likelihood of mistakes during code maintenance or security policy change. @@ -29558,6 +28947,7 @@ rules: - ALL - checkmarx-server-side-vulnerability - cwe-532 + - owasp-top-10 description: Information written to log files can be of a sensitive nature and give valuable guidance to an attacker or expose sensitive user information. group: top10-security-logging-monitoring-failures @@ -29583,7 +28973,6 @@ rules: categories: - boost-hardened - cwe-813 - - owasp-top-10 - boost-baseline - ALL - checkmarx-server-side-vulnerability @@ -29597,7 +28986,6 @@ rules: categories: - cwe-933 - boost-hardened - - owasp-top-10 - boost-baseline - ALL - checkmarx-server-side-vulnerability 
@@ -29670,7 +29058,6 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html JavaScript_Server_Side_Vulnerabilities_JWT_No_NotBefore_Validation: categories: - - owasp-top-10 - boost-baseline - ALL - checkmarx-server-side-vulnerability @@ -29718,6 +29105,7 @@ rules: - ALL - cwe-117 - checkmarx-server-side-vulnerability + - owasp-top-10 description: The product does not neutralize or incorrectly neutralizes output that is written to logs. group: top10-security-logging-monitoring-failures @@ -29742,7 +29130,6 @@ rules: JavaScript_Server_Side_Vulnerabilities_Missing_Default_Case_In_Switch_Statement: categories: - cwe-478 - - owasp-top-10 - boost-baseline - ALL - checkmarx-server-side-vulnerability @@ -29788,7 +29175,6 @@ rules: JavaScript_Server_Side_Vulnerabilities_Null_Password: categories: - cwe-252 - - owasp-top-10 - boost-baseline - ALL - checkmarx-server-side-vulnerability @@ -29802,7 +29188,6 @@ rules: JavaScript_Server_Side_Vulnerabilities_Omitted_Break_Statement_In_Switch: categories: - cwe-484 - - owasp-top-10 - boost-baseline - ALL - checkmarx-server-side-vulnerability @@ -29920,7 +29305,6 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html JavaScript_Server_Side_Vulnerabilities_ReDoS_in_RegExp: categories: - - owasp-top-10 - cwe-400 - boost-baseline - ALL @@ -29987,7 +29371,6 @@ rules: JavaScript_Server_Side_Vulnerabilities_SSL_Verification_Bypass: categories: - cwe-599 - - owasp-top-10 - boost-baseline - ALL - checkmarx-server-side-vulnerability @@ -30037,7 +29420,6 @@ rules: categories: - cwe-933 - boost-hardened - - owasp-top-10 - boost-baseline - ALL - checkmarx-server-side-vulnerability @@ -30063,7 +29445,6 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html JavaScript_Server_Side_Vulnerabilities_Server_DoS_by_Loop: categories: - - owasp-top-10 - boost-baseline - ALL - cwe-730 
@@ -30076,7 +29457,6 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html JavaScript_Server_Side_Vulnerabilities_Server_DoS_by_Sleep: categories: - - owasp-top-10 - boost-baseline - ALL - cwe-730 @@ -30142,7 +29522,6 @@ rules: JavaScript_Server_Side_Vulnerabilities_Uncontrolled_Format_String: categories: - cwe-134 - - owasp-top-10 - boost-baseline - ALL - checkmarx-server-side-vulnerability @@ -30159,6 +29538,7 @@ rules: - cwe-614 - checkmarx-server-side-vulnerability - ALL + - owasp-top-10 description: The Secure attribute for sensitive cookies in HTTPS sessions is not set, which could cause the user agent to send those cookies in plaintext over an HTTP session. @@ -30241,7 +29621,6 @@ rules: JavaScript_Server_Side_Vulnerabilities_Use_of_Deprecated_or_Obsolete_Functions: categories: - cwe-477 - - owasp-top-10 - boost-baseline - ALL - checkmarx-server-side-vulnerability @@ -30268,7 +29647,6 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html JavaScript_Vue_Declaration_of_Multiple_Vue_Components_per_File: categories: - - owasp-top-10 - cwe-710 - boost-baseline - ALL @@ -30282,7 +29660,6 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html JavaScript_Vue_Declaration_of_Vue_Component_Data_as_Property: categories: - - owasp-top-10 - cwe-710 - boost-baseline - ALL @@ -30296,7 +29673,6 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html JavaScript_Vue_Inconsistent_Component_Top_Level_Elements_Ordering: categories: - - owasp-top-10 - cwe-710 - boost-baseline - ALL @@ -30310,7 +29686,6 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html JavaScript_Vue_Inconsistent_use_of_Directive_Shorthands: categories: - - owasp-top-10 - cwe-710 - boost-baseline - ALL 
@@ -30324,7 +29699,6 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html JavaScript_Vue_Use_of_Implicit_Types_on_Vue_Component_Props: categories: - - owasp-top-10 - cwe-710 - boost-baseline - ALL @@ -30338,7 +29712,6 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html JavaScript_Vue_Use_of_Single_Word_Named_Vue_Components: categories: - - owasp-top-10 - cwe-710 - boost-baseline - ALL @@ -30352,7 +29725,6 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html JavaScript_Vue_Use_of_vif_and_vfor_On_Same_Element: categories: - - owasp-top-10 - cwe-710 - boost-baseline - ALL @@ -30420,6 +29792,7 @@ rules: - ALL - cwe-117 - checkmarx-xs + - owasp-top-10 description: The product does not neutralize or incorrectly neutralizes output that is written to logs. group: top10-security-logging-monitoring-failures @@ -30446,7 +29819,6 @@ rules: categories: - boost-baseline - checkmarx-xs - - owasp-top-10 - cwe-749 - ALL description: The product provides an Applications Programming Interface (API) @@ -30476,7 +29848,6 @@ rules: categories: - cwe-693 - checkmarx-xs - - owasp-top-10 - boost-baseline - ALL description: The product does not use or incorrectly uses a protection mechanism @@ -30684,7 +30055,6 @@ rules: Java_AWS_Lambda_Race_Condition_Global_Scope: categories: - checkmarx-server-side-vulnerability - - owasp-top-10 - boost-baseline - ALL description: The code is structured in a way that relies too much on using or @@ -30760,6 +30130,7 @@ rules: - ALL - cwe-15 - checkmarx-server-side-vulnerability + - owasp-top-10 description: One or more system settings or configuration elements can be externally controlled by a user. group: top10-security-misconfiguration @@ -30784,7 +30155,6 @@ rules: Java_Android_Allowed_Backup: categories: - cwe-530 - - owasp-top-10 - checkmarx-android - boost-baseline - ALL 
@@ -30798,7 +30168,6 @@ rules: Java_Android_Android_Improper_Resource_Shutdown_or_Release: categories: - cwe-404 - - owasp-top-10 - checkmarx-android - boost-baseline - ALL @@ -30828,7 +30197,6 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Java_Android_Client_Side_ReDoS: categories: - - owasp-top-10 - checkmarx-android - cwe-400 - boost-baseline @@ -30929,7 +30297,6 @@ rules: Java_Android_Failure_To_Implement_Least_Privilege: categories: - ALL - - owasp-top-10 - checkmarx-android - boost-baseline - cwe-250 @@ -30946,7 +30313,6 @@ rules: - boost-baseline - ALL - checkmarx-android - - owasp-top-10 description: Verifies if an Android application is properly requesting permissions. The absence or misuse of permission requests can lead to unauthorized access or functionality misuse. @@ -30986,7 +30352,6 @@ rules: Java_Android_Improper_Verification_Of_Intent_By_Broadcast_Receiver: categories: - cwe-925 - - owasp-top-10 - checkmarx-android - boost-baseline - ALL @@ -31000,7 +30365,6 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Java_Android_Information_Leak_Through_Response_Caching: categories: - - owasp-top-10 - checkmarx-android - cwe-524 - boost-baseline @@ -31015,7 +30379,6 @@ rules: Java_Android_Insecure_Android_SDK_Version: categories: - cwe-477 - - owasp-top-10 - checkmarx-android - boost-baseline - ALL @@ -31114,7 +30477,6 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Java_Android_Keyboard_Cache_Information_Leak: categories: - - owasp-top-10 - checkmarx-android - cwe-524 - boost-baseline @@ -31171,7 +30533,6 @@ rules: Java_Android_Missing_Rooted_Device_Check: categories: - cwe-693 - - owasp-top-10 - checkmarx-android - boost-baseline - ALL @@ -31242,7 +30603,6 @@ rules: Java_Android_ProGuard_Obfuscation_Not_In_Use: categories: - cwe-693 - - owasp-top-10 - checkmarx-android - boost-baseline - ALL 
@@ -31269,7 +30629,6 @@ rules:
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Android_Screen_Caching:
 categories:
- - owasp-top-10
 - checkmarx-android
 - cwe-524
 - boost-baseline
@@ -31339,7 +30698,6 @@ rules:
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Android_Use_of_Native_Language:
 categories:
- - owasp-top-10
 - checkmarx-android
 - cwe-695
 - boost-baseline
@@ -31355,7 +30713,6 @@ rules:
 categories:
 - boost-hardened
 - boost-baseline
- - owasp-top-10
 - checkmarx-android
 - cwe-749
 - ALL
@@ -31384,7 +30741,6 @@ rules:
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Android_WebView_Cache_Information_Leak:
 categories:
- - owasp-top-10
 - checkmarx-android
 - cwe-524
 - boost-baseline
@@ -31413,7 +30769,6 @@ rules:
 Java_Best_Coding_Practice_Array_Declared_Public_Final_and_Static:
 categories:
 - cwe-582
- - owasp-top-10
 - checkmarx-best-coding-practices
 - boost-baseline
 - ALL
@@ -31427,7 +30782,6 @@ rules:
 Java_Best_Coding_Practice_Assigning_instead_of_Comparing:
 categories:
 - cwe-481
- - owasp-top-10
 - checkmarx-best-coding-practices
 - boost-baseline
 - ALL
@@ -31441,7 +30795,6 @@ rules:
 Java_Best_Coding_Practice_Call_to_Thread_run:
 categories:
 - cwe-572
- - owasp-top-10
 - checkmarx-best-coding-practices
 - boost-baseline
 - ALL
@@ -31455,7 +30808,6 @@ rules:
 Java_Best_Coding_Practice_Catch_NullPointerException:
 categories:
 - cwe-395
- - owasp-top-10
 - checkmarx-best-coding-practices
 - boost-baseline
 - ALL
@@ -31468,7 +30820,6 @@ rules:
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Best_Coding_Practice_Comparing_instead_of_Assigning:
 categories:
- - owasp-top-10
 - cwe-482
 - checkmarx-best-coding-practices
 - boost-baseline
@@ -31483,7 +30834,6 @@ rules:
 Java_Best_Coding_Practice_Comparison_of_Classes_By_Name:
 categories:
 - cwe-486
- - owasp-top-10
 - checkmarx-best-coding-practices
 - boost-baseline
 - ALL
@@ -31496,7 +30846,6 @@ rules:
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Best_Coding_Practice_Confusing_Naming:
 categories:
- - owasp-top-10
 - cwe-710
 - checkmarx-best-coding-practices
 - boost-baseline
@@ -31511,7 +30860,6 @@ rules:
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Best_Coding_Practice_Critical_Public_Variable_Without_Final_Modifier:
 categories:
- - owasp-top-10
 - cwe-493
 - checkmarx-best-coding-practices
 - boost-baseline
@@ -31526,7 +30874,6 @@ rules:
 Java_Best_Coding_Practice_Dead_Code:
 categories:
 - cwe-561
- - owasp-top-10
 - checkmarx-best-coding-practices
 - boost-baseline
 - ALL
@@ -31539,7 +30886,6 @@ rules:
 Java_Best_Coding_Practice_Declaration_Of_Catch_For_Generic_Exception:
 categories:
 - cwe-396
- - owasp-top-10
 - checkmarx-best-coding-practices
 - boost-baseline
 - ALL
@@ -31552,7 +30898,6 @@ rules:
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Best_Coding_Practice_Declaration_of_Throws_for_Generic_Exception:
 categories:
- - owasp-top-10
 - cwe-397
 - checkmarx-best-coding-practices
 - boost-baseline
@@ -31567,7 +30912,6 @@ rules:
 Java_Best_Coding_Practice_Detection_of_Error_Condition_Without_Action:
 categories:
 - cwe-390
- - owasp-top-10
 - checkmarx-best-coding-practices
 - boost-baseline
 - ALL
@@ -31581,7 +30925,6 @@ rules:
 Java_Best_Coding_Practice_Direct_Use_of_Sockets:
 categories:
 - boost-baseline
- - owasp-top-10
 - checkmarx-best-coding-practices
 - cwe-246
 - ALL
@@ -31595,7 +30938,6 @@ rules:
 Java_Best_Coding_Practice_Direct_Use_of_Threads:
 categories:
 - ALL
- - owasp-top-10
 - checkmarx-best-coding-practices
 - boost-baseline
 - cwe-383
@@ -31640,7 +30982,6 @@ rules:
 Java_Best_Coding_Practice_Dynamic_Set_Of_Null_SecurityManager:
 categories:
 - cwe-274
- - owasp-top-10
 - checkmarx-best-coding-practices
 - boost-baseline
 - ALL
@@ -31653,7 +30994,6 @@ rules:
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Best_Coding_Practice_ESAPI_Banned_API:
 categories:
- - owasp-top-10
 - checkmarx-best-coding-practices
 - cwe-676
 - boost-baseline
@@ -31668,7 +31008,6 @@ rules:
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Best_Coding_Practice_Empty_Methods:
 categories:
- - owasp-top-10
 - cwe-398
 - checkmarx-best-coding-practices
 - boost-baseline
@@ -31682,7 +31021,6 @@ rules:
 Java_Best_Coding_Practice_Empty_Synchronized_Block:
 categories:
 - cwe-585
- - owasp-top-10
 - checkmarx-best-coding-practices
 - boost-baseline
 - ALL
@@ -31695,7 +31033,6 @@ rules:
 Java_Best_Coding_Practice_Empty_TryBlocks:
 categories:
 - cwe-390
- - owasp-top-10
 - checkmarx-best-coding-practices
 - boost-baseline
 - ALL
@@ -31708,7 +31045,6 @@ rules:
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Best_Coding_Practice_Explicit_Call_to_Finalize:
 categories:
- - owasp-top-10
 - checkmarx-best-coding-practices
 - boost-baseline
 - ALL
@@ -31722,7 +31058,6 @@ rules:
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Best_Coding_Practice_Exposure_of_Resource_to_Wrong_Sphere:
 categories:
- - owasp-top-10
 - cwe-493
 - checkmarx-best-coding-practices
 - boost-baseline
@@ -31737,7 +31072,6 @@ rules:
 Java_Best_Coding_Practice_Expression_is_Always_False:
 categories:
 - cwe-570
- - owasp-top-10
 - checkmarx-best-coding-practices
 - boost-baseline
 - ALL
@@ -31749,7 +31083,6 @@ rules:
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Best_Coding_Practice_Expression_is_Always_True:
 categories:
- - owasp-top-10
 - cwe-571
 - checkmarx-best-coding-practices
 - boost-baseline
@@ -31762,7 +31095,6 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Java_Best_Coding_Practice_Failure_to_Catch_All_Exceptions_in_Servlet: categories: - - owasp-top-10 - checkmarx-best-coding-practices - cwe-600 - boost-baseline @@ -31776,7 +31108,6 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Java_Best_Coding_Practice_GOTO_Statement: categories: - - owasp-top-10 - checkmarx-best-coding-practices - boost-baseline - ALL @@ -31825,7 +31156,6 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Java_Best_Coding_Practice_Improper_Initialization: categories: - - owasp-top-10 - checkmarx-best-coding-practices - cwe-665 - boost-baseline @@ -31840,7 +31170,6 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Java_Best_Coding_Practice_Incorrect_Block_Delimitation: categories: - - owasp-top-10 - checkmarx-best-coding-practices - boost-baseline - ALL @@ -31855,7 +31184,6 @@ rules: Java_Best_Coding_Practice_Incorrect_Conversion_between_Numeric_Types: categories: - cwe-681 - - owasp-top-10 - checkmarx-best-coding-practices - boost-baseline - ALL @@ -31873,7 +31201,6 @@ rules: - boost-baseline - ALL - checkmarx-best-coding-practices - - owasp-top-10 description: Input data in a Java application is not being normalized, increasing the risk of data processing errors, security vulnerabilities, and malformed input exploitation. @@ -31888,6 +31215,7 @@ rules: - ALL - checkmarx-best-coding-practices - cwe-778 + - owasp-top-10 description: When a security-critical event occurs, the product either does not record the event or omits important details about the event when logging it. group: top10-security-logging-monitoring-failures 
@@ -31901,6 +31229,7 @@ rules: - ALL - checkmarx-best-coding-practices - cwe-778 + - owasp-top-10 description: When a security-critical event occurs, the product either does not record the event or omits important details about the event when logging it. group: top10-security-logging-monitoring-failures @@ -31911,7 +31240,6 @@ rules: Java_Best_Coding_Practice_Just_One_of_Equals_and_Hash_code_Defined: categories: - ALL - - owasp-top-10 - checkmarx-best-coding-practices - boost-baseline - cwe-581 @@ -31924,7 +31252,6 @@ rules: Java_Best_Coding_Practice_Leftover_Debug_Code: categories: - cwe-489 - - owasp-top-10 - checkmarx-best-coding-practices - boost-baseline - ALL @@ -31939,7 +31266,6 @@ rules: Java_Best_Coding_Practice_Missing_Default_Case_In_Switch_Statement: categories: - cwe-478 - - owasp-top-10 - checkmarx-best-coding-practices - boost-baseline - ALL @@ -31953,7 +31279,6 @@ rules: Java_Best_Coding_Practice_Missing_XML_Validation: categories: - cwe-112 - - owasp-top-10 - checkmarx-best-coding-practices - boost-baseline - ALL @@ -31980,7 +31305,6 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Java_Best_Coding_Practice_Not_Static_Final_Logger: categories: - - owasp-top-10 - cwe-398 - checkmarx-best-coding-practices - boost-baseline @@ -31993,7 +31317,6 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Java_Best_Coding_Practice_Null_Pointer_Dereference: categories: - - owasp-top-10 - checkmarx-best-coding-practices - cwe-476 - boost-baseline @@ -32010,7 +31333,6 @@ rules: Java_Best_Coding_Practice_Omitted_Break_Statement_In_Switch: categories: - cwe-484 - - owasp-top-10 - checkmarx-best-coding-practices - boost-baseline - ALL 
@@ -32025,7 +31347,6 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Java_Best_Coding_Practice_Pages_Without_Global_Error_Handler: categories: - - owasp-top-10 - cwe-544 - checkmarx-best-coding-practices - boost-baseline @@ -32041,7 +31362,6 @@ rules: Java_Best_Coding_Practice_Portability_Flaw_In_File_Separator: categories: - cwe-474 - - owasp-top-10 - checkmarx-best-coding-practices - boost-baseline - ALL @@ -32057,7 +31377,6 @@ rules: - boost-baseline - ALL - checkmarx-best-coding-practices - - owasp-top-10 description: Indicates the potential usage of Spring Shell libraries, posing a risk of code execution vulnerability if unattended commands are exposed to the user. @@ -32068,7 +31387,6 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Java_Best_Coding_Practice_Potential_Usage_of_Vulnerable_Log4J: categories: - - owasp-top-10 - cwe-400 - checkmarx-best-coding-practices - boost-baseline @@ -32084,7 +31402,6 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Java_Best_Coding_Practice_Potentially_Serializable_Class_With_Sensitive_Data: categories: - - owasp-top-10 - checkmarx-best-coding-practices - cwe-499 - boost-baseline @@ -32099,7 +31416,6 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Java_Best_Coding_Practice_Public_Static_Field_Not_Marked_Final: categories: - - owasp-top-10 - checkmarx-best-coding-practices - cwe-500 - boost-baseline @@ -32113,7 +31429,6 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Java_Best_Coding_Practice_Reachable_Assertion: categories: - - owasp-top-10 - cwe-617 - checkmarx-best-coding-practices - boost-baseline @@ -32129,7 +31444,6 @@ rules: Java_Best_Coding_Practice_Redirect_Without_Exit: categories: - cwe-698 - - owasp-top-10 - checkmarx-best-coding-practices - boost-baseline - ALL 
@@ -32158,7 +31472,6 @@ rules:
 Java_Best_Coding_Practice_Return_Inside_Finally_Block:
 categories:
 - cwe-584
- - owasp-top-10
 - checkmarx-best-coding-practices
 - boost-baseline
 - ALL
@@ -32172,7 +31485,6 @@ rules:
 Java_Best_Coding_Practice_Suspicious_Endpoints:
 categories:
 - cwe-923
- - owasp-top-10
 - checkmarx-best-coding-practices
 - boost-baseline
 - ALL
@@ -32186,7 +31498,6 @@ rules:
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Best_Coding_Practice_Unchecked_Error_Condition:
 categories:
- - owasp-top-10
 - cwe-391
 - checkmarx-best-coding-practices
 - boost-baseline
@@ -32200,7 +31511,6 @@ rules:
 Java_Best_Coding_Practice_Unchecked_Return_Value:
 categories:
 - cwe-252
- - owasp-top-10
 - checkmarx-best-coding-practices
 - boost-baseline
 - ALL
@@ -32213,7 +31523,6 @@ rules:
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Best_Coding_Practice_Unclosed_Objects:
 categories:
- - owasp-top-10
 - checkmarx-best-coding-practices
 - boost-baseline
 - ALL
@@ -32228,7 +31537,6 @@ rules:
 Java_Best_Coding_Practice_Uncontrolled_Recursion:
 categories:
 - cwe-674
- - owasp-top-10
 - checkmarx-best-coding-practices
 - boost-baseline
 - ALL
@@ -32243,7 +31551,6 @@ rules:
 Java_Best_Coding_Practice_Undocumented_API:
 categories:
 - cwe-1059
- - owasp-top-10
 - checkmarx-best-coding-practices
 - boost-baseline
 - ALL
@@ -32293,7 +31600,6 @@ rules:
 ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
 Java_Best_Coding_Practice_Unused_Variable:
 categories:
- - owasp-top-10
 - cwe-563
 - checkmarx-best-coding-practices
 - boost-baseline
@@ -32308,7 +31614,6 @@ rules:
 Java_Best_Coding_Practice_Use_Of_Uninitialized_Variables:
 categories:
 - cwe-457
- - owasp-top-10
 - checkmarx-best-coding-practices
 - boost-baseline
 - ALL
@@ -32322,7 +31627,6 @@ rules: Java_Best_Coding_Practice_Use_of_Inner_Class_Containing_Sensitive_Data: categories: - cwe-492 - - owasp-top-10 - checkmarx-best-coding-practices - boost-baseline - ALL @@ -32337,7 +31641,6 @@ rules: Java_Best_Coding_Practice_Use_of_Obsolete_Functions: categories: - cwe-477 - - owasp-top-10 - checkmarx-best-coding-practices - boost-baseline - ALL @@ -32350,7 +31653,6 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Java_Best_Coding_Practice_Use_of_System_Output_Stream: categories: - - owasp-top-10 - cwe-398 - checkmarx-best-coding-practices - boost-baseline @@ -32364,7 +31666,6 @@ rules: Java_Best_Coding_Practice_Use_of_System_exit: categories: - cwe-382 - - owasp-top-10 - checkmarx-best-coding-practices - boost-baseline - ALL @@ -32378,7 +31679,6 @@ rules: Java_Best_Coding_Practice_Use_of_Wrong_Operator_in_String_Comparison: categories: - cwe-597 - - owasp-top-10 - checkmarx-best-coding-practices - boost-baseline - ALL @@ -32392,7 +31692,6 @@ rules: Java_Best_Coding_Practice_clone_Method_Without_super_clone: categories: - cwe-580 - - owasp-top-10 - checkmarx-best-coding-practices - boost-baseline - ALL @@ -32405,7 +31704,6 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Java_Best_Coding_Practice_finalize_Method_Declared_Public: categories: - - owasp-top-10 - checkmarx-best-coding-practices - boost-baseline - ALL @@ -32420,7 +31718,6 @@ rules: Java_Best_Coding_Practice_finalize_Method_Without_super_finalize: categories: - cwe-568 - - owasp-top-10 - checkmarx-best-coding-practices - boost-baseline - ALL @@ -32434,7 +31731,6 @@ rules: categories: - boost-baseline - ALL - - owasp-top-10 description: Identifies instances in Java code where unsafe, potentially exploitable packages or classes are imported, risking security vulnerabilities. group: top10-injection 
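Review bot: The hunk at @@ -32434 removes `owasp-top-10` from a rule that has no cwe-* category at all while its `group:` line still reads `top10-injection`, so the rule is now filed under an OWASP Top 10 heading but no longer carries the tag that selects OWASP rules. The first hunk of the following line (the Java `.find()` ReDoS rule) has the same shape, though its group line is outside that hunk. A CWE-list-driven normalization can never match a rule that declares no CWE, so these rules should either get the CWE they actually detect or have their `group` adjusted, so that `group` and `categories` agree. The rule's name line is outside the hunk.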
@@ -32446,7 +31742,6 @@ rules: categories: - boost-baseline - ALL - - owasp-top-10 description: Java code where '.find()' methods are employed could introduce potential Regular Expression Denial of Service (ReDoS) vulnerabilities if user-supplied input is not properly sanitized. @@ -32807,7 +32102,6 @@ rules: Java_High_Risk_Mongo_NoSQL_Injection: categories: - boost-hardened - - owasp-top-10 - cwe-943 - boost-baseline - ALL @@ -33009,7 +32303,6 @@ rules: - boost-baseline - ALL - checkmarx-low-visibility - - owasp-top-10 description: The Citrus Developer Mode, a testing tool for Java, has been enabled in a production setting. This exposes sensitive information and debug data that could be exploited. @@ -33022,7 +32315,6 @@ rules: categories: - cwe-171 - checkmarx-low-visibility - - owasp-top-10 - boost-baseline - ALL description: Improper handling of data within protection mechanisms that attempt @@ -33036,7 +32328,6 @@ rules: categories: - checkmarx-low-visibility - cwe-182 - - owasp-top-10 - boost-baseline - ALL description: The product filters data in a way that causes it to be reduced or @@ -33079,7 +32370,6 @@ rules: categories: - ALL - checkmarx-low-visibility - - owasp-top-10 - boost-baseline - cwe-378 description: Opening temporary files without appropriate measures or controls @@ -33094,7 +32384,6 @@ rules: categories: - cwe-379 - checkmarx-low-visibility - - owasp-top-10 - boost-baseline - ALL description: The product creates a temporary file in a directory whose permissions @@ -33109,7 +32398,6 @@ rules: categories: - cwe-203 - checkmarx-low-visibility - - owasp-top-10 - boost-baseline - ALL description: The product behaves differently or sends different responses under @@ -33127,6 +32415,7 @@ rules: - ALL - checkmarx-low-visibility - cwe-15 + - owasp-top-10 description: One or more system settings or configuration elements can be externally controlled by a user. group: top10-security-misconfiguration 
@@ -33138,7 +32427,6 @@ rules:
 categories:
 - checkmarx-low-visibility
 - cwe-362
- - owasp-top-10
 - boost-baseline
 - ALL
 - cwe-top-25
@@ -33154,7 +32442,6 @@ rules:
 Java_Low_Visibility_Divide_By_Zero:
 categories:
 - checkmarx-low-visibility
- - owasp-top-10
 - cwe-369
 - boost-baseline
 - ALL
@@ -33227,7 +32514,6 @@ rules:
 categories:
 - cwe-732
 - checkmarx-low-visibility
- - owasp-top-10
 - boost-baseline
 - ALL
 description: The product specifies permissions for a security-critical resource
@@ -33241,7 +32527,6 @@ rules:
 categories:
 - cwe-244
 - checkmarx-low-visibility
- - owasp-top-10
 - boost-baseline
 - ALL
 description: Using realloc() to resize buffers that store sensitive information
@@ -33273,7 +32558,6 @@ rules:
 categories:
 - cwe-248
 - checkmarx-low-visibility
- - owasp-top-10
 - boost-baseline
 - ALL
 description: An exception is thrown from a function, but it is not caught.
@@ -33300,7 +32584,6 @@ rules:
 categories:
 - cwe-413
 - checkmarx-low-visibility
- - owasp-top-10
 - boost-baseline
 - ALL
 description: The product does not lock or does not correctly lock a resource when
@@ -33314,7 +32597,6 @@ rules:
 categories:
 - cwe-404
 - checkmarx-low-visibility
- - owasp-top-10
 - boost-baseline
 - ALL
 description: The product does not release or incorrectly releases a resource before
@@ -33342,7 +32624,6 @@ rules:
 categories:
 - cwe-460
 - checkmarx-low-visibility
- - owasp-top-10
 - boost-baseline
 - ALL
 description: The product does not clean up its state or incorrectly cleans up
@@ -33357,7 +32638,6 @@ rules:
 categories:
 - cwe-732
 - checkmarx-low-visibility
- - owasp-top-10
 - boost-baseline
 - ALL
 description: The product specifies permissions for a security-critical resource
@@ -33370,7 +32650,6 @@ rules:
 Java_Low_Visibility_Information_Exposure_Through_Debug_Log:
 categories:
 - checkmarx-low-visibility
- - owasp-top-10
 - cwe-534
 - boost-baseline
 - ALL
@@ -33399,7 +32678,6 @@ rules: categories: - ALL - checkmarx-low-visibility - - owasp-top-10 - boost-baseline - cwe-533 description: This entry has been deprecated because its abstraction was too low-level. @@ -33427,7 +32705,6 @@ rules: categories: - cwe-615 - checkmarx-low-visibility - - owasp-top-10 - boost-baseline - ALL description: 'While adding general comments is very useful, some programmers tend @@ -33457,7 +32734,6 @@ rules: categories: - cwe-535 - checkmarx-low-visibility - - owasp-top-10 - boost-baseline - ALL description: A command shell error message indicates that there exists an unhandled @@ -33503,7 +32779,6 @@ rules: categories: - cwe-190 - checkmarx-low-visibility - - owasp-top-10 - boost-baseline - ALL - cwe-top-25 @@ -33520,7 +32795,6 @@ rules: categories: - cwe-191 - checkmarx-low-visibility - - owasp-top-10 - boost-baseline - ALL description: The product subtracts one value from another, such that the result @@ -33564,7 +32838,6 @@ rules: Java_Low_Visibility_Leaving_Temporary_File: categories: - checkmarx-low-visibility - - owasp-top-10 - boost-baseline - ALL - cwe-376 @@ -33580,6 +32853,7 @@ rules: - ALL - cwe-117 - checkmarx-low-visibility + - owasp-top-10 description: The product does not neutralize or incorrectly neutralizes output that is written to logs. group: top10-security-logging-monitoring-failures @@ -33619,7 +32893,6 @@ rules: categories: - checkmarx-low-visibility - cwe-549 - - owasp-top-10 - boost-baseline - ALL description: The product does not mask passwords during entry, increasing the @@ -33663,7 +32936,6 @@ rules: categories: - checkmarx-low-visibility - cwe-491 - - owasp-top-10 - boost-baseline - ALL description: A class has a cloneable() method that is not declared final, which @@ -33678,7 +32950,6 @@ rules: categories: - cwe-193 - checkmarx-low-visibility - - owasp-top-10 - boost-baseline - ALL description: A product calculates or uses an incorrect maximum or minimum value 
@@ -33720,7 +32991,6 @@ rules: Java_Low_Visibility_Parse_Double_DoS: categories: - checkmarx-low-visibility - - owasp-top-10 - boost-baseline - ALL - cwe-730 @@ -33734,7 +33004,6 @@ rules: categories: - cwe-615 - checkmarx-low-visibility - - owasp-top-10 - boost-baseline - ALL description: 'While adding general comments is very useful, some programmers tend @@ -33766,6 +33035,7 @@ rules: - ALL - checkmarx-low-visibility - cwe-315 + - owasp-top-10 description: The product stores sensitive information in cleartext in a cookie. group: top10-security-misconfiguration name: Java_Low_Visibility_Plaintext_Storage_in_a_Cookie @@ -33776,7 +33046,6 @@ rules: categories: - cwe-474 - checkmarx-low-visibility - - owasp-top-10 - boost-baseline - ALL description: The code uses a function that has inconsistent implementations across @@ -33789,7 +33058,6 @@ rules: Java_Low_Visibility_Potential_ReDoS: categories: - checkmarx-low-visibility - - owasp-top-10 - cwe-400 - boost-baseline - ALL @@ -33805,7 +33073,6 @@ rules: Java_Low_Visibility_Potential_ReDoS_By_Injection: categories: - checkmarx-low-visibility - - owasp-top-10 - cwe-400 - boost-baseline - ALL @@ -33821,7 +33088,6 @@ rules: Java_Low_Visibility_Potential_ReDoS_In_Match: categories: - checkmarx-low-visibility - - owasp-top-10 - cwe-400 - boost-baseline - ALL @@ -33837,7 +33103,6 @@ rules: Java_Low_Visibility_Potential_ReDoS_In_Replace: categories: - checkmarx-low-visibility - - owasp-top-10 - cwe-400 - boost-baseline - ALL @@ -33853,7 +33118,6 @@ rules: Java_Low_Visibility_Potential_ReDoS_In_Static_Field: categories: - checkmarx-low-visibility - - owasp-top-10 - cwe-400 - boost-baseline - ALL @@ -33869,7 +33133,6 @@ rules: Java_Low_Visibility_Private_Array_Returned_From_A_Public_Method: categories: - checkmarx-low-visibility - - owasp-top-10 - boost-baseline - ALL - cwe-495 
@@ -33884,7 +33147,6 @@ rules: categories: - boost-baseline - checkmarx-low-visibility - - owasp-top-10 - cwe-496 - ALL description: Assigning public data to a private array is equivalent to giving @@ -33898,7 +33160,6 @@ rules: categories: - cwe-607 - checkmarx-low-visibility - - owasp-top-10 - boost-baseline - ALL description: A public or protected static final field references a mutable object, @@ -33913,7 +33174,6 @@ rules: categories: - checkmarx-low-visibility - cwe-362 - - owasp-top-10 - boost-baseline - ALL - cwe-top-25 @@ -33930,7 +33190,6 @@ rules: categories: - checkmarx-low-visibility - cwe-362 - - owasp-top-10 - boost-baseline - ALL - cwe-top-25 @@ -33949,6 +33208,7 @@ rules: - ALL - checkmarx-low-visibility - cwe-15 + - owasp-top-10 description: One or more system settings or configuration elements can be externally controlled by a user. group: top10-security-misconfiguration @@ -33975,7 +33235,6 @@ rules: categories: - cwe-350 - checkmarx-low-visibility - - owasp-top-10 - boost-baseline - ALL description: The product performs reverse DNS resolution on an IP address to obtain @@ -34009,6 +33268,7 @@ rules: - cwe-614 - checkmarx-low-visibility - ALL + - owasp-top-10 description: The Secure attribute for sensitive cookies in HTTPS sessions is not set, which could cause the user agent to send those cookies in plaintext over an HTTP session. @@ -34020,7 +33280,6 @@ rules: Java_Low_Visibility_Serializable_Class_Containing_Sensitive_Data: categories: - checkmarx-low-visibility - - owasp-top-10 - cwe-499 - boost-baseline - ALL @@ -34053,6 +33312,7 @@ rules: - ALL - checkmarx-low-visibility - cwe-15 + - owasp-top-10 description: One or more system settings or configuration elements can be externally controlled by a user. group: top10-security-misconfiguration 
@@ -34066,6 +33326,7 @@ rules: - ALL - cwe-117 - checkmarx-low-visibility + - owasp-top-10 description: The product does not neutralize or incorrectly neutralizes output that is written to logs. group: top10-security-logging-monitoring-failures @@ -34111,7 +33372,6 @@ rules: Java_Low_Visibility_TOCTOU: categories: - checkmarx-low-visibility - - owasp-top-10 - boost-baseline - ALL - cwe-367 @@ -34190,7 +33450,6 @@ rules: categories: - cwe-248 - checkmarx-low-visibility - - owasp-top-10 - boost-baseline - ALL description: An exception is thrown from a function, but it is not caught. @@ -34202,7 +33461,6 @@ rules: Java_Low_Visibility_Unchecked_Return_Value_to_NULL_Pointer_Dereference: categories: - checkmarx-low-visibility - - owasp-top-10 - cwe-690 - boost-baseline - ALL @@ -34218,7 +33476,6 @@ rules: categories: - cwe-134 - checkmarx-low-visibility - - owasp-top-10 - boost-baseline - ALL description: The product uses a function that accepts a format string as an argument, @@ -34232,7 +33489,6 @@ rules: categories: - cwe-789 - checkmarx-low-visibility - - owasp-top-10 - boost-baseline - ALL description: The product allocates memory based on an untrusted, large size value, @@ -34262,7 +33518,6 @@ rules: categories: - cwe-567 - checkmarx-low-visibility - - owasp-top-10 - boost-baseline - ALL description: The product does not properly synchronize shared data, such as static @@ -34293,6 +33548,7 @@ rules: - ALL - checkmarx-low-visibility - cwe-260 + - owasp-top-10 description: The product stores a password in a configuration file that might be accessible to actors who do not know the password. group: top10-security-misconfiguration @@ -34303,7 +33559,6 @@ rules: Java_Low_Visibility_Use_Of_getenv: categories: - checkmarx-low-visibility - - owasp-top-10 - cwe-589 - boost-baseline - ALL @@ -34331,7 +33586,6 @@ rules: Java_Low_Visibility_Use_of_Client_Side_Authentication: categories: - checkmarx-low-visibility - - owasp-top-10 - cwe-603 - boost-baseline - ALL 
@@ -34349,6 +33603,7 @@ rules: - ALL - cwe-547 - checkmarx-low-visibility + - owasp-top-10 description: The product uses hard-coded constants instead of symbolic names for security-critical values, which increases the likelihood of mistakes during code maintenance or security policy change. @@ -34389,7 +33644,6 @@ rules: categories: - cwe-293 - checkmarx-low-visibility - - owasp-top-10 - boost-baseline - ALL description: The referer field in HTTP requests can be easily modified and, as @@ -34402,7 +33656,6 @@ rules: Java_Medium_Threat_Absolute_Path_Traversal: categories: - checkmarx-medium-threat - - owasp-top-10 - cwe-36 - boost-baseline - ALL @@ -34481,7 +33734,6 @@ rules: categories: - checkmarx-medium-threat - cwe-254 - - owasp-top-10 - boost-baseline - ALL description: The product is saving client state in JavaServer Faces (JSF), potentially @@ -34523,7 +33775,6 @@ rules: Java_Medium_Threat_Direct_Use_of_Unsafe_JNI: categories: - checkmarx-medium-threat - - owasp-top-10 - boost-baseline - ALL - cwe-111 @@ -34538,7 +33789,6 @@ rules: Java_Medium_Threat_DoS_by_Sleep: categories: - checkmarx-medium-threat - - owasp-top-10 - boost-baseline - ALL description: The product performs an iteration or loop without sufficiently limiting @@ -34598,6 +33848,7 @@ rules: - ALL - checkmarx-medium-threat - cwe-15 + - owasp-top-10 description: One or more system settings or configuration elements can be externally controlled by a user. group: top10-security-misconfiguration @@ -34640,6 +33891,7 @@ rules: - ALL - cwe-547 - checkmarx-medium-threat + - owasp-top-10 description: The product uses hard-coded constants instead of symbolic names for security-critical values, which increases the likelihood of mistakes during code maintenance or security policy change. 
@@ -34654,6 +33906,7 @@ rules: - ALL - boost-baseline - checkmarx-medium-threat + - owasp-top-10 description: The product uses a cookie to store sensitive information, but the cookie is not marked with the HttpOnly flag. group: top10-security-misconfiguration @@ -34667,6 +33920,7 @@ rules: - ALL - boost-baseline - checkmarx-medium-threat + - owasp-top-10 description: The product uses a cookie to store sensitive information, but the cookie is not marked with the HttpOnly flag. group: top10-security-misconfiguration @@ -34678,7 +33932,6 @@ rules: categories: - checkmarx-medium-threat - cwe-667 - - owasp-top-10 - boost-baseline - ALL description: The product does not properly acquire or release a lock on a resource, @@ -34695,6 +33948,7 @@ rules: - boost-baseline - ALL - cwe-top-25 + - owasp-top-10 description: The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output. @@ -34710,6 +33964,7 @@ rules: - boost-baseline - ALL - cwe-top-25 + - owasp-top-10 description: The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output. @@ -34844,7 +34099,6 @@ rules: - boost-baseline - ALL - checkmarx-medium-threat - - owasp-top-10 description: A Java deserialization filter is misconfigured, thereby increasing the risk of untrusted input being deserialized, which can potentially lead to arbitrary code execution. @@ -34870,7 +34124,6 @@ rules: Java_Medium_Threat_Multiple_Binds_to_the_Same_Port: categories: - checkmarx-medium-threat - - owasp-top-10 - boost-baseline - ALL - cwe-605 @@ -34928,7 +34181,6 @@ rules: Java_Medium_Threat_Process_Control: categories: - checkmarx-medium-threat - - owasp-top-10 - cwe-114 - boost-baseline - ALL 
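Review bot: The deserialization-filter rule in the `@@ -34844` hunk is left with no `cwe-*` category in view (only `boost-baseline`, `ALL` and `checkmarx-medium-threat` remain, though the list may continue above the hunk), yet its description is the insecure-deserialization case that OWASP 2021 lists under A08, so removing the tag disconnects it from the OWASP view entirely. The `Java_Spring_Spring_defaultHtmlEscape_Not_True` hunk (`@@ -35910`, two lines further down) shows the complete picture: `categories:` immediately precedes the removed line and only `boost-baseline` and `ALL` are left, so a rule about disabled HTML escaping is no longer an OWASP rule. The normalizer's new name match only rescues rules whose lower-cased name literally appears in the list file, so these rules need a weakness tag rather than relying on that fallback — presumably `- cwe-502` for the filter rule and `- cwe-79` for the escaping rule, but confirm against the full rule bodies, which are outside the hunks.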
@@ -34943,7 +34195,6 @@ rules: Java_Medium_Threat_ReDoS_From_Regex_Injection: categories: - checkmarx-medium-threat - - owasp-top-10 - cwe-400 - boost-baseline - ALL @@ -34959,7 +34210,6 @@ rules: Java_Medium_Threat_ReDoS_In_Match: categories: - checkmarx-medium-threat - - owasp-top-10 - cwe-400 - boost-baseline - ALL @@ -34975,7 +34225,6 @@ rules: Java_Medium_Threat_ReDoS_In_Pattern: categories: - checkmarx-medium-threat - - owasp-top-10 - cwe-400 - boost-baseline - ALL @@ -34991,7 +34240,6 @@ rules: Java_Medium_Threat_ReDoS_In_Replace: categories: - checkmarx-medium-threat - - owasp-top-10 - cwe-400 - boost-baseline - ALL @@ -35055,7 +34303,6 @@ rules: categories: - checkmarx-medium-threat - cwe-599 - - owasp-top-10 - boost-baseline - ALL description: The product uses OpenSSL and trusts or uses a certificate without @@ -35114,7 +34361,6 @@ rules: Java_Medium_Threat_Stored_Absolute_Path_Traversal: categories: - checkmarx-medium-threat - - owasp-top-10 - cwe-36 - boost-baseline - ALL @@ -35178,7 +34424,6 @@ rules: Java_Medium_Threat_Unchecked_Input_for_Loop_Condition: categories: - checkmarx-medium-threat - - owasp-top-10 - cwe-606 - boost-baseline - ALL @@ -35225,7 +34470,6 @@ rules: categories: - checkmarx-medium-threat - cwe-819 - - owasp-top-10 - boost-baseline - ALL description: Relates to using redirects and forwards that have not been validated. @@ -35294,7 +34538,6 @@ rules: Java_Medium_Threat_Use_of_Native_Language: categories: - checkmarx-medium-threat - - owasp-top-10 - cwe-695 - boost-baseline - ALL @@ -35422,6 +34665,7 @@ rules: - ALL - cwe-547 - checkmarx-potential + - owasp-top-10 description: The product uses hard-coded constants instead of symbolic names for security-critical values, which increases the likelihood of mistakes during code maintenance or security policy change. 
@@ -35609,6 +34853,7 @@ rules: - cwe-776 - ALL - checkmarx-potential + - owasp-top-10 description: The product uses XML documents and allows their structure to be defined with a Document Type Definition (DTD), but it does not properly control the number of recursive definitions of entities. @@ -35662,7 +34907,6 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Java_Spring_Spring_Comparison_Timing_Attack: categories: - - owasp-top-10 - boost-baseline - ALL - cwe-208 @@ -35691,7 +34935,6 @@ rules: Java_Spring_Spring_Missing_Expect_CT_Header: categories: - cwe-693 - - owasp-top-10 - boost-baseline - ALL description: The product does not use or incorrectly uses a protection mechanism @@ -35745,7 +34988,6 @@ rules: Java_Spring_Spring_Missing_XSS_Protection_Header: categories: - cwe-693 - - owasp-top-10 - boost-baseline - ALL description: The product does not use or incorrectly uses a protection mechanism @@ -35758,7 +35000,6 @@ rules: Java_Spring_Spring_Missing_X_Content_Type_Options: categories: - cwe-693 - - owasp-top-10 - boost-baseline - ALL description: The product does not use or incorrectly uses a protection mechanism @@ -35910,7 +35151,6 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Java_Spring_Spring_defaultHtmlEscape_Not_True: categories: - - owasp-top-10 - boost-baseline - ALL description: The setting for defaultHtmlEscape in the Spring configuration is @@ -35970,7 +35210,6 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Java_Stored_Stored_Mongo_NoSQL_Injection: categories: - - owasp-top-10 - checkmarx-stored - cwe-943 - boost-baseline @@ -36018,7 +35257,6 @@ rules: categories: - cwe-108 - checkmarx-structs - - owasp-top-10 - boost-baseline - ALL description: Every Action Form must have a corresponding validation form. 
@@ -36030,7 +35268,6 @@ rules: Java_Struts_Struts2_Duplicate_Action_Field_Validators: categories: - checkmarx-structs - - owasp-top-10 - cwe-102 - boost-baseline - ALL @@ -36045,7 +35282,6 @@ rules: Java_Struts_Struts2_Duplicate_Validators: categories: - checkmarx-structs - - owasp-top-10 - cwe-102 - boost-baseline - ALL @@ -36060,7 +35296,6 @@ rules: Java_Struts_Struts2_Undeclared_Validator: categories: - checkmarx-structs - - owasp-top-10 - cwe-105 - boost-baseline - ALL @@ -36075,7 +35310,6 @@ rules: Java_Struts_Struts2_Validation_File_Without_Action: categories: - checkmarx-structs - - owasp-top-10 - cwe-107 - boost-baseline - ALL @@ -36090,7 +35324,6 @@ rules: categories: - cwe-110 - checkmarx-structs - - owasp-top-10 - boost-baseline - ALL description: Validation fields that do not appear in forms they are associated @@ -36103,7 +35336,6 @@ rules: Java_Struts_Struts_Duplicate_Config_Files: categories: - checkmarx-structs - - owasp-top-10 - cwe-694 - boost-baseline - ALL @@ -36117,7 +35349,6 @@ rules: Java_Struts_Struts_Duplicate_Form_Bean: categories: - checkmarx-structs - - owasp-top-10 - cwe-694 - boost-baseline - ALL @@ -36131,7 +35362,6 @@ rules: Java_Struts_Struts_Duplicate_Validation_Files: categories: - checkmarx-structs - - owasp-top-10 - cwe-694 - boost-baseline - ALL @@ -36145,7 +35375,6 @@ rules: Java_Struts_Struts_Duplicate_Validation_Forms: categories: - checkmarx-structs - - owasp-top-10 - cwe-102 - boost-baseline - ALL @@ -36161,7 +35390,6 @@ rules: categories: - checkmarx-structs - cwe-104 - - owasp-top-10 - boost-baseline - ALL description: If a form bean does not extend an ActionForm subclass of the Validator @@ -36175,7 +35403,6 @@ rules: Java_Struts_Struts_Form_Field_Without_Validator: categories: - checkmarx-structs - - owasp-top-10 - cwe-105 - boost-baseline - ALL @@ -36190,7 +35417,6 @@ rules: Java_Struts_Struts_Incomplete_Validate_Method_Definition: categories: - checkmarx-structs - - owasp-top-10 - boost-baseline - ALL - cwe-103 
@@ -36205,7 +35431,6 @@ rules: categories: - cwe-457 - checkmarx-structs - - owasp-top-10 - boost-baseline - ALL description: The code uses a variable that has not been initialized, leading to @@ -36218,7 +35443,6 @@ rules: Java_Struts_Struts_Missing_Form_Bean_Name: categories: - checkmarx-structs - - owasp-top-10 - cwe-563 - boost-baseline - ALL @@ -36232,7 +35456,6 @@ rules: Java_Struts_Struts_Missing_Form_Bean_Type: categories: - checkmarx-structs - - owasp-top-10 - cwe-563 - boost-baseline - ALL @@ -36247,7 +35470,6 @@ rules: categories: - cwe-489 - checkmarx-structs - - owasp-top-10 - boost-baseline - ALL description: The product is deployed to unauthorized actors with debugging code @@ -36261,7 +35483,6 @@ rules: Java_Struts_Struts_Non_Private_Field_In_ActionForm_Class: categories: - checkmarx-structs - - owasp-top-10 - boost-baseline - ALL - cwe-608 @@ -36276,7 +35497,6 @@ rules: categories: - checkmarx-structs - cwe-362 - - owasp-top-10 - boost-baseline - ALL - cwe-top-25 @@ -36293,7 +35513,6 @@ rules: categories: - cwe-489 - checkmarx-structs - - owasp-top-10 - boost-baseline - ALL description: The product is deployed to unauthorized actors with debugging code @@ -36307,7 +35526,6 @@ rules: Java_Struts_Struts_Unused_Validation_Form: categories: - checkmarx-structs - - owasp-top-10 - cwe-107 - boost-baseline - ALL @@ -36322,7 +35540,6 @@ rules: categories: - cwe-108 - checkmarx-structs - - owasp-top-10 - boost-baseline - ALL description: Every Action Form must have a corresponding validation form. @@ -36335,7 +35552,6 @@ rules: categories: - cwe-21 - checkmarx-structs - - owasp-top-10 - boost-baseline - ALL description: The product uses external input to construct a pathname that should @@ -36349,7 +35565,6 @@ rules: Java_Struts_Struts_Validation_Turned_Off: categories: - checkmarx-structs - - owasp-top-10 - boost-baseline - ALL - cwe-109 
@@ -36365,7 +35580,6 @@ rules: categories: - cwe-110 - checkmarx-structs - - owasp-top-10 - boost-baseline - ALL description: Validation fields that do not appear in forms they are associated @@ -36445,7 +35659,6 @@ rules: Javascript_Kony_Kony_Deprecated_Functions: categories: - cwe-477 - - owasp-top-10 - checkmarx-kony - boost-baseline - ALL @@ -36610,6 +35823,7 @@ rules: - boost-baseline - ALL - cwe-15 + - owasp-top-10 description: One or more system settings or configuration elements can be externally controlled by a user. group: top10-security-misconfiguration @@ -36624,6 +35838,7 @@ rules: - boost-baseline - ALL - cwe-15 + - owasp-top-10 description: One or more system settings or configuration elements can be externally controlled by a user. group: top10-security-misconfiguration @@ -36667,7 +35882,6 @@ rules: categories: - boost-baseline - ALL - - owasp-top-10 - checkmarx-lightning description: The Aura component's attribute is defined with an 'Object' type, which can lead to potential type conflicts and unexpected behaviors due to lack @@ -36681,7 +35895,6 @@ rules: categories: - boost-baseline - ALL - - owasp-top-10 - checkmarx-lightning description: Names for Lightning components in JavaScript must start with a lowercase letter and can contain alphabets, numbers, or underscores, ensuring readability @@ -36713,7 +35926,6 @@ rules: categories: - boost-baseline - ALL - - owasp-top-10 - checkmarx-lightning description: Lightning data retrieval in a JavaScript file does not use the '@wire' decorator, leading to potential issues in data synchronization. @@ -36726,7 +35938,6 @@ rules: categories: - boost-baseline - ALL - - owasp-top-10 - checkmarx-lightning description: Dynamic href values in anchor tags within Salesforce's Lightning components are identified, which might result in unsafe redirects or content 
@@ -36757,7 +35968,6 @@ rules: categories: - boost-baseline - ALL - - owasp-top-10 - checkmarx-lightning description: Refers to the occurrence of using Aura components in Lightning Web Components (LWC), which is discouraged due to potential performance degradation @@ -36771,7 +35981,6 @@ rules: categories: - boost-baseline - ALL - - owasp-top-10 - checkmarx-lightning description: Event bubbling is improperly used in JavaScript Lightning Web Components (LWC), which can lead to unintended propagation of events and cause incorrect @@ -36785,7 +35994,6 @@ rules: categories: - boost-baseline - ALL - - owasp-top-10 - checkmarx-lightning description: Duplicate use of a single Apex controller method in multiple Lightning components is present. This might lead to unintended functionality coupling, @@ -36813,7 +36021,6 @@ rules: Kotlin_Android_Allowed_Backup: categories: - cwe-530 - - owasp-top-10 - checkmarx-android - boost-baseline - ALL @@ -36843,7 +36050,6 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Kotlin_Android_Client_Side_ReDoS: categories: - - owasp-top-10 - checkmarx-android - cwe-400 - boost-baseline @@ -36958,7 +36164,6 @@ rules: Kotlin_Android_Failure_to_Implement_Least_Privilege: categories: - ALL - - owasp-top-10 - checkmarx-android - boost-baseline - cwe-250 @@ -37014,7 +36219,6 @@ rules: Kotlin_Android_Improper_Verification_Of_Intent_By_Broadcast_Receiver: categories: - cwe-925 - - owasp-top-10 - checkmarx-android - boost-baseline - ALL @@ -37029,7 +36233,6 @@ rules: Kotlin_Android_Insecure_Android_SDK_Version: categories: - cwe-477 - - owasp-top-10 - checkmarx-android - boost-baseline - ALL @@ -37114,7 +36317,6 @@ rules: Kotlin_Android_Missing_Rooted_Device_Check: categories: - cwe-693 - - owasp-top-10 - checkmarx-android - boost-baseline - ALL @@ -37172,7 +36374,6 @@ rules: Kotlin_Android_ProGuard_Obfuscation_Not_In_Use: categories: - cwe-693 - - owasp-top-10 - checkmarx-android - boost-baseline - ALL 
@@ -37199,7 +36400,6 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Kotlin_Android_Screen_Caching: categories: - - owasp-top-10 - checkmarx-android - cwe-524 - boost-baseline @@ -37258,7 +36458,6 @@ rules: categories: - boost-hardened - boost-baseline - - owasp-top-10 - checkmarx-android - cwe-749 - ALL @@ -37272,7 +36471,6 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Kotlin_Android_WebView_Cache_Information_Leak: categories: - - owasp-top-10 - checkmarx-android - cwe-524 - boost-baseline @@ -37302,7 +36500,6 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Kotlin_Best_Coding_Practice_Potential_Usage_of_Vulnerable_Log4J: categories: - - owasp-top-10 - cwe-400 - checkmarx-best-coding-practices - boost-baseline @@ -37575,7 +36772,6 @@ rules: categories: - cwe-477 - checkmarx-low-visibility - - owasp-top-10 - boost-baseline - ALL description: The code uses deprecated or obsolete functions, which suggests that @@ -37619,7 +36815,6 @@ rules: categories: - cwe-615 - checkmarx-low-visibility - - owasp-top-10 - boost-baseline - ALL description: 'While adding general comments is very useful, some programmers tend @@ -37707,6 +36902,7 @@ rules: - ALL - boost-baseline - checkmarx-medium-threat + - owasp-top-10 description: The product uses a cookie to store sensitive information, but the cookie is not marked with the HttpOnly flag. group: top10-security-misconfiguration @@ -37837,7 +37033,6 @@ rules: Kotlin_Medium_Threat_Unchecked_Input_for_Loop_Condition: categories: - checkmarx-medium-threat - - owasp-top-10 - cwe-606 - boost-baseline - ALL @@ -37926,7 +37121,6 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Lua_Best_Coding_Practice_Empty_Methods: categories: - - owasp-top-10 - cwe-398 - checkmarx-best-coding-practices - boost-baseline 
@@ -37940,7 +37134,6 @@ rules: ObjectiveC_Best_Coding_Practice_Dead_Code: categories: - cwe-561 - - owasp-top-10 - checkmarx-best-coding-practices - boost-baseline - ALL @@ -37969,7 +37162,6 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html ObjectiveC_Best_Coding_Practice_Empty_Methods: categories: - - owasp-top-10 - cwe-398 - checkmarx-best-coding-practices - boost-baseline @@ -37983,7 +37175,6 @@ rules: ObjectiveC_Best_Coding_Practice_Expression_is_Always_False: categories: - cwe-570 - - owasp-top-10 - checkmarx-best-coding-practices - boost-baseline - ALL @@ -37995,7 +37186,6 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html ObjectiveC_Best_Coding_Practice_Expression_is_Always_True: categories: - - owasp-top-10 - cwe-571 - checkmarx-best-coding-practices - boost-baseline @@ -38008,7 +37198,6 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html ObjectiveC_Best_Coding_Practice_Missing_Colon_In_Selector: categories: - - owasp-top-10 - checkmarx-best-coding-practices - boost-baseline - ALL @@ -38188,7 +37377,6 @@ rules: categories: - cwe-530 - checkmarx-low-visibility - - owasp-top-10 - boost-baseline - ALL description: A backup file is stored in a directory or archive that is made accessible @@ -38216,7 +37404,6 @@ rules: categories: - cwe-477 - checkmarx-low-visibility - - owasp-top-10 - boost-baseline - ALL description: The code uses deprecated or obsolete functions, which suggests that @@ -38230,7 +37417,6 @@ rules: categories: - cwe-244 - checkmarx-low-visibility - - owasp-top-10 - boost-baseline - ALL description: Using realloc() to resize buffers that store sensitive information @@ -38245,7 +37431,6 @@ rules: categories: - cwe-404 - checkmarx-low-visibility - - owasp-top-10 - boost-baseline - ALL description: The product does not release or incorrectly releases a resource before 
@@ -38259,7 +37444,6 @@ rules: categories: - cwe-456 - checkmarx-low-visibility - - owasp-top-10 - boost-baseline - ALL description: The product does not initialize critical variables, which causes @@ -38286,7 +37470,6 @@ rules: ObjectiveC_Low_Visibility_Information_Leak_Through_Response_Caching: categories: - checkmarx-low-visibility - - owasp-top-10 - cwe-524 - boost-baseline - ALL @@ -38318,6 +37501,7 @@ rules: - ALL - cwe-117 - checkmarx-low-visibility + - owasp-top-10 description: The product does not neutralize or incorrectly neutralizes output that is written to logs. group: top10-security-logging-monitoring-failures @@ -38329,7 +37513,6 @@ rules: categories: - cwe-401 - checkmarx-low-visibility - - owasp-top-10 - boost-baseline - ALL description: The product does not sufficiently track and release allocated memory @@ -38370,7 +37553,6 @@ rules: categories: - cwe-693 - checkmarx-low-visibility - - owasp-top-10 - boost-baseline - ALL description: The product does not use or incorrectly uses a protection mechanism @@ -38384,7 +37566,6 @@ rules: categories: - cwe-252 - checkmarx-low-visibility - - owasp-top-10 - boost-baseline - ALL description: The product does not check the return value from a method or function, @@ -38398,7 +37579,6 @@ rules: categories: - cwe-615 - checkmarx-low-visibility - - owasp-top-10 - boost-baseline - ALL description: 'While adding general comments is very useful, some programmers tend @@ -38442,7 +37622,6 @@ rules: ObjectiveC_Low_Visibility_Potential_ReDoS: categories: - checkmarx-low-visibility - - owasp-top-10 - cwe-400 - boost-baseline - ALL @@ -38487,7 +37666,6 @@ rules: categories: - cwe-252 - checkmarx-low-visibility - - owasp-top-10 - boost-baseline - ALL description: The product does not check the return value from a method or function, 
@@ -38556,7 +37734,6 @@ rules: categories: - cwe-477 - checkmarx-low-visibility - - owasp-top-10 - boost-baseline - ALL description: The code uses deprecated or obsolete functions, which suggests that @@ -38570,7 +37747,6 @@ rules: categories: - cwe-404 - checkmarx-low-visibility - - owasp-top-10 - boost-baseline - ALL description: The product does not release or incorrectly releases a resource before @@ -38614,7 +37790,6 @@ rules: categories: - checkmarx-medium-threat - cwe-134 - - owasp-top-10 - boost-baseline - ALL description: The product uses a function that accepts a format string as an argument, @@ -38743,7 +37918,6 @@ rules: ObjectiveC_Medium_Threat_ReDoS: categories: - checkmarx-medium-threat - - owasp-top-10 - boost-baseline - ALL - cwe-1333 @@ -38758,7 +37932,6 @@ rules: ObjectiveC_Medium_Threat_Screen_Caching: categories: - checkmarx-medium-threat - - owasp-top-10 - cwe-524 - boost-baseline - ALL @@ -38790,6 +37963,7 @@ rules: - boost-baseline - ALL - cwe-top-25 + - owasp-top-10 description: The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output. @@ -39064,7 +38238,6 @@ rules: PHP_Medium_Threat_DoS_by_Sleep: categories: - checkmarx-medium-threat - - owasp-top-10 - boost-baseline - ALL description: The product performs an iteration or loop without sufficiently limiting @@ -39110,6 +38283,7 @@ rules: - ALL - boost-baseline - checkmarx-medium-threat + - owasp-top-10 description: The product uses a cookie to store sensitive information, but the cookie is not marked with the HttpOnly flag. group: top10-security-misconfiguration @@ -39121,7 +38295,6 @@ rules: categories: - checkmarx-medium-threat - cwe-914 - - owasp-top-10 - boost-baseline - ALL description: The product does not properly restrict reading from or writing to 
@@ -39155,6 +38328,7 @@ rules: - boost-baseline - ALL - cwe-top-25 + - owasp-top-10 description: The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output. @@ -39170,6 +38344,7 @@ rules: - boost-baseline - ALL - cwe-top-25 + - owasp-top-10 description: The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output. @@ -39181,7 +38356,6 @@ rules: PHP_Medium_Threat_Inappropriate_Encoding_for_Output_Context: categories: - checkmarx-medium-threat - - owasp-top-10 - boost-baseline - ALL - cwe-838 @@ -39318,7 +38492,6 @@ rules: categories: - checkmarx-medium-threat - cwe-599 - - owasp-top-10 - boost-baseline - ALL description: The product uses OpenSSL and trusts or uses a certificate without @@ -39485,7 +38658,6 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html PLSQL_Best_Coding_Practice_Unchecked_Error_Condition: categories: - - owasp-top-10 - cwe-391 - checkmarx-best-coding-practices - boost-baseline @@ -39498,7 +38670,6 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html PLSQL_Best_Coding_Practice_Use_of_Potentially_Dangerous_Function: categories: - - owasp-top-10 - checkmarx-best-coding-practices - cwe-676 - boost-baseline @@ -39615,7 +38786,6 @@ rules: PLSQL_Low_Visibility_Default_Definer_Rights_in_Method_Definition: categories: - checkmarx-low-visibility - - owasp-top-10 - cwe-265 - boost-baseline - ALL @@ -39646,7 +38816,6 @@ rules: categories: - cwe-404 - checkmarx-low-visibility - - owasp-top-10 - boost-baseline - ALL description: The product does not release or incorrectly releases a resource before 
@@ -39717,7 +38886,6 @@ rules: PLSQL_Medium_Threat_Dangling_Database_Cursor: categories: - checkmarx-medium-threat - - owasp-top-10 - boost-baseline - ALL - cwe-619 @@ -39732,7 +38900,6 @@ rules: PLSQL_Medium_Threat_Default_Definer_Rights_in_Package_or_Object_Definition: categories: - checkmarx-medium-threat - - owasp-top-10 - cwe-265 - boost-baseline - ALL @@ -39747,7 +38914,6 @@ rules: PLSQL_Medium_Threat_DoS_By_Sleep: categories: - checkmarx-medium-threat - - owasp-top-10 - boost-baseline - ALL description: The product performs an iteration or loop without sufficiently limiting @@ -39861,7 +39027,6 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Perl_Best_Coding_Practice_Empty_Methods: categories: - - owasp-top-10 - cwe-398 - checkmarx-best-coding-practices - boost-baseline @@ -39889,7 +39054,6 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Perl_Best_Coding_Practice_Prepending_Leading_Zeroes_To_Integer_Literals: categories: - - owasp-top-10 - checkmarx-best-coding-practices - cwe-665 - boost-baseline @@ -39904,7 +39068,6 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Perl_Best_Coding_Practice_Reusing_Variable_Names_In_Subscopes: categories: - - owasp-top-10 - cwe-398 - checkmarx-best-coding-practices - boost-baseline @@ -39918,7 +39081,6 @@ rules: Perl_Best_Coding_Practice_Using_Perl4_Package_Names: categories: - cwe-477 - - owasp-top-10 - checkmarx-best-coding-practices - boost-baseline - ALL @@ -39931,7 +39093,6 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Perl_Best_Coding_Practice_Using_Subroutine_Prototypes: categories: - - owasp-top-10 - cwe-628 - checkmarx-best-coding-practices - boost-baseline 
@@ -40118,7 +39279,6 @@ rules: categories: - cwe-477 - checkmarx-low-visibility - - owasp-top-10 - boost-baseline - ALL description: The code uses deprecated or obsolete functions, which suggests that @@ -40131,7 +39291,6 @@ rules: Perl_Low_Visibility_Improper_Filtering_of_Special_Elements: categories: - checkmarx-low-visibility - - owasp-top-10 - boost-baseline - ALL - cwe-790 @@ -40163,6 +39322,7 @@ rules: - ALL - cwe-117 - checkmarx-low-visibility + - owasp-top-10 description: The product does not neutralize or incorrectly neutralizes output that is written to logs. group: top10-security-logging-monitoring-failures @@ -40174,7 +39334,6 @@ rules: categories: - cwe-252 - checkmarx-low-visibility - - owasp-top-10 - boost-baseline - ALL description: The product does not check the return value from a method or function, @@ -40187,7 +39346,6 @@ rules: Perl_Low_Visibility_Overloading_Reserved_Keywords_or_Subroutines: categories: - checkmarx-low-visibility - - owasp-top-10 - cwe-398 - boost-baseline - ALL @@ -40201,7 +39359,6 @@ rules: categories: - cwe-625 - checkmarx-low-visibility - - owasp-top-10 - boost-baseline - ALL description: The product uses a regular expression that does not sufficiently @@ -40214,7 +39371,6 @@ rules: Perl_Low_Visibility_Prohibit_Indirect_Object_Call_Syntax: categories: - checkmarx-low-visibility - - owasp-top-10 - cwe-665 - boost-baseline - ALL @@ -40229,7 +39385,6 @@ rules: Perl_Low_Visibility_Signifying_Inheritence_At_Runtime: categories: - checkmarx-low-visibility - - owasp-top-10 - cwe-398 - boost-baseline - ALL @@ -40243,7 +39398,6 @@ rules: categories: - cwe-252 - checkmarx-low-visibility - - owasp-top-10 - boost-baseline - ALL description: The product does not check the return value from a method or function, @@ -40270,7 +39424,6 @@ rules: categories: - cwe-477 - checkmarx-low-visibility - - owasp-top-10 - boost-baseline - ALL description: The code uses deprecated or obsolete functions, which suggests that 
@@ -40283,7 +39436,6 @@ rules: Perl_Low_Visibility_Variables_Outside_The_Scope_of_a_Regex: categories: - checkmarx-low-visibility - - owasp-top-10 - boost-baseline - ALL - cwe-824 @@ -40312,7 +39464,6 @@ rules: Perl_Medium_Threat_DoS_by_Sleep: categories: - checkmarx-medium-threat - - owasp-top-10 - boost-baseline - ALL description: The product performs an iteration or loop without sufficiently limiting @@ -40329,6 +39480,7 @@ rules: - boost-baseline - ALL - cwe-top-25 + - owasp-top-10 description: The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output. @@ -40472,7 +39624,6 @@ rules: categories: - checkmarx-medium-threat - cwe-134 - - owasp-top-10 - boost-baseline - ALL description: The product uses a function that accepts a format string as an argument, @@ -40486,7 +39637,6 @@ rules: categories: - checkmarx-medium-threat - cwe-789 - - owasp-top-10 - boost-baseline - ALL description: The product allocates memory based on an untrusted, large size value, @@ -40545,7 +39695,6 @@ rules: Php_Best_Coding_Practice_Declaration_Of_Catch_For_Generic_Exception: categories: - cwe-396 - - owasp-top-10 - checkmarx-best-coding-practices - boost-baseline - ALL @@ -40559,7 +39708,6 @@ rules: Php_Best_Coding_Practice_Detection_of_Error_Condition_Without_Action: categories: - cwe-390 - - owasp-top-10 - checkmarx-best-coding-practices - boost-baseline - ALL @@ -40589,7 +39737,6 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Php_Best_Coding_Practice_Exposure_of_Resource_to_Wrong_Sphere: categories: - - owasp-top-10 - cwe-493 - checkmarx-best-coding-practices - boost-baseline 
@@ -40621,7 +39768,6 @@ rules: - boost-baseline - ALL - checkmarx-best-coding-practices - - owasp-top-10 description: A local PHP variable, with the same name as a global variable, is being written to, thus posing a risk of unintentional global variable overwrite. group: top10-insecure-design @@ -40631,7 +39777,6 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Php_Best_Coding_Practice_Unchecked_Error_Condition: categories: - - owasp-top-10 - cwe-391 - checkmarx-best-coding-practices - boost-baseline @@ -40644,7 +39789,6 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Php_Best_Coding_Practice_Unclosed_Objects: categories: - - owasp-top-10 - checkmarx-best-coding-practices - boost-baseline - ALL @@ -40658,7 +39802,6 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Php_Best_Coding_Practice_Use_Of_Namespace: categories: - - owasp-top-10 - cwe-398 - checkmarx-best-coding-practices - boost-baseline @@ -40671,7 +39814,6 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Php_Best_Coding_Practice_Use_Of_Private_Static_Variable: categories: - - owasp-top-10 - cwe-398 - checkmarx-best-coding-practices - boost-baseline @@ -40684,7 +39826,6 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Php_Best_Coding_Practice_Use_Of_Super_GLOBALS: categories: - - owasp-top-10 - cwe-766 - checkmarx-best-coding-practices - boost-baseline @@ -40717,7 +39858,6 @@ rules: categories: - cwe-203 - checkmarx-low-visibility - - owasp-top-10 - boost-baseline - ALL description: The product behaves differently or sends different responses under @@ -40733,7 +39873,6 @@ rules: categories: - cwe-477 - checkmarx-low-visibility - - owasp-top-10 - boost-baseline - ALL description: The code uses deprecated or obsolete functions, which suggests that 
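Review bot: In the `@@ -40621` hunk the `owasp-top-10` tag is dropped while the entry's `group: top10-insecure-design` line is left untouched, so the two fields that express OWASP membership now contradict each other and a consumer filtering on the tag will disagree with one grouping by `group`. The same mismatch is visible at `@@ -42991`, `@@ -43731`, `@@ -44478`, `@@ -45702` and `@@ -45729`, all still grouped under `top10-insecure-design`. A `group:` value starting with `top10-` should count as membership evidence when deciding a removal, or the same pass should reset `group:` so the file stays self-consistent. The rule entries start outside the visible hunk lines.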
@@ -40761,7 +39900,6 @@ rules: categories: - cwe-248 - checkmarx-low-visibility - - owasp-top-10 - boost-baseline - ALL description: An exception is thrown from a function, but it is not caught. @@ -40774,7 +39912,6 @@ rules: categories: - cwe-460 - checkmarx-low-visibility - - owasp-top-10 - boost-baseline - ALL description: The product does not clean up its state or incorrectly cleans up @@ -40788,7 +39925,6 @@ rules: Php_Low_Visibility_Incorrect_Implementation_of_Authentication_Algorithm: categories: - checkmarx-low-visibility - - owasp-top-10 - cwe-303 - boost-baseline - ALL @@ -40848,6 +39984,7 @@ rules: - ALL - cwe-117 - checkmarx-low-visibility + - owasp-top-10 description: The product does not neutralize or incorrectly neutralizes output that is written to logs. group: top10-security-logging-monitoring-failures @@ -40859,7 +39996,6 @@ rules: categories: - cwe-691 - checkmarx-low-visibility - - owasp-top-10 - boost-baseline - ALL description: The code does not sufficiently manage its control flow during execution, @@ -40889,7 +40025,6 @@ rules: categories: - cwe-350 - checkmarx-low-visibility - - owasp-top-10 - boost-baseline - ALL description: The product performs reverse DNS resolution on an IP address to obtain @@ -40917,7 +40052,6 @@ rules: Php_Low_Visibility_Unsafe_Use_Of_Target_Blank: categories: - checkmarx-low-visibility - - owasp-top-10 - boost-baseline - ALL - cwe-1022 @@ -40977,7 +40111,6 @@ rules: categories: - boost-hardened - checkmarx-server-side-vulnerability - - owasp-top-10 - boost-baseline - ALL description: AWS credentials are exposed within Python AWS Lambda function code, @@ -41038,7 +40171,6 @@ rules: categories: - checkmarx-server-side-vulnerability - cwe-366 - - owasp-top-10 - boost-baseline - ALL description: If two threads of execution use a resource simultaneously, there 
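Review bot: The `@@ -40977` hunk removes `owasp-top-10` from a rule that carries no `cwe-*` category at all, so the decision appears to rest solely on the rule name, yet its description (AWS credentials exposed in Lambda code) is the hard-coded-credentials weakness CWE-798 that OWASP 2021 lists under A07. The two Python rules at `@@ -41125` (shell injection through an insecure import lookup) and `@@ -41138` (path traversal via `find`) are in the same position and map naturally to CWE-78 (A03) and CWE-22 (A01); the Akka hostname-verification rule at `@@ -43620` likely does too (CWE-297, A07), though its category list starts outside the hunk. Giving these entries an explicit CWE tag, e.g. `- cwe-798` on the Lambda rule, lets the normalization keep the tag from data instead of a hand edit that a later run would presumably undo.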
@@ -41099,6 +40231,7 @@ rules: - ALL - cwe-15 - checkmarx-server-side-vulnerability + - owasp-top-10 description: One or more system settings or configuration elements can be externally controlled by a user. group: top10-security-misconfiguration @@ -41125,7 +40258,6 @@ rules: categories: - boost-baseline - ALL - - owasp-top-10 description: The code searches for Python imports using an insecure method, such as os.system or subprocess.Popen, making it susceptible to arbitrary code execution through shell injection. @@ -41138,7 +40270,6 @@ rules: categories: - boost-baseline - ALL - - owasp-top-10 description: The Python 'find' method is used in a way that can potentially lead to exploitable path inconsistencies or traversal vulnerabilities, creating a security risk for the application. @@ -41387,7 +40518,6 @@ rules: categories: - cwe-203 - checkmarx-low-visibility - - owasp-top-10 - boost-baseline - ALL description: The product behaves differently or sends different responses under @@ -41405,6 +40535,7 @@ rules: - ALL - checkmarx-low-visibility - cwe-11 + - owasp-top-10 description: Debugging messages help attackers learn about the system and plan a form of attack. group: top10-security-misconfiguration @@ -41459,7 +40590,6 @@ rules: categories: - cwe-404 - checkmarx-low-visibility - - owasp-top-10 - boost-baseline - ALL description: The product does not release or incorrectly releases a resource before @@ -41504,6 +40634,7 @@ rules: - ALL - cwe-117 - checkmarx-low-visibility + - owasp-top-10 description: The product does not neutralize or incorrectly neutralizes output that is written to logs. group: top10-security-logging-monitoring-failures @@ -41543,7 +40674,6 @@ rules: categories: - cwe-615 - checkmarx-low-visibility - - owasp-top-10 - boost-baseline - ALL description: 'While adding general comments is very useful, some programmers tend 
@@ -41572,7 +40702,6 @@ rules: Python_Low_Visibility_ReDoS_Injection: categories: - checkmarx-low-visibility - - owasp-top-10 - cwe-400 - boost-baseline - ALL @@ -41735,7 +40864,6 @@ rules: Python_Medium_Threat_DoS_by_Sleep: categories: - checkmarx-medium-threat - - owasp-top-10 - boost-baseline - ALL description: The product performs an iteration or loop without sufficiently limiting @@ -41751,6 +40879,7 @@ rules: - ALL - checkmarx-medium-threat - cwe-532 + - owasp-top-10 description: Information written to log files can be of a sensitive nature and give valuable guidance to an attacker or expose sensitive user information. group: top10-security-logging-monitoring-failures @@ -41764,6 +40893,7 @@ rules: - ALL - cwe-547 - checkmarx-medium-threat + - owasp-top-10 description: The product uses hard-coded constants instead of symbolic names for security-critical values, which increases the likelihood of mistakes during code maintenance or security policy change. @@ -41793,6 +40923,7 @@ rules: - ALL - boost-baseline - checkmarx-medium-threat + - owasp-top-10 description: The product uses a cookie to store sensitive information, but the cookie is not marked with the HttpOnly flag. group: top10-security-misconfiguration @@ -41807,6 +40938,7 @@ rules: - boost-baseline - ALL - cwe-top-25 + - owasp-top-10 description: The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output. @@ -41849,6 +40981,7 @@ rules: - cwe-614 - checkmarx-medium-threat - ALL + - owasp-top-10 description: The Secure attribute for sensitive cookies in HTTPS sessions is not set, which could cause the user agent to send those cookies in plaintext over an HTTP session. @@ -41938,7 +41071,6 @@ rules: Python_Medium_Threat_ReDoS_In_Replace: categories: - checkmarx-medium-threat - - owasp-top-10 - cwe-400 - boost-baseline - ALL 
@@ -41955,7 +41087,6 @@ rules: categories: - checkmarx-medium-threat - cwe-599 - - owasp-top-10 - boost-baseline - ALL description: The product uses OpenSSL and trusts or uses a certificate without @@ -42018,7 +41149,6 @@ rules: Python_Medium_Threat_Unchecked_Input_for_Loop_Condition: categories: - checkmarx-medium-threat - - owasp-top-10 - cwe-606 - boost-baseline - ALL @@ -42034,7 +41164,6 @@ rules: categories: - checkmarx-medium-threat - cwe-134 - - owasp-top-10 - boost-baseline - ALL description: The product uses a function that accepts a format string as an argument, @@ -42061,7 +41190,6 @@ rules: RPG_High_Risk_Buffer_Overrun: categories: - boost-hardened - - owasp-top-10 - boost-baseline - ALL - checkmarx-high-risk @@ -42112,7 +41240,6 @@ rules: categories: - cwe-703 - checkmarx-low-visibility - - owasp-top-10 - boost-baseline - ALL description: The product does not properly anticipate or handle exceptional conditions @@ -42126,7 +41253,6 @@ rules: categories: - cwe-404 - checkmarx-low-visibility - - owasp-top-10 - boost-baseline - ALL description: The product does not release or incorrectly releases a resource before @@ -42139,7 +41265,6 @@ rules: RPG_Low_Visibility_Information_Exposure_Through_Dump: categories: - checkmarx-low-visibility - - owasp-top-10 - boost-baseline - ALL description: The product generates a core dump file in a directory, archive, or @@ -42154,7 +41279,6 @@ rules: categories: - cwe-190 - checkmarx-low-visibility - - owasp-top-10 - boost-baseline - ALL - cwe-top-25 @@ -42170,7 +41294,6 @@ rules: RPG_Low_Visibility_Library_Search_Order_Hijacking: categories: - checkmarx-low-visibility - - owasp-top-10 - boost-baseline - ALL description: The product uses a fixed or controlled search path to find resources, @@ -42211,7 +41334,6 @@ rules: RPG_Medium_Threat_DoS_by_Sleep: categories: - checkmarx-medium-threat - - owasp-top-10 - boost-baseline - ALL description: The product performs an iteration or loop without sufficiently limiting 
@@ -42224,7 +41346,6 @@ rules: RPG_Medium_Threat_ReDoS: categories: - checkmarx-medium-threat - - owasp-top-10 - boost-baseline - ALL - cwe-1333 @@ -42239,7 +41360,6 @@ rules: RPG_Medium_Threat_Reflected_Path_Traversal: categories: - checkmarx-medium-threat - - owasp-top-10 - cwe-36 - boost-baseline - ALL @@ -42255,7 +41375,6 @@ rules: Ruby_Best_Coding_Practice_Caching_False_In_Production: categories: - ALL - - owasp-top-10 - checkmarx-best-coding-practices - boost-baseline description: Setting caching to false in a production environment in a Ruby application, @@ -42268,7 +41387,6 @@ rules: Ruby_Best_Coding_Practice_Declaration_Of_Catch_For_Generic_Exception: categories: - cwe-396 - - owasp-top-10 - checkmarx-best-coding-practices - boost-baseline - ALL @@ -42282,7 +41400,6 @@ rules: Ruby_Best_Coding_Practice_Dynamic_Render_Path: categories: - ALL - - owasp-top-10 - checkmarx-best-coding-practices - boost-baseline description: Render paths are determined at runtime in Rails views. This practice @@ -42312,7 +41429,6 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Ruby_Best_Coding_Practice_Global_Variables_Without_Meaningful_Name: categories: - - owasp-top-10 - checkmarx-best-coding-practices - boost-baseline - ALL @@ -42341,7 +41457,6 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Ruby_Best_Coding_Practice_Import_Relative_To_File: categories: - - owasp-top-10 - checkmarx-best-coding-practices - boost-baseline - ALL @@ -42355,7 +41470,6 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Ruby_Best_Coding_Practice_Unchecked_Error_Condition: categories: - - owasp-top-10 - cwe-391 - checkmarx-best-coding-practices - boost-baseline 
@@ -42368,7 +41482,6 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Ruby_Best_Coding_Practice_Unclosed_Objects: categories: - - owasp-top-10 - checkmarx-best-coding-practices - boost-baseline - ALL @@ -42382,7 +41495,6 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Ruby_Best_Coding_Practice_Use_Of_Global_Variables: categories: - - owasp-top-10 - cwe-766 - checkmarx-best-coding-practices - boost-baseline @@ -42520,7 +41632,6 @@ rules: - boost-baseline - ALL - checkmarx-low-visibility - - owasp-top-10 description: The attribute of an Active Record model is not declared as accessible using 'attr_accessible', allowing potential mass assignment vulnerabilities in Ruby on Rails applications. @@ -42565,7 +41676,6 @@ rules: categories: - cwe-203 - checkmarx-low-visibility - - owasp-top-10 - boost-baseline - ALL description: The product behaves differently or sends different responses under @@ -42595,7 +41705,6 @@ rules: categories: - ALL - checkmarx-low-visibility - - owasp-top-10 - boost-baseline - cwe-250 description: The product performs an operation at a privilege level that is higher @@ -42624,7 +41733,6 @@ rules: categories: - cwe-248 - checkmarx-low-visibility - - owasp-top-10 - boost-baseline - ALL description: An exception is thrown from a function, but it is not caught. @@ -42637,7 +41745,6 @@ rules: categories: - cwe-460 - checkmarx-low-visibility - - owasp-top-10 - boost-baseline - ALL description: The product does not clean up its state or incorrectly cleans up @@ -42709,7 +41816,6 @@ rules: categories: - cwe-489 - checkmarx-low-visibility - - owasp-top-10 - boost-baseline - ALL description: The product is deployed to unauthorized actors with debugging code 
@@ -42740,6 +41846,7 @@ rules: - ALL - cwe-117 - checkmarx-low-visibility + - owasp-top-10 description: The product does not neutralize or incorrectly neutralizes output that is written to logs. group: top10-security-logging-monitoring-failures @@ -42884,7 +41991,6 @@ rules: categories: - cwe-242 - checkmarx-low-visibility - - owasp-top-10 - boost-baseline - ALL description: The product calls a function that can never be guaranteed to work @@ -42959,7 +42065,6 @@ rules: Ruby_Medium_Threat_DOS_To_Symbol: categories: - checkmarx-medium-threat - - owasp-top-10 - boost-baseline - ALL - cwe-730 @@ -42991,7 +42096,6 @@ rules: - boost-baseline - ALL - checkmarx-medium-threat - - owasp-top-10 description: The application is utilizing default routes in Ruby, which may expose it to unwanted routes and increase the surface for potential attacks. group: top10-insecure-design @@ -43002,7 +42106,6 @@ rules: Ruby_Medium_Threat_DoS_by_Sleep: categories: - checkmarx-medium-threat - - owasp-top-10 - boost-baseline - ALL description: The product performs an iteration or loop without sufficiently limiting @@ -43017,7 +42120,6 @@ rules: - boost-baseline - ALL - checkmarx-medium-threat - - owasp-top-10 description: Involves downloading files from user-controlled sources without validating or sanitizing their content or origin beforehand, presenting significant security risks like malicious code execution or unauthorized data access. @@ -43032,6 +42134,7 @@ rules: - ALL - checkmarx-medium-threat - cwe-532 + - owasp-top-10 description: Information written to log files can be of a sensitive nature and give valuable guidance to an attacker or expose sensitive user information. group: top10-security-logging-monitoring-failures @@ -43089,7 +42192,6 @@ rules: categories: - checkmarx-medium-threat - cwe-625 - - owasp-top-10 - boost-baseline - ALL description: The product uses a regular expression that does not sufficiently 
@@ -43198,7 +42300,6 @@ rules: categories: - checkmarx-medium-threat - cwe-599 - - owasp-top-10 - boost-baseline - ALL description: The product uses OpenSSL and trusts or uses a certificate without @@ -43307,7 +42408,6 @@ rules: categories: - cwe-477 - vulnerable-and-outdated-components - - owasp-top-10 - boost-baseline - ALL description: The code uses deprecated or obsolete functions, which suggests that @@ -43336,7 +42436,6 @@ rules: Ruby_Vulnerable_Outdated_Versions_Outdated_Rails_Allows_DOS_via_ActiveRecord: categories: - vulnerable-and-outdated-components - - owasp-top-10 - cwe-400 - boost-baseline - ALL @@ -43384,7 +42483,6 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Scala_Best_Coding_Practice_Potential_Usage_of_Vulnerable_Log4J: categories: - - owasp-top-10 - cwe-400 - checkmarx-best-coding-practices - boost-baseline @@ -43608,6 +42706,7 @@ rules: - ALL - checkmarx-low-visibility - cwe-15 + - owasp-top-10 description: One or more system settings or configuration elements can be externally controlled by a user. group: top10-security-misconfiguration @@ -43620,7 +42719,6 @@ rules: - boost-baseline - ALL - checkmarx-low-visibility - - owasp-top-10 description: Akka's host name verification is disabled, likely by setting the 'akka.ssl-config.loose.disableHostnameVerification' configuration to true, which makes it vulnerable to Man-In-The-Middle (MITM) attacks. @@ -43635,6 +42733,7 @@ rules: - ALL - checkmarx-low-visibility - cwe-15 + - owasp-top-10 description: One or more system settings or configuration elements can be externally controlled by a user. group: top10-security-misconfiguration @@ -43648,6 +42747,7 @@ rules: - ALL - checkmarx-low-visibility - cwe-15 + - owasp-top-10 description: One or more system settings or configuration elements can be externally controlled by a user. group: top10-security-misconfiguration 
@@ -43661,6 +42761,7 @@ rules: - ALL - checkmarx-low-visibility - cwe-15 + - owasp-top-10 description: One or more system settings or configuration elements can be externally controlled by a user. group: top10-security-misconfiguration @@ -43674,6 +42775,7 @@ rules: - ALL - checkmarx-low-visibility - cwe-15 + - owasp-top-10 description: One or more system settings or configuration elements can be externally controlled by a user. group: top10-security-misconfiguration @@ -43714,7 +42816,6 @@ rules: categories: - cwe-203 - checkmarx-low-visibility - - owasp-top-10 - boost-baseline - ALL description: The product behaves differently or sends different responses under @@ -43731,7 +42832,6 @@ rules: - boost-baseline - ALL - checkmarx-low-visibility - - owasp-top-10 description: Code in Scala utilizes deprecated API elements, indicating potential breaking changes in future updates due to obsolete functions or methods. group: top10-insecure-design @@ -43743,7 +42843,6 @@ rules: categories: - cwe-244 - checkmarx-low-visibility - - owasp-top-10 - boost-baseline - ALL description: Using realloc() to resize buffers that store sensitive information @@ -43758,7 +42857,6 @@ rules: categories: - cwe-190 - checkmarx-low-visibility - - owasp-top-10 - boost-baseline - ALL - cwe-top-25 @@ -43850,6 +42948,7 @@ rules: - ALL - cwe-547 - checkmarx-low-visibility + - owasp-top-10 description: The product uses hard-coded constants instead of symbolic names for security-critical values, which increases the likelihood of mistakes during code maintenance or security policy change. @@ -43889,7 +42988,6 @@ rules: Scala_Medium_Threat_Absolute_Path_Traversal: categories: - checkmarx-medium-threat - - owasp-top-10 - cwe-36 - boost-baseline - ALL @@ -43963,7 +43061,6 @@ rules: Scala_Medium_Threat_DoS_by_Sleep: categories: - checkmarx-medium-threat - - owasp-top-10 - boost-baseline - ALL description: The product performs an iteration or loop without sufficiently limiting 
@@ -43980,6 +43077,7 @@ rules: - boost-baseline - ALL - cwe-top-25 + - owasp-top-10 description: The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output. @@ -44009,6 +43107,7 @@ rules: - ALL - cwe-547 - checkmarx-medium-threat + - owasp-top-10 description: The product uses hard-coded constants instead of symbolic names for security-critical values, which increases the likelihood of mistakes during code maintenance or security policy change. @@ -44023,6 +43122,7 @@ rules: - ALL - boost-baseline - checkmarx-medium-threat + - owasp-top-10 description: The product uses a cookie to store sensitive information, but the cookie is not marked with the HttpOnly flag. group: top10-security-misconfiguration @@ -44034,7 +43134,6 @@ rules: categories: - checkmarx-medium-threat - cwe-667 - - owasp-top-10 - boost-baseline - ALL description: The product does not properly acquire or release a lock on a resource, @@ -44065,6 +43164,7 @@ rules: - cwe-614 - checkmarx-medium-threat - ALL + - owasp-top-10 description: The Secure attribute for sensitive cookies in HTTPS sessions is not set, which could cause the user agent to send those cookies in plaintext over an HTTP session. @@ -44076,7 +43176,6 @@ rules: Scala_Medium_Threat_Multiple_Binds_to_the_Same_Port: categories: - checkmarx-medium-threat - - owasp-top-10 - boost-baseline - ALL - cwe-605 @@ -44134,7 +43233,6 @@ rules: Scala_Medium_Threat_ReDoS_From_Regex_Injection: categories: - checkmarx-medium-threat - - owasp-top-10 - cwe-400 - boost-baseline - ALL @@ -44150,7 +43248,6 @@ rules: Scala_Medium_Threat_ReDoS_In_Match: categories: - checkmarx-medium-threat - - owasp-top-10 - cwe-400 - boost-baseline - ALL @@ -44166,7 +43263,6 @@ rules: Scala_Medium_Threat_ReDoS_In_Pattern: categories: - checkmarx-medium-threat - - owasp-top-10 - cwe-400 - boost-baseline - ALL 
@@ -44182,7 +43278,6 @@ rules: Scala_Medium_Threat_ReDoS_In_Replace: categories: - checkmarx-medium-threat - - owasp-top-10 - cwe-400 - boost-baseline - ALL @@ -44198,7 +43293,6 @@ rules: Scala_Medium_Threat_Relative_Path_Traversal: categories: - checkmarx-medium-threat - - owasp-top-10 - cwe-36 - boost-baseline - ALL @@ -44232,7 +43326,6 @@ rules: categories: - checkmarx-medium-threat - cwe-599 - - owasp-top-10 - boost-baseline - ALL description: The product uses OpenSSL and trusts or uses a certificate without @@ -44295,6 +43388,7 @@ rules: - boost-baseline - ALL - cwe-top-25 + - owasp-top-10 description: The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output. @@ -44478,7 +43572,6 @@ rules: - boost-baseline - ALL - checkmarx-best-coding-practices - - owasp-top-10 description: Identifies and flags methods in Swift code that are empty, which may indicate overlooked or incomplete implementation. group: top10-insecure-design @@ -44518,7 +43611,6 @@ rules: Swift_High_Risk_Resource_Updated_By_URL_Data: categories: - boost-hardened - - owasp-top-10 - boost-baseline - ALL - checkmarx-high-risk @@ -44610,7 +43702,6 @@ rules: categories: - cwe-530 - checkmarx-low-visibility - - owasp-top-10 - boost-baseline - ALL description: A backup file is stored in a directory or archive that is made accessible @@ -44653,7 +43744,6 @@ rules: categories: - cwe-477 - checkmarx-low-visibility - - owasp-top-10 - boost-baseline - ALL description: The code uses deprecated or obsolete functions, which suggests that @@ -44667,7 +43757,6 @@ rules: categories: - cwe-244 - checkmarx-low-visibility - - owasp-top-10 - boost-baseline - ALL description: Using realloc() to resize buffers that store sensitive information 
@@ -44681,7 +43770,6 @@ rules: Swift_Low_Visibility_Information_Leak_Through_Response_Caching: categories: - checkmarx-low-visibility - - owasp-top-10 - cwe-524 - boost-baseline - ALL @@ -44738,7 +43826,6 @@ rules: categories: - cwe-693 - checkmarx-low-visibility - - owasp-top-10 - boost-baseline - ALL description: The product does not use or incorrectly uses a protection mechanism @@ -44752,7 +43839,6 @@ rules: categories: - cwe-252 - checkmarx-low-visibility - - owasp-top-10 - boost-baseline - ALL description: The product does not check the return value from a method or function, @@ -44781,7 +43867,6 @@ rules: categories: - cwe-615 - checkmarx-low-visibility - - owasp-top-10 - boost-baseline - ALL description: 'While adding general comments is very useful, some programmers tend @@ -44990,7 +44075,6 @@ rules: categories: - checkmarx-medium-threat - cwe-134 - - owasp-top-10 - boost-baseline - ALL description: The product uses a function that accepts a format string as an argument, @@ -45095,7 +44179,6 @@ rules: Swift_Medium_Threat_ReDoS: categories: - checkmarx-medium-threat - - owasp-top-10 - boost-baseline - ALL - cwe-1333 @@ -45127,7 +44210,6 @@ rules: Swift_Medium_Threat_Screen_Caching: categories: - checkmarx-medium-threat - - owasp-top-10 - cwe-524 - boost-baseline - ALL @@ -45175,6 +44257,7 @@ rules: - boost-baseline - ALL - cwe-top-25 + - owasp-top-10 description: The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output. @@ -45307,7 +44390,6 @@ rules: categories: - cwe-118 - checkmarx-low-visibility - - owasp-top-10 - boost-baseline - ALL description: The product does not restrict or incorrectly restricts operations 
@@ -45337,7 +44419,6 @@ rules: categories: - cwe-248 - checkmarx-low-visibility - - owasp-top-10 - boost-baseline - ALL description: An exception is thrown from a function, but it is not caught. @@ -45395,6 +44476,7 @@ rules: - ALL - cwe-117 - checkmarx-low-visibility + - owasp-top-10 description: The product does not neutralize or incorrectly neutralizes output that is written to logs. group: top10-security-logging-monitoring-failures @@ -45436,7 +44518,6 @@ rules: VB6_Medium_Threat_DoS_by_Sleep: categories: - checkmarx-medium-threat - - owasp-top-10 - boost-baseline - ALL description: The product performs an iteration or loop without sufficiently limiting @@ -45452,6 +44533,7 @@ rules: - ALL - cwe-547 - checkmarx-medium-threat + - owasp-top-10 description: The product uses hard-coded constants instead of symbolic names for security-critical values, which increases the likelihood of mistakes during code maintenance or security policy change. @@ -45514,7 +44596,6 @@ rules: - boost-baseline - ALL - checkmarx-best-coding-practices - - owasp-top-10 description: A method in Visual Basic .NET designated with AllowPartiallyTrustedCallersAttribute (APTCA) invokes a method not marked with APTCA, opening up vulnerabilities for privilege escalation. @@ -45526,7 +44607,6 @@ rules: VbNet_Best_Coding_Practice_Catch_NullPointerException: categories: - cwe-395 - - owasp-top-10 - checkmarx-best-coding-practices - boost-baseline - ALL @@ -45540,7 +44620,6 @@ rules: VbNet_Best_Coding_Practice_Declaration_Of_Catch_For_Generic_Exception: categories: - cwe-396 - - owasp-top-10 - checkmarx-best-coding-practices - boost-baseline - ALL @@ -45556,7 +44635,6 @@ rules: - boost-baseline - ALL - checkmarx-best-coding-practices - - owasp-top-10 description: Code is using methods which have been marked as deprecated, indicating they might not be supported in future versions and should be replaced with newer alternatives. 
@@ -45568,7 +44646,6 @@ rules: VbNet_Best_Coding_Practice_Detection_of_Error_Condition_Without_Action: categories: - cwe-390 - - owasp-top-10 - checkmarx-best-coding-practices - boost-baseline - ALL @@ -45582,7 +44659,6 @@ rules: VbNet_Best_Coding_Practice_Direct_Use_of_Sockets: categories: - boost-baseline - - owasp-top-10 - checkmarx-best-coding-practices - cwe-246 - ALL @@ -45612,7 +44688,6 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html VbNet_Best_Coding_Practice_Exposure_of_Resource_to_Wrong_Sphere: categories: - - owasp-top-10 - cwe-493 - checkmarx-best-coding-practices - boost-baseline @@ -45626,7 +44701,6 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html VbNet_Best_Coding_Practice_GetLastWin32Error_Is_Not_Called_After_Pinvoke: categories: - - owasp-top-10 - checkmarx-best-coding-practices - boost-baseline - ALL @@ -45672,7 +44746,6 @@ rules: VbNet_Best_Coding_Practice_Just_One_of_Equals_and_Hash_code_Defined: categories: - ALL - - owasp-top-10 - checkmarx-best-coding-practices - boost-baseline - cwe-581 @@ -45685,7 +44758,6 @@ rules: VbNet_Best_Coding_Practice_Leftover_Debug_Code: categories: - cwe-489 - - owasp-top-10 - checkmarx-best-coding-practices - boost-baseline - ALL @@ -45702,7 +44774,6 @@ rules: - boost-baseline - ALL - checkmarx-best-coding-practices - - owasp-top-10 description: Identifies the hard coding of numbers, referred to as "magic numbers," in Visual Basic .NET code, which can decrease maintainability and readability. group: top10-insecure-design @@ -45713,7 +44784,6 @@ rules: VbNet_Best_Coding_Practice_Missing_XML_Validation: categories: - cwe-112 - - owasp-top-10 - checkmarx-best-coding-practices - boost-baseline - ALL 
@@ -45729,7 +44799,6 @@ rules: - boost-baseline - ALL - checkmarx-best-coding-practices - - owasp-top-10 description: Passing a null argument to the 'Equals' method in Visual Basic .Net might result in a NullReferenceException, causing an application crash. group: top10-insecure-design @@ -45742,7 +44811,6 @@ rules: - boost-baseline - ALL - checkmarx-best-coding-practices - - owasp-top-10 description: Non-private static constructors in VB.NET are accessible outside the class, presenting an opportunity for unintended use or manipulation and potential security risks. @@ -45753,7 +44821,6 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html VbNet_Best_Coding_Practice_Pages_Without_Global_Error_Handler: categories: - - owasp-top-10 - cwe-544 - checkmarx-best-coding-practices - boost-baseline @@ -45771,7 +44838,6 @@ rules: - boost-baseline - ALL - checkmarx-best-coding-practices - - owasp-top-10 description: The 'PersistSecurityInfo' property is set to 'True' risking the exposure of sensitive data such as connection string with passwords in log files or other external sources. @@ -45783,7 +44849,6 @@ rules: VbNet_Best_Coding_Practice_Threads_in_WebApp: categories: - ALL - - owasp-top-10 - checkmarx-best-coding-practices - boost-baseline - cwe-383 @@ -45796,7 +44861,6 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html VbNet_Best_Coding_Practice_Unchecked_Error_Condition: categories: - - owasp-top-10 - cwe-391 - checkmarx-best-coding-practices - boost-baseline @@ -45810,7 +44874,6 @@ rules: VbNet_Best_Coding_Practice_Unchecked_Return_Value: categories: - cwe-252 - - owasp-top-10 - checkmarx-best-coding-practices - boost-baseline - ALL @@ -45823,7 +44886,6 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html VbNet_Best_Coding_Practice_Unclosed_Objects: categories: - - owasp-top-10 - checkmarx-best-coding-practices - boost-baseline - ALL 
@@ -45840,7 +44902,6 @@ rules: - boost-baseline - ALL - checkmarx-best-coding-practices - - owasp-top-10 description: Public methods in VB.NET code accept arguments without conducting appropriate validation, increasing susceptibility to malicious input exploitation. group: top10-insecure-design @@ -45851,7 +44912,6 @@ rules: VbNet_Best_Coding_Practice_Use_Of_Uninitialized_Variables: categories: - cwe-457 - - owasp-top-10 - checkmarx-best-coding-practices - boost-baseline - ALL @@ -45864,7 +44924,6 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html VbNet_Best_Coding_Practice_Use_of_System_Output_Stream: categories: - - owasp-top-10 - cwe-398 - checkmarx-best-coding-practices - boost-baseline @@ -45880,7 +44939,6 @@ rules: - boost-baseline - ALL - checkmarx-best-coding-practices - - owasp-top-10 description: Pointers in Visual Basic .NET are visible, posing a risk for unsafe code execution due to direct memory manipulation. group: top10-insecure-design @@ -46209,7 +45267,6 @@ rules: categories: - cwe-171 - checkmarx-low-visibility - - owasp-top-10 - boost-baseline - ALL description: Improper handling of data within protection mechanisms that attempt @@ -46237,7 +45294,6 @@ rules: categories: - cwe-203 - checkmarx-low-visibility - - owasp-top-10 - boost-baseline - ALL description: The product behaves differently or sends different responses under @@ -46253,7 +45309,6 @@ rules: categories: - cwe-244 - checkmarx-low-visibility - - owasp-top-10 - boost-baseline - ALL description: Using realloc() to resize buffers that store sensitive information @@ -46270,6 +45325,7 @@ rules: - ALL - checkmarx-low-visibility - cwe-520 + - owasp-top-10 description: Allowing a .NET application to run at potentially escalated levels of access to the underlying operating and file systems can be dangerous and result in various forms of attacks. 
@@ -46298,7 +45354,6 @@ rules: categories: - cwe-248 - checkmarx-low-visibility - - owasp-top-10 - boost-baseline - ALL description: An exception is thrown from a function, but it is not caught. @@ -46311,7 +45366,6 @@ rules: categories: - cwe-404 - checkmarx-low-visibility - - owasp-top-10 - boost-baseline - ALL description: The product does not release or incorrectly releases a resource before @@ -46339,7 +45393,6 @@ rules: categories: - cwe-460 - checkmarx-low-visibility - - owasp-top-10 - boost-baseline - ALL description: The product does not clean up its state or incorrectly cleans up @@ -46412,7 +45465,6 @@ rules: VbNet_Low_Visibility_Leaving_Temporary_Files: categories: - checkmarx-low-visibility - - owasp-top-10 - boost-baseline - ALL - cwe-376 @@ -46428,6 +45480,7 @@ rules: - ALL - cwe-117 - checkmarx-low-visibility + - owasp-top-10 description: The product does not neutralize or incorrectly neutralizes output that is written to logs. group: top10-security-logging-monitoring-failures @@ -46515,7 +45568,6 @@ rules: categories: - cwe-567 - checkmarx-low-visibility - - owasp-top-10 - boost-baseline - ALL description: The product does not properly synchronize shared data, such as static @@ -46544,7 +45596,6 @@ rules: categories: - cwe-647 - checkmarx-low-visibility - - owasp-top-10 - boost-baseline - ALL description: The product defines policy namespaces and makes authorization decisions @@ -46601,7 +45652,6 @@ rules: VbNet_Medium_Threat_Buffer_Overflow: categories: - checkmarx-medium-threat - - owasp-top-10 - cwe-120 - boost-baseline - ALL @@ -46676,7 +45726,6 @@ rules: VbNet_Medium_Threat_DoS_by_Sleep: categories: - checkmarx-medium-threat - - owasp-top-10 - boost-baseline - ALL description: The product performs an iteration or loop without sufficiently limiting 
@@ -46707,6 +45756,7 @@ rules: - ALL - cwe-547 - checkmarx-medium-threat + - owasp-top-10 description: The product uses hard-coded constants instead of symbolic names for security-critical values, which increases the likelihood of mistakes during code maintenance or security policy change. @@ -46719,7 +45769,6 @@ rules: categories: - checkmarx-medium-threat - cwe-667 - - owasp-top-10 - boost-baseline - ALL description: The product does not properly acquire or release a lock on a resource, @@ -46733,7 +45782,6 @@ rules: categories: - checkmarx-medium-threat - cwe-190 - - owasp-top-10 - boost-baseline - ALL - cwe-top-25 @@ -46897,7 +45945,6 @@ rules: categories: - cwe-404 - checkmarx-medium-threat - - owasp-top-10 - boost-baseline - ALL description: The product does not release or incorrectly releases a resource before @@ -46939,7 +45986,6 @@ rules: VbNet_Medium_Threat_Value_Shadowing: categories: - checkmarx-medium-threat - - owasp-top-10 - cwe-233 - boost-baseline - ALL @@ -46971,7 +46017,6 @@ rules: - boost-baseline - ALL - checkmarx-web-config - - owasp-top-10 description: The session state in the web.config file of a VB.NET application is configured to be cookieless, which may expose Session IDs in the URL, increasing the risk of session hijacking. @@ -46983,7 +46028,6 @@ rules: VbNet_WebConfig_CustomError: categories: - cwe-12 - - owasp-top-10 - checkmarx-web-config - boost-baseline - ALL @@ -47000,6 +46044,7 @@ rules: - ALL - checkmarx-web-config - cwe-11 + - owasp-top-10 description: Debugging messages help attackers learn about the system and plan a form of attack. group: top10-security-misconfiguration @@ -47027,7 +46072,6 @@ rules: VbNet_WebConfig_HardcodedCredentials: categories: - cwe-489 - - owasp-top-10 - checkmarx-web-config - boost-baseline - ALL 
@@ -47046,6 +46090,7 @@ rules: - checkmarx-web-config - boost-baseline - ALL + - owasp-top-10 description: The product uses a cookie to store sensitive information, but the cookie is not marked with the HttpOnly flag. group: top10-security-misconfiguration @@ -47070,7 +46115,6 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html VbNet_WebConfig_NonUniqueFormName: categories: - - owasp-top-10 - checkmarx-web-config - cwe-694 - boost-baseline @@ -47088,6 +46132,7 @@ rules: - ALL - checkmarx-web-config - cwe-260 + - owasp-top-10 description: The product stores a password in a configuration file that might be accessible to actors who do not know the password. group: top10-security-misconfiguration @@ -47101,6 +46146,7 @@ rules: - cwe-614 - ALL - checkmarx-web-config + - owasp-top-10 description: The Secure attribute for sensitive cookies in HTTPS sessions is not set, which could cause the user agent to send those cookies in plaintext over an HTTP session. @@ -47127,7 +46173,6 @@ rules: VbNet_WebConfig_TraceEnabled: categories: - boost-baseline - - owasp-top-10 - checkmarx-web-config - cwe-749 - ALL @@ -47180,6 +46225,7 @@ rules: - ALL - checkmarx-low-visibility - cwe-315 + - owasp-top-10 description: The product stores sensitive information in cleartext in a cookie. group: top10-security-misconfiguration name: VbScript_Low_Visibility_Cookies_Inspection @@ -47204,7 +46250,6 @@ rules: VbScript_Low_Visibility_Weak_Password_Authentication: categories: - checkmarx-low-visibility - - owasp-top-10 - boost-baseline - ALL description: The VBScript code uses a weak password authentication mechanism, @@ -47218,7 +46263,6 @@ rules: VbScript_Medium_Threat_Client_DoS_By_Sleep: categories: - checkmarx-medium-threat - - owasp-top-10 - boost-baseline - ALL - cwe-730 
@@ -47232,7 +46276,6 @@ rules: categories: - checkmarx-medium-threat - cwe-618 - - owasp-top-10 - boost-baseline - ALL description: An ActiveX control is intended for use in a web browser, but it exposes diff --git a/server-side-scanners/boostsecurityio/sci-sca/rules.yaml b/server-side-scanners/boostsecurityio/sci-sca/rules.yaml index 995bd0e3..cfc3e27b 100644 --- a/server-side-scanners/boostsecurityio/sci-sca/rules.yaml +++ b/server-side-scanners/boostsecurityio/sci-sca/rules.yaml @@ -1,16 +1,13 @@ -import: - - boostsecurityio/sca-cve - rules: use-of-unsafe-ai-model: categories: - - ALL - - boost-baseline - - boost-hardened - - supply-chain - - owasp-top-10 - - unsafe-ai-component - description: An Unsafe AI model is being loaded. There are dangerous arbitrary code execution attacks that can be perpetrated when you load an unsafe AI model. + - ALL + - boost-baseline + - boost-hardened + - supply-chain + - unsafe-ai-component + description: An Unsafe AI model is being loaded. There are dangerous arbitrary + code execution attacks that can be perpetrated when you load an unsafe AI model. name: use-of-unsafe-ai-model group: top10-vulnerable-components pretty_name: Use of Unsafe AI model @@ -18,12 +15,12 @@ rules: recommended: true forbidden-component: categories: - - ALL - - boost-baseline - - use-of-forbidden-component + - ALL + - boost-baseline + - use-of-forbidden-component description: Project with Unauthorized Component name: forbidden-component group: component-violations pretty_name: Project with Unauthorized Component - ref: https://docs.boostsecurity.io/rules/index.html + ref: https://docs.boostsecurity.io/rules/index.html recommended: true From e1969aa6fd60c610bc93f6522efdd1ba507608d1 Mon Sep 17 00:00:00 2001 
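Review bot: `use-of-unsafe-ai-model` keeps `group: top10-vulnerable-components` but loses `- owasp-top-10` in this hunk, so the rule's group and its category now disagree. With the normalizer logic from patch 2 the tag only survives when one of the rule's `cwe-*` categories or its name appears in the OWASP list, and this rule carries no `cwe-*` category at all, so adding the CWE it maps to under `categories:` (or the rule name to the list) is what would make the tag stable rather than flip on each run. The same rewrite drops the top-level `import: - boostsecurityio/sca-cve` key, which looks like a side effect of the script dumping only `{"rules": rules}` rather than an intended change; later patches in the series touch the dump and the import, but the group/category mismatch on this rule is not addressed.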
From: =?UTF-8?q?Fran=C3=A7ois=20Lajeunesse-Robert?= Date: Thu, 27 Nov 2025 14:01:02 -0500 Subject: [PATCH 4/5] Added support to default to normalize script and revert default removal for mitre-cwe rules --- .boost/scripts/normalize-mapping.py | 4 +++- rules-realm/boostsecurityio/mitre-cwe/rules.yaml | 10 ++++++++++ 2 files changed, 13 insertions(+), 1 deletion(-) diff --git a/.boost/scripts/normalize-mapping.py b/.boost/scripts/normalize-mapping.py index f3f4bac4..ddd9155b 100644 --- a/.boost/scripts/normalize-mapping.py +++ b/.boost/scripts/normalize-mapping.py @@ -25,6 +25,7 @@ rules_file = os.path.join(dirpath, filename) changed = False with open(rules_file, "r") as f: + rules_def = yaml.safe_load(f) rules = yaml.safe_load(f).get("rules", {}) # Validate and fix the categories of each rule @@ -57,5 +58,6 @@ continue # Save the updated rules back to the YAML file + rules_def["rules"] = rules with open(rules_file, "w") as f: - yaml.safe_dump({"rules": rules}, f, sort_keys=False) + yaml.safe_dump(rules_def, f, sort_keys=False) diff --git a/rules-realm/boostsecurityio/mitre-cwe/rules.yaml b/rules-realm/boostsecurityio/mitre-cwe/rules.yaml index cb2d5530..efed17a3 100644 --- a/rules-realm/boostsecurityio/mitre-cwe/rules.yaml +++ b/rules-realm/boostsecurityio/mitre-cwe/rules.yaml @@ -10394,3 +10394,13 @@ rules: name: CWE-99 pretty_name: 'CWE-99: Improper Control of Resource Identifiers (''Resource Injection'')' ref: https://cwe.mitre.org/data/definitions/99.html +default: + CWE-UNKNOWN: + categories: + - ALL + - boost-hardened + group: top10-insecure-design + name: CWE-UNKNOWN + pretty_name: CWE-UNKNOWN - Original rule did not map to a known CWE rule + description: The original rule could not be map to a CWE rule + ref: https://cwe.mitre.org/data/index.html \ No newline at end of file From f243a81d942d97fbd4e2c93985268f2535bb6de1 Mon Sep 17 00:00:00 2001 
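Review bot: `rules = yaml.safe_load(f).get("rules", {})` on the line after the added `rules_def = yaml.safe_load(f)` now parses an exhausted handle: the first `safe_load` consumes the stream, the second returns `None` for the empty remainder, and `.get` raises `AttributeError` on every file the loop visits. Parse once and reuse it, with an empty-document guard so the second hunk's `rules_def["rules"] = rules` does not index a `None` either: `rules_def = yaml.safe_load(f) or {}` and `rules = rules_def.get("rules", {})`. With that the final `yaml.safe_dump(rules_def, f, sort_keys=False)` round-trips top-level keys such as `import` and `default`, which is what this hunk is after. The enclosing loop body starts and ends outside the hunk.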
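Review bot: The added `CWE-UNKNOWN` default is filed under `group: top10-insecure-design` and `boost-hardened`, but a finding that could not be mapped to any CWE says nothing about insecure design, and the equivalent fallback in the checkmarx-provider file (L168, `@@ -1,3 +1,13 @@`) copies the same grouping; if `group` is only a display bucket this is cosmetic, otherwise a neutral group is more honest, and whether unmapped findings should also sit in `boost-baseline` deserves an explicit decision rather than an omission. The description has a typo and the two files disagree on wording (`The original rule could not be map to a CWE rule` here, `the original rule did not map to a known CWE rule` there); one sentence for both, e.g. `description: The original rule could not be mapped to a known CWE`. Since the normalizer in the previous hunks rewrites only the `rules` key, nothing keeps the two `default` blocks in sync, so a comment noting that they are maintained by hand would help. The added `ref:` line also lacks a trailing newline.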
From: =?UTF-8?q?Fran=C3=A7ois=20Lajeunesse-Robert?= Date: Thu, 27 Nov 2025 14:11:38 -0500 Subject: [PATCH 5/5] Reverted the suppression of the import due to the normalize script issue --- .../checkmarx-provider/rules.yaml | 1179 +++++++++++++++-- .../boostsecurityio/sci-sca/rules.yaml | 2 + 2 files changed, 1070 insertions(+), 111 deletions(-) diff --git a/server-side-scanners/boostsecurityio/checkmarx-provider/rules.yaml b/server-side-scanners/boostsecurityio/checkmarx-provider/rules.yaml index 487f38ef..c5d98a5e 100644 --- a/server-side-scanners/boostsecurityio/checkmarx-provider/rules.yaml +++ b/server-side-scanners/boostsecurityio/checkmarx-provider/rules.yaml @@ -1,3 +1,13 @@ +default: + CWE-UNKNOWN: + categories: + - ALL + - boost-hardened + description: the original rule did not map to a known CWE rule + group: top10-insecure-design + name: CWE-UNKNOWN + pretty_name: CWE-UNKNOWN - Original rule did not map to a known CWE rule + ref: https://checkmarx.com/resource/documents/en/34965-46525-audit-guide.html rules: 0008c003-79aa-42d8-95b8-1c2fe37dbfe6: categories: @@ -12103,6 +12113,7 @@ rules: - boost-baseline - ALL - checkmarx-best-coding-practices + - owasp-top-10 description: Points out the situation where a method adorned with AllowPartiallyTrustedCallersAttribute (APTCA) invokes a method without APTCA, thereby exposing potential elevation of privileges threats. @@ -12131,6 +12142,7 @@ rules: ASP_Best_Coding_Practice_Empty_Catch: categories: - cwe-390 + - owasp-top-10 - checkmarx-best-coding-practices - boost-baseline - ALL @@ -12175,6 +12187,7 @@ rules: ASP_Best_Coding_Practice_Just_One_of_Equals_and_Hash_code_Defined: categories: - ALL + - owasp-top-10 - checkmarx-best-coding-practices - boost-baseline - cwe-581 @@ -12187,6 +12200,7 @@ rules: ASP_Best_Coding_Practice_Missing_XML_Validation: categories: - cwe-112 + - owasp-top-10 - checkmarx-best-coding-practices - boost-baseline - ALL 
@@ -12202,6 +12216,7 @@ rules: - boost-baseline - ALL - checkmarx-best-coding-practices + - owasp-top-10 description: Passing a null argument to the Equals method, which could potentially lead to a NullReferenceException at runtime. group: top10-insecure-design @@ -12211,6 +12226,7 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html ASP_Best_Coding_Practice_Pages_Without_Global_Error_Handler: categories: + - owasp-top-10 - cwe-544 - checkmarx-best-coding-practices - boost-baseline @@ -12228,6 +12244,7 @@ rules: - boost-baseline - ALL - checkmarx-best-coding-practices + - owasp-top-10 description: When PersistSecurityInfo is set to True in a connection string, sensitive information like passwords persist in memory, exposing it to potential security breaches. @@ -12239,6 +12256,7 @@ rules: ASP_Best_Coding_Practice_Sockets_in_WebApp: categories: - boost-baseline + - owasp-top-10 - checkmarx-best-coding-practices - cwe-246 - ALL @@ -12252,6 +12270,7 @@ rules: ASP_Best_Coding_Practice_Threads_in_WebApp: categories: - ALL + - owasp-top-10 - checkmarx-best-coding-practices - boost-baseline - cwe-383 @@ -12267,6 +12286,7 @@ rules: - boost-baseline - ALL - checkmarx-best-coding-practices + - owasp-top-10 description: Unclosed system resources (such as connections, files, or other types of system resources) lead to resource leakage, resulting in possible performance degradation or application crashes. @@ -12280,6 +12300,7 @@ rules: - boost-baseline - ALL - checkmarx-best-coding-practices + - owasp-top-10 description: Public methods' arguments are not validated, opening potential threats of insecure data handling, injection attacks, or unintended behavior. group: top10-insecure-design 
@@ -12292,6 +12313,7 @@ rules: - boost-baseline - ALL - checkmarx-best-coding-practices + - owasp-top-10 description: Direct interaction with the System output stream can potentially expose sensitive information or critical system details, increasing vulnerability to potential security breaches. @@ -12305,6 +12327,7 @@ rules: - boost-baseline - ALL - checkmarx-best-coding-practices + - owasp-top-10 description: Fields of a class are excessively visible, leading to potential encapsulation violations or unintended state changes. Fields should be private or protected and accessed via properties or methods to maintain proper encapsulation. @@ -12634,6 +12657,7 @@ rules: categories: - cwe-171 - checkmarx-low-visibility + - owasp-top-10 - boost-baseline - ALL description: Improper handling of data within protection mechanisms that attempt @@ -12663,7 +12687,6 @@ rules: - ALL - cwe-547 - checkmarx-low-visibility - - owasp-top-10 description: The product uses hard-coded constants instead of symbolic names for security-critical values, which increases the likelihood of mistakes during code maintenance or security policy change. @@ -12678,7 +12701,6 @@ rules: - ALL - checkmarx-low-visibility - cwe-520 - - owasp-top-10 description: Allowing a .NET application to run at potentially escalated levels of access to the underlying operating and file systems can be dangerous and result in various forms of attacks. @@ -12691,6 +12713,7 @@ rules: categories: - cwe-248 - checkmarx-low-visibility + - owasp-top-10 - boost-baseline - ALL description: An exception is thrown from a function, but it is not caught. @@ -12703,6 +12726,7 @@ rules: categories: - cwe-404 - checkmarx-low-visibility + - owasp-top-10 - boost-baseline - ALL description: The product does not release or incorrectly releases a resource before 
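Review bot: The `- - owasp-top-10` removals from the cwe-547 and cwe-520 rules in `@@ -12663` and `@@ -12678`, and from the cwe-117 rule in the next line's `@@ -12831`, undo the tagging that patch 3 applies to the same CWEs in the VB6/VbNet sections (L159 `@@ -45395` and `@@ -45452`, L162 `@@ -46270`, L163 `@@ -46428`, L164 `@@ -46707`), so after the series the same CWE is tagged differently depending on the language prefix of the rule. For cwe-117 the list membership is visible in patch 1 (it is a context line of the owasp list), so the normalizer will re-add the tag to the ASP rule on its next run and the removal here is transient; the cwe-547/cwe-520/cwe-614 (L175 `@@ -13692`) cases follow the same pattern but their list membership is not visible in this view. If this revert is meant to undo only the `import` suppression named in the subject, these category flips should not be part of it.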
@@ -12730,6 +12754,7 @@ rules: categories: - cwe-460 - checkmarx-low-visibility + - owasp-top-10 - boost-baseline - ALL description: The product does not clean up its state or incorrectly cleans up @@ -12816,6 +12841,7 @@ rules: ASP_Low_Visibility_Leaving_Temporary_Files: categories: - checkmarx-low-visibility + - owasp-top-10 - boost-baseline - ALL - cwe-376 @@ -12831,7 +12857,6 @@ rules: - ALL - cwe-117 - checkmarx-low-visibility - - owasp-top-10 description: The product does not neutralize or incorrectly neutralizes output that is written to logs. group: top10-security-logging-monitoring-failures @@ -12874,6 +12899,7 @@ rules: categories: - cwe-615 - checkmarx-low-visibility + - owasp-top-10 - boost-baseline - ALL description: 'While adding general comments is very useful, some programmers tend @@ -12919,6 +12945,7 @@ rules: categories: - cwe-567 - checkmarx-low-visibility + - owasp-top-10 - boost-baseline - ALL description: The product does not properly synchronize shared data, such as static @@ -12947,6 +12974,7 @@ rules: categories: - cwe-647 - checkmarx-low-visibility + - owasp-top-10 - boost-baseline - ALL description: The product defines policy namespaces and makes authorization decisions @@ -13020,6 +13048,7 @@ rules: ASP_Medium_Threat_DoS_by_Sleep: categories: - checkmarx-medium-threat + - owasp-top-10 - boost-baseline - ALL description: The product performs an iteration or loop without sufficiently limiting @@ -13048,6 +13077,7 @@ rules: categories: - checkmarx-medium-threat - cwe-667 + - owasp-top-10 - boost-baseline - ALL description: The product does not properly acquire or release a lock on a resource, @@ -13160,6 +13190,7 @@ rules: categories: - cwe-404 - checkmarx-medium-threat + - owasp-top-10 - boost-baseline - ALL description: The product does not release or incorrectly releases a resource before 
@@ -13173,6 +13204,7 @@ rules: categories: - checkmarx-medium-threat - cwe-618 + - owasp-top-10 - boost-baseline - ALL description: An ActiveX control is intended for use in a web browser, but it exposes @@ -13202,6 +13234,7 @@ rules: - boost-baseline - ALL - checkmarx-force-com-code-quality + - owasp-top-10 description: Async future methods are executed inside loops, which may lead to governor limit exceptions due to an excessive number of future calls in Salesforce's Apex code. @@ -13215,6 +13248,7 @@ rules: - boost-baseline - ALL - checkmarx-force-com-code-quality + - owasp-top-10 description: Apex methods are not utilizing collections (lists, sets, or maps) to process bulk data, which can result in inefficient SOQL queries, negatively impacting the code performance in Salesforce. @@ -13228,6 +13262,7 @@ rules: - boost-baseline - ALL - checkmarx-force-com-code-quality + - owasp-top-10 description: In an Apex Salesforce.com codebase, DML operations are present inside loop constructs, which may cause exceeding the governor limit, leading to inefficient code execution. @@ -13241,6 +13276,7 @@ rules: - boost-baseline - ALL - checkmarx-force-com-code-quality + - owasp-top-10 description: Uncertified HTTP callouts are used in Apex code, which can expose sensitive business data and lead to insecure interactions with third-party services. group: top10-insecure-design @@ -13254,7 +13290,6 @@ rules: - ALL - cwe-547 - checkmarx-force-com-code-quality - - owasp-top-10 description: The product uses hard-coded constants instead of symbolic names for security-critical values, which increases the likelihood of mistakes during code maintenance or security policy change. @@ -13268,6 +13303,7 @@ rules: - boost-baseline - ALL - checkmarx-force-com-code-quality + - owasp-top-10 description: Salesforce object IDs are hardcoded in the Apex source code, risking loss of data access or integrity when records or objects are changed, removed, or migrated to other Salesforce instances. 
@@ -13281,6 +13317,7 @@ rules: - boost-baseline - ALL - checkmarx-force-com-code-quality + - owasp-top-10 description: The code contains hardcoded references to Trigger.new, which limits its reusability and adaptability, making it less maintainable and potentially problematic if changes in data structure occur. @@ -13294,6 +13331,7 @@ rules: - boost-baseline - ALL - checkmarx-force-com-code-quality + - owasp-top-10 description: Direct references to Trigger.old in Apex Code may lead to unexpected behavior or errors during updates and deletions, as this means hardcoding values destined to change with every transaction. @@ -13307,6 +13345,7 @@ rules: - boost-baseline - ALL - checkmarx-force-com-code-quality + - owasp-top-10 description: The rule identifies instances of hardcoded references to static resources within Apex code, which can result in maintenance issues and reduce the code's ability to adapt to changes. @@ -13320,6 +13359,7 @@ rules: - boost-baseline - ALL - checkmarx-force-com-code-quality + - owasp-top-10 description: Visualforce pages contain multiple forms, which may lead to conflicting actions or unintuitive user experiences due to mishandled form submissions or redundant code. @@ -13333,6 +13373,7 @@ rules: - boost-baseline - ALL - checkmarx-force-com-code-quality + - owasp-top-10 description: Multiple triggers are defined on the same 'sObject' in Apex code, possibly leading to unpredictable execution order and potential recursive behavior issues. @@ -13346,6 +13387,7 @@ rules: - boost-baseline - ALL - checkmarx-force-com-code-quality + - owasp-top-10 description: Salesforce Apex queries or SOQL statements lack 'WHERE' or 'LIMIT' clauses, potentially causing data overload and performance issues. group: top10-insecure-design 
@@ -13358,6 +13400,7 @@ rules: - boost-baseline - ALL - checkmarx-force-com-code-quality + - owasp-top-10 description: Highlights instances of SOSL/SOQL queries placed inside loops which may result in governor limit exceptions in Apex Force.com code. group: top10-insecure-design @@ -13370,6 +13413,7 @@ rules: - boost-baseline - ALL - checkmarx-force-com-code-quality + - owasp-top-10 description: Unit test assertions in Apex code lack custom error messages, reducing the ability to express specific failure conditions for better test maintainability and readability. @@ -13383,6 +13427,7 @@ rules: - boost-baseline - ALL - checkmarx-force-com-code-quality + - owasp-top-10 description: An Apex test method lacks 'System.assert()', 'System.assertEquals()' or 'System.assertNotEquals()' calls, which may inhibit proper validation of the code's functionality. @@ -13394,6 +13439,7 @@ rules: Apex_Force_com_Code_Quality_Unused_Variable: categories: - checkmarx-force-com-code-quality + - owasp-top-10 - cwe-563 - boost-baseline - ALL @@ -13409,6 +13455,7 @@ rules: - boost-baseline - ALL - checkmarx-force-com-code-quality + - owasp-top-10 description: Identifies use of the Salesforce AJAX Toolkit within Apex code, which is deprecated and can lead to functionality issues in Salesforce apps. group: top10-insecure-design @@ -13550,6 +13597,7 @@ rules: - boost-baseline - ALL - checkmarx-force-com-serious-risk + - owasp-top-10 description: Cookies are not properly scoped, leaving sensitive user data susceptible to potential theft or manipulation via cross-site scripting (XSS) or cross-site request forgery (CSRF) attacks. @@ -13562,6 +13610,7 @@ rules: categories: - cwe-243 - checkmarx-force-com-serious-risk + - owasp-top-10 - boost-baseline - ALL description: The product uses the chroot() system call to create a jail, but does 
@@ -13577,6 +13626,7 @@ rules: - boost-baseline - ALL - checkmarx-force-com-serious-risk + - owasp-top-10 description: Accesses a field by dereferencing a potentially null pointer, exposing an Apex Force.com application to serious security risks including null dereference exceptions or unintended behavior. @@ -13692,7 +13742,6 @@ rules: - cwe-614 - checkmarx-force-com-serious-risk - ALL - - owasp-top-10 description: The Secure attribute for sensitive cookies in HTTPS sessions is not set, which could cause the user agent to send those cookies in plaintext over an HTTP session. @@ -13765,6 +13814,7 @@ rules: - boost-baseline - ALL - checkmarx-force-com-serious-risk + - owasp-top-10 description: The 'inputText' function in Apex ignores Field-Level Security settings (FLS), which can result in unauthorized data access or modification on Salesforce's Force.com platform. @@ -13777,6 +13827,7 @@ rules: categories: - boost-baseline - ALL + - owasp-top-10 - checkmarx-isv-quality-rules description: The reRender frequency for actionPoller in Apex is set too high, potentially causing performance issues due to excessive server load. @@ -13789,6 +13840,7 @@ rules: categories: - boost-baseline - ALL + - owasp-top-10 - checkmarx-isv-quality-rules description: Visualforce components utilize the Ajax Toolkit, instead of standard Visualforce Ajax or Apex, potentially resulting in performance degradation or @@ -13802,6 +13854,7 @@ rules: categories: - boost-baseline - ALL + - owasp-top-10 - checkmarx-isv-quality-rules description: Batch Apex is present in the codebase, which may lead to performance issues when processing large data volumes. @@ -13814,6 +13867,7 @@ rules: categories: - boost-baseline - ALL + - owasp-top-10 - checkmarx-isv-quality-rules description: Outbound calls are made within a Batch Apex, which may cause scalability issues due to governor limits on Salesforce's outbound HTTP callouts. 
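Review bot: `- owasp-top-10` is added in `@@ -13777` to an `Apex_ISV_Quality_Rules` entry whose full category list is visible as `boost-baseline`, `ALL`, `checkmarx-isv-quality-rules` with no `cwe-*` entry, and the following hunks through L178 (`@@ -13789` … `@@ -14059`) do the same for the rest of that group. Under the patch-2 normalizer a category is dropped when neither a `cwe-*` in the list nor the rule name is in the OWASP file, so the next run of `normalize-mapping.py` will strip these again, and the descriptions (batch Apex, empty `if`/`while`, outbound email, actionPoller frequency) do not read as OWASP Top 10 findings either. If these rules genuinely belong under the tag, the CWE they map to should be added under `categories:` so the normalizer agrees; otherwise the revert should be limited to the `import` line it is named after.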
@@ -13826,6 +13880,7 @@ rules: categories: - boost-baseline - ALL + - owasp-top-10 - checkmarx-isv-quality-rules description: The Database DML operation in Apex code has the 'DmlOptions' parameter set to 'false', neglecting potential record locking contention considerations @@ -13839,6 +13894,7 @@ rules: categories: - boost-baseline - ALL + - owasp-top-10 - checkmarx-isv-quality-rules description: Catches exceptions without handling them, leading to potential unaddressed errors and application instability. @@ -13851,6 +13907,7 @@ rules: categories: - boost-baseline - ALL + - owasp-top-10 - checkmarx-isv-quality-rules description: An 'if' statement in the Apex code does not contain any executable statements, making it redundant and possibly indicative of incomplete or incorrect @@ -13864,6 +13921,7 @@ rules: categories: - boost-baseline - ALL + - owasp-top-10 - checkmarx-isv-quality-rules description: The code contains methods that are empty or lack substantive content, which might be unintentional leftovers from incomplete development or refactoring @@ -13877,6 +13935,7 @@ rules: categories: - boost-baseline - ALL + - owasp-top-10 - checkmarx-isv-quality-rules description: A 'while' statement in the APEX code has an empty body, causing an infinite loop that can result in script execution and performance problems. @@ -13889,6 +13948,7 @@ rules: categories: - boost-baseline - ALL + - owasp-top-10 - checkmarx-isv-quality-rules description: Exposed test data in Apex classes may lead to leakage of sensitive information, violating the Salesforce ISV (Independent Software Vendor) best @@ -13902,6 +13962,7 @@ rules: categories: - boost-baseline - ALL + - owasp-top-10 - checkmarx-isv-quality-rules description: The Apex code contains @future annotation, possibly adding complexity to transaction control flow and leading to unexpected order of execution. 
@@ -13914,6 +13975,7 @@ rules: categories: - boost-baseline - ALL + - owasp-top-10 - checkmarx-isv-quality-rules description: The Salesforce Apex code under examination employs an outdated API version, which may result in deprecated or unavailable functionality and suboptimal @@ -13927,6 +13989,7 @@ rules: categories: - boost-baseline - ALL + - owasp-top-10 - checkmarx-isv-quality-rules description: Apex code to send outbound emails is employed, which may lead to uncontrolled distribution of sensitive data or exhaustion of email sending limits. @@ -13939,6 +14002,7 @@ rules: categories: - boost-baseline - ALL + - owasp-top-10 - checkmarx-isv-quality-rules description: Apex reports without assigned filters can return an excessively broad data set, potentially causing performance issues or disclosing sensitive information. @@ -13951,6 +14015,7 @@ rules: categories: - boost-baseline - ALL + - owasp-top-10 - checkmarx-isv-quality-rules description: The SOQL query uses a dynamic 'null' in its WHERE clause, which may lead to inconsistent results or potential vulnerabilities in Apex code. @@ -13963,6 +14028,7 @@ rules: categories: - boost-baseline - ALL + - owasp-top-10 - checkmarx-isv-quality-rules description: In Salesforce Apex code, a SOQL query uses a formula field within the WHERE clause, causing unpredictable behavior and potential performance issues @@ -13976,6 +14042,7 @@ rules: categories: - checkmarx-isv-quality-rules - cwe-1067 + - owasp-top-10 - boost-baseline - ALL description: The product contains a data query against an SQL table or view that @@ -13990,6 +14057,7 @@ rules: categories: - checkmarx-isv-quality-rules - cwe-1067 + - owasp-top-10 - boost-baseline - ALL description: The product contains a data query against an SQL table or view that @@ -14003,6 +14071,7 @@ rules: Apex_ISV_Quality_Rules_SOQL_With_All_Fields: categories: - checkmarx-isv-quality-rules + - owasp-top-10 - cwe-400 - boost-baseline - ALL 
@@ -14018,6 +14087,7 @@ rules: Apex_ISV_Quality_Rules_SOQL_with_All_Fields_in_Loop: categories: - checkmarx-isv-quality-rules + - owasp-top-10 - cwe-400 - boost-baseline - ALL @@ -14034,6 +14104,7 @@ rules: categories: - boost-baseline - ALL + - owasp-top-10 - checkmarx-isv-quality-rules description: The SOSL (Salesforce Object Search Language) query includes a WHERE clause, which can lead to performance issues due to query inefficiency. @@ -14046,6 +14117,7 @@ rules: categories: - boost-baseline - ALL + - owasp-top-10 - checkmarx-isv-quality-rules description: Alerts developers when ViewState usage in Salesforce's Apex code surpasses the size limit, helping to avoid performance issues and exceptions @@ -14059,6 +14131,7 @@ rules: categories: - boost-baseline - ALL + - owasp-top-10 - checkmarx-isv-quality-rules description: Workflow rules in Apex cause automatic email transmission, which could disrupt service through excessive messaging, violate data privacy regulations @@ -14073,6 +14146,7 @@ rules: - boost-baseline - ALL - checkmarx-low-visibility + - owasp-top-10 description: The Visualforce markup includes an unescaped merge field, "&{!...}", which could make the application vulnerable to Cross-Site Scripting (XSS) attacks due to rendering of untrusted data as real HTML content. @@ -14115,6 +14189,7 @@ rules: - boost-baseline - ALL - checkmarx-low-visibility + - owasp-top-10 description: Sensitive data, such as passwords, are exposed in Salesforce Apex code due to being hard-coded, log-printed, or misused in a publicly visible or easily accessible manner. @@ -14128,6 +14203,7 @@ rules: - boost-baseline - ALL - checkmarx-low-visibility + - owasp-top-10 description: Apex code lacks frame options in HTTP response headers, making it prone to clickjacking attacks via potential frame injection. group: top10-injection 
@@ -14214,6 +14290,7 @@ rules: categories: - cwe-118 - checkmarx-secure-coding-guide + - owasp-top-10 - boost-baseline - ALL description: The product does not restrict or incorrectly restricts operations @@ -14228,6 +14305,7 @@ rules: categories: - cwe-118 - checkmarx-secure-coding-guide + - owasp-top-10 - boost-baseline - ALL description: The product does not restrict or incorrectly restricts operations @@ -14242,6 +14320,7 @@ rules: categories: - boost-hardened - checkmarx-secure-coding-guide + - owasp-top-10 - boost-baseline - ALL - cwe-788 @@ -14286,6 +14365,7 @@ rules: categories: - cwe-252 - checkmarx-secure-coding-guide + - owasp-top-10 - boost-baseline - ALL description: The product does not check the return value from a method or function, @@ -14300,6 +14380,7 @@ rules: - boost-hardened - cwe-134 - checkmarx-secure-coding-guide + - owasp-top-10 - boost-baseline - ALL description: The product uses a function that accepts a format string as an argument, @@ -14344,6 +14425,7 @@ rules: - boost-hardened - cwe-190 - checkmarx-secure-coding-guide + - owasp-top-10 - boost-baseline - ALL - cwe-top-25 @@ -14359,6 +14441,7 @@ rules: Apple_Secure_Coding_Guide_UDP_Protocol_Used: categories: - checkmarx-secure-coding-guide + - owasp-top-10 - cwe-398 - boost-baseline - ALL @@ -14388,6 +14471,7 @@ rules: categories: - cwe-252 - checkmarx-secure-coding-guide + - owasp-top-10 - boost-baseline - ALL description: The product does not check the return value from a method or function, @@ -14400,6 +14484,7 @@ rules: Apple_Secure_Coding_Guide_Unscrubbed_Secret: categories: - checkmarx-secure-coding-guide + - owasp-top-10 - cwe-226 - boost-baseline - ALL @@ -14431,6 +14516,7 @@ rules: CPP_Best_Coding_Practice_Buffer_Size_Literal: categories: - cwe-118 + - owasp-top-10 - checkmarx-best-coding-practices - boost-baseline - ALL 
@@ -14445,6 +14531,7 @@ rules: CPP_Best_Coding_Practice_Buffer_Size_Literal_Condition: categories: - cwe-118 + - owasp-top-10 - checkmarx-best-coding-practices - boost-baseline - ALL @@ -14458,6 +14545,7 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_Best_Coding_Practice_Buffer_Size_Literal_Overflow: categories: + - owasp-top-10 - checkmarx-best-coding-practices - boost-baseline - ALL @@ -14472,6 +14560,7 @@ rules: CPP_Best_Coding_Practice_Dead_Code: categories: - cwe-561 + - owasp-top-10 - checkmarx-best-coding-practices - boost-baseline - ALL @@ -14484,6 +14573,7 @@ rules: CPP_Best_Coding_Practice_Declaration_Of_Catch_For_Generic_Exception: categories: - cwe-396 + - owasp-top-10 - checkmarx-best-coding-practices - boost-baseline - ALL @@ -14497,6 +14587,7 @@ rules: CPP_Best_Coding_Practice_Detection_of_Error_Condition_Without_Action: categories: - cwe-390 + - owasp-top-10 - checkmarx-best-coding-practices - boost-baseline - ALL @@ -14509,6 +14600,7 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_Best_Coding_Practice_Empty_Methods: categories: + - owasp-top-10 - cwe-398 - checkmarx-best-coding-practices - boost-baseline @@ -14521,6 +14613,7 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_Best_Coding_Practice_Exposure_of_Resource_to_Wrong_Sphere: categories: + - owasp-top-10 - cwe-493 - checkmarx-best-coding-practices - boost-baseline @@ -14534,6 +14627,7 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_Best_Coding_Practice_GOTO_Statement: categories: + - owasp-top-10 - checkmarx-best-coding-practices - boost-baseline - ALL 
@@ -14569,6 +14663,7 @@ rules: - boost-baseline - ALL - checkmarx-best-coding-practices + - owasp-top-10 description: Numeric constants (known as 'magic numbers') are used directly in the source code, making it hard to maintain and understand. Such numbers should be replaced with named constants. @@ -14579,6 +14674,7 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_Best_Coding_Practice_Methods_Without_ReturnType: categories: + - owasp-top-10 - checkmarx-best-coding-practices - boost-baseline - ALL @@ -14594,6 +14690,7 @@ rules: - boost-baseline - ALL - checkmarx-best-coding-practices + - owasp-top-10 description: A static constructor in C++ isn't private, which could potentially allow unintended class instantiation and alteration of class states. group: top10-insecure-design @@ -14618,6 +14715,7 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_Best_Coding_Practice_Unused_Variable: categories: + - owasp-top-10 - cwe-563 - checkmarx-best-coding-practices - boost-baseline @@ -14634,6 +14732,7 @@ rules: - boost-baseline - ALL - checkmarx-best-coding-practices + - owasp-top-10 description: Public methods in C++ code neglect to validate arguments before use, increasing the risk of unauthorized data access and manipulation. group: top10-insecure-design @@ -14646,6 +14745,7 @@ rules: - checkmarx-buffer-overflow - cwe-129 - boost-hardened + - owasp-top-10 - boost-baseline - ALL description: The product uses untrusted input when calculating or using an array @@ -14660,6 +14760,7 @@ rules: categories: - checkmarx-buffer-overflow - cwe-562 + - owasp-top-10 - boost-baseline - ALL description: A function returns the address of a stack variable, which will cause @@ -14674,6 +14775,7 @@ rules: - ALL - boost-hardened - checkmarx-buffer-overflow + - owasp-top-10 - boost-baseline - cwe-787 - cwe-top-25 
@@ -14688,6 +14790,7 @@ rules: categories: - checkmarx-buffer-overflow - boost-hardened + - owasp-top-10 - cwe-120 - boost-baseline - ALL @@ -14703,6 +14806,7 @@ rules: categories: - checkmarx-buffer-overflow - boost-hardened + - owasp-top-10 - cwe-120 - boost-baseline - ALL @@ -14718,6 +14822,7 @@ rules: categories: - checkmarx-buffer-overflow - cwe-193 + - owasp-top-10 - boost-baseline - ALL description: A product calculates or uses an incorrect maximum or minimum value @@ -14731,6 +14836,7 @@ rules: categories: - checkmarx-buffer-overflow - cwe-193 + - owasp-top-10 - boost-baseline - ALL description: A product calculates or uses an incorrect maximum or minimum value @@ -14744,6 +14850,7 @@ rules: categories: - checkmarx-buffer-overflow - boost-hardened + - owasp-top-10 - cwe-120 - boost-baseline - ALL @@ -14759,6 +14866,7 @@ rules: categories: - checkmarx-buffer-overflow - boost-hardened + - owasp-top-10 - cwe-120 - boost-baseline - ALL @@ -14774,6 +14882,7 @@ rules: categories: - checkmarx-buffer-overflow - boost-hardened + - owasp-top-10 - cwe-120 - boost-baseline - ALL @@ -14789,6 +14898,7 @@ rules: categories: - checkmarx-buffer-overflow - boost-hardened + - owasp-top-10 - cwe-120 - boost-baseline - ALL @@ -14804,6 +14914,7 @@ rules: categories: - checkmarx-buffer-overflow - boost-hardened + - owasp-top-10 - cwe-120 - boost-baseline - ALL @@ -14819,6 +14930,7 @@ rules: categories: - checkmarx-buffer-overflow - boost-hardened + - owasp-top-10 - boost-baseline - ALL - cwe-131 @@ -14832,6 +14944,7 @@ rules: CPP_Buffer_Overflow_Buffer_Overflow_boundcpy_WrongSizeParam: categories: - checkmarx-buffer-overflow + - owasp-top-10 - boost-baseline - ALL - cwe-121 @@ -14847,6 +14960,7 @@ rules: categories: - checkmarx-buffer-overflow - boost-hardened + - owasp-top-10 - cwe-120 - boost-baseline - ALL @@ -14861,6 +14975,7 @@ rules: CPP_Buffer_Overflow_Buffer_Overflow_boundedcpy2: categories: - checkmarx-buffer-overflow + - owasp-top-10 - cwe-120 - boost-baseline - ALL 
@@ -14876,6 +14991,7 @@ rules: categories: - checkmarx-buffer-overflow - boost-hardened + - owasp-top-10 - cwe-120 - boost-baseline - ALL @@ -14891,6 +15007,7 @@ rules: categories: - checkmarx-buffer-overflow - boost-hardened + - owasp-top-10 - cwe-120 - boost-baseline - ALL @@ -14906,6 +15023,7 @@ rules: categories: - checkmarx-buffer-overflow - boost-hardened + - owasp-top-10 - cwe-120 - boost-baseline - ALL @@ -14921,6 +15039,7 @@ rules: categories: - checkmarx-buffer-overflow - boost-hardened + - owasp-top-10 - cwe-120 - boost-baseline - ALL @@ -14936,6 +15055,7 @@ rules: categories: - checkmarx-buffer-overflow - boost-hardened + - owasp-top-10 - cwe-120 - boost-baseline - ALL @@ -14951,6 +15071,7 @@ rules: categories: - checkmarx-buffer-overflow - boost-hardened + - owasp-top-10 - cwe-120 - boost-baseline - ALL @@ -14967,6 +15088,7 @@ rules: - boost-hardened - checkmarx-buffer-overflow - cwe-134 + - owasp-top-10 - boost-baseline - ALL description: The product uses a function that accepts a format string as an argument, @@ -14981,6 +15103,7 @@ rules: - cwe-170 - checkmarx-buffer-overflow - boost-hardened + - owasp-top-10 - boost-baseline - ALL description: The product does not terminate or incorrectly terminates a string @@ -14993,6 +15116,7 @@ rules: CPP_Buffer_Overflow_Missing_Precision: categories: - checkmarx-buffer-overflow + - owasp-top-10 - cwe-120 - boost-baseline - ALL @@ -15007,6 +15131,7 @@ rules: CPP_Buffer_Overflow_MultiByte_String_Length: categories: - checkmarx-buffer-overflow + - owasp-top-10 - cwe-135 - boost-baseline - ALL @@ -15022,6 +15147,7 @@ rules: - checkmarx-buffer-overflow - boost-hardened - cwe-193 + - owasp-top-10 - boost-baseline - ALL description: A product calculates or uses an incorrect maximum or minimum value @@ -15036,6 +15162,7 @@ rules: - checkmarx-buffer-overflow - boost-hardened - cwe-193 + - owasp-top-10 - boost-baseline - ALL description: A product calculates or uses an incorrect maximum or minimum value 
@@ -15049,6 +15176,7 @@ rules: categories: - checkmarx-buffer-overflow - cwe-193 + - owasp-top-10 - boost-baseline - ALL description: A product calculates or uses an incorrect maximum or minimum value @@ -15062,6 +15190,7 @@ rules: categories: - checkmarx-buffer-overflow - cwe-193 + - owasp-top-10 - boost-baseline - ALL description: A product calculates or uses an incorrect maximum or minimum value @@ -15075,6 +15204,7 @@ rules: categories: - checkmarx-buffer-overflow - boost-hardened + - owasp-top-10 - cwe-120 - boost-baseline - ALL @@ -15089,6 +15219,7 @@ rules: CPP_Buffer_Overflow_Potential_Precision_Problem: categories: - checkmarx-buffer-overflow + - owasp-top-10 - cwe-120 - boost-baseline - ALL @@ -15105,6 +15236,7 @@ rules: - cwe-170 - checkmarx-buffer-overflow - boost-hardened + - owasp-top-10 - boost-baseline - ALL description: The product does not terminate or incorrectly terminates a string @@ -15119,6 +15251,7 @@ rules: - cwe-170 - checkmarx-buffer-overflow - boost-hardened + - owasp-top-10 - boost-baseline - ALL description: The product does not terminate or incorrectly terminates a string @@ -15131,6 +15264,7 @@ rules: CPP_Heuristic_Freed_Pointer_Not_Set_To_Null: categories: - checkmarx-heuristic + - owasp-top-10 - cwe-476 - boost-baseline - ALL @@ -15146,6 +15280,7 @@ rules: CPP_Heuristic_Heuristic_2nd_Order_Buffer_Overflow_malloc: categories: - checkmarx-heuristic + - owasp-top-10 - cwe-120 - boost-baseline - ALL @@ -15160,6 +15295,7 @@ rules: CPP_Heuristic_Heuristic_2nd_Order_Buffer_Overflow_read: categories: - checkmarx-heuristic + - owasp-top-10 - cwe-120 - boost-baseline - ALL @@ -15192,6 +15328,7 @@ rules: categories: - cwe-129 - checkmarx-heuristic + - owasp-top-10 - boost-baseline - ALL description: The product uses untrusted input when calculating or using an array @@ -15205,6 +15342,7 @@ rules: CPP_Heuristic_Heuristic_Buffer_Overflow_malloc: categories: - checkmarx-heuristic + - owasp-top-10 - cwe-120 - boost-baseline - ALL 
@@ -15219,6 +15357,7 @@ rules: CPP_Heuristic_Heuristic_Buffer_Overflow_read: categories: - checkmarx-heuristic + - owasp-top-10 - cwe-120 - boost-baseline - ALL @@ -15263,6 +15402,7 @@ rules: CPP_Heuristic_Heuristic_NULL_Pointer_Dereference1: categories: - checkmarx-heuristic + - owasp-top-10 - cwe-476 - boost-baseline - ALL @@ -15278,6 +15418,7 @@ rules: CPP_Heuristic_Heuristic_NULL_Pointer_Dereference2: categories: - checkmarx-heuristic + - owasp-top-10 - cwe-476 - boost-baseline - ALL @@ -15326,6 +15467,7 @@ rules: categories: - cwe-252 - checkmarx-heuristic + - owasp-top-10 - boost-baseline - ALL description: The product does not check the return value from a method or function, @@ -15339,6 +15481,7 @@ rules: categories: - cwe-193 - checkmarx-heuristic + - owasp-top-10 - boost-baseline - ALL description: A product calculates or uses an incorrect maximum or minimum value @@ -15436,6 +15579,7 @@ rules: CPP_High_Risk_Process_Control: categories: - boost-hardened + - owasp-top-10 - cwe-114 - boost-baseline - ALL @@ -15484,6 +15628,7 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_Insecure_Credential_Storage_Comparison_Timing_Attack: categories: + - owasp-top-10 - checkmarx-insecure-credential-storage - boost-baseline - ALL @@ -15605,6 +15750,7 @@ rules: CPP_Integer_Overflow_Boolean_Overflow: categories: - cwe-190 + - owasp-top-10 - checkmarx-integer-overflow - boost-baseline - ALL @@ -15621,6 +15767,7 @@ rules: CPP_Integer_Overflow_Char_Overflow: categories: - cwe-190 + - owasp-top-10 - checkmarx-integer-overflow - boost-baseline - ALL @@ -15637,6 +15784,7 @@ rules: CPP_Integer_Overflow_Float_Overflow: categories: - cwe-190 + - owasp-top-10 - checkmarx-integer-overflow - boost-baseline - ALL @@ -15653,6 +15801,7 @@ rules: CPP_Integer_Overflow_Get_Right_Assignment: categories: - cwe-190 + - owasp-top-10 - checkmarx-integer-overflow - boost-baseline - ALL 
@@ -15669,6 +15818,7 @@ rules: CPP_Integer_Overflow_Integer_Overflow: categories: - cwe-190 + - owasp-top-10 - checkmarx-integer-overflow - boost-baseline - ALL @@ -15685,6 +15835,7 @@ rules: CPP_Integer_Overflow_Long_Overflow: categories: - cwe-190 + - owasp-top-10 - checkmarx-integer-overflow - boost-baseline - ALL @@ -15701,6 +15852,7 @@ rules: CPP_Integer_Overflow_Short_Overflow: categories: - cwe-190 + - owasp-top-10 - checkmarx-integer-overflow - boost-baseline - ALL @@ -15717,6 +15869,7 @@ rules: CPP_Integer_Overflow_Type_Conversion_Error: categories: - cwe-681 + - owasp-top-10 - checkmarx-integer-overflow - boost-baseline - ALL @@ -15732,6 +15885,7 @@ rules: CPP_Integer_Overflow_Wrong_Size_t_Allocation: categories: - cwe-789 + - owasp-top-10 - checkmarx-integer-overflow - boost-baseline - ALL @@ -15746,6 +15900,7 @@ rules: CPP_Low_Visibility_Arithmetic_Operation_On_Boolean: categories: - checkmarx-low-visibility + - owasp-top-10 - cwe-398 - boost-baseline - ALL @@ -15776,6 +15931,7 @@ rules: categories: - cwe-243 - checkmarx-low-visibility + - owasp-top-10 - boost-baseline - ALL description: The product uses the chroot() system call to create a jail, but does @@ -15790,6 +15946,7 @@ rules: categories: - cwe-477 - checkmarx-low-visibility + - owasp-top-10 - boost-baseline - ALL description: The code uses deprecated or obsolete functions, which suggests that @@ -15818,6 +15975,7 @@ rules: categories: - cwe-244 - checkmarx-low-visibility + - owasp-top-10 - boost-baseline - ALL description: Using realloc() to resize buffers that store sensitive information @@ -15832,6 +15990,7 @@ rules: categories: - cwe-248 - checkmarx-low-visibility + - owasp-top-10 - boost-baseline - ALL description: An exception is thrown from a function, but it is not caught. @@ -15858,6 +16017,7 @@ rules: categories: - cwe-404 - checkmarx-low-visibility + - owasp-top-10 - boost-baseline - ALL description: The product does not release or incorrectly releases a resource before 
@@ -15871,6 +16031,7 @@ rules: categories: - cwe-460 - checkmarx-low-visibility + - owasp-top-10 - boost-baseline - ALL description: The product does not clean up its state or incorrectly cleans up @@ -15885,6 +16046,7 @@ rules: categories: - cwe-474 - checkmarx-low-visibility + - owasp-top-10 - boost-baseline - ALL description: The code uses a function that has inconsistent implementations across @@ -15898,6 +16060,7 @@ rules: categories: - cwe-732 - checkmarx-low-visibility + - owasp-top-10 - boost-baseline - ALL description: The product specifies permissions for a security-critical resource @@ -15911,6 +16074,7 @@ rules: categories: - cwe-615 - checkmarx-low-visibility + - owasp-top-10 - boost-baseline - ALL description: 'While adding general comments is very useful, some programmers tend @@ -15968,6 +16132,7 @@ rules: CPP_Low_Visibility_Leaving_Temporary_Files: categories: - checkmarx-low-visibility + - owasp-top-10 - boost-baseline - ALL - cwe-376 @@ -15981,6 +16146,7 @@ rules: categories: - cwe-489 - checkmarx-low-visibility + - owasp-top-10 - boost-baseline - ALL description: The product is deployed to unauthorized actors with debugging code @@ -15997,7 +16163,6 @@ rules: - ALL - cwe-117 - checkmarx-low-visibility - - owasp-top-10 description: The product does not neutralize or incorrectly neutralizes output that is written to logs. group: top10-security-logging-monitoring-failures @@ -16008,6 +16173,7 @@ rules: CPP_Low_Visibility_NULL_Pointer_Dereference: categories: - checkmarx-low-visibility + - owasp-top-10 - cwe-476 - boost-baseline - ALL @@ -16023,6 +16189,7 @@ rules: CPP_Low_Visibility_Potential_Path_Traversal: categories: - checkmarx-low-visibility + - owasp-top-10 - cwe-36 - boost-baseline - ALL @@ -16055,6 +16222,7 @@ rules: categories: - cwe-350 - checkmarx-low-visibility + - owasp-top-10 - boost-baseline - ALL description: The product performs reverse DNS resolution on an IP address to obtain 
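Review bot: The hunk at `-15997,7 +16163,6` removes `- owasp-top-10` from the rule tagged `cwe-117` with `group: top10-security-logging-monitoring-failures`, while the neighbouring hunks add the same category to rules with no CWE at all, so the direction of this particular change looks inverted. CWE-117 (improper output neutralization for logs) is part of OWASP Top 10 2021 A09 Security Logging and Monitoring Failures, which the rule's own `group` value already reflects. If the category is derived from the CWE list, check that `cwe-117` is present in the list the script reads and that entries are compared as whole tokens rather than substrings; the removed line `      - owasp-top-10` should most likely be kept. The rule key for this entry sits above the hunk start.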
@@ -16069,6 +16237,7 @@ rules: categories: - cwe-467 - checkmarx-low-visibility + - owasp-top-10 - boost-baseline - ALL description: The code calls sizeof() on a malloced pointer type, which always @@ -16099,6 +16268,7 @@ rules: CPP_Low_Visibility_TOCTOU: categories: - checkmarx-low-visibility + - owasp-top-10 - boost-baseline - ALL - cwe-367 @@ -16115,6 +16285,7 @@ rules: categories: - cwe-129 - checkmarx-low-visibility + - owasp-top-10 - boost-baseline - ALL description: The product uses untrusted input when calculating or using an array @@ -16129,6 +16300,7 @@ rules: categories: - cwe-252 - checkmarx-low-visibility + - owasp-top-10 - boost-baseline - ALL description: The product does not check the return value from a method or function, @@ -16142,6 +16314,7 @@ rules: categories: - ALL - checkmarx-low-visibility + - owasp-top-10 - boost-baseline - cwe-475 description: The behavior of this function is undefined unless its control parameter @@ -16154,6 +16327,7 @@ rules: CPP_Low_Visibility_Unreleased_Resource_Leak: categories: - checkmarx-low-visibility + - owasp-top-10 - cwe-411 - boost-baseline - ALL @@ -16168,6 +16342,7 @@ rules: categories: - cwe-477 - checkmarx-low-visibility + - owasp-top-10 - boost-baseline - ALL description: The code uses deprecated or obsolete functions, which suggests that @@ -16209,6 +16384,7 @@ rules: categories: - cwe-477 - checkmarx-low-visibility + - owasp-top-10 - boost-baseline - ALL description: The code uses deprecated or obsolete functions, which suggests that @@ -16222,6 +16398,7 @@ rules: categories: - cwe-467 - checkmarx-low-visibility + - owasp-top-10 - boost-baseline - ALL description: The code calls sizeof() on a malloced pointer type, which always @@ -16234,6 +16411,7 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_CPP_R00_01_03_Find_Unused_Variables: categories: + - owasp-top-10 - boost-baseline - ALL - checkmarx-misra-cpp 
@@ -16246,6 +16424,7 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_CPP_R00_01_05_Find_Unused_Typedefs: categories: + - owasp-top-10 - boost-baseline - ALL - checkmarx-misra-cpp @@ -16258,6 +16437,7 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_CPP_R00_01_10_Find_Unused_Defined_Functions: categories: + - owasp-top-10 - boost-baseline - ALL - checkmarx-misra-cpp @@ -16271,6 +16451,7 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_CPP_R00_01_11_Find_Unused_Parameters: categories: + - owasp-top-10 - boost-baseline - ALL - checkmarx-misra-cpp @@ -16283,6 +16464,7 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_CPP_R00_01_12_Find_Virtual_Unused_Parameters: categories: + - owasp-top-10 - boost-baseline - ALL - checkmarx-misra-cpp @@ -16297,6 +16479,7 @@ rules: categories: - boost-baseline - ALL + - owasp-top-10 - checkmarx-misra-cpp description: Trigraph sequences are present in the code, which violate MISRA C++ Rule 02.03.01, and can impact the readability and maintainability of the code. @@ -16307,6 +16490,7 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_CPP_R02_05_01_Digraphs: categories: + - owasp-top-10 - boost-baseline - ALL - checkmarx-misra-cpp @@ -16322,6 +16506,7 @@ rules: categories: - boost-baseline - ALL + - owasp-top-10 - checkmarx-misra-cpp description: Code segments are found to be commented out, potentially causing confusion and violating MISRA-C++ rule 2.7.2, which recommends against this @@ -16335,6 +16520,7 @@ rules: categories: - boost-baseline - ALL + - owasp-top-10 - checkmarx-misra-cpp description: Identifies sections of C++ code that have been commented out, which may indicate outdated or erroneous code segments that can lead to confusion 
@@ -16348,6 +16534,7 @@ rules: categories: - boost-baseline - ALL + - owasp-top-10 - checkmarx-misra-cpp description: An identifier in a localized scope hides an identifier in an outer scope, which could cause confusion and unexpected outcomes as per the MISRA @@ -16361,6 +16548,7 @@ rules: categories: - boost-baseline - ALL + - owasp-top-10 - checkmarx-misra-cpp description: The same name is reused for different 'typedef' declarations, violating rule 2.10.3 of MISRA C++, which recommends unique identifiers for independent @@ -16374,6 +16562,7 @@ rules: categories: - boost-baseline - ALL + - owasp-top-10 - checkmarx-misra-cpp description: Names of class types, enumeration types, and union types should be unique, ensuring clarity and reducing potential ambiguity or misunderstanding @@ -16385,6 +16574,7 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_CPP_R02_10_05_Non_Member_Static_Name_Reuse: categories: + - owasp-top-10 - boost-baseline - ALL - checkmarx-misra-cpp @@ -16400,6 +16590,7 @@ rules: categories: - boost-baseline - ALL + - owasp-top-10 - checkmarx-misra-cpp description: In violation of MISRA C++:2008 rule 2-13-1, text strings and characters contain escape sequences that are not defined in the ISO C++ standard. This @@ -16413,6 +16604,7 @@ rules: categories: - boost-baseline - ALL + - owasp-top-10 - checkmarx-misra-cpp description: In C++ code, a non-zero octal constant has been used, which is a violation of MISRA C++ Rule 2.13.2, that suggests not using such constants to @@ -16426,6 +16618,7 @@ rules: categories: - boost-baseline - ALL + - owasp-top-10 - checkmarx-misra-cpp description: Unsigned hexadecimal or octal constants lack a 'U' suffix, which can lead to data loss if the constant's value exceeds the range of its type. 
@@ -16437,6 +16630,7 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_CPP_R02_13_04_Literal_Suffix_Uppercase: categories: + - owasp-top-10 - boost-baseline - ALL - checkmarx-misra-cpp @@ -16450,6 +16644,7 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_CPP_R03_01_03_Find_Arrays_Without_Size: categories: + - owasp-top-10 - boost-baseline - ALL - checkmarx-misra-cpp @@ -16465,6 +16660,7 @@ rules: categories: - boost-baseline - ALL + - owasp-top-10 - checkmarx-misra-cpp description: Functionally declared and defined in different files must have matching parameter lists and return types to promote consistency and prevent potential @@ -16478,6 +16674,7 @@ rules: categories: - boost-baseline - ALL + - owasp-top-10 - checkmarx-misra-cpp description: An object definition occurs outside its minimal necessary scope in reference to Rule MISRA C++:2008, 3-4-1, breaching the principle of limiting @@ -16491,6 +16688,7 @@ rules: categories: - boost-baseline - ALL + - owasp-top-10 - checkmarx-misra-cpp description: Non-typedef'd basic types are used in the code, violating MISRA C++ Rule 3-9-2, which requires a typedef to be used instead. This might lead to @@ -16504,6 +16702,7 @@ rules: categories: - boost-baseline - ALL + - owasp-top-10 - checkmarx-misra-cpp description: 'The rule identifies violations of MISRA C++: 2008 Rule 4-10-1, which warns against using NULL as an integer value, preventing possible data corruption @@ -16517,6 +16716,7 @@ rules: categories: - boost-baseline - ALL + - owasp-top-10 - checkmarx-misra-cpp description: A literal zero is used instead of the null pointer constant in C++ code, violating rule R04.10.02 of the Motor Industry Reliability Association's 
@@ -16531,6 +16731,7 @@ rules: categories: - boost-baseline - ALL + - owasp-top-10 - checkmarx-misra-cpp description: An explicit conversion of an expression from a floating-point type to an integer type occurs in a manner that is inconsistent with the MISRA C++ @@ -16545,6 +16746,7 @@ rules: categories: - boost-baseline - ALL + - owasp-top-10 - checkmarx-misra-cpp description: A bitwise operator is applied to an unsigned char or short type, violating MISRA C++ Rule 5.0.10, which could lead to unintended data manipulation @@ -16558,6 +16760,7 @@ rules: categories: - boost-baseline - ALL + - owasp-top-10 - checkmarx-misra-cpp description: The use of plain 'char' type is detected in the code. According to MISRA C++ Rule 05-0-11, 'char' should be avoided due to its undefined signedness, @@ -16572,6 +16775,7 @@ rules: categories: - boost-baseline - ALL + - owasp-top-10 - checkmarx-misra-cpp description: The rule targets the code where plain "char" type is used, which is a violation of MISRA C++ Rule 5-0-12 that mandates use of explicit "signed" @@ -16585,6 +16789,7 @@ rules: categories: - boost-baseline - ALL + - owasp-top-10 - checkmarx-misra-cpp description: Bitwise operators are applied on a signed integer data type, violating the MISRA C++:2008 Rule 5-0-21, which could cause unexpected results due to @@ -16598,6 +16803,7 @@ rules: categories: - boost-baseline - ALL + - owasp-top-10 - checkmarx-misra-cpp description: Logical AND (&&) and OR (||) operations use operands other than postfix expressions, violating Rule 05-2-1 of the Motor Industry Software Reliability @@ -16611,6 +16817,7 @@ rules: categories: - boost-baseline - ALL + - owasp-top-10 - checkmarx-misra-cpp description: The rule identifies usage of incremental and decremental operators (++ and --) within C++ expressions, which may lead to unpredictable program 
@@ -16622,6 +16829,7 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_CPP_R05_02_11_Find_Special_Operator_Overloads: categories: + - owasp-top-10 - boost-baseline - ALL - checkmarx-misra-cpp @@ -16638,6 +16846,7 @@ rules: categories: - boost-baseline - ALL + - owasp-top-10 - checkmarx-misra-cpp description: The unary minus operator is applied to an unsigned type, a violation of rule 05-03-02 of the Motor Industry Software Reliability Association (MISRA) @@ -16650,6 +16859,7 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_CPP_R05_03_03_Overloading_Reference_Oper: categories: + - owasp-top-10 - boost-baseline - ALL - checkmarx-misra-cpp @@ -16665,6 +16875,7 @@ rules: categories: - boost-baseline - ALL + - owasp-top-10 - checkmarx-misra-cpp description: Indicates the usage of the comma operator outside of a for loop or in any scenario where a function-call sequence cannot be guaranteed, violating @@ -16676,6 +16887,7 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_CPP_R06_02_01_Assignment_in_Sub_Expr: categories: + - owasp-top-10 - boost-baseline - ALL - checkmarx-misra-cpp @@ -16689,6 +16901,7 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_CPP_R06_02_02_FloatingPt_Equality_Inequality_Testing: categories: + - owasp-top-10 - boost-baseline - ALL - checkmarx-misra-cpp @@ -16706,6 +16919,7 @@ rules: categories: - boost-baseline - ALL + - owasp-top-10 - checkmarx-misra-cpp description: A switch or iteration statement body that's not a compound statement is present in the code, contradicting MISRA C++ Rule 6-3-1 and potentially leading 
@@ -16719,6 +16933,7 @@ rules: categories: - boost-baseline - ALL + - owasp-top-10 - checkmarx-misra-cpp description: The body of an 'if' or an 'else' statement is not a compound statement. This can lead to visibility and maintenance issues as per MISRA C++:2008 Rule @@ -16732,6 +16947,7 @@ rules: categories: - boost-baseline - ALL + - owasp-top-10 - checkmarx-misra-cpp description: An 'if else' and 'else if' statement chain does not end with an 'else' statement, violating MISRA C++ rule 06-04-02, which can lead to unexpected results @@ -16745,6 +16961,7 @@ rules: categories: - boost-baseline - ALL + - owasp-top-10 - checkmarx-misra-cpp description: A 'case' label in a 'switch' statement is not enclosed by braces ({ }), which is a violation of MISRA C++ Rule 6-4-4 and can lead to unintended @@ -16758,6 +16975,7 @@ rules: categories: - boost-baseline - ALL + - owasp-top-10 - checkmarx-misra-cpp description: Non-empty switch cases in C++ code that lack a terminating break or throw statement, violating MISRA C++ Rule 6-4-5 and potentially causing unintended @@ -16771,6 +16989,7 @@ rules: categories: - boost-baseline - ALL + - owasp-top-10 - checkmarx-misra-cpp description: The rule identifies when the switch control structure does not end with a default label as the last clause, violating MISRA C++ Rule 6-4-6, which @@ -16782,6 +17001,7 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_CPP_R06_04_07_Find_Switch_Condition_Bool: categories: + - owasp-top-10 - boost-baseline - ALL - checkmarx-misra-cpp @@ -16796,6 +17016,7 @@ rules: categories: - boost-baseline - ALL + - owasp-top-10 - checkmarx-misra-cpp description: A non-floating literal constant should hold a single character and no more, as dictated by MISRA C++ Rule 06-05-01. This helps avoid ambiguity 
@@ -16807,6 +17028,7 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_CPP_R06_05_02_Loop_Counter_Modify: categories: + - owasp-top-10 - boost-baseline - ALL - checkmarx-misra-cpp @@ -16820,6 +17042,7 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_CPP_R06_05_03_Change_Lc_In_St_And_Cond: categories: + - owasp-top-10 - boost-baseline - ALL - checkmarx-misra-cpp @@ -16833,6 +17056,7 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_CPP_R06_05_04_Incremental_Modified: categories: + - owasp-top-10 - boost-baseline - ALL - checkmarx-misra-cpp @@ -16847,6 +17071,7 @@ rules: CPP_MISRA_CPP_R06_05_05_Lcv_Change_In_For_Stmt: categories: - boost-baseline + - owasp-top-10 - ALL - checkmarx-misra-cpp description: Loop counter variables are modified in the body of a 'for' loop, @@ -16859,6 +17084,7 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_CPP_R06_05_06_Bool_Lcv_Change: categories: + - owasp-top-10 - boost-baseline - ALL - checkmarx-misra-cpp @@ -16873,6 +17099,7 @@ rules: categories: - boost-baseline - ALL + - owasp-top-10 - checkmarx-misra-cpp description: The rule identifies instances where 'goto' statements are used to jump back in a C++ program, which is a violation of MISRA guideline 6-6-2 and @@ -16884,6 +17111,7 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_CPP_R06_06_03_Continue_In_Legal_For: categories: + - owasp-top-10 - boost-baseline - ALL - checkmarx-misra-cpp @@ -16899,6 +17127,7 @@ rules: categories: - boost-baseline - ALL + - owasp-top-10 - checkmarx-misra-cpp description: Each iteration statement (for, while, do) must only contain at most one 'break' or 'goto' statement to ensure code readability and avoid logical 
@@ -16912,6 +17141,7 @@ rules: categories: - boost-baseline - ALL + - owasp-top-10 - checkmarx-misra-cpp description: Checks for C++ functions not adhering to the MISRA-CPP:2008 compliance statement Rule 6-6-5, which stipulates that a function must only have a single @@ -16924,6 +17154,7 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_CPP_R07_01_01_Declare_Const_if_not_Modified: categories: + - owasp-top-10 - boost-baseline - ALL - checkmarx-misra-cpp @@ -16937,6 +17168,7 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_CPP_R07_01_02_Declare_Ref_Const_if_not_Modified: categories: + - owasp-top-10 - boost-baseline - ALL - checkmarx-misra-cpp @@ -16950,6 +17182,7 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_CPP_R07_03_01_Definitions_in_Global_Namespace: categories: + - owasp-top-10 - boost-baseline - ALL - checkmarx-misra-cpp @@ -16964,6 +17197,7 @@ rules: CPP_MISRA_CPP_R07_03_02_Find_non_Global_Mains: categories: - boost-baseline + - owasp-top-10 - ALL - checkmarx-misra-cpp description: Identifies non-global main functions in C++ codebase, violating MISRA @@ -16975,6 +17209,7 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_CPP_R07_03_03_Unnamed_NS_in_Headers: categories: + - owasp-top-10 - boost-baseline - ALL - checkmarx-misra-cpp @@ -16988,6 +17223,7 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_CPP_R07_03_04_Find_Using_Directives: categories: + - owasp-top-10 - boost-baseline - ALL - checkmarx-misra-cpp @@ -17000,6 +17236,7 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_CPP_R07_03_05_Multiple_Declarations_After_Using: categories: + - owasp-top-10 - boost-baseline - ALL - checkmarx-misra-cpp 
@@ -17013,6 +17250,7 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_CPP_R07_03_06_Find_Using_in_Headers: categories: + - owasp-top-10 - boost-baseline - ALL - checkmarx-misra-cpp @@ -17026,6 +17264,7 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_CPP_R07_05_02_Address_Assignment_out_of_Scope: categories: + - owasp-top-10 - boost-baseline - ALL - checkmarx-misra-cpp @@ -17040,6 +17279,7 @@ rules: CPP_MISRA_CPP_R07_05_03_Return_Parameter_Passed_by_Ref: categories: - ALL + - owasp-top-10 - boost-baseline - checkmarx-misra-cpp description: There is a return-value parameter passed by nonconst reference, violating @@ -17054,6 +17294,7 @@ rules: categories: - boost-baseline - ALL + - owasp-top-10 - checkmarx-misra-cpp description: In C++, functions or recursive algorithms are present, violating rule 7.5.4 of MISRA (Motor Industry Software Reliability Association) C++ standards, @@ -17065,6 +17306,7 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_CPP_R08_00_01_Find_Multiple_Declarators: categories: + - owasp-top-10 - boost-baseline - ALL - checkmarx-misra-cpp @@ -17080,6 +17322,7 @@ rules: categories: - boost-baseline - ALL + - owasp-top-10 - checkmarx-misra-cpp description: A function in C++ code takes a variable number of arguments, violating MISRA C++:2008 Rule 8-4-1, which can introduce indeterminacy and make code less @@ -17093,6 +17336,7 @@ rules: categories: - boost-baseline - ALL + - owasp-top-10 - checkmarx-misra-cpp description: If a function has multiple exit points, none of them should be an explicit call to 'throw' or 'return' within a 'try' block or a function-try-block, @@ -17104,6 +17348,7 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_CPP_R08_05_01_Uninitialized_Variable_Use: categories: + - owasp-top-10 - boost-baseline - ALL - checkmarx-misra-cpp 
@@ -17118,6 +17363,7 @@ rules: categories: - boost-baseline - ALL + - owasp-top-10 - checkmarx-misra-cpp description: Union data types are in violation of rule 9-5-1 of the MISRA-CPP guidelines, as they can lead to unpredictable behavior due to the overlapping @@ -17131,6 +17377,7 @@ rules: categories: - boost-baseline - ALL + - owasp-top-10 - checkmarx-misra-cpp description: A violation of the MISRA C++:2008 Rule 9-6-2 occurs when a bit field is declared with a type different from bool, signed int, or unsigned int, leading @@ -17144,6 +17391,7 @@ rules: categories: - boost-baseline - ALL + - owasp-top-10 - checkmarx-misra-cpp description: Enums are used as bit-fields in this code, which is a violation of MISRA C++ Rule 9-6-3. Enumerations should not be used in this manner as it may @@ -17157,6 +17405,7 @@ rules: categories: - boost-baseline - ALL + - owasp-top-10 - checkmarx-misra-cpp description: A violation of the MISRA C++ 2008 Rule 9-6-4 occurs when a bit field of an integer type has a length that exceeds the number of bits in the width @@ -17168,6 +17417,7 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_CPP_R10_01_01_Find_Virtual_Base_Classes: categories: + - owasp-top-10 - boost-baseline - ALL - checkmarx-misra-cpp @@ -17181,6 +17431,7 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_CPP_R10_03_02_Find_Override_Without_Virtual: categories: + - owasp-top-10 - boost-baseline - ALL - checkmarx-misra-cpp @@ -17194,6 +17445,7 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_CPP_R10_03_03_Redeclare_Function_as_Pure: categories: + - owasp-top-10 - boost-baseline - ALL - checkmarx-misra-cpp 
@@ -17207,6 +17459,7 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_CPP_R12_01_03_Find_non_Explicit_Constructor: categories: + - owasp-top-10 - boost-baseline - ALL - checkmarx-misra-cpp @@ -17219,6 +17472,7 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_CPP_R15_00_02_Throw_Pointers: categories: + - owasp-top-10 - boost-baseline - ALL - checkmarx-misra-cpp @@ -17231,6 +17485,7 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_CPP_R15_00_03_Goto_Label_Inside_TryCatch: categories: + - owasp-top-10 - boost-baseline - ALL - checkmarx-misra-cpp @@ -17244,6 +17499,7 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_CPP_R15_01_02_No_Explicit_Null_Throw: categories: + - owasp-top-10 - boost-baseline - ALL - checkmarx-misra-cpp @@ -17256,6 +17512,7 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_CPP_R15_01_03_Empty_Throw_Outside_Catch: categories: + - owasp-top-10 - boost-baseline - ALL - checkmarx-misra-cpp @@ -17269,6 +17526,7 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_CPP_R15_03_02_Catch_All_In_Main: categories: + - owasp-top-10 - boost-baseline - ALL - checkmarx-misra-cpp @@ -17283,6 +17541,7 @@ rules: CPP_MISRA_CPP_R15_03_03_Accessing_Non_Static_Mem_In_Ctr_Dtr: categories: - ALL + - owasp-top-10 - boost-baseline - checkmarx-misra-cpp description: The constructors and destructors of a class are accessing non-static @@ -17295,6 +17554,7 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_CPP_R15_03_07_Catch_All_Final: categories: + - owasp-top-10 - boost-baseline - ALL - checkmarx-misra-cpp 
@@ -17311,6 +17571,7 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_CPP_R15_05_01_Statements_Outside_TryCatch_Dtr: categories: + - owasp-top-10 - boost-baseline - ALL - checkmarx-misra-cpp @@ -17324,6 +17585,7 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_CPP_R16_00_02_Define_Only_in_Global_Namespace: categories: + - owasp-top-10 - boost-baseline - ALL - checkmarx-misra-cpp @@ -17339,6 +17601,7 @@ rules: categories: - boost-baseline - ALL + - owasp-top-10 - checkmarx-misra-cpp description: There's an usage of the '#undef' directive, violating MISRA C++ Rule 16-0-3, which states to avoid such directives to prevent potential issues with @@ -17350,6 +17613,7 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_CPP_R16_00_04_Function_Like_Macros_Shall_Not_Be_Defined: categories: + - owasp-top-10 - boost-baseline - ALL - checkmarx-misra-cpp @@ -17362,6 +17626,7 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_CPP_R16_00_05_No_Tokens_In_Func_Like_Macro: categories: + - owasp-top-10 - boost-baseline - ALL - checkmarx-misra-cpp @@ -17374,6 +17639,7 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_CPP_R16_00_07_Undefined_Macro_Identifiers: categories: + - owasp-top-10 - boost-baseline - ALL - checkmarx-misra-cpp @@ -17387,6 +17653,7 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_CPP_R16_00_08_Sharp_Before_Preprocessing_Token: categories: + - owasp-top-10 - boost-baseline - ALL - checkmarx-misra-cpp @@ -17400,6 +17667,7 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CPP_MISRA_CPP_R16_01_01_Defined_Standart_Forms: categories: + - owasp-top-10 - boost-baseline - ALL - checkmarx-misra-cpp 
@@ -17414,6 +17682,7 @@ rules: categories: - boost-baseline - ALL + - owasp-top-10 - checkmarx-misra-cpp description: Preprocessor `#if` and corresponding `#else` or `#elif` operators are split between separate source files, violating MISRA C++ Rule 16-1-2 and @@ -17428,6 +17697,7 @@ rules: categories: - boost-baseline - ALL + - owasp-top-10 - checkmarx-misra-cpp description: C++ code violates the MISRA C++:2008 Rule 16-2-6, where the format of an '#include' directive does not adhere to the proper format, resulting in @@ -17441,6 +17711,7 @@ rules: categories: - boost-baseline - ALL + - owasp-top-10 - checkmarx-misra-cpp description: The '#' (pound) preprocessor operator is employed in the code, violating MISRA C++ Rule 16-3-2 which prohibits the use of this operator to prevent potential @@ -17454,6 +17725,7 @@ rules: categories: - boost-baseline - ALL + - owasp-top-10 - checkmarx-misra-cpp description: The C++ Standard Library functions are redefined or undefined, breaking compliance with MISRA C++ Rule 17-0-1 and potentially causing unpredictable @@ -17467,6 +17739,7 @@ rules: categories: - boost-baseline - ALL + - owasp-top-10 - checkmarx-misra-cpp description: In C++ code, macro identifiers from Standard Library are reused, violating MISRA C++ Rule 17-0-2, potentially causing naming conflicts and unpredictable @@ -17480,6 +17753,7 @@ rules: categories: - boost-baseline - ALL + - owasp-top-10 - checkmarx-misra-cpp description: Indicates the redefinition or override of a standard library function, which breaches Rule 17-0-3 of the Motor Industry Software Reliability Association @@ -17494,6 +17768,7 @@ rules: categories: - boost-baseline - ALL + - owasp-top-10 - checkmarx-misra-cpp description: The C-time function from the C Standard Library is used, violating MISRA C++ Rule 18-0-4, which recommends the use of C++ date/time abstraction 
@@ -17507,6 +17782,7 @@ rules: categories: - boost-baseline - ALL + - owasp-top-10 - checkmarx-misra-cpp description: The rule targets the use of unbounded functions from the CString library in C++ programming, as they can introduce potential buffer overflow @@ -17520,6 +17796,7 @@ rules: categories: - boost-baseline - ALL + - owasp-top-10 - checkmarx-misra-cpp description: Dynamic heap memory allocation functions such as malloc(), realloc(), calloc(), and free() are used in the code, violating MISRA C++ Rule 18-4-1. @@ -17533,6 +17810,7 @@ rules: categories: - boost-baseline - ALL + - owasp-top-10 - checkmarx-misra-cpp description: The C standard library function 'signal' is employed in a C++ context. This usage violates rule 18-0-1 of the MISRA C++ guidelines, which advocates @@ -17547,6 +17825,7 @@ rules: - boost-baseline - ALL - checkmarx-misrac + - owasp-top-10 description: In compliance with MISRA C 2012 Rule 1.4, emergent features in C++ should not be utilized, as these may lead to unpredictable program behavior, lesser portability, and/or increased vulnerability to security breaches. @@ -17560,6 +17839,7 @@ rules: - boost-baseline - ALL - checkmarx-misrac + - owasp-top-10 description: Any unused, superfluous, or unreachable code within a C++ program, a violation of MISRA C:2012 Rule 2.x directive, which could compromise the reliability and maintainability of the code. @@ -17573,6 +17853,7 @@ rules: - boost-baseline - ALL - checkmarx-misrac + - owasp-top-10 description: C++ comments that do not comply with the 'R03_X' rule from the MISRA C 2012 guidelines are detected. This includes cases where C-style comments (/*...*/), are used rather than the recommended C++ comments (//...), potentially obscuring 
@@ -17587,6 +17868,7 @@ rules: - boost-baseline - ALL - checkmarx-misrac + - owasp-top-10 description: Only standard ASCII characters and escape sequences should be used in character and string literals, as per the MISRA C 2012 guideline R04.X, in order to ensure portability and avoid reliance on specific character set encoding. @@ -17600,6 +17882,7 @@ rules: - boost-baseline - ALL - checkmarx-misrac + - owasp-top-10 description: Identifiers which should comply with specific naming conventions as stated in MISRA C 2012 Rule 5.x are not adhering to those conventions, leading to possibly unclear code. @@ -17613,6 +17896,7 @@ rules: - boost-baseline - ALL - checkmarx-misrac + - owasp-top-10 description: Bits in non-integral bit fields are accessed, violating the MISRA C 2012 rule 6.x, which states that bit-fields should only be defined to be of type unsigned int or signed int. @@ -17626,6 +17910,7 @@ rules: - boost-baseline - ALL - checkmarx-misrac + - owasp-top-10 description: Octal constants are prohibited as per MISRA C 2012 Rule 07.01 to avoid confusion with decimal values in C++ code. group: top10-insecure-design @@ -17638,6 +17923,7 @@ rules: - boost-baseline - ALL - checkmarx-misrac + - owasp-top-10 description: Unsigned integer constants should be suffixed with "U" or "u" to ensure clear representation of their unsigned nature, avoiding possible misinterpretation and inappropriate type casting. @@ -17652,6 +17938,7 @@ rules: - boost-baseline - ALL - checkmarx-misrac + - owasp-top-10 description: In a constant suffix, the lowercase letter 'l' shall not be used due to its potential for confusion with the numeral '1', violating MISRA C:2012 Rule 07.03. @@ -17665,6 +17952,7 @@ rules: - boost-baseline - ALL - checkmarx-misrac + - owasp-top-10 description: String literals are assigned to a pointer to non-const char, violating MISRA C 2012 Rule 07.04. This may inadvertently alter string literals, causing unexpected behavior or bugs. 
@@ -17679,6 +17967,7 @@ rules: - boost-baseline - ALL - checkmarx-misrac + - owasp-top-10 description: Identifies C++ function prototypes that do not name the parameters, violating MISRA C++ 2012 Rule 8.2, which stipulates that all parameters in function prototypes should be named to indicate their usage. @@ -17692,6 +17981,7 @@ rules: - boost-baseline - ALL - checkmarx-misrac + - owasp-top-10 description: Two or more functions have been given identical names, a violation of MISRA C 2012 Rule 08.03, potentially creating ambiguity and misleading the compiler. @@ -17705,6 +17995,7 @@ rules: - boost-baseline - ALL - checkmarx-misrac + - owasp-top-10 description: When a function or an object is used, its compatible declaration must be visible in its scope, adhering to Rule 08.04 of MISRA C 2012 to ensure type safety. @@ -17718,6 +18009,7 @@ rules: - boost-baseline - ALL - checkmarx-misrac + - owasp-top-10 description: External objects in C++ code should be declared only once to comply with the MISRA C 2012 R08.05 rule, avoiding any confusion or errors due to multiple declarations. @@ -17731,6 +18023,7 @@ rules: - boost-baseline - ALL - checkmarx-misrac + - owasp-top-10 description: Ensures that each identifier with external linkage is associated with exactly one definition within the entire program, in accordance with Rule 8.6 of MISRA C 2012 guidelines. @@ -17744,6 +18037,7 @@ rules: - boost-baseline - ALL - checkmarx-misrac + - owasp-top-10 description: Functions and objects are defined as 'extern' while being referenced only in a single file, violating MISRA C:2012 Rule 08.07, which can lead to potential linkage and maintainability issues. @@ -17758,6 +18052,7 @@ rules: - boost-baseline - ALL - checkmarx-misrac + - owasp-top-10 description: All internal linkage declarations must use the 'static' keyword in accordance with the MISRA C 2012 Rule 08.08 to prevent potential linkage and name collision issues. 
@@ -17772,6 +18067,7 @@ rules: - boost-baseline - ALL - checkmarx-misrac + - owasp-top-10 description: Ensures that identifiers in C++ are defined at the smallest block scope possible, conforming to MISRA C 2012 Rule 08.09 which aims to improve code readability and maintainability. @@ -17785,6 +18081,7 @@ rules: - boost-baseline - ALL - checkmarx-misrac + - owasp-top-10 description: An inline function in C++ doesn't have 'static' declaration, violating rule 8.10 of MISRA C 2012 standards, leading to potential clashes in function names and unpredictable behavior. @@ -17798,6 +18095,7 @@ rules: - boost-baseline - ALL - checkmarx-misrac + - owasp-top-10 description: External array declarations must include a defined size to ensure compliance with MISRA C 2012 Rule 08.11 and avoid potential runtime issues. group: top10-insecure-design @@ -17810,6 +18108,7 @@ rules: - boost-baseline - ALL - checkmarx-misrac + - owasp-top-10 description: Enumerated constant values specified implicitly must be unique in compliance with MISRA C 2012 Rule 8.12, to ensure clear differentiation between enumeration items. @@ -17824,6 +18123,7 @@ rules: - boost-baseline - ALL - checkmarx-misrac + - owasp-top-10 description: A pointer does not point to 'const', breaking the MISRA C 2012 Rule 8.13 guideline, which can lead to unforeseen side effects or code vulnerabilities due to accidental modification of data. @@ -17837,6 +18137,7 @@ rules: - boost-baseline - ALL - checkmarx-misrac + - owasp-top-10 description: The rule R08.14 in the MISRA C 2012 guidelines, precisely checks if the restrict type qualifier does not refer to an object with static storage duration or a function parameter declared as array or function type in the C++ 
@@ -17851,6 +18152,7 @@ rules: - boost-baseline - ALL - checkmarx-misrac + - owasp-top-10 description: A variable's value is being overwritten without prior usage, violating the MISRA C:2012 Rule 9.1 which states that every value, which is read, must be set explicitly beforehand. @@ -17864,6 +18166,7 @@ rules: - boost-baseline - ALL - checkmarx-misrac + - owasp-top-10 description: Array initializers must not contain more initializers than the dimension of the array, and the provided initializer must be compatible with the declared type to meet MISRA C 2012 Rules 09.02 and 09.03. Violations may result in unexpected @@ -17878,6 +18181,7 @@ rules: - boost-baseline - ALL - checkmarx-misrac + - owasp-top-10 description: Operands within an expression are of an inappropriate essential type, violating the MISRA C 2012 Rule 10.1, which aims to ensure correct and safe usage of operands in C++ code. @@ -17892,6 +18196,7 @@ rules: - boost-baseline - ALL - checkmarx-misrac + - owasp-top-10 description: Character types should not be used inappropriately in arithmetic operations to avoid unexpected results due to implicit type conversion, adhering to the MISRA C 2012 Rule 10.2. @@ -17906,6 +18211,7 @@ rules: - boost-baseline - ALL - checkmarx-misrac + - owasp-top-10 description: An expression's value is assigned to a data type with inappropriate essential type, contradicting MISRA C 2012 Rule 10.3, which can lead to unexpected behavior due to data loss or incorrect value interpretation. @@ -17920,6 +18226,7 @@ rules: - boost-baseline - ALL - checkmarx-misrac + - owasp-top-10 description: Binary operators that operate on a basic type should have operands of the same type, as required by MISRA C 2012 Rule 10.4, to ensure type consistency and prevent unexpected behavior during execution. 
@@ -17933,6 +18240,7 @@ rules: - boost-baseline - ALL - checkmarx-misrac + - owasp-top-10 description: A violation occurs when the value of an expression is cast to an inappropriate essential type according to the MISRA C 2012 standard rule R10.05, thereby increasing the risk of incorrect program behavior. @@ -17947,6 +18255,7 @@ rules: - boost-baseline - ALL - checkmarx-misrac + - owasp-top-10 description: Verifies that C++ code adheres to MISRA C 2012 rules 10.6, 10.7, and 10.8, ensuring type consistency of composite expressions to prevent integer overflows and underflows. @@ -17960,6 +18269,7 @@ rules: - boost-baseline - ALL - checkmarx-misrac + - owasp-top-10 description: R11.x Pointer Type Conversions detects violations of MISRA C 2012 Rule 11.x, which prohibits conversions between pointer types that may lead to an incompatible or unexpected type interpretation, possibly causing code behavior @@ -17974,6 +18284,7 @@ rules: - boost-baseline - ALL - checkmarx-misrac + - owasp-top-10 description: An issue with operator precedence in a C++ code line occurs when one expression consists of intertwined operators without the use of parentheses for explicit precedence, resulting in possible ambiguity or unexpected outcomes @@ -17988,6 +18299,7 @@ rules: - boost-baseline - ALL - checkmarx-misrac + - owasp-top-10 description: The right-hand operand of a shift operator in C++ code exceeds the width in bits of the essential type of the left-hand operand, violating the MISRA C++ 2012 Rule 12.02, which can lead to unpredictable values or data loss. @@ -18001,6 +18313,7 @@ rules: - boost-baseline - ALL - checkmarx-misrac + - owasp-top-10 description: Prohibits the use of the comma operator, except in functions and arrays, as stated in rule R12.03 of the MISRA C 2012 guidelines to prevent ambiguous or unexpected results in C++ programming. 
@@ -18014,6 +18327,7 @@ rules: - boost-baseline - ALL - checkmarx-misrac + - owasp-top-10 description: Unsigned integer values are used in such a way that could result in wrap-around, violating the MISRA C 2012 guideline R12.04 for reliable and secure coding. @@ -18027,6 +18341,7 @@ rules: - boost-baseline - ALL - checkmarx-misrac + - owasp-top-10 description: The 'sizeof' operator is used with an operand that is not an array of type, in violation of MISRA C 2012 Rule 12.5. This may result in unintended calculation of object memory size. @@ -18040,6 +18355,7 @@ rules: - boost-baseline - ALL - checkmarx-misrac + - owasp-top-10 description: Side effects in an expression are not sequenced properly, resulting in unreliable operation under the MISRA C++:2008 Rule 13.x. This could lead to undefined or unpredictable behaviors. @@ -18053,6 +18369,7 @@ rules: - boost-baseline - ALL - checkmarx-misrac + - owasp-top-10 description: Control mechanisms in C++ programming, such as if-else and switch-case statements, contain expressions that do not resolve to Boolean values as per MISRA C 2012, Rule 14.x, increasing the chance of unintended program behavior. @@ -18066,6 +18383,7 @@ rules: - boost-baseline - ALL - checkmarx-misrac + - owasp-top-10 description: Enforces MISRA C:2012 rules 15.1 to 15.3, which together prohibit usage of 'goto' statements for branch and iteration control, limiting its role for error handling in C++. @@ -18079,6 +18397,7 @@ rules: - boost-baseline - ALL - checkmarx-misrac + - owasp-top-10 description: Iteration statements must have at most one break statement exiting the loop, per MISRA C 2012 Rule 15.4, thus enforcing a single point of exit for greater control flow clarity in C++ programming. @@ -18092,6 +18411,7 @@ rules: - boost-baseline - ALL - checkmarx-misrac + - owasp-top-10 description: Functions should have a single exit point at the end, ensuring program flow isn't disrupted and handling resources more efficiently, per MISRA C 2012 Rule 15.5. 
@@ -18105,6 +18425,7 @@ rules: - boost-baseline - ALL - checkmarx-misrac + - owasp-top-10 description: The body of an iteration statement, selection statement, or a `catch` clause in a function definition or at block scope isn't a compound statement, violating MISRA C 2012 Rule 15.06. This may result in unexpected logic flow, @@ -18119,6 +18440,7 @@ rules: - boost-baseline - ALL - checkmarx-misrac + - owasp-top-10 description: This rule checks if 'if-else if' construct in C++ code complies with MISRA C 2012 Rule 15.07, which states that the construct must end with an 'else' clause to avoid unintended behavior. @@ -18132,6 +18454,7 @@ rules: - boost-baseline - ALL - checkmarx-misrac + - owasp-top-10 description: Switch-case constructs in C/C++ code are not adhering to MISRA 2012 Rule 16.X, which requires a default label to end all switch statements to avoid potential issues if none of the case matches. @@ -18145,6 +18468,7 @@ rules: - boost-baseline - ALL - checkmarx-misrac + - owasp-top-10 description: The standard header is used within the code, violating Rule 17.1 of MISRA C 2012, which prohibits the use of variable argument functions. group: top10-insecure-design @@ -18157,6 +18481,7 @@ rules: - boost-baseline - ALL - checkmarx-misrac + - owasp-top-10 description: The code violates Rule 17.2 of MISRA C 2012 standard as it contains recursion, either direct or indirect, which might lead to unpredictable program behavior. @@ -18170,6 +18495,7 @@ rules: - boost-baseline - ALL - checkmarx-misrac + - owasp-top-10 description: "The program uses a function that has been declared implicitly, violating\ \ the MISRA C 2012 Rule 17.03\u2014increasing potential for undeclared or mistyped\ \ function names to cause malfunction or behave unpredictably." 
@@ -18183,6 +18509,7 @@ rules: - boost-baseline - ALL - checkmarx-misrac + - owasp-top-10 description: Every non-void function must have a return statement with an expression, ensuring that a return value is specified, conforming to MISRA C 2012 Rule 17.4. group: top10-insecure-design @@ -18195,6 +18522,7 @@ rules: - boost-baseline - ALL - checkmarx-misrac + - owasp-top-10 description: Enforces MISRA C 2012 directives 17.05 and 17.06 to ensure that a function does not take an array as a parameter, but rather a pointer to its first element, safeguarding critical memory portions used by the array. @@ -18208,6 +18536,7 @@ rules: - boost-baseline - ALL - checkmarx-misrac + - owasp-top-10 description: In compliance with MISRA C 2012 Rule 17.07, the value returned by a function with a non-void return type must be utilized, preventing potential logical errors or inconsistencies. @@ -18221,6 +18550,7 @@ rules: - boost-baseline - ALL - checkmarx-misrac + - owasp-top-10 description: Function parameters in the C++ language are altered or modified, which violates rule 17.08 of MISRA C 2012, potentially leading to unpredictable program behavior. @@ -18234,6 +18564,7 @@ rules: - boost-baseline - ALL - checkmarx-misrac + - owasp-top-10 description: Misuse of pointer arithmetic tends to violate rule 18.4 of MISRA C 2012, suggesting that subtraction or addition operators should not be applied to pointer values, which could lead to overflow and underflow memory bugs. @@ -18247,6 +18578,7 @@ rules: - boost-baseline - ALL - checkmarx-misrac + - owasp-top-10 description: Declarations of pointer types used in nesting do not exceed two levels, adhering to the MISRA C 2012 Rule 18.5, to prevent complexities in interpreting sequences of indirections. 
@@ -18260,6 +18592,7 @@ rules: - boost-baseline - ALL - checkmarx-misrac + - owasp-top-10 description: The rule ensures that the addresses of objects with automatic storage duration are not copied to other objects, as per MISRA C 2012 Rule 18.06. Doing so could lead to usage of an invalid address if the automatic storage has expired. @@ -18273,6 +18606,7 @@ rules: - boost-baseline - ALL - checkmarx-misrac + - owasp-top-10 description: Variable length arrays and flexible array members are prohibited, adhering to guidelines R18.07 and R18.08 from MISRA-C:2012 rules, thus ensuring predictability and reliability of the code. @@ -18286,6 +18620,7 @@ rules: - boost-baseline - ALL - checkmarx-misrac + - owasp-top-10 description: Identifies cases in C++ code where two pointers are used to simultaneously manipulate the same memory space, a violation of rule 19.x of the MISRA C 2012 standard, leading to potential undefined behavior or data integrity issues. @@ -18299,6 +18634,7 @@ rules: - boost-baseline - ALL - checkmarx-misrac + - owasp-top-10 description: When a '#include' directive is used in a file, it fails to respect the inclusion precedence outlined by MISRA C 2012 Rule 20.1, possibly disrupting the sequence of headers and leading to unpredictable results. @@ -18312,6 +18648,7 @@ rules: - boost-baseline - ALL - checkmarx-misrac + - owasp-top-10 description: Include file names must be a sequence of valid (ISO 646 Basic) source characters, excluding NUL, and do not contain a UCN encoding a character that can't appear in an ISO/IEC 646:1991 source file. This promotes code portability @@ -18326,6 +18663,7 @@ rules: - boost-baseline - ALL - checkmarx-misrac + - owasp-top-10 description: Violates MISRA C 2012 Rule 20.3, which stipulates that the '#include' directive must not use an angle-bracket form when including system library files and a double-quote form when including user-defined files. Non-compliance may 
@@ -18340,6 +18678,7 @@ rules: - boost-baseline - ALL - checkmarx-misrac + - owasp-top-10 description: Macro identifiers align with C++ language keyword names, which violates MISRA C 2012 Rule 20.04 and can lead to confusing or misleading code. group: top10-insecure-design @@ -18352,6 +18691,7 @@ rules: - boost-baseline - ALL - checkmarx-misrac + - owasp-top-10 description: The '#undef' directive is utilized in the code, violating Rule 20.5 of the MISRA C 2012 standard, which forbids the use of this directive in C programming to avoid inconsistencies in symbol definitions. @@ -18365,6 +18705,7 @@ rules: - boost-baseline - ALL - checkmarx-misrac + - owasp-top-10 description: The preprocessor concatenation operations do not comply with MISRA C 2012 Rules R20.10 to R20.12, implying a risk in misinterpretation of the combined tokens. @@ -18378,6 +18719,7 @@ rules: - boost-baseline - ALL - checkmarx-misrac + - owasp-top-10 description: 'Ensures compliance with MISRA C 2012 Rule 20.13: Every preprocessor directive in the code must be a valid and well-formed directive as per the standard. Invalid or ill-formed directives can cause undefined behavior or compilation @@ -18392,6 +18734,7 @@ rules: - boost-baseline - ALL - checkmarx-misrac + - owasp-top-10 description: An 'if' directive and an 'else' directive from a pair of conditional inclusion preprocessor directives are not part of the same file in C++, violating MISRA C 2012 Rule 20.14. This can cause inconsistent code behavior due to different @@ -18406,6 +18749,7 @@ rules: - boost-baseline - ALL - checkmarx-misrac + - owasp-top-10 description: Checks for the usage of C Standard Library functions not permissible under MISRA C:2012 rules 21.1 to 21.12, to guarantee safety, reliability, and portability. 
@@ -18419,6 +18763,7 @@ rules: - boost-baseline - ALL - checkmarx-misrac + - owasp-top-10 description: Checks for the use of C standard library types, as dictated by MISRA C:2012 Rules 21.13 to 21.20, which pose potential code safety and reliability hazards. @@ -18432,6 +18777,7 @@ rules: - boost-baseline - ALL - checkmarx-misrac + - owasp-top-10 description: 'Violates directive 4.13 of MISRA C 2012 guidelines: do not rely on undefined or unspecified behavior of any kind, including memory allocation routines, file handling, signals, and exceptions.' @@ -18445,6 +18791,7 @@ rules: - boost-baseline - ALL - checkmarx-misrac + - owasp-top-10 description: Enforces the use of "/* ... */" style for multi-line comments in C++ code instead of using a sequence of single line comments with "//", in accordance with the MISRA C++:2008 rule set (Rule 2-2-2). @@ -18458,6 +18805,7 @@ rules: - boost-baseline - ALL - checkmarx-misrac + - owasp-top-10 description: Detects the presence of nested comments in C++ code, a violation of MISRA C:2004 Rule 2.3, which may lead to misinterpretation and ambiguity during code analysis. @@ -18471,6 +18819,7 @@ rules: - boost-baseline - ALL - checkmarx-misrac + - owasp-top-10 description: Sections of code are commented out, violating Rule 02.04 of the MISRA C guidelines, which could indicate unfinished work or obsolete logic. group: top10-insecure-design @@ -18483,6 +18832,7 @@ rules: - boost-baseline - ALL - checkmarx-misrac + - owasp-top-10 description: Code contains '#pragma' directives that are not explained with adjacent comments, thereby violating MISRA C rule 03.04, which deems it necessary to provide explanations for each '#pragma' usage. @@ -18496,6 +18846,7 @@ rules: - boost-baseline - ALL - checkmarx-misrac + - owasp-top-10 description: Non-standard escape sequences are used in the program, violating rule R04.01 of the MISRA C guidelines, which requires all escape sequences to comply with the ISO 9899:1999 standard. 
@@ -18509,6 +18860,7 @@ rules: - boost-baseline - ALL - checkmarx-misrac + - owasp-top-10 description: Trigraph sequences are used in the code, violating the MISRA C Rule 04.02, which discourages their usage owing to possible confusion and misinterpretation. group: top10-insecure-design @@ -18521,6 +18873,7 @@ rules: - boost-baseline - ALL - checkmarx-misrac + - owasp-top-10 description: Identifier names in a C or C++ file exceed the recommended length specified by the MISRA-C coding standard, potentially leading to legibility and maintainability issues. @@ -18534,6 +18887,7 @@ rules: - boost-baseline - ALL - checkmarx-misrac + - owasp-top-10 description: Identifiers in an inner scope are used that hide identifiers in an outer scope, which may lead to confusion and errors, contradicting the MISRA C rule 05.02. @@ -18547,6 +18901,7 @@ rules: - boost-baseline - ALL - checkmarx-misrac + - owasp-top-10 description: The same name is used for different 'typedef' entities within the same codebase, violating MISRA C Rule 5.3, thus leading to potential code ambiguities. group: top10-insecure-design @@ -18559,6 +18914,7 @@ rules: - boost-baseline - ALL - checkmarx-misrac + - owasp-top-10 description: A tag name is being reused for different types within the same scope, violating the MISRA C Rule 05.04, and potentially leading to type confusion. group: top10-insecure-design @@ -18571,6 +18927,7 @@ rules: - boost-baseline - ALL - checkmarx-misrac + - owasp-top-10 description: An identifier with the static storage class specification appears more than once within the same scope, contravening rule 05.05 of the Motor Industry Software Reliability Association (MISRA) guidelines for C programming language. @@ -18584,6 +18941,7 @@ rules: - boost-baseline - ALL - checkmarx-misrac + - owasp-top-10 description: A single identifier name has been used for more than one entity within a scope, violating the MISRA C Rule 5.7 and leading to possible confusion and error. 
@@ -18597,6 +18955,7 @@ rules: - boost-baseline - ALL - checkmarx-misrac + - owasp-top-10 description: The use of 'plain char' type, which doesn't specify signedness, is not compliant with MISRA C Rule 6.1 and may lead to unexpected behavior in C++. This rule advises using 'signed char' or 'unsigned char' instead. @@ -18610,6 +18969,7 @@ rules: - boost-baseline - ALL - checkmarx-misrac + - owasp-top-10 description: Identifies instances in C++ code where plain 'char' type is used, in violation of MISRA C++ Rule 6-2-1 which recommends using 'signed' or 'unsigned' qualifiers for improved portability and predictability. @@ -18623,6 +18983,7 @@ rules: - boost-baseline - ALL - checkmarx-misrac + - owasp-top-10 description: Basic types in C++ code like int, char, etc., are used directly instead of through a typedef declaration, violating MISRA C Rule 6.3. This could lead to portability issues across different platforms. @@ -18636,6 +18997,7 @@ rules: - boost-baseline - ALL - checkmarx-misrac + - owasp-top-10 description: Bit fields should only be defined with `unsigned int` or `signed int` types, helping to prevent unexpected behavior or data corruption due to compiler-specific implementations. @@ -18649,6 +19011,7 @@ rules: - boost-baseline - ALL - checkmarx-misrac + - owasp-top-10 description: A bit-field declaration with a size greater than the intended bit width may cause unintended results and violates MISRA C:2004 Rule 6.5. group: top10-insecure-design @@ -18661,6 +19024,7 @@ rules: - boost-baseline - ALL - checkmarx-misrac + - owasp-top-10 description: An octal constant (other than zero) is being used which could lead to confusion or errors, violating MISRA C rule 07.01. group: top10-insecure-design 
@@ -18673,6 +19037,7 @@ rules: - boost-baseline - ALL - checkmarx-misrac + - owasp-top-10 description: The type of a standard library function is not identical in a function declaration and its corresponding definition, violating MISRA-C rule 08.03 and creating potential consistency issues. @@ -18686,6 +19051,7 @@ rules: - boost-baseline - ALL - checkmarx-misrac + - owasp-top-10 description: Objects or functions are used in a header file (.h file), conflicting with MISRA C's Rule 08.05, which prohibits declaring such entities in header files to prevent potential re-declaration errors and namespace pollution. @@ -18699,6 +19065,7 @@ rules: - boost-baseline - ALL - checkmarx-misrac + - owasp-top-10 description: Objects with block scope should not be declared in the block if they are only used by a single function, as outlined in MISRA C:2004, Rule 8.7, to improve code readability and maintainability. @@ -18712,6 +19079,7 @@ rules: - boost-baseline - ALL - checkmarx-misrac + - owasp-top-10 description: An externally linked object is declared more than once, causing redundancy and potentially leading to unpredictable behavior, in violation of MISRA C rule 08.08. @@ -18725,6 +19093,7 @@ rules: - boost-baseline - ALL - checkmarx-misrac + - owasp-top-10 description: Enum elements in C++ are not initialized following the first member and all elements are not consistently initialized, contravening MISRA C rule 09.03 and potentially leading to invalid enum member values. @@ -18738,6 +19107,7 @@ rules: - boost-baseline - ALL - checkmarx-misrac + - owasp-top-10 description: 'In C or C++ programming, unsigned constants must explicitly carry the ''U'' suffix, as per MISRA C : Rule 10.6. This rule identifies when the ''U'' suffix is not applied to an unsigned constant, which may lead to unexpected 
@@ -18752,6 +19122,7 @@ rules: - boost-baseline - ALL - checkmarx-misrac + - owasp-top-10 description: The rule checks for situations where logical '&&' and '||' operators don't have primary expressions as operands, which is a violation of MISRA C Rule 12.05. This could lead to unexpected behaviors due to operator precedence @@ -18766,6 +19137,7 @@ rules: - boost-baseline - ALL - checkmarx-misrac + - owasp-top-10 description: Bitwise operators are applied to signed data types in C++, violating MISRA C guideline (Rule 12.07). This could lead to unpredictable behavior due to sign extension. @@ -18779,6 +19151,7 @@ rules: - boost-baseline - ALL - checkmarx-misrac + - owasp-top-10 description: Applies the unary minus operator to an unsigned type, which, according to MISRA C Rule 12.9, can result in undefined behavior due to wrapping around zero. @@ -18792,6 +19165,7 @@ rules: - boost-baseline - ALL - checkmarx-misrac + - owasp-top-10 description: The comma operator is being used in an expression. According to the Motor Industry Software Reliability Association (MISRA) C rule 12.10, this is not advised due to its potential to impact the order of operations and lead @@ -18806,6 +19180,7 @@ rules: - boost-baseline - ALL - checkmarx-misrac + - owasp-top-10 description: Floating point values are treated as though they have an underlying bit representation, violating MISRA C rule 12.12, which can lead to unexpected results or undefined behavior. @@ -18819,6 +19194,7 @@ rules: - boost-baseline - ALL - checkmarx-misrac + - owasp-top-10 description: The rule indicates the usage of increment (++) and decrement (--) operators, which is not compliant with MISRA C guideline 12.13 due to potential unpredictability of execution order. 
@@ -18832,6 +19208,7 @@ rules: - boost-baseline - ALL - checkmarx-misrac + - owasp-top-10 description: Assignment operators are used improperly within boolean expressions, violating MISRA C Rule 13.01. This could lead to unpredictable software behavior. group: top10-insecure-design @@ -18844,6 +19221,7 @@ rules: - boost-baseline - ALL - checkmarx-misrac + - owasp-top-10 description: Compares floating point numbers for equality or inequality, which contradicts MISRA C R13.03 due to potential inaccuracies in floating point storage and computation. @@ -18857,6 +19235,7 @@ rules: - boost-baseline - ALL - checkmarx-misrac + - owasp-top-10 description: Floating point objects are being used in for loop control structures, which is a violation of MISRA C rule 13.04. This can lead to unpredictable behavior due to the imprecise nature of floating point numbers. @@ -18870,6 +19249,7 @@ rules: - boost-baseline - ALL - checkmarx-misrac + - owasp-top-10 description: Violates MISRA C Rule 13.06 as the loop iterator is modified in the body of the loop, which may lead to unpredictable iteration behaviors. group: top10-insecure-design @@ -18882,6 +19262,7 @@ rules: - boost-baseline - ALL - checkmarx-misrac + - owasp-top-10 description: Refers to the use of 'goto' statement in C++ which violates the MISRA C 2004 Rule 14.4, deeming it as non-compliant due to potential control flow disruption. @@ -18895,6 +19276,7 @@ rules: - boost-baseline - ALL - checkmarx-misrac + - owasp-top-10 description: The 'continue' statement is used in iteration statements, which contradicts rule 14.05 of the MISRA C guidelines, recommending against its use for better predictability and understandability of the code. @@ -18908,6 +19290,7 @@ rules: - boost-baseline - ALL - checkmarx-misrac + - owasp-top-10 description: Indicates the presence of multiple break statements within a loop or iteration, which violates MISRA C Rule 14.06 and disrupts expected control flow. 
@@ -18921,6 +19304,7 @@ rules: - boost-baseline - ALL - checkmarx-misrac + - owasp-top-10 description: Functions must have a single point of exit at the end, maintaining only one return statement, as per the MISRA C:2012 Rule 14.7, to improve readability and manageability of the code. @@ -18934,6 +19318,7 @@ rules: - boost-baseline - ALL - checkmarx-misrac + - owasp-top-10 description: The last statement of a switch case or an iteration directive is not a compound statement, which contradicts the MISRA C rule 14.08 guideline and can lead to potential logical errors. @@ -18947,6 +19332,7 @@ rules: - boost-baseline - ALL - checkmarx-misrac + - owasp-top-10 description: An 'if' or 'else if' conditional statement, containing a non-compound statement as its body, must be enclosed in braces {}. Violating this requirement in the C++ language as stipulated by MISRA C standard can lead to misunderstanding @@ -18961,6 +19347,7 @@ rules: - boost-baseline - ALL - checkmarx-misrac + - owasp-top-10 description: 'An ''if'' / ''else if'' construct is not ending with an ''else'' clause, violating MISRA C''s Rule 14.10 and potentially leading to unanticipated behavior under certain conditions. @@ -18976,6 +19363,7 @@ rules: - boost-baseline - ALL - checkmarx-misrac + - owasp-top-10 description: A case in a switch statement is not enclosed by braces, violating the MISRA C Rule 15.1, thus possibly causing unexpected fall-through behavior. group: top10-insecure-design @@ -18988,6 +19376,7 @@ rules: - boost-baseline - ALL - checkmarx-misrac + - owasp-top-10 description: A non-empty switch clause lacks a 'break' statement. According to the MISRA C Guidelines (Rule 15.2), this may lead to unintended execution of adjacent switch clauses. 
@@ -19001,6 +19390,7 @@ rules: - boost-baseline - ALL - checkmarx-misrac + - owasp-top-10 description: A 'switch' statement in C++ does not have a 'default' clause as the last clause, violating the MISRA C Rule 15.03 and potentially leading to unexpected behavior. @@ -19014,6 +19404,7 @@ rules: - boost-baseline - ALL - checkmarx-misrac + - owasp-top-10 description: A switch statement doesn't include any case labels, negating its purpose; as per MISRA C Rule 15.5, this renders the code non-compliant with best practice. @@ -19027,6 +19418,7 @@ rules: - boost-baseline - ALL - checkmarx-misrac + - owasp-top-10 description: Functions with a variable number of arguments are used, in violation of MISRA C Rule 16.01. This can lead to potential security and stability issues. group: top10-insecure-design @@ -19039,6 +19431,7 @@ rules: - boost-baseline - ALL - checkmarx-misrac + - owasp-top-10 description: The rule identifies uses of recursion within C++ code, a practice prohibited by the MISRA C standard due to the possible risks of stack overflow. group: top10-insecure-design @@ -19051,6 +19444,7 @@ rules: - boost-baseline - ALL - checkmarx-misrac + - owasp-top-10 description: Violation of MISRA C Rule 16.3, indicating a function prototype is declared without specifying parameter identifiers, which may lead to confusion or mistakes during code maintenance. @@ -19064,6 +19458,7 @@ rules: - boost-baseline - ALL - checkmarx-misrac + - owasp-top-10 description: The identifiers in a function prototype don't match those in its function definition, violating rule R16.04 of the Motor Industry Software Reliability Association (MISRA) C guidelines. @@ -19078,6 +19473,7 @@ rules: - boost-baseline - ALL - checkmarx-misrac + - owasp-top-10 description: A function prototype declaration without parameters presents ambiguity and potential misuse opportunities, violating the MISRA C rule (16.05), which requires clear parameter specification. 
@@ -19091,6 +19487,7 @@ rules: - boost-baseline - ALL - checkmarx-misrac + - owasp-top-10 description: 'A function is invoked with a number of arguments that does not match the number of parameters in its declaration, violating MISRA C rule R16.06. This could cause unexpected behavior or program crashes. @@ -19107,6 +19504,7 @@ rules: - boost-baseline - ALL - checkmarx-misrac + - owasp-top-10 description: Parameters of a function that are pointers to non-const should be pointers to const if they are not modified, to maintain data integrity and prevent unintentional changes. This rule ensures adherence to MISRA C Rule 16.07. @@ -19120,6 +19518,7 @@ rules: - boost-baseline - ALL - checkmarx-misrac + - owasp-top-10 description: Non-void functions in C++ lack an explicit return statement, violating MISRA C Rule 16.08, which may cause unpredictable program behavior due to undefined return values. @@ -19133,6 +19532,7 @@ rules: - boost-baseline - ALL - checkmarx-misrac + - owasp-top-10 description: The function identifier is being used inappropriately, i.e., not as a function call or pointer to function, which violates MISRA C Rule 16.09. group: top10-insecure-design @@ -19145,6 +19545,7 @@ rules: - boost-baseline - ALL - checkmarx-misrac + - owasp-top-10 description: The rule identifies the use of 'union' data types in C++. According to MISRA C guidelines (Rule 18.4), unions should not be used due to potential issues with data corruption and indeterminate values. @@ -19158,6 +19559,7 @@ rules: - boost-baseline - ALL - checkmarx-misrac + - owasp-top-10 description: A non-preprocessor command appears before a '#include' directive in a file, which violates the MISRA C:2004 Rule 19.1, making the code prone to unexpected behavior or errors. 
@@ -19171,6 +19573,7 @@ rules: - boost-baseline - ALL - checkmarx-misrac + - owasp-top-10 description: Header file names include non-standard characters, violating Rule 19.2 of MISRA C which states that standardized or expanded identifiers should be used for header file names to avoid potential compatibility issues. @@ -19184,6 +19587,7 @@ rules: - boost-baseline - ALL - checkmarx-misrac + - owasp-top-10 description: The '#include' directive format does not adhere to the MISRA C 2012 Rule 19.3, advocating that all '#include' directives should be located in either the file scope or a function scope, and never inside a block scope. @@ -19197,6 +19601,7 @@ rules: - boost-baseline - ALL - checkmarx-misrac + - owasp-top-10 description: The code violates MISRA C Rule 19.5 by using '#define' or '#undef' directive within a function or block scope, which can cause unpredictable behavior or difficulties in code maintenance. @@ -19210,6 +19615,7 @@ rules: - boost-baseline - ALL - checkmarx-misrac + - owasp-top-10 description: An '#undef' directive is used within a source file, causing potential discrepancies and undefined behaviour in the compiled program, a violation of the MISRA C 2012 Rule 19.6. @@ -19223,6 +19629,7 @@ rules: - boost-baseline - ALL - checkmarx-misrac + - owasp-top-10 description: A C++ macro utilizes multiple '#' or '##' preprocessor operators, violating MISRA-C rule 19.12 for safe and reliable code in embedded systems. group: top10-insecure-design @@ -19235,6 +19642,7 @@ rules: - boost-baseline - ALL - checkmarx-misrac + - owasp-top-10 description: The C++ preprocessor operator (#) is in use, contradicting the MISRA C rule 19.13, which outlaws the utilization of this operator as a measure against accidental macro undefined behavior. 
@@ -19248,6 +19656,7 @@ rules: - boost-baseline - ALL - checkmarx-misrac + - owasp-top-10 description: In the examined C++ code, a preprocessor '#if' operator and its corresponding '#else' operator are located in separate files, which is a violation of the MISRA C Rule 19.17. This situation can lead to control flow confusion and inconsistent @@ -19263,6 +19672,7 @@ rules: - boost-baseline - ALL - checkmarx-misrac + - owasp-top-10 description: The rule indicates the use of the 'errno' indicator from the 'errno.h' library in C++, which is a direct violation of the MISRA C:2012 Rule 20.5, stressing against such usage due to its global accessibility from different threads, potentially @@ -19277,6 +19687,7 @@ rules: - boost-baseline - ALL - checkmarx-misrac + - owasp-top-10 description: The use of 'offsetof' macro from 'stddef.h' is not compliant with the Motor Industry Software Reliability Association's C coding standards (MISRA C), particularly rule 20.6. The 'offsetof' macro relies on undefined behavior @@ -19291,6 +19702,7 @@ rules: - boost-baseline - ALL - checkmarx-misrac + - owasp-top-10 description: The code uses setjmp/longjmp macros from which is disallowed by MISRA C Rule 20.7 due to its non-deterministic flow of control. This could lead to potential bugs and portability issues. @@ -19304,6 +19716,7 @@ rules: - boost-baseline - ALL - checkmarx-misrac + - owasp-top-10 description: The code includes signal handling functionality from 'signal.h', a violation of the MISRA C Rule 20.08 (The signal handling facilities of shall not be used), risking unpredictable behavior. @@ -19317,6 +19730,7 @@ rules: - boost-baseline - ALL - checkmarx-misrac + - owasp-top-10 description: Objects from the 'stdio.h' library are used, which is prohibited by MISRA C guideline (Rule 20.9). This could introduce vulnerabilities associated with standard Input/Output operations. 
@@ -19330,6 +19744,7 @@ rules: - boost-baseline - ALL - checkmarx-misrac + - owasp-top-10 description: Functions atof, atoi, and atol from stdlib.h are used, which violates Rule 20.10 from the MISRA C Guidelines encouraging use of application-specific versions of these functions to handle number conversion errors better. @@ -19343,6 +19758,7 @@ rules: - boost-baseline - ALL - checkmarx-misrac + - owasp-top-10 description: Functions 'abort', 'exit', 'getenv', and 'system' from 'stdlib.h' are used, violating MISRA C Rule 20.11 that discourages their usage due to potential unpredictability in program behavior. @@ -19356,6 +19772,7 @@ rules: - boost-baseline - ALL - checkmarx-misrac + - owasp-top-10 description: The code employs time handling functions or macros from the 'time.h' header file, violating MISRA C rule 20.12, which can lead to unpredictable behavior due to potential inconsistencies in system time settings. @@ -19396,6 +19813,7 @@ rules: categories: - cwe-242 - checkmarx-medium-threat + - owasp-top-10 - boost-baseline - ALL description: The product calls a function that can never be guaranteed to work @@ -19408,6 +19826,7 @@ rules: CPP_Medium_Threat_Divide_By_Zero: categories: - checkmarx-medium-threat + - owasp-top-10 - cwe-369 - boost-baseline - ALL @@ -19420,6 +19839,7 @@ rules: CPP_Medium_Threat_DoS_by_Sleep: categories: - checkmarx-medium-threat + - owasp-top-10 - boost-baseline - ALL description: The product performs an iteration or loop without sufficiently limiting @@ -19433,6 +19853,7 @@ rules: categories: - checkmarx-medium-threat - cwe-415 + - owasp-top-10 - boost-baseline - ALL description: The product calls free() twice on the same memory address, potentially @@ -19463,7 +19884,6 @@ rules: - ALL - checkmarx-medium-threat - cwe-15 - - owasp-top-10 description: One or more system settings or configuration elements can be externally controlled by a user. group: top10-security-misconfiguration 
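Review bot: The `@@ -19463` hunk removes `- owasp-top-10` from a rule that keeps `- cwe-15` and `group: top10-security-misconfiguration`, so the rule's OWASP group and its category set now disagree. The same removal hits the `cwe-15` rules at `@@ -19620` and `@@ -19874`, the `cwe-117` rules at `@@ -19917` and `@@ -21335` and the three `cwe-778` rules at `@@ -20337`, `@@ -20351` and `@@ -20365` (all still grouped under `top10-security-logging-monitoring-failures`), plus the `cwe-547` and `cwe-520` rules at `@@ -19477` and `@@ -21121` whose `group:` line is cut off here. If the regenerated CWE list is meant to contain these CWEs, the normalizer is dropping rules it should keep; if they were deliberately delisted, the `group:` of those rules should change with them so that consumers filtering on either field see the same set. A rule carrying a `top10-*` group but no `owasp-top-10` category should not survive the normalization pass.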
@@ -19477,7 +19897,6 @@ rules: - ALL - cwe-547 - checkmarx-medium-threat - - owasp-top-10 description: The product uses hard-coded constants instead of symbolic names for security-critical values, which increases the likelihood of mistakes during code maintenance or security policy change. @@ -19489,6 +19908,7 @@ rules: CPP_Medium_Threat_Improperly_Locked_Memory: categories: - checkmarx-medium-threat + - owasp-top-10 - cwe-591 - boost-baseline - ALL @@ -19520,6 +19940,7 @@ rules: categories: - cwe-477 - checkmarx-medium-threat + - owasp-top-10 - boost-baseline - ALL description: The code uses deprecated or obsolete functions, which suggests that @@ -19533,6 +19954,7 @@ rules: categories: - cwe-590 - checkmarx-medium-threat + - owasp-top-10 - boost-baseline - ALL description: The product calls free() on a pointer to memory that was not allocated @@ -19546,6 +19968,7 @@ rules: categories: - checkmarx-medium-threat - cwe-401 + - owasp-top-10 - boost-baseline - ALL description: The product does not sufficiently track and release allocated memory @@ -19604,6 +20027,7 @@ rules: CPP_Medium_Threat_Pointer_Subtraction_Determines_Size: categories: - checkmarx-medium-threat + - owasp-top-10 - boost-baseline - ALL description: The product subtracts one pointer from another in order to determine @@ -19620,7 +20044,6 @@ rules: - ALL - checkmarx-medium-threat - cwe-15 - - owasp-top-10 description: One or more system settings or configuration elements can be externally controlled by a user. group: top10-security-misconfiguration @@ -19632,6 +20055,7 @@ rules: categories: - checkmarx-medium-threat - cwe-674 + - owasp-top-10 - boost-baseline - ALL description: The product does not properly control the amount of recursion that @@ -19646,6 +20070,7 @@ rules: categories: - checkmarx-medium-threat - cwe-top-25 + - owasp-top-10 - boost-baseline - ALL - cwe-416 
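Review bot: The position of the new `- owasp-top-10` entry differs from rule to rule — after `checkmarx-medium-threat` at `@@ -19489`, after `cwe-401` at `@@ -19546`, after `cwe-top-25` at `@@ -19646` — which suggests the `categories:` list is emitted in whatever order it happens to hold in memory rather than a canonical one. That makes every rerun of the normalizer produce a fresh diff for unchanged content and makes reviewing these mapping updates harder than it needs to be. I would sort the list when the file is regenerated so each rule reads in a stable order such as `- ALL`, `- boost-baseline`, `- checkmarx-medium-threat`, `- cwe-591`, `- owasp-top-10`. This is inferred from the insertion points only; the writer itself is not part of this diff.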
@@ -19674,6 +20099,7 @@ rules: categories: - checkmarx-medium-threat - cwe-457 + - owasp-top-10 - boost-baseline - ALL description: The code uses a variable that has not been initialized, leading to @@ -19687,6 +20113,7 @@ rules: categories: - checkmarx-medium-threat - cwe-457 + - owasp-top-10 - boost-baseline - ALL description: The code uses a variable that has not been initialized, leading to @@ -19700,6 +20127,7 @@ rules: categories: - checkmarx-medium-threat - cwe-457 + - owasp-top-10 - boost-baseline - ALL description: The code uses a variable that has not been initialized, leading to @@ -19727,6 +20155,7 @@ rules: CPP_Medium_Threat_Wrong_Memory_Allocation: categories: - checkmarx-medium-threat + - owasp-top-10 - boost-baseline - ALL - cwe-131 @@ -19757,6 +20186,7 @@ rules: CPP_Stored_Vulnerabilities_Stored_Buffer_Overflow_boundcpy: categories: - checkmarx-stored-vulnerabilities + - owasp-top-10 - cwe-120 - boost-baseline - ALL @@ -19771,6 +20201,7 @@ rules: CPP_Stored_Vulnerabilities_Stored_Buffer_Overflow_cpycat: categories: - checkmarx-stored-vulnerabilities + - owasp-top-10 - cwe-120 - boost-baseline - ALL @@ -19785,6 +20216,7 @@ rules: CPP_Stored_Vulnerabilities_Stored_Buffer_Overflow_fgets: categories: - checkmarx-stored-vulnerabilities + - owasp-top-10 - cwe-120 - boost-baseline - ALL @@ -19799,6 +20231,7 @@ rules: CPP_Stored_Vulnerabilities_Stored_Buffer_Overflow_fscanf: categories: - checkmarx-stored-vulnerabilities + - owasp-top-10 - cwe-120 - boost-baseline - ALL @@ -19859,6 +20292,7 @@ rules: CPP_Stored_Vulnerabilities_Stored_DoS_by_Sleep: categories: - checkmarx-stored-vulnerabilities + - owasp-top-10 - boost-baseline - ALL - cwe-730 @@ -19874,7 +20308,6 @@ rules: - ALL - checkmarx-stored-vulnerabilities - cwe-15 - - owasp-top-10 description: One or more system settings or configuration elements can be externally controlled by a user. group: top10-security-misconfiguration 
@@ -19886,6 +20319,7 @@ rules: categories: - cwe-134 - checkmarx-stored-vulnerabilities + - owasp-top-10 - boost-baseline - ALL description: The product uses a function that accepts a format string as an argument, @@ -19917,7 +20351,6 @@ rules: - ALL - cwe-117 - checkmarx-stored-vulnerabilities - - owasp-top-10 description: The product does not neutralize or incorrectly neutralizes output that is written to logs. group: top10-security-logging-monitoring-failures @@ -19961,6 +20394,7 @@ rules: CPP_Stored_Vulnerabilities_Stored_Process_Control: categories: - checkmarx-stored-vulnerabilities + - owasp-top-10 - cwe-114 - boost-baseline - ALL @@ -20184,6 +20618,7 @@ rules: - boost-baseline - ALL - checkmarx-best-coding-practices + - owasp-top-10 description: The rule signifies an issue where a C# method, adorned with the AllowPartiallyTrustedCallersAttribute (APTCA), invokes a method that lacks the same attribute, posing a threat to privileged access security. @@ -20195,6 +20630,7 @@ rules: CSharp_Best_Coding_Practice_Catch_NullPointerException: categories: - cwe-395 + - owasp-top-10 - checkmarx-best-coding-practices - boost-baseline - ALL @@ -20208,6 +20644,7 @@ rules: CSharp_Best_Coding_Practice_Declaration_Of_Catch_For_Generic_Exception: categories: - cwe-396 + - owasp-top-10 - checkmarx-best-coding-practices - boost-baseline - ALL @@ -20223,6 +20660,7 @@ rules: - boost-baseline - ALL - checkmarx-best-coding-practices + - owasp-top-10 description: Identifies the use of deprecated methods in the C# code which could result in future compatibility issues or unexpected behavior. group: top10-insecure-design @@ -20233,6 +20671,7 @@ rules: CSharp_Best_Coding_Practice_Detection_of_Error_Condition_Without_Action: categories: - cwe-390 + - owasp-top-10 - checkmarx-best-coding-practices - boost-baseline - ALL 
@@ -20246,6 +20685,7 @@ rules: CSharp_Best_Coding_Practice_Direct_Use_of_Sockets: categories: - boost-baseline + - owasp-top-10 - checkmarx-best-coding-practices - cwe-246 - ALL @@ -20275,6 +20715,7 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CSharp_Best_Coding_Practice_Exposure_of_Resource_to_Wrong_Sphere: categories: + - owasp-top-10 - cwe-493 - checkmarx-best-coding-practices - boost-baseline @@ -20288,6 +20729,7 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CSharp_Best_Coding_Practice_GetLastWin32Error_Is_Not_Called_After_Pinvoke: categories: + - owasp-top-10 - checkmarx-best-coding-practices - boost-baseline - ALL @@ -20337,7 +20779,6 @@ rules: - ALL - checkmarx-best-coding-practices - cwe-778 - - owasp-top-10 description: When a security-critical event occurs, the product either does not record the event or omits important details about the event when logging it. group: top10-security-logging-monitoring-failures @@ -20351,7 +20792,6 @@ rules: - ALL - checkmarx-best-coding-practices - cwe-778 - - owasp-top-10 description: When a security-critical event occurs, the product either does not record the event or omits important details about the event when logging it. group: top10-security-logging-monitoring-failures @@ -20365,7 +20805,6 @@ rules: - ALL - checkmarx-best-coding-practices - cwe-778 - - owasp-top-10 description: When a security-critical event occurs, the product either does not record the event or omits important details about the event when logging it. group: top10-security-logging-monitoring-failures @@ -20376,6 +20815,7 @@ rules: CSharp_Best_Coding_Practice_Just_One_of_Equals_and_Hash_code_Defined: categories: - ALL + - owasp-top-10 - checkmarx-best-coding-practices - boost-baseline - cwe-581 
@@ -20388,6 +20828,7 @@ rules: CSharp_Best_Coding_Practice_Leftover_Debug_Code: categories: - cwe-489 + - owasp-top-10 - checkmarx-best-coding-practices - boost-baseline - ALL @@ -20404,6 +20845,7 @@ rules: - boost-baseline - ALL - checkmarx-best-coding-practices + - owasp-top-10 description: Numerical literals are directly used in the code, instead of being declared as constants. This makes code less readable and maintainable due to lack of context or meaning attached to these numbers, known as 'Magic Numbers'. @@ -20415,6 +20857,7 @@ rules: CSharp_Best_Coding_Practice_Missing_XML_Validation: categories: - cwe-112 + - owasp-top-10 - checkmarx-best-coding-practices - boost-baseline - ALL @@ -20430,6 +20873,7 @@ rules: - boost-baseline - ALL - checkmarx-best-coding-practices + - owasp-top-10 description: Invoking the 'Equals' method with a null argument can lead to a NullReferenceException if the implementation doesn't handle the null condition correctly, causing a potential program crash. @@ -20443,6 +20887,7 @@ rules: - boost-baseline - ALL - checkmarx-best-coding-practices + - owasp-top-10 description: Static constructors in C# that aren't marked as private might lead to uncontrolled instantiation, affecting program predictability and security. group: top10-insecure-design @@ -20452,6 +20897,7 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CSharp_Best_Coding_Practice_Pages_Without_Global_Error_Handler: categories: + - owasp-top-10 - cwe-544 - checkmarx-best-coding-practices - boost-baseline @@ -20469,6 +20915,7 @@ rules: - boost-baseline - ALL - checkmarx-best-coding-practices + - owasp-top-10 description: The property PersistSecurityInfo is set to true, revealing sensitive information such as a password, in a connection string after the connection to the database is established. 
@@ -20480,6 +20927,7 @@ rules: CSharp_Best_Coding_Practice_Routed_Deprecated_Code: categories: - cwe-477 + - owasp-top-10 - checkmarx-best-coding-practices - boost-baseline - ALL @@ -20493,6 +20941,7 @@ rules: CSharp_Best_Coding_Practice_Suspicious_Endpoints: categories: - cwe-923 + - owasp-top-10 - checkmarx-best-coding-practices - boost-baseline - ALL @@ -20507,6 +20956,7 @@ rules: CSharp_Best_Coding_Practice_Threads_in_WebApp: categories: - ALL + - owasp-top-10 - checkmarx-best-coding-practices - boost-baseline - cwe-383 @@ -20519,6 +20969,7 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CSharp_Best_Coding_Practice_Unchecked_Error_Condition: categories: + - owasp-top-10 - cwe-391 - checkmarx-best-coding-practices - boost-baseline @@ -20532,6 +20983,7 @@ rules: CSharp_Best_Coding_Practice_Unchecked_Return_Value: categories: - cwe-252 + - owasp-top-10 - checkmarx-best-coding-practices - boost-baseline - ALL @@ -20544,6 +20996,7 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CSharp_Best_Coding_Practice_Unclosed_Objects: categories: + - owasp-top-10 - checkmarx-best-coding-practices - boost-baseline - ALL @@ -20560,6 +21013,7 @@ rules: - boost-baseline - ALL - checkmarx-best-coding-practices + - owasp-top-10 description: Public methods, classes, or interfaces within the application's API lack necessary documentation comments, leading to potential misuse or improper implementation. @@ -20607,6 +21061,7 @@ rules: - boost-baseline - ALL - checkmarx-best-coding-practices + - owasp-top-10 description: Public methods accept arguments without proper validation, increasing the potential for harmful or unexpected behavior due to uncontrolled input. group: top10-insecure-design @@ -20617,6 +21072,7 @@ rules: CSharp_Best_Coding_Practice_Use_Of_Uninitialized_Variables: categories: - cwe-457 + - owasp-top-10 - checkmarx-best-coding-practices - boost-baseline - ALL 
@@ -20629,6 +21085,7 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CSharp_Best_Coding_Practice_Use_of_System_Output_Stream: categories: + - owasp-top-10 - cwe-398 - checkmarx-best-coding-practices - boost-baseline @@ -20641,6 +21098,7 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CSharp_Best_Coding_Practice_Using_Of_Index_Instead_Of_Key: categories: + - owasp-top-10 - cwe-398 - checkmarx-best-coding-practices - boost-baseline @@ -20656,6 +21114,7 @@ rules: - boost-baseline - ALL - checkmarx-best-coding-practices + - owasp-top-10 description: In the context of C# code, pointers are declared in visible scopes, leading to potential memory manipulation vulnerabilities. group: top10-insecure-design @@ -21048,6 +21507,7 @@ rules: categories: - cwe-171 - checkmarx-low-visibility + - owasp-top-10 - boost-baseline - ALL description: Improper handling of data within protection mechanisms that attempt @@ -21090,6 +21550,7 @@ rules: categories: - cwe-203 - checkmarx-low-visibility + - owasp-top-10 - boost-baseline - ALL description: The product behaves differently or sends different responses under @@ -21105,6 +21566,7 @@ rules: categories: - cwe-244 - checkmarx-low-visibility + - owasp-top-10 - boost-baseline - ALL description: Using realloc() to resize buffers that store sensitive information @@ -21121,7 +21583,6 @@ rules: - ALL - checkmarx-low-visibility - cwe-520 - - owasp-top-10 description: Allowing a .NET application to run at potentially escalated levels of access to the underlying operating and file systems can be dangerous and result in various forms of attacks. @@ -21150,6 +21611,7 @@ rules: categories: - cwe-248 - checkmarx-low-visibility + - owasp-top-10 - boost-baseline - ALL description: An exception is thrown from a function, but it is not caught. 
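Review bot: The removals in hunks `@@ -21121,7 +21583,6 @@` (the cwe-520 .NET escalated-privilege rule) and `@@ -21335,7 +21801,6 @@` (cwe-117 log forging, `group: top10-security-logging-monitoring-failures`) drop `owasp-top-10` from rules whose CWE is in the OWASP Top 10 2021 CWE mapping (CWE-520 under A05, CWE-117 under A09), while the surrounding hunks on this line add the tag to the cwe-171, cwe-203, cwe-244, cwe-248, cwe-404 and cwe-460 rules, none of which are in that mapping. If the tag is meant to be derived from the 2021 CWE list, the direction looks inverted and is worth re-checking against the generating script before this lands: a scan policy scoped to `owasp-top-10` would silently stop reporting log forging and start reporting resource-release findings instead. The rule names for both removal hunks sit above their hunks and are not visible here, so I am going by the CWE and description lines.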
@@ -21162,6 +21624,7 @@ rules: categories: - cwe-404 - checkmarx-low-visibility + - owasp-top-10 - boost-baseline - ALL description: The product does not release or incorrectly releases a resource before @@ -21189,6 +21652,7 @@ rules: categories: - cwe-460 - checkmarx-low-visibility + - owasp-top-10 - boost-baseline - ALL description: The product does not clean up its state or incorrectly cleans up @@ -21202,6 +21666,7 @@ rules: CSharp_Low_Visibility_Inappropriate_Encoding_for_Output_Context: categories: - checkmarx-low-visibility + - owasp-top-10 - boost-baseline - ALL - cwe-838 @@ -21320,6 +21785,7 @@ rules: CSharp_Low_Visibility_Leaving_Temporary_Files: categories: - checkmarx-low-visibility + - owasp-top-10 - boost-baseline - ALL - cwe-376 @@ -21335,7 +21801,6 @@ rules: - ALL - cwe-117 - checkmarx-low-visibility - - owasp-top-10 description: The product does not neutralize or incorrectly neutralizes output that is written to logs. group: top10-security-logging-monitoring-failures @@ -21376,6 +21841,7 @@ rules: categories: - cwe-193 - checkmarx-low-visibility + - owasp-top-10 - boost-baseline - ALL description: A product calculates or uses an incorrect maximum or minimum value @@ -21418,6 +21884,7 @@ rules: categories: - cwe-615 - checkmarx-low-visibility + - owasp-top-10 - boost-baseline - ALL description: 'While adding general comments is very useful, some programmers tend @@ -21446,6 +21913,7 @@ rules: CSharp_Low_Visibility_Potential_ReDoS: categories: - checkmarx-low-visibility + - owasp-top-10 - cwe-400 - boost-baseline - ALL @@ -21461,6 +21929,7 @@ rules: CSharp_Low_Visibility_Potential_ReDoS_By_Injection: categories: - checkmarx-low-visibility + - owasp-top-10 - cwe-400 - boost-baseline - ALL @@ -21476,6 +21945,7 @@ rules: CSharp_Low_Visibility_Potential_ReDoS_In_Code: categories: - checkmarx-low-visibility + - owasp-top-10 - cwe-400 - boost-baseline - ALL 
@@ -21491,6 +21961,7 @@ rules: CSharp_Low_Visibility_Potential_ReDoS_In_Static_Field: categories: - checkmarx-low-visibility + - owasp-top-10 - cwe-400 - boost-baseline - ALL @@ -21507,6 +21978,7 @@ rules: categories: - cwe-350 - checkmarx-low-visibility + - owasp-top-10 - boost-baseline - ALL description: The product performs reverse DNS resolution on an IP address to obtain @@ -21583,6 +22055,7 @@ rules: categories: - cwe-567 - checkmarx-low-visibility + - owasp-top-10 - boost-baseline - ALL description: The product does not properly synchronize shared data, such as static @@ -21611,6 +22084,7 @@ rules: categories: - cwe-647 - checkmarx-low-visibility + - owasp-top-10 - boost-baseline - ALL description: The product defines policy namespaces and makes authorization decisions @@ -21709,6 +22183,7 @@ rules: CSharp_Medium_Threat_Buffer_Overflow: categories: - checkmarx-medium-threat + - owasp-top-10 - cwe-120 - boost-baseline - ALL @@ -21785,6 +22260,7 @@ rules: CSharp_Medium_Threat_Data_Filter_Injection: categories: - checkmarx-medium-threat + - owasp-top-10 - cwe-943 - boost-baseline - ALL @@ -21799,6 +22275,7 @@ rules: CSharp_Medium_Threat_DoS_by_Sleep: categories: - checkmarx-medium-threat + - owasp-top-10 - boost-baseline - ALL description: The product performs an iteration or loop without sufficiently limiting @@ -21843,7 +22320,6 @@ rules: - ALL - cwe-547 - checkmarx-medium-threat - - owasp-top-10 description: The product uses hard-coded constants instead of symbolic names for security-critical values, which increases the likelihood of mistakes during code maintenance or security policy change. @@ -21858,7 +22334,6 @@ rules: - ALL - boost-baseline - checkmarx-medium-threat - - owasp-top-10 description: The product uses a cookie to store sensitive information, but the cookie is not marked with the HttpOnly flag. group: top10-security-misconfiguration 
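Review bot: Hunk `@@ -21886,7 +22362,6 @@` removes `owasp-top-10` from the rule whose description is XML entities resolving to documents outside the intended sphere of control, which is CWE-611 (A05:2021) if the CWE line above the hunk confirms it; the same line also removes the tag from the cwe-614 Secure-cookie and cwe-547 hard-coded-security-constant rules, both A05 CWEs, while the cwe-400 ReDoS and cwe-120 buffer-overflow rules gain it. Please confirm which list the category is generated from before merging, since XXE and cookie-flag findings are exactly what an OWASP-scoped policy is expected to surface. The CWE line of the XML rule is above the hunk and not visible here.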
@@ -21870,6 +22345,7 @@ rules: categories: - checkmarx-medium-threat - cwe-667 + - owasp-top-10 - boost-baseline - ALL description: The product does not properly acquire or release a lock on a resource, @@ -21886,7 +22362,6 @@ rules: - boost-baseline - ALL - cwe-top-25 - - owasp-top-10 description: The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output. @@ -21901,7 +22376,6 @@ rules: - cwe-614 - checkmarx-medium-threat - ALL - - owasp-top-10 description: The Secure attribute for sensitive cookies in HTTPS sessions is not set, which could cause the user agent to send those cookies in plaintext over an HTTP session. @@ -21929,6 +22403,7 @@ rules: categories: - checkmarx-medium-threat - cwe-190 + - owasp-top-10 - boost-baseline - ALL - cwe-top-25 @@ -22132,6 +22607,7 @@ rules: categories: - checkmarx-medium-threat - cwe-366 + - owasp-top-10 - boost-baseline - ALL description: If two threads of execution use a resource simultaneously, there @@ -22145,6 +22621,7 @@ rules: CSharp_Medium_Threat_ReDoS_By_Regex_Injection: categories: - checkmarx-medium-threat + - owasp-top-10 - cwe-400 - boost-baseline - ALL @@ -22160,6 +22637,7 @@ rules: CSharp_Medium_Threat_ReDoS_In_Code: categories: - checkmarx-medium-threat + - owasp-top-10 - cwe-400 - boost-baseline - ALL @@ -22175,6 +22653,7 @@ rules: CSharp_Medium_Threat_ReDoS_In_Validation: categories: - checkmarx-medium-threat + - owasp-top-10 - cwe-400 - boost-baseline - ALL @@ -22224,6 +22703,7 @@ rules: categories: - checkmarx-medium-threat - cwe-599 + - owasp-top-10 - boost-baseline - ALL description: The product uses OpenSSL and trusts or uses a certificate without @@ -22336,6 +22816,7 @@ rules: categories: - cwe-404 - checkmarx-medium-threat + - owasp-top-10 - boost-baseline - ALL description: The product does not release or incorrectly releases a resource before 
@@ -22391,6 +22872,7 @@ rules: CSharp_Medium_Threat_Value_Shadowing: categories: - checkmarx-medium-threat + - owasp-top-10 - cwe-233 - boost-baseline - ALL @@ -22422,6 +22904,7 @@ rules: - boost-baseline - ALL - checkmarx-web-config + - owasp-top-10 description: Session state is configured with cookieless enabled in web.config, leading to possible session hijacking through URL leaks. group: top10-broken-access-control @@ -22432,6 +22915,7 @@ rules: CSharp_WebConfig_CustomError: categories: - cwe-12 + - owasp-top-10 - checkmarx-web-config - boost-baseline - ALL @@ -22448,7 +22932,6 @@ rules: - ALL - checkmarx-web-config - cwe-11 - - owasp-top-10 description: Debugging messages help attackers learn about the system and plan a form of attack. group: top10-security-misconfiguration @@ -22490,6 +22973,7 @@ rules: CSharp_WebConfig_HardcodedCredentials: categories: - cwe-489 + - owasp-top-10 - checkmarx-web-config - boost-baseline - ALL @@ -22507,7 +22991,6 @@ rules: - ALL - boost-baseline - checkmarx-web-config - - owasp-top-10 description: The product uses a cookie to store sensitive information, but the cookie is not marked with the HttpOnly flag. group: top10-security-misconfiguration @@ -22532,6 +23015,7 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html CSharp_WebConfig_NonUniqueFormName: categories: + - owasp-top-10 - checkmarx-web-config - cwe-694 - boost-baseline @@ -22549,7 +23033,6 @@ rules: - ALL - checkmarx-web-config - cwe-260 - - owasp-top-10 description: The product stores a password in a configuration file that might be accessible to actors who do not know the password. group: top10-security-misconfiguration @@ -22563,7 +23046,6 @@ rules: - cwe-614 - ALL - checkmarx-web-config - - owasp-top-10 description: The Secure attribute for sensitive cookies in HTTPS sessions is not set, which could cause the user agent to send those cookies in plaintext over an HTTP session. 
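Review bot: `CSharp_WebConfig_HardcodedCredentials` (hunk `@@ -22490,6 +22973,7 @@`) is mapped to `cwe-489` (Active Debug Code), the same CWE as the leftover-debug-code rule earlier in this file, so the `owasp-top-10` tag it gains here rests on a wrong CWE; hard-coded credentials is CWE-798 (CWE-259/CWE-260 for a password in a configuration file), and `- cwe-489` should become `- cwe-798` so the category is derived for the right reason. On the same line the cwe-11 debug rule (`group: top10-security-misconfiguration`), the cwe-260 password-in-configuration rule and the cwe-614 Secure-cookie rule lose the tag although all three CWEs belong to A05:2021, which again suggests the derivation should be re-checked. Rule names for those removal hunks are above their hunks and not visible here.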
@@ -22590,6 +23072,7 @@ rules: CSharp_WebConfig_TraceEnabled: categories: - boost-baseline + - owasp-top-10 - checkmarx-web-config - cwe-749 - ALL @@ -22623,6 +23106,7 @@ rules: categories: - ALL - checkmarx-windows-phone + - owasp-top-10 - boost-baseline - cwe-250 description: The product performs an operation at a privilege level that is higher @@ -22808,6 +23292,7 @@ rules: categories: - cwe-615 - checkmarx-low-visibility + - owasp-top-10 - boost-baseline - ALL description: 'While adding general comments is very useful, some programmers tend @@ -22837,6 +23322,7 @@ rules: categories: - cwe-703 - checkmarx-medium-threat + - owasp-top-10 - boost-baseline - ALL description: The product does not properly anticipate or handle exceptional conditions @@ -22869,6 +23355,7 @@ rules: - boost-baseline - ALL - checkmarx-best-coding-practices + - owasp-top-10 description: Sensitive information stored in external storage is not encrypted, leaving it vulnerable to unauthorized access or data breaches. group: top10-insecure-design @@ -22879,6 +23366,7 @@ rules: Dart_Mobile_Best_Coding_Practice_Unused_Permission: categories: - ALL + - owasp-top-10 - checkmarx-best-coding-practices - boost-baseline - cwe-250 @@ -22893,6 +23381,7 @@ rules: Dart_Mobile_Best_Coding_Practice_Using_Deprecated_Methods: categories: - cwe-477 + - owasp-top-10 - checkmarx-best-coding-practices - boost-baseline - ALL @@ -22908,6 +23397,7 @@ rules: - boost-baseline - ALL - checkmarx-best-coding-practices + - owasp-top-10 description: WebView cache data in Dart mobile applications is not properly cleared or controlled, posing a risk for sensitive information leakage. group: top10-insecure-design @@ -22919,6 +23409,7 @@ rules: categories: - boost-hardened - checkmarx-android + - owasp-top-10 - boost-baseline - ALL description: The product uses a handler for a custom URL scheme, but it does not 
@@ -23066,6 +23557,7 @@ rules: Dart_Mobile_Low_Visibility_Improper_Resource_Shutdown_or_Release: categories: - cwe-404 + - owasp-top-10 - checkmarx-android - boost-baseline - ALL @@ -23079,6 +23571,7 @@ rules: Dart_Mobile_Low_Visibility_Insecure_Android_SDK_Version: categories: - cwe-477 + - owasp-top-10 - checkmarx-android - boost-baseline - ALL @@ -23133,6 +23626,7 @@ rules: Dart_Mobile_Low_Visibility_Missing_Root_Or_Jailbreak_Check: categories: - cwe-693 + - owasp-top-10 - checkmarx-android - boost-baseline - ALL @@ -23146,6 +23640,7 @@ rules: Dart_Mobile_Low_Visibility_No_Installer_Verification_Implemented: categories: - cwe-693 + - owasp-top-10 - checkmarx-android - boost-baseline - ALL @@ -23295,6 +23790,7 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Dart_Mobile_Low_Visibility_Use_of_Native_Language: categories: + - owasp-top-10 - checkmarx-android - cwe-695 - boost-baseline @@ -23551,6 +24047,7 @@ rules: - boost-baseline - ALL - checkmarx-medium-threat + - owasp-top-10 description: Sensitive input fields in Dart mobile applications allow third-party keyboards, posing a data leakage risk as these keyboards can capture and send user input to remote servers. @@ -23712,6 +24209,7 @@ rules: Go_AWS_Lambda_Race_Condition_Global_Scope: categories: - checkmarx-server-side-vulnerability + - owasp-top-10 - boost-baseline - ALL description: The code is structured in a way that relies too much on using or @@ -23772,7 +24270,6 @@ rules: - ALL - cwe-15 - checkmarx-server-side-vulnerability - - owasp-top-10 description: One or more system settings or configuration elements can be externally controlled by a user. group: top10-security-misconfiguration @@ -24091,6 +24588,7 @@ rules: categories: - cwe-477 - checkmarx-low-visibility + - owasp-top-10 - boost-baseline - ALL description: The code uses deprecated or obsolete functions, which suggests that 
@@ -24118,6 +24616,7 @@ rules: categories: - cwe-248 - checkmarx-low-visibility + - owasp-top-10 - boost-baseline - ALL description: An exception is thrown from a function, but it is not caught. @@ -24129,6 +24628,7 @@ rules: Go_Low_Visibility_Incorrect_Reflect_Value_Comparison: categories: - checkmarx-low-visibility + - owasp-top-10 - boost-baseline - ALL description: The product compares object references instead of the contents of @@ -24144,7 +24644,6 @@ rules: - ALL - cwe-117 - checkmarx-low-visibility - - owasp-top-10 description: The product does not neutralize or incorrectly neutralizes output that is written to logs. group: top10-security-logging-monitoring-failures @@ -24227,6 +24726,7 @@ rules: categories: - checkmarx-low-visibility - cwe-362 + - owasp-top-10 - boost-baseline - ALL - cwe-top-25 @@ -24271,6 +24771,7 @@ rules: categories: - cwe-242 - checkmarx-low-visibility + - owasp-top-10 - boost-baseline - ALL description: The product calls a function that can never be guaranteed to work @@ -24311,6 +24812,7 @@ rules: Go_Medium_Threat_Denial_Of_Service_Resource_Exhaustion: categories: - checkmarx-medium-threat + - owasp-top-10 - cwe-400 - boost-baseline - ALL @@ -24326,6 +24828,7 @@ rules: Go_Medium_Threat_Divide_By_Zero: categories: - checkmarx-medium-threat + - owasp-top-10 - cwe-369 - boost-baseline - ALL @@ -24357,7 +24860,6 @@ rules: - ALL - cwe-547 - checkmarx-medium-threat - - owasp-top-10 description: The product uses hard-coded constants instead of symbolic names for security-critical values, which increases the likelihood of mistakes during code maintenance or security policy change. @@ -24370,6 +24872,7 @@ rules: categories: - checkmarx-medium-threat - cwe-190 + - owasp-top-10 - boost-baseline - ALL - cwe-top-25 
@@ -24402,7 +24905,6 @@ rules: - ALL - boost-baseline - checkmarx-medium-threat - - owasp-top-10 description: The product uses a cookie to store sensitive information, but the cookie is not marked with the HttpOnly flag. group: top10-security-misconfiguration @@ -24416,7 +24918,6 @@ rules: - cwe-614 - checkmarx-medium-threat - ALL - - owasp-top-10 description: The Secure attribute for sensitive cookies in HTTPS sessions is not set, which could cause the user agent to send those cookies in plaintext over an HTTP session. @@ -24460,6 +24961,7 @@ rules: categories: - checkmarx-medium-threat - cwe-366 + - owasp-top-10 - boost-baseline - ALL description: If two threads of execution use a resource simultaneously, there @@ -24473,6 +24975,7 @@ rules: Go_Medium_Threat_Reflected_Absolute_Path_Traversal: categories: - checkmarx-medium-threat + - owasp-top-10 - cwe-36 - boost-baseline - ALL @@ -24504,6 +25007,7 @@ rules: categories: - checkmarx-medium-threat - cwe-599 + - owasp-top-10 - boost-baseline - ALL description: The product uses OpenSSL and trusts or uses a certificate without @@ -24533,6 +25037,7 @@ rules: Go_Medium_Threat_Stored_Absolute_Path_Traversal: categories: - checkmarx-medium-threat + - owasp-top-10 - cwe-36 - boost-baseline - ALL @@ -24591,6 +25096,7 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Groovy_Best_Coding_Practice_Assign_Collection: categories: + - owasp-top-10 - cwe-398 - checkmarx-best-coding-practices - boost-baseline @@ -24604,6 +25110,7 @@ rules: Groovy_Best_Coding_Practice_Assigning_instead_of_Comparing: categories: - cwe-481 + - owasp-top-10 - checkmarx-best-coding-practices - boost-baseline - ALL @@ -24616,6 +25123,7 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Groovy_Best_Coding_Practice_Comparing_instead_of_Assigning: categories: + - owasp-top-10 - cwe-482 - checkmarx-best-coding-practices - boost-baseline 
@@ -24630,6 +25138,7 @@ rules: Groovy_Best_Coding_Practice_Declaration_Of_Catch_For_Generic_Exception: categories: - cwe-396 + - owasp-top-10 - checkmarx-best-coding-practices - boost-baseline - ALL @@ -24642,6 +25151,7 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Groovy_Best_Coding_Practice_Declaration_of_Throws_for_Generic_Exception: categories: + - owasp-top-10 - cwe-397 - checkmarx-best-coding-practices - boost-baseline @@ -24656,6 +25166,7 @@ rules: Groovy_Best_Coding_Practice_Deprecated_Groovy_Code: categories: - cwe-477 + - owasp-top-10 - checkmarx-best-coding-practices - boost-baseline - ALL @@ -24685,6 +25196,7 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Groovy_Best_Coding_Practice_Empty_Methods: categories: + - owasp-top-10 - cwe-398 - checkmarx-best-coding-practices - boost-baseline @@ -24697,6 +25209,7 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Groovy_Best_Coding_Practice_Explicit_Calls_To_Methods: categories: + - owasp-top-10 - cwe-398 - checkmarx-best-coding-practices - boost-baseline @@ -24709,6 +25222,7 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Groovy_Best_Coding_Practice_Explicit_Instantiation: categories: + - owasp-top-10 - cwe-398 - checkmarx-best-coding-practices - boost-baseline @@ -24721,6 +25235,7 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Groovy_Best_Coding_Practice_Exposure_of_Resource_to_Wrong_Sphere: categories: + - owasp-top-10 - cwe-493 - checkmarx-best-coding-practices - boost-baseline @@ -24734,6 +25249,7 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Groovy_Best_Coding_Practice_GOTO_Statement: categories: + - owasp-top-10 - checkmarx-best-coding-practices - boost-baseline - ALL 
@@ -24751,6 +25267,7 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Groovy_Best_Coding_Practice_Getter_Method_Could_Be_Property: categories: + - owasp-top-10 - cwe-398 - checkmarx-best-coding-practices - boost-baseline @@ -24794,6 +25311,7 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Groovy_Best_Coding_Practice_Incorrect_Block_Delimitation: categories: + - owasp-top-10 - checkmarx-best-coding-practices - boost-baseline - ALL @@ -24808,6 +25326,7 @@ rules: Groovy_Best_Coding_Practice_Just_One_of_Equals_and_Hash_code_Defined: categories: - ALL + - owasp-top-10 - checkmarx-best-coding-practices - boost-baseline - cwe-581 @@ -24820,6 +25339,7 @@ rules: Groovy_Best_Coding_Practice_Missing_Default_Case_In_Switch_Statement: categories: - cwe-478 + - owasp-top-10 - checkmarx-best-coding-practices - boost-baseline - ALL @@ -24833,6 +25353,7 @@ rules: Groovy_Best_Coding_Practice_Omitted_Break_Statement_In_Switch: categories: - cwe-484 + - owasp-top-10 - checkmarx-best-coding-practices - boost-baseline - ALL @@ -24847,6 +25368,7 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Groovy_Best_Coding_Practice_Potential_Usage_of_Vulnerable_Log4J: categories: + - owasp-top-10 - cwe-400 - checkmarx-best-coding-practices - boost-baseline @@ -24862,6 +25384,7 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Groovy_Best_Coding_Practice_Public_Static_Field_Not_Marked_Final: categories: + - owasp-top-10 - checkmarx-best-coding-practices - cwe-500 - boost-baseline @@ -24876,6 +25399,7 @@ rules: Groovy_Best_Coding_Practice_Return_Inside_Finally_Block: categories: - cwe-584 + - owasp-top-10 - checkmarx-best-coding-practices - boost-baseline - ALL 
@@ -24888,6 +25412,7 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Groovy_Best_Coding_Practice_Use_Collect_Many: categories: + - owasp-top-10 - cwe-398 - checkmarx-best-coding-practices - boost-baseline @@ -24900,6 +25425,7 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Groovy_Best_Coding_Practice_Use_Collect_Nested: categories: + - owasp-top-10 - cwe-398 - checkmarx-best-coding-practices - boost-baseline @@ -24913,6 +25439,7 @@ rules: Groovy_Best_Coding_Practice_Use_of_Wrong_Operator_in_String_Comparison: categories: - cwe-597 + - owasp-top-10 - checkmarx-best-coding-practices - boost-baseline - ALL @@ -25275,6 +25802,7 @@ rules: categories: - cwe-171 - checkmarx-low-visibility + - owasp-top-10 - boost-baseline - ALL description: Improper handling of data within protection mechanisms that attempt @@ -25288,6 +25816,7 @@ rules: categories: - checkmarx-low-visibility - cwe-182 + - owasp-top-10 - boost-baseline - ALL description: The product filters data in a way that causes it to be reduced or @@ -25301,6 +25830,7 @@ rules: categories: - ALL - checkmarx-low-visibility + - owasp-top-10 - boost-baseline - cwe-378 description: Opening temporary files without appropriate measures or controls @@ -25315,6 +25845,7 @@ rules: categories: - cwe-379 - checkmarx-low-visibility + - owasp-top-10 - boost-baseline - ALL description: The product creates a temporary file in a directory whose permissions @@ -25329,6 +25860,7 @@ rules: categories: - cwe-203 - checkmarx-low-visibility + - owasp-top-10 - boost-baseline - ALL description: The product behaves differently or sends different responses under @@ -25346,7 +25878,6 @@ rules: - ALL - checkmarx-low-visibility - cwe-15 - - owasp-top-10 description: One or more system settings or configuration elements can be externally controlled by a user. group: top10-security-misconfiguration 
@@ -25358,6 +25889,7 @@ rules: categories: - checkmarx-low-visibility - cwe-362 + - owasp-top-10 - boost-baseline - ALL - cwe-top-25 @@ -25373,6 +25905,7 @@ rules: Groovy_Low_Visibility_Divide_By_Zero: categories: - checkmarx-low-visibility + - owasp-top-10 - cwe-369 - boost-baseline - ALL @@ -25445,6 +25978,7 @@ rules: categories: - cwe-244 - checkmarx-low-visibility + - owasp-top-10 - boost-baseline - ALL description: Using realloc() to resize buffers that store sensitive information @@ -25476,6 +26010,7 @@ rules: categories: - cwe-248 - checkmarx-low-visibility + - owasp-top-10 - boost-baseline - ALL description: An exception is thrown from a function, but it is not caught. @@ -25488,6 +26023,7 @@ rules: categories: - cwe-413 - checkmarx-low-visibility + - owasp-top-10 - boost-baseline - ALL description: The product does not lock or does not correctly lock a resource when @@ -25501,6 +26037,7 @@ rules: categories: - cwe-404 - checkmarx-low-visibility + - owasp-top-10 - boost-baseline - ALL description: The product does not release or incorrectly releases a resource before @@ -25528,6 +26065,7 @@ rules: categories: - cwe-460 - checkmarx-low-visibility + - owasp-top-10 - boost-baseline - ALL description: The product does not clean up its state or incorrectly cleans up @@ -25541,6 +26079,7 @@ rules: Groovy_Low_Visibility_Information_Exposure_Through_Debug_Log: categories: - checkmarx-low-visibility + - owasp-top-10 - cwe-534 - boost-baseline - ALL @@ -25555,6 +26094,7 @@ rules: categories: - ALL - checkmarx-low-visibility + - owasp-top-10 - boost-baseline - cwe-533 description: This entry has been deprecated because its abstraction was too low-level. @@ -25582,6 +26122,7 @@ rules: categories: - cwe-615 - checkmarx-low-visibility + - owasp-top-10 - boost-baseline - ALL description: 'While adding general comments is very useful, some programmers tend 
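Review bot: The rule in hunk `@@ -25555,6 +26094,7 @@` is mapped only to `cwe-533`, and its own description on this line says the CWE entry has been deprecated, so tagging it `owasp-top-10` on the strength of a deprecated CWE is fragile: no current MITRE view carries the deprecated id, and the generated category will drift as soon as the list is rebuilt from a live view. It appears to be a log-file exposure rule (CWE-533 was folded into CWE-532, an A09:2021 CWE), so I would re-map it to `- cwe-532` and let the script re-derive the category. The rule name is above the hunk and not visible here, so please verify against the full entry.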
@@ -25611,6 +26152,7 @@ rules: categories: - cwe-535 - checkmarx-low-visibility + - owasp-top-10 - boost-baseline - ALL description: A command shell error message indicates that there exists an unhandled @@ -25656,6 +26198,7 @@ rules: categories: - cwe-190 - checkmarx-low-visibility + - owasp-top-10 - boost-baseline - ALL - cwe-top-25 @@ -25672,6 +26215,7 @@ rules: categories: - cwe-191 - checkmarx-low-visibility + - owasp-top-10 - boost-baseline - ALL description: The product subtracts one value from another, such that the result @@ -25685,6 +26229,7 @@ rules: Groovy_Low_Visibility_Leaving_Temporary_File: categories: - checkmarx-low-visibility + - owasp-top-10 - boost-baseline - ALL - cwe-376 @@ -25700,7 +26245,6 @@ rules: - ALL - cwe-117 - checkmarx-low-visibility - - owasp-top-10 description: The product does not neutralize or incorrectly neutralizes output that is written to logs. group: top10-security-logging-monitoring-failures @@ -25726,6 +26270,7 @@ rules: categories: - checkmarx-low-visibility - cwe-549 + - owasp-top-10 - boost-baseline - ALL description: The product does not mask passwords during entry, increasing the @@ -25754,6 +26299,7 @@ rules: categories: - checkmarx-low-visibility - cwe-491 + - owasp-top-10 - boost-baseline - ALL description: A class has a cloneable() method that is not declared final, which @@ -25768,6 +26314,7 @@ rules: categories: - cwe-193 - checkmarx-low-visibility + - owasp-top-10 - boost-baseline - ALL description: A product calculates or uses an incorrect maximum or minimum value @@ -25795,6 +26342,7 @@ rules: Groovy_Low_Visibility_Parse_Double_DoS: categories: - checkmarx-low-visibility + - owasp-top-10 - boost-baseline - ALL - cwe-730 @@ -25810,7 +26358,6 @@ rules: - ALL - checkmarx-low-visibility - cwe-315 - - owasp-top-10 description: The product stores sensitive information in cleartext in a cookie. group: top10-security-misconfiguration name: Groovy_Low_Visibility_Plaintext_Storage_in_a_Cookie 
@@ -25836,6 +26383,7 @@ rules: Groovy_Low_Visibility_Potential_ReDoS: categories: - checkmarx-low-visibility + - owasp-top-10 - cwe-400 - boost-baseline - ALL @@ -25851,6 +26399,7 @@ rules: Groovy_Low_Visibility_Potential_ReDoS_By_Injection: categories: - checkmarx-low-visibility + - owasp-top-10 - cwe-400 - boost-baseline - ALL @@ -25866,6 +26415,7 @@ rules: Groovy_Low_Visibility_Potential_ReDoS_In_Match: categories: - checkmarx-low-visibility + - owasp-top-10 - cwe-400 - boost-baseline - ALL @@ -25881,6 +26431,7 @@ rules: Groovy_Low_Visibility_Potential_ReDoS_In_Replace: categories: - checkmarx-low-visibility + - owasp-top-10 - cwe-400 - boost-baseline - ALL @@ -25896,6 +26447,7 @@ rules: Groovy_Low_Visibility_Potential_ReDoS_In_Static_Field: categories: - checkmarx-low-visibility + - owasp-top-10 - cwe-400 - boost-baseline - ALL @@ -25912,6 +26464,7 @@ rules: categories: - cwe-607 - checkmarx-low-visibility + - owasp-top-10 - boost-baseline - ALL description: A public or protected static final field references a mutable object, @@ -25926,6 +26479,7 @@ rules: categories: - checkmarx-low-visibility - cwe-362 + - owasp-top-10 - boost-baseline - ALL - cwe-top-25 @@ -25942,6 +26496,7 @@ rules: categories: - checkmarx-low-visibility - cwe-362 + - owasp-top-10 - boost-baseline - ALL - cwe-top-25 @@ -25973,6 +26528,7 @@ rules: categories: - cwe-350 - checkmarx-low-visibility + - owasp-top-10 - boost-baseline - ALL description: The product performs reverse DNS resolution on an IP address to obtain @@ -26006,7 +26562,6 @@ rules: - cwe-614 - checkmarx-low-visibility - ALL - - owasp-top-10 description: The Secure attribute for sensitive cookies in HTTPS sessions is not set, which could cause the user agent to send those cookies in plaintext over an HTTP session. @@ -26018,6 +26573,7 @@ rules: Groovy_Low_Visibility_Serializable_Class_Containing_Sensitive_Data: categories: - checkmarx-low-visibility + - owasp-top-10 - cwe-499 - boost-baseline - ALL 
@@ -26032,6 +26588,7 @@ rules: Groovy_Low_Visibility_Spring_defaultHtmlEscape_Not_True: categories: - checkmarx-low-visibility + - owasp-top-10 - boost-baseline - ALL description: The Spring configuration property 'defaultHtmlEscape', which prevents @@ -26064,6 +26621,7 @@ rules: Groovy_Low_Visibility_TOCTOU: categories: - checkmarx-low-visibility + - owasp-top-10 - boost-baseline - ALL - cwe-367 @@ -26094,6 +26652,7 @@ rules: categories: - cwe-248 - checkmarx-low-visibility + - owasp-top-10 - boost-baseline - ALL description: An exception is thrown from a function, but it is not caught. @@ -26105,6 +26664,7 @@ rules: Groovy_Low_Visibility_Unchecked_Return_Value_to_NULL_Pointer_Dereference: categories: - checkmarx-low-visibility + - owasp-top-10 - cwe-690 - boost-baseline - ALL @@ -26120,6 +26680,7 @@ rules: categories: - cwe-134 - checkmarx-low-visibility + - owasp-top-10 - boost-baseline - ALL description: The product uses a function that accepts a format string as an argument, @@ -26133,6 +26694,7 @@ rules: categories: - cwe-789 - checkmarx-low-visibility + - owasp-top-10 - boost-baseline - ALL description: The product allocates memory based on an untrusted, large size value, @@ -26147,6 +26709,7 @@ rules: categories: - cwe-567 - checkmarx-low-visibility + - owasp-top-10 - boost-baseline - ALL description: The product does not properly synchronize shared data, such as static @@ -26174,6 +26737,7 @@ rules: Groovy_Low_Visibility_Use_Of_getenv: categories: - checkmarx-low-visibility + - owasp-top-10 - cwe-589 - boost-baseline - ALL @@ -26201,6 +26765,7 @@ rules: Groovy_Low_Visibility_Use_of_Client_Side_Authentication: categories: - checkmarx-low-visibility + - owasp-top-10 - cwe-603 - boost-baseline - ALL 
@@ -26218,7 +26783,6 @@ rules: - ALL - cwe-547 - checkmarx-low-visibility - - owasp-top-10 description: The product uses hard-coded constants instead of symbolic names for security-critical values, which increases the likelihood of mistakes during code maintenance or security policy change. @@ -26245,6 +26809,7 @@ rules: categories: - cwe-293 - checkmarx-low-visibility + - owasp-top-10 - boost-baseline - ALL description: The referer field in HTTP requests can be easily modified and, as @@ -26257,6 +26822,7 @@ rules: Groovy_Medium_Threat_Absolute_Path_Traversal: categories: - checkmarx-medium-threat + - owasp-top-10 - cwe-36 - boost-baseline - ALL @@ -26362,6 +26928,7 @@ rules: Groovy_Medium_Threat_Direct_Use_of_Unsafe_JNI: categories: - checkmarx-medium-threat + - owasp-top-10 - boost-baseline - ALL - cwe-111 @@ -26376,6 +26943,7 @@ rules: Groovy_Medium_Threat_DoS_by_Sleep: categories: - checkmarx-medium-threat + - owasp-top-10 - boost-baseline - ALL description: The product performs an iteration or loop without sufficiently limiting @@ -26406,7 +26974,6 @@ rules: - ALL - checkmarx-medium-threat - cwe-15 - - owasp-top-10 description: One or more system settings or configuration elements can be externally controlled by a user. group: top10-security-misconfiguration @@ -26435,7 +27002,6 @@ rules: - ALL - cwe-547 - checkmarx-medium-threat - - owasp-top-10 description: The product uses hard-coded constants instead of symbolic names for security-critical values, which increases the likelihood of mistakes during code maintenance or security policy change. @@ -26450,7 +27016,6 @@ rules: - ALL - boost-baseline - checkmarx-medium-threat - - owasp-top-10 description: The product uses a cookie to store sensitive information, but the cookie is not marked with the HttpOnly flag. group: top10-security-misconfiguration 
@@ -26464,7 +27029,6 @@ rules: - ALL - boost-baseline - checkmarx-medium-threat - - owasp-top-10 description: The product uses a cookie to store sensitive information, but the cookie is not marked with the HttpOnly flag. group: top10-security-misconfiguration @@ -26476,6 +27040,7 @@ rules: categories: - checkmarx-medium-threat - cwe-667 + - owasp-top-10 - boost-baseline - ALL description: The product does not properly acquire or release a lock on a resource, @@ -26502,6 +27067,7 @@ rules: Groovy_Medium_Threat_Multiple_Binds_to_the_Same_Port: categories: - checkmarx-medium-threat + - owasp-top-10 - boost-baseline - ALL - cwe-605 @@ -26559,6 +27125,7 @@ rules: Groovy_Medium_Threat_Process_Control: categories: - checkmarx-medium-threat + - owasp-top-10 - cwe-114 - boost-baseline - ALL @@ -26573,6 +27140,7 @@ rules: Groovy_Medium_Threat_ReDoS_From_Regex_Injection: categories: - checkmarx-medium-threat + - owasp-top-10 - cwe-400 - boost-baseline - ALL @@ -26588,6 +27156,7 @@ rules: Groovy_Medium_Threat_ReDoS_In_Match: categories: - checkmarx-medium-threat + - owasp-top-10 - cwe-400 - boost-baseline - ALL @@ -26603,6 +27172,7 @@ rules: Groovy_Medium_Threat_ReDoS_In_Pattern: categories: - checkmarx-medium-threat + - owasp-top-10 - cwe-400 - boost-baseline - ALL @@ -26618,6 +27188,7 @@ rules: Groovy_Medium_Threat_ReDoS_In_Replace: categories: - checkmarx-medium-threat + - owasp-top-10 - cwe-400 - boost-baseline - ALL @@ -26725,6 +27296,7 @@ rules: Groovy_Medium_Threat_Stored_Absolute_Path_Traversal: categories: - checkmarx-medium-threat + - owasp-top-10 - cwe-36 - boost-baseline - ALL @@ -26788,6 +27360,7 @@ rules: Groovy_Medium_Threat_Unchecked_Input_for_Loop_Condition: categories: - checkmarx-medium-threat + - owasp-top-10 - cwe-606 - boost-baseline - ALL @@ -26819,6 +27392,7 @@ rules: categories: - checkmarx-medium-threat - cwe-819 + - owasp-top-10 - boost-baseline - ALL description: Relates to using redirects and forwards that have not been validated. 
@@ -26872,6 +27446,7 @@ rules: Groovy_Medium_Threat_Use_of_Native_Language: categories: - checkmarx-medium-threat + - owasp-top-10 - cwe-695 - boost-baseline - ALL @@ -26886,6 +27461,7 @@ rules: categories: - checkmarx-medium-threat - cwe-382 + - owasp-top-10 - boost-baseline - ALL description: A J2EE application uses System.exit(), which also shuts down its @@ -27039,6 +27615,7 @@ rules: categories: - checkmarx-server-side-vulnerability - cwe-366 + - owasp-top-10 - boost-baseline - ALL description: If two threads of execution use a resource simultaneously, there @@ -27085,7 +27662,6 @@ rules: - ALL - cwe-15 - checkmarx-server-side-vulnerability - - owasp-top-10 description: One or more system settings or configuration elements can be externally controlled by a user. group: top10-security-misconfiguration @@ -27128,6 +27704,7 @@ rules: JavaScript_Angular_Angular_Deprecated_API: categories: - cwe-477 + - owasp-top-10 - boost-baseline - ALL description: The code uses deprecated or obsolete functions, which suggests that @@ -27140,6 +27717,7 @@ rules: JavaScript_Angular_Angular_Improper_Type_Pipe_Usage: categories: - cwe-228 + - owasp-top-10 - boost-baseline - ALL description: The product does not handle or incorrectly handles input that is @@ -27169,6 +27747,7 @@ rules: - boost-baseline - ALL - checkmarx-best-coding-practices + - owasp-top-10 description: The use of the FinalizationRegistry object in JavaScript is detected, which may lead to unexpected behavior or memory leaks, as this object allows managed interaction with garbage collection. @@ -27182,6 +27761,7 @@ rules: - boost-baseline - ALL - checkmarx-best-coding-practices + - owasp-top-10 description: Avoid using the WeakRef JavaScript feature, as it poses risks associated with unintended garbage collection leading to potential memory leaks or unexpected application behaviors. 
@@ -27207,6 +27787,7 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html JavaScript_Best_Coding_Practice_React_Multiple_Classes_With_Same_Name: categories: + - owasp-top-10 - cwe-694 - checkmarx-best-coding-practices - boost-baseline @@ -27220,6 +27801,7 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html JavaScript_Best_Coding_Practice_Use_Of_Multiple_Mixins: categories: + - owasp-top-10 - cwe-710 - checkmarx-best-coding-practices - boost-baseline @@ -27284,7 +27866,6 @@ rules: - ALL - boost-baseline - checkmarx-cordova - - owasp-top-10 description: The product uses a cross-domain policy file that includes domains that should not be trusted. group: top10-security-misconfiguration @@ -27507,6 +28088,7 @@ rules: JavaScript_High_Risk_Prototype_Pollution: categories: - boost-hardened + - owasp-top-10 - boost-baseline - ALL - checkmarx-high-risk @@ -27559,7 +28141,6 @@ rules: - ALL - checkmarx-low-visibility - cwe-315 - - owasp-top-10 description: The product stores sensitive information in cleartext in a cookie. group: top10-security-misconfiguration name: JavaScript_Low_Visibility_Client_Cookies_Inspection @@ -27569,6 +28150,7 @@ rules: JavaScript_Low_Visibility_Client_Cross_Session_Contamination: categories: - checkmarx-low-visibility + - owasp-top-10 - boost-baseline - ALL - cwe-488 @@ -27701,6 +28283,7 @@ rules: categories: - cwe-477 - checkmarx-low-visibility + - owasp-top-10 - boost-baseline - ALL description: The code uses deprecated or obsolete functions, which suggests that @@ -27714,6 +28297,7 @@ rules: categories: - cwe-477 - checkmarx-low-visibility + - owasp-top-10 - boost-baseline - ALL description: The code uses deprecated or obsolete functions, which suggests that @@ -27726,6 +28310,7 @@ rules: JavaScript_Low_Visibility_Client_Negative_Content_Length: categories: - checkmarx-low-visibility + - owasp-top-10 - cwe-398 - boost-baseline - ALL 
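Review bot: The position at which `owasp-top-10` is inserted into `categories` varies from rule to rule: first in the list for `JavaScript_Best_Coding_Practice_React_Multiple_Classes_With_Same_Name` and `JavaScript_Best_Coding_Practice_Use_Of_Multiple_Mixins`, but between `checkmarx-low-visibility` and `cwe-398` for `JavaScript_Low_Visibility_Client_Negative_Content_Length` later in the same line. If the normalizer wrote `categories` in one fixed order (for example sorted, or scanner tag, then CWEs, then list names), re-running it would produce stable diffs that are easy to review instead of one-line insertions at arbitrary offsets. This is a point about the generated layout only, not about which rules belong in the list.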
@@ -27755,7 +28340,6 @@ rules: - ALL - boost-baseline - checkmarx-low-visibility - - owasp-top-10 description: The product uses a cross-domain policy file that includes domains that should not be trusted. group: top10-security-misconfiguration @@ -27767,6 +28351,7 @@ rules: categories: - cwe-615 - checkmarx-low-visibility + - owasp-top-10 - boost-baseline - ALL description: 'While adding general comments is very useful, some programmers tend @@ -27796,6 +28381,7 @@ rules: categories: - cwe-693 - checkmarx-low-visibility + - owasp-top-10 - boost-baseline - ALL description: The product does not use or incorrectly uses a protection mechanism @@ -27823,6 +28409,7 @@ rules: JavaScript_Low_Visibility_Client_Potential_ReDoS_In_Match: categories: - checkmarx-low-visibility + - owasp-top-10 - cwe-400 - boost-baseline - ALL @@ -27838,6 +28425,7 @@ rules: JavaScript_Low_Visibility_Client_Potential_ReDoS_In_Replace: categories: - checkmarx-low-visibility + - owasp-top-10 - cwe-400 - boost-baseline - ALL @@ -27853,6 +28441,7 @@ rules: JavaScript_Low_Visibility_Client_Regex_Injection: categories: - checkmarx-low-visibility + - owasp-top-10 - cwe-400 - boost-baseline - ALL @@ -27897,6 +28486,7 @@ rules: categories: - cwe-937 - checkmarx-low-visibility + - owasp-top-10 - boost-baseline - ALL description: Relates to using components with known vulnerabilities @@ -28027,6 +28617,7 @@ rules: categories: - cwe-693 - checkmarx-low-visibility + - owasp-top-10 - boost-baseline - ALL description: The product does not use or incorrectly uses a protection mechanism @@ -28040,6 +28631,7 @@ rules: categories: - cwe-477 - checkmarx-low-visibility + - owasp-top-10 - boost-baseline - ALL description: The code uses deprecated or obsolete functions, which suggests that @@ -28052,6 +28644,7 @@ rules: JavaScript_Low_Visibility_Unsafe_Use_Of_Target_blank: categories: - checkmarx-low-visibility + - owasp-top-10 - boost-baseline - ALL - cwe-1022 
@@ -28069,6 +28662,7 @@ rules: - boost-baseline - ALL - checkmarx-low-visibility + - owasp-top-10 description: Sensitive JavaScript fields are being populated with user-controlled input without sufficient validation or sanitization, exposing potential security vulnerabilities such as injection attacks. @@ -28188,6 +28782,7 @@ rules: JavaScript_Medium_Threat_Client_DoS_By_Sleep: categories: - checkmarx-medium-threat + - owasp-top-10 - boost-baseline - ALL - cwe-730 @@ -28320,6 +28915,7 @@ rules: JavaScript_Medium_Threat_Client_ReDoS_From_Regex_Injection: categories: - checkmarx-medium-threat + - owasp-top-10 - cwe-400 - boost-baseline - ALL @@ -28335,6 +28931,7 @@ rules: JavaScript_Medium_Threat_Client_ReDoS_In_Match: categories: - checkmarx-medium-threat + - owasp-top-10 - cwe-400 - boost-baseline - ALL @@ -28350,6 +28947,7 @@ rules: JavaScript_Medium_Threat_Client_ReDoS_In_Replace: categories: - checkmarx-medium-threat + - owasp-top-10 - cwe-400 - boost-baseline - ALL @@ -28365,6 +28963,7 @@ rules: JavaScript_Medium_Threat_Client_ReDos_In_RegExp: categories: - checkmarx-medium-threat + - owasp-top-10 - cwe-400 - boost-baseline - ALL @@ -28409,6 +29008,7 @@ rules: categories: - checkmarx-medium-threat - cwe-618 + - owasp-top-10 - boost-baseline - ALL description: An ActiveX control is intended for use in a web browser, but it exposes @@ -28423,6 +29023,7 @@ rules: categories: - cwe-477 - checkmarx-medium-threat + - owasp-top-10 - boost-baseline - ALL description: The code uses deprecated or obsolete functions, which suggests that @@ -28523,6 +29124,7 @@ rules: JavaScript_Medium_Threat_Unchecked_Input_For_Loop_Condition: categories: - checkmarx-medium-threat + - owasp-top-10 - cwe-606 - boost-baseline - ALL 
@@ -28541,7 +29143,6 @@ rules: - boost-baseline - ALL - cwe-top-25 - - owasp-top-10 description: The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output. @@ -28566,6 +29167,7 @@ rules: JavaScript_ReactNative_Insecure_Text_Entry: categories: - cwe-549 + - owasp-top-10 - boost-baseline - ALL description: The product does not mask passwords during entry, increasing the @@ -28591,6 +29193,7 @@ rules: JavaScript_ReactNative_Missing_Root_Or_Jailbreak_Check: categories: - cwe-693 + - owasp-top-10 - boost-baseline - ALL description: The product does not use or incorrectly uses a protection mechanism @@ -28633,6 +29236,7 @@ rules: categories: - cwe-474 - checkmarx-sapui5 + - owasp-top-10 - boost-baseline - ALL description: The code uses a function that has inconsistent implementations across @@ -28646,6 +29250,7 @@ rules: categories: - cwe-474 - checkmarx-sapui5 + - owasp-top-10 - boost-baseline - ALL description: The code uses a function that has inconsistent implementations across @@ -28659,6 +29264,7 @@ rules: categories: - cwe-477 - checkmarx-sapui5 + - owasp-top-10 - boost-baseline - ALL description: The code uses deprecated or obsolete functions, which suggests that @@ -28686,6 +29292,7 @@ rules: categories: - cwe-474 - checkmarx-sapui5 + - owasp-top-10 - boost-baseline - ALL description: The code uses a function that has inconsistent implementations across @@ -28726,6 +29333,7 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html JavaScript_Server_Side_Vulnerabilities_Absolute_Path_Traversal: categories: + - owasp-top-10 - cwe-36 - boost-baseline - ALL 
@@ -28807,6 +29415,7 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html JavaScript_Server_Side_Vulnerabilities_Comparing_instead_of_Assigning: categories: + - owasp-top-10 - cwe-482 - boost-baseline - ALL @@ -28835,6 +29444,7 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html JavaScript_Server_Side_Vulnerabilities_Divide_By_Zero: categories: + - owasp-top-10 - cwe-369 - boost-baseline - ALL @@ -28876,6 +29486,7 @@ rules: JavaScript_Server_Side_Vulnerabilities_Expression_is_Always_False: categories: - cwe-570 + - owasp-top-10 - boost-baseline - ALL - checkmarx-server-side-vulnerability @@ -28887,6 +29498,7 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html JavaScript_Server_Side_Vulnerabilities_Expression_is_Always_True: categories: + - owasp-top-10 - cwe-571 - boost-baseline - ALL @@ -28918,7 +29530,6 @@ rules: - ALL - cwe-547 - checkmarx-server-side-vulnerability - - owasp-top-10 description: The product uses hard-coded constants instead of symbolic names for security-critical values, which increases the likelihood of mistakes during code maintenance or security policy change. @@ -28947,7 +29558,6 @@ rules: - ALL - checkmarx-server-side-vulnerability - cwe-532 - - owasp-top-10 description: Information written to log files can be of a sensitive nature and give valuable guidance to an attacker or expose sensitive user information. group: top10-security-logging-monitoring-failures @@ -28973,6 +29583,7 @@ rules: categories: - boost-hardened - cwe-813 + - owasp-top-10 - boost-baseline - ALL - checkmarx-server-side-vulnerability @@ -28986,6 +29597,7 @@ rules: categories: - cwe-933 - boost-hardened + - owasp-top-10 - boost-baseline - ALL - checkmarx-server-side-vulnerability 
@@ -29058,6 +29670,7 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html JavaScript_Server_Side_Vulnerabilities_JWT_No_NotBefore_Validation: categories: + - owasp-top-10 - boost-baseline - ALL - checkmarx-server-side-vulnerability @@ -29105,7 +29718,6 @@ rules: - ALL - cwe-117 - checkmarx-server-side-vulnerability - - owasp-top-10 description: The product does not neutralize or incorrectly neutralizes output that is written to logs. group: top10-security-logging-monitoring-failures @@ -29130,6 +29742,7 @@ rules: JavaScript_Server_Side_Vulnerabilities_Missing_Default_Case_In_Switch_Statement: categories: - cwe-478 + - owasp-top-10 - boost-baseline - ALL - checkmarx-server-side-vulnerability @@ -29175,6 +29788,7 @@ rules: JavaScript_Server_Side_Vulnerabilities_Null_Password: categories: - cwe-252 + - owasp-top-10 - boost-baseline - ALL - checkmarx-server-side-vulnerability @@ -29188,6 +29802,7 @@ rules: JavaScript_Server_Side_Vulnerabilities_Omitted_Break_Statement_In_Switch: categories: - cwe-484 + - owasp-top-10 - boost-baseline - ALL - checkmarx-server-side-vulnerability @@ -29305,6 +29920,7 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html JavaScript_Server_Side_Vulnerabilities_ReDoS_in_RegExp: categories: + - owasp-top-10 - cwe-400 - boost-baseline - ALL @@ -29371,6 +29987,7 @@ rules: JavaScript_Server_Side_Vulnerabilities_SSL_Verification_Bypass: categories: - cwe-599 + - owasp-top-10 - boost-baseline - ALL - checkmarx-server-side-vulnerability @@ -29420,6 +30037,7 @@ rules: categories: - cwe-933 - boost-hardened + - owasp-top-10 - boost-baseline - ALL - checkmarx-server-side-vulnerability @@ -29445,6 +30063,7 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html JavaScript_Server_Side_Vulnerabilities_Server_DoS_by_Loop: categories: + - owasp-top-10 - boost-baseline - ALL - cwe-730 
@@ -29457,6 +30076,7 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html JavaScript_Server_Side_Vulnerabilities_Server_DoS_by_Sleep: categories: + - owasp-top-10 - boost-baseline - ALL - cwe-730 @@ -29522,6 +30142,7 @@ rules: JavaScript_Server_Side_Vulnerabilities_Uncontrolled_Format_String: categories: - cwe-134 + - owasp-top-10 - boost-baseline - ALL - checkmarx-server-side-vulnerability @@ -29538,7 +30159,6 @@ rules: - cwe-614 - checkmarx-server-side-vulnerability - ALL - - owasp-top-10 description: The Secure attribute for sensitive cookies in HTTPS sessions is not set, which could cause the user agent to send those cookies in plaintext over an HTTP session. @@ -29621,6 +30241,7 @@ rules: JavaScript_Server_Side_Vulnerabilities_Use_of_Deprecated_or_Obsolete_Functions: categories: - cwe-477 + - owasp-top-10 - boost-baseline - ALL - checkmarx-server-side-vulnerability @@ -29647,6 +30268,7 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html JavaScript_Vue_Declaration_of_Multiple_Vue_Components_per_File: categories: + - owasp-top-10 - cwe-710 - boost-baseline - ALL @@ -29660,6 +30282,7 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html JavaScript_Vue_Declaration_of_Vue_Component_Data_as_Property: categories: + - owasp-top-10 - cwe-710 - boost-baseline - ALL @@ -29673,6 +30296,7 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html JavaScript_Vue_Inconsistent_Component_Top_Level_Elements_Ordering: categories: + - owasp-top-10 - cwe-710 - boost-baseline - ALL @@ -29686,6 +30310,7 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html JavaScript_Vue_Inconsistent_use_of_Directive_Shorthands: categories: + - owasp-top-10 - cwe-710 - boost-baseline - ALL 
@@ -29699,6 +30324,7 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html JavaScript_Vue_Use_of_Implicit_Types_on_Vue_Component_Props: categories: + - owasp-top-10 - cwe-710 - boost-baseline - ALL @@ -29712,6 +30338,7 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html JavaScript_Vue_Use_of_Single_Word_Named_Vue_Components: categories: + - owasp-top-10 - cwe-710 - boost-baseline - ALL @@ -29725,6 +30352,7 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html JavaScript_Vue_Use_of_vif_and_vfor_On_Same_Element: categories: + - owasp-top-10 - cwe-710 - boost-baseline - ALL @@ -29792,7 +30420,6 @@ rules: - ALL - cwe-117 - checkmarx-xs - - owasp-top-10 description: The product does not neutralize or incorrectly neutralizes output that is written to logs. group: top10-security-logging-monitoring-failures @@ -29819,6 +30446,7 @@ rules: categories: - boost-baseline - checkmarx-xs + - owasp-top-10 - cwe-749 - ALL description: The product provides an Applications Programming Interface (API) @@ -29848,6 +30476,7 @@ rules: categories: - cwe-693 - checkmarx-xs + - owasp-top-10 - boost-baseline - ALL description: The product does not use or incorrectly uses a protection mechanism @@ -30055,6 +30684,7 @@ rules: Java_AWS_Lambda_Race_Condition_Global_Scope: categories: - checkmarx-server-side-vulnerability + - owasp-top-10 - boost-baseline - ALL description: The code is structured in a way that relies too much on using or @@ -30130,7 +30760,6 @@ rules: - ALL - cwe-15 - checkmarx-server-side-vulnerability - - owasp-top-10 description: One or more system settings or configuration elements can be externally controlled by a user. group: top10-security-misconfiguration @@ -30155,6 +30784,7 @@ rules: Java_Android_Allowed_Backup: categories: - cwe-530 + - owasp-top-10 - checkmarx-android - boost-baseline - ALL 
@@ -30168,6 +30798,7 @@ rules: Java_Android_Android_Improper_Resource_Shutdown_or_Release: categories: - cwe-404 + - owasp-top-10 - checkmarx-android - boost-baseline - ALL @@ -30197,6 +30828,7 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Java_Android_Client_Side_ReDoS: categories: + - owasp-top-10 - checkmarx-android - cwe-400 - boost-baseline @@ -30297,6 +30929,7 @@ rules: Java_Android_Failure_To_Implement_Least_Privilege: categories: - ALL + - owasp-top-10 - checkmarx-android - boost-baseline - cwe-250 @@ -30313,6 +30946,7 @@ rules: - boost-baseline - ALL - checkmarx-android + - owasp-top-10 description: Verifies if an Android application is properly requesting permissions. The absence or misuse of permission requests can lead to unauthorized access or functionality misuse. @@ -30352,6 +30986,7 @@ rules: Java_Android_Improper_Verification_Of_Intent_By_Broadcast_Receiver: categories: - cwe-925 + - owasp-top-10 - checkmarx-android - boost-baseline - ALL @@ -30365,6 +31000,7 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Java_Android_Information_Leak_Through_Response_Caching: categories: + - owasp-top-10 - checkmarx-android - cwe-524 - boost-baseline @@ -30379,6 +31015,7 @@ rules: Java_Android_Insecure_Android_SDK_Version: categories: - cwe-477 + - owasp-top-10 - checkmarx-android - boost-baseline - ALL @@ -30477,6 +31114,7 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Java_Android_Keyboard_Cache_Information_Leak: categories: + - owasp-top-10 - checkmarx-android - cwe-524 - boost-baseline @@ -30533,6 +31171,7 @@ rules: Java_Android_Missing_Rooted_Device_Check: categories: - cwe-693 + - owasp-top-10 - checkmarx-android - boost-baseline - ALL @@ -30603,6 +31242,7 @@ rules: Java_Android_ProGuard_Obfuscation_Not_In_Use: categories: - cwe-693 + - owasp-top-10 - checkmarx-android - boost-baseline - ALL 
@@ -30629,6 +31269,7 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Java_Android_Screen_Caching: categories: + - owasp-top-10 - checkmarx-android - cwe-524 - boost-baseline @@ -30698,6 +31339,7 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Java_Android_Use_of_Native_Language: categories: + - owasp-top-10 - checkmarx-android - cwe-695 - boost-baseline @@ -30713,6 +31355,7 @@ rules: categories: - boost-hardened - boost-baseline + - owasp-top-10 - checkmarx-android - cwe-749 - ALL @@ -30741,6 +31384,7 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Java_Android_WebView_Cache_Information_Leak: categories: + - owasp-top-10 - checkmarx-android - cwe-524 - boost-baseline @@ -30769,6 +31413,7 @@ rules: Java_Best_Coding_Practice_Array_Declared_Public_Final_and_Static: categories: - cwe-582 + - owasp-top-10 - checkmarx-best-coding-practices - boost-baseline - ALL @@ -30782,6 +31427,7 @@ rules: Java_Best_Coding_Practice_Assigning_instead_of_Comparing: categories: - cwe-481 + - owasp-top-10 - checkmarx-best-coding-practices - boost-baseline - ALL @@ -30795,6 +31441,7 @@ rules: Java_Best_Coding_Practice_Call_to_Thread_run: categories: - cwe-572 + - owasp-top-10 - checkmarx-best-coding-practices - boost-baseline - ALL @@ -30808,6 +31455,7 @@ rules: Java_Best_Coding_Practice_Catch_NullPointerException: categories: - cwe-395 + - owasp-top-10 - checkmarx-best-coding-practices - boost-baseline - ALL @@ -30820,6 +31468,7 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Java_Best_Coding_Practice_Comparing_instead_of_Assigning: categories: + - owasp-top-10 - cwe-482 - checkmarx-best-coding-practices - boost-baseline @@ -30834,6 +31483,7 @@ rules: Java_Best_Coding_Practice_Comparison_of_Classes_By_Name: categories: - cwe-486 + - owasp-top-10 - checkmarx-best-coding-practices - boost-baseline - ALL 
@@ -30846,6 +31496,7 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Java_Best_Coding_Practice_Confusing_Naming: categories: + - owasp-top-10 - cwe-710 - checkmarx-best-coding-practices - boost-baseline @@ -30860,6 +31511,7 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Java_Best_Coding_Practice_Critical_Public_Variable_Without_Final_Modifier: categories: + - owasp-top-10 - cwe-493 - checkmarx-best-coding-practices - boost-baseline @@ -30874,6 +31526,7 @@ rules: Java_Best_Coding_Practice_Dead_Code: categories: - cwe-561 + - owasp-top-10 - checkmarx-best-coding-practices - boost-baseline - ALL @@ -30886,6 +31539,7 @@ rules: Java_Best_Coding_Practice_Declaration_Of_Catch_For_Generic_Exception: categories: - cwe-396 + - owasp-top-10 - checkmarx-best-coding-practices - boost-baseline - ALL @@ -30898,6 +31552,7 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Java_Best_Coding_Practice_Declaration_of_Throws_for_Generic_Exception: categories: + - owasp-top-10 - cwe-397 - checkmarx-best-coding-practices - boost-baseline @@ -30912,6 +31567,7 @@ rules: Java_Best_Coding_Practice_Detection_of_Error_Condition_Without_Action: categories: - cwe-390 + - owasp-top-10 - checkmarx-best-coding-practices - boost-baseline - ALL @@ -30925,6 +31581,7 @@ rules: Java_Best_Coding_Practice_Direct_Use_of_Sockets: categories: - boost-baseline + - owasp-top-10 - checkmarx-best-coding-practices - cwe-246 - ALL @@ -30938,6 +31595,7 @@ rules: Java_Best_Coding_Practice_Direct_Use_of_Threads: categories: - ALL + - owasp-top-10 - checkmarx-best-coding-practices - boost-baseline - cwe-383 @@ -30982,6 +31640,7 @@ rules: Java_Best_Coding_Practice_Dynamic_Set_Of_Null_SecurityManager: categories: - cwe-274 + - owasp-top-10 - checkmarx-best-coding-practices - boost-baseline - ALL 
@@ -30994,6 +31653,7 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Java_Best_Coding_Practice_ESAPI_Banned_API: categories: + - owasp-top-10 - checkmarx-best-coding-practices - cwe-676 - boost-baseline @@ -31008,6 +31668,7 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Java_Best_Coding_Practice_Empty_Methods: categories: + - owasp-top-10 - cwe-398 - checkmarx-best-coding-practices - boost-baseline @@ -31021,6 +31682,7 @@ rules: Java_Best_Coding_Practice_Empty_Synchronized_Block: categories: - cwe-585 + - owasp-top-10 - checkmarx-best-coding-practices - boost-baseline - ALL @@ -31033,6 +31695,7 @@ rules: Java_Best_Coding_Practice_Empty_TryBlocks: categories: - cwe-390 + - owasp-top-10 - checkmarx-best-coding-practices - boost-baseline - ALL @@ -31045,6 +31708,7 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Java_Best_Coding_Practice_Explicit_Call_to_Finalize: categories: + - owasp-top-10 - checkmarx-best-coding-practices - boost-baseline - ALL @@ -31058,6 +31722,7 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Java_Best_Coding_Practice_Exposure_of_Resource_to_Wrong_Sphere: categories: + - owasp-top-10 - cwe-493 - checkmarx-best-coding-practices - boost-baseline @@ -31072,6 +31737,7 @@ rules: Java_Best_Coding_Practice_Expression_is_Always_False: categories: - cwe-570 + - owasp-top-10 - checkmarx-best-coding-practices - boost-baseline - ALL @@ -31083,6 +31749,7 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Java_Best_Coding_Practice_Expression_is_Always_True: categories: + - owasp-top-10 - cwe-571 - checkmarx-best-coding-practices - boost-baseline 
@@ -31095,6 +31762,7 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Java_Best_Coding_Practice_Failure_to_Catch_All_Exceptions_in_Servlet: categories: + - owasp-top-10 - checkmarx-best-coding-practices - cwe-600 - boost-baseline @@ -31108,6 +31776,7 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Java_Best_Coding_Practice_GOTO_Statement: categories: + - owasp-top-10 - checkmarx-best-coding-practices - boost-baseline - ALL @@ -31156,6 +31825,7 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Java_Best_Coding_Practice_Improper_Initialization: categories: + - owasp-top-10 - checkmarx-best-coding-practices - cwe-665 - boost-baseline @@ -31170,6 +31840,7 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Java_Best_Coding_Practice_Incorrect_Block_Delimitation: categories: + - owasp-top-10 - checkmarx-best-coding-practices - boost-baseline - ALL @@ -31184,6 +31855,7 @@ rules: Java_Best_Coding_Practice_Incorrect_Conversion_between_Numeric_Types: categories: - cwe-681 + - owasp-top-10 - checkmarx-best-coding-practices - boost-baseline - ALL @@ -31201,6 +31873,7 @@ rules: - boost-baseline - ALL - checkmarx-best-coding-practices + - owasp-top-10 description: Input data in a Java application is not being normalized, increasing the risk of data processing errors, security vulnerabilities, and malformed input exploitation. @@ -31215,7 +31888,6 @@ rules: - ALL - checkmarx-best-coding-practices - cwe-778 - - owasp-top-10 description: When a security-critical event occurs, the product either does not record the event or omits important details about the event when logging it. group: top10-security-logging-monitoring-failures 
@@ -31229,7 +31901,6 @@ rules: - ALL - checkmarx-best-coding-practices - cwe-778 - - owasp-top-10 description: When a security-critical event occurs, the product either does not record the event or omits important details about the event when logging it. group: top10-security-logging-monitoring-failures @@ -31240,6 +31911,7 @@ rules: Java_Best_Coding_Practice_Just_One_of_Equals_and_Hash_code_Defined: categories: - ALL + - owasp-top-10 - checkmarx-best-coding-practices - boost-baseline - cwe-581 @@ -31252,6 +31924,7 @@ rules: Java_Best_Coding_Practice_Leftover_Debug_Code: categories: - cwe-489 + - owasp-top-10 - checkmarx-best-coding-practices - boost-baseline - ALL @@ -31266,6 +31939,7 @@ rules: Java_Best_Coding_Practice_Missing_Default_Case_In_Switch_Statement: categories: - cwe-478 + - owasp-top-10 - checkmarx-best-coding-practices - boost-baseline - ALL @@ -31279,6 +31953,7 @@ rules: Java_Best_Coding_Practice_Missing_XML_Validation: categories: - cwe-112 + - owasp-top-10 - checkmarx-best-coding-practices - boost-baseline - ALL @@ -31305,6 +31980,7 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Java_Best_Coding_Practice_Not_Static_Final_Logger: categories: + - owasp-top-10 - cwe-398 - checkmarx-best-coding-practices - boost-baseline @@ -31317,6 +31993,7 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Java_Best_Coding_Practice_Null_Pointer_Dereference: categories: + - owasp-top-10 - checkmarx-best-coding-practices - cwe-476 - boost-baseline @@ -31333,6 +32010,7 @@ rules: Java_Best_Coding_Practice_Omitted_Break_Statement_In_Switch: categories: - cwe-484 + - owasp-top-10 - checkmarx-best-coding-practices - boost-baseline - ALL 
@@ -31347,6 +32025,7 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Java_Best_Coding_Practice_Pages_Without_Global_Error_Handler: categories: + - owasp-top-10 - cwe-544 - checkmarx-best-coding-practices - boost-baseline @@ -31362,6 +32041,7 @@ rules: Java_Best_Coding_Practice_Portability_Flaw_In_File_Separator: categories: - cwe-474 + - owasp-top-10 - checkmarx-best-coding-practices - boost-baseline - ALL @@ -31377,6 +32057,7 @@ rules: - boost-baseline - ALL - checkmarx-best-coding-practices + - owasp-top-10 description: Indicates the potential usage of Spring Shell libraries, posing a risk of code execution vulnerability if unattended commands are exposed to the user. @@ -31387,6 +32068,7 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Java_Best_Coding_Practice_Potential_Usage_of_Vulnerable_Log4J: categories: + - owasp-top-10 - cwe-400 - checkmarx-best-coding-practices - boost-baseline @@ -31402,6 +32084,7 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Java_Best_Coding_Practice_Potentially_Serializable_Class_With_Sensitive_Data: categories: + - owasp-top-10 - checkmarx-best-coding-practices - cwe-499 - boost-baseline @@ -31416,6 +32099,7 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Java_Best_Coding_Practice_Public_Static_Field_Not_Marked_Final: categories: + - owasp-top-10 - checkmarx-best-coding-practices - cwe-500 - boost-baseline @@ -31429,6 +32113,7 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Java_Best_Coding_Practice_Reachable_Assertion: categories: + - owasp-top-10 - cwe-617 - checkmarx-best-coding-practices - boost-baseline @@ -31444,6 +32129,7 @@ rules: Java_Best_Coding_Practice_Redirect_Without_Exit: categories: - cwe-698 + - owasp-top-10 - checkmarx-best-coding-practices - boost-baseline - ALL 
@@ -31472,6 +32158,7 @@ rules: Java_Best_Coding_Practice_Return_Inside_Finally_Block: categories: - cwe-584 + - owasp-top-10 - checkmarx-best-coding-practices - boost-baseline - ALL @@ -31485,6 +32172,7 @@ rules: Java_Best_Coding_Practice_Suspicious_Endpoints: categories: - cwe-923 + - owasp-top-10 - checkmarx-best-coding-practices - boost-baseline - ALL @@ -31498,6 +32186,7 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Java_Best_Coding_Practice_Unchecked_Error_Condition: categories: + - owasp-top-10 - cwe-391 - checkmarx-best-coding-practices - boost-baseline @@ -31511,6 +32200,7 @@ rules: Java_Best_Coding_Practice_Unchecked_Return_Value: categories: - cwe-252 + - owasp-top-10 - checkmarx-best-coding-practices - boost-baseline - ALL @@ -31523,6 +32213,7 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Java_Best_Coding_Practice_Unclosed_Objects: categories: + - owasp-top-10 - checkmarx-best-coding-practices - boost-baseline - ALL @@ -31537,6 +32228,7 @@ rules: Java_Best_Coding_Practice_Uncontrolled_Recursion: categories: - cwe-674 + - owasp-top-10 - checkmarx-best-coding-practices - boost-baseline - ALL @@ -31551,6 +32243,7 @@ rules: Java_Best_Coding_Practice_Undocumented_API: categories: - cwe-1059 + - owasp-top-10 - checkmarx-best-coding-practices - boost-baseline - ALL @@ -31600,6 +32293,7 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Java_Best_Coding_Practice_Unused_Variable: categories: + - owasp-top-10 - cwe-563 - checkmarx-best-coding-practices - boost-baseline @@ -31614,6 +32308,7 @@ rules: Java_Best_Coding_Practice_Use_Of_Uninitialized_Variables: categories: - cwe-457 + - owasp-top-10 - checkmarx-best-coding-practices - boost-baseline - ALL 
@@ -31627,6 +32322,7 @@ rules: Java_Best_Coding_Practice_Use_of_Inner_Class_Containing_Sensitive_Data: categories: - cwe-492 + - owasp-top-10 - checkmarx-best-coding-practices - boost-baseline - ALL @@ -31641,6 +32337,7 @@ rules: Java_Best_Coding_Practice_Use_of_Obsolete_Functions: categories: - cwe-477 + - owasp-top-10 - checkmarx-best-coding-practices - boost-baseline - ALL @@ -31653,6 +32350,7 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Java_Best_Coding_Practice_Use_of_System_Output_Stream: categories: + - owasp-top-10 - cwe-398 - checkmarx-best-coding-practices - boost-baseline @@ -31666,6 +32364,7 @@ rules: Java_Best_Coding_Practice_Use_of_System_exit: categories: - cwe-382 + - owasp-top-10 - checkmarx-best-coding-practices - boost-baseline - ALL @@ -31679,6 +32378,7 @@ rules: Java_Best_Coding_Practice_Use_of_Wrong_Operator_in_String_Comparison: categories: - cwe-597 + - owasp-top-10 - checkmarx-best-coding-practices - boost-baseline - ALL @@ -31692,6 +32392,7 @@ rules: Java_Best_Coding_Practice_clone_Method_Without_super_clone: categories: - cwe-580 + - owasp-top-10 - checkmarx-best-coding-practices - boost-baseline - ALL @@ -31704,6 +32405,7 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Java_Best_Coding_Practice_finalize_Method_Declared_Public: categories: + - owasp-top-10 - checkmarx-best-coding-practices - boost-baseline - ALL @@ -31718,6 +32420,7 @@ rules: Java_Best_Coding_Practice_finalize_Method_Without_super_finalize: categories: - cwe-568 + - owasp-top-10 - checkmarx-best-coding-practices - boost-baseline - ALL @@ -31731,6 +32434,7 @@ rules: categories: - boost-baseline - ALL + - owasp-top-10 description: Identifies instances in Java code where unsafe, potentially exploitable packages or classes are imported, risking security vulnerabilities. group: top10-injection 
@@ -31742,6 +32446,7 @@ rules: categories: - boost-baseline - ALL + - owasp-top-10 description: Java code where '.find()' methods are employed could introduce potential Regular Expression Denial of Service (ReDoS) vulnerabilities if user-supplied input is not properly sanitized. @@ -32102,6 +32807,7 @@ rules: Java_High_Risk_Mongo_NoSQL_Injection: categories: - boost-hardened + - owasp-top-10 - cwe-943 - boost-baseline - ALL @@ -32303,6 +33009,7 @@ rules: - boost-baseline - ALL - checkmarx-low-visibility + - owasp-top-10 description: The Citrus Developer Mode, a testing tool for Java, has been enabled in a production setting. This exposes sensitive information and debug data that could be exploited. @@ -32315,6 +33022,7 @@ rules: categories: - cwe-171 - checkmarx-low-visibility + - owasp-top-10 - boost-baseline - ALL description: Improper handling of data within protection mechanisms that attempt @@ -32328,6 +33036,7 @@ rules: categories: - checkmarx-low-visibility - cwe-182 + - owasp-top-10 - boost-baseline - ALL description: The product filters data in a way that causes it to be reduced or @@ -32370,6 +33079,7 @@ rules: categories: - ALL - checkmarx-low-visibility + - owasp-top-10 - boost-baseline - cwe-378 description: Opening temporary files without appropriate measures or controls @@ -32384,6 +33094,7 @@ rules: categories: - cwe-379 - checkmarx-low-visibility + - owasp-top-10 - boost-baseline - ALL description: The product creates a temporary file in a directory whose permissions @@ -32398,6 +33109,7 @@ rules: categories: - cwe-203 - checkmarx-low-visibility + - owasp-top-10 - boost-baseline - ALL description: The product behaves differently or sends different responses under @@ -32415,7 +33127,6 @@ rules: - ALL - checkmarx-low-visibility - cwe-15 - - owasp-top-10 description: One or more system settings or configuration elements can be externally controlled by a user. group: top10-security-misconfiguration 
@@ -32427,6 +33138,7 @@ rules: categories: - checkmarx-low-visibility - cwe-362 + - owasp-top-10 - boost-baseline - ALL - cwe-top-25 @@ -32442,6 +33154,7 @@ rules: Java_Low_Visibility_Divide_By_Zero: categories: - checkmarx-low-visibility + - owasp-top-10 - cwe-369 - boost-baseline - ALL @@ -32514,6 +33227,7 @@ rules: categories: - cwe-732 - checkmarx-low-visibility + - owasp-top-10 - boost-baseline - ALL description: The product specifies permissions for a security-critical resource @@ -32527,6 +33241,7 @@ rules: categories: - cwe-244 - checkmarx-low-visibility + - owasp-top-10 - boost-baseline - ALL description: Using realloc() to resize buffers that store sensitive information @@ -32558,6 +33273,7 @@ rules: categories: - cwe-248 - checkmarx-low-visibility + - owasp-top-10 - boost-baseline - ALL description: An exception is thrown from a function, but it is not caught. @@ -32584,6 +33300,7 @@ rules: categories: - cwe-413 - checkmarx-low-visibility + - owasp-top-10 - boost-baseline - ALL description: The product does not lock or does not correctly lock a resource when @@ -32597,6 +33314,7 @@ rules: categories: - cwe-404 - checkmarx-low-visibility + - owasp-top-10 - boost-baseline - ALL description: The product does not release or incorrectly releases a resource before @@ -32624,6 +33342,7 @@ rules: categories: - cwe-460 - checkmarx-low-visibility + - owasp-top-10 - boost-baseline - ALL description: The product does not clean up its state or incorrectly cleans up @@ -32638,6 +33357,7 @@ rules: categories: - cwe-732 - checkmarx-low-visibility + - owasp-top-10 - boost-baseline - ALL description: The product specifies permissions for a security-critical resource @@ -32650,6 +33370,7 @@ rules: Java_Low_Visibility_Information_Exposure_Through_Debug_Log: categories: - checkmarx-low-visibility + - owasp-top-10 - cwe-534 - boost-baseline - ALL 
@@ -32678,6 +33399,7 @@ rules: categories: - ALL - checkmarx-low-visibility + - owasp-top-10 - boost-baseline - cwe-533 description: This entry has been deprecated because its abstraction was too low-level. @@ -32705,6 +33427,7 @@ rules: categories: - cwe-615 - checkmarx-low-visibility + - owasp-top-10 - boost-baseline - ALL description: 'While adding general comments is very useful, some programmers tend @@ -32734,6 +33457,7 @@ rules: categories: - cwe-535 - checkmarx-low-visibility + - owasp-top-10 - boost-baseline - ALL description: A command shell error message indicates that there exists an unhandled @@ -32779,6 +33503,7 @@ rules: categories: - cwe-190 - checkmarx-low-visibility + - owasp-top-10 - boost-baseline - ALL - cwe-top-25 @@ -32795,6 +33520,7 @@ rules: categories: - cwe-191 - checkmarx-low-visibility + - owasp-top-10 - boost-baseline - ALL description: The product subtracts one value from another, such that the result @@ -32838,6 +33564,7 @@ rules: Java_Low_Visibility_Leaving_Temporary_File: categories: - checkmarx-low-visibility + - owasp-top-10 - boost-baseline - ALL - cwe-376 @@ -32853,7 +33580,6 @@ rules: - ALL - cwe-117 - checkmarx-low-visibility - - owasp-top-10 description: The product does not neutralize or incorrectly neutralizes output that is written to logs. group: top10-security-logging-monitoring-failures @@ -32893,6 +33619,7 @@ rules: categories: - checkmarx-low-visibility - cwe-549 + - owasp-top-10 - boost-baseline - ALL description: The product does not mask passwords during entry, increasing the @@ -32936,6 +33663,7 @@ rules: categories: - checkmarx-low-visibility - cwe-491 + - owasp-top-10 - boost-baseline - ALL description: A class has a cloneable() method that is not declared final, which @@ -32950,6 +33678,7 @@ rules: categories: - cwe-193 - checkmarx-low-visibility + - owasp-top-10 - boost-baseline - ALL description: A product calculates or uses an incorrect maximum or minimum value 
@@ -32991,6 +33720,7 @@ rules: Java_Low_Visibility_Parse_Double_DoS: categories: - checkmarx-low-visibility + - owasp-top-10 - boost-baseline - ALL - cwe-730 @@ -33004,6 +33734,7 @@ rules: categories: - cwe-615 - checkmarx-low-visibility + - owasp-top-10 - boost-baseline - ALL description: 'While adding general comments is very useful, some programmers tend @@ -33035,7 +33766,6 @@ rules: - ALL - checkmarx-low-visibility - cwe-315 - - owasp-top-10 description: The product stores sensitive information in cleartext in a cookie. group: top10-security-misconfiguration name: Java_Low_Visibility_Plaintext_Storage_in_a_Cookie @@ -33046,6 +33776,7 @@ rules: categories: - cwe-474 - checkmarx-low-visibility + - owasp-top-10 - boost-baseline - ALL description: The code uses a function that has inconsistent implementations across @@ -33058,6 +33789,7 @@ rules: Java_Low_Visibility_Potential_ReDoS: categories: - checkmarx-low-visibility + - owasp-top-10 - cwe-400 - boost-baseline - ALL @@ -33073,6 +33805,7 @@ rules: Java_Low_Visibility_Potential_ReDoS_By_Injection: categories: - checkmarx-low-visibility + - owasp-top-10 - cwe-400 - boost-baseline - ALL @@ -33088,6 +33821,7 @@ rules: Java_Low_Visibility_Potential_ReDoS_In_Match: categories: - checkmarx-low-visibility + - owasp-top-10 - cwe-400 - boost-baseline - ALL @@ -33103,6 +33837,7 @@ rules: Java_Low_Visibility_Potential_ReDoS_In_Replace: categories: - checkmarx-low-visibility + - owasp-top-10 - cwe-400 - boost-baseline - ALL @@ -33118,6 +33853,7 @@ rules: Java_Low_Visibility_Potential_ReDoS_In_Static_Field: categories: - checkmarx-low-visibility + - owasp-top-10 - cwe-400 - boost-baseline - ALL @@ -33133,6 +33869,7 @@ rules: Java_Low_Visibility_Private_Array_Returned_From_A_Public_Method: categories: - checkmarx-low-visibility + - owasp-top-10 - boost-baseline - ALL - cwe-495 
@@ -33147,6 +33884,7 @@ rules: categories: - boost-baseline - checkmarx-low-visibility + - owasp-top-10 - cwe-496 - ALL description: Assigning public data to a private array is equivalent to giving @@ -33160,6 +33898,7 @@ rules: categories: - cwe-607 - checkmarx-low-visibility + - owasp-top-10 - boost-baseline - ALL description: A public or protected static final field references a mutable object, @@ -33174,6 +33913,7 @@ rules: categories: - checkmarx-low-visibility - cwe-362 + - owasp-top-10 - boost-baseline - ALL - cwe-top-25 @@ -33190,6 +33930,7 @@ rules: categories: - checkmarx-low-visibility - cwe-362 + - owasp-top-10 - boost-baseline - ALL - cwe-top-25 @@ -33208,7 +33949,6 @@ rules: - ALL - checkmarx-low-visibility - cwe-15 - - owasp-top-10 description: One or more system settings or configuration elements can be externally controlled by a user. group: top10-security-misconfiguration @@ -33235,6 +33975,7 @@ rules: categories: - cwe-350 - checkmarx-low-visibility + - owasp-top-10 - boost-baseline - ALL description: The product performs reverse DNS resolution on an IP address to obtain @@ -33268,7 +34009,6 @@ rules: - cwe-614 - checkmarx-low-visibility - ALL - - owasp-top-10 description: The Secure attribute for sensitive cookies in HTTPS sessions is not set, which could cause the user agent to send those cookies in plaintext over an HTTP session. @@ -33280,6 +34020,7 @@ rules: Java_Low_Visibility_Serializable_Class_Containing_Sensitive_Data: categories: - checkmarx-low-visibility + - owasp-top-10 - cwe-499 - boost-baseline - ALL @@ -33312,7 +34053,6 @@ rules: - ALL - checkmarx-low-visibility - cwe-15 - - owasp-top-10 description: One or more system settings or configuration elements can be externally controlled by a user. group: top10-security-misconfiguration 
@@ -33326,7 +34066,6 @@ rules: - ALL - cwe-117 - checkmarx-low-visibility - - owasp-top-10 description: The product does not neutralize or incorrectly neutralizes output that is written to logs. group: top10-security-logging-monitoring-failures @@ -33372,6 +34111,7 @@ rules: Java_Low_Visibility_TOCTOU: categories: - checkmarx-low-visibility + - owasp-top-10 - boost-baseline - ALL - cwe-367 @@ -33450,6 +34190,7 @@ rules: categories: - cwe-248 - checkmarx-low-visibility + - owasp-top-10 - boost-baseline - ALL description: An exception is thrown from a function, but it is not caught. @@ -33461,6 +34202,7 @@ rules: Java_Low_Visibility_Unchecked_Return_Value_to_NULL_Pointer_Dereference: categories: - checkmarx-low-visibility + - owasp-top-10 - cwe-690 - boost-baseline - ALL @@ -33476,6 +34218,7 @@ rules: categories: - cwe-134 - checkmarx-low-visibility + - owasp-top-10 - boost-baseline - ALL description: The product uses a function that accepts a format string as an argument, @@ -33489,6 +34232,7 @@ rules: categories: - cwe-789 - checkmarx-low-visibility + - owasp-top-10 - boost-baseline - ALL description: The product allocates memory based on an untrusted, large size value, @@ -33518,6 +34262,7 @@ rules: categories: - cwe-567 - checkmarx-low-visibility + - owasp-top-10 - boost-baseline - ALL description: The product does not properly synchronize shared data, such as static @@ -33548,7 +34293,6 @@ rules: - ALL - checkmarx-low-visibility - cwe-260 - - owasp-top-10 description: The product stores a password in a configuration file that might be accessible to actors who do not know the password. group: top10-security-misconfiguration @@ -33559,6 +34303,7 @@ rules: Java_Low_Visibility_Use_Of_getenv: categories: - checkmarx-low-visibility + - owasp-top-10 - cwe-589 - boost-baseline - ALL @@ -33586,6 +34331,7 @@ rules: Java_Low_Visibility_Use_of_Client_Side_Authentication: categories: - checkmarx-low-visibility + - owasp-top-10 - cwe-603 - boost-baseline - ALL 
@@ -33603,7 +34349,6 @@ rules: - ALL - cwe-547 - checkmarx-low-visibility - - owasp-top-10 description: The product uses hard-coded constants instead of symbolic names for security-critical values, which increases the likelihood of mistakes during code maintenance or security policy change. @@ -33644,6 +34389,7 @@ rules: categories: - cwe-293 - checkmarx-low-visibility + - owasp-top-10 - boost-baseline - ALL description: The referer field in HTTP requests can be easily modified and, as @@ -33656,6 +34402,7 @@ rules: Java_Medium_Threat_Absolute_Path_Traversal: categories: - checkmarx-medium-threat + - owasp-top-10 - cwe-36 - boost-baseline - ALL @@ -33734,6 +34481,7 @@ rules: categories: - checkmarx-medium-threat - cwe-254 + - owasp-top-10 - boost-baseline - ALL description: The product is saving client state in JavaServer Faces (JSF), potentially @@ -33775,6 +34523,7 @@ rules: Java_Medium_Threat_Direct_Use_of_Unsafe_JNI: categories: - checkmarx-medium-threat + - owasp-top-10 - boost-baseline - ALL - cwe-111 @@ -33789,6 +34538,7 @@ rules: Java_Medium_Threat_DoS_by_Sleep: categories: - checkmarx-medium-threat + - owasp-top-10 - boost-baseline - ALL description: The product performs an iteration or loop without sufficiently limiting @@ -33848,7 +34598,6 @@ rules: - ALL - checkmarx-medium-threat - cwe-15 - - owasp-top-10 description: One or more system settings or configuration elements can be externally controlled by a user. group: top10-security-misconfiguration @@ -33891,7 +34640,6 @@ rules: - ALL - cwe-547 - checkmarx-medium-threat - - owasp-top-10 description: The product uses hard-coded constants instead of symbolic names for security-critical values, which increases the likelihood of mistakes during code maintenance or security policy change. 
@@ -33906,7 +34654,6 @@ rules: - ALL - boost-baseline - checkmarx-medium-threat - - owasp-top-10 description: The product uses a cookie to store sensitive information, but the cookie is not marked with the HttpOnly flag. group: top10-security-misconfiguration @@ -33920,7 +34667,6 @@ rules: - ALL - boost-baseline - checkmarx-medium-threat - - owasp-top-10 description: The product uses a cookie to store sensitive information, but the cookie is not marked with the HttpOnly flag. group: top10-security-misconfiguration @@ -33932,6 +34678,7 @@ rules: categories: - checkmarx-medium-threat - cwe-667 + - owasp-top-10 - boost-baseline - ALL description: The product does not properly acquire or release a lock on a resource, @@ -33948,7 +34695,6 @@ rules: - boost-baseline - ALL - cwe-top-25 - - owasp-top-10 description: The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output. @@ -33964,7 +34710,6 @@ rules: - boost-baseline - ALL - cwe-top-25 - - owasp-top-10 description: The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output. @@ -34099,6 +34844,7 @@ rules: - boost-baseline - ALL - checkmarx-medium-threat + - owasp-top-10 description: A Java deserialization filter is misconfigured, thereby increasing the risk of untrusted input being deserialized, which can potentially lead to arbitrary code execution. @@ -34124,6 +34870,7 @@ rules: Java_Medium_Threat_Multiple_Binds_to_the_Same_Port: categories: - checkmarx-medium-threat + - owasp-top-10 - boost-baseline - ALL - cwe-605 @@ -34181,6 +34928,7 @@ rules: Java_Medium_Threat_Process_Control: categories: - checkmarx-medium-threat + - owasp-top-10 - cwe-114 - boost-baseline - ALL 
@@ -34195,6 +34943,7 @@ rules: Java_Medium_Threat_ReDoS_From_Regex_Injection: categories: - checkmarx-medium-threat + - owasp-top-10 - cwe-400 - boost-baseline - ALL @@ -34210,6 +34959,7 @@ rules: Java_Medium_Threat_ReDoS_In_Match: categories: - checkmarx-medium-threat + - owasp-top-10 - cwe-400 - boost-baseline - ALL @@ -34225,6 +34975,7 @@ rules: Java_Medium_Threat_ReDoS_In_Pattern: categories: - checkmarx-medium-threat + - owasp-top-10 - cwe-400 - boost-baseline - ALL @@ -34240,6 +34991,7 @@ rules: Java_Medium_Threat_ReDoS_In_Replace: categories: - checkmarx-medium-threat + - owasp-top-10 - cwe-400 - boost-baseline - ALL @@ -34303,6 +35055,7 @@ rules: categories: - checkmarx-medium-threat - cwe-599 + - owasp-top-10 - boost-baseline - ALL description: The product uses OpenSSL and trusts or uses a certificate without @@ -34361,6 +35114,7 @@ rules: Java_Medium_Threat_Stored_Absolute_Path_Traversal: categories: - checkmarx-medium-threat + - owasp-top-10 - cwe-36 - boost-baseline - ALL @@ -34424,6 +35178,7 @@ rules: Java_Medium_Threat_Unchecked_Input_for_Loop_Condition: categories: - checkmarx-medium-threat + - owasp-top-10 - cwe-606 - boost-baseline - ALL @@ -34470,6 +35225,7 @@ rules: categories: - checkmarx-medium-threat - cwe-819 + - owasp-top-10 - boost-baseline - ALL description: Relates to using redirects and forwards that have not been validated. @@ -34538,6 +35294,7 @@ rules: Java_Medium_Threat_Use_of_Native_Language: categories: - checkmarx-medium-threat + - owasp-top-10 - cwe-695 - boost-baseline - ALL @@ -34665,7 +35422,6 @@ rules: - ALL - cwe-547 - checkmarx-potential - - owasp-top-10 description: The product uses hard-coded constants instead of symbolic names for security-critical values, which increases the likelihood of mistakes during code maintenance or security policy change. 
@@ -34853,7 +35609,6 @@ rules: - cwe-776 - ALL - checkmarx-potential - - owasp-top-10 description: The product uses XML documents and allows their structure to be defined with a Document Type Definition (DTD), but it does not properly control the number of recursive definitions of entities. @@ -34907,6 +35662,7 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Java_Spring_Spring_Comparison_Timing_Attack: categories: + - owasp-top-10 - boost-baseline - ALL - cwe-208 @@ -34935,6 +35691,7 @@ rules: Java_Spring_Spring_Missing_Expect_CT_Header: categories: - cwe-693 + - owasp-top-10 - boost-baseline - ALL description: The product does not use or incorrectly uses a protection mechanism @@ -34988,6 +35745,7 @@ rules: Java_Spring_Spring_Missing_XSS_Protection_Header: categories: - cwe-693 + - owasp-top-10 - boost-baseline - ALL description: The product does not use or incorrectly uses a protection mechanism @@ -35000,6 +35758,7 @@ rules: Java_Spring_Spring_Missing_X_Content_Type_Options: categories: - cwe-693 + - owasp-top-10 - boost-baseline - ALL description: The product does not use or incorrectly uses a protection mechanism @@ -35151,6 +35910,7 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Java_Spring_Spring_defaultHtmlEscape_Not_True: categories: + - owasp-top-10 - boost-baseline - ALL description: The setting for defaultHtmlEscape in the Spring configuration is @@ -35210,6 +35970,7 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Java_Stored_Stored_Mongo_NoSQL_Injection: categories: + - owasp-top-10 - checkmarx-stored - cwe-943 - boost-baseline @@ -35257,6 +36018,7 @@ rules: categories: - cwe-108 - checkmarx-structs + - owasp-top-10 - boost-baseline - ALL description: Every Action Form must have a corresponding validation form. 
@@ -35268,6 +36030,7 @@ rules: Java_Struts_Struts2_Duplicate_Action_Field_Validators: categories: - checkmarx-structs + - owasp-top-10 - cwe-102 - boost-baseline - ALL @@ -35282,6 +36045,7 @@ rules: Java_Struts_Struts2_Duplicate_Validators: categories: - checkmarx-structs + - owasp-top-10 - cwe-102 - boost-baseline - ALL @@ -35296,6 +36060,7 @@ rules: Java_Struts_Struts2_Undeclared_Validator: categories: - checkmarx-structs + - owasp-top-10 - cwe-105 - boost-baseline - ALL @@ -35310,6 +36075,7 @@ rules: Java_Struts_Struts2_Validation_File_Without_Action: categories: - checkmarx-structs + - owasp-top-10 - cwe-107 - boost-baseline - ALL @@ -35324,6 +36090,7 @@ rules: categories: - cwe-110 - checkmarx-structs + - owasp-top-10 - boost-baseline - ALL description: Validation fields that do not appear in forms they are associated @@ -35336,6 +36103,7 @@ rules: Java_Struts_Struts_Duplicate_Config_Files: categories: - checkmarx-structs + - owasp-top-10 - cwe-694 - boost-baseline - ALL @@ -35349,6 +36117,7 @@ rules: Java_Struts_Struts_Duplicate_Form_Bean: categories: - checkmarx-structs + - owasp-top-10 - cwe-694 - boost-baseline - ALL @@ -35362,6 +36131,7 @@ rules: Java_Struts_Struts_Duplicate_Validation_Files: categories: - checkmarx-structs + - owasp-top-10 - cwe-694 - boost-baseline - ALL @@ -35375,6 +36145,7 @@ rules: Java_Struts_Struts_Duplicate_Validation_Forms: categories: - checkmarx-structs + - owasp-top-10 - cwe-102 - boost-baseline - ALL @@ -35390,6 +36161,7 @@ rules: categories: - checkmarx-structs - cwe-104 + - owasp-top-10 - boost-baseline - ALL description: If a form bean does not extend an ActionForm subclass of the Validator @@ -35403,6 +36175,7 @@ rules: Java_Struts_Struts_Form_Field_Without_Validator: categories: - checkmarx-structs + - owasp-top-10 - cwe-105 - boost-baseline - ALL @@ -35417,6 +36190,7 @@ rules: Java_Struts_Struts_Incomplete_Validate_Method_Definition: categories: - checkmarx-structs + - owasp-top-10 - boost-baseline - ALL - cwe-103 
@@ -35431,6 +36205,7 @@ rules: categories: - cwe-457 - checkmarx-structs + - owasp-top-10 - boost-baseline - ALL description: The code uses a variable that has not been initialized, leading to @@ -35443,6 +36218,7 @@ rules: Java_Struts_Struts_Missing_Form_Bean_Name: categories: - checkmarx-structs + - owasp-top-10 - cwe-563 - boost-baseline - ALL @@ -35456,6 +36232,7 @@ rules: Java_Struts_Struts_Missing_Form_Bean_Type: categories: - checkmarx-structs + - owasp-top-10 - cwe-563 - boost-baseline - ALL @@ -35470,6 +36247,7 @@ rules: categories: - cwe-489 - checkmarx-structs + - owasp-top-10 - boost-baseline - ALL description: The product is deployed to unauthorized actors with debugging code @@ -35483,6 +36261,7 @@ rules: Java_Struts_Struts_Non_Private_Field_In_ActionForm_Class: categories: - checkmarx-structs + - owasp-top-10 - boost-baseline - ALL - cwe-608 @@ -35497,6 +36276,7 @@ rules: categories: - checkmarx-structs - cwe-362 + - owasp-top-10 - boost-baseline - ALL - cwe-top-25 @@ -35513,6 +36293,7 @@ rules: categories: - cwe-489 - checkmarx-structs + - owasp-top-10 - boost-baseline - ALL description: The product is deployed to unauthorized actors with debugging code @@ -35526,6 +36307,7 @@ rules: Java_Struts_Struts_Unused_Validation_Form: categories: - checkmarx-structs + - owasp-top-10 - cwe-107 - boost-baseline - ALL @@ -35540,6 +36322,7 @@ rules: categories: - cwe-108 - checkmarx-structs + - owasp-top-10 - boost-baseline - ALL description: Every Action Form must have a corresponding validation form. @@ -35552,6 +36335,7 @@ rules: categories: - cwe-21 - checkmarx-structs + - owasp-top-10 - boost-baseline - ALL description: The product uses external input to construct a pathname that should @@ -35565,6 +36349,7 @@ rules: Java_Struts_Struts_Validation_Turned_Off: categories: - checkmarx-structs + - owasp-top-10 - boost-baseline - ALL - cwe-109 
@@ -35580,6 +36365,7 @@ rules: categories: - cwe-110 - checkmarx-structs + - owasp-top-10 - boost-baseline - ALL description: Validation fields that do not appear in forms they are associated @@ -35659,6 +36445,7 @@ rules: Javascript_Kony_Kony_Deprecated_Functions: categories: - cwe-477 + - owasp-top-10 - checkmarx-kony - boost-baseline - ALL @@ -35823,7 +36610,6 @@ rules: - boost-baseline - ALL - cwe-15 - - owasp-top-10 description: One or more system settings or configuration elements can be externally controlled by a user. group: top10-security-misconfiguration @@ -35838,7 +36624,6 @@ rules: - boost-baseline - ALL - cwe-15 - - owasp-top-10 description: One or more system settings or configuration elements can be externally controlled by a user. group: top10-security-misconfiguration @@ -35882,6 +36667,7 @@ rules: categories: - boost-baseline - ALL + - owasp-top-10 - checkmarx-lightning description: The Aura component's attribute is defined with an 'Object' type, which can lead to potential type conflicts and unexpected behaviors due to lack @@ -35895,6 +36681,7 @@ rules: categories: - boost-baseline - ALL + - owasp-top-10 - checkmarx-lightning description: Names for Lightning components in JavaScript must start with a lowercase letter and can contain alphabets, numbers, or underscores, ensuring readability @@ -35926,6 +36713,7 @@ rules: categories: - boost-baseline - ALL + - owasp-top-10 - checkmarx-lightning description: Lightning data retrieval in a JavaScript file does not use the '@wire' decorator, leading to potential issues in data synchronization. @@ -35938,6 +36726,7 @@ rules: categories: - boost-baseline - ALL + - owasp-top-10 - checkmarx-lightning description: Dynamic href values in anchor tags within Salesforce's Lightning components are identified, which might result in unsafe redirects or content 
@@ -35968,6 +36757,7 @@ rules: categories: - boost-baseline - ALL + - owasp-top-10 - checkmarx-lightning description: Refers to the occurrence of using Aura components in Lightning Web Components (LWC), which is discouraged due to potential performance degradation @@ -35981,6 +36771,7 @@ rules: categories: - boost-baseline - ALL + - owasp-top-10 - checkmarx-lightning description: Event bubbling is improperly used in JavaScript Lightning Web Components (LWC), which can lead to unintended propagation of events and cause incorrect @@ -35994,6 +36785,7 @@ rules: categories: - boost-baseline - ALL + - owasp-top-10 - checkmarx-lightning description: Duplicate use of a single Apex controller method in multiple Lightning components is present. This might lead to unintended functionality coupling, @@ -36021,6 +36813,7 @@ rules: Kotlin_Android_Allowed_Backup: categories: - cwe-530 + - owasp-top-10 - checkmarx-android - boost-baseline - ALL @@ -36050,6 +36843,7 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Kotlin_Android_Client_Side_ReDoS: categories: + - owasp-top-10 - checkmarx-android - cwe-400 - boost-baseline @@ -36164,6 +36958,7 @@ rules: Kotlin_Android_Failure_to_Implement_Least_Privilege: categories: - ALL + - owasp-top-10 - checkmarx-android - boost-baseline - cwe-250 @@ -36219,6 +37014,7 @@ rules: Kotlin_Android_Improper_Verification_Of_Intent_By_Broadcast_Receiver: categories: - cwe-925 + - owasp-top-10 - checkmarx-android - boost-baseline - ALL @@ -36233,6 +37029,7 @@ rules: Kotlin_Android_Insecure_Android_SDK_Version: categories: - cwe-477 + - owasp-top-10 - checkmarx-android - boost-baseline - ALL @@ -36317,6 +37114,7 @@ rules: Kotlin_Android_Missing_Rooted_Device_Check: categories: - cwe-693 + - owasp-top-10 - checkmarx-android - boost-baseline - ALL @@ -36374,6 +37172,7 @@ rules: Kotlin_Android_ProGuard_Obfuscation_Not_In_Use: categories: - cwe-693 + - owasp-top-10 - checkmarx-android - boost-baseline - ALL 
@@ -36400,6 +37199,7 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Kotlin_Android_Screen_Caching: categories: + - owasp-top-10 - checkmarx-android - cwe-524 - boost-baseline @@ -36458,6 +37258,7 @@ rules: categories: - boost-hardened - boost-baseline + - owasp-top-10 - checkmarx-android - cwe-749 - ALL @@ -36471,6 +37272,7 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Kotlin_Android_WebView_Cache_Information_Leak: categories: + - owasp-top-10 - checkmarx-android - cwe-524 - boost-baseline @@ -36500,6 +37302,7 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Kotlin_Best_Coding_Practice_Potential_Usage_of_Vulnerable_Log4J: categories: + - owasp-top-10 - cwe-400 - checkmarx-best-coding-practices - boost-baseline @@ -36772,6 +37575,7 @@ rules: categories: - cwe-477 - checkmarx-low-visibility + - owasp-top-10 - boost-baseline - ALL description: The code uses deprecated or obsolete functions, which suggests that @@ -36815,6 +37619,7 @@ rules: categories: - cwe-615 - checkmarx-low-visibility + - owasp-top-10 - boost-baseline - ALL description: 'While adding general comments is very useful, some programmers tend @@ -36902,7 +37707,6 @@ rules: - ALL - boost-baseline - checkmarx-medium-threat - - owasp-top-10 description: The product uses a cookie to store sensitive information, but the cookie is not marked with the HttpOnly flag. group: top10-security-misconfiguration @@ -37033,6 +37837,7 @@ rules: Kotlin_Medium_Threat_Unchecked_Input_for_Loop_Condition: categories: - checkmarx-medium-threat + - owasp-top-10 - cwe-606 - boost-baseline - ALL @@ -37121,6 +37926,7 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Lua_Best_Coding_Practice_Empty_Methods: categories: + - owasp-top-10 - cwe-398 - checkmarx-best-coding-practices - boost-baseline 
@@ -37134,6 +37940,7 @@ rules: ObjectiveC_Best_Coding_Practice_Dead_Code: categories: - cwe-561 + - owasp-top-10 - checkmarx-best-coding-practices - boost-baseline - ALL @@ -37162,6 +37969,7 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html ObjectiveC_Best_Coding_Practice_Empty_Methods: categories: + - owasp-top-10 - cwe-398 - checkmarx-best-coding-practices - boost-baseline @@ -37175,6 +37983,7 @@ rules: ObjectiveC_Best_Coding_Practice_Expression_is_Always_False: categories: - cwe-570 + - owasp-top-10 - checkmarx-best-coding-practices - boost-baseline - ALL @@ -37186,6 +37995,7 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html ObjectiveC_Best_Coding_Practice_Expression_is_Always_True: categories: + - owasp-top-10 - cwe-571 - checkmarx-best-coding-practices - boost-baseline @@ -37198,6 +38008,7 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html ObjectiveC_Best_Coding_Practice_Missing_Colon_In_Selector: categories: + - owasp-top-10 - checkmarx-best-coding-practices - boost-baseline - ALL @@ -37377,6 +38188,7 @@ rules: categories: - cwe-530 - checkmarx-low-visibility + - owasp-top-10 - boost-baseline - ALL description: A backup file is stored in a directory or archive that is made accessible @@ -37404,6 +38216,7 @@ rules: categories: - cwe-477 - checkmarx-low-visibility + - owasp-top-10 - boost-baseline - ALL description: The code uses deprecated or obsolete functions, which suggests that @@ -37417,6 +38230,7 @@ rules: categories: - cwe-244 - checkmarx-low-visibility + - owasp-top-10 - boost-baseline - ALL description: Using realloc() to resize buffers that store sensitive information @@ -37431,6 +38245,7 @@ rules: categories: - cwe-404 - checkmarx-low-visibility + - owasp-top-10 - boost-baseline - ALL description: The product does not release or incorrectly releases a resource before 
@@ -37444,6 +38259,7 @@ rules: categories: - cwe-456 - checkmarx-low-visibility + - owasp-top-10 - boost-baseline - ALL description: The product does not initialize critical variables, which causes @@ -37470,6 +38286,7 @@ rules: ObjectiveC_Low_Visibility_Information_Leak_Through_Response_Caching: categories: - checkmarx-low-visibility + - owasp-top-10 - cwe-524 - boost-baseline - ALL @@ -37501,7 +38318,6 @@ rules: - ALL - cwe-117 - checkmarx-low-visibility - - owasp-top-10 description: The product does not neutralize or incorrectly neutralizes output that is written to logs. group: top10-security-logging-monitoring-failures @@ -37513,6 +38329,7 @@ rules: categories: - cwe-401 - checkmarx-low-visibility + - owasp-top-10 - boost-baseline - ALL description: The product does not sufficiently track and release allocated memory @@ -37553,6 +38370,7 @@ rules: categories: - cwe-693 - checkmarx-low-visibility + - owasp-top-10 - boost-baseline - ALL description: The product does not use or incorrectly uses a protection mechanism @@ -37566,6 +38384,7 @@ rules: categories: - cwe-252 - checkmarx-low-visibility + - owasp-top-10 - boost-baseline - ALL description: The product does not check the return value from a method or function, @@ -37579,6 +38398,7 @@ rules: categories: - cwe-615 - checkmarx-low-visibility + - owasp-top-10 - boost-baseline - ALL description: 'While adding general comments is very useful, some programmers tend @@ -37622,6 +38442,7 @@ rules: ObjectiveC_Low_Visibility_Potential_ReDoS: categories: - checkmarx-low-visibility + - owasp-top-10 - cwe-400 - boost-baseline - ALL @@ -37666,6 +38487,7 @@ rules: categories: - cwe-252 - checkmarx-low-visibility + - owasp-top-10 - boost-baseline - ALL description: The product does not check the return value from a method or function, 
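Review bot: The hunk at `@@ -37501,7 +38318,6 @@` drops `- owasp-top-10` from the cwe-117 log-neutralization rule while its `group:` stays `top10-security-logging-monitoring-failures`; CWE-117 is one of the CWEs listed under A09:2021, so this removal reads as inverted rather than as a cleanup. Meanwhile `ObjectiveC_Low_Visibility_Potential_ReDoS` (cwe-400) and the cwe-252 unchecked-return-value rules gain the category in the surrounding hunks, which are not Top 10 weaknesses. If this file is generated, I would verify the generator against one of these entries before merging; otherwise restore `- owasp-top-10` on the cwe-117 rule (its key is outside the hunk).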
@@ -37734,6 +38556,7 @@ rules: categories: - cwe-477 - checkmarx-low-visibility + - owasp-top-10 - boost-baseline - ALL description: The code uses deprecated or obsolete functions, which suggests that @@ -37747,6 +38570,7 @@ rules: categories: - cwe-404 - checkmarx-low-visibility + - owasp-top-10 - boost-baseline - ALL description: The product does not release or incorrectly releases a resource before @@ -37790,6 +38614,7 @@ rules: categories: - checkmarx-medium-threat - cwe-134 + - owasp-top-10 - boost-baseline - ALL description: The product uses a function that accepts a format string as an argument, @@ -37918,6 +38743,7 @@ rules: ObjectiveC_Medium_Threat_ReDoS: categories: - checkmarx-medium-threat + - owasp-top-10 - boost-baseline - ALL - cwe-1333 @@ -37932,6 +38758,7 @@ rules: ObjectiveC_Medium_Threat_Screen_Caching: categories: - checkmarx-medium-threat + - owasp-top-10 - cwe-524 - boost-baseline - ALL @@ -37963,7 +38790,6 @@ rules: - boost-baseline - ALL - cwe-top-25 - - owasp-top-10 description: The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output. @@ -38238,6 +39064,7 @@ rules: PHP_Medium_Threat_DoS_by_Sleep: categories: - checkmarx-medium-threat + - owasp-top-10 - boost-baseline - ALL description: The product performs an iteration or loop without sufficiently limiting @@ -38283,7 +39110,6 @@ rules: - ALL - boost-baseline - checkmarx-medium-threat - - owasp-top-10 description: The product uses a cookie to store sensitive information, but the cookie is not marked with the HttpOnly flag. group: top10-security-misconfiguration @@ -38295,6 +39121,7 @@ rules: categories: - checkmarx-medium-threat - cwe-914 + - owasp-top-10 - boost-baseline - ALL description: The product does not properly restrict reading from or writing to 
@@ -38328,7 +39155,6 @@ rules: - boost-baseline - ALL - cwe-top-25 - - owasp-top-10 description: The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output. @@ -38344,7 +39170,6 @@ rules: - boost-baseline - ALL - cwe-top-25 - - owasp-top-10 description: The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output. @@ -38356,6 +39181,7 @@ rules: PHP_Medium_Threat_Inappropriate_Encoding_for_Output_Context: categories: - checkmarx-medium-threat + - owasp-top-10 - boost-baseline - ALL - cwe-838 @@ -38492,6 +39318,7 @@ rules: categories: - checkmarx-medium-threat - cwe-599 + - owasp-top-10 - boost-baseline - ALL description: The product uses OpenSSL and trusts or uses a certificate without @@ -38658,6 +39485,7 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html PLSQL_Best_Coding_Practice_Unchecked_Error_Condition: categories: + - owasp-top-10 - cwe-391 - checkmarx-best-coding-practices - boost-baseline @@ -38670,6 +39498,7 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html PLSQL_Best_Coding_Practice_Use_of_Potentially_Dangerous_Function: categories: + - owasp-top-10 - checkmarx-best-coding-practices - cwe-676 - boost-baseline @@ -38786,6 +39615,7 @@ rules: PLSQL_Low_Visibility_Default_Definer_Rights_in_Method_Definition: categories: - checkmarx-low-visibility + - owasp-top-10 - cwe-265 - boost-baseline - ALL @@ -38816,6 +39646,7 @@ rules: categories: - cwe-404 - checkmarx-low-visibility + - owasp-top-10 - boost-baseline - ALL description: The product does not release or incorrectly releases a resource before 
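Review bot: Both hunks at `@@ -38328,7 +39155,6 @@` and `@@ -38344,7 +39170,6 @@` remove `- owasp-top-10` from rules whose description is XML external entity processing, which is squarely an A05:2021 weakness (CWE-611); only `cwe-top-25` is visible in the hunk, so the rule's cwe category and key are outside the shown lines. The same line adds the category to `PHP_Medium_Threat_Inappropriate_Encoding_for_Output_Context` (cwe-838) and a cwe-599 certificate rule, so the selection criterion is not obviously the OWASP CWE mapping. Please confirm that dropping XXE from the `owasp-top-10` category is intended; if not, keep `- owasp-top-10` on those two entries.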
@@ -38886,6 +39717,7 @@ rules: PLSQL_Medium_Threat_Dangling_Database_Cursor: categories: - checkmarx-medium-threat + - owasp-top-10 - boost-baseline - ALL - cwe-619 @@ -38900,6 +39732,7 @@ rules: PLSQL_Medium_Threat_Default_Definer_Rights_in_Package_or_Object_Definition: categories: - checkmarx-medium-threat + - owasp-top-10 - cwe-265 - boost-baseline - ALL @@ -38914,6 +39747,7 @@ rules: PLSQL_Medium_Threat_DoS_By_Sleep: categories: - checkmarx-medium-threat + - owasp-top-10 - boost-baseline - ALL description: The product performs an iteration or loop without sufficiently limiting @@ -39027,6 +39861,7 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Perl_Best_Coding_Practice_Empty_Methods: categories: + - owasp-top-10 - cwe-398 - checkmarx-best-coding-practices - boost-baseline @@ -39054,6 +39889,7 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Perl_Best_Coding_Practice_Prepending_Leading_Zeroes_To_Integer_Literals: categories: + - owasp-top-10 - checkmarx-best-coding-practices - cwe-665 - boost-baseline @@ -39068,6 +39904,7 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Perl_Best_Coding_Practice_Reusing_Variable_Names_In_Subscopes: categories: + - owasp-top-10 - cwe-398 - checkmarx-best-coding-practices - boost-baseline @@ -39081,6 +39918,7 @@ rules: Perl_Best_Coding_Practice_Using_Perl4_Package_Names: categories: - cwe-477 + - owasp-top-10 - checkmarx-best-coding-practices - boost-baseline - ALL @@ -39093,6 +39931,7 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Perl_Best_Coding_Practice_Using_Subroutine_Prototypes: categories: + - owasp-top-10 - cwe-628 - checkmarx-best-coding-practices - boost-baseline 
@@ -39279,6 +40118,7 @@ rules: categories: - cwe-477 - checkmarx-low-visibility + - owasp-top-10 - boost-baseline - ALL description: The code uses deprecated or obsolete functions, which suggests that @@ -39291,6 +40131,7 @@ rules: Perl_Low_Visibility_Improper_Filtering_of_Special_Elements: categories: - checkmarx-low-visibility + - owasp-top-10 - boost-baseline - ALL - cwe-790 @@ -39322,7 +40163,6 @@ rules: - ALL - cwe-117 - checkmarx-low-visibility - - owasp-top-10 description: The product does not neutralize or incorrectly neutralizes output that is written to logs. group: top10-security-logging-monitoring-failures @@ -39334,6 +40174,7 @@ rules: categories: - cwe-252 - checkmarx-low-visibility + - owasp-top-10 - boost-baseline - ALL description: The product does not check the return value from a method or function, @@ -39346,6 +40187,7 @@ rules: Perl_Low_Visibility_Overloading_Reserved_Keywords_or_Subroutines: categories: - checkmarx-low-visibility + - owasp-top-10 - cwe-398 - boost-baseline - ALL @@ -39359,6 +40201,7 @@ rules: categories: - cwe-625 - checkmarx-low-visibility + - owasp-top-10 - boost-baseline - ALL description: The product uses a regular expression that does not sufficiently @@ -39371,6 +40214,7 @@ rules: Perl_Low_Visibility_Prohibit_Indirect_Object_Call_Syntax: categories: - checkmarx-low-visibility + - owasp-top-10 - cwe-665 - boost-baseline - ALL @@ -39385,6 +40229,7 @@ rules: Perl_Low_Visibility_Signifying_Inheritence_At_Runtime: categories: - checkmarx-low-visibility + - owasp-top-10 - cwe-398 - boost-baseline - ALL @@ -39398,6 +40243,7 @@ rules: categories: - cwe-252 - checkmarx-low-visibility + - owasp-top-10 - boost-baseline - ALL description: The product does not check the return value from a method or function, @@ -39424,6 +40270,7 @@ rules: categories: - cwe-477 - checkmarx-low-visibility + - owasp-top-10 - boost-baseline - ALL description: The code uses deprecated or obsolete functions, which suggests that 
@@ -39436,6 +40283,7 @@ rules: Perl_Low_Visibility_Variables_Outside_The_Scope_of_a_Regex: categories: - checkmarx-low-visibility + - owasp-top-10 - boost-baseline - ALL - cwe-824 @@ -39464,6 +40312,7 @@ rules: Perl_Medium_Threat_DoS_by_Sleep: categories: - checkmarx-medium-threat + - owasp-top-10 - boost-baseline - ALL description: The product performs an iteration or loop without sufficiently limiting @@ -39480,7 +40329,6 @@ rules: - boost-baseline - ALL - cwe-top-25 - - owasp-top-10 description: The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output. @@ -39624,6 +40472,7 @@ rules: categories: - checkmarx-medium-threat - cwe-134 + - owasp-top-10 - boost-baseline - ALL description: The product uses a function that accepts a format string as an argument, @@ -39637,6 +40486,7 @@ rules: categories: - checkmarx-medium-threat - cwe-789 + - owasp-top-10 - boost-baseline - ALL description: The product allocates memory based on an untrusted, large size value, @@ -39695,6 +40545,7 @@ rules: Php_Best_Coding_Practice_Declaration_Of_Catch_For_Generic_Exception: categories: - cwe-396 + - owasp-top-10 - checkmarx-best-coding-practices - boost-baseline - ALL @@ -39708,6 +40559,7 @@ rules: Php_Best_Coding_Practice_Detection_of_Error_Condition_Without_Action: categories: - cwe-390 + - owasp-top-10 - checkmarx-best-coding-practices - boost-baseline - ALL @@ -39737,6 +40589,7 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Php_Best_Coding_Practice_Exposure_of_Resource_to_Wrong_Sphere: categories: + - owasp-top-10 - cwe-493 - checkmarx-best-coding-practices - boost-baseline 
@@ -39768,6 +40621,7 @@ rules: - boost-baseline - ALL - checkmarx-best-coding-practices + - owasp-top-10 description: A local PHP variable, with the same name as a global variable, is being written to, thus posing a risk of unintentional global variable overwrite. group: top10-insecure-design @@ -39777,6 +40631,7 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Php_Best_Coding_Practice_Unchecked_Error_Condition: categories: + - owasp-top-10 - cwe-391 - checkmarx-best-coding-practices - boost-baseline @@ -39789,6 +40644,7 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Php_Best_Coding_Practice_Unclosed_Objects: categories: + - owasp-top-10 - checkmarx-best-coding-practices - boost-baseline - ALL @@ -39802,6 +40658,7 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Php_Best_Coding_Practice_Use_Of_Namespace: categories: + - owasp-top-10 - cwe-398 - checkmarx-best-coding-practices - boost-baseline @@ -39814,6 +40671,7 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Php_Best_Coding_Practice_Use_Of_Private_Static_Variable: categories: + - owasp-top-10 - cwe-398 - checkmarx-best-coding-practices - boost-baseline @@ -39826,6 +40684,7 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Php_Best_Coding_Practice_Use_Of_Super_GLOBALS: categories: + - owasp-top-10 - cwe-766 - checkmarx-best-coding-practices - boost-baseline @@ -39858,6 +40717,7 @@ rules: categories: - cwe-203 - checkmarx-low-visibility + - owasp-top-10 - boost-baseline - ALL description: The product behaves differently or sends different responses under @@ -39873,6 +40733,7 @@ rules: categories: - cwe-477 - checkmarx-low-visibility + - owasp-top-10 - boost-baseline - ALL description: The code uses deprecated or obsolete functions, which suggests that 
@@ -39900,6 +40761,7 @@ rules: categories: - cwe-248 - checkmarx-low-visibility + - owasp-top-10 - boost-baseline - ALL description: An exception is thrown from a function, but it is not caught. @@ -39912,6 +40774,7 @@ rules: categories: - cwe-460 - checkmarx-low-visibility + - owasp-top-10 - boost-baseline - ALL description: The product does not clean up its state or incorrectly cleans up @@ -39925,6 +40788,7 @@ rules: Php_Low_Visibility_Incorrect_Implementation_of_Authentication_Algorithm: categories: - checkmarx-low-visibility + - owasp-top-10 - cwe-303 - boost-baseline - ALL @@ -39984,7 +40848,6 @@ rules: - ALL - cwe-117 - checkmarx-low-visibility - - owasp-top-10 description: The product does not neutralize or incorrectly neutralizes output that is written to logs. group: top10-security-logging-monitoring-failures @@ -39996,6 +40859,7 @@ rules: categories: - cwe-691 - checkmarx-low-visibility + - owasp-top-10 - boost-baseline - ALL description: The code does not sufficiently manage its control flow during execution, @@ -40025,6 +40889,7 @@ rules: categories: - cwe-350 - checkmarx-low-visibility + - owasp-top-10 - boost-baseline - ALL description: The product performs reverse DNS resolution on an IP address to obtain @@ -40052,6 +40917,7 @@ rules: Php_Low_Visibility_Unsafe_Use_Of_Target_Blank: categories: - checkmarx-low-visibility + - owasp-top-10 - boost-baseline - ALL - cwe-1022 @@ -40111,6 +40977,7 @@ rules: categories: - boost-hardened - checkmarx-server-side-vulnerability + - owasp-top-10 - boost-baseline - ALL description: AWS credentials are exposed within Python AWS Lambda function code, @@ -40171,6 +41038,7 @@ rules: categories: - checkmarx-server-side-vulnerability - cwe-366 + - owasp-top-10 - boost-baseline - ALL description: If two threads of execution use a resource simultaneously, there 
@@ -40231,7 +41099,6 @@ rules: - ALL - cwe-15 - checkmarx-server-side-vulnerability - - owasp-top-10 description: One or more system settings or configuration elements can be externally controlled by a user. group: top10-security-misconfiguration @@ -40258,6 +41125,7 @@ rules: categories: - boost-baseline - ALL + - owasp-top-10 description: The code searches for Python imports using an insecure method, such as os.system or subprocess.Popen, making it susceptible to arbitrary code execution through shell injection. @@ -40270,6 +41138,7 @@ rules: categories: - boost-baseline - ALL + - owasp-top-10 description: The Python 'find' method is used in a way that can potentially lead to exploitable path inconsistencies or traversal vulnerabilities, creating a security risk for the application. @@ -40518,6 +41387,7 @@ rules: categories: - cwe-203 - checkmarx-low-visibility + - owasp-top-10 - boost-baseline - ALL description: The product behaves differently or sends different responses under @@ -40535,7 +41405,6 @@ rules: - ALL - checkmarx-low-visibility - cwe-11 - - owasp-top-10 description: Debugging messages help attackers learn about the system and plan a form of attack. group: top10-security-misconfiguration @@ -40590,6 +41459,7 @@ rules: categories: - cwe-404 - checkmarx-low-visibility + - owasp-top-10 - boost-baseline - ALL description: The product does not release or incorrectly releases a resource before @@ -40634,7 +41504,6 @@ rules: - ALL - cwe-117 - checkmarx-low-visibility - - owasp-top-10 description: The product does not neutralize or incorrectly neutralizes output that is written to logs. group: top10-security-logging-monitoring-failures @@ -40674,6 +41543,7 @@ rules: categories: - cwe-615 - checkmarx-low-visibility + - owasp-top-10 - boost-baseline - ALL description: 'While adding general comments is very useful, some programmers tend 
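Review bot: In the hunks at `@@ -40231,7 +41099,6 @@`, `@@ -40535,7 +41405,6 @@` and `@@ -40634,7 +41504,6 @@` the category is removed from rules carrying cwe-15, cwe-11 and cwe-117, all of which still say `group: top10-security-misconfiguration` or `top10-security-logging-monitoring-failures` on the new side. At the same time two Python rules with no `cwe-*` category at all (the insecure import search and the `find` path-inconsistency rule) gain `- owasp-top-10`, so the match cannot be CWE-driven for those entries; it presumably comes from a name or group match in the generator. Either way the result is a ruleset where a misconfiguration rule is not in the OWASP category but an uncategorised rule is. Suggest reverting the three removals, or documenting the criterion next to the category so the next regeneration does not flip them again.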
@@ -40702,6 +41572,7 @@ rules: Python_Low_Visibility_ReDoS_Injection: categories: - checkmarx-low-visibility + - owasp-top-10 - cwe-400 - boost-baseline - ALL @@ -40864,6 +41735,7 @@ rules: Python_Medium_Threat_DoS_by_Sleep: categories: - checkmarx-medium-threat + - owasp-top-10 - boost-baseline - ALL description: The product performs an iteration or loop without sufficiently limiting @@ -40879,7 +41751,6 @@ rules: - ALL - checkmarx-medium-threat - cwe-532 - - owasp-top-10 description: Information written to log files can be of a sensitive nature and give valuable guidance to an attacker or expose sensitive user information. group: top10-security-logging-monitoring-failures @@ -40893,7 +41764,6 @@ rules: - ALL - cwe-547 - checkmarx-medium-threat - - owasp-top-10 description: The product uses hard-coded constants instead of symbolic names for security-critical values, which increases the likelihood of mistakes during code maintenance or security policy change. @@ -40923,7 +41793,6 @@ rules: - ALL - boost-baseline - checkmarx-medium-threat - - owasp-top-10 description: The product uses a cookie to store sensitive information, but the cookie is not marked with the HttpOnly flag. group: top10-security-misconfiguration @@ -40938,7 +41807,6 @@ rules: - boost-baseline - ALL - cwe-top-25 - - owasp-top-10 description: The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output. @@ -40981,7 +41849,6 @@ rules: - cwe-614 - checkmarx-medium-threat - ALL - - owasp-top-10 description: The Secure attribute for sensitive cookies in HTTPS sessions is not set, which could cause the user agent to send those cookies in plaintext over an HTTP session. @@ -41071,6 +41938,7 @@ rules: Python_Medium_Threat_ReDoS_In_Replace: categories: - checkmarx-medium-threat + - owasp-top-10 - cwe-400 - boost-baseline - ALL 
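Review bot: The hunks at `@@ -40879,7 +41751,6 @@`, `@@ -40893,7 +41764,6 @@` and `@@ -40981,7 +41849,6 @@` remove `- owasp-top-10` from the cwe-532 (sensitive data in logs), cwe-547 (hard-coded security constants) and cwe-614 (missing Secure cookie attribute) rules, while the HttpOnly and XXE rules on the same line lose it too; these are the A05/A09 weaknesses a Top 10 category is normally expected to cover. The only additions in this line are ReDoS (cwe-400) and DoS-by-sleep rules. The pattern across the whole diff is that `top10-security-misconfiguration` and `top10-security-logging-monitoring-failures` rules lose the category and `top10-insecure-design` rules gain it, which looks like a partial list rather than a deliberate policy change. Please confirm against the source CWE list, and if the list is incomplete keep `- owasp-top-10` on these entries.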
@@ -41087,6 +41955,7 @@ rules: categories: - checkmarx-medium-threat - cwe-599 + - owasp-top-10 - boost-baseline - ALL description: The product uses OpenSSL and trusts or uses a certificate without @@ -41149,6 +42018,7 @@ rules: Python_Medium_Threat_Unchecked_Input_for_Loop_Condition: categories: - checkmarx-medium-threat + - owasp-top-10 - cwe-606 - boost-baseline - ALL @@ -41164,6 +42034,7 @@ rules: categories: - checkmarx-medium-threat - cwe-134 + - owasp-top-10 - boost-baseline - ALL description: The product uses a function that accepts a format string as an argument, @@ -41190,6 +42061,7 @@ rules: RPG_High_Risk_Buffer_Overrun: categories: - boost-hardened + - owasp-top-10 - boost-baseline - ALL - checkmarx-high-risk @@ -41240,6 +42112,7 @@ rules: categories: - cwe-703 - checkmarx-low-visibility + - owasp-top-10 - boost-baseline - ALL description: The product does not properly anticipate or handle exceptional conditions @@ -41253,6 +42126,7 @@ rules: categories: - cwe-404 - checkmarx-low-visibility + - owasp-top-10 - boost-baseline - ALL description: The product does not release or incorrectly releases a resource before @@ -41265,6 +42139,7 @@ rules: RPG_Low_Visibility_Information_Exposure_Through_Dump: categories: - checkmarx-low-visibility + - owasp-top-10 - boost-baseline - ALL description: The product generates a core dump file in a directory, archive, or @@ -41279,6 +42154,7 @@ rules: categories: - cwe-190 - checkmarx-low-visibility + - owasp-top-10 - boost-baseline - ALL - cwe-top-25 @@ -41294,6 +42170,7 @@ rules: RPG_Low_Visibility_Library_Search_Order_Hijacking: categories: - checkmarx-low-visibility + - owasp-top-10 - boost-baseline - ALL description: The product uses a fixed or controlled search path to find resources, @@ -41334,6 +42211,7 @@ rules: RPG_Medium_Threat_DoS_by_Sleep: categories: - checkmarx-medium-threat + - owasp-top-10 - boost-baseline - ALL description: The product performs an iteration or loop without sufficiently limiting 
@@ -41346,6 +42224,7 @@ rules: RPG_Medium_Threat_ReDoS: categories: - checkmarx-medium-threat + - owasp-top-10 - boost-baseline - ALL - cwe-1333 @@ -41360,6 +42239,7 @@ rules: RPG_Medium_Threat_Reflected_Path_Traversal: categories: - checkmarx-medium-threat + - owasp-top-10 - cwe-36 - boost-baseline - ALL @@ -41375,6 +42255,7 @@ rules: Ruby_Best_Coding_Practice_Caching_False_In_Production: categories: - ALL + - owasp-top-10 - checkmarx-best-coding-practices - boost-baseline description: Setting caching to false in a production environment in a Ruby application, @@ -41387,6 +42268,7 @@ rules: Ruby_Best_Coding_Practice_Declaration_Of_Catch_For_Generic_Exception: categories: - cwe-396 + - owasp-top-10 - checkmarx-best-coding-practices - boost-baseline - ALL @@ -41400,6 +42282,7 @@ rules: Ruby_Best_Coding_Practice_Dynamic_Render_Path: categories: - ALL + - owasp-top-10 - checkmarx-best-coding-practices - boost-baseline description: Render paths are determined at runtime in Rails views. This practice @@ -41429,6 +42312,7 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Ruby_Best_Coding_Practice_Global_Variables_Without_Meaningful_Name: categories: + - owasp-top-10 - checkmarx-best-coding-practices - boost-baseline - ALL @@ -41457,6 +42341,7 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Ruby_Best_Coding_Practice_Import_Relative_To_File: categories: + - owasp-top-10 - checkmarx-best-coding-practices - boost-baseline - ALL @@ -41470,6 +42355,7 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Ruby_Best_Coding_Practice_Unchecked_Error_Condition: categories: + - owasp-top-10 - cwe-391 - checkmarx-best-coding-practices - boost-baseline 
@@ -41482,6 +42368,7 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Ruby_Best_Coding_Practice_Unclosed_Objects: categories: + - owasp-top-10 - checkmarx-best-coding-practices - boost-baseline - ALL @@ -41495,6 +42382,7 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Ruby_Best_Coding_Practice_Use_Of_Global_Variables: categories: + - owasp-top-10 - cwe-766 - checkmarx-best-coding-practices - boost-baseline @@ -41632,6 +42520,7 @@ rules: - boost-baseline - ALL - checkmarx-low-visibility + - owasp-top-10 description: The attribute of an Active Record model is not declared as accessible using 'attr_accessible', allowing potential mass assignment vulnerabilities in Ruby on Rails applications. @@ -41676,6 +42565,7 @@ rules: categories: - cwe-203 - checkmarx-low-visibility + - owasp-top-10 - boost-baseline - ALL description: The product behaves differently or sends different responses under @@ -41705,6 +42595,7 @@ rules: categories: - ALL - checkmarx-low-visibility + - owasp-top-10 - boost-baseline - cwe-250 description: The product performs an operation at a privilege level that is higher @@ -41733,6 +42624,7 @@ rules: categories: - cwe-248 - checkmarx-low-visibility + - owasp-top-10 - boost-baseline - ALL description: An exception is thrown from a function, but it is not caught. @@ -41745,6 +42637,7 @@ rules: categories: - cwe-460 - checkmarx-low-visibility + - owasp-top-10 - boost-baseline - ALL description: The product does not clean up its state or incorrectly cleans up @@ -41816,6 +42709,7 @@ rules: categories: - cwe-489 - checkmarx-low-visibility + - owasp-top-10 - boost-baseline - ALL description: The product is deployed to unauthorized actors with debugging code 
@@ -41846,7 +42740,6 @@ rules: - ALL - cwe-117 - checkmarx-low-visibility - - owasp-top-10 description: The product does not neutralize or incorrectly neutralizes output that is written to logs. group: top10-security-logging-monitoring-failures @@ -41991,6 +42884,7 @@ rules: categories: - cwe-242 - checkmarx-low-visibility + - owasp-top-10 - boost-baseline - ALL description: The product calls a function that can never be guaranteed to work @@ -42065,6 +42959,7 @@ rules: Ruby_Medium_Threat_DOS_To_Symbol: categories: - checkmarx-medium-threat + - owasp-top-10 - boost-baseline - ALL - cwe-730 @@ -42096,6 +42991,7 @@ rules: - boost-baseline - ALL - checkmarx-medium-threat + - owasp-top-10 description: The application is utilizing default routes in Ruby, which may expose it to unwanted routes and increase the surface for potential attacks. group: top10-insecure-design @@ -42106,6 +43002,7 @@ rules: Ruby_Medium_Threat_DoS_by_Sleep: categories: - checkmarx-medium-threat + - owasp-top-10 - boost-baseline - ALL description: The product performs an iteration or loop without sufficiently limiting @@ -42120,6 +43017,7 @@ rules: - boost-baseline - ALL - checkmarx-medium-threat + - owasp-top-10 description: Involves downloading files from user-controlled sources without validating or sanitizing their content or origin beforehand, presenting significant security risks like malicious code execution or unauthorized data access. @@ -42134,7 +43032,6 @@ rules: - ALL - checkmarx-medium-threat - cwe-532 - - owasp-top-10 description: Information written to log files can be of a sensitive nature and give valuable guidance to an attacker or expose sensitive user information. group: top10-security-logging-monitoring-failures @@ -42192,6 +43089,7 @@ rules: categories: - checkmarx-medium-threat - cwe-625 + - owasp-top-10 - boost-baseline - ALL description: The product uses a regular expression that does not sufficiently 
@@ -42300,6 +43198,7 @@ rules: categories: - checkmarx-medium-threat - cwe-599 + - owasp-top-10 - boost-baseline - ALL description: The product uses OpenSSL and trusts or uses a certificate without @@ -42408,6 +43307,7 @@ rules: categories: - cwe-477 - vulnerable-and-outdated-components + - owasp-top-10 - boost-baseline - ALL description: The code uses deprecated or obsolete functions, which suggests that @@ -42436,6 +43336,7 @@ rules: Ruby_Vulnerable_Outdated_Versions_Outdated_Rails_Allows_DOS_via_ActiveRecord: categories: - vulnerable-and-outdated-components + - owasp-top-10 - cwe-400 - boost-baseline - ALL @@ -42483,6 +43384,7 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html Scala_Best_Coding_Practice_Potential_Usage_of_Vulnerable_Log4J: categories: + - owasp-top-10 - cwe-400 - checkmarx-best-coding-practices - boost-baseline @@ -42706,7 +43608,6 @@ rules: - ALL - checkmarx-low-visibility - cwe-15 - - owasp-top-10 description: One or more system settings or configuration elements can be externally controlled by a user. group: top10-security-misconfiguration @@ -42719,6 +43620,7 @@ rules: - boost-baseline - ALL - checkmarx-low-visibility + - owasp-top-10 description: Akka's host name verification is disabled, likely by setting the 'akka.ssl-config.loose.disableHostnameVerification' configuration to true, which makes it vulnerable to Man-In-The-Middle (MITM) attacks. @@ -42733,7 +43635,6 @@ rules: - ALL - checkmarx-low-visibility - cwe-15 - - owasp-top-10 description: One or more system settings or configuration elements can be externally controlled by a user. group: top10-security-misconfiguration @@ -42747,7 +43648,6 @@ rules: - ALL - checkmarx-low-visibility - cwe-15 - - owasp-top-10 description: One or more system settings or configuration elements can be externally controlled by a user. group: top10-security-misconfiguration 
@@ -42761,7 +43661,6 @@ rules: - ALL - checkmarx-low-visibility - cwe-15 - - owasp-top-10 description: One or more system settings or configuration elements can be externally controlled by a user. group: top10-security-misconfiguration @@ -42775,7 +43674,6 @@ rules: - ALL - checkmarx-low-visibility - cwe-15 - - owasp-top-10 description: One or more system settings or configuration elements can be externally controlled by a user. group: top10-security-misconfiguration @@ -42816,6 +43714,7 @@ rules: categories: - cwe-203 - checkmarx-low-visibility + - owasp-top-10 - boost-baseline - ALL description: The product behaves differently or sends different responses under @@ -42832,6 +43731,7 @@ rules: - boost-baseline - ALL - checkmarx-low-visibility + - owasp-top-10 description: Code in Scala utilizes deprecated API elements, indicating potential breaking changes in future updates due to obsolete functions or methods. group: top10-insecure-design @@ -42843,6 +43743,7 @@ rules: categories: - cwe-244 - checkmarx-low-visibility + - owasp-top-10 - boost-baseline - ALL description: Using realloc() to resize buffers that store sensitive information @@ -42857,6 +43758,7 @@ rules: categories: - cwe-190 - checkmarx-low-visibility + - owasp-top-10 - boost-baseline - ALL - cwe-top-25 @@ -42948,7 +43850,6 @@ rules: - ALL - cwe-547 - checkmarx-low-visibility - - owasp-top-10 description: The product uses hard-coded constants instead of symbolic names for security-critical values, which increases the likelihood of mistakes during code maintenance or security policy change. @@ -42988,6 +43889,7 @@ rules: Scala_Medium_Threat_Absolute_Path_Traversal: categories: - checkmarx-medium-threat + - owasp-top-10 - cwe-36 - boost-baseline - ALL @@ -43061,6 +43963,7 @@ rules: Scala_Medium_Threat_DoS_by_Sleep: categories: - checkmarx-medium-threat + - owasp-top-10 - boost-baseline - ALL description: The product performs an iteration or loop without sufficiently limiting 
@@ -43077,7 +43980,6 @@ rules: - boost-baseline - ALL - cwe-top-25 - - owasp-top-10 description: The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output. @@ -43107,7 +44009,6 @@ rules: - ALL - cwe-547 - checkmarx-medium-threat - - owasp-top-10 description: The product uses hard-coded constants instead of symbolic names for security-critical values, which increases the likelihood of mistakes during code maintenance or security policy change. @@ -43122,7 +44023,6 @@ rules: - ALL - boost-baseline - checkmarx-medium-threat - - owasp-top-10 description: The product uses a cookie to store sensitive information, but the cookie is not marked with the HttpOnly flag. group: top10-security-misconfiguration @@ -43134,6 +44034,7 @@ rules: categories: - checkmarx-medium-threat - cwe-667 + - owasp-top-10 - boost-baseline - ALL description: The product does not properly acquire or release a lock on a resource, @@ -43164,7 +44065,6 @@ rules: - cwe-614 - checkmarx-medium-threat - ALL - - owasp-top-10 description: The Secure attribute for sensitive cookies in HTTPS sessions is not set, which could cause the user agent to send those cookies in plaintext over an HTTP session. @@ -43176,6 +44076,7 @@ rules: Scala_Medium_Threat_Multiple_Binds_to_the_Same_Port: categories: - checkmarx-medium-threat + - owasp-top-10 - boost-baseline - ALL - cwe-605 @@ -43233,6 +44134,7 @@ rules: Scala_Medium_Threat_ReDoS_From_Regex_Injection: categories: - checkmarx-medium-threat + - owasp-top-10 - cwe-400 - boost-baseline - ALL @@ -43248,6 +44150,7 @@ rules: Scala_Medium_Threat_ReDoS_In_Match: categories: - checkmarx-medium-threat + - owasp-top-10 - cwe-400 - boost-baseline - ALL @@ -43263,6 +44166,7 @@ rules: Scala_Medium_Threat_ReDoS_In_Pattern: categories: - checkmarx-medium-threat + - owasp-top-10 - cwe-400 - boost-baseline - ALL 
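Review bot: This line removes `- owasp-top-10` from the Scala XXE rule (`@@ -43077,7 +43980,6 @@`), the cwe-547 rule, the HttpOnly cookie rule and the cwe-614 Secure-cookie rule, each of which keeps a `top10-security-misconfiguration` group on the new side, and adds it to four ReDoS rules on cwe-400 and to `Scala_Medium_Threat_Multiple_Binds_to_the_Same_Port` (cwe-605). Taken with the rest of the diff the change effectively re-labels the OWASP category from misconfiguration/logging weaknesses to availability and code-quality ones, which would change what a consumer filtering on `owasp-top-10` sees without any note in the commit. If the regeneration is correct, the `group:` values should be updated in the same commit; if not, the four removals here should be dropped.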
@@ -43278,6 +44182,7 @@ rules: Scala_Medium_Threat_ReDoS_In_Replace: categories: - checkmarx-medium-threat + - owasp-top-10 - cwe-400 - boost-baseline - ALL @@ -43293,6 +44198,7 @@ rules: Scala_Medium_Threat_Relative_Path_Traversal: categories: - checkmarx-medium-threat + - owasp-top-10 - cwe-36 - boost-baseline - ALL @@ -43326,6 +44232,7 @@ rules: categories: - checkmarx-medium-threat - cwe-599 + - owasp-top-10 - boost-baseline - ALL description: The product uses OpenSSL and trusts or uses a certificate without @@ -43388,7 +44295,6 @@ rules: - boost-baseline - ALL - cwe-top-25 - - owasp-top-10 description: The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output. @@ -43572,6 +44478,7 @@ rules: - boost-baseline - ALL - checkmarx-best-coding-practices + - owasp-top-10 description: Identifies and flags methods in Swift code that are empty, which may indicate overlooked or incomplete implementation. group: top10-insecure-design @@ -43611,6 +44518,7 @@ rules: Swift_High_Risk_Resource_Updated_By_URL_Data: categories: - boost-hardened + - owasp-top-10 - boost-baseline - ALL - checkmarx-high-risk @@ -43702,6 +44610,7 @@ rules: categories: - cwe-530 - checkmarx-low-visibility + - owasp-top-10 - boost-baseline - ALL description: A backup file is stored in a directory or archive that is made accessible @@ -43744,6 +44653,7 @@ rules: categories: - cwe-477 - checkmarx-low-visibility + - owasp-top-10 - boost-baseline - ALL description: The code uses deprecated or obsolete functions, which suggests that @@ -43757,6 +44667,7 @@ rules: categories: - cwe-244 - checkmarx-low-visibility + - owasp-top-10 - boost-baseline - ALL description: Using realloc() to resize buffers that store sensitive information 
@@ -43770,6 +44681,7 @@ rules: Swift_Low_Visibility_Information_Leak_Through_Response_Caching: categories: - checkmarx-low-visibility + - owasp-top-10 - cwe-524 - boost-baseline - ALL @@ -43826,6 +44738,7 @@ rules: categories: - cwe-693 - checkmarx-low-visibility + - owasp-top-10 - boost-baseline - ALL description: The product does not use or incorrectly uses a protection mechanism @@ -43839,6 +44752,7 @@ rules: categories: - cwe-252 - checkmarx-low-visibility + - owasp-top-10 - boost-baseline - ALL description: The product does not check the return value from a method or function, @@ -43867,6 +44781,7 @@ rules: categories: - cwe-615 - checkmarx-low-visibility + - owasp-top-10 - boost-baseline - ALL description: 'While adding general comments is very useful, some programmers tend @@ -44075,6 +44990,7 @@ rules: categories: - checkmarx-medium-threat - cwe-134 + - owasp-top-10 - boost-baseline - ALL description: The product uses a function that accepts a format string as an argument, @@ -44179,6 +45095,7 @@ rules: Swift_Medium_Threat_ReDoS: categories: - checkmarx-medium-threat + - owasp-top-10 - boost-baseline - ALL - cwe-1333 @@ -44210,6 +45127,7 @@ rules: Swift_Medium_Threat_Screen_Caching: categories: - checkmarx-medium-threat + - owasp-top-10 - cwe-524 - boost-baseline - ALL @@ -44257,7 +45175,6 @@ rules: - boost-baseline - ALL - cwe-top-25 - - owasp-top-10 description: The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output. @@ -44390,6 +45307,7 @@ rules: categories: - cwe-118 - checkmarx-low-visibility + - owasp-top-10 - boost-baseline - ALL description: The product does not restrict or incorrectly restricts operations 
@@ -44419,6 +45337,7 @@ rules: categories: - cwe-248 - checkmarx-low-visibility + - owasp-top-10 - boost-baseline - ALL description: An exception is thrown from a function, but it is not caught. @@ -44476,7 +45395,6 @@ rules: - ALL - cwe-117 - checkmarx-low-visibility - - owasp-top-10 description: The product does not neutralize or incorrectly neutralizes output that is written to logs. group: top10-security-logging-monitoring-failures @@ -44518,6 +45436,7 @@ rules: VB6_Medium_Threat_DoS_by_Sleep: categories: - checkmarx-medium-threat + - owasp-top-10 - boost-baseline - ALL description: The product performs an iteration or loop without sufficiently limiting @@ -44533,7 +45452,6 @@ rules: - ALL - cwe-547 - checkmarx-medium-threat - - owasp-top-10 description: The product uses hard-coded constants instead of symbolic names for security-critical values, which increases the likelihood of mistakes during code maintenance or security policy change. @@ -44596,6 +45514,7 @@ rules: - boost-baseline - ALL - checkmarx-best-coding-practices + - owasp-top-10 description: A method in Visual Basic .NET designated with AllowPartiallyTrustedCallersAttribute (APTCA) invokes a method not marked with APTCA, opening up vulnerabilities for privilege escalation. @@ -44607,6 +45526,7 @@ rules: VbNet_Best_Coding_Practice_Catch_NullPointerException: categories: - cwe-395 + - owasp-top-10 - checkmarx-best-coding-practices - boost-baseline - ALL @@ -44620,6 +45540,7 @@ rules: VbNet_Best_Coding_Practice_Declaration_Of_Catch_For_Generic_Exception: categories: - cwe-396 + - owasp-top-10 - checkmarx-best-coding-practices - boost-baseline - ALL @@ -44635,6 +45556,7 @@ rules: - boost-baseline - ALL - checkmarx-best-coding-practices + - owasp-top-10 description: Code is using methods which have been marked as deprecated, indicating they might not be supported in future versions and should be replaced with newer alternatives. 
@@ -44646,6 +45568,7 @@ rules: VbNet_Best_Coding_Practice_Detection_of_Error_Condition_Without_Action: categories: - cwe-390 + - owasp-top-10 - checkmarx-best-coding-practices - boost-baseline - ALL @@ -44659,6 +45582,7 @@ rules: VbNet_Best_Coding_Practice_Direct_Use_of_Sockets: categories: - boost-baseline + - owasp-top-10 - checkmarx-best-coding-practices - cwe-246 - ALL @@ -44688,6 +45612,7 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html VbNet_Best_Coding_Practice_Exposure_of_Resource_to_Wrong_Sphere: categories: + - owasp-top-10 - cwe-493 - checkmarx-best-coding-practices - boost-baseline @@ -44701,6 +45626,7 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html VbNet_Best_Coding_Practice_GetLastWin32Error_Is_Not_Called_After_Pinvoke: categories: + - owasp-top-10 - checkmarx-best-coding-practices - boost-baseline - ALL @@ -44746,6 +45672,7 @@ rules: VbNet_Best_Coding_Practice_Just_One_of_Equals_and_Hash_code_Defined: categories: - ALL + - owasp-top-10 - checkmarx-best-coding-practices - boost-baseline - cwe-581 @@ -44758,6 +45685,7 @@ rules: VbNet_Best_Coding_Practice_Leftover_Debug_Code: categories: - cwe-489 + - owasp-top-10 - checkmarx-best-coding-practices - boost-baseline - ALL @@ -44774,6 +45702,7 @@ rules: - boost-baseline - ALL - checkmarx-best-coding-practices + - owasp-top-10 description: Identifies the hard coding of numbers, referred to as "magic numbers," in Visual Basic .NET code, which can decrease maintainability and readability. group: top10-insecure-design @@ -44784,6 +45713,7 @@ rules: VbNet_Best_Coding_Practice_Missing_XML_Validation: categories: - cwe-112 + - owasp-top-10 - checkmarx-best-coding-practices - boost-baseline - ALL 
@@ -44799,6 +45729,7 @@ rules: - boost-baseline - ALL - checkmarx-best-coding-practices + - owasp-top-10 description: Passing a null argument to the 'Equals' method in Visual Basic .Net might result in a NullReferenceException, causing an application crash. group: top10-insecure-design @@ -44811,6 +45742,7 @@ rules: - boost-baseline - ALL - checkmarx-best-coding-practices + - owasp-top-10 description: Non-private static constructors in VB.NET are accessible outside the class, presenting an opportunity for unintended use or manipulation and potential security risks. @@ -44821,6 +45753,7 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html VbNet_Best_Coding_Practice_Pages_Without_Global_Error_Handler: categories: + - owasp-top-10 - cwe-544 - checkmarx-best-coding-practices - boost-baseline @@ -44838,6 +45771,7 @@ rules: - boost-baseline - ALL - checkmarx-best-coding-practices + - owasp-top-10 description: The 'PersistSecurityInfo' property is set to 'True' risking the exposure of sensitive data such as connection string with passwords in log files or other external sources. @@ -44849,6 +45783,7 @@ rules: VbNet_Best_Coding_Practice_Threads_in_WebApp: categories: - ALL + - owasp-top-10 - checkmarx-best-coding-practices - boost-baseline - cwe-383 @@ -44861,6 +45796,7 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html VbNet_Best_Coding_Practice_Unchecked_Error_Condition: categories: + - owasp-top-10 - cwe-391 - checkmarx-best-coding-practices - boost-baseline @@ -44874,6 +45810,7 @@ rules: VbNet_Best_Coding_Practice_Unchecked_Return_Value: categories: - cwe-252 + - owasp-top-10 - checkmarx-best-coding-practices - boost-baseline - ALL @@ -44886,6 +45823,7 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html VbNet_Best_Coding_Practice_Unclosed_Objects: categories: + - owasp-top-10 - checkmarx-best-coding-practices - boost-baseline - ALL 
@@ -44902,6 +45840,7 @@ rules: - boost-baseline - ALL - checkmarx-best-coding-practices + - owasp-top-10 description: Public methods in VB.NET code accept arguments without conducting appropriate validation, increasing susceptibility to malicious input exploitation. group: top10-insecure-design @@ -44912,6 +45851,7 @@ rules: VbNet_Best_Coding_Practice_Use_Of_Uninitialized_Variables: categories: - cwe-457 + - owasp-top-10 - checkmarx-best-coding-practices - boost-baseline - ALL @@ -44924,6 +45864,7 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html VbNet_Best_Coding_Practice_Use_of_System_Output_Stream: categories: + - owasp-top-10 - cwe-398 - checkmarx-best-coding-practices - boost-baseline @@ -44939,6 +45880,7 @@ rules: - boost-baseline - ALL - checkmarx-best-coding-practices + - owasp-top-10 description: Pointers in Visual Basic .NET are visible, posing a risk for unsafe code execution due to direct memory manipulation. group: top10-insecure-design @@ -45267,6 +46209,7 @@ rules: categories: - cwe-171 - checkmarx-low-visibility + - owasp-top-10 - boost-baseline - ALL description: Improper handling of data within protection mechanisms that attempt @@ -45294,6 +46237,7 @@ rules: categories: - cwe-203 - checkmarx-low-visibility + - owasp-top-10 - boost-baseline - ALL description: The product behaves differently or sends different responses under @@ -45309,6 +46253,7 @@ rules: categories: - cwe-244 - checkmarx-low-visibility + - owasp-top-10 - boost-baseline - ALL description: Using realloc() to resize buffers that store sensitive information @@ -45325,7 +46270,6 @@ rules: - ALL - checkmarx-low-visibility - cwe-520 - - owasp-top-10 description: Allowing a .NET application to run at potentially escalated levels of access to the underlying operating and file systems can be dangerous and result in various forms of attacks. 
@@ -45354,6 +46298,7 @@ rules: categories: - cwe-248 - checkmarx-low-visibility + - owasp-top-10 - boost-baseline - ALL description: An exception is thrown from a function, but it is not caught. @@ -45366,6 +46311,7 @@ rules: categories: - cwe-404 - checkmarx-low-visibility + - owasp-top-10 - boost-baseline - ALL description: The product does not release or incorrectly releases a resource before @@ -45393,6 +46339,7 @@ rules: categories: - cwe-460 - checkmarx-low-visibility + - owasp-top-10 - boost-baseline - ALL description: The product does not clean up its state or incorrectly cleans up @@ -45465,6 +46412,7 @@ rules: VbNet_Low_Visibility_Leaving_Temporary_Files: categories: - checkmarx-low-visibility + - owasp-top-10 - boost-baseline - ALL - cwe-376 @@ -45480,7 +46428,6 @@ rules: - ALL - cwe-117 - checkmarx-low-visibility - - owasp-top-10 description: The product does not neutralize or incorrectly neutralizes output that is written to logs. group: top10-security-logging-monitoring-failures @@ -45568,6 +46515,7 @@ rules: categories: - cwe-567 - checkmarx-low-visibility + - owasp-top-10 - boost-baseline - ALL description: The product does not properly synchronize shared data, such as static @@ -45596,6 +46544,7 @@ rules: categories: - cwe-647 - checkmarx-low-visibility + - owasp-top-10 - boost-baseline - ALL description: The product defines policy namespaces and makes authorization decisions @@ -45652,6 +46601,7 @@ rules: VbNet_Medium_Threat_Buffer_Overflow: categories: - checkmarx-medium-threat + - owasp-top-10 - cwe-120 - boost-baseline - ALL @@ -45726,6 +46676,7 @@ rules: VbNet_Medium_Threat_DoS_by_Sleep: categories: - checkmarx-medium-threat + - owasp-top-10 - boost-baseline - ALL description: The product performs an iteration or loop without sufficiently limiting 
@@ -45756,7 +46707,6 @@ rules: - ALL - cwe-547 - checkmarx-medium-threat - - owasp-top-10 description: The product uses hard-coded constants instead of symbolic names for security-critical values, which increases the likelihood of mistakes during code maintenance or security policy change. @@ -45769,6 +46719,7 @@ rules: categories: - checkmarx-medium-threat - cwe-667 + - owasp-top-10 - boost-baseline - ALL description: The product does not properly acquire or release a lock on a resource, @@ -45782,6 +46733,7 @@ rules: categories: - checkmarx-medium-threat - cwe-190 + - owasp-top-10 - boost-baseline - ALL - cwe-top-25 @@ -45945,6 +46897,7 @@ rules: categories: - cwe-404 - checkmarx-medium-threat + - owasp-top-10 - boost-baseline - ALL description: The product does not release or incorrectly releases a resource before @@ -45986,6 +46939,7 @@ rules: VbNet_Medium_Threat_Value_Shadowing: categories: - checkmarx-medium-threat + - owasp-top-10 - cwe-233 - boost-baseline - ALL @@ -46017,6 +46971,7 @@ rules: - boost-baseline - ALL - checkmarx-web-config + - owasp-top-10 description: The session state in the web.config file of a VB.NET application is configured to be cookieless, which may expose Session IDs in the URL, increasing the risk of session hijacking. @@ -46028,6 +46983,7 @@ rules: VbNet_WebConfig_CustomError: categories: - cwe-12 + - owasp-top-10 - checkmarx-web-config - boost-baseline - ALL @@ -46044,7 +47000,6 @@ rules: - ALL - checkmarx-web-config - cwe-11 - - owasp-top-10 description: Debugging messages help attackers learn about the system and plan a form of attack. group: top10-security-misconfiguration @@ -46072,6 +47027,7 @@ rules: VbNet_WebConfig_HardcodedCredentials: categories: - cwe-489 + - owasp-top-10 - checkmarx-web-config - boost-baseline - ALL 
@@ -46090,7 +47046,6 @@ rules: - checkmarx-web-config - boost-baseline - ALL - - owasp-top-10 description: The product uses a cookie to store sensitive information, but the cookie is not marked with the HttpOnly flag. group: top10-security-misconfiguration @@ -46115,6 +47070,7 @@ rules: ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html VbNet_WebConfig_NonUniqueFormName: categories: + - owasp-top-10 - checkmarx-web-config - cwe-694 - boost-baseline @@ -46132,7 +47088,6 @@ rules: - ALL - checkmarx-web-config - cwe-260 - - owasp-top-10 description: The product stores a password in a configuration file that might be accessible to actors who do not know the password. group: top10-security-misconfiguration @@ -46146,7 +47101,6 @@ rules: - cwe-614 - ALL - checkmarx-web-config - - owasp-top-10 description: The Secure attribute for sensitive cookies in HTTPS sessions is not set, which could cause the user agent to send those cookies in plaintext over an HTTP session. @@ -46173,6 +47127,7 @@ rules: VbNet_WebConfig_TraceEnabled: categories: - boost-baseline + - owasp-top-10 - checkmarx-web-config - cwe-749 - ALL @@ -46225,7 +47180,6 @@ rules: - ALL - checkmarx-low-visibility - cwe-315 - - owasp-top-10 description: The product stores sensitive information in cleartext in a cookie. group: top10-security-misconfiguration name: VbScript_Low_Visibility_Cookies_Inspection @@ -46250,6 +47204,7 @@ rules: VbScript_Low_Visibility_Weak_Password_Authentication: categories: - checkmarx-low-visibility + - owasp-top-10 - boost-baseline - ALL description: The VBScript code uses a weak password authentication mechanism, @@ -46263,6 +47218,7 @@ rules: VbScript_Medium_Threat_Client_DoS_By_Sleep: categories: - checkmarx-medium-threat + - owasp-top-10 - boost-baseline - ALL - cwe-730 
@@ -46276,6 +47232,7 @@ rules:
 categories:
 - checkmarx-medium-threat
 - cwe-618
+ - owasp-top-10
 - boost-baseline
 - ALL
 description: An ActiveX control is intended for use in a web browser, but it exposes
diff --git a/server-side-scanners/boostsecurityio/sci-sca/rules.yaml b/server-side-scanners/boostsecurityio/sci-sca/rules.yaml
index cfc3e27b..4c5ef1b1 100644
--- a/server-side-scanners/boostsecurityio/sci-sca/rules.yaml
+++ b/server-side-scanners/boostsecurityio/sci-sca/rules.yaml
@@ -1,3 +1,5 @@
+import:
+ - boostsecurityio/sca-cve
 rules:
 use-of-unsafe-ai-model:
 categories:
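Review bot: The new `import:` of `boostsecurityio/sca-cve` in sci-sca/rules.yaml carries no comment saying why this scanner needs another module's rule set, and the rest of the file is outside the hunk, so a reader cannot see which sci-sca rule keys depend on it. Presumably sci-sca findings reference sca-cve rule ids that must resolve at load time; if so, a one-line comment above the directive such as `# sci-sca findings reuse sca-cve rule ids; keep in sync with that module` would make the dependency explicit for whoever next edits either file.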