[{"tags":["semgrep","security","sql","sqli","sql injection"],"stats":{"cwe":{"totals":{"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')":2},"per_framework":{"":{"go":{"":3},"js":{"":1},"java":{"":8},"ruby":{"":1},"regex":{"":1},"python":{"":5}},"CWE-943: Improper Neutralization of Special Elements in Data Query Logic":{"javascript":{"":2}},"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')":{"java":{"":2},"python":{"":9},"javascript":{"":5}},"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')\n":{"python":{"":1}}},"rules_with_no_cwe":["pg-orm-sqli","pg-sqli","pgx-sqli","find-sql-string-concatenation","hibernate-sqli","jdbc-sqli","jdo-sqli","jpa-sqli","turbine-sqli","vertx-sqli","spring-sqli","node-postgres-sqli","aiopg-sqli","asyncpg-sqli","pg8000-sqli","psycopg-sqli","sqlalchemy-sql-injection","ruby-pg-sqli","detected-sql-dump"]},"owasp":{"totals":{"":19,"A1: Injection":19},"per_framework":{"":{"go":{"":3},"js":{"":1},"java":{"":8},"ruby":{"":1},"regex":{"":1},"python":{"":5}},"A1: Injection":{"java":{"":2},"python":{"":10},"javascript":{"":7}}},"rules_with_no_owasp":["pg-orm-sqli","pg-sqli","pgx-sqli","find-sql-string-concatenation","hibernate-sqli","jdbc-sqli","jdo-sqli","jpa-sqli","turbine-sqli","vertx-sqli","spring-sqli","node-postgres-sqli","aiopg-sqli","asyncpg-sqli","pg8000-sqli","psycopg-sqli","sqlalchemy-sql-injection","ruby-pg-sqli","detected-sql-dump"]}},"author":"Colleen Dai","username":"colleend","languages":["go","ruby","python","java","javascript"],"description":"SQL injection guardrails. 
Checks for non-constant SQL queries and other SQLi.","id":"dYX","name":"minusworld.sql-injection","visibility":"public","categories":[]},{"tags":[],"tier":null,"stats":{"cwe":{"totals":{},"per_framework":{},"rules_with_no_cwe":[]},"owasp":{"totals":{},"per_framework":{},"rules_with_no_owasp":[]}},"author":"javixeneize","counts":{"total_rules":0,"premium_rules":0},"hidden":true,"description":"","id":"6Lo","name":"javixeneize.java rules","visibility":"public","categories":[]},{"tags":[],"tier":null,"stats":{"cwe":{"totals":{},"per_framework":{},"rules_with_no_cwe":[]},"owasp":{"totals":{},"per_framework":{},"rules_with_no_owasp":[]}},"author":"andyisimprovised","counts":{"total_rules":0,"premium_rules":0},"hidden":true,"description":"","id":"PBY","name":"andyisimprovised.andreaspack","visibility":"public","categories":[]},{"tags":[],"tier":null,"stats":{"cwe":{"totals":{},"per_framework":{},"rules_with_no_cwe":[]},"owasp":{"totals":{},"per_framework":{},"rules_with_no_owasp":[]}},"author":"andyisimprovised","counts":{"total_rules":0,"premium_rules":0},"hidden":true,"description":null,"id":"JPw","name":"andyisimprovised.yend-rules","visibility":"public","categories":[]},{"tags":[],"tier":null,"stats":{"cwe":{"totals":{"":1},"per_framework":{"":{"java":{"":1}}},"rules_with_no_cwe":["my_pattern_id"]},"owasp":{"totals":{"":1},"per_framework":{"":{"java":{"":1}}},"rules_with_no_owasp":["my_pattern_id"]}},"author":"Paul Harrington","counts":{"total_rules":1,"premium_rules":0},"hidden":true,"description":null,"id":"rrn","name":"didn0t.1lzg-rules","visibility":"public","categories":[]},{"tags":["semgrep","security","javascript","insecure transport"],"stats":{"cwe":{"totals":{"CWE-319: Cleartext Transmission of Sensitive Information":8},"per_framework":{"CWE-319: Cleartext Transmission of Sensitive Information":{"javascript":{"":8}}},"rules_with_no_cwe":[]},"owasp":{"totals":{"A3: Sensitive Data Exposure":8},"per_framework":{"A3: Sensitive Data 
Exposure":{"javascript":{"":8}}},"rules_with_no_owasp":[]}},"author":"r2c","description":"Rule pack for detecting insecure transport in node js","id":"w6P","name":"helper_scripts.insecure-transport-jsnode","visibility":"public","categories":[]},{"tags":["semgrep","security","java","insecure transport"],"stats":{"cwe":{"totals":{},"per_framework":{},"rules_with_no_cwe":[]},"owasp":{"totals":{},"per_framework":{},"rules_with_no_owasp":[]}},"author":"r2c","description":"Rule pack for detecting insecure transport in java spring.","id":"ogN","name":"colleend.test","visibility":"public","categories":[]},{"tags":["replit"],"stats":{"cwe":{"totals":{"CWE-91: XML Injection":1,"CWE-489: Active Debug Code":1,"CWE-310: Cryptographic Issues":1,"CWE-287: Improper Authentication":3,"CWE-346: Origin Validation Error":1,"CWE-20: Improper Input Validation":1,"CWE-521: Weak Password Requirements":3,"CWE-276: Incorrect Default Permissions":1,"CWE-798: Use of Hard-coded Credentials":227,"CWE-326: Inadequate Encryption Strength":8,"CWE-295: Improper Certificate Validation":4,"CWE-183: Permissive List of Allowed Inputs":2,"CWE-352: Cross-Site Request Forgery (CSRF)":1,"CWE-400: Uncontrolled Resource Consumption":1,"CWE-502: Deserialization of Untrusted Data":8,"CWE-704: Incorrect Type Conversion or Cast":3,"CWE-310: CWE CATEGORY: Cryptographic Issues":2,"CWE-918: Server-Side Request Forgery (SSRF)":22,"CWE-321: Use of Hard-coded Cryptographic Key":1,"CWE-330: Use of Insufficiently Random Values":1,"CWE-311: Missing Encryption of Sensitive Data":2,"CWE-522: Insufficiently Protected Credentials":4,"CWE-523: Unprotected Transport of Credentials":1,"CWE-73: External Control of File Name or Path":1,"CWE-250: Execution with Unnecessary Privileges":1,"CWE-116: Improper Encoding or Escaping of Output":4,"CWE-1333: Inefficient Regular Expression Complexity":2,"CWE-134: Use of Externally-Controlled Format String":1,"CWE-322: Key Exchange without Entity Authentication":1,"CWE-1104: Use of 
Unmaintained Third Party Components":1,"CWE-306: Missing Authentication for Critical Function":2,"CWE-706: Use of Incorrectly-Resolved Name or Reference":3,"CWE-1204: Generation of Weak Initialization Vector (IV)":1,"CWE-345: Insufficient Verification of Data Authenticity":4,"CWE-319: Cleartext Transmission of Sensitive Information":26,"CWE-327: Use of a Broken or Risky Cryptographic Algorithm":16,"CWE-347: Improper Verification of Cryptographic Signature":1,"CWE-553: Command Shell in Externally Accessible Directory":1,"CWE-548: Exposure of Information Through Directory Listing":1,"CWE-601: URL Redirection to Untrusted Site ('Open Redirect')":5,"CWE-770: Allocation of Resources Without Limits or Throttling":1,"CWE-611: Improper Restriction of XML External Entity Reference":10,"CWE-942: Permissive Cross-domain Policy with Untrusted Domains":2,"CWE-939: Improper Authorization in Handler for Custom URL Scheme":1,"CWE-155: Improper Neutralization of Wildcards or Matching Symbols":1,"CWE-94: Improper Control of Generation of Code ('Code Injection')":12,"CWE-1236: Improper Neutralization of Formula Elements in a CSV File":2,"CWE-916: Use of Password Hash With Insufficient Computational Effort":1,"CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')":1,"CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute":1,"CWE-451: User Interface (UI) Misrepresentation of Critical Information":1,"CWE-943: Improper Neutralization of Special Elements in Data Query Logic":2,"CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine":1,"CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer":1,"CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)":1,"CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')":8,"CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes":6,"CWE-538: Insertion of Sensitive Information into 
Externally-Accessible File or Directory":1,"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')":50,"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')":27,"CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')":1,"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')":18,"CWE-96: Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')":6,"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')":39,"CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')":2},"per_framework":{"CWE-91: XML Injection":{"python":{"":1}},"CWE-489: Active Debug Code":{"python":{"":1}},"CWE-310: Cryptographic Issues":{"python":{"":1}},"CWE-287: Improper Authentication":{"js":{"":1},"python":{"":1},"javascript":{"":1}},"CWE-346: Origin Validation Error":{"javascript":{"":1}},"CWE-20: Improper Input Validation":{"python":{"":1}},"CWE-521: Weak Password Requirements":{"python":{"":3}},"CWE-276: Incorrect Default Permissions":{"python":{"":1}},"CWE-798: Use of Hard-coded Credentials":{"regex":{"":217},"python":{"":2},"generic":{"":5},"javascript":{"":3}},"CWE-326: Inadequate Encryption Strength":{"python":{"":8}},"CWE-295: Improper Certificate Validation":{"python":{"":4}},"CWE-183: Permissive List of Allowed Inputs":{"ts":{"":1},"typescript":{"":1}},"CWE-352: Cross-Site Request Forgery (CSRF)":{"javascript":{"":1}},"CWE-400: Uncontrolled Resource Consumption":{"javascript":{"":1}},"CWE-502: Deserialization of Untrusted Data":{"python":{"":6},"javascript":{"":2}},"CWE-704: Incorrect Type Conversion or Cast":{"python":{"":3}},"CWE-310: CWE CATEGORY: Cryptographic Issues":{"javascript":{"":2}},"CWE-918: Server-Side Request Forgery (SSRF)":{"python":{"":5},"javascript":{"":17}},"CWE-321: Use of Hard-coded 
Cryptographic Key":{"regex":{"":1}},"CWE-330: Use of Insufficiently Random Values":{"python":{"":1}},"CWE-311: Missing Encryption of Sensitive Data":{"ts":{"":1},"typescript":{"":1}},"CWE-522: Insufficiently Protected Credentials":{"javascript":{"":4}},"CWE-523: Unprotected Transport of Credentials":{"python":{"":1}},"CWE-73: External Control of File Name or Path":{"javascript":{"":1}},"CWE-250: Execution with Unnecessary Privileges":{"python":{"":1}},"CWE-116: Improper Encoding or Escaping of Output":{"python":{"":1},"javascript":{"":3}},"CWE-1333: Inefficient Regular Expression Complexity":{"javascript":{"":2}},"CWE-134: Use of Externally-Controlled Format String":{"python":{"":1}},"CWE-322: Key Exchange without Entity Authentication":{"python":{"":1}},"CWE-1104: Use of Unmaintained Third Party Components":{"javascript":{"":1}},"CWE-306: Missing Authentication for Critical Function":{"ts":{"":2}},"CWE-706: Use of Incorrectly-Resolved Name or Reference":{"python":{"":1},"javascript":{"":2}},"CWE-1204: Generation of Weak Initialization Vector (IV)":{"javascript":{"":1}},"CWE-345: Insufficient Verification of Data Authenticity":{"javascript":{"":4}},"CWE-319: Cleartext Transmission of Sensitive Information":{"regex":{"":1},"python":{"":14},"javascript":{"":10},"typescript":{"":1}},"CWE-327: Use of a Broken or Risky Cryptographic Algorithm":{"python":{"":13},"javascript":{"":3}},"CWE-347: Improper Verification of Cryptographic Signature":{"javascript":{"":1}},"CWE-553: Command Shell in Externally Accessible Directory":{"python":{"":1}},"CWE-548: Exposure of Information Through Directory Listing":{"javascript":{"":1}},"CWE-601: URL Redirection to Untrusted Site ('Open Redirect')":{"python":{"":2},"javascript":{"":2},"typescript":{"":1}},"CWE-770: Allocation of Resources Without Limits or Throttling":{"python":{"":1}},"CWE-611: Improper Restriction of XML External Entity Reference":{"python":{"":2},"javascript":{"":8}},"CWE-942: Permissive Cross-domain Policy with 
Untrusted Domains":{"python":{"":2}},"CWE-939: Improper Authorization in Handler for Custom URL Scheme":{"python":{"":1}},"CWE-155: Improper Neutralization of Wildcards or Matching Symbols":{"python":{"":1}},"CWE-94: Improper Control of Generation of Code ('Code Injection')":{"javascript":{"":12}},"CWE-1236: Improper Neutralization of Formula Elements in a CSV File":{"python":{"":2}},"CWE-916: Use of Password Hash With Insufficient Computational Effort":{"javascript":{"":1}},"CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')":{"python":{"":1}},"CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute":{"python":{"":1}},"CWE-451: User Interface (UI) Misrepresentation of Critical Information":{"javascript":{"":1}},"CWE-943: Improper Neutralization of Special Elements in Data Query Logic":{"python":{"":1},"javascript":{"":1}},"CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine":{"javascript":{"":1}},"CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer":{"javascript":{"":1}},"CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)":{"javascript":{"":1}},"CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')":{"python":{"":5},"javascript":{"":2},"typescript":{"":1}},"CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes":{"python":{"":2},"javascript":{"":3},"typescript":{"":1}},"CWE-538: Insertion of Sensitive Information into Externally-Accessible File or Directory":{"generic":{"":1}},"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')":{"python":{"":19},"javascript":{"":24},"typescript":{"":7}},"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')":{"python":{"":17},"javascript":{"":10}},"CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity 
Expansion')":{"python":{"":1}},"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')":{"python":{"":13},"javascript":{"":5}},"CWE-96: Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')":{"python":{"":6}},"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')":{"python":{"":32},"javascript":{"":7}},"CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')":{"python":{"":2}}},"rules_with_no_cwe":[]},"owasp":{"totals":{"":11,"A01:2017: Injection":74,"A03:2021: Injection":165,"A05:2025: Injection":165,"A6:2017 misconfiguration":1,"A04:2021: Insecure Design":10,"A06:2025: Insecure Design":10,"A01:2021: Broken Access Control":19,"A01:2025: Broken Access Control":41,"A02:2017: Broken Authentication":6,"A05:2017: Broken Access Control":9,"A3:2017 Sensitive Data Exposure":1,"A02:2021: Cryptographic Failures":47,"A04:2025: Cryptographic Failures":47,"A03:2017: Sensitive Data Exposure":53,"A07:2025: Authentication Failures":239,"A08:2017: Insecure Deserialization":8,"A02:2021 – Cryptographic Failures":2,"A02:2025: Security Misconfiguration":17,"A05:2021: Security Misconfiguration":17,"A06:2017: Security Misconfiguration":5,"A07:2017: Cross-Site Scripting (XSS)":50,"A04:2017: XML External Entities (XXE)":11,"A03:2025: Software Supply Chain Failures":1,"A06:2021: Vulnerable and Outdated Components":1,"A10:2021: Server-Side Request Forgery (SSRF)":22,"A08:2025: Software or Data Integrity Failures":17,"A08:2021: Software and Data Integrity Failures":17,"A07:2021: Identification and Authentication Failures":239},"per_framework":{"":{"js":{"":1},"regex":{"":1},"python":{"":6},"javascript":{"":3}},"A01:2017: Injection":{"python":{"":55},"javascript":{"":19}},"A03:2021: Injection":{"python":{"":95},"javascript":{"":63},"typescript":{"":7}},"A05:2025: 
Injection":{"python":{"":95},"javascript":{"":63},"typescript":{"":7}},"A6:2017 misconfiguration":{"python":{"":1}},"A04:2021: Insecure Design":{"ts":{"":2},"javascript":{"":6},"typescript":{"":2}},"A06:2025: Insecure Design":{"ts":{"":2},"javascript":{"":6},"typescript":{"":2}},"A01:2021: Broken Access Control":{"python":{"":9},"javascript":{"":8},"typescript":{"":2}},"A01:2025: Broken Access Control":{"python":{"":14},"javascript":{"":25},"typescript":{"":2}},"A02:2017: Broken Authentication":{"python":{"":2},"javascript":{"":4}},"A05:2017: Broken Access Control":{"python":{"":5},"javascript":{"":3},"typescript":{"":1}},"A3:2017 Sensitive Data Exposure":{"generic":{"":1}},"A02:2021: Cryptographic Failures":{"regex":{"":2},"python":{"":35},"javascript":{"":9},"typescript":{"":1}},"A04:2025: Cryptographic Failures":{"regex":{"":2},"python":{"":35},"javascript":{"":9},"typescript":{"":1}},"A03:2017: Sensitive Data Exposure":{"ts":{"":1},"regex":{"":1},"python":{"":36},"javascript":{"":13},"typescript":{"":2}},"A07:2025: Authentication Failures":{"ts":{"":2},"regex":{"":216},"python":{"":11},"generic":{"":5},"javascript":{"":5}},"A08:2017: Insecure Deserialization":{"python":{"":6},"javascript":{"":2}},"A02:2021 – Cryptographic Failures":{"python":{"":2}},"A02:2025: Security Misconfiguration":{"python":{"":6},"javascript":{"":11}},"A05:2021: Security Misconfiguration":{"python":{"":6},"javascript":{"":11}},"A06:2017: Security Misconfiguration":{"python":{"":2},"javascript":{"":3}},"A07:2017: Cross-Site Scripting (XSS)":{"python":{"":19},"javascript":{"":24},"typescript":{"":7}},"A04:2017: XML External Entities (XXE)":{"python":{"":3},"javascript":{"":8}},"A03:2025: Software Supply Chain Failures":{"javascript":{"":1}},"A06:2021: Vulnerable and Outdated Components":{"javascript":{"":1}},"A10:2021: Server-Side Request Forgery (SSRF)":{"python":{"":5},"javascript":{"":17}},"A08:2025: Software or Data Integrity 
Failures":{"python":{"":8},"javascript":{"":8},"typescript":{"":1}},"A08:2021: Software and Data Integrity Failures":{"python":{"":8},"javascript":{"":8},"typescript":{"":1}},"A07:2021: Identification and Authentication Failures":{"ts":{"":2},"regex":{"":216},"python":{"":11},"generic":{"":5},"javascript":{"":5}}},"rules_with_no_owasp":["detected-onfido-live-api-token","ajv-allerrors-true","intercom-settings-user-identifier-without-user-hash","detect-buffer-noassert","create-de-cipher-no-iv","django-using-request-post-after-is-valid","nan-injection","docker-arbitrary-container-run","flask-api-method-string-format","nan-injection","python-reverse-shell"]}},"author":"Semgrep","counts":{"total_rules":563,"premium_rules":0},"username":"semgrep","description":"Replit Community rule pack","id":"xeKA","name":"replit-community","visibility":"public","categories":[]},{"tags":[],"tier":null,"stats":{"cwe":{"totals":{"CWE-676: Use of Potentially Dangerous Function":5},"per_framework":{"CWE-676: Use of Potentially Dangerous Function":{"c":{"":5}},"CWE-134: Use of Externally-Controlled Format String":{"c":{"":1}}},"rules_with_no_cwe":[]},"owasp":{"totals":{"":6},"per_framework":{"":{"c":{"":6}}},"rules_with_no_owasp":["insecure-use-string-copy-fn","insecure-use-gets-fn","insecure-use-strcat-fn","insecure-use-scanf-fn","insecure-use-printf-fn","insecure-use-strtok-fn"]}},"author":"Mathieu Deous","counts":{"total_rules":6,"premium_rules":0},"hidden":true,"description":"","id":"wvY","name":"mdeous-datadog.c-security-pack","visibility":"public","categories":[]},{"tags":[],"stats":{"cwe":{"totals":{"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')":1},"per_framework":{"":{"python":{"":2}},"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')":{"python":{"":1}}},"rules_with_no_cwe":["use-earliest-or-latest","no-null-string-field"]},"owasp":{"totals":{"":2,"A01:2017: Injection":1,"A03:2021: 
Injection":1},"per_framework":{"":{"python":{"":2}},"A01:2017: Injection":{"python":{"":1}},"A03:2021: Injection":{"python":{"":1}}},"rules_with_no_owasp":["use-earliest-or-latest","no-null-string-field"]}},"author":"minusworld","counts":{"total_rules":3,"premium_rules":0},"hidden":true,"description":"","id":"gBJ","name":"minusworld.django-trimmed","visibility":"public","categories":[]},{"stats":{"cwe":{"totals":{"":1},"per_framework":{"":{"c":{"":9},"go":{"":73},"js":{"":4},"ts":{"":5},"hcl":{"":21},"php":{"":10},"bash":{"":4},"java":{"":15},"json":{"":6},"ruby":{"":23},"yaml":{"":54},"ocaml":{"":19},"regex":{"":54},"scala":{"":1},"csharp":{"":2},"python":{"":138},"generic":{"":28},"dockerfile":{"":1},"javascript":{"":31},"typescript":{"":10}},"cwe-20":{"javascript":{"":1}},"cwe-22":{"javascript":{"":6}},"cwe-23":{"javascript":{"":4}},"cwe-73":{"java":{"":1}},"cwe-78":{"java":{"":3},"javascript":{"":2}},"cwe-79":{"javascript":{"":3}},"cwe-80":{"javascript":{"":2}},"cwe-89":{"javascript":{"":2}},"cwe-94":{"javascript":{"":8}},"cwe-95":{"javascript":{"":1}},"cwe-116":{"javascript":{"":1}},"cwe-119":{"javascript":{"":1}},"cwe-185":{"javascript":{"":1}},"cwe-200":{"java":{"":2}},"cwe-208":{"javascript":{"":1}},"cwe-209":{"javascript":{"":2}},"cwe-272":{"javascript":{"":3}},"cwe-276":{"java":{"":2}},"cwe-295":{"java":{"":4},"javascript":{"":2}},"cwe-319":{"javascript":{"":2}},"cwe-321":{"java":{"":1}},"cwe-326":{"java":{"":1}},"cwe-327":{"java":{"":7},"javascript":{"":7}},"cwe-329":{"java":{"":1}},"cwe-330":{"java":{"":1}},"cwe-346":{"javascript":{"":3}},"cwe-353":{"java":{"":1}},"cwe-400":{"javascript":{"":3}},"cwe-489":{"java":{"":1}},"cwe-502":{"java":{"":2},"javascript":{"":4}},"cwe-522":{"javascript":{"":8}},"cwe-532":{"java":{"":1}},"cwe-599":{"javascript":{"":1}},"cwe-601":{"javascript":{"":3}},"cwe-611":{"java":{"":3},"javascript":{"":4}},"cwe-613":{"javascript":{"":1}},"cwe-614":{"javascript":{"":1}},"cwe-643":{"javascript":{"":1}},"cwe-644":{"javascript":{"":1
}},"cwe-649":{"java":{"":1}},"cwe-693":{"javascript":{"":4}},"cwe-706":{"javascript":{"":1}},"cwe-749":{"java":{"":2}},"cwe-757":{"java":{"":1},"javascript":{"":1}},"cwe-776":{"javascript":{"":1}},"cwe-780":{"java":{"":1}},"cwe-798":{"java":{"":4},"javascript":{"":5}},"cwe-807":{"javascript":{"":1}},"cwe-918":{"javascript":{"":6}},"cwe-919":{"java":{"":2}},"cwe-943":{"javascript":{"":2}},"cwe-1004":{"javascript":{"":1}},"cwe-1204":{"java":{"":1}},"cwe-1275":{"javascript":{"":1}},"CWE-415: Double Free":{"c":{"":1}},"CWE-89: SQL Injection":{"java":{"":1}},"CWE-22: Path Traversal":{"go":{"":1}},"CWE-416: Use After Free":{"c":{"":1}},"CWE-328: Use of Weak Hash":{"java":{"":2}},"CWE-489: Active Debug Code":{"go":{"":1},"yaml":{"":1},"python":{"":4},"generic":{"":1}},"CWE-125: Out-of-bounds Read":{"C#":{"":1}},"CWE-787: Out-of-bounds Write":{"C#":{"":1}},"CWE-310: Cryptographic Issues":{"C#":{"":1}},"CWE-778: Insufficient Logging":{"hcl":{"":1}},"CWE-320: Key Management Errors":{"hcl":{"":16}},"CWE-778: Insufficient Logging\n":{"hcl":{"":4}},"CWE-252: Unchecked Return Value":{"php":{"":1}},"CWE-320: Key Management Errors\n":{"hcl":{"":4}},"CWE-284: Improper Access Control":{"hcl":{"":3}},"CWE-287: Improper Authentication":{"kt":{"":1},"php":{"":1},"java":{"":1},"python":{"":1}},"CWE-346: Origin Validation Error":{"js":{"":1},"php":{"":2},"javascript":{"":1}},"CWE-377: Insecure Temporary File":{"go":{"":1}},"CWE-20: Improper Input Validation":{"generic":{"":3}},"CWE-501: Trust Boundary Violation":{"java":{"":1}},"CWE-696: Incorrect Behavior Order":{"java":{"":1}},"CWE-272: Least Privilege Violation":{"javascript":{"":3}},"CWE-521: Weak Password Requirements":{"python":{"":3}},"CWE-185: Incorrect Regular Expression":{"javascript":{"":1}},"CWE-693: Protection Mechanism Failure":{"javascript":{"":1}},"CWE-269: Improper Privilege Management":{"hcl":{"":4}},"CWE-276: Incorrect Default Permissions":{"go":{"":1},"java":{"":1},"ruby":{"":2},"python":{"":1}},"CWE-798: Use of 
Hard-coded Credentials":{"go":{"":1},"ruby":{"":1},"python":{"":2}},"CWE-326: Inadequate Encryption Strength":{"go":{"":1},"kt":{"":4},"hcl":{"":4},"java":{"":7},"python":{"":8}},"CWE-798: Use of Hard-coded Credentials\n":{"hcl":{"":1}},"CWE-295: Improper Certificate Validation":{"java":{"":2},"csharp":{"":1},"python":{"":4}},"CWE-295: Improper Certificate Validation\n":{"javascript":{"":1}},"CWE-427: Uncontrolled Search Path Element":{"json":{"":1}},"CWE-352: Cross-Site Request Forgery (CSRF)":{"go":{"":1},"php":{"":1},"java":{"":3},"ruby":{"":1},"csharp":{"":1},"python":{"":2},"javascript":{"":1}},"CWE-400: Uncontrolled Resource Consumption":{"go":{"":1},"js":{"":1},"ruby":{"":1},"python":{"":1}},"CWE-502: Deserialization of Untrusted Data":{"C#":{"":16},"php":{"":2},"java":{"":6},"csharp":{"":1},"python":{"":11},"javascript":{"":2}},"CWE-704: Incorrect Type Conversion or Cast":{"kt":{"":1},"java":{"":1},"python":{"":2}},"CWE-780: Use of RSA Algorithm without OAEP":{"scala":{"":1}},"CWE-300: Channel Accessible by Non-Endpoint":{"go":{"":2}},"CWE-918: Server-Side Request Forgery (SSRF)":{"go":{"":1},"js":{"":1},"php":{"":2},"java":{"ssrf":4},"ruby":{"":1},"scala":{"":4},"csharp":{"":5},"python":{"":5},"javascript":{"":22}},"CWE-329: Not Using a Random IV with CBC Mode":{"java":{"":1}},"CWE-330: Use of Insufficiently Random Values":{"java":{"":1},"scala":{"":1}},"CWE-353: Missing Support for Integrity Check":{"generic":{"":1}},"CWE-311: Missing Encryption of Sensitive Data":{"hcl":{"":4}},"CWE-522: Insufficiently Protected Credentials":{"hcl":{"":1},"java":{"":1},"ruby":{"":3},"scala":{"":1},"python":{"":3},"javascript":{"":15}},"CWE-523: Unprotected Transport of Credentials":{"python":{"":1}},"CWE-668: Exposure of Resource to Wrong Sphere":{"python":{"":2}},"CWE-73: External Control of File Name or Path":{"python":{"":1}},"CWE-749: Exposed Dangerous Method or Function":{"yaml":{"":1}},"CWE-250: Execution with Unnecessary Privileges":{"hcl":{"":1}},"CWE-311: 
Missing Encryption of Sensitive Data\n":{"hcl":{"":12}},"CWE-116: Improper Encoding or Escaping of Output":{"js":{"":1},"python":{"":1},"javascript":{"":1}},"CWE-289: Authentication Bypass by Alternate Name":{"go":{"":1}},"CWE-323: Reusing a Nonce, Key Pair in Encryption":{"kt":{"":1},"java":{"":1}},"CWE-14: Compiler Removal of Code to Clear Buffers":{"c":{"":1}},"CWE-494: Download of Code Without Integrity Check":{"generic":{"":10}},"CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag":{"go":{"":2},"kt":{"":1},"java":{"":1}},"CWE-1333: Inefficient Regular Expression Complexity":{"C#":{"":2}},"CWE-134: Use of Externally-Controlled Format String":{"javascript":{"":1}},"CWE-322: Key Exchange without Entity Authentication":{"go":{"":1},"python":{"":1}},"CWE-1323: Improper Management of Sensitive Trace Data":{"generic":{"":1}},"CWE-264: Permissions, Privileges, and Access Controls":{"json":{"":2}},"CWE-306: Missing Authentication for Critical Function":{"ts":{"":2}},"CWE-706: Use of Incorrectly-Resolved Name or Reference":{"C#":{"":1},"python":{"":1},"javascript":{"":2}},"CWE-11: ASP.NET Misconfiguration: Creating Debug Binary":{"generic":{"":1}},"CWE-345: Insufficient Verification of Data Authenticity":{"go":{"":1},"java":{"":1},"ruby":{"":1},"javascript":{"":3}},"CWE-319: Cleartext Transmission of Sensitive Information":{"go":{"":10},"kt":{"":1},"java":{"":16},"ruby":{"":5},"python":{"":19},"javascript":{"":9},"typescript":{"":1}},"CWE-327: Use of a Broken or Risky Cryptographic Algorithm":{"go":{"":10},"kt":{"":4},"php":{"":1},"java":{"":8},"ruby":{"":2},"python":{"":20},"javascript":{"":3}},"CWE-601: URL Redirection to Untrusted Site ('Open Redirect')":{"php":{"":1},"java":{"":2},"ruby":{"":1},"python":{"":2},"javascript":{"":3}},"CWE-297: Improper Validation of Certificate with Host Mismatch":{"java":{"":1}},"CWE-611: Improper Restriction of XML External Entity Reference":{"java":{"":7,"xxe":7},"csharp":{"":3},"python":{"":1},"javascript":{"":6}},"CWE-732: 
Incorrect Permission Assignment for Critical Resource":{"hcl":{"":4}},"CWE-942: Permissive Cross-domain Policy with Untrusted Domains":{"hcl":{"":1}},"CWE-913: Improper Control of Dynamically-Managed Code Resources":{"go":{"":2},"yaml":{"":1}},"CWE-94: Improper Control of Generation of Code (Code Injection)":{"javascript":{"":6}},"CWE-939: Improper Authorization in Handler for Custom URL Scheme":{"python":{"":1}},"CWE-155: Improper Neutralization of Wildcards or Matching Symbols":{"python":{"":1}},"CWE-94:\tImproper Control of Generation of Code ('Code Injection')":{"generic":{"":1}},"CWE-94: Improper Control of Generation of Code ('Code Injection')":{"go":{"":4},"java":{"":5},"ruby":{"":5},"csharp":{"":1},"javascript":{"":20}},"CWE-1236: Improper Neutralization of Formula Elements in a CSV File":{"python":{"":1}},"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor":{"go":{"":1},"hcl":{"":6},"java":{"":1},"ruby":{"":1},"csharp":{"":1},"python":{"":1},"typescript":{"":3}},"CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')":{"java":{"":1},"python":{"":1}},"CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute":{"go":{"":2},"kt":{"":1},"java":{"":1},"python":{"":2},"generic":{"":2}},"CWE-150: Improper Neutralization of Escape, Meta, or Control Sequences":{"regex":{"":1}},"CWE-451: User Interface (UI) Misrepresentation of Critical Information":{"js":{"":1}},"CWE-1022: Use of Web Link to Untrusted Target with window.opener Access":{"generic":{"":2}},"CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page":{"javascript":{"":1}},"CWE-89: Improper Neutralization of Special Elements used in an SQL Command":{"ruby":{"":1}},"CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)":{"go":{"":1},"javascript":{"":1}},"CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine":{"go":{"":1}},"CWE-119: Improper Restriction of Operations within the Bounds of a Memory 
Buffer":{"javascript":{"":1}},"CWE-643: Improper Neutralization of Data within XPath Expressions ('XPath Injection')":{"java":{"":1}},"CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')":{"go":{"":1},"php":{"":1},"java":{"":2},"ruby":{"":4},"scala":{"":1},"csharp":{"":1},"python":{"":5},"generic":{"":1},"javascript":{"":2},"typescript":{"":1}},"CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes":{"ruby":{"":2},"python":{"":1},"javascript":{"":3},"typescript":{"":1}},"CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')":{"go":{"":1},"php":{"":1},"java":{"":1}},"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross Site Scripting')":{"ruby":{"":2},"generic":{"":2}},"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')":{"go":{"":12},"java":{"":3},"ruby":{"":9},"regex":{"":13},"python":{"":21},"generic":{"":15},"javascript":{"":9},"typescript":{"":9}},"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')":{"go":{"":4},"php":{"":4},"java":{"":6},"ruby":{"":6},"scala":{"":3},"csharp":{"":1},"python":{"":16},"javascript":{"":10}},"CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')":{"java":{"":3}},"CWE-079: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')":{"javascript":{"":1}},"CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')":{"python":{"":1}},"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')\n":{"ruby":{"":1},"python":{"":3},"javascript":{"":1}},"CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')":{"php":{"":1},"java":{"":1}},"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval 
Injection')":{"bash":{"":2},"java":{"":1},"python":{"":14},"generic":{"":1},"javascript":{"":6}},"CWE-96: Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')":{"python":{"":6}},"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')":{"C#":{"":1},"kt":{"":1},"java":{"":3},"ruby":{"":1},"yaml":{"":2},"scala":{"":3},"python":{"":19},"javascript":{"":9}},"CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')":{"javascript":{"":1}},"CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')":{"java":{"":1},"python":{"":2},"generic":{"":1}}},"rules_with_no_cwe":["anti_csrf_control","helmet_header_check_crossdomain","helmet_header_check_csp","helmet_header_check_expect_ct","helmet_header_dns_prefetch","helmet_header_feature_policy","helmet_header_frame_guard","helmet_header_hsts","helmet_header_ienoopen","helmet_header_nosniff","helmet_header_referrer_policy","helmet_header_x_powered_by","helmet_header_xss_filter","rate_limit_control","unquoted-command-substitution-in-command","unquoted-variable-expansion-in-command","ifs-tampering","double_goto","incorrect-use-ato-fn","incorrect-use-sscanf-fn","info-leak-on-non-formated-string","insecure-use-gets-fn","insecure-use-printf-fn","insecure-use-scanf-fn","insecure-use-strtok-fn","random-fd-exhaustion","insecure-commands-use","insecure-compile-use","insecure-cryptography-attribute-use","insecure-dl-use","insecure-duo-client-use","insecure-eval-use","insecure-exec-use","insecure-gl-use","insecure-hashlib-use","insecure-itsdangerous-use","insecure-marshal-use","insecure-onelogin-attribute-use","insecure-os-exec-use","insecure-os-temp-use","insecure-pickle-use","insecure-popen2-use","insecure-pycrypto-use","insecure-requests-use","insecure-shelve-use","insecure-simplexmlrpcserver-use","insecure-ssl-use","insecure-subprocess-use","insecure-tarfile-use","insecu
re-tempfile-use","insecure-urllib3-connections-use","insecure-urllib3-warnings-use","insecure-xml-use","insecure-xmlsec-attribute-use","insecure-yaml-use","insecure-zipfile-use","correctness-double-epsilon-equality","correctness-regioninfo-interop","html-raw-json","bad-exponentiation","bad-nil-guard","rows-not-closed","cancelable-context-not-systematically-cancelled","context-todo","use-net-errclosed","err-nil-check","err-todo","hash-sum-without-write","use-hmac-equal","hmac-needs-new","sprintf-host-port","deprecated-ioutil-discard","deprecated-ioutil-nopcloser","deprecated-ioutil-readall","deprecated-ioutil-readdir","deprecated-ioutil-readfile","deprecated-ioutil-tempdir","deprecated-ioutil-tempfile","deprecated-ioutil-writefile","use-strings-join-path","json-encoder-needs-type","sprintf-mail-address","marshal-json-pointer-receiver","return-nil","newrelic-start-without-end","odd-bitwise","odd-comparison","odd-compound-expression","odd-sequence-ifs","odd-bits-leadingzeros","os-error-handling-functions","parseint-downcast","read-io-eof","io-readfull-n","return-nil","bad-sort-slice-function","use-err-error","leaky-time-after","not-after","not-before","use-writer-not-writestring","maybe-wrong-err","wrong-lock-unlock","changed-semgrepignore","bash_reverse_shell","bash_reverse_shell","alias-must-be-unique","copy-from-own-alias","invalid-port","missing-assume-yes-switch","multiple-cmd-instructions","multiple-entrypoint-instructions","last-user-is-root","missing-user","alias-path-traversal","dynamic-proxy-host","dynamic-proxy-scheme","header-injection","header-redefinition","insecure-redirect","insecure-ssl-version","missing-internal","missing-ssl-version","possible-nginx-h2c-smuggling","request-host-used","detected-amazon-mws-auth-token","detected-artifactory-password","detected-artifactory-token","detected-aws-access-key-id-value","detected-aws-account-id","detected-aws-appsync-graphql-key","detected-aws-secret-access-key","detected-aws-session-token","detected-bcrypt-ha
sh","detected-codeclimate","detected-etc-shadow","detected-facebook-access-token","detected-facebook-oauth","detected-generic-api-key","detected-generic-secret","detected-github-token","detected-google-api-key","detected-google-cloud-api-key","detected-google-gcm-service-account","detected-google-oauth-access-token","detected-google-oauth-url","detected-heroku-api-key","detected-hockeyapp","detected-jwt-token","detected-kolide-api-key","detected-mailchimp-api-key","detected-mailgun-api-key","detected-npm-registry-auth-token","detected-npm-token","detected-outlook-team","detected-paypal-braintree-access-token","detected-pgp-private-key-block","detected-picatic-api-key","detected-private-key","detected-sauce-token","detected-sendgrid-api-key","detected-slack-token","detected-slack-webhook","detected-snyk-api-key","detected-softlayer-api-key","detected-sonarqube-docs-api-key","detected-sql-dump","detected-square-access-token","detected-square-oauth-secret","detected-ssh-password","detected-stripe-api-key","detected-stripe-restricted-api-key","detected-telegram-bot-api-key","detected-twilio-api-key","detected-twitter-access-token","detected-twitter-oauth","detected-username-and-password-in-uri","contains-bidirectional-characters","integer-overflow-int16","integer-overflow-int32","use-filepath-join","eqeq-is-bad","hardcoded-eq-true-or-false","useless-if-body","useless-if-conditional","dangerous-command-write","gosql-sqli","pg-orm-sqli","pg-sqli","pgx-sqli","go-insecure-templates","assignment-comparison","eqeq","hardcoded-conditional","no-string-eqeq","gcm-nonce-reuse","java-reverse-shell","permissive-cors","hibernate-sqli","jdbc-sqli","jdo-sqli","jpa-sqli","turbine-sqli","vertx-sqli","do-privileged-use","spring-actuator-fully-enabled","spring-sqli","detect-angular-element-methods","detect-angular-open-redirect","detect-angular-resource-loading","detect-angular-sce-disabled","detect-angular-trust-as-css-method","detect-angular-trust-as-html-method","detect-angular-trust-a
s-js-method","detect-angular-trust-as-method","detect-angular-trust-as-resourceurl-method","detect-angular-trust-as-url-method","detect-angular-translateprovider-translations-method","detect-angular-translateprovider-useStrategy-method","harden-dompurify-usage","javascript-alert","no-replaceall","eqeq-is-bad","node-mssql-sqli","node-postgres-sqli","detect-insecure-websocket","calling-set-state-on-current-state","sequelize-enforce-tls","sequelize-weak-tls-version","avoid-v-html","wildcard-assume-role","empty-message","identical-id","identical-pattern","metadata-cwe","metadata-owasp","metadata-references","no-language-field","no-message","unnecessary-parent-operator","unsatisfiable-rule","deprecated-pervasives","physical-equal","physical-not-equal","physical-equal","physical-not-equal","useless-compare","useless-equal","ocamllint-useless-if","useless-let","useless-equal","ocamllint-useless-if","useless-let","ocamllint-length-list-zero","ocamllint-length-more-than-zero","broken-input-line","prefer-read-in-binary-mode","prefer-write-in-binary-mode","not-portable-tmp-string","not-portable-tmp-string","backticks-use","curl-ssl-verifypeer-off","eval-use","exec-use","ftp-use","mb-ereg-replace-eval","mcrypt-use","md5-loose-equality","phpinfo-use","preg-replace-eval","attr-mutable-initializer","bokeh-deprecated-apis","suppressed-exception-handling-finally-break","require-encryption","django-compat-2_0-assert-redirects-helper","django-compat-2_0-assignment-tag","django-compat-2_0-check-aggregate-support","django-compat-2_0-extra-forms","django-compat-2_0-signals-weak","django-db-model-save-super","nontext-field-must-set-null-true","string-field-must-set-null-true","use-decimalfield-for-money","conflicting-path-assignment","duplicate-name-assignment","duplicate-path-assignment","duplicate-path-assignment-different-names","duplicate-path-assignment-different-names","use-count-method","use-earliest-or-latest","docker-arbitrary-container-run","flask-cache-query-string","avoid-acce
ssing-request-in-wrong-handler","flask-duplicate-handler-name","flask-deprecated-apis","make-response-with-unknown-content","flask-api-method-string-format","python36-compatibility-Popen1","python36-compatibility-Popen2","python36-compatibility-ssl","python37-compatability-os-module","python37-compatibility-httpconn","python37-compatibility-httpsconn","python37-compatibility-importlib","python37-compatibility-importlib2","python37-compatibility-importlib3","python37-compatibility-importlib2","python37-compatibility-importlib3","python37-compatibility-ipv4network1","python37-compatibility-ipv4network2","python37-compatibility-ipv6network1","python37-compatibility-ipv6network2","python37-compatibility-locale1","python37-compatibility-math1","python37-compatibility-multiprocess1","python37-compatibility-multiprocess2","python37-compatibility-os1","python37-compatibility-os2-ok2","python37-compatibility-pdb","python37-compatibility-textiowrapper","baseclass-attribute-override","default-mutable-dict","default-mutable-list","identical-is-comparison","string-is-comparison","is-not-is-not","string-concat-in-list","uncaught-executor-exceptions","dict-del-while-iterate","raise-not-base-exception","use-sys-exit","file-object-redefined-before-close","list-modify-while-iterate","pdb-remove","return-in-init","yield-in-init","sync-sleep-in-async-code","tempfile-without-flush","tempfile-insecure","unchecked-subprocess-call","no-strings-as-booleans","useless-eqeq","writing-to-file-in-read-mode","improper-list-concat","code-after-unconditional-return","return-not-in-function","useless-assignment-keyed","useless-if-body","useless-if-conditional","useless-inner-function","useless-literal-dict","useless-literal-set","hardcoded-password-default-argument","python-logger-credential-disclosure","python-reverse-shell","aiopg-sqli","asyncpg-sqli","pg8000-sqli","psycopg-sqli","mongo-client-bad-auth","mongo-client-bad-auth","bad-operator-in-filter","delete-where-no-execute","batch-import","len-
all-count","sqlalchemy-sql-injection","bad-deserialization","cookie-serialization","create-with","divide-by-zero","file-disclosure","force-ssl-false","jruby-xml","json-encoding","json-entity-escape","model-attr-accessible","model-attributes-attr-accessible","model-attributes-attr-protected","nested-attributes-bypass","nested-attributes","ruby-eval","bad-send","ssl-mode-no-verify","timing-attack","weak-hashes-md5","weak-hashes-sha1","yaml-parsing","rails-skip-forgery-protection","ruby-pg-sqli","alias-for-html-safe","avoid-content-tag","avoid-html-safe","avoid-raw","var-in-script-tag","positive-number-index-of","aws-provider-static-credentials","wildcard-assume-role","appservice-account-identity-registered","appservice-authentication-enabled","appservice-enable-http2","appservice-enable-https-only","appservice-require-client-cert","appservice-use-secure-tls-policy","functionapp-authentication-enabled","functionapp-enable-http2","keyvault-content-type-for-secret","keyvault-ensure-key-expires","keyvault-ensure-secret-expires","keyvault-purge-enabled","keyvault-specify-network-acl","storage-allow-microsoft-service-bypass","storage-default-action-deny","storage-enforce-https","storage-queue-services-logging","storage-use-secure-tls-policy","ecr-image-scan-on-push","anonymous-race-condition","invalid-usage-of-modified-variable","iterate-over-empty-collection","iterate-over-empty-map","missing-runlock-on-rwmutex","missing-unlock-before-return","nondeterministic-select","questionable-assignment","racy-append-to-slice","racy-write-to-map","servercodec-readrequestbody-unhandled-nil","sleep-used-for-synchronizations","string-to-int-signedness-cast","sync-mutex-value-copied","waitgroup-add-called-inside-goroutine","waitgroup-wait-inside-loop","automatic-memory-pinning","lxml-in-pandas","numpy-in-pytorch-modules","numpy-in-torch-datasets","pickles-in-numpy","pickles-in-pandas","pickles-in-pytorch","pickles-in-torch-distributed","tarfile-extractall-traversal","torch-package","torc
h-tensor","waiting-with-torch-distributed","useless-ternary","angular-bypasssecuritytrust","angular-sanitize-none-context","awscdk-bucket-encryption","aws-cdk-bucket-enforcessl","awscdk-sqs-unencryptedqueue","useless-ternary","cors-regex-wildcard","nestjs-header-cors-any","nestjs-header-xss-disabled","nestjs-open-redirect","react-jwt-decoded-property","react-jwt-in-localstorage","react-router-redirect","react-controlled-component-password","exposing-docker-socket-volume","no-new-privileges","privileged-service","seccomp-confinement-disabled","selinux-separation-disabled","writable-filesystem-service","semgrep-github-action-push-without-branches","changes-with-when-never","allow-privilege-escalation","exposing-docker-socket-hostpath","hostipc-pod","hostnetwork-pod","hostpid-pod","privileged-container","run-as-non-root","seccomp-confinement-disabled","skip-tls-verify-cluster","skip-tls-verify-service","writable-filesystem-container","lang-consistency-bash","lang-consistency-cpp","lang-consistency-csharp","lang-consistency-dockerfile","lang-consistency-elixir","lang-consistency-go","lang-consistency-hcl","lang-consistency-js","lang-consistency-kotlin","lang-consistency-python","lang-consistency-regex","lang-consistency-solidity","lang-consistency-ts","duplicate-id","duplicate-pattern","empty-message","metadata-category","metadata-cwe","metadata-owasp","metadata-references","metadata-technology","missing-language-field","missing-message-field","multi-line-message","slow-pattern-general-func","slow-pattern-general-property","slow-pattern-single-metavariable","slow-pattern-top-ellipsis","unnecessary-parent-operator","unsatisfiable-rule"]},"owasp":{"totals":{"":708,"A01:2017":7,"A03:2021":11,"A07:2017":10,"A10:2021":6,"A1: Injection":235,"A3: Injection":6,"A01: Injection":4,"A01:2017: Injection":19,"A03:2021: Injection":18,"A04:2021: Insecure Design":1,"A2: Broken Authentication":43,"A5: Broken Access Control":3,"A3: Sensitive Data Exposure":135,"A04:2021 – Insecure 
Design":1,"A8: Insecure Deserialization":38,"A5: Security Misconfiguration":4,"A6: Security Misconfiguration":42,"A7: Cross-Site Scripting (XSS)":81,"A01:2021: Broken Access Control":7,"A02:2017: Broken Authentication":7,"A05:2017: Broken Access Control":4,"A4: XML External Entities (XXE)":22,"A02:2021: Cryptographic Failures":47,"A03:2021: Cryptographic Failures":1,"A03:2017: Sensitive Data Exposure":6,"A08:2017: Insecure Deserialization":2,"A05:2021: Security Misconfiguration":14,"A06:2017: Security Misconfiguration":6,"A04:2017: XML External Entities (XXE)":3,"A10:2021: Server-Side Request Forgery":1,"A06:2021: Vulnerable and Outdated Components":7,"A08:2021: Software and Data Integrity Failures":2,"A06:2021 – Vulnerable and Outdated Components":1,"A07: Identification and Authentication Failures":1,"A9: Using Components with Known Vulnerabilities":16,"A09:2021: Security Logging and Monitoring Failures":4,"A07:2021: Identification and Authentication Failures":1,"A09:2017: Using Components with Known Vulnerabilities":7,"A09:2017 – Using Components with Known Vulnerabilities":1},"per_framework":{"":{"c":{"":11},"go":{"":80},"js":{"":6},"kt":{"":1},"ts":{"":7},"hcl":{"":38},"php":{"":12},"bash":{"":4},"java":{"":59,"ssrf":4},"json":{"":5},"ruby":{"":23},"yaml":{"":54},"ocaml":{"":19},"regex":{"":54},"scala":{"":1},"csharp":{"":3},"python":{"":140},"generic":{"":37},"dockerfile":{"":1},"javascript":{"":137},"typescript":{"":12}},"A01:2017":{"go":{"":2},"php":{"":2},"java":{"":1},"python":{"":2}},"A03:2021":{"go":{"":1},"java":{"":1},"ruby":{"":2},"python":{"":4},"javascript":{"":3}},"A07:2017":{"go":{"":1},"ruby":{"":2},"python":{"":4},"javascript":{"":3}},"A10:2021":{"go":{"":2},"php":{"":2},"python":{"":2}},"A1: Injection":{"C#":{"":3},"go":{"":12},"js":{"":3},"kt":{"":1},"php":{"":3},"java":{"":22},"ruby":{"":20},"yaml":{"":3},"scala":{"":10},"csharp":{"":5},"python":{"":72},"generic":{"":1},"javascript":{"":80}},"A3: 
Injection":{"php":{"":1},"ruby":{"":3},"generic":{"":2}},"A01: Injection":{"java":{"":4}},"A01:2017: Injection":{"go":{"":1},"php":{"":1},"bash":{"":2},"java":{"":1},"ruby":{"":2},"csharp":{"":2},"python":{"":4},"generic":{"":5},"javascript":{"":1}},"A03:2021: Injection":{"go":{"":1},"bash":{"":2},"java":{"":1},"ruby":{"":2},"csharp":{"":2},"python":{"":4},"generic":{"":5},"javascript":{"":1}},"A04:2021: Insecure Design":{"C#":{"":1}},"A2: Broken Authentication":{"go":{"":4},"kt":{"":1},"php":{"":1},"java":{"":6},"ruby":{"":4},"scala":{"":1},"python":{"":10},"javascript":{"":16}},"A5: Broken Access Control":{"php":{"":1},"javascript":{"":2}},"A3: Sensitive Data Exposure":{"go":{"":17},"kt":{"":10},"java":{"":32},"ruby":{"":8},"csharp":{"":1},"python":{"":51},"javascript":{"":12},"typescript":{"":4}},"A04:2021 – Insecure Design":{"c":{"":1}},"A8: Insecure Deserialization":{"C#":{"":16},"go":{"":2},"php":{"":1},"java":{"":6},"python":{"":11},"javascript":{"":2}},"A5: Security Misconfiguration":{"json":{"":1},"ruby":{"":1},"generic":{"":2}},"A6: Security Misconfiguration":{"go":{"":2},"php":{"":3},"java":{"":6},"json":{"":2},"ruby":{"":2},"yaml":{"":2},"python":{"":14},"generic":{"":2},"javascript":{"":9}},"A7: Cross-Site Scripting (XSS)":{"go":{"":7},"java":{"":3},"ruby":{"":7},"regex":{"":14},"python":{"":17},"generic":{"":15},"javascript":{"":9},"typescript":{"":9}},"A01:2021: Broken Access Control":{"C#":{"":1},"hcl":{"":2},"scala":{"":1},"csharp":{"":1},"generic":{"":2}},"A02:2017: Broken Authentication":{"go":{"":1},"php":{"":1},"java":{"":1},"ruby":{"":1},"csharp":{"":1},"python":{"":1},"javascript":{"":1}},"A05:2017: Broken Access Control":{"C#":{"":1},"csharp":{"":1},"generic":{"":2}},"A4: XML External Entities (XXE)":{"java":{"":7,"xxe":7},"python":{"":2},"javascript":{"":6}},"A02:2021: Cryptographic Failures":{"C#":{"":1},"go":{"":1},"hcl":{"":38},"php":{"":2},"java":{"":1},"ruby":{"":1},"scala":{"":1},"python":{"":1},"javascript":{"":1}},"A03:2021: 
Cryptographic Failures":{"scala":{"":1}},"A03:2017: Sensitive Data Exposure":{"C#":{"":1},"hcl":{"":5}},"A08:2017: Insecure Deserialization":{"php":{"":1},"csharp":{"":1}},"A05:2021: Security Misconfiguration":{"go":{"":1},"hcl":{"":5},"json":{"":1},"csharp":{"":3},"python":{"":1},"generic":{"":3}},"A06:2017: Security Misconfiguration":{"hcl":{"":1},"json":{"":1},"python":{"":1},"generic":{"":3}},"A04:2017: XML External Entities (XXE)":{"csharp":{"":3}},"A10:2021: Server-Side Request Forgery":{"php":{"":1}},"A06:2021: Vulnerable and Outdated Components":{"ruby":{"":1},"generic":{"":6}},"A08:2021: Software and Data Integrity Failures":{"php":{"":1},"csharp":{"":1}},"A06:2021 – Vulnerable and Outdated Components":{"C#":{"":1}},"A07: Identification and Authentication Failures":{"java":{"":1}},"A9: Using Components with Known Vulnerabilities":{"go":{"":8},"kt":{"":2},"java":{"":5},"javascript":{"":1}},"A09:2021: Security Logging and Monitoring Failures":{"hcl":{"":4}},"A07:2021: Identification and Authentication Failures":{"csharp":{"":1}},"A09:2017: Using Components with Known Vulnerabilities":{"ruby":{"":1},"generic":{"":6}},"A09:2017 – Using Components with Known 
Vulnerabilities":{"C#":{"":1}}},"rules_with_no_owasp":["admzip_path_overwrite","tar_path_overwrite","zip_path_overwrite","zip_path_overwrite2","zip_path_overwrite2","buffer_noassert","node_aes_ecb","node_aes_noiv","node_insecure_random_generator","node_md5","node_sha1","node_weak_crypto","generic_error_disclosure","node_error_disclosure","node_deserialize","serializetojs_deserialize","grpc_insecure_connection","eval_nodejs","eval_require","sandbox_code_injection","vm2_code_injection","vm2_context_injection","vm_code_injection","vm_compilefunction_injection","vm_runincontext_injection","vm_runinnewcontext_injection","yaml_deserialize","generic_os_command_exec","shelljs_os_command_exec","express_bodyparser","express_lfr_warning","express_lfr","express_lfr_warning","anti_csrf_control","helmet_header_check_crossdomain","helmet_header_check_csp","helmet_header_check_expect_ct","helmet_header_dns_prefetch","helmet_header_feature_policy","helmet_header_frame_guard","helmet_header_hsts","helmet_header_ienoopen","helmet_header_nosniff","helmet_header_referrer_policy","helmet_header_x_powered_by","helmet_header_xss_filter","rate_limit_control","hardcoded_passport_secret","node_api_key","node_password","node_secret","node_username","cookie_session_default","cookie_session_no_domain","cookie_session_no_httponly","cookie_session_no_maxage","cookie_session_no_path","cookie_session_no_samesite","cookie_session_no_secure","express_cors","generic_cors","helmet_feature_disabled","generic_header_injection","header_xss_generic","header_xss_lusca","host_header_injection","jwt_exposed_credentials","jwt_exposed_data","jwt_express_hardcoded","hardcoded_jwt_secret","node_jwt_none_algorithm","jwt_not_revoked","layer7_object_dos","node_logic_bypass","node_nosqli_injection","node_nosqli_js_injection","express_open_redirect2","express_open_redirect","express_open_redirect2","generic_path_traversal","regex_dos","regex_injection_dos","join_resolve_path_traversal","electron_allow_http","electron_b
link_integration","electron_context_isolation","electron_disable_websecurity","electron_experimental_features","electron_nodejs_integration","sequelize_tls","sequelize_tls_cert_validation","sequelize_weak_tls","server_side_template_injection","node_sqli_injection","node_knex_sqli_injection","node_ssrf","phantom_ssrf","playwright_ssrf","puppeteer_ssrf","wkhtmltoimage_ssrf","wkhtmltopdf_ssrf","node_timing_attack","node_curl_ssl_verify_disable","node_tls_reject","node_entity_expansion","node_xpath_injection","xss_disable_mustache_escape","express_xss","xss_serialize_javascript","handlebars_noescape","handlebars_safestring","squirrelly_autoescape","xxe_expat","node_xxe","xxe_sax","xxe_xml2json","unquoted-command-substitution-in-command","unquoted-variable-expansion-in-command","ifs-tampering","double_goto","incorrect-use-ato-fn","incorrect-use-sscanf-fn","double-free","info-leak-on-non-formated-string","insecure-use-gets-fn","insecure-use-printf-fn","insecure-use-scanf-fn","insecure-use-strtok-fn","random-fd-exhaustion","use-after-free","insecure-commands-use","insecure-compile-use","insecure-cryptography-attribute-use","insecure-dl-use","insecure-duo-client-use","insecure-eval-use","insecure-exec-use","insecure-gl-use","insecure-hashlib-use","insecure-itsdangerous-use","insecure-marshal-use","insecure-onelogin-attribute-use","insecure-os-exec-use","insecure-os-temp-use","insecure-pickle-use","insecure-popen2-use","insecure-pycrypto-use","insecure-requests-use","insecure-shelve-use","insecure-simplexmlrpcserver-use","insecure-ssl-use","insecure-subprocess-use","insecure-tarfile-use","insecure-tempfile-use","insecure-urllib3-connections-use","insecure-urllib3-warnings-use","insecure-xml-use","insecure-xmlsec-attribute-use","insecure-yaml-use","insecure-zipfile-use","owasp.java.ssrf.java.net.url","owasp.java.ssrf.org.apache.commons.httpclient","owasp.java.ssrf.org.apache.http.impl.client.CloseableHttpClient","owasp.java.ssrf.possible.import.statements","mvc-missing-antifo
rgery","correctness-double-epsilon-equality","correctness-regioninfo-interop","html-raw-json","bad-exponentiation","bad-nil-guard","rows-not-closed","cancelable-context-not-systematically-cancelled","context-todo","use-net-errclosed","err-nil-check","err-todo","hash-sum-without-write","use-hmac-equal","hmac-needs-new","sprintf-host-port","deprecated-ioutil-discard","deprecated-ioutil-nopcloser","deprecated-ioutil-readall","deprecated-ioutil-readdir","deprecated-ioutil-readfile","deprecated-ioutil-tempdir","deprecated-ioutil-tempfile","deprecated-ioutil-writefile","use-strings-join-path","json-encoder-needs-type","sprintf-mail-address","marshal-json-pointer-receiver","return-nil","newrelic-start-without-end","odd-bitwise","odd-comparison","odd-compound-expression","odd-sequence-ifs","odd-bits-leadingzeros","os-error-handling-functions","parseint-downcast","read-io-eof","io-readfull-n","return-nil","bad-sort-slice-function","use-err-error","leaky-time-after","not-after","not-before","use-writer-not-writestring","maybe-wrong-err","wrong-lock-unlock","changed-semgrepignore","bash_reverse_shell","bash_reverse_shell","use-frozen-lockfile-pipenv","use-frozen-lockfile","use-frozen-lockfile-pip","use-frozen-lockfile-yarn","use-frozen-lockfile-npm","use-frozen-lockfile-npm","use-frozen-lockfile-pipenv","use-frozen-lockfile-pip","use-frozen-lockfile-pipenv","use-frozen-lockfile-yarn","alias-must-be-unique","copy-from-own-alias","invalid-port","missing-assume-yes-switch","multiple-cmd-instructions","multiple-entrypoint-instructions","last-user-is-root","missing-user","alias-path-traversal","dynamic-proxy-host","dynamic-proxy-scheme","header-injection","header-redefinition","insecure-redirect","insecure-ssl-version","missing-internal","missing-ssl-version","possible-nginx-h2c-smuggling","request-host-used","detected-amazon-mws-auth-token","detected-artifactory-password","detected-artifactory-token","detected-aws-access-key-id-value","detected-aws-account-id","detected-aws-appsyn
c-graphql-key","detected-aws-secret-access-key","detected-aws-session-token","detected-bcrypt-hash","detected-codeclimate","detected-etc-shadow","detected-facebook-access-token","detected-facebook-oauth","detected-generic-api-key","detected-generic-secret","detected-github-token","detected-google-api-key","detected-google-cloud-api-key","detected-google-gcm-service-account","detected-google-oauth-access-token","detected-google-oauth-url","detected-heroku-api-key","detected-hockeyapp","detected-jwt-token","detected-kolide-api-key","detected-mailchimp-api-key","detected-mailgun-api-key","detected-npm-registry-auth-token","detected-npm-token","detected-outlook-team","detected-paypal-braintree-access-token","detected-pgp-private-key-block","detected-picatic-api-key","detected-private-key","detected-sauce-token","detected-sendgrid-api-key","detected-slack-token","detected-slack-webhook","detected-snyk-api-key","detected-softlayer-api-key","detected-sonarqube-docs-api-key","detected-sql-dump","detected-square-access-token","detected-square-oauth-secret","detected-ssh-password","detected-stripe-api-key","detected-stripe-restricted-api-key","detected-telegram-bot-api-key","detected-twilio-api-key","detected-twitter-access-token","detected-twitter-oauth","detected-username-and-password-in-uri","contains-bidirectional-characters","grpc-client-insecure-connection","grpc-server-insecure-connection","integer-overflow-int16","integer-overflow-int32","incorrect-default-permission","use-filepath-join","eqeq-is-bad","hardcoded-eq-true-or-false","useless-if-body","useless-if-conditional","dangerous-command-write","gosql-sqli","pg-orm-sqli","pg-sqli","pgx-sqli","bad-tmp-file-creation","potential-dos-via-decompression-bomb","path-traversal-inside-zip-extraction","go-insecure-templates","go-ssti","assignment-comparison","eqeq","hardcoded-conditional","no-string-eqeq","gcm-detection","gcm-nonce-reuse","java-reverse-shell","permissive-cors","hibernate-sqli","jdbc-sqli","jdo-sqli","jpa-sql
i","turbine-sqli","vertx-sqli","do-privileged-use","spring-sqli","ajv-allerrors-true","detect-angular-element-methods","detect-angular-open-redirect","detect-angular-resource-loading","detect-angular-sce-disabled","detect-angular-trust-as-css-method","detect-angular-trust-as-html-method","detect-angular-trust-as-js-method","detect-angular-trust-as-method","detect-angular-trust-as-resourceurl-method","detect-angular-trust-as-url-method","detect-angular-translateprovider-translations-method","detect-angular-translateprovider-useStrategy-method","harden-dompurify-usage","express-data-exfiltration","javascript-alert","no-replaceall","eqeq-is-bad","detect-non-literal-fs-filename","detect-non-literal-regexp","incomplete-sanitization","prototype-pollution-assignment","prototype-pollution-function","prototype-pollution-loop","node-mssql-sqli","node-postgres-sqli","detect-buffer-noassert","detect-insecure-websocket","detect-no-csrf-before-method-override","calling-set-state-on-current-state","avoid-v-html","gcm-detection","empty-message","identical-id","identical-pattern","metadata-cwe","metadata-owasp","metadata-references","no-language-field","no-message","unnecessary-parent-operator","unsatisfiable-rule","accept_self_signed_certificate","aes_ecb_mode","aes_ecb_mode_default","aes_ecb_mode_default","aes_hardcoded_key","android_safetynet_api","cbc_padding_oracle","cbc_static_iv","command_injection","command_injection_warning","default_http_client_tls","android_prevent_screenshot","android_hidden_ui","java_insecure_random","insecure_sslv3","jackson_deserialization","android_logging","object_deserialization","android_root_detection","rsa_no_oeap","hardcoded_api_key","hardcoded_password","hardcoded_secret","hardcoded_username","sha1_hash","sqlite_injection","android_detect_tapjacking","android_certificate_transparency","android_certificate_pinning","weak_cipher","weak_hash","weak_iv","weak_key_size","webview_debugging","webview_external_storage","webview_set_allow_file_access",
"ignore_ssl_certificate_errors","webview_javascript_interface","world_readable","world_writeable","xml_decoder_xxe","xmlinputfactory_xxe_enabled","xmlinputfactory_xxe","deprecated-pervasives","physical-equal","physical-not-equal","physical-equal","physical-not-equal","useless-compare","useless-equal","ocamllint-useless-if","useless-let","useless-equal","ocamllint-useless-if","useless-let","ocamllint-length-list-zero","ocamllint-length-more-than-zero","broken-input-line","prefer-read-in-binary-mode","prefer-write-in-binary-mode","not-portable-tmp-string","not-portable-tmp-string","backticks-use","curl-ssl-verifypeer-off","eval-use","exec-use","ftp-use","tainted-object-instantiation","mb-ereg-replace-eval","mcrypt-use","md5-loose-equality","non-literal-header","phpinfo-use","preg-replace-eval","attr-mutable-initializer","bokeh-deprecated-apis","suppressed-exception-handling-finally-break","require-encryption","django-compat-2_0-assert-redirects-helper","django-compat-2_0-assignment-tag","django-compat-2_0-check-aggregate-support","django-compat-2_0-extra-forms","django-compat-2_0-signals-weak","django-db-model-save-super","nontext-field-must-set-null-true","string-field-must-set-null-true","use-decimalfield-for-money","conflicting-path-assignment","duplicate-name-assignment","duplicate-path-assignment","duplicate-path-assignment-different-names","duplicate-path-assignment-different-names","use-count-method","use-earliest-or-latest","nan-injection","docker-arbitrary-container-run","flask-cache-query-string","avoid-accessing-request-in-wrong-handler","flask-duplicate-handler-name","flask-deprecated-apis","make-response-with-unknown-content","flask-api-method-string-format","nan-injection","python36-compatibility-Popen1","python36-compatibility-Popen2","python36-compatibility-ssl","python37-compatability-os-module","python37-compatibility-httpconn","python37-compatibility-httpsconn","python37-compatibility-importlib","python37-compatibility-importlib2","python37-compatib
ility-importlib3","python37-compatibility-importlib2","python37-compatibility-importlib3","python37-compatibility-ipv4network1","python37-compatibility-ipv4network2","python37-compatibility-ipv6network1","python37-compatibility-ipv6network2","python37-compatibility-locale1","python37-compatibility-math1","python37-compatibility-multiprocess1","python37-compatibility-multiprocess2","python37-compatibility-os1","python37-compatibility-os2-ok2","python37-compatibility-pdb","python37-compatibility-textiowrapper","baseclass-attribute-override","default-mutable-dict","default-mutable-list","identical-is-comparison","string-is-comparison","is-not-is-not","string-concat-in-list","uncaught-executor-exceptions","dict-del-while-iterate","raise-not-base-exception","use-sys-exit","file-object-redefined-before-close","list-modify-while-iterate","pdb-remove","return-in-init","yield-in-init","sync-sleep-in-async-code","tempfile-without-flush","tempfile-insecure","unchecked-subprocess-call","no-strings-as-booleans","useless-eqeq","writing-to-file-in-read-mode","improper-list-concat","code-after-unconditional-return","return-not-in-function","useless-assignment-keyed","useless-if-body","useless-if-conditional","useless-inner-function","useless-literal-dict","useless-literal-set","hardcoded-password-default-argument","python-logger-credential-disclosure","python-reverse-shell","aiopg-sqli","asyncpg-sqli","pg8000-sqli","psycopg-sqli","mongo-client-bad-auth","mongo-client-bad-auth","bad-operator-in-filter","delete-where-no-execute","batch-import","len-all-count","sqlalchemy-sql-injection","bad-deserialization","cookie-serialization","create-with","divide-by-zero","file-disclosure","force-ssl-false","jruby-xml","json-encoding","json-entity-escape","model-attr-accessible","model-attributes-attr-accessible","model-attributes-attr-protected","nested-attributes-bypass","nested-attributes","ruby-eval","bad-send","ssl-mode-no-verify","timing-attack","weak-hashes-md5","weak-hashes-sha1","yaml-p
arsing","rails-skip-forgery-protection","ruby-pg-sqli","alias-for-html-safe","avoid-content-tag","avoid-html-safe","avoid-raw","var-in-script-tag","positive-number-index-of","aws-provider-static-credentials","appservice-account-identity-registered","appservice-authentication-enabled","appservice-enable-http2","appservice-enable-https-only","appservice-require-client-cert","appservice-use-secure-tls-policy","functionapp-authentication-enabled","functionapp-enable-http2","keyvault-content-type-for-secret","keyvault-ensure-key-expires","keyvault-ensure-secret-expires","keyvault-purge-enabled","keyvault-specify-network-acl","storage-allow-microsoft-service-bypass","storage-default-action-deny","storage-enforce-https","storage-queue-services-logging","storage-use-secure-tls-policy","unencrypted-ebs-volume","ecr-image-scan-on-push","eks-insufficient-control-plane-logging","eks-public-endpoint-enabled","elastic-search-encryption-at-rest","no-iam-admin-privileges","no-iam-creds-exposure","no-iam-data-exfiltration","no-iam-priv-esc-funcs","no-iam-priv-esc-other-users","no-iam-priv-esc-roles","no-iam-resource-exposure","no-iam-star-actions","rds-insecure-password-storage-in-source-code","rds-public-access","all-origins-allowed","s3-public-read-bucket","s3-public-rw-bucket","s3-unencrypted-bucket","anonymous-race-condition","invalid-usage-of-modified-variable","iterate-over-empty-collection","iterate-over-empty-map","missing-runlock-on-rwmutex","missing-unlock-before-return","nondeterministic-select","questionable-assignment","racy-append-to-slice","racy-write-to-map","servercodec-readrequestbody-unhandled-nil","sleep-used-for-synchronizations","string-to-int-signedness-cast","sync-mutex-value-copied","waitgroup-add-called-inside-goroutine","waitgroup-wait-inside-loop","automatic-memory-pinning","lxml-in-pandas","numpy-in-pytorch-modules","numpy-in-torch-datasets","pickles-in-numpy","pickles-in-pandas","pickles-in-pytorch","pickles-in-torch-distributed","tarfile-extractall-tra
versal","torch-package","torch-tensor","waiting-with-torch-distributed","useless-ternary","angular-bypasssecuritytrust","angular-sanitize-none-context","awscdk-bucket-encryption","aws-cdk-bucket-enforcessl","awscdk-sqs-unencryptedqueue","awscdk-bucket-grantpublicaccessmethod","awscdk-codebuild-project-public","useless-ternary","cors-regex-wildcard","nestjs-header-cors-any","nestjs-header-xss-disabled","nestjs-open-redirect","react-jwt-decoded-property","react-jwt-in-localstorage","react-router-redirect","react-controlled-component-password","exposing-docker-socket-volume","no-new-privileges","privileged-service","seccomp-confinement-disabled","selinux-separation-disabled","writable-filesystem-service","semgrep-github-action-push-without-branches","changes-with-when-never","allow-privilege-escalation","exposing-docker-socket-hostpath","hostipc-pod","hostnetwork-pod","hostpid-pod","privileged-container","run-as-non-root","seccomp-confinement-disabled","skip-tls-verify-cluster","skip-tls-verify-service","writable-filesystem-container","lang-consistency-bash","lang-consistency-cpp","lang-consistency-csharp","lang-consistency-dockerfile","lang-consistency-elixir","lang-consistency-go","lang-consistency-hcl","lang-consistency-js","lang-consistency-kotlin","lang-consistency-python","lang-consistency-regex","lang-consistency-solidity","lang-consistency-ts","duplicate-id","duplicate-pattern","empty-message","metadata-category","metadata-cwe","metadata-owasp","metadata-references","metadata-technology","missing-language-field","missing-message-field","multi-line-message","slow-pattern-general-func","slow-pattern-general-property","slow-pattern-single-metavariable","slow-pattern-top-ellipsis","unnecessary-parent-operator","unsatisfiable-rule"]}},"author":"raghav","hidden":true,"description":"Test Ruleset","id":"Db22","name":"raghav-test","visibility":"public","categories":[]},{"tags":[],"tier":null,"stats":{"cwe":{"totals":{"CWE-601: URL Redirection to Untrusted Site ('Open 
Redirect')":1},"per_framework":{"CWE-502: Deserialization of Untrusted Data":{"java":{"":1}},"CWE-601: URL Redirection to Untrusted Site ('Open Redirect')":{"java":{"":1}},"CWE-94: Improper Control of Generation of Code ('Code Injection')":{"java":{"":1}},"CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')":{"java":{"":1}}},"rules_with_no_cwe":[]},"owasp":{"totals":{"A03:2021: Injection":1,"A01:2021: Broken Access Control":2,"A05:2017: Broken Access Control":1,"A08:2017: Insecure Deserialization":1,"A08:2021: Software and Data Integrity Failures":1},"per_framework":{"A03:2021: Injection":{"java":{"":1}},"A01:2021: Broken Access Control":{"java":{"":2}},"A05:2017: Broken Access Control":{"java":{"":1}},"A08:2017: Insecure Deserialization":{"java":{"":1}},"A08:2021: Software and Data Integrity Failures":{"java":{"":1}}},"rules_with_no_owasp":[]}},"author":"mfocuz","counts":{"total_rules":4,"premium_rules":0},"hidden":true,"description":"test","id":"vvA","name":"mfocuz.test","visibility":"public","categories":[]},{"tags":["semgrep","security","nodejs","javascript","insecure transport"],"stats":{"cwe":{"totals":{"CWE-319: Cleartext Transmission of Sensitive Information":8},"per_framework":{"CWE-319: Cleartext Transmission of Sensitive Information":{"javascript":{"":8}}},"rules_with_no_cwe":[]},"owasp":{"totals":{"A02:2021: Cryptographic Failures":1,"A03:2017: Sensitive Data Exposure":8},"per_framework":{"A02:2021: Cryptographic Failures":{"javascript":{"":1}},"A03:2017: Sensitive Data Exposure":{"javascript":{"":8}}},"rules_with_no_owasp":[]}},"author":"r2c","counts":{"total_rules":8,"premium_rules":0},"hidden":true,"description":"Rule pack for detecting insecure transport in node 
js","id":"ley","name":"colleend.insecure-transport-nodejs","visibility":"public","categories":[]},{"tags":[],"tier":null,"stats":{"cwe":{"totals":{},"per_framework":{},"rules_with_no_cwe":[]},"owasp":{"totals":{},"per_framework":{},"rules_with_no_owasp":[]}},"author":"Nacho Guisado Obregón","counts":{"total_rules":0,"premium_rules":0},"hidden":true,"description":"","id":"ZzD","name":"gitnachogo.nachogopack","visibility":"public","categories":[]},{"tags":[],"stats":{"cwe":{"totals":{"CWE-601: URL Redirection to Untrusted Site ('Open Redirect')":1},"per_framework":{"CWE-326: Inadequate Encryption Strength":{"java":{"":1}},"CWE-295: Improper Certificate Validation":{"java":{"":1}},"CWE-352: Cross-Site Request Forgery (CSRF)":{"java":{"":1}},"CWE-502: Deserialization of Untrusted Data":{"java":{"":2}},"CWE-329: Generation of Predictable IV with CBC Mode":{"java":{"":1}},"CWE-327: Use of a Broken or Risky Cryptographic Algorithm":{"java":{"":2}},"CWE-601: URL Redirection to Untrusted Site ('Open Redirect')":{"java":{"":2}},"CWE-611: Improper Restriction of XML External Entity Reference":{"java":{"":2}},"CWE-94: Improper Control of Generation of Code ('Code Injection')":{"java":{"":1}},"CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')":{"java":{"":2}},"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')":{"java":{"":2}}},"rules_with_no_cwe":[]},"owasp":{"totals":{"A03:2021: Injection":3,"A01:2021: Broken Access Control":5,"A05:2017: Broken Access Control":2,"A02:2021: Cryptographic Failures":4,"A03:2017: Sensitive Data Exposure":4,"A08:2017: Insecure Deserialization":2,"A05:2021: Security Misconfiguration":2,"A07:2017: Cross-Site Scripting (XSS)":2,"A04:2017: XML External Entities (XXE)":2,"A08:2021: Software and Data Integrity Failures":2,"A07:2021: Identification and Authentication Failures":1},"per_framework":{"A03:2021: Injection":{"java":{"":3}},"A01:2021: Broken Access 
Control":{"java":{"":5}},"A05:2017: Broken Access Control":{"java":{"":2}},"A02:2021: Cryptographic Failures":{"java":{"":4}},"A03:2017: Sensitive Data Exposure":{"java":{"":4}},"A08:2017: Insecure Deserialization":{"java":{"":2}},"A05:2021: Security Misconfiguration":{"java":{"":2}},"A07:2017: Cross-Site Scripting (XSS)":{"java":{"":2}},"A04:2017: XML External Entities (XXE)":{"java":{"":2}},"A08:2021: Software and Data Integrity Failures":{"java":{"":2}},"A07:2021: Identification and Authentication Failures":{"java":{"":1}}},"rules_with_no_owasp":[]}},"author":"Katie Foster","counts":{"total_rules":17,"premium_rules":0},"hidden":true,"description":"","id":"dEZ","name":"fitbitkfoster.test","visibility":"public","categories":[]},{"tags":[],"tier":null,"stats":{"cwe":{"totals":{},"per_framework":{},"rules_with_no_cwe":[]},"owasp":{"totals":{},"per_framework":{},"rules_with_no_owasp":[]}},"author":"javixeneize","counts":{"total_rules":0,"premium_rules":0},"hidden":true,"description":"","id":"z4G","name":"javixeneize.javascript_rules","visibility":"public","categories":[]},{"tags":[],"stats":{"cwe":{"totals":{"CWE-523: Unprotected Transport of Credentials":1},"per_framework":{"":{"go":{"":2},"java":{"":3},"python":{"":44},"javascript":{"":1}},"CWE-489: Active Debug Code":{"python":{"":1}},"CWE-521: Weak Password Requirements":{"python":{"":1}},"CWE-798: Use of Hard-coded Credentials":{"javascript":{"":6}},"CWE-295: Improper Certificate Validation":{"python":{"":2}},"CWE-502: Deserialization of Untrusted Data":{"java":{"":1},"python":{"":2},"javascript":{"":1}},"CWE-300: Channel Accessible by Non-Endpoint":{"go":{"":2}},"CWE-918: Server-Side Request Forgery (SSRF)":{"python":{"":1},"javascript":{"":4}},"CWE-523: Unprotected Transport of Credentials":{"python":{"":1}},"CWE-706: Use of Incorrectly-Resolved Name or Reference":{"javascript":{"":1}},"CWE-319: Cleartext Transmission of Sensitive Information":{"python":{"":1}},"CWE-327: Use of a Broken or Risky Cryptographic 
Algorithm":{"javascript":{"":2}},"CWE-601: URL Redirection to Untrusted Site ('Open Redirect')":{"python":{"":1}},"CWE-611: Improper Restriction of XML External Entity Reference":{"java":{"":1},"python":{"":1},"javascript":{"":2}},"CWE-94: Improper Control of Generation of Code (Code Injection)":{"javascript":{"":5}},"CWE-94: Improper Control of Generation of Code ('Code Injection')":{"javascript":{"":1}},"CWE-1236: Improper Neutralization of Formula Elements in a CSV File":{"python":{"":1}},"CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')":{"python":{"":1}},"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')":{"java":{"":1}},"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')":{"go":{"":1},"python":{"":2}},"CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')":{"python":{"":1}},"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')":{"python":{"":2}},"CWE-96: Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')":{"python":{"":1}},"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command 
Injection')":{"python":{"":2},"javascript":{"":1}}},"rules_with_no_cwe":["eqeq-is-bad","eqeq-is-bad","hardcoded-eq-true-or-false","assignment-comparison","eqeq","hardcoded-conditional","use-click-secho","use-count-method","use-json-response","use-django-environ","use-earliest-or-latest","string-field-must-set-null-true","nontext-field-must-set-null-true","delete-where-no-execute","use-jsonify","arbitrary-sleep","open-never-closed","useless-inner-function","python36-compatibility-ssl","python36-compatibility-Popen1","python36-compatibility-Popen2","python37-compatibility-importlib","python37-compatibility-importlib2","python37-compatibility-importlib3","python37-compatibility-httpconn","python37-compatibility-httpsconn","python37-compatibility-textiowrapper","python37-compatibility-ipv6network1","python37-compatibility-ipv6network2","python37-compatibility-ipv4network1","python37-compatibility-ipv4network2","python37-compatibility-locale1","python37-compatibility-math1","python37-compatibility-multiprocess1","python37-compatibility-multiprocess2","python37-compatibility-os1","python37-compatability-os-module","python37-compatibility-os2-ok2","python37-compatibility-pdb","return-in-init","yield-in-init","useless-eqeq","is-not-is-not","default-mutable-list","default-mutable-dict","identical-is-comparison","string-is-comparison","raise-not-base-exception","tempfile-insecure","tempfile-without-flush"]},"owasp":{"totals":{"":50,"A1: Injection":5,"A01:2017: Injection":7,"A03:2021: Injection":11,"A01:2021: Broken Access Control":3,"A02:2017: Broken Authentication":1,"A05:2017: Broken Access Control":1,"A02:2021: Cryptographic Failures":4,"A03:2017: Sensitive Data Exposure":5,"A08:2017: Insecure Deserialization":4,"A05:2021: Security Misconfiguration":6,"A07:2017: Cross-Site Scripting (XSS)":1,"A04:2017: XML External Entities (XXE)":5,"A10:2021: Server-Side Request Forgery (SSRF)":5,"A08:2021: Software and Data Integrity Failures":4,"A07:2021: Identification and 
Authentication Failures":11},"per_framework":{"":{"go":{"":2},"java":{"":3},"python":{"":44},"javascript":{"":1}},"A1: Injection":{"javascript":{"":5}},"A01:2017: Injection":{"go":{"":1},"python":{"":5},"javascript":{"":1}},"A03:2021: Injection":{"go":{"":1},"java":{"":1},"python":{"":7},"javascript":{"":2}},"A01:2021: Broken Access Control":{"python":{"":2},"javascript":{"":1}},"A02:2017: Broken Authentication":{"python":{"":1}},"A05:2017: Broken Access Control":{"python":{"":1}},"A02:2021: Cryptographic Failures":{"python":{"":2},"javascript":{"":2}},"A03:2017: Sensitive Data Exposure":{"python":{"":3},"javascript":{"":2}},"A08:2017: Insecure Deserialization":{"java":{"":1},"python":{"":2},"javascript":{"":1}},"A05:2021: Security Misconfiguration":{"java":{"":1},"python":{"":3},"javascript":{"":2}},"A07:2017: Cross-Site Scripting (XSS)":{"java":{"":1}},"A04:2017: XML External Entities (XXE)":{"java":{"":1},"python":{"":2},"javascript":{"":2}},"A10:2021: Server-Side Request Forgery (SSRF)":{"python":{"":1},"javascript":{"":4}},"A08:2021: Software and Data Integrity Failures":{"java":{"":1},"python":{"":2},"javascript":{"":1}},"A07:2021: Identification and Authentication 
Failures":{"go":{"":2},"python":{"":3},"javascript":{"":6}}},"rules_with_no_owasp":["eqeq-is-bad","eqeq-is-bad","hardcoded-eq-true-or-false","assignment-comparison","eqeq","hardcoded-conditional","use-click-secho","use-count-method","use-json-response","use-django-environ","use-earliest-or-latest","string-field-must-set-null-true","nontext-field-must-set-null-true","delete-where-no-execute","use-jsonify","arbitrary-sleep","open-never-closed","useless-inner-function","python36-compatibility-ssl","python36-compatibility-Popen1","python36-compatibility-Popen2","python37-compatibility-importlib","python37-compatibility-importlib2","python37-compatibility-importlib3","python37-compatibility-httpconn","python37-compatibility-httpsconn","python37-compatibility-textiowrapper","python37-compatibility-ipv6network1","python37-compatibility-ipv6network2","python37-compatibility-ipv4network1","python37-compatibility-ipv4network2","python37-compatibility-locale1","python37-compatibility-math1","python37-compatibility-multiprocess1","python37-compatibility-multiprocess2","python37-compatibility-os1","python37-compatability-os-module","python37-compatibility-os2-ok2","python37-compatibility-pdb","return-in-init","yield-in-init","useless-eqeq","is-not-is-not","default-mutable-list","default-mutable-dict","identical-is-comparison","string-is-comparison","raise-not-base-exception","tempfile-insecure","tempfile-without-flush"]}},"author":"Jeshventh Raja","counts":{"total_rules":100,"premium_rules":0},"hidden":true,"description":"","id":"pvg","name":"jeshventhraja.all-errors-pack","visibility":"public","categories":[]},{"tags":["semgrep","security","c"],"stats":{"cwe":{"totals":{"":1},"per_framework":{"":{"c":{"":4}},"CWE-415: Double Free":{"c":{"":1}},"CWE-416: Use After Free":{"c":{"":1}},"CWE-676: Use of Potentially Dangerous Function":{"c":{"":5}},"CWE-14: Compiler Removal of Code to Clear Buffers":{"c":{"":1}},"CWE-134: Use of Externally-Controlled Format 
String":{"c":{"":1}},"CWE-532: Insertion of Sensitive Information into Log File":{"c":{"":1}},"CWE-774: Allocation of File Descriptors or Handles Without Limits or Throttling":{"c":{"":1}}},"rules_with_no_cwe":["incorrect-use-ato-fn","incorrect-use-sscanf-fn","double_goto","c-string-equality"]},"owasp":{"totals":{"":12,"A01:2017: Injection":1,"A03:2021: Injection":1,"A04:2021 – Insecure Design":1,"A09:2021: Security Logging and Monitoring Failures":1},"per_framework":{"":{"c":{"":12}},"A01:2017: Injection":{"c":{"":1}},"A03:2021: Injection":{"c":{"":1}},"A04:2021 – Insecure Design":{"c":{"":1}},"A09:2021: Security Logging and Monitoring Failures":{"c":{"":1}}},"rules_with_no_owasp":["insecure-use-printf-fn","insecure-use-strcat-fn","insecure-use-strtok-fn","insecure-use-string-copy-fn","random-fd-exhaustion","insecure-use-scanf-fn","insecure-use-gets-fn","use-after-free","incorrect-use-ato-fn","incorrect-use-sscanf-fn","double_goto","c-string-equality"]}},"author":"r2c","languages":["c"],"description":"Ruleset by r2c","id":"LrZJ","name":"helper_scripts.c","visibility":"public","categories":[]},{"tags":[],"tier":null,"stats":{"cwe":{"totals":{"":5},"per_framework":{"":{"c":{"":1}},"CWE-676: Use of Potentially Dangerous Function":{"c":{"":5}},"CWE-134: Use of Externally-Controlled Format String":{"c":{"":1}}},"rules_with_no_cwe":["double_goto"]},"owasp":{"totals":{"":7},"per_framework":{"":{"c":{"":7}}},"rules_with_no_owasp":["insecure-use-string-copy-fn","insecure-use-gets-fn","insecure-use-strcat-fn","insecure-use-scanf-fn","insecure-use-printf-fn","insecure-use-strtok-fn","double_goto"]}},"author":"Ascof22","counts":{"total_rules":7,"premium_rules":0},"hidden":true,"description":"All C rules pack from 29.07.2020","id":"eYy","name":"ascof22.ascof22.espresso-it_c_rules_only","visibility":"public","categories":[]},{"tags":[],"tier":null,"stats":{"cwe":{"totals":{"CWE-915: Improperly Controlled Modification of Dynamically-Determined Object 
Attributes":2},"per_framework":{"CWE-328: Use of Weak Hash":{"ruby":{"":1}},"CWE-208: Observable Timing Discrepancy":{"ruby":{"":1}},"CWE-798: Use of Hard-coded Credentials":{"ruby":{"":1}},"CWE-295: Improper Certificate Validation":{"ruby":{"":1}},"CWE-352: Cross-Site Request Forgery (CSRF)":{"ruby":{"":1}},"CWE-94: Improper Control of Generation of Code ('Code Injection')":{"ruby":{"":2}},"CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes":{"ruby":{"":1}}},"rules_with_no_cwe":[]},"owasp":{"totals":{"":1,"A03:2021: Injection":2,"A01:2021: Broken Access Control":1,"A02:2021: Cryptographic Failures":1,"A03:2017: Sensitive Data Exposure":2,"A08:2021: Software and Data Integrity Failures":1,"A07:2021: Identification and Authentication Failures":2},"per_framework":{"":{"ruby":{"":1}},"A03:2021: Injection":{"ruby":{"":2}},"A01:2021: Broken Access Control":{"ruby":{"":1}},"A02:2021: Cryptographic Failures":{"ruby":{"":1}},"A03:2017: Sensitive Data Exposure":{"ruby":{"":2}},"A08:2021: Software and Data Integrity Failures":{"ruby":{"":1}},"A07:2021: Identification and Authentication Failures":{"ruby":{"":2}}},"rules_with_no_owasp":["timing-attack"]}},"author":"Eiwe Lingefors","counts":{"total_rules":8,"premium_rules":0},"hidden":true,"description":"","id":"v3A","name":"eiwe.ruby-test-pack","visibility":"public","categories":[]},{"tags":[],"tier":null,"stats":{"cwe":{"totals":{"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')":2},"per_framework":{"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')":{"regex":{"":2},"python":{"":5},"generic":{"":2}},"CWE-96: Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')":{"python":{"":2}}},"rules_with_no_cwe":[]},"owasp":{"totals":{"A03:2021: Injection":11,"A07:2017: Cross-Site Scripting (XSS)":9},"per_framework":{"A03:2021: 
Injection":{"regex":{"":2},"python":{"":7},"generic":{"":2}},"A07:2017: Cross-Site Scripting (XSS)":{"regex":{"":2},"python":{"":5},"generic":{"":2}}},"rules_with_no_owasp":[]}},"author":"minusworld","counts":{"total_rules":11,"premium_rules":0},"hidden":true,"description":"","id":"4gl","name":"minusworld.flask-xss","visibility":"public","categories":[]},{"tags":[],"tier":null,"stats":{"cwe":{"totals":{"CWE-523: Unprotected Transport of Credentials":3},"per_framework":{"CWE-369: Divide By Zero":{"ruby":{"":1}},"CWE-328: Use of Weak Hash":{"ruby":{"":1}},"CWE-489: Active Debug Code":{"go":{"":1},"python":{"":5}},"CWE-284: Improper Access Control":{"ruby":{"":1}},"CWE-287: Improper Authentication":{"java":{"":1},"python":{"":1}},"CWE-377: Insecure Temporary File":{"go":{"":1}},"CWE-20: Improper Input Validation":{"ruby":{"":1}},"CWE-521: Weak Password Requirements":{"python":{"":2}},"CWE-208: Observable Timing Discrepancy":{"ruby":{"":1}},"CWE-276: Incorrect Default Permissions":{"java":{"":1}},"CWE-798: Use of Hard-coded Credentials":{"go":{"":1},"ruby":{"":1},"python":{"":2},"javascript":{"":6}},"CWE-326: Inadequate Encryption Strength":{"java":{"":5},"python":{"":3}},"CWE-295: Improper Certificate Validation":{"java":{"":2},"ruby":{"":1},"python":{"":3}},"CWE-183: Permissive List of Allowed Inputs":{"java":{"":1}},"CWE-352: Cross-Site Request Forgery (CSRF)":{"java":{"":2},"ruby":{"":1},"python":{"":2},"javascript":{"":1}},"CWE-400: Uncontrolled Resource Consumption":{"go":{"":1}},"CWE-502: Deserialization of Untrusted Data":{"java":{"":2},"ruby":{"":1},"python":{"":10},"javascript":{"":1}},"CWE-704: Incorrect Type Conversion or Cast":{"java":{"":1}},"CWE-300: Channel Accessible by Non-Endpoint":{"go":{"":2}},"CWE-918: Server-Side Request Forgery (SSRF)":{"python":{"":3},"javascript":{"":7}},"CWE-242: Use of Inherently Dangerous Function":{"go":{"":1}},"CWE-311: Missing Encryption of Sensitive Data":{"ruby":{"":1}},"CWE-522: Insufficiently Protected 
Credentials":{"javascript":{"":9}},"CWE-523: Unprotected Transport of Credentials":{"python":{"":1}},"CWE-668: Exposure of Resource to Wrong Sphere":{"python":{"":2}},"CWE-73: External Control of File Name or Path":{"python":{"":1}},"CWE-676: Use of Potentially Dangerous Function":{"c":{"":5}},"CWE-116: Improper Encoding or Escaping of Output":{"python":{"":1},"javascript":{"":1}},"CWE-289: Authentication Bypass by Alternate Name":{"go":{"":1}},"CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag":{"java":{"":1}},"CWE-134: Use of Externally-Controlled Format String":{"c":{"":1}},"CWE-322: Key Exchange without Entity Authentication":{"go":{"":1},"python":{"":1}},"CWE-329: Generation of Predictable IV with CBC Mode":{"java":{"":1}},"CWE-706: Use of Incorrectly-Resolved Name or Reference":{"javascript":{"":2}},"CWE-345: Insufficient Verification of Data Authenticity":{"javascript":{"":1}},"CWE-319: Cleartext Transmission of Sensitive Information":{"go":{"":1},"java":{"":1},"python":{"":3}},"CWE-327: Use of a Broken or Risky Cryptographic Algorithm":{"go":{"":7},"java":{"":5},"python":{"":18},"javascript":{"":2}},"CWE-601: URL Redirection to Untrusted Site ('Open Redirect')":{"java":{"":2},"python":{"":1},"javascript":{"":1}},"CWE-1021: Improper Restriction of Rendered UI Layers or Frames":{"ruby":{"":1}},"CWE-297: Improper Validation of Certificate with Host Mismatch":{"java":{"":1}},"CWE-611: Improper Restriction of XML External Entity Reference":{"java":{"":3},"ruby":{"":1},"python":{"":1},"javascript":{"":6}},"CWE-913: Improper Control of Dynamically-Managed Code Resources":{"go":{"":2}},"CWE-94: Improper Control of Generation of Code (Code Injection)":{"javascript":{"":6}},"CWE-939: Improper Authorization in Handler for Custom URL Scheme":{"python":{"":1}},"CWE-155: Improper Neutralization of Wildcards or Matching Symbols":{"python":{"":1}},"CWE-94: Improper Control of Generation of Code ('Code 
Injection')":{"go":{"":1},"java":{"":4},"ruby":{"":4},"javascript":{"":14}},"CWE-1236: Improper Neutralization of Formula Elements in a CSV File":{"python":{"":1}},"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor":{"go":{"":1},"java":{"":1},"python":{"":1}},"CWE-264: CWE CATEGORY: Permissions, Privileges, and Access Controls":{"json":{"":1}},"CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')":{"java":{"":1},"python":{"":1}},"CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute":{"java":{"":1},"python":{"":2}},"CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)":{"go":{"":1}},"CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer":{"javascript":{"":1}},"CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)":{"javascript":{"":1}},"CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')":{"go":{"":1},"java":{"":2},"ruby":{"":1},"python":{"":4},"javascript":{"":2}},"CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes":{"ruby":{"":6},"python":{"":1}},"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')":{"go":{"":6},"java":{"":2},"ruby":{"":2},"python":{"":7},"javascript":{"":2}},"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')":{"go":{"":1},"java":{"":2},"python":{"":9},"javascript":{"":1}},"CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')":{"java":{"":2}},"CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')":{"python":{"":1}},"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')":{"python":{"":9},"javascript":{"":2}},"CWE-96: Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')":{"python":{"":3}},"CWE-78: Improper 
Neutralization of Special Elements used in an OS Command ('OS Command Injection')":{"java":{"":1},"python":{"":8},"javascript":{"":3}},"CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')":{"java":{"":1}},"CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')":{"python":{"":2}}},"rules_with_no_cwe":[]},"owasp":{"totals":{"":12,"A1: Injection":8,"A01:2017: Injection":28,"A03:2021: Injection":89,"A04:2021: Insecure Design":13,"A3: Sensitive Data Exposure":11,"A6: Security Misconfiguration":1,"A01:2021: Broken Access Control":33,"A02:2017: Broken Authentication":12,"A05:2017: Broken Access Control":12,"A02:2021: Cryptographic Failures":38,"A03:2017: Sensitive Data Exposure":41,"A08:2017: Insecure Deserialization":14,"A05:2021: Security Misconfiguration":20,"A06:2017: Security Misconfiguration":2,"A07:2017: Cross-Site Scripting (XSS)":19,"A04:2017: XML External Entities (XXE)":12,"A10:2021: Server-Side Request Forgery (SSRF)":10,"A08:2021: Software and Data Integrity Failures":22,"A9: Using Components with Known Vulnerabilities":2,"A07:2021: Identification and Authentication Failures":23},"per_framework":{"":{"c":{"":6},"go":{"":3},"ruby":{"":2},"javascript":{"":1}},"A1: Injection":{"python":{"":2},"javascript":{"":6}},"A01:2017: Injection":{"go":{"":1},"java":{"":5},"python":{"":18},"javascript":{"":4}},"A03:2021: Injection":{"go":{"":8},"java":{"":13},"ruby":{"":7},"python":{"":37},"javascript":{"":24}},"A04:2021: Insecure Design":{"java":{"":1},"ruby":{"":2},"python":{"":1},"javascript":{"":9}},"A3: Sensitive Data Exposure":{"python":{"":11}},"A6: Security Misconfiguration":{"python":{"":1}},"A01:2021: Broken Access Control":{"go":{"":5},"java":{"":8},"json":{"":1},"ruby":{"":3},"python":{"":10},"javascript":{"":6}},"A02:2017: Broken Authentication":{"java":{"":1},"python":{"":2},"javascript":{"":9}},"A05:2017: Broken Access 
Control":{"go":{"":1},"java":{"":2},"ruby":{"":2},"python":{"":4},"javascript":{"":3}},"A02:2021: Cryptographic Failures":{"go":{"":10},"java":{"":10},"ruby":{"":1},"python":{"":15},"javascript":{"":2}},"A03:2017: Sensitive Data Exposure":{"go":{"":8},"java":{"":12},"ruby":{"":3},"python":{"":16},"javascript":{"":2}},"A08:2017: Insecure Deserialization":{"java":{"":2},"ruby":{"":1},"python":{"":10},"javascript":{"":1}},"A05:2021: Security Misconfiguration":{"java":{"":5},"ruby":{"":1},"python":{"":8},"javascript":{"":6}},"A06:2017: Security Misconfiguration":{"go":{"":1},"python":{"":1}},"A07:2017: Cross-Site Scripting (XSS)":{"go":{"":6},"java":{"":2},"ruby":{"":2},"python":{"":7},"javascript":{"":2}},"A04:2017: XML External Entities (XXE)":{"java":{"":3},"ruby":{"":1},"python":{"":2},"javascript":{"":6}},"A10:2021: Server-Side Request Forgery (SSRF)":{"python":{"":3},"javascript":{"":7}},"A08:2021: Software and Data Integrity Failures":{"java":{"":2},"ruby":{"":7},"python":{"":11},"javascript":{"":2}},"A9: Using Components with Known Vulnerabilities":{"java":{"":2}},"A07:2021: Identification and Authentication Failures":{"go":{"":3},"java":{"":4},"ruby":{"":2},"python":{"":8},"javascript":{"":6}}},"rules_with_no_owasp":["insecure-use-string-copy-fn","insecure-use-gets-fn","insecure-use-scanf-fn","insecure-use-strcat-fn","insecure-use-printf-fn","insecure-use-strtok-fn","detect-buffer-noassert","divide-by-zero","timing-attack","handler-assignment-from-multiple-sources","potential-dos-via-decompression-bomb","use-of-unsafe-block"]}},"author":"Josh Gatka","counts":{"total_rules":288,"premium_rules":0},"hidden":true,"description":"jgatka, 08/26/2020 - This pack of 307 rules includes security vulnerabilities as chosen from the \"security\" and \"owasp\" packs, across all currently supported languages and all severity levels. 
","id":"X7K","name":"jgatka-od.jgatka_comprehensive","visibility":"public","categories":[]},{"tags":["semgrep","security","go","xss","html"],"stats":{"cwe":{"totals":{"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')":6},"per_framework":{"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')":{"go":{"":6}}},"rules_with_no_cwe":[]},"owasp":{"totals":{"A03:2021: Injection":6,"A07:2017: Cross-Site Scripting (XSS)":6},"per_framework":{"A03:2021: Injection":{"go":{"":6}},"A07:2017: Cross-Site Scripting (XSS)":{"go":{"":6}}},"rules_with_no_owasp":[]}},"author":"r2c","counts":{"total_rules":6,"premium_rules":0},"hidden":true,"description":"Secure defaults for XSS in Go.","id":"PGY","name":"minusworld.go-std-xss","visibility":"public","categories":[]},{"tags":[],"tier":null,"stats":{"cwe":{"totals":{},"per_framework":{},"rules_with_no_cwe":[]},"owasp":{"totals":{},"per_framework":{},"rules_with_no_owasp":[]}},"author":"ali0818","counts":{"total_rules":0,"premium_rules":0},"hidden":true,"description":"Customize regex and rule created for java, node, and other security issues.","id":"JvW","name":"ali0818.firdoesh.khan","visibility":"public","categories":[]},{"tags":[],"tier":null,"stats":{"cwe":{"totals":{"CWE-326: Inadequate Encryption Strength":2},"per_framework":{"":{"javascript":{"":6}},"CWE-287: Improper Authentication":{"java":{"":1}},"CWE-276: Incorrect Default Permissions":{"java":{"":1}},"CWE-798: Use of Hard-coded Credentials":{"javascript":{"":6}},"CWE-326: Inadequate Encryption Strength":{"java":{"":5}},"CWE-295: Improper Certificate Validation":{"java":{"":2}},"CWE-183: Permissive List of Allowed Inputs":{"java":{"":1}},"CWE-352: Cross-Site Request Forgery (CSRF)":{"java":{"":2},"javascript":{"":1}},"CWE-502: Deserialization of Untrusted Data":{"java":{"":2},"javascript":{"":1}},"CWE-704: Incorrect Type Conversion or Cast":{"java":{"":1}},"CWE-918: Server-Side Request Forgery 
(SSRF)":{"java":{"ssrf":4},"javascript":{"":7}},"CWE-522: Insufficiently Protected Credentials":{"javascript":{"":9}},"CWE-116: Improper Encoding or Escaping of Output":{"javascript":{"":1}},"CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag":{"java":{"":1}},"CWE-329: Generation of Predictable IV with CBC Mode":{"java":{"":1}},"CWE-706: Use of Incorrectly-Resolved Name or Reference":{"javascript":{"":2}},"CWE-345: Insufficient Verification of Data Authenticity":{"javascript":{"":1}},"CWE-319: Cleartext Transmission of Sensitive Information":{"java":{"":1},"javascript":{"":8}},"CWE-327: Use of a Broken or Risky Cryptographic Algorithm":{"java":{"":5},"javascript":{"":2}},"CWE-601: URL Redirection to Untrusted Site ('Open Redirect')":{"java":{"":2},"javascript":{"":1}},"CWE-297: Improper Validation of Certificate with Host Mismatch":{"java":{"":1}},"CWE-611: Improper Restriction of XML External Entity Reference":{"java":{"":3,"xxe":8},"javascript":{"":6}},"CWE-94: Improper Control of Generation of Code (Code Injection)":{"javascript":{"":6}},"CWE-94: Improper Control of Generation of Code ('Code Injection')":{"java":{"":4},"javascript":{"":14}},"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor":{"java":{"":1}},"CWE-264: CWE CATEGORY: Permissions, Privileges, and Access Controls":{"json":{"":1}},"CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')":{"java":{"":1}},"CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute":{"java":{"":1}},"CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer":{"javascript":{"":1}},"CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)":{"javascript":{"":1}},"CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')":{"java":{"":2},"javascript":{"":2}},"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')":{"java":{"":2},"javascript":{"":13}},"CWE-89: Improper 
Neutralization of Special Elements used in an SQL Command ('SQL Injection')":{"java":{"":2},"javascript":{"":1}},"CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')":{"java":{"":2}},"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')":{"javascript":{"":2}},"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')":{"java":{"":1},"javascript":{"":3}},"CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')":{"java":{"":1}}},"rules_with_no_cwe":["detect-angular-translateprovider-useStrategy-method","assigned-undefined","javascript-alert","javascript-debugger","javascript-confirm","javascript-prompt"]},"owasp":{"totals":{"":11,"A1: Injection":6,"A01:2017: Injection":9,"A03:2021: Injection":48,"A04:2021: Insecure Design":10,"A01:2021: Broken Access Control":15,"A02:2017: Broken Authentication":10,"A05:2017: Broken Access Control":5,"A02:2021: Cryptographic Failures":13,"A03:2017: Sensitive Data Exposure":22,"A08:2017: Insecure Deserialization":3,"A05:2021: Security Misconfiguration":11,"A07:2017: Cross-Site Scripting (XSS)":15,"A4:2017: XML External Entities (XXE)":1,"A04:2017: XML External Entities (XXE)":15,"A04:2021: XML External Entities (XXE)":1,"A10:2021: Server-Side Request Forgery (SSRF)":7,"A08:2021: Software and Data Integrity Failures":4,"A9: Using Components with Known Vulnerabilities":2,"A07:2021: Identification and Authentication Failures":10},"per_framework":{"":{"java":{"ssrf":4},"javascript":{"":7}},"A1: Injection":{"javascript":{"":6}},"A01:2017: Injection":{"java":{"":5},"javascript":{"":4}},"A03:2021: Injection":{"java":{"":13},"javascript":{"":35}},"A04:2021: Insecure Design":{"java":{"":1},"javascript":{"":9}},"A01:2021: Broken Access Control":{"java":{"":8},"json":{"":1},"javascript":{"":6}},"A02:2017: Broken Authentication":{"java":{"":1},"javascript":{"":9}},"A05:2017: 
Broken Access Control":{"java":{"":2},"javascript":{"":3}},"A02:2021: Cryptographic Failures":{"java":{"":10},"javascript":{"":3}},"A03:2017: Sensitive Data Exposure":{"java":{"":12},"javascript":{"":10}},"A08:2017: Insecure Deserialization":{"java":{"":2},"javascript":{"":1}},"A05:2021: Security Misconfiguration":{"java":{"":5},"javascript":{"":6}},"A07:2017: Cross-Site Scripting (XSS)":{"java":{"":2},"javascript":{"":13}},"A4:2017: XML External Entities (XXE)":{"java":{"xxe":1}},"A04:2017: XML External Entities (XXE)":{"java":{"":3,"xxe":6},"javascript":{"":6}},"A04:2021: XML External Entities (XXE)":{"java":{"xxe":1}},"A10:2021: Server-Side Request Forgery (SSRF)":{"javascript":{"":7}},"A08:2021: Software and Data Integrity Failures":{"java":{"":2},"javascript":{"":2}},"A9: Using Components with Known Vulnerabilities":{"java":{"":2}},"A07:2021: Identification and Authentication Failures":{"java":{"":4},"javascript":{"":6}}},"rules_with_no_owasp":["owasp.java.ssrf.java.net.url","owasp.java.ssrf.org.apache.commons.httpclient","owasp.java.ssrf.org.apache.http.impl.client.CloseableHttpClient","owasp.java.ssrf.possible.import.statements","detect-angular-translateprovider-useStrategy-method","assigned-undefined","javascript-alert","javascript-debugger","javascript-confirm","javascript-prompt","detect-buffer-noassert"]}},"author":"slothy-ghost","counts":{"total_rules":153,"premium_rules":0},"hidden":true,"description":"","id":"ekX","name":"slothy-ghost.czi-meta","visibility":"public","categories":[]},{"tags":[],"stats":{"cwe":{"totals":{"CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')":1},"per_framework":{"":{"python":{"":16}},"CWE-489: Active Debug Code":{"python":{"":1}},"CWE-521: Weak Password Requirements":{"python":{"":1}},"CWE-295: Improper Certificate Validation":{"python":{"":1}},"CWE-502: Deserialization of Untrusted Data":{"python":{"":2}},"CWE-918: Server-Side Request Forgery (SSRF)":{"python":{"":1}},"CWE-523: 
Unprotected Transport of Credentials":{"python":{"":1}},"CWE-319: Cleartext Transmission of Sensitive Information":{"python":{"":1}},"CWE-601: URL Redirection to Untrusted Site ('Open Redirect')":{"python":{"":1}},"CWE-611: Improper Restriction of XML External Entity Reference":{"python":{"":1}},"CWE-1236: Improper Neutralization of Formula Elements in a CSV File":{"python":{"":1}},"CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')":{"python":{"":1}},"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')":{"python":{"":2}},"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')":{"python":{"":2}},"CWE-96: Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')":{"python":{"":1}},"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')":{"python":{"":1}}},"rules_with_no_cwe":["use-count-method","use-earliest-or-latest","string-field-must-set-null-true","nontext-field-must-set-null-true","delete-where-no-execute","tempfile-without-flush","tempfile-insecure","raise-not-base-exception","string-is-comparison","identical-is-comparison","default-mutable-dict","default-mutable-list","is-not-is-not","useless-eqeq","yield-in-init","return-in-init"]},"owasp":{"totals":{"":16,"A01:2017: Injection":4,"A03:2021: Injection":6,"A01:2021: Broken Access Control":2,"A02:2017: Broken Authentication":1,"A05:2017: Broken Access Control":1,"A02:2021: Cryptographic Failures":2,"A03:2017: Sensitive Data Exposure":2,"A08:2017: Insecure Deserialization":2,"A05:2021: Security Misconfiguration":2,"A04:2017: XML External Entities (XXE)":1,"A10:2021: Server-Side Request Forgery (SSRF)":1,"A08:2021: Software and Data Integrity Failures":2,"A07:2021: Identification and Authentication Failures":2},"per_framework":{"":{"python":{"":16}},"A01:2017: Injection":{"python":{"":4}},"A03:2021: 
Injection":{"python":{"":6}},"A01:2021: Broken Access Control":{"python":{"":2}},"A02:2017: Broken Authentication":{"python":{"":1}},"A05:2017: Broken Access Control":{"python":{"":1}},"A02:2021: Cryptographic Failures":{"python":{"":2}},"A03:2017: Sensitive Data Exposure":{"python":{"":2}},"A08:2017: Insecure Deserialization":{"python":{"":2}},"A05:2021: Security Misconfiguration":{"python":{"":2}},"A04:2017: XML External Entities (XXE)":{"python":{"":1}},"A10:2021: Server-Side Request Forgery (SSRF)":{"python":{"":1}},"A08:2021: Software and Data Integrity Failures":{"python":{"":2}},"A07:2021: Identification and Authentication Failures":{"python":{"":2}}},"rules_with_no_owasp":["use-count-method","use-earliest-or-latest","string-field-must-set-null-true","nontext-field-must-set-null-true","delete-where-no-execute","tempfile-without-flush","tempfile-insecure","raise-not-base-exception","string-is-comparison","identical-is-comparison","default-mutable-dict","default-mutable-list","is-not-is-not","useless-eqeq","yield-in-init","return-in-init"]}},"author":"amccabe-splk","counts":{"total_rules":34,"premium_rules":0},"hidden":true,"description":"test","id":"RWe","name":"amccabe-splk.1046-test","visibility":"public","categories":[]},{"tags":[],"tier":null,"stats":{"cwe":{"totals":{"":1},"per_framework":{"":{"python":{"":1}}},"rules_with_no_cwe":["new_rule"]},"owasp":{"totals":{"":1},"per_framework":{"":{"python":{"":1}}},"rules_with_no_owasp":["new_rule"]}},"author":"penny-1995","counts":{"total_rules":1,"premium_rules":0},"hidden":true,"description":null,"id":"o67","name":"penny-1995.ajvb-rules","visibility":"public","categories":[]},{"tags":[],"tier":null,"stats":{"cwe":{"totals":{"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')":7},"per_framework":{"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')":{"python":{"":7}}},"rules_with_no_cwe":[]},"owasp":{"totals":{"A01:2017: 
Injection":7,"A03:2021: Injection":7},"per_framework":{"A01:2017: Injection":{"python":{"":7}},"A03:2021: Injection":{"python":{"":7}}},"rules_with_no_owasp":[]}},"author":"minusworld","counts":{"total_rules":7,"premium_rules":0},"hidden":true,"description":"","id":"L4r","name":"minusworld.django-sqli","visibility":"public","categories":[]},{"tags":[],"stats":{"cwe":{"totals":{"CWE-521: Weak Password Requirements":1},"per_framework":{"":{"python":{"":2}},"CWE-521: Weak Password Requirements":{"python":{"":1}}},"rules_with_no_cwe":["use-count-method","access-foreign-keys"]},"owasp":{"totals":{"":2,"A07:2021: Identification and Authentication Failures":1},"per_framework":{"":{"python":{"":2}},"A07:2021: Identification and Authentication Failures":{"python":{"":1}}},"rules_with_no_owasp":["use-count-method","access-foreign-keys"]}},"author":"minusworld","counts":{"total_rules":3,"premium_rules":0},"hidden":true,"description":"django rules","id":"84y","name":"minusworld.django-test-delme","visibility":"public","categories":[]},{"tags":["semgrep","security","django","python","xss"],"stats":{"cwe":{"totals":{"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')":13},"per_framework":{"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')":{"regex":{"":3},"python":{"":8},"generic":{"":2}}},"rules_with_no_cwe":[]},"owasp":{"totals":{"A03:2021: Injection":13,"A07:2017: Cross-Site Scripting (XSS)":13},"per_framework":{"A03:2021: Injection":{"regex":{"":3},"python":{"":8},"generic":{"":2}},"A07:2017: Cross-Site Scripting (XSS)":{"regex":{"":3},"python":{"":8},"generic":{"":2}}},"rules_with_no_owasp":[]}},"author":"r2c","counts":{"total_rules":13,"premium_rules":0},"hidden":true,"description":"Secure defaults for XSS prevention in Django","id":"QR4","name":"minusworld.django-xss","visibility":"public","categories":[]},{"tags":[],"tier":null,"stats":{"cwe":{"totals":{"CWE-79: Improper Neutralization 
of Input During Web Page Generation ('Cross-site Scripting')":1},"per_framework":{"CWE-601: URL Redirection to Untrusted Site ('Open Redirect')":{"javascript":{"":1}},"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')":{"javascript":{"":1}},"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')":{"javascript":{"":1}},"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')":{"javascript":{"":1}}},"rules_with_no_cwe":[]},"owasp":{"totals":{"A01:2017: Injection":1,"A03:2021: Injection":3,"A01:2021: Broken Access Control":1,"A07:2017: Cross-Site Scripting (XSS)":1},"per_framework":{"A01:2017: Injection":{"javascript":{"":1}},"A03:2021: Injection":{"javascript":{"":3}},"A01:2021: Broken Access Control":{"javascript":{"":1}},"A07:2017: Cross-Site Scripting (XSS)":{"javascript":{"":1}}},"rules_with_no_owasp":[]}},"author":"minusworld","counts":{"total_rules":4,"premium_rules":0},"hidden":true,"description":"","id":"5nA","name":"minusworld.js-juiceshop-test","visibility":"public","categories":[]},{"tags":[],"tier":null,"stats":{"cwe":{"totals":{"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')":2},"per_framework":{"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')":{"regex":{"":2},"python":{"":5},"generic":{"":4}},"CWE-96: Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')":{"python":{"":2}}},"rules_with_no_cwe":[]},"owasp":{"totals":{"A03:2021: Injection":13,"A07:2017: Cross-Site Scripting (XSS)":11},"per_framework":{"A03:2021: Injection":{"regex":{"":2},"python":{"":7},"generic":{"":4}},"A07:2017: Cross-Site Scripting 
(XSS)":{"regex":{"":2},"python":{"":5},"generic":{"":4}}},"rules_with_no_owasp":[]}},"author":"minusworld","counts":{"total_rules":13,"premium_rules":0},"hidden":true,"description":"","id":"RAO","name":"minusworld.python-flask-xss-w-template","visibility":"public","categories":[]},{"tags":[],"tier":null,"stats":{"cwe":{"totals":{"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')":2},"per_framework":{"CWE-116: Improper Encoding or Escaping of Output":{"python":{"":1}},"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')":{"python":{"":5}},"CWE-96: Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')":{"python":{"":2}}},"rules_with_no_cwe":[]},"owasp":{"totals":{"A03:2021: Injection":7,"A6: Security Misconfiguration":1,"A07:2017: Cross-Site Scripting (XSS)":5},"per_framework":{"A03:2021: Injection":{"python":{"":7}},"A6: Security Misconfiguration":{"python":{"":1}},"A07:2017: Cross-Site Scripting (XSS)":{"python":{"":5}}},"rules_with_no_owasp":[]}},"author":"minusworld","counts":{"total_rules":8,"premium_rules":0},"hidden":true,"description":"","id":"AWp","name":"minusworld.python-flask-xss","visibility":"public","categories":[]},{"tags":[],"tier":null,"stats":{"cwe":{"totals":{"CWE-311: Missing Encryption of Sensitive Data":1},"per_framework":{"CWE-310: Cryptographic Issues":{"python":{"":2}},"CWE-326: Inadequate Encryption Strength":{"python":{"":3}},"CWE-295: Improper Certificate Validation":{"python":{"":3}},"CWE-311: Missing Encryption of Sensitive Data":{"python":{"":2}},"CWE-523: Unprotected Transport of Credentials":{"python":{"":1}},"CWE-322: Key Exchange without Entity Authentication":{"python":{"":1}},"CWE-319: Cleartext Transmission of Sensitive Information":{"python":{"":18}}},"rules_with_no_cwe":[]},"owasp":{"totals":{"A02:2017: Broken Authentication":1,"A02:2021: Cryptographic Failures":25,"A03:2017: Sensitive Data 
Exposure":26,"A05:2021: Security Misconfiguration":2,"A06:2017: Security Misconfiguration":2,"A07:2021: Identification and Authentication Failures":3},"per_framework":{"A02:2017: Broken Authentication":{"python":{"":1}},"A02:2021: Cryptographic Failures":{"python":{"":25}},"A03:2017: Sensitive Data Exposure":{"python":{"":26}},"A05:2021: Security Misconfiguration":{"python":{"":2}},"A06:2017: Security Misconfiguration":{"python":{"":2}},"A07:2021: Identification and Authentication Failures":{"python":{"":3}}},"rules_with_no_owasp":[]}},"author":"minusworld","counts":{"total_rules":30,"premium_rules":0},"hidden":true,"description":"","id":"B0W","name":"minusworld.python-insecure-transport-starter","visibility":"public","categories":[]},{"tags":[],"tier":null,"stats":{"cwe":{"totals":{"CWE-676: Use of Potentially Dangerous Function":5},"per_framework":{"":{"c":{"":1}},"CWE-676: Use of Potentially Dangerous Function":{"c":{"":5}},"CWE-134: Use of Externally-Controlled Format String":{"c":{"":1}}},"rules_with_no_cwe":["double_goto"]},"owasp":{"totals":{"":7},"per_framework":{"":{"c":{"":7}}},"rules_with_no_owasp":["insecure-use-string-copy-fn","insecure-use-gets-fn","double_goto","insecure-use-strtok-fn","insecure-use-printf-fn","insecure-use-scanf-fn","insecure-use-strcat-fn"]}},"author":"uivil","counts":{"total_rules":7,"premium_rules":0},"hidden":true,"description":"","id":"8dJ","name":"uivil.c","visibility":"public","categories":[]},{"tags":[],"stats":{"cwe":{"totals":{},"per_framework":{},"rules_with_no_cwe":[]},"owasp":{"totals":{},"per_framework":{},"rules_with_no_owasp":[]}},"author":"webappsecurityz","counts":{"total_rules":0,"premium_rules":0},"hidden":true,"description":null,"id":"gyo","name":"webappsecurityz.3zrr-rules","visibility":"public","categories":[]},{"tags":[],"tier":null,"stats":{"cwe":{"totals":{"CWE-295: Improper Certificate Validation":1},"per_framework":{"CWE-295: Improper Certificate Validation":{"java":{"":1}},"CWE-352: Cross-Site Request 
Forgery (CSRF)":{"java":{"":1}},"CWE-502: Deserialization of Untrusted Data":{"java":{"":2}},"CWE-601: URL Redirection to Untrusted Site ('Open Redirect')":{"java":{"":2}},"CWE-611: Improper Restriction of XML External Entity Reference":{"java":{"":2}},"CWE-94: Improper Control of Generation of Code ('Code Injection')":{"java":{"":1}},"CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute":{"java":{"":1}},"CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')":{"java":{"":2}},"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')":{"java":{"":2}}},"rules_with_no_cwe":[]},"owasp":{"totals":{"A03:2021: Injection":3,"A01:2021: Broken Access Control":5,"A05:2017: Broken Access Control":2,"A03:2017: Sensitive Data Exposure":1,"A08:2017: Insecure Deserialization":2,"A05:2021: Security Misconfiguration":3,"A07:2017: Cross-Site Scripting (XSS)":2,"A04:2017: XML External Entities (XXE)":2,"A08:2021: Software and Data Integrity Failures":2,"A07:2021: Identification and Authentication Failures":1},"per_framework":{"A03:2021: Injection":{"java":{"":3}},"A01:2021: Broken Access Control":{"java":{"":5}},"A05:2017: Broken Access Control":{"java":{"":2}},"A03:2017: Sensitive Data Exposure":{"java":{"":1}},"A08:2017: Insecure Deserialization":{"java":{"":2}},"A05:2021: Security Misconfiguration":{"java":{"":3}},"A07:2017: Cross-Site Scripting (XSS)":{"java":{"":2}},"A04:2017: XML External Entities (XXE)":{"java":{"":2}},"A08:2021: Software and Data Integrity Failures":{"java":{"":2}},"A07:2021: Identification and Authentication Failures":{"java":{"":1}}},"rules_with_no_owasp":[]}},"author":"wflk","counts":{"total_rules":14,"premium_rules":0},"hidden":true,"description":"All java security issues","id":"QND","name":"wflk.java_security","visibility":"public","categories":[]},{"tags":[],"tier":null,"stats":{"cwe":{"totals":{"CWE-327: Use of a Broken or Risky Cryptographic 
Algorithm":1},"per_framework":{"CWE-326: Inadequate Encryption Strength":{"java":{"":2},"python":{"":1}},"CWE-327: Use of a Broken or Risky Cryptographic Algorithm":{"go":{"":1}}},"rules_with_no_cwe":[]},"owasp":{"totals":{"A02:2021: Cryptographic Failures":4,"A03:2017: Sensitive Data Exposure":4},"per_framework":{"A02:2021: Cryptographic Failures":{"go":{"":1},"java":{"":2},"python":{"":1}},"A03:2017: Sensitive Data Exposure":{"go":{"":1},"java":{"":2},"python":{"":1}}},"rules_with_no_owasp":[]}},"author":"Joe Bollen","counts":{"total_rules":4,"premium_rules":0},"hidden":true,"description":"Detect use of insecure TLS in Python, Go and Java","id":"GLp","name":"hazanasec.secure_tls_audit","visibility":"public","categories":[]},{"tags":[],"tier":null,"stats":{"cwe":{"totals":{},"per_framework":{},"rules_with_no_cwe":[]},"owasp":{"totals":{},"per_framework":{},"rules_with_no_owasp":[]}},"author":"Ross Nanopoulos","counts":{"total_rules":0,"premium_rules":0},"hidden":true,"description":"","id":"3dg","name":"zythosec.test-pack","visibility":"public","categories":[]},{"tags":["security","python","injection","xss","flask","django","requests","deserialization","xxe"],"stats":{"cwe":{"totals":{"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')":2},"per_framework":{"":{"python":{"":13}},"CWE-521: Weak Password Requirements":{"python":{"":1}},"CWE-798: Use of Hard-coded Credentials":{"python":{"":1}},"CWE-326: Inadequate Encryption Strength":{"python":{"":2}},"CWE-295: Improper Certificate Validation":{"python":{"":2}},"CWE-502: Deserialization of Untrusted Data":{"python":{"":2}},"CWE-918: Server-Side Request Forgery (SSRF)":{"python":{"":1}},"CWE-523: Unprotected Transport of Credentials":{"python":{"":1}},"CWE-116: Improper Encoding or Escaping of Output":{"python":{"":1}},"CWE-327: Use of a Broken or Risky Cryptographic Algorithm":{"python":{"":17}},"CWE-611: Improper Restriction of XML External Entity 
Reference":{"python":{"":1}},"CWE-1236: Improper Neutralization of Formula Elements in a CSV File":{"python":{"":1}},"CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')":{"python":{"":1}},"CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes":{"python":{"":1}},"CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')":{"python":{"":1}},"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')":{"python":{"":4}},"CWE-96: Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')":{"python":{"":2}},"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')":{"python":{"":1}}},"rules_with_no_cwe":["tempfile-without-flush","string-is-comparison","default-mutable-dict","default-mutable-list","is-not-is-not","list-modify-while-iterate","dict-del-while-iterate","useless-eqeq","no-strings-as-booleans","return-in-init","yield-in-init","useless-if-conditional","useless-literal-dict"]},"owasp":{"totals":{"":13,"A01:2017: Injection":2,"A03:2021: Injection":7,"A3: Sensitive Data Exposure":11,"A6: Security Misconfiguration":1,"A01:2021: Broken Access Control":1,"A02:2017: Broken Authentication":1,"A05:2017: Broken Access Control":1,"A02:2021: Cryptographic Failures":9,"A03:2017: Sensitive Data Exposure":10,"A08:2017: Insecure Deserialization":2,"A05:2021: Security Misconfiguration":2,"A04:2017: XML External Entities (XXE)":2,"A10:2021: Server-Side Request Forgery (SSRF)":1,"A08:2021: Software and Data Integrity Failures":3,"A07:2021: Identification and Authentication Failures":4},"per_framework":{"":{"python":{"":13}},"A01:2017: Injection":{"python":{"":2}},"A03:2021: Injection":{"python":{"":7}},"A3: Sensitive Data Exposure":{"python":{"":11}},"A6: Security Misconfiguration":{"python":{"":1}},"A01:2021: Broken Access Control":{"python":{"":1}},"A02:2017: Broken 
Authentication":{"python":{"":1}},"A05:2017: Broken Access Control":{"python":{"":1}},"A02:2021: Cryptographic Failures":{"python":{"":9}},"A03:2017: Sensitive Data Exposure":{"python":{"":10}},"A08:2017: Insecure Deserialization":{"python":{"":2}},"A05:2021: Security Misconfiguration":{"python":{"":2}},"A04:2017: XML External Entities (XXE)":{"python":{"":2}},"A10:2021: Server-Side Request Forgery (SSRF)":{"python":{"":1}},"A08:2021: Software and Data Integrity Failures":{"python":{"":3}},"A07:2021: Identification and Authentication Failures":{"python":{"":4}}},"rules_with_no_owasp":["tempfile-without-flush","string-is-comparison","default-mutable-dict","default-mutable-list","is-not-is-not","list-modify-while-iterate","dict-del-while-iterate","useless-eqeq","no-strings-as-booleans","return-in-init","yield-in-init","useless-if-conditional","useless-literal-dict"]}},"author":"r2c","counts":{"total_rules":53,"premium_rules":0},"hidden":true,"description":"Scan for runtime errors, logic bugs, and high-confidence security vulnerabilities. 
Recommended for use in CI to block serious issues from reaching production.","id":"PGN","name":"minusworld.r2c-python-ci","visibility":"public","categories":[]},{"tags":[],"tier":null,"stats":{"cwe":{"totals":{"CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes":3},"per_framework":{"CWE-369: Divide By Zero":{"ruby":{"":1}},"CWE-328: Use of Weak Hash":{"ruby":{"":1}},"CWE-208: Observable Timing Discrepancy":{"ruby":{"":1}},"CWE-798: Use of Hard-coded Credentials":{"ruby":{"":1}},"CWE-295: Improper Certificate Validation":{"ruby":{"":1}},"CWE-352: Cross-Site Request Forgery (CSRF)":{"ruby":{"":1}},"CWE-502: Deserialization of Untrusted Data":{"ruby":{"":1}},"CWE-311: Missing Encryption of Sensitive Data":{"ruby":{"":1}},"CWE-1021: Improper Restriction of Rendered UI Layers or Frames":{"ruby":{"":1}},"CWE-94: Improper Control of Generation of Code ('Code Injection')":{"ruby":{"":3}},"CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')":{"ruby":{"":1}},"CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes":{"ruby":{"":3}}},"rules_with_no_cwe":[]},"owasp":{"totals":{"":2,"A03:2021: Injection":3,"A04:2021: Insecure Design":2,"A01:2021: Broken Access Control":2,"A05:2017: Broken Access Control":1,"A02:2021: Cryptographic Failures":1,"A03:2017: Sensitive Data Exposure":3,"A08:2017: Insecure Deserialization":1,"A08:2021: Software and Data Integrity Failures":4,"A07:2021: Identification and Authentication Failures":2},"per_framework":{"":{"ruby":{"":2}},"A03:2021: Injection":{"ruby":{"":3}},"A04:2021: Insecure Design":{"ruby":{"":2}},"A01:2021: Broken Access Control":{"ruby":{"":2}},"A05:2017: Broken Access Control":{"ruby":{"":1}},"A02:2021: Cryptographic Failures":{"ruby":{"":1}},"A03:2017: Sensitive Data Exposure":{"ruby":{"":3}},"A08:2017: Insecure Deserialization":{"ruby":{"":1}},"A08:2021: Software and Data Integrity Failures":{"ruby":{"":4}},"A07:2021: 
Identification and Authentication Failures":{"ruby":{"":2}}},"rules_with_no_owasp":["divide-by-zero","timing-attack"]}},"author":"minusworld","counts":{"total_rules":16,"premium_rules":0},"hidden":true,"description":"","id":"Jpo","name":"minusworld.ruby-all","visibility":"public","categories":[]},{"tags":["semgrep","security","ruby","rails","ruby on rails","xss","erb"],"stats":{"cwe":{"totals":{"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')":14},"per_framework":{"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')":{"ruby":{"":7},"generic":{"":7}}},"rules_with_no_cwe":[]},"owasp":{"totals":{"A03:2021: Injection":14,"A07:2017: Cross-Site Scripting (XSS)":14},"per_framework":{"A03:2021: Injection":{"ruby":{"":7},"generic":{"":7}},"A07:2017: Cross-Site Scripting (XSS)":{"ruby":{"":7},"generic":{"":7}}},"rules_with_no_owasp":[]}},"author":"r2c","counts":{"total_rules":14,"premium_rules":0},"hidden":true,"description":"Secure defaults for XSS prevention for Ruby on Rails","id":"5n6","name":"minusworld.ruby-on-rails-xss","visibility":"public","categories":[]},{"tags":[],"tier":null,"stats":{"cwe":{"totals":{"CWE-502: Deserialization of Untrusted Data":1},"per_framework":{"CWE-502: Deserialization of Untrusted Data":{"python":{"":1}},"CWE-601: URL Redirection to Untrusted Site ('Open Redirect')":{"python":{"":1}}},"rules_with_no_cwe":[]},"owasp":{"totals":{"A01:2021: Broken Access Control":1,"A08:2017: Insecure Deserialization":1,"A08:2021: Software and Data Integrity Failures":1},"per_framework":{"A01:2021: Broken Access Control":{"python":{"":1}},"A08:2017: Insecure Deserialization":{"python":{"":1}},"A08:2021: Software and Data Integrity 
Failures":{"python":{"":1}}},"rules_with_no_owasp":[]}},"author":"mschwager","counts":{"total_rules":2,"premium_rules":0},"hidden":true,"description":"","id":"AWg","name":"mschwager.pack-request","visibility":"public","categories":[]},{"tags":[],"tier":null,"stats":{"cwe":{"totals":{"CWE-523: Unprotected Transport of Credentials":1},"per_framework":{"CWE-295: Improper Certificate Validation":{"python":{"":1}},"CWE-523: Unprotected Transport of Credentials":{"python":{"":1}}},"rules_with_no_cwe":[]},"owasp":{"totals":{"A02:2017: Broken Authentication":1,"A02:2021: Cryptographic Failures":1,"A03:2017: Sensitive Data Exposure":1,"A07:2021: Identification and Authentication Failures":1},"per_framework":{"A02:2017: Broken Authentication":{"python":{"":1}},"A02:2021: Cryptographic Failures":{"python":{"":1}},"A03:2017: Sensitive Data Exposure":{"python":{"":1}},"A07:2021: Identification and Authentication Failures":{"python":{"":1}}},"rules_with_no_owasp":[]}},"author":"mschwager","counts":{"total_rules":2,"premium_rules":0},"hidden":true,"description":"Checks for security issues in Python requests package","id":"B0b","name":"mschwager.python-requests-security","visibility":"public","categories":[]},{"tags":[],"tier":null,"stats":{"cwe":{"totals":{"CWE-523: Unprotected Transport of Credentials":1},"per_framework":{"":{"python":{"":2}},"CWE-295: Improper Certificate Validation":{"python":{"":1}},"CWE-523: Unprotected Transport of Credentials":{"python":{"":1}}},"rules_with_no_cwe":["use-timeout","use-raise-for-status"]},"owasp":{"totals":{"":2,"A02:2017: Broken Authentication":1,"A02:2021: Cryptographic Failures":1,"A03:2017: Sensitive Data Exposure":1,"A07:2021: Identification and Authentication Failures":1},"per_framework":{"":{"python":{"":2}},"A02:2017: Broken Authentication":{"python":{"":1}},"A02:2021: Cryptographic Failures":{"python":{"":1}},"A03:2017: Sensitive Data Exposure":{"python":{"":1}},"A07:2021: Identification and Authentication 
Failures":{"python":{"":1}}},"rules_with_no_owasp":["use-timeout","use-raise-for-status"]}},"author":"mschwager","counts":{"total_rules":4,"premium_rules":0},"hidden":true,"description":"Checks for best practices and security issues in Python requests package","id":"Dq2","name":"mschwager.python-requests","visibility":"public","categories":[]},{"tags":[],"stats":{"cwe":{"totals":{"":2},"per_framework":{"":{"python":{"":9}},"CWE-489: Active Debug Code":{"python":{"":5}},"CWE-295: Improper Certificate Validation":{"python":{"":1}},"CWE-352: Cross-Site Request Forgery (CSRF)":{"python":{"":1}},"CWE-502: Deserialization of Untrusted Data":{"python":{"":1}},"CWE-918: Server-Side Request Forgery (SSRF)":{"python":{"":1}},"CWE-523: Unprotected Transport of Credentials":{"python":{"":1}},"CWE-668: Exposure of Resource to Wrong Sphere":{"python":{"":2}},"CWE-73: External Control of File Name or Path":{"python":{"":1}},"CWE-116: Improper Encoding or Escaping of Output":{"python":{"":1}},"CWE-601: URL Redirection to Untrusted Site ('Open Redirect')":{"python":{"":1}},"CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute":{"python":{"":1}},"CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')":{"python":{"":1}},"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')":{"python":{"":2}},"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')":{"python":{"":2}},"CWE-96: Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')":{"python":{"":2}},"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command 
Injection')":{"python":{"":1}}},"rules_with_no_cwe":["use-jsonify","flask-deprecated-apis","flask-duplicate-handler-name","avoid-accessing-request-in-wrong-handler","use-timeout","bad-operator-in-filter","delete-where-no-execute","batch-import","len-all-count"]},"owasp":{"totals":{"":9,"A01:2017: Injection":1,"A03:2021: Injection":7,"A04:2021: Insecure Design":1,"A6: Security Misconfiguration":1,"A01:2021: Broken Access Control":5,"A02:2017: Broken Authentication":1,"A05:2017: Broken Access Control":1,"A02:2021: Cryptographic Failures":1,"A03:2017: Sensitive Data Exposure":1,"A08:2017: Insecure Deserialization":1,"A05:2021: Security Misconfiguration":5,"A06:2017: Security Misconfiguration":1,"A07:2017: Cross-Site Scripting (XSS)":2,"A10:2021: Server-Side Request Forgery (SSRF)":1,"A08:2021: Software and Data Integrity Failures":1,"A07:2021: Identification and Authentication Failures":1},"per_framework":{"":{"python":{"":9}},"A01:2017: Injection":{"python":{"":1}},"A03:2021: Injection":{"python":{"":7}},"A04:2021: Insecure Design":{"python":{"":1}},"A6: Security Misconfiguration":{"python":{"":1}},"A01:2021: Broken Access Control":{"python":{"":5}},"A02:2017: Broken Authentication":{"python":{"":1}},"A05:2017: Broken Access Control":{"python":{"":1}},"A02:2021: Cryptographic Failures":{"python":{"":1}},"A03:2017: Sensitive Data Exposure":{"python":{"":1}},"A08:2017: Insecure Deserialization":{"python":{"":1}},"A05:2021: Security Misconfiguration":{"python":{"":5}},"A06:2017: Security Misconfiguration":{"python":{"":1}},"A07:2017: Cross-Site Scripting (XSS)":{"python":{"":2}},"A10:2021: Server-Side Request Forgery (SSRF)":{"python":{"":1}},"A08:2021: Software and Data Integrity Failures":{"python":{"":1}},"A07:2021: Identification and Authentication 
Failures":{"python":{"":1}}},"rules_with_no_owasp":["use-jsonify","flask-deprecated-apis","flask-duplicate-handler-name","avoid-accessing-request-in-wrong-handler","use-timeout","bad-operator-in-filter","delete-where-no-execute","batch-import","len-all-count"]}},"author":"Riley Flynn","counts":{"total_rules":33,"premium_rules":0},"hidden":true,"description":"","id":"WKy","name":"nint8835.test-pack","visibility":"public","categories":[]},{"stats":{"cwe":{"totals":{"CWE-250: Execution with Unnecessary Privileges":1},"per_framework":{"CWE-328: Use of Weak Hash":{"java":{"":2}},"CWE-489: Active Debug Code":{"php":{"":1}},"CWE-798: Use of Hard-coded Credentials":{"js":{"":6},"py":{"":1},"java":{"":6},"ruby":{"":2},"swift":{"":7},"csharp":{"":9},"python":{"":8},"javascript":{"":5}},"CWE-326: Inadequate Encryption Strength":{"go":{"":1},"kt":{"":1},"hcl":{"":1},"java":{"":6},"ruby":{"":1},"generic":{"":1},"terraform":{"":1},"javascript":{"":1}},"CWE-613: Insufficient Session Expiration":{"csharp":{"":1}},"CWE-352: Cross-Site Request Forgery (CSRF)":{"java":{"":1}},"CWE-780: Use of RSA Algorithm without OAEP":{"scala":{"":1}},"CWE-300: Channel Accessible by Non-Endpoint":{"go":{"":2}},"CWE-311: Missing Encryption of Sensitive Data":{"ruby":{"":1}},"CWE-522: Insufficiently Protected Credentials":{"scala":{"":2},"python":{"":1}},"CWE-250: Execution with Unnecessary Privileges":{"yaml":{"":1}},"CWE-323: Reusing a Nonce, Key Pair in Encryption":{"java":{"":2}},"CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag":{"java":{"":2}},"CWE-329: Generation of Predictable IV with CBC Mode":{"php":{"":1},"java":{"":1}},"CWE-319: Cleartext Transmission of Sensitive Information":{"java":{"":1}},"CWE-327: Use of a Broken or Risky Cryptographic Algorithm":{"go":{"":4},"java":{"":4},"javascript":{"":1}},"CWE-611: Improper Restriction of XML External Entity Reference":{"php":{"":2},"java":{"":4},"scala":{"":3},"javascript":{"":1}},"CWE-200: Exposure of Sensitive Information to an Unauthorized 
Actor":{"go":{"":1},"python":{"":1}},"CWE-209: Generation of Error Message Containing Sensitive Information":{"csharp":{"":1}},"CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute":{"php":{"":1},"java":{"":2},"generic":{"":1}},"CWE-943: Improper Neutralization of Special Elements in Data Query Logic":{"javascript":{"":1}},"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')":{"go":{"":2},"scala":{"":2},"javascript":{"":3}}},"rules_with_no_cwe":[]},"owasp":{"totals":{"A01:2017: Injection":8,"A03:2021: Injection":7,"A04:2021: Insecure Design":5,"A01:2021: Broken Access Control":3,"A02:2017: Broken Authentication":4,"A02:2021: Cryptographic Failures":30,"A03:2017: Sensitive Data Exposure":26,"A05:2021: Security Misconfiguration":18,"A06:2017: Security Misconfiguration":3,"A04:2017: XML External Entities (XXE)":10,"A07:2021: Identification and Authentication Failures":47},"per_framework":{"A01:2017: Injection":{"go":{"":2},"scala":{"":2},"javascript":{"":4}},"A03:2021: Injection":{"go":{"":2},"scala":{"":2},"javascript":{"":3}},"A04:2021: Insecure Design":{"ruby":{"":1},"scala":{"":2},"csharp":{"":1},"python":{"":1}},"A01:2021: Broken Access Control":{"go":{"":1},"java":{"":1},"python":{"":1}},"A02:2017: Broken Authentication":{"scala":{"":2},"csharp":{"":1},"python":{"":1}},"A02:2021: Cryptographic Failures":{"go":{"":5},"kt":{"":1},"hcl":{"":1},"php":{"":1},"java":{"":16},"ruby":{"":1},"scala":{"":1},"generic":{"":1},"terraform":{"":1},"javascript":{"":2}},"A03:2017: Sensitive Data Exposure":{"go":{"":5},"kt":{"":1},"hcl":{"":1},"java":{"":13},"ruby":{"":2},"generic":{"":1},"terraform":{"":1},"javascript":{"":2}},"A05:2021: Security Misconfiguration":{"php":{"":4},"java":{"":8},"yaml":{"":1},"scala":{"":3},"generic":{"":1},"javascript":{"":1}},"A06:2017: Security Misconfiguration":{"php":{"":1},"yaml":{"":1},"csharp":{"":1}},"A04:2017: XML External Entities 
(XXE)":{"php":{"":2},"java":{"":4},"scala":{"":3},"javascript":{"":1}},"A07:2021: Identification and Authentication Failures":{"go":{"":2},"js":{"":6},"py":{"":1},"java":{"":6},"ruby":{"":2},"swift":{"":7},"csharp":{"":10},"python":{"":8},"javascript":{"":5}}},"rules_with_no_owasp":[]}},"author":"Semgrep","counts":{"total_rules":111,"premium_rules":51},"hidden":true,"username":"returntocorp","description":"This is a developer-oriented set of rules that covers broken cryptography, insecure data transport, XXE, CSRF, broken authn/authz, SQLi.","id":"X2pB","name":"developer-poc-20221019","visibility":"public","categories":[]},{"tags":[],"tier":null,"stats":{"cwe":{"totals":{"":1},"per_framework":{"":{"python":{"":1}}},"rules_with_no_cwe":["new_rule"]},"owasp":{"totals":{"":1},"per_framework":{"":{"python":{"":1}}},"rules_with_no_owasp":["new_rule"]}},"author":"penny-1995","counts":{"total_rules":1,"premium_rules":0},"hidden":true,"description":"","id":"po3","name":"penny-1995.penny_python","visibility":"public","categories":[]},{"tags":[],"tier":null,"stats":{"cwe":{"totals":{"CWE-611: Improper Restriction of XML External Entity Reference":1},"per_framework":{"":{"javascript":{"":1}},"CWE-327: Use of a Broken or Risky Cryptographic Algorithm":{"javascript":{"":1}},"CWE-611: Improper Restriction of XML External Entity Reference":{"javascript":{"":1}},"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')":{"javascript":{"":1}}},"rules_with_no_cwe":["eqeq-is-bad"]},"owasp":{"totals":{"":1,"A01:2017: Injection":1,"A03:2021: Injection":1,"A02:2021: Cryptographic Failures":1,"A03:2017: Sensitive Data Exposure":1,"A05:2021: Security Misconfiguration":1,"A04:2017: XML External Entities (XXE)":1},"per_framework":{"":{"javascript":{"":1}},"A01:2017: Injection":{"javascript":{"":1}},"A03:2021: Injection":{"javascript":{"":1}},"A02:2021: Cryptographic Failures":{"javascript":{"":1}},"A03:2017: Sensitive Data 
Exposure":{"javascript":{"":1}},"A05:2021: Security Misconfiguration":{"javascript":{"":1}},"A04:2017: XML External Entities (XXE)":{"javascript":{"":1}}},"rules_with_no_owasp":["eqeq-is-bad"]}},"author":"Paul Theriault","counts":{"total_rules":4,"premium_rules":0},"hidden":true,"description":"","id":"lqL","name":"pauljt.my-rad-pack","visibility":"public","categories":[]},{"tags":[],"tier":null,"stats":{"cwe":{"totals":{},"per_framework":{},"rules_with_no_cwe":[]},"owasp":{"totals":{},"per_framework":{},"rules_with_no_owasp":[]}},"author":"reeyaa","counts":{"total_rules":0,"premium_rules":0},"hidden":true,"description":"","id":"9Pk","name":"reeyaa.riya.my-rad-pack","visibility":"public","categories":[]},{"tags":[],"tier":null,"stats":{"cwe":{"totals":{},"per_framework":{},"rules_with_no_cwe":[]},"owasp":{"totals":{},"per_framework":{},"rules_with_no_owasp":[]}},"author":"reeyaa","counts":{"total_rules":0,"premium_rules":0},"hidden":true,"description":"","id":"yq8","name":"reeyaa.test-pack","visibility":"public","categories":[]},{"tags":[],"tier":null,"stats":{"cwe":{"totals":{},"per_framework":{},"rules_with_no_cwe":[]},"owasp":{"totals":{},"per_framework":{},"rules_with_no_owasp":[]}},"author":"reeyaa","counts":{"total_rules":0,"premium_rules":0},"hidden":true,"description":"","id":"rR6","name":"reeyaa.test2","visibility":"public","categories":[]},{"tags":[],"tier":null,"stats":{"cwe":{"totals":{"CWE-704: Incorrect Type Conversion or Cast":1},"per_framework":{"CWE-287: Improper Authentication":{"java":{"":1}},"CWE-704: Incorrect Type Conversion or Cast":{"java":{"":1}},"CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')":{"java":{"":1}}},"rules_with_no_cwe":[]},"owasp":{"totals":{"A01:2021: Broken Access Control":1,"A02:2017: Broken Authentication":1,"A05:2017: Broken Access Control":1,"A03:2017: Sensitive Data Exposure":1,"A07:2021: Identification and Authentication Failures":1},"per_framework":{"A01:2021: Broken Access 
Control":{"java":{"":1}},"A02:2017: Broken Authentication":{"java":{"":1}},"A05:2017: Broken Access Control":{"java":{"":1}},"A03:2017: Sensitive Data Exposure":{"java":{"":1}},"A07:2021: Identification and Authentication Failures":{"java":{"":1}}},"rules_with_no_owasp":[]}},"author":"reeyaa","counts":{"total_rules":3,"premium_rules":0},"hidden":true,"description":"","id":"bnZ","name":"reeyaa.test3","visibility":"public","categories":[]},{"tags":[],"tier":null,"stats":{"cwe":{"totals":{"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')":1},"per_framework":{"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')":{"javascript":{"":1}}},"rules_with_no_cwe":[]},"owasp":{"totals":{"A1: Injection":1},"per_framework":{"A1: Injection":{"javascript":{"":1}}},"rules_with_no_owasp":[]}},"author":"Rohit Salecha","counts":{"total_rules":1,"premium_rules":0},"hidden":true,"description":null,"id":"kyX","name":"salecharohit.owasp-javascript-eval-rules","visibility":"public","categories":[]},{"tags":["owasp","security","typescript","javascript","requests"],"stats":{"cwe":{"totals":{"":1},"per_framework":{"":{"ts":{"":1}}},"rules_with_no_cwe":["mongo-inject-from-request"]},"owasp":{"totals":{"A01:2017: Injection":1,"A03:2021: Injection":1},"per_framework":{"A01:2017: Injection":{"ts":{"":1}},"A03:2021: Injection":{"ts":{"":1}}},"rules_with_no_owasp":[]}},"author":"Enno Liu","counts":{"total_rules":1,"premium_rules":0},"hidden":true,"username":"enncoded","languages":["Typescript","Javascript"],"description":"A ruleset of javascript and typescript rules made for OWASP Juice Shop.","id":"qkg7","name":"juice-shop","visibility":"public","categories":[]},{"tags":[],"tier":null,"stats":{"cwe":{"totals":{"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')":1},"per_framework":{"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval 
Injection')":{"javascript":{"":1}}},"rules_with_no_cwe":[]},"owasp":{"totals":{"A03:2021: Injection":1},"per_framework":{"A03:2021: Injection":{"javascript":{"":1}}},"rules_with_no_owasp":[]}},"author":"Rohit Salecha","counts":{"total_rules":1,"premium_rules":0},"hidden":true,"description":"","id":"w0x","name":"salecharohit.owasp.javascript.eval","visibility":"public","categories":[]},{"tags":[],"stats":{"cwe":{"totals":{"CWE-295: Improper Certificate Validation":1},"per_framework":{"CWE-326: Inadequate Encryption Strength":{"java":{"":2}},"CWE-295: Improper Certificate Validation":{"java":{"":2}},"CWE-352: Cross-Site Request Forgery (CSRF)":{"java":{"":1}},"CWE-502: Deserialization of Untrusted Data":{"java":{"":1}},"CWE-704: Incorrect Type Conversion or Cast":{"java":{"":1}},"CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag":{"java":{"":1}},"CWE-329: Generation of Predictable IV with CBC Mode":{"java":{"":1}},"CWE-327: Use of a Broken or Risky Cryptographic Algorithm":{"java":{"":5}},"CWE-611: Improper Restriction of XML External Entity Reference":{"java":{"":1}},"CWE-94: Improper Control of Generation of Code ('Code Injection')":{"java":{"":1}},"CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute":{"java":{"":1}},"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')":{"java":{"":1}},"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')":{"java":{"":1}}},"rules_with_no_cwe":[]},"owasp":{"totals":{"A01:2017: Injection":1,"A03:2021: Injection":3,"A01:2021: Broken Access Control":1,"A02:2021: Cryptographic Failures":6,"A03:2017: Sensitive Data Exposure":8,"A08:2017: Insecure Deserialization":1,"A05:2021: Security Misconfiguration":3,"A07:2017: Cross-Site Scripting (XSS)":1,"A04:2017: XML External Entities (XXE)":1,"A08:2021: Software and Data Integrity Failures":1,"A9: Using Components with Known Vulnerabilities":2,"A07:2021: Identification and Authentication 
Failures":2},"per_framework":{"A01:2017: Injection":{"java":{"":1}},"A03:2021: Injection":{"java":{"":3}},"A01:2021: Broken Access Control":{"java":{"":1}},"A02:2021: Cryptographic Failures":{"java":{"":6}},"A03:2017: Sensitive Data Exposure":{"java":{"":8}},"A08:2017: Insecure Deserialization":{"java":{"":1}},"A05:2021: Security Misconfiguration":{"java":{"":3}},"A07:2017: Cross-Site Scripting (XSS)":{"java":{"":1}},"A04:2017: XML External Entities (XXE)":{"java":{"":1}},"A08:2021: Software and Data Integrity Failures":{"java":{"":1}},"A9: Using Components with Known Vulnerabilities":{"java":{"":2}},"A07:2021: Identification and Authentication Failures":{"java":{"":2}}},"rules_with_no_owasp":[]}},"author":"Soumitr Pandey","counts":{"total_rules":19,"premium_rules":0},"hidden":true,"description":"","id":"ONe","name":"sfc-gh-spandey.my-super-awesome-pack","visibility":"public","categories":[]},{"tags":[],"tier":null,"stats":{"cwe":{"totals":{"CWE-676: Use of Potentially Dangerous Function":5},"per_framework":{"":{"c":{"":1}},"CWE-676: Use of Potentially Dangerous Function":{"c":{"":5}},"CWE-134: Use of Externally-Controlled Format String":{"c":{"":1}}},"rules_with_no_cwe":["double_goto"]},"owasp":{"totals":{"":7},"per_framework":{"":{"c":{"":7}}},"rules_with_no_owasp":["double_goto","insecure-use-strtok-fn","insecure-use-printf-fn","insecure-use-scanf-fn","insecure-use-strcat-fn","insecure-use-gets-fn","insecure-use-string-copy-fn"]}},"author":"Tonimir Kisasondi","counts":{"total_rules":7,"premium_rules":0},"hidden":true,"description":"","id":"Zy7","name":"tkisason.c-only","visibility":"public","categories":[]},{"tags":[],"tier":null,"stats":{"cwe":{"totals":{},"per_framework":{},"rules_with_no_cwe":[]},"owasp":{"totals":{},"per_framework":{},"rules_with_no_owasp":[]}},"author":"Duarte 
Duarte","counts":{"total_rules":0,"premium_rules":0},"hidden":true,"description":"","id":"dld","name":"dduarte.test-js-pack","visibility":"public","categories":[]},{"stats":{"cwe":{"totals":{},"per_framework":{},"rules_with_no_cwe":[]},"owasp":{"totals":{},"per_framework":{},"rules_with_no_owasp":[]}},"author":"Semgrep","counts":{"total_rules":0,"premium_rules":0},"hidden":true,"description":"The vuln finding rules that were written in Q2","id":"e1Q0","name":"vuln-finding","visibility":"public","categories":[]},{"tags":[],"tier":null,"stats":{"cwe":{"totals":{"":1},"per_framework":{"":{"python":{"":1}}},"rules_with_no_cwe":["my_pattern_id"]},"owasp":{"totals":{"":1},"per_framework":{"":{"python":{"":1}}},"rules_with_no_owasp":["my_pattern_id"]}},"author":"Krishna Teja Jillelamudi","counts":{"total_rules":1,"premium_rules":0},"hidden":true,"description":null,"id":"7JW","name":"krishnatejaj.log-demo1-rules","visibility":"public","categories":[]},{"tags":[],"tier":null,"stats":{"cwe":{"totals":{"":5},"per_framework":{"":{"c":{"":1}},"CWE-676: Use of Potentially Dangerous Function":{"c":{"":5}},"CWE-134: Use of Externally-Controlled Format String":{"c":{"":1}}},"rules_with_no_cwe":["double_goto"]},"owasp":{"totals":{"":7},"per_framework":{"":{"c":{"":7}}},"rules_with_no_owasp":["insecure-use-string-copy-fn","insecure-use-gets-fn","insecure-use-strcat-fn","insecure-use-scanf-fn","insecure-use-printf-fn","insecure-use-strtok-fn","double_goto"]}},"author":"traw","counts":{"total_rules":7,"premium_rules":0},"hidden":true,"description":"C Rules","id":"7dv","name":"traw.c","visibility":"public","categories":[]},{"tags":[],"tier":null,"stats":{"cwe":{"totals":{"":5},"per_framework":{"":{"c":{"":1}},"CWE-676: Use of Potentially Dangerous Function":{"c":{"":5}},"CWE-134: Use of Externally-Controlled Format 
String":{"c":{"":1}}},"rules_with_no_cwe":["double_goto"]},"owasp":{"totals":{"":7},"per_framework":{"":{"c":{"":7}}},"rules_with_no_owasp":["insecure-use-string-copy-fn","insecure-use-gets-fn","insecure-use-strcat-fn","insecure-use-scanf-fn","insecure-use-printf-fn","insecure-use-strtok-fn","double_goto"]}},"author":"traw","counts":{"total_rules":7,"premium_rules":0},"hidden":true,"description":"C","id":"LkL","name":"traw.test","visibility":"public","categories":[]},{"tags":[],"tier":null,"stats":{"cwe":{"totals":{"":1},"per_framework":{"":{"go":{"":1}}},"rules_with_no_cwe":["websocket-checkorigin-missing"]},"owasp":{"totals":{"":1},"per_framework":{"":{"go":{"":1}}},"rules_with_no_owasp":["websocket-checkorigin-missing"]}},"author":"Cenk Kalpakoğlu","counts":{"total_rules":1,"premium_rules":0},"hidden":true,"description":null,"id":"0vv","name":"ckalpakoglu.gorilla-websocket-checkorigin-missing-rules","visibility":"public","categories":[]},{"tags":[],"stats":{"cwe":{"totals":{},"per_framework":{},"rules_with_no_cwe":[]},"owasp":{"totals":{},"per_framework":{},"rules_with_no_owasp":[]}},"author":"Lin Jiahao Bobby","counts":{"total_rules":0,"premium_rules":0},"hidden":true,"description":null,"id":"BKW","name":"bobby-lin.gdzb-rules","visibility":"public","categories":[]},{"tags":[],"tier":null,"stats":{"cwe":{"totals":{"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')":1},"per_framework":{"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')":{"python":{"":1}}},"rules_with_no_cwe":[]},"owasp":{"totals":{"A01:2017: Injection":1,"A03:2021: Injection":1},"per_framework":{"A01:2017: Injection":{"python":{"":1}},"A03:2021: Injection":{"python":{"":1}}},"rules_with_no_owasp":[]}},"author":"Clara 
McCreery","counts":{"total_rules":1,"premium_rules":0},"hidden":true,"description":"","id":"WY4","name":"chmccreery.paramiko","visibility":"public","categories":[]},{"tags":[],"tier":null,"stats":{"cwe":{"totals":{},"per_framework":{},"rules_with_no_cwe":[]},"owasp":{"totals":{},"per_framework":{},"rules_with_no_owasp":[]}},"author":"Daniel Cuthbert","counts":{"total_rules":0,"premium_rules":0},"hidden":true,"description":"this is a test ","id":"X6K","name":"danielcuthbert.daniel-test","visibility":"public","categories":[]},{"tags":[],"tier":null,"stats":{"cwe":{"totals":{"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')":1},"per_framework":{"":{"python":{"":1}},"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')":{"python":{"":1}}},"rules_with_no_cwe":["use-json-response"]},"owasp":{"totals":{"":1,"A01:2017: Injection":1,"A03:2021: Injection":1},"per_framework":{"":{"python":{"":1}},"A01:2017: Injection":{"python":{"":1}},"A03:2021: Injection":{"python":{"":1}}},"rules_with_no_owasp":["use-json-response"]}},"author":"David Ulevitch","counts":{"total_rules":2,"premium_rules":0},"hidden":true,"description":"","id":"yjx","name":"davidu.du-test","visibility":"public","categories":[]},{"tags":[],"tier":null,"stats":{"cwe":{"totals":{"CWE-327: Use of a Broken or Risky Cryptographic Algorithm":1},"per_framework":{"CWE-329: Generation of Predictable IV with CBC Mode":{"java":{"":1}},"CWE-327: Use of a Broken or Risky Cryptographic Algorithm":{"java":{"":2}}},"rules_with_no_cwe":[]},"owasp":{"totals":{"A02:2021: Cryptographic Failures":1,"A9: Using Components with Known Vulnerabilities":2},"per_framework":{"A02:2021: Cryptographic Failures":{"java":{"":1}},"A9: Using Components with Known Vulnerabilities":{"java":{"":2}}},"rules_with_no_owasp":[]}},"author":"Evan 
Farrer","counts":{"total_rules":3,"premium_rules":0},"hidden":true,"description":"","id":"eeb","name":"efarrer.test","visibility":"public","categories":[]},{"tags":[],"tier":null,"stats":{"cwe":{"totals":{"":1},"per_framework":{"":{"java":{"":1}}},"rules_with_no_cwe":["new_rule"]},"owasp":{"totals":{"":1},"per_framework":{"":{"java":{"":1}}},"rules_with_no_owasp":["new_rule"]}},"author":"mantribm009","counts":{"total_rules":1,"premium_rules":0},"hidden":true,"description":null,"id":"b8p","name":"mantribm009.always-rules","visibility":"public","categories":[]},{"tags":[],"tier":null,"stats":{"cwe":{"totals":{"":1},"per_framework":{"":{"java":{"":1}}},"rules_with_no_cwe":["new_rule"]},"owasp":{"totals":{"":1},"per_framework":{"":{"java":{"":1}}},"rules_with_no_owasp":["new_rule"]}},"author":"mantribm009","counts":{"total_rules":1,"premium_rules":0},"hidden":true,"description":null,"id":"N7p","name":"mantribm009.empty_block-rules","visibility":"public","categories":[]},{"tags":[],"tier":null,"stats":{"cwe":{"totals":{"":1},"per_framework":{"":{"java":{"":1}}},"rules_with_no_cwe":["new_rule"]},"owasp":{"totals":{"":1},"per_framework":{"":{"java":{"":1}}},"rules_with_no_owasp":["new_rule"]}},"author":"mantribm009","counts":{"total_rules":1,"premium_rules":0},"hidden":true,"description":null,"id":"kv7","name":"mantribm009.unused_method-rules","visibility":"public","categories":[]},{"tags":[],"stats":{"cwe":{"totals":{"CWE-94: Improper Control of Generation of Code ('Code Injection')":6},"per_framework":{"CWE-94: Improper Control of Generation of Code (Code Injection)":{"javascript":{"":6}},"CWE-94: Improper Control of Generation of Code ('Code Injection')":{"javascript":{"":11}}},"rules_with_no_cwe":[]},"owasp":{"totals":{"A1: Injection":6,"A03:2021: Injection":11},"per_framework":{"A1: Injection":{"javascript":{"":6}},"A03:2021: 
Injection":{"javascript":{"":11}}},"rules_with_no_owasp":[]}},"author":"kagirova","counts":{"total_rules":17,"premium_rules":0},"hidden":true,"description":"nodejs vm sandbox injections","id":"jvY","name":"kagirova.nodejs-vm-injections","visibility":"public","categories":[]},{"tags":["semgrep","security","java","insecure transport"],"stats":{"cwe":{"totals":{"CWE-319: Cleartext Transmission of Sensitive Information":11},"per_framework":{"CWE-319: Cleartext Transmission of Sensitive Information":{"java":{"":11}}},"rules_with_no_cwe":[]},"owasp":{"totals":{"A03:2017: Sensitive Data Exposure":11},"per_framework":{"A03:2017: Sensitive Data Exposure":{"java":{"":11}}},"rules_with_no_owasp":[]}},"author":"r2c","counts":{"total_rules":11,"premium_rules":0},"hidden":true,"description":"Rule pack for detecting insecure transport in java stdlib.","id":"qwz","name":"colleend.insecure-transport-javastdlib","visibility":"public","categories":[]},{"tags":["audit","cookies","correctness","crypto","csrf","go","injection","java","javascript","python","security","spring","xss","xxe","logic","logic bugs","runtime errors"],"stats":{"cwe":{"totals":{"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')":2},"per_framework":{"":{"go":{"":3},"java":{"":2},"python":{"":13},"javascript":{"":1}},"CWE-489: Active Debug Code":{"go":{"":1}},"CWE-521: Weak Password Requirements":{"python":{"":1}},"CWE-798: Use of Hard-coded Credentials":{"go":{"":1},"python":{"":1},"javascript":{"":6}},"CWE-326: Inadequate Encryption Strength":{"java":{"":3},"python":{"":2}},"CWE-295: Improper Certificate Validation":{"java":{"":2},"python":{"":2}},"CWE-183: Permissive List of Allowed Inputs":{"java":{"":1}},"CWE-400: Uncontrolled Resource Consumption":{"go":{"":1}},"CWE-502: Deserialization of Untrusted Data":{"java":{"":1},"python":{"":2},"javascript":{"":1}},"CWE-300: Channel Accessible by Non-Endpoint":{"go":{"":2}},"CWE-918: Server-Side Request Forgery 
(SSRF)":{"python":{"":1},"javascript":{"":4}},"CWE-523: Unprotected Transport of Credentials":{"python":{"":1}},"CWE-116: Improper Encoding or Escaping of Output":{"python":{"":1}},"CWE-322: Key Exchange without Entity Authentication":{"go":{"":1}},"CWE-329: Generation of Predictable IV with CBC Mode":{"java":{"":1}},"CWE-706: Use of Incorrectly-Resolved Name or Reference":{"javascript":{"":1}},"CWE-327: Use of a Broken or Risky Cryptographic Algorithm":{"go":{"":7},"java":{"":3},"python":{"":17},"javascript":{"":2}},"CWE-297: Improper Validation of Certificate with Host Mismatch":{"java":{"":1}},"CWE-611: Improper Restriction of XML External Entity Reference":{"java":{"":1},"python":{"":1},"javascript":{"":2}},"CWE-913: Improper Control of Dynamically-Managed Code Resources":{"go":{"":1}},"CWE-94: Improper Control of Generation of Code (Code Injection)":{"javascript":{"":5}},"CWE-94: Improper Control of Generation of Code ('Code Injection')":{"javascript":{"":1}},"CWE-1236: Improper Neutralization of Formula Elements in a CSV File":{"python":{"":1}},"CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')":{"go":{"":1},"java":{"":2},"python":{"":1}},"CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes":{"python":{"":1}},"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')":{"go":{"":1},"java":{"":1}},"CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')":{"python":{"":1}},"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')":{"python":{"":4}},"CWE-96: Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')":{"python":{"":2}},"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command 
Injection')":{"python":{"":1}}},"rules_with_no_cwe":["hardcoded-eq-true-or-false","useless-if-conditional","useless-if-body","no-string-eqeq","eqeq","tempfile-without-flush","string-is-comparison","default-mutable-dict","default-mutable-list","is-not-is-not","list-modify-while-iterate","dict-del-while-iterate","useless-eqeq","no-strings-as-booleans","return-in-init","yield-in-init","useless-if-conditional","useless-literal-dict","eqeq-is-bad"]},"owasp":{"totals":{"":20,"A1: Injection":5,"A01:2017: Injection":2,"A03:2021: Injection":10,"A04:2021: Insecure Design":1,"A3: Sensitive Data Exposure":11,"A6: Security Misconfiguration":1,"A01:2021: Broken Access Control":6,"A02:2017: Broken Authentication":1,"A05:2017: Broken Access Control":4,"A02:2021: Cryptographic Failures":24,"A03:2017: Sensitive Data Exposure":25,"A08:2017: Insecure Deserialization":4,"A05:2021: Security Misconfiguration":5,"A06:2017: Security Misconfiguration":1,"A07:2017: Cross-Site Scripting (XSS)":2,"A04:2017: XML External Entities (XXE)":5,"A10:2021: Server-Side Request Forgery (SSRF)":5,"A08:2021: Software and Data Integrity Failures":5,"A9: Using Components with Known Vulnerabilities":2,"A07:2021: Identification and Authentication Failures":16},"per_framework":{"":{"go":{"":4},"java":{"":2},"python":{"":13},"javascript":{"":1}},"A1: Injection":{"javascript":{"":5}},"A01:2017: Injection":{"python":{"":2}},"A03:2021: Injection":{"go":{"":1},"java":{"":1},"python":{"":7},"javascript":{"":1}},"A04:2021: Insecure Design":{"java":{"":1}},"A3: Sensitive Data Exposure":{"python":{"":11}},"A6: Security Misconfiguration":{"python":{"":1}},"A01:2021: Broken Access Control":{"go":{"":2},"java":{"":2},"python":{"":1},"javascript":{"":1}},"A02:2017: Broken Authentication":{"python":{"":1}},"A05:2017: Broken Access Control":{"go":{"":1},"java":{"":2},"python":{"":1}},"A02:2021: Cryptographic Failures":{"go":{"":8},"java":{"":5},"python":{"":9},"javascript":{"":2}},"A03:2017: Sensitive Data 
Exposure":{"go":{"":7},"java":{"":6},"python":{"":10},"javascript":{"":2}},"A08:2017: Insecure Deserialization":{"java":{"":1},"python":{"":2},"javascript":{"":1}},"A05:2021: Security Misconfiguration":{"java":{"":1},"python":{"":2},"javascript":{"":2}},"A06:2017: Security Misconfiguration":{"go":{"":1}},"A07:2017: Cross-Site Scripting (XSS)":{"go":{"":1},"java":{"":1}},"A04:2017: XML External Entities (XXE)":{"java":{"":1},"python":{"":2},"javascript":{"":2}},"A10:2021: Server-Side Request Forgery (SSRF)":{"python":{"":1},"javascript":{"":4}},"A08:2021: Software and Data Integrity Failures":{"java":{"":1},"python":{"":3},"javascript":{"":1}},"A9: Using Components with Known Vulnerabilities":{"java":{"":2}},"A07:2021: Identification and Authentication Failures":{"go":{"":3},"java":{"":3},"python":{"":4},"javascript":{"":6}}},"rules_with_no_owasp":["potential-dos-via-decompression-bomb","hardcoded-eq-true-or-false","useless-if-conditional","useless-if-body","no-string-eqeq","eqeq","tempfile-without-flush","string-is-comparison","default-mutable-dict","default-mutable-list","is-not-is-not","list-modify-while-iterate","dict-del-while-iterate","useless-eqeq","no-strings-as-booleans","return-in-init","yield-in-init","useless-if-conditional","useless-literal-dict","eqeq-is-bad"]}},"author":"r2c","counts":{"total_rules":113,"premium_rules":0},"hidden":true,"description":"Scan for runtime errors, logic bugs, and high-confidence security vulnerabilities. Recommended for use in CI to block serious issues from reaching production. 
Supports Python, Java, JavaScript, and Go.","id":"WK4","name":"minusworld.r2c-ci","visibility":"public","categories":[]},{"tags":[],"tier":null,"stats":{"cwe":{"totals":{"":1},"per_framework":{"":{"python":{"":1}}},"rules_with_no_cwe":["new_rule"]},"owasp":{"totals":{"":1},"per_framework":{"":{"python":{"":1}}},"rules_with_no_owasp":["new_rule"]}},"author":"penny-1995","counts":{"total_rules":1,"premium_rules":0},"hidden":true,"description":null,"id":"zAz","name":"penny-1995.b2kr-rules","visibility":"public","categories":[]},{"tags":[],"tier":null,"stats":{"cwe":{"totals":{"":1},"per_framework":{"":{"python":{"":1}}},"rules_with_no_cwe":["new_rule"]},"owasp":{"totals":{"":1},"per_framework":{"":{"python":{"":1}}},"rules_with_no_owasp":["new_rule"]}},"author":"penny-1995","counts":{"total_rules":1,"premium_rules":0},"hidden":true,"description":null,"id":"21z","name":"penny-1995.test11-rules","visibility":"public","categories":[]},{"tags":[],"tier":null,"stats":{"cwe":{"totals":{"":1},"per_framework":{"":{"python":{"":1}}},"rules_with_no_cwe":["new_rule"]},"owasp":{"totals":{"":1},"per_framework":{"":{"python":{"":1}}},"rules_with_no_owasp":["new_rule"]}},"author":"penny-1995","counts":{"total_rules":1,"premium_rules":0},"hidden":true,"description":null,"id":"Xql","name":"penny-1995.urlparse-rules","visibility":"public","categories":[]},{"tags":[],"tier":null,"stats":{"cwe":{"totals":{"CWE-523: Unprotected Transport of Credentials":3},"per_framework":{"":{"python":{"":88}},"CWE-489: Active Debug Code":{"python":{"":5}},"CWE-310: Cryptographic Issues":{"python":{"":7}},"CWE-377: Insecure Temporary File":{"python":{"":1}},"CWE-521: Weak Password Requirements":{"python":{"":2}},"CWE-798: Use of Hard-coded Credentials":{"python":{"":2}},"CWE-326: Inadequate Encryption Strength":{"python":{"":3}},"CWE-295: Improper Certificate Validation":{"python":{"":3}},"CWE-352: Cross-Site Request Forgery (CSRF)":{"python":{"":2}},"CWE-502: Deserialization of Untrusted 
Data":{"python":{"":13}},"CWE-918: Server-Side Request Forgery (SSRF)":{"python":{"":3}},"CWE-311: Missing Encryption of Sensitive Data":{"python":{"":2}},"CWE-523: Unprotected Transport of Credentials":{"python":{"":1}},"CWE-668: Exposure of Resource to Wrong Sphere":{"python":{"":2}},"CWE-73: External Control of File Name or Path":{"python":{"":1}},"CWE-116: Improper Encoding or Escaping of Output":{"python":{"":1}},"CWE-322: Key Exchange without Entity Authentication":{"python":{"":1}},"CWE-1104: Use of Unmaintained Third Party Components":{"python":{"":3}},"CWE-689: Permission Race Condition During Resource Copy":{"python":{"":1}},"CWE-319: Cleartext Transmission of Sensitive Information":{"python":{"":3}},"CWE-327: Use of a Broken or Risky Cryptographic Algorithm":{"python":{"":19}},"CWE-601: URL Redirection to Untrusted Site ('Open Redirect')":{"python":{"":1}},"CWE-611: Improper Restriction of XML External Entity Reference":{"python":{"":2}},"CWE-939: Improper Authorization in Handler for Custom URL Scheme":{"python":{"":1}},"CWE-155: Improper Neutralization of Wildcards or Matching Symbols":{"python":{"":1}},"CWE-1236: Improper Neutralization of Formula Elements in a CSV File":{"python":{"":1}},"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor":{"python":{"":1}},"CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')":{"python":{"":1}},"CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute":{"python":{"":2}},"CWE-497: Exposure of Sensitive System Information to an Unauthorized Control Sphere":{"python":{"":1}},"CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')":{"python":{"":6}},"CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes":{"python":{"":1}},"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')":{"python":{"":6}},"CWE-89: Improper Neutralization of Special Elements used in an SQL Command 
('SQL Injection')":{"python":{"":8}},"CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')":{"python":{"":1}},"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')":{"python":{"":11}},"CWE-96: Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')":{"python":{"":3}},"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')":{"python":{"":13}},"CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')":{"python":{"":2}}},"rules_with_no_cwe":["use-click-secho","use-django-environ","use-onetoonefield","use-json-response","use-count-method","access-foreign-keys","use-earliest-or-latest","django-compat-2_0-signals-weak","django-compat-2_0-check-aggregate-support","django-compat-2_0-extra-forms","django-compat-2_0-assignment-tag","django-compat-2_0-assert-redirects-helper","no-null-string-field","string-field-must-set-null-true","django-db-model-save-super","nontext-field-must-set-null-true","bokeh-deprecated-apis","len-all-count","batch-import","delete-where-no-execute","bad-operator-in-filter","attr-mutable-initializer","use-jsonify","flask-deprecated-apis","flask-duplicate-handler-name","avoid-accessing-request-in-wrong-handler","python-debugger-found","pass-body-fn","pass-body-range","missing-hash-with-eq","arbitrary-sleep","open-never-closed","manual-defaultdict-dict-create","manual-defaultdict-set-create","manual-defaultdict-list-create","manual-counter-create","hardcoded-tmp-path","useless-inner-function","useless-literal-dict","useless-assignment-keyed","useless-if-conditional","useless-if-body","code-after-unconditional-return","return-not-in-function","python36-compatibility-ssl","python36-compatibility-Popen1","python36-compatibility-Popen2","python37-compatibility-importlib","python37-compatibility-importlib2","python37-compatibility-importlib3","python37-
compatibility-httpconn","python37-compatibility-httpsconn","python37-compatibility-textiowrapper","python37-compatibility-ipv6network1","python37-compatibility-ipv6network2","python37-compatibility-ipv4network1","python37-compatibility-ipv4network2","python37-compatibility-locale1","python37-compatibility-math1","python37-compatibility-multiprocess1","python37-compatibility-multiprocess2","python37-compatibility-os1","python37-compatability-os-module","python37-compatibility-os2-ok2","python37-compatibility-pdb","pdb-remove","use-sys-exit","return-in-init","yield-in-init","file-object-redefined-before-close","unchecked-subprocess-call","baseclass-attribute-override","no-strings-as-booleans","useless-eqeq","writing-to-file-in-read-mode","dict-del-while-iterate","list-modify-while-iterate","is-not-is-not","default-mutable-list","default-mutable-dict","identical-is-comparison","string-is-comparison","string-concat-in-list","raise-not-base-exception","tempfile-insecure","tempfile-without-flush","use-timeout","use-raise-for-status"]},"owasp":{"totals":{"":88,"A1: Injection":2,"A01:2017: Injection":22,"A03:2021: Injection":40,"A04:2021: Insecure Design":1,"A3: Sensitive Data Exposure":11,"A6: Security Misconfiguration":1,"A01:2021: Broken Access Control":10,"A02:2017: Broken Authentication":1,"A05:2017: Broken Access Control":4,"A02:2021: Cryptographic Failures":21,"A03:2017: Sensitive Data Exposure":22,"A08:2017: Insecure Deserialization":12,"A05:2021: Security Misconfiguration":18,"A06:2017: Security Misconfiguration":11,"A07:2017: Cross-Site Scripting (XSS)":6,"A04:2017: XML External Entities (XXE)":2,"A06:2021: Vulnerable and Outdated Components":9,"A10:2021: Server-Side Request Forgery (SSRF)":3,"A08:2021: Software and Data Integrity Failures":13,"A07:2021: Identification and Authentication Failures":7,"A09:2017: Using Components with Known Vulnerabilities":9},"per_framework":{"":{"python":{"":88}},"A1: Injection":{"python":{"":2}},"A01:2017: 
Injection":{"python":{"":22}},"A03:2021: Injection":{"python":{"":40}},"A04:2021: Insecure Design":{"python":{"":1}},"A3: Sensitive Data Exposure":{"python":{"":11}},"A6: Security Misconfiguration":{"python":{"":1}},"A01:2021: Broken Access Control":{"python":{"":10}},"A02:2017: Broken Authentication":{"python":{"":1}},"A05:2017: Broken Access Control":{"python":{"":4}},"A02:2021: Cryptographic Failures":{"python":{"":21}},"A03:2017: Sensitive Data Exposure":{"python":{"":22}},"A08:2017: Insecure Deserialization":{"python":{"":12}},"A05:2021: Security Misconfiguration":{"python":{"":18}},"A06:2017: Security Misconfiguration":{"python":{"":11}},"A07:2017: Cross-Site Scripting (XSS)":{"python":{"":6}},"A04:2017: XML External Entities (XXE)":{"python":{"":2}},"A06:2021: Vulnerable and Outdated Components":{"python":{"":9}},"A10:2021: Server-Side Request Forgery (SSRF)":{"python":{"":3}},"A08:2021: Software and Data Integrity Failures":{"python":{"":13}},"A07:2021: Identification and Authentication Failures":{"python":{"":7}},"A09:2017: Using Components with Known 
Vulnerabilities":{"python":{"":9}}},"rules_with_no_owasp":["use-click-secho","use-django-environ","use-onetoonefield","use-json-response","use-count-method","access-foreign-keys","use-earliest-or-latest","django-compat-2_0-signals-weak","django-compat-2_0-check-aggregate-support","django-compat-2_0-extra-forms","django-compat-2_0-assignment-tag","django-compat-2_0-assert-redirects-helper","no-null-string-field","string-field-must-set-null-true","django-db-model-save-super","nontext-field-must-set-null-true","bokeh-deprecated-apis","len-all-count","batch-import","delete-where-no-execute","bad-operator-in-filter","attr-mutable-initializer","use-jsonify","flask-deprecated-apis","flask-duplicate-handler-name","avoid-accessing-request-in-wrong-handler","python-debugger-found","pass-body-fn","pass-body-range","missing-hash-with-eq","arbitrary-sleep","open-never-closed","manual-defaultdict-dict-create","manual-defaultdict-set-create","manual-defaultdict-list-create","manual-counter-create","hardcoded-tmp-path","useless-inner-function","useless-literal-dict","useless-assignment-keyed","useless-if-conditional","useless-if-body","code-after-unconditional-return","return-not-in-function","python36-compatibility-ssl","python36-compatibility-Popen1","python36-compatibility-Popen2","python37-compatibility-importlib","python37-compatibility-importlib2","python37-compatibility-importlib3","python37-compatibility-httpconn","python37-compatibility-httpsconn","python37-compatibility-textiowrapper","python37-compatibility-ipv6network1","python37-compatibility-ipv6network2","python37-compatibility-ipv4network1","python37-compatibility-ipv4network2","python37-compatibility-locale1","python37-compatibility-math1","python37-compatibility-multiprocess1","python37-compatibility-multiprocess2","python37-compatibility-os1","python37-compatability-os-module","python37-compatibility-os2-ok2","python37-compatibility-pdb","pdb-remove","use-sys-exit","return-in-init","yield-in-init","file-object-re
defined-before-close","unchecked-subprocess-call","baseclass-attribute-override","no-strings-as-booleans","useless-eqeq","writing-to-file-in-read-mode","dict-del-while-iterate","list-modify-while-iterate","is-not-is-not","default-mutable-list","default-mutable-dict","identical-is-comparison","string-is-comparison","string-concat-in-list","raise-not-base-exception","tempfile-insecure","tempfile-without-flush","use-timeout","use-raise-for-status"]}},"author":"Ascof22","counts":{"total_rules":225,"premium_rules":0},"hidden":true,"description":"All Python Rules From 31.6.2020","id":"Odn","name":"ascof22.all_python_rules","visibility":"public","categories":[]},{"tags":["smart contract","blockchain","solidity","security"],"stats":{"cwe":{"totals":{"":15,"CWE-787: Out-of-bounds Write":1,"CWE-682: Incorrect Calculation":4,"CWE-285: Improper Authorization":1,"CWE-284: Improper Access Control":10,"CWE-20: Improper Input Validation":4,"CWE-341: Predictable from Observable State":1,"CWE-191: Integer Underflow (Wrap or Wraparound)":1,"CWE-841: Improper Enforcement of Behavioral Workflow":7,"CWE-837: Improper Enforcement of a Single, Unique Action":2,"CWE-347: Improper Verification of Cryptographic Signature":1,"CWE-688: Function Call With Incorrect Variable or Reference as Argument":2,"CWE-1285: Improper Validation of Specified Index, Position, or Offset in Input":1},"per_framework":{"":{"solidity":{"":15}},"CWE-787: Out-of-bounds Write":{"solidity":{"":1}},"CWE-682: Incorrect Calculation":{"solidity":{"":4}},"CWE-285: Improper Authorization":{"solidity":{"":1}},"CWE-284: Improper Access Control":{"solidity":{"":10}},"CWE-20: Improper Input Validation":{"solidity":{"":4}},"CWE-341: Predictable from Observable State":{"solidity":{"":1}},"CWE-191: Integer Underflow (Wrap or Wraparound)":{"solidity":{"":1}},"CWE-841: Improper Enforcement of Behavioral Workflow":{"solidity":{"":7}},"CWE-837: Improper Enforcement of a Single, Unique Action":{"solidity":{"":2}},"CWE-347: Improper 
Verification of Cryptographic Signature":{"solidity":{"":1}},"CWE-688: Function Call With Incorrect Variable or Reference as Argument":{"solidity":{"":2}},"CWE-1285: Improper Validation of Specified Index, Position, or Offset in Input":{"solidity":{"":1}}},"rules_with_no_cwe":["use-abi-encodecall-instead-of-encodewithselector","use-ownable2step","array-length-outside-loop","inefficient-state-variable-increment","init-variables-with-default-value","non-optimal-variables-swap","non-payable-constructor","state-variable-read-in-a-loop","unnecessary-checked-arithmetic-in-loop","use-custom-error-not-require","use-multiple-require","use-nested-if","use-prefix-decrement-not-postfix","use-prefix-increment-not-postfix","use-short-revert-string"]},"owasp":{"totals":{"":48,"A01:2021: Broken Access Control":1,"A01:2025: Broken Access Control":1,"A7:2021 Identification and Authentication Failures":1},"per_framework":{"":{"solidity":{"":48}},"A01:2021: Broken Access Control":{"solidity":{"":1}},"A01:2025: Broken Access Control":{"solidity":{"":1}},"A7:2021 Identification and Authentication 
Failures":{"solidity":{"":1}}},"rules_with_no_owasp":["use-abi-encodecall-instead-of-encodewithselector","use-ownable2step","array-length-outside-loop","inefficient-state-variable-increment","init-variables-with-default-value","non-optimal-variables-swap","non-payable-constructor","state-variable-read-in-a-loop","unnecessary-checked-arithmetic-in-loop","use-custom-error-not-require","use-multiple-require","use-nested-if","use-prefix-decrement-not-postfix","use-prefix-increment-not-postfix","use-short-revert-string","accessible-selfdestruct","arbitrary-low-level-call","balancer-readonly-reentrancy-getpooltokens","balancer-readonly-reentrancy-getrate","basic-arithmetic-underflow","basic-oracle-manipulation","compound-borrowfresh-reentrancy","compound-sweeptoken-not-restricted","curve-readonly-reentrancy","delegatecall-to-arbitrary-address","encode-packed-collision","erc20-public-burn","erc20-public-transfer","erc677-reentrancy","erc721-arbitrary-transferfrom","erc721-reentrancy","erc777-reentrancy","gearbox-tokens-path-confusion","incorrect-use-of-blockhash","keeper-network-oracle-manipulation","msg-value-multicall","no-bidi-characters","no-slippage-check","openzeppelin-ecdsa-recover-malleable","oracle-price-update-not-restricted","proxy-storage-collision","redacted-cartel-custom-approval-bug","rigoblock-missing-access-control","sense-missing-oracle-access-control","superfluid-ctx-injection","tecra-coin-burnfrom-bug","uniswap-callback-not-protected","unrestricted-transferownership"]}},"author":"Decurity","counts":{"total_rules":50,"premium_rules":0},"username":"Decurity","languages":["Solidity"],"description":"Ruleset for smart contract security, contributed by Decurity (https://www.decurity.io/).","id":"RPNg","name":"smart-contracts","visibility":"public","categories":[]},{"tags":["semgrep","security","java","insecure transport"],"stats":{"cwe":{"totals":{"CWE-319: Cleartext Transmission of Sensitive Information":1},"per_framework":{"CWE-319: Cleartext Transmission 
of Sensitive Information":{"java":{"":1}}},"rules_with_no_cwe":[]},"owasp":{"totals":{"A03:2017: Sensitive Data Exposure":1},"per_framework":{"A03:2017: Sensitive Data Exposure":{"java":{"":1}}},"rules_with_no_owasp":[]}},"author":"Semgrep","counts":{"total_rules":1,"premium_rules":0},"hidden":true,"description":"Rule pack for detecting insecure transport in java spring.","id":"zn1","name":"test","visibility":"public","categories":[]},{"tags":[],"tier":null,"stats":{"cwe":{"totals":{"":2},"per_framework":{"":{"python":{"":3}},"CWE-489: Active Debug Code":{"python":{"":3}},"CWE-352: Cross-Site Request Forgery (CSRF)":{"python":{"":1}},"CWE-502: Deserialization of Untrusted Data":{"python":{"":1}},"CWE-918: Server-Side Request Forgery (SSRF)":{"python":{"":1}},"CWE-668: Exposure of Resource to Wrong Sphere":{"python":{"":2}},"CWE-73: External Control of File Name or Path":{"python":{"":1}},"CWE-601: URL Redirection to Untrusted Site ('Open Redirect')":{"python":{"":1}},"CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute":{"python":{"":1}},"CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')":{"python":{"":1}},"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')":{"python":{"":2}},"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')":{"python":{"":2}},"CWE-96: Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')":{"python":{"":2}},"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')":{"python":{"":1}}},"rules_with_no_cwe":["use-jsonify","avoid-accessing-request-in-wrong-handler","flask-duplicate-handler-name"]},"owasp":{"totals":{"":3,"A01:2017: Injection":1,"A03:2021: Injection":7,"A04:2021: Insecure Design":1,"A01:2021: Broken Access Control":5,"A05:2017: Broken Access Control":1,"A08:2017: Insecure Deserialization":1,"A05:2021: Security 
Misconfiguration":4,"A07:2017: Cross-Site Scripting (XSS)":2,"A10:2021: Server-Side Request Forgery (SSRF)":1,"A08:2021: Software and Data Integrity Failures":1},"per_framework":{"":{"python":{"":3}},"A01:2017: Injection":{"python":{"":1}},"A03:2021: Injection":{"python":{"":7}},"A04:2021: Insecure Design":{"python":{"":1}},"A01:2021: Broken Access Control":{"python":{"":5}},"A05:2017: Broken Access Control":{"python":{"":1}},"A08:2017: Insecure Deserialization":{"python":{"":1}},"A05:2021: Security Misconfiguration":{"python":{"":4}},"A07:2017: Cross-Site Scripting (XSS)":{"python":{"":2}},"A10:2021: Server-Side Request Forgery (SSRF)":{"python":{"":1}},"A08:2021: Software and Data Integrity Failures":{"python":{"":1}}},"rules_with_no_owasp":["use-jsonify","avoid-accessing-request-in-wrong-handler","flask-duplicate-handler-name"]}},"author":"MCOffSec","counts":{"total_rules":22,"premium_rules":0},"hidden":true,"description":"","id":"Lvo","name":"mcoffsec.test","visibility":"public","categories":[]},{"tags":[],"tier":null,"stats":{"cwe":{"totals":{"":1},"per_framework":{"":{"python":{"":1}}},"rules_with_no_cwe":["assertTrue"]},"owasp":{"totals":{"":1},"per_framework":{"":{"python":{"":1}}},"rules_with_no_owasp":["assertTrue"]}},"author":"Adam Blackwell","counts":{"total_rules":1,"premium_rules":0},"hidden":true,"description":null,"id":"PvW","name":"adzuci.use-assertequal-for-equality-rules","visibility":"public","categories":[]},{"tags":["semgrep","security","java","insecure transport"],"stats":{"cwe":{"totals":{"CWE-319: Cleartext Transmission of Sensitive Information":3},"per_framework":{"CWE-319: Cleartext Transmission of Sensitive Information":{"java":{"":3}}},"rules_with_no_cwe":[]},"owasp":{"totals":{"A03:2017: Sensitive Data Exposure":3},"per_framework":{"A03:2017: Sensitive Data Exposure":{"java":{"":3}}},"rules_with_no_owasp":[]}},"author":"r2c","counts":{"total_rules":3,"premium_rules":0},"hidden":true,"description":"Rule pack for detecting insecure 
transport in java spring.","id":"KJ7","name":"colleend.insecure-transport-javaspring","visibility":"public","categories":[]},{"tags":[],"tier":null,"stats":{"cwe":{"totals":{"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')":4},"per_framework":{"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')":{"go":{"":1},"java":{"":2},"javascript":{"":1}},"CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')":{"python":{"":2}}},"rules_with_no_cwe":[]},"owasp":{"totals":{"A03:2021: Injection":6,"A07:2017: Cross-Site Scripting (XSS)":4},"per_framework":{"A03:2021: Injection":{"go":{"":1},"java":{"":2},"python":{"":2},"javascript":{"":1}},"A07:2017: Cross-Site Scripting (XSS)":{"go":{"":1},"java":{"":2},"javascript":{"":1}}},"rules_with_no_owasp":[]}},"author":"Joe Bollen","counts":{"total_rules":6,"premium_rules":0},"hidden":true,"description":"Detect use of known possible functionality that can introduce XSS in Java, JS, and Python","id":"88y","name":"hazanasec.generic_possible_xss","visibility":"public","categories":[]},{"tags":[],"stats":{"cwe":{"totals":{"CWE-502: Deserialization of Untrusted Data":3},"per_framework":{"CWE-489: Active Debug Code":{"python":{"":5}},"CWE-521: Weak Password Requirements":{"python":{"":2}},"CWE-798: Use of Hard-coded Credentials":{"python":{"":2}},"CWE-326: Inadequate Encryption Strength":{"python":{"":3}},"CWE-295: Improper Certificate Validation":{"python":{"":3}},"CWE-352: Cross-Site Request Forgery (CSRF)":{"python":{"":2}},"CWE-502: Deserialization of Untrusted Data":{"python":{"":9}},"CWE-918: Server-Side Request Forgery (SSRF)":{"python":{"":3}},"CWE-523: Unprotected Transport of Credentials":{"python":{"":1}},"CWE-668: Exposure of Resource to Wrong Sphere":{"python":{"":2}},"CWE-73: External Control of File Name or Path":{"python":{"":1}},"CWE-116: Improper Encoding or Escaping of 
Output":{"python":{"":1}},"CWE-322: Key Exchange without Entity Authentication":{"python":{"":1}},"CWE-319: Cleartext Transmission of Sensitive Information":{"python":{"":3}},"CWE-327: Use of a Broken or Risky Cryptographic Algorithm":{"python":{"":18}},"CWE-601: URL Redirection to Untrusted Site ('Open Redirect')":{"python":{"":1}},"CWE-611: Improper Restriction of XML External Entity Reference":{"python":{"":1}},"CWE-939: Improper Authorization in Handler for Custom URL Scheme":{"python":{"":1}},"CWE-155: Improper Neutralization of Wildcards or Matching Symbols":{"python":{"":1}},"CWE-1236: Improper Neutralization of Formula Elements in a CSV File":{"python":{"":1}},"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor":{"python":{"":1}},"CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')":{"python":{"":1}},"CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute":{"python":{"":1}},"CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')":{"python":{"":4}},"CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes":{"python":{"":1}},"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')":{"python":{"":6}},"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')":{"python":{"":8}},"CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')":{"python":{"":1}},"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')":{"python":{"":9}},"CWE-96: Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')":{"python":{"":3}},"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')":{"python":{"":8}},"CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component 
('Injection')":{"python":{"":2}}},"rules_with_no_cwe":[]},"owasp":{"totals":{"A1: Injection":2,"A01:2017: Injection":17,"A03:2021: Injection":35,"A04:2021: Insecure Design":1,"A3: Sensitive Data Exposure":11,"A6: Security Misconfiguration":1,"A01:2021: Broken Access Control":10,"A02:2017: Broken Authentication":1,"A05:2017: Broken Access Control":4,"A02:2021: Cryptographic Failures":15,"A03:2017: Sensitive Data Exposure":16,"A08:2017: Insecure Deserialization":9,"A05:2021: Security Misconfiguration":7,"A06:2017: Security Misconfiguration":1,"A07:2017: Cross-Site Scripting (XSS)":6,"A04:2017: XML External Entities (XXE)":2,"A10:2021: Server-Side Request Forgery (SSRF)":3,"A08:2021: Software and Data Integrity Failures":10,"A07:2021: Identification and Authentication Failures":7},"per_framework":{"A1: Injection":{"python":{"":2}},"A01:2017: Injection":{"python":{"":17}},"A03:2021: Injection":{"python":{"":35}},"A04:2021: Insecure Design":{"python":{"":1}},"A3: Sensitive Data Exposure":{"python":{"":11}},"A6: Security Misconfiguration":{"python":{"":1}},"A01:2021: Broken Access Control":{"python":{"":10}},"A02:2017: Broken Authentication":{"python":{"":1}},"A05:2017: Broken Access Control":{"python":{"":4}},"A02:2021: Cryptographic Failures":{"python":{"":15}},"A03:2017: Sensitive Data Exposure":{"python":{"":16}},"A08:2017: Insecure Deserialization":{"python":{"":9}},"A05:2021: Security Misconfiguration":{"python":{"":7}},"A06:2017: Security Misconfiguration":{"python":{"":1}},"A07:2017: Cross-Site Scripting (XSS)":{"python":{"":6}},"A04:2017: XML External Entities (XXE)":{"python":{"":2}},"A10:2021: Server-Side Request Forgery (SSRF)":{"python":{"":3}},"A08:2021: Software and Data Integrity Failures":{"python":{"":10}},"A07:2021: Identification and Authentication 
Failures":{"python":{"":7}}},"rules_with_no_owasp":[]}},"author":"pedramjm","counts":{"total_rules":106,"premium_rules":0},"hidden":true,"description":"","id":"63w","name":"pedramjm.python-security","visibility":"public","categories":[]},{"tags":[],"tier":null,"stats":{"cwe":{"totals":{"":1},"per_framework":{"":{"js":{"":1}}},"rules_with_no_cwe":["dangerous-assignment-to-innerHTML"]},"owasp":{"totals":{"":1},"per_framework":{"":{"js":{"":1}}},"rules_with_no_owasp":["dangerous-assignment-to-innerHTML"]}},"author":"Paul Theriault","counts":{"total_rules":1,"premium_rules":0},"hidden":true,"description":null,"id":"qz1","name":"pauljt.dangerous-assignment-to-innerhtml-rules","visibility":"public","categories":[]},{"tags":[],"tier":null,"stats":{"cwe":{"totals":{},"per_framework":{},"rules_with_no_cwe":[]},"owasp":{"totals":{},"per_framework":{},"rules_with_no_owasp":[]}},"author":"ifhros","counts":{"total_rules":0,"premium_rules":0},"hidden":true,"description":"","id":"K77","name":"ifhros.killy-pack","visibility":"public","categories":[]},{"tags":[],"stats":{"cwe":{"totals":{"CWE-918: Server-Side Request Forgery (SSRF)":7},"per_framework":{"CWE-918: Server-Side Request Forgery (SSRF)":{"javascript":{"":7}}},"rules_with_no_cwe":[]},"owasp":{"totals":{"A10:2021: Server-Side Request Forgery (SSRF)":7},"per_framework":{"A10:2021: Server-Side Request Forgery (SSRF)":{"javascript":{"":7}}},"rules_with_no_owasp":[]}},"author":"Vasilii Ermilov","counts":{"total_rules":7,"premium_rules":0},"hidden":true,"description":"","id":"l8y","name":"inkz.headless1","visibility":"public","categories":[]},{"tags":[],"tier":null,"stats":{"cwe":{"totals":{"CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes":3},"per_framework":{"CWE-369: Divide By Zero":{"ruby":{"":1}},"CWE-328: Use of Weak Hash":{"ruby":{"":1}},"CWE-208: Observable Timing Discrepancy":{"ruby":{"":1}},"CWE-798: Use of Hard-coded Credentials":{"ruby":{"":1}},"CWE-295: Improper Certificate 
Validation":{"ruby":{"":1}},"CWE-352: Cross-Site Request Forgery (CSRF)":{"ruby":{"":1}},"CWE-502: Deserialization of Untrusted Data":{"ruby":{"":1}},"CWE-1021: Improper Restriction of Rendered UI Layers or Frames":{"ruby":{"":1}},"CWE-94: Improper Control of Generation of Code ('Code Injection')":{"ruby":{"":3}},"CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes":{"ruby":{"":3}}},"rules_with_no_cwe":[]},"owasp":{"totals":{"":2,"A03:2021: Injection":3,"A04:2021: Insecure Design":1,"A01:2021: Broken Access Control":1,"A02:2021: Cryptographic Failures":1,"A03:2017: Sensitive Data Exposure":2,"A08:2017: Insecure Deserialization":1,"A08:2021: Software and Data Integrity Failures":4,"A07:2021: Identification and Authentication Failures":2},"per_framework":{"":{"ruby":{"":2}},"A03:2021: Injection":{"ruby":{"":3}},"A04:2021: Insecure Design":{"ruby":{"":1}},"A01:2021: Broken Access Control":{"ruby":{"":1}},"A02:2021: Cryptographic Failures":{"ruby":{"":1}},"A03:2017: Sensitive Data Exposure":{"ruby":{"":2}},"A08:2017: Insecure Deserialization":{"ruby":{"":1}},"A08:2021: Software and Data Integrity Failures":{"ruby":{"":4}},"A07:2021: Identification and Authentication Failures":{"ruby":{"":2}}},"rules_with_no_owasp":["divide-by-zero","timing-attack"]}},"author":"slothy-ghost","counts":{"total_rules":14,"premium_rules":0},"hidden":true,"description":"","id":"vWX","name":"slothy-ghost.m-ruby-pack-inc-cz","visibility":"public","categories":[]},{"tags":[],"tier":null,"stats":{"cwe":{"totals":{"":4},"per_framework":{"":{"c":{"":1},"java":{"":4}},"CWE-287: Improper Authentication":{"java":{"":1}},"CWE-276: Incorrect Default Permissions":{"java":{"":1}},"CWE-326: Inadequate Encryption Strength":{"java":{"":5}},"CWE-295: Improper Certificate Validation":{"java":{"":2}},"CWE-183: Permissive List of Allowed Inputs":{"java":{"":1}},"CWE-352: Cross-Site Request Forgery (CSRF)":{"java":{"":2}},"CWE-502: Deserialization of Untrusted 
Data":{"java":{"":2}},"CWE-704: Incorrect Type Conversion or Cast":{"java":{"":1}},"CWE-676: Use of Potentially Dangerous Function":{"c":{"":5}},"CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag":{"java":{"":1}},"CWE-134: Use of Externally-Controlled Format String":{"c":{"":1}},"CWE-329: Generation of Predictable IV with CBC Mode":{"java":{"":1}},"CWE-319: Cleartext Transmission of Sensitive Information":{"java":{"":1}},"CWE-327: Use of a Broken or Risky Cryptographic Algorithm":{"java":{"":5}},"CWE-601: URL Redirection to Untrusted Site ('Open Redirect')":{"java":{"":2}},"CWE-297: Improper Validation of Certificate with Host Mismatch":{"java":{"":1}},"CWE-611: Improper Restriction of XML External Entity Reference":{"java":{"":3}},"CWE-94: Improper Control of Generation of Code ('Code Injection')":{"java":{"":4}},"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor":{"java":{"":1}},"CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')":{"java":{"":1}},"CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute":{"java":{"":1}},"CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')":{"java":{"":2}},"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')":{"java":{"":2}},"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')":{"java":{"":2}},"CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')":{"java":{"":2}},"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')":{"java":{"":1}},"CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')":{"java":{"":1}}},"rules_with_no_cwe":["double_goto","no-string-eqeq","assignment-comparison","eqeq","hardcoded-conditional"]},"owasp":{"totals":{"":11,"A01:2017: Injection":5,"A03:2021: Injection":13,"A04:2021: Insecure Design":1,"A01:2021: Broken 
Access Control":8,"A02:2017: Broken Authentication":1,"A05:2017: Broken Access Control":2,"A02:2021: Cryptographic Failures":10,"A03:2017: Sensitive Data Exposure":12,"A08:2017: Insecure Deserialization":2,"A05:2021: Security Misconfiguration":5,"A07:2017: Cross-Site Scripting (XSS)":2,"A04:2017: XML External Entities (XXE)":3,"A08:2021: Software and Data Integrity Failures":2,"A9: Using Components with Known Vulnerabilities":2,"A07:2021: Identification and Authentication Failures":4},"per_framework":{"":{"c":{"":7},"java":{"":4}},"A01:2017: Injection":{"java":{"":5}},"A03:2021: Injection":{"java":{"":13}},"A04:2021: Insecure Design":{"java":{"":1}},"A01:2021: Broken Access Control":{"java":{"":8}},"A02:2017: Broken Authentication":{"java":{"":1}},"A05:2017: Broken Access Control":{"java":{"":2}},"A02:2021: Cryptographic Failures":{"java":{"":10}},"A03:2017: Sensitive Data Exposure":{"java":{"":12}},"A08:2017: Insecure Deserialization":{"java":{"":2}},"A05:2021: Security Misconfiguration":{"java":{"":5}},"A07:2017: Cross-Site Scripting (XSS)":{"java":{"":2}},"A04:2017: XML External Entities (XXE)":{"java":{"":3}},"A08:2021: Software and Data Integrity Failures":{"java":{"":2}},"A9: Using Components with Known Vulnerabilities":{"java":{"":2}},"A07:2021: Identification and Authentication Failures":{"java":{"":4}}},"rules_with_no_owasp":["double_goto","insecure-use-strtok-fn","insecure-use-printf-fn","insecure-use-scanf-fn","insecure-use-string-copy-fn","insecure-use-gets-fn","insecure-use-strcat-fn","no-string-eqeq","assignment-comparison","eqeq","hardcoded-conditional"]}},"author":"Ascof22","counts":{"total_rules":57,"premium_rules":0},"hidden":true,"description":"C and Java Linting Pack for Espresso-IT research project","id":"vYb","name":"ascof22.espresso-it_c_and_java","visibility":"public","categories":[]},{"tags":[],"tier":null,"stats":{"cwe":{"totals":{"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL 
Injection')":1},"per_framework":{"":{"javascript":{"":1}},"CWE-22":{"python":{"":1}},"CWE-78":{"python":{"":9}},"CWE-79":{"python":{"":2}},"CWE-89":{"python":{"":3}},"CWE-94":{"python":{"":1}},"CWE-95":{"python":{"":1}},"CWE-116":{"python":{"":1}},"CWE-155":{"python":{"":1}},"CWE-200":{"python":{"":1}},"CWE-259":{"python":{"":3}},"CWE-284":{"python":{"":1}},"CWE-295":{"python":{"":3}},"CWE-310":{"python":{"":1}},"CWE-319":{"python":{"":6}},"CWE-322":{"python":{"":1}},"CWE-326":{"python":{"":4}},"CWE-327":{"python":{"":23}},"CWE-330":{"python":{"":1}},"CWE-377":{"python":{"":4}},"CWE-400":{"python":{"":1}},"CWE-489":{"python":{"":1}},"CWE-502":{"python":{"":14}},"CWE-611":{"python":{"":8}},"CWE-703":{"python":{"":2}},"CWE-732":{"python":{"":1}},"CWE-754":{"python":{"":1}},"CWE-939":{"python":{"":2}},"CWE-377: Insecure Temporary File":{"python":{"":1}},"CWE-798: Use of Hard-coded Credentials":{"javascript":{"":3}},"CWE-326: Inadequate Encryption Strength":{"python":{"":1}},"CWE-295: Improper Certificate Validation":{"python":{"":1}},"CWE-502: Deserialization of Untrusted Data":{"python":{"":1}},"CWE-116: Improper Encoding or Escaping of Output":{"python":{"":1}},"CWE-345: Insufficient Verification of Data Authenticity":{"javascript":{"":1}},"CWE-327: Use of a Broken or Risky Cryptographic Algorithm":{"python":{"":1},"javascript":{"":2}},"CWE-611: Improper Restriction of XML External Entity Reference":{"python":{"":3},"javascript":{"":1}},"CWE-913: Improper Control of Dynamically-Managed Code Resources":{"go":{"":1}},"CWE-939: Improper Authorization in Handler for Custom URL Scheme":{"python":{"":1}},"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')":{"python":{"":2}},"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')":{"go":{"":1},"python":{"":1}},"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')":{"python":{"":1}},"CWE-78: Improper 
Neutralization of Special Elements used in an OS Command ('OS Command Injection')":{"python":{"":1},"javascript":{"":1}}},"rules_with_no_cwe":["eqeq-is-bad"]},"owasp":{"totals":{"":14,"A1:2017-Injection":13,"A01:2017: Injection":5,"A03:2021: Injection":6,"A3: Sensitive Data Exposure":1,"A2:2017-Broken Authentication":3,"A5:2017-Broken Access Control":4,"A6: Security Misconfiguration":1,"A7: Cross-Site Scripting (XSS)":1,"A01:2021: Broken Access Control":1,"A3:2017-Sensitive Data Exposure":36,"A4: XML External Entities (XXE)":1,"A02:2021: Cryptographic Failures":3,"A8:2017-Insecure Deserialization":15,"A03:2017: Sensitive Data Exposure":4,"A6:2017-Security Misconfiguration":3,"A08:2017: Insecure Deserialization":1,"A7:2017-Cross-Site Scripting (XSS)":3,"A05:2021: Security Misconfiguration":2,"A4:2017-XML External Entities (XXE)":8,"A07:2017: Cross-Site Scripting (XSS)":1,"A04:2017: XML External Entities (XXE)":2,"A06:2021: Vulnerable and Outdated Components":1,"A08:2021: Software and Data Integrity Failures":2,"A07:2021: Identification and Authentication Failures":4,"A09:2017: Using Components with Known Vulnerabilities":1},"per_framework":{"":{"python":{"":13},"javascript":{"":1}},"A1:2017-Injection":{"python":{"":13}},"A01:2017: Injection":{"go":{"":1},"python":{"":3},"javascript":{"":1}},"A03:2021: Injection":{"go":{"":1},"python":{"":4},"javascript":{"":1}},"A3: Sensitive Data Exposure":{"python":{"":1}},"A2:2017-Broken Authentication":{"python":{"":3}},"A5:2017-Broken Access Control":{"python":{"":4}},"A6: Security Misconfiguration":{"python":{"":1}},"A7: Cross-Site Scripting (XSS)":{"python":{"":1}},"A01:2021: Broken Access Control":{"go":{"":1}},"A3:2017-Sensitive Data Exposure":{"python":{"":36}},"A4: XML External Entities (XXE)":{"python":{"":1}},"A02:2021: Cryptographic Failures":{"python":{"":1},"javascript":{"":2}},"A8:2017-Insecure Deserialization":{"python":{"":15}},"A03:2017: Sensitive Data 
Exposure":{"python":{"":2},"javascript":{"":2}},"A6:2017-Security Misconfiguration":{"python":{"":3}},"A08:2017: Insecure Deserialization":{"python":{"":1}},"A7:2017-Cross-Site Scripting (XSS)":{"python":{"":3}},"A05:2021: Security Misconfiguration":{"python":{"":1},"javascript":{"":1}},"A4:2017-XML External Entities (XXE)":{"python":{"":8}},"A07:2017: Cross-Site Scripting (XSS)":{"python":{"":1}},"A04:2017: XML External Entities (XXE)":{"python":{"":1},"javascript":{"":1}},"A06:2021: Vulnerable and Outdated Components":{"python":{"":1}},"A08:2021: Software and Data Integrity Failures":{"python":{"":1},"javascript":{"":1}},"A07:2021: Identification and Authentication Failures":{"python":{"":1},"javascript":{"":3}},"A09:2017: Using Components with Known Vulnerabilities":{"python":{"":1}}},"rules_with_no_owasp":["bandit.B415","bandit.B612","bandit.B508","bandit.B113","bandit.B509","bandit.B202","bandit.B108","bandit.B108-2","bandit.B110","bandit.B325","bandit.B112","bandit.B101","bandit.B108-1","eqeq-is-bad"]}},"author":"dajima","counts":{"total_rules":123,"premium_rules":0},"hidden":true,"description":"","id":"2v0","name":"dajima.my-pack","visibility":"public","categories":[]},{"tags":["security","correctness","logic","bugs","injection","xss","deserialization","xxe","spring","java"],"stats":{"cwe":{"totals":{"":1},"per_framework":{"":{"java":{"":2}},"CWE-326: Inadequate Encryption Strength":{"java":{"":3}},"CWE-295: Improper Certificate Validation":{"java":{"":2}},"CWE-183: Permissive List of Allowed Inputs":{"java":{"":1}},"CWE-502: Deserialization of Untrusted Data":{"java":{"":1}},"CWE-329: Generation of Predictable IV with CBC Mode":{"java":{"":1}},"CWE-327: Use of a Broken or Risky Cryptographic Algorithm":{"java":{"":3}},"CWE-297: Improper Validation of Certificate with Host Mismatch":{"java":{"":1}},"CWE-611: Improper Restriction of XML External Entity Reference":{"java":{"":1}},"CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path 
Traversal')":{"java":{"":2}},"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')":{"java":{"":1}}},"rules_with_no_cwe":["no-string-eqeq","eqeq"]},"owasp":{"totals":{"":2,"A03:2021: Injection":1,"A04:2021: Insecure Design":1,"A01:2021: Broken Access Control":2,"A05:2017: Broken Access Control":2,"A02:2021: Cryptographic Failures":5,"A03:2017: Sensitive Data Exposure":6,"A08:2017: Insecure Deserialization":1,"A05:2021: Security Misconfiguration":1,"A07:2017: Cross-Site Scripting (XSS)":1,"A04:2017: XML External Entities (XXE)":1,"A08:2021: Software and Data Integrity Failures":1,"A9: Using Components with Known Vulnerabilities":2,"A07:2021: Identification and Authentication Failures":3},"per_framework":{"":{"java":{"":2}},"A03:2021: Injection":{"java":{"":1}},"A04:2021: Insecure Design":{"java":{"":1}},"A01:2021: Broken Access Control":{"java":{"":2}},"A05:2017: Broken Access Control":{"java":{"":2}},"A02:2021: Cryptographic Failures":{"java":{"":5}},"A03:2017: Sensitive Data Exposure":{"java":{"":6}},"A08:2017: Insecure Deserialization":{"java":{"":1}},"A05:2021: Security Misconfiguration":{"java":{"":1}},"A07:2017: Cross-Site Scripting (XSS)":{"java":{"":1}},"A04:2017: XML External Entities (XXE)":{"java":{"":1}},"A08:2021: Software and Data Integrity Failures":{"java":{"":1}},"A9: Using Components with Known Vulnerabilities":{"java":{"":2}},"A07:2021: Identification and Authentication Failures":{"java":{"":3}}},"rules_with_no_owasp":["no-string-eqeq","eqeq"]}},"author":"r2c","counts":{"total_rules":18,"premium_rules":0},"hidden":true,"description":"Scan for runtime errors, logic bugs, and high-confidence security vulnerabilities. 
Recommended for use in CI to block serious issues from reaching production.","id":"K27","name":"minusworld.r2c-java-ci","visibility":"public","categories":[]},{"tags":[],"stats":{"cwe":{"totals":{"CWE-523: Unprotected Transport of Credentials":3},"per_framework":{"":{"c":{"":1},"go":{"":6},"java":{"":4},"python":{"":82},"javascript":{"":7}},"CWE-489: Active Debug Code":{"go":{"":1},"python":{"":5}},"CWE-310: Cryptographic Issues":{"python":{"":7}},"CWE-287: Improper Authentication":{"java":{"":1}},"CWE-377: Insecure Temporary File":{"go":{"":1},"python":{"":1}},"CWE-521: Weak Password Requirements":{"python":{"":2}},"CWE-276: Incorrect Default Permissions":{"java":{"":1}},"CWE-798: Use of Hard-coded Credentials":{"go":{"":1},"python":{"":2},"javascript":{"":6}},"CWE-326: Inadequate Encryption Strength":{"java":{"":5},"python":{"":3}},"CWE-295: Improper Certificate Validation":{"java":{"":2},"python":{"":3}},"CWE-183: Permissive List of Allowed Inputs":{"java":{"":1}},"CWE-352: Cross-Site Request Forgery (CSRF)":{"java":{"":2},"python":{"":2}},"CWE-400: Uncontrolled Resource Consumption":{"go":{"":1}},"CWE-502: Deserialization of Untrusted Data":{"java":{"":2},"python":{"":13},"javascript":{"":1}},"CWE-704: Incorrect Type Conversion or Cast":{"java":{"":1}},"CWE-300: Channel Accessible by Non-Endpoint":{"go":{"":2}},"CWE-918: Server-Side Request Forgery (SSRF)":{"python":{"":3},"javascript":{"":7}},"CWE-242: Use of Inherently Dangerous Function":{"go":{"":1}},"CWE-311: Missing Encryption of Sensitive Data":{"python":{"":2}},"CWE-522: Insufficiently Protected Credentials":{"javascript":{"":9}},"CWE-523: Unprotected Transport of Credentials":{"python":{"":1}},"CWE-668: Exposure of Resource to Wrong Sphere":{"python":{"":2}},"CWE-73: External Control of File Name or Path":{"python":{"":1}},"CWE-116: Improper Encoding or Escaping of Output":{"python":{"":1}},"CWE-289: Authentication Bypass by Alternate Name":{"go":{"":1}},"CWE-1004: Sensitive Cookie Without 'HttpOnly' 
Flag":{"java":{"":1}},"CWE-322: Key Exchange without Entity Authentication":{"go":{"":1},"python":{"":1}},"CWE-329: Generation of Predictable IV with CBC Mode":{"java":{"":1}},"CWE-1104: Use of Unmaintained Third Party Components":{"python":{"":3}},"CWE-706: Use of Incorrectly-Resolved Name or Reference":{"javascript":{"":2}},"CWE-345: Insufficient Verification of Data Authenticity":{"javascript":{"":1}},"CWE-689: Permission Race Condition During Resource Copy":{"python":{"":1}},"CWE-319: Cleartext Transmission of Sensitive Information":{"go":{"":1},"java":{"":1},"python":{"":3}},"CWE-327: Use of a Broken or Risky Cryptographic Algorithm":{"go":{"":7},"java":{"":5},"python":{"":19},"javascript":{"":2}},"CWE-601: URL Redirection to Untrusted Site ('Open Redirect')":{"java":{"":2},"python":{"":1}},"CWE-297: Improper Validation of Certificate with Host Mismatch":{"java":{"":1}},"CWE-611: Improper Restriction of XML External Entity Reference":{"java":{"":3},"python":{"":2},"javascript":{"":5}},"CWE-913: Improper Control of Dynamically-Managed Code Resources":{"go":{"":2}},"CWE-94: Improper Control of Generation of Code (Code Injection)":{"javascript":{"":6}},"CWE-939: Improper Authorization in Handler for Custom URL Scheme":{"python":{"":1}},"CWE-155: Improper Neutralization of Wildcards or Matching Symbols":{"python":{"":1}},"CWE-94: Improper Control of Generation of Code ('Code Injection')":{"go":{"":1},"java":{"":4},"javascript":{"":12}},"CWE-1236: Improper Neutralization of Formula Elements in a CSV File":{"python":{"":1}},"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor":{"go":{"":1},"java":{"":1},"python":{"":1}},"CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')":{"java":{"":1},"python":{"":1}},"CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute":{"java":{"":1},"python":{"":2}},"CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)":{"go":{"":1}},"CWE-497: Exposure of Sensitive 
System Information to an Unauthorized Control Sphere":{"python":{"":1}},"CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)":{"javascript":{"":1}},"CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')":{"go":{"":1},"java":{"":2},"python":{"":6},"javascript":{"":2}},"CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes":{"python":{"":1}},"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')":{"go":{"":5},"java":{"":2},"python":{"":5}},"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')":{"go":{"":1},"java":{"":2},"python":{"":8}},"CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')":{"java":{"":2}},"CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')":{"python":{"":1}},"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')":{"python":{"":11}},"CWE-96: Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')":{"python":{"":3}},"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')":{"java":{"":1},"python":{"":13},"javascript":{"":1}},"CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component 
('Injection')":{"python":{"":2}}},"rules_with_no_cwe":["double_goto","assigned-undefined","javascript-alert","javascript-debugger","javascript-confirm","javascript-prompt","useless-assignment","eqeq-is-bad","channel-guarded-with-mutex","hidden-goroutine","useless-if-conditional","useless-if-body","eqeq-is-bad","hardcoded-eq-true-or-false","no-string-eqeq","assignment-comparison","eqeq","hardcoded-conditional","use-click-secho","use-django-environ","use-onetoonefield","use-json-response","use-count-method","access-foreign-keys","use-earliest-or-latest","django-compat-2_0-signals-weak","django-compat-2_0-check-aggregate-support","django-compat-2_0-extra-forms","django-compat-2_0-assignment-tag","django-compat-2_0-assert-redirects-helper","no-null-string-field","string-field-must-set-null-true","django-db-model-save-super","nontext-field-must-set-null-true","bokeh-deprecated-apis","len-all-count","batch-import","delete-where-no-execute","bad-operator-in-filter","use-jsonify","flask-deprecated-apis","flask-duplicate-handler-name","avoid-accessing-request-in-wrong-handler","python-debugger-found","pass-body-fn","pass-body-range","missing-hash-with-eq","arbitrary-sleep","open-never-closed","manual-defaultdict-dict-create","manual-defaultdict-set-create","manual-defaultdict-list-create","manual-counter-create","hardcoded-tmp-path","useless-inner-function","useless-literal-dict","useless-assignment-keyed","useless-if-conditional","useless-if-body","code-after-unconditional-return","return-not-in-function","python36-compatibility-ssl","python36-compatibility-Popen1","python36-compatibility-Popen2","python37-compatibility-importlib","python37-compatibility-importlib2","python37-compatibility-importlib3","python37-compatibility-httpconn","python37-compatibility-httpsconn","python37-compatibility-textiowrapper","python37-compatibility-ipv6network1","python37-compatibility-ipv6network2","python37-compatibility-ipv4network1","python37-compatibility-ipv4network2","python37-compati
bility-locale1","python37-compatibility-math1","python37-compatibility-multiprocess1","python37-compatibility-multiprocess2","python37-compatibility-os1","python37-compatability-os-module","python37-compatibility-os2-ok2","python37-compatibility-pdb","use-sys-exit","return-in-init","yield-in-init","file-object-redefined-before-close","unchecked-subprocess-call","baseclass-attribute-override","useless-eqeq","dict-del-while-iterate","is-not-is-not","default-mutable-list","default-mutable-dict","identical-is-comparison","string-is-comparison","string-concat-in-list","raise-not-base-exception","tempfile-insecure","tempfile-without-flush","use-timeout"]},"owasp":{"totals":{"":103,"A1: Injection":8,"A01:2017: Injection":29,"A03:2021: Injection":72,"A04:2021: Insecure Design":11,"A3: Sensitive Data Exposure":11,"A6: Security Misconfiguration":1,"A01:2021: Broken Access Control":27,"A02:2017: Broken Authentication":11,"A05:2017: Broken Access Control":9,"A02:2021: Cryptographic Failures":43,"A03:2017: Sensitive Data Exposure":44,"A08:2017: Insecure Deserialization":15,"A05:2021: Security Misconfiguration":28,"A06:2017: Security Misconfiguration":12,"A07:2017: Cross-Site Scripting (XSS)":12,"A04:2017: XML External Entities (XXE)":10,"A06:2021: Vulnerable and Outdated Components":9,"A10:2021: Server-Side Request Forgery (SSRF)":10,"A08:2021: Software and Data Integrity Failures":17,"A9: Using Components with Known Vulnerabilities":2,"A07:2021: Identification and Authentication Failures":20,"A09:2017: Using Components with Known Vulnerabilities":9},"per_framework":{"":{"c":{"":1},"go":{"":9},"java":{"":4},"python":{"":82},"javascript":{"":7}},"A1: Injection":{"python":{"":2},"javascript":{"":6}},"A01:2017: Injection":{"go":{"":1},"java":{"":5},"python":{"":22},"javascript":{"":1}},"A03:2021: Injection":{"go":{"":7},"java":{"":12},"python":{"":39},"javascript":{"":14}},"A04:2021: Insecure Design":{"java":{"":1},"python":{"":1},"javascript":{"":9}},"A3: Sensitive Data 
Exposure":{"python":{"":11}},"A6: Security Misconfiguration":{"python":{"":1}},"A01:2021: Broken Access Control":{"go":{"":5},"java":{"":8},"python":{"":10},"javascript":{"":4}},"A02:2017: Broken Authentication":{"java":{"":1},"python":{"":1},"javascript":{"":9}},"A05:2017: Broken Access Control":{"go":{"":1},"java":{"":2},"python":{"":4},"javascript":{"":2}},"A02:2021: Cryptographic Failures":{"go":{"":10},"java":{"":10},"python":{"":21},"javascript":{"":2}},"A03:2017: Sensitive Data Exposure":{"go":{"":8},"java":{"":12},"python":{"":22},"javascript":{"":2}},"A08:2017: Insecure Deserialization":{"java":{"":2},"python":{"":12},"javascript":{"":1}},"A05:2021: Security Misconfiguration":{"java":{"":5},"python":{"":18},"javascript":{"":5}},"A06:2017: Security Misconfiguration":{"go":{"":1},"python":{"":11}},"A07:2017: Cross-Site Scripting (XSS)":{"go":{"":5},"java":{"":2},"python":{"":5}},"A04:2017: XML External Entities (XXE)":{"java":{"":3},"python":{"":2},"javascript":{"":5}},"A06:2021: Vulnerable and Outdated Components":{"python":{"":9}},"A10:2021: Server-Side Request Forgery (SSRF)":{"python":{"":3},"javascript":{"":7}},"A08:2021: Software and Data Integrity Failures":{"java":{"":2},"python":{"":13},"javascript":{"":2}},"A9: Using Components with Known Vulnerabilities":{"java":{"":2}},"A07:2021: Identification and Authentication Failures":{"go":{"":3},"java":{"":4},"python":{"":7},"javascript":{"":6}},"A09:2017: Using Components with Known 
Vulnerabilities":{"python":{"":9}}},"rules_with_no_owasp":["double_goto","assigned-undefined","javascript-alert","javascript-debugger","javascript-confirm","javascript-prompt","useless-assignment","eqeq-is-bad","handler-assignment-from-multiple-sources","channel-guarded-with-mutex","hidden-goroutine","useless-if-conditional","useless-if-body","potential-dos-via-decompression-bomb","use-of-unsafe-block","eqeq-is-bad","hardcoded-eq-true-or-false","no-string-eqeq","assignment-comparison","eqeq","hardcoded-conditional","use-click-secho","use-django-environ","use-onetoonefield","use-json-response","use-count-method","access-foreign-keys","use-earliest-or-latest","django-compat-2_0-signals-weak","django-compat-2_0-check-aggregate-support","django-compat-2_0-extra-forms","django-compat-2_0-assignment-tag","django-compat-2_0-assert-redirects-helper","no-null-string-field","string-field-must-set-null-true","django-db-model-save-super","nontext-field-must-set-null-true","bokeh-deprecated-apis","len-all-count","batch-import","delete-where-no-execute","bad-operator-in-filter","use-jsonify","flask-deprecated-apis","flask-duplicate-handler-name","avoid-accessing-request-in-wrong-handler","python-debugger-found","pass-body-fn","pass-body-range","missing-hash-with-eq","arbitrary-sleep","open-never-closed","manual-defaultdict-dict-create","manual-defaultdict-set-create","manual-defaultdict-list-create","manual-counter-create","hardcoded-tmp-path","useless-inner-function","useless-literal-dict","useless-assignment-keyed","useless-if-conditional","useless-if-body","code-after-unconditional-return","return-not-in-function","python36-compatibility-ssl","python36-compatibility-Popen1","python36-compatibility-Popen2","python37-compatibility-importlib","python37-compatibility-importlib2","python37-compatibility-importlib3","python37-compatibility-httpconn","python37-compatibility-httpsconn","python37-compatibility-textiowrapper","python37-compatibility-ipv6network1","python37-compatibility
-ipv6network2","python37-compatibility-ipv4network1","python37-compatibility-ipv4network2","python37-compatibility-locale1","python37-compatibility-math1","python37-compatibility-multiprocess1","python37-compatibility-multiprocess2","python37-compatibility-os1","python37-compatability-os-module","python37-compatibility-os2-ok2","python37-compatibility-pdb","use-sys-exit","return-in-init","yield-in-init","file-object-redefined-before-close","unchecked-subprocess-call","baseclass-attribute-override","useless-eqeq","dict-del-while-iterate","is-not-is-not","default-mutable-list","default-mutable-dict","identical-is-comparison","string-is-comparison","string-concat-in-list","raise-not-base-exception","tempfile-insecure","tempfile-without-flush","use-timeout"]}},"author":"DanspilS","counts":{"total_rules":365,"premium_rules":0},"hidden":true,"description":"","id":"xjz","name":"dmspils.the-full-monty","visibility":"public","categories":[]},{"tags":[],"tier":null,"stats":{"cwe":{"totals":{"":4},"per_framework":{"":{"java":{"":4}},"CWE-287: Improper Authentication":{"java":{"":1}},"CWE-276: Incorrect Default Permissions":{"java":{"":1}},"CWE-326: Inadequate Encryption Strength":{"java":{"":5}},"CWE-295: Improper Certificate Validation":{"java":{"":2}},"CWE-183: Permissive List of Allowed Inputs":{"java":{"":1}},"CWE-352: Cross-Site Request Forgery (CSRF)":{"java":{"":2}},"CWE-502: Deserialization of Untrusted Data":{"java":{"":2}},"CWE-704: Incorrect Type Conversion or Cast":{"java":{"":1}},"CWE-311: Missing Encryption of Sensitive Data":{"python":{"":1}},"CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag":{"java":{"":1}},"CWE-329: Generation of Predictable IV with CBC Mode":{"java":{"":1}},"CWE-319: Cleartext Transmission of Sensitive Information":{"java":{"":1}},"CWE-327: Use of a Broken or Risky Cryptographic Algorithm":{"java":{"":5}},"CWE-601: URL Redirection to Untrusted Site ('Open Redirect')":{"java":{"":2}},"CWE-297: Improper Validation of Certificate with Host 
Mismatch":{"java":{"":1}},"CWE-611: Improper Restriction of XML External Entity Reference":{"java":{"":3}},"CWE-94: Improper Control of Generation of Code ('Code Injection')":{"java":{"":4}},"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor":{"java":{"":1}},"CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')":{"java":{"":1}},"CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute":{"java":{"":1}},"CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')":{"java":{"":2}},"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')":{"java":{"":2}},"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')":{"java":{"":2}},"CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')":{"java":{"":2}},"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')":{"java":{"":1}},"CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')":{"java":{"":1}}},"rules_with_no_cwe":["no-string-eqeq","assignment-comparison","eqeq","hardcoded-conditional"]},"owasp":{"totals":{"":4,"A01:2017: Injection":5,"A03:2021: Injection":13,"A04:2021: Insecure Design":1,"A01:2021: Broken Access Control":8,"A02:2017: Broken Authentication":1,"A05:2017: Broken Access Control":2,"A02:2021: Cryptographic Failures":10,"A03:2017: Sensitive Data Exposure":12,"A08:2017: Insecure Deserialization":2,"A05:2021: Security Misconfiguration":6,"A06:2017: Security Misconfiguration":1,"A07:2017: Cross-Site Scripting (XSS)":2,"A04:2017: XML External Entities (XXE)":3,"A08:2021: Software and Data Integrity Failures":2,"A9: Using Components with Known Vulnerabilities":2,"A07:2021: Identification and Authentication Failures":4},"per_framework":{"":{"java":{"":4}},"A01:2017: Injection":{"java":{"":5}},"A03:2021: Injection":{"java":{"":13}},"A04:2021: 
Insecure Design":{"java":{"":1}},"A01:2021: Broken Access Control":{"java":{"":8}},"A02:2017: Broken Authentication":{"java":{"":1}},"A05:2017: Broken Access Control":{"java":{"":2}},"A02:2021: Cryptographic Failures":{"java":{"":10}},"A03:2017: Sensitive Data Exposure":{"java":{"":12}},"A08:2017: Insecure Deserialization":{"java":{"":2}},"A05:2021: Security Misconfiguration":{"java":{"":5},"python":{"":1}},"A06:2017: Security Misconfiguration":{"python":{"":1}},"A07:2017: Cross-Site Scripting (XSS)":{"java":{"":2}},"A04:2017: XML External Entities (XXE)":{"java":{"":3}},"A08:2021: Software and Data Integrity Failures":{"java":{"":2}},"A9: Using Components with Known Vulnerabilities":{"java":{"":2}},"A07:2021: Identification and Authentication Failures":{"java":{"":4}}},"rules_with_no_owasp":["no-string-eqeq","assignment-comparison","eqeq","hardcoded-conditional"]}},"author":"Cristiano Corrado","counts":{"total_rules":51,"premium_rules":0},"hidden":true,"description":"","id":"oj9","name":"cristiano-corrado.java-test-ccc","visibility":"public","categories":[]},{"tags":[],"tier":null,"stats":{"cwe":{"totals":{"":4},"per_framework":{"":{"java":{"":4}},"CWE-287: Improper Authentication":{"java":{"":1}},"CWE-276: Incorrect Default Permissions":{"java":{"":1}},"CWE-326: Inadequate Encryption Strength":{"java":{"":5}},"CWE-295: Improper Certificate Validation":{"java":{"":2}},"CWE-183: Permissive List of Allowed Inputs":{"java":{"":1}},"CWE-352: Cross-Site Request Forgery (CSRF)":{"java":{"":2}},"CWE-502: Deserialization of Untrusted Data":{"java":{"":2}},"CWE-704: Incorrect Type Conversion or Cast":{"java":{"":1}},"CWE-676: Use of Potentially Dangerous Function":{"c":{"":1}},"CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag":{"java":{"":1}},"CWE-329: Generation of Predictable IV with CBC Mode":{"java":{"":1}},"CWE-319: Cleartext Transmission of Sensitive Information":{"java":{"":1}},"CWE-327: Use of a Broken or Risky Cryptographic Algorithm":{"java":{"":5}},"CWE-601: 
URL Redirection to Untrusted Site ('Open Redirect')":{"java":{"":2}},"CWE-297: Improper Validation of Certificate with Host Mismatch":{"java":{"":1}},"CWE-611: Improper Restriction of XML External Entity Reference":{"java":{"":3}},"CWE-94: Improper Control of Generation of Code ('Code Injection')":{"java":{"":4}},"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor":{"java":{"":1}},"CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')":{"java":{"":1}},"CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute":{"java":{"":1}},"CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')":{"java":{"":2}},"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')":{"java":{"":2}},"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')":{"java":{"":2}},"CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')":{"java":{"":2}},"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')":{"java":{"":1}},"CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')":{"java":{"":1}}},"rules_with_no_cwe":["no-string-eqeq","assignment-comparison","eqeq","hardcoded-conditional"]},"owasp":{"totals":{"":5,"A01:2017: Injection":5,"A03:2021: Injection":13,"A04:2021: Insecure Design":1,"A01:2021: Broken Access Control":8,"A02:2017: Broken Authentication":1,"A05:2017: Broken Access Control":2,"A02:2021: Cryptographic Failures":10,"A03:2017: Sensitive Data Exposure":12,"A08:2017: Insecure Deserialization":2,"A05:2021: Security Misconfiguration":5,"A07:2017: Cross-Site Scripting (XSS)":2,"A04:2017: XML External Entities (XXE)":3,"A08:2021: Software and Data Integrity Failures":2,"A9: Using Components with Known Vulnerabilities":2,"A07:2021: Identification and Authentication 
Failures":4},"per_framework":{"":{"c":{"":1},"java":{"":4}},"A01:2017: Injection":{"java":{"":5}},"A03:2021: Injection":{"java":{"":13}},"A04:2021: Insecure Design":{"java":{"":1}},"A01:2021: Broken Access Control":{"java":{"":8}},"A02:2017: Broken Authentication":{"java":{"":1}},"A05:2017: Broken Access Control":{"java":{"":2}},"A02:2021: Cryptographic Failures":{"java":{"":10}},"A03:2017: Sensitive Data Exposure":{"java":{"":12}},"A08:2017: Insecure Deserialization":{"java":{"":2}},"A05:2021: Security Misconfiguration":{"java":{"":5}},"A07:2017: Cross-Site Scripting (XSS)":{"java":{"":2}},"A04:2017: XML External Entities (XXE)":{"java":{"":3}},"A08:2021: Software and Data Integrity Failures":{"java":{"":2}},"A9: Using Components with Known Vulnerabilities":{"java":{"":2}},"A07:2021: Identification and Authentication Failures":{"java":{"":4}}},"rules_with_no_owasp":["insecure-use-gets-fn","no-string-eqeq","assignment-comparison","eqeq","hardcoded-conditional"]}},"author":"Paul Harrington","counts":{"total_rules":51,"premium_rules":0},"hidden":true,"description":"","id":"bep","name":"didn0t.ph-java-sec","visibility":"public","categories":[]},{"tags":[],"tier":null,"stats":{"cwe":{"totals":{"CWE-327: Use of a Broken or Risky Cryptographic Algorithm":5},"per_framework":{"CWE-798: Use of Hard-coded Credentials":{"javascript":{"":6}},"CWE-502: Deserialization of Untrusted Data":{"javascript":{"":1}},"CWE-918: Server-Side Request Forgery (SSRF)":{"javascript":{"":4}},"CWE-706: Use of Incorrectly-Resolved Name or Reference":{"javascript":{"":1}},"CWE-327: Use of a Broken or Risky Cryptographic Algorithm":{"javascript":{"":2}},"CWE-611: Improper Restriction of XML External Entity Reference":{"javascript":{"":2}},"CWE-94: Improper Control of Generation of Code (Code Injection)":{"javascript":{"":5}},"CWE-94: Improper Control of Generation of Code ('Code Injection')":{"javascript":{"":1}},"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site 
Scripting')":{"javascript":{"":1}},"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')":{"javascript":{"":1}}},"rules_with_no_cwe":[]},"owasp":{"totals":{"A1: Injection":5,"A01:2017: Injection":1,"A03:2021: Injection":3,"A01:2021: Broken Access Control":1,"A02:2021: Cryptographic Failures":2,"A03:2017: Sensitive Data Exposure":2,"A08:2017: Insecure Deserialization":1,"A05:2021: Security Misconfiguration":2,"A07:2017: Cross-Site Scripting (XSS)":1,"A04:2017: XML External Entities (XXE)":2,"A10:2021: Server-Side Request Forgery (SSRF)":4,"A08:2021: Software and Data Integrity Failures":1,"A07:2021: Identification and Authentication Failures":6},"per_framework":{"A1: Injection":{"javascript":{"":5}},"A01:2017: Injection":{"javascript":{"":1}},"A03:2021: Injection":{"javascript":{"":3}},"A01:2021: Broken Access Control":{"javascript":{"":1}},"A02:2021: Cryptographic Failures":{"javascript":{"":2}},"A03:2017: Sensitive Data Exposure":{"javascript":{"":2}},"A08:2017: Insecure Deserialization":{"javascript":{"":1}},"A05:2021: Security Misconfiguration":{"javascript":{"":2}},"A07:2017: Cross-Site Scripting (XSS)":{"javascript":{"":1}},"A04:2017: XML External Entities (XXE)":{"javascript":{"":2}},"A10:2021: Server-Side Request Forgery (SSRF)":{"javascript":{"":4}},"A08:2021: Software and Data Integrity Failures":{"javascript":{"":1}},"A07:2021: Identification and Authentication Failures":{"javascript":{"":6}}},"rules_with_no_owasp":[]}},"author":"Paolo del Mundo","counts":{"total_rules":24,"premium_rules":0},"hidden":true,"description":"","id":"Q3Q","name":"tmfrook.fool-javascript-pack","visibility":"public","categories":[]},{"tags":["node","node.js","nodejs","express","express.js"],"stats":{"cwe":{"totals":{"CWE-384: Session Fixation":1,"CWE-287: Improper Authentication":6,"CWE-346: Origin Validation Error":5,"CWE-798: Use of Hard-coded Credentials":21,"CWE-326: Inadequate Encryption Strength":1,"CWE-502: Deserialization of 
Untrusted Data":1,"CWE-918: Server-Side Request Forgery (SSRF)":55,"CWE-311: Missing Encryption of Sensitive Data":2,"CWE-522: Insufficiently Protected Credentials":7,"CWE-73: External Control of File Name or Path":1,"CWE-117: Improper Output Neutralization for Logs":1,"CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag":5,"CWE-1333: Inefficient Regular Expression Complexity":1,"CWE-306: Missing Authentication for Critical Function":2,"CWE-706: Use of Incorrectly-Resolved Name or Reference":2,"CWE-345: Insufficient Verification of Data Authenticity":1,"CWE-319: Cleartext Transmission of Sensitive Information":3,"CWE-327: Use of a Broken or Risky Cryptographic Algorithm":6,"CWE-548: Exposure of Information Through Directory Listing":1,"CWE-1275: Sensitive Cookie with Improper SameSite Attribute":6,"CWE-601: URL Redirection to Untrusted Site ('Open Redirect')":7,"CWE-611: Improper Restriction of XML External Entity Reference":6,"CWE-732: Incorrect Permission Assignment for Critical Resource":2,"CWE-94: Improper Control of Generation of Code ('Code Injection')":17,"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor":1,"CWE-916: Use of Password Hash With Insufficient Computational Effort":1,"CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute":6,"CWE-451: User Interface (UI) Misrepresentation of Critical Information":1,"CWE-943: Improper Neutralization of Special Elements in Data Query Logic":4,"CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine":2,"CWE-643: Improper Neutralization of Data within XPath Expressions ('XPath Injection')":1,"CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')":21,"CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')":1,"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')":31,"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL 
Injection')":37,"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')":2,"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')":8,"CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')":3},"per_framework":{"CWE-384: Session Fixation":{"javascript":{"":1}},"CWE-287: Improper Authentication":{"js":{"":6}},"CWE-346: Origin Validation Error":{"javascript":{"":5}},"CWE-798: Use of Hard-coded Credentials":{"js":{"":14},"javascript":{"":7}},"CWE-326: Inadequate Encryption Strength":{"javascript":{"":1}},"CWE-502: Deserialization of Untrusted Data":{"javascript":{"":1}},"CWE-918: Server-Side Request Forgery (SSRF)":{"javascript":{"":55}},"CWE-311: Missing Encryption of Sensitive Data":{"ts":{"":1},"typescript":{"":1}},"CWE-522: Insufficiently Protected Credentials":{"javascript":{"":7}},"CWE-73: External Control of File Name or Path":{"javascript":{"":1}},"CWE-117: Improper Output Neutralization for Logs":{"javascript":{"":1}},"CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag":{"javascript":{"":5}},"CWE-1333: Inefficient Regular Expression Complexity":{"javascript":{"":1}},"CWE-306: Missing Authentication for Critical Function":{"ts":{"":2}},"CWE-706: Use of Incorrectly-Resolved Name or Reference":{"javascript":{"":2}},"CWE-345: Insufficient Verification of Data Authenticity":{"javascript":{"":1}},"CWE-319: Cleartext Transmission of Sensitive Information":{"ts":{"":1},"javascript":{"":1},"typescript":{"":1}},"CWE-327: Use of a Broken or Risky Cryptographic Algorithm":{"javascript":{"":6}},"CWE-548: Exposure of Information Through Directory Listing":{"javascript":{"":1}},"CWE-1275: Sensitive Cookie with Improper SameSite Attribute":{"javascript":{"":6}},"CWE-601: URL Redirection to Untrusted Site ('Open Redirect')":{"javascript":{"":7}},"CWE-611: Improper Restriction of XML External Entity Reference":{"javascript":{"":6}},"CWE-732: 
Incorrect Permission Assignment for Critical Resource":{"javascript":{"":2}},"CWE-94: Improper Control of Generation of Code ('Code Injection')":{"javascript":{"":17}},"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor":{"javascript":{"":1}},"CWE-916: Use of Password Hash With Insufficient Computational Effort":{"javascript":{"":1}},"CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute":{"javascript":{"":6}},"CWE-451: User Interface (UI) Misrepresentation of Critical Information":{"javascript":{"":1}},"CWE-943: Improper Neutralization of Special Elements in Data Query Logic":{"javascript":{"":4}},"CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine":{"javascript":{"":2}},"CWE-643: Improper Neutralization of Data within XPath Expressions ('XPath Injection')":{"javascript":{"":1}},"CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')":{"javascript":{"":21}},"CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')":{"javascript":{"":1}},"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')":{"javascript":{"":16},"typescript":{"":15}},"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')":{"javascript":{"":37}},"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')":{"javascript":{"":2}},"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')":{"javascript":{"":8}},"CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')":{"javascript":{"":3}}},"rules_with_no_cwe":[]},"owasp":{"totals":{"":4,"A01:2017: Injection":51,"A03:2021: Injection":101,"A05:2025: Injection":101,"A04:2021: Insecure Design":11,"A06:2025: Insecure Design":11,"A01:2021: Broken Access Control":38,"A01:2025: Broken Access Control":91,"A02:2017: Broken 
Authentication":11,"A05:2017: Broken Access Control":21,"A02:2021: Cryptographic Failures":10,"A04:2025: Cryptographic Failures":10,"A03:2017: Sensitive Data Exposure":12,"A07:2025: Authentication Failures":35,"A08:2017: Insecure Deserialization":1,"A02:2025: Security Misconfiguration":17,"A05:2021: Security Misconfiguration":17,"A06:2017: Security Misconfiguration":1,"A07:2017: Cross-Site Scripting (XSS)":31,"A04:2017: XML External Entities (XXE)":6,"A10:2021: Server-Side Request Forgery (SSRF)":55,"A08:2025: Software or Data Integrity Failures":2,"A08:2021: Software and Data Integrity Failures":2,"A09:2025: Security Logging & Alerting Failures":1,"A09:2021: Security Logging and Monitoring Failures":1,"A07:2021: Identification and Authentication Failures":35},"per_framework":{"":{"javascript":{"":4}},"A01:2017: Injection":{"javascript":{"":51}},"A03:2021: Injection":{"javascript":{"":86},"typescript":{"":15}},"A05:2025: Injection":{"javascript":{"":86},"typescript":{"":15}},"A04:2021: Insecure Design":{"ts":{"":1},"javascript":{"":9},"typescript":{"":1}},"A06:2025: Insecure Design":{"ts":{"":1},"javascript":{"":9},"typescript":{"":1}},"A01:2021: Broken Access Control":{"javascript":{"":38}},"A01:2025: Broken Access Control":{"javascript":{"":91}},"A02:2017: Broken Authentication":{"js":{"":3},"javascript":{"":8}},"A05:2017: Broken Access Control":{"javascript":{"":21}},"A02:2021: Cryptographic Failures":{"ts":{"":1},"javascript":{"":8},"typescript":{"":1}},"A04:2025: Cryptographic Failures":{"ts":{"":1},"javascript":{"":8},"typescript":{"":1}},"A03:2017: Sensitive Data Exposure":{"ts":{"":2},"javascript":{"":8},"typescript":{"":2}},"A07:2025: Authentication Failures":{"js":{"":20},"ts":{"":2},"javascript":{"":13}},"A08:2017: Insecure Deserialization":{"javascript":{"":1}},"A02:2025: Security Misconfiguration":{"javascript":{"":17}},"A05:2021: Security Misconfiguration":{"javascript":{"":17}},"A06:2017: Security Misconfiguration":{"javascript":{"":1}},"A07:2017: 
Cross-Site Scripting (XSS)":{"javascript":{"":16},"typescript":{"":15}},"A04:2017: XML External Entities (XXE)":{"javascript":{"":6}},"A10:2021: Server-Side Request Forgery (SSRF)":{"javascript":{"":55}},"A08:2025: Software or Data Integrity Failures":{"javascript":{"":2}},"A08:2021: Software and Data Integrity Failures":{"javascript":{"":2}},"A09:2025: Security Logging & Alerting Failures":{"javascript":{"":1}},"A09:2021: Security Logging and Monitoring Failures":{"javascript":{"":1}},"A07:2021: Identification and Authentication Failures":{"js":{"":20},"ts":{"":2},"javascript":{"":13}}},"rules_with_no_owasp":["regexp-redos","cookies-default-express","session-cookie-default-express","dot-nestjs"]}},"author":"Semgrep","counts":{"total_rules":279,"premium_rules":208},"username":"semgrep","languages":["JavaScript","TypeScript"],"description":"Default ruleset for Express, curated by Semgrep.","id":"bke","name":"expressjs","visibility":"public","categories":[]},{"tags":[],"tier":null,"stats":{"cwe":{"totals":{"CWE-94: Improper Control of Generation of Code ('Code Injection')":4},"per_framework":{"":{"javascript":{"":3}},"CWE-328: Use of Weak Hash":{"java":{"":3},"clojure":{"":1}},"CWE-489: Active Debug Code":{"php":{"":1},"python":{"":1}},"CWE-778: Insufficient Logging":{"hcl":{"":1}},"CWE-23: Relative Path Traversal":{"php":{"":1},"java":{"":1}},"CWE-287: Improper Authentication":{"go":{"":8},"js":{"":5},"ruby":{"":6},"kotlin":{"":4},"python":{"":18}},"CWE-501: Trust Boundary Violation":{"java":{"":1}},"CWE-259: Use of Hard-coded Password":{"swift":{"":1}},"CWE-798: Use of Hard-coded Credentials":{"go":{"":10},"js":{"":22},"py":{"":1},"java":{"":21},"ruby":{"":18},"swift":{"":7},"csharp":{"":9},"kotlin":{"":21},"python":{"":34},"javascript":{"":7}},"CWE-326: Inadequate Encryption Strength":{"go":{"":1},"kt":{"":1},"hcl":{"":1},"java":{"":6},"ruby":{"":1},"swift":{"":2},"generic":{"":1},"terraform":{"":1},"javascript":{"":1}},"CWE-613: Insufficient Session 
Expiration":{"csharp":{"":1}},"CWE-352: Cross-Site Request Forgery (CSRF)":{"java":{"":1}},"CWE-502: Deserialization of Untrusted Data":{"C#":{"":1},"java":{"":2},"python":{"":58},"javascript":{"":1}},"CWE-780: Use of RSA Algorithm without OAEP":{"scala":{"":1}},"CWE-300: Channel Accessible by Non-Endpoint":{"go":{"":2}},"CWE-918: Server-Side Request Forgery (SSRF)":{"go":{"":4},"php":{"":1},"java":{"":4},"kotlin":{"":2},"javascript":{"":2}},"CWE-321: Use of Hard-coded Cryptographic Key":{"swift":{"":1}},"CWE-311: Missing Encryption of Sensitive Data":{"ruby":{"":1}},"CWE-522: Insufficiently Protected Credentials":{"scala":{"":2},"python":{"":1}},"CWE-668: Exposure of Resource to Wrong Sphere":{"python":{"":1}},"CWE-250: Execution with Unnecessary Privileges":{"yaml":{"":1}},"CWE-323: Reusing a Nonce, Key Pair in Encryption":{"java":{"":2}},"CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag":{"java":{"":2}},"CWE-1333: Inefficient Regular Expression Complexity":{"javascript":{"":1}},"CWE-329: Generation of Predictable IV with CBC Mode":{"php":{"":1},"java":{"":1}},"CWE-319: Cleartext Transmission of Sensitive Information":{"html":{"":1},"java":{"":1}},"CWE-327: Use of a Broken or Risky Cryptographic Algorithm":{"go":{"":4},"java":{"":9},"swift":{"":5},"csharp":{"":1},"kotlin":{"":1},"clojure":{"":1},"javascript":{"":3}},"CWE-601: URL Redirection to Untrusted Site ('Open Redirect')":{"javascript":{"":4}},"CWE-611: Improper Restriction of XML External Entity Reference":{"go":{"":2},"php":{"":2},"java":{"":24},"scala":{"":3},"javascript":{"":3}},"CWE-732: Incorrect Permission Assignment for Critical Resource":{"hcl":{"":1}},"CWE-94: Improper Control of Generation of Code ('Code Injection')":{"yaml":{"":1},"kotlin":{"":1},"generic":{"":1},"javascript":{"":2}},"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor":{"go":{"":1},"python":{"":1}},"CWE-916: Use of Password Hash With Insufficient Computational Effort":{"swift":{"":3}},"CWE-209: Generation of 
Error Message Containing Sensitive Information":{"csharp":{"":1}},"CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute":{"php":{"":1},"java":{"":2},"generic":{"":1}},"CWE-323: Nonces should be used for the present occasion and only once.":{"swift":{"":1}},"CWE-943: Improper Neutralization of Special Elements in Data Query Logic":{"go":{"":4},"kotlin":{"":5},"javascript":{"":1}},"CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)":{"csharp":{"":1}},"CWE-643: Improper Neutralization of Data within XPath Expressions ('XPath Injection')":{"java":{"":1}},"CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)":{"javascript":{"":1}},"CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')":{"go":{"":5},"java":{"":1}},"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')":{"go":{"":5},"java":{"":1},"kotlin":{"":1},"javascript":{"":3},"typescript":{"":11}},"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')":{"go":{"":11},"java":{"":3},"scala":{"":2},"kotlin":{"":5},"javascript":{"":4}},"CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')":{"java":{"":2}},"CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')":{"java":{"":16}},"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')":{"php":{"":1},"java":{"":2},"javascript":{"":1}},"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')":{"go":{"":4},"java":{"":2},"yaml":{"":1},"kotlin":{"":1},"python":{"":2}},"CWE-329: Not using a random initialization Vector (IV) with Cipher Block Chaining (CBC) Mode causes algorithms to be susceptible to dictionary 
attacks.":{"swift":{"":1}}},"rules_with_no_cwe":["javascript-debugger","javascript-confirm","javascript-prompt"]},"owasp":{"totals":{"":4,"A01:2017: Injection":48,"A03:2021: Injection":69,"A04:2021: Insecure Design":6,"A01:2021: Broken Access Control":16,"A02:2017: Broken Authentication":19,"A05:2017: Broken Access Control":6,"A02:2021: Cryptographic Failures":56,"A03:2017: Sensitive Data Exposure":44,"A08:2017: Insecure Deserialization":62,"A05:2021: Security Misconfiguration":43,"A06:2017: Security Misconfiguration":4,"A07:2017: Cross-Site Scripting (XSS)":21,"A04:2017: XML External Entities (XXE)":34,"A10:2021: Server-Side Request Forgery (SSRF)":13,"A08:2021: Software and Data Integrity Failures":62,"A09:2021: Security Logging and Monitoring Failures":1,"A07:2021: Identification and Authentication Failures":195},"per_framework":{"":{"javascript":{"":4}},"A01:2017: Injection":{"go":{"":19},"java":{"":8},"yaml":{"":1},"scala":{"":2},"kotlin":{"":11},"python":{"":2},"javascript":{"":5}},"A03:2021: Injection":{"go":{"":20},"php":{"":1},"java":{"":11},"yaml":{"":2},"scala":{"":2},"kotlin":{"":8},"python":{"":2},"generic":{"":1},"javascript":{"":11},"typescript":{"":11}},"A04:2021: Insecure Design":{"java":{"":1},"ruby":{"":1},"scala":{"":2},"csharp":{"":1},"python":{"":1}},"A01:2021: Broken Access Control":{"go":{"":6},"php":{"":1},"java":{"":3},"python":{"":2},"javascript":{"":4}},"A02:2017: Broken Authentication":{"go":{"":8},"js":{"":3},"scala":{"":2},"csharp":{"":1},"kotlin":{"":4},"python":{"":1}},"A05:2017: Broken Access Control":{"go":{"":5},"java":{"":1}},"A02:2021: Cryptographic Failures":{"go":{"":5},"kt":{"":1},"hcl":{"":1},"php":{"":1},"html":{"":1},"java":{"":22},"ruby":{"":1},"scala":{"":1},"swift":{"":13},"csharp":{"":2},"kotlin":{"":1},"clojure":{"":1},"generic":{"":1},"terraform":{"":1},"javascript":{"":4}},"A03:2017: Sensitive Data 
Exposure":{"go":{"":5},"kt":{"":1},"hcl":{"":1},"html":{"":1},"java":{"":19},"ruby":{"":2},"swift":{"":7},"kotlin":{"":1},"clojure":{"":1},"generic":{"":1},"terraform":{"":1},"javascript":{"":4}},"A08:2017: Insecure Deserialization":{"C#":{"":1},"java":{"":2},"python":{"":58},"javascript":{"":1}},"A05:2021: Security Misconfiguration":{"go":{"":2},"hcl":{"":1},"php":{"":4},"java":{"":28},"yaml":{"":1},"scala":{"":3},"generic":{"":1},"javascript":{"":3}},"A06:2017: Security Misconfiguration":{"php":{"":1},"yaml":{"":1},"csharp":{"":1},"python":{"":1}},"A07:2017: Cross-Site Scripting (XSS)":{"go":{"":5},"java":{"":1},"kotlin":{"":1},"javascript":{"":3},"typescript":{"":11}},"A04:2017: XML External Entities (XXE)":{"go":{"":2},"php":{"":2},"java":{"":24},"scala":{"":3},"javascript":{"":3}},"A10:2021: Server-Side Request Forgery (SSRF)":{"go":{"":4},"php":{"":1},"java":{"":4},"kotlin":{"":2},"javascript":{"":2}},"A08:2021: Software and Data Integrity Failures":{"C#":{"":1},"java":{"":2},"python":{"":58},"javascript":{"":1}},"A09:2021: Security Logging and Monitoring Failures":{"hcl":{"":1}},"A07:2021: Identification and Authentication Failures":{"go":{"":20},"js":{"":27},"py":{"":1},"java":{"":21},"ruby":{"":24},"swift":{"":8},"csharp":{"":10},"kotlin":{"":25},"python":{"":52},"javascript":{"":7}}},"rules_with_no_owasp":["regexp-redos","javascript-debugger","javascript-confirm","javascript-prompt"]}},"author":"Daniel Cuthbert","counts":{"total_rules":476,"premium_rules":374},"hidden":true,"description":"because we like quick ","id":"jeY","name":"danielcuthbert.quickjs","visibility":"public","categories":[]},{"tags":[],"stats":{"cwe":{"totals":{"":1},"per_framework":{"":{"go":{"":2}},"CWE-300: Channel Accessible by Non-Endpoint":{"go":{"":2}},"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')":{"go":{"":1}}},"rules_with_no_cwe":["hardcoded-eq-true-or-false","eqeq-is-bad"]},"owasp":{"totals":{"":2,"A01:2017: 
Injection":1,"A03:2021: Injection":1,"A07:2021: Identification and Authentication Failures":2},"per_framework":{"":{"go":{"":2}},"A01:2017: Injection":{"go":{"":1}},"A03:2021: Injection":{"go":{"":1}},"A07:2021: Identification and Authentication Failures":{"go":{"":2}}},"rules_with_no_owasp":["hardcoded-eq-true-or-false","eqeq-is-bad"]}},"author":"amccabe-splk","counts":{"total_rules":5,"premium_rules":0},"hidden":true,"description":"","id":"A08","name":"amccabe-splk.hack1046golang-2","visibility":"public","categories":[]},{"tags":[],"stats":{"cwe":{"totals":{"CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')":1},"per_framework":{"":{"python":{"":16}},"CWE-489: Active Debug Code":{"python":{"":1}},"CWE-521: Weak Password Requirements":{"python":{"":1}},"CWE-295: Improper Certificate Validation":{"python":{"":1}},"CWE-502: Deserialization of Untrusted Data":{"python":{"":2}},"CWE-918: Server-Side Request Forgery (SSRF)":{"python":{"":1}},"CWE-523: Unprotected Transport of Credentials":{"python":{"":1}},"CWE-319: Cleartext Transmission of Sensitive Information":{"python":{"":1}},"CWE-601: URL Redirection to Untrusted Site ('Open Redirect')":{"python":{"":1}},"CWE-611: Improper Restriction of XML External Entity Reference":{"python":{"":1}},"CWE-1236: Improper Neutralization of Formula Elements in a CSV File":{"python":{"":1}},"CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')":{"python":{"":1}},"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')":{"python":{"":2}},"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')":{"python":{"":2}},"CWE-96: Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')":{"python":{"":1}},"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command 
Injection')":{"python":{"":1}}},"rules_with_no_cwe":["use-count-method","use-earliest-or-latest","string-field-must-set-null-true","nontext-field-must-set-null-true","delete-where-no-execute","tempfile-without-flush","tempfile-insecure","raise-not-base-exception","string-is-comparison","identical-is-comparison","default-mutable-dict","default-mutable-list","is-not-is-not","useless-eqeq","yield-in-init","return-in-init"]},"owasp":{"totals":{"":16,"A01:2017: Injection":4,"A03:2021: Injection":6,"A01:2021: Broken Access Control":2,"A02:2017: Broken Authentication":1,"A05:2017: Broken Access Control":1,"A02:2021: Cryptographic Failures":2,"A03:2017: Sensitive Data Exposure":2,"A08:2017: Insecure Deserialization":2,"A05:2021: Security Misconfiguration":2,"A04:2017: XML External Entities (XXE)":1,"A10:2021: Server-Side Request Forgery (SSRF)":1,"A08:2021: Software and Data Integrity Failures":2,"A07:2021: Identification and Authentication Failures":2},"per_framework":{"":{"python":{"":16}},"A01:2017: Injection":{"python":{"":4}},"A03:2021: Injection":{"python":{"":6}},"A01:2021: Broken Access Control":{"python":{"":2}},"A02:2017: Broken Authentication":{"python":{"":1}},"A05:2017: Broken Access Control":{"python":{"":1}},"A02:2021: Cryptographic Failures":{"python":{"":2}},"A03:2017: Sensitive Data Exposure":{"python":{"":2}},"A08:2017: Insecure Deserialization":{"python":{"":2}},"A05:2021: Security Misconfiguration":{"python":{"":2}},"A04:2017: XML External Entities (XXE)":{"python":{"":1}},"A10:2021: Server-Side Request Forgery (SSRF)":{"python":{"":1}},"A08:2021: Software and Data Integrity Failures":{"python":{"":2}},"A07:2021: Identification and Authentication 
Failures":{"python":{"":2}}},"rules_with_no_owasp":["use-count-method","use-earliest-or-latest","string-field-must-set-null-true","nontext-field-must-set-null-true","delete-where-no-execute","tempfile-without-flush","tempfile-insecure","raise-not-base-exception","string-is-comparison","identical-is-comparison","default-mutable-dict","default-mutable-list","is-not-is-not","useless-eqeq","yield-in-init","return-in-init"]}},"author":"amccabe-splk","counts":{"total_rules":34,"premium_rules":0},"hidden":true,"description":"","id":"BK2","name":"amccabe-splk.hack1046golang","visibility":"public","categories":[]},{"tags":[],"stats":{"cwe":{"totals":{"CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')":1},"per_framework":{"":{"python":{"":16}},"CWE-489: Active Debug Code":{"python":{"":1}},"CWE-521: Weak Password Requirements":{"python":{"":1}},"CWE-295: Improper Certificate Validation":{"python":{"":1}},"CWE-502: Deserialization of Untrusted Data":{"python":{"":2}},"CWE-918: Server-Side Request Forgery (SSRF)":{"python":{"":1}},"CWE-523: Unprotected Transport of Credentials":{"python":{"":1}},"CWE-319: Cleartext Transmission of Sensitive Information":{"python":{"":1}},"CWE-601: URL Redirection to Untrusted Site ('Open Redirect')":{"python":{"":1}},"CWE-611: Improper Restriction of XML External Entity Reference":{"python":{"":1}},"CWE-1236: Improper Neutralization of Formula Elements in a CSV File":{"python":{"":1}},"CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')":{"python":{"":1}},"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')":{"python":{"":2}},"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')":{"python":{"":2}},"CWE-96: Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')":{"python":{"":1}},"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS 
Command Injection')":{"python":{"":1}}},"rules_with_no_cwe":["use-count-method","use-earliest-or-latest","string-field-must-set-null-true","nontext-field-must-set-null-true","delete-where-no-execute","tempfile-without-flush","tempfile-insecure","raise-not-base-exception","string-is-comparison","identical-is-comparison","default-mutable-dict","default-mutable-list","is-not-is-not","useless-eqeq","yield-in-init","return-in-init"]},"owasp":{"totals":{"":16,"A01:2017: Injection":4,"A03:2021: Injection":6,"A01:2021: Broken Access Control":2,"A02:2017: Broken Authentication":1,"A05:2017: Broken Access Control":1,"A02:2021: Cryptographic Failures":2,"A03:2017: Sensitive Data Exposure":2,"A08:2017: Insecure Deserialization":2,"A05:2021: Security Misconfiguration":2,"A04:2017: XML External Entities (XXE)":1,"A10:2021: Server-Side Request Forgery (SSRF)":1,"A08:2021: Software and Data Integrity Failures":2,"A07:2021: Identification and Authentication Failures":2},"per_framework":{"":{"python":{"":16}},"A01:2017: Injection":{"python":{"":4}},"A03:2021: Injection":{"python":{"":6}},"A01:2021: Broken Access Control":{"python":{"":2}},"A02:2017: Broken Authentication":{"python":{"":1}},"A05:2017: Broken Access Control":{"python":{"":1}},"A02:2021: Cryptographic Failures":{"python":{"":2}},"A03:2017: Sensitive Data Exposure":{"python":{"":2}},"A08:2017: Insecure Deserialization":{"python":{"":2}},"A05:2021: Security Misconfiguration":{"python":{"":2}},"A04:2017: XML External Entities (XXE)":{"python":{"":1}},"A10:2021: Server-Side Request Forgery (SSRF)":{"python":{"":1}},"A08:2021: Software and Data Integrity Failures":{"python":{"":2}},"A07:2021: Identification and Authentication 
Failures":{"python":{"":2}}},"rules_with_no_owasp":["use-count-method","use-earliest-or-latest","string-field-must-set-null-true","nontext-field-must-set-null-true","delete-where-no-execute","tempfile-without-flush","tempfile-insecure","raise-not-base-exception","string-is-comparison","identical-is-comparison","default-mutable-dict","default-mutable-list","is-not-is-not","useless-eqeq","yield-in-init","return-in-init"]}},"author":"amccabe-splk","counts":{"total_rules":34,"premium_rules":0},"hidden":true,"description":"","id":"0v5","name":"amccabe-splk.hack1046js-all","visibility":"public","categories":[]},{"tags":["java","security"],"stats":{"cwe":{"totals":{"CWE-295: Improper Certificate Validation":4},"per_framework":{"CWE-287: Improper Authentication":{"java":{"":1}},"CWE-276: Incorrect Default Permissions":{"java":{"":1}},"CWE-326: Inadequate Encryption Strength":{"java":{"":5}},"CWE-295: Improper Certificate Validation":{"java":{"":2}},"CWE-183: Permissive List of Allowed Inputs":{"java":{"":1}},"CWE-352: Cross-Site Request Forgery (CSRF)":{"java":{"":1}},"CWE-502: Deserialization of Untrusted Data":{"java":{"":1}},"CWE-704: Incorrect Type Conversion or Cast":{"java":{"":1}},"CWE-116: Improper Encoding or Escaping of Output":{"regex":{"":2}},"CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag":{"java":{"":1}},"CWE-329: Generation of Predictable IV with CBC Mode":{"java":{"":1}},"CWE-319: Cleartext Transmission of Sensitive Information":{"java":{"":15}},"CWE-327: Use of a Broken or Risky Cryptographic Algorithm":{"java":{"":4}},"CWE-601: URL Redirection to Untrusted Site ('Open Redirect')":{"java":{"":2}},"CWE-297: Improper Validation of Certificate with Host Mismatch":{"java":{"":1}},"CWE-611: Improper Restriction of XML External Entity Reference":{"java":{"":3}},"CWE-94: Improper Control of Generation of Code ('Code Injection')":{"java":{"":4}},"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor":{"java":{"":1}},"CWE-93: Improper 
Neutralization of CRLF Sequences ('CRLF Injection')":{"java":{"":1}},"CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute":{"java":{"":1}},"CWE-150: Improper Neutralization of Escape, Meta, or Control Sequences":{"regex":{"":1}},"CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')":{"java":{"":2}},"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')":{"java":{"":3}},"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')":{"java":{"":3}},"CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')":{"java":{"":2}},"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')":{"java":{"":1}},"CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')":{"java":{"":1}}},"rules_with_no_cwe":[]},"owasp":{"totals":{"A01:2017: Injection":6,"A03:2021: Injection":17,"A04:2021: Insecure Design":1,"A01:2021: Broken Access Control":7,"A02:2017: Broken Authentication":1,"A05:2017: Broken Access Control":2,"A02:2021: Cryptographic Failures":9,"A03:2017: Sensitive Data Exposure":25,"A08:2017: Insecure Deserialization":1,"A05:2021: Security Misconfiguration":5,"A07:2017: Cross-Site Scripting (XSS)":4,"A04:2017: XML External Entities (XXE)":3,"A08:2021: Software and Data Integrity Failures":1,"A9: Using Components with Known Vulnerabilities":2,"A07:2021: Identification and Authentication Failures":4},"per_framework":{"A01:2017: Injection":{"java":{"":6}},"A03:2021: Injection":{"java":{"":15},"regex":{"":2}},"A04:2021: Insecure Design":{"java":{"":1}},"A01:2021: Broken Access Control":{"java":{"":7}},"A02:2017: Broken Authentication":{"java":{"":1}},"A05:2017: Broken Access Control":{"java":{"":2}},"A02:2021: Cryptographic Failures":{"java":{"":9}},"A03:2017: Sensitive Data Exposure":{"java":{"":25}},"A08:2017: Insecure 
Deserialization":{"java":{"":1}},"A05:2021: Security Misconfiguration":{"java":{"":5}},"A07:2017: Cross-Site Scripting (XSS)":{"java":{"":3},"regex":{"":1}},"A04:2017: XML External Entities (XXE)":{"java":{"":3}},"A08:2021: Software and Data Integrity Failures":{"java":{"":1}},"A9: Using Components with Known Vulnerabilities":{"java":{"":2}},"A07:2021: Identification and Authentication Failures":{"java":{"":4}}},"rules_with_no_owasp":[]}},"author":"r2c","counts":{"total_rules":62,"premium_rules":1},"hidden":true,"description":"r2c Java security rules, combined","id":"G6B","name":"mschwager.java-security-rules","visibility":"public","categories":[]},{"tags":[],"stats":{"cwe":{"totals":{"CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')":1},"per_framework":{"":{"python":{"":16}},"CWE-489: Active Debug Code":{"python":{"":1}},"CWE-521: Weak Password Requirements":{"python":{"":1}},"CWE-295: Improper Certificate Validation":{"python":{"":1}},"CWE-502: Deserialization of Untrusted Data":{"python":{"":2}},"CWE-918: Server-Side Request Forgery (SSRF)":{"python":{"":1}},"CWE-523: Unprotected Transport of Credentials":{"python":{"":1}},"CWE-319: Cleartext Transmission of Sensitive Information":{"python":{"":1}},"CWE-601: URL Redirection to Untrusted Site ('Open Redirect')":{"python":{"":1}},"CWE-611: Improper Restriction of XML External Entity Reference":{"python":{"":1}},"CWE-1236: Improper Neutralization of Formula Elements in a CSV File":{"python":{"":1}},"CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')":{"python":{"":1}},"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')":{"python":{"":2}},"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')":{"python":{"":2}},"CWE-96: Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')":{"python":{"":1}},"CWE-78: Improper Neutralization of 
Special Elements used in an OS Command ('OS Command Injection')":{"python":{"":1}}},"rules_with_no_cwe":["use-count-method","use-earliest-or-latest","string-field-must-set-null-true","nontext-field-must-set-null-true","delete-where-no-execute","tempfile-without-flush","tempfile-insecure","raise-not-base-exception","string-is-comparison","identical-is-comparison","default-mutable-dict","default-mutable-list","is-not-is-not","useless-eqeq","yield-in-init","return-in-init"]},"owasp":{"totals":{"":16,"A01:2017: Injection":4,"A03:2021: Injection":6,"A01:2021: Broken Access Control":2,"A02:2017: Broken Authentication":1,"A05:2017: Broken Access Control":1,"A02:2021: Cryptographic Failures":2,"A03:2017: Sensitive Data Exposure":2,"A08:2017: Insecure Deserialization":2,"A05:2021: Security Misconfiguration":2,"A04:2017: XML External Entities (XXE)":1,"A10:2021: Server-Side Request Forgery (SSRF)":1,"A08:2021: Software and Data Integrity Failures":2,"A07:2021: Identification and Authentication Failures":2},"per_framework":{"":{"python":{"":16}},"A01:2017: Injection":{"python":{"":4}},"A03:2021: Injection":{"python":{"":6}},"A01:2021: Broken Access Control":{"python":{"":2}},"A02:2017: Broken Authentication":{"python":{"":1}},"A05:2017: Broken Access Control":{"python":{"":1}},"A02:2021: Cryptographic Failures":{"python":{"":2}},"A03:2017: Sensitive Data Exposure":{"python":{"":2}},"A08:2017: Insecure Deserialization":{"python":{"":2}},"A05:2021: Security Misconfiguration":{"python":{"":2}},"A04:2017: XML External Entities (XXE)":{"python":{"":1}},"A10:2021: Server-Side Request Forgery (SSRF)":{"python":{"":1}},"A08:2021: Software and Data Integrity Failures":{"python":{"":2}},"A07:2021: Identification and Authentication 
Failures":{"python":{"":2}}},"rules_with_no_owasp":["use-count-method","use-earliest-or-latest","string-field-must-set-null-true","nontext-field-must-set-null-true","delete-where-no-execute","tempfile-without-flush","tempfile-insecure","raise-not-base-exception","string-is-comparison","identical-is-comparison","default-mutable-dict","default-mutable-list","is-not-is-not","useless-eqeq","yield-in-init","return-in-init"]}},"author":"amccabe-splk","counts":{"total_rules":34,"premium_rules":0},"hidden":true,"description":"","id":"KJX","name":"amccabe-splk.hack1046js","visibility":"public","categories":[]},{"stats":{"cwe":{"totals":{"CWE-319: Cleartext Transmission of Sensitive Information":1},"per_framework":{"CWE-328: Use of Weak Hash":{"java":{"":2},"ruby":{"":2}},"CWE-489: Active Debug Code":{"php":{"":1},"java":{"":2}},"CWE-862: Missing Authorization":{"csharp":{"":1}},"CWE-284: Improper Access Control":{"hcl":{"":2},"ruby":{"":1},"yaml":{"":1}},"CWE-287: Improper Authentication":{"kt":{"":1},"hcl":{"":1},"python":{"":1}},"CWE-346: Origin Validation Error":{"javascript":{"":1}},"CWE-521: Weak Password Requirements":{"python":{"":2}},"CWE-276: Incorrect Default Permissions":{"ruby":{"":1},"python":{"":1}},"CWE-798: Use of Hard-coded Credentials":{"go":{"":1},"js":{"":6},"py":{"":1},"hcl":{"":1},"java":{"":7},"ruby":{"":2},"yaml":{"":1},"regex":{"":1},"swift":{"":7},"csharp":{"":9},"python":{"":10},"generic":{"":1},"javascript":{"":5}},"CWE-326: Inadequate Encryption Strength":{"go":{"":1},"kt":{"":1},"hcl":{"":14},"java":{"":6},"ruby":{"":1},"python":{"":7},"generic":{"":2},"terraform":{"":2},"javascript":{"":1}},"CWE-295: Improper Certificate Validation":{"hcl":{"":1},"ruby":{"":1},"python":{"":2}},"CWE-613: Insufficient Session Expiration":{"csharp":{"":1}},"CWE-290: Authentication Bypass by Spoofing":{"generic":{"":1}},"CWE-352: Cross-Site Request Forgery (CSRF)":{"go":{"":1},"java":{"":1},"python":{"":3},"generic":{"":1}},"CWE-780: Use of RSA Algorithm without 
OAEP":{"scala":{"":1}},"CWE-300: Channel Accessible by Non-Endpoint":{"go":{"":2}},"CWE-320: CWE CATEGORY: Key Management Errors":{"hcl":{"":8}},"CWE-311: Missing Encryption of Sensitive Data":{"ts":{"":1},"hcl":{"":3},"ruby":{"":1},"typescript":{"":1}},"CWE-522: Insufficiently Protected Credentials":{"hcl":{"":1},"scala":{"":2},"python":{"":1},"javascript":{"":2}},"CWE-250: Execution with Unnecessary Privileges":{"hcl":{"":1},"json":{"":1},"yaml":{"":2}},"CWE-116: Improper Encoding or Escaping of Output":{"python":{"":2}},"CWE-323: Reusing a Nonce, Key Pair in Encryption":{"java":{"":2}},"CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag":{"go":{"":2},"php":{"":1},"java":{"":2},"python":{"":4}},"CWE-322: Key Exchange without Entity Authentication":{"go":{"":1}},"CWE-329: Generation of Predictable IV with CBC Mode":{"php":{"":1},"java":{"":1}},"CWE-319: Cleartext Transmission of Sensitive Information":{"go":{"":1},"ts":{"":1},"hcl":{"":3},"php":{"":1},"java":{"":1},"yaml":{"":2},"python":{"":2},"typescript":{"":1}},"CWE-327: Use of a Broken or Risky Cryptographic Algorithm":{"go":{"":10},"kt":{"":4},"php":{"":1},"java":{"":5},"ruby":{"":1},"python":{"":22},"javascript":{"":2}},"CWE-347: Improper Verification of Cryptographic Signature":{"csharp":{"":1}},"CWE-639: Authorization Bypass Through User-Controlled Key":{"ruby":{"":1}},"CWE-540: Inclusion of Sensitive Information in Source Code":{"ruby":{"":1}},"CWE-1275: Sensitive Cookie with Improper SameSite Attribute":{"python":{"":3}},"CWE-441: Unintended Proxy or Intermediary ('Confused Deputy')":{"generic":{"":1}},"CWE-297: Improper Validation of Certificate with Host Mismatch":{"java":{"":1}},"CWE-611: Improper Restriction of XML External Entity Reference":{"php":{"":2},"java":{"":23},"scala":{"":3},"csharp":{"":3},"python":{"":1},"javascript":{"":4}},"CWE-732: Incorrect Permission Assignment for Critical Resource":{"hcl":{"":4},"yaml":{"":1}},"CWE-94: Improper Control of Generation of Code ('Code 
Injection')":{"ruby":{"":1}},"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor":{"go":{"":1},"hcl":{"":1},"php":{"":1},"java":{"":1},"ruby":{"":1},"yaml":{"":2},"python":{"":1},"generic":{"":2}},"CWE-264: CWE CATEGORY: Permissions, Privileges, and Access Controls":{"json":{"":2}},"CWE-209: Generation of Error Message Containing Sensitive Information":{"csharp":{"":1}},"CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute":{"go":{"":2},"php":{"":1},"java":{"":2},"python":{"":4},"generic":{"":2}},"CWE-943: Improper Neutralization of Special Elements in Data Query Logic":{"python":{"":1},"javascript":{"":2}},"CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)":{"go":{"":1}},"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')":{"go":{"":8},"php":{"":5},"java":{"":13},"ruby":{"":7},"scala":{"":3},"csharp":{"":1},"python":{"":13},"javascript":{"":9}},"CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')":{"java":{"":17}}},"rules_with_no_cwe":[]},"owasp":{"totals":{"A01:2017: Injection":62,"A03:2021: Injection":62,"A04:2021: Insecure Design":13,"A01:2021: Broken Access Control":31,"A02:2017: Broken Authentication":10,"A05:2017: Broken Access Control":5,"A02:2021: Cryptographic Failures":104,"A03:2017: Sensitive Data Exposure":114,"A05:2021: Security Misconfiguration":68,"A06:2017: Security Misconfiguration":9,"A04:2017: XML External Entities (XXE)":36,"A10:2004: Insecure Configuration Management":2,"A07:2021: Identification and Authentication Failures":67},"per_framework":{"A01:2017: Injection":{"go":{"":8},"php":{"":5},"java":{"":13},"ruby":{"":7},"scala":{"":3},"csharp":{"":1},"python":{"":14},"javascript":{"":11}},"A03:2021: Injection":{"go":{"":8},"php":{"":5},"java":{"":13},"ruby":{"":8},"scala":{"":3},"csharp":{"":1},"python":{"":15},"javascript":{"":9}},"A04:2021: Insecure 
Design":{"ts":{"":1},"hcl":{"":4},"ruby":{"":1},"scala":{"":2},"csharp":{"":1},"python":{"":1},"javascript":{"":2},"typescript":{"":1}},"A01:2021: Broken Access Control":{"go":{"":2},"hcl":{"":3},"php":{"":1},"java":{"":2},"json":{"":2},"ruby":{"":5},"yaml":{"":3},"csharp":{"":1},"python":{"":8},"generic":{"":4}},"A02:2017: Broken Authentication":{"kt":{"":1},"hcl":{"":2},"scala":{"":2},"csharp":{"":1},"python":{"":2},"javascript":{"":2}},"A05:2017: Broken Access Control":{"hcl":{"":2},"ruby":{"":2},"yaml":{"":1}},"A02:2021: Cryptographic Failures":{"go":{"":14},"kt":{"":5},"ts":{"":1},"hcl":{"":17},"php":{"":3},"java":{"":17},"ruby":{"":4},"yaml":{"":2},"scala":{"":1},"csharp":{"":1},"python":{"":31},"generic":{"":2},"terraform":{"":2},"javascript":{"":3},"typescript":{"":1}},"A03:2017: Sensitive Data Exposure":{"go":{"":12},"kt":{"":5},"ts":{"":2},"hcl":{"":29},"php":{"":2},"java":{"":14},"ruby":{"":6},"yaml":{"":2},"python":{"":33},"generic":{"":2},"terraform":{"":2},"javascript":{"":3},"typescript":{"":2}},"A05:2021: Security Misconfiguration":{"go":{"":4},"hcl":{"":5},"php":{"":5},"java":{"":29},"json":{"":1},"yaml":{"":3},"scala":{"":3},"csharp":{"":3},"python":{"":9},"generic":{"":2},"javascript":{"":4}},"A06:2017: Security Misconfiguration":{"hcl":{"":1},"php":{"":1},"java":{"":2},"json":{"":1},"yaml":{"":3},"csharp":{"":1}},"A04:2017: XML External Entities (XXE)":{"php":{"":2},"java":{"":23},"scala":{"":3},"csharp":{"":3},"python":{"":1},"javascript":{"":4}},"A10:2004: Insecure Configuration Management":{"java":{"":2}},"A07:2021: Identification and Authentication Failures":{"go":{"":3},"js":{"":6},"kt":{"":1},"py":{"":1},"hcl":{"":3},"java":{"":8},"ruby":{"":3},"yaml":{"":1},"regex":{"":1},"swift":{"":7},"csharp":{"":10},"python":{"":15},"generic":{"":2},"javascript":{"":6}}},"rules_with_no_owasp":[]}},"author":"Semgrep","counts":{"total_rules":356,"premium_rules":84},"hidden":true,"username":"returntocorp","description":"This is an auditor-oriented set of 
rules that covers broken cryptography, insecure data transport, XXE, CSRF, broken authn/authz, SQLi.","id":"2LlL","name":"audit-poc-20221019","visibility":"public","categories":[]},{"tags":[],"stats":{"cwe":{"totals":{"CWE-300: Channel Accessible by Non-Endpoint":1},"per_framework":{"CWE-300: Channel Accessible by Non-Endpoint":{"go":{"":2}},"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')":{"go":{"":1}}},"rules_with_no_cwe":[]},"owasp":{"totals":{"A01:2017: Injection":1,"A03:2021: Injection":1,"A07:2021: Identification and Authentication Failures":2},"per_framework":{"A01:2017: Injection":{"go":{"":1}},"A03:2021: Injection":{"go":{"":1}},"A07:2021: Identification and Authentication Failures":{"go":{"":2}}},"rules_with_no_owasp":[]}},"author":"Daghan Altas","counts":{"total_rules":3,"premium_rules":0},"hidden":true,"description":"These are the go security error only rules ","id":"pdg","name":"daghan.daghan-go-sec-only","visibility":"public","categories":[]},{"tags":[],"stats":{"cwe":{"totals":{"CWE-523: Unprotected Transport of Credentials":1},"per_framework":{"":{"python":{"":7}},"CWE-798: Use of Hard-coded Credentials":{"python":{"":1}},"CWE-295: Improper Certificate Validation":{"python":{"":1}},"CWE-523: Unprotected Transport of Credentials":{"python":{"":1}},"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')":{"python":{"":1}}},"rules_with_no_cwe":["use-click-secho","bokeh-deprecated-apis","len-all-count","batch-import","delete-where-no-execute","bad-operator-in-filter","use-timeout"]},"owasp":{"totals":{"":7,"A01:2017: Injection":1,"A03:2021: Injection":1,"A02:2017: Broken Authentication":1,"A02:2021: Cryptographic Failures":1,"A03:2017: Sensitive Data Exposure":1,"A07:2021: Identification and Authentication Failures":2},"per_framework":{"":{"python":{"":7}},"A01:2017: Injection":{"python":{"":1}},"A03:2021: Injection":{"python":{"":1}},"A02:2017: Broken 
Authentication":{"python":{"":1}},"A02:2021: Cryptographic Failures":{"python":{"":1}},"A03:2017: Sensitive Data Exposure":{"python":{"":1}},"A07:2021: Identification and Authentication Failures":{"python":{"":2}}},"rules_with_no_owasp":["use-click-secho","bokeh-deprecated-apis","len-all-count","batch-import","delete-where-no-execute","bad-operator-in-filter","use-timeout"]}},"author":"minusworld","counts":{"total_rules":11,"premium_rules":0},"hidden":true,"description":"Rules for not lang, not Flask, and not Django. 2020-06-18","id":"DqY","name":"minusworld.python-minor-modules","visibility":"public","categories":[]},{"tags":[],"tier":null,"stats":{"cwe":{"totals":{"CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)":1},"per_framework":{"":{"go":{"":4}},"CWE-489: Active Debug Code":{"go":{"":1}},"CWE-377: Insecure Temporary File":{"go":{"":1}},"CWE-798: Use of Hard-coded Credentials":{"go":{"":1}},"CWE-300: Channel Accessible by Non-Endpoint":{"go":{"":2}},"CWE-322: Key Exchange without Entity Authentication":{"go":{"":1}},"CWE-319: Cleartext Transmission of Sensitive Information":{"go":{"":1}},"CWE-327: Use of a Broken or Risky Cryptographic Algorithm":{"go":{"":4}},"CWE-94: Improper Control of Generation of Code ('Code Injection')":{"go":{"":1}},"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor":{"go":{"":1}},"CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)":{"go":{"":1}},"CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')":{"go":{"":1}},"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')":{"go":{"":5}},"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')":{"go":{"":1}}},"rules_with_no_cwe":["channel-guarded-with-mutex","hidden-goroutine","useless-if-conditional","useless-if-body"]},"owasp":{"totals":{"":4,"A01:2017: Injection":1,"A03:2021: Injection":7,"A01:2021: Broken 
Access Control":3,"A05:2017: Broken Access Control":1,"A02:2021: Cryptographic Failures":7,"A03:2017: Sensitive Data Exposure":5,"A06:2017: Security Misconfiguration":1,"A07:2017: Cross-Site Scripting (XSS)":5,"A07:2021: Identification and Authentication Failures":3},"per_framework":{"":{"go":{"":4}},"A01:2017: Injection":{"go":{"":1}},"A03:2021: Injection":{"go":{"":7}},"A01:2021: Broken Access Control":{"go":{"":3}},"A05:2017: Broken Access Control":{"go":{"":1}},"A02:2021: Cryptographic Failures":{"go":{"":7}},"A03:2017: Sensitive Data Exposure":{"go":{"":5}},"A06:2017: Security Misconfiguration":{"go":{"":1}},"A07:2017: Cross-Site Scripting (XSS)":{"go":{"":5}},"A07:2021: Identification and Authentication Failures":{"go":{"":3}}},"rules_with_no_owasp":["channel-guarded-with-mutex","hidden-goroutine","useless-if-conditional","useless-if-body"]}},"author":"Kristin Mayo","counts":{"total_rules":25,"premium_rules":0},"hidden":true,"description":"","id":"yvx","name":"kristinnmayo.go","visibility":"public","categories":[]},{"tags":[],"tier":null,"stats":{"cwe":{"totals":{"CWE-502: Deserialization of Untrusted Data":1},"per_framework":{"CWE-489: Active Debug Code":{"python":{"":1}},"CWE-798: Use of Hard-coded Credentials":{"ruby":{"":1},"python":{"":1},"javascript":{"":1}},"CWE-502: Deserialization of Untrusted Data":{"java":{"":2},"python":{"":8},"javascript":{"":1}},"CWE-300: Channel Accessible by Non-Endpoint":{"go":{"":2}},"CWE-242: Use of Inherently Dangerous Function":{"go":{"":1}},"CWE-116: Improper Encoding or Escaping of Output":{"python":{"":1}},"CWE-706: Use of Incorrectly-Resolved Name or Reference":{"javascript":{"":1}},"CWE-345: Insufficient Verification of Data Authenticity":{"javascript":{"":1}},"CWE-319: Cleartext Transmission of Sensitive Information":{"go":{"":1}},"CWE-327: Use of a Broken or Risky Cryptographic Algorithm":{"javascript":{"":1}},"CWE-94: Improper Control of Generation of Code ('Code 
Injection')":{"java":{"":1},"ruby":{"":2},"javascript":{"":2}},"CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)":{"javascript":{"":1}},"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')":{"go":{"":1},"java":{"":2},"python":{"":2}},"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')":{"java":{"":1},"python":{"":4}},"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')":{"python":{"":8},"javascript":{"":1}},"CWE-96: Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')":{"python":{"":1}},"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')":{"java":{"":1},"python":{"":5},"javascript":{"":1}}},"rules_with_no_cwe":[]},"owasp":{"totals":{"":1,"A1: Injection":1,"A01:2017: Injection":11,"A03:2021: Injection":32,"A6: Security Misconfiguration":1,"A01:2021: Broken Access Control":1,"A02:2021: Cryptographic Failures":2,"A03:2017: Sensitive Data Exposure":2,"A08:2017: Insecure Deserialization":11,"A05:2021: Security Misconfiguration":1,"A07:2017: Cross-Site Scripting (XSS)":5,"A08:2021: Software and Data Integrity Failures":12,"A07:2021: Identification and Authentication Failures":5},"per_framework":{"":{"go":{"":1}},"A1: Injection":{"python":{"":1}},"A01:2017: Injection":{"java":{"":2},"python":{"":8},"javascript":{"":1}},"A03:2021: Injection":{"go":{"":1},"java":{"":5},"ruby":{"":2},"python":{"":19},"javascript":{"":5}},"A6: Security Misconfiguration":{"python":{"":1}},"A01:2021: Broken Access Control":{"javascript":{"":1}},"A02:2021: Cryptographic Failures":{"go":{"":1},"javascript":{"":1}},"A03:2017: Sensitive Data Exposure":{"go":{"":1},"javascript":{"":1}},"A08:2017: Insecure Deserialization":{"java":{"":2},"python":{"":8},"javascript":{"":1}},"A05:2021: Security Misconfiguration":{"python":{"":1}},"A07:2017: Cross-Site 
Scripting (XSS)":{"go":{"":1},"java":{"":2},"python":{"":2}},"A08:2021: Software and Data Integrity Failures":{"java":{"":2},"python":{"":8},"javascript":{"":2}},"A07:2021: Identification and Authentication Failures":{"go":{"":2},"ruby":{"":1},"python":{"":1},"javascript":{"":1}}},"rules_with_no_owasp":["use-of-unsafe-block"]}},"author":"Michael Whiteman","counts":{"total_rules":56,"premium_rules":0},"hidden":true,"description":"","id":"nYX","name":"mikewhiteman.mixed-critical-v2","visibility":"public","categories":[]},{"tags":["security","correctness","logic","bugs","injection","xss","injection","jwt","xxe","deserialization","javascript"],"stats":{"cwe":{"totals":{"CWE-327: Use of a Broken or Risky Cryptographic Algorithm":5},"per_framework":{"":{"javascript":{"":1}},"CWE-798: Use of Hard-coded Credentials":{"javascript":{"":6}},"CWE-502: Deserialization of Untrusted Data":{"javascript":{"":1}},"CWE-918: Server-Side Request Forgery (SSRF)":{"javascript":{"":4}},"CWE-706: Use of Incorrectly-Resolved Name or Reference":{"javascript":{"":1}},"CWE-327: Use of a Broken or Risky Cryptographic Algorithm":{"javascript":{"":2}},"CWE-611: Improper Restriction of XML External Entity Reference":{"javascript":{"":2}},"CWE-94: Improper Control of Generation of Code (Code Injection)":{"javascript":{"":5}},"CWE-94: Improper Control of Generation of Code ('Code Injection')":{"javascript":{"":1}}},"rules_with_no_cwe":["eqeq-is-bad"]},"owasp":{"totals":{"":1,"A1: Injection":5,"A03:2021: Injection":1,"A01:2021: Broken Access Control":1,"A02:2021: Cryptographic Failures":2,"A03:2017: Sensitive Data Exposure":2,"A08:2017: Insecure Deserialization":1,"A05:2021: Security Misconfiguration":2,"A04:2017: XML External Entities (XXE)":2,"A10:2021: Server-Side Request Forgery (SSRF)":4,"A08:2021: Software and Data Integrity Failures":1,"A07:2021: Identification and Authentication Failures":6},"per_framework":{"":{"javascript":{"":1}},"A1: Injection":{"javascript":{"":5}},"A03:2021: 
Injection":{"javascript":{"":1}},"A01:2021: Broken Access Control":{"javascript":{"":1}},"A02:2021: Cryptographic Failures":{"javascript":{"":2}},"A03:2017: Sensitive Data Exposure":{"javascript":{"":2}},"A08:2017: Insecure Deserialization":{"javascript":{"":1}},"A05:2021: Security Misconfiguration":{"javascript":{"":2}},"A04:2017: XML External Entities (XXE)":{"javascript":{"":2}},"A10:2021: Server-Side Request Forgery (SSRF)":{"javascript":{"":4}},"A08:2021: Software and Data Integrity Failures":{"javascript":{"":1}},"A07:2021: Identification and Authentication Failures":{"javascript":{"":6}}},"rules_with_no_owasp":["eqeq-is-bad"]}},"author":"r2c","counts":{"total_rules":23,"premium_rules":0},"hidden":true,"description":"Scan for runtime errors, logic bugs, and high-confidence security vulnerabilities. Recommended for use in CI to block serious issues from reaching production.","id":"4gg","name":"minusworld.r2c-javascript-ci","visibility":"public","categories":[]},{"tags":[],"stats":{"cwe":{"totals":{"CWE-94: Improper Control of Generation of Code (Code Injection)":2},"per_framework":{"":{"javascript":{"":7}},"CWE-798: Use of Hard-coded Credentials":{"javascript":{"":6}},"CWE-352: Cross-Site Request Forgery (CSRF)":{"javascript":{"":1}},"CWE-502: Deserialization of Untrusted Data":{"javascript":{"":1}},"CWE-918: Server-Side Request Forgery (SSRF)":{"javascript":{"":7}},"CWE-522: Insufficiently Protected Credentials":{"javascript":{"":9}},"CWE-116: Improper Encoding or Escaping of Output":{"javascript":{"":1}},"CWE-706: Use of Incorrectly-Resolved Name or Reference":{"javascript":{"":2}},"CWE-345: Insufficient Verification of Data Authenticity":{"javascript":{"":1}},"CWE-327: Use of a Broken or Risky Cryptographic Algorithm":{"javascript":{"":2}},"CWE-611: Improper Restriction of XML External Entity Reference":{"javascript":{"":6}},"CWE-94: Improper Control of Generation of Code (Code Injection)":{"javascript":{"":6}},"CWE-94: Improper Control of Generation of Code 
('Code Injection')":{"javascript":{"":12}},"CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer":{"javascript":{"":1}},"CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)":{"javascript":{"":1}},"CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')":{"javascript":{"":2}},"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')":{"javascript":{"":2}},"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')":{"javascript":{"":2}}},"rules_with_no_cwe":["eqeq-is-bad","useless-assignment","javascript-prompt","javascript-confirm","javascript-debugger","javascript-alert","assigned-undefined"]},"owasp":{"totals":{"":8,"A1: Injection":6,"A01:2017: Injection":2,"A03:2021: Injection":18,"A04:2021: Insecure Design":9,"A01:2021: Broken Access Control":5,"A02:2017: Broken Authentication":9,"A05:2017: Broken Access Control":3,"A02:2021: Cryptographic Failures":2,"A03:2017: Sensitive Data Exposure":2,"A08:2017: Insecure Deserialization":1,"A05:2021: Security Misconfiguration":6,"A04:2017: XML External Entities (XXE)":6,"A10:2021: Server-Side Request Forgery (SSRF)":7,"A08:2021: Software and Data Integrity Failures":2,"A07:2021: Identification and Authentication Failures":6},"per_framework":{"":{"javascript":{"":8}},"A1: Injection":{"javascript":{"":6}},"A01:2017: Injection":{"javascript":{"":2}},"A03:2021: Injection":{"javascript":{"":18}},"A04:2021: Insecure Design":{"javascript":{"":9}},"A01:2021: Broken Access Control":{"javascript":{"":5}},"A02:2017: Broken Authentication":{"javascript":{"":9}},"A05:2017: Broken Access Control":{"javascript":{"":3}},"A02:2021: Cryptographic Failures":{"javascript":{"":2}},"A03:2017: Sensitive Data Exposure":{"javascript":{"":2}},"A08:2017: Insecure Deserialization":{"javascript":{"":1}},"A05:2021: Security Misconfiguration":{"javascript":{"":6}},"A04:2017: XML 
External Entities (XXE)":{"javascript":{"":6}},"A10:2021: Server-Side Request Forgery (SSRF)":{"javascript":{"":7}},"A08:2021: Software and Data Integrity Failures":{"javascript":{"":2}},"A07:2021: Identification and Authentication Failures":{"javascript":{"":6}}},"rules_with_no_owasp":["eqeq-is-bad","useless-assignment","detect-buffer-noassert","javascript-prompt","javascript-confirm","javascript-debugger","javascript-alert","assigned-undefined"]}},"author":"SecuritySamurai","counts":{"total_rules":69,"premium_rules":0},"hidden":true,"description":"almost all JavaScript rules","id":"xKe","name":"securitysamurai.super-javascript-packid","visibility":"public","categories":[]},{"tags":[],"tier":null,"stats":{"cwe":{"totals":{"CWE-1022: Use of Web Link to Untrusted Target with window.opener Access":3},"per_framework":{"CWE-415: Double Free":{"c":{"":1}},"CWE-369: Divide By Zero":{"ruby":{"":1}},"CWE-416: Use After Free":{"c":{"":1}},"CWE-328: Use of Weak Hash":{"java":{"":2},"ruby":{"":2}},"CWE-489: Active Debug Code":{"go":{"":1},"python":{"":5}},"CWE-287: Improper Authentication":{"java":{"":1}},"CWE-377: Insecure Temporary File":{"go":{"":1}},"CWE-501: Trust Boundary Violation":{"java":{"":1}},"CWE-16: CWE CATEGORY: Configuration":{"generic":{"":3}},"CWE-521: Weak Password Requirements":{"python":{"":2}},"CWE-208: Observable Timing Discrepancy":{"ruby":{"":1}},"CWE-269: Improper Privilege Management":{"dockerfile":{"":1}},"CWE-276: Incorrect Default Permissions":{"java":{"":1}},"CWE-798: Use of Hard-coded Credentials":{"go":{"":1},"ruby":{"":1},"python":{"":2},"javascript":{"":4}},"CWE-326: Inadequate Encryption Strength":{"java":{"":5},"python":{"":3},"generic":{"":2}},"CWE-295: Improper Certificate Validation":{"java":{"":2},"ruby":{"":1},"python":{"":3}},"CWE-183: Permissive List of Allowed Inputs":{"java":{"":1}},"CWE-352: Cross-Site Request Forgery (CSRF)":{"java":{"":3},"ruby":{"":1},"python":{"":2},"javascript":{"":1}},"CWE-400: Uncontrolled Resource 
Consumption":{"go":{"":1}},"CWE-502: Deserialization of Untrusted Data":{"java":{"":2},"ruby":{"":1},"python":{"":9},"javascript":{"":1}},"CWE-704: Incorrect Type Conversion or Cast":{"java":{"":1}},"CWE-300: Channel Accessible by Non-Endpoint":{"go":{"":2}},"CWE-330: Use of Insufficiently Random Values":{"java":{"":1}},"CWE-242: Use of Inherently Dangerous Function":{"go":{"":1}},"CWE-311: Missing Encryption of Sensitive Data":{"hcl":{"":1},"ruby":{"":1}},"CWE-523: Unprotected Transport of Credentials":{"python":{"":1}},"CWE-668: Exposure of Resource to Wrong Sphere":{"python":{"":2}},"CWE-73: External Control of File Name or Path":{"python":{"":1}},"CWE-676: Use of Potentially Dangerous Function":{"c":{"":5}},"CWE-116: Improper Encoding or Escaping of Output":{"python":{"":1},"javascript":{"":1}},"CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag":{"java":{"":1}},"CWE-134: Use of Externally-Controlled Format String":{"c":{"":1}},"CWE-322: Key Exchange without Entity Authentication":{"go":{"":1},"python":{"":1}},"CWE-329: Generation of Predictable IV with CBC Mode":{"java":{"":1}},"CWE-319: Cleartext Transmission of Sensitive Information":{"go":{"":1},"java":{"":1},"python":{"":3},"generic":{"":1},"typescript":{"":1}},"CWE-327: Use of a Broken or Risky Cryptographic Algorithm":{"go":{"":7},"java":{"":3},"python":{"":18},"javascript":{"":2}},"CWE-601: URL Redirection to Untrusted Site ('Open Redirect')":{"java":{"":2},"python":{"":1},"javascript":{"":1}},"CWE-441: Unintended Proxy or Intermediary ('Confused Deputy')":{"generic":{"":1}},"CWE-1021: Improper Restriction of Rendered UI Layers or Frames":{"ruby":{"":1}},"CWE-297: Improper Validation of Certificate with Host Mismatch":{"java":{"":1}},"CWE-611: Improper Restriction of XML External Entity Reference":{"java":{"":3},"python":{"":1},"javascript":{"":3}},"CWE-942: Permissive Cross-domain Policy with Untrusted Domains":{"hcl":{"":1}},"CWE-913: Improper Control of Dynamically-Managed Code 
Resources":{"go":{"":2}},"CWE-939: Improper Authorization in Handler for Custom URL Scheme":{"python":{"":1}},"CWE-155: Improper Neutralization of Wildcards or Matching Symbols":{"python":{"":1}},"CWE-94: Improper Control of Generation of Code ('Code Injection')":{"go":{"":1},"java":{"":3},"ruby":{"":3}},"CWE-1236: Improper Neutralization of Formula Elements in a CSV File":{"python":{"":1}},"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor":{"go":{"":1},"hcl":{"":2},"java":{"":1},"python":{"":1},"typescript":{"":1}},"CWE-264: CWE CATEGORY: Permissions, Privileges, and Access Controls":{"json":{"":1}},"CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')":{"java":{"":1}},"CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute":{"java":{"":1},"python":{"":2}},"CWE-1022: Use of Web Link to Untrusted Target with window.opener Access":{"generic":{"":3}},"CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)":{"go":{"":1},"javascript":{"":1}},"CWE-774: Allocation of File Descriptors or Handles Without Limits or Throttling":{"c":{"":1}},"CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer":{"javascript":{"":1}},"CWE-643: Improper Neutralization of Data within XPath Expressions ('XPath Injection')":{"java":{"":1}},"CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')":{"go":{"":1},"java":{"":2},"ruby":{"":1},"python":{"":1},"generic":{"":1}},"CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes":{"ruby":{"":3},"python":{"":1}},"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')":{"go":{"":5},"java":{"":3},"regex":{"":4},"python":{"":6},"generic":{"":6},"javascript":{"":1},"typescript":{"":3}},"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')":{"go":{"":1},"java":{"":3},"python":{"":5}},"CWE-90: Improper Neutralization of 
Special Elements used in an LDAP Query ('LDAP Injection')":{"java":{"":3}},"CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')":{"python":{"":1}},"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')":{"python":{"":7},"javascript":{"":2}},"CWE-96: Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')":{"python":{"":3}},"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')":{"java":{"":2},"python":{"":6},"javascript":{"":2}},"CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')":{"java":{"":1},"generic":{"":1}},"CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')":{"python":{"":2}}},"rules_with_no_cwe":[]},"owasp":{"totals":{"":13,"A1: Injection":2,"A01:2017: Injection":24,"A03:2021: Injection":75,"A04:2021: Insecure Design":7,"A3: Sensitive Data Exposure":11,"A6: Security Misconfiguration":1,"A01:2021: Broken Access Control":34,"A02:2017: Broken Authentication":2,"A05:2017: Broken Access Control":10,"A02:2021: Cryptographic Failures":47,"A03:2017: Sensitive Data Exposure":49,"A08:2017: Insecure Deserialization":13,"A05:2021: Security Misconfiguration":20,"A06:2017: Security Misconfiguration":5,"A07:2017: Cross-Site Scripting (XSS)":28,"A04:2017: XML External Entities (XXE)":8,"A08:2021: Software and Data Integrity Failures":17,"A07:2021: Identification and Authentication Failures":20},"per_framework":{"":{"c":{"":8},"go":{"":2},"ruby":{"":2},"javascript":{"":1}},"A1: Injection":{"python":{"":2}},"A01:2017: Injection":{"c":{"":1},"go":{"":1},"java":{"":8},"python":{"":12},"javascript":{"":2}},"A03:2021: Injection":{"c":{"":1},"go":{"":7},"java":{"":17},"ruby":{"":3},"regex":{"":4},"python":{"":27},"generic":{"":7},"javascript":{"":6},"typescript":{"":3}},"A04:2021: Insecure 
Design":{"hcl":{"":1},"java":{"":2},"ruby":{"":2},"python":{"":1},"dockerfile":{"":1}},"A3: Sensitive Data Exposure":{"python":{"":11}},"A6: Security Misconfiguration":{"python":{"":1}},"A01:2021: Broken Access Control":{"go":{"":5},"hcl":{"":2},"java":{"":9},"json":{"":1},"ruby":{"":2},"python":{"":7},"generic":{"":5},"javascript":{"":2},"typescript":{"":1}},"A02:2017: Broken Authentication":{"java":{"":1},"python":{"":1}},"A05:2017: Broken Access Control":{"go":{"":1},"java":{"":2},"ruby":{"":1},"python":{"":1},"generic":{"":4},"javascript":{"":1}},"A02:2021: Cryptographic Failures":{"go":{"":10},"java":{"":13},"ruby":{"":2},"python":{"":15},"generic":{"":3},"javascript":{"":3},"typescript":{"":1}},"A03:2017: Sensitive Data Exposure":{"go":{"":8},"hcl":{"":1},"java":{"":14},"ruby":{"":4},"python":{"":16},"generic":{"":3},"javascript":{"":2},"typescript":{"":1}},"A08:2017: Insecure Deserialization":{"java":{"":2},"ruby":{"":1},"python":{"":9},"javascript":{"":1}},"A05:2021: Security Misconfiguration":{"hcl":{"":1},"java":{"":5},"python":{"":8},"generic":{"":3},"javascript":{"":3}},"A06:2017: Security Misconfiguration":{"go":{"":1},"python":{"":1},"generic":{"":3}},"A07:2017: Cross-Site Scripting (XSS)":{"go":{"":5},"java":{"":3},"regex":{"":4},"python":{"":6},"generic":{"":6},"javascript":{"":1},"typescript":{"":3}},"A04:2017: XML External Entities (XXE)":{"java":{"":3},"python":{"":2},"javascript":{"":3}},"A08:2021: Software and Data Integrity Failures":{"java":{"":2},"ruby":{"":4},"python":{"":10},"javascript":{"":1}},"A07:2021: Identification and Authentication 
Failures":{"go":{"":3},"java":{"":4},"ruby":{"":2},"python":{"":7},"javascript":{"":4}}},"rules_with_no_owasp":["detect-buffer-noassert","use-of-unsafe-block","divide-by-zero","insecure-use-strcat-fn","timing-attack","potential-dos-via-decompression-bomb","use-after-free","insecure-use-gets-fn","insecure-use-string-copy-fn","insecure-use-strtok-fn","random-fd-exhaustion","insecure-use-scanf-fn","insecure-use-printf-fn"]}},"author":"Daniel Murphy","counts":{"total_rules":253,"premium_rules":0},"hidden":true,"description":"","id":"Z5o","name":"danhatesnumbers.ruby-rules","visibility":"public","categories":[]},{"tags":[],"tier":null,"stats":{"cwe":{"totals":{"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')":3},"per_framework":{"":{"go":{"":6},"python":{"":88}},"CWE-489: Active Debug Code":{"go":{"":1},"python":{"":5}},"CWE-310: Cryptographic Issues":{"python":{"":7}},"CWE-377: Insecure Temporary File":{"go":{"":1},"python":{"":1}},"CWE-521: Weak Password Requirements":{"python":{"":2}},"CWE-798: Use of Hard-coded Credentials":{"go":{"":1},"python":{"":2}},"CWE-326: Inadequate Encryption Strength":{"python":{"":3}},"CWE-295: Improper Certificate Validation":{"python":{"":3}},"CWE-352: Cross-Site Request Forgery (CSRF)":{"python":{"":2}},"CWE-400: Uncontrolled Resource Consumption":{"go":{"":1}},"CWE-502: Deserialization of Untrusted Data":{"python":{"":13}},"CWE-300: Channel Accessible by Non-Endpoint":{"go":{"":2}},"CWE-918: Server-Side Request Forgery (SSRF)":{"python":{"":3}},"CWE-242: Use of Inherently Dangerous Function":{"go":{"":1}},"CWE-311: Missing Encryption of Sensitive Data":{"python":{"":2}},"CWE-523: Unprotected Transport of Credentials":{"python":{"":1}},"CWE-668: Exposure of Resource to Wrong Sphere":{"python":{"":2}},"CWE-73: External Control of File Name or Path":{"python":{"":1}},"CWE-116: Improper Encoding or Escaping of Output":{"python":{"":1}},"CWE-289: Authentication Bypass by Alternate 
Name":{"go":{"":1}},"CWE-322: Key Exchange without Entity Authentication":{"go":{"":1},"python":{"":1}},"CWE-1104: Use of Unmaintained Third Party Components":{"python":{"":3}},"CWE-689: Permission Race Condition During Resource Copy":{"python":{"":1}},"CWE-319: Cleartext Transmission of Sensitive Information":{"go":{"":1},"python":{"":3}},"CWE-327: Use of a Broken or Risky Cryptographic Algorithm":{"go":{"":7},"python":{"":19}},"CWE-601: URL Redirection to Untrusted Site ('Open Redirect')":{"python":{"":1}},"CWE-611: Improper Restriction of XML External Entity Reference":{"python":{"":2}},"CWE-913: Improper Control of Dynamically-Managed Code Resources":{"go":{"":2}},"CWE-939: Improper Authorization in Handler for Custom URL Scheme":{"python":{"":1}},"CWE-155: Improper Neutralization of Wildcards or Matching Symbols":{"python":{"":1}},"CWE-94: Improper Control of Generation of Code ('Code Injection')":{"go":{"":1}},"CWE-1236: Improper Neutralization of Formula Elements in a CSV File":{"python":{"":1}},"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor":{"go":{"":1},"python":{"":1}},"CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')":{"python":{"":1}},"CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute":{"python":{"":2}},"CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)":{"go":{"":1}},"CWE-497: Exposure of Sensitive System Information to an Unauthorized Control Sphere":{"python":{"":1}},"CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')":{"go":{"":1},"python":{"":6}},"CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes":{"python":{"":1}},"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')":{"go":{"":6},"python":{"":7}},"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')":{"go":{"":1},"python":{"":8}},"CWE-776: Improper 
Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')":{"python":{"":1}},"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')":{"python":{"":11}},"CWE-96: Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')":{"python":{"":3}},"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')":{"python":{"":13}},"CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')":{"python":{"":2}}},"rules_with_no_cwe":["use-raise-for-status","use-timeout","tempfile-without-flush","tempfile-insecure","raise-not-base-exception","string-concat-in-list","string-is-comparison","identical-is-comparison","default-mutable-dict","default-mutable-list","is-not-is-not","list-modify-while-iterate","dict-del-while-iterate","writing-to-file-in-read-mode","useless-eqeq","no-strings-as-booleans","baseclass-attribute-override","unchecked-subprocess-call","file-object-redefined-before-close","yield-in-init","return-in-init","use-sys-exit","pdb-remove","python37-compatibility-pdb","python37-compatibility-os2-ok2","python37-compatability-os-module","python37-compatibility-os1","python37-compatibility-multiprocess2","python37-compatibility-multiprocess1","python37-compatibility-math1","python37-compatibility-locale1","python37-compatibility-ipv4network2","python37-compatibility-ipv4network1","python37-compatibility-ipv6network2","python37-compatibility-ipv6network1","python37-compatibility-textiowrapper","python37-compatibility-importlib3","python37-compatibility-httpsconn","python37-compatibility-httpconn","python37-compatibility-importlib2","python37-compatibility-importlib","python36-compatibility-Popen2","python36-compatibility-Popen1","python36-compatibility-ssl","return-not-in-function","code-after-unconditional-return","useless-if-body","useless-if-conditional","useless-assignment-keyed","useless-literal-dict
","useless-inner-function","hardcoded-tmp-path","manual-counter-create","manual-defaultdict-list-create","manual-defaultdict-set-create","manual-defaultdict-dict-create","open-never-closed","arbitrary-sleep","missing-hash-with-eq","pass-body-range","pass-body-fn","python-debugger-found","avoid-accessing-request-in-wrong-handler","flask-duplicate-handler-name","flask-deprecated-apis","use-jsonify","attr-mutable-initializer","bad-operator-in-filter","delete-where-no-execute","batch-import","len-all-count","bokeh-deprecated-apis","nontext-field-must-set-null-true","django-db-model-save-super","string-field-must-set-null-true","no-null-string-field","django-compat-2_0-assert-redirects-helper","django-compat-2_0-assignment-tag","django-compat-2_0-extra-forms","django-compat-2_0-check-aggregate-support","django-compat-2_0-signals-weak","use-earliest-or-latest","access-foreign-keys","use-count-method","use-json-response","use-onetoonefield","use-django-environ","use-click-secho","hardcoded-eq-true-or-false","eqeq-is-bad","useless-if-body","useless-if-conditional","hidden-goroutine","channel-guarded-with-mutex"]},"owasp":{"totals":{"":97,"A1: Injection":2,"A01:2017: Injection":23,"A03:2021: Injection":49,"A04:2021: Insecure Design":1,"A3: Sensitive Data Exposure":11,"A6: Security Misconfiguration":1,"A01:2021: Broken Access Control":15,"A02:2017: Broken Authentication":1,"A05:2017: Broken Access Control":5,"A02:2021: Cryptographic Failures":31,"A03:2017: Sensitive Data Exposure":30,"A08:2017: Insecure Deserialization":12,"A05:2021: Security Misconfiguration":18,"A06:2017: Security Misconfiguration":12,"A07:2017: Cross-Site Scripting (XSS)":13,"A04:2017: XML External Entities (XXE)":2,"A06:2021: Vulnerable and Outdated Components":9,"A10:2021: Server-Side Request Forgery (SSRF)":3,"A08:2021: Software and Data Integrity Failures":13,"A07:2021: Identification and Authentication Failures":10,"A09:2017: Using Components with Known 
Vulnerabilities":9},"per_framework":{"":{"go":{"":9},"python":{"":88}},"A1: Injection":{"python":{"":2}},"A01:2017: Injection":{"go":{"":1},"python":{"":22}},"A03:2021: Injection":{"go":{"":8},"python":{"":41}},"A04:2021: Insecure Design":{"python":{"":1}},"A3: Sensitive Data Exposure":{"python":{"":11}},"A6: Security Misconfiguration":{"python":{"":1}},"A01:2021: Broken Access Control":{"go":{"":5},"python":{"":10}},"A02:2017: Broken Authentication":{"python":{"":1}},"A05:2017: Broken Access Control":{"go":{"":1},"python":{"":4}},"A02:2021: Cryptographic Failures":{"go":{"":10},"python":{"":21}},"A03:2017: Sensitive Data Exposure":{"go":{"":8},"python":{"":22}},"A08:2017: Insecure Deserialization":{"python":{"":12}},"A05:2021: Security Misconfiguration":{"python":{"":18}},"A06:2017: Security Misconfiguration":{"go":{"":1},"python":{"":11}},"A07:2017: Cross-Site Scripting (XSS)":{"go":{"":6},"python":{"":7}},"A04:2017: XML External Entities (XXE)":{"python":{"":2}},"A06:2021: Vulnerable and Outdated Components":{"python":{"":9}},"A10:2021: Server-Side Request Forgery (SSRF)":{"python":{"":3}},"A08:2021: Software and Data Integrity Failures":{"python":{"":13}},"A07:2021: Identification and Authentication Failures":{"go":{"":3},"python":{"":7}},"A09:2017: Using Components with Known 
Vulnerabilities":{"python":{"":9}}},"rules_with_no_owasp":["use-raise-for-status","use-timeout","tempfile-without-flush","tempfile-insecure","raise-not-base-exception","string-concat-in-list","string-is-comparison","identical-is-comparison","default-mutable-dict","default-mutable-list","is-not-is-not","list-modify-while-iterate","dict-del-while-iterate","writing-to-file-in-read-mode","useless-eqeq","no-strings-as-booleans","baseclass-attribute-override","unchecked-subprocess-call","file-object-redefined-before-close","yield-in-init","return-in-init","use-sys-exit","pdb-remove","python37-compatibility-pdb","python37-compatibility-os2-ok2","python37-compatability-os-module","python37-compatibility-os1","python37-compatibility-multiprocess2","python37-compatibility-multiprocess1","python37-compatibility-math1","python37-compatibility-locale1","python37-compatibility-ipv4network2","python37-compatibility-ipv4network1","python37-compatibility-ipv6network2","python37-compatibility-ipv6network1","python37-compatibility-textiowrapper","python37-compatibility-importlib3","python37-compatibility-httpsconn","python37-compatibility-httpconn","python37-compatibility-importlib2","python37-compatibility-importlib","python36-compatibility-Popen2","python36-compatibility-Popen1","python36-compatibility-ssl","return-not-in-function","code-after-unconditional-return","useless-if-body","useless-if-conditional","useless-assignment-keyed","useless-literal-dict","useless-inner-function","hardcoded-tmp-path","manual-counter-create","manual-defaultdict-list-create","manual-defaultdict-set-create","manual-defaultdict-dict-create","open-never-closed","arbitrary-sleep","missing-hash-with-eq","pass-body-range","pass-body-fn","python-debugger-found","avoid-accessing-request-in-wrong-handler","flask-duplicate-handler-name","flask-deprecated-apis","use-jsonify","attr-mutable-initializer","bad-operator-in-filter","delete-where-no-execute","batch-import","len-all-count","bokeh-deprecated-apis","nont
ext-field-must-set-null-true","django-db-model-save-super","string-field-must-set-null-true","no-null-string-field","django-compat-2_0-assert-redirects-helper","django-compat-2_0-assignment-tag","django-compat-2_0-extra-forms","django-compat-2_0-check-aggregate-support","django-compat-2_0-signals-weak","use-earliest-or-latest","access-foreign-keys","use-count-method","use-json-response","use-onetoonefield","use-django-environ","use-click-secho","hardcoded-eq-true-or-false","eqeq-is-bad","use-of-unsafe-block","potential-dos-via-decompression-bomb","useless-if-body","useless-if-conditional","hidden-goroutine","channel-guarded-with-mutex","handler-assignment-from-multiple-sources"]}},"author":"Quozlet","counts":{"total_rules":262,"premium_rules":0},"hidden":true,"description":"","id":"85E","name":"quozlet.python+go","visibility":"public","categories":[]},{"tags":[],"stats":{"cwe":{"totals":{"CWE-706: Use of Incorrectly-Resolved Name or Reference":6},"per_framework":{"CWE-798: Use of Hard-coded Credentials":{"javascript":{"":1}},"CWE-918: Server-Side Request Forgery (SSRF)":{"javascript":{"":4}},"CWE-522: Insufficiently Protected Credentials":{"javascript":{"":7}},"CWE-706: Use of Incorrectly-Resolved Name or Reference":{"javascript":{"":1}},"CWE-611: Improper Restriction of XML External Entity Reference":{"javascript":{"":3}},"CWE-94: Improper Control of Generation of Code (Code Injection)":{"javascript":{"":6}},"CWE-94: Improper Control of Generation of Code ('Code Injection')":{"javascript":{"":1}}},"rules_with_no_cwe":[]},"owasp":{"totals":{"A1: Injection":6,"A03:2021: Injection":1,"A04:2021: Insecure Design":7,"A01:2021: Broken Access Control":1,"A02:2017: Broken Authentication":7,"A05:2021: Security Misconfiguration":3,"A04:2017: XML External Entities (XXE)":3,"A10:2021: Server-Side Request Forgery (SSRF)":4,"A07:2021: Identification and Authentication Failures":1},"per_framework":{"A1: Injection":{"javascript":{"":6}},"A03:2021: 
Injection":{"javascript":{"":1}},"A04:2021: Insecure Design":{"javascript":{"":7}},"A01:2021: Broken Access Control":{"javascript":{"":1}},"A02:2017: Broken Authentication":{"javascript":{"":7}},"A05:2021: Security Misconfiguration":{"javascript":{"":3}},"A04:2017: XML External Entities (XXE)":{"javascript":{"":3}},"A10:2021: Server-Side Request Forgery (SSRF)":{"javascript":{"":4}},"A07:2021: Identification and Authentication Failures":{"javascript":{"":1}}},"rules_with_no_owasp":[]}},"author":"Vasilii Ermilov","counts":{"total_rules":23,"premium_rules":0},"hidden":true,"description":"express pack","id":"qdz","name":"inkz.express-pack","visibility":"public","categories":[]},{"tags":[],"tier":null,"stats":{"cwe":{"totals":{"":1},"per_framework":{"":{"python":{"":51}},"CWE-521: Weak Password Requirements":{"python":{"":2}},"CWE-798: Use of Hard-coded Credentials":{"python":{"":2}},"CWE-326: Inadequate Encryption Strength":{"python":{"":1}},"CWE-295: Improper Certificate Validation":{"python":{"":2}},"CWE-352: Cross-Site Request Forgery (CSRF)":{"python":{"":1}},"CWE-502: Deserialization of Untrusted Data":{"python":{"":8}},"CWE-918: Server-Side Request Forgery (SSRF)":{"python":{"":2}},"CWE-523: Unprotected Transport of Credentials":{"python":{"":1}},"CWE-116: Improper Encoding or Escaping of Output":{"python":{"":1}},"CWE-322: Key Exchange without Entity Authentication":{"python":{"":1}},"CWE-319: Cleartext Transmission of Sensitive Information":{"python":{"":2}},"CWE-327: Use of a Broken or Risky Cryptographic Algorithm":{"python":{"":18}},"CWE-611: Improper Restriction of XML External Entity Reference":{"python":{"":1}},"CWE-939: Improper Authorization in Handler for Custom URL Scheme":{"python":{"":1}},"CWE-155: Improper Neutralization of Wildcards or Matching Symbols":{"python":{"":1}},"CWE-1236: Improper Neutralization of Formula Elements in a CSV File":{"python":{"":1}},"CWE-200: Exposure of Sensitive Information to an Unauthorized 
Actor":{"python":{"":1}},"CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')":{"python":{"":1}},"CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute":{"python":{"":1}},"CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')":{"python":{"":3}},"CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes":{"python":{"":1}},"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')":{"python":{"":3}},"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')":{"python":{"":7}},"CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')":{"python":{"":1}},"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')":{"python":{"":6}},"CWE-96: Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')":{"python":{"":1}},"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')":{"python":{"":6}},"CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component 
('Injection')":{"python":{"":2}}},"rules_with_no_cwe":["identical-is-comparison","string-is-comparison","default-mutable-list","unchecked-subprocess-call","default-mutable-dict","raise-not-base-exception","useless-eqeq","use-sys-exit","no-strings-as-booleans","dict-del-while-iterate","return-in-init","yield-in-init","list-modify-while-iterate","use-timeout","use-json-response","use-django-environ","use-onetoonefield","nontext-field-must-set-null-true","string-field-must-set-null-true","no-null-string-field","use-count-method","use-earliest-or-latest","django-compat-2_0-signals-weak","django-compat-2_0-check-aggregate-support","django-compat-2_0-extra-forms","django-compat-2_0-assignment-tag","django-compat-2_0-assert-redirects-helper","django-db-model-save-super","arbitrary-sleep","open-never-closed","useless-inner-function","writing-to-file-in-read-mode","is-not-is-not","tempfile-insecure","tempfile-without-flush","use-raise-for-status","use-click-secho","python-debugger-found","pass-body-fn","pass-body-range","missing-hash-with-eq","manual-defaultdict-dict-create","manual-defaultdict-set-create","manual-defaultdict-list-create","manual-counter-create","hardcoded-tmp-path","access-foreign-keys","len-all-count","attr-mutable-initializer","file-object-redefined-before-close","baseclass-attribute-override"]},"owasp":{"totals":{"":51,"A1: Injection":2,"A01:2017: Injection":14,"A03:2021: Injection":24,"A3: Sensitive Data Exposure":11,"A6: Security Misconfiguration":1,"A01:2021: Broken Access Control":5,"A02:2017: Broken Authentication":1,"A05:2017: Broken Access Control":3,"A02:2021: Cryptographic Failures":12,"A03:2017: Sensitive Data Exposure":12,"A08:2017: Insecure Deserialization":8,"A05:2021: Security Misconfiguration":3,"A07:2017: Cross-Site Scripting (XSS)":3,"A04:2017: XML External Entities (XXE)":2,"A10:2021: Server-Side Request Forgery (SSRF)":2,"A08:2021: Software and Data Integrity Failures":9,"A07:2021: Identification and Authentication 
Failures":6},"per_framework":{"":{"python":{"":51}},"A1: Injection":{"python":{"":2}},"A01:2017: Injection":{"python":{"":14}},"A03:2021: Injection":{"python":{"":24}},"A3: Sensitive Data Exposure":{"python":{"":11}},"A6: Security Misconfiguration":{"python":{"":1}},"A01:2021: Broken Access Control":{"python":{"":5}},"A02:2017: Broken Authentication":{"python":{"":1}},"A05:2017: Broken Access Control":{"python":{"":3}},"A02:2021: Cryptographic Failures":{"python":{"":12}},"A03:2017: Sensitive Data Exposure":{"python":{"":12}},"A08:2017: Insecure Deserialization":{"python":{"":8}},"A05:2021: Security Misconfiguration":{"python":{"":3}},"A07:2017: Cross-Site Scripting (XSS)":{"python":{"":3}},"A04:2017: XML External Entities (XXE)":{"python":{"":2}},"A10:2021: Server-Side Request Forgery (SSRF)":{"python":{"":2}},"A08:2021: Software and Data Integrity Failures":{"python":{"":9}},"A07:2021: Identification and Authentication Failures":{"python":{"":6}}},"rules_with_no_owasp":["identical-is-comparison","string-is-comparison","default-mutable-list","unchecked-subprocess-call","default-mutable-dict","raise-not-base-exception","useless-eqeq","use-sys-exit","no-strings-as-booleans","dict-del-while-iterate","return-in-init","yield-in-init","list-modify-while-iterate","use-timeout","use-json-response","use-django-environ","use-onetoonefield","nontext-field-must-set-null-true","string-field-must-set-null-true","no-null-string-field","use-count-method","use-earliest-or-latest","django-compat-2_0-signals-weak","django-compat-2_0-check-aggregate-support","django-compat-2_0-extra-forms","django-compat-2_0-assignment-tag","django-compat-2_0-assert-redirects-helper","django-db-model-save-super","arbitrary-sleep","open-never-closed","useless-inner-function","writing-to-file-in-read-mode","is-not-is-not","tempfile-insecure","tempfile-without-flush","use-raise-for-status","use-click-secho","python-debugger-found","pass-body-fn","pass-body-range","missing-hash-with-eq","manual-defaultdic
t-dict-create","manual-defaultdict-set-create","manual-defaultdict-list-create","manual-counter-create","hardcoded-tmp-path","access-foreign-keys","len-all-count","attr-mutable-initializer","file-object-redefined-before-close","baseclass-attribute-override"]}},"author":"VeniVidiVici42","counts":{"total_rules":129,"premium_rules":0},"hidden":true,"description":"","id":"4Xz","name":"venividivici42.akatz-test-pack","visibility":"public","categories":[]},{"tags":[],"tier":null,"stats":{"cwe":{"totals":{"":1},"per_framework":{"":{"go":{"":6}},"CWE-489: Active Debug Code":{"go":{"":1}},"CWE-377: Insecure Temporary File":{"go":{"":1}},"CWE-798: Use of Hard-coded Credentials":{"go":{"":1}},"CWE-400: Uncontrolled Resource Consumption":{"go":{"":1}},"CWE-300: Channel Accessible by Non-Endpoint":{"go":{"":2}},"CWE-242: Use of Inherently Dangerous Function":{"go":{"":1}},"CWE-289: Authentication Bypass by Alternate Name":{"go":{"":1}},"CWE-322: Key Exchange without Entity Authentication":{"go":{"":1}},"CWE-327: Use of a Broken or Risky Cryptographic Algorithm":{"go":{"":7}},"CWE-913: Improper Control of Dynamically-Managed Code Resources":{"go":{"":2}},"CWE-94: Improper Control of Generation of Code ('Code Injection')":{"go":{"":1}},"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor":{"go":{"":1}},"CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)":{"go":{"":1}},"CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')":{"go":{"":1}},"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')":{"go":{"":5}},"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')":{"go":{"":1}}},"rules_with_no_cwe":["channel-guarded-with-mutex","hidden-goroutine","useless-if-conditional","useless-if-body","eqeq-is-bad","hardcoded-eq-true-or-false"]},"owasp":{"totals":{"":9,"A01:2017: Injection":1,"A03:2021: Injection":7,"A01:2021: Broken Access 
Control":5,"A05:2017: Broken Access Control":1,"A02:2021: Cryptographic Failures":9,"A03:2017: Sensitive Data Exposure":7,"A06:2017: Security Misconfiguration":1,"A07:2017: Cross-Site Scripting (XSS)":5,"A07:2021: Identification and Authentication Failures":3},"per_framework":{"":{"go":{"":9}},"A01:2017: Injection":{"go":{"":1}},"A03:2021: Injection":{"go":{"":7}},"A01:2021: Broken Access Control":{"go":{"":5}},"A05:2017: Broken Access Control":{"go":{"":1}},"A02:2021: Cryptographic Failures":{"go":{"":9}},"A03:2017: Sensitive Data Exposure":{"go":{"":7}},"A06:2017: Security Misconfiguration":{"go":{"":1}},"A07:2017: Cross-Site Scripting (XSS)":{"go":{"":5}},"A07:2021: Identification and Authentication Failures":{"go":{"":3}}},"rules_with_no_owasp":["handler-assignment-from-multiple-sources","channel-guarded-with-mutex","hidden-goroutine","useless-if-conditional","useless-if-body","potential-dos-via-decompression-bomb","use-of-unsafe-block","eqeq-is-bad","hardcoded-eq-true-or-false"]}},"author":"Nathalie Flower","counts":{"total_rules":34,"premium_rules":0},"hidden":true,"description":"","id":"j0Z","name":"purpledino-nat.gosec-pack","visibility":"public","categories":[]},{"tags":[],"stats":{"cwe":{"totals":{"CWE-327: Use of a Broken or Risky Cryptographic Algorithm":1},"per_framework":{"CWE-377: Insecure Temporary File":{"go":{"":1}},"CWE-798: Use of Hard-coded Credentials":{"go":{"":1}},"CWE-400: Uncontrolled Resource Consumption":{"go":{"":1}},"CWE-300: Channel Accessible by Non-Endpoint":{"go":{"":2}},"CWE-242: Use of Inherently Dangerous Function":{"go":{"":1}},"CWE-289: Authentication Bypass by Alternate Name":{"go":{"":1}},"CWE-327: Use of a Broken or Risky Cryptographic Algorithm":{"go":{"":1}},"CWE-913: Improper Control of Dynamically-Managed Code Resources":{"go":{"":2}},"CWE-94: Improper Control of Generation of Code ('Code Injection')":{"go":{"":1}},"CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path 
Traversal')":{"go":{"":1}},"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')":{"go":{"":1}},"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')":{"go":{"":1}}},"rules_with_no_cwe":[]},"owasp":{"totals":{"":3,"A01:2017: Injection":1,"A03:2021: Injection":3,"A01:2021: Broken Access Control":4,"A05:2017: Broken Access Control":1,"A02:2021: Cryptographic Failures":1,"A03:2017: Sensitive Data Exposure":1,"A07:2017: Cross-Site Scripting (XSS)":1,"A07:2021: Identification and Authentication Failures":3},"per_framework":{"":{"go":{"":3}},"A01:2017: Injection":{"go":{"":1}},"A03:2021: Injection":{"go":{"":3}},"A01:2021: Broken Access Control":{"go":{"":4}},"A05:2017: Broken Access Control":{"go":{"":1}},"A02:2021: Cryptographic Failures":{"go":{"":1}},"A03:2017: Sensitive Data Exposure":{"go":{"":1}},"A07:2017: Cross-Site Scripting (XSS)":{"go":{"":1}},"A07:2021: Identification and Authentication Failures":{"go":{"":3}}},"rules_with_no_owasp":["handler-assignment-from-multiple-sources","use-of-unsafe-block","potential-dos-via-decompression-bomb"]}},"author":"Teja","counts":{"total_rules":14,"premium_rules":0},"hidden":true,"description":"All Golang Security  Rules","id":"N3x","name":"saiteja16.tm-golang-security-all","visibility":"public","categories":[]},{"tags":[],"tier":null,"stats":{"cwe":{"totals":{"":3},"per_framework":{"":{"java":{"":4}},"CWE-415: Double Free":{"c":{"":1}},"CWE-369: Divide By Zero":{"ruby":{"":1}},"CWE-416: Use After Free":{"c":{"":1}},"CWE-328: Use of Weak Hash":{"java":{"":2},"ruby":{"":2}},"CWE-489: Active Debug Code":{"go":{"":1},"python":{"":5}},"CWE-287: Improper Authentication":{"java":{"":1}},"CWE-377: Insecure Temporary File":{"go":{"":1}},"CWE-501: Trust Boundary Violation":{"java":{"":1}},"CWE-16: CWE CATEGORY: Configuration":{"generic":{"":3}},"CWE-521: Weak Password Requirements":{"python":{"":2}},"CWE-208: Observable Timing 
Discrepancy":{"ruby":{"":1}},"CWE-269: Improper Privilege Management":{"dockerfile":{"":1}},"CWE-276: Incorrect Default Permissions":{"java":{"":1}},"CWE-798: Use of Hard-coded Credentials":{"go":{"":1},"ruby":{"":1},"python":{"":2},"javascript":{"":4}},"CWE-326: Inadequate Encryption Strength":{"java":{"":5},"python":{"":3},"generic":{"":2}},"CWE-295: Improper Certificate Validation":{"java":{"":2},"ruby":{"":1},"python":{"":3}},"CWE-183: Permissive List of Allowed Inputs":{"java":{"":1}},"CWE-352: Cross-Site Request Forgery (CSRF)":{"java":{"":3},"ruby":{"":1},"python":{"":2},"javascript":{"":1}},"CWE-400: Uncontrolled Resource Consumption":{"go":{"":1}},"CWE-502: Deserialization of Untrusted Data":{"java":{"":2},"ruby":{"":1},"python":{"":9},"javascript":{"":1}},"CWE-704: Incorrect Type Conversion or Cast":{"java":{"":1}},"CWE-300: Channel Accessible by Non-Endpoint":{"go":{"":2}},"CWE-330: Use of Insufficiently Random Values":{"java":{"":1}},"CWE-242: Use of Inherently Dangerous Function":{"go":{"":1}},"CWE-311: Missing Encryption of Sensitive Data":{"hcl":{"":1},"ruby":{"":1}},"CWE-523: Unprotected Transport of Credentials":{"python":{"":1}},"CWE-668: Exposure of Resource to Wrong Sphere":{"python":{"":2}},"CWE-73: External Control of File Name or Path":{"python":{"":1}},"CWE-676: Use of Potentially Dangerous Function":{"c":{"":5}},"CWE-116: Improper Encoding or Escaping of Output":{"python":{"":1},"javascript":{"":1}},"CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag":{"java":{"":1}},"CWE-134: Use of Externally-Controlled Format String":{"c":{"":1}},"CWE-322: Key Exchange without Entity Authentication":{"go":{"":1},"python":{"":1}},"CWE-329: Generation of Predictable IV with CBC Mode":{"java":{"":1}},"CWE-319: Cleartext Transmission of Sensitive Information":{"go":{"":1},"java":{"":1},"python":{"":3},"generic":{"":1},"typescript":{"":1}},"CWE-327: Use of a Broken or Risky Cryptographic 
Algorithm":{"go":{"":7},"java":{"":5},"python":{"":18},"javascript":{"":2}},"CWE-601: URL Redirection to Untrusted Site ('Open Redirect')":{"java":{"":2},"python":{"":1},"javascript":{"":1}},"CWE-441: Unintended Proxy or Intermediary ('Confused Deputy')":{"generic":{"":1}},"CWE-1021: Improper Restriction of Rendered UI Layers or Frames":{"ruby":{"":1}},"CWE-297: Improper Validation of Certificate with Host Mismatch":{"java":{"":1}},"CWE-611: Improper Restriction of XML External Entity Reference":{"java":{"":3},"python":{"":1},"javascript":{"":3}},"CWE-942: Permissive Cross-domain Policy with Untrusted Domains":{"hcl":{"":1}},"CWE-913: Improper Control of Dynamically-Managed Code Resources":{"go":{"":2}},"CWE-939: Improper Authorization in Handler for Custom URL Scheme":{"python":{"":1}},"CWE-155: Improper Neutralization of Wildcards or Matching Symbols":{"python":{"":1}},"CWE-94: Improper Control of Generation of Code ('Code Injection')":{"go":{"":1},"java":{"":4},"ruby":{"":3}},"CWE-1236: Improper Neutralization of Formula Elements in a CSV File":{"python":{"":1}},"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor":{"go":{"":1},"hcl":{"":2},"java":{"":1},"python":{"":1},"typescript":{"":1}},"CWE-264: CWE CATEGORY: Permissions, Privileges, and Access Controls":{"json":{"":1}},"CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')":{"java":{"":1}},"CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute":{"java":{"":1},"python":{"":2}},"CWE-1022: Use of Web Link to Untrusted Target with window.opener Access":{"generic":{"":3}},"CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)":{"go":{"":1},"javascript":{"":1}},"CWE-774: Allocation of File Descriptors or Handles Without Limits or Throttling":{"c":{"":1}},"CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer":{"javascript":{"":1}},"CWE-643: Improper Neutralization of Data within XPath Expressions ('XPath 
Injection')":{"java":{"":1}},"CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')":{"go":{"":1},"java":{"":2},"ruby":{"":1},"python":{"":1},"generic":{"":1}},"CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes":{"ruby":{"":3},"python":{"":1}},"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')":{"go":{"":5},"java":{"":3},"regex":{"":4},"python":{"":6},"generic":{"":6},"javascript":{"":1},"typescript":{"":3}},"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')":{"go":{"":1},"java":{"":3},"python":{"":5}},"CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')":{"java":{"":3}},"CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')":{"python":{"":1}},"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')":{"python":{"":7},"javascript":{"":2}},"CWE-96: Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')":{"python":{"":3}},"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')":{"java":{"":2},"python":{"":6},"javascript":{"":2}},"CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')":{"java":{"":1},"generic":{"":1}},"CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')":{"python":{"":2}}},"rules_with_no_cwe":["no-string-eqeq","assignment-comparison","eqeq","hardcoded-conditional"]},"owasp":{"totals":{"":17,"A1: Injection":2,"A01:2017: Injection":24,"A03:2021: Injection":76,"A04:2021: Insecure Design":7,"A3: Sensitive Data Exposure":11,"A6: Security Misconfiguration":1,"A01:2021: Broken Access Control":34,"A02:2017: Broken Authentication":2,"A05:2017: Broken Access Control":10,"A02:2021: Cryptographic 
Failures":47,"A03:2017: Sensitive Data Exposure":49,"A08:2017: Insecure Deserialization":13,"A05:2021: Security Misconfiguration":20,"A06:2017: Security Misconfiguration":5,"A07:2017: Cross-Site Scripting (XSS)":28,"A04:2017: XML External Entities (XXE)":8,"A08:2021: Software and Data Integrity Failures":17,"A9: Using Components with Known Vulnerabilities":2,"A07:2021: Identification and Authentication Failures":20},"per_framework":{"":{"c":{"":8},"go":{"":2},"java":{"":4},"ruby":{"":2},"javascript":{"":1}},"A1: Injection":{"python":{"":2}},"A01:2017: Injection":{"c":{"":1},"go":{"":1},"java":{"":8},"python":{"":12},"javascript":{"":2}},"A03:2021: Injection":{"c":{"":1},"go":{"":7},"java":{"":18},"ruby":{"":3},"regex":{"":4},"python":{"":27},"generic":{"":7},"javascript":{"":6},"typescript":{"":3}},"A04:2021: Insecure Design":{"hcl":{"":1},"java":{"":2},"ruby":{"":2},"python":{"":1},"dockerfile":{"":1}},"A3: Sensitive Data Exposure":{"python":{"":11}},"A6: Security Misconfiguration":{"python":{"":1}},"A01:2021: Broken Access Control":{"go":{"":5},"hcl":{"":2},"java":{"":9},"json":{"":1},"ruby":{"":2},"python":{"":7},"generic":{"":5},"javascript":{"":2},"typescript":{"":1}},"A02:2017: Broken Authentication":{"java":{"":1},"python":{"":1}},"A05:2017: Broken Access Control":{"go":{"":1},"java":{"":2},"ruby":{"":1},"python":{"":1},"generic":{"":4},"javascript":{"":1}},"A02:2021: Cryptographic Failures":{"go":{"":10},"java":{"":13},"ruby":{"":2},"python":{"":15},"generic":{"":3},"javascript":{"":3},"typescript":{"":1}},"A03:2017: Sensitive Data Exposure":{"go":{"":8},"hcl":{"":1},"java":{"":14},"ruby":{"":4},"python":{"":16},"generic":{"":3},"javascript":{"":2},"typescript":{"":1}},"A08:2017: Insecure Deserialization":{"java":{"":2},"ruby":{"":1},"python":{"":9},"javascript":{"":1}},"A05:2021: Security Misconfiguration":{"hcl":{"":1},"java":{"":5},"python":{"":8},"generic":{"":3},"javascript":{"":3}},"A06:2017: Security 
Misconfiguration":{"go":{"":1},"python":{"":1},"generic":{"":3}},"A07:2017: Cross-Site Scripting (XSS)":{"go":{"":5},"java":{"":3},"regex":{"":4},"python":{"":6},"generic":{"":6},"javascript":{"":1},"typescript":{"":3}},"A04:2017: XML External Entities (XXE)":{"java":{"":3},"python":{"":2},"javascript":{"":3}},"A08:2021: Software and Data Integrity Failures":{"java":{"":2},"ruby":{"":4},"python":{"":10},"javascript":{"":1}},"A9: Using Components with Known Vulnerabilities":{"java":{"":2}},"A07:2021: Identification and Authentication Failures":{"go":{"":3},"java":{"":4},"ruby":{"":2},"python":{"":7},"javascript":{"":4}}},"rules_with_no_owasp":["detect-buffer-noassert","use-of-unsafe-block","divide-by-zero","insecure-use-strcat-fn","timing-attack","potential-dos-via-decompression-bomb","use-after-free","insecure-use-gets-fn","insecure-use-string-copy-fn","insecure-use-strtok-fn","random-fd-exhaustion","insecure-use-scanf-fn","insecure-use-printf-fn","no-string-eqeq","assignment-comparison","eqeq","hardcoded-conditional"]}},"author":"Cristiano Corrado","counts":{"total_rules":260,"premium_rules":0},"hidden":true,"description":"","id":"6vo","name":"cristiano-corrado.java-security-all","visibility":"public","categories":[]},{"tags":["semgrep","security"],"stats":{"cwe":{"totals":{"CWE-319: Cleartext Transmission of Sensitive Information":1},"per_framework":{"CWE-326: Inadequate Encryption Strength":{"python":{"":1}},"CWE-319: Cleartext Transmission of Sensitive Information":{"go":{"":9},"java":{"":14},"ruby":{"":5},"python":{"":16},"javascript":{"":8}}},"rules_with_no_cwe":[]},"owasp":{"totals":{"A02:2021: Cryptographic Failures":18,"A03:2017: Sensitive Data Exposure":53},"per_framework":{"A02:2021: Cryptographic Failures":{"python":{"":17},"javascript":{"":1}},"A03:2017: Sensitive Data 
Exposure":{"go":{"":9},"java":{"":14},"ruby":{"":5},"python":{"":17},"javascript":{"":8}}},"rules_with_no_owasp":[]}},"author":"r2c","counts":{"total_rules":53,"premium_rules":0},"hidden":true,"languages":["java","javascript","go","python","ruby"],"description":"Omni pack for insecure transport rules","id":"Yoe","name":"colleend.insecure-transport-omni","visibility":"public","categories":[]},{"tags":[],"tier":null,"stats":{"cwe":{"totals":{"CWE-264: CWE CATEGORY: Permissions, Privileges, and Access Controls":2},"per_framework":{"":{"java":{"":4},"javascript":{"":7}},"CWE-287: Improper Authentication":{"java":{"":1}},"CWE-276: Incorrect Default Permissions":{"java":{"":1}},"CWE-798: Use of Hard-coded Credentials":{"javascript":{"":6}},"CWE-326: Inadequate Encryption Strength":{"java":{"":5}},"CWE-295: Improper Certificate Validation":{"java":{"":2}},"CWE-183: Permissive List of Allowed Inputs":{"java":{"":1}},"CWE-352: Cross-Site Request Forgery (CSRF)":{"java":{"":2},"javascript":{"":1}},"CWE-502: Deserialization of Untrusted Data":{"java":{"":2},"javascript":{"":1}},"CWE-704: Incorrect Type Conversion or Cast":{"java":{"":1}},"CWE-918: Server-Side Request Forgery (SSRF)":{"javascript":{"":7}},"CWE-522: Insufficiently Protected Credentials":{"javascript":{"":9}},"CWE-116: Improper Encoding or Escaping of Output":{"javascript":{"":1}},"CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag":{"java":{"":1}},"CWE-329: Generation of Predictable IV with CBC Mode":{"java":{"":1}},"CWE-706: Use of Incorrectly-Resolved Name or Reference":{"javascript":{"":2}},"CWE-345: Insufficient Verification of Data Authenticity":{"javascript":{"":1}},"CWE-319: Cleartext Transmission of Sensitive Information":{"java":{"":1}},"CWE-327: Use of a Broken or Risky Cryptographic Algorithm":{"java":{"":5},"javascript":{"":2}},"CWE-601: URL Redirection to Untrusted Site ('Open Redirect')":{"java":{"":2},"javascript":{"":1}},"CWE-297: Improper Validation of Certificate with Host 
Mismatch":{"java":{"":1}},"CWE-611: Improper Restriction of XML External Entity Reference":{"java":{"":3},"javascript":{"":6}},"CWE-94: Improper Control of Generation of Code (Code Injection)":{"javascript":{"":6}},"CWE-94: Improper Control of Generation of Code ('Code Injection')":{"java":{"":4},"javascript":{"":14}},"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor":{"java":{"":1}},"CWE-264: CWE CATEGORY: Permissions, Privileges, and Access Controls":{"json":{"":1}},"CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')":{"java":{"":1}},"CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute":{"java":{"":1}},"CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer":{"javascript":{"":1}},"CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)":{"javascript":{"":1}},"CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')":{"java":{"":2},"javascript":{"":2}},"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')":{"java":{"":2},"javascript":{"":2}},"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')":{"java":{"":2}},"CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')":{"java":{"":2}},"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')":{"javascript":{"":2}},"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')":{"java":{"":1},"javascript":{"":3}}},"rules_with_no_cwe":["assigned-undefined","javascript-alert","javascript-debugger","javascript-confirm","javascript-prompt","useless-assignment","eqeq-is-bad","no-string-eqeq","assignment-comparison","eqeq","hardcoded-conditional"]},"owasp":{"totals":{"":12,"A1: Injection":6,"A01:2017: Injection":8,"A03:2021: Injection":35,"A04:2021: Insecure Design":10,"A01:2021: Broken Access 
Control":15,"A02:2017: Broken Authentication":10,"A05:2017: Broken Access Control":5,"A02:2021: Cryptographic Failures":12,"A03:2017: Sensitive Data Exposure":14,"A08:2017: Insecure Deserialization":3,"A05:2021: Security Misconfiguration":11,"A07:2017: Cross-Site Scripting (XSS)":4,"A04:2017: XML External Entities (XXE)":9,"A10:2021: Server-Side Request Forgery (SSRF)":7,"A08:2021: Software and Data Integrity Failures":4,"A9: Using Components with Known Vulnerabilities":2,"A07:2021: Identification and Authentication Failures":10},"per_framework":{"":{"java":{"":4},"javascript":{"":8}},"A1: Injection":{"javascript":{"":6}},"A01:2017: Injection":{"java":{"":5},"javascript":{"":3}},"A03:2021: Injection":{"java":{"":12},"javascript":{"":23}},"A04:2021: Insecure Design":{"java":{"":1},"javascript":{"":9}},"A01:2021: Broken Access Control":{"java":{"":8},"json":{"":1},"javascript":{"":6}},"A02:2017: Broken Authentication":{"java":{"":1},"javascript":{"":9}},"A05:2017: Broken Access Control":{"java":{"":2},"javascript":{"":3}},"A02:2021: Cryptographic Failures":{"java":{"":10},"javascript":{"":2}},"A03:2017: Sensitive Data Exposure":{"java":{"":12},"javascript":{"":2}},"A08:2017: Insecure Deserialization":{"java":{"":2},"javascript":{"":1}},"A05:2021: Security Misconfiguration":{"java":{"":5},"javascript":{"":6}},"A07:2017: Cross-Site Scripting (XSS)":{"java":{"":2},"javascript":{"":2}},"A04:2017: XML External Entities (XXE)":{"java":{"":3},"javascript":{"":6}},"A10:2021: Server-Side Request Forgery (SSRF)":{"javascript":{"":7}},"A08:2021: Software and Data Integrity Failures":{"java":{"":2},"javascript":{"":2}},"A9: Using Components with Known Vulnerabilities":{"java":{"":2}},"A07:2021: Identification and Authentication 
Failures":{"java":{"":4},"javascript":{"":6}}},"rules_with_no_owasp":["assigned-undefined","javascript-alert","javascript-debugger","javascript-confirm","javascript-prompt","detect-buffer-noassert","useless-assignment","eqeq-is-bad","no-string-eqeq","assignment-comparison","eqeq","hardcoded-conditional"]}},"author":"brileyd","counts":{"total_rules":125,"premium_rules":0},"hidden":true,"description":"All Java, JavaScript and JSON rules.","id":"DlY","name":"brileyd.java_js_json","visibility":"public","categories":[]},{"tags":[],"tier":null,"stats":{"cwe":{"totals":{"":4},"per_framework":{"":{"java":{"":4}},"CWE-287: Improper Authentication":{"java":{"":1}},"CWE-276: Incorrect Default Permissions":{"java":{"":1}},"CWE-326: Inadequate Encryption Strength":{"java":{"":5}},"CWE-295: Improper Certificate Validation":{"java":{"":2}},"CWE-183: Permissive List of Allowed Inputs":{"java":{"":1}},"CWE-352: Cross-Site Request Forgery (CSRF)":{"java":{"":2}},"CWE-502: Deserialization of Untrusted Data":{"java":{"":2}},"CWE-704: Incorrect Type Conversion or Cast":{"java":{"":1}},"CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag":{"java":{"":1}},"CWE-329: Generation of Predictable IV with CBC Mode":{"java":{"":1}},"CWE-319: Cleartext Transmission of Sensitive Information":{"java":{"":1}},"CWE-327: Use of a Broken or Risky Cryptographic Algorithm":{"java":{"":5}},"CWE-601: URL Redirection to Untrusted Site ('Open Redirect')":{"java":{"":2}},"CWE-297: Improper Validation of Certificate with Host Mismatch":{"java":{"":1}},"CWE-611: Improper Restriction of XML External Entity Reference":{"java":{"":3}},"CWE-94: Improper Control of Generation of Code ('Code Injection')":{"java":{"":4}},"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor":{"java":{"":1}},"CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')":{"java":{"":1}},"CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute":{"java":{"":1}},"CWE-22: Improper Limitation of a Pathname 
to a Restricted Directory ('Path Traversal')":{"java":{"":2}},"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')":{"java":{"":2}},"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')":{"java":{"":2}},"CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')":{"java":{"":2}},"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')":{"java":{"":1}},"CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')":{"java":{"":1}}},"rules_with_no_cwe":["no-string-eqeq","assignment-comparison","eqeq","hardcoded-conditional"]},"owasp":{"totals":{"":4,"A01:2017: Injection":5,"A03:2021: Injection":13,"A04:2021: Insecure Design":1,"A01:2021: Broken Access Control":8,"A02:2017: Broken Authentication":1,"A05:2017: Broken Access Control":2,"A02:2021: Cryptographic Failures":10,"A03:2017: Sensitive Data Exposure":12,"A08:2017: Insecure Deserialization":2,"A05:2021: Security Misconfiguration":5,"A07:2017: Cross-Site Scripting (XSS)":2,"A04:2017: XML External Entities (XXE)":3,"A08:2021: Software and Data Integrity Failures":2,"A9: Using Components with Known Vulnerabilities":2,"A07:2021: Identification and Authentication Failures":4},"per_framework":{"":{"java":{"":4}},"A01:2017: Injection":{"java":{"":5}},"A03:2021: Injection":{"java":{"":13}},"A04:2021: Insecure Design":{"java":{"":1}},"A01:2021: Broken Access Control":{"java":{"":8}},"A02:2017: Broken Authentication":{"java":{"":1}},"A05:2017: Broken Access Control":{"java":{"":2}},"A02:2021: Cryptographic Failures":{"java":{"":10}},"A03:2017: Sensitive Data Exposure":{"java":{"":12}},"A08:2017: Insecure Deserialization":{"java":{"":2}},"A05:2021: Security Misconfiguration":{"java":{"":5}},"A07:2017: Cross-Site Scripting (XSS)":{"java":{"":2}},"A04:2017: XML External Entities (XXE)":{"java":{"":3}},"A08:2021: Software and Data 
Integrity Failures":{"java":{"":2}},"A9: Using Components with Known Vulnerabilities":{"java":{"":2}},"A07:2021: Identification and Authentication Failures":{"java":{"":4}}},"rules_with_no_owasp":["no-string-eqeq","assignment-comparison","eqeq","hardcoded-conditional"]}},"author":"Ben Cambourne","counts":{"total_rules":50,"premium_rules":0},"hidden":true,"description":"","id":"5vA","name":"ben-elttam.bdawg-java-all","visibility":"public","categories":[]},{"tags":[],"tier":null,"stats":{"cwe":{"totals":{"CWE-918: Server-Side Request Forgery (SSRF)":2},"per_framework":{"":{"javascript":{"":7}},"CWE-798: Use of Hard-coded Credentials":{"javascript":{"":6}},"CWE-352: Cross-Site Request Forgery (CSRF)":{"javascript":{"":1}},"CWE-502: Deserialization of Untrusted Data":{"javascript":{"":1}},"CWE-918: Server-Side Request Forgery (SSRF)":{"javascript":{"":7}},"CWE-522: Insufficiently Protected Credentials":{"javascript":{"":9}},"CWE-116: Improper Encoding or Escaping of Output":{"javascript":{"":1}},"CWE-706: Use of Incorrectly-Resolved Name or Reference":{"javascript":{"":2}},"CWE-345: Insufficient Verification of Data Authenticity":{"javascript":{"":1}},"CWE-327: Use of a Broken or Risky Cryptographic Algorithm":{"javascript":{"":2}},"CWE-611: Improper Restriction of XML External Entity Reference":{"javascript":{"":6}},"CWE-94: Improper Control of Generation of Code (Code Injection)":{"javascript":{"":6}},"CWE-94: Improper Control of Generation of Code ('Code Injection')":{"javascript":{"":12}},"CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer":{"javascript":{"":1}},"CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)":{"javascript":{"":1}},"CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')":{"javascript":{"":2}},"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')":{"javascript":{"":2}},"CWE-78: Improper Neutralization of 
Special Elements used in an OS Command ('OS Command Injection')":{"javascript":{"":2}}},"rules_with_no_cwe":["eqeq-is-bad","useless-assignment","javascript-prompt","javascript-confirm","javascript-debugger","javascript-alert","assigned-undefined"]},"owasp":{"totals":{"":8,"A1: Injection":6,"A01:2017: Injection":2,"A03:2021: Injection":18,"A04:2021: Insecure Design":9,"A01:2021: Broken Access Control":5,"A02:2017: Broken Authentication":9,"A05:2017: Broken Access Control":3,"A02:2021: Cryptographic Failures":2,"A03:2017: Sensitive Data Exposure":2,"A08:2017: Insecure Deserialization":1,"A05:2021: Security Misconfiguration":6,"A04:2017: XML External Entities (XXE)":6,"A10:2021: Server-Side Request Forgery (SSRF)":7,"A08:2021: Software and Data Integrity Failures":2,"A07:2021: Identification and Authentication Failures":6},"per_framework":{"":{"javascript":{"":8}},"A1: Injection":{"javascript":{"":6}},"A01:2017: Injection":{"javascript":{"":2}},"A03:2021: Injection":{"javascript":{"":18}},"A04:2021: Insecure Design":{"javascript":{"":9}},"A01:2021: Broken Access Control":{"javascript":{"":5}},"A02:2017: Broken Authentication":{"javascript":{"":9}},"A05:2017: Broken Access Control":{"javascript":{"":3}},"A02:2021: Cryptographic Failures":{"javascript":{"":2}},"A03:2017: Sensitive Data Exposure":{"javascript":{"":2}},"A08:2017: Insecure Deserialization":{"javascript":{"":1}},"A05:2021: Security Misconfiguration":{"javascript":{"":6}},"A04:2017: XML External Entities (XXE)":{"javascript":{"":6}},"A10:2021: Server-Side Request Forgery (SSRF)":{"javascript":{"":7}},"A08:2021: Software and Data Integrity Failures":{"javascript":{"":2}},"A07:2021: Identification and Authentication Failures":{"javascript":{"":6}}},"rules_with_no_owasp":["eqeq-is-bad","useless-assignment","detect-buffer-noassert","javascript-prompt","javascript-confirm","javascript-debugger","javascript-alert","assigned-undefined"]}},"author":"Daghan 
Altas","counts":{"total_rules":69,"premium_rules":0},"hidden":true,"description":"","id":"zjG","name":"daghan.all js","visibility":"public","categories":[]},{"tags":[],"tier":null,"stats":{"cwe":{"totals":{"":2},"per_framework":{"":{"go":{"":6}},"CWE-489: Active Debug Code":{"go":{"":1}},"CWE-377: Insecure Temporary File":{"go":{"":1}},"CWE-798: Use of Hard-coded Credentials":{"go":{"":1}},"CWE-400: Uncontrolled Resource Consumption":{"go":{"":1}},"CWE-300: Channel Accessible by Non-Endpoint":{"go":{"":2}},"CWE-242: Use of Inherently Dangerous Function":{"go":{"":1}},"CWE-289: Authentication Bypass by Alternate Name":{"go":{"":1}},"CWE-322: Key Exchange without Entity Authentication":{"go":{"":1}},"CWE-327: Use of a Broken or Risky Cryptographic Algorithm":{"go":{"":3}},"CWE-913: Improper Control of Dynamically-Managed Code Resources":{"go":{"":2}},"CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')":{"go":{"":1}},"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')":{"go":{"":6}},"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')":{"go":{"":1}}},"rules_with_no_cwe":["channel-guarded-with-mutex","hidden-goroutine","useless-if-conditional","useless-if-body","eqeq-is-bad","hardcoded-eq-true-or-false"]},"owasp":{"totals":{"":9,"A01:2017: Injection":1,"A03:2021: Injection":7,"A01:2021: Broken Access Control":4,"A05:2017: Broken Access Control":1,"A02:2021: Cryptographic Failures":4,"A03:2017: Sensitive Data Exposure":3,"A06:2017: Security Misconfiguration":1,"A07:2017: Cross-Site Scripting (XSS)":6,"A07:2021: Identification and Authentication Failures":3},"per_framework":{"":{"go":{"":9}},"A01:2017: Injection":{"go":{"":1}},"A03:2021: Injection":{"go":{"":7}},"A01:2021: Broken Access Control":{"go":{"":4}},"A05:2017: Broken Access Control":{"go":{"":1}},"A02:2021: Cryptographic Failures":{"go":{"":4}},"A03:2017: Sensitive Data 
Exposure":{"go":{"":3}},"A06:2017: Security Misconfiguration":{"go":{"":1}},"A07:2017: Cross-Site Scripting (XSS)":{"go":{"":6}},"A07:2021: Identification and Authentication Failures":{"go":{"":3}}},"rules_with_no_owasp":["handler-assignment-from-multiple-sources","channel-guarded-with-mutex","hidden-goroutine","useless-if-conditional","useless-if-body","potential-dos-via-decompression-bomb","use-of-unsafe-block","eqeq-is-bad","hardcoded-eq-true-or-false"]}},"author":"diegommm","counts":{"total_rules":28,"premium_rules":0},"hidden":true,"description":"","id":"k87","name":"diegommm.test","visibility":"public","categories":[]},{"tags":[],"tier":null,"stats":{"cwe":{"totals":{"CWE-523: Unprotected Transport of Credentials":3},"per_framework":{"":{"python":{"":87}},"CWE-489: Active Debug Code":{"python":{"":5}},"CWE-310: Cryptographic Issues":{"python":{"":7}},"CWE-377: Insecure Temporary File":{"python":{"":1}},"CWE-521: Weak Password Requirements":{"python":{"":2}},"CWE-798: Use of Hard-coded Credentials":{"python":{"":2}},"CWE-326: Inadequate Encryption Strength":{"python":{"":3}},"CWE-295: Improper Certificate Validation":{"python":{"":3}},"CWE-352: Cross-Site Request Forgery (CSRF)":{"python":{"":2}},"CWE-502: Deserialization of Untrusted Data":{"python":{"":13}},"CWE-918: Server-Side Request Forgery (SSRF)":{"python":{"":3}},"CWE-311: Missing Encryption of Sensitive Data":{"python":{"":2}},"CWE-523: Unprotected Transport of Credentials":{"python":{"":1}},"CWE-668: Exposure of Resource to Wrong Sphere":{"python":{"":2}},"CWE-73: External Control of File Name or Path":{"python":{"":1}},"CWE-116: Improper Encoding or Escaping of Output":{"python":{"":1}},"CWE-322: Key Exchange without Entity Authentication":{"python":{"":1}},"CWE-1104: Use of Unmaintained Third Party Components":{"python":{"":3}},"CWE-689: Permission Race Condition During Resource Copy":{"python":{"":1}},"CWE-319: Cleartext Transmission of Sensitive Information":{"python":{"":3}},"CWE-327: Use of a 
Broken or Risky Cryptographic Algorithm":{"python":{"":19}},"CWE-601: URL Redirection to Untrusted Site ('Open Redirect')":{"python":{"":1}},"CWE-611: Improper Restriction of XML External Entity Reference":{"python":{"":2}},"CWE-939: Improper Authorization in Handler for Custom URL Scheme":{"python":{"":1}},"CWE-155: Improper Neutralization of Wildcards or Matching Symbols":{"python":{"":1}},"CWE-1236: Improper Neutralization of Formula Elements in a CSV File":{"python":{"":1}},"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor":{"python":{"":1}},"CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')":{"python":{"":1}},"CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute":{"python":{"":2}},"CWE-497: Exposure of Sensitive System Information to an Unauthorized Control Sphere":{"python":{"":1}},"CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')":{"python":{"":6}},"CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes":{"python":{"":1}},"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')":{"python":{"":6}},"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')":{"python":{"":8}},"CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')":{"python":{"":1}},"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')":{"python":{"":11}},"CWE-96: Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')":{"python":{"":3}},"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')":{"python":{"":13}},"CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component 
('Injection')":{"python":{"":2}}},"rules_with_no_cwe":["use-click-secho","use-django-environ","use-onetoonefield","use-json-response","use-count-method","access-foreign-keys","use-earliest-or-latest","django-compat-2_0-signals-weak","django-compat-2_0-check-aggregate-support","django-compat-2_0-extra-forms","django-compat-2_0-assignment-tag","django-compat-2_0-assert-redirects-helper","no-null-string-field","string-field-must-set-null-true","django-db-model-save-super","nontext-field-must-set-null-true","bokeh-deprecated-apis","len-all-count","batch-import","delete-where-no-execute","bad-operator-in-filter","attr-mutable-initializer","use-jsonify","flask-deprecated-apis","flask-duplicate-handler-name","avoid-accessing-request-in-wrong-handler","python-debugger-found","pass-body-fn","pass-body-range","missing-hash-with-eq","arbitrary-sleep","open-never-closed","manual-defaultdict-dict-create","manual-defaultdict-set-create","manual-defaultdict-list-create","manual-counter-create","hardcoded-tmp-path","useless-inner-function","useless-literal-dict","useless-assignment-keyed","useless-if-conditional","useless-if-body","code-after-unconditional-return","return-not-in-function","python36-compatibility-ssl","python36-compatibility-Popen1","python37-compatibility-importlib","python37-compatibility-importlib2","python37-compatibility-importlib3","python37-compatibility-httpconn","python37-compatibility-httpsconn","python37-compatibility-textiowrapper","python37-compatibility-ipv6network1","python37-compatibility-ipv6network2","python37-compatibility-ipv4network1","python37-compatibility-ipv4network2","python37-compatibility-math1","python37-compatibility-locale1","python37-compatibility-multiprocess1","python37-compatibility-multiprocess2","python37-compatibility-os1","python37-compatability-os-module","python37-compatibility-os2-ok2","python37-compatibility-pdb","pdb-remove","use-sys-exit","return-in-init","yield-in-init","file-object-redefined-before-close","unchecked-sub
process-call","baseclass-attribute-override","no-strings-as-booleans","useless-eqeq","writing-to-file-in-read-mode","dict-del-while-iterate","list-modify-while-iterate","is-not-is-not","default-mutable-list","default-mutable-dict","identical-is-comparison","string-is-comparison","string-concat-in-list","raise-not-base-exception","tempfile-insecure","tempfile-without-flush","use-timeout","use-raise-for-status"]},"owasp":{"totals":{"":87,"A1: Injection":2,"A01:2017: Injection":22,"A03:2021: Injection":40,"A04:2021: Insecure Design":1,"A3: Sensitive Data Exposure":11,"A6: Security Misconfiguration":1,"A01:2021: Broken Access Control":10,"A02:2017: Broken Authentication":1,"A05:2017: Broken Access Control":4,"A02:2021: Cryptographic Failures":21,"A03:2017: Sensitive Data Exposure":22,"A08:2017: Insecure Deserialization":12,"A05:2021: Security Misconfiguration":18,"A06:2017: Security Misconfiguration":11,"A07:2017: Cross-Site Scripting (XSS)":6,"A04:2017: XML External Entities (XXE)":2,"A06:2021: Vulnerable and Outdated Components":9,"A10:2021: Server-Side Request Forgery (SSRF)":3,"A08:2021: Software and Data Integrity Failures":13,"A07:2021: Identification and Authentication Failures":7,"A09:2017: Using Components with Known Vulnerabilities":9},"per_framework":{"":{"python":{"":87}},"A1: Injection":{"python":{"":2}},"A01:2017: Injection":{"python":{"":22}},"A03:2021: Injection":{"python":{"":40}},"A04:2021: Insecure Design":{"python":{"":1}},"A3: Sensitive Data Exposure":{"python":{"":11}},"A6: Security Misconfiguration":{"python":{"":1}},"A01:2021: Broken Access Control":{"python":{"":10}},"A02:2017: Broken Authentication":{"python":{"":1}},"A05:2017: Broken Access Control":{"python":{"":4}},"A02:2021: Cryptographic Failures":{"python":{"":21}},"A03:2017: Sensitive Data Exposure":{"python":{"":22}},"A08:2017: Insecure Deserialization":{"python":{"":12}},"A05:2021: Security Misconfiguration":{"python":{"":18}},"A06:2017: Security 
Misconfiguration":{"python":{"":11}},"A07:2017: Cross-Site Scripting (XSS)":{"python":{"":6}},"A04:2017: XML External Entities (XXE)":{"python":{"":2}},"A06:2021: Vulnerable and Outdated Components":{"python":{"":9}},"A10:2021: Server-Side Request Forgery (SSRF)":{"python":{"":3}},"A08:2021: Software and Data Integrity Failures":{"python":{"":13}},"A07:2021: Identification and Authentication Failures":{"python":{"":7}},"A09:2017: Using Components with Known Vulnerabilities":{"python":{"":9}}},"rules_with_no_owasp":["use-click-secho","use-django-environ","use-onetoonefield","use-json-response","use-count-method","access-foreign-keys","use-earliest-or-latest","django-compat-2_0-signals-weak","django-compat-2_0-check-aggregate-support","django-compat-2_0-extra-forms","django-compat-2_0-assignment-tag","django-compat-2_0-assert-redirects-helper","no-null-string-field","string-field-must-set-null-true","django-db-model-save-super","nontext-field-must-set-null-true","bokeh-deprecated-apis","len-all-count","batch-import","delete-where-no-execute","bad-operator-in-filter","attr-mutable-initializer","use-jsonify","flask-deprecated-apis","flask-duplicate-handler-name","avoid-accessing-request-in-wrong-handler","python-debugger-found","pass-body-fn","pass-body-range","missing-hash-with-eq","arbitrary-sleep","open-never-closed","manual-defaultdict-dict-create","manual-defaultdict-set-create","manual-defaultdict-list-create","manual-counter-create","hardcoded-tmp-path","useless-inner-function","useless-literal-dict","useless-assignment-keyed","useless-if-conditional","useless-if-body","code-after-unconditional-return","return-not-in-function","python36-compatibility-ssl","python36-compatibility-Popen1","python37-compatibility-importlib","python37-compatibility-importlib2","python37-compatibility-importlib3","python37-compatibility-httpconn","python37-compatibility-httpsconn","python37-compatibility-textiowrapper","python37-compatibility-ipv6network1","python37-compatibility-ipv6
network2","python37-compatibility-ipv4network1","python37-compatibility-ipv4network2","python37-compatibility-math1","python37-compatibility-locale1","python37-compatibility-multiprocess1","python37-compatibility-multiprocess2","python37-compatibility-os1","python37-compatability-os-module","python37-compatibility-os2-ok2","python37-compatibility-pdb","pdb-remove","use-sys-exit","return-in-init","yield-in-init","file-object-redefined-before-close","unchecked-subprocess-call","baseclass-attribute-override","no-strings-as-booleans","useless-eqeq","writing-to-file-in-read-mode","dict-del-while-iterate","list-modify-while-iterate","is-not-is-not","default-mutable-list","default-mutable-dict","identical-is-comparison","string-is-comparison","string-concat-in-list","raise-not-base-exception","tempfile-insecure","tempfile-without-flush","use-timeout","use-raise-for-status"]}},"author":"David Mary","counts":{"total_rules":224,"premium_rules":0},"hidden":true,"description":"All rules available for python","id":"wjY","name":"dmarydg.my-complete-python-pack","visibility":"public","categories":[]},{"tags":[],"tier":null,"stats":{"cwe":{"totals":{"":8},"per_framework":{"":{"python":{"":1}},"CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')":{"go":{"":1},"java":{"":2},"python":{"":3},"javascript":{"":2}}},"rules_with_no_cwe":["hardcoded-tmp-path"]},"owasp":{"totals":{"":1,"A01:2021: Broken Access Control":8,"A05:2017: Broken Access Control":8},"per_framework":{"":{"python":{"":1}},"A01:2021: Broken Access Control":{"go":{"":1},"java":{"":2},"python":{"":3},"javascript":{"":2}},"A05:2017: Broken Access Control":{"go":{"":1},"java":{"":2},"python":{"":3},"javascript":{"":2}}},"rules_with_no_owasp":["hardcoded-tmp-path"]}},"author":"Joe Bollen","counts":{"total_rules":9,"premium_rules":0},"hidden":true,"description":"Detect possible dangerous path traversal in Java, JS and 
Python","id":"J7w","name":"hazanasec.possible_path_traversal","visibility":"public","categories":[]},{"tags":[],"stats":{"cwe":{"totals":{"":2},"per_framework":{"":{"python":{"":44}},"CWE-489: Active Debug Code":{"python":{"":5}},"CWE-310: Cryptographic Issues":{"python":{"":7}},"CWE-377: Insecure Temporary File":{"python":{"":1}},"CWE-798: Use of Hard-coded Credentials":{"python":{"":2}},"CWE-326: Inadequate Encryption Strength":{"python":{"":3}},"CWE-295: Improper Certificate Validation":{"python":{"":3}},"CWE-352: Cross-Site Request Forgery (CSRF)":{"python":{"":1}},"CWE-502: Deserialization of Untrusted Data":{"python":{"":12}},"CWE-918: Server-Side Request Forgery (SSRF)":{"python":{"":1}},"CWE-311: Missing Encryption of Sensitive Data":{"python":{"":2}},"CWE-523: Unprotected Transport of Credentials":{"python":{"":1}},"CWE-668: Exposure of Resource to Wrong Sphere":{"python":{"":2}},"CWE-73: External Control of File Name or Path":{"python":{"":1}},"CWE-116: Improper Encoding or Escaping of Output":{"python":{"":1}},"CWE-322: Key Exchange without Entity Authentication":{"python":{"":1}},"CWE-1104: Use of Unmaintained Third Party Components":{"python":{"":3}},"CWE-689: Permission Race Condition During Resource Copy":{"python":{"":1}},"CWE-319: Cleartext Transmission of Sensitive Information":{"python":{"":3}},"CWE-327: Use of a Broken or Risky Cryptographic Algorithm":{"python":{"":19}},"CWE-601: URL Redirection to Untrusted Site ('Open Redirect')":{"python":{"":1}},"CWE-611: Improper Restriction of XML External Entity Reference":{"python":{"":2}},"CWE-939: Improper Authorization in Handler for Custom URL Scheme":{"python":{"":1}},"CWE-1236: Improper Neutralization of Formula Elements in a CSV File":{"python":{"":1}},"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor":{"python":{"":1}},"CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute":{"python":{"":1}},"CWE-497: Exposure of Sensitive System Information to an Unauthorized 
Control Sphere":{"python":{"":1}},"CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')":{"python":{"":3}},"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')":{"python":{"":3}},"CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')":{"python":{"":1}},"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')":{"python":{"":7}},"CWE-96: Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')":{"python":{"":2}},"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')":{"python":{"":12}}},"rules_with_no_cwe":["airflow-xss","use-click-secho","len-all-count","use-timeout","tempfile-without-flush","tempfile-insecure","raise-not-base-exception","string-concat-in-list","string-is-comparison","identical-is-comparison","default-mutable-dict","default-mutable-list","is-not-is-not","dict-del-while-iterate","useless-eqeq","unchecked-subprocess-call","file-object-redefined-before-close","yield-in-init","return-in-init","use-sys-exit","code-after-unconditional-return","useless-if-body","useless-if-conditional","useless-assignment-keyed","useless-literal-dict","useless-inner-function","hardcoded-tmp-path","manual-counter-create","manual-defaultdict-list-create","manual-defaultdict-dict-create","manual-defaultdict-set-create","open-never-closed","arbitrary-sleep","missing-hash-with-eq","pass-body-range","pass-body-fn","python-debugger-found","avoid-accessing-request-in-wrong-handler","flask-duplicate-handler-name","flask-deprecated-apis","use-jsonify","bad-operator-in-filter","delete-where-no-execute","batch-import"]},"owasp":{"totals":{"":44,"A1: Injection":2,"A01:2017: Injection":12,"A03:2021: Injection":20,"A04:2021: Insecure Design":1,"A3: Sensitive Data Exposure":11,"A6: Security Misconfiguration":1,"A01:2021: Broken Access Control":6,"A02:2017: 
Broken Authentication":1,"A05:2017: Broken Access Control":1,"A02:2021: Cryptographic Failures":21,"A03:2017: Sensitive Data Exposure":22,"A08:2017: Insecure Deserialization":11,"A05:2021: Security Misconfiguration":17,"A06:2017: Security Misconfiguration":11,"A07:2017: Cross-Site Scripting (XSS)":3,"A04:2017: XML External Entities (XXE)":2,"A06:2021: Vulnerable and Outdated Components":9,"A10:2021: Server-Side Request Forgery (SSRF)":1,"A08:2021: Software and Data Integrity Failures":11,"A07:2021: Identification and Authentication Failures":5,"A09:2017: Using Components with Known Vulnerabilities":9},"per_framework":{"":{"python":{"":44}},"A1: Injection":{"python":{"":2}},"A01:2017: Injection":{"python":{"":12}},"A03:2021: Injection":{"python":{"":20}},"A04:2021: Insecure Design":{"python":{"":1}},"A3: Sensitive Data Exposure":{"python":{"":11}},"A6: Security Misconfiguration":{"python":{"":1}},"A01:2021: Broken Access Control":{"python":{"":6}},"A02:2017: Broken Authentication":{"python":{"":1}},"A05:2017: Broken Access Control":{"python":{"":1}},"A02:2021: Cryptographic Failures":{"python":{"":21}},"A03:2017: Sensitive Data Exposure":{"python":{"":22}},"A08:2017: Insecure Deserialization":{"python":{"":11}},"A05:2021: Security Misconfiguration":{"python":{"":17}},"A06:2017: Security Misconfiguration":{"python":{"":11}},"A07:2017: Cross-Site Scripting (XSS)":{"python":{"":3}},"A04:2017: XML External Entities (XXE)":{"python":{"":2}},"A06:2021: Vulnerable and Outdated Components":{"python":{"":9}},"A10:2021: Server-Side Request Forgery (SSRF)":{"python":{"":1}},"A08:2021: Software and Data Integrity Failures":{"python":{"":11}},"A07:2021: Identification and Authentication Failures":{"python":{"":5}},"A09:2017: Using Components with Known 
Vulnerabilities":{"python":{"":9}}},"rules_with_no_owasp":["airflow-xss","use-click-secho","len-all-count","use-timeout","tempfile-without-flush","tempfile-insecure","raise-not-base-exception","string-concat-in-list","string-is-comparison","identical-is-comparison","default-mutable-dict","default-mutable-list","is-not-is-not","dict-del-while-iterate","useless-eqeq","unchecked-subprocess-call","file-object-redefined-before-close","yield-in-init","return-in-init","use-sys-exit","code-after-unconditional-return","useless-if-body","useless-if-conditional","useless-assignment-keyed","useless-literal-dict","useless-inner-function","hardcoded-tmp-path","manual-counter-create","manual-defaultdict-list-create","manual-defaultdict-dict-create","manual-defaultdict-set-create","open-never-closed","arbitrary-sleep","missing-hash-with-eq","pass-body-range","pass-body-fn","python-debugger-found","avoid-accessing-request-in-wrong-handler","flask-duplicate-handler-name","flask-deprecated-apis","use-jsonify","bad-operator-in-filter","delete-where-no-execute","batch-import"]}},"author":"Isaac Evans","counts":{"total_rules":149,"premium_rules":0},"hidden":true,"description":"All the python rules as of July 7, 2020","id":"0ev","name":"ievans.python-all-2020-07","visibility":"public","categories":[]},{"tags":[],"stats":{"cwe":{"totals":{"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')":1},"per_framework":{"":{"python":{"":4}},"CWE-521: Weak Password Requirements":{"python":{"":2}},"CWE-352: Cross-Site Request Forgery (CSRF)":{"python":{"":1}},"CWE-502: Deserialization of Untrusted Data":{"python":{"":1}},"CWE-918: Server-Side Request Forgery (SSRF)":{"python":{"":2}},"CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')":{"python":{"":1}},"CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute":{"python":{"":1}},"CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path 
Traversal')":{"python":{"":3}},"CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes":{"python":{"":1}},"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')":{"python":{"":3}},"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')":{"python":{"":8}},"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')":{"python":{"":4}},"CWE-96: Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')":{"python":{"":1}},"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')":{"python":{"":1}},"CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')":{"python":{"":2}}},"rules_with_no_cwe":["use-django-environ","use-onetoonefield","use-json-response","use-count-method"]},"owasp":{"totals":{"":4,"A01:2017: Injection":9,"A03:2021: Injection":20,"A01:2021: Broken Access Control":4,"A05:2017: Broken Access Control":3,"A08:2017: Insecure Deserialization":1,"A05:2021: Security Misconfiguration":1,"A07:2017: Cross-Site Scripting (XSS)":3,"A10:2021: Server-Side Request Forgery (SSRF)":2,"A08:2021: Software and Data Integrity Failures":2,"A07:2021: Identification and Authentication Failures":2},"per_framework":{"":{"python":{"":4}},"A01:2017: Injection":{"python":{"":9}},"A03:2021: Injection":{"python":{"":20}},"A01:2021: Broken Access Control":{"python":{"":4}},"A05:2017: Broken Access Control":{"python":{"":3}},"A08:2017: Insecure Deserialization":{"python":{"":1}},"A05:2021: Security Misconfiguration":{"python":{"":1}},"A07:2017: Cross-Site Scripting (XSS)":{"python":{"":3}},"A10:2021: Server-Side Request Forgery (SSRF)":{"python":{"":2}},"A08:2021: Software and Data Integrity Failures":{"python":{"":2}},"A07:2021: Identification and Authentication 
Failures":{"python":{"":2}}},"rules_with_no_owasp":["use-django-environ","use-onetoonefield","use-json-response","use-count-method"]}},"author":"Jacob Kaplan-Moss","counts":{"total_rules":35,"premium_rules":0},"hidden":true,"description":"","id":"Y9e","name":"jacobian.jkm's django pack","visibility":"public","categories":[]},{"tags":[],"tier":null,"stats":{"cwe":{"totals":{"":1},"per_framework":{"":{"java":{"":1}},"CWE-287: Improper Authentication":{"java":{"":1}},"CWE-326: Inadequate Encryption Strength":{"java":{"":2}},"CWE-295: Improper Certificate Validation":{"java":{"":2}},"CWE-352: Cross-Site Request Forgery (CSRF)":{"java":{"":1}},"CWE-502: Deserialization of Untrusted Data":{"java":{"":1}},"CWE-704: Incorrect Type Conversion or Cast":{"java":{"":1}},"CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag":{"java":{"":1}},"CWE-329: Generation of Predictable IV with CBC Mode":{"java":{"":1}},"CWE-319: Cleartext Transmission of Sensitive Information":{"java":{"":1}},"CWE-327: Use of a Broken or Risky Cryptographic Algorithm":{"java":{"":5}},"CWE-601: URL Redirection to Untrusted Site ('Open Redirect')":{"java":{"":1}},"CWE-611: Improper Restriction of XML External Entity Reference":{"java":{"":1}},"CWE-94: Improper Control of Generation of Code ('Code Injection')":{"java":{"":1}},"CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute":{"java":{"":1}},"CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')":{"java":{"":1}},"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')":{"java":{"":2}},"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')":{"java":{"":2}},"CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')":{"java":{"":1}},"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')":{"java":{"":1}},"CWE-113: Improper Neutralization of CRLF Sequences 
in HTTP Headers ('HTTP Request/Response Splitting')":{"java":{"":1}}},"rules_with_no_cwe":["eqeq"]},"owasp":{"totals":{"":1,"A01:2017: Injection":4,"A03:2021: Injection":8,"A01:2021: Broken Access Control":3,"A02:2017: Broken Authentication":1,"A05:2017: Broken Access Control":1,"A02:2021: Cryptographic Failures":7,"A03:2017: Sensitive Data Exposure":9,"A08:2017: Insecure Deserialization":1,"A05:2021: Security Misconfiguration":3,"A07:2017: Cross-Site Scripting (XSS)":2,"A04:2017: XML External Entities (XXE)":1,"A08:2021: Software and Data Integrity Failures":1,"A9: Using Components with Known Vulnerabilities":2,"A07:2021: Identification and Authentication Failures":3},"per_framework":{"":{"java":{"":1}},"A01:2017: Injection":{"java":{"":4}},"A03:2021: Injection":{"java":{"":8}},"A01:2021: Broken Access Control":{"java":{"":3}},"A02:2017: Broken Authentication":{"java":{"":1}},"A05:2017: Broken Access Control":{"java":{"":1}},"A02:2021: Cryptographic Failures":{"java":{"":7}},"A03:2017: Sensitive Data Exposure":{"java":{"":9}},"A08:2017: Insecure Deserialization":{"java":{"":1}},"A05:2021: Security Misconfiguration":{"java":{"":3}},"A07:2017: Cross-Site Scripting (XSS)":{"java":{"":2}},"A04:2017: XML External Entities (XXE)":{"java":{"":1}},"A08:2021: Software and Data Integrity Failures":{"java":{"":1}},"A9: Using Components with Known Vulnerabilities":{"java":{"":2}},"A07:2021: Identification and Authentication Failures":{"java":{"":3}}},"rules_with_no_owasp":["eqeq"]}},"author":"Izanagi95","counts":{"total_rules":29,"premium_rules":1},"hidden":true,"description":"","id":"Eoe","name":"izanagi95.full_java","visibility":"public","categories":[]},{"tags":[],"tier":null,"stats":{"cwe":{"totals":{"":1},"per_framework":{"":{"go":{"":6}},"CWE-489: Active Debug Code":{"go":{"":1}},"CWE-377: Insecure Temporary File":{"go":{"":1}},"CWE-798: Use of Hard-coded Credentials":{"go":{"":1}},"CWE-400: Uncontrolled Resource Consumption":{"go":{"":1}},"CWE-300: Channel Accessible 
by Non-Endpoint":{"go":{"":2}},"CWE-242: Use of Inherently Dangerous Function":{"go":{"":1}},"CWE-289: Authentication Bypass by Alternate Name":{"go":{"":1}},"CWE-322: Key Exchange without Entity Authentication":{"go":{"":1}},"CWE-319: Cleartext Transmission of Sensitive Information":{"go":{"":1}},"CWE-327: Use of a Broken or Risky Cryptographic Algorithm":{"go":{"":7}},"CWE-913: Improper Control of Dynamically-Managed Code Resources":{"go":{"":2}},"CWE-94: Improper Control of Generation of Code ('Code Injection')":{"go":{"":1}},"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor":{"go":{"":1}},"CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)":{"go":{"":1}},"CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')":{"go":{"":1}},"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')":{"go":{"":6}},"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')":{"go":{"":1}}},"rules_with_no_cwe":["channel-guarded-with-mutex","hidden-goroutine","useless-if-conditional","useless-if-body","eqeq-is-bad","hardcoded-eq-true-or-false"]},"owasp":{"totals":{"":9,"A01:2017: Injection":1,"A03:2021: Injection":8,"A01:2021: Broken Access Control":5,"A05:2017: Broken Access Control":1,"A02:2021: Cryptographic Failures":10,"A03:2017: Sensitive Data Exposure":8,"A06:2017: Security Misconfiguration":1,"A07:2017: Cross-Site Scripting (XSS)":6,"A07:2021: Identification and Authentication Failures":3},"per_framework":{"":{"go":{"":9}},"A01:2017: Injection":{"go":{"":1}},"A03:2021: Injection":{"go":{"":8}},"A01:2021: Broken Access Control":{"go":{"":5}},"A05:2017: Broken Access Control":{"go":{"":1}},"A02:2021: Cryptographic Failures":{"go":{"":10}},"A03:2017: Sensitive Data Exposure":{"go":{"":8}},"A06:2017: Security Misconfiguration":{"go":{"":1}},"A07:2017: Cross-Site Scripting (XSS)":{"go":{"":6}},"A07:2021: Identification and 
Authentication Failures":{"go":{"":3}}},"rules_with_no_owasp":["handler-assignment-from-multiple-sources","channel-guarded-with-mutex","hidden-goroutine","useless-if-conditional","useless-if-body","potential-dos-via-decompression-bomb","use-of-unsafe-block","eqeq-is-bad","hardcoded-eq-true-or-false"]}},"author":"Kristin Mayo","counts":{"total_rules":36,"premium_rules":0},"hidden":true,"description":"","id":"98Y","name":"kristinnmayo.go-all","visibility":"public","categories":[]},{"tags":[],"tier":null,"stats":{"cwe":{"totals":{"CWE-523: Unprotected Transport of Credentials":3},"per_framework":{"CWE-798: Use of Hard-coded Credentials":{"python":{"":2}},"CWE-326: Inadequate Encryption Strength":{"python":{"":3}},"CWE-295: Improper Certificate Validation":{"python":{"":3}},"CWE-502: Deserialization of Untrusted Data":{"python":{"":6}},"CWE-523: Unprotected Transport of Credentials":{"python":{"":1}},"CWE-116: Improper Encoding or Escaping of Output":{"python":{"":1}},"CWE-322: Key Exchange without Entity Authentication":{"python":{"":1}},"CWE-319: Cleartext Transmission of Sensitive Information":{"python":{"":3}},"CWE-327: Use of a Broken or Risky Cryptographic Algorithm":{"python":{"":9}},"CWE-611: Improper Restriction of XML External Entity Reference":{"python":{"":1}},"CWE-939: Improper Authorization in Handler for Custom URL Scheme":{"python":{"":1}},"CWE-1236: Improper Neutralization of Formula Elements in a CSV File":{"python":{"":1}},"CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')":{"python":{"":1}},"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')":{"python":{"":3}},"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')":{"python":{"":5}}},"rules_with_no_cwe":[]},"owasp":{"totals":{"A1: Injection":2,"A01:2017: Injection":5,"A03:2021: Injection":6,"A3: Sensitive Data Exposure":4,"A6: Security Misconfiguration":1,"A02:2017: 
Broken Authentication":1,"A02:2021: Cryptographic Failures":13,"A03:2017: Sensitive Data Exposure":14,"A08:2017: Insecure Deserialization":6,"A05:2021: Security Misconfiguration":2,"A04:2017: XML External Entities (XXE)":2,"A08:2021: Software and Data Integrity Failures":6,"A07:2021: Identification and Authentication Failures":5},"per_framework":{"A1: Injection":{"python":{"":2}},"A01:2017: Injection":{"python":{"":5}},"A03:2021: Injection":{"python":{"":6}},"A3: Sensitive Data Exposure":{"python":{"":4}},"A6: Security Misconfiguration":{"python":{"":1}},"A02:2017: Broken Authentication":{"python":{"":1}},"A02:2021: Cryptographic Failures":{"python":{"":13}},"A03:2017: Sensitive Data Exposure":{"python":{"":14}},"A08:2017: Insecure Deserialization":{"python":{"":6}},"A05:2021: Security Misconfiguration":{"python":{"":2}},"A04:2017: XML External Entities (XXE)":{"python":{"":2}},"A08:2021: Software and Data Integrity Failures":{"python":{"":6}},"A07:2021: Identification and Authentication Failures":{"python":{"":5}}},"rules_with_no_owasp":[]}},"author":"Mathieu Deous","counts":{"total_rules":41,"premium_rules":0},"hidden":true,"description":"","id":"O7B","name":"mdeous.python-security","visibility":"public","categories":[]},{"tags":[],"tier":null,"stats":{"cwe":{"totals":{"CWE-798: Use of Hard-coded Credentials":2},"per_framework":{"CWE-287: Improper Authentication":{"java":{"":1}},"CWE-276: Incorrect Default Permissions":{"java":{"":1}},"CWE-798: Use of Hard-coded Credentials":{"javascript":{"":6}},"CWE-326: Inadequate Encryption Strength":{"java":{"":5}},"CWE-295: Improper Certificate Validation":{"java":{"":2}},"CWE-183: Permissive List of Allowed Inputs":{"java":{"":1}},"CWE-352: Cross-Site Request Forgery (CSRF)":{"java":{"":2},"javascript":{"":1}},"CWE-502: Deserialization of Untrusted Data":{"java":{"":2},"javascript":{"":1}},"CWE-704: Incorrect Type Conversion or Cast":{"java":{"":1}},"CWE-918: Server-Side Request Forgery 
(SSRF)":{"javascript":{"":7}},"CWE-522: Insufficiently Protected Credentials":{"javascript":{"":9}},"CWE-116: Improper Encoding or Escaping of Output":{"javascript":{"":1}},"CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag":{"java":{"":1}},"CWE-329: Generation of Predictable IV with CBC Mode":{"java":{"":1}},"CWE-706: Use of Incorrectly-Resolved Name or Reference":{"javascript":{"":2}},"CWE-345: Insufficient Verification of Data Authenticity":{"javascript":{"":1}},"CWE-319: Cleartext Transmission of Sensitive Information":{"java":{"":1}},"CWE-327: Use of a Broken or Risky Cryptographic Algorithm":{"java":{"":5},"javascript":{"":2}},"CWE-601: URL Redirection to Untrusted Site ('Open Redirect')":{"java":{"":2}},"CWE-297: Improper Validation of Certificate with Host Mismatch":{"java":{"":1}},"CWE-611: Improper Restriction of XML External Entity Reference":{"java":{"":3},"javascript":{"":6}},"CWE-94: Improper Control of Generation of Code (Code Injection)":{"javascript":{"":6}},"CWE-94: Improper Control of Generation of Code ('Code Injection')":{"java":{"":4},"javascript":{"":12}},"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor":{"java":{"":1}},"CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')":{"java":{"":1}},"CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute":{"java":{"":1}},"CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer":{"javascript":{"":1}},"CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)":{"javascript":{"":1}},"CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')":{"java":{"":2},"javascript":{"":2}},"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')":{"java":{"":2}},"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')":{"java":{"":2}},"CWE-90: Improper Neutralization of Special Elements used in an LDAP Query 
('LDAP Injection')":{"java":{"":2}},"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')":{"javascript":{"":2}},"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')":{"java":{"":1},"javascript":{"":2}}},"rules_with_no_cwe":[]},"owasp":{"totals":{"":1,"A1: Injection":6,"A01:2017: Injection":7,"A03:2021: Injection":30,"A04:2021: Insecure Design":10,"A01:2021: Broken Access Control":13,"A02:2017: Broken Authentication":10,"A05:2017: Broken Access Control":5,"A02:2021: Cryptographic Failures":12,"A03:2017: Sensitive Data Exposure":14,"A08:2017: Insecure Deserialization":3,"A05:2021: Security Misconfiguration":11,"A07:2017: Cross-Site Scripting (XSS)":2,"A04:2017: XML External Entities (XXE)":9,"A10:2021: Server-Side Request Forgery (SSRF)":7,"A08:2021: Software and Data Integrity Failures":4,"A9: Using Components with Known Vulnerabilities":2,"A07:2021: Identification and Authentication Failures":10},"per_framework":{"":{"javascript":{"":1}},"A1: Injection":{"javascript":{"":6}},"A01:2017: Injection":{"java":{"":5},"javascript":{"":2}},"A03:2021: Injection":{"java":{"":12},"javascript":{"":18}},"A04:2021: Insecure Design":{"java":{"":1},"javascript":{"":9}},"A01:2021: Broken Access Control":{"java":{"":8},"javascript":{"":5}},"A02:2017: Broken Authentication":{"java":{"":1},"javascript":{"":9}},"A05:2017: Broken Access Control":{"java":{"":2},"javascript":{"":3}},"A02:2021: Cryptographic Failures":{"java":{"":10},"javascript":{"":2}},"A03:2017: Sensitive Data Exposure":{"java":{"":12},"javascript":{"":2}},"A08:2017: Insecure Deserialization":{"java":{"":2},"javascript":{"":1}},"A05:2021: Security Misconfiguration":{"java":{"":5},"javascript":{"":6}},"A07:2017: Cross-Site Scripting (XSS)":{"java":{"":2}},"A04:2017: XML External Entities (XXE)":{"java":{"":3},"javascript":{"":6}},"A10:2021: Server-Side Request Forgery (SSRF)":{"javascript":{"":7}},"A08:2021: Software and Data 
Integrity Failures":{"java":{"":2},"javascript":{"":2}},"A9: Using Components with Known Vulnerabilities":{"java":{"":2}},"A07:2021: Identification and Authentication Failures":{"java":{"":4},"javascript":{"":6}}},"rules_with_no_owasp":["detect-buffer-noassert"]}},"author":"mfocuz","counts":{"total_rules":107,"premium_rules":0},"hidden":true,"description":"all java and JS rules for error and warning level","id":"e9b","name":"mfocuz.java-all-error-warnings","visibility":"public","categories":[]},{"tags":[],"tier":null,"stats":{"cwe":{"totals":{"":2},"per_framework":{"":{"java":{"":4},"javascript":{"":7}},"CWE-369: Divide By Zero":{"ruby":{"":1}},"CWE-328: Use of Weak Hash":{"ruby":{"":1}},"CWE-287: Improper Authentication":{"java":{"":1}},"CWE-208: Observable Timing Discrepancy":{"ruby":{"":1}},"CWE-276: Incorrect Default Permissions":{"java":{"":1}},"CWE-798: Use of Hard-coded Credentials":{"ruby":{"":1},"javascript":{"":6}},"CWE-326: Inadequate Encryption Strength":{"java":{"":5}},"CWE-295: Improper Certificate Validation":{"java":{"":2},"ruby":{"":1}},"CWE-183: Permissive List of Allowed Inputs":{"java":{"":1}},"CWE-352: Cross-Site Request Forgery (CSRF)":{"java":{"":2},"ruby":{"":1},"javascript":{"":1}},"CWE-502: Deserialization of Untrusted Data":{"java":{"":2},"ruby":{"":1},"javascript":{"":1}},"CWE-704: Incorrect Type Conversion or Cast":{"java":{"":1}},"CWE-918: Server-Side Request Forgery (SSRF)":{"javascript":{"":7}},"CWE-311: Missing Encryption of Sensitive Data":{"ruby":{"":1}},"CWE-522: Insufficiently Protected Credentials":{"javascript":{"":9}},"CWE-116: Improper Encoding or Escaping of Output":{"javascript":{"":1}},"CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag":{"java":{"":1}},"CWE-329: Generation of Predictable IV with CBC Mode":{"java":{"":1}},"CWE-706: Use of Incorrectly-Resolved Name or Reference":{"javascript":{"":2}},"CWE-345: Insufficient Verification of Data Authenticity":{"javascript":{"":1}},"CWE-319: Cleartext Transmission of 
Sensitive Information":{"java":{"":1}},"CWE-327: Use of a Broken or Risky Cryptographic Algorithm":{"java":{"":5},"javascript":{"":2}},"CWE-601: URL Redirection to Untrusted Site ('Open Redirect')":{"java":{"":2},"javascript":{"":1}},"CWE-1021: Improper Restriction of Rendered UI Layers or Frames":{"ruby":{"":1}},"CWE-297: Improper Validation of Certificate with Host Mismatch":{"java":{"":1}},"CWE-611: Improper Restriction of XML External Entity Reference":{"java":{"":3},"javascript":{"":6}},"CWE-94: Improper Control of Generation of Code (Code Injection)":{"javascript":{"":6}},"CWE-94: Improper Control of Generation of Code ('Code Injection')":{"java":{"":4},"ruby":{"":3},"javascript":{"":12}},"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor":{"java":{"":1}},"CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')":{"java":{"":1}},"CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute":{"java":{"":1}},"CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer":{"javascript":{"":1}},"CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)":{"javascript":{"":1}},"CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')":{"java":{"":2},"ruby":{"":1},"javascript":{"":2}},"CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes":{"ruby":{"":3}},"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')":{"java":{"":2},"javascript":{"":2}},"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')":{"java":{"":2},"javascript":{"":1}},"CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')":{"java":{"":2}},"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')":{"javascript":{"":2}},"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS 
Command Injection')":{"java":{"":1},"javascript":{"":2}},"CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')":{"java":{"":1}}},"rules_with_no_cwe":["assigned-undefined","javascript-alert","javascript-debugger","javascript-confirm","javascript-prompt","useless-assignment","eqeq-is-bad","no-string-eqeq","assignment-comparison","eqeq","hardcoded-conditional"]},"owasp":{"totals":{"":14,"A1: Injection":6,"A01:2017: Injection":8,"A03:2021: Injection":37,"A04:2021: Insecure Design":12,"A01:2021: Broken Access Control":16,"A02:2017: Broken Authentication":10,"A05:2017: Broken Access Control":6,"A02:2021: Cryptographic Failures":13,"A03:2017: Sensitive Data Exposure":17,"A08:2017: Insecure Deserialization":4,"A05:2021: Security Misconfiguration":11,"A07:2017: Cross-Site Scripting (XSS)":4,"A04:2017: XML External Entities (XXE)":9,"A10:2021: Server-Side Request Forgery (SSRF)":7,"A08:2021: Software and Data Integrity Failures":8,"A9: Using Components with Known Vulnerabilities":2,"A07:2021: Identification and Authentication Failures":12},"per_framework":{"":{"java":{"":4},"ruby":{"":2},"javascript":{"":8}},"A1: Injection":{"javascript":{"":6}},"A01:2017: Injection":{"java":{"":5},"javascript":{"":3}},"A03:2021: Injection":{"java":{"":13},"ruby":{"":3},"javascript":{"":21}},"A04:2021: Insecure Design":{"java":{"":1},"ruby":{"":2},"javascript":{"":9}},"A01:2021: Broken Access Control":{"java":{"":8},"ruby":{"":2},"javascript":{"":6}},"A02:2017: Broken Authentication":{"java":{"":1},"javascript":{"":9}},"A05:2017: Broken Access Control":{"java":{"":2},"ruby":{"":1},"javascript":{"":3}},"A02:2021: Cryptographic Failures":{"java":{"":10},"ruby":{"":1},"javascript":{"":2}},"A03:2017: Sensitive Data Exposure":{"java":{"":12},"ruby":{"":3},"javascript":{"":2}},"A08:2017: Insecure Deserialization":{"java":{"":2},"ruby":{"":1},"javascript":{"":1}},"A05:2021: Security Misconfiguration":{"java":{"":5},"javascript":{"":6}},"A07:2017: 
Cross-Site Scripting (XSS)":{"java":{"":2},"javascript":{"":2}},"A04:2017: XML External Entities (XXE)":{"java":{"":3},"javascript":{"":6}},"A10:2021: Server-Side Request Forgery (SSRF)":{"javascript":{"":7}},"A08:2021: Software and Data Integrity Failures":{"java":{"":2},"ruby":{"":4},"javascript":{"":2}},"A9: Using Components with Known Vulnerabilities":{"java":{"":2}},"A07:2021: Identification and Authentication Failures":{"java":{"":4},"ruby":{"":2},"javascript":{"":6}}},"rules_with_no_owasp":["assigned-undefined","javascript-alert","javascript-debugger","javascript-confirm","javascript-prompt","detect-buffer-noassert","useless-assignment","eqeq-is-bad","divide-by-zero","timing-attack","no-string-eqeq","assignment-comparison","eqeq","hardcoded-conditional"]}},"author":"nutmag","counts":{"total_rules":139,"premium_rules":0},"hidden":true,"description":"","id":"01k","name":"nutmag.dvja-test","visibility":"public","categories":[]},{"tags":["security","ai-security"],"stats":{"cwe":{"totals":{"CWE-284: Improper Access Control":2,"CWE-506: Embedded Malicious Code":1,"CWE-798: Use of Hard-coded Credentials":1,"CWE-918: Server-Side Request Forgery (SSRF)":1,"CWE-522: Insufficiently Protected Credentials":15,"CWE-494: Download of Code Without Integrity Check":11,"CWE-732: Incorrect Permission Assignment for Critical Resource":5,"CWE-94: Improper Control of Generation of Code ('Code Injection')":6,"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor":5,"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')":1,"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')":15},"per_framework":{"CWE-284: Improper Access Control":{"generic":{"":2}},"CWE-506: Embedded Malicious Code":{"generic":{"":1}},"CWE-798: Use of Hard-coded Credentials":{"generic":{"":1}},"CWE-918: Server-Side Request Forgery (SSRF)":{"generic":{"":1}},"CWE-522: Insufficiently Protected 
Credentials":{"generic":{"":15}},"CWE-494: Download of Code Without Integrity Check":{"generic":{"":11}},"CWE-732: Incorrect Permission Assignment for Critical Resource":{"generic":{"":5}},"CWE-94: Improper Control of Generation of Code ('Code Injection')":{"bash":{"":1},"python":{"":2},"generic":{"":2},"javascript":{"":1}},"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor":{"generic":{"":5}},"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')":{"generic":{"":1}},"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')":{"go":{"":3},"rust":{"":3},"python":{"":1},"generic":{"":8}}},"rules_with_no_cwe":[]},"owasp":{"totals":{"":6,"A01:2017: Injection":16,"A03:2021: Injection":22,"A05:2025: Injection":22,"A04:2021: Insecure Design":15,"A06:2025: Insecure Design":15,"A01:2021: Broken Access Control":7,"A01:2025: Broken Access Control":8,"A02:2017: Broken Authentication":15,"A05:2017: Broken Access Control":2,"A07:2025: Authentication Failures":1,"A10:2021: Server-Side Request Forgery (SSRF)":1,"A08:2025: Software or Data Integrity Failures":11,"A08:2021: Software and Data Integrity Failures":11,"A07:2021: Identification and Authentication Failures":1},"per_framework":{"":{"generic":{"":6}},"A01:2017: Injection":{"go":{"":3},"rust":{"":3},"python":{"":1},"generic":{"":9}},"A03:2021: Injection":{"go":{"":3},"bash":{"":1},"rust":{"":3},"python":{"":3},"generic":{"":11},"javascript":{"":1}},"A05:2025: Injection":{"go":{"":3},"bash":{"":1},"rust":{"":3},"python":{"":3},"generic":{"":11},"javascript":{"":1}},"A04:2021: Insecure Design":{"generic":{"":15}},"A06:2025: Insecure Design":{"generic":{"":15}},"A01:2021: Broken Access Control":{"generic":{"":7}},"A01:2025: Broken Access Control":{"generic":{"":8}},"A02:2017: Broken Authentication":{"generic":{"":15}},"A05:2017: Broken Access Control":{"generic":{"":2}},"A07:2025: Authentication 
Failures":{"generic":{"":1}},"A10:2021: Server-Side Request Forgery (SSRF)":{"generic":{"":1}},"A08:2025: Software or Data Integrity Failures":{"generic":{"":11}},"A08:2021: Software and Data Integrity Failures":{"generic":{"":11}},"A07:2021: Identification and Authentication Failures":{"generic":{"":1}}},"rules_with_no_owasp":["skill-dangerous-command-wildcard","skill-network-bash-wildcard","skill-persistence-commands","skill-readonly-with-write-perms","skill-wildcard-all-tools","skill-preprocessing-encoding-network"]}},"author":"Semgrep","counts":{"total_rules":63,"premium_rules":63},"username":"semgrep","languages":["generic"],"description":"Detect malicious patterns in AI agent skill files (Claude, Cursor, Windsurf, Codex, Continue). Covers command execution, credential access, exfiltration, persistence, and prompt injection techniques used in campaigns like ClawHavoc targeting AI coding assistants.","id":"v2Wl","name":"agent-skills","visibility":"public","categories":[]},{"tags":[],"tier":null,"stats":{"cwe":{"totals":{"CWE-798: Use of Hard-coded Credentials":6},"per_framework":{"CWE-798: Use of Hard-coded Credentials":{"python":{"":2},"javascript":{"":4}}},"rules_with_no_cwe":[]},"owasp":{"totals":{"A07:2021: Identification and Authentication Failures":6},"per_framework":{"A07:2021: Identification and Authentication Failures":{"python":{"":2},"javascript":{"":4}}},"rules_with_no_owasp":[]}},"author":"Joe Bollen","counts":{"total_rules":6,"premium_rules":0},"hidden":true,"description":"Detect possible hardcoded secrets in Java, JS and Python","id":"P7Y","name":"hazanasec.possible_hardcoded_secrets","visibility":"public","categories":[]},{"tags":[],"tier":null,"stats":{"cwe":{"totals":{"CWE-96: Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')":1},"per_framework":{"CWE-489: Active Debug Code":{"python":{"":1}},"CWE-521: Weak Password Requirements":{"python":{"":1}},"CWE-798: Use of Hard-coded 
Credentials":{"javascript":{"":6}},"CWE-295: Improper Certificate Validation":{"python":{"":2}},"CWE-502: Deserialization of Untrusted Data":{"python":{"":3},"javascript":{"":1}},"CWE-300: Channel Accessible by Non-Endpoint":{"go":{"":2}},"CWE-918: Server-Side Request Forgery (SSRF)":{"python":{"":1},"javascript":{"":4}},"CWE-523: Unprotected Transport of Credentials":{"python":{"":1}},"CWE-706: Use of Incorrectly-Resolved Name or Reference":{"javascript":{"":1}},"CWE-319: Cleartext Transmission of Sensitive Information":{"python":{"":1}},"CWE-327: Use of a Broken or Risky Cryptographic Algorithm":{"go":{"":1},"javascript":{"":2}},"CWE-601: URL Redirection to Untrusted Site ('Open Redirect')":{"python":{"":1}},"CWE-611: Improper Restriction of XML External Entity Reference":{"python":{"":1},"javascript":{"":2}},"CWE-94: Improper Control of Generation of Code (Code Injection)":{"javascript":{"":5}},"CWE-94: Improper Control of Generation of Code ('Code Injection')":{"javascript":{"":1}},"CWE-1236: Improper Neutralization of Formula Elements in a CSV File":{"python":{"":1}},"CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')":{"python":{"":1}},"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')":{"python":{"":2}},"CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')":{"python":{"":1}},"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')":{"python":{"":2}},"CWE-96: Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')":{"python":{"":1}},"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')":{"python":{"":2},"javascript":{"":1}}},"rules_with_no_cwe":[]},"owasp":{"totals":{"A1: Injection":5,"A01:2017: Injection":6,"A03:2021: Injection":9,"A01:2021: Broken Access Control":3,"A02:2017: Broken Authentication":1,"A05:2017: Broken 
Access Control":1,"A02:2021: Cryptographic Failures":5,"A03:2017: Sensitive Data Exposure":6,"A08:2017: Insecure Deserialization":4,"A05:2021: Security Misconfiguration":5,"A04:2017: XML External Entities (XXE)":4,"A10:2021: Server-Side Request Forgery (SSRF)":5,"A08:2021: Software and Data Integrity Failures":4,"A07:2021: Identification and Authentication Failures":11},"per_framework":{"A1: Injection":{"javascript":{"":5}},"A01:2017: Injection":{"python":{"":5},"javascript":{"":1}},"A03:2021: Injection":{"python":{"":7},"javascript":{"":2}},"A01:2021: Broken Access Control":{"python":{"":2},"javascript":{"":1}},"A02:2017: Broken Authentication":{"python":{"":1}},"A05:2017: Broken Access Control":{"python":{"":1}},"A02:2021: Cryptographic Failures":{"go":{"":1},"python":{"":2},"javascript":{"":2}},"A03:2017: Sensitive Data Exposure":{"go":{"":1},"python":{"":3},"javascript":{"":2}},"A08:2017: Insecure Deserialization":{"python":{"":3},"javascript":{"":1}},"A05:2021: Security Misconfiguration":{"python":{"":3},"javascript":{"":2}},"A04:2017: XML External Entities (XXE)":{"python":{"":2},"javascript":{"":2}},"A10:2021: Server-Side Request Forgery (SSRF)":{"python":{"":1},"javascript":{"":4}},"A08:2021: Software and Data Integrity Failures":{"python":{"":3},"javascript":{"":1}},"A07:2021: Identification and Authentication Failures":{"go":{"":2},"python":{"":3},"javascript":{"":6}}},"rules_with_no_owasp":[]}},"author":"Julian Berton","counts":{"total_rules":48,"premium_rules":0},"hidden":true,"description":"","id":"RWO","name":"bertonjulian.python-all-security","visibility":"public","categories":[]},{"tags":[],"tier":null,"stats":{"cwe":{"totals":{"CWE-523: Unprotected Transport of Credentials":3},"per_framework":{"CWE-798: Use of Hard-coded Credentials":{"python":{"":2}},"CWE-326: Inadequate Encryption Strength":{"python":{"":3}},"CWE-295: Improper Certificate Validation":{"python":{"":3}},"CWE-502: Deserialization of Untrusted Data":{"python":{"":6}},"CWE-523: 
Unprotected Transport of Credentials":{"python":{"":1}},"CWE-116: Improper Encoding or Escaping of Output":{"python":{"":1}},"CWE-322: Key Exchange without Entity Authentication":{"python":{"":1}},"CWE-319: Cleartext Transmission of Sensitive Information":{"python":{"":3}},"CWE-327: Use of a Broken or Risky Cryptographic Algorithm":{"python":{"":9}},"CWE-611: Improper Restriction of XML External Entity Reference":{"python":{"":1}},"CWE-939: Improper Authorization in Handler for Custom URL Scheme":{"python":{"":1}},"CWE-155: Improper Neutralization of Wildcards or Matching Symbols":{"python":{"":1}},"CWE-1236: Improper Neutralization of Formula Elements in a CSV File":{"python":{"":1}},"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor":{"python":{"":1}},"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')":{"python":{"":1}},"CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')":{"python":{"":1}},"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')":{"python":{"":3}},"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')":{"python":{"":6}}},"rules_with_no_cwe":[]},"owasp":{"totals":{"A1: Injection":2,"A01:2017: Injection":7,"A03:2021: Injection":8,"A3: Sensitive Data Exposure":4,"A6: Security Misconfiguration":1,"A01:2021: Broken Access Control":1,"A02:2017: Broken Authentication":1,"A02:2021: Cryptographic Failures":13,"A03:2017: Sensitive Data Exposure":14,"A08:2017: Insecure Deserialization":6,"A05:2021: Security Misconfiguration":2,"A07:2017: Cross-Site Scripting (XSS)":1,"A04:2017: XML External Entities (XXE)":2,"A08:2021: Software and Data Integrity Failures":6,"A07:2021: Identification and Authentication Failures":5},"per_framework":{"A1: Injection":{"python":{"":2}},"A01:2017: Injection":{"python":{"":7}},"A03:2021: Injection":{"python":{"":8}},"A3: Sensitive Data 
Exposure":{"python":{"":4}},"A6: Security Misconfiguration":{"python":{"":1}},"A01:2021: Broken Access Control":{"python":{"":1}},"A02:2017: Broken Authentication":{"python":{"":1}},"A02:2021: Cryptographic Failures":{"python":{"":13}},"A03:2017: Sensitive Data Exposure":{"python":{"":14}},"A08:2017: Insecure Deserialization":{"python":{"":6}},"A05:2021: Security Misconfiguration":{"python":{"":2}},"A07:2017: Cross-Site Scripting (XSS)":{"python":{"":1}},"A04:2017: XML External Entities (XXE)":{"python":{"":2}},"A08:2021: Software and Data Integrity Failures":{"python":{"":6}},"A07:2021: Identification and Authentication Failures":{"python":{"":5}}},"rules_with_no_owasp":[]}},"author":"Mathieu Deous","counts":{"total_rules":45,"premium_rules":0},"hidden":true,"description":"","id":"xvz","name":"mdeous-datadog.python-security-pack","visibility":"public","categories":[]},{"stats":{"cwe":{"totals":{"CWE-416: Use After Free":4,"CWE-328: Use of Weak Hash":12,"CWE-489: Active Debug Code":7,"CWE-125: Out-of-bounds Read":6,"CWE-787: Out-of-bounds Write":2,"CWE-778: Insufficient Logging":1,"CWE-682: Incorrect Calculation":2,"CWE-862: Missing Authorization":1,"CWE-23: Relative Path Traversal":2,"CWE-284: Improper Access Control":2,"CWE-287: Improper Authentication":53,"CWE-346: Origin Validation Error":6,"CWE-377: Insecure Temporary File":1,"CWE-506: Embedded Malicious Code":1,"CWE-20: Improper Input Validation":2,"CWE-476: NULL Pointer Dereference":1,"CWE-477: Use of Obsolete Function":2,"CWE-501: Trust Boundary Violation":1,"CWE-272: Least Privilege Violation":11,"CWE-259: Use of Hard-coded Password":1,"CWE-269: Improper Privilege Management":2,"CWE-798: Use of Hard-coded Credentials":166,"CWE-190: Integer Overflow or Wraparound":1,"CWE-326: Inadequate Encryption Strength":18,"CWE-295: Improper Certificate Validation":5,"CWE-613: Insufficient Session Expiration":3,"CWE-341: Predictable from Observable State":1,"CWE-352: Cross-Site Request Forgery (CSRF)":4,"CWE-467: Use of 
sizeof() on a Pointer Type":1,"CWE-502: Deserialization of Untrusted Data":80,"CWE-780: Use of RSA Algorithm without OAEP":1,"CWE-300: Channel Accessible by Non-Endpoint":3,"CWE-310: CWE CATEGORY: Cryptographic Issues":1,"CWE-918: Server-Side Request Forgery (SSRF)":265,"CWE-321: Use of Hard-coded Cryptographic Key":1,"CWE-311: Missing Encryption of Sensitive Data":2,"CWE-522: Insufficiently Protected Credentials":13,"CWE-668: Exposure of Resource to Wrong Sphere":1,"CWE-73: External Control of File Name or Path":98,"CWE-250: Execution with Unnecessary Privileges":2,"CWE-117: Improper Output Neutralization for Logs":6,"CWE-323: Reusing a Nonce, Key Pair in Encryption":1,"CWE-673: External Influence of Sphere Definition":1,"CWE-494: Download of Code Without Integrity Check":5,"CWE-91: XML Injection (aka Blind XPath Injection)":1,"CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag":17,"CWE-305: Authentication Bypass by Primary Weakness":2,"CWE-1333: Inefficient Regular Expression Complexity":4,"CWE-329: Generation of Predictable IV with CBC Mode":2,"CWE-509: Replicating Malicious Code (Virus or Worm)":1,"CWE-841: Improper Enforcement of Behavioral Workflow":7,"CWE-1204: Generation of Weak Initialization Vector (IV)":1,"CWE-345: Insufficient Verification of Data Authenticity":2,"CWE-319: Cleartext Transmission of Sensitive Information":6,"CWE-837: Improper Enforcement of a Single, Unique Action":1,"CWE-327: Use of a Broken or Risky Cryptographic Algorithm":47,"CWE-347: Improper Verification of Cryptographic Signature":1,"CWE-532: Insertion of Sensitive Information into Log File":1,"CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition":2,"CWE-1275: Sensitive Cookie with Improper SameSite Attribute":12,"CWE-601: URL Redirection to Untrusted Site ('Open Redirect')":14,"CWE-296: Improper Following of a Certificate's Chain of Trust":1,"CWE-441: Unintended Proxy or Intermediary ('Confused Deputy')":1,"CWE-611: Improper Restriction of XML External Entity 
Reference":45,"CWE-732: Incorrect Permission Assignment for Critical Resource":7,"CWE-942: Permissive Cross-domain Policy with Untrusted Domains":2,"CWE-94: Improper Control of Generation of Code ('Code Injection')":53,"CWE-337: Predictable Seed in Pseudo-Random Number Generator (PRNG)":2,"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor":11,"CWE-454: External Initialization of Trusted Variables or Data Stores":3,"CWE-916: Use of Password Hash With Insufficient Computational Effort":3,"CWE-209: Generation of Error Message Containing Sensitive Information":1,"CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute":21,"CWE-644: Improper Neutralization of HTTP Headers for Scripting Syntax":34,"CWE-323: Nonces should be used for the present occasion and only once.":1,"CWE-688: Function Call With Incorrect Variable or Reference as Argument":1,"CWE-943: Improper Neutralization of Special Elements in Data Query Logic":24,"CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)":1,"CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine":1,"CWE-643: Improper Neutralization of Data within XPath Expressions ('XPath Injection')":9,"CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')":127,"CWE-757: Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')":1,"CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')":3,"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')":34,"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')":248,"CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')":21,"CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')":10,"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')":5,"CWE-75: 
Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)":3,"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')":62,"CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')":3,"CWE-329: Not using a random initialization Vector (IV) with Cipher Block Chaining (CBC) Mode causes algorithms to be susceptible to dictionary attacks.":1},"per_framework":{"CWE-416: Use After Free":{"cpp":{"":4}},"CWE-328: Use of Weak Hash":{"go":{"":1},"cpp":{"":1},"php":{"":1},"java":{"":4},"ruby":{"":1},"python":{"":2},"clojure":{"":2}},"CWE-489: Active Debug Code":{"php":{"":1},"yaml":{"":1},"kotlin":{"":1},"python":{"":3},"generic":{"":1}},"CWE-125: Out-of-bounds Read":{"cpp":{"":6}},"CWE-787: Out-of-bounds Write":{"cpp":{"":1},"solidity":{"":1}},"CWE-778: Insufficient Logging":{"hcl":{"":1}},"CWE-682: Incorrect Calculation":{"solidity":{"":2}},"CWE-862: Missing Authorization":{"dockerfile":{"":1}},"CWE-23: Relative Path Traversal":{"php":{"":1},"java":{"":1}},"CWE-284: Improper Access Control":{"python":{"":1},"solidity":{"":1}},"CWE-287: Improper Authentication":{"go":{"":8},"js":{"":5},"ruby":{"":6},"rust":{"":10},"yaml":{"":1},"kotlin":{"":4},"python":{"":18},"javascript":{"":1}},"CWE-346: Origin Validation Error":{"java":{"":1},"javascript":{"":5}},"CWE-377: Insecure Temporary File":{"python":{"":1}},"CWE-506: Embedded Malicious Code":{"generic":{"":1}},"CWE-20: Improper Input Validation":{"solidity":{"":2}},"CWE-476: NULL Pointer Dereference":{"cpp":{"":1}},"CWE-477: Use of Obsolete Function":{"swift":{"":2}},"CWE-501: Trust Boundary Violation":{"java":{"":1}},"CWE-272: Least Privilege Violation":{"xml":{"":2},"swift":{"":9}},"CWE-259: Use of Hard-coded Password":{"swift":{"":1}},"CWE-269: Improper Privilege Management":{"yaml":{"":1},"dockerfile":{"":1}},"CWE-798: Use of Hard-coded 
Credentials":{"go":{"":10},"js":{"":22},"py":{"":1},"php":{"":1},"java":{"":21},"ruby":{"":18},"rust":{"":12},"regex":{"":1},"swift":{"":7},"csharp":{"":10},"kotlin":{"":21},"python":{"":35},"javascript":{"":7}},"CWE-190: Integer Overflow or Wraparound":{"php":{"":1}},"CWE-326: Inadequate Encryption Strength":{"go":{"":1},"kt":{"":1},"cpp":{"":1},"hcl":{"":1},"java":{"":6},"ruby":{"":1},"swift":{"":2},"python":{"":2},"generic":{"":1},"terraform":{"":1},"javascript":{"":1}},"CWE-295: Improper Certificate Validation":{"cpp":{"":1},"xml":{"":1},"rust":{"":3}},"CWE-613: Insufficient Session Expiration":{"csharp":{"":1},"python":{"":2}},"CWE-341: Predictable from Observable State":{"solidity":{"":1}},"CWE-352: Cross-Site Request Forgery (CSRF)":{"java":{"":1},"python":{"":3}},"CWE-467: Use of sizeof() on a Pointer Type":{"cpp":{"":1}},"CWE-502: Deserialization of Untrusted Data":{"C#":{"":1},"go":{"":1},"java":{"":7},"swift":{"":2},"python":{"":68},"javascript":{"":1}},"CWE-780: Use of RSA Algorithm without OAEP":{"scala":{"":1}},"CWE-300: Channel Accessible by Non-Endpoint":{"go":{"":3}},"CWE-310: CWE CATEGORY: Cryptographic Issues":{"javascript":{"":1}},"CWE-918: Server-Side Request Forgery (SSRF)":{"go":{"":5},"php":{"":1},"java":{"":11},"rust":{"":3},"csharp":{"":5},"kotlin":{"":2},"python":{"":234},"generic":{"":1},"javascript":{"":3}},"CWE-321: Use of Hard-coded Cryptographic Key":{"swift":{"":1}},"CWE-311: Missing Encryption of Sensitive Data":{"ruby":{"":1},"swift":{"":1}},"CWE-522: Insufficiently Protected Credentials":{"scala":{"":2},"python":{"":2},"generic":{"":9}},"CWE-668: Exposure of Resource to Wrong Sphere":{"python":{"":1}},"CWE-73: External Control of File Name or Path":{"python":{"":98}},"CWE-250: Execution with Unnecessary Privileges":{"yaml":{"":1},"dockerfile":{"":1}},"CWE-117: Improper Output Neutralization for Logs":{"python":{"":4},"javascript":{"":2}},"CWE-323: Reusing a Nonce, Key Pair in Encryption":{"java":{"":1}},"CWE-673: External 
Influence of Sphere Definition":{"python":{"":1}},"CWE-494: Download of Code Without Integrity Check":{"generic":{"":5}},"CWE-91: XML Injection (aka Blind XPath Injection)":{"java":{"":1}},"CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag":{"java":{"":4},"csharp":{"":2},"python":{"":7},"javascript":{"":4}},"CWE-305: Authentication Bypass by Primary Weakness":{"swift":{"":2}},"CWE-1333: Inefficient Regular Expression Complexity":{"java":{"":1},"python":{"":3}},"CWE-329: Generation of Predictable IV with CBC Mode":{"php":{"":1},"java":{"":1}},"CWE-509: Replicating Malicious Code (Virus or Worm)":{"yaml":{"":1}},"CWE-841: Improper Enforcement of Behavioral Workflow":{"solidity":{"":7}},"CWE-1204: Generation of Weak Initialization Vector (IV)":{"javascript":{"":1}},"CWE-345: Insufficient Verification of Data Authenticity":{"csharp":{"":1},"javascript":{"":1}},"CWE-319: Cleartext Transmission of Sensitive Information":{"xml":{"":3},"html":{"":1},"java":{"":1},"python":{"":1}},"CWE-837: Improper Enforcement of a Single, Unique Action":{"solidity":{"":1}},"CWE-327: Use of a Broken or Risky Cryptographic Algorithm":{"go":{"":4},"xml":{"":1},"java":{"":9},"swift":{"":5},"csharp":{"":1},"kotlin":{"":2},"python":{"":18},"clojure":{"":1},"javascript":{"":6}},"CWE-347: Improper Verification of Cryptographic Signature":{"javascript":{"":1}},"CWE-532: Insertion of Sensitive Information into Log File":{"java":{"":1}},"CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition":{"cpp":{"":2}},"CWE-1275: Sensitive Cookie with Improper SameSite Attribute":{"java":{"":1},"python":{"":6},"javascript":{"":5}},"CWE-601: URL Redirection to Untrusted Site ('Open Redirect')":{"go":{"":1},"java":{"":6},"kotlin":{"":1},"javascript":{"":6}},"CWE-296: Improper Following of a Certificate's Chain of Trust":{"xml":{"":1}},"CWE-441: Unintended Proxy or Intermediary ('Confused Deputy')":{"yaml":{"":1}},"CWE-611: Improper Restriction of XML External Entity 
Reference":{"go":{"":2},"cpp":{"":1},"php":{"":2},"java":{"":26},"scala":{"":3},"swift":{"":1},"python":{"":6},"clojure":{"":1},"javascript":{"":3}},"CWE-732: Incorrect Permission Assignment for Critical Resource":{"cpp":{"":1},"hcl":{"":1},"generic":{"":4},"javascript":{"":1}},"CWE-942: Permissive Cross-domain Policy with Untrusted Domains":{"csharp":{"":2}},"CWE-94: Improper Control of Generation of Code ('Code Injection')":{"yaml":{"":1},"csharp":{"":2},"kotlin":{"":1},"python":{"":33},"generic":{"":1},"terraform":{"":1},"javascript":{"":14}},"CWE-337: Predictable Seed in Pseudo-Random Number Generator (PRNG)":{"cpp":{"":2}},"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor":{"go":{"":2},"java":{"":1},"csharp":{"":1},"python":{"":2},"generic":{"":4},"javascript":{"":1}},"CWE-454: External Initialization of Trusted Variables or Data Stores":{"python":{"":3}},"CWE-916: Use of Password Hash With Insufficient Computational Effort":{"swift":{"":3}},"CWE-209: Generation of Error Message Containing Sensitive Information":{"csharp":{"":1}},"CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute":{"php":{"":1},"java":{"":4},"csharp":{"":2},"python":{"":9},"generic":{"":1},"javascript":{"":4}},"CWE-644: Improper Neutralization of HTTP Headers for Scripting Syntax":{"java":{"":2},"python":{"":32}},"CWE-323: Nonces should be used for the present occasion and only once.":{"swift":{"":1}},"CWE-688: Function Call With Incorrect Variable or Reference as Argument":{"solidity":{"":1}},"CWE-943: Improper Neutralization of Special Elements in Data Query Logic":{"go":{"":4},"rust":{"":3},"csharp":{"":2},"kotlin":{"":5},"python":{"":3},"javascript":{"":7}},"CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)":{"csharp":{"":1}},"CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine":{"javascript":{"":1}},"CWE-643: Improper Neutralization of Data within XPath Expressions ('XPath 
Injection')":{"java":{"":3},"csharp":{"":2},"python":{"":3},"javascript":{"":1}},"CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')":{"go":{"":5},"java":{"":3},"rust":{"":3},"csharp":{"":66},"python":{"":31},"javascript":{"":19}},"CWE-757: Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')":{"xml":{"":1}},"CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')":{"python":{"":1},"terraform":{"":1},"javascript":{"":1}},"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')":{"go":{"":5},"java":{"":8},"kotlin":{"":1},"python":{"":3},"generic":{"":2},"javascript":{"":4},"typescript":{"":11}},"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')":{"go":{"":11},"java":{"":6},"rust":{"":12},"scala":{"":2},"swift":{"":1},"csharp":{"":34},"kotlin":{"":5},"python":{"":145},"javascript":{"":32}},"CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')":{"cpp":{"":2},"java":{"":2},"python":{"":17}},"CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')":{"java":{"":8},"python":{"":2}},"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')":{"php":{"":1},"java":{"":2},"generic":{"":1},"javascript":{"":1}},"CWE-75: Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)":{"python":{"":3}},"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')":{"go":{"":8},"cpp":{"":1},"java":{"":7},"rust":{"":6},"yaml":{"":1},"csharp":{"":3},"kotlin":{"":1},"python":{"":23},"generic":{"":7},"javascript":{"":5}},"CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')":{"javascript":{"":3}},"CWE-329: Not using a random initialization Vector (IV) with Cipher Block Chaining (CBC) 
Mode causes algorithms to be susceptible to dictionary attacks.":{"swift":{"":1}}},"rules_with_no_cwe":[]},"owasp":{"totals":{"":74,"A01:2017: Injection":363,"A03:2021: Injection":477,"A05:2025: Injection":477,"A04:2021 Insecure Design":2,"A04:2021: Insecure Design":115,"A06:2025: Insecure Design":115,"LLM08:2023: Excessive Agency":1,"A01:2021: Broken Access Control":171,"A01:2025: Broken Access Control":426,"A02:2017: Broken Authentication":41,"A05:2017: Broken Access Control":127,"A02:2021: Cryptographic Failures":93,"A04:2025: Cryptographic Failures":93,"A03:2017: Sensitive Data Exposure":82,"A07:2025: Authentication Failures":232,"A08:2017: Insecure Deserialization":80,"A02:2021 – Cryptographic Failures":3,"A02:2025: Security Misconfiguration":93,"A05:2021: Security Misconfiguration":93,"A06:2017: Security Misconfiguration":5,"A07:2017: Cross-Site Scripting (XSS)":34,"A04:2017: XML External Entities (XXE)":47,"A05:2021 – Security Misconfiguration":1,"A10:2021: Server-Side Request Forgery (SSRF)":265,"A08:2025: Software or Data Integrity Failures":85,"A08:2021: Software and Data Integrity Failures":86,"A09:2025: Security Logging & Alerting Failures":8,"A10:2025: Mishandling of Exceptional Conditions":1,"A09:2021: Security Logging and Monitoring Failures":8,"A7:2021 Identification and Authentication Failures":1,"A07:2021 Identification and Authentication Failures":1,"A07:2021: Identification and Authentication Failures":232},"per_framework":{"":{"go":{"":1},"cpp":{"":15},"php":{"":1},"xml":{"":4},"java":{"":1},"rust":{"":3},"yaml":{"":1},"regex":{"":1},"swift":{"":13},"kotlin":{"":1},"python":{"":8},"generic":{"":6},"solidity":{"":15},"dockerfile":{"":1},"javascript":{"":3}},"A01:2017: Injection":{"go":{"":23},"cpp":{"":3},"java":{"":18},"rust":{"":21},"yaml":{"":2},"scala":{"":2},"swift":{"":1},"csharp":{"":39},"kotlin":{"":11},"python":{"":189},"generic":{"":8},"terraform":{"":1},"javascript":{"":45}},"A03:2021: 
Injection":{"go":{"":24},"cpp":{"":3},"php":{"":1},"java":{"":31},"rust":{"":18},"yaml":{"":3},"scala":{"":2},"swift":{"":1},"csharp":{"":41},"kotlin":{"":8},"python":{"":261},"generic":{"":11},"terraform":{"":1},"javascript":{"":61},"typescript":{"":11}},"A05:2025: Injection":{"go":{"":24},"cpp":{"":3},"php":{"":1},"java":{"":31},"rust":{"":18},"yaml":{"":3},"scala":{"":2},"swift":{"":1},"csharp":{"":41},"kotlin":{"":8},"python":{"":261},"generic":{"":11},"terraform":{"":1},"javascript":{"":61},"typescript":{"":11}},"A04:2021 Insecure Design":{"yaml":{"":2}},"A04:2021: Insecure Design":{"java":{"":1},"ruby":{"":1},"scala":{"":2},"swift":{"":1},"csharp":{"":1},"python":{"":100},"generic":{"":9}},"A06:2025: Insecure Design":{"java":{"":1},"ruby":{"":1},"scala":{"":2},"swift":{"":1},"csharp":{"":1},"python":{"":100},"generic":{"":9}},"LLM08:2023: Excessive Agency":{"yaml":{"":1}},"A01:2021: Broken Access Control":{"go":{"":7},"php":{"":1},"java":{"":13},"rust":{"":3},"csharp":{"":67},"kotlin":{"":1},"python":{"":44},"generic":{"":4},"javascript":{"":31}},"A01:2025: Broken Access Control":{"go":{"":10},"php":{"":2},"java":{"":22},"rust":{"":6},"csharp":{"":70},"kotlin":{"":3},"python":{"":276},"generic":{"":5},"javascript":{"":32}},"A02:2017: Broken Authentication":{"go":{"":8},"js":{"":3},"rust":{"":10},"scala":{"":2},"csharp":{"":1},"kotlin":{"":4},"python":{"":4},"generic":{"":9}},"A05:2017: Broken Access Control":{"go":{"":5},"java":{"":3},"rust":{"":3},"csharp":{"":66},"python":{"":31},"javascript":{"":19}},"A02:2021: Cryptographic Failures":{"go":{"":6},"kt":{"":1},"cpp":{"":4},"hcl":{"":1},"php":{"":2},"xml":{"":4},"html":{"":1},"java":{"":22},"ruby":{"":2},"scala":{"":1},"swift":{"":13},"csharp":{"":2},"kotlin":{"":2},"python":{"":20},"clojure":{"":2},"generic":{"":1},"terraform":{"":1},"javascript":{"":8}},"A04:2025: Cryptographic 
Failures":{"go":{"":6},"kt":{"":1},"cpp":{"":4},"hcl":{"":1},"php":{"":2},"xml":{"":4},"html":{"":1},"java":{"":22},"ruby":{"":2},"scala":{"":1},"swift":{"":13},"csharp":{"":2},"kotlin":{"":2},"python":{"":20},"clojure":{"":2},"generic":{"":1},"terraform":{"":1},"javascript":{"":8}},"A03:2017: Sensitive Data Exposure":{"go":{"":6},"kt":{"":1},"cpp":{"":3},"hcl":{"":1},"php":{"":1},"xml":{"":5},"html":{"":1},"java":{"":20},"ruby":{"":3},"swift":{"":8},"kotlin":{"":2},"python":{"":20},"clojure":{"":2},"generic":{"":1},"terraform":{"":1},"javascript":{"":7}},"A07:2025: Authentication Failures":{"go":{"":21},"js":{"":27},"py":{"":1},"cpp":{"":1},"php":{"":1},"xml":{"":1},"java":{"":22},"ruby":{"":24},"rust":{"":22},"swift":{"":8},"csharp":{"":11},"kotlin":{"":25},"python":{"":55},"javascript":{"":13}},"A08:2017: Insecure Deserialization":{"C#":{"":1},"go":{"":1},"java":{"":7},"swift":{"":2},"python":{"":68},"javascript":{"":1}},"A02:2021 – Cryptographic Failures":{"python":{"":3}},"A02:2025: Security Misconfiguration":{"go":{"":2},"cpp":{"":1},"hcl":{"":1},"php":{"":4},"java":{"":34},"yaml":{"":2},"scala":{"":3},"swift":{"":1},"csharp":{"":6},"python":{"":24},"clojure":{"":1},"generic":{"":1},"dockerfile":{"":1},"javascript":{"":12}},"A05:2021: Security Misconfiguration":{"go":{"":2},"cpp":{"":1},"hcl":{"":1},"php":{"":4},"java":{"":34},"yaml":{"":2},"scala":{"":3},"swift":{"":1},"csharp":{"":6},"python":{"":24},"clojure":{"":1},"generic":{"":1},"dockerfile":{"":1},"javascript":{"":12}},"A06:2017: Security Misconfiguration":{"php":{"":1},"yaml":{"":2},"csharp":{"":1},"python":{"":1}},"A07:2017: Cross-Site Scripting (XSS)":{"go":{"":5},"java":{"":8},"kotlin":{"":1},"python":{"":3},"generic":{"":2},"javascript":{"":4},"typescript":{"":11}},"A04:2017: XML External Entities (XXE)":{"go":{"":2},"cpp":{"":1},"php":{"":2},"java":{"":26},"scala":{"":3},"swift":{"":1},"python":{"":8},"clojure":{"":1},"javascript":{"":3}},"A05:2021 – Security 
Misconfiguration":{"python":{"":1}},"A10:2021: Server-Side Request Forgery (SSRF)":{"go":{"":5},"php":{"":1},"java":{"":11},"rust":{"":3},"csharp":{"":5},"kotlin":{"":2},"python":{"":234},"generic":{"":1},"javascript":{"":3}},"A08:2025: Software or Data Integrity Failures":{"C#":{"":1},"java":{"":7},"swift":{"":2},"csharp":{"":1},"python":{"":68},"generic":{"":5},"javascript":{"":1}},"A08:2021: Software and Data Integrity Failures":{"C#":{"":1},"go":{"":1},"java":{"":7},"swift":{"":2},"csharp":{"":1},"python":{"":68},"generic":{"":5},"javascript":{"":1}},"A09:2025: Security Logging & Alerting Failures":{"hcl":{"":1},"java":{"":1},"python":{"":4},"javascript":{"":2}},"A10:2025: Mishandling of Exceptional Conditions":{"cpp":{"":1}},"A09:2021: Security Logging and Monitoring Failures":{"hcl":{"":1},"java":{"":1},"python":{"":4},"javascript":{"":2}},"A7:2021 Identification and Authentication Failures":{"solidity":{"":1}},"A07:2021 Identification and Authentication Failures":{"yaml":{"":1}},"A07:2021: Identification and Authentication 
Failures":{"go":{"":21},"js":{"":27},"py":{"":1},"cpp":{"":1},"php":{"":1},"xml":{"":1},"java":{"":22},"ruby":{"":24},"rust":{"":22},"swift":{"":8},"csharp":{"":11},"kotlin":{"":25},"python":{"":55},"javascript":{"":13}}},"rules_with_no_owasp":["sizeof-this","std-return-data","std-vector-invalidation","file-access-before-action","file-stat-before-action","world-writable-file","negative-return-value-array-index","missing-nul-cpp-string-memcpy","narrow-to-wide-string-mismatch","readlink-null-terminator","return-c-str","std-string-npos","string-view-data-null-terminator","string-view-temporary-string","wide-to-narrow-string-mismatch","dockerfile-dockerd-socket-mount","detected-onfido-live-api-token","open-redirect","jax-rs-better-files-regex-injection-uri-params","cookies-default-express","dot-nestjs","create-de-cipher-no-iv","ktor-development-mode-conf","ktor-development-mode-gradle","ktor-development-mode-yaml","base-convert-loses-precision","tainted-dotenv-variable-django","tainted-regex-stdlib-django","tainted-dotenv-variable-fastapi","tainted-regex-stdlib-fastapi","debug-flask-passthrough-errors","active-debug-code-flask","tainted-dotenv-variable-flask","tainted-regex-stdlib-flask","reqwest-accept-invalid","rustls-dangerous","ssl-verify-none","skill-dangerous-command-wildcard","skill-network-bash-wildcard","skill-persistence-commands","skill-wildcard-all-tools","skill-preprocessing-encoding-network","balancer-readonly-reentrancy-getpooltokens","balancer-readonly-reentrancy-getrate","compound-borrowfresh-reentrancy","curve-readonly-reentrancy","encode-packed-collision","erc677-reentrancy","erc721-reentrancy","erc777-reentrancy","incorrect-use-of-blockhash","keeper-network-oracle-manipulation","no-bidi-characters","proxy-storage-collision","redacted-cartel-custom-approval-bug","rigoblock-missing-access-control","superfluid-ctx-injection","keychain-acl-allows-biometry-changes","keychain-accessible-always","insecure-biometrics","keychain-passcode-fallback","ATS-local-
networking","ATS-consider-pinning","ATS-CA-pins","ATS-minimum-tls-version","swift-named-persistent-pasteboards","swift-forbidden-ios-apis","swift-webview-config-allows-js","swift-webview-config-base-url","swift-webview-config-allows-file-access","swift-webview-config-fraudulent-site-warning","swift-webview-config-https-upgrade","swift-webview-config-allows-js-open-windows","swift-webview-config-allows-universal-file-access"]}},"author":"Semgrep","counts":{"total_rules":1646,"premium_rules":1499},"hidden":true,"username":"semgrep","description":"This ruleset is intended to produce a low false-positive rate and to be safe for use in CI/CD pipelines.","id":"Zbo","name":"ci","visibility":"public","categories":[]},{"tags":[],"stats":{"cwe":{"totals":{"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')":3},"per_framework":{"":{"python":{"":3}},"CWE-489: Active Debug Code":{"python":{"":1}},"CWE-310: Cryptographic Issues":{"python":{"":1}},"CWE-377: Insecure Temporary File":{"python":{"":1}},"CWE-798: Use of Hard-coded Credentials":{"python":{"":1}},"CWE-326: Inadequate Encryption Strength":{"python":{"":2}},"CWE-295: Improper Certificate Validation":{"python":{"":3}},"CWE-502: Deserialization of Untrusted Data":{"python":{"":6}},"CWE-116: Improper Encoding or Escaping of Output":{"python":{"":1}},"CWE-322: Key Exchange without Entity Authentication":{"python":{"":1}},"CWE-319: Cleartext Transmission of Sensitive Information":{"python":{"":2}},"CWE-327: Use of a Broken or Risky Cryptographic Algorithm":{"python":{"":18}},"CWE-611: Improper Restriction of XML External Entity Reference":{"python":{"":2}},"CWE-939: Improper Authorization in Handler for Custom URL Scheme":{"python":{"":1}},"CWE-155: Improper Neutralization of Wildcards or Matching Symbols":{"python":{"":1}},"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor":{"python":{"":1}},"CWE-497: Exposure of Sensitive System Information to an Unauthorized Control 
Sphere":{"python":{"":1}},"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')":{"python":{"":2}},"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')":{"python":{"":2}},"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')":{"python":{"":3}},"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')":{"python":{"":5}}},"rules_with_no_cwe":["hardcoded-tmp-path","tempfile-insecure","unchecked-subprocess-call"]},"owasp":{"totals":{"":3,"A1: Injection":2,"A01:2017: Injection":7,"A03:2021: Injection":9,"A3: Sensitive Data Exposure":11,"A6: Security Misconfiguration":1,"A01:2021: Broken Access Control":1,"A02:2021: Cryptographic Failures":12,"A03:2017: Sensitive Data Exposure":14,"A08:2017: Insecure Deserialization":6,"A05:2021: Security Misconfiguration":3,"A06:2017: Security Misconfiguration":3,"A07:2017: Cross-Site Scripting (XSS)":2,"A04:2017: XML External Entities (XXE)":1,"A06:2021: Vulnerable and Outdated Components":3,"A08:2021: Software and Data Integrity Failures":6,"A07:2021: Identification and Authentication Failures":4,"A09:2017: Using Components with Known Vulnerabilities":3},"per_framework":{"":{"python":{"":3}},"A1: Injection":{"python":{"":2}},"A01:2017: Injection":{"python":{"":7}},"A03:2021: Injection":{"python":{"":9}},"A3: Sensitive Data Exposure":{"python":{"":11}},"A6: Security Misconfiguration":{"python":{"":1}},"A01:2021: Broken Access Control":{"python":{"":1}},"A02:2021: Cryptographic Failures":{"python":{"":12}},"A03:2017: Sensitive Data Exposure":{"python":{"":14}},"A08:2017: Insecure Deserialization":{"python":{"":6}},"A05:2021: Security Misconfiguration":{"python":{"":3}},"A06:2017: Security Misconfiguration":{"python":{"":3}},"A07:2017: Cross-Site Scripting (XSS)":{"python":{"":2}},"A04:2017: XML External Entities (XXE)":{"python":{"":1}},"A06:2021: Vulnerable and Outdated 
Components":{"python":{"":3}},"A08:2021: Software and Data Integrity Failures":{"python":{"":6}},"A07:2021: Identification and Authentication Failures":{"python":{"":4}},"A09:2017: Using Components with Known Vulnerabilities":{"python":{"":3}}},"rules_with_no_owasp":["hardcoded-tmp-path","tempfile-insecure","unchecked-subprocess-call"]}},"author":"minusworld","counts":{"total_rules":58,"premium_rules":0},"hidden":true,"description":"","id":"7LZ","name":"minusworld.bandit","visibility":"public","categories":[]},{"tags":[],"stats":{"cwe":{"totals":{"CWE-798: Use of Hard-coded Credentials":1},"per_framework":{"CWE-489: Active Debug Code":{"python":{"":1}},"CWE-521: Weak Password Requirements":{"python":{"":1}},"CWE-798: Use of Hard-coded Credentials":{"javascript":{"":6}},"CWE-295: Improper Certificate Validation":{"python":{"":2}},"CWE-502: Deserialization of Untrusted Data":{"java":{"":1},"python":{"":2},"javascript":{"":1}},"CWE-300: Channel Accessible by Non-Endpoint":{"go":{"":2}},"CWE-918: Server-Side Request Forgery (SSRF)":{"python":{"":1},"javascript":{"":4}},"CWE-523: Unprotected Transport of Credentials":{"python":{"":1}},"CWE-706: Use of Incorrectly-Resolved Name or Reference":{"javascript":{"":1}},"CWE-319: Cleartext Transmission of Sensitive Information":{"python":{"":1}},"CWE-327: Use of a Broken or Risky Cryptographic Algorithm":{"javascript":{"":2}},"CWE-601: URL Redirection to Untrusted Site ('Open Redirect')":{"python":{"":1}},"CWE-611: Improper Restriction of XML External Entity Reference":{"java":{"":1},"python":{"":1},"javascript":{"":2}},"CWE-94: Improper Control of Generation of Code (Code Injection)":{"javascript":{"":5}},"CWE-94: Improper Control of Generation of Code ('Code Injection')":{"javascript":{"":1}},"CWE-1236: Improper Neutralization of Formula Elements in a CSV File":{"python":{"":1}},"CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')":{"python":{"":1}},"CWE-79: Improper Neutralization of Input 
During Web Page Generation ('Cross-site Scripting')":{"java":{"":1}},"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')":{"go":{"":1},"python":{"":2}},"CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')":{"python":{"":1}},"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')":{"python":{"":2}},"CWE-96: Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')":{"python":{"":1}},"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')":{"python":{"":2},"javascript":{"":1}}},"rules_with_no_cwe":[]},"owasp":{"totals":{"A1: Injection":5,"A01:2017: Injection":7,"A03:2021: Injection":11,"A01:2021: Broken Access Control":3,"A02:2017: Broken Authentication":1,"A05:2017: Broken Access Control":1,"A02:2021: Cryptographic Failures":4,"A03:2017: Sensitive Data Exposure":5,"A08:2017: Insecure Deserialization":4,"A05:2021: Security Misconfiguration":6,"A07:2017: Cross-Site Scripting (XSS)":1,"A04:2017: XML External Entities (XXE)":5,"A10:2021: Server-Side Request Forgery (SSRF)":5,"A08:2021: Software and Data Integrity Failures":4,"A07:2021: Identification and Authentication Failures":11},"per_framework":{"A1: Injection":{"javascript":{"":5}},"A01:2017: Injection":{"go":{"":1},"python":{"":5},"javascript":{"":1}},"A03:2021: Injection":{"go":{"":1},"java":{"":1},"python":{"":7},"javascript":{"":2}},"A01:2021: Broken Access Control":{"python":{"":2},"javascript":{"":1}},"A02:2017: Broken Authentication":{"python":{"":1}},"A05:2017: Broken Access Control":{"python":{"":1}},"A02:2021: Cryptographic Failures":{"python":{"":2},"javascript":{"":2}},"A03:2017: Sensitive Data Exposure":{"python":{"":3},"javascript":{"":2}},"A08:2017: Insecure Deserialization":{"java":{"":1},"python":{"":2},"javascript":{"":1}},"A05:2021: Security 
Misconfiguration":{"java":{"":1},"python":{"":3},"javascript":{"":2}},"A07:2017: Cross-Site Scripting (XSS)":{"java":{"":1}},"A04:2017: XML External Entities (XXE)":{"java":{"":1},"python":{"":2},"javascript":{"":2}},"A10:2021: Server-Side Request Forgery (SSRF)":{"python":{"":1},"javascript":{"":4}},"A08:2021: Software and Data Integrity Failures":{"java":{"":1},"python":{"":2},"javascript":{"":1}},"A07:2021: Identification and Authentication Failures":{"go":{"":2},"python":{"":3},"javascript":{"":6}}},"rules_with_no_owasp":[]}},"author":"Jeshventh Raja","counts":{"total_rules":50,"premium_rules":0},"hidden":true,"description":"","id":"2j0","name":"jeshventhraja.all-security-errors","visibility":"public","categories":[]},{"tags":["semgrep","security","express","express.js","javascript","xss","pug","ejs","mustache"],"stats":{"cwe":{"totals":{"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')":11},"per_framework":{"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')":{"regex":{"":8},"generic":{"":1},"javascript":{"":2}}},"rules_with_no_cwe":[]},"owasp":{"totals":{"A03:2021: Injection":11,"A07:2017: Cross-Site Scripting (XSS)":11},"per_framework":{"A03:2021: Injection":{"regex":{"":8},"generic":{"":1},"javascript":{"":2}},"A07:2017: Cross-Site Scripting (XSS)":{"regex":{"":8},"generic":{"":1},"javascript":{"":2}}},"rules_with_no_owasp":[]}},"author":"r2c","counts":{"total_rules":11,"premium_rules":0},"hidden":true,"description":"Cross-site scripting (XSS) secure defaults for 
Express.js","id":"31r","name":"minusworld.express-xss","visibility":"public","categories":[]},{"tags":[],"tier":null,"stats":{"cwe":{"totals":{},"per_framework":{},"rules_with_no_cwe":[]},"owasp":{"totals":{},"per_framework":{},"rules_with_no_owasp":[]}},"author":"AnthonyHerman","counts":{"total_rules":0,"premium_rules":0},"hidden":true,"description":"","id":"xog","name":"anthonyherman.my_pack","visibility":"public","categories":[]},{"tags":[],"stats":{"cwe":{"totals":{},"per_framework":{},"rules_with_no_cwe":[]},"owasp":{"totals":{},"per_framework":{},"rules_with_no_owasp":[]}},"author":"Drew Dennison","counts":{"total_rules":0,"premium_rules":0},"hidden":true,"description":"","id":"nA2","name":"drewdennison.my-awesome-pack","visibility":"public","categories":[]},{"tags":[],"stats":{"cwe":{"totals":{"CWE-523: Unprotected Transport of Credentials":1},"per_framework":{"":{"python":{"":41}},"CWE-502: Deserialization of Untrusted Data":{"python":{"":3}},"CWE-523: Unprotected Transport of Credentials":{"python":{"":1}},"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor":{"python":{"":1}},"CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')":{"python":{"":1}},"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval 
Injection')":{"python":{"":1}}},"rules_with_no_cwe":["pass-body-fn","pass-body-range","missing-hash-with-eq","arbitrary-sleep","open-never-closed","manual-defaultdict-dict-create","manual-defaultdict-set-create","manual-defaultdict-list-create","manual-counter-create","useless-inner-function","useless-literal-dict","useless-assignment-keyed","useless-if-conditional","useless-if-body","code-after-unconditional-return","return-not-in-function","python36-compatibility-ssl","python36-compatibility-Popen1","python36-compatibility-Popen2","python37-compatibility-importlib","python37-compatibility-importlib2","python37-compatibility-importlib3","python37-compatibility-httpconn","use-sys-exit","return-in-init","yield-in-init","file-object-redefined-before-close","unchecked-subprocess-call","baseclass-attribute-override","useless-eqeq","dict-del-while-iterate","is-not-is-not","default-mutable-list","default-mutable-dict","identical-is-comparison","string-is-comparison","string-concat-in-list","raise-not-base-exception","tempfile-insecure","tempfile-without-flush","use-timeout"]},"owasp":{"totals":{"":41,"A03:2021: Injection":1,"A01:2021: Broken Access Control":2,"A02:2017: Broken Authentication":1,"A05:2017: Broken Access Control":1,"A02:2021: Cryptographic Failures":1,"A08:2017: Insecure Deserialization":3,"A08:2021: Software and Data Integrity Failures":3},"per_framework":{"":{"python":{"":41}},"A03:2021: Injection":{"python":{"":1}},"A01:2021: Broken Access Control":{"python":{"":2}},"A02:2017: Broken Authentication":{"python":{"":1}},"A05:2017: Broken Access Control":{"python":{"":1}},"A02:2021: Cryptographic Failures":{"python":{"":1}},"A08:2017: Insecure Deserialization":{"python":{"":3}},"A08:2021: Software and Data Integrity 
Failures":{"python":{"":3}}},"rules_with_no_owasp":["pass-body-fn","pass-body-range","missing-hash-with-eq","arbitrary-sleep","open-never-closed","manual-defaultdict-dict-create","manual-defaultdict-set-create","manual-defaultdict-list-create","manual-counter-create","useless-inner-function","useless-literal-dict","useless-assignment-keyed","useless-if-conditional","useless-if-body","code-after-unconditional-return","return-not-in-function","python36-compatibility-ssl","python36-compatibility-Popen1","python36-compatibility-Popen2","python37-compatibility-importlib","python37-compatibility-importlib2","python37-compatibility-importlib3","python37-compatibility-httpconn","use-sys-exit","return-in-init","yield-in-init","file-object-redefined-before-close","unchecked-subprocess-call","baseclass-attribute-override","useless-eqeq","dict-del-while-iterate","is-not-is-not","default-mutable-list","default-mutable-dict","identical-is-comparison","string-is-comparison","string-concat-in-list","raise-not-base-exception","tempfile-insecure","tempfile-without-flush","use-timeout"]}},"author":"Isaac Evans","counts":{"total_rules":48,"premium_rules":0},"hidden":true,"description":"Just a massive collection of python checks, I want to see everything","id":"Ww4","name":"ievans.experimental-python-all","visibility":"public","categories":[]},{"tags":[],"stats":{"cwe":{"totals":{"":5},"per_framework":{"":{"python":{"":23}},"CWE-521: Weak Password Requirements":{"python":{"":1}},"CWE-295: Improper Certificate Validation":{"python":{"":1}},"CWE-352: Cross-Site Request Forgery (CSRF)":{"python":{"":1}},"CWE-502: Deserialization of Untrusted Data":{"python":{"":7}},"CWE-523: Unprotected Transport of Credentials":{"python":{"":1}},"CWE-319: Cleartext Transmission of Sensitive Information":{"python":{"":1}},"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor":{"python":{"":1}},"CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' 
Attribute":{"python":{"":1}},"CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes":{"python":{"":1}},"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')":{"python":{"":4}},"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')":{"python":{"":5}}},"rules_with_no_cwe":["use-json-response","use-django-environ","use-onetoonefield","nontext-field-must-set-null-true","string-field-must-set-null-true","no-null-string-field","use-count-method","use-earliest-or-latest","use-timeout","list-modify-while-iterate","return-in-init","yield-in-init","dict-del-while-iterate","no-strings-as-booleans","use-sys-exit","useless-eqeq","raise-not-base-exception","default-mutable-dict","string-concat-in-list","identical-is-comparison","string-is-comparison","default-mutable-list","unchecked-subprocess-call"]},"owasp":{"totals":{"":23,"A01:2017: Injection":4,"A03:2021: Injection":9,"A01:2021: Broken Access Control":2,"A02:2017: Broken Authentication":1,"A02:2021: Cryptographic Failures":2,"A03:2017: Sensitive Data Exposure":2,"A08:2017: Insecure Deserialization":7,"A05:2021: Security Misconfiguration":1,"A08:2021: Software and Data Integrity Failures":8,"A07:2021: Identification and Authentication Failures":2},"per_framework":{"":{"python":{"":23}},"A01:2017: Injection":{"python":{"":4}},"A03:2021: Injection":{"python":{"":9}},"A01:2021: Broken Access Control":{"python":{"":2}},"A02:2017: Broken Authentication":{"python":{"":1}},"A02:2021: Cryptographic Failures":{"python":{"":2}},"A03:2017: Sensitive Data Exposure":{"python":{"":2}},"A08:2017: Insecure Deserialization":{"python":{"":7}},"A05:2021: Security Misconfiguration":{"python":{"":1}},"A08:2021: Software and Data Integrity Failures":{"python":{"":8}},"A07:2021: Identification and Authentication 
Failures":{"python":{"":2}}},"rules_with_no_owasp":["use-json-response","use-django-environ","use-onetoonefield","nontext-field-must-set-null-true","string-field-must-set-null-true","no-null-string-field","use-count-method","use-earliest-or-latest","use-timeout","list-modify-while-iterate","return-in-init","yield-in-init","dict-del-while-iterate","no-strings-as-booleans","use-sys-exit","useless-eqeq","raise-not-base-exception","default-mutable-dict","string-concat-in-list","identical-is-comparison","string-is-comparison","default-mutable-list","unchecked-subprocess-call"]}},"author":"mschwager","counts":{"total_rules":47,"premium_rules":0},"hidden":true,"description":"","id":"RAE","name":"mschwager.mega-python","visibility":"public","categories":[]},{"tags":[],"tier":null,"stats":{"cwe":{"totals":{"CWE-183: Permissive List of Allowed Inputs":1},"per_framework":{"CWE-183: Permissive List of Allowed Inputs":{"java":{"":1}}},"rules_with_no_cwe":[]},"owasp":{"totals":{"A04:2021: Insecure Design":1},"per_framework":{"A04:2021: Insecure Design":{"java":{"":1}}},"rules_with_no_owasp":[]}},"author":"Joe Bollen","counts":{"total_rules":1,"premium_rules":0},"hidden":true,"description":"Check for permissive CORS in Node, Express and Java","id":"4nl","name":"hazanasec.permissive_cors","visibility":"public","categories":[]},{"tags":[],"tier":null,"stats":{"cwe":{"totals":{"CWE-521: Weak Password Requirements":1},"per_framework":{"CWE-489: Active Debug Code":{"python":{"":1}},"CWE-521: Weak Password Requirements":{"python":{"":1}},"CWE-798: Use of Hard-coded Credentials":{"javascript":{"":6}},"CWE-295: Improper Certificate Validation":{"python":{"":2}},"CWE-502: Deserialization of Untrusted Data":{"python":{"":3},"javascript":{"":1}},"CWE-918: Server-Side Request Forgery (SSRF)":{"python":{"":1},"javascript":{"":4}},"CWE-523: Unprotected Transport of Credentials":{"python":{"":1}},"CWE-706: Use of Incorrectly-Resolved Name or Reference":{"javascript":{"":1}},"CWE-319: Cleartext 
Transmission of Sensitive Information":{"python":{"":1}},"CWE-327: Use of a Broken or Risky Cryptographic Algorithm":{"javascript":{"":2}},"CWE-601: URL Redirection to Untrusted Site ('Open Redirect')":{"python":{"":1}},"CWE-611: Improper Restriction of XML External Entity Reference":{"python":{"":1},"javascript":{"":2}},"CWE-94: Improper Control of Generation of Code (Code Injection)":{"javascript":{"":5}},"CWE-94: Improper Control of Generation of Code ('Code Injection')":{"javascript":{"":1}},"CWE-1236: Improper Neutralization of Formula Elements in a CSV File":{"python":{"":1}},"CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')":{"python":{"":1}},"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')":{"javascript":{"":1}},"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')":{"python":{"":2}},"CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')":{"python":{"":1}},"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')":{"python":{"":2}},"CWE-96: Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')":{"python":{"":1}},"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')":{"python":{"":2},"javascript":{"":1}}},"rules_with_no_cwe":[]},"owasp":{"totals":{"A1: Injection":5,"A01:2017: Injection":6,"A03:2021: Injection":10,"A01:2021: Broken Access Control":3,"A02:2017: Broken Authentication":1,"A05:2017: Broken Access Control":1,"A02:2021: Cryptographic Failures":4,"A03:2017: Sensitive Data Exposure":5,"A08:2017: Insecure Deserialization":4,"A05:2021: Security Misconfiguration":5,"A07:2017: Cross-Site Scripting (XSS)":1,"A04:2017: XML External Entities (XXE)":4,"A10:2021: Server-Side Request Forgery (SSRF)":5,"A08:2021: Software and Data Integrity Failures":4,"A07:2021: Identification and 
Authentication Failures":9},"per_framework":{"A1: Injection":{"javascript":{"":5}},"A01:2017: Injection":{"python":{"":5},"javascript":{"":1}},"A03:2021: Injection":{"python":{"":7},"javascript":{"":3}},"A01:2021: Broken Access Control":{"python":{"":2},"javascript":{"":1}},"A02:2017: Broken Authentication":{"python":{"":1}},"A05:2017: Broken Access Control":{"python":{"":1}},"A02:2021: Cryptographic Failures":{"python":{"":2},"javascript":{"":2}},"A03:2017: Sensitive Data Exposure":{"python":{"":3},"javascript":{"":2}},"A08:2017: Insecure Deserialization":{"python":{"":3},"javascript":{"":1}},"A05:2021: Security Misconfiguration":{"python":{"":3},"javascript":{"":2}},"A07:2017: Cross-Site Scripting (XSS)":{"javascript":{"":1}},"A04:2017: XML External Entities (XXE)":{"python":{"":2},"javascript":{"":2}},"A10:2021: Server-Side Request Forgery (SSRF)":{"python":{"":1},"javascript":{"":4}},"A08:2021: Software and Data Integrity Failures":{"python":{"":3},"javascript":{"":1}},"A07:2021: Identification and Authentication Failures":{"python":{"":3},"javascript":{"":6}}},"rules_with_no_owasp":[]}},"author":"Paolo del 
Mundo","counts":{"total_rules":46,"premium_rules":0},"hidden":true,"description":"","id":"3np","name":"tmfrook.fool-python-pack","visibility":"public","categories":[]},{"tags":[],"tier":null,"stats":{"cwe":{"totals":{"":1},"per_framework":{"":{"javascript":{"":1}}},"rules_with_no_cwe":["assigned-undefined"]},"owasp":{"totals":{"":1},"per_framework":{"":{"javascript":{"":1}}},"rules_with_no_owasp":["assigned-undefined"]}},"author":"ali0818","counts":{"total_rules":1,"premium_rules":0},"hidden":true,"description":"","id":"54X","name":"ali0818.kik","visibility":"public","categories":[]},{"tags":[],"tier":null,"stats":{"cwe":{"totals":{},"per_framework":{},"rules_with_no_cwe":[]},"owasp":{"totals":{},"per_framework":{},"rules_with_no_owasp":[]}},"author":"ali0818","counts":{"total_rules":0,"premium_rules":0},"hidden":true,"description":"","id":"Go2","name":"ali0818.test-pack","visibility":"public","categories":[]},{"tags":[],"stats":{"cwe":{"totals":{"CWE-918: Server-Side Request Forgery (SSRF)":5},"per_framework":{"":{"javascript":{"":1}},"CWE-798: Use of Hard-coded Credentials":{"javascript":{"":6}},"CWE-502: Deserialization of Untrusted Data":{"javascript":{"":1}},"CWE-918: Server-Side Request Forgery (SSRF)":{"javascript":{"":4}},"CWE-706: Use of Incorrectly-Resolved Name or Reference":{"javascript":{"":1}},"CWE-327: Use of a Broken or Risky Cryptographic Algorithm":{"javascript":{"":2}},"CWE-611: Improper Restriction of XML External Entity Reference":{"javascript":{"":2}},"CWE-94: Improper Control of Generation of Code (Code Injection)":{"javascript":{"":5}},"CWE-94: Improper Control of Generation of Code ('Code Injection')":{"javascript":{"":1}},"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')":{"javascript":{"":1}}},"rules_with_no_cwe":["eqeq-is-bad"]},"owasp":{"totals":{"":1,"A1: Injection":5,"A01:2017: Injection":1,"A03:2021: Injection":2,"A01:2021: Broken Access Control":1,"A02:2021: Cryptographic 
Failures":2,"A03:2017: Sensitive Data Exposure":2,"A08:2017: Insecure Deserialization":1,"A05:2021: Security Misconfiguration":2,"A04:2017: XML External Entities (XXE)":2,"A10:2021: Server-Side Request Forgery (SSRF)":4,"A08:2021: Software and Data Integrity Failures":1,"A07:2021: Identification and Authentication Failures":6},"per_framework":{"":{"javascript":{"":1}},"A1: Injection":{"javascript":{"":5}},"A01:2017: Injection":{"javascript":{"":1}},"A03:2021: Injection":{"javascript":{"":2}},"A01:2021: Broken Access Control":{"javascript":{"":1}},"A02:2021: Cryptographic Failures":{"javascript":{"":2}},"A03:2017: Sensitive Data Exposure":{"javascript":{"":2}},"A08:2017: Insecure Deserialization":{"javascript":{"":1}},"A05:2021: Security Misconfiguration":{"javascript":{"":2}},"A04:2017: XML External Entities (XXE)":{"javascript":{"":2}},"A10:2021: Server-Side Request Forgery (SSRF)":{"javascript":{"":4}},"A08:2021: Software and Data Integrity Failures":{"javascript":{"":1}},"A07:2021: Identification and Authentication Failures":{"javascript":{"":6}}},"rules_with_no_owasp":["eqeq-is-bad"]}},"author":"amccabe-splk","counts":{"total_rules":24,"premium_rules":0},"hidden":true,"description":"","id":"Dlo","name":"amccabe-splk.hack1046js-2","visibility":"public","categories":[]},{"tags":[],"tier":null,"stats":{"cwe":{"totals":{"CWE-522: Insufficiently Protected Credentials":2},"per_framework":{"":{"javascript":{"":7}},"CWE-798: Use of Hard-coded Credentials":{"javascript":{"":6}},"CWE-352: Cross-Site Request Forgery (CSRF)":{"javascript":{"":1}},"CWE-502: Deserialization of Untrusted Data":{"javascript":{"":1}},"CWE-918: Server-Side Request Forgery (SSRF)":{"javascript":{"":7}},"CWE-522: Insufficiently Protected Credentials":{"javascript":{"":9}},"CWE-116: Improper Encoding or Escaping of Output":{"javascript":{"":1}},"CWE-706: Use of Incorrectly-Resolved Name or Reference":{"javascript":{"":2}},"CWE-345: Insufficient Verification of Data 
Authenticity":{"javascript":{"":1}},"CWE-327: Use of a Broken or Risky Cryptographic Algorithm":{"javascript":{"":2}},"CWE-601: URL Redirection to Untrusted Site ('Open Redirect')":{"javascript":{"":1}},"CWE-611: Improper Restriction of XML External Entity Reference":{"javascript":{"":6}},"CWE-94: Improper Control of Generation of Code (Code Injection)":{"javascript":{"":6}},"CWE-94: Improper Control of Generation of Code ('Code Injection')":{"javascript":{"":14}},"CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer":{"javascript":{"":1}},"CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)":{"javascript":{"":1}},"CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')":{"javascript":{"":2}},"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')":{"javascript":{"":2}},"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')":{"javascript":{"":1}},"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')":{"javascript":{"":2}},"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')":{"javascript":{"":3}}},"rules_with_no_cwe":["assigned-undefined","javascript-alert","javascript-debugger","javascript-confirm","javascript-prompt","useless-assignment","eqeq-is-bad"]},"owasp":{"totals":{"":8,"A1: Injection":6,"A01:2017: Injection":4,"A03:2021: Injection":24,"A04:2021: Insecure Design":9,"A01:2021: Broken Access Control":6,"A02:2017: Broken Authentication":9,"A05:2017: Broken Access Control":3,"A02:2021: Cryptographic Failures":2,"A03:2017: Sensitive Data Exposure":2,"A08:2017: Insecure Deserialization":1,"A05:2021: Security Misconfiguration":6,"A07:2017: Cross-Site Scripting (XSS)":2,"A04:2017: XML External Entities (XXE)":6,"A10:2021: Server-Side Request Forgery (SSRF)":7,"A08:2021: Software and Data Integrity 
Failures":2,"A07:2021: Identification and Authentication Failures":6},"per_framework":{"":{"javascript":{"":8}},"A1: Injection":{"javascript":{"":6}},"A01:2017: Injection":{"javascript":{"":4}},"A03:2021: Injection":{"javascript":{"":24}},"A04:2021: Insecure Design":{"javascript":{"":9}},"A01:2021: Broken Access Control":{"javascript":{"":6}},"A02:2017: Broken Authentication":{"javascript":{"":9}},"A05:2017: Broken Access Control":{"javascript":{"":3}},"A02:2021: Cryptographic Failures":{"javascript":{"":2}},"A03:2017: Sensitive Data Exposure":{"javascript":{"":2}},"A08:2017: Insecure Deserialization":{"javascript":{"":1}},"A05:2021: Security Misconfiguration":{"javascript":{"":6}},"A07:2017: Cross-Site Scripting (XSS)":{"javascript":{"":2}},"A04:2017: XML External Entities (XXE)":{"javascript":{"":6}},"A10:2021: Server-Side Request Forgery (SSRF)":{"javascript":{"":7}},"A08:2021: Software and Data Integrity Failures":{"javascript":{"":2}},"A07:2021: Identification and Authentication Failures":{"javascript":{"":6}}},"rules_with_no_owasp":["assigned-undefined","javascript-alert","javascript-debugger","javascript-confirm","javascript-prompt","detect-buffer-noassert","useless-assignment","eqeq-is-bad"]}},"author":"Ben Cambourne","counts":{"total_rules":76,"premium_rules":0},"hidden":true,"description":"","id":"Gop","name":"ben-elttam.bdawg-javascript-all","visibility":"public","categories":[]},{"tags":[],"stats":{"cwe":{"totals":{"CWE-798: Use of Hard-coded Credentials":1},"per_framework":{"":{"go":{"":2},"java":{"":3},"python":{"":43},"javascript":{"":1}},"CWE-489: Active Debug Code":{"python":{"":1}},"CWE-521: Weak Password Requirements":{"python":{"":1}},"CWE-798: Use of Hard-coded Credentials":{"javascript":{"":6}},"CWE-295: Improper Certificate Validation":{"python":{"":2}},"CWE-502: Deserialization of Untrusted Data":{"java":{"":1},"python":{"":2},"javascript":{"":1}},"CWE-300: Channel Accessible by Non-Endpoint":{"go":{"":2}},"CWE-918: Server-Side Request 
Forgery (SSRF)":{"python":{"":1},"javascript":{"":4}},"CWE-523: Unprotected Transport of Credentials":{"python":{"":1}},"CWE-706: Use of Incorrectly-Resolved Name or Reference":{"javascript":{"":1}},"CWE-319: Cleartext Transmission of Sensitive Information":{"python":{"":1}},"CWE-327: Use of a Broken or Risky Cryptographic Algorithm":{"javascript":{"":2}},"CWE-601: URL Redirection to Untrusted Site ('Open Redirect')":{"python":{"":1}},"CWE-611: Improper Restriction of XML External Entity Reference":{"java":{"":1},"python":{"":1},"javascript":{"":2}},"CWE-94: Improper Control of Generation of Code (Code Injection)":{"javascript":{"":5}},"CWE-94: Improper Control of Generation of Code ('Code Injection')":{"javascript":{"":1}},"CWE-1236: Improper Neutralization of Formula Elements in a CSV File":{"python":{"":1}},"CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')":{"python":{"":1}},"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')":{"java":{"":1}},"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')":{"go":{"":1},"python":{"":2}},"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')":{"python":{"":2}},"CWE-96: Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')":{"python":{"":1}},"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command 
Injection')":{"python":{"":1},"javascript":{"":1}}},"rules_with_no_cwe":["tempfile-without-flush","tempfile-insecure","raise-not-base-exception","string-is-comparison","identical-is-comparison","default-mutable-dict","default-mutable-list","is-not-is-not","useless-eqeq","return-in-init","python37-compatibility-pdb","python37-compatibility-os2-ok2","python37-compatability-os-module","python37-compatibility-os1","python37-compatibility-multiprocess2","python37-compatibility-multiprocess1","python37-compatibility-math1","python37-compatibility-locale1","python37-compatibility-ipv4network2","python37-compatibility-ipv4network1","python37-compatibility-ipv6network2","python37-compatibility-ipv6network1","python37-compatibility-textiowrapper","python37-compatibility-importlib3","python37-compatibility-httpsconn","python37-compatibility-httpconn","python37-compatibility-importlib2","python37-compatibility-importlib","python36-compatibility-Popen2","python36-compatibility-Popen1","python36-compatibility-ssl","useless-inner-function","open-never-closed","arbitrary-sleep","use-jsonify","delete-where-no-execute","nontext-field-must-set-null-true","string-field-must-set-null-true","use-earliest-or-latest","use-count-method","use-json-response","use-django-environ","use-click-secho","hardcoded-conditional","eqeq","assignment-comparison","hardcoded-eq-true-or-false","eqeq-is-bad","eqeq-is-bad"]},"owasp":{"totals":{"":49,"A1: Injection":5,"A01:2017: Injection":6,"A03:2021: Injection":10,"A01:2021: Broken Access Control":3,"A02:2017: Broken Authentication":1,"A05:2017: Broken Access Control":1,"A02:2021: Cryptographic Failures":4,"A03:2017: Sensitive Data Exposure":5,"A08:2017: Insecure Deserialization":4,"A05:2021: Security Misconfiguration":5,"A07:2017: Cross-Site Scripting (XSS)":1,"A04:2017: XML External Entities (XXE)":4,"A10:2021: Server-Side Request Forgery (SSRF)":5,"A08:2021: Software and Data Integrity Failures":4,"A07:2021: Identification and Authentication 
Failures":11},"per_framework":{"":{"go":{"":2},"java":{"":3},"python":{"":43},"javascript":{"":1}},"A1: Injection":{"javascript":{"":5}},"A01:2017: Injection":{"go":{"":1},"python":{"":4},"javascript":{"":1}},"A03:2021: Injection":{"go":{"":1},"java":{"":1},"python":{"":6},"javascript":{"":2}},"A01:2021: Broken Access Control":{"python":{"":2},"javascript":{"":1}},"A02:2017: Broken Authentication":{"python":{"":1}},"A05:2017: Broken Access Control":{"python":{"":1}},"A02:2021: Cryptographic Failures":{"python":{"":2},"javascript":{"":2}},"A03:2017: Sensitive Data Exposure":{"python":{"":3},"javascript":{"":2}},"A08:2017: Insecure Deserialization":{"java":{"":1},"python":{"":2},"javascript":{"":1}},"A05:2021: Security Misconfiguration":{"java":{"":1},"python":{"":2},"javascript":{"":2}},"A07:2017: Cross-Site Scripting (XSS)":{"java":{"":1}},"A04:2017: XML External Entities (XXE)":{"java":{"":1},"python":{"":1},"javascript":{"":2}},"A10:2021: Server-Side Request Forgery (SSRF)":{"python":{"":1},"javascript":{"":4}},"A08:2021: Software and Data Integrity Failures":{"java":{"":1},"python":{"":2},"javascript":{"":1}},"A07:2021: Identification and Authentication 
Failures":{"go":{"":2},"python":{"":3},"javascript":{"":6}}},"rules_with_no_owasp":["tempfile-without-flush","tempfile-insecure","raise-not-base-exception","string-is-comparison","identical-is-comparison","default-mutable-dict","default-mutable-list","is-not-is-not","useless-eqeq","return-in-init","python37-compatibility-pdb","python37-compatibility-os2-ok2","python37-compatability-os-module","python37-compatibility-os1","python37-compatibility-multiprocess2","python37-compatibility-multiprocess1","python37-compatibility-math1","python37-compatibility-locale1","python37-compatibility-ipv4network2","python37-compatibility-ipv4network1","python37-compatibility-ipv6network2","python37-compatibility-ipv6network1","python37-compatibility-textiowrapper","python37-compatibility-importlib3","python37-compatibility-httpsconn","python37-compatibility-httpconn","python37-compatibility-importlib2","python37-compatibility-importlib","python36-compatibility-Popen2","python36-compatibility-Popen1","python36-compatibility-ssl","useless-inner-function","open-never-closed","arbitrary-sleep","use-jsonify","delete-where-no-execute","nontext-field-must-set-null-true","string-field-must-set-null-true","use-earliest-or-latest","use-count-method","use-json-response","use-django-environ","use-click-secho","hardcoded-conditional","eqeq","assignment-comparison","hardcoded-eq-true-or-false","eqeq-is-bad","eqeq-is-bad"]}},"author":"amccabe-splk","counts":{"total_rules":97,"premium_rules":0},"hidden":true,"description":"","id":"WYg","name":"amccabe-splk.hack1046js-all-error","visibility":"public","categories":[]},{"tags":[],"tier":null,"stats":{"cwe":{"totals":{"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')":1},"per_framework":{"CWE-798: Use of Hard-coded Credentials":{"go":{"":1},"javascript":{"":5}},"CWE-400: Uncontrolled Resource Consumption":{"go":{"":1}},"CWE-918: Server-Side Request Forgery (SSRF)":{"javascript":{"":7}},"CWE-242: Use of 
Inherently Dangerous Function":{"go":{"":1}},"CWE-522: Insufficiently Protected Credentials":{"javascript":{"":5}},"CWE-706: Use of Incorrectly-Resolved Name or Reference":{"javascript":{"":2}},"CWE-345: Insufficient Verification of Data Authenticity":{"javascript":{"":1}},"CWE-327: Use of a Broken or Risky Cryptographic Algorithm":{"javascript":{"":2}},"CWE-611: Improper Restriction of XML External Entity Reference":{"javascript":{"":6}},"CWE-94: Improper Control of Generation of Code ('Code Injection')":{"javascript":{"":7}},"CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)":{"javascript":{"":1}},"CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')":{"go":{"":1},"javascript":{"":2}},"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')":{"go":{"":4}},"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')":{"go":{"":1}},"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')":{"javascript":{"":1}}},"rules_with_no_cwe":[]},"owasp":{"totals":{"":2,"A01:2017: Injection":1,"A03:2021: Injection":14,"A04:2021: Insecure Design":5,"A01:2021: Broken Access Control":5,"A02:2017: Broken Authentication":5,"A05:2017: Broken Access Control":3,"A02:2021: Cryptographic Failures":2,"A03:2017: Sensitive Data Exposure":2,"A05:2021: Security Misconfiguration":6,"A07:2017: Cross-Site Scripting (XSS)":4,"A04:2017: XML External Entities (XXE)":6,"A10:2021: Server-Side Request Forgery (SSRF)":7,"A08:2021: Software and Data Integrity Failures":1,"A07:2021: Identification and Authentication Failures":6},"per_framework":{"":{"go":{"":2}},"A01:2017: Injection":{"go":{"":1}},"A03:2021: Injection":{"go":{"":5},"javascript":{"":9}},"A04:2021: Insecure Design":{"javascript":{"":5}},"A01:2021: Broken Access Control":{"go":{"":1},"javascript":{"":4}},"A02:2017: Broken 
Authentication":{"javascript":{"":5}},"A05:2017: Broken Access Control":{"go":{"":1},"javascript":{"":2}},"A02:2021: Cryptographic Failures":{"javascript":{"":2}},"A03:2017: Sensitive Data Exposure":{"javascript":{"":2}},"A05:2021: Security Misconfiguration":{"javascript":{"":6}},"A07:2017: Cross-Site Scripting (XSS)":{"go":{"":4}},"A04:2017: XML External Entities (XXE)":{"javascript":{"":6}},"A10:2021: Server-Side Request Forgery (SSRF)":{"javascript":{"":7}},"A08:2021: Software and Data Integrity Failures":{"javascript":{"":1}},"A07:2021: Identification and Authentication Failures":{"go":{"":1},"javascript":{"":5}}},"rules_with_no_owasp":["potential-dos-via-decompression-bomb","use-of-unsafe-block"]}},"author":"Daniel Fürst","counts":{"total_rules":48,"premium_rules":0},"hidden":true,"description":"","id":"OAB","name":"dnlfrst.gitlab-security","visibility":"public","categories":[]},{"tags":[],"tier":null,"stats":{"cwe":{"totals":{"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')":3},"per_framework":{"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')":{"java":{"":1},"python":{"":2}}},"rules_with_no_cwe":[]},"owasp":{"totals":{"A1: Injection":1,"A01:2017: Injection":2,"A03:2021: Injection":2},"per_framework":{"A1: Injection":{"python":{"":1}},"A01:2017: Injection":{"java":{"":1},"python":{"":1}},"A03:2021: Injection":{"java":{"":1},"python":{"":1}}},"rules_with_no_owasp":[]}},"author":"Joe Bollen","counts":{"total_rules":3,"premium_rules":0},"hidden":true,"description":"Find dangerous function calls in JS, Java and Python","id":"nvX","name":"hazanasec.dynamic code execution","visibility":"public","categories":[]},{"tags":[],"tier":null,"stats":{"cwe":{"totals":{"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')":6},"per_framework":{"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval 
Injection')":{"python":{"":5},"javascript":{"":1}},"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')":{"java":{"":1},"python":{"":4}}},"rules_with_no_cwe":[]},"owasp":{"totals":{"A1: Injection":2,"A01:2017: Injection":3,"A03:2021: Injection":9},"per_framework":{"A1: Injection":{"python":{"":2}},"A01:2017: Injection":{"java":{"":1},"python":{"":2}},"A03:2021: Injection":{"java":{"":1},"python":{"":7},"javascript":{"":1}}},"rules_with_no_owasp":[]}},"author":"Joe Bollen","counts":{"total_rules":11,"premium_rules":0},"hidden":true,"description":"Detect use of dangerous dynamic code execution features in Java, JS and Python","id":"E7w","name":"hazanasec.dangerous_code_execution","visibility":"public","categories":[]},{"tags":[],"tier":null,"stats":{"cwe":{"totals":{"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')":3},"per_framework":{"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')":{"python":{"":3}},"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')":{"java":{"":1},"python":{"":4}}},"rules_with_no_cwe":[]},"owasp":{"totals":{"A1: Injection":2,"A01:2017: Injection":3,"A03:2021: Injection":6},"per_framework":{"A1: Injection":{"python":{"":2}},"A01:2017: Injection":{"java":{"":1},"python":{"":2}},"A03:2021: Injection":{"java":{"":1},"python":{"":5}}},"rules_with_no_owasp":[]}},"author":"Joe Bollen","counts":{"total_rules":8,"premium_rules":0},"hidden":true,"description":"Detect use of dangerous dynamic code execution features in Java, JS and Python","id":"7bZ","name":"hazanasec.dynamic_code_execution","visibility":"public","categories":[]},{"tags":[],"tier":null,"stats":{"cwe":{"totals":{"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')":2},"per_framework":{"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site 
Scripting')":{"go":{"":1},"python":{"":2}},"CWE-96: Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')":{"python":{"":2}}},"rules_with_no_cwe":[]},"owasp":{"totals":{"A03:2021: Injection":5,"A07:2017: Cross-Site Scripting (XSS)":3},"per_framework":{"A03:2021: Injection":{"go":{"":1},"python":{"":4}},"A07:2017: Cross-Site Scripting (XSS)":{"go":{"":1},"python":{"":2}}},"rules_with_no_owasp":[]}},"author":"Joe Bollen","counts":{"total_rules":5,"premium_rules":0},"hidden":true,"description":"Detect known possible insecure use of templates that can introduce SSTI","id":"L7r","name":"hazanasec.generic_possible_ssti","visibility":"public","categories":[]},{"tags":[],"tier":null,"stats":{"cwe":{"totals":{"CWE-522: Insufficiently Protected Credentials":6},"per_framework":{"CWE-798: Use of Hard-coded Credentials":{"javascript":{"":6}},"CWE-522: Insufficiently Protected Credentials":{"javascript":{"":2}},"CWE-345: Insufficient Verification of Data Authenticity":{"javascript":{"":1}},"CWE-327: Use of a Broken or Risky Cryptographic Algorithm":{"javascript":{"":2}}},"rules_with_no_cwe":[]},"owasp":{"totals":{"A04:2021: Insecure Design":2,"A02:2017: Broken Authentication":2,"A02:2021: Cryptographic Failures":2,"A03:2017: Sensitive Data Exposure":2,"A08:2021: Software and Data Integrity Failures":1,"A07:2021: Identification and Authentication Failures":6},"per_framework":{"A04:2021: Insecure Design":{"javascript":{"":2}},"A02:2017: Broken Authentication":{"javascript":{"":2}},"A02:2021: Cryptographic Failures":{"javascript":{"":2}},"A03:2017: Sensitive Data Exposure":{"javascript":{"":2}},"A08:2021: Software and Data Integrity Failures":{"javascript":{"":1}},"A07:2021: Identification and Authentication Failures":{"javascript":{"":6}}},"rules_with_no_owasp":[]}},"author":"Joe Bollen","counts":{"total_rules":11,"premium_rules":0},"hidden":true,"description":"Check for security weaknesses in JWT's 
","id":"gvJ","name":"hazanasec.jwt-security-audit","visibility":"public","categories":[]},{"tags":[],"tier":null,"stats":{"cwe":{"totals":{},"per_framework":{},"rules_with_no_cwe":[]},"owasp":{"totals":{},"per_framework":{},"rules_with_no_owasp":[]}},"author":"Joe Bollen","counts":{"total_rules":0,"premium_rules":0},"hidden":true,"description":"Detect possible NoSQL Injection in Node.js","id":"Q74","name":"hazanasec.nodejs_nosql_injection","visibility":"public","categories":[]},{"tags":[],"tier":null,"stats":{"cwe":{"totals":{"CWE-502: Deserialization of Untrusted Data":1},"per_framework":{"CWE-502: Deserialization of Untrusted Data":{"java":{"":2},"ruby":{"":1},"python":{"":1}},"CWE-94: Improper Control of Generation of Code ('Code Injection')":{"ruby":{"":1}},"CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)":{"javascript":{"":1}}},"rules_with_no_cwe":[]},"owasp":{"totals":{"A03:2021: Injection":2,"A08:2017: Insecure Deserialization":4,"A08:2021: Software and Data Integrity Failures":4},"per_framework":{"A03:2021: Injection":{"ruby":{"":1},"javascript":{"":1}},"A08:2017: Insecure Deserialization":{"java":{"":2},"ruby":{"":1},"python":{"":1}},"A08:2021: Software and Data Integrity Failures":{"java":{"":2},"ruby":{"":1},"python":{"":1}}},"rules_with_no_owasp":[]}},"author":"Joe Bollen","counts":{"total_rules":6,"premium_rules":0},"hidden":true,"description":"Check for unsafe deserialization Java, JS and Python Django","id":"R7O","name":"hazanasec.unsafe-deserialization","visibility":"public","categories":[]},{"tags":[],"tier":null,"stats":{"cwe":{"totals":{"CWE-601: URL Redirection to Untrusted Site ('Open Redirect')":4},"per_framework":{"CWE-601: URL Redirection to Untrusted Site ('Open Redirect')":{"java":{"":2},"python":{"":1},"javascript":{"":1}}},"rules_with_no_cwe":[]},"owasp":{"totals":{"A01:2021: Broken Access Control":4},"per_framework":{"A01:2021: Broken Access 
Control":{"java":{"":2},"python":{"":1},"javascript":{"":1}}},"rules_with_no_owasp":[]}},"author":"Joe Bollen","counts":{"total_rules":4,"premium_rules":0},"hidden":true,"description":"Detect use of unvalidated redirects in Java, JS and Python","id":"A7p","name":"hazanasec.unvalidated_redirects","visibility":"public","categories":[]},{"tags":[],"tier":null,"stats":{"cwe":{"totals":{"CWE-319: Cleartext Transmission of Sensitive Information":7},"per_framework":{"CWE-326: Inadequate Encryption Strength":{"java":{"":4},"python":{"":1}},"CWE-1104: Use of Unmaintained Third Party Components":{"python":{"":1}},"CWE-319: Cleartext Transmission of Sensitive Information":{"java":{"":1}},"CWE-327: Use of a Broken or Risky Cryptographic Algorithm":{"java":{"":4},"python":{"":3}}},"rules_with_no_cwe":[]},"owasp":{"totals":{"A3: Sensitive Data Exposure":2,"A02:2021: Cryptographic Failures":9,"A03:2017: Sensitive Data Exposure":9,"A06:2021: Vulnerable and Outdated Components":1,"A9: Using Components with Known Vulnerabilities":2,"A09:2017: Using Components with Known Vulnerabilities":1},"per_framework":{"A3: Sensitive Data Exposure":{"python":{"":2}},"A02:2021: Cryptographic Failures":{"java":{"":7},"python":{"":2}},"A03:2017: Sensitive Data Exposure":{"java":{"":7},"python":{"":2}},"A06:2021: Vulnerable and Outdated Components":{"python":{"":1}},"A9: Using Components with Known Vulnerabilities":{"java":{"":2}},"A09:2017: Using Components with Known Vulnerabilities":{"python":{"":1}}},"rules_with_no_owasp":[]}},"author":"Joe Bollen","counts":{"total_rules":14,"premium_rules":0},"hidden":true,"description":"Detect weak/deprecated crypto being used in Java, JS and Python","id":"B7W","name":"hazanasec.weak_crypto","visibility":"public","categories":[]},{"tags":[],"tier":null,"stats":{"cwe":{"totals":{"CWE-611: Improper Restriction of XML External Entity Reference":10},"per_framework":{"CWE-611: Improper Restriction of XML External Entity 
Reference":{"java":{"":3},"python":{"":1},"javascript":{"":6}}},"rules_with_no_cwe":[]},"owasp":{"totals":{"A05:2021: Security Misconfiguration":10,"A04:2017: XML External Entities (XXE)":10},"per_framework":{"A05:2021: Security Misconfiguration":{"java":{"":3},"python":{"":1},"javascript":{"":6}},"A04:2017: XML External Entities (XXE)":{"java":{"":3},"python":{"":1},"javascript":{"":6}}},"rules_with_no_owasp":[]}},"author":"Joe Bollen","counts":{"total_rules":10,"premium_rules":0},"hidden":true,"description":"Check if insecure XML entities are being used in JS, Java and Python ","id":"DgY","name":"hazanasec.xml-entity-security","visibility":"public","categories":[]},{"tags":[],"tier":null,"stats":{"cwe":{"totals":{"CWE-522: Insufficiently Protected Credentials":2},"per_framework":{"":{"javascript":{"":7}},"CWE-798: Use of Hard-coded Credentials":{"javascript":{"":6}},"CWE-352: Cross-Site Request Forgery (CSRF)":{"javascript":{"":1}},"CWE-502: Deserialization of Untrusted Data":{"javascript":{"":1}},"CWE-918: Server-Side Request Forgery (SSRF)":{"javascript":{"":7}},"CWE-522: Insufficiently Protected Credentials":{"javascript":{"":9}},"CWE-116: Improper Encoding or Escaping of Output":{"javascript":{"":1}},"CWE-706: Use of Incorrectly-Resolved Name or Reference":{"javascript":{"":2}},"CWE-345: Insufficient Verification of Data Authenticity":{"javascript":{"":1}},"CWE-327: Use of a Broken or Risky Cryptographic Algorithm":{"javascript":{"":2}},"CWE-611: Improper Restriction of XML External Entity Reference":{"javascript":{"":6}},"CWE-94: Improper Control of Generation of Code (Code Injection)":{"javascript":{"":6}},"CWE-94: Improper Control of Generation of Code ('Code Injection')":{"javascript":{"":12}},"CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer":{"javascript":{"":1}},"CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)":{"javascript":{"":1}},"CWE-22: Improper Limitation of a Pathname to a 
Restricted Directory ('Path Traversal')":{"javascript":{"":2}},"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')":{"javascript":{"":2}},"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')":{"javascript":{"":2}}},"rules_with_no_cwe":["assigned-undefined","javascript-alert","javascript-debugger","javascript-confirm","javascript-prompt","useless-assignment","eqeq-is-bad"]},"owasp":{"totals":{"":8,"A1: Injection":6,"A01:2017: Injection":2,"A03:2021: Injection":18,"A04:2021: Insecure Design":9,"A01:2021: Broken Access Control":5,"A02:2017: Broken Authentication":9,"A05:2017: Broken Access Control":3,"A02:2021: Cryptographic Failures":2,"A03:2017: Sensitive Data Exposure":2,"A08:2017: Insecure Deserialization":1,"A05:2021: Security Misconfiguration":6,"A04:2017: XML External Entities (XXE)":6,"A10:2021: Server-Side Request Forgery (SSRF)":7,"A08:2021: Software and Data Integrity Failures":2,"A07:2021: Identification and Authentication Failures":6},"per_framework":{"":{"javascript":{"":8}},"A1: Injection":{"javascript":{"":6}},"A01:2017: Injection":{"javascript":{"":2}},"A03:2021: Injection":{"javascript":{"":18}},"A04:2021: Insecure Design":{"javascript":{"":9}},"A01:2021: Broken Access Control":{"javascript":{"":5}},"A02:2017: Broken Authentication":{"javascript":{"":9}},"A05:2017: Broken Access Control":{"javascript":{"":3}},"A02:2021: Cryptographic Failures":{"javascript":{"":2}},"A03:2017: Sensitive Data Exposure":{"javascript":{"":2}},"A08:2017: Insecure Deserialization":{"javascript":{"":1}},"A05:2021: Security Misconfiguration":{"javascript":{"":6}},"A04:2017: XML External Entities (XXE)":{"javascript":{"":6}},"A10:2021: Server-Side Request Forgery (SSRF)":{"javascript":{"":7}},"A08:2021: Software and Data Integrity Failures":{"javascript":{"":2}},"A07:2021: Identification and Authentication 
Failures":{"javascript":{"":6}}},"rules_with_no_owasp":["assigned-undefined","javascript-alert","javascript-debugger","javascript-confirm","javascript-prompt","detect-buffer-noassert","useless-assignment","eqeq-is-bad"]}},"author":"Michael Whiteman","counts":{"total_rules":69,"premium_rules":0},"hidden":true,"description":"","id":"dLZ","name":"mikewhiteman.javascript-all","visibility":"public","categories":[]},{"tags":[],"tier":null,"stats":{"cwe":{"totals":{"CWE-502: Deserialization of Untrusted Data":1},"per_framework":{"CWE-489: Active Debug Code":{"python":{"":1}},"CWE-798: Use of Hard-coded Credentials":{"ruby":{"":1},"python":{"":1},"javascript":{"":1}},"CWE-502: Deserialization of Untrusted Data":{"java":{"":2},"python":{"":8},"javascript":{"":1}},"CWE-300: Channel Accessible by Non-Endpoint":{"go":{"":2}},"CWE-242: Use of Inherently Dangerous Function":{"go":{"":1}},"CWE-116: Improper Encoding or Escaping of Output":{"python":{"":1}},"CWE-706: Use of Incorrectly-Resolved Name or Reference":{"javascript":{"":1}},"CWE-345: Insufficient Verification of Data Authenticity":{"javascript":{"":1}},"CWE-319: Cleartext Transmission of Sensitive Information":{"go":{"":1}},"CWE-327: Use of a Broken or Risky Cryptographic Algorithm":{"javascript":{"":1}},"CWE-94: Improper Control of Generation of Code ('Code Injection')":{"java":{"":1},"ruby":{"":2},"javascript":{"":2}},"CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)":{"javascript":{"":1}},"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')":{"go":{"":1},"java":{"":2},"python":{"":2}},"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')":{"java":{"":1},"python":{"":4}},"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')":{"python":{"":8},"javascript":{"":1}},"CWE-96: Improper Neutralization of Directives in Statically Saved Code ('Static Code 
Injection')":{"python":{"":1}},"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')":{"java":{"":1},"python":{"":5},"javascript":{"":1}}},"rules_with_no_cwe":[]},"owasp":{"totals":{"":1,"A1: Injection":1,"A01:2017: Injection":11,"A03:2021: Injection":32,"A6: Security Misconfiguration":1,"A01:2021: Broken Access Control":1,"A02:2021: Cryptographic Failures":2,"A03:2017: Sensitive Data Exposure":2,"A08:2017: Insecure Deserialization":11,"A05:2021: Security Misconfiguration":1,"A07:2017: Cross-Site Scripting (XSS)":5,"A08:2021: Software and Data Integrity Failures":12,"A07:2021: Identification and Authentication Failures":5},"per_framework":{"":{"go":{"":1}},"A1: Injection":{"python":{"":1}},"A01:2017: Injection":{"java":{"":2},"python":{"":8},"javascript":{"":1}},"A03:2021: Injection":{"go":{"":1},"java":{"":5},"ruby":{"":2},"python":{"":19},"javascript":{"":5}},"A6: Security Misconfiguration":{"python":{"":1}},"A01:2021: Broken Access Control":{"javascript":{"":1}},"A02:2021: Cryptographic Failures":{"go":{"":1},"javascript":{"":1}},"A03:2017: Sensitive Data Exposure":{"go":{"":1},"javascript":{"":1}},"A08:2017: Insecure Deserialization":{"java":{"":2},"python":{"":8},"javascript":{"":1}},"A05:2021: Security Misconfiguration":{"python":{"":1}},"A07:2017: Cross-Site Scripting (XSS)":{"go":{"":1},"java":{"":2},"python":{"":2}},"A08:2021: Software and Data Integrity Failures":{"java":{"":2},"python":{"":8},"javascript":{"":2}},"A07:2021: Identification and Authentication Failures":{"go":{"":2},"ruby":{"":1},"python":{"":1},"javascript":{"":1}}},"rules_with_no_owasp":["use-of-unsafe-block"]}},"author":"Michael Whiteman","counts":{"total_rules":56,"premium_rules":0},"hidden":true,"description":"","id":"ZwD","name":"mikewhiteman.mixed-critical-issues","visibility":"public","categories":[]},{"tags":[],"tier":null,"stats":{"cwe":{"totals":{"CWE-601: URL Redirection to Untrusted Site ('Open 
Redirect')":2},"per_framework":{"":{"javascript":{"":7}},"CWE-798: Use of Hard-coded Credentials":{"javascript":{"":6}},"CWE-352: Cross-Site Request Forgery (CSRF)":{"javascript":{"":1}},"CWE-502: Deserialization of Untrusted Data":{"javascript":{"":1}},"CWE-918: Server-Side Request Forgery (SSRF)":{"javascript":{"":7}},"CWE-522: Insufficiently Protected Credentials":{"javascript":{"":9}},"CWE-116: Improper Encoding or Escaping of Output":{"javascript":{"":1}},"CWE-706: Use of Incorrectly-Resolved Name or Reference":{"javascript":{"":2}},"CWE-345: Insufficient Verification of Data Authenticity":{"javascript":{"":1}},"CWE-319: Cleartext Transmission of Sensitive Information":{"javascript":{"":3}},"CWE-327: Use of a Broken or Risky Cryptographic Algorithm":{"javascript":{"":2}},"CWE-601: URL Redirection to Untrusted Site ('Open Redirect')":{"javascript":{"":1}},"CWE-611: Improper Restriction of XML External Entity Reference":{"javascript":{"":6}},"CWE-94: Improper Control of Generation of Code (Code Injection)":{"javascript":{"":6}},"CWE-94: Improper Control of Generation of Code ('Code Injection')":{"javascript":{"":14}},"CWE-264: CWE CATEGORY: Permissions, Privileges, and Access Controls":{"json":{"":1}},"CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer":{"javascript":{"":1}},"CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)":{"javascript":{"":1}},"CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')":{"javascript":{"":2}},"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')":{"javascript":{"":2}},"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')":{"javascript":{"":1}},"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')":{"javascript":{"":2}},"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command 
Injection')":{"javascript":{"":3}}},"rules_with_no_cwe":["eqeq-is-bad","useless-assignment","javascript-prompt","javascript-confirm","javascript-debugger","javascript-alert","assigned-undefined"]},"owasp":{"totals":{"":8,"A1: Injection":6,"A01:2017: Injection":4,"A03:2021: Injection":24,"A04:2021: Insecure Design":9,"A01:2021: Broken Access Control":7,"A02:2017: Broken Authentication":9,"A05:2017: Broken Access Control":3,"A02:2021: Cryptographic Failures":3,"A03:2017: Sensitive Data Exposure":5,"A08:2017: Insecure Deserialization":1,"A05:2021: Security Misconfiguration":6,"A07:2017: Cross-Site Scripting (XSS)":2,"A04:2017: XML External Entities (XXE)":6,"A10:2021: Server-Side Request Forgery (SSRF)":7,"A08:2021: Software and Data Integrity Failures":2,"A07:2021: Identification and Authentication Failures":6},"per_framework":{"":{"javascript":{"":8}},"A1: Injection":{"javascript":{"":6}},"A01:2017: Injection":{"javascript":{"":4}},"A03:2021: Injection":{"javascript":{"":24}},"A04:2021: Insecure Design":{"javascript":{"":9}},"A01:2021: Broken Access Control":{"json":{"":1},"javascript":{"":6}},"A02:2017: Broken Authentication":{"javascript":{"":9}},"A05:2017: Broken Access Control":{"javascript":{"":3}},"A02:2021: Cryptographic Failures":{"javascript":{"":3}},"A03:2017: Sensitive Data Exposure":{"javascript":{"":5}},"A08:2017: Insecure Deserialization":{"javascript":{"":1}},"A05:2021: Security Misconfiguration":{"javascript":{"":6}},"A07:2017: Cross-Site Scripting (XSS)":{"javascript":{"":2}},"A04:2017: XML External Entities (XXE)":{"javascript":{"":6}},"A10:2021: Server-Side Request Forgery (SSRF)":{"javascript":{"":7}},"A08:2021: Software and Data Integrity Failures":{"javascript":{"":2}},"A07:2021: Identification and Authentication 
Failures":{"javascript":{"":6}}},"rules_with_no_owasp":["eqeq-is-bad","useless-assignment","detect-buffer-noassert","javascript-prompt","javascript-confirm","javascript-debugger","javascript-alert","assigned-undefined"]}},"author":"Tonimir Kisasondi","counts":{"total_rules":80,"premium_rules":0},"hidden":true,"description":"","id":"dyP","name":"tkisason.all-js-jscript-json","visibility":"public","categories":[]},{"tags":[],"tier":null,"stats":{"cwe":{"totals":{"CWE-502: Deserialization of Untrusted Data":1},"per_framework":{"CWE-489: Active Debug Code":{"python":{"":1}},"CWE-798: Use of Hard-coded Credentials":{"ruby":{"":1},"python":{"":1},"javascript":{"":1}},"CWE-502: Deserialization of Untrusted Data":{"java":{"":2},"python":{"":8},"javascript":{"":1}},"CWE-300: Channel Accessible by Non-Endpoint":{"go":{"":2}},"CWE-242: Use of Inherently Dangerous Function":{"go":{"":1}},"CWE-116: Improper Encoding or Escaping of Output":{"python":{"":1}},"CWE-706: Use of Incorrectly-Resolved Name or Reference":{"javascript":{"":1}},"CWE-345: Insufficient Verification of Data Authenticity":{"javascript":{"":1}},"CWE-319: Cleartext Transmission of Sensitive Information":{"go":{"":1}},"CWE-327: Use of a Broken or Risky Cryptographic Algorithm":{"javascript":{"":1}},"CWE-94: Improper Control of Generation of Code ('Code Injection')":{"java":{"":1},"ruby":{"":2},"javascript":{"":1}},"CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)":{"javascript":{"":1}},"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')":{"go":{"":1},"java":{"":2},"python":{"":2}},"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')":{"java":{"":1},"python":{"":4}},"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')":{"python":{"":8},"javascript":{"":1}},"CWE-96: Improper Neutralization of Directives in Statically Saved Code ('Static Code 
Injection')":{"python":{"":1}},"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')":{"java":{"":1},"python":{"":5},"javascript":{"":1}}},"rules_with_no_cwe":[]},"owasp":{"totals":{"":1,"A1: Injection":1,"A01:2017: Injection":11,"A03:2021: Injection":31,"A6: Security Misconfiguration":1,"A01:2021: Broken Access Control":1,"A02:2021: Cryptographic Failures":2,"A03:2017: Sensitive Data Exposure":2,"A08:2017: Insecure Deserialization":11,"A05:2021: Security Misconfiguration":1,"A07:2017: Cross-Site Scripting (XSS)":5,"A08:2021: Software and Data Integrity Failures":12,"A07:2021: Identification and Authentication Failures":5},"per_framework":{"":{"go":{"":1}},"A1: Injection":{"python":{"":1}},"A01:2017: Injection":{"java":{"":2},"python":{"":8},"javascript":{"":1}},"A03:2021: Injection":{"go":{"":1},"java":{"":5},"ruby":{"":2},"python":{"":19},"javascript":{"":4}},"A6: Security Misconfiguration":{"python":{"":1}},"A01:2021: Broken Access Control":{"javascript":{"":1}},"A02:2021: Cryptographic Failures":{"go":{"":1},"javascript":{"":1}},"A03:2017: Sensitive Data Exposure":{"go":{"":1},"javascript":{"":1}},"A08:2017: Insecure Deserialization":{"java":{"":2},"python":{"":8},"javascript":{"":1}},"A05:2021: Security Misconfiguration":{"python":{"":1}},"A07:2017: Cross-Site Scripting (XSS)":{"go":{"":1},"java":{"":2},"python":{"":2}},"A08:2021: Software and Data Integrity Failures":{"java":{"":2},"python":{"":8},"javascript":{"":2}},"A07:2021: Identification and Authentication Failures":{"go":{"":2},"ruby":{"":1},"python":{"":1},"javascript":{"":1}}},"rules_with_no_owasp":["use-of-unsafe-block"]}},"author":"Michael Whiteman","counts":{"total_rules":55,"premium_rules":0},"hidden":true,"description":"","id":"Elw","name":"mikewhiteman.mixed-critical-v3","visibility":"public","categories":[]},{"tags":[],"tier":null,"stats":{"cwe":{"totals":{"CWE-918: Server-Side Request Forgery 
(SSRF)":2},"per_framework":{"":{"javascript":{"":7}},"CWE-798: Use of Hard-coded Credentials":{"javascript":{"":6}},"CWE-352: Cross-Site Request Forgery (CSRF)":{"javascript":{"":1}},"CWE-502: Deserialization of Untrusted Data":{"javascript":{"":1}},"CWE-918: Server-Side Request Forgery (SSRF)":{"javascript":{"":7}},"CWE-522: Insufficiently Protected Credentials":{"javascript":{"":9}},"CWE-116: Improper Encoding or Escaping of Output":{"javascript":{"":1}},"CWE-706: Use of Incorrectly-Resolved Name or Reference":{"javascript":{"":2}},"CWE-345: Insufficient Verification of Data Authenticity":{"javascript":{"":1}},"CWE-327: Use of a Broken or Risky Cryptographic Algorithm":{"javascript":{"":2}},"CWE-611: Improper Restriction of XML External Entity Reference":{"javascript":{"":6}},"CWE-94: Improper Control of Generation of Code (Code Injection)":{"javascript":{"":6}},"CWE-94: Improper Control of Generation of Code ('Code Injection')":{"javascript":{"":12}},"CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer":{"javascript":{"":1}},"CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)":{"javascript":{"":1}},"CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')":{"javascript":{"":2}},"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')":{"javascript":{"":2}},"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')":{"javascript":{"":2}}},"rules_with_no_cwe":["eqeq-is-bad","useless-assignment","javascript-prompt","javascript-confirm","javascript-debugger","javascript-alert","assigned-undefined"]},"owasp":{"totals":{"":8,"A1: Injection":6,"A01:2017: Injection":2,"A03:2021: Injection":18,"A04:2021: Insecure Design":9,"A01:2021: Broken Access Control":5,"A02:2017: Broken Authentication":9,"A05:2017: Broken Access Control":3,"A02:2021: Cryptographic Failures":2,"A03:2017: Sensitive Data 
Exposure":2,"A08:2017: Insecure Deserialization":1,"A05:2021: Security Misconfiguration":6,"A04:2017: XML External Entities (XXE)":6,"A10:2021: Server-Side Request Forgery (SSRF)":7,"A08:2021: Software and Data Integrity Failures":2,"A07:2021: Identification and Authentication Failures":6},"per_framework":{"":{"javascript":{"":8}},"A1: Injection":{"javascript":{"":6}},"A01:2017: Injection":{"javascript":{"":2}},"A03:2021: Injection":{"javascript":{"":18}},"A04:2021: Insecure Design":{"javascript":{"":9}},"A01:2021: Broken Access Control":{"javascript":{"":5}},"A02:2017: Broken Authentication":{"javascript":{"":9}},"A05:2017: Broken Access Control":{"javascript":{"":3}},"A02:2021: Cryptographic Failures":{"javascript":{"":2}},"A03:2017: Sensitive Data Exposure":{"javascript":{"":2}},"A08:2017: Insecure Deserialization":{"javascript":{"":1}},"A05:2021: Security Misconfiguration":{"javascript":{"":6}},"A04:2017: XML External Entities (XXE)":{"javascript":{"":6}},"A10:2021: Server-Side Request Forgery (SSRF)":{"javascript":{"":7}},"A08:2021: Software and Data Integrity Failures":{"javascript":{"":2}},"A07:2021: Identification and Authentication Failures":{"javascript":{"":6}}},"rules_with_no_owasp":["eqeq-is-bad","useless-assignment","detect-buffer-noassert","javascript-prompt","javascript-confirm","javascript-debugger","javascript-alert","assigned-undefined"]}},"author":"Tonimir Kisasondi","counts":{"total_rules":69,"premium_rules":0},"hidden":true,"description":"Pretty much all js rules. 
","id":"nPG","name":"tkisason.javascript-kitchensink","visibility":"public","categories":[]},{"tags":[],"tier":null,"stats":{"cwe":{"totals":{"CWE-522: Insufficiently Protected Credentials":2},"per_framework":{"":{"javascript":{"":7}},"CWE-798: Use of Hard-coded Credentials":{"javascript":{"":6}},"CWE-352: Cross-Site Request Forgery (CSRF)":{"javascript":{"":1}},"CWE-502: Deserialization of Untrusted Data":{"javascript":{"":1}},"CWE-918: Server-Side Request Forgery (SSRF)":{"javascript":{"":7}},"CWE-522: Insufficiently Protected Credentials":{"javascript":{"":9}},"CWE-116: Improper Encoding or Escaping of Output":{"javascript":{"":1}},"CWE-706: Use of Incorrectly-Resolved Name or Reference":{"javascript":{"":2}},"CWE-345: Insufficient Verification of Data Authenticity":{"javascript":{"":1}},"CWE-327: Use of a Broken or Risky Cryptographic Algorithm":{"javascript":{"":2}},"CWE-601: URL Redirection to Untrusted Site ('Open Redirect')":{"javascript":{"":1}},"CWE-611: Improper Restriction of XML External Entity Reference":{"javascript":{"":6}},"CWE-94: Improper Control of Generation of Code (Code Injection)":{"javascript":{"":6}},"CWE-94: Improper Control of Generation of Code ('Code Injection')":{"javascript":{"":14}},"CWE-264: CWE CATEGORY: Permissions, Privileges, and Access Controls":{"json":{"":1}},"CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer":{"javascript":{"":1}},"CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)":{"javascript":{"":1}},"CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')":{"javascript":{"":2}},"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')":{"javascript":{"":2}},"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')":{"javascript":{"":1}},"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval 
Injection')":{"javascript":{"":2}},"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')":{"javascript":{"":3}}},"rules_with_no_cwe":["eqeq-is-bad","useless-assignment","javascript-prompt","javascript-confirm","javascript-debugger","javascript-alert","assigned-undefined"]},"owasp":{"totals":{"":8,"A1: Injection":6,"A01:2017: Injection":4,"A03:2021: Injection":24,"A04:2021: Insecure Design":9,"A01:2021: Broken Access Control":7,"A02:2017: Broken Authentication":9,"A05:2017: Broken Access Control":3,"A02:2021: Cryptographic Failures":2,"A03:2017: Sensitive Data Exposure":2,"A08:2017: Insecure Deserialization":1,"A05:2021: Security Misconfiguration":6,"A07:2017: Cross-Site Scripting (XSS)":2,"A04:2017: XML External Entities (XXE)":6,"A10:2021: Server-Side Request Forgery (SSRF)":7,"A08:2021: Software and Data Integrity Failures":2,"A07:2021: Identification and Authentication Failures":6},"per_framework":{"":{"javascript":{"":8}},"A1: Injection":{"javascript":{"":6}},"A01:2017: Injection":{"javascript":{"":4}},"A03:2021: Injection":{"javascript":{"":24}},"A04:2021: Insecure Design":{"javascript":{"":9}},"A01:2021: Broken Access Control":{"json":{"":1},"javascript":{"":6}},"A02:2017: Broken Authentication":{"javascript":{"":9}},"A05:2017: Broken Access Control":{"javascript":{"":3}},"A02:2021: Cryptographic Failures":{"javascript":{"":2}},"A03:2017: Sensitive Data Exposure":{"javascript":{"":2}},"A08:2017: Insecure Deserialization":{"javascript":{"":1}},"A05:2021: Security Misconfiguration":{"javascript":{"":6}},"A07:2017: Cross-Site Scripting (XSS)":{"javascript":{"":2}},"A04:2017: XML External Entities (XXE)":{"javascript":{"":6}},"A10:2021: Server-Side Request Forgery (SSRF)":{"javascript":{"":7}},"A08:2021: Software and Data Integrity Failures":{"javascript":{"":2}},"A07:2021: Identification and Authentication 
Failures":{"javascript":{"":6}}},"rules_with_no_owasp":["eqeq-is-bad","useless-assignment","detect-buffer-noassert","javascript-prompt","javascript-confirm","javascript-debugger","javascript-alert","assigned-undefined"]}},"author":"Tonimir Kisasondi","counts":{"total_rules":77,"premium_rules":0},"hidden":true,"description":"","id":"EN8","name":"tkisason.js-all-test","visibility":"public","categories":[]},{"stats":{"cwe":{"totals":{"cwe-330":1},"per_framework":{"":{"java":{"":4}},"cwe-330":{"java":{"":1}},"CWE-501: Trust Boundary Violation":{"java":{"":1}},"CWE-918: Server-Side Request Forgery (SSRF)":{"java":{"ssrf":3}},"CWE-330: Use of Insufficiently Random Values":{"java":{"":1}},"CWE-611: Improper Restriction of XML External Entity Reference":{"java":{"":4,"xxe":1}},"CWE-150: Improper Neutralization of Escape, Meta, or Control Sequences":{"regex":{"":1}},"CWE-643: Improper Neutralization of Data within XPath Expressions ('XPath Injection')":{"java":{"":1}},"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')":{"java":{"":3}},"CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')":{"java":{"":1}},"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')":{"java":{"":1}}},"rules_with_no_cwe":["assignment-comparison","eqeq","hardcoded-conditional","no-string-eqeq"]},"owasp":{"totals":{"":8,"A01:2017: Injection":5,"A03:2021: Injection":6,"A04:2021: Insecure Design":1,"A02:2021: Cryptographic Failures":1,"A05:2021: Security Misconfiguration":4,"A07:2017: Cross-Site Scripting (XSS)":1,"A04:2017: XML External Entities (XXE)":5},"per_framework":{"":{"java":{"":5,"ssrf":3}},"A01:2017: Injection":{"java":{"":5}},"A03:2021: Injection":{"java":{"":6}},"A04:2021: Insecure Design":{"java":{"":1}},"A02:2021: Cryptographic Failures":{"java":{"":1}},"A05:2021: Security Misconfiguration":{"java":{"":4}},"A07:2017: Cross-Site Scripting 
(XSS)":{"regex":{"":1}},"A04:2017: XML External Entities (XXE)":{"java":{"":4,"xxe":1}}},"rules_with_no_owasp":["owasp.java.ssrf.java.net.url","owasp.java.ssrf.org.apache.commons.httpclient","owasp.java.ssrf.org.apache.http.impl.client.CloseableHttpClient","assignment-comparison","eqeq","hardcoded-conditional","no-string-eqeq","java_insecure_random"]}},"author":"Andy Huang","counts":{"total_rules":22,"premium_rules":0},"hidden":true,"languages":["Java"],"description":"Another test ruleset","id":"Qr1o","name":"andy-test","visibility":"public","categories":[]},{"tags":[],"tier":null,"stats":{"cwe":{"totals":{"CWE-918: Server-Side Request Forgery (SSRF)":2},"per_framework":{"":{"javascript":{"":7}},"CWE-798: Use of Hard-coded Credentials":{"javascript":{"":6}},"CWE-352: Cross-Site Request Forgery (CSRF)":{"javascript":{"":1}},"CWE-502: Deserialization of Untrusted Data":{"javascript":{"":1}},"CWE-918: Server-Side Request Forgery (SSRF)":{"javascript":{"":7}},"CWE-522: Insufficiently Protected Credentials":{"javascript":{"":9}},"CWE-116: Improper Encoding or Escaping of Output":{"javascript":{"":1}},"CWE-706: Use of Incorrectly-Resolved Name or Reference":{"javascript":{"":2}},"CWE-345: Insufficient Verification of Data Authenticity":{"javascript":{"":1}},"CWE-327: Use of a Broken or Risky Cryptographic Algorithm":{"javascript":{"":2}},"CWE-611: Improper Restriction of XML External Entity Reference":{"javascript":{"":6}},"CWE-94: Improper Control of Generation of Code (Code Injection)":{"javascript":{"":6}},"CWE-94: Improper Control of Generation of Code ('Code Injection')":{"javascript":{"":12}},"CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)":{"javascript":{"":1}},"CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer":{"javascript":{"":1}},"CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)":{"javascript":{"":1}},"CWE-22: Improper Limitation of a Pathname to a Restricted 
Directory ('Path Traversal')":{"javascript":{"":2}},"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')":{"javascript":{"":2}},"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')":{"javascript":{"":2}}},"rules_with_no_cwe":["eqeq-is-bad","useless-assignment","javascript-prompt","assigned-undefined","javascript-alert","javascript-debugger","javascript-confirm"]},"owasp":{"totals":{"":8,"A1: Injection":6,"A01:2017: Injection":2,"A03:2021: Injection":18,"A04:2021: Insecure Design":9,"A01:2021: Broken Access Control":5,"A02:2017: Broken Authentication":9,"A05:2017: Broken Access Control":3,"A02:2021: Cryptographic Failures":3,"A03:2017: Sensitive Data Exposure":2,"A08:2017: Insecure Deserialization":1,"A05:2021: Security Misconfiguration":6,"A04:2017: XML External Entities (XXE)":6,"A10:2021: Server-Side Request Forgery (SSRF)":7,"A08:2021: Software and Data Integrity Failures":2,"A07:2021: Identification and Authentication Failures":6},"per_framework":{"":{"javascript":{"":8}},"A1: Injection":{"javascript":{"":6}},"A01:2017: Injection":{"javascript":{"":2}},"A03:2021: Injection":{"javascript":{"":18}},"A04:2021: Insecure Design":{"javascript":{"":9}},"A01:2021: Broken Access Control":{"javascript":{"":5}},"A02:2017: Broken Authentication":{"javascript":{"":9}},"A05:2017: Broken Access Control":{"javascript":{"":3}},"A02:2021: Cryptographic Failures":{"javascript":{"":3}},"A03:2017: Sensitive Data Exposure":{"javascript":{"":2}},"A08:2017: Insecure Deserialization":{"javascript":{"":1}},"A05:2021: Security Misconfiguration":{"javascript":{"":6}},"A04:2017: XML External Entities (XXE)":{"javascript":{"":6}},"A10:2021: Server-Side Request Forgery (SSRF)":{"javascript":{"":7}},"A08:2021: Software and Data Integrity Failures":{"javascript":{"":2}},"A07:2021: Identification and Authentication 
Failures":{"javascript":{"":6}}},"rules_with_no_owasp":["detect-buffer-noassert","eqeq-is-bad","useless-assignment","javascript-prompt","assigned-undefined","javascript-alert","javascript-debugger","javascript-confirm"]}},"author":"Kristin Mayo","counts":{"total_rules":70,"premium_rules":0},"hidden":true,"description":"","id":"1jw","name":"kristinnmayo.awesome-pack","visibility":"public","categories":[]},{"tags":[],"tier":null,"stats":{"cwe":{"totals":{"CWE-327: Use of a Broken or Risky Cryptographic Algorithm":3},"per_framework":{"CWE-415: Double Free":{"c":{"":1}},"CWE-369: Divide By Zero":{"ruby":{"":1}},"CWE-416: Use After Free":{"c":{"":1}},"CWE-328: Use of Weak Hash":{"java":{"":2},"ruby":{"":2}},"CWE-489: Active Debug Code":{"go":{"":1},"python":{"":5}},"CWE-287: Improper Authentication":{"java":{"":1}},"CWE-377: Insecure Temporary File":{"go":{"":1}},"CWE-501: Trust Boundary Violation":{"java":{"":1}},"CWE-16: CWE CATEGORY: Configuration":{"generic":{"":3}},"CWE-521: Weak Password Requirements":{"python":{"":2}},"CWE-208: Observable Timing Discrepancy":{"ruby":{"":1}},"CWE-269: Improper Privilege Management":{"dockerfile":{"":1}},"CWE-276: Incorrect Default Permissions":{"java":{"":1}},"CWE-798: Use of Hard-coded Credentials":{"go":{"":1},"ruby":{"":1},"python":{"":2},"javascript":{"":4}},"CWE-326: Inadequate Encryption Strength":{"java":{"":5},"python":{"":3},"generic":{"":2}},"CWE-295: Improper Certificate Validation":{"java":{"":2},"ruby":{"":1},"python":{"":3}},"CWE-183: Permissive List of Allowed Inputs":{"java":{"":1}},"CWE-352: Cross-Site Request Forgery (CSRF)":{"java":{"":3},"ruby":{"":1},"python":{"":2},"javascript":{"":1}},"CWE-400: Uncontrolled Resource Consumption":{"go":{"":1}},"CWE-502: Deserialization of Untrusted Data":{"java":{"":2},"ruby":{"":1},"python":{"":9},"javascript":{"":1}},"CWE-704: Incorrect Type Conversion or Cast":{"java":{"":1}},"CWE-300: Channel Accessible by Non-Endpoint":{"go":{"":2}},"CWE-330: Use of Insufficiently Random 
Values":{"java":{"":1}},"CWE-242: Use of Inherently Dangerous Function":{"go":{"":1}},"CWE-311: Missing Encryption of Sensitive Data":{"hcl":{"":1},"ruby":{"":1}},"CWE-523: Unprotected Transport of Credentials":{"python":{"":1}},"CWE-668: Exposure of Resource to Wrong Sphere":{"python":{"":2}},"CWE-73: External Control of File Name or Path":{"python":{"":1}},"CWE-676: Use of Potentially Dangerous Function":{"c":{"":5}},"CWE-116: Improper Encoding or Escaping of Output":{"python":{"":1},"javascript":{"":1}},"CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag":{"java":{"":1}},"CWE-134: Use of Externally-Controlled Format String":{"c":{"":1}},"CWE-322: Key Exchange without Entity Authentication":{"go":{"":1},"python":{"":1}},"CWE-329: Generation of Predictable IV with CBC Mode":{"java":{"":1}},"CWE-319: Cleartext Transmission of Sensitive Information":{"go":{"":1},"java":{"":1},"python":{"":3},"generic":{"":1},"typescript":{"":1}},"CWE-327: Use of a Broken or Risky Cryptographic Algorithm":{"go":{"":7},"java":{"":5},"python":{"":18},"javascript":{"":2}},"CWE-601: URL Redirection to Untrusted Site ('Open Redirect')":{"java":{"":2},"python":{"":1},"javascript":{"":1}},"CWE-441: Unintended Proxy or Intermediary ('Confused Deputy')":{"generic":{"":1}},"CWE-1021: Improper Restriction of Rendered UI Layers or Frames":{"ruby":{"":1}},"CWE-297: Improper Validation of Certificate with Host Mismatch":{"java":{"":1}},"CWE-611: Improper Restriction of XML External Entity Reference":{"java":{"":3},"python":{"":1},"javascript":{"":3}},"CWE-942: Permissive Cross-domain Policy with Untrusted Domains":{"hcl":{"":1}},"CWE-913: Improper Control of Dynamically-Managed Code Resources":{"go":{"":2}},"CWE-939: Improper Authorization in Handler for Custom URL Scheme":{"python":{"":1}},"CWE-155: Improper Neutralization of Wildcards or Matching Symbols":{"python":{"":1}},"CWE-94: Improper Control of Generation of Code ('Code Injection')":{"go":{"":1},"java":{"":4},"ruby":{"":3}},"CWE-1236: 
Improper Neutralization of Formula Elements in a CSV File":{"python":{"":1}},"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor":{"go":{"":1},"hcl":{"":2},"java":{"":1},"python":{"":1},"typescript":{"":1}},"CWE-264: CWE CATEGORY: Permissions, Privileges, and Access Controls":{"json":{"":1}},"CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')":{"java":{"":1}},"CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute":{"java":{"":1},"python":{"":2}},"CWE-1022: Use of Web Link to Untrusted Target with window.opener Access":{"generic":{"":3}},"CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)":{"go":{"":1},"javascript":{"":1}},"CWE-774: Allocation of File Descriptors or Handles Without Limits or Throttling":{"c":{"":1}},"CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer":{"javascript":{"":1}},"CWE-643: Improper Neutralization of Data within XPath Expressions ('XPath Injection')":{"java":{"":1}},"CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')":{"go":{"":1},"java":{"":2},"ruby":{"":1},"python":{"":1},"generic":{"":1}},"CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes":{"ruby":{"":3},"python":{"":1}},"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')":{"go":{"":5},"java":{"":3},"regex":{"":4},"python":{"":6},"generic":{"":6},"javascript":{"":1},"typescript":{"":3}},"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')":{"go":{"":1},"java":{"":3},"python":{"":5}},"CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')":{"java":{"":3}},"CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')":{"python":{"":1}},"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval 
Injection')":{"python":{"":7},"javascript":{"":2}},"CWE-96: Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')":{"python":{"":3}},"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')":{"java":{"":2},"python":{"":6},"javascript":{"":2}},"CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')":{"java":{"":1},"generic":{"":1}},"CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')":{"python":{"":2}}},"rules_with_no_cwe":[]},"owasp":{"totals":{"":13,"A1: Injection":2,"A01:2017: Injection":24,"A03:2021: Injection":76,"A04:2021: Insecure Design":7,"A3: Sensitive Data Exposure":11,"A6: Security Misconfiguration":1,"A01:2021: Broken Access Control":34,"A02:2017: Broken Authentication":2,"A05:2017: Broken Access Control":10,"A02:2021: Cryptographic Failures":47,"A03:2017: Sensitive Data Exposure":49,"A08:2017: Insecure Deserialization":13,"A05:2021: Security Misconfiguration":20,"A06:2017: Security Misconfiguration":5,"A07:2017: Cross-Site Scripting (XSS)":28,"A04:2017: XML External Entities (XXE)":8,"A08:2021: Software and Data Integrity Failures":17,"A9: Using Components with Known Vulnerabilities":2,"A07:2021: Identification and Authentication Failures":20},"per_framework":{"":{"c":{"":8},"go":{"":2},"ruby":{"":2},"javascript":{"":1}},"A1: Injection":{"python":{"":2}},"A01:2017: Injection":{"c":{"":1},"go":{"":1},"java":{"":8},"python":{"":12},"javascript":{"":2}},"A03:2021: Injection":{"c":{"":1},"go":{"":7},"java":{"":18},"ruby":{"":3},"regex":{"":4},"python":{"":27},"generic":{"":7},"javascript":{"":6},"typescript":{"":3}},"A04:2021: Insecure Design":{"hcl":{"":1},"java":{"":2},"ruby":{"":2},"python":{"":1},"dockerfile":{"":1}},"A3: Sensitive Data Exposure":{"python":{"":11}},"A6: Security Misconfiguration":{"python":{"":1}},"A01:2021: Broken Access 
Control":{"go":{"":5},"hcl":{"":2},"java":{"":9},"json":{"":1},"ruby":{"":2},"python":{"":7},"generic":{"":5},"javascript":{"":2},"typescript":{"":1}},"A02:2017: Broken Authentication":{"java":{"":1},"python":{"":1}},"A05:2017: Broken Access Control":{"go":{"":1},"java":{"":2},"ruby":{"":1},"python":{"":1},"generic":{"":4},"javascript":{"":1}},"A02:2021: Cryptographic Failures":{"go":{"":10},"java":{"":13},"ruby":{"":2},"python":{"":15},"generic":{"":3},"javascript":{"":3},"typescript":{"":1}},"A03:2017: Sensitive Data Exposure":{"go":{"":8},"hcl":{"":1},"java":{"":14},"ruby":{"":4},"python":{"":16},"generic":{"":3},"javascript":{"":2},"typescript":{"":1}},"A08:2017: Insecure Deserialization":{"java":{"":2},"ruby":{"":1},"python":{"":9},"javascript":{"":1}},"A05:2021: Security Misconfiguration":{"hcl":{"":1},"java":{"":5},"python":{"":8},"generic":{"":3},"javascript":{"":3}},"A06:2017: Security Misconfiguration":{"go":{"":1},"python":{"":1},"generic":{"":3}},"A07:2017: Cross-Site Scripting (XSS)":{"go":{"":5},"java":{"":3},"regex":{"":4},"python":{"":6},"generic":{"":6},"javascript":{"":1},"typescript":{"":3}},"A04:2017: XML External Entities (XXE)":{"java":{"":3},"python":{"":2},"javascript":{"":3}},"A08:2021: Software and Data Integrity Failures":{"java":{"":2},"ruby":{"":4},"python":{"":10},"javascript":{"":1}},"A9: Using Components with Known Vulnerabilities":{"java":{"":2}},"A07:2021: Identification and Authentication 
Failures":{"go":{"":3},"java":{"":4},"ruby":{"":2},"python":{"":7},"javascript":{"":4}}},"rules_with_no_owasp":["detect-buffer-noassert","use-of-unsafe-block","divide-by-zero","insecure-use-strcat-fn","timing-attack","potential-dos-via-decompression-bomb","use-after-free","insecure-use-gets-fn","insecure-use-string-copy-fn","insecure-use-strtok-fn","random-fd-exhaustion","insecure-use-scanf-fn","insecure-use-printf-fn"]}},"author":"Rajkumar-R5369","counts":{"total_rules":256,"premium_rules":0},"hidden":true,"description":"","id":"goZ","name":"rajkumar-r5369.my-java-securityrules","visibility":"public","categories":[]},{"tags":[],"tier":null,"stats":{"cwe":{"totals":{"CWE-522: Insufficiently Protected Credentials":3},"per_framework":{"CWE-352: Cross-Site Request Forgery (CSRF)":{"java":{"":1}},"CWE-522: Insufficiently Protected Credentials":{"javascript":{"":3}},"CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag":{"java":{"":1}},"CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute":{"java":{"":1},"python":{"":2}}},"rules_with_no_cwe":[]},"owasp":{"totals":{"A04:2021: Insecure Design":3,"A01:2021: Broken Access Control":1,"A02:2017: Broken Authentication":3,"A05:2021: Security Misconfiguration":4},"per_framework":{"A04:2021: Insecure Design":{"javascript":{"":3}},"A01:2021: Broken Access Control":{"java":{"":1}},"A02:2017: Broken Authentication":{"javascript":{"":3}},"A05:2021: Security Misconfiguration":{"java":{"":2},"python":{"":2}}},"rules_with_no_owasp":[]}},"author":"Joe Bollen","counts":{"total_rules":8,"premium_rules":0},"hidden":true,"description":"Check cookies are being set securely in Java, JS and Python","id":"5jA","name":"hazanasec.secure_cookie_attributes","visibility":"public","categories":[]},{"tags":["semgrep","security","java","xss","jsp","httpservlet"],"stats":{"cwe":{"totals":{"CWE-150: Improper Neutralization of Escape, Meta, or Control Sequences":1},"per_framework":{"CWE-116: Improper Encoding or Escaping of 
Output":{"regex":{"":2}},"CWE-150: Improper Neutralization of Escape, Meta, or Control Sequences":{"regex":{"":1}},"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')":{"java":{"":1}}},"rules_with_no_cwe":[]},"owasp":{"totals":{"A03:2021: Injection":3,"A07:2017: Cross-Site Scripting (XSS)":2},"per_framework":{"A03:2021: Injection":{"java":{"":1},"regex":{"":2}},"A07:2017: Cross-Site Scripting (XSS)":{"java":{"":1},"regex":{"":1}}},"rules_with_no_owasp":[]}},"author":"r2c","counts":{"total_rules":4,"premium_rules":0},"hidden":true,"description":"Secure XSS defaults for HttpServlets+JSP.","id":"Jpw","name":"minusworld.java-httpservlet-jsp-xss","visibility":"public","categories":[]},{"tags":[],"stats":{"cwe":{"totals":{"CWE-798: Use of Hard-coded Credentials":7},"per_framework":{"CWE-798: Use of Hard-coded Credentials":{"go":{"":1},"javascript":{"":6}},"CWE-522: Insufficiently Protected Credentials":{"javascript":{"":2}},"CWE-345: Insufficient Verification of Data Authenticity":{"javascript":{"":1}},"CWE-327: Use of a Broken or Risky Cryptographic Algorithm":{"javascript":{"":2}}},"rules_with_no_cwe":[]},"owasp":{"totals":{"A04:2021: Insecure Design":2,"A02:2017: Broken Authentication":2,"A02:2021: Cryptographic Failures":2,"A03:2017: Sensitive Data Exposure":2,"A08:2021: Software and Data Integrity Failures":1,"A07:2021: Identification and Authentication Failures":7},"per_framework":{"A04:2021: Insecure Design":{"javascript":{"":2}},"A02:2017: Broken Authentication":{"javascript":{"":2}},"A02:2021: Cryptographic Failures":{"javascript":{"":2}},"A03:2017: Sensitive Data Exposure":{"javascript":{"":2}},"A08:2021: Software and Data Integrity Failures":{"javascript":{"":1}},"A07:2021: Identification and Authentication Failures":{"go":{"":1},"javascript":{"":6}}},"rules_with_no_owasp":[]}},"author":"Pablo 
Estrada","counts":{"total_rules":12,"premium_rules":0},"hidden":true,"description":"","id":"K2P","name":"pabloest.jwt","visibility":"public","categories":[]},{"tags":["semgrep","security","xss","java","jsp","javascript","express","python","flask","django","ruby","rails","go"],"stats":{"cwe":{"totals":{"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')":2},"per_framework":{"CWE-116: Improper Encoding or Escaping of Output":{"regex":{"":2},"python":{"":1}},"CWE-150: Improper Neutralization of Escape, Meta, or Control Sequences":{"regex":{"":1}},"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')":{"go":{"":6},"java":{"":1},"ruby":{"":7},"regex":{"":12},"python":{"":13},"generic":{"":13},"javascript":{"":2}},"CWE-96: Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')":{"python":{"":2}}},"rules_with_no_cwe":[]},"owasp":{"totals":{"A03:2021: Injection":58,"A6: Security Misconfiguration":1,"A07:2017: Cross-Site Scripting (XSS)":55},"per_framework":{"A03:2021: Injection":{"go":{"":6},"java":{"":1},"ruby":{"":7},"regex":{"":14},"python":{"":15},"generic":{"":13},"javascript":{"":2}},"A6: Security Misconfiguration":{"python":{"":1}},"A07:2017: Cross-Site Scripting (XSS)":{"go":{"":6},"java":{"":1},"ruby":{"":7},"regex":{"":13},"python":{"":13},"generic":{"":13},"javascript":{"":2}}},"rules_with_no_owasp":[]}},"author":"r2c","counts":{"total_rules":60,"premium_rules":0},"hidden":true,"description":"Secure defaults for XSS prevention","id":"G6p","name":"minusworld.omni-xss","visibility":"public","categories":[]},{"tags":[],"tier":null,"stats":{"cwe":{"totals":{"CWE-289: Authentication Bypass by Alternate Name":1},"per_framework":{"":{"go":{"":1}},"CWE-798: Use of Hard-coded Credentials":{"go":{"":1}},"CWE-289: Authentication Bypass by Alternate Name":{"go":{"":1}},"CWE-327: Use of a Broken or Risky Cryptographic 
Algorithm":{"go":{"":1}}},"rules_with_no_cwe":["eqeq-is-bad"]},"owasp":{"totals":{"":2,"A02:2021: Cryptographic Failures":1,"A03:2017: Sensitive Data Exposure":1,"A07:2021: Identification and Authentication Failures":1},"per_framework":{"":{"go":{"":2}},"A02:2021: Cryptographic Failures":{"go":{"":1}},"A03:2017: Sensitive Data Exposure":{"go":{"":1}},"A07:2021: Identification and Authentication Failures":{"go":{"":1}}},"rules_with_no_owasp":["eqeq-is-bad","handler-assignment-from-multiple-sources"]}},"author":"Max Kotliar","counts":{"total_rules":4,"premium_rules":0},"hidden":true,"description":"","id":"rvn","name":"makasim.test-pack","visibility":"public","categories":[]},{"tags":["security","correctness","logic","bugs","injection","xss","injection","jwt","go"],"stats":{"cwe":{"totals":{"CWE-300: Channel Accessible by Non-Endpoint":1},"per_framework":{"":{"go":{"":3}},"CWE-489: Active Debug Code":{"go":{"":1}},"CWE-798: Use of Hard-coded Credentials":{"go":{"":1}},"CWE-400: Uncontrolled Resource Consumption":{"go":{"":1}},"CWE-300: Channel Accessible by Non-Endpoint":{"go":{"":2}},"CWE-322: Key Exchange without Entity Authentication":{"go":{"":1}},"CWE-327: Use of a Broken or Risky Cryptographic Algorithm":{"go":{"":7}},"CWE-913: Improper Control of Dynamically-Managed Code Resources":{"go":{"":1}},"CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')":{"go":{"":1}},"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')":{"go":{"":1}}},"rules_with_no_cwe":["hardcoded-eq-true-or-false","useless-if-conditional","useless-if-body"]},"owasp":{"totals":{"":4,"A03:2021: Injection":1,"A01:2021: Broken Access Control":2,"A05:2017: Broken Access Control":1,"A02:2021: Cryptographic Failures":8,"A03:2017: Sensitive Data Exposure":7,"A06:2017: Security Misconfiguration":1,"A07:2017: Cross-Site Scripting (XSS)":1,"A07:2021: Identification and Authentication 
Failures":3},"per_framework":{"":{"go":{"":4}},"A03:2021: Injection":{"go":{"":1}},"A01:2021: Broken Access Control":{"go":{"":2}},"A05:2017: Broken Access Control":{"go":{"":1}},"A02:2021: Cryptographic Failures":{"go":{"":8}},"A03:2017: Sensitive Data Exposure":{"go":{"":7}},"A06:2017: Security Misconfiguration":{"go":{"":1}},"A07:2017: Cross-Site Scripting (XSS)":{"go":{"":1}},"A07:2021: Identification and Authentication Failures":{"go":{"":3}}},"rules_with_no_owasp":["potential-dos-via-decompression-bomb","hardcoded-eq-true-or-false","useless-if-conditional","useless-if-body"]}},"author":"r2c","counts":{"total_rules":19,"premium_rules":0},"hidden":true,"description":"Scan for runtime errors, logic bus, and high-confidence security vulnerabilities. Recommended for use in CI to block serious issues from reaching production.","id":"01v","name":"minusworld.r2c-go-ci","visibility":"public","categories":[]},{"tags":[],"tier":null,"stats":{"cwe":{"totals":{"":4},"per_framework":{"":{"java":{"":4}},"CWE-287: Improper Authentication":{"java":{"":1}},"CWE-276: Incorrect Default Permissions":{"java":{"":1}},"CWE-326: Inadequate Encryption Strength":{"java":{"":5}},"CWE-295: Improper Certificate Validation":{"java":{"":2}},"CWE-183: Permissive List of Allowed Inputs":{"java":{"":1}},"CWE-352: Cross-Site Request Forgery (CSRF)":{"java":{"":2}},"CWE-502: Deserialization of Untrusted Data":{"java":{"":2}},"CWE-704: Incorrect Type Conversion or Cast":{"java":{"":1}},"CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag":{"java":{"":1}},"CWE-329: Generation of Predictable IV with CBC Mode":{"java":{"":1}},"CWE-319: Cleartext Transmission of Sensitive Information":{"java":{"":1}},"CWE-327: Use of a Broken or Risky Cryptographic Algorithm":{"java":{"":5}},"CWE-601: URL Redirection to Untrusted Site ('Open Redirect')":{"java":{"":2}},"CWE-297: Improper Validation of Certificate with Host Mismatch":{"java":{"":1}},"CWE-611: Improper Restriction of XML External Entity 
Reference":{"java":{"":3}},"CWE-94: Improper Control of Generation of Code ('Code Injection')":{"java":{"":4}},"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor":{"java":{"":1}},"CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')":{"java":{"":1}},"CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute":{"java":{"":1}},"CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')":{"java":{"":2}},"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')":{"java":{"":2}},"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')":{"java":{"":2}},"CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')":{"java":{"":2}},"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')":{"java":{"":1}},"CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')":{"java":{"":1}}},"rules_with_no_cwe":["no-string-eqeq","assignment-comparison","eqeq","hardcoded-conditional"]},"owasp":{"totals":{"":4,"A01:2017: Injection":5,"A03:2021: Injection":13,"A04:2021: Insecure Design":1,"A01:2021: Broken Access Control":8,"A02:2017: Broken Authentication":1,"A05:2017: Broken Access Control":2,"A02:2021: Cryptographic Failures":10,"A03:2017: Sensitive Data Exposure":12,"A08:2017: Insecure Deserialization":2,"A05:2021: Security Misconfiguration":5,"A07:2017: Cross-Site Scripting (XSS)":2,"A04:2017: XML External Entities (XXE)":3,"A08:2021: Software and Data Integrity Failures":2,"A9: Using Components with Known Vulnerabilities":2,"A07:2021: Identification and Authentication Failures":4},"per_framework":{"":{"java":{"":4}},"A01:2017: Injection":{"java":{"":5}},"A03:2021: Injection":{"java":{"":13}},"A04:2021: Insecure Design":{"java":{"":1}},"A01:2021: Broken Access Control":{"java":{"":8}},"A02:2017: Broken 
Authentication":{"java":{"":1}},"A05:2017: Broken Access Control":{"java":{"":2}},"A02:2021: Cryptographic Failures":{"java":{"":10}},"A03:2017: Sensitive Data Exposure":{"java":{"":12}},"A08:2017: Insecure Deserialization":{"java":{"":2}},"A05:2021: Security Misconfiguration":{"java":{"":5}},"A07:2017: Cross-Site Scripting (XSS)":{"java":{"":2}},"A04:2017: XML External Entities (XXE)":{"java":{"":3}},"A08:2021: Software and Data Integrity Failures":{"java":{"":2}},"A9: Using Components with Known Vulnerabilities":{"java":{"":2}},"A07:2021: Identification and Authentication Failures":{"java":{"":4}}},"rules_with_no_owasp":["no-string-eqeq","assignment-comparison","eqeq","hardcoded-conditional"]}},"author":"Andreas Happe","counts":{"total_rules":50,"premium_rules":0},"hidden":true,"description":"","id":"4vl","name":"andreashappe.test-ct-1","visibility":"public","categories":[]},{"tags":[],"tier":null,"stats":{"cwe":{"totals":{"CWE-326: Inadequate Encryption Strength":4},"per_framework":{"CWE-287: Improper Authentication":{"java":{"":1}},"CWE-276: Incorrect Default Permissions":{"java":{"":1}},"CWE-326: Inadequate Encryption Strength":{"java":{"":5}},"CWE-295: Improper Certificate Validation":{"java":{"":2}},"CWE-183: Permissive List of Allowed Inputs":{"java":{"":1}},"CWE-352: Cross-Site Request Forgery (CSRF)":{"java":{"":2}},"CWE-502: Deserialization of Untrusted Data":{"java":{"":2}},"CWE-704: Incorrect Type Conversion or Cast":{"java":{"":1}},"CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag":{"java":{"":1}},"CWE-329: Generation of Predictable IV with CBC Mode":{"java":{"":1}},"CWE-319: Cleartext Transmission of Sensitive Information":{"java":{"":1}},"CWE-327: Use of a Broken or Risky Cryptographic Algorithm":{"java":{"":5}},"CWE-601: URL Redirection to Untrusted Site ('Open Redirect')":{"java":{"":2}},"CWE-297: Improper Validation of Certificate with Host Mismatch":{"java":{"":1}},"CWE-611: Improper Restriction of XML External Entity 
Reference":{"java":{"":3}},"CWE-94: Improper Control of Generation of Code ('Code Injection')":{"java":{"":4}},"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor":{"java":{"":1}},"CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')":{"java":{"":1}},"CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute":{"java":{"":1}},"CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')":{"java":{"":2}},"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')":{"java":{"":2}},"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')":{"java":{"":2}},"CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')":{"java":{"":2}},"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')":{"java":{"":1}},"CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')":{"java":{"":1}}},"rules_with_no_cwe":[]},"owasp":{"totals":{"A01:2017: Injection":5,"A03:2021: Injection":13,"A04:2021: Insecure Design":1,"A01:2021: Broken Access Control":8,"A02:2017: Broken Authentication":1,"A05:2017: Broken Access Control":2,"A02:2021: Cryptographic Failures":10,"A03:2017: Sensitive Data Exposure":12,"A08:2017: Insecure Deserialization":2,"A05:2021: Security Misconfiguration":5,"A07:2017: Cross-Site Scripting (XSS)":2,"A04:2017: XML External Entities (XXE)":3,"A08:2021: Software and Data Integrity Failures":2,"A9: Using Components with Known Vulnerabilities":2,"A07:2021: Identification and Authentication Failures":4},"per_framework":{"A01:2017: Injection":{"java":{"":5}},"A03:2021: Injection":{"java":{"":13}},"A04:2021: Insecure Design":{"java":{"":1}},"A01:2021: Broken Access Control":{"java":{"":8}},"A02:2017: Broken Authentication":{"java":{"":1}},"A05:2017: Broken Access Control":{"java":{"":2}},"A02:2021: Cryptographic 
Failures":{"java":{"":10}},"A03:2017: Sensitive Data Exposure":{"java":{"":12}},"A08:2017: Insecure Deserialization":{"java":{"":2}},"A05:2021: Security Misconfiguration":{"java":{"":5}},"A07:2017: Cross-Site Scripting (XSS)":{"java":{"":2}},"A04:2017: XML External Entities (XXE)":{"java":{"":3}},"A08:2021: Software and Data Integrity Failures":{"java":{"":2}},"A9: Using Components with Known Vulnerabilities":{"java":{"":2}},"A07:2021: Identification and Authentication Failures":{"java":{"":4}}},"rules_with_no_owasp":[]}},"author":"Kishor Bhat","counts":{"total_rules":46,"premium_rules":0},"hidden":true,"description":"","id":"A0p","name":"bhatkishor.java-security-all","visibility":"public","categories":[]},{"tags":[],"tier":null,"stats":{"cwe":{"totals":{"":4},"per_framework":{"":{"java":{"":4}},"CWE-287: Improper Authentication":{"java":{"":1}},"CWE-276: Incorrect Default Permissions":{"java":{"":1}},"CWE-326: Inadequate Encryption Strength":{"java":{"":5}},"CWE-295: Improper Certificate Validation":{"java":{"":2}},"CWE-183: Permissive List of Allowed Inputs":{"java":{"":1}},"CWE-352: Cross-Site Request Forgery (CSRF)":{"java":{"":2}},"CWE-502: Deserialization of Untrusted Data":{"java":{"":2}},"CWE-704: Incorrect Type Conversion or Cast":{"java":{"":1}},"CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag":{"java":{"":1}},"CWE-329: Generation of Predictable IV with CBC Mode":{"java":{"":1}},"CWE-319: Cleartext Transmission of Sensitive Information":{"java":{"":1}},"CWE-327: Use of a Broken or Risky Cryptographic Algorithm":{"java":{"":5}},"CWE-601: URL Redirection to Untrusted Site ('Open Redirect')":{"java":{"":2}},"CWE-297: Improper Validation of Certificate with Host Mismatch":{"java":{"":1}},"CWE-611: Improper Restriction of XML External Entity Reference":{"java":{"":3}},"CWE-94: Improper Control of Generation of Code ('Code Injection')":{"java":{"":4}},"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor":{"java":{"":1}},"CWE-93: Improper 
Neutralization of CRLF Sequences ('CRLF Injection')":{"java":{"":1}},"CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute":{"java":{"":1}},"CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')":{"java":{"":2}},"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')":{"java":{"":2}},"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')":{"java":{"":2}},"CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')":{"java":{"":2}},"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')":{"java":{"":1}}},"rules_with_no_cwe":["no-string-eqeq","assignment-comparison","eqeq","hardcoded-conditional"]},"owasp":{"totals":{"":4,"A01:2017: Injection":5,"A03:2021: Injection":12,"A04:2021: Insecure Design":1,"A01:2021: Broken Access Control":8,"A02:2017: Broken Authentication":1,"A05:2017: Broken Access Control":2,"A02:2021: Cryptographic Failures":10,"A03:2017: Sensitive Data Exposure":12,"A08:2017: Insecure Deserialization":2,"A05:2021: Security Misconfiguration":5,"A07:2017: Cross-Site Scripting (XSS)":2,"A04:2017: XML External Entities (XXE)":3,"A08:2021: Software and Data Integrity Failures":2,"A9: Using Components with Known Vulnerabilities":2,"A07:2021: Identification and Authentication Failures":4},"per_framework":{"":{"java":{"":4}},"A01:2017: Injection":{"java":{"":5}},"A03:2021: Injection":{"java":{"":12}},"A04:2021: Insecure Design":{"java":{"":1}},"A01:2021: Broken Access Control":{"java":{"":8}},"A02:2017: Broken Authentication":{"java":{"":1}},"A05:2017: Broken Access Control":{"java":{"":2}},"A02:2021: Cryptographic Failures":{"java":{"":10}},"A03:2017: Sensitive Data Exposure":{"java":{"":12}},"A08:2017: Insecure Deserialization":{"java":{"":2}},"A05:2021: Security Misconfiguration":{"java":{"":5}},"A07:2017: Cross-Site Scripting 
(XSS)":{"java":{"":2}},"A04:2017: XML External Entities (XXE)":{"java":{"":3}},"A08:2021: Software and Data Integrity Failures":{"java":{"":2}},"A9: Using Components with Known Vulnerabilities":{"java":{"":2}},"A07:2021: Identification and Authentication Failures":{"java":{"":4}}},"rules_with_no_owasp":["no-string-eqeq","assignment-comparison","eqeq","hardcoded-conditional"]}},"author":"Daniel Cuthbert","counts":{"total_rules":49,"premium_rules":0},"hidden":true,"description":"mega java pack ","id":"1vw","name":"danielcuthbert.scanalltehthings","visibility":"public","categories":[]},{"tags":[],"tier":null,"stats":{"cwe":{"totals":{"CWE-601: URL Redirection to Untrusted Site ('Open Redirect')":2},"per_framework":{"CWE-502: Deserialization of Untrusted Data":{"java":{"":2}},"CWE-601: URL Redirection to Untrusted Site ('Open Redirect')":{"java":{"":1}},"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')":{"java":{"":2}}},"rules_with_no_cwe":[]},"owasp":{"totals":{"A01:2017: Injection":2,"A03:2021: Injection":2,"A01:2021: Broken Access Control":1,"A08:2017: Insecure Deserialization":2,"A08:2021: Software and Data Integrity Failures":2},"per_framework":{"A01:2017: Injection":{"java":{"":2}},"A03:2021: Injection":{"java":{"":2}},"A01:2021: Broken Access Control":{"java":{"":1}},"A08:2017: Insecure Deserialization":{"java":{"":2}},"A08:2021: Software and Data Integrity Failures":{"java":{"":2}}},"rules_with_no_owasp":[]}},"author":"Daniel Cuthbert","counts":{"total_rules":5,"premium_rules":0},"hidden":true,"description":"java is phun","id":"9JY","name":"danielcuthbert.you-even-security-bro","visibility":"public","categories":[]},{"tags":[],"tier":null,"stats":{"cwe":{"totals":{"CWE-326: Inadequate Encryption Strength":4},"per_framework":{"CWE-287: Improper Authentication":{"java":{"":1}},"CWE-276: Incorrect Default Permissions":{"java":{"":1}},"CWE-326: Inadequate Encryption Strength":{"java":{"":5}},"CWE-295: Improper Certificate 
Validation":{"java":{"":2}},"CWE-183: Permissive List of Allowed Inputs":{"java":{"":1}},"CWE-352: Cross-Site Request Forgery (CSRF)":{"java":{"":2}},"CWE-502: Deserialization of Untrusted Data":{"java":{"":2}},"CWE-704: Incorrect Type Conversion or Cast":{"java":{"":1}},"CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag":{"java":{"":1}},"CWE-329: Generation of Predictable IV with CBC Mode":{"java":{"":1}},"CWE-319: Cleartext Transmission of Sensitive Information":{"java":{"":1}},"CWE-327: Use of a Broken or Risky Cryptographic Algorithm":{"java":{"":5}},"CWE-601: URL Redirection to Untrusted Site ('Open Redirect')":{"java":{"":2}},"CWE-297: Improper Validation of Certificate with Host Mismatch":{"java":{"":1}},"CWE-611: Improper Restriction of XML External Entity Reference":{"java":{"":3}},"CWE-94: Improper Control of Generation of Code ('Code Injection')":{"java":{"":4}},"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor":{"java":{"":1}},"CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')":{"java":{"":1}},"CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute":{"java":{"":1}},"CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')":{"java":{"":2}},"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')":{"java":{"":2}},"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')":{"java":{"":2}},"CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')":{"java":{"":2}},"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')":{"java":{"":1}},"CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')":{"java":{"":1}}},"rules_with_no_cwe":[]},"owasp":{"totals":{"A01:2017: Injection":5,"A03:2021: Injection":13,"A04:2021: Insecure Design":1,"A01:2021: Broken Access Control":8,"A02:2017: 
Broken Authentication":1,"A05:2017: Broken Access Control":2,"A02:2021: Cryptographic Failures":10,"A03:2017: Sensitive Data Exposure":12,"A08:2017: Insecure Deserialization":2,"A05:2021: Security Misconfiguration":5,"A07:2017: Cross-Site Scripting (XSS)":2,"A04:2017: XML External Entities (XXE)":3,"A08:2021: Software and Data Integrity Failures":2,"A9: Using Components with Known Vulnerabilities":2,"A07:2021: Identification and Authentication Failures":4},"per_framework":{"A01:2017: Injection":{"java":{"":5}},"A03:2021: Injection":{"java":{"":13}},"A04:2021: Insecure Design":{"java":{"":1}},"A01:2021: Broken Access Control":{"java":{"":8}},"A02:2017: Broken Authentication":{"java":{"":1}},"A05:2017: Broken Access Control":{"java":{"":2}},"A02:2021: Cryptographic Failures":{"java":{"":10}},"A03:2017: Sensitive Data Exposure":{"java":{"":12}},"A08:2017: Insecure Deserialization":{"java":{"":2}},"A05:2021: Security Misconfiguration":{"java":{"":5}},"A07:2017: Cross-Site Scripting (XSS)":{"java":{"":2}},"A04:2017: XML External Entities (XXE)":{"java":{"":3}},"A08:2021: Software and Data Integrity Failures":{"java":{"":2}},"A9: Using Components with Known Vulnerabilities":{"java":{"":2}},"A07:2021: Identification and Authentication Failures":{"java":{"":4}}},"rules_with_no_owasp":[]}},"author":"Paul Harrington","counts":{"total_rules":46,"premium_rules":0},"hidden":true,"description":"","id":"NRp","name":"didn0t.ph-java-sec2","visibility":"public","categories":[]},{"tags":[],"tier":null,"stats":{"cwe":{"totals":{"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')":6},"per_framework":{"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')":{"java":{"":2},"python":{"":3},"javascript":{"":1}}},"rules_with_no_cwe":[]},"owasp":{"totals":{"A01:2017: Injection":6,"A03:2021: Injection":6},"per_framework":{"A01:2017: Injection":{"java":{"":2},"python":{"":3},"javascript":{"":1}},"A03:2021: 
Injection":{"java":{"":2},"python":{"":3},"javascript":{"":1}}},"rules_with_no_owasp":[]}},"author":"Joe Bollen","counts":{"total_rules":6,"premium_rules":0},"hidden":true,"description":"Check for non prepared SQL statements in Java, JS and Python Django","id":"3gr","name":"hazanasec.non-prepared-sql-statements","visibility":"public","categories":[]},{"tags":[],"tier":null,"stats":{"cwe":{"totals":{"CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')":4},"per_framework":{"":{"java":{"":4}},"CWE-287: Improper Authentication":{"java":{"":1}},"CWE-276: Incorrect Default Permissions":{"java":{"":1}},"CWE-326: Inadequate Encryption Strength":{"java":{"":5}},"CWE-295: Improper Certificate Validation":{"java":{"":2}},"CWE-183: Permissive List of Allowed Inputs":{"java":{"":1}},"CWE-352: Cross-Site Request Forgery (CSRF)":{"java":{"":2}},"CWE-502: Deserialization of Untrusted Data":{"java":{"":2}},"CWE-704: Incorrect Type Conversion or Cast":{"java":{"":1}},"CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag":{"java":{"":1}},"CWE-329: Generation of Predictable IV with CBC Mode":{"java":{"":1}},"CWE-319: Cleartext Transmission of Sensitive Information":{"java":{"":1}},"CWE-327: Use of a Broken or Risky Cryptographic Algorithm":{"java":{"":5}},"CWE-601: URL Redirection to Untrusted Site ('Open Redirect')":{"java":{"":2}},"CWE-297: Improper Validation of Certificate with Host Mismatch":{"java":{"":1}},"CWE-611: Improper Restriction of XML External Entity Reference":{"java":{"":3}},"CWE-94: Improper Control of Generation of Code ('Code Injection')":{"java":{"":4}},"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor":{"java":{"":1}},"CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')":{"java":{"":1}},"CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute":{"java":{"":1}},"CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')":{"java":{"":2}},"CWE-79: Improper 
Neutralization of Input During Web Page Generation ('Cross-site Scripting')":{"java":{"":2}},"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')":{"java":{"":2}},"CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')":{"java":{"":2}},"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')":{"java":{"":1}},"CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')":{"java":{"":1}}},"rules_with_no_cwe":["hardcoded-conditional","eqeq","assignment-comparison","no-string-eqeq"]},"owasp":{"totals":{"":4,"A01:2017: Injection":5,"A03:2021: Injection":13,"A04:2021: Insecure Design":1,"A01:2021: Broken Access Control":8,"A02:2017: Broken Authentication":1,"A05:2017: Broken Access Control":2,"A02:2021: Cryptographic Failures":10,"A03:2017: Sensitive Data Exposure":12,"A08:2017: Insecure Deserialization":2,"A05:2021: Security Misconfiguration":5,"A07:2017: Cross-Site Scripting (XSS)":2,"A04:2017: XML External Entities (XXE)":3,"A08:2021: Software and Data Integrity Failures":2,"A9: Using Components with Known Vulnerabilities":2,"A07:2021: Identification and Authentication Failures":4},"per_framework":{"":{"java":{"":4}},"A01:2017: Injection":{"java":{"":5}},"A03:2021: Injection":{"java":{"":13}},"A04:2021: Insecure Design":{"java":{"":1}},"A01:2021: Broken Access Control":{"java":{"":8}},"A02:2017: Broken Authentication":{"java":{"":1}},"A05:2017: Broken Access Control":{"java":{"":2}},"A02:2021: Cryptographic Failures":{"java":{"":10}},"A03:2017: Sensitive Data Exposure":{"java":{"":12}},"A08:2017: Insecure Deserialization":{"java":{"":2}},"A05:2021: Security Misconfiguration":{"java":{"":5}},"A07:2017: Cross-Site Scripting (XSS)":{"java":{"":2}},"A04:2017: XML External Entities (XXE)":{"java":{"":3}},"A08:2021: Software and Data Integrity Failures":{"java":{"":2}},"A9: Using Components with Known 
Vulnerabilities":{"java":{"":2}},"A07:2021: Identification and Authentication Failures":{"java":{"":4}}},"rules_with_no_owasp":["hardcoded-conditional","eqeq","assignment-comparison","no-string-eqeq"]}},"author":"javixeneize","counts":{"total_rules":50,"premium_rules":0},"hidden":true,"description":"","id":"ov9","name":"javixeneize.java_rules","visibility":"public","categories":[]},{"tags":[],"stats":{"cwe":{"totals":{"CWE-326: Inadequate Encryption Strength":4},"per_framework":{"CWE-287: Improper Authentication":{"java":{"":1}},"CWE-276: Incorrect Default Permissions":{"java":{"":1}},"CWE-326: Inadequate Encryption Strength":{"java":{"":5}},"CWE-295: Improper Certificate Validation":{"java":{"":2}},"CWE-183: Permissive List of Allowed Inputs":{"java":{"":1}},"CWE-352: Cross-Site Request Forgery (CSRF)":{"java":{"":2}},"CWE-502: Deserialization of Untrusted Data":{"java":{"":2}},"CWE-704: Incorrect Type Conversion or Cast":{"java":{"":1}},"CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag":{"java":{"":1}},"CWE-329: Generation of Predictable IV with CBC Mode":{"java":{"":1}},"CWE-319: Cleartext Transmission of Sensitive Information":{"java":{"":1}},"CWE-327: Use of a Broken or Risky Cryptographic Algorithm":{"java":{"":5}},"CWE-601: URL Redirection to Untrusted Site ('Open Redirect')":{"java":{"":2}},"CWE-297: Improper Validation of Certificate with Host Mismatch":{"java":{"":1}},"CWE-611: Improper Restriction of XML External Entity Reference":{"java":{"":3}},"CWE-94: Improper Control of Generation of Code ('Code Injection')":{"java":{"":4}},"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor":{"java":{"":1}},"CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')":{"java":{"":1}},"CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute":{"java":{"":1}},"CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')":{"java":{"":2}},"CWE-79: Improper Neutralization of Input During Web Page 
Generation ('Cross-site Scripting')":{"java":{"":2}},"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')":{"java":{"":2}},"CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')":{"java":{"":2}},"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')":{"java":{"":1}},"CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')":{"java":{"":1}}},"rules_with_no_cwe":[]},"owasp":{"totals":{"A01:2017: Injection":5,"A03:2021: Injection":13,"A04:2021: Insecure Design":1,"A01:2021: Broken Access Control":8,"A02:2017: Broken Authentication":1,"A05:2017: Broken Access Control":2,"A02:2021: Cryptographic Failures":10,"A03:2017: Sensitive Data Exposure":12,"A08:2017: Insecure Deserialization":2,"A05:2021: Security Misconfiguration":5,"A07:2017: Cross-Site Scripting (XSS)":2,"A04:2017: XML External Entities (XXE)":3,"A08:2021: Software and Data Integrity Failures":2,"A9: Using Components with Known Vulnerabilities":2,"A07:2021: Identification and Authentication Failures":4},"per_framework":{"A01:2017: Injection":{"java":{"":5}},"A03:2021: Injection":{"java":{"":13}},"A04:2021: Insecure Design":{"java":{"":1}},"A01:2021: Broken Access Control":{"java":{"":8}},"A02:2017: Broken Authentication":{"java":{"":1}},"A05:2017: Broken Access Control":{"java":{"":2}},"A02:2021: Cryptographic Failures":{"java":{"":10}},"A03:2017: Sensitive Data Exposure":{"java":{"":12}},"A08:2017: Insecure Deserialization":{"java":{"":2}},"A05:2021: Security Misconfiguration":{"java":{"":5}},"A07:2017: Cross-Site Scripting (XSS)":{"java":{"":2}},"A04:2017: XML External Entities (XXE)":{"java":{"":3}},"A08:2021: Software and Data Integrity Failures":{"java":{"":2}},"A9: Using Components with Known Vulnerabilities":{"java":{"":2}},"A07:2021: Identification and Authentication 
Failures":{"java":{"":4}}},"rules_with_no_owasp":[]}},"author":"pawayf","counts":{"total_rules":46,"premium_rules":0},"hidden":true,"description":"","id":"YlW","name":"pawayf.semgrep-java-sec-rules","visibility":"public","categories":[]},{"tags":[],"tier":null,"stats":{"cwe":{"totals":{"CWE-601: URL Redirection to Untrusted Site ('Open Redirect')":4},"per_framework":{"CWE-287: Improper Authentication":{"java":{"":1}},"CWE-276: Incorrect Default Permissions":{"java":{"":1}},"CWE-326: Inadequate Encryption Strength":{"java":{"":5}},"CWE-295: Improper Certificate Validation":{"java":{"":2}},"CWE-183: Permissive List of Allowed Inputs":{"java":{"":1}},"CWE-352: Cross-Site Request Forgery (CSRF)":{"java":{"":1}},"CWE-502: Deserialization of Untrusted Data":{"java":{"":1}},"CWE-704: Incorrect Type Conversion or Cast":{"java":{"":1}},"CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag":{"java":{"":1}},"CWE-329: Generation of Predictable IV with CBC Mode":{"java":{"":1}},"CWE-319: Cleartext Transmission of Sensitive Information":{"java":{"":1}},"CWE-327: Use of a Broken or Risky Cryptographic Algorithm":{"java":{"":4}},"CWE-601: URL Redirection to Untrusted Site ('Open Redirect')":{"java":{"":2}},"CWE-297: Improper Validation of Certificate with Host Mismatch":{"java":{"":1}},"CWE-611: Improper Restriction of XML External Entity Reference":{"java":{"":3}},"CWE-94: Improper Control of Generation of Code ('Code Injection')":{"java":{"":4}},"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor":{"java":{"":1}},"CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')":{"java":{"":1}},"CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute":{"java":{"":1}},"CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')":{"java":{"":2}},"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')":{"java":{"":2}},"CWE-89: Improper Neutralization of Special Elements used in an SQL 
Command ('SQL Injection')":{"java":{"":3}},"CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')":{"java":{"":2}},"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')":{"java":{"":1}},"CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')":{"java":{"":1}}},"rules_with_no_cwe":[]},"owasp":{"totals":{"A01:2017: Injection":6,"A03:2021: Injection":14,"A04:2021: Insecure Design":1,"A01:2021: Broken Access Control":7,"A02:2017: Broken Authentication":1,"A05:2017: Broken Access Control":2,"A02:2021: Cryptographic Failures":9,"A03:2017: Sensitive Data Exposure":11,"A08:2017: Insecure Deserialization":1,"A05:2021: Security Misconfiguration":5,"A07:2017: Cross-Site Scripting (XSS)":2,"A04:2017: XML External Entities (XXE)":3,"A08:2021: Software and Data Integrity Failures":1,"A9: Using Components with Known Vulnerabilities":2,"A07:2021: Identification and Authentication Failures":4},"per_framework":{"A01:2017: Injection":{"java":{"":6}},"A03:2021: Injection":{"java":{"":14}},"A04:2021: Insecure Design":{"java":{"":1}},"A01:2021: Broken Access Control":{"java":{"":7}},"A02:2017: Broken Authentication":{"java":{"":1}},"A05:2017: Broken Access Control":{"java":{"":2}},"A02:2021: Cryptographic Failures":{"java":{"":9}},"A03:2017: Sensitive Data Exposure":{"java":{"":11}},"A08:2017: Insecure Deserialization":{"java":{"":1}},"A05:2021: Security Misconfiguration":{"java":{"":5}},"A07:2017: Cross-Site Scripting (XSS)":{"java":{"":2}},"A04:2017: XML External Entities (XXE)":{"java":{"":3}},"A08:2021: Software and Data Integrity Failures":{"java":{"":1}},"A9: Using Components with Known Vulnerabilities":{"java":{"":2}},"A07:2021: Identification and Authentication 
Failures":{"java":{"":4}}},"rules_with_no_owasp":[]}},"author":"reeyaa","counts":{"total_rules":44,"premium_rules":1},"hidden":true,"description":"","id":"1eb","name":"reeyaa.nodejs-findsecbugs","visibility":"public","categories":[]},{"tags":["owasp","flask","django","boto3","security","requests"],"stats":{"cwe":{"totals":{"CWE-798: Use of Hard-coded Credentials":1},"per_framework":{"":{"python":{"":1}},"CWE-798: Use of Hard-coded Credentials":{"python":{"":1}},"CWE-523: Unprotected Transport of Credentials":{"python":{"":1}},"CWE-668: Exposure of Resource to Wrong Sphere":{"python":{"":2}},"CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute":{"python":{"":1}},"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')":{"python":{"":2}},"CWE-96: Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')":{"python":{"":1}}},"rules_with_no_cwe":["use-timeout"]},"owasp":{"totals":{"":1,"A03:2021: Injection":3,"A01:2021: Broken Access Control":2,"A02:2017: Broken Authentication":1,"A02:2021: Cryptographic Failures":1,"A05:2021: Security Misconfiguration":1,"A07:2017: Cross-Site Scripting (XSS)":2,"A07:2021: Identification and Authentication Failures":1},"per_framework":{"":{"python":{"":1}},"A03:2021: Injection":{"python":{"":3}},"A01:2021: Broken Access Control":{"python":{"":2}},"A02:2017: Broken Authentication":{"python":{"":1}},"A02:2021: Cryptographic Failures":{"python":{"":1}},"A05:2021: Security Misconfiguration":{"python":{"":1}},"A07:2017: Cross-Site Scripting (XSS)":{"python":{"":2}},"A07:2021: Identification and Authentication Failures":{"python":{"":1}}},"rules_with_no_owasp":["use-timeout"]}},"author":"Grayson Hardaway","counts":{"total_rules":9,"premium_rules":0},"hidden":true,"username":"minusworld","languages":["Python"],"description":"Python Meetup Check 
Ruleset","id":"lG9","name":"python-flask-meetup","visibility":"public","categories":[]},{"tags":["correctness","performance","maintainability","go"],"stats":{"cwe":{"totals":{"":66},"per_framework":{"":{"go":{"":66}}},"rules_with_no_cwe":["err-nil-check","use-err-error","leaky-time-after","use-write-not-fprint","hmac-needs-new","use-hmac-equal","deprecated-ioutil-nopcloser","deprecated-ioutil-readall","use-strings-join-path","deprecated-ioutil-discard","http-request-go-context","parseint-downcast","sprintf-host-port","io-readfull-n","deprecated-ioutil-tempdir","deprecated-ioutil-tempfile","deprecated-ioutil-writefile","cancelable-context-not-systematically-cancelled","go-fuzz-to-native-fuzzing","anonymous-struct-args","bad-exponentiation","bad-nil-guard","rows-not-closed","context-todo","use-net-errclosed","err-todo","hash-sum-without-write","deprecated-ioutil-readdir","deprecated-ioutil-readfile","json-encoder-needs-type","sprintf-mail-address","marshal-json-misspell","marshal-json-pointer-receiver","unmarshal-json-misspell","marshal-yaml-misspell","unmarshal-yaml-misspell","use-math-bits","return-nil-err","odd-bitwise","odd-comparison-subtract-eq-zero","odd-comparison-subtract-gte-zero","odd-comparison-subtract-gt-zero","odd-comparison-subtract-lte-zero","odd-comparison-subtract-lt-zero","odd-comparison-subtract-neq-zero","odd-comparison-xor-eq-zero","odd-comparison-xor-neq-zero","odd-compound-expression","odd-sequence-ifs","os-error-is-exist","os-error-is-not-exist","os-error-is-permission","os-error-is-timeout","not-before","ctx-done-and-timers","bad-sort-slice-function","use-fprintf-not-write-fsprint","use-writer-not-writestring","maybe-wrong-err","wrong-lock-unlock","read-io-eof","newrelic-start-without-end","odd-bits-leadingzeros","not-after","return-nil","net-ip-req-remoteaddr"]},"owasp":{"totals":{"":66},"per_framework":{"":{"go":{"":66}}},"rules_with_no_owasp":["err-nil-check","use-err-error","leaky-time-after","use-write-not-fprint","hmac-needs-new","use-
hmac-equal","deprecated-ioutil-nopcloser","deprecated-ioutil-readall","use-strings-join-path","deprecated-ioutil-discard","http-request-go-context","parseint-downcast","sprintf-host-port","io-readfull-n","deprecated-ioutil-tempdir","deprecated-ioutil-tempfile","deprecated-ioutil-writefile","cancelable-context-not-systematically-cancelled","go-fuzz-to-native-fuzzing","anonymous-struct-args","bad-exponentiation","bad-nil-guard","rows-not-closed","context-todo","use-net-errclosed","err-todo","hash-sum-without-write","deprecated-ioutil-readdir","deprecated-ioutil-readfile","json-encoder-needs-type","sprintf-mail-address","marshal-json-misspell","marshal-json-pointer-receiver","unmarshal-json-misspell","marshal-yaml-misspell","unmarshal-yaml-misspell","use-math-bits","return-nil-err","odd-bitwise","odd-comparison-subtract-eq-zero","odd-comparison-subtract-gte-zero","odd-comparison-subtract-gt-zero","odd-comparison-subtract-lte-zero","odd-comparison-subtract-lt-zero","odd-comparison-subtract-neq-zero","odd-comparison-xor-eq-zero","odd-comparison-xor-neq-zero","odd-compound-expression","odd-sequence-ifs","os-error-is-exist","os-error-is-not-exist","os-error-is-permission","os-error-is-timeout","not-before","ctx-done-and-timers","bad-sort-slice-function","use-fprintf-not-write-fsprint","use-writer-not-writestring","maybe-wrong-err","wrong-lock-unlock","read-io-eof","newrelic-start-without-end","odd-bits-leadingzeros","not-after","return-nil","net-ip-req-remoteaddr"]}},"author":"Damian Gryski","counts":{"total_rules":66,"premium_rules":0},"username":"dgryski","languages":["Go"],"description":"Rules for finding odd Go code. 
See github.com/dgryski/semgrep-go to contribute.","id":"X5Zw","name":"semgrep-go-correctness","visibility":"public","categories":[]},{"tags":["node","node.js","nodejs","nestjs"],"stats":{"cwe":{"totals":{"CWE-918: Server-Side Request Forgery (SSRF)":12,"CWE-117: Improper Output Neutralization for Logs":1,"CWE-601: URL Redirection to Untrusted Site ('Open Redirect')":1,"CWE-611: Improper Restriction of XML External Entity Reference":1,"CWE-94: Improper Control of Generation of Code ('Code Injection')":1,"CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine":1,"CWE-643: Improper Neutralization of Data within XPath Expressions ('XPath Injection')":1,"CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')":4,"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')":3,"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')":3,"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')":1,"CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')":2},"per_framework":{"CWE-918: Server-Side Request Forgery (SSRF)":{"javascript":{"":12}},"CWE-117: Improper Output Neutralization for Logs":{"javascript":{"":1}},"CWE-601: URL Redirection to Untrusted Site ('Open Redirect')":{"javascript":{"":1}},"CWE-611: Improper Restriction of XML External Entity Reference":{"javascript":{"":1}},"CWE-94: Improper Control of Generation of Code ('Code Injection')":{"javascript":{"":1}},"CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine":{"javascript":{"":1}},"CWE-643: Improper Neutralization of Data within XPath Expressions ('XPath Injection')":{"javascript":{"":1}},"CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')":{"javascript":{"":4}},"CWE-79: Improper Neutralization of Input During Web Page Generation 
('Cross-site Scripting')":{"javascript":{"":3}},"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')":{"javascript":{"":3}},"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')":{"javascript":{"":1}},"CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')":{"javascript":{"":2}}},"rules_with_no_cwe":[]},"owasp":{"totals":{"":1,"A01:2017: Injection":4,"A03:2021: Injection":11,"A05:2025: Injection":11,"A01:2021: Broken Access Control":5,"A01:2025: Broken Access Control":17,"A05:2017: Broken Access Control":4,"A02:2025: Security Misconfiguration":1,"A05:2021: Security Misconfiguration":1,"A07:2017: Cross-Site Scripting (XSS)":3,"A04:2017: XML External Entities (XXE)":1,"A10:2021: Server-Side Request Forgery (SSRF)":12,"A09:2025: Security Logging & Alerting Failures":1,"A09:2021: Security Logging and Monitoring Failures":1},"per_framework":{"":{"javascript":{"":1}},"A01:2017: Injection":{"javascript":{"":4}},"A03:2021: Injection":{"javascript":{"":11}},"A05:2025: Injection":{"javascript":{"":11}},"A01:2021: Broken Access Control":{"javascript":{"":5}},"A01:2025: Broken Access Control":{"javascript":{"":17}},"A05:2017: Broken Access Control":{"javascript":{"":4}},"A02:2025: Security Misconfiguration":{"javascript":{"":1}},"A05:2021: Security Misconfiguration":{"javascript":{"":1}},"A07:2017: Cross-Site Scripting (XSS)":{"javascript":{"":3}},"A04:2017: XML External Entities (XXE)":{"javascript":{"":1}},"A10:2021: Server-Side Request Forgery (SSRF)":{"javascript":{"":12}},"A09:2025: Security Logging & Alerting Failures":{"javascript":{"":1}},"A09:2021: Security Logging and Monitoring Failures":{"javascript":{"":1}}},"rules_with_no_owasp":["dot-nestjs"]}},"author":"Semgrep","counts":{"total_rules":31,"premium_rules":31},"username":"semgrep","languages":["JavaScript","TypeScript"],"description":"Default ruleset for NestJS, curated by 
Semgrep.","id":"N83G","name":"nestjs","visibility":"public","categories":[]},{"stats":{"cwe":{"totals":{"CWE-328: Use of Weak Hash":2,"CWE-489: Active Debug Code":2,"CWE-23: Relative Path Traversal":1,"CWE-798: Use of Hard-coded Credentials":43,"CWE-326: Inadequate Encryption Strength":13,"CWE-613: Insufficient Session Expiration":1,"CWE-352: Cross-Site Request Forgery (CSRF)":1,"CWE-502: Deserialization of Untrusted Data":2,"CWE-780: Use of RSA Algorithm without OAEP":1,"CWE-300: Channel Accessible by Non-Endpoint":2,"CWE-311: Missing Encryption of Sensitive Data":1,"CWE-522: Insufficiently Protected Credentials":3,"CWE-668: Exposure of Resource to Wrong Sphere":1,"CWE-250: Execution with Unnecessary Privileges":1,"CWE-323: Reusing a Nonce, Key Pair in Encryption":2,"CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag":2,"CWE-329: Generation of Predictable IV with CBC Mode":2,"CWE-319: Cleartext Transmission of Sensitive Information":1,"CWE-327: Use of a Broken or Risky Cryptographic Algorithm":9,"CWE-601: URL Redirection to Untrusted Site ('Open Redirect')":2,"CWE-611: Improper Restriction of XML External Entity Reference":10,"CWE-94: Improper Control of Generation of Code ('Code Injection')":2,"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor":2,"CWE-209: Generation of Error Message Containing Sensitive Information":1,"CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute":4,"CWE-943: Improper Neutralization of Special Elements in Data Query Logic":1,"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')":12,"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')":7,"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')":2,"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')":4},"per_framework":{"CWE-328: Use of Weak Hash":{"java":{"":2}},"CWE-489: Active Debug 
Code":{"php":{"":1},"python":{"":1}},"CWE-23: Relative Path Traversal":{"php":{"":1}},"CWE-798: Use of Hard-coded Credentials":{"js":{"":5},"py":{"":1},"java":{"":6},"ruby":{"":2},"swift":{"":7},"csharp":{"":9},"python":{"":8},"javascript":{"":5}},"CWE-326: Inadequate Encryption Strength":{"go":{"":1},"kt":{"":1},"hcl":{"":1},"java":{"":6},"ruby":{"":1},"generic":{"":1},"terraform":{"":1},"javascript":{"":1}},"CWE-613: Insufficient Session Expiration":{"csharp":{"":1}},"CWE-352: Cross-Site Request Forgery (CSRF)":{"java":{"":1}},"CWE-502: Deserialization of Untrusted Data":{"C#":{"":1},"javascript":{"":1}},"CWE-780: Use of RSA Algorithm without OAEP":{"scala":{"":1}},"CWE-300: Channel Accessible by Non-Endpoint":{"go":{"":2}},"CWE-311: Missing Encryption of Sensitive Data":{"ruby":{"":1}},"CWE-522: Insufficiently Protected Credentials":{"scala":{"":2},"python":{"":1}},"CWE-668: Exposure of Resource to Wrong Sphere":{"python":{"":1}},"CWE-250: Execution with Unnecessary Privileges":{"yaml":{"":1}},"CWE-323: Reusing a Nonce, Key Pair in Encryption":{"java":{"":2}},"CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag":{"java":{"":2}},"CWE-329: Generation of Predictable IV with CBC Mode":{"php":{"":1},"java":{"":1}},"CWE-319: Cleartext Transmission of Sensitive Information":{"java":{"":1}},"CWE-327: Use of a Broken or Risky Cryptographic Algorithm":{"go":{"":4},"java":{"":4},"javascript":{"":1}},"CWE-601: URL Redirection to Untrusted Site ('Open Redirect')":{"javascript":{"":2}},"CWE-611: Improper Restriction of XML External Entity Reference":{"php":{"":2},"java":{"":4},"scala":{"":3},"javascript":{"":1}},"CWE-94: Improper Control of Generation of Code ('Code Injection')":{"yaml":{"":1},"generic":{"":1}},"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor":{"go":{"":1},"python":{"":1}},"CWE-209: Generation of Error Message Containing Sensitive Information":{"csharp":{"":1}},"CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' 
Attribute":{"php":{"":1},"java":{"":2},"generic":{"":1}},"CWE-943: Improper Neutralization of Special Elements in Data Query Logic":{"javascript":{"":1}},"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')":{"javascript":{"":1},"typescript":{"":11}},"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')":{"go":{"":2},"scala":{"":2},"javascript":{"":3}},"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')":{"php":{"":1},"javascript":{"":1}},"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')":{"java":{"":1},"yaml":{"":1},"python":{"":2}}},"rules_with_no_cwe":[]},"owasp":{"totals":{"A01:2017: Injection":12,"A03:2021: Injection":27,"A05:2025: Injection":27,"A04:2021: Insecure Design":5,"A06:2025: Insecure Design":5,"A01:2021: Broken Access Control":7,"A01:2025: Broken Access Control":7,"A02:2017: Broken Authentication":4,"A02:2021: Cryptographic Failures":30,"A04:2025: Cryptographic Failures":30,"A03:2017: Sensitive Data Exposure":26,"A07:2025: Authentication Failures":46,"A08:2017: Insecure Deserialization":2,"A02:2025: Security Misconfiguration":18,"A05:2021: Security Misconfiguration":18,"A06:2017: Security Misconfiguration":4,"A07:2017: Cross-Site Scripting (XSS)":12,"A04:2017: XML External Entities (XXE)":10,"A08:2025: Software or Data Integrity Failures":2,"A08:2021: Software and Data Integrity Failures":2,"A07:2021: Identification and Authentication Failures":46},"per_framework":{"A01:2017: Injection":{"go":{"":2},"java":{"":1},"yaml":{"":1},"scala":{"":2},"python":{"":2},"javascript":{"":4}},"A03:2021: Injection":{"go":{"":2},"php":{"":1},"java":{"":1},"yaml":{"":2},"scala":{"":2},"python":{"":2},"generic":{"":1},"javascript":{"":5},"typescript":{"":11}},"A05:2025: 
Injection":{"go":{"":2},"php":{"":1},"java":{"":1},"yaml":{"":2},"scala":{"":2},"python":{"":2},"generic":{"":1},"javascript":{"":5},"typescript":{"":11}},"A04:2021: Insecure Design":{"ruby":{"":1},"scala":{"":2},"csharp":{"":1},"python":{"":1}},"A06:2025: Insecure Design":{"ruby":{"":1},"scala":{"":2},"csharp":{"":1},"python":{"":1}},"A01:2021: Broken Access Control":{"go":{"":1},"php":{"":1},"java":{"":1},"python":{"":2},"javascript":{"":2}},"A01:2025: Broken Access Control":{"go":{"":1},"php":{"":1},"java":{"":1},"python":{"":2},"javascript":{"":2}},"A02:2017: Broken Authentication":{"scala":{"":2},"csharp":{"":1},"python":{"":1}},"A02:2021: Cryptographic Failures":{"go":{"":5},"kt":{"":1},"hcl":{"":1},"php":{"":1},"java":{"":16},"ruby":{"":1},"scala":{"":1},"generic":{"":1},"terraform":{"":1},"javascript":{"":2}},"A04:2025: Cryptographic Failures":{"go":{"":5},"kt":{"":1},"hcl":{"":1},"php":{"":1},"java":{"":16},"ruby":{"":1},"scala":{"":1},"generic":{"":1},"terraform":{"":1},"javascript":{"":2}},"A03:2017: Sensitive Data Exposure":{"go":{"":5},"kt":{"":1},"hcl":{"":1},"java":{"":13},"ruby":{"":2},"generic":{"":1},"terraform":{"":1},"javascript":{"":2}},"A07:2025: Authentication Failures":{"go":{"":2},"js":{"":5},"py":{"":1},"java":{"":6},"ruby":{"":2},"swift":{"":7},"csharp":{"":10},"python":{"":8},"javascript":{"":5}},"A08:2017: Insecure Deserialization":{"C#":{"":1},"javascript":{"":1}},"A02:2025: Security Misconfiguration":{"php":{"":4},"java":{"":8},"yaml":{"":1},"scala":{"":3},"generic":{"":1},"javascript":{"":1}},"A05:2021: Security Misconfiguration":{"php":{"":4},"java":{"":8},"yaml":{"":1},"scala":{"":3},"generic":{"":1},"javascript":{"":1}},"A06:2017: Security Misconfiguration":{"php":{"":1},"yaml":{"":1},"csharp":{"":1},"python":{"":1}},"A07:2017: Cross-Site Scripting (XSS)":{"javascript":{"":1},"typescript":{"":11}},"A04:2017: XML External Entities (XXE)":{"php":{"":2},"java":{"":4},"scala":{"":3},"javascript":{"":1}},"A08:2025: Software or Data 
Integrity Failures":{"C#":{"":1},"javascript":{"":1}},"A08:2021: Software and Data Integrity Failures":{"C#":{"":1},"javascript":{"":1}},"A07:2021: Identification and Authentication Failures":{"go":{"":2},"js":{"":5},"py":{"":1},"java":{"":6},"ruby":{"":2},"swift":{"":7},"csharp":{"":10},"python":{"":8},"javascript":{"":5}}},"rules_with_no_owasp":[]}},"author":"Semgrep","counts":{"total_rules":137,"premium_rules":62},"hidden":true,"username":"semgrep","description":"Default ruleset, curated by Semgrep","id":"XPb","name":"r2c","visibility":"public","categories":[]},{"tags":["security"],"stats":{"cwe":{"totals":{"CWE-328: Use of Weak Hash":1,"CWE-862: Missing Authorization":1,"CWE-798: Use of Hard-coded Credentials":10,"CWE-295: Improper Certificate Validation":1,"CWE-613: Insufficient Session Expiration":1,"CWE-502: Deserialization of Untrusted Data":5,"CWE-780: Use of RSA Algorithm without OAEP":1,"CWE-918: Server-Side Request Forgery (SSRF)":5,"CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag":2,"CWE-1333: Inefficient Regular Expression Complexity":2,"CWE-706: Use of Incorrectly-Resolved Name or Reference":1,"CWE-345: Insufficient Verification of Data Authenticity":1,"CWE-327: Use of a Broken or Risky Cryptographic Algorithm":6,"CWE-347: Improper Verification of Cryptographic Signature":1,"CWE-548: Exposure of Information Through Directory Listing":1,"CWE-1275: Sensitive Cookie with Improper SameSite Attribute":1,"CWE-611: Improper Restriction of XML External Entity Reference":4,"CWE-942: Permissive Cross-domain Policy with Untrusted Domains":2,"CWE-94: Improper Control of Generation of Code ('Code Injection')":3,"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor":1,"CWE-209: Generation of Error Message Containing Sensitive Information":1,"CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute":2,"CWE-943: Improper Neutralization of Special Elements in Data Query Logic":2,"CWE-338: Use of Cryptographically Weak Pseudo-Random 
Number Generator (PRNG)":1,"CWE-643: Improper Neutralization of Data within XPath Expressions ('XPath Injection')":3,"CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')":67,"CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes":1,"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')":4,"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')":43,"CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')":1,"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')":3},"per_framework":{"CWE-328: Use of Weak Hash":{"csharp":{"":1}},"CWE-862: Missing Authorization":{"csharp":{"":1}},"CWE-798: Use of Hard-coded Credentials":{"csharp":{"":10}},"CWE-295: Improper Certificate Validation":{"csharp":{"":1}},"CWE-613: Insufficient Session Expiration":{"csharp":{"":1}},"CWE-502: Deserialization of Untrusted Data":{"C#":{"":5}},"CWE-780: Use of RSA Algorithm without OAEP":{"csharp":{"":1}},"CWE-918: Server-Side Request Forgery (SSRF)":{"csharp":{"":5}},"CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag":{"csharp":{"":2}},"CWE-1333: Inefficient Regular Expression Complexity":{"C#":{"":2}},"CWE-706: Use of Incorrectly-Resolved Name or Reference":{"C#":{"":1}},"CWE-345: Insufficient Verification of Data Authenticity":{"csharp":{"":1}},"CWE-327: Use of a Broken or Risky Cryptographic Algorithm":{"csharp":{"":6}},"CWE-347: Improper Verification of Cryptographic Signature":{"csharp":{"":1}},"CWE-548: Exposure of Information Through Directory Listing":{"csharp":{"":1}},"CWE-1275: Sensitive Cookie with Improper SameSite Attribute":{"csharp":{"":1}},"CWE-611: Improper Restriction of XML External Entity Reference":{"csharp":{"":4}},"CWE-942: Permissive Cross-domain Policy with Untrusted Domains":{"csharp":{"":2}},"CWE-94: Improper Control of Generation of Code 
('Code Injection')":{"csharp":{"":3}},"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor":{"csharp":{"":1}},"CWE-209: Generation of Error Message Containing Sensitive Information":{"csharp":{"":1}},"CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute":{"csharp":{"":2}},"CWE-943: Improper Neutralization of Special Elements in Data Query Logic":{"csharp":{"":2}},"CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)":{"csharp":{"":1}},"CWE-643: Improper Neutralization of Data within XPath Expressions ('XPath Injection')":{"csharp":{"":3}},"CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')":{"csharp":{"":67}},"CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes":{"csharp":{"":1}},"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')":{"csharp":{"":4}},"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')":{"csharp":{"":43}},"CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')":{"csharp":{"":1}},"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')":{"csharp":{"":3}}},"rules_with_no_cwe":[]},"owasp":{"totals":{"A01:2017: Injection":51,"A03:2021: Injection":57,"A05:2025: Injection":57,"A04:2021: Insecure Design":1,"A06:2025: Insecure Design":1,"A01:2021: Broken Access Control":72,"A01:2025: Broken Access Control":75,"A02:2017: Broken Authentication":1,"A05:2017: Broken Access Control":67,"A02:2021: Cryptographic Failures":10,"A04:2025: Cryptographic Failures":10,"A03:2017: Sensitive Data Exposure":6,"A07:2025: Authentication Failures":12,"A08:2017: Insecure Deserialization":5,"A02:2025: Security Misconfiguration":10,"A05:2021: Security Misconfiguration":10,"A06:2017: Security Misconfiguration":2,"A07:2017: Cross-Site Scripting (XSS)":4,"A04:2017: XML External Entities 
(XXE)":4,"A10:2021: Server-Side Request Forgery (SSRF)":5,"A08:2025: Software or Data Integrity Failures":7,"A08:2021: Software and Data Integrity Failures":7,"A07:2021: Identification and Authentication Failures":12},"per_framework":{"A01:2017: Injection":{"C#":{"":2},"csharp":{"":49}},"A03:2021: Injection":{"csharp":{"":57}},"A05:2025: Injection":{"csharp":{"":57}},"A04:2021: Insecure Design":{"csharp":{"":1}},"A06:2025: Insecure Design":{"csharp":{"":1}},"A01:2021: Broken Access Control":{"C#":{"":1},"csharp":{"":71}},"A01:2025: Broken Access Control":{"C#":{"":1},"csharp":{"":74}},"A02:2017: Broken Authentication":{"csharp":{"":1}},"A05:2017: Broken Access Control":{"csharp":{"":67}},"A02:2021: Cryptographic Failures":{"csharp":{"":10}},"A04:2025: Cryptographic Failures":{"csharp":{"":10}},"A03:2017: Sensitive Data Exposure":{"csharp":{"":6}},"A07:2025: Authentication Failures":{"csharp":{"":12}},"A08:2017: Insecure Deserialization":{"C#":{"":5}},"A02:2025: Security Misconfiguration":{"csharp":{"":10}},"A05:2021: Security Misconfiguration":{"csharp":{"":10}},"A06:2017: Security Misconfiguration":{"csharp":{"":2}},"A07:2017: Cross-Site Scripting (XSS)":{"csharp":{"":4}},"A04:2017: XML External Entities (XXE)":{"csharp":{"":4}},"A10:2021: Server-Side Request Forgery (SSRF)":{"csharp":{"":5}},"A08:2025: Software or Data Integrity Failures":{"C#":{"":5},"csharp":{"":2}},"A08:2021: Software and Data Integrity Failures":{"C#":{"":5},"csharp":{"":2}},"A07:2021: Identification and Authentication Failures":{"csharp":{"":12}}},"rules_with_no_owasp":[]}},"author":"Semgrep","counts":{"total_rules":178,"premium_rules":151},"username":"semgrep","languages":["csharp"],"description":"Default ruleset for C#, curated by Semgrep.","id":"zd9Z","name":"csharp","visibility":"public","categories":[]},{"tags":["flask","header"],"stats":{"cwe":{"totals":{"CWE-358: Improperly Implemented Security Check for Standard":36,"CWE-942: Permissive Cross-domain Policy with Untrusted 
Domains":1},"per_framework":{"CWE-358: Improperly Implemented Security Check for Standard":{"python":{"":36}},"CWE-942: Permissive Cross-domain Policy with Untrusted Domains":{"python":{"":1}}},"rules_with_no_cwe":[]},"owasp":{"totals":{"A05:2021-Security misconfiguration":36,"A02:2025: Security Misconfiguration":1,"A05:2021: Security Misconfiguration":1},"per_framework":{"A05:2021-Security misconfiguration":{"python":{"":36}},"A02:2025: Security Misconfiguration":{"python":{"":1}},"A05:2021: Security Misconfiguration":{"python":{"":1}}},"rules_with_no_owasp":[]}},"author":"Semgrep","counts":{"total_rules":37,"premium_rules":37},"username":"semgrep","languages":["python"],"description":"Ruleset for HTTP security headers, curated by Semgrep.","id":"O8N2","name":"security-headers","visibility":"public","categories":[]},{"tags":["security"],"stats":{"cwe":{"totals":{"":6,"CWE-489: Active Debug Code":1,"CWE-284: Improper Access Control":2,"CWE-346: Origin Validation Error":1,"CWE-863: Incorrect Authorization":1,"CWE-779: Logging of Excessive Data":1,"CWE-352: Cross-Site Request Forgery (CSRF)":2,"CWE-321: Use of Hard-coded Cryptographic Key":1,"CWE-319: Cleartext Transmission of Sensitive Information":1,"CWE-540: Inclusion of Sensitive Information in Source Code":2,"CWE-943: Improper Neutralization of Special Elements in Data Query Logic":2,"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')":3},"per_framework":{"":{"apex":{"":1},"generic":{"":5}},"CWE-489: Active Debug Code":{"apex":{"":1}},"CWE-284: Improper Access Control":{"apex":{"":2}},"CWE-346: Origin Validation Error":{"generic":{"":1}},"CWE-863: Incorrect Authorization":{"apex":{"":1}},"CWE-779: Logging of Excessive Data":{"apex":{"":1}},"CWE-352: Cross-Site Request Forgery (CSRF)":{"apex":{"":1},"generic":{"":1}},"CWE-321: Use of Hard-coded Cryptographic Key":{"apex":{"":1}},"CWE-319: Cleartext Transmission of Sensitive Information":{"apex":{"":1}},"CWE-540: Inclusion 
of Sensitive Information in Source Code":{"apex":{"":2}},"CWE-943: Improper Neutralization of Special Elements in Data Query Logic":{"apex":{"":2}},"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')":{"generic":{"":3}}},"rules_with_no_cwe":["use-assert-class","absolute-urls","avoid-native-dml-in-loops","avoid-operations-with-limits-in-loops","avoid-soql-in-loops","avoid-sosl-in-loops"]},"owasp":{"totals":{"":11,"A03:2021: Injection":5,"A05:2025: Injection":5,"A04:2021: Insecure Design":2,"A06:2025: Insecure Design":2,"A01:2021: Broken Access Control":3,"A01:2025: Broken Access Control":3,"A02:2021: Cryptographic Failures":1,"A04:2025: Cryptographic Failures":1,"A07:2025: Authentication Failures":1,"A07:2017: Cross-Site Scripting (XSS)":3,"A07:2021: Identification and Authentication Failures":1},"per_framework":{"":{"apex":{"":6},"generic":{"":5}},"A03:2021: Injection":{"apex":{"":2},"generic":{"":3}},"A05:2025: Injection":{"apex":{"":2},"generic":{"":3}},"A04:2021: Insecure Design":{"apex":{"":2}},"A06:2025: Insecure Design":{"apex":{"":2}},"A01:2021: Broken Access Control":{"apex":{"":2},"generic":{"":1}},"A01:2025: Broken Access Control":{"apex":{"":2},"generic":{"":1}},"A02:2021: Cryptographic Failures":{"apex":{"":1}},"A04:2025: Cryptographic Failures":{"apex":{"":1}},"A07:2025: Authentication Failures":{"generic":{"":1}},"A07:2017: Cross-Site Scripting (XSS)":{"generic":{"":3}},"A07:2021: Identification and Authentication Failures":{"generic":{"":1}}},"rules_with_no_owasp":["global-access-modifiers","use-assert-class","absolute-urls","avoid-native-dml-in-loops","avoid-operations-with-limits-in-loops","avoid-soql-in-loops","avoid-sosl-in-loops","insecure-http-request","named-credentials-constant-match","named-credentials-string-match","system-debug"]}},"author":"Semgrep","counts":{"total_rules":22,"premium_rules":0},"username":"semgrep","languages":["Apex"],"description":"Default ruleset for Apex, curated by Semgrep. 
Includes rules contributed by nCino. Semgrep Pro >= 1.44.0 is required to run rules in this ruleset.","id":"AwnL","name":"apex","visibility":"public","categories":[]},{"tags":["semgrep","security","correctness","best practices","docker","docker-compose","configuration","infrastructure","infrastructure as code"],"stats":{"cwe":{"totals":{"CWE-284: Improper Access Control":2,"CWE-250: Execution with Unnecessary Privileges":2,"CWE-732: Incorrect Permission Assignment for Critical Resource":2},"per_framework":{"CWE-284: Improper Access Control":{"yaml":{"":2}},"CWE-250: Execution with Unnecessary Privileges":{"yaml":{"":2}},"CWE-732: Incorrect Permission Assignment for Critical Resource":{"yaml":{"":2}}},"rules_with_no_cwe":[]},"owasp":{"totals":{"A01:2021: Broken Access Control":2,"A01:2025: Broken Access Control":2,"A05:2017: Broken Access Control":2,"A02:2025: Security Misconfiguration":4,"A05:2021: Security Misconfiguration":4,"A06:2017: Security Misconfiguration":4},"per_framework":{"A01:2021: Broken Access Control":{"yaml":{"":2}},"A01:2025: Broken Access Control":{"yaml":{"":2}},"A05:2017: Broken Access Control":{"yaml":{"":2}},"A02:2025: Security Misconfiguration":{"yaml":{"":4}},"A05:2021: Security Misconfiguration":{"yaml":{"":4}},"A06:2017: Security Misconfiguration":{"yaml":{"":4}}},"rules_with_no_owasp":[]}},"author":"Semgrep","counts":{"total_rules":6,"premium_rules":0},"username":"semgrep","languages":["yaml"],"description":"Security checks for docker-compose configuration files.","id":"D0v","name":"docker-compose","visibility":"public","categories":[{"id":"aGe","slug":"configuration-files","name":"Configuration Files [Beta]","description":"Scan your configuration files using Semgrep's generic pattern matching."}]},{"tags":["semgrep","security","docker","dockerfile","configuration","infrastructure","infrastructure as code"],"stats":{"cwe":{"totals":{"":1,"CWE-862: Missing Authorization":1,"CWE-269: Improper Privilege Management":3,"CWE-427: Uncontrolled 
Search Path Element":1,"CWE-250: Execution with Unnecessary Privileges":2},"per_framework":{"":{"dockerfile":{"":1}},"CWE-862: Missing Authorization":{"dockerfile":{"":1}},"CWE-269: Improper Privilege Management":{"dockerfile":{"":3}},"CWE-427: Uncontrolled Search Path Element":{"dockerfile":{"":1}},"CWE-250: Execution with Unnecessary Privileges":{"dockerfile":{"":2}}},"rules_with_no_cwe":["missing-zypper-no-confirm-switch"]},"owasp":{"totals":{"":3,"A04:2021: Insecure Design":3,"A06:2025: Insecure Design":3,"A02:2025: Security Misconfiguration":1,"A05:2021: Security Misconfiguration":1},"per_framework":{"":{"dockerfile":{"":3}},"A04:2021: Insecure Design":{"dockerfile":{"":3}},"A06:2025: Insecure Design":{"dockerfile":{"":3}},"A02:2025: Security Misconfiguration":{"dockerfile":{"":1}},"A05:2021: Security Misconfiguration":{"dockerfile":{"":1}}},"rules_with_no_owasp":["dockerfile-pip-extra-index-url","dockerfile-dockerd-socket-mount","missing-zypper-no-confirm-switch"]}},"author":"Semgrep","counts":{"total_rules":7,"premium_rules":0},"username":"semgrep","languages":["generic","dockerfile"],"description":"Selected rules from Hadolint, a Dockerfile linter, rewritten in Semgrep.","id":"Leo","name":"dockerfile","visibility":"public","categories":[{"id":"aGe","slug":"configuration-files","name":"Configuration Files [Beta]","description":"Scan your configuration files using Semgrep's generic pattern matching."}]},{"tags":["node","node.js","nodejs","hapi"],"stats":{"cwe":{"totals":{"CWE-384: Session Fixation":1,"CWE-346: Origin Validation Error":4,"CWE-798: Use of Hard-coded Credentials":3,"CWE-502: Deserialization of Untrusted Data":1,"CWE-918: Server-Side Request Forgery (SSRF)":29,"CWE-522: Insufficiently Protected Credentials":7,"CWE-73: External Control of File Name or Path":1,"CWE-117: Improper Output Neutralization for Logs":1,"CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag":4,"CWE-1333: Inefficient Regular Expression Complexity":1,"CWE-706: Use of 
Incorrectly-Resolved Name or Reference":2,"CWE-327: Use of a Broken or Risky Cryptographic Algorithm":2,"CWE-548: Exposure of Information Through Directory Listing":1,"CWE-1275: Sensitive Cookie with Improper SameSite Attribute":4,"CWE-601: URL Redirection to Untrusted Site ('Open Redirect')":5,"CWE-611: Improper Restriction of XML External Entity Reference":5,"CWE-732: Incorrect Permission Assignment for Critical Resource":2,"CWE-94: Improper Control of Generation of Code ('Code Injection')":11,"CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute":5,"CWE-451: User Interface (UI) Misrepresentation of Critical Information":1,"CWE-943: Improper Neutralization of Special Elements in Data Query Logic":5,"CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine":1,"CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')":12,"CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')":1,"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')":6,"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')":21,"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')":1,"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')":3,"CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')":1},"per_framework":{"CWE-384: Session Fixation":{"javascript":{"":1}},"CWE-346: Origin Validation Error":{"javascript":{"":4}},"CWE-798: Use of Hard-coded Credentials":{"javascript":{"":3}},"CWE-502: Deserialization of Untrusted Data":{"javascript":{"":1}},"CWE-918: Server-Side Request Forgery (SSRF)":{"javascript":{"":29}},"CWE-522: Insufficiently Protected Credentials":{"javascript":{"":7}},"CWE-73: External Control of File Name or Path":{"javascript":{"":1}},"CWE-117: Improper Output 
Neutralization for Logs":{"javascript":{"":1}},"CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag":{"javascript":{"":4}},"CWE-1333: Inefficient Regular Expression Complexity":{"javascript":{"":1}},"CWE-706: Use of Incorrectly-Resolved Name or Reference":{"javascript":{"":2}},"CWE-327: Use of a Broken or Risky Cryptographic Algorithm":{"javascript":{"":2}},"CWE-548: Exposure of Information Through Directory Listing":{"javascript":{"":1}},"CWE-1275: Sensitive Cookie with Improper SameSite Attribute":{"javascript":{"":4}},"CWE-601: URL Redirection to Untrusted Site ('Open Redirect')":{"javascript":{"":5}},"CWE-611: Improper Restriction of XML External Entity Reference":{"javascript":{"":5}},"CWE-732: Incorrect Permission Assignment for Critical Resource":{"javascript":{"":2}},"CWE-94: Improper Control of Generation of Code ('Code Injection')":{"javascript":{"":11}},"CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute":{"javascript":{"":5}},"CWE-451: User Interface (UI) Misrepresentation of Critical Information":{"javascript":{"":1}},"CWE-943: Improper Neutralization of Special Elements in Data Query Logic":{"javascript":{"":5}},"CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine":{"javascript":{"":1}},"CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')":{"javascript":{"":12}},"CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')":{"javascript":{"":1}},"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')":{"javascript":{"":6}},"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')":{"javascript":{"":21}},"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')":{"javascript":{"":1}},"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')":{"javascript":{"":3}},"CWE-74: Improper 
Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')":{"javascript":{"":1}}},"rules_with_no_cwe":[]},"owasp":{"totals":{"":3,"A01:2017: Injection":31,"A03:2021: Injection":45,"A05:2025: Injection":45,"A04:2021: Insecure Design":9,"A06:2025: Insecure Design":9,"A01:2021: Broken Access Control":24,"A01:2025: Broken Access Control":53,"A02:2017: Broken Authentication":8,"A05:2017: Broken Access Control":12,"A02:2021: Cryptographic Failures":2,"A04:2025: Cryptographic Failures":2,"A03:2017: Sensitive Data Exposure":2,"A07:2025: Authentication Failures":8,"A08:2017: Insecure Deserialization":1,"A02:2025: Security Misconfiguration":14,"A05:2021: Security Misconfiguration":14,"A06:2017: Security Misconfiguration":1,"A07:2017: Cross-Site Scripting (XSS)":6,"A04:2017: XML External Entities (XXE)":5,"A10:2021: Server-Side Request Forgery (SSRF)":29,"A08:2025: Software or Data Integrity Failures":1,"A08:2021: Software and Data Integrity Failures":1,"A09:2025: Security Logging & Alerting Failures":1,"A09:2021: Security Logging and Monitoring Failures":1,"A07:2021: Identification and Authentication Failures":8},"per_framework":{"":{"javascript":{"":3}},"A01:2017: Injection":{"javascript":{"":31}},"A03:2021: Injection":{"javascript":{"":45}},"A05:2025: Injection":{"javascript":{"":45}},"A04:2021: Insecure Design":{"javascript":{"":9}},"A06:2025: Insecure Design":{"javascript":{"":9}},"A01:2021: Broken Access Control":{"javascript":{"":24}},"A01:2025: Broken Access Control":{"javascript":{"":53}},"A02:2017: Broken Authentication":{"javascript":{"":8}},"A05:2017: Broken Access Control":{"javascript":{"":12}},"A02:2021: Cryptographic Failures":{"javascript":{"":2}},"A04:2025: Cryptographic Failures":{"javascript":{"":2}},"A03:2017: Sensitive Data Exposure":{"javascript":{"":2}},"A07:2025: Authentication Failures":{"javascript":{"":8}},"A08:2017: Insecure Deserialization":{"javascript":{"":1}},"A02:2025: Security 
Misconfiguration":{"javascript":{"":14}},"A05:2021: Security Misconfiguration":{"javascript":{"":14}},"A06:2017: Security Misconfiguration":{"javascript":{"":1}},"A07:2017: Cross-Site Scripting (XSS)":{"javascript":{"":6}},"A04:2017: XML External Entities (XXE)":{"javascript":{"":5}},"A10:2021: Server-Side Request Forgery (SSRF)":{"javascript":{"":29}},"A08:2025: Software or Data Integrity Failures":{"javascript":{"":1}},"A08:2021: Software and Data Integrity Failures":{"javascript":{"":1}},"A09:2025: Security Logging & Alerting Failures":{"javascript":{"":1}},"A09:2021: Security Logging and Monitoring Failures":{"javascript":{"":1}},"A07:2021: Identification and Authentication Failures":{"javascript":{"":8}}},"rules_with_no_owasp":["regexp-redos","cookies-default-express","session-cookie-default-express"]}},"author":"Semgrep","counts":{"total_rules":141,"premium_rules":107},"username":"semgrep","languages":["JavaScript","TypeScript"],"description":"Default ruleset for Hapi, curated by Semgrep.","id":"rkR1","name":"hapi","visibility":"public","categories":[]},{"tags":["OWASP","github","actions","github-actions","workflow","security","ci/cd"],"stats":{"cwe":{"totals":{"CWE-749: Exposed Dangerous Method or Function":1,"CWE-829: Inclusion of Functionality from Untrusted Control Sphere":1,"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')":1},"per_framework":{"CWE-749: Exposed Dangerous Method or Function":{"yaml":{"":1}},"CWE-829: Inclusion of Functionality from Untrusted Control Sphere":{"yaml":{"":1}},"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')":{"yaml":{"":1}}},"rules_with_no_cwe":[]},"owasp":{"totals":{"A01:2017: Injection":1,"A03:2021: Injection":1,"A05:2025: Injection":1,"A06:2017: Security Misconfiguration":1,"A08:2021: Software and Data Integrity Failures":1,"A08:2025: Software and Data Integrity Failures":1},"per_framework":{"A01:2017: 
Injection":{"yaml":{"":1}},"A03:2021: Injection":{"yaml":{"":1}},"A05:2025: Injection":{"yaml":{"":1}},"A06:2017: Security Misconfiguration":{"yaml":{"":1}},"A08:2021: Software and Data Integrity Failures":{"yaml":{"":1}},"A08:2025: Software and Data Integrity Failures":{"yaml":{"":1}}},"rules_with_no_owasp":[]}},"author":"Grayson Hardaway","counts":{"total_rules":3,"premium_rules":0},"username":"minusworld","languages":["yaml"],"description":"Security rules for GitHub Actions workflow files","id":"qPy","name":"github-actions","visibility":"public","categories":[]},{"tags":["node","node.js","nodejs","koa"],"stats":{"cwe":{"totals":{"CWE-384: Session Fixation":1,"CWE-346: Origin Validation Error":5,"CWE-798: Use of Hard-coded Credentials":3,"CWE-502: Deserialization of Untrusted Data":1,"CWE-918: Server-Side Request Forgery (SSRF)":29,"CWE-522: Insufficiently Protected Credentials":7,"CWE-73: External Control of File Name or Path":1,"CWE-117: Improper Output Neutralization for Logs":1,"CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag":4,"CWE-1333: Inefficient Regular Expression Complexity":1,"CWE-706: Use of Incorrectly-Resolved Name or Reference":2,"CWE-327: Use of a Broken or Risky Cryptographic Algorithm":2,"CWE-548: Exposure of Information Through Directory Listing":1,"CWE-1275: Sensitive Cookie with Improper SameSite Attribute":7,"CWE-601: URL Redirection to Untrusted Site ('Open Redirect')":5,"CWE-611: Improper Restriction of XML External Entity Reference":5,"CWE-732: Incorrect Permission Assignment for Critical Resource":2,"CWE-94: Improper Control of Generation of Code ('Code Injection')":11,"CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute":5,"CWE-451: User Interface (UI) Misrepresentation of Critical Information":1,"CWE-943: Improper Neutralization of Special Elements in Data Query Logic":5,"CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine":1,"CWE-22: Improper Limitation of a Pathname to a Restricted 
Directory ('Path Traversal')":12,"CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')":1,"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')":6,"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')":21,"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')":1,"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')":3,"CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')":1},"per_framework":{"CWE-384: Session Fixation":{"javascript":{"":1}},"CWE-346: Origin Validation Error":{"javascript":{"":5}},"CWE-798: Use of Hard-coded Credentials":{"javascript":{"":3}},"CWE-502: Deserialization of Untrusted Data":{"javascript":{"":1}},"CWE-918: Server-Side Request Forgery (SSRF)":{"javascript":{"":29}},"CWE-522: Insufficiently Protected Credentials":{"javascript":{"":7}},"CWE-73: External Control of File Name or Path":{"javascript":{"":1}},"CWE-117: Improper Output Neutralization for Logs":{"javascript":{"":1}},"CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag":{"javascript":{"":4}},"CWE-1333: Inefficient Regular Expression Complexity":{"javascript":{"":1}},"CWE-706: Use of Incorrectly-Resolved Name or Reference":{"javascript":{"":2}},"CWE-327: Use of a Broken or Risky Cryptographic Algorithm":{"javascript":{"":2}},"CWE-548: Exposure of Information Through Directory Listing":{"javascript":{"":1}},"CWE-1275: Sensitive Cookie with Improper SameSite Attribute":{"javascript":{"":7}},"CWE-601: URL Redirection to Untrusted Site ('Open Redirect')":{"javascript":{"":5}},"CWE-611: Improper Restriction of XML External Entity Reference":{"javascript":{"":5}},"CWE-732: Incorrect Permission Assignment for Critical Resource":{"javascript":{"":2}},"CWE-94: Improper Control of Generation of Code ('Code 
Injection')":{"javascript":{"":11}},"CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute":{"javascript":{"":5}},"CWE-451: User Interface (UI) Misrepresentation of Critical Information":{"javascript":{"":1}},"CWE-943: Improper Neutralization of Special Elements in Data Query Logic":{"javascript":{"":5}},"CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine":{"javascript":{"":1}},"CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')":{"javascript":{"":12}},"CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')":{"javascript":{"":1}},"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')":{"javascript":{"":6}},"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')":{"javascript":{"":21}},"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')":{"javascript":{"":1}},"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')":{"javascript":{"":3}},"CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')":{"javascript":{"":1}}},"rules_with_no_cwe":[]},"owasp":{"totals":{"":3,"A01:2017: Injection":31,"A03:2021: Injection":45,"A05:2025: Injection":45,"A04:2021: Insecure Design":9,"A06:2025: Insecure Design":9,"A01:2021: Broken Access Control":27,"A01:2025: Broken Access Control":56,"A02:2017: Broken Authentication":8,"A05:2017: Broken Access Control":12,"A02:2021: Cryptographic Failures":2,"A04:2025: Cryptographic Failures":2,"A03:2017: Sensitive Data Exposure":2,"A07:2025: Authentication Failures":9,"A08:2017: Insecure Deserialization":1,"A02:2025: Security Misconfiguration":14,"A05:2021: Security Misconfiguration":14,"A06:2017: Security Misconfiguration":1,"A07:2017: Cross-Site Scripting (XSS)":6,"A04:2017: XML External Entities (XXE)":5,"A10:2021: 
Server-Side Request Forgery (SSRF)":29,"A08:2025: Software or Data Integrity Failures":1,"A08:2021: Software and Data Integrity Failures":1,"A09:2025: Security Logging & Alerting Failures":1,"A09:2021: Security Logging and Monitoring Failures":1,"A07:2021: Identification and Authentication Failures":9},"per_framework":{"":{"javascript":{"":3}},"A01:2017: Injection":{"javascript":{"":31}},"A03:2021: Injection":{"javascript":{"":45}},"A05:2025: Injection":{"javascript":{"":45}},"A04:2021: Insecure Design":{"javascript":{"":9}},"A06:2025: Insecure Design":{"javascript":{"":9}},"A01:2021: Broken Access Control":{"javascript":{"":27}},"A01:2025: Broken Access Control":{"javascript":{"":56}},"A02:2017: Broken Authentication":{"javascript":{"":8}},"A05:2017: Broken Access Control":{"javascript":{"":12}},"A02:2021: Cryptographic Failures":{"javascript":{"":2}},"A04:2025: Cryptographic Failures":{"javascript":{"":2}},"A03:2017: Sensitive Data Exposure":{"javascript":{"":2}},"A07:2025: Authentication Failures":{"javascript":{"":9}},"A08:2017: Insecure Deserialization":{"javascript":{"":1}},"A02:2025: Security Misconfiguration":{"javascript":{"":14}},"A05:2021: Security Misconfiguration":{"javascript":{"":14}},"A06:2017: Security Misconfiguration":{"javascript":{"":1}},"A07:2017: Cross-Site Scripting (XSS)":{"javascript":{"":6}},"A04:2017: XML External Entities (XXE)":{"javascript":{"":5}},"A10:2021: Server-Side Request Forgery (SSRF)":{"javascript":{"":29}},"A08:2025: Software or Data Integrity Failures":{"javascript":{"":1}},"A08:2021: Software and Data Integrity Failures":{"javascript":{"":1}},"A09:2025: Security Logging & Alerting Failures":{"javascript":{"":1}},"A09:2021: Security Logging and Monitoring Failures":{"javascript":{"":1}},"A07:2021: Identification and Authentication 
Failures":{"javascript":{"":9}}},"rules_with_no_owasp":["regexp-redos","cookies-default-express","session-cookie-default-express"]}},"author":"Semgrep","counts":{"total_rules":145,"premium_rules":111},"username":"semgrep","languages":["JavaScript","TypeScript"],"description":"Default ruleset for Koa, curated by Semgrep.","id":"brnd","name":"koa","visibility":"public","categories":[]},{"stats":{"cwe":{"totals":{"CWE-94: Improper Control of Generation of Code ('Code Injection')":2,"CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')":3,"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')":97},"per_framework":{"CWE-94: Improper Control of Generation of Code ('Code Injection')":{"yaml":{"":1},"terraform":{"":1}},"CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')":{"python":{"":1},"terraform":{"":1},"javascript":{"":1}},"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')":{"go":{"":8},"cpp":{"":2},"php":{"":5},"java":{"":11},"ruby":{"":1},"rust":{"":6},"yaml":{"":2},"csharp":{"":3},"kotlin":{"":1},"python":{"":42},"generic":{"":8},"javascript":{"":8}}},"rules_with_no_cwe":[]},"owasp":{"totals":{"A01:2017: Injection":98,"A03:2021: Injection":99,"A05:2025: Injection":99,"A03:2021 – Injection":1},"per_framework":{"A01:2017: Injection":{"go":{"":8},"cpp":{"":2},"php":{"":4},"java":{"":11},"ruby":{"":1},"rust":{"":6},"yaml":{"":1},"csharp":{"":3},"kotlin":{"":1},"python":{"":43},"generic":{"":8},"terraform":{"":1},"javascript":{"":9}},"A03:2021: Injection":{"go":{"":8},"cpp":{"":2},"php":{"":5},"java":{"":11},"ruby":{"":1},"rust":{"":6},"yaml":{"":1},"csharp":{"":3},"kotlin":{"":1},"python":{"":43},"generic":{"":8},"terraform":{"":1},"javascript":{"":9}},"A05:2025: 
Injection":{"go":{"":8},"cpp":{"":2},"php":{"":5},"java":{"":11},"ruby":{"":1},"rust":{"":6},"yaml":{"":1},"csharp":{"":3},"kotlin":{"":1},"python":{"":43},"generic":{"":8},"terraform":{"":1},"javascript":{"":9}},"A03:2021 – Injection":{"yaml":{"":1}}},"rules_with_no_owasp":[]}},"author":"Semgrep","counts":{"total_rules":100,"premium_rules":70},"username":"semgrep","description":"Find Command Injection vulnerabilities in your code base.","id":"pQk","name":"command-injection","visibility":"public","categories":[{"id":"VJd","slug":"enforce-secure-guardrails","name":"Enforce Secure Guardrails","description":"Use Semgrep to ensure your code enforces secure defaults and framework protections, which can proactively eradicate entire classes of vulnerabilities. Avoid playing bug whack-a-mole and scale your security program."}]},{"tags":["security"],"stats":{"cwe":{"totals":{"CWE-328: Use of Weak Hash":1,"CWE-489: Active Debug Code":1,"CWE-287: Improper Authentication":5,"CWE-798: Use of Hard-coded Credentials":23,"CWE-326: Inadequate Encryption Strength":4,"CWE-918: Server-Side Request Forgery (SSRF)":2,"CWE-327: Use of a Broken or Risky Cryptographic Algorithm":5,"CWE-601: URL Redirection to Untrusted Site ('Open Redirect')":1,"CWE-94: Improper Control of Generation of Code ('Code Injection')":1,"CWE-943: Improper Neutralization of Special Elements in Data Query Logic":5,"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')":1,"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')":6,"CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')":15,"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')":1},"per_framework":{"CWE-328: Use of Weak Hash":{"kt":{"":1}},"CWE-489: Active Debug Code":{"kotlin":{"":1}},"CWE-287: Improper Authentication":{"kt":{"":1},"kotlin":{"":4}},"CWE-798: Use of Hard-coded 
Credentials":{"java":{"":1},"kotlin":{"":22}},"CWE-326: Inadequate Encryption Strength":{"kt":{"":1},"java":{"":3}},"CWE-918: Server-Side Request Forgery (SSRF)":{"kotlin":{"":2}},"CWE-327: Use of a Broken or Risky Cryptographic Algorithm":{"kt":{"":3},"kotlin":{"":2}},"CWE-601: URL Redirection to Untrusted Site ('Open Redirect')":{"kotlin":{"":1}},"CWE-94: Improper Control of Generation of Code ('Code Injection')":{"kotlin":{"":1}},"CWE-943: Improper Neutralization of Special Elements in Data Query Logic":{"kotlin":{"":5}},"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')":{"kotlin":{"":1}},"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')":{"kotlin":{"":6}},"CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')":{"kotlin":{"":15}},"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')":{"kotlin":{"":1}}},"rules_with_no_cwe":[]},"owasp":{"totals":{"":1,"A01:2017: Injection":12,"A03:2021: Injection":9,"A05:2025: Injection":9,"A01:2021: Broken Access Control":1,"A01:2025: Broken Access Control":3,"A02:2017: Broken Authentication":5,"A02:2021: Cryptographic Failures":10,"A04:2025: Cryptographic Failures":10,"A03:2017: Sensitive Data Exposure":10,"A07:2025: Authentication Failures":28,"A02:2025: Security Misconfiguration":15,"A05:2021: Security Misconfiguration":15,"A07:2017: Cross-Site Scripting (XSS)":1,"A04:2017: XML External Entities (XXE)":15,"A10:2021: Server-Side Request Forgery (SSRF)":2,"A07:2021: Identification and Authentication Failures":28},"per_framework":{"":{"kotlin":{"":1}},"A01:2017: Injection":{"kotlin":{"":12}},"A03:2021: Injection":{"kotlin":{"":9}},"A05:2025: Injection":{"kotlin":{"":9}},"A01:2021: Broken Access Control":{"kotlin":{"":1}},"A01:2025: Broken Access Control":{"kotlin":{"":3}},"A02:2017: Broken Authentication":{"kt":{"":1},"kotlin":{"":4}},"A02:2021: Cryptographic 
Failures":{"kt":{"":5},"java":{"":3},"kotlin":{"":2}},"A04:2025: Cryptographic Failures":{"kt":{"":5},"java":{"":3},"kotlin":{"":2}},"A03:2017: Sensitive Data Exposure":{"kt":{"":5},"java":{"":3},"kotlin":{"":2}},"A07:2025: Authentication Failures":{"kt":{"":1},"java":{"":1},"kotlin":{"":26}},"A02:2025: Security Misconfiguration":{"kotlin":{"":15}},"A05:2021: Security Misconfiguration":{"kotlin":{"":15}},"A07:2017: Cross-Site Scripting (XSS)":{"kotlin":{"":1}},"A04:2017: XML External Entities (XXE)":{"kotlin":{"":15}},"A10:2021: Server-Side Request Forgery (SSRF)":{"kotlin":{"":2}},"A07:2021: Identification and Authentication Failures":{"kt":{"":1},"java":{"":1},"kotlin":{"":26}}},"rules_with_no_owasp":["ktor-development-mode-gradle"]}},"author":"Semgrep","counts":{"total_rules":71,"premium_rules":61},"username":"semgrep","languages":["Kotlin"],"description":"Default ruleset for Kotlin, curated by Semgrep.","id":"108l","name":"kotlin","visibility":"public","categories":[]},{"tags":["security","owasp"],"stats":{"cwe":{"totals":{"CWE-91: XML Injection":1,"CWE-35: Path Traversal":1,"CWE-328: Use of Weak Hash":18,"CWE-384: Session Fixation":1,"CWE-489: Active Debug Code":6,"CWE-1390: Weak Authentication":1,"CWE-310: Cryptographic Issues":1,"CWE-778: Insufficient Logging":5,"CWE-682: Incorrect Calculation":1,"CWE-862: Missing Authorization":1,"CWE-23: Relative Path Traversal":2,"CWE-284: Improper Access Control":6,"CWE-287: Improper Authentication":58,"CWE-346: Origin Validation Error":9,"CWE-377: Insecure Temporary File":1,"CWE-476: NULL Pointer Dereference":1,"CWE-501: Trust Boundary Violation":3,"CWE-16: CWE CATEGORY: Configuration":1,"CWE-259: Use of Hard-coded Password":1,"CWE-521: Weak Password Requirements":2,"CWE-185: Incorrect Regular Expression":1,"CWE-269: Improper Privilege Management":3,"CWE-276: Incorrect Default Permissions":2,"CWE-798: Use of Hard-coded Credentials":177,"CWE-326: Inadequate Encryption Strength":40,"CWE-295: Improper Certificate 
Validation":9,"CWE-613: Insufficient Session Expiration":3,"CWE-290: Authentication Bypass by Spoofing":1,"CWE-352: Cross-Site Request Forgery (CSRF)":14,"CWE-502: Deserialization of Untrusted Data":102,"CWE-704: Incorrect Type Conversion or Cast":1,"CWE-780: Use of RSA Algorithm without OAEP":2,"CWE-300: Channel Accessible by Non-Endpoint":3,"CWE-310: CWE CATEGORY: Cryptographic Issues":2,"CWE-918: Server-Side Request Forgery (SSRF)":331,"CWE-320: CWE CATEGORY: Key Management Errors":8,"CWE-321: Use of Hard-coded Cryptographic Key":2,"CWE-330: Use of Insufficiently Random Values":1,"CWE-311: Missing Encryption of Sensitive Data":10,"CWE-522: Insufficiently Protected Credentials":27,"CWE-668: Exposure of Resource to Wrong Sphere":2,"CWE-73: External Control of File Name or Path":110,"CWE-749: Exposed Dangerous Method or Function":1,"CWE-250: Execution with Unnecessary Privileges":6,"CWE-116: Improper Encoding or Escaping of Output":2,"CWE-117: Improper Output Neutralization for Logs":6,"CWE-323: Reusing a Nonce, Key Pair in Encryption":1,"CWE-673: External Influence of Sphere Definition":1,"CWE-494: Download of Code Without Integrity Check":11,"CWE-91: XML Injection (aka Blind XPath Injection)":1,"CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag":24,"CWE-922: Insecure Storage of Sensitive Information":1,"CWE-1333: Inefficient Regular Expression Complexity":3,"CWE-322: Key Exchange without Entity Authentication":1,"CWE-329: Generation of Predictable IV with CBC Mode":2,"CWE-509: Replicating Malicious Code (Virus or Worm)":1,"CWE-1220: Insufficient Granularity of Access Control":4,"CWE-306: Missing Authentication for Critical Function":2,"CWE-706: Use of Incorrectly-Resolved Name or Reference":3,"CWE-345: Insufficient Verification of Data Authenticity":6,"CWE-319: Cleartext Transmission of Sensitive Information":22,"CWE-327: Use of a Broken or Risky Cryptographic Algorithm":85,"CWE-347: Improper Verification of Cryptographic Signature":2,"CWE-532: Insertion of 
Sensitive Information into Log File":2,"CWE-639: Authorization Bypass Through User-Controlled Key":1,"CWE-540: Inclusion of Sensitive Information in Source Code":1,"CWE-548: Exposure of Information Through Directory Listing":3,"CWE-926: Improper Export of Android Application Components":1,"CWE-1275: Sensitive Cookie with Improper SameSite Attribute":17,"CWE-358: Improperly Implemented Security Check for Standard":36,"CWE-601: URL Redirection to Untrusted Site ('Open Redirect')":25,"CWE-650: Trusting HTTP Permission Methods on the Server Side":1,"CWE-441: Unintended Proxy or Intermediary ('Confused Deputy')":2,"CWE-297: Improper Validation of Certificate with Host Mismatch":1,"CWE-611: Improper Restriction of XML External Entity Reference":77,"CWE-732: Incorrect Permission Assignment for Critical Resource":10,"CWE-942: Permissive Cross-domain Policy with Untrusted Domains":4,"CWE-913: Improper Control of Dynamically-Managed Code Resources":2,"CWE-94: Improper Control of Generation of Code ('Code Injection')":73,"CWE-337: Predictable Seed in Pseudo-Random Number Generator (PRNG)":2,"CWE-1236: Improper Neutralization of Formula Elements in a CSV File":2,"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor":20,"CWE-264: CWE CATEGORY: Permissions, Privileges, and Access Controls":2,"CWE-454: External Initialization of Trusted Variables or Data Stores":1,"CWE-916: Use of Password Hash With Insufficient Computational Effort":4,"CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')":4,"CWE-209: Generation of Error Message Containing Sensitive Information":1,"CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute":28,"CWE-644: Improper Neutralization of HTTP Headers for Scripting Syntax":36,"CWE-323: Nonces should be used for the present occasion and only once.":1,"CWE-451: User Interface (UI) Misrepresentation of Critical Information":1,"CWE-943: Improper Neutralization of Special Elements in Data Query Logic":26,"CWE-338: Use 
of Cryptographically Weak Pseudo-Random Number Generator (PRNG)":2,"CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine":1,"CWE-643: Improper Neutralization of Data within XPath Expressions ('XPath Injection')":14,"CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')":149,"CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes":1,"CWE-538: Insertion of Sensitive Information into Externally-Accessible File or Directory":1,"CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')":2,"CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')":1,"CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')":3,"CWE-79:Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')":1,"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')":82,"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')":320,"CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')":25,"CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')":43,"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')":21,"CWE-75: Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)":3,"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')":97,"CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')":2,"CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')":5,"CWE-329: Not using a random initialization Vector (IV) with Cipher Block Chaining (CBC) Mode causes algorithms to be susceptible to dictionary 
attacks.":1},"per_framework":{"CWE-91: XML Injection":{"python":{"":1}},"CWE-35: Path Traversal":{"swift":{"":1}},"CWE-328: Use of Weak Hash":{"go":{"":3},"kt":{"":1},"cpp":{"":1},"php":{"":1},"java":{"":4},"ruby":{"":3},"csharp":{"":1},"python":{"":2},"clojure":{"":2}},"CWE-384: Session Fixation":{"javascript":{"":1}},"CWE-489: Active Debug Code":{"go":{"":1},"php":{"":1},"java":{"":2},"python":{"":1},"generic":{"":1}},"CWE-1390: Weak Authentication":{"hcl":{"":1}},"CWE-310: Cryptographic Issues":{"python":{"":1}},"CWE-778: Insufficient Logging":{"hcl":{"":5}},"CWE-682: Incorrect Calculation":{"solidity":{"":1}},"CWE-862: Missing Authorization":{"csharp":{"":1}},"CWE-23: Relative Path Traversal":{"php":{"":1},"java":{"":1}},"CWE-284: Improper Access Control":{"php":{"":1},"ruby":{"":1},"yaml":{"":1},"python":{"":1},"generic":{"":2}},"CWE-287: Improper Authentication":{"go":{"":8},"js":{"":6},"kt":{"":1},"hcl":{"":1},"ruby":{"":6},"rust":{"":10},"yaml":{"":1},"swift":{"":1},"kotlin":{"":4},"python":{"":19},"javascript":{"":1}},"CWE-346: Origin Validation Error":{"go":{"":1},"java":{"":1},"generic":{"":1},"javascript":{"":6}},"CWE-377: Insecure Temporary File":{"python":{"":1}},"CWE-476: NULL Pointer Dereference":{"cpp":{"":1}},"CWE-501: Trust Boundary Violation":{"java":{"":3}},"CWE-16: CWE CATEGORY: Configuration":{"generic":{"":1}},"CWE-259: Use of Hard-coded Password":{"swift":{"":1}},"CWE-521: Weak Password Requirements":{"python":{"":2}},"CWE-185: Incorrect Regular Expression":{"ruby":{"":1}},"CWE-269: Improper Privilege Management":{"yaml":{"":1},"dockerfile":{"":2}},"CWE-276: Incorrect Default Permissions":{"ruby":{"":1},"python":{"":1}},"CWE-798: Use of Hard-coded Credentials":{"go":{"":11},"js":{"":24},"py":{"":1},"hcl":{"":1},"php":{"":1},"java":{"":22},"ruby":{"":18},"rust":{"":12},"yaml":{"":1},"regex":{"":1},"swift":{"":7},"csharp":{"":10},"kotlin":{"":22},"python":{"":37},"generic":{"":2},"javascript":{"":7}},"CWE-326: Inadequate Encryption 
Strength":{"go":{"":1},"kt":{"":1},"cpp":{"":1},"hcl":{"":16},"java":{"":6},"ruby":{"":1},"swift":{"":2},"python":{"":7},"generic":{"":2},"terraform":{"":2},"javascript":{"":1}},"CWE-295: Improper Certificate Validation":{"cpp":{"":2},"hcl":{"":1},"xml":{"":1},"ruby":{"":1},"swift":{"":1},"csharp":{"":1},"python":{"":2}},"CWE-613: Insufficient Session Expiration":{"csharp":{"":1},"python":{"":2}},"CWE-290: Authentication Bypass by Spoofing":{"generic":{"":1}},"CWE-352: Cross-Site Request Forgery (CSRF)":{"go":{"":4},"php":{"":2},"java":{"":1},"python":{"":6},"generic":{"":1}},"CWE-502: Deserialization of Untrusted Data":{"C#":{"":5},"go":{"":1},"php":{"":1},"java":{"":17},"ruby":{"":2},"swift":{"":2},"python":{"":73},"javascript":{"":1}},"CWE-704: Incorrect Type Conversion or Cast":{"python":{"":1}},"CWE-780: Use of RSA Algorithm without OAEP":{"scala":{"":1},"csharp":{"":1}},"CWE-300: Channel Accessible by Non-Endpoint":{"go":{"":3}},"CWE-310: CWE CATEGORY: Cryptographic Issues":{"javascript":{"":2}},"CWE-918: Server-Side Request Forgery (SSRF)":{"go":{"":6},"cpp":{"":1},"hcl":{"":1},"php":{"":7},"java":{"":18},"ruby":{"":1},"rust":{"":3},"scala":{"":1},"csharp":{"":5},"kotlin":{"":2},"python":{"":278},"generic":{"":1},"javascript":{"":7}},"CWE-320: CWE CATEGORY: Key Management Errors":{"hcl":{"":8}},"CWE-321: Use of Hard-coded Cryptographic Key":{"swift":{"":2}},"CWE-330: Use of Insufficiently Random Values":{"python":{"":1}},"CWE-311: Missing Encryption of Sensitive Data":{"ts":{"":1},"hcl":{"":4},"ruby":{"":1},"swift":{"":3},"typescript":{"":1}},"CWE-522: Insufficiently Protected Credentials":{"hcl":{"":1},"scala":{"":2},"python":{"":2},"generic":{"":15},"javascript":{"":7}},"CWE-668: Exposure of Resource to Wrong Sphere":{"python":{"":2}},"CWE-73: External Control of File Name or Path":{"ruby":{"":1},"python":{"":108},"javascript":{"":1}},"CWE-749: Exposed Dangerous Method or Function":{"yaml":{"":1}},"CWE-250: Execution with Unnecessary 
Privileges":{"hcl":{"":1},"json":{"":1},"yaml":{"":2},"dockerfile":{"":2}},"CWE-116: Improper Encoding or Escaping of Output":{"python":{"":2}},"CWE-117: Improper Output Neutralization for Logs":{"python":{"":4},"javascript":{"":2}},"CWE-323: Reusing a Nonce, Key Pair in Encryption":{"java":{"":1}},"CWE-673: External Influence of Sphere Definition":{"python":{"":1}},"CWE-494: Download of Code Without Integrity Check":{"generic":{"":11}},"CWE-91: XML Injection (aka Blind XPath Injection)":{"java":{"":1}},"CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag":{"go":{"":2},"php":{"":1},"java":{"":4},"csharp":{"":2},"python":{"":11},"javascript":{"":4}},"CWE-922: Insecure Storage of Sensitive Information":{"swift":{"":1}},"CWE-1333: Inefficient Regular Expression Complexity":{"C#":{"":2},"ruby":{"":1}},"CWE-322: Key Exchange without Entity Authentication":{"go":{"":1}},"CWE-329: Generation of Predictable IV with CBC Mode":{"php":{"":1},"java":{"":1}},"CWE-509: Replicating Malicious Code (Virus or Worm)":{"yaml":{"":1}},"CWE-1220: Insufficient Granularity of Access Control":{"hcl":{"":4}},"CWE-306: Missing Authentication for Critical Function":{"ts":{"":2}},"CWE-706: Use of Incorrectly-Resolved Name or Reference":{"C#":{"":1},"javascript":{"":2}},"CWE-345: Insufficient Verification of Data Authenticity":{"go":{"":1},"hcl":{"":1},"java":{"":1},"csharp":{"":1},"javascript":{"":2}},"CWE-319: Cleartext Transmission of Sensitive Information":{"go":{"":1},"ts":{"":1},"cpp":{"":1},"hcl":{"":3},"php":{"":1},"xml":{"":3},"html":{"":1},"java":{"":2},"yaml":{"":2},"python":{"":6},"typescript":{"":1}},"CWE-327: Use of a Broken or Risky Cryptographic Algorithm":{"go":{"":8},"kt":{"":3},"cpp":{"":2},"php":{"":1},"xml":{"":1},"java":{"":10},"ruby":{"":1},"swift":{"":9},"csharp":{"":6},"kotlin":{"":2},"python":{"":34},"clojure":{"":1},"javascript":{"":7}},"CWE-347: Improper Verification of Cryptographic Signature":{"csharp":{"":1},"javascript":{"":1}},"CWE-532: Insertion of Sensitive 
Information into Log File":{"java":{"":1},"python":{"":1}},"CWE-639: Authorization Bypass Through User-Controlled Key":{"ruby":{"":1}},"CWE-540: Inclusion of Sensitive Information in Source Code":{"ruby":{"":1}},"CWE-548: Exposure of Information Through Directory Listing":{"go":{"":1},"csharp":{"":1},"javascript":{"":1}},"CWE-926: Improper Export of Android Application Components":{"generic":{"":1}},"CWE-1275: Sensitive Cookie with Improper SameSite Attribute":{"go":{"":1},"java":{"":1},"csharp":{"":1},"python":{"":9},"javascript":{"":5}},"CWE-358: Improperly Implemented Security Check for Standard":{"python":{"":36}},"CWE-601: URL Redirection to Untrusted Site ('Open Redirect')":{"php":{"":1},"java":{"":11},"ruby":{"":2},"kotlin":{"":1},"python":{"":3},"javascript":{"":7}},"CWE-650: Trusting HTTP Permission Methods on the Server Side":{"ruby":{"":1}},"CWE-441: Unintended Proxy or Intermediary ('Confused Deputy')":{"yaml":{"":1},"generic":{"":1}},"CWE-297: Improper Validation of Certificate with Host Mismatch":{"java":{"":1}},"CWE-611: Improper Restriction of XML External Entity Reference":{"go":{"":2},"cpp":{"":4},"php":{"":4},"java":{"":45},"scala":{"":3},"swift":{"":1},"csharp":{"":4},"python":{"":7},"clojure":{"":1},"javascript":{"":6}},"CWE-732: Incorrect Permission Assignment for Critical Resource":{"hcl":{"":7},"yaml":{"":3}},"CWE-942: Permissive Cross-domain Policy with Untrusted Domains":{"csharp":{"":2},"python":{"":2}},"CWE-913: Improper Control of Dynamically-Managed Code Resources":{"go":{"":1},"yaml":{"":1}},"CWE-94: Improper Control of Generation of Code ('Code Injection')":{"go":{"":1},"php":{"":4},"bash":{"":1},"ruby":{"":4},"yaml":{"":2},"csharp":{"":3},"kotlin":{"":1},"python":{"":35},"generic":{"":3},"terraform":{"":1},"javascript":{"":18}},"CWE-337: Predictable Seed in Pseudo-Random Number Generator (PRNG)":{"cpp":{"":2}},"CWE-1236: Improper Neutralization of Formula Elements in a CSV File":{"python":{"":2}},"CWE-200: Exposure of Sensitive 
Information to an Unauthorized Actor":{"go":{"":2},"hcl":{"":1},"php":{"":1},"java":{"":2},"ruby":{"":1},"yaml":{"":2},"csharp":{"":1},"python":{"":2},"generic":{"":7},"javascript":{"":1}},"CWE-264: CWE CATEGORY: Permissions, Privileges, and Access Controls":{"json":{"":2}},"CWE-454: External Initialization of Trusted Variables or Data Stores":{"java":{"":1}},"CWE-916: Use of Password Hash With Insufficient Computational Effort":{"swift":{"":3},"javascript":{"":1}},"CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')":{"java":{"":3},"python":{"":1}},"CWE-209: Generation of Error Message Containing Sensitive Information":{"csharp":{"":1}},"CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute":{"go":{"":2},"php":{"":1},"java":{"":4},"csharp":{"":2},"python":{"":13},"generic":{"":2},"javascript":{"":4}},"CWE-644: Improper Neutralization of HTTP Headers for Scripting Syntax":{"java":{"":2},"python":{"":34}},"CWE-323: Nonces should be used for the present occasion and only once.":{"swift":{"":1}},"CWE-451: User Interface (UI) Misrepresentation of Critical Information":{"javascript":{"":1}},"CWE-943: Improper Neutralization of Special Elements in Data Query Logic":{"go":{"":4},"rust":{"":3},"csharp":{"":2},"kotlin":{"":5},"python":{"":4},"javascript":{"":8}},"CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)":{"go":{"":1},"csharp":{"":1}},"CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine":{"javascript":{"":1}},"CWE-643: Improper Neutralization of Data within XPath Expressions ('XPath Injection')":{"java":{"":7},"csharp":{"":3},"python":{"":3},"javascript":{"":1}},"CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')":{"go":{"":6},"cpp":{"":1},"php":{"":2},"java":{"":10},"ruby":{"":4},"rust":{"":3},"csharp":{"":67},"python":{"":34},"generic":{"":1},"javascript":{"":21}},"CWE-915: Improperly Controlled Modification of Dynamically-Determined Object 
Attributes":{"csharp":{"":1}},"CWE-538: Insertion of Sensitive Information into Externally-Accessible File or Directory":{"generic":{"":1}},"CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')":{"hcl":{"":1},"generic":{"":1}},"CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')":{"php":{"":1}},"CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')":{"python":{"":1},"terraform":{"":1},"javascript":{"":1}},"CWE-79:Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')":{"swift":{"":1}},"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')":{"go":{"":8},"php":{"":5},"java":{"":17},"ruby":{"":3},"scala":{"":1},"swift":{"":1},"csharp":{"":4},"kotlin":{"":1},"python":{"":11},"generic":{"":3},"javascript":{"":12},"typescript":{"":16}},"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')":{"go":{"":21},"cpp":{"":1},"php":{"":8},"java":{"":19},"ruby":{"":8},"rust":{"":12},"scala":{"":3},"swift":{"":1},"csharp":{"":35},"kotlin":{"":6},"python":{"":169},"javascript":{"":37}},"CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')":{"cpp":{"":2},"java":{"":4},"csharp":{"":1},"python":{"":18}},"CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')":{"java":{"":25},"kotlin":{"":15},"python":{"":3}},"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')":{"php":{"":1},"bash":{"":1},"java":{"":3},"python":{"":13},"generic":{"":1},"javascript":{"":2}},"CWE-75: Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)":{"python":{"":3}},"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command 
Injection')":{"go":{"":8},"cpp":{"":2},"php":{"":5},"java":{"":11},"ruby":{"":1},"rust":{"":6},"yaml":{"":2},"csharp":{"":3},"kotlin":{"":1},"python":{"":42},"generic":{"":8},"javascript":{"":8}},"CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')":{"java":{"":1},"generic":{"":1}},"CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')":{"python":{"":2},"javascript":{"":3}},"CWE-329: Not using a random initialization Vector (IV) with Cipher Block Chaining (CBC) Mode causes algorithms to be susceptible to dictionary attacks.":{"swift":{"":1}}},"rules_with_no_cwe":[]},"owasp":{"totals":{"A01:2017: Injection":483,"A03:2021: Injection":695,"A05:2025: Injection":695,"A03:2021 – Injection":1,"A04:2021 Insecure Design":2,"A6:2017 misconfiguration":1,"A04:2021: Insecure Design":158,"A06:2025: Insecure Design":158,"LLM08:2023: Excessive Agency":1,"A01:2021: Broken Access Control":254,"A01:2025: Broken Access Control":574,"A02:2017: Broken Authentication":60,"A05:2017: Broken Access Control":159,"A3:2017 Sensitive Data Exposure":1,"A02:2021: Cryptographic Failures":181,"A04:2025: Cryptographic Failures":181,"A8:2017 Insecure Deserialization":1,"A03:2017: Sensitive Data Exposure":186,"A05:2017: Sensitive Data Exposure":1,"A07:2025: Authentication Failures":266,"A5:2021 Security Misconfiguration":1,"A05:2021-Security misconfiguration":36,"A08:2017: Insecure Deserialization":101,"A02:2021 – Cryptographic Failures":3,"A02:2025: Security Misconfiguration":175,"A05:2021: Security Misconfiguration":176,"A06:2017: Security Misconfiguration":20,"A07:2017: Cross-Site Scripting (XSS)":83,"A04:2017: XML External Entities (XXE)":95,"A05:2021 – Security Misconfiguration":2,"A10:2004: Insecure Configuration Management":2,"A10:2017: Insufficient Logging & Monitoring":3,"A10:2021: Server-Side Request Forgery (SSRF)":331,"A8:2021 Software and Data Integrity Failures":1,"A08:2025: Software 
or Data Integrity Failures":117,"A08:2021: Software and Data Integrity Failures":118,"A09:2025: Security Logging & Alerting Failures":13,"A10:2025: Mishandling of Exceptional Conditions":1,"A09:2021 Security Logging and Monitoring Failures":1,"A09:2021: Security Logging and Monitoring Failures":13,"A7:2021 Identification and Authentication Failures":1,"A07:2021 Identification and Authentication Failures":1,"A07:2021: Identification and Authentication Failures":266},"per_framework":{"A01:2017: Injection":{"C#":{"":2},"go":{"":33},"cpp":{"":5},"php":{"":13},"java":{"":38},"ruby":{"":9},"rust":{"":21},"yaml":{"":3},"scala":{"":3},"swift":{"":1},"csharp":{"":41},"kotlin":{"":12},"python":{"":237},"generic":{"":9},"terraform":{"":1},"javascript":{"":55}},"A03:2021: Injection":{"go":{"":38},"cpp":{"":5},"php":{"":24},"bash":{"":2},"java":{"":69},"ruby":{"":16},"rust":{"":18},"yaml":{"":3},"scala":{"":4},"swift":{"":3},"csharp":{"":49},"kotlin":{"":9},"python":{"":339},"generic":{"":16},"terraform":{"":1},"javascript":{"":83},"typescript":{"":16}},"A05:2025: Injection":{"go":{"":38},"cpp":{"":5},"php":{"":24},"bash":{"":2},"java":{"":69},"ruby":{"":16},"rust":{"":18},"yaml":{"":3},"scala":{"":4},"swift":{"":3},"csharp":{"":49},"kotlin":{"":9},"python":{"":339},"generic":{"":16},"terraform":{"":1},"javascript":{"":83},"typescript":{"":16}},"A03:2021 – Injection":{"yaml":{"":1}},"A04:2021 Insecure Design":{"yaml":{"":2}},"A6:2017 misconfiguration":{"python":{"":1}},"A04:2021: Insecure Design":{"ts":{"":1},"hcl":{"":6},"java":{"":3},"ruby":{"":3},"scala":{"":2},"swift":{"":3},"csharp":{"":1},"python":{"":110},"generic":{"":16},"dockerfile":{"":3},"javascript":{"":9},"typescript":{"":1}},"A06:2025: Insecure Design":{"ts":{"":1},"hcl":{"":6},"java":{"":3},"ruby":{"":3},"scala":{"":2},"swift":{"":3},"csharp":{"":1},"python":{"":110},"generic":{"":16},"dockerfile":{"":3},"javascript":{"":9},"typescript":{"":1}},"LLM08:2023: Excessive Agency":{"yaml":{"":1}},"A01:2021: Broken 
Access Control":{"C#":{"":1},"go":{"":14},"cpp":{"":1},"hcl":{"":5},"php":{"":6},"java":{"":26},"json":{"":2},"ruby":{"":12},"rust":{"":3},"yaml":{"":3},"swift":{"":2},"csharp":{"":71},"kotlin":{"":1},"python":{"":58},"generic":{"":12},"javascript":{"":37}},"A01:2025: Broken Access Control":{"C#":{"":1},"go":{"":18},"cpp":{"":2},"hcl":{"":6},"php":{"":12},"java":{"":42},"json":{"":2},"ruby":{"":13},"rust":{"":6},"yaml":{"":3},"scala":{"":1},"swift":{"":2},"csharp":{"":74},"kotlin":{"":3},"python":{"":334},"generic":{"":13},"javascript":{"":42}},"A02:2017: Broken Authentication":{"go":{"":8},"js":{"":3},"kt":{"":1},"hcl":{"":2},"rust":{"":10},"scala":{"":2},"swift":{"":1},"csharp":{"":1},"kotlin":{"":4},"python":{"":5},"generic":{"":15},"javascript":{"":8}},"A05:2017: Broken Access Control":{"go":{"":9},"cpp":{"":1},"hcl":{"":2},"php":{"":1},"java":{"":10},"ruby":{"":7},"rust":{"":3},"yaml":{"":1},"csharp":{"":67},"python":{"":34},"generic":{"":3},"javascript":{"":21}},"A3:2017 Sensitive Data Exposure":{"generic":{"":1}},"A02:2021: Cryptographic Failures":{"go":{"":15},"kt":{"":5},"ts":{"":1},"cpp":{"":7},"hcl":{"":19},"php":{"":4},"xml":{"":4},"html":{"":1},"java":{"":23},"ruby":{"":5},"yaml":{"":2},"scala":{"":1},"swift":{"":18},"csharp":{"":10},"kotlin":{"":2},"python":{"":46},"clojure":{"":2},"generic":{"":2},"terraform":{"":2},"javascript":{"":11},"typescript":{"":1}},"A04:2025: Cryptographic Failures":{"go":{"":15},"kt":{"":5},"ts":{"":1},"cpp":{"":7},"hcl":{"":19},"php":{"":4},"xml":{"":4},"html":{"":1},"java":{"":23},"ruby":{"":5},"yaml":{"":2},"scala":{"":1},"swift":{"":18},"csharp":{"":10},"kotlin":{"":2},"python":{"":46},"clojure":{"":2},"generic":{"":2},"terraform":{"":2},"javascript":{"":11},"typescript":{"":1}},"A8:2017 Insecure Deserialization":{"java":{"":1}},"A03:2017: Sensitive Data 
Exposure":{"go":{"":13},"kt":{"":5},"ts":{"":2},"cpp":{"":7},"hcl":{"":32},"php":{"":3},"xml":{"":5},"html":{"":1},"java":{"":22},"ruby":{"":8},"yaml":{"":2},"swift":{"":15},"csharp":{"":6},"kotlin":{"":2},"python":{"":47},"clojure":{"":2},"generic":{"":2},"terraform":{"":2},"javascript":{"":8},"typescript":{"":2}},"A05:2017: Sensitive Data Exposure":{"hcl":{"":1}},"A07:2025: Authentication Failures":{"go":{"":22},"js":{"":30},"kt":{"":1},"py":{"":1},"ts":{"":2},"cpp":{"":2},"hcl":{"":4},"php":{"":1},"xml":{"":1},"java":{"":24},"ruby":{"":25},"rust":{"":22},"yaml":{"":1},"regex":{"":1},"swift":{"":10},"csharp":{"":12},"kotlin":{"":26},"python":{"":62},"generic":{"":4},"javascript":{"":15}},"A5:2021 Security Misconfiguration":{"generic":{"":1}},"A05:2021-Security misconfiguration":{"python":{"":36}},"A08:2017: Insecure Deserialization":{"C#":{"":5},"go":{"":1},"php":{"":1},"java":{"":16},"ruby":{"":2},"swift":{"":2},"python":{"":73},"javascript":{"":1}},"A02:2021 – Cryptographic Failures":{"python":{"":3}},"A02:2025: Security Misconfiguration":{"go":{"":7},"cpp":{"":4},"hcl":{"":8},"php":{"":9},"java":{"":55},"json":{"":1},"yaml":{"":6},"scala":{"":3},"swift":{"":1},"csharp":{"":10},"kotlin":{"":15},"python":{"":36},"clojure":{"":1},"generic":{"":3},"dockerfile":{"":1},"javascript":{"":15}},"A05:2021: Security Misconfiguration":{"go":{"":7},"cpp":{"":4},"hcl":{"":8},"php":{"":9},"java":{"":55},"json":{"":1},"yaml":{"":6},"scala":{"":3},"swift":{"":1},"csharp":{"":10},"kotlin":{"":15},"python":{"":36},"clojure":{"":1},"generic":{"":4},"dockerfile":{"":1},"javascript":{"":15}},"A06:2017: Security Misconfiguration":{"go":{"":1},"hcl":{"":1},"php":{"":3},"java":{"":2},"json":{"":1},"yaml":{"":7},"csharp":{"":2},"python":{"":1},"generic":{"":1},"javascript":{"":1}},"A07:2017: Cross-Site Scripting 
(XSS)":{"go":{"":8},"php":{"":5},"java":{"":17},"ruby":{"":3},"scala":{"":1},"swift":{"":2},"csharp":{"":4},"kotlin":{"":1},"python":{"":11},"generic":{"":3},"javascript":{"":12},"typescript":{"":16}},"A04:2017: XML External Entities (XXE)":{"go":{"":2},"cpp":{"":4},"php":{"":4},"java":{"":45},"scala":{"":3},"swift":{"":1},"csharp":{"":4},"kotlin":{"":15},"python":{"":10},"clojure":{"":1},"javascript":{"":6}},"A05:2021 – Security Misconfiguration":{"go":{"":1},"python":{"":1}},"A10:2004: Insecure Configuration Management":{"java":{"":2}},"A10:2017: Insufficient Logging & Monitoring":{"go":{"":1},"hcl":{"":2}},"A10:2021: Server-Side Request Forgery (SSRF)":{"go":{"":6},"cpp":{"":1},"hcl":{"":1},"php":{"":7},"java":{"":18},"ruby":{"":1},"rust":{"":3},"scala":{"":1},"csharp":{"":5},"kotlin":{"":2},"python":{"":278},"generic":{"":1},"javascript":{"":7}},"A8:2021 Software and Data Integrity Failures":{"java":{"":1}},"A08:2025: Software or Data Integrity Failures":{"C#":{"":5},"go":{"":1},"hcl":{"":1},"php":{"":1},"java":{"":17},"ruby":{"":2},"swift":{"":2},"csharp":{"":2},"python":{"":73},"generic":{"":11},"javascript":{"":2}},"A08:2021: Software and Data Integrity Failures":{"C#":{"":5},"go":{"":2},"hcl":{"":1},"php":{"":1},"java":{"":17},"ruby":{"":2},"swift":{"":2},"csharp":{"":2},"python":{"":73},"generic":{"":11},"javascript":{"":2}},"A09:2025: Security Logging & Alerting Failures":{"go":{"":1},"hcl":{"":4},"java":{"":1},"python":{"":5},"javascript":{"":2}},"A10:2025: Mishandling of Exceptional Conditions":{"cpp":{"":1}},"A09:2021 Security Logging and Monitoring Failures":{"hcl":{"":1}},"A09:2021: Security Logging and Monitoring Failures":{"go":{"":1},"hcl":{"":4},"java":{"":1},"python":{"":5},"javascript":{"":2}},"A7:2021 Identification and Authentication Failures":{"solidity":{"":1}},"A07:2021 Identification and Authentication Failures":{"yaml":{"":1}},"A07:2021: Identification and Authentication 
Failures":{"go":{"":22},"js":{"":30},"kt":{"":1},"py":{"":1},"ts":{"":2},"cpp":{"":2},"hcl":{"":4},"php":{"":1},"xml":{"":1},"java":{"":24},"ruby":{"":25},"rust":{"":22},"yaml":{"":1},"regex":{"":1},"swift":{"":10},"csharp":{"":12},"kotlin":{"":26},"python":{"":62},"generic":{"":4},"javascript":{"":15}}},"rules_with_no_owasp":[]}},"author":"Semgrep","counts":{"total_rules":2283,"premium_rules":1739},"username":"semgrep","description":"The OWASP Top 10 is an industry-recognized report of top web application security risks. Use this ruleset to scan for OWASP Top 10 vulnerabilities.","id":"Kr6","name":"owasp-top-ten","visibility":"public","categories":[{"id":"MPe","slug":"quick-start","name":"Getting Started","description":"These rulesets cover a wide range of use cases. Start here to get up and running quickly."}]},{"tags":["security"],"stats":{"cwe":{"totals":{"CWE-35: Path Traversal":1,"CWE-287: Improper Authentication":1,"CWE-477: Use of Obsolete Function":2,"CWE-272: Least Privilege Violation":12,"CWE-259: Use of Hard-coded Password":1,"CWE-798: Use of Hard-coded Credentials":7,"CWE-326: Inadequate Encryption Strength":2,"CWE-295: Improper Certificate Validation":2,"CWE-502: Deserialization of Untrusted Data":2,"CWE-321: Use of Hard-coded Cryptographic Key":2,"CWE-311: Missing Encryption of Sensitive Data":3,"CWE-305: Authentication Bypass by Primary Weakness":3,"CWE-922: Insecure Storage of Sensitive Information":1,"CWE-134: Use of Externally-Controlled Format String":1,"CWE-319: Cleartext Transmission of Sensitive Information":3,"CWE-327: Use of a Broken or Risky Cryptographic Algorithm":10,"CWE-296: Improper Following of a Certificate's Chain of Trust":1,"CWE-611: Improper Restriction of XML External Entity Reference":1,"CWE-916: Use of Password Hash With Insufficient Computational Effort":3,"CWE-323: Nonces should be used for the present occasion and only once.":1,"CWE-757: Selection of Less-Secure Algorithm During Negotiation ('Algorithm 
Downgrade')":1,"CWE-79:Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')":1,"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')":1,"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')":1,"CWE-329: Not using a random initialization Vector (IV) with Cipher Block Chaining (CBC) Mode causes algorithms to be susceptible to dictionary attacks.":1},"per_framework":{"CWE-35: Path Traversal":{"swift":{"":1}},"CWE-287: Improper Authentication":{"swift":{"":1}},"CWE-477: Use of Obsolete Function":{"swift":{"":2}},"CWE-272: Least Privilege Violation":{"xml":{"":2},"swift":{"":10}},"CWE-259: Use of Hard-coded Password":{"swift":{"":1}},"CWE-798: Use of Hard-coded Credentials":{"swift":{"":7}},"CWE-326: Inadequate Encryption Strength":{"swift":{"":2}},"CWE-295: Improper Certificate Validation":{"xml":{"":1},"swift":{"":1}},"CWE-502: Deserialization of Untrusted Data":{"swift":{"":2}},"CWE-321: Use of Hard-coded Cryptographic Key":{"swift":{"":2}},"CWE-311: Missing Encryption of Sensitive Data":{"swift":{"":3}},"CWE-305: Authentication Bypass by Primary Weakness":{"swift":{"":3}},"CWE-922: Insecure Storage of Sensitive Information":{"swift":{"":1}},"CWE-134: Use of Externally-Controlled Format String":{"swift":{"":1}},"CWE-319: Cleartext Transmission of Sensitive Information":{"xml":{"":3}},"CWE-327: Use of a Broken or Risky Cryptographic Algorithm":{"xml":{"":1},"swift":{"":9}},"CWE-296: Improper Following of a Certificate's Chain of Trust":{"xml":{"":1}},"CWE-611: Improper Restriction of XML External Entity Reference":{"swift":{"":1}},"CWE-916: Use of Password Hash With Insufficient Computational Effort":{"swift":{"":3}},"CWE-323: Nonces should be used for the present occasion and only once.":{"swift":{"":1}},"CWE-757: Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')":{"xml":{"":1}},"CWE-79:Improper Neutralization of Input During Web 
Page Generation ('Cross-site Scripting')":{"swift":{"":1}},"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')":{"swift":{"":1}},"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')":{"swift":{"":1}},"CWE-329: Not using a random initialization Vector (IV) with Cipher Block Chaining (CBC) Mode causes algorithms to be susceptible to dictionary attacks.":{"swift":{"":1}}},"rules_with_no_cwe":[]},"owasp":{"totals":{"":20,"A01:2017: Injection":1,"A03:2021: Injection":3,"A05:2025: Injection":3,"A04:2021: Insecure Design":3,"A06:2025: Insecure Design":3,"A01:2021: Broken Access Control":2,"A01:2025: Broken Access Control":2,"A02:2017: Broken Authentication":1,"A02:2021: Cryptographic Failures":22,"A04:2025: Cryptographic Failures":22,"A03:2017: Sensitive Data Exposure":20,"A07:2025: Authentication Failures":11,"A08:2017: Insecure Deserialization":2,"A02:2025: Security Misconfiguration":1,"A05:2021: Security Misconfiguration":1,"A07:2017: Cross-Site Scripting (XSS)":2,"A04:2017: XML External Entities (XXE)":1,"A08:2025: Software or Data Integrity Failures":2,"A08:2021: Software and Data Integrity Failures":2,"A07:2021: Identification and Authentication Failures":11},"per_framework":{"":{"xml":{"":4},"swift":{"":16}},"A01:2017: Injection":{"swift":{"":1}},"A03:2021: Injection":{"swift":{"":3}},"A05:2025: Injection":{"swift":{"":3}},"A04:2021: Insecure Design":{"swift":{"":3}},"A06:2025: Insecure Design":{"swift":{"":3}},"A01:2021: Broken Access Control":{"swift":{"":2}},"A01:2025: Broken Access Control":{"swift":{"":2}},"A02:2017: Broken Authentication":{"swift":{"":1}},"A02:2021: Cryptographic Failures":{"xml":{"":4},"swift":{"":18}},"A04:2025: Cryptographic Failures":{"xml":{"":4},"swift":{"":18}},"A03:2017: Sensitive Data Exposure":{"xml":{"":5},"swift":{"":15}},"A07:2025: Authentication Failures":{"xml":{"":1},"swift":{"":10}},"A08:2017: Insecure 
Deserialization":{"swift":{"":2}},"A02:2025: Security Misconfiguration":{"swift":{"":1}},"A05:2021: Security Misconfiguration":{"swift":{"":1}},"A07:2017: Cross-Site Scripting (XSS)":{"swift":{"":2}},"A04:2017: XML External Entities (XXE)":{"swift":{"":1}},"A08:2025: Software or Data Integrity Failures":{"swift":{"":2}},"A08:2021: Software and Data Integrity Failures":{"swift":{"":2}},"A07:2021: Identification and Authentication Failures":{"xml":{"":1},"swift":{"":10}}},"rules_with_no_owasp":["keychain-acl-allows-biometry-changes","keychain-accessible-always","keychain-device-sync","insecure-biometrics","verify-biometric-changes","keychain-passcode-fallback","ATS-local-networking","ATS-consider-pinning","ATS-CA-pins","ATS-minimum-tls-version","swift-named-persistent-pasteboards","swift-forbidden-ios-apis","swift-format-string","swift-webview-config-allows-js","swift-webview-config-base-url","swift-webview-config-allows-file-access","swift-webview-config-fraudulent-site-warning","swift-webview-config-https-upgrade","swift-webview-config-allows-js-open-windows","swift-webview-config-allows-universal-file-access"]}},"author":"Semgrep","counts":{"total_rules":64,"premium_rules":62},"username":"semgrep","languages":["swift"],"description":"Default ruleset for Swift, curated by Semgrep.","id":"GwNy","name":"swift","visibility":"public","categories":[]},{"tags":["security"],"stats":{"cwe":{"totals":{"CWE-918: Server-Side Request Forgery (SSRF)":4,"CWE-611: Improper Restriction of XML External Entity Reference":1,"CWE-942: Permissive Cross-domain Policy with Untrusted Domains":1,"CWE-94: Improper Control of Generation of Code ('Code Injection')":2,"CWE-943: Improper Neutralization of Special Elements in Data Query Logic":2,"CWE-643: Improper Neutralization of Data within XPath Expressions ('XPath Injection')":2,"CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')":66,"CWE-79: Improper Neutralization of Input During Web Page Generation 
('Cross-site Scripting')":4,"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')":34,"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')":2},"per_framework":{"CWE-918: Server-Side Request Forgery (SSRF)":{"csharp":{"":4}},"CWE-611: Improper Restriction of XML External Entity Reference":{"csharp":{"":1}},"CWE-942: Permissive Cross-domain Policy with Untrusted Domains":{"csharp":{"":1}},"CWE-94: Improper Control of Generation of Code ('Code Injection')":{"csharp":{"":2}},"CWE-943: Improper Neutralization of Special Elements in Data Query Logic":{"csharp":{"":2}},"CWE-643: Improper Neutralization of Data within XPath Expressions ('XPath Injection')":{"csharp":{"":2}},"CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')":{"csharp":{"":66}},"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')":{"csharp":{"":4}},"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')":{"csharp":{"":34}},"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')":{"csharp":{"":2}}},"rules_with_no_cwe":[]},"owasp":{"totals":{"A01:2017: Injection":38,"A03:2021: Injection":44,"A05:2025: Injection":44,"A01:2021: Broken Access Control":66,"A01:2025: Broken Access Control":70,"A05:2017: Broken Access Control":66,"A02:2025: Security Misconfiguration":2,"A05:2021: Security Misconfiguration":2,"A07:2017: Cross-Site Scripting (XSS)":4,"A04:2017: XML External Entities (XXE)":1,"A10:2021: Server-Side Request Forgery (SSRF)":4},"per_framework":{"A01:2017: Injection":{"csharp":{"":38}},"A03:2021: Injection":{"csharp":{"":44}},"A05:2025: Injection":{"csharp":{"":44}},"A01:2021: Broken Access Control":{"csharp":{"":66}},"A01:2025: Broken Access Control":{"csharp":{"":70}},"A05:2017: Broken Access Control":{"csharp":{"":66}},"A02:2025: Security 
Misconfiguration":{"csharp":{"":2}},"A05:2021: Security Misconfiguration":{"csharp":{"":2}},"A07:2017: Cross-Site Scripting (XSS)":{"csharp":{"":4}},"A04:2017: XML External Entities (XXE)":{"csharp":{"":1}},"A10:2021: Server-Side Request Forgery (SSRF)":{"csharp":{"":4}}},"rules_with_no_owasp":[]}},"author":"Semgrep","counts":{"total_rules":118,"premium_rules":118},"hidden":true,"username":"semgrep","languages":["csharp"],"description":"C# interfile rules","id":"BLdx","name":"csharp-interfile","visibility":"public","categories":[]},{"tags":["security"],"stats":{"cwe":{"totals":{"CWE-91: XML Injection":1,"CWE-328: Use of Weak Hash":2,"CWE-489: Active Debug Code":3,"CWE-310: Cryptographic Issues":1,"CWE-284: Improper Access Control":1,"CWE-287: Improper Authentication":19,"CWE-377: Insecure Temporary File":1,"CWE-20: Improper Input Validation":1,"CWE-477: Use of Obsolete Function":1,"CWE-521: Weak Password Requirements":2,"CWE-276: Incorrect Default Permissions":1,"CWE-798: Use of Hard-coded Credentials":38,"CWE-326: Inadequate Encryption Strength":7,"CWE-295: Improper Certificate Validation":2,"CWE-613: Insufficient Session Expiration":2,"CWE-352: Cross-Site Request Forgery (CSRF)":6,"CWE-502: Deserialization of Untrusted Data":73,"CWE-704: Incorrect Type Conversion or Cast":3,"CWE-918: Server-Side Request Forgery (SSRF)":278,"CWE-330: Use of Insufficiently Random Values":1,"CWE-522: Insufficiently Protected Credentials":2,"CWE-668: Exposure of Resource to Wrong Sphere":2,"CWE-73: External Control of File Name or Path":108,"CWE-116: Improper Encoding or Escaping of Output":2,"CWE-117: Improper Output Neutralization for Logs":4,"CWE-673: External Influence of Sphere Definition":1,"CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag":11,"CWE-1333: Inefficient Regular Expression Complexity":3,"CWE-319: Cleartext Transmission of Sensitive Information":6,"CWE-327: Use of a Broken or Risky Cryptographic Algorithm":34,"CWE-532: Insertion of Sensitive Information into Log 
File":1,"CWE-1275: Sensitive Cookie with Improper SameSite Attribute":9,"CWE-358: Improperly Implemented Security Check for Standard":36,"CWE-601: URL Redirection to Untrusted Site ('Open Redirect')":3,"CWE-611: Improper Restriction of XML External Entity Reference":7,"CWE-942: Permissive Cross-domain Policy with Untrusted Domains":2,"CWE-94: Improper Control of Generation of Code ('Code Injection')":35,"CWE-1236: Improper Neutralization of Formula Elements in a CSV File":2,"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor":2,"CWE-454: External Initialization of Trusted Variables or Data Stores":6,"CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')":1,"CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute":13,"CWE-644: Improper Neutralization of HTTP Headers for Scripting Syntax":34,"CWE-943: Improper Neutralization of Special Elements in Data Query Logic":4,"CWE-643: Improper Neutralization of Data within XPath Expressions ('XPath Injection')":3,"CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')":34,"CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')":1,"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')":11,"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')":169,"CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')":18,"CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')":3,"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')":13,"CWE-75: Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)":3,"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')":42,"CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component 
('Injection')":2},"per_framework":{"CWE-91: XML Injection":{"python":{"":1}},"CWE-328: Use of Weak Hash":{"python":{"":2}},"CWE-489: Active Debug Code":{"python":{"":3}},"CWE-310: Cryptographic Issues":{"python":{"":1}},"CWE-284: Improper Access Control":{"python":{"":1}},"CWE-287: Improper Authentication":{"python":{"":19}},"CWE-377: Insecure Temporary File":{"python":{"":1}},"CWE-20: Improper Input Validation":{"python":{"":1}},"CWE-477: Use of Obsolete Function":{"python":{"":1}},"CWE-521: Weak Password Requirements":{"python":{"":2}},"CWE-276: Incorrect Default Permissions":{"python":{"":1}},"CWE-798: Use of Hard-coded Credentials":{"py":{"":1},"python":{"":37}},"CWE-326: Inadequate Encryption Strength":{"python":{"":7}},"CWE-295: Improper Certificate Validation":{"python":{"":2}},"CWE-613: Insufficient Session Expiration":{"python":{"":2}},"CWE-352: Cross-Site Request Forgery (CSRF)":{"python":{"":6}},"CWE-502: Deserialization of Untrusted Data":{"python":{"":73}},"CWE-704: Incorrect Type Conversion or Cast":{"python":{"":3}},"CWE-918: Server-Side Request Forgery (SSRF)":{"python":{"":278}},"CWE-330: Use of Insufficiently Random Values":{"python":{"":1}},"CWE-522: Insufficiently Protected Credentials":{"python":{"":2}},"CWE-668: Exposure of Resource to Wrong Sphere":{"python":{"":2}},"CWE-73: External Control of File Name or Path":{"python":{"":108}},"CWE-116: Improper Encoding or Escaping of Output":{"python":{"":2}},"CWE-117: Improper Output Neutralization for Logs":{"python":{"":4}},"CWE-673: External Influence of Sphere Definition":{"python":{"":1}},"CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag":{"python":{"":11}},"CWE-1333: Inefficient Regular Expression Complexity":{"python":{"":3}},"CWE-319: Cleartext Transmission of Sensitive Information":{"python":{"":6}},"CWE-327: Use of a Broken or Risky Cryptographic Algorithm":{"python":{"":34}},"CWE-532: Insertion of Sensitive Information into Log File":{"python":{"":1}},"CWE-1275: Sensitive Cookie with 
Improper SameSite Attribute":{"python":{"":9}},"CWE-358: Improperly Implemented Security Check for Standard":{"python":{"":36}},"CWE-601: URL Redirection to Untrusted Site ('Open Redirect')":{"python":{"":3}},"CWE-611: Improper Restriction of XML External Entity Reference":{"python":{"":7}},"CWE-942: Permissive Cross-domain Policy with Untrusted Domains":{"python":{"":2}},"CWE-94: Improper Control of Generation of Code ('Code Injection')":{"python":{"":35}},"CWE-1236: Improper Neutralization of Formula Elements in a CSV File":{"python":{"":2}},"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor":{"python":{"":2}},"CWE-454: External Initialization of Trusted Variables or Data Stores":{"python":{"":6}},"CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')":{"python":{"":1}},"CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute":{"python":{"":13}},"CWE-644: Improper Neutralization of HTTP Headers for Scripting Syntax":{"python":{"":34}},"CWE-943: Improper Neutralization of Special Elements in Data Query Logic":{"python":{"":4}},"CWE-643: Improper Neutralization of Data within XPath Expressions ('XPath Injection')":{"python":{"":3}},"CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')":{"python":{"":34}},"CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')":{"python":{"":1}},"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')":{"python":{"":11}},"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')":{"python":{"":169}},"CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')":{"python":{"":18}},"CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')":{"python":{"":3}},"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')":{"python":{"":13}},"CWE-75: 
Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)":{"python":{"":3}},"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')":{"python":{"":42}},"CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')":{"python":{"":2}}},"rules_with_no_cwe":[]},"owasp":{"totals":{"":15,"A01:2017: Injection":237,"A03:2021: Injection":339,"A05:2025: Injection":339,"A6:2017 misconfiguration":1,"A04:2021: Insecure Design":110,"A06:2025: Insecure Design":110,"A01:2021: Broken Access Control":58,"A01:2025: Broken Access Control":334,"A02:2017: Broken Authentication":5,"A05:2017: Broken Access Control":34,"A02:2021: Cryptographic Failures":46,"A04:2025: Cryptographic Failures":46,"A03:2017: Sensitive Data Exposure":47,"A07:2025: Authentication Failures":63,"A05:2021-Security misconfiguration":36,"A08:2017: Insecure Deserialization":73,"A02:2021 – Cryptographic Failures":3,"A02:2025: Security Misconfiguration":36,"A05:2021: Security Misconfiguration":36,"A06:2017: Security Misconfiguration":1,"A07:2017: Cross-Site Scripting (XSS)":11,"A04:2017: XML External Entities (XXE)":10,"A05:2021 – Security Misconfiguration":1,"A10:2021: Server-Side Request Forgery (SSRF)":278,"A08:2025: Software or Data Integrity Failures":73,"A08:2021: Software and Data Integrity Failures":73,"A09:2025: Security Logging & Alerting Failures":5,"A09:2021: Security Logging and Monitoring Failures":5,"A07:2021: Identification and Authentication Failures":63},"per_framework":{"":{"python":{"":15}},"A01:2017: Injection":{"python":{"":237}},"A03:2021: Injection":{"python":{"":339}},"A05:2025: Injection":{"python":{"":339}},"A6:2017 misconfiguration":{"python":{"":1}},"A04:2021: Insecure Design":{"python":{"":110}},"A06:2025: Insecure Design":{"python":{"":110}},"A01:2021: Broken Access Control":{"python":{"":58}},"A01:2025: Broken Access Control":{"python":{"":334}},"A02:2017: Broken 
Authentication":{"python":{"":5}},"A05:2017: Broken Access Control":{"python":{"":34}},"A02:2021: Cryptographic Failures":{"python":{"":46}},"A04:2025: Cryptographic Failures":{"python":{"":46}},"A03:2017: Sensitive Data Exposure":{"python":{"":47}},"A07:2025: Authentication Failures":{"py":{"":1},"python":{"":62}},"A05:2021-Security misconfiguration":{"python":{"":36}},"A08:2017: Insecure Deserialization":{"python":{"":73}},"A02:2021 – Cryptographic Failures":{"python":{"":3}},"A02:2025: Security Misconfiguration":{"python":{"":36}},"A05:2021: Security Misconfiguration":{"python":{"":36}},"A06:2017: Security Misconfiguration":{"python":{"":1}},"A07:2017: Cross-Site Scripting (XSS)":{"python":{"":11}},"A04:2017: XML External Entities (XXE)":{"python":{"":10}},"A05:2021 – Security Misconfiguration":{"python":{"":1}},"A10:2021: Server-Side Request Forgery (SSRF)":{"python":{"":278}},"A08:2025: Software or Data Integrity Failures":{"python":{"":73}},"A08:2021: Software and Data Integrity Failures":{"python":{"":73}},"A09:2025: Security Logging & Alerting Failures":{"python":{"":5}},"A09:2021: Security Logging and Monitoring Failures":{"python":{"":5}},"A07:2021: Identification and Authentication Failures":{"py":{"":1},"python":{"":62}}},"rules_with_no_owasp":["tainted-dotenv-variable-django","tainted-environ-variable-django","tainted-regex-stdlib-django","django-using-request-post-after-is-valid","nan-injection","tainted-dotenv-variable-fastapi","tainted-environ-variable-fastapi","tainted-regex-stdlib-fastapi","debug-flask-passthrough-errors","active-debug-code-flask","tainted-dotenv-variable-flask","tainted-environ-variable-flask","tainted-regex-stdlib-flask","nan-injection","mongo-client-bad-auth"]}},"author":"Semgrep","counts":{"total_rules":1069,"premium_rules":918},"username":"semgrep","languages":["Python"],"description":"Default ruleset for Python, curated by 
Semgrep.","id":"YJ4","name":"python","visibility":"public","categories":[{"id":"V5W","slug":"languages-and-frameworks","name":"Languages and Frameworks","description":"Check your code for security problems and best practices in these languages and frameworks."}]},{"tags":["eslint","security"],"stats":{"cwe":{"totals":{"CWE-352: Cross-Site Request Forgery (CSRF)":1,"CWE-116: Improper Encoding or Escaping of Output":1,"CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)":1,"CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer":1,"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')":1,"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')":1},"per_framework":{"CWE-352: Cross-Site Request Forgery (CSRF)":{"javascript":{"":1}},"CWE-116: Improper Encoding or Escaping of Output":{"javascript":{"":1}},"CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)":{"javascript":{"":1}},"CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer":{"javascript":{"":1}},"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')":{"javascript":{"":1}},"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')":{"javascript":{"":1}}},"rules_with_no_cwe":[]},"owasp":{"totals":{"":1,"A01:2017: Injection":1,"A03:2021: Injection":3,"A05:2025: Injection":3,"A01:2021: Broken Access Control":1,"A01:2025: Broken Access Control":1,"A05:2017: Broken Access Control":1,"A02:2021: Cryptographic Failures":1,"A04:2025: Cryptographic Failures":1},"per_framework":{"":{"javascript":{"":1}},"A01:2017: Injection":{"javascript":{"":1}},"A03:2021: Injection":{"javascript":{"":3}},"A05:2025: Injection":{"javascript":{"":3}},"A01:2021: Broken Access Control":{"javascript":{"":1}},"A01:2025: Broken Access Control":{"javascript":{"":1}},"A05:2017: 
Broken Access Control":{"javascript":{"":1}},"A02:2021: Cryptographic Failures":{"javascript":{"":1}},"A04:2025: Cryptographic Failures":{"javascript":{"":1}}},"rules_with_no_owasp":["detect-buffer-noassert"]}},"author":"Sabrina Brogren","counts":{"total_rules":6,"premium_rules":0},"hidden":true,"languages":["JavaScript"],"description":"Selected rules from eslint-plugin-security, a security plugin for ESLint, rewritten in Semgrep.","id":"g1Z","name":"eslint-plugin-security","visibility":"public","categories":[]},{"tags":["semgrep","security","https","ssl","encryption"],"stats":{"cwe":{"totals":{"CWE-326: Inadequate Encryption Strength":1,"CWE-319: Cleartext Transmission of Sensitive Information":52},"per_framework":{"CWE-326: Inadequate Encryption Strength":{"python":{"":1}},"CWE-319: Cleartext Transmission of Sensitive Information":{"go":{"":9},"java":{"":14},"ruby":{"":5},"python":{"":16},"javascript":{"":8}}},"rules_with_no_cwe":[]},"owasp":{"totals":{"A02:2021: Cryptographic Failures":18,"A04:2025: Cryptographic Failures":18,"A03:2017: Sensitive Data Exposure":53},"per_framework":{"A02:2021: Cryptographic Failures":{"python":{"":17},"javascript":{"":1}},"A04:2025: Cryptographic Failures":{"python":{"":17},"javascript":{"":1}},"A03:2017: Sensitive Data Exposure":{"go":{"":9},"java":{"":14},"ruby":{"":5},"python":{"":17},"javascript":{"":8}}},"rules_with_no_owasp":[]}},"author":"Colleen Dai","counts":{"total_rules":53,"premium_rules":0},"username":"colleend","languages":["java","javascript","go","python","ruby"],"description":"Ensure your code communicates over encrypted channels instead of plaintext.","id":"5gX","name":"insecure-transport","visibility":"public","categories":[{"id":"VJd","slug":"enforce-secure-guardrails","name":"Enforce Secure Guardrails","description":"Use Semgrep to ensure your code enforces secure defaults and framework protections, which can proactively eradicate entire classes of vulnerabilities. 
Avoid playing bug whack-a-mole and scale your security program."}]},{"stats":{"cwe":{"totals":{"CWE-416: Use After Free":4,"CWE-328: Use of Weak Hash":8,"CWE-489: Active Debug Code":2,"CWE-125: Out-of-bounds Read":6,"CWE-787: Out-of-bounds Write":2,"CWE-778: Insufficient Logging":1,"CWE-682: Incorrect Calculation":2,"CWE-862: Missing Authorization":1,"CWE-23: Relative Path Traversal":2,"CWE-284: Improper Access Control":2,"CWE-287: Improper Authentication":52,"CWE-346: Origin Validation Error":6,"CWE-506: Embedded Malicious Code":1,"CWE-20: Improper Input Validation":2,"CWE-476: NULL Pointer Dereference":1,"CWE-477: Use of Obsolete Function":2,"CWE-272: Least Privilege Violation":11,"CWE-259: Use of Hard-coded Password":1,"CWE-269: Improper Privilege Management":2,"CWE-798: Use of Hard-coded Credentials":157,"CWE-190: Integer Overflow or Wraparound":1,"CWE-326: Inadequate Encryption Strength":16,"CWE-295: Improper Certificate Validation":5,"CWE-341: Predictable from Observable State":1,"CWE-467: Use of sizeof() on a Pointer Type":1,"CWE-502: Deserialization of Untrusted Data":79,"CWE-780: Use of RSA Algorithm without OAEP":1,"CWE-300: Channel Accessible by Non-Endpoint":2,"CWE-310: CWE CATEGORY: Cryptographic Issues":1,"CWE-918: Server-Side Request Forgery (SSRF)":265,"CWE-321: Use of Hard-coded Cryptographic Key":1,"CWE-311: Missing Encryption of Sensitive Data":2,"CWE-522: Insufficiently Protected Credentials":13,"CWE-668: Exposure of Resource to Wrong Sphere":1,"CWE-73: External Control of File Name or Path":98,"CWE-250: Execution with Unnecessary Privileges":1,"CWE-323: Reusing a Nonce, Key Pair in Encryption":1,"CWE-673: External Influence of Sphere Definition":1,"CWE-494: Download of Code Without Integrity Check":5,"CWE-91: XML Injection (aka Blind XPath Injection)":1,"CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag":5,"CWE-305: Authentication Bypass by Primary Weakness":2,"CWE-1333: Inefficient Regular Expression Complexity":4,"CWE-329: Generation of 
Predictable IV with CBC Mode":1,"CWE-509: Replicating Malicious Code (Virus or Worm)":1,"CWE-841: Improper Enforcement of Behavioral Workflow":7,"CWE-1204: Generation of Weak Initialization Vector (IV)":1,"CWE-345: Insufficient Verification of Data Authenticity":2,"CWE-319: Cleartext Transmission of Sensitive Information":4,"CWE-837: Improper Enforcement of a Single, Unique Action":1,"CWE-327: Use of a Broken or Risky Cryptographic Algorithm":45,"CWE-347: Improper Verification of Cryptographic Signature":1,"CWE-532: Insertion of Sensitive Information into Log File":1,"CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition":2,"CWE-1275: Sensitive Cookie with Improper SameSite Attribute":1,"CWE-358: Improperly Implemented Security Check for Standard":36,"CWE-601: URL Redirection to Untrusted Site ('Open Redirect')":13,"CWE-296: Improper Following of a Certificate's Chain of Trust":1,"CWE-441: Unintended Proxy or Intermediary ('Confused Deputy')":1,"CWE-611: Improper Restriction of XML External Entity Reference":43,"CWE-732: Incorrect Permission Assignment for Critical Resource":7,"CWE-94: Improper Control of Generation of Code ('Code Injection')":53,"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor":5,"CWE-916: Use of Password Hash With Insufficient Computational Effort":3,"CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute":7,"CWE-644: Improper Neutralization of HTTP Headers for Scripting Syntax":12,"CWE-323: Nonces should be used for the present occasion and only once.":1,"CWE-688: Function Call With Incorrect Variable or Reference as Argument":1,"CWE-943: Improper Neutralization of Special Elements in Data Query Logic":23,"CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)":1,"CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine":1,"CWE-643: Improper Neutralization of Data within XPath Expressions ('XPath Injection')":9,"CWE-22: Improper Limitation of a Pathname to a 
Restricted Directory ('Path Traversal')":126,"CWE-757: Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')":1,"CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')":3,"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')":36,"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')":248,"CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')":21,"CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')":10,"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')":4,"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')":60,"CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')":3,"CWE-329: Not using a random initialization Vector (IV) with Cipher Block Chaining (CBC) Mode causes algorithms to be susceptible to dictionary attacks.":1},"per_framework":{"CWE-416: Use After Free":{"cpp":{"":4}},"CWE-328: Use of Weak Hash":{"go":{"":1},"php":{"":1},"java":{"":3},"ruby":{"":1},"clojure":{"":2}},"CWE-489: Active Debug Code":{"php":{"":1},"python":{"":1}},"CWE-125: Out-of-bounds Read":{"cpp":{"":6}},"CWE-787: Out-of-bounds Write":{"cpp":{"":1},"solidity":{"":1}},"CWE-778: Insufficient Logging":{"hcl":{"":1}},"CWE-682: Incorrect Calculation":{"solidity":{"":2}},"CWE-862: Missing Authorization":{"dockerfile":{"":1}},"CWE-23: Relative Path Traversal":{"php":{"":1},"java":{"":1}},"CWE-284: Improper Access Control":{"python":{"":1},"solidity":{"":1}},"CWE-287: Improper Authentication":{"go":{"":8},"js":{"":5},"ruby":{"":6},"rust":{"":10},"yaml":{"":1},"kotlin":{"":4},"python":{"":17},"javascript":{"":1}},"CWE-346: Origin Validation Error":{"java":{"":1},"javascript":{"":5}},"CWE-506: Embedded Malicious 
Code":{"generic":{"":1}},"CWE-20: Improper Input Validation":{"solidity":{"":2}},"CWE-476: NULL Pointer Dereference":{"cpp":{"":1}},"CWE-477: Use of Obsolete Function":{"swift":{"":2}},"CWE-272: Least Privilege Violation":{"xml":{"":2},"swift":{"":9}},"CWE-259: Use of Hard-coded Password":{"swift":{"":1}},"CWE-269: Improper Privilege Management":{"yaml":{"":1},"dockerfile":{"":1}},"CWE-798: Use of Hard-coded Credentials":{"go":{"":10},"js":{"":22},"py":{"":1},"php":{"":1},"java":{"":20},"ruby":{"":18},"rust":{"":12},"regex":{"":1},"swift":{"":7},"csharp":{"":9},"kotlin":{"":21},"python":{"":30},"javascript":{"":5}},"CWE-190: Integer Overflow or Wraparound":{"php":{"":1}},"CWE-326: Inadequate Encryption Strength":{"go":{"":1},"kt":{"":1},"cpp":{"":1},"hcl":{"":1},"java":{"":5},"ruby":{"":1},"swift":{"":2},"python":{"":2},"terraform":{"":1},"javascript":{"":1}},"CWE-295: Improper Certificate Validation":{"cpp":{"":1},"xml":{"":1},"rust":{"":3}},"CWE-341: Predictable from Observable State":{"solidity":{"":1}},"CWE-467: Use of sizeof() on a Pointer Type":{"cpp":{"":1}},"CWE-502: Deserialization of Untrusted Data":{"go":{"":1},"java":{"":7},"swift":{"":2},"python":{"":68},"javascript":{"":1}},"CWE-780: Use of RSA Algorithm without OAEP":{"scala":{"":1}},"CWE-300: Channel Accessible by Non-Endpoint":{"go":{"":2}},"CWE-310: CWE CATEGORY: Cryptographic Issues":{"javascript":{"":1}},"CWE-918: Server-Side Request Forgery (SSRF)":{"go":{"":5},"php":{"":1},"java":{"":11},"rust":{"":3},"csharp":{"":5},"kotlin":{"":2},"python":{"":234},"generic":{"":1},"javascript":{"":3}},"CWE-321: Use of Hard-coded Cryptographic Key":{"swift":{"":1}},"CWE-311: Missing Encryption of Sensitive Data":{"ruby":{"":1},"swift":{"":1}},"CWE-522: Insufficiently Protected Credentials":{"scala":{"":2},"python":{"":2},"generic":{"":9}},"CWE-668: Exposure of Resource to Wrong Sphere":{"python":{"":1}},"CWE-73: External Control of File Name or Path":{"python":{"":98}},"CWE-250: Execution with Unnecessary 
Privileges":{"dockerfile":{"":1}},"CWE-323: Reusing a Nonce, Key Pair in Encryption":{"java":{"":1}},"CWE-673: External Influence of Sphere Definition":{"python":{"":1}},"CWE-494: Download of Code Without Integrity Check":{"generic":{"":5}},"CWE-91: XML Injection (aka Blind XPath Injection)":{"java":{"":1}},"CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag":{"java":{"":3},"csharp":{"":2}},"CWE-305: Authentication Bypass by Primary Weakness":{"swift":{"":2}},"CWE-1333: Inefficient Regular Expression Complexity":{"java":{"":1},"python":{"":3}},"CWE-329: Generation of Predictable IV with CBC Mode":{"php":{"":1}},"CWE-509: Replicating Malicious Code (Virus or Worm)":{"yaml":{"":1}},"CWE-841: Improper Enforcement of Behavioral Workflow":{"solidity":{"":7}},"CWE-1204: Generation of Weak Initialization Vector (IV)":{"javascript":{"":1}},"CWE-345: Insufficient Verification of Data Authenticity":{"csharp":{"":1},"javascript":{"":1}},"CWE-319: Cleartext Transmission of Sensitive Information":{"xml":{"":3},"python":{"":1}},"CWE-837: Improper Enforcement of a Single, Unique Action":{"solidity":{"":1}},"CWE-327: Use of a Broken or Risky Cryptographic Algorithm":{"go":{"":3},"xml":{"":1},"java":{"":9},"swift":{"":5},"csharp":{"":1},"kotlin":{"":2},"python":{"":17},"clojure":{"":1},"javascript":{"":6}},"CWE-347: Improper Verification of Cryptographic Signature":{"javascript":{"":1}},"CWE-532: Insertion of Sensitive Information into Log File":{"java":{"":1}},"CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition":{"cpp":{"":2}},"CWE-1275: Sensitive Cookie with Improper SameSite Attribute":{"java":{"":1}},"CWE-358: Improperly Implemented Security Check for Standard":{"python":{"":36}},"CWE-601: URL Redirection to Untrusted Site ('Open Redirect')":{"go":{"":1},"java":{"":6},"kotlin":{"":1},"javascript":{"":5}},"CWE-296: Improper Following of a Certificate's Chain of Trust":{"xml":{"":1}},"CWE-441: Unintended Proxy or Intermediary ('Confused Deputy')":{"yaml":{"":1}},"CWE-611: 
Improper Restriction of XML External Entity Reference":{"go":{"":2},"php":{"":2},"java":{"":25},"scala":{"":3},"swift":{"":1},"python":{"":6},"clojure":{"":1},"javascript":{"":3}},"CWE-732: Incorrect Permission Assignment for Critical Resource":{"cpp":{"":1},"hcl":{"":1},"generic":{"":4},"javascript":{"":1}},"CWE-94: Improper Control of Generation of Code ('Code Injection')":{"yaml":{"":1},"csharp":{"":2},"kotlin":{"":1},"python":{"":33},"generic":{"":1},"terraform":{"":1},"javascript":{"":14}},"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor":{"go":{"":1},"generic":{"":4}},"CWE-916: Use of Password Hash With Insufficient Computational Effort":{"swift":{"":3}},"CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute":{"php":{"":1},"java":{"":3},"csharp":{"":2},"generic":{"":1}},"CWE-644: Improper Neutralization of HTTP Headers for Scripting Syntax":{"java":{"":2},"python":{"":10}},"CWE-323: Nonces should be used for the present occasion and only once.":{"swift":{"":1}},"CWE-688: Function Call With Incorrect Variable or Reference as Argument":{"solidity":{"":1}},"CWE-943: Improper Neutralization of Special Elements in Data Query Logic":{"go":{"":4},"rust":{"":3},"csharp":{"":2},"kotlin":{"":5},"python":{"":3},"javascript":{"":6}},"CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)":{"csharp":{"":1}},"CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine":{"javascript":{"":1}},"CWE-643: Improper Neutralization of Data within XPath Expressions ('XPath Injection')":{"java":{"":3},"csharp":{"":2},"python":{"":3},"javascript":{"":1}},"CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')":{"go":{"":5},"java":{"":3},"rust":{"":3},"csharp":{"":66},"python":{"":30},"javascript":{"":19}},"CWE-757: Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')":{"xml":{"":1}},"CWE-77: Improper Neutralization of Special Elements used in a 
Command ('Command Injection')":{"python":{"":1},"terraform":{"":1},"javascript":{"":1}},"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')":{"go":{"":5},"java":{"":8},"csharp":{"":4},"kotlin":{"":1},"python":{"":2},"generic":{"":1},"javascript":{"":4},"typescript":{"":11}},"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')":{"go":{"":11},"java":{"":6},"rust":{"":12},"scala":{"":2},"swift":{"":1},"csharp":{"":34},"kotlin":{"":5},"python":{"":145},"javascript":{"":32}},"CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')":{"cpp":{"":2},"java":{"":2},"python":{"":17}},"CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')":{"java":{"":8},"python":{"":2}},"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')":{"php":{"":1},"java":{"":2},"generic":{"":1}},"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')":{"go":{"":8},"java":{"":7},"rust":{"":6},"csharp":{"":3},"kotlin":{"":1},"python":{"":23},"generic":{"":7},"javascript":{"":5}},"CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')":{"javascript":{"":3}},"CWE-329: Not using a random initialization Vector (IV) with Cipher Block Chaining (CBC) Mode causes algorithms to be susceptible to dictionary attacks.":{"swift":{"":1}}},"rules_with_no_cwe":[]},"owasp":{"totals":{"":66,"A01:2017: Injection":360,"A03:2021: Injection":451,"A05:2025: Injection":451,"A04:2021 Insecure Design":2,"A04:2021: Insecure Design":113,"A06:2025: Insecure Design":113,"LLM08:2023: Excessive Agency":1,"A01:2021: Broken Access Control":147,"A01:2025: Broken Access Control":407,"A02:2017: Broken Authentication":38,"A05:2017: Broken Access Control":126,"A02:2021: Cryptographic Failures":80,"A04:2025: Cryptographic Failures":80,"A03:2017: 
Sensitive Data Exposure":72,"A07:2025: Authentication Failures":218,"A05:2021-Security misconfiguration":36,"A08:2017: Insecure Deserialization":79,"A02:2021 – Cryptographic Failures":3,"A02:2025: Security Misconfiguration":62,"A05:2021: Security Misconfiguration":62,"A06:2017: Security Misconfiguration":3,"A07:2017: Cross-Site Scripting (XSS)":36,"A04:2017: XML External Entities (XXE)":45,"A05:2021 – Security Misconfiguration":1,"A10:2021: Server-Side Request Forgery (SSRF)":265,"A08:2025: Software or Data Integrity Failures":84,"A08:2021: Software and Data Integrity Failures":85,"A09:2025: Security Logging & Alerting Failures":2,"A10:2025: Mishandling of Exceptional Conditions":1,"A09:2021: Security Logging and Monitoring Failures":2,"A7:2021 Identification and Authentication Failures":1,"A07:2021 Identification and Authentication Failures":1,"A07:2021: Identification and Authentication Failures":218},"per_framework":{"":{"go":{"":1},"cpp":{"":15},"php":{"":1},"xml":{"":4},"java":{"":1},"rust":{"":3},"regex":{"":1},"swift":{"":13},"python":{"":3},"generic":{"":5},"solidity":{"":15},"dockerfile":{"":1},"javascript":{"":3}},"A01:2017: Injection":{"go":{"":23},"cpp":{"":2},"java":{"":18},"rust":{"":21},"yaml":{"":1},"scala":{"":2},"swift":{"":1},"csharp":{"":39},"kotlin":{"":11},"python":{"":189},"generic":{"":8},"terraform":{"":1},"javascript":{"":44}},"A03:2021: Injection":{"go":{"":24},"cpp":{"":2},"php":{"":1},"java":{"":31},"rust":{"":18},"yaml":{"":2},"scala":{"":2},"swift":{"":1},"csharp":{"":45},"kotlin":{"":8},"python":{"":235},"generic":{"":10},"terraform":{"":1},"javascript":{"":60},"typescript":{"":11}},"A05:2025: Injection":{"go":{"":24},"cpp":{"":2},"php":{"":1},"java":{"":31},"rust":{"":18},"yaml":{"":2},"scala":{"":2},"swift":{"":1},"csharp":{"":45},"kotlin":{"":8},"python":{"":235},"generic":{"":10},"terraform":{"":1},"javascript":{"":60},"typescript":{"":11}},"A04:2021 Insecure Design":{"yaml":{"":2}},"A04:2021: Insecure 
Design":{"ruby":{"":1},"scala":{"":2},"swift":{"":1},"python":{"":100},"generic":{"":9}},"A06:2025: Insecure Design":{"ruby":{"":1},"scala":{"":2},"swift":{"":1},"python":{"":100},"generic":{"":9}},"LLM08:2023: Excessive Agency":{"yaml":{"":1}},"A01:2021: Broken Access Control":{"go":{"":6},"php":{"":1},"java":{"":11},"rust":{"":3},"csharp":{"":66},"kotlin":{"":1},"python":{"":31},"generic":{"":4},"javascript":{"":24}},"A01:2025: Broken Access Control":{"go":{"":10},"php":{"":2},"java":{"":21},"rust":{"":6},"csharp":{"":70},"kotlin":{"":3},"python":{"":264},"generic":{"":5},"javascript":{"":26}},"A02:2017: Broken Authentication":{"go":{"":8},"js":{"":3},"rust":{"":10},"scala":{"":2},"kotlin":{"":4},"python":{"":2},"generic":{"":9}},"A05:2017: Broken Access Control":{"go":{"":5},"java":{"":3},"rust":{"":3},"csharp":{"":66},"python":{"":30},"javascript":{"":19}},"A02:2021: Cryptographic Failures":{"go":{"":5},"kt":{"":1},"cpp":{"":1},"hcl":{"":1},"php":{"":2},"xml":{"":4},"java":{"":18},"ruby":{"":2},"scala":{"":1},"swift":{"":13},"csharp":{"":2},"kotlin":{"":2},"python":{"":17},"clojure":{"":2},"terraform":{"":1},"javascript":{"":8}},"A04:2025: Cryptographic Failures":{"go":{"":5},"kt":{"":1},"cpp":{"":1},"hcl":{"":1},"php":{"":2},"xml":{"":4},"java":{"":18},"ruby":{"":2},"scala":{"":1},"swift":{"":13},"csharp":{"":2},"kotlin":{"":2},"python":{"":17},"clojure":{"":2},"terraform":{"":1},"javascript":{"":8}},"A03:2017: Sensitive Data Exposure":{"go":{"":5},"kt":{"":1},"cpp":{"":2},"hcl":{"":1},"php":{"":1},"xml":{"":5},"java":{"":17},"ruby":{"":3},"swift":{"":8},"kotlin":{"":2},"python":{"":17},"clojure":{"":2},"terraform":{"":1},"javascript":{"":7}},"A07:2025: Authentication Failures":{"go":{"":20},"js":{"":27},"py":{"":1},"cpp":{"":1},"php":{"":1},"xml":{"":1},"java":{"":21},"ruby":{"":24},"rust":{"":22},"swift":{"":8},"csharp":{"":9},"kotlin":{"":25},"python":{"":47},"javascript":{"":11}},"A05:2021-Security misconfiguration":{"python":{"":36}},"A08:2017: Insecure 
Deserialization":{"go":{"":1},"java":{"":7},"swift":{"":2},"python":{"":68},"javascript":{"":1}},"A02:2021 – Cryptographic Failures":{"python":{"":3}},"A02:2025: Security Misconfiguration":{"go":{"":2},"hcl":{"":1},"php":{"":4},"java":{"":31},"yaml":{"":1},"scala":{"":3},"swift":{"":1},"csharp":{"":4},"python":{"":8},"clojure":{"":1},"generic":{"":1},"dockerfile":{"":1},"javascript":{"":4}},"A05:2021: Security Misconfiguration":{"go":{"":2},"hcl":{"":1},"php":{"":4},"java":{"":31},"yaml":{"":1},"scala":{"":3},"swift":{"":1},"csharp":{"":4},"python":{"":8},"clojure":{"":1},"generic":{"":1},"dockerfile":{"":1},"javascript":{"":4}},"A06:2017: Security Misconfiguration":{"php":{"":1},"yaml":{"":1},"python":{"":1}},"A07:2017: Cross-Site Scripting (XSS)":{"go":{"":5},"java":{"":8},"csharp":{"":4},"kotlin":{"":1},"python":{"":2},"generic":{"":1},"javascript":{"":4},"typescript":{"":11}},"A04:2017: XML External Entities (XXE)":{"go":{"":2},"php":{"":2},"java":{"":25},"scala":{"":3},"swift":{"":1},"python":{"":8},"clojure":{"":1},"javascript":{"":3}},"A05:2021 – Security Misconfiguration":{"python":{"":1}},"A10:2021: Server-Side Request Forgery (SSRF)":{"go":{"":5},"php":{"":1},"java":{"":11},"rust":{"":3},"csharp":{"":5},"kotlin":{"":2},"python":{"":234},"generic":{"":1},"javascript":{"":3}},"A08:2025: Software or Data Integrity Failures":{"java":{"":7},"swift":{"":2},"csharp":{"":1},"python":{"":68},"generic":{"":5},"javascript":{"":1}},"A08:2021: Software and Data Integrity Failures":{"go":{"":1},"java":{"":7},"swift":{"":2},"csharp":{"":1},"python":{"":68},"generic":{"":5},"javascript":{"":1}},"A09:2025: Security Logging & Alerting Failures":{"hcl":{"":1},"java":{"":1}},"A10:2025: Mishandling of Exceptional Conditions":{"cpp":{"":1}},"A09:2021: Security Logging and Monitoring Failures":{"hcl":{"":1},"java":{"":1}},"A7:2021 Identification and Authentication Failures":{"solidity":{"":1}},"A07:2021 Identification and Authentication Failures":{"yaml":{"":1}},"A07:2021: 
Identification and Authentication Failures":{"go":{"":20},"js":{"":27},"py":{"":1},"cpp":{"":1},"php":{"":1},"xml":{"":1},"java":{"":21},"ruby":{"":24},"rust":{"":22},"swift":{"":8},"csharp":{"":9},"kotlin":{"":25},"python":{"":47},"javascript":{"":11}}},"rules_with_no_owasp":["sizeof-this","std-return-data","std-vector-invalidation","file-access-before-action","file-stat-before-action","world-writable-file","negative-return-value-array-index","missing-nul-cpp-string-memcpy","narrow-to-wide-string-mismatch","readlink-null-terminator","return-c-str","std-string-npos","string-view-data-null-terminator","string-view-temporary-string","wide-to-narrow-string-mismatch","dockerfile-dockerd-socket-mount","detected-onfido-live-api-token","open-redirect","jax-rs-better-files-regex-injection-uri-params","cookies-default-express","dot-nestjs","create-de-cipher-no-iv","base-convert-loses-precision","tainted-regex-stdlib-django","tainted-regex-stdlib-fastapi","tainted-regex-stdlib-flask","reqwest-accept-invalid","rustls-dangerous","ssl-verify-none","skill-dangerous-command-wildcard","skill-network-bash-wildcard","skill-persistence-commands","skill-wildcard-all-tools","skill-preprocessing-encoding-network","balancer-readonly-reentrancy-getpooltokens","balancer-readonly-reentrancy-getrate","compound-borrowfresh-reentrancy","curve-readonly-reentrancy","encode-packed-collision","erc677-reentrancy","erc721-reentrancy","erc777-reentrancy","incorrect-use-of-blockhash","keeper-network-oracle-manipulation","no-bidi-characters","proxy-storage-collision","redacted-cartel-custom-approval-bug","rigoblock-missing-access-control","superfluid-ctx-injection","keychain-acl-allows-biometry-changes","keychain-accessible-always","insecure-biometrics","keychain-passcode-fallback","ATS-local-networking","ATS-consider-pinning","ATS-CA-pins","ATS-minimum-tls-version","swift-named-persistent-pasteboards","swift-forbidden-ios-apis","swift-webview-config-allows-js","swift-webview-config-base-url","swift-web
view-config-allows-file-access","swift-webview-config-fraudulent-site-warning","swift-webview-config-https-upgrade","swift-webview-config-allows-js-open-windows","swift-webview-config-allows-universal-file-access"]}},"author":"Semgrep","counts":{"total_rules":1556,"premium_rules":1429},"username":"semgrep","description":"This ruleset is curated to be placed in Semgrep Code's Rule Board \"Comment\" column.","id":"EkPB","name":"comment","visibility":"public","categories":[{"id":"MPe","slug":"quick-start","name":"Getting Started","description":"These rulesets cover a wide range of use cases. Start here to get up and running quickly."}]},{"stats":{"cwe":{"totals":{"CWE-369: Divide By Zero":1,"CWE-416: Use After Free":4,"CWE-328: Use of Weak Hash":12,"CWE-384: Session Fixation":1,"CWE-489: Active Debug Code":9,"CWE-125: Out-of-bounds Read":7,"CWE-787: Out-of-bounds Write":2,"CWE-778: Insufficient Logging":1,"CWE-682: Incorrect Calculation":2,"CWE-862: Missing Authorization":1,"CWE-23: Relative Path Traversal":2,"CWE-284: Improper Access Control":2,"CWE-287: Improper Authentication":54,"CWE-346: Origin Validation Error":7,"CWE-377: Insecure Temporary File":1,"CWE-506: Embedded Malicious Code":1,"CWE-20: Improper Input Validation":2,"CWE-476: NULL Pointer Dereference":1,"CWE-477: Use of Obsolete Function":2,"CWE-501: Trust Boundary Violation":3,"CWE-272: Least Privilege Violation":11,"CWE-16: CWE CATEGORY: Configuration":1,"CWE-259: Use of Hard-coded Password":1,"CWE-269: Improper Privilege Management":2,"CWE-798: Use of Hard-coded Credentials":172,"CWE-190: Integer Overflow or Wraparound":1,"CWE-326: Inadequate Encryption Strength":20,"CWE-295: Improper Certificate Validation":5,"CWE-613: Insufficient Session Expiration":3,"CWE-341: Predictable from Observable State":1,"CWE-352: Cross-Site Request Forgery (CSRF)":7,"CWE-467: Use of sizeof() on a Pointer Type":1,"CWE-502: Deserialization of Untrusted Data":96,"CWE-704: Incorrect Type Conversion or Cast":3,"CWE-780: Use of 
RSA Algorithm without OAEP":1,"CWE-300: Channel Accessible by Non-Endpoint":3,"CWE-310: CWE CATEGORY: Cryptographic Issues":1,"CWE-918: Server-Side Request Forgery (SSRF)":276,"CWE-321: Use of Hard-coded Cryptographic Key":1,"CWE-311: Missing Encryption of Sensitive Data":2,"CWE-522: Insufficiently Protected Credentials":13,"CWE-668: Exposure of Resource to Wrong Sphere":1,"CWE-73: External Control of File Name or Path":99,"CWE-250: Execution with Unnecessary Privileges":2,"CWE-676: Use of Potentially Dangerous Function":2,"CWE-117: Improper Output Neutralization for Logs":6,"CWE-323: Reusing a Nonce, Key Pair in Encryption":1,"CWE-673: External Influence of Sphere Definition":1,"CWE-494: Download of Code Without Integrity Check":5,"CWE-91: XML Injection (aka Blind XPath Injection)":1,"CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag":18,"CWE-305: Authentication Bypass by Primary Weakness":2,"CWE-1333: Inefficient Regular Expression Complexity":6,"CWE-134: Use of Externally-Controlled Format String":1,"CWE-329: Generation of Predictable IV with CBC Mode":2,"CWE-509: Replicating Malicious Code (Virus or Worm)":1,"CWE-841: Improper Enforcement of Behavioral Workflow":7,"CWE-1323: Improper Management of Sensitive Trace Data":1,"CWE-706: Use of Incorrectly-Resolved Name or Reference":2,"CWE-11: ASP.NET Misconfiguration: Creating Debug Binary":1,"CWE-1204: Generation of Weak Initialization Vector (IV)":1,"CWE-345: Insufficient Verification of Data Authenticity":2,"CWE-319: Cleartext Transmission of Sensitive Information":6,"CWE-837: Improper Enforcement of a Single, Unique Action":1,"CWE-327: Use of a Broken or Risky Cryptographic Algorithm":51,"CWE-347: Improper Verification of Cryptographic Signature":1,"CWE-532: Insertion of Sensitive Information into Log File":1,"CWE-639: Authorization Bypass Through User-Controlled Key":1,"CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition":2,"CWE-548: Exposure of Information Through Directory Listing":1,"CWE-1275: 
Sensitive Cookie with Improper SameSite Attribute":12,"CWE-601: URL Redirection to Untrusted Site ('Open Redirect')":19,"CWE-296: Improper Following of a Certificate's Chain of Trust":1,"CWE-441: Unintended Proxy or Intermediary ('Confused Deputy')":1,"CWE-611: Improper Restriction of XML External Entity Reference":68,"CWE-732: Incorrect Permission Assignment for Critical Resource":7,"CWE-942: Permissive Cross-domain Policy with Untrusted Domains":2,"CWE-94: Improper Control of Generation of Code ('Code Injection')":62,"CWE-337: Predictable Seed in Pseudo-Random Number Generator (PRNG)":2,"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor":12,"CWE-454: External Initialization of Trusted Variables or Data Stores":3,"CWE-916: Use of Password Hash With Insufficient Computational Effort":4,"CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')":2,"CWE-209: Generation of Error Message Containing Sensitive Information":1,"CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute":22,"CWE-644: Improper Neutralization of HTTP Headers for Scripting Syntax":34,"CWE-323: Nonces should be used for the present occasion and only once.":1,"CWE-451: User Interface (UI) Misrepresentation of Critical Information":1,"CWE-688: Function Call With Incorrect Variable or Reference as Argument":1,"CWE-943: Improper Neutralization of Special Elements in Data Query Logic":26,"CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)":1,"CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine":2,"CWE-643: Improper Neutralization of Data within XPath Expressions ('XPath Injection')":10,"CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')":133,"CWE-757: Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')":1,"CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes":3,"CWE-470: Use of Externally-Controlled Input to 
Select Classes or Code ('Unsafe Reflection')":1,"CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')":3,"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')":64,"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')":284,"CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')":22,"CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')":27,"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')":10,"CWE-75: Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)":3,"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')":73,"CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')":1,"CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')":3,"CWE-329: Not using a random initialization Vector (IV) with Cipher Block Chaining (CBC) Mode causes algorithms to be susceptible to dictionary attacks.":1},"per_framework":{"CWE-369: Divide By Zero":{"ruby":{"":1}},"CWE-416: Use After Free":{"cpp":{"":4}},"CWE-328: Use of Weak Hash":{"go":{"":1},"cpp":{"":1},"php":{"":1},"java":{"":4},"ruby":{"":1},"python":{"":2},"clojure":{"":2}},"CWE-384: Session Fixation":{"javascript":{"":1}},"CWE-489: Active Debug Code":{"php":{"":1},"java":{"":1},"yaml":{"":1},"kotlin":{"":1},"python":{"":3},"generic":{"":2}},"CWE-125: Out-of-bounds Read":{"cpp":{"":7}},"CWE-787: Out-of-bounds Write":{"cpp":{"":1},"solidity":{"":1}},"CWE-778: Insufficient Logging":{"hcl":{"":1}},"CWE-682: Incorrect Calculation":{"solidity":{"":2}},"CWE-862: Missing Authorization":{"dockerfile":{"":1}},"CWE-23: Relative Path Traversal":{"php":{"":1},"java":{"":1}},"CWE-284: Improper Access 
Control":{"python":{"":1},"solidity":{"":1}},"CWE-287: Improper Authentication":{"go":{"":8},"js":{"":6},"ruby":{"":6},"rust":{"":10},"yaml":{"":1},"kotlin":{"":4},"python":{"":18},"javascript":{"":1}},"CWE-346: Origin Validation Error":{"java":{"":1},"javascript":{"":6}},"CWE-377: Insecure Temporary File":{"python":{"":1}},"CWE-506: Embedded Malicious Code":{"generic":{"":1}},"CWE-20: Improper Input Validation":{"solidity":{"":2}},"CWE-476: NULL Pointer Dereference":{"cpp":{"":1}},"CWE-477: Use of Obsolete Function":{"swift":{"":2}},"CWE-501: Trust Boundary Violation":{"java":{"":3}},"CWE-272: Least Privilege Violation":{"xml":{"":2},"swift":{"":9}},"CWE-16: CWE CATEGORY: Configuration":{"generic":{"":1}},"CWE-259: Use of Hard-coded Password":{"swift":{"":1}},"CWE-269: Improper Privilege Management":{"yaml":{"":1},"dockerfile":{"":1}},"CWE-798: Use of Hard-coded Credentials":{"go":{"":11},"js":{"":24},"py":{"":1},"hcl":{"":1},"php":{"":1},"java":{"":21},"ruby":{"":18},"rust":{"":12},"regex":{"":1},"swift":{"":7},"csharp":{"":10},"kotlin":{"":21},"python":{"":36},"javascript":{"":8}},"CWE-190: Integer Overflow or Wraparound":{"php":{"":1}},"CWE-326: Inadequate Encryption Strength":{"go":{"":1},"kt":{"":1},"cpp":{"":1},"hcl":{"":2},"java":{"":6},"ruby":{"":1},"swift":{"":2},"python":{"":2},"generic":{"":2},"terraform":{"":1},"javascript":{"":1}},"CWE-295: Improper Certificate Validation":{"cpp":{"":1},"xml":{"":1},"rust":{"":3}},"CWE-613: Insufficient Session Expiration":{"csharp":{"":1},"python":{"":2}},"CWE-341: Predictable from Observable State":{"solidity":{"":1}},"CWE-352: Cross-Site Request Forgery (CSRF)":{"java":{"":1},"csharp":{"":1},"python":{"":3},"generic":{"":2}},"CWE-467: Use of sizeof() on a Pointer Type":{"cpp":{"":1}},"CWE-502: Deserialization of Untrusted Data":{"C#":{"":7},"go":{"":1},"php":{"":1},"java":{"":14},"ruby":{"":1},"swift":{"":2},"python":{"":69},"javascript":{"":1}},"CWE-704: Incorrect Type Conversion or 
Cast":{"python":{"":3}},"CWE-780: Use of RSA Algorithm without OAEP":{"scala":{"":1}},"CWE-300: Channel Accessible by Non-Endpoint":{"go":{"":3}},"CWE-310: CWE CATEGORY: Cryptographic Issues":{"javascript":{"":1}},"CWE-918: Server-Side Request Forgery (SSRF)":{"go":{"":6},"php":{"":6},"java":{"":14},"rust":{"":3},"csharp":{"":5},"kotlin":{"":2},"python":{"":236},"generic":{"":1},"javascript":{"":3}},"CWE-321: Use of Hard-coded Cryptographic Key":{"swift":{"":1}},"CWE-311: Missing Encryption of Sensitive Data":{"ruby":{"":1},"swift":{"":1}},"CWE-522: Insufficiently Protected Credentials":{"scala":{"":2},"python":{"":2},"generic":{"":9}},"CWE-668: Exposure of Resource to Wrong Sphere":{"python":{"":1}},"CWE-73: External Control of File Name or Path":{"ruby":{"":1},"python":{"":98}},"CWE-250: Execution with Unnecessary Privileges":{"yaml":{"":1},"dockerfile":{"":1}},"CWE-676: Use of Potentially Dangerous Function":{"c":{"":2}},"CWE-117: Improper Output Neutralization for Logs":{"python":{"":4},"javascript":{"":2}},"CWE-323: Reusing a Nonce, Key Pair in Encryption":{"java":{"":1}},"CWE-673: External Influence of Sphere Definition":{"python":{"":1}},"CWE-494: Download of Code Without Integrity Check":{"generic":{"":5}},"CWE-91: XML Injection (aka Blind XPath Injection)":{"java":{"":1}},"CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag":{"php":{"":1},"java":{"":4},"csharp":{"":2},"python":{"":7},"javascript":{"":4}},"CWE-305: Authentication Bypass by Primary Weakness":{"swift":{"":2}},"CWE-1333: Inefficient Regular Expression Complexity":{"java":{"":1},"ruby":{"":1},"python":{"":3},"javascript":{"":1}},"CWE-134: Use of Externally-Controlled Format String":{"c":{"":1}},"CWE-329: Generation of Predictable IV with CBC Mode":{"php":{"":1},"java":{"":1}},"CWE-509: Replicating Malicious Code (Virus or Worm)":{"yaml":{"":1}},"CWE-841: Improper Enforcement of Behavioral Workflow":{"solidity":{"":7}},"CWE-1323: Improper Management of Sensitive Trace 
Data":{"generic":{"":1}},"CWE-706: Use of Incorrectly-Resolved Name or Reference":{"javascript":{"":2}},"CWE-11: ASP.NET Misconfiguration: Creating Debug Binary":{"generic":{"":1}},"CWE-1204: Generation of Weak Initialization Vector (IV)":{"javascript":{"":1}},"CWE-345: Insufficient Verification of Data Authenticity":{"csharp":{"":1},"javascript":{"":1}},"CWE-319: Cleartext Transmission of Sensitive Information":{"xml":{"":3},"html":{"":1},"java":{"":1},"python":{"":1}},"CWE-837: Improper Enforcement of a Single, Unique Action":{"solidity":{"":1}},"CWE-327: Use of a Broken or Risky Cryptographic Algorithm":{"go":{"":5},"php":{"":1},"xml":{"":1},"java":{"":10},"ruby":{"":1},"swift":{"":5},"csharp":{"":1},"kotlin":{"":2},"python":{"":18},"clojure":{"":1},"javascript":{"":6}},"CWE-347: Improper Verification of Cryptographic Signature":{"javascript":{"":1}},"CWE-532: Insertion of Sensitive Information into Log File":{"java":{"":1}},"CWE-639: Authorization Bypass Through User-Controlled Key":{"ruby":{"":1}},"CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition":{"cpp":{"":2}},"CWE-548: Exposure of Information Through Directory Listing":{"javascript":{"":1}},"CWE-1275: Sensitive Cookie with Improper SameSite Attribute":{"java":{"":1},"python":{"":6},"javascript":{"":5}},"CWE-601: URL Redirection to Untrusted Site ('Open Redirect')":{"go":{"":1},"java":{"":7},"ruby":{"":1},"csharp":{"":1},"kotlin":{"":1},"javascript":{"":8}},"CWE-296: Improper Following of a Certificate's Chain of Trust":{"xml":{"":1}},"CWE-441: Unintended Proxy or Intermediary ('Confused Deputy')":{"yaml":{"":1}},"CWE-611: Improper Restriction of XML External Entity Reference":{"go":{"":2},"cpp":{"":2},"php":{"":2},"java":{"":44},"scala":{"":3},"swift":{"":1},"csharp":{"":3},"python":{"":6},"clojure":{"":1},"javascript":{"":4}},"CWE-732: Incorrect Permission Assignment for Critical Resource":{"cpp":{"":1},"hcl":{"":1},"generic":{"":4},"javascript":{"":1}},"CWE-942: Permissive Cross-domain Policy 
with Untrusted Domains":{"csharp":{"":2}},"CWE-94: Improper Control of Generation of Code ('Code Injection')":{"php":{"":1},"ruby":{"":2},"yaml":{"":1},"scala":{"":1},"csharp":{"":3},"kotlin":{"":1},"python":{"":33},"generic":{"":1},"terraform":{"":1},"javascript":{"":18}},"CWE-337: Predictable Seed in Pseudo-Random Number Generator (PRNG)":{"cpp":{"":2}},"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor":{"go":{"":2},"java":{"":2},"csharp":{"":1},"python":{"":2},"generic":{"":4},"javascript":{"":1}},"CWE-454: External Initialization of Trusted Variables or Data Stores":{"python":{"":3}},"CWE-916: Use of Password Hash With Insufficient Computational Effort":{"swift":{"":3},"javascript":{"":1}},"CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')":{"java":{"":2}},"CWE-209: Generation of Error Message Containing Sensitive Information":{"csharp":{"":1}},"CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute":{"php":{"":1},"java":{"":5},"csharp":{"":2},"python":{"":9},"generic":{"":1},"javascript":{"":4}},"CWE-644: Improper Neutralization of HTTP Headers for Scripting Syntax":{"java":{"":2},"python":{"":32}},"CWE-323: Nonces should be used for the present occasion and only once.":{"swift":{"":1}},"CWE-451: User Interface (UI) Misrepresentation of Critical Information":{"javascript":{"":1}},"CWE-688: Function Call With Incorrect Variable or Reference as Argument":{"solidity":{"":1}},"CWE-943: Improper Neutralization of Special Elements in Data Query Logic":{"go":{"":4},"rust":{"":3},"csharp":{"":2},"kotlin":{"":5},"python":{"":4},"javascript":{"":8}},"CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)":{"csharp":{"":1}},"CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine":{"javascript":{"":2}},"CWE-643: Improper Neutralization of Data within XPath Expressions ('XPath Injection')":{"java":{"":4},"csharp":{"":2},"python":{"":3},"javascript":{"":1}},"CWE-22: Improper 
Limitation of a Pathname to a Restricted Directory ('Path Traversal')":{"go":{"":6},"java":{"":5},"ruby":{"":1},"rust":{"":3},"csharp":{"":67},"python":{"":31},"generic":{"":1},"javascript":{"":19}},"CWE-757: Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')":{"xml":{"":1}},"CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes":{"csharp":{"":1},"python":{"":1},"javascript":{"":1}},"CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')":{"php":{"":1}},"CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')":{"python":{"":1},"terraform":{"":1},"javascript":{"":1}},"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')":{"go":{"":6},"php":{"":2},"java":{"":13},"ruby":{"":2},"scala":{"":1},"kotlin":{"":1},"python":{"":7},"generic":{"":3},"javascript":{"":12},"typescript":{"":17}},"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')":{"go":{"":13},"php":{"":4},"java":{"":16},"ruby":{"":7},"rust":{"":12},"scala":{"":2},"swift":{"":1},"csharp":{"":34},"kotlin":{"":5},"python":{"":152},"javascript":{"":38}},"CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')":{"cpp":{"":2},"java":{"":3},"python":{"":17}},"CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')":{"java":{"":25},"python":{"":2}},"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')":{"php":{"":1},"bash":{"":1},"java":{"":3},"python":{"":1},"generic":{"":1},"javascript":{"":3}},"CWE-75: Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)":{"python":{"":3}},"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command 
Injection')":{"go":{"":8},"cpp":{"":1},"php":{"":2},"java":{"":8},"rust":{"":6},"yaml":{"":1},"csharp":{"":3},"kotlin":{"":1},"python":{"":29},"generic":{"":7},"javascript":{"":7}},"CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')":{"java":{"":1}},"CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')":{"javascript":{"":3}},"CWE-329: Not using a random initialization Vector (IV) with Cipher Block Chaining (CBC) Mode causes algorithms to be susceptible to dictionary attacks.":{"swift":{"":1}}},"rules_with_no_cwe":[]},"owasp":{"totals":{"":82,"A01:2017: Injection":415,"A03:2021: Injection":576,"A05:2025: Injection":576,"A04:2021 Insecure Design":2,"A04:2021: Insecure Design":119,"A06:2025: Insecure Design":119,"LLM08:2023: Excessive Agency":1,"A01:2021: Broken Access Control":190,"A01:2025: Broken Access Control":456,"A02:2017: Broken Authentication":42,"A05:2017: Broken Access Control":134,"A02:2021: Cryptographic Failures":100,"A04:2025: Cryptographic Failures":100,"A03:2017: Sensitive Data Exposure":89,"A07:2025: Authentication Failures":241,"A08:2017: Insecure Deserialization":96,"A02:2021 – Cryptographic Failures":3,"A02:2025: Security Misconfiguration":121,"A05:2021: Security Misconfiguration":123,"A06:2017: Security Misconfiguration":8,"A07:2017: Cross-Site Scripting (XSS)":64,"A04:2017: XML External Entities (XXE)":70,"A05:2021 – Security Misconfiguration":1,"A10:2004: Insecure Configuration Management":1,"A10:2021: Server-Side Request Forgery (SSRF)":276,"A08:2025: Software or Data Integrity Failures":104,"A08:2021: Software and Data Integrity Failures":105,"A09:2025: Security Logging & Alerting Failures":8,"A10:2025: Mishandling of Exceptional Conditions":1,"A09:2021: Security Logging and Monitoring Failures":8,"A7:2021 Identification and Authentication Failures":1,"A07:2021 Identification and Authentication Failures":1,"A07:2021: Identification and 
Authentication Failures":241},"per_framework":{"":{"c":{"":3},"go":{"":1},"cpp":{"":16},"php":{"":1},"xml":{"":4},"java":{"":1},"ruby":{"":1},"rust":{"":3},"yaml":{"":1},"regex":{"":1},"swift":{"":13},"kotlin":{"":1},"python":{"":10},"generic":{"":6},"solidity":{"":15},"dockerfile":{"":1},"javascript":{"":4}},"A01:2017: Injection":{"go":{"":25},"cpp":{"":3},"php":{"":6},"java":{"":30},"ruby":{"":7},"rust":{"":21},"yaml":{"":2},"scala":{"":2},"swift":{"":1},"csharp":{"":39},"kotlin":{"":11},"python":{"":204},"generic":{"":8},"terraform":{"":1},"javascript":{"":55}},"A03:2021: Injection":{"go":{"":27},"cpp":{"":3},"php":{"":11},"bash":{"":1},"java":{"":53},"ruby":{"":11},"rust":{"":18},"yaml":{"":3},"scala":{"":4},"swift":{"":1},"csharp":{"":42},"kotlin":{"":8},"python":{"":280},"generic":{"":12},"terraform":{"":1},"javascript":{"":84},"typescript":{"":17}},"A05:2025: Injection":{"go":{"":27},"cpp":{"":3},"php":{"":11},"bash":{"":1},"java":{"":53},"ruby":{"":11},"rust":{"":18},"yaml":{"":3},"scala":{"":4},"swift":{"":1},"csharp":{"":42},"kotlin":{"":8},"python":{"":280},"generic":{"":12},"terraform":{"":1},"javascript":{"":84},"typescript":{"":17}},"A04:2021 Insecure Design":{"yaml":{"":2}},"A04:2021: Insecure Design":{"java":{"":3},"ruby":{"":2},"scala":{"":2},"swift":{"":1},"csharp":{"":1},"python":{"":100},"generic":{"":9},"javascript":{"":1}},"A06:2025: Insecure Design":{"java":{"":3},"ruby":{"":2},"scala":{"":2},"swift":{"":1},"csharp":{"":1},"python":{"":100},"generic":{"":9},"javascript":{"":1}},"LLM08:2023: Excessive Agency":{"yaml":{"":1}},"A01:2021: Broken Access Control":{"go":{"":8},"php":{"":1},"java":{"":17},"ruby":{"":3},"rust":{"":3},"csharp":{"":70},"kotlin":{"":1},"python":{"":44},"generic":{"":7},"javascript":{"":36}},"A01:2025: Broken Access Control":{"go":{"":12},"php":{"":7},"java":{"":29},"ruby":{"":3},"rust":{"":6},"csharp":{"":73},"kotlin":{"":3},"python":{"":278},"generic":{"":8},"javascript":{"":37}},"A02:2017: Broken 
Authentication":{"go":{"":8},"js":{"":3},"rust":{"":10},"scala":{"":2},"csharp":{"":1},"kotlin":{"":4},"python":{"":4},"generic":{"":9},"javascript":{"":1}},"A05:2017: Broken Access Control":{"go":{"":6},"java":{"":5},"ruby":{"":2},"rust":{"":3},"csharp":{"":67},"python":{"":31},"generic":{"":1},"javascript":{"":19}},"A02:2021: Cryptographic Failures":{"go":{"":7},"kt":{"":1},"cpp":{"":4},"hcl":{"":2},"php":{"":3},"xml":{"":4},"html":{"":1},"java":{"":23},"ruby":{"":3},"scala":{"":1},"swift":{"":13},"csharp":{"":2},"kotlin":{"":2},"python":{"":20},"clojure":{"":2},"generic":{"":2},"terraform":{"":1},"javascript":{"":9}},"A04:2025: Cryptographic Failures":{"go":{"":7},"kt":{"":1},"cpp":{"":4},"hcl":{"":2},"php":{"":3},"xml":{"":4},"html":{"":1},"java":{"":23},"ruby":{"":3},"scala":{"":1},"swift":{"":13},"csharp":{"":2},"kotlin":{"":2},"python":{"":20},"clojure":{"":2},"generic":{"":2},"terraform":{"":1},"javascript":{"":9}},"A03:2017: Sensitive Data Exposure":{"go":{"":7},"kt":{"":1},"cpp":{"":3},"hcl":{"":2},"php":{"":2},"xml":{"":5},"html":{"":1},"java":{"":21},"ruby":{"":5},"swift":{"":8},"kotlin":{"":2},"python":{"":20},"clojure":{"":2},"generic":{"":2},"terraform":{"":1},"javascript":{"":7}},"A07:2025: Authentication Failures":{"go":{"":22},"js":{"":30},"py":{"":1},"cpp":{"":1},"hcl":{"":1},"php":{"":1},"xml":{"":1},"java":{"":22},"ruby":{"":24},"rust":{"":22},"swift":{"":8},"csharp":{"":11},"kotlin":{"":25},"python":{"":56},"javascript":{"":16}},"A08:2017: Insecure Deserialization":{"C#":{"":7},"go":{"":1},"php":{"":1},"java":{"":14},"ruby":{"":1},"swift":{"":2},"python":{"":69},"javascript":{"":1}},"A02:2021 – Cryptographic Failures":{"python":{"":3}},"A02:2025: Security Misconfiguration":{"go":{"":2},"cpp":{"":2},"hcl":{"":1},"php":{"":5},"java":{"":54},"yaml":{"":2},"scala":{"":3},"swift":{"":1},"csharp":{"":9},"python":{"":24},"clojure":{"":1},"generic":{"":3},"dockerfile":{"":1},"javascript":{"":13}},"A05:2021: Security 
Misconfiguration":{"go":{"":2},"cpp":{"":2},"hcl":{"":1},"php":{"":5},"java":{"":54},"yaml":{"":2},"scala":{"":3},"swift":{"":1},"csharp":{"":9},"python":{"":24},"clojure":{"":1},"generic":{"":5},"dockerfile":{"":1},"javascript":{"":13}},"A06:2017: Security Misconfiguration":{"php":{"":1},"java":{"":1},"yaml":{"":2},"csharp":{"":1},"python":{"":1},"generic":{"":1},"javascript":{"":1}},"A07:2017: Cross-Site Scripting (XSS)":{"go":{"":6},"php":{"":2},"java":{"":13},"ruby":{"":2},"scala":{"":1},"kotlin":{"":1},"python":{"":7},"generic":{"":3},"javascript":{"":12},"typescript":{"":17}},"A04:2017: XML External Entities (XXE)":{"go":{"":2},"cpp":{"":2},"php":{"":2},"java":{"":44},"scala":{"":3},"swift":{"":1},"csharp":{"":3},"python":{"":8},"clojure":{"":1},"javascript":{"":4}},"A05:2021 – Security Misconfiguration":{"python":{"":1}},"A10:2004: Insecure Configuration Management":{"java":{"":1}},"A10:2021: Server-Side Request Forgery (SSRF)":{"go":{"":6},"php":{"":6},"java":{"":14},"rust":{"":3},"csharp":{"":5},"kotlin":{"":2},"python":{"":236},"generic":{"":1},"javascript":{"":3}},"A08:2025: Software or Data Integrity Failures":{"C#":{"":7},"php":{"":1},"java":{"":14},"ruby":{"":1},"swift":{"":2},"csharp":{"":2},"python":{"":70},"generic":{"":5},"javascript":{"":2}},"A08:2021: Software and Data Integrity Failures":{"C#":{"":7},"go":{"":1},"php":{"":1},"java":{"":14},"ruby":{"":1},"swift":{"":2},"csharp":{"":2},"python":{"":70},"generic":{"":5},"javascript":{"":2}},"A09:2025: Security Logging & Alerting Failures":{"hcl":{"":1},"java":{"":1},"python":{"":4},"javascript":{"":2}},"A10:2025: Mishandling of Exceptional Conditions":{"cpp":{"":1}},"A09:2021: Security Logging and Monitoring Failures":{"hcl":{"":1},"java":{"":1},"python":{"":4},"javascript":{"":2}},"A7:2021 Identification and Authentication Failures":{"solidity":{"":1}},"A07:2021 Identification and Authentication Failures":{"yaml":{"":1}},"A07:2021: Identification and Authentication 
Failures":{"go":{"":22},"js":{"":30},"py":{"":1},"cpp":{"":1},"hcl":{"":1},"php":{"":1},"xml":{"":1},"java":{"":22},"ruby":{"":24},"rust":{"":22},"swift":{"":8},"csharp":{"":11},"kotlin":{"":25},"python":{"":56},"javascript":{"":16}}},"rules_with_no_owasp":["insecure-use-gets-fn","insecure-use-printf-fn","insecure-use-scanf-fn","sizeof-this","std-return-data","std-vector-invalidation","file-access-before-action","file-stat-before-action","world-writable-file","tainted-allocation-size","negative-return-value-array-index","missing-nul-cpp-string-memcpy","narrow-to-wide-string-mismatch","readlink-null-terminator","return-c-str","std-string-npos","string-view-data-null-terminator","string-view-temporary-string","wide-to-narrow-string-mismatch","dockerfile-dockerd-socket-mount","detected-onfido-live-api-token","open-redirect","jax-rs-better-files-regex-injection-uri-params","regexp-redos","cookies-default-express","dot-nestjs","create-de-cipher-no-iv","ktor-development-mode-conf","ktor-development-mode-gradle","ktor-development-mode-yaml","base-convert-loses-precision","tainted-dotenv-variable-django","tainted-regex-stdlib-django","nan-injection","tainted-dotenv-variable-fastapi","tainted-regex-stdlib-fastapi","debug-flask-passthrough-errors","active-debug-code-flask","tainted-dotenv-variable-flask","tainted-regex-stdlib-flask","nan-injection","divide-by-zero","reqwest-accept-invalid","rustls-dangerous","ssl-verify-none","skill-dangerous-command-wildcard","skill-network-bash-wildcard","skill-persistence-commands","skill-wildcard-all-tools","skill-preprocessing-encoding-network","balancer-readonly-reentrancy-getpooltokens","balancer-readonly-reentrancy-getrate","compound-borrowfresh-reentrancy","curve-readonly-reentrancy","encode-packed-collision","erc677-reentrancy","erc721-reentrancy","erc777-reentrancy","incorrect-use-of-blockhash","keeper-network-oracle-manipulation","no-bidi-characters","proxy-storage-collision","redacted-cartel-custom-approval-bug","rigoblock-missin
g-access-control","superfluid-ctx-injection","keychain-acl-allows-biometry-changes","keychain-accessible-always","insecure-biometrics","keychain-passcode-fallback","ATS-local-networking","ATS-consider-pinning","ATS-CA-pins","ATS-minimum-tls-version","swift-named-persistent-pasteboards","swift-forbidden-ios-apis","swift-webview-config-allows-js","swift-webview-config-base-url","swift-webview-config-allows-file-access","swift-webview-config-fraudulent-site-warning","swift-webview-config-https-upgrade","swift-webview-config-allows-js-open-windows","swift-webview-config-allows-universal-file-access"]}},"author":"Semgrep","counts":{"total_rules":1855,"premium_rules":1576},"hidden":true,"username":"semgrep","description":"This ruleset is intended to produce low false positives and to be safe for use in CI/CD pipelines.","id":"Klen","name":"deepsemgrep","visibility":"public","categories":[]},{"stats":{"cwe":{"totals":{"CWE-369: Divide By Zero":1,"CWE-416: Use After Free":4,"CWE-328: Use of Weak Hash":12,"CWE-384: Session Fixation":1,"CWE-489: Active Debug Code":9,"CWE-125: Out-of-bounds Read":7,"CWE-787: Out-of-bounds Write":2,"CWE-778: Insufficient Logging":1,"CWE-682: Incorrect Calculation":2,"CWE-862: Missing Authorization":1,"CWE-23: Relative Path Traversal":2,"CWE-284: Improper Access Control":2,"CWE-287: Improper Authentication":54,"CWE-346: Origin Validation Error":8,"CWE-377: Insecure Temporary File":1,"CWE-506: Embedded Malicious Code":1,"CWE-20: Improper Input Validation":2,"CWE-476: NULL Pointer Dereference":1,"CWE-477: Use of Obsolete Function":2,"CWE-501: Trust Boundary Violation":3,"CWE-272: Least Privilege Violation":11,"CWE-16: CWE CATEGORY: Configuration":1,"CWE-259: Use of Hard-coded Password":1,"CWE-269: Improper Privilege Management":2,"CWE-798: Use of Hard-coded Credentials":172,"CWE-190: Integer Overflow or Wraparound":1,"CWE-326: Inadequate Encryption Strength":20,"CWE-295: Improper Certificate Validation":5,"CWE-613: Insufficient Session 
Expiration":3,"CWE-341: Predictable from Observable State":1,"CWE-352: Cross-Site Request Forgery (CSRF)":7,"CWE-467: Use of sizeof() on a Pointer Type":1,"CWE-502: Deserialization of Untrusted Data":96,"CWE-704: Incorrect Type Conversion or Cast":3,"CWE-780: Use of RSA Algorithm without OAEP":1,"CWE-300: Channel Accessible by Non-Endpoint":3,"CWE-310: CWE CATEGORY: Cryptographic Issues":1,"CWE-918: Server-Side Request Forgery (SSRF)":276,"CWE-321: Use of Hard-coded Cryptographic Key":1,"CWE-311: Missing Encryption of Sensitive Data":2,"CWE-522: Insufficiently Protected Credentials":13,"CWE-668: Exposure of Resource to Wrong Sphere":1,"CWE-73: External Control of File Name or Path":99,"CWE-250: Execution with Unnecessary Privileges":2,"CWE-676: Use of Potentially Dangerous Function":2,"CWE-117: Improper Output Neutralization for Logs":6,"CWE-323: Reusing a Nonce, Key Pair in Encryption":1,"CWE-673: External Influence of Sphere Definition":1,"CWE-494: Download of Code Without Integrity Check":5,"CWE-91: XML Injection (aka Blind XPath Injection)":1,"CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag":18,"CWE-305: Authentication Bypass by Primary Weakness":2,"CWE-1333: Inefficient Regular Expression Complexity":6,"CWE-134: Use of Externally-Controlled Format String":1,"CWE-329: Generation of Predictable IV with CBC Mode":2,"CWE-509: Replicating Malicious Code (Virus or Worm)":1,"CWE-841: Improper Enforcement of Behavioral Workflow":7,"CWE-1323: Improper Management of Sensitive Trace Data":1,"CWE-706: Use of Incorrectly-Resolved Name or Reference":2,"CWE-11: ASP.NET Misconfiguration: Creating Debug Binary":1,"CWE-1204: Generation of Weak Initialization Vector (IV)":1,"CWE-345: Insufficient Verification of Data Authenticity":2,"CWE-319: Cleartext Transmission of Sensitive Information":6,"CWE-837: Improper Enforcement of a Single, Unique Action":1,"CWE-327: Use of a Broken or Risky Cryptographic Algorithm":51,"CWE-347: Improper Verification of Cryptographic 
Signature":1,"CWE-532: Insertion of Sensitive Information into Log File":1,"CWE-639: Authorization Bypass Through User-Controlled Key":1,"CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition":2,"CWE-548: Exposure of Information Through Directory Listing":1,"CWE-1275: Sensitive Cookie with Improper SameSite Attribute":12,"CWE-358: Improperly Implemented Security Check for Standard":36,"CWE-601: URL Redirection to Untrusted Site ('Open Redirect')":19,"CWE-296: Improper Following of a Certificate's Chain of Trust":1,"CWE-441: Unintended Proxy or Intermediary ('Confused Deputy')":1,"CWE-611: Improper Restriction of XML External Entity Reference":68,"CWE-732: Incorrect Permission Assignment for Critical Resource":7,"CWE-942: Permissive Cross-domain Policy with Untrusted Domains":3,"CWE-94: Improper Control of Generation of Code ('Code Injection')":62,"CWE-337: Predictable Seed in Pseudo-Random Number Generator (PRNG)":2,"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor":12,"CWE-454: External Initialization of Trusted Variables or Data Stores":3,"CWE-916: Use of Password Hash With Insufficient Computational Effort":4,"CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')":2,"CWE-209: Generation of Error Message Containing Sensitive Information":1,"CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute":22,"CWE-644: Improper Neutralization of HTTP Headers for Scripting Syntax":34,"CWE-323: Nonces should be used for the present occasion and only once.":1,"CWE-451: User Interface (UI) Misrepresentation of Critical Information":1,"CWE-688: Function Call With Incorrect Variable or Reference as Argument":1,"CWE-943: Improper Neutralization of Special Elements in Data Query Logic":26,"CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)":1,"CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine":2,"CWE-643: Improper Neutralization of Data within XPath Expressions ('XPath 
Injection')":10,"CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')":133,"CWE-757: Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')":1,"CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes":3,"CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')":1,"CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')":3,"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')":68,"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')":284,"CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')":22,"CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')":27,"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')":10,"CWE-75: Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)":3,"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')":73,"CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')":1,"CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')":3,"CWE-329: Not using a random initialization Vector (IV) with Cipher Block Chaining (CBC) Mode causes algorithms to be susceptible to dictionary attacks.":1},"per_framework":{"CWE-369: Divide By Zero":{"ruby":{"":1}},"CWE-416: Use After Free":{"cpp":{"":4}},"CWE-328: Use of Weak Hash":{"go":{"":1},"cpp":{"":1},"php":{"":1},"java":{"":4},"ruby":{"":1},"python":{"":2},"clojure":{"":2}},"CWE-384: Session Fixation":{"javascript":{"":1}},"CWE-489: Active Debug Code":{"php":{"":1},"java":{"":1},"yaml":{"":1},"kotlin":{"":1},"python":{"":3},"generic":{"":2}},"CWE-125: Out-of-bounds 
Read":{"cpp":{"":7}},"CWE-787: Out-of-bounds Write":{"cpp":{"":1},"solidity":{"":1}},"CWE-778: Insufficient Logging":{"hcl":{"":1}},"CWE-682: Incorrect Calculation":{"solidity":{"":2}},"CWE-862: Missing Authorization":{"dockerfile":{"":1}},"CWE-23: Relative Path Traversal":{"php":{"":1},"java":{"":1}},"CWE-284: Improper Access Control":{"python":{"":1},"solidity":{"":1}},"CWE-287: Improper Authentication":{"go":{"":8},"js":{"":6},"ruby":{"":6},"rust":{"":10},"yaml":{"":1},"kotlin":{"":4},"python":{"":18},"javascript":{"":1}},"CWE-346: Origin Validation Error":{"go":{"":1},"java":{"":1},"javascript":{"":6}},"CWE-377: Insecure Temporary File":{"python":{"":1}},"CWE-506: Embedded Malicious Code":{"generic":{"":1}},"CWE-20: Improper Input Validation":{"solidity":{"":2}},"CWE-476: NULL Pointer Dereference":{"cpp":{"":1}},"CWE-477: Use of Obsolete Function":{"swift":{"":2}},"CWE-501: Trust Boundary Violation":{"java":{"":3}},"CWE-272: Least Privilege Violation":{"xml":{"":2},"swift":{"":9}},"CWE-16: CWE CATEGORY: Configuration":{"generic":{"":1}},"CWE-259: Use of Hard-coded Password":{"swift":{"":1}},"CWE-269: Improper Privilege Management":{"yaml":{"":1},"dockerfile":{"":1}},"CWE-798: Use of Hard-coded Credentials":{"go":{"":11},"js":{"":24},"py":{"":1},"hcl":{"":1},"php":{"":1},"java":{"":21},"ruby":{"":18},"rust":{"":12},"regex":{"":1},"swift":{"":7},"csharp":{"":10},"kotlin":{"":21},"python":{"":36},"javascript":{"":8}},"CWE-190: Integer Overflow or Wraparound":{"php":{"":1}},"CWE-326: Inadequate Encryption Strength":{"go":{"":1},"kt":{"":1},"cpp":{"":1},"hcl":{"":2},"java":{"":6},"ruby":{"":1},"swift":{"":2},"python":{"":2},"generic":{"":2},"terraform":{"":1},"javascript":{"":1}},"CWE-295: Improper Certificate Validation":{"cpp":{"":1},"xml":{"":1},"rust":{"":3}},"CWE-613: Insufficient Session Expiration":{"csharp":{"":1},"python":{"":2}},"CWE-341: Predictable from Observable State":{"solidity":{"":1}},"CWE-352: Cross-Site Request Forgery 
(CSRF)":{"java":{"":1},"csharp":{"":1},"python":{"":3},"generic":{"":2}},"CWE-467: Use of sizeof() on a Pointer Type":{"cpp":{"":1}},"CWE-502: Deserialization of Untrusted Data":{"C#":{"":7},"go":{"":1},"php":{"":1},"java":{"":14},"ruby":{"":1},"swift":{"":2},"python":{"":69},"javascript":{"":1}},"CWE-704: Incorrect Type Conversion or Cast":{"python":{"":3}},"CWE-780: Use of RSA Algorithm without OAEP":{"scala":{"":1}},"CWE-300: Channel Accessible by Non-Endpoint":{"go":{"":3}},"CWE-310: CWE CATEGORY: Cryptographic Issues":{"javascript":{"":1}},"CWE-918: Server-Side Request Forgery (SSRF)":{"go":{"":6},"php":{"":6},"java":{"":14},"rust":{"":3},"csharp":{"":5},"kotlin":{"":2},"python":{"":236},"generic":{"":1},"javascript":{"":3}},"CWE-321: Use of Hard-coded Cryptographic Key":{"swift":{"":1}},"CWE-311: Missing Encryption of Sensitive Data":{"ruby":{"":1},"swift":{"":1}},"CWE-522: Insufficiently Protected Credentials":{"scala":{"":2},"python":{"":2},"generic":{"":9}},"CWE-668: Exposure of Resource to Wrong Sphere":{"python":{"":1}},"CWE-73: External Control of File Name or Path":{"ruby":{"":1},"python":{"":98}},"CWE-250: Execution with Unnecessary Privileges":{"yaml":{"":1},"dockerfile":{"":1}},"CWE-676: Use of Potentially Dangerous Function":{"c":{"":2}},"CWE-117: Improper Output Neutralization for Logs":{"python":{"":4},"javascript":{"":2}},"CWE-323: Reusing a Nonce, Key Pair in Encryption":{"java":{"":1}},"CWE-673: External Influence of Sphere Definition":{"python":{"":1}},"CWE-494: Download of Code Without Integrity Check":{"generic":{"":5}},"CWE-91: XML Injection (aka Blind XPath Injection)":{"java":{"":1}},"CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag":{"php":{"":1},"java":{"":4},"csharp":{"":2},"python":{"":7},"javascript":{"":4}},"CWE-305: Authentication Bypass by Primary Weakness":{"swift":{"":2}},"CWE-1333: Inefficient Regular Expression Complexity":{"java":{"":1},"ruby":{"":1},"python":{"":3},"javascript":{"":1}},"CWE-134: Use of 
Externally-Controlled Format String":{"c":{"":1}},"CWE-329: Generation of Predictable IV with CBC Mode":{"php":{"":1},"java":{"":1}},"CWE-509: Replicating Malicious Code (Virus or Worm)":{"yaml":{"":1}},"CWE-841: Improper Enforcement of Behavioral Workflow":{"solidity":{"":7}},"CWE-1323: Improper Management of Sensitive Trace Data":{"generic":{"":1}},"CWE-706: Use of Incorrectly-Resolved Name or Reference":{"javascript":{"":2}},"CWE-11: ASP.NET Misconfiguration: Creating Debug Binary":{"generic":{"":1}},"CWE-1204: Generation of Weak Initialization Vector (IV)":{"javascript":{"":1}},"CWE-345: Insufficient Verification of Data Authenticity":{"csharp":{"":1},"javascript":{"":1}},"CWE-319: Cleartext Transmission of Sensitive Information":{"xml":{"":3},"html":{"":1},"java":{"":1},"python":{"":1}},"CWE-837: Improper Enforcement of a Single, Unique Action":{"solidity":{"":1}},"CWE-327: Use of a Broken or Risky Cryptographic Algorithm":{"go":{"":5},"php":{"":1},"xml":{"":1},"java":{"":10},"ruby":{"":1},"swift":{"":5},"csharp":{"":1},"kotlin":{"":2},"python":{"":18},"clojure":{"":1},"javascript":{"":6}},"CWE-347: Improper Verification of Cryptographic Signature":{"javascript":{"":1}},"CWE-532: Insertion of Sensitive Information into Log File":{"java":{"":1}},"CWE-639: Authorization Bypass Through User-Controlled Key":{"ruby":{"":1}},"CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition":{"cpp":{"":2}},"CWE-548: Exposure of Information Through Directory Listing":{"javascript":{"":1}},"CWE-1275: Sensitive Cookie with Improper SameSite Attribute":{"java":{"":1},"python":{"":6},"javascript":{"":5}},"CWE-358: Improperly Implemented Security Check for Standard":{"python":{"":36}},"CWE-601: URL Redirection to Untrusted Site ('Open Redirect')":{"go":{"":1},"java":{"":7},"ruby":{"":1},"csharp":{"":1},"kotlin":{"":1},"javascript":{"":8}},"CWE-296: Improper Following of a Certificate's Chain of Trust":{"xml":{"":1}},"CWE-441: Unintended Proxy or Intermediary ('Confused 
Deputy')":{"yaml":{"":1}},"CWE-611: Improper Restriction of XML External Entity Reference":{"go":{"":2},"cpp":{"":2},"php":{"":2},"java":{"":44},"scala":{"":3},"swift":{"":1},"csharp":{"":3},"python":{"":6},"clojure":{"":1},"javascript":{"":4}},"CWE-732: Incorrect Permission Assignment for Critical Resource":{"cpp":{"":1},"hcl":{"":1},"generic":{"":4},"javascript":{"":1}},"CWE-942: Permissive Cross-domain Policy with Untrusted Domains":{"csharp":{"":2},"python":{"":1}},"CWE-94: Improper Control of Generation of Code ('Code Injection')":{"php":{"":1},"ruby":{"":2},"yaml":{"":1},"scala":{"":1},"csharp":{"":3},"kotlin":{"":1},"python":{"":33},"generic":{"":1},"terraform":{"":1},"javascript":{"":18}},"CWE-337: Predictable Seed in Pseudo-Random Number Generator (PRNG)":{"cpp":{"":2}},"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor":{"go":{"":2},"java":{"":2},"csharp":{"":1},"python":{"":2},"generic":{"":4},"javascript":{"":1}},"CWE-454: External Initialization of Trusted Variables or Data Stores":{"python":{"":3}},"CWE-916: Use of Password Hash With Insufficient Computational Effort":{"swift":{"":3},"javascript":{"":1}},"CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')":{"java":{"":2}},"CWE-209: Generation of Error Message Containing Sensitive Information":{"csharp":{"":1}},"CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute":{"php":{"":1},"java":{"":5},"csharp":{"":2},"python":{"":9},"generic":{"":1},"javascript":{"":4}},"CWE-644: Improper Neutralization of HTTP Headers for Scripting Syntax":{"java":{"":2},"python":{"":32}},"CWE-323: Nonces should be used for the present occasion and only once.":{"swift":{"":1}},"CWE-451: User Interface (UI) Misrepresentation of Critical Information":{"javascript":{"":1}},"CWE-688: Function Call With Incorrect Variable or Reference as Argument":{"solidity":{"":1}},"CWE-943: Improper Neutralization of Special Elements in Data Query 
Logic":{"go":{"":4},"rust":{"":3},"csharp":{"":2},"kotlin":{"":5},"python":{"":4},"javascript":{"":8}},"CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)":{"csharp":{"":1}},"CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine":{"javascript":{"":2}},"CWE-643: Improper Neutralization of Data within XPath Expressions ('XPath Injection')":{"java":{"":4},"csharp":{"":2},"python":{"":3},"javascript":{"":1}},"CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')":{"go":{"":6},"java":{"":5},"ruby":{"":1},"rust":{"":3},"csharp":{"":67},"python":{"":31},"generic":{"":1},"javascript":{"":19}},"CWE-757: Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')":{"xml":{"":1}},"CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes":{"csharp":{"":1},"python":{"":1},"javascript":{"":1}},"CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')":{"php":{"":1}},"CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')":{"python":{"":1},"terraform":{"":1},"javascript":{"":1}},"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')":{"go":{"":6},"php":{"":2},"java":{"":13},"ruby":{"":2},"scala":{"":1},"csharp":{"":4},"kotlin":{"":1},"python":{"":7},"generic":{"":3},"javascript":{"":12},"typescript":{"":17}},"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')":{"go":{"":13},"php":{"":4},"java":{"":16},"ruby":{"":7},"rust":{"":12},"scala":{"":2},"swift":{"":1},"csharp":{"":34},"kotlin":{"":5},"python":{"":152},"javascript":{"":38}},"CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')":{"cpp":{"":2},"java":{"":3},"python":{"":17}},"CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity 
Expansion')":{"java":{"":25},"python":{"":2}},"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')":{"php":{"":1},"bash":{"":1},"java":{"":3},"python":{"":1},"generic":{"":1},"javascript":{"":3}},"CWE-75: Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)":{"python":{"":3}},"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')":{"go":{"":8},"cpp":{"":1},"php":{"":2},"java":{"":8},"rust":{"":6},"yaml":{"":1},"csharp":{"":3},"kotlin":{"":1},"python":{"":29},"generic":{"":7},"javascript":{"":7}},"CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')":{"java":{"":1}},"CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')":{"javascript":{"":3}},"CWE-329: Not using a random initialization Vector (IV) with Cipher Block Chaining (CBC) Mode causes algorithms to be susceptible to dictionary attacks.":{"swift":{"":1}}},"rules_with_no_cwe":[]},"owasp":{"totals":{"":82,"A01:2017: Injection":415,"A03:2021: Injection":580,"A05:2025: Injection":580,"A04:2021 Insecure Design":2,"A04:2021: Insecure Design":119,"A06:2025: Insecure Design":119,"LLM08:2023: Excessive Agency":1,"A01:2021: Broken Access Control":190,"A01:2025: Broken Access Control":456,"A02:2017: Broken Authentication":42,"A05:2017: Broken Access Control":134,"A02:2021: Cryptographic Failures":100,"A04:2025: Cryptographic Failures":100,"A03:2017: Sensitive Data Exposure":89,"A07:2025: Authentication Failures":241,"A05:2021-Security misconfiguration":36,"A08:2017: Insecure Deserialization":96,"A02:2021 – Cryptographic Failures":3,"A02:2025: Security Misconfiguration":122,"A05:2021: Security Misconfiguration":124,"A06:2017: Security Misconfiguration":8,"A07:2017: Cross-Site Scripting (XSS)":68,"A04:2017: XML External Entities (XXE)":70,"A05:2021 – Security Misconfiguration":2,"A10:2004: Insecure 
Configuration Management":1,"A10:2021: Server-Side Request Forgery (SSRF)":276,"A08:2025: Software or Data Integrity Failures":104,"A08:2021: Software and Data Integrity Failures":105,"A09:2025: Security Logging & Alerting Failures":8,"A10:2025: Mishandling of Exceptional Conditions":1,"A09:2021: Security Logging and Monitoring Failures":8,"A7:2021 Identification and Authentication Failures":1,"A07:2021 Identification and Authentication Failures":1,"A07:2021: Identification and Authentication Failures":241},"per_framework":{"":{"c":{"":3},"go":{"":1},"cpp":{"":16},"php":{"":1},"xml":{"":4},"java":{"":1},"ruby":{"":1},"rust":{"":3},"yaml":{"":1},"regex":{"":1},"swift":{"":13},"kotlin":{"":1},"python":{"":10},"generic":{"":6},"solidity":{"":15},"dockerfile":{"":1},"javascript":{"":4}},"A01:2017: Injection":{"go":{"":25},"cpp":{"":3},"php":{"":6},"java":{"":30},"ruby":{"":7},"rust":{"":21},"yaml":{"":2},"scala":{"":2},"swift":{"":1},"csharp":{"":39},"kotlin":{"":11},"python":{"":204},"generic":{"":8},"terraform":{"":1},"javascript":{"":55}},"A03:2021: Injection":{"go":{"":27},"cpp":{"":3},"php":{"":11},"bash":{"":1},"java":{"":53},"ruby":{"":11},"rust":{"":18},"yaml":{"":3},"scala":{"":4},"swift":{"":1},"csharp":{"":46},"kotlin":{"":8},"python":{"":280},"generic":{"":12},"terraform":{"":1},"javascript":{"":84},"typescript":{"":17}},"A05:2025: Injection":{"go":{"":27},"cpp":{"":3},"php":{"":11},"bash":{"":1},"java":{"":53},"ruby":{"":11},"rust":{"":18},"yaml":{"":3},"scala":{"":4},"swift":{"":1},"csharp":{"":46},"kotlin":{"":8},"python":{"":280},"generic":{"":12},"terraform":{"":1},"javascript":{"":84},"typescript":{"":17}},"A04:2021 Insecure Design":{"yaml":{"":2}},"A04:2021: Insecure Design":{"java":{"":3},"ruby":{"":2},"scala":{"":2},"swift":{"":1},"csharp":{"":1},"python":{"":100},"generic":{"":9},"javascript":{"":1}},"A06:2025: Insecure 
Design":{"java":{"":3},"ruby":{"":2},"scala":{"":2},"swift":{"":1},"csharp":{"":1},"python":{"":100},"generic":{"":9},"javascript":{"":1}},"LLM08:2023: Excessive Agency":{"yaml":{"":1}},"A01:2021: Broken Access Control":{"go":{"":8},"php":{"":1},"java":{"":17},"ruby":{"":3},"rust":{"":3},"csharp":{"":70},"kotlin":{"":1},"python":{"":44},"generic":{"":7},"javascript":{"":36}},"A01:2025: Broken Access Control":{"go":{"":12},"php":{"":7},"java":{"":29},"ruby":{"":3},"rust":{"":6},"csharp":{"":73},"kotlin":{"":3},"python":{"":278},"generic":{"":8},"javascript":{"":37}},"A02:2017: Broken Authentication":{"go":{"":8},"js":{"":3},"rust":{"":10},"scala":{"":2},"csharp":{"":1},"kotlin":{"":4},"python":{"":4},"generic":{"":9},"javascript":{"":1}},"A05:2017: Broken Access Control":{"go":{"":6},"java":{"":5},"ruby":{"":2},"rust":{"":3},"csharp":{"":67},"python":{"":31},"generic":{"":1},"javascript":{"":19}},"A02:2021: Cryptographic Failures":{"go":{"":7},"kt":{"":1},"cpp":{"":4},"hcl":{"":2},"php":{"":3},"xml":{"":4},"html":{"":1},"java":{"":23},"ruby":{"":3},"scala":{"":1},"swift":{"":13},"csharp":{"":2},"kotlin":{"":2},"python":{"":20},"clojure":{"":2},"generic":{"":2},"terraform":{"":1},"javascript":{"":9}},"A04:2025: Cryptographic Failures":{"go":{"":7},"kt":{"":1},"cpp":{"":4},"hcl":{"":2},"php":{"":3},"xml":{"":4},"html":{"":1},"java":{"":23},"ruby":{"":3},"scala":{"":1},"swift":{"":13},"csharp":{"":2},"kotlin":{"":2},"python":{"":20},"clojure":{"":2},"generic":{"":2},"terraform":{"":1},"javascript":{"":9}},"A03:2017: Sensitive Data Exposure":{"go":{"":7},"kt":{"":1},"cpp":{"":3},"hcl":{"":2},"php":{"":2},"xml":{"":5},"html":{"":1},"java":{"":21},"ruby":{"":5},"swift":{"":8},"kotlin":{"":2},"python":{"":20},"clojure":{"":2},"generic":{"":2},"terraform":{"":1},"javascript":{"":7}},"A07:2025: Authentication 
Failures":{"go":{"":22},"js":{"":30},"py":{"":1},"cpp":{"":1},"hcl":{"":1},"php":{"":1},"xml":{"":1},"java":{"":22},"ruby":{"":24},"rust":{"":22},"swift":{"":8},"csharp":{"":11},"kotlin":{"":25},"python":{"":56},"javascript":{"":16}},"A05:2021-Security misconfiguration":{"python":{"":36}},"A08:2017: Insecure Deserialization":{"C#":{"":7},"go":{"":1},"php":{"":1},"java":{"":14},"ruby":{"":1},"swift":{"":2},"python":{"":69},"javascript":{"":1}},"A02:2021 – Cryptographic Failures":{"python":{"":3}},"A02:2025: Security Misconfiguration":{"go":{"":2},"cpp":{"":2},"hcl":{"":1},"php":{"":5},"java":{"":54},"yaml":{"":2},"scala":{"":3},"swift":{"":1},"csharp":{"":9},"python":{"":25},"clojure":{"":1},"generic":{"":3},"dockerfile":{"":1},"javascript":{"":13}},"A05:2021: Security Misconfiguration":{"go":{"":2},"cpp":{"":2},"hcl":{"":1},"php":{"":5},"java":{"":54},"yaml":{"":2},"scala":{"":3},"swift":{"":1},"csharp":{"":9},"python":{"":25},"clojure":{"":1},"generic":{"":5},"dockerfile":{"":1},"javascript":{"":13}},"A06:2017: Security Misconfiguration":{"php":{"":1},"java":{"":1},"yaml":{"":2},"csharp":{"":1},"python":{"":1},"generic":{"":1},"javascript":{"":1}},"A07:2017: Cross-Site Scripting (XSS)":{"go":{"":6},"php":{"":2},"java":{"":13},"ruby":{"":2},"scala":{"":1},"csharp":{"":4},"kotlin":{"":1},"python":{"":7},"generic":{"":3},"javascript":{"":12},"typescript":{"":17}},"A04:2017: XML External Entities (XXE)":{"go":{"":2},"cpp":{"":2},"php":{"":2},"java":{"":44},"scala":{"":3},"swift":{"":1},"csharp":{"":3},"python":{"":8},"clojure":{"":1},"javascript":{"":4}},"A05:2021 – Security Misconfiguration":{"go":{"":1},"python":{"":1}},"A10:2004: Insecure Configuration Management":{"java":{"":1}},"A10:2021: Server-Side Request Forgery (SSRF)":{"go":{"":6},"php":{"":6},"java":{"":14},"rust":{"":3},"csharp":{"":5},"kotlin":{"":2},"python":{"":236},"generic":{"":1},"javascript":{"":3}},"A08:2025: Software or Data Integrity 
Failures":{"C#":{"":7},"php":{"":1},"java":{"":14},"ruby":{"":1},"swift":{"":2},"csharp":{"":2},"python":{"":70},"generic":{"":5},"javascript":{"":2}},"A08:2021: Software and Data Integrity Failures":{"C#":{"":7},"go":{"":1},"php":{"":1},"java":{"":14},"ruby":{"":1},"swift":{"":2},"csharp":{"":2},"python":{"":70},"generic":{"":5},"javascript":{"":2}},"A09:2025: Security Logging & Alerting Failures":{"hcl":{"":1},"java":{"":1},"python":{"":4},"javascript":{"":2}},"A10:2025: Mishandling of Exceptional Conditions":{"cpp":{"":1}},"A09:2021: Security Logging and Monitoring Failures":{"hcl":{"":1},"java":{"":1},"python":{"":4},"javascript":{"":2}},"A7:2021 Identification and Authentication Failures":{"solidity":{"":1}},"A07:2021 Identification and Authentication Failures":{"yaml":{"":1}},"A07:2021: Identification and Authentication Failures":{"go":{"":22},"js":{"":30},"py":{"":1},"cpp":{"":1},"hcl":{"":1},"php":{"":1},"xml":{"":1},"java":{"":22},"ruby":{"":24},"rust":{"":22},"swift":{"":8},"csharp":{"":11},"kotlin":{"":25},"python":{"":56},"javascript":{"":16}}},"rules_with_no_owasp":["insecure-use-gets-fn","insecure-use-printf-fn","insecure-use-scanf-fn","sizeof-this","std-return-data","std-vector-invalidation","file-access-before-action","file-stat-before-action","world-writable-file","tainted-allocation-size","negative-return-value-array-index","missing-nul-cpp-string-memcpy","narrow-to-wide-string-mismatch","readlink-null-terminator","return-c-str","std-string-npos","string-view-data-null-terminator","string-view-temporary-string","wide-to-narrow-string-mismatch","dockerfile-dockerd-socket-mount","detected-onfido-live-api-token","open-redirect","jax-rs-better-files-regex-injection-uri-params","regexp-redos","cookies-default-express","dot-nestjs","create-de-cipher-no-iv","ktor-development-mode-conf","ktor-development-mode-gradle","ktor-development-mode-yaml","base-convert-loses-precision","tainted-dotenv-variable-django","tainted-regex-stdlib-django","nan-injection","t
ainted-dotenv-variable-fastapi","tainted-regex-stdlib-fastapi","debug-flask-passthrough-errors","active-debug-code-flask","tainted-dotenv-variable-flask","tainted-regex-stdlib-flask","nan-injection","divide-by-zero","reqwest-accept-invalid","rustls-dangerous","ssl-verify-none","skill-dangerous-command-wildcard","skill-network-bash-wildcard","skill-persistence-commands","skill-wildcard-all-tools","skill-preprocessing-encoding-network","balancer-readonly-reentrancy-getpooltokens","balancer-readonly-reentrancy-getrate","compound-borrowfresh-reentrancy","curve-readonly-reentrancy","encode-packed-collision","erc677-reentrancy","erc721-reentrancy","erc777-reentrancy","incorrect-use-of-blockhash","keeper-network-oracle-manipulation","no-bidi-characters","proxy-storage-collision","redacted-cartel-custom-approval-bug","rigoblock-missing-access-control","superfluid-ctx-injection","keychain-acl-allows-biometry-changes","keychain-accessible-always","insecure-biometrics","keychain-passcode-fallback","ATS-local-networking","ATS-consider-pinning","ATS-CA-pins","ATS-minimum-tls-version","swift-named-persistent-pasteboards","swift-forbidden-ios-apis","swift-webview-config-allows-js","swift-webview-config-base-url","swift-webview-config-allows-file-access","swift-webview-config-fraudulent-site-warning","swift-webview-config-https-upgrade","swift-webview-config-allows-js-open-windows","swift-webview-config-allows-universal-file-access"]}},"author":"Semgrep","counts":{"total_rules":1897,"premium_rules":1618},"hidden":true,"username":"semgrep","description":"This ruleset is intended to produce low false positives and to be safe for use in CI/CD pipelines.","id":"WrQj","name":"default-v2","visibility":"public","categories":[]},{"stats":{"cwe":{"totals":{"":30,"CWE-415: Double Free":2,"CWE-91: XML Injection":1,"CWE-35: Path Traversal":1,"CWE-369: Divide By Zero":1,"CWE-416: Use After Free":6,"CWE-114: Process Control":1,"CWE-328: Use of Weak Hash":18,"CWE-384: Session 
Fixation":1,"CWE-667: Improper Locking":4,"CWE-489: Active Debug Code":18,"CWE-125: Out-of-bounds Read":8,"CWE-787: Out-of-bounds Write":5,"CWE-1390: Weak Authentication":1,"CWE-310: Cryptographic Issues":1,"CWE-697: Incorrect Comparison":1,"CWE-778: Insufficient Logging":5,"CWE-682: Incorrect Calculation":3,"CWE-862: Missing Authorization":1,"CWE-23: Relative Path Traversal":2,"CWE-252: Unchecked Return Value":1,"CWE-284: Improper Access Control":10,"CWE-287: Improper Authentication":63,"CWE-346: Origin Validation Error":10,"CWE-377: Insecure Temporary File":2,"CWE-506: Embedded Malicious Code":1,"CWE-665: Improper Initialization":2,"CWE-20: Improper Input Validation":4,"CWE-262: Not Using Password Aging":2,"CWE-476: NULL Pointer Dereference":2,"CWE-477: Use of Obsolete Function":3,"CWE-501: Trust Boundary Violation":3,"CWE-272: Least Privilege Violation":12,"CWE-115: Misinterpretation of Input":1,"CWE-16: CWE CATEGORY: Configuration":4,"CWE-259: Use of Hard-coded Password":1,"CWE-521: Weak Password Requirements":3,"CWE-693: Protection Mechanism Failure":2,"CWE-269: Improper Privilege Management":10,"CWE-276: Incorrect Default Permissions":4,"CWE-798: Use of Hard-coded Credentials":218,"CWE-190: Integer Overflow or Wraparound":1,"CWE-326: Inadequate Encryption Strength":41,"CWE-295: Improper Certificate Validation":16,"CWE-613: Insufficient Session Expiration":3,"CWE-427: Uncontrolled Search Path Element":1,"CWE-183: Permissive List of Allowed Inputs":3,"CWE-341: Predictable from Observable State":1,"CWE-352: Cross-Site Request Forgery (CSRF)":21,"CWE-400: Uncontrolled Resource Consumption":2,"CWE-467: Use of sizeof() on a Pointer Type":2,"CWE-502: Deserialization of Untrusted Data":123,"CWE-704: Incorrect Type Conversion or Cast":5,"CWE-780: Use of RSA Algorithm without OAEP":1,"CWE-300: Channel Accessible by Non-Endpoint":3,"CWE-310: CWE CATEGORY: Cryptographic Issues":2,"CWE-918: Server-Side Request Forgery (SSRF)":348,"CWE-320: CWE CATEGORY: Key Management 
Errors":24,"CWE-321: Use of Hard-coded Cryptographic Key":3,"CWE-330: Use of Insufficiently Random Values":3,"CWE-353: Missing Support for Integrity Check":1,"CWE-131: Incorrect Calculation of Buffer Size":1,"CWE-311: Missing Encryption of Sensitive Data":13,"CWE-522: Insufficiently Protected Credentials":34,"CWE-523: Unprotected Transport of Credentials":1,"CWE-668: Exposure of Resource to Wrong Sphere":2,"CWE-73: External Control of File Name or Path":111,"CWE-749: Exposed Dangerous Method or Function":1,"CWE-250: Execution with Unnecessary Privileges":11,"CWE-676: Use of Potentially Dangerous Function":5,"CWE-116: Improper Encoding or Escaping of Output":2,"CWE-117: Improper Output Neutralization for Logs":6,"CWE-323: Reusing a Nonce, Key Pair in Encryption":2,"CWE-673: External Influence of Sphere Definition":1,"CWE-14: Compiler Removal of Code to Clear Buffers":1,"CWE-494: Download of Code Without Integrity Check":11,"CWE-91: XML Injection (aka Blind XPath Injection)":1,"CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag":22,"CWE-305: Authentication Bypass by Primary Weakness":3,"CWE-922: Insecure Storage of Sensitive Information":3,"CWE-1333: Inefficient Regular Expression Complexity":8,"CWE-134: Use of Externally-Controlled Format String":4,"CWE-322: Key Exchange without Entity Authentication":2,"CWE-329: Generation of Predictable IV with CBC Mode":2,"CWE-509: Replicating Malicious Code (Virus or Worm)":1,"CWE-681: Incorrect Conversion between Numeric Types":1,"CWE-1104: Use of Unmaintained Third Party Components":2,"CWE-1220: Insufficient Granularity of Access Control":8,"CWE-242: Use of Inherently Dangerous Function (4.12)":1,"CWE-841: Improper Enforcement of Behavioral Workflow":7,"CWE-1323: Improper Management of Sensitive Trace Data":1,"CWE-306: Missing Authentication for Critical Function":2,"CWE-706: Use of Incorrectly-Resolved Name or Reference":4,"CWE-11: ASP.NET Misconfiguration: Creating Debug Binary":1,"CWE-1204: Generation of Weak Initialization 
Vector (IV)":1,"CWE-345: Insufficient Verification of Data Authenticity":9,"CWE-319: Cleartext Transmission of Sensitive Information":77,"CWE-837: Improper Enforcement of a Single, Unique Action":1,"CWE-327: Use of a Broken or Risky Cryptographic Algorithm":86,"CWE-347: Improper Verification of Cryptographic Signature":1,"CWE-532: Insertion of Sensitive Information into Log File":2,"CWE-553: Command Shell in Externally Accessible Directory":1,"CWE-639: Authorization Bypass Through User-Controlled Key":1,"CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition":2,"CWE-548: Exposure of Information Through Directory Listing":1,"CWE-926: Improper Export of Android Application Components":1,"CWE-1275: Sensitive Cookie with Improper SameSite Attribute":14,"CWE-358: Improperly Implemented Security Check for Standard":36,"CWE-601: URL Redirection to Untrusted Site ('Open Redirect')":29,"CWE-296: Improper Following of a Certificate's Chain of Trust":1,"CWE-441: Unintended Proxy or Intermediary ('Confused Deputy')":2,"CWE-770: Allocation of Resources Without Limits or Throttling":1,"CWE-297: Improper Validation of Certificate with Host Mismatch":1,"CWE-611: Improper Restriction of XML External Entity Reference":84,"CWE-732: Incorrect Permission Assignment for Critical Resource":20,"CWE-942: Permissive Cross-domain Policy with Untrusted Domains":5,"CWE-913: Improper Control of Dynamically-Managed Code Resources":3,"CWE-939: Improper Authorization in Handler for Custom URL Scheme":1,"CWE-155: Improper Neutralization of Wildcards or Matching Symbols":1,"CWE-829: Inclusion of Functionality from Untrusted Control Sphere":1,"CWE-94: Improper Control of Generation of Code ('Code Injection')":99,"CWE-337: Predictable Seed in Pseudo-Random Number Generator (PRNG)":2,"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor":19,"CWE-264: CWE CATEGORY: Permissions, Privileges, and Access Controls":2,"CWE-454: External Initialization of Trusted Variables or Data 
Stores":7,"CWE-916: Use of Password Hash With Insufficient Computational Effort":4,"CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')":4,"CWE-209: Generation of Error Message Containing Sensitive Information":1,"CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute":29,"CWE-644: Improper Neutralization of HTTP Headers for Scripting Syntax":36,"CWE-150: Improper Neutralization of Escape, Meta, or Control Sequences":1,"CWE-323: Nonces should be used for the present occasion and only once.":1,"CWE-451: User Interface (UI) Misrepresentation of Critical Information":1,"CWE-688: Function Call With Incorrect Variable or Reference as Argument":3,"CWE-943: Improper Neutralization of Special Elements in Data Query Logic":26,"CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)":3,"CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')":2,"CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine":2,"CWE-406: Insufficient Control of Network Message Volume (Network Amplification)":1,"CWE-774: Allocation of File Descriptors or Handles Without Limits or Throttling":1,"CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer":1,"CWE-643: Improper Neutralization of Data within XPath Expressions ('XPath Injection')":13,"CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)":1,"CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')":157,"CWE-757: Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')":1,"CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes":11,"CWE-538: Insertion of Sensitive Information into Externally-Accessible File or Directory":1,"CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')":3,"CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe 
Reflection')":3,"CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')":3,"CWE-79:Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')":1,"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')":149,"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')":346,"CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')":26,"CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')":44,"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')":27,"CWE-75: Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)":3,"CWE-96: Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')":6,"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')":105,"CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')":2,"CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')":2,"CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')":5,"CWE-329: Not using a random initialization Vector (IV) with Cipher Block Chaining (CBC) Mode causes algorithms to be susceptible to dictionary attacks.":1},"per_framework":{"":{"hcl":{"":1},"ocaml":{"":5},"python":{"":24}},"CWE-415: Double Free":{"cpp":{"":2}},"CWE-91: XML Injection":{"python":{"":1}},"CWE-35: Path Traversal":{"swift":{"":1}},"CWE-369: Divide By Zero":{"ruby":{"":1}},"CWE-416: Use After Free":{"cpp":{"":6}},"CWE-114: Process Control":{"cpp":{"":1}},"CWE-328: Use of Weak Hash":{"go":{"":3},"kt":{"":1},"cpp":{"":1},"php":{"":1},"java":{"":4},"ruby":{"":3},"csharp":{"":1},"python":{"":2},"clojure":{"":2}},"CWE-384: Session 
Fixation":{"javascript":{"":1}},"CWE-667: Improper Locking":{"go":{"":4}},"CWE-489: Active Debug Code":{"go":{"":2},"php":{"":1},"java":{"":2},"yaml":{"":2},"regex":{"":1},"kotlin":{"":1},"python":{"":7},"generic":{"":2}},"CWE-125: Out-of-bounds Read":{"C#":{"":1},"cpp":{"":7}},"CWE-787: Out-of-bounds Write":{"cpp":{"":4},"solidity":{"":1}},"CWE-1390: Weak Authentication":{"hcl":{"":1}},"CWE-310: Cryptographic Issues":{"python":{"":1}},"CWE-697: Incorrect Comparison":{"php":{"":1}},"CWE-778: Insufficient Logging":{"hcl":{"":5}},"CWE-682: Incorrect Calculation":{"solidity":{"":3}},"CWE-862: Missing Authorization":{"dockerfile":{"":1}},"CWE-23: Relative Path Traversal":{"php":{"":1},"java":{"":1}},"CWE-252: Unchecked Return Value":{"php":{"":1}},"CWE-284: Improper Access Control":{"php":{"":1},"yaml":{"":3},"generic":{"":2},"solidity":{"":4}},"CWE-287: Improper Authentication":{"go":{"":8},"js":{"":7},"kt":{"":1},"hcl":{"":3},"php":{"":1},"java":{"":1},"ruby":{"":6},"rust":{"":10},"yaml":{"":1},"swift":{"":1},"kotlin":{"":4},"python":{"":19},"javascript":{"":1}},"CWE-346: Origin Validation Error":{"php":{"":2},"java":{"":1},"generic":{"":1},"javascript":{"":6}},"CWE-377: Insecure Temporary File":{"go":{"":1},"python":{"":1}},"CWE-506: Embedded Malicious Code":{"generic":{"":1}},"CWE-665: Improper Initialization":{"go":{"":2}},"CWE-20: Improper Input Validation":{"bash":{"":1},"python":{"":1},"solidity":{"":2}},"CWE-262: Not Using Password Aging":{"hcl":{"":2}},"CWE-476: NULL Pointer Dereference":{"go":{"":1},"cpp":{"":1}},"CWE-477: Use of Obsolete Function":{"swift":{"":2},"python":{"":1}},"CWE-501: Trust Boundary Violation":{"java":{"":3}},"CWE-272: Least Privilege Violation":{"xml":{"":2},"swift":{"":10}},"CWE-115: Misinterpretation of Input":{"go":{"":1}},"CWE-16: CWE CATEGORY: Configuration":{"hcl":{"":1},"generic":{"":3}},"CWE-259: Use of Hard-coded Password":{"swift":{"":1}},"CWE-521: Weak Password Requirements":{"python":{"":3}},"CWE-693: Protection Mechanism 
Failure":{"hcl":{"":1},"yaml":{"":1}},"CWE-269: Improper Privilege Management":{"hcl":{"":4},"java":{"":1},"yaml":{"":2},"dockerfile":{"":3}},"CWE-276: Incorrect Default Permissions":{"java":{"":1},"ruby":{"":2},"python":{"":1}},"CWE-798: Use of Hard-coded Credentials":{"go":{"":11},"js":{"":24},"py":{"":1},"hcl":{"":1},"php":{"":1},"java":{"":22},"ruby":{"":18},"rust":{"":12},"regex":{"":39},"swift":{"":7},"csharp":{"":10},"kotlin":{"":22},"python":{"":38},"generic":{"":4},"javascript":{"":8}},"CWE-190: Integer Overflow or Wraparound":{"php":{"":1}},"CWE-326: Inadequate Encryption Strength":{"go":{"":1},"kt":{"":2},"cpp":{"":1},"hcl":{"":15},"java":{"":7},"ruby":{"":1},"swift":{"":2},"python":{"":8},"generic":{"":2},"terraform":{"":1},"javascript":{"":1}},"CWE-295: Improper Certificate Validation":{"cpp":{"":2},"hcl":{"":1},"xml":{"":1},"java":{"":2},"ruby":{"":1},"rust":{"":3},"swift":{"":1},"csharp":{"":1},"python":{"":4}},"CWE-613: Insufficient Session Expiration":{"csharp":{"":1},"python":{"":2}},"CWE-427: Uncontrolled Search Path Element":{"dockerfile":{"":1}},"CWE-183: Permissive List of Allowed Inputs":{"ts":{"":1},"java":{"":1},"typescript":{"":1}},"CWE-341: Predictable from Observable State":{"solidity":{"":1}},"CWE-352: Cross-Site Request Forgery (CSRF)":{"go":{"":4},"php":{"":3},"java":{"":3},"ruby":{"":2},"csharp":{"":1},"python":{"":5},"generic":{"":1},"javascript":{"":2}},"CWE-400: Uncontrolled Resource Consumption":{"go":{"":1},"javascript":{"":1}},"CWE-467: Use of sizeof() on a Pointer Type":{"cpp":{"":2}},"CWE-502: Deserialization of Untrusted Data":{"C#":{"":9},"go":{"":1},"php":{"":2},"java":{"":21},"ruby":{"":2},"swift":{"":2},"csharp":{"":1},"python":{"":83},"javascript":{"":2}},"CWE-704: Incorrect Type Conversion or Cast":{"kt":{"":1},"java":{"":1},"python":{"":3}},"CWE-780: Use of RSA Algorithm without OAEP":{"scala":{"":1}},"CWE-300: Channel Accessible by Non-Endpoint":{"go":{"":3}},"CWE-310: CWE CATEGORY: Cryptographic 
Issues":{"javascript":{"":2}},"CWE-918: Server-Side Request Forgery (SSRF)":{"go":{"":5},"cpp":{"":1},"php":{"":7},"java":{"":17},"ruby":{"":1},"rust":{"":3},"scala":{"":4},"csharp":{"":8},"kotlin":{"":2},"python":{"":278},"generic":{"":1},"javascript":{"":21}},"CWE-320: CWE CATEGORY: Key Management Errors":{"hcl":{"":24}},"CWE-321: Use of Hard-coded Cryptographic Key":{"regex":{"":1},"swift":{"":2}},"CWE-330: Use of Insufficiently Random Values":{"java":{"":1},"scala":{"":1},"python":{"":1}},"CWE-353: Missing Support for Integrity Check":{"generic":{"":1}},"CWE-131: Incorrect Calculation of Buffer Size":{"cpp":{"":1}},"CWE-311: Missing Encryption of Sensitive Data":{"ts":{"":1},"hcl":{"":7},"ruby":{"":1},"swift":{"":3},"typescript":{"":1}},"CWE-522: Insufficiently Protected Credentials":{"hcl":{"":1},"ruby":{"":3},"scala":{"":2},"python":{"":3},"generic":{"":15},"javascript":{"":10}},"CWE-523: Unprotected Transport of Credentials":{"python":{"":1}},"CWE-668: Exposure of Resource to Wrong Sphere":{"python":{"":2}},"CWE-73: External Control of File Name or Path":{"ruby":{"":1},"python":{"":109},"javascript":{"":1}},"CWE-749: Exposed Dangerous Method or Function":{"yaml":{"":1}},"CWE-250: Execution with Unnecessary Privileges":{"hcl":{"":2},"json":{"":1},"yaml":{"":5},"python":{"":1},"dockerfile":{"":2}},"CWE-676: Use of Potentially Dangerous Function":{"c":{"":3},"php":{"":1},"python":{"":1}},"CWE-116: Improper Encoding or Escaping of Output":{"javascript":{"":2}},"CWE-117: Improper Output Neutralization for Logs":{"python":{"":4},"javascript":{"":2}},"CWE-323: Reusing a Nonce, Key Pair in Encryption":{"kt":{"":1},"java":{"":1}},"CWE-673: External Influence of Sphere Definition":{"python":{"":1}},"CWE-14: Compiler Removal of Code to Clear Buffers":{"cpp":{"":1}},"CWE-494: Download of Code Without Integrity Check":{"generic":{"":11}},"CWE-91: XML Injection (aka Blind XPath Injection)":{"java":{"":1}},"CWE-1004: Sensitive Cookie Without 'HttpOnly' 
Flag":{"go":{"":2},"kt":{"":1},"php":{"":1},"java":{"":5},"csharp":{"":2},"python":{"":7},"javascript":{"":4}},"CWE-305: Authentication Bypass by Primary Weakness":{"swift":{"":3}},"CWE-922: Insecure Storage of Sensitive Information":{"swift":{"":1},"typescript":{"":2}},"CWE-1333: Inefficient Regular Expression Complexity":{"C#":{"":2},"java":{"":1},"ruby":{"":1},"python":{"":3},"javascript":{"":1}},"CWE-134: Use of Externally-Controlled Format String":{"cpp":{"":1},"swift":{"":1},"python":{"":1},"javascript":{"":1}},"CWE-322: Key Exchange without Entity Authentication":{"go":{"":1},"python":{"":1}},"CWE-329: Generation of Predictable IV with CBC Mode":{"php":{"":1},"java":{"":1}},"CWE-509: Replicating Malicious Code (Virus or Worm)":{"yaml":{"":1}},"CWE-681: Incorrect Conversion between Numeric Types":{"go":{"":1}},"CWE-1104: Use of Unmaintained Third Party Components":{"hcl":{"":1},"javascript":{"":1}},"CWE-1220: Insufficient Granularity of Access Control":{"hcl":{"":8}},"CWE-242: Use of Inherently Dangerous Function (4.12)":{"ocaml":{"":1}},"CWE-841: Improper Enforcement of Behavioral Workflow":{"solidity":{"":7}},"CWE-1323: Improper Management of Sensitive Trace Data":{"generic":{"":1}},"CWE-306: Missing Authentication for Critical Function":{"ts":{"":2}},"CWE-706: Use of Incorrectly-Resolved Name or Reference":{"C#":{"":1},"python":{"":1},"javascript":{"":2}},"CWE-11: ASP.NET Misconfiguration: Creating Debug Binary":{"generic":{"":1}},"CWE-1204: Generation of Weak Initialization Vector (IV)":{"javascript":{"":1}},"CWE-345: Insufficient Verification of Data Authenticity":{"go":{"":1},"hcl":{"":1},"java":{"":1},"ruby":{"":1},"csharp":{"":1},"javascript":{"":4}},"CWE-319: Cleartext Transmission of Sensitive Information":{"go":{"":10},"kt":{"":1},"ts":{"":1},"cpp":{"":1},"hcl":{"":2},"php":{"":2},"xml":{"":3},"html":{"":1},"java":{"":17},"ruby":{"":5},"yaml":{"":2},"regex":{"":1},"python":{"":19},"generic":{"":1},"javascript":{"":10},"typescript":{"":1}},"CWE-837: 
Improper Enforcement of a Single, Unique Action":{"solidity":{"":1}},"CWE-327: Use of a Broken or Risky Cryptographic Algorithm":{"go":{"":8},"js":{"":1},"kt":{"":3},"cpp":{"":2},"php":{"":1},"xml":{"":1},"java":{"":12},"ruby":{"":2},"swift":{"":9},"csharp":{"":5},"kotlin":{"":2},"python":{"":31},"clojure":{"":1},"javascript":{"":8}},"CWE-347: Improper Verification of Cryptographic Signature":{"javascript":{"":1}},"CWE-532: Insertion of Sensitive Information into Log File":{"java":{"":1},"python":{"":1}},"CWE-553: Command Shell in Externally Accessible Directory":{"python":{"":1}},"CWE-639: Authorization Bypass Through User-Controlled Key":{"ruby":{"":1}},"CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition":{"cpp":{"":2}},"CWE-548: Exposure of Information Through Directory Listing":{"javascript":{"":1}},"CWE-926: Improper Export of Android Application Components":{"generic":{"":1}},"CWE-1275: Sensitive Cookie with Improper SameSite Attribute":{"go":{"":1},"java":{"":1},"csharp":{"":1},"python":{"":6},"javascript":{"":5}},"CWE-358: Improperly Implemented Security Check for Standard":{"python":{"":36}},"CWE-601: URL Redirection to Untrusted Site ('Open Redirect')":{"go":{"":1},"php":{"":1},"java":{"":11},"ruby":{"":2},"kotlin":{"":1},"python":{"":4},"javascript":{"":8},"typescript":{"":1}},"CWE-296: Improper Following of a Certificate's Chain of Trust":{"xml":{"":1}},"CWE-441: Unintended Proxy or Intermediary ('Confused Deputy')":{"yaml":{"":1},"generic":{"":1}},"CWE-770: Allocation of Resources Without Limits or Throttling":{"python":{"":1}},"CWE-297: Improper Validation of Certificate with Host Mismatch":{"java":{"":1}},"CWE-611: Improper Restriction of XML External Entity Reference":{"go":{"":2},"cpp":{"":4},"php":{"":4},"java":{"":47},"scala":{"":3},"swift":{"":1},"csharp":{"":4},"python":{"":8},"clojure":{"":1},"javascript":{"":10}},"CWE-732: Incorrect Permission Assignment for Critical 
Resource":{"cpp":{"":1},"hcl":{"":8},"yaml":{"":5},"generic":{"":5},"javascript":{"":1}},"CWE-942: Permissive Cross-domain Policy with Untrusted Domains":{"hcl":{"":1},"csharp":{"":2},"python":{"":2}},"CWE-913: Improper Control of Dynamically-Managed Code Resources":{"go":{"":2},"yaml":{"":1}},"CWE-939: Improper Authorization in Handler for Custom URL Scheme":{"python":{"":1}},"CWE-155: Improper Neutralization of Wildcards or Matching Symbols":{"python":{"":1}},"CWE-829: Inclusion of Functionality from Untrusted Control Sphere":{"yaml":{"":1}},"CWE-94: Improper Control of Generation of Code ('Code Injection')":{"go":{"":4},"php":{"":7},"bash":{"":2},"java":{"":5},"ruby":{"":10},"yaml":{"":2},"csharp":{"":3},"kotlin":{"":1},"python":{"":35},"generic":{"":3},"terraform":{"":1},"javascript":{"":26}},"CWE-337: Predictable Seed in Pseudo-Random Number Generator (PRNG)":{"cpp":{"":2}},"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor":{"go":{"":1},"hcl":{"":7},"php":{"":1},"java":{"":2},"ruby":{"":1},"python":{"":1},"generic":{"":6}},"CWE-264: CWE CATEGORY: Permissions, Privileges, and Access Controls":{"json":{"":2}},"CWE-454: External Initialization of Trusted Variables or Data Stores":{"java":{"":1},"python":{"":6}},"CWE-916: Use of Password Hash With Insufficient Computational Effort":{"swift":{"":3},"javascript":{"":1}},"CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')":{"java":{"":3},"python":{"":1}},"CWE-209: Generation of Error Message Containing Sensitive Information":{"csharp":{"":1}},"CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute":{"go":{"":2},"kt":{"":1},"php":{"":1},"java":{"":5},"csharp":{"":2},"python":{"":11},"generic":{"":3},"javascript":{"":4}},"CWE-644: Improper Neutralization of HTTP Headers for Scripting Syntax":{"java":{"":2},"python":{"":34}},"CWE-150: Improper Neutralization of Escape, Meta, or Control Sequences":{"regex":{"":1}},"CWE-323: Nonces should be used for the present occasion 
and only once.":{"swift":{"":1}},"CWE-451: User Interface (UI) Misrepresentation of Critical Information":{"javascript":{"":1}},"CWE-688: Function Call With Incorrect Variable or Reference as Argument":{"go":{"":1},"solidity":{"":2}},"CWE-943: Improper Neutralization of Special Elements in Data Query Logic":{"go":{"":4},"rust":{"":3},"csharp":{"":2},"kotlin":{"":5},"python":{"":4},"javascript":{"":8}},"CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)":{"go":{"":1},"csharp":{"":1},"javascript":{"":1}},"CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')":{"cpp":{"":2}},"CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine":{"javascript":{"":2}},"CWE-406: Insufficient Control of Network Message Volume (Network Amplification)":{"yaml":{"":1}},"CWE-774: Allocation of File Descriptors or Handles Without Limits or Throttling":{"c":{"":1}},"CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer":{"javascript":{"":1}},"CWE-643: Improper Neutralization of Data within XPath Expressions ('XPath Injection')":{"java":{"":7},"csharp":{"":2},"python":{"":3},"javascript":{"":1}},"CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)":{"javascript":{"":1}},"CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')":{"go":{"":7},"cpp":{"":1},"php":{"":3},"java":{"":10},"ruby":{"":5},"rust":{"":3},"scala":{"":1},"csharp":{"":67},"python":{"":37},"generic":{"":1},"javascript":{"":22}},"CWE-757: Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')":{"xml":{"":1}},"CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes":{"ruby":{"":5},"csharp":{"":1},"python":{"":2},"javascript":{"":2},"typescript":{"":1}},"CWE-538: Insertion of Sensitive Information into Externally-Accessible File or Directory":{"generic":{"":1}},"CWE-444: Inconsistent Interpretation of HTTP 
Requests ('HTTP Request/Response Smuggling')":{"hcl":{"":2},"generic":{"":1}},"CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')":{"go":{"":1},"php":{"":1},"java":{"":1}},"CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')":{"python":{"":1},"terraform":{"":1},"javascript":{"":1}},"CWE-79:Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')":{"swift":{"":1}},"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')":{"go":{"":17},"php":{"":4},"java":{"":18},"ruby":{"":10},"regex":{"":10},"scala":{"":1},"swift":{"":1},"csharp":{"":4},"kotlin":{"":1},"python":{"":25},"generic":{"":16},"javascript":{"":24},"typescript":{"":18}},"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')":{"go":{"":25},"cpp":{"":1},"php":{"":9},"java":{"":26},"ruby":{"":9},"rust":{"":12},"scala":{"":4},"swift":{"":1},"csharp":{"":35},"kotlin":{"":6},"python":{"":179},"javascript":{"":39}},"CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')":{"cpp":{"":2},"java":{"":6},"python":{"":18}},"CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')":{"java":{"":25},"kotlin":{"":15},"python":{"":4}},"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')":{"php":{"":1},"bash":{"":2},"java":{"":4},"python":{"":14},"generic":{"":2},"javascript":{"":4}},"CWE-75: Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)":{"python":{"":3}},"CWE-96: Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')":{"python":{"":6}},"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command 
Injection')":{"go":{"":8},"kt":{"":1},"cpp":{"":2},"php":{"":6},"java":{"":13},"ruby":{"":1},"rust":{"":6},"yaml":{"":3},"scala":{"":3},"csharp":{"":3},"kotlin":{"":1},"python":{"":38},"generic":{"":8},"javascript":{"":12}},"CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')":{"go":{"":2}},"CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')":{"java":{"":1},"generic":{"":1}},"CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')":{"python":{"":2},"javascript":{"":3}},"CWE-329: Not using a random initialization Vector (IV) with Cipher Block Chaining (CBC) Mode causes algorithms to be susceptible to dictionary attacks.":{"swift":{"":1}}},"rules_with_no_cwe":["deprecated-pervasives","broken-input-line","prefer-read-in-binary-mode","prefer-write-in-binary-mode","not-portable-tmp-string","flask-cache-query-string","python36-compatibility-Popen1","python36-compatibility-Popen2","python36-compatibility-ssl","python37-compatibility-httpconn","python37-compatibility-httpsconn","python37-compatibility-importlib","python37-compatibility-importlib2","python37-compatibility-importlib3","python37-compatibility-ipv4network1","python37-compatibility-ipv4network2","python37-compatibility-ipv6network1","python37-compatibility-ipv6network2","python37-compatibility-locale1","python37-compatibility-math1","python37-compatibility-multiprocess1","python37-compatibility-multiprocess2","python37-compatibility-os1","python37-compatibility-os2-ok2","python37-compatibility-pdb","python37-compatibility-textiowrapper","batch-import","len-all-count","keyvault-content-type-for-secret","numpy-in-pytorch-modules"]},"owasp":{"totals":{"":178,"A01:2017: Injection":518,"A03:2021: Injection":836,"A05:2025: Injection":836,"A03:2021 – Injection":1,"A04:2021 Insecure Design":2,"A6:2017 misconfiguration":1,"A04:2021: Insecure Design":179,"A06:2025: 
Insecure Design":179,"LLM08:2023: Excessive Agency":1,"A01:2021: Broken Access Control":274,"A01:2025: Broken Access Control":621,"A02:2017: Broken Authentication":72,"A05:2017: Broken Access Control":170,"A3:2017 Sensitive Data Exposure":1,"A02:2021: Cryptographic Failures":211,"A04:2025: Cryptographic Failures":211,"A8:2017 Insecure Deserialization":1,"A03:2017: Sensitive Data Exposure":270,"A05:2017: Sensitive Data Exposure":1,"A07:2025: Authentication Failures":316,"A5:2021 Security Misconfiguration":1,"A05:2021-Security misconfiguration":36,"A08:2017: Insecure Deserialization":119,"A02:2021 – Cryptographic Failures":2,"A02:2025: Security Misconfiguration":195,"A05:2021: Security Misconfiguration":197,"A06:2017: Security Misconfiguration":29,"A07:2017: Cross-Site Scripting (XSS)":151,"A04:2017: XML External Entities (XXE)":102,"A03:2025: Software Supply Chain Failures":2,"A10:2004: Insecure Configuration Management":2,"A10:2017: Insufficient Logging & Monitoring":3,"A06:2021: Vulnerable and Outdated Components":2,"A10:2021: Server-Side Request Forgery (SSRF)":348,"A8:2021 Software and Data Integrity Failures":1,"A08:2025: Software or Data Integrity Failures":149,"A08:2021: Software and Data Integrity Failures":151,"A08:2025: Software and Data Integrity Failures":1,"A09:2025: Security Logging & Alerting Failures":13,"A10:2025: Mishandling of Exceptional Conditions":1,"A09:2021 Security Logging and Monitoring Failures":1,"A09:2021: Security Logging and Monitoring Failures":13,"A7:2021 Identification and Authentication Failures":1,"A07:2021 Identification and Authentication Failures":1,"A07:2021: Identification and Authentication 
Failures":316},"per_framework":{"":{"c":{"":4},"go":{"":14},"js":{"":1},"cpp":{"":30},"hcl":{"":5},"php":{"":3},"xml":{"":4},"java":{"":1},"ruby":{"":1},"rust":{"":3},"yaml":{"":5},"ocaml":{"":6},"regex":{"":1},"swift":{"":16},"kotlin":{"":1},"python":{"":48},"generic":{"":8},"solidity":{"":20},"dockerfile":{"":2},"javascript":{"":5}},"A01:2017: Injection":{"C#":{"":2},"go":{"":37},"kt":{"":1},"cpp":{"":5},"php":{"":15},"java":{"":49},"ruby":{"":10},"rust":{"":21},"yaml":{"":4},"scala":{"":7},"swift":{"":1},"csharp":{"":40},"kotlin":{"":12},"python":{"":243},"generic":{"":9},"terraform":{"":1},"javascript":{"":61}},"A03:2021: Injection":{"go":{"":55},"kt":{"":1},"cpp":{"":5},"php":{"":28},"bash":{"":5},"java":{"":88},"ruby":{"":30},"rust":{"":18},"yaml":{"":4},"regex":{"":10},"scala":{"":8},"swift":{"":3},"csharp":{"":47},"kotlin":{"":9},"python":{"":362},"generic":{"":30},"terraform":{"":1},"javascript":{"":114},"typescript":{"":18}},"A05:2025: Injection":{"go":{"":55},"kt":{"":1},"cpp":{"":5},"php":{"":28},"bash":{"":5},"java":{"":88},"ruby":{"":30},"rust":{"":18},"yaml":{"":4},"regex":{"":10},"scala":{"":8},"swift":{"":3},"csharp":{"":47},"kotlin":{"":9},"python":{"":362},"generic":{"":30},"terraform":{"":1},"javascript":{"":114},"typescript":{"":18}},"A03:2021 – Injection":{"yaml":{"":1}},"A04:2021 Insecure Design":{"yaml":{"":2}},"A6:2017 misconfiguration":{"python":{"":1}},"A04:2021: Insecure Design":{"C#":{"":1},"ts":{"":2},"hcl":{"":14},"java":{"":5},"ruby":{"":5},"yaml":{"":1},"scala":{"":2},"swift":{"":3},"csharp":{"":1},"python":{"":112},"generic":{"":16},"dockerfile":{"":3},"javascript":{"":12},"typescript":{"":2}},"A06:2025: Insecure Design":{"C#":{"":1},"ts":{"":2},"hcl":{"":14},"java":{"":5},"ruby":{"":5},"yaml":{"":1},"scala":{"":2},"swift":{"":3},"csharp":{"":1},"python":{"":112},"generic":{"":16},"dockerfile":{"":3},"javascript":{"":12},"typescript":{"":2}},"LLM08:2023: Excessive Agency":{"yaml":{"":1}},"A01:2021: Broken Access 
Control":{"C#":{"":1},"go":{"":15},"cpp":{"":1},"hcl":{"":15},"php":{"":8},"java":{"":29},"json":{"":2},"ruby":{"":13},"rust":{"":3},"yaml":{"":3},"scala":{"":1},"swift":{"":2},"csharp":{"":69},"kotlin":{"":1},"python":{"":57},"generic":{"":10},"javascript":{"":41},"typescript":{"":3}},"A01:2025: Broken Access Control":{"C#":{"":1},"go":{"":20},"cpp":{"":2},"hcl":{"":15},"php":{"":14},"java":{"":46},"json":{"":2},"ruby":{"":14},"rust":{"":6},"yaml":{"":3},"scala":{"":5},"swift":{"":2},"csharp":{"":77},"kotlin":{"":3},"python":{"":335},"generic":{"":11},"javascript":{"":62},"typescript":{"":3}},"A02:2017: Broken Authentication":{"go":{"":8},"js":{"":3},"kt":{"":1},"hcl":{"":4},"php":{"":1},"java":{"":1},"ruby":{"":3},"rust":{"":10},"scala":{"":2},"swift":{"":1},"csharp":{"":1},"kotlin":{"":4},"python":{"":7},"generic":{"":15},"javascript":{"":11}},"A05:2017: Broken Access Control":{"go":{"":10},"cpp":{"":1},"hcl":{"":6},"php":{"":1},"java":{"":10},"ruby":{"":6},"rust":{"":3},"yaml":{"":3},"scala":{"":1},"csharp":{"":67},"python":{"":36},"generic":{"":3},"javascript":{"":23}},"A3:2017 Sensitive Data Exposure":{"generic":{"":1}},"A02:2021: Cryptographic Failures":{"go":{"":15},"js":{"":1},"kt":{"":8},"ts":{"":1},"cpp":{"":7},"hcl":{"":18},"php":{"":6},"xml":{"":4},"html":{"":1},"java":{"":28},"ruby":{"":6},"yaml":{"":2},"regex":{"":2},"scala":{"":2},"swift":{"":18},"csharp":{"":7},"kotlin":{"":2},"python":{"":60},"clojure":{"":2},"generic":{"":3},"terraform":{"":1},"javascript":{"":16},"typescript":{"":1}},"A04:2025: Cryptographic Failures":{"go":{"":15},"js":{"":1},"kt":{"":8},"ts":{"":1},"cpp":{"":7},"hcl":{"":18},"php":{"":6},"xml":{"":4},"html":{"":1},"java":{"":28},"ruby":{"":6},"yaml":{"":2},"regex":{"":2},"scala":{"":2},"swift":{"":18},"csharp":{"":7},"kotlin":{"":2},"python":{"":60},"clojure":{"":2},"generic":{"":3},"terraform":{"":1},"javascript":{"":16},"typescript":{"":1}},"A8:2017 Insecure Deserialization":{"java":{"":1}},"A03:2017: Sensitive Data 
Exposure":{"go":{"":22},"js":{"":1},"kt":{"":8},"ts":{"":2},"cpp":{"":7},"hcl":{"":49},"php":{"":4},"xml":{"":5},"html":{"":1},"java":{"":43},"ruby":{"":14},"yaml":{"":2},"regex":{"":1},"swift":{"":15},"csharp":{"":6},"kotlin":{"":2},"python":{"":61},"clojure":{"":2},"generic":{"":3},"terraform":{"":1},"javascript":{"":19},"typescript":{"":2}},"A05:2017: Sensitive Data Exposure":{"hcl":{"":1}},"A07:2025: Authentication Failures":{"go":{"":22},"js":{"":30},"kt":{"":1},"py":{"":1},"ts":{"":2},"cpp":{"":2},"hcl":{"":6},"php":{"":4},"xml":{"":1},"java":{"":27},"ruby":{"":25},"rust":{"":22},"regex":{"":38},"swift":{"":10},"csharp":{"":12},"kotlin":{"":26},"python":{"":66},"generic":{"":5},"javascript":{"":16}},"A5:2021 Security Misconfiguration":{"generic":{"":1}},"A05:2021-Security misconfiguration":{"python":{"":36}},"A08:2017: Insecure Deserialization":{"C#":{"":9},"go":{"":1},"php":{"":2},"java":{"":20},"ruby":{"":2},"swift":{"":2},"csharp":{"":1},"python":{"":80},"javascript":{"":2}},"A02:2021 – Cryptographic Failures":{"python":{"":2}},"A02:2025: Security Misconfiguration":{"go":{"":7},"kt":{"":2},"cpp":{"":4},"hcl":{"":10},"php":{"":9},"java":{"":59},"json":{"":1},"yaml":{"":9},"scala":{"":3},"swift":{"":1},"csharp":{"":10},"kotlin":{"":15},"python":{"":36},"clojure":{"":1},"generic":{"":7},"dockerfile":{"":1},"javascript":{"":20}},"A05:2021: Security Misconfiguration":{"go":{"":7},"kt":{"":2},"cpp":{"":4},"hcl":{"":10},"php":{"":9},"java":{"":59},"json":{"":1},"yaml":{"":9},"scala":{"":3},"swift":{"":1},"csharp":{"":10},"kotlin":{"":15},"python":{"":36},"clojure":{"":1},"generic":{"":9},"dockerfile":{"":1},"javascript":{"":20}},"A06:2017: Security Misconfiguration":{"go":{"":1},"hcl":{"":2},"php":{"":3},"java":{"":2},"json":{"":1},"yaml":{"":11},"regex":{"":1},"csharp":{"":1},"python":{"":2},"generic":{"":3},"javascript":{"":2}},"A07:2017: Cross-Site Scripting 
(XSS)":{"go":{"":17},"php":{"":4},"java":{"":18},"ruby":{"":10},"regex":{"":11},"scala":{"":1},"swift":{"":2},"csharp":{"":4},"kotlin":{"":1},"python":{"":25},"generic":{"":16},"javascript":{"":24},"typescript":{"":18}},"A04:2017: XML External Entities (XXE)":{"go":{"":2},"cpp":{"":4},"php":{"":4},"java":{"":47},"scala":{"":3},"swift":{"":1},"csharp":{"":4},"kotlin":{"":15},"python":{"":11},"clojure":{"":1},"javascript":{"":10}},"A03:2025: Software Supply Chain Failures":{"hcl":{"":1},"javascript":{"":1}},"A10:2004: Insecure Configuration Management":{"java":{"":2}},"A10:2017: Insufficient Logging & Monitoring":{"go":{"":1},"hcl":{"":2}},"A06:2021: Vulnerable and Outdated Components":{"hcl":{"":1},"javascript":{"":1}},"A10:2021: Server-Side Request Forgery (SSRF)":{"go":{"":5},"cpp":{"":1},"php":{"":7},"java":{"":17},"ruby":{"":1},"rust":{"":3},"scala":{"":4},"csharp":{"":8},"kotlin":{"":2},"python":{"":278},"generic":{"":1},"javascript":{"":21}},"A8:2021 Software and Data Integrity Failures":{"java":{"":1}},"A08:2025: Software or Data Integrity Failures":{"C#":{"":9},"go":{"":1},"hcl":{"":1},"php":{"":2},"java":{"":21},"ruby":{"":8},"swift":{"":2},"csharp":{"":3},"python":{"":82},"generic":{"":12},"javascript":{"":7},"typescript":{"":1}},"A08:2021: Software and Data Integrity Failures":{"C#":{"":9},"go":{"":2},"hcl":{"":1},"php":{"":2},"java":{"":21},"ruby":{"":8},"yaml":{"":1},"swift":{"":2},"csharp":{"":3},"python":{"":82},"generic":{"":12},"javascript":{"":7},"typescript":{"":1}},"A08:2025: Software and Data Integrity Failures":{"yaml":{"":1}},"A09:2025: Security Logging & Alerting Failures":{"go":{"":1},"hcl":{"":4},"java":{"":1},"python":{"":5},"javascript":{"":2}},"A10:2025: Mishandling of Exceptional Conditions":{"cpp":{"":1}},"A09:2021 Security Logging and Monitoring Failures":{"hcl":{"":1}},"A09:2021: Security Logging and Monitoring Failures":{"go":{"":1},"hcl":{"":4},"java":{"":1},"python":{"":5},"javascript":{"":2}},"A7:2021 Identification and 
Authentication Failures":{"solidity":{"":1}},"A07:2021 Identification and Authentication Failures":{"yaml":{"":1}},"A07:2021: Identification and Authentication Failures":{"go":{"":22},"js":{"":30},"kt":{"":1},"py":{"":1},"ts":{"":2},"cpp":{"":2},"hcl":{"":6},"php":{"":4},"xml":{"":1},"java":{"":27},"ruby":{"":25},"rust":{"":22},"regex":{"":38},"swift":{"":10},"csharp":{"":12},"kotlin":{"":26},"python":{"":66},"generic":{"":5},"javascript":{"":16}}},"rules_with_no_owasp":["insecure-use-gets-fn","insecure-use-scanf-fn","insecure-use-strtok-fn","random-fd-exhaustion","memset-removal","sizeof-pointer-type","sizeof-this","std-return-data","std-vector-invalidation","file-access-before-action","file-stat-before-action","world-writable-file","format-string-injection","dynamic-library-path","tainted-allocation-size","double-delete","double-free","negative-return-value-array-index","unvalidated-array-index","alloc-strlen","missing-nul-cpp-string-memcpy","narrow-to-wide-string-mismatch","readlink-null-terminator","return-c-str","snprintf-return-value-length","snprintf-return-value-snprintf","snprintf-source-size","std-string-npos","string-view-data-null-terminator","string-view-temporary-string","unbounded-copy-to-stack-buffer","wide-to-narrow-string-mismatch","local-variable-malloc-free","local-variable-new-delete","dockerfile-pip-extra-index-url","dockerfile-dockerd-socket-mount","detected-onfido-live-api-token","potential-dos-via-decompression-bomb","open-redirect","reverseproxy-director","jax-rs-better-files-regex-injection-uri-params","ajv-allerrors-true","cookies-default-express","intercom-settings-user-identifier-without-user-hash","detect-buffer-noassert","dot-nestjs","create-de-cipher-no-iv","ktor-development-mode-conf","ktor-development-mode-gradle","ktor-development-mode-yaml","deprecated-pervasives","broken-input-line","prefer-read-in-binary-mode","prefer-write-in-binary-mode","not-portable-tmp-string","ocamllint-unsafe","base-convert-loses-precision","mcrypt-use",
"md5-loose-equality","tainted-dotenv-variable-django","tainted-environ-variable-django","tainted-regex-stdlib-django","django-no-csrf-token","django-using-request-post-after-is-valid","nan-injection","docker-arbitrary-container-run","tainted-dotenv-variable-fastapi","tainted-environ-variable-fastapi","tainted-regex-stdlib-fastapi","flask-cache-query-string","debug-flask-passthrough-errors","active-debug-code-flask","tainted-dotenv-variable-flask","tainted-environ-variable-flask","tainted-regex-stdlib-flask","flask-api-method-string-format","nan-injection","python36-compatibility-Popen1","python36-compatibility-Popen2","python36-compatibility-ssl","python37-compatibility-httpconn","python37-compatibility-httpsconn","python37-compatibility-importlib","python37-compatibility-importlib2","python37-compatibility-importlib3","python37-compatibility-ipv4network1","python37-compatibility-ipv4network2","python37-compatibility-ipv6network1","python37-compatibility-ipv6network2","python37-compatibility-locale1","python37-compatibility-math1","python37-compatibility-multiprocess1","python37-compatibility-multiprocess2","python37-compatibility-os1","python37-compatibility-os2-ok2","python37-compatibility-pdb","python37-compatibility-textiowrapper","python-reverse-shell","mongo-client-bad-auth","batch-import","len-all-count","divide-by-zero","reqwest-accept-invalid","rustls-dangerous","ssl-verify-none","skill-dangerous-command-wildcard","skill-network-bash-wildcard","skill-persistence-commands","skill-readonly-with-write-perms","skill-wildcard-all-tools","skill-preprocessing-encoding-network","balancer-readonly-reentrancy-getpooltokens","balancer-readonly-reentrancy-getrate","compound-borrowfresh-reentrancy","compound-sweeptoken-not-restricted","curve-readonly-reentrancy","encode-packed-collision","erc677-reentrancy","erc721-arbitrary-transferfrom","erc721-reentrancy","erc777-reentrancy","incorrect-use-of-blockhash","keeper-network-oracle-manipulation","no-bidi-characters","no-sl
ippage-check","proxy-storage-collision","redacted-cartel-custom-approval-bug","rigoblock-missing-access-control","sense-missing-oracle-access-control","superfluid-ctx-injection","tecra-coin-burnfrom-bug","keychain-acl-allows-biometry-changes","keychain-accessible-always","keychain-device-sync","insecure-biometrics","verify-biometric-changes","keychain-passcode-fallback","ATS-local-networking","ATS-consider-pinning","ATS-CA-pins","ATS-minimum-tls-version","swift-named-persistent-pasteboards","swift-forbidden-ios-apis","swift-format-string","swift-webview-config-allows-js","swift-webview-config-base-url","swift-webview-config-allows-file-access","swift-webview-config-fraudulent-site-warning","swift-webview-config-https-upgrade","swift-webview-config-allows-js-open-windows","swift-webview-config-allows-universal-file-access","keyvault-content-type-for-secret","keyvault-ensure-key-expires","keyvault-ensure-secret-expires","keyvault-purge-enabled","no-iam-priv-esc-funcs","invalid-usage-of-modified-variable","iterate-over-empty-map","missing-runlock-on-rwmutex","missing-unlock-before-return","racy-append-to-slice","racy-write-to-map","servercodec-readrequestbody-unhandled-nil","string-to-int-signedness-cast","sync-mutex-value-copied","waitgroup-add-called-inside-goroutine","waitgroup-wait-inside-loop","automatic-memory-pinning","lxml-in-pandas","numpy-in-pytorch-modules","pickles-in-numpy","pickles-in-pandas","pickles-in-pytorch","tarfile-extractall-traversal","exposing-docker-socket-hostpath","hostipc-pod","hostnetwork-pod","privileged-container"]}},"author":"Semgrep","counts":{"total_rules":2852,"premium_rules":1793},"username":"semgrep","description":"The default ruleset configured in Semgrep App. Changes can be made via the Rule Board.","id":"NbeA","name":"default","visibility":"public","categories":[{"id":"MPe","slug":"quick-start","name":"Getting Started","description":"These rulesets cover a wide range of use cases. 
Start here to get up and running quickly."}]},{"tags":["semgrep","security","command injection","command","injection","eval","rce"],"stats":{"cwe":{"totals":{"CWE-94: Improper Control of Generation of Code ('Code Injection')":5,"CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')":1,"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')":2,"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')":2},"per_framework":{"CWE-94: Improper Control of Generation of Code ('Code Injection')":{"java":{"":5}},"CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')":{"java":{"":1}},"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')":{"java":{"":1},"generic":{"":1}},"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')":{"java":{"":2}}},"rules_with_no_cwe":[]},"owasp":{"totals":{"A01:2017: Injection":2,"A03:2021: Injection":10,"A05:2025: Injection":10},"per_framework":{"A01:2017: Injection":{"java":{"":2}},"A03:2021: Injection":{"java":{"":9},"generic":{"":1}},"A05:2025: Injection":{"java":{"":9},"generic":{"":1}}},"rules_with_no_owasp":[]}},"author":"Vasilii Ermilov","counts":{"total_rules":10,"premium_rules":0},"hidden":true,"username":"inkz","languages":["Java"],"description":"Secure defaults for Command injection prevention","id":"6oW","name":"java-command-injection","visibility":"public","categories":[]},{"tags":["semgrep","security","command injection","command","injection","eval","rce"],"stats":{"cwe":{"totals":{"CWE-94: Improper Control of Generation of Code ('Code Injection')":8,"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')":1,"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')":5},"per_framework":{"CWE-94: Improper Control 
of Generation of Code ('Code Injection')":{"javascript":{"":8}},"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')":{"javascript":{"":1}},"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')":{"javascript":{"":5}}},"rules_with_no_cwe":[]},"owasp":{"totals":{"A01:2017: Injection":5,"A03:2021: Injection":14,"A05:2025: Injection":14},"per_framework":{"A01:2017: Injection":{"javascript":{"":5}},"A03:2021: Injection":{"javascript":{"":14}},"A05:2025: Injection":{"javascript":{"":14}}},"rules_with_no_owasp":[]}},"author":"Vasilii Ermilov","counts":{"total_rules":14,"premium_rules":0},"hidden":true,"username":"inkz","languages":["javascript"],"description":"Secure defaults for Command injection prevention","id":"oQx","name":"javascript-command-injection","visibility":"public","categories":[]},{"tags":["semgrep","security","correctness","best practices","docker","kubernetes","configuration","infrastructure","infrastructure as code"],"stats":{"cwe":{"totals":{"CWE-284: Improper Access Control":1,"CWE-693: Protection Mechanism Failure":1,"CWE-269: Improper Privilege Management":1,"CWE-250: Execution with Unnecessary Privileges":3,"CWE-319: Cleartext Transmission of Sensitive Information":2,"CWE-732: Incorrect Permission Assignment for Critical Resource":2,"CWE-406: Insufficient Control of Network Message Volume (Network Amplification)":1},"per_framework":{"CWE-284: Improper Access Control":{"yaml":{"":1}},"CWE-693: Protection Mechanism Failure":{"yaml":{"":1}},"CWE-269: Improper Privilege Management":{"yaml":{"":1}},"CWE-250: Execution with Unnecessary Privileges":{"yaml":{"":3}},"CWE-319: Cleartext Transmission of Sensitive Information":{"yaml":{"":2}},"CWE-732: Incorrect Permission Assignment for Critical Resource":{"yaml":{"":2}},"CWE-406: Insufficient Control of Network Message Volume (Network 
Amplification)":{"yaml":{"":1}}},"rules_with_no_cwe":[]},"owasp":{"totals":{"":4,"A04:2021: Insecure Design":1,"A06:2025: Insecure Design":1,"A01:2021: Broken Access Control":1,"A01:2025: Broken Access Control":1,"A05:2017: Broken Access Control":1,"A02:2021: Cryptographic Failures":2,"A04:2025: Cryptographic Failures":2,"A03:2017: Sensitive Data Exposure":2,"A02:2025: Security Misconfiguration":3,"A05:2021: Security Misconfiguration":3,"A06:2017: Security Misconfiguration":3},"per_framework":{"":{"yaml":{"":4}},"A04:2021: Insecure Design":{"yaml":{"":1}},"A06:2025: Insecure Design":{"yaml":{"":1}},"A01:2021: Broken Access Control":{"yaml":{"":1}},"A01:2025: Broken Access Control":{"yaml":{"":1}},"A05:2017: Broken Access Control":{"yaml":{"":1}},"A02:2021: Cryptographic Failures":{"yaml":{"":2}},"A04:2025: Cryptographic Failures":{"yaml":{"":2}},"A03:2017: Sensitive Data Exposure":{"yaml":{"":2}},"A02:2025: Security Misconfiguration":{"yaml":{"":3}},"A05:2021: Security Misconfiguration":{"yaml":{"":3}},"A06:2017: Security Misconfiguration":{"yaml":{"":3}}},"rules_with_no_owasp":["exposing-docker-socket-hostpath","privileged-container","hostipc-pod","hostnetwork-pod"]}},"author":"Semgrep","counts":{"total_rules":11,"premium_rules":0},"username":"semgrep","languages":["yaml"],"description":"Security checks for kubernetes configuration files.","id":"Wxo","name":"kubernetes","visibility":"public","categories":[{"id":"aGe","slug":"configuration-files","name":"Configuration Files [Beta]","description":"Scan your configuration files using Semgrep's generic pattern matching."}]},{"tags":["semgrep","security","generic","nginx","web","web server","server","ssrf","ssl"],"stats":{"cwe":{"totals":{"CWE-16: CWE CATEGORY: Configuration":1,"CWE-326: Inadequate Encryption Strength":2,"CWE-290: Authentication Bypass by Spoofing":1,"CWE-319: Cleartext Transmission of Sensitive Information":1,"CWE-441: Unintended Proxy or Intermediary ('Confused Deputy')":1,"CWE-113: Improper 
Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')":1},"per_framework":{"CWE-16: CWE CATEGORY: Configuration":{"generic":{"":1}},"CWE-326: Inadequate Encryption Strength":{"generic":{"":2}},"CWE-290: Authentication Bypass by Spoofing":{"generic":{"":1}},"CWE-319: Cleartext Transmission of Sensitive Information":{"generic":{"":1}},"CWE-441: Unintended Proxy or Intermediary ('Confused Deputy')":{"generic":{"":1}},"CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')":{"generic":{"":1}}},"rules_with_no_cwe":[]},"owasp":{"totals":{"A03:2021: Injection":1,"A05:2025: Injection":1,"A01:2021: Broken Access Control":1,"A01:2025: Broken Access Control":1,"A02:2021: Cryptographic Failures":3,"A04:2025: Cryptographic Failures":3,"A03:2017: Sensitive Data Exposure":3,"A07:2025: Authentication Failures":1,"A02:2025: Security Misconfiguration":1,"A05:2021: Security Misconfiguration":1,"A06:2017: Security Misconfiguration":1,"A07:2021: Identification and Authentication Failures":1},"per_framework":{"A03:2021: Injection":{"generic":{"":1}},"A05:2025: Injection":{"generic":{"":1}},"A01:2021: Broken Access Control":{"generic":{"":1}},"A01:2025: Broken Access Control":{"generic":{"":1}},"A02:2021: Cryptographic Failures":{"generic":{"":3}},"A04:2025: Cryptographic Failures":{"generic":{"":3}},"A03:2017: Sensitive Data Exposure":{"generic":{"":3}},"A07:2025: Authentication Failures":{"generic":{"":1}},"A02:2025: Security Misconfiguration":{"generic":{"":1}},"A05:2021: Security Misconfiguration":{"generic":{"":1}},"A06:2017: Security Misconfiguration":{"generic":{"":1}},"A07:2021: Identification and Authentication Failures":{"generic":{"":1}}},"rules_with_no_owasp":[]}},"author":"Grayson Hardaway","counts":{"total_rules":7,"premium_rules":0},"username":"minusworld","languages":["generic"],"description":"Security checks for nginx configuration 
files.","id":"Bl2","name":"nginx","visibility":"public","categories":[{"id":"aGe","slug":"configuration-files","name":"Configuration Files [Beta]","description":"Scan your configuration files using Semgrep's generic pattern matching."}]},{"tags":["owasp","security","java","requests"],"stats":{"cwe":{"totals":{"CWE-328: Use of Weak Hash":3,"CWE-501: Trust Boundary Violation":1,"CWE-326: Inadequate Encryption Strength":1,"CWE-330: Use of Insufficiently Random Values":1,"CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute":1,"CWE-643: Improper Neutralization of Data within XPath Expressions ('XPath Injection')":1,"CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')":1,"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')":1,"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')":1,"CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')":1,"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')":1},"per_framework":{"CWE-328: Use of Weak Hash":{"java":{"":3}},"CWE-501: Trust Boundary Violation":{"java":{"":1}},"CWE-326: Inadequate Encryption Strength":{"java":{"":1}},"CWE-330: Use of Insufficiently Random Values":{"java":{"":1}},"CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute":{"java":{"":1}},"CWE-643: Improper Neutralization of Data within XPath Expressions ('XPath Injection')":{"java":{"":1}},"CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')":{"java":{"":1}},"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')":{"java":{"":1}},"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')":{"java":{"":1}},"CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')":{"java":{"":1}},"CWE-78: 
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')":{"java":{"":1}}},"rules_with_no_cwe":[]},"owasp":{"totals":{"A01:2017: Injection":3,"A03:2021: Injection":5,"A05:2025: Injection":5,"A04:2021: Insecure Design":1,"A06:2025: Insecure Design":1,"A01:2021: Broken Access Control":1,"A01:2025: Broken Access Control":1,"A05:2017: Broken Access Control":1,"A02:2021: Cryptographic Failures":5,"A04:2025: Cryptographic Failures":5,"A03:2017: Sensitive Data Exposure":4,"A02:2025: Security Misconfiguration":1,"A05:2021: Security Misconfiguration":1,"A07:2017: Cross-Site Scripting (XSS)":1},"per_framework":{"A01:2017: Injection":{"java":{"":3}},"A03:2021: Injection":{"java":{"":5}},"A05:2025: Injection":{"java":{"":5}},"A04:2021: Insecure Design":{"java":{"":1}},"A06:2025: Insecure Design":{"java":{"":1}},"A01:2021: Broken Access Control":{"java":{"":1}},"A01:2025: Broken Access Control":{"java":{"":1}},"A05:2017: Broken Access Control":{"java":{"":1}},"A02:2021: Cryptographic Failures":{"java":{"":5}},"A04:2025: Cryptographic Failures":{"java":{"":5}},"A03:2017: Sensitive Data Exposure":{"java":{"":4}},"A02:2025: Security Misconfiguration":{"java":{"":1}},"A05:2021: Security Misconfiguration":{"java":{"":1}},"A07:2017: Cross-Site Scripting (XSS)":{"java":{"":1}}},"rules_with_no_owasp":[]}},"author":"Colleen Dai","counts":{"total_rules":13,"premium_rules":0},"hidden":true,"username":"colleend","languages":["Java"],"description":"OWASP Java Benchmark ruleset, a subset of java rules for faster results.","id":"5rw6","name":"owasp-java-benchmark","visibility":"public","categories":[]},{"tags":["security","phpcs-security-audit","injection","lfi","rfi","insecure-transport","info-leak","crypto"],"stats":{"cwe":{"totals":{"CWE-328: Use of Weak Hash":1,"CWE-676: Use of Potentially Dangerous Function":1,"CWE-319: Cleartext Transmission of Sensitive Information":1,"CWE-94: Improper Control of Generation of Code ('Code Injection')":2,"CWE-200: 
Exposure of Sensitive Information to an Unauthorized Actor":1,"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')":1,"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')":1,"CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')":1},"per_framework":{"CWE-328: Use of Weak Hash":{"php":{"":1}},"CWE-676: Use of Potentially Dangerous Function":{"php":{"":1}},"CWE-319: Cleartext Transmission of Sensitive Information":{"php":{"":1}},"CWE-94: Improper Control of Generation of Code ('Code Injection')":{"php":{"":2}},"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor":{"php":{"":1}},"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')":{"php":{"":1}},"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')":{"php":{"":1}},"CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')":{"php":{"":1}}},"rules_with_no_cwe":[]},"owasp":{"totals":{"":1,"A01:2017: Injection":1,"A03:2021: Injection":5,"A05:2025: Injection":5,"A01:2021: Broken Access Control":1,"A01:2025: Broken Access Control":1,"A02:2021: Cryptographic Failures":2,"A04:2025: Cryptographic Failures":2,"A03:2017: Sensitive Data Exposure":2},"per_framework":{"":{"php":{"":1}},"A01:2017: Injection":{"php":{"":1}},"A03:2021: Injection":{"php":{"":5}},"A05:2025: Injection":{"php":{"":5}},"A01:2021: Broken Access Control":{"php":{"":1}},"A01:2025: Broken Access Control":{"php":{"":1}},"A02:2021: Cryptographic Failures":{"php":{"":2}},"A04:2025: Cryptographic Failures":{"php":{"":2}},"A03:2017: Sensitive Data Exposure":{"php":{"":2}}},"rules_with_no_owasp":["mcrypt-use"]}},"author":"Semgrep","counts":{"total_rules":9,"premium_rules":0},"username":"semgrep","languages":["PHP"],"description":"Selected rules from 
phpcs-security-audit, a security checker for PHP, rewritten in Semgrep.","id":"qWy","name":"phpcs-security-audit","visibility":"public","categories":[{"id":"aR8","slug":"ported-security-tools","name":"Ported Security Tools","description":"Select rules ported from open-source security tools. Start here if you're familiar with these tools."}]},{"tags":["security","cwe"],"stats":{"cwe":{"totals":{"CWE-416: Use After Free":6,"CWE-125: Out-of-bounds Read":7,"CWE-787: Out-of-bounds Write":4,"CWE-862: Missing Authorization":1,"CWE-284: Improper Access Control":1,"CWE-287: Improper Authentication":55,"CWE-476: NULL Pointer Dereference":1,"CWE-276: Incorrect Default Permissions":2,"CWE-798: Use of Hard-coded Credentials":177,"CWE-352: Cross-Site Request Forgery (CSRF)":9,"CWE-502: Deserialization of Untrusted Data":98,"CWE-918: Server-Side Request Forgery (SSRF)":330,"CWE-509: Replicating Malicious Code (Virus or Worm)":1,"CWE-306: Missing Authentication for Critical Function":2,"CWE-611: Improper Restriction of XML External Entity Reference":49,"CWE-94: Improper Control of Generation of Code ('Code Injection')":70,"CWE-454: External Initialization of Trusted Variables or Data Stores":1,"CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')":147,"CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')":2,"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')":80,"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')":316,"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')":93},"per_framework":{"CWE-416: Use After Free":{"cpp":{"":6}},"CWE-125: Out-of-bounds Read":{"cpp":{"":7}},"CWE-787: Out-of-bounds Write":{"cpp":{"":4}},"CWE-862: Missing Authorization":{"csharp":{"":1}},"CWE-284: Improper Access Control":{"php":{"":1}},"CWE-287: Improper 
Authentication":{"go":{"":8},"js":{"":6},"kt":{"":1},"hcl":{"":1},"ruby":{"":6},"rust":{"":10},"kotlin":{"":4},"python":{"":19}},"CWE-476: NULL Pointer Dereference":{"cpp":{"":1}},"CWE-276: Incorrect Default Permissions":{"ruby":{"":1},"python":{"":1}},"CWE-798: Use of Hard-coded Credentials":{"go":{"":11},"js":{"":24},"py":{"":1},"hcl":{"":1},"php":{"":1},"java":{"":22},"ruby":{"":18},"rust":{"":12},"yaml":{"":1},"regex":{"":1},"swift":{"":7},"csharp":{"":10},"kotlin":{"":22},"python":{"":37},"generic":{"":2},"javascript":{"":7}},"CWE-352: Cross-Site Request Forgery (CSRF)":{"go":{"":1},"java":{"":1},"python":{"":6},"generic":{"":1}},"CWE-502: Deserialization of Untrusted Data":{"C#":{"":5},"php":{"":1},"java":{"":16},"ruby":{"":2},"python":{"":73},"javascript":{"":1}},"CWE-918: Server-Side Request Forgery (SSRF)":{"go":{"":6},"cpp":{"":1},"hcl":{"":1},"php":{"":6},"java":{"":18},"ruby":{"":1},"rust":{"":3},"scala":{"":1},"csharp":{"":5},"kotlin":{"":2},"python":{"":278},"generic":{"":1},"javascript":{"":7}},"CWE-509: Replicating Malicious Code (Virus or Worm)":{"yaml":{"":1}},"CWE-306: Missing Authentication for Critical Function":{"ts":{"":2}},"CWE-611: Improper Restriction of XML External Entity Reference":{"go":{"":2},"cpp":{"":4},"php":{"":2},"java":{"":20},"scala":{"":3},"csharp":{"":4},"python":{"":7},"clojure":{"":1},"javascript":{"":6}},"CWE-94: Improper Control of Generation of Code ('Code Injection')":{"go":{"":1},"php":{"":3},"bash":{"":1},"ruby":{"":4},"yaml":{"":1},"csharp":{"":3},"kotlin":{"":1},"python":{"":35},"generic":{"":3},"javascript":{"":18}},"CWE-454: External Initialization of Trusted Variables or Data Stores":{"java":{"":1}},"CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')":{"go":{"":6},"cpp":{"":1},"java":{"":10},"ruby":{"":4},"rust":{"":3},"csharp":{"":67},"python":{"":34},"generic":{"":1},"javascript":{"":21}},"CWE-77: Improper Neutralization of Special Elements used in a Command ('Command 
Injection')":{"python":{"":1},"javascript":{"":1}},"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')":{"go":{"":8},"php":{"":4},"java":{"":17},"ruby":{"":3},"scala":{"":1},"csharp":{"":4},"kotlin":{"":1},"python":{"":11},"generic":{"":3},"javascript":{"":12},"typescript":{"":16}},"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')":{"go":{"":21},"cpp":{"":1},"php":{"":8},"java":{"":16},"ruby":{"":8},"rust":{"":12},"scala":{"":3},"csharp":{"":35},"kotlin":{"":6},"python":{"":169},"javascript":{"":37}},"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')":{"go":{"":8},"cpp":{"":2},"php":{"":2},"java":{"":11},"ruby":{"":1},"rust":{"":6},"yaml":{"":1},"csharp":{"":3},"kotlin":{"":1},"python":{"":42},"generic":{"":8},"javascript":{"":8}}},"rules_with_no_cwe":[]},"owasp":{"totals":{"":17,"A01:2017: Injection":414,"A03:2021: Injection":563,"A05:2025: Injection":563,"A01:2021: Broken Access Control":160,"A01:2025: Broken Access Control":485,"A02:2017: Broken Authentication":28,"A05:2017: Broken Access Control":147,"A07:2025: Authentication Failures":234,"A08:2017: Insecure Deserialization":98,"A02:2025: Security Misconfiguration":49,"A05:2021: Security Misconfiguration":49,"A07:2017: Cross-Site Scripting (XSS)":80,"A04:2017: XML External Entities (XXE)":49,"A10:2021: Server-Side Request Forgery (SSRF)":330,"A08:2025: Software or Data Integrity Failures":98,"A08:2021: Software and Data Integrity Failures":98,"A10:2025: Mishandling of Exceptional Conditions":1,"A07:2021: Identification and Authentication Failures":234},"per_framework":{"":{"cpp":{"":17}},"A01:2017: Injection":{"go":{"":29},"cpp":{"":3},"php":{"":11},"java":{"":28},"ruby":{"":9},"rust":{"":18},"yaml":{"":2},"scala":{"":3},"csharp":{"":38},"kotlin":{"":7},"python":{"":212},"generic":{"":8},"javascript":{"":46}},"A03:2021: 
Injection":{"go":{"":38},"cpp":{"":3},"php":{"":17},"bash":{"":1},"java":{"":45},"ruby":{"":16},"rust":{"":18},"yaml":{"":3},"scala":{"":4},"csharp":{"":45},"kotlin":{"":9},"python":{"":258},"generic":{"":14},"javascript":{"":76},"typescript":{"":16}},"A05:2025: Injection":{"go":{"":38},"cpp":{"":3},"php":{"":17},"bash":{"":1},"java":{"":45},"ruby":{"":16},"rust":{"":18},"yaml":{"":3},"scala":{"":4},"csharp":{"":45},"kotlin":{"":9},"python":{"":258},"generic":{"":14},"javascript":{"":76},"typescript":{"":16}},"A01:2021: Broken Access Control":{"go":{"":7},"cpp":{"":1},"php":{"":1},"java":{"":11},"ruby":{"":5},"rust":{"":3},"csharp":{"":68},"python":{"":41},"generic":{"":2},"javascript":{"":21}},"A01:2025: Broken Access Control":{"go":{"":12},"cpp":{"":2},"hcl":{"":1},"php":{"":7},"java":{"":28},"ruby":{"":6},"rust":{"":6},"scala":{"":1},"csharp":{"":72},"kotlin":{"":2},"python":{"":318},"generic":{"":3},"javascript":{"":27}},"A02:2017: Broken Authentication":{"go":{"":8},"js":{"":3},"kt":{"":1},"hcl":{"":1},"rust":{"":10},"kotlin":{"":4},"python":{"":1}},"A05:2017: Broken Access Control":{"go":{"":6},"cpp":{"":1},"java":{"":10},"ruby":{"":4},"rust":{"":3},"csharp":{"":67},"python":{"":34},"generic":{"":1},"javascript":{"":21}},"A07:2025: Authentication Failures":{"go":{"":19},"js":{"":30},"kt":{"":1},"py":{"":1},"ts":{"":2},"hcl":{"":2},"php":{"":1},"java":{"":22},"ruby":{"":24},"rust":{"":22},"yaml":{"":1},"regex":{"":1},"swift":{"":7},"csharp":{"":10},"kotlin":{"":26},"python":{"":56},"generic":{"":2},"javascript":{"":7}},"A08:2017: Insecure Deserialization":{"C#":{"":5},"php":{"":1},"java":{"":16},"ruby":{"":2},"python":{"":73},"javascript":{"":1}},"A02:2025: Security Misconfiguration":{"go":{"":2},"cpp":{"":4},"php":{"":2},"java":{"":20},"scala":{"":3},"csharp":{"":4},"python":{"":7},"clojure":{"":1},"javascript":{"":6}},"A05:2021: Security 
Misconfiguration":{"go":{"":2},"cpp":{"":4},"php":{"":2},"java":{"":20},"scala":{"":3},"csharp":{"":4},"python":{"":7},"clojure":{"":1},"javascript":{"":6}},"A07:2017: Cross-Site Scripting (XSS)":{"go":{"":8},"php":{"":4},"java":{"":17},"ruby":{"":3},"scala":{"":1},"csharp":{"":4},"kotlin":{"":1},"python":{"":11},"generic":{"":3},"javascript":{"":12},"typescript":{"":16}},"A04:2017: XML External Entities (XXE)":{"go":{"":2},"cpp":{"":4},"php":{"":2},"java":{"":20},"scala":{"":3},"csharp":{"":4},"python":{"":7},"clojure":{"":1},"javascript":{"":6}},"A10:2021: Server-Side Request Forgery (SSRF)":{"go":{"":6},"cpp":{"":1},"hcl":{"":1},"php":{"":6},"java":{"":18},"ruby":{"":1},"rust":{"":3},"scala":{"":1},"csharp":{"":5},"kotlin":{"":2},"python":{"":278},"generic":{"":1},"javascript":{"":7}},"A08:2025: Software or Data Integrity Failures":{"C#":{"":5},"php":{"":1},"java":{"":16},"ruby":{"":2},"python":{"":73},"javascript":{"":1}},"A08:2021: Software and Data Integrity Failures":{"C#":{"":5},"php":{"":1},"java":{"":16},"ruby":{"":2},"python":{"":73},"javascript":{"":1}},"A10:2025: Mishandling of Exceptional Conditions":{"cpp":{"":1}},"A07:2021: Identification and Authentication 
Failures":{"go":{"":19},"js":{"":30},"kt":{"":1},"py":{"":1},"ts":{"":2},"hcl":{"":2},"php":{"":1},"java":{"":22},"ruby":{"":24},"rust":{"":22},"yaml":{"":1},"regex":{"":1},"swift":{"":7},"csharp":{"":10},"kotlin":{"":26},"python":{"":56},"generic":{"":2},"javascript":{"":7}}},"rules_with_no_owasp":["std-return-data","std-vector-invalidation","tainted-allocation-size","negative-return-value-array-index","missing-nul-cpp-string-memcpy","narrow-to-wide-string-mismatch","readlink-null-terminator","return-c-str","snprintf-return-value-length","snprintf-return-value-snprintf","snprintf-source-size","std-string-npos","string-view-data-null-terminator","string-view-temporary-string","wide-to-narrow-string-mismatch","local-variable-malloc-free","local-variable-new-delete"]}},"author":"Semgrep","counts":{"total_rules":1452,"premium_rules":1237},"username":"semgrep","description":"The CWE Top 25 is an industry-recognized report of top application security risks. Use this ruleset to scan for CWE Top 25 vulnerabilities.","id":"4B5x","name":"cwe-top-25","visibility":"public","categories":[{"id":"MPe","slug":"quick-start","name":"Getting Started","description":"These rulesets cover a wide range of use cases. 
Start here to get up and running quickly."}]},{"tags":["security"],"stats":{"cwe":{"totals":{"CWE-384: Session Fixation":1,"CWE-287: Improper Authentication":8,"CWE-346: Origin Validation Error":6,"CWE-798: Use of Hard-coded Credentials":32,"CWE-326: Inadequate Encryption Strength":1,"CWE-502: Deserialization of Untrusted Data":1,"CWE-310: CWE CATEGORY: Cryptographic Issues":2,"CWE-918: Server-Side Request Forgery (SSRF)":55,"CWE-311: Missing Encryption of Sensitive Data":2,"CWE-522: Insufficiently Protected Credentials":7,"CWE-73: External Control of File Name or Path":1,"CWE-117: Improper Output Neutralization for Logs":2,"CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag":5,"CWE-1333: Inefficient Regular Expression Complexity":1,"CWE-306: Missing Authentication for Critical Function":2,"CWE-706: Use of Incorrectly-Resolved Name or Reference":2,"CWE-1204: Generation of Weak Initialization Vector (IV)":1,"CWE-345: Insufficient Verification of Data Authenticity":2,"CWE-319: Cleartext Transmission of Sensitive Information":3,"CWE-327: Use of a Broken or Risky Cryptographic Algorithm":8,"CWE-347: Improper Verification of Cryptographic Signature":1,"CWE-548: Exposure of Information Through Directory Listing":1,"CWE-1275: Sensitive Cookie with Improper SameSite Attribute":7,"CWE-601: URL Redirection to Untrusted Site ('Open Redirect')":10,"CWE-611: Improper Restriction of XML External Entity Reference":6,"CWE-732: Incorrect Permission Assignment for Critical Resource":2,"CWE-94: Improper Control of Generation of Code ('Code Injection')":18,"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor":1,"CWE-916: Use of Password Hash With Insufficient Computational Effort":1,"CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute":6,"CWE-451: User Interface (UI) Misrepresentation of Critical Information":1,"CWE-943: Improper Neutralization of Special Elements in Data Query Logic":8,"CWE-1336: Improper Neutralization of Special Elements Used in a 
Template Engine":2,"CWE-643: Improper Neutralization of Data within XPath Expressions ('XPath Injection')":1,"CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')":21,"CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')":1,"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')":39,"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')":37,"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')":2,"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')":8,"CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')":3},"per_framework":{"CWE-384: Session Fixation":{"javascript":{"":1}},"CWE-287: Improper Authentication":{"js":{"":7},"javascript":{"":1}},"CWE-346: Origin Validation Error":{"javascript":{"":6}},"CWE-798: Use of Hard-coded Credentials":{"js":{"":24},"javascript":{"":8}},"CWE-326: Inadequate Encryption Strength":{"javascript":{"":1}},"CWE-502: Deserialization of Untrusted Data":{"javascript":{"":1}},"CWE-310: CWE CATEGORY: Cryptographic Issues":{"javascript":{"":2}},"CWE-918: Server-Side Request Forgery (SSRF)":{"javascript":{"":55}},"CWE-311: Missing Encryption of Sensitive Data":{"ts":{"":1},"typescript":{"":1}},"CWE-522: Insufficiently Protected Credentials":{"javascript":{"":7}},"CWE-73: External Control of File Name or Path":{"javascript":{"":1}},"CWE-117: Improper Output Neutralization for Logs":{"javascript":{"":2}},"CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag":{"javascript":{"":5}},"CWE-1333: Inefficient Regular Expression Complexity":{"javascript":{"":1}},"CWE-306: Missing Authentication for Critical Function":{"ts":{"":2}},"CWE-706: Use of Incorrectly-Resolved Name or Reference":{"javascript":{"":2}},"CWE-1204: Generation of Weak Initialization Vector 
(IV)":{"javascript":{"":1}},"CWE-345: Insufficient Verification of Data Authenticity":{"javascript":{"":2}},"CWE-319: Cleartext Transmission of Sensitive Information":{"ts":{"":1},"javascript":{"":1},"typescript":{"":1}},"CWE-327: Use of a Broken or Risky Cryptographic Algorithm":{"js":{"":1},"javascript":{"":7}},"CWE-347: Improper Verification of Cryptographic Signature":{"javascript":{"":1}},"CWE-548: Exposure of Information Through Directory Listing":{"javascript":{"":1}},"CWE-1275: Sensitive Cookie with Improper SameSite Attribute":{"javascript":{"":7}},"CWE-601: URL Redirection to Untrusted Site ('Open Redirect')":{"javascript":{"":10}},"CWE-611: Improper Restriction of XML External Entity Reference":{"javascript":{"":6}},"CWE-732: Incorrect Permission Assignment for Critical Resource":{"javascript":{"":2}},"CWE-94: Improper Control of Generation of Code ('Code Injection')":{"javascript":{"":18}},"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor":{"javascript":{"":1}},"CWE-916: Use of Password Hash With Insufficient Computational Effort":{"javascript":{"":1}},"CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute":{"javascript":{"":6}},"CWE-451: User Interface (UI) Misrepresentation of Critical Information":{"javascript":{"":1}},"CWE-943: Improper Neutralization of Special Elements in Data Query Logic":{"javascript":{"":8}},"CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine":{"javascript":{"":2}},"CWE-643: Improper Neutralization of Data within XPath Expressions ('XPath Injection')":{"javascript":{"":1}},"CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')":{"javascript":{"":21}},"CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')":{"javascript":{"":1}},"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')":{"javascript":{"":18},"typescript":{"":21}},"CWE-89: Improper Neutralization 
of Special Elements used in an SQL Command ('SQL Injection')":{"javascript":{"":37}},"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')":{"javascript":{"":2}},"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')":{"javascript":{"":8}},"CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')":{"javascript":{"":3}}},"rules_with_no_cwe":[]},"owasp":{"totals":{"":6,"A01:2017: Injection":55,"A03:2021: Injection":110,"A05:2025: Injection":110,"A04:2021: Insecure Design":11,"A06:2025: Insecure Design":11,"A01:2021: Broken Access Control":42,"A01:2025: Broken Access Control":95,"A02:2017: Broken Authentication":11,"A05:2017: Broken Access Control":21,"A02:2021: Cryptographic Failures":14,"A04:2025: Cryptographic Failures":14,"A03:2017: Sensitive Data Exposure":14,"A07:2025: Authentication Failures":48,"A08:2017: Insecure Deserialization":1,"A02:2025: Security Misconfiguration":18,"A05:2021: Security Misconfiguration":18,"A06:2017: Security Misconfiguration":1,"A07:2017: Cross-Site Scripting (XSS)":39,"A04:2017: XML External Entities (XXE)":6,"A10:2021: Server-Side Request Forgery (SSRF)":55,"A08:2025: Software or Data Integrity Failures":2,"A08:2021: Software and Data Integrity Failures":2,"A09:2025: Security Logging & Alerting Failures":2,"A09:2021: Security Logging and Monitoring Failures":2,"A07:2021: Identification and Authentication Failures":48},"per_framework":{"":{"js":{"":1},"javascript":{"":5}},"A01:2017: Injection":{"javascript":{"":55}},"A03:2021: Injection":{"javascript":{"":89},"typescript":{"":21}},"A05:2025: Injection":{"javascript":{"":89},"typescript":{"":21}},"A04:2021: Insecure Design":{"ts":{"":1},"javascript":{"":9},"typescript":{"":1}},"A06:2025: Insecure Design":{"ts":{"":1},"javascript":{"":9},"typescript":{"":1}},"A01:2021: Broken Access Control":{"javascript":{"":42}},"A01:2025: Broken Access 
Control":{"javascript":{"":95}},"A02:2017: Broken Authentication":{"js":{"":3},"javascript":{"":8}},"A05:2017: Broken Access Control":{"javascript":{"":21}},"A02:2021: Cryptographic Failures":{"js":{"":1},"ts":{"":1},"javascript":{"":11},"typescript":{"":1}},"A04:2025: Cryptographic Failures":{"js":{"":1},"ts":{"":1},"javascript":{"":11},"typescript":{"":1}},"A03:2017: Sensitive Data Exposure":{"js":{"":1},"ts":{"":2},"javascript":{"":9},"typescript":{"":2}},"A07:2025: Authentication Failures":{"js":{"":30},"ts":{"":2},"javascript":{"":16}},"A08:2017: Insecure Deserialization":{"javascript":{"":1}},"A02:2025: Security Misconfiguration":{"javascript":{"":18}},"A05:2021: Security Misconfiguration":{"javascript":{"":18}},"A06:2017: Security Misconfiguration":{"javascript":{"":1}},"A07:2017: Cross-Site Scripting (XSS)":{"javascript":{"":18},"typescript":{"":21}},"A04:2017: XML External Entities (XXE)":{"javascript":{"":6}},"A10:2021: Server-Side Request Forgery (SSRF)":{"javascript":{"":55}},"A08:2025: Software or Data Integrity Failures":{"javascript":{"":2}},"A08:2021: Software and Data Integrity Failures":{"javascript":{"":2}},"A09:2025: Security Logging & Alerting Failures":{"javascript":{"":2}},"A09:2021: Security Logging and Monitoring Failures":{"javascript":{"":2}},"A07:2021: Identification and Authentication Failures":{"js":{"":30},"ts":{"":2},"javascript":{"":16}}},"rules_with_no_owasp":["regexp-redos","cookies-default-express","session-cookie-default-express","intercom-settings-user-identifier-without-user-hash","dot-nestjs","create-de-cipher-no-iv"]}},"author":"Semgrep","counts":{"total_rules":316,"premium_rules":242},"username":"semgrep","languages":["JavaScript","TypeScript"],"description":"Default ruleset for JavaScript, curated by Semgrep.","id":"Rve","name":"javascript","visibility":"public","categories":[{"id":"V5W","slug":"languages-and-frameworks","name":"Languages and Frameworks","description":"Check your code for security problems and best 
practices in these languages and frameworks."}]},{"tags":["security","mcp","model-context-protocol","ai","llm"],"stats":{"cwe":{"totals":{"CWE-284: Improper Access Control":1,"CWE-346: Origin Validation Error":1,"CWE-918: Server-Side Request Forgery (SSRF)":5,"CWE-522: Insufficiently Protected Credentials":1,"CWE-319: Cleartext Transmission of Sensitive Information":1,"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor":5,"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')":5},"per_framework":{"CWE-284: Improper Access Control":{"python":{"":1}},"CWE-346: Origin Validation Error":{"go":{"":1}},"CWE-918: Server-Side Request Forgery (SSRF)":{"go":{"":1},"java":{"":1},"csharp":{"":1},"python":{"":1},"javascript":{"":1}},"CWE-522: Insufficiently Protected Credentials":{"python":{"":1}},"CWE-319: Cleartext Transmission of Sensitive Information":{"python":{"":1}},"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor":{"go":{"":1},"java":{"":1},"csharp":{"":1},"python":{"":1},"javascript":{"":1}},"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')":{"go":{"":1},"java":{"":1},"csharp":{"":1},"python":{"":1},"javascript":{"":1}}},"rules_with_no_cwe":[]},"owasp":{"totals":{"A01:2017: Injection":5,"A03:2021: Injection":5,"A05:2025: Injection":5,"A04:2021: Insecure Design":1,"A06:2025: Insecure Design":1,"A01:2021: Broken Access Control":5,"A02:2017: Broken Authentication":1,"A02:2021 – Cryptographic Failures":1,"A05:2021 – Security Misconfiguration":2,"A10:2021: Server-Side Request Forgery (SSRF)":5},"per_framework":{"A01:2017: Injection":{"go":{"":1},"java":{"":1},"csharp":{"":1},"python":{"":1},"javascript":{"":1}},"A03:2021: Injection":{"go":{"":1},"java":{"":1},"csharp":{"":1},"python":{"":1},"javascript":{"":1}},"A05:2025: Injection":{"go":{"":1},"java":{"":1},"csharp":{"":1},"python":{"":1},"javascript":{"":1}},"A04:2021: Insecure 
Design":{"python":{"":1}},"A06:2025: Insecure Design":{"python":{"":1}},"A01:2021: Broken Access Control":{"go":{"":1},"java":{"":1},"csharp":{"":1},"python":{"":1},"javascript":{"":1}},"A02:2017: Broken Authentication":{"python":{"":1}},"A02:2021 – Cryptographic Failures":{"python":{"":1}},"A05:2021 – Security Misconfiguration":{"go":{"":1},"python":{"":1}},"A10:2021: Server-Side Request Forgery (SSRF)":{"go":{"":1},"java":{"":1},"csharp":{"":1},"python":{"":1},"javascript":{"":1}}},"rules_with_no_owasp":[]}},"author":"Semgrep","counts":{"total_rules":19,"premium_rules":19},"username":"semgrep","languages":["Python","JavaScript","TypeScript"],"description":"Security rules for Model Context Protocol (MCP) implementations, covering Python, TypeScript, and JavaScript.","id":"d0yQ","name":"mcp","visibility":"public","categories":[]},{"tags":["security"],"stats":{"cwe":{"totals":{},"per_framework":{},"rules_with_no_cwe":[]},"owasp":{"totals":{},"per_framework":{},"rules_with_no_owasp":[]}},"author":"Semgrep","counts":{"total_rules":0,"premium_rules":0},"hidden":true,"username":"semgrep","languages":["C","C++"],"description":"Alpha ruleset for C/C++. Scan code for uses of functions listed on Microsoft's list of banned functions. 
These functions are error-prone and typically have a safer replacement function.","id":"DwNd","name":"cpp-alpha-audit-banned-functions","visibility":"public","categories":[]},{"tags":["security"],"stats":{"cwe":{"totals":{"CWE-384: Session Fixation":1,"CWE-287: Improper Authentication":8,"CWE-346: Origin Validation Error":6,"CWE-798: Use of Hard-coded Credentials":32,"CWE-326: Inadequate Encryption Strength":1,"CWE-502: Deserialization of Untrusted Data":1,"CWE-310: CWE CATEGORY: Cryptographic Issues":2,"CWE-918: Server-Side Request Forgery (SSRF)":55,"CWE-311: Missing Encryption of Sensitive Data":2,"CWE-522: Insufficiently Protected Credentials":7,"CWE-73: External Control of File Name or Path":1,"CWE-117: Improper Output Neutralization for Logs":2,"CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag":5,"CWE-1333: Inefficient Regular Expression Complexity":1,"CWE-306: Missing Authentication for Critical Function":2,"CWE-706: Use of Incorrectly-Resolved Name or Reference":2,"CWE-1204: Generation of Weak Initialization Vector (IV)":1,"CWE-345: Insufficient Verification of Data Authenticity":2,"CWE-319: Cleartext Transmission of Sensitive Information":3,"CWE-327: Use of a Broken or Risky Cryptographic Algorithm":8,"CWE-347: Improper Verification of Cryptographic Signature":1,"CWE-548: Exposure of Information Through Directory Listing":1,"CWE-1275: Sensitive Cookie with Improper SameSite Attribute":7,"CWE-601: URL Redirection to Untrusted Site ('Open Redirect')":10,"CWE-611: Improper Restriction of XML External Entity Reference":6,"CWE-732: Incorrect Permission Assignment for Critical Resource":2,"CWE-94: Improper Control of Generation of Code ('Code Injection')":18,"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor":1,"CWE-916: Use of Password Hash With Insufficient Computational Effort":1,"CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute":6,"CWE-451: User Interface (UI) Misrepresentation of Critical Information":1,"CWE-943: 
Improper Neutralization of Special Elements in Data Query Logic":8,"CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine":2,"CWE-643: Improper Neutralization of Data within XPath Expressions ('XPath Injection')":1,"CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')":21,"CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')":1,"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')":39,"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')":37,"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')":2,"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')":8,"CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')":3},"per_framework":{"CWE-384: Session Fixation":{"javascript":{"":1}},"CWE-287: Improper Authentication":{"js":{"":7},"javascript":{"":1}},"CWE-346: Origin Validation Error":{"javascript":{"":6}},"CWE-798: Use of Hard-coded Credentials":{"js":{"":24},"javascript":{"":8}},"CWE-326: Inadequate Encryption Strength":{"javascript":{"":1}},"CWE-502: Deserialization of Untrusted Data":{"javascript":{"":1}},"CWE-310: CWE CATEGORY: Cryptographic Issues":{"javascript":{"":2}},"CWE-918: Server-Side Request Forgery (SSRF)":{"javascript":{"":55}},"CWE-311: Missing Encryption of Sensitive Data":{"ts":{"":1},"typescript":{"":1}},"CWE-522: Insufficiently Protected Credentials":{"javascript":{"":7}},"CWE-73: External Control of File Name or Path":{"javascript":{"":1}},"CWE-117: Improper Output Neutralization for Logs":{"javascript":{"":2}},"CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag":{"javascript":{"":5}},"CWE-1333: Inefficient Regular Expression Complexity":{"javascript":{"":1}},"CWE-306: Missing Authentication for Critical 
Function":{"ts":{"":2}},"CWE-706: Use of Incorrectly-Resolved Name or Reference":{"javascript":{"":2}},"CWE-1204: Generation of Weak Initialization Vector (IV)":{"javascript":{"":1}},"CWE-345: Insufficient Verification of Data Authenticity":{"javascript":{"":2}},"CWE-319: Cleartext Transmission of Sensitive Information":{"ts":{"":1},"javascript":{"":1},"typescript":{"":1}},"CWE-327: Use of a Broken or Risky Cryptographic Algorithm":{"js":{"":1},"javascript":{"":7}},"CWE-347: Improper Verification of Cryptographic Signature":{"javascript":{"":1}},"CWE-548: Exposure of Information Through Directory Listing":{"javascript":{"":1}},"CWE-1275: Sensitive Cookie with Improper SameSite Attribute":{"javascript":{"":7}},"CWE-601: URL Redirection to Untrusted Site ('Open Redirect')":{"javascript":{"":10}},"CWE-611: Improper Restriction of XML External Entity Reference":{"javascript":{"":6}},"CWE-732: Incorrect Permission Assignment for Critical Resource":{"javascript":{"":2}},"CWE-94: Improper Control of Generation of Code ('Code Injection')":{"javascript":{"":18}},"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor":{"javascript":{"":1}},"CWE-916: Use of Password Hash With Insufficient Computational Effort":{"javascript":{"":1}},"CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute":{"javascript":{"":6}},"CWE-451: User Interface (UI) Misrepresentation of Critical Information":{"javascript":{"":1}},"CWE-943: Improper Neutralization of Special Elements in Data Query Logic":{"javascript":{"":8}},"CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine":{"javascript":{"":2}},"CWE-643: Improper Neutralization of Data within XPath Expressions ('XPath Injection')":{"javascript":{"":1}},"CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')":{"javascript":{"":21}},"CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')":{"javascript":{"":1}},"CWE-79: 
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')":{"javascript":{"":18},"typescript":{"":21}},"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')":{"javascript":{"":37}},"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')":{"javascript":{"":2}},"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')":{"javascript":{"":8}},"CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')":{"javascript":{"":3}}},"rules_with_no_cwe":[]},"owasp":{"totals":{"":6,"A01:2017: Injection":55,"A03:2021: Injection":110,"A05:2025: Injection":110,"A04:2021: Insecure Design":11,"A06:2025: Insecure Design":11,"A01:2021: Broken Access Control":42,"A01:2025: Broken Access Control":95,"A02:2017: Broken Authentication":11,"A05:2017: Broken Access Control":21,"A02:2021: Cryptographic Failures":14,"A04:2025: Cryptographic Failures":14,"A03:2017: Sensitive Data Exposure":14,"A07:2025: Authentication Failures":48,"A08:2017: Insecure Deserialization":1,"A02:2025: Security Misconfiguration":18,"A05:2021: Security Misconfiguration":18,"A06:2017: Security Misconfiguration":1,"A07:2017: Cross-Site Scripting (XSS)":39,"A04:2017: XML External Entities (XXE)":6,"A10:2021: Server-Side Request Forgery (SSRF)":55,"A08:2025: Software or Data Integrity Failures":2,"A08:2021: Software and Data Integrity Failures":2,"A09:2025: Security Logging & Alerting Failures":2,"A09:2021: Security Logging and Monitoring Failures":2,"A07:2021: Identification and Authentication Failures":48},"per_framework":{"":{"js":{"":1},"javascript":{"":5}},"A01:2017: Injection":{"javascript":{"":55}},"A03:2021: Injection":{"javascript":{"":89},"typescript":{"":21}},"A05:2025: Injection":{"javascript":{"":89},"typescript":{"":21}},"A04:2021: Insecure Design":{"ts":{"":1},"javascript":{"":9},"typescript":{"":1}},"A06:2025: 
Insecure Design":{"ts":{"":1},"javascript":{"":9},"typescript":{"":1}},"A01:2021: Broken Access Control":{"javascript":{"":42}},"A01:2025: Broken Access Control":{"javascript":{"":95}},"A02:2017: Broken Authentication":{"js":{"":3},"javascript":{"":8}},"A05:2017: Broken Access Control":{"javascript":{"":21}},"A02:2021: Cryptographic Failures":{"js":{"":1},"ts":{"":1},"javascript":{"":11},"typescript":{"":1}},"A04:2025: Cryptographic Failures":{"js":{"":1},"ts":{"":1},"javascript":{"":11},"typescript":{"":1}},"A03:2017: Sensitive Data Exposure":{"js":{"":1},"ts":{"":2},"javascript":{"":9},"typescript":{"":2}},"A07:2025: Authentication Failures":{"js":{"":30},"ts":{"":2},"javascript":{"":16}},"A08:2017: Insecure Deserialization":{"javascript":{"":1}},"A02:2025: Security Misconfiguration":{"javascript":{"":18}},"A05:2021: Security Misconfiguration":{"javascript":{"":18}},"A06:2017: Security Misconfiguration":{"javascript":{"":1}},"A07:2017: Cross-Site Scripting (XSS)":{"javascript":{"":18},"typescript":{"":21}},"A04:2017: XML External Entities (XXE)":{"javascript":{"":6}},"A10:2021: Server-Side Request Forgery (SSRF)":{"javascript":{"":55}},"A08:2025: Software or Data Integrity Failures":{"javascript":{"":2}},"A08:2021: Software and Data Integrity Failures":{"javascript":{"":2}},"A09:2025: Security Logging & Alerting Failures":{"javascript":{"":2}},"A09:2021: Security Logging and Monitoring Failures":{"javascript":{"":2}},"A07:2021: Identification and Authentication Failures":{"js":{"":30},"ts":{"":2},"javascript":{"":16}}},"rules_with_no_owasp":["regexp-redos","cookies-default-express","session-cookie-default-express","intercom-settings-user-identifier-without-user-hash","dot-nestjs","create-de-cipher-no-iv"]}},"author":"Semgrep","counts":{"total_rules":316,"premium_rules":242},"username":"semgrep","languages":["javascript","typescript"],"description":"Default ruleset for TypeScript, curated by 
Semgrep.","id":"Nvz","name":"typescript","visibility":"public","categories":[]},{"tags":["semgrep","security","command injection","command","injection","eval","rce"],"stats":{"cwe":{"totals":{"CWE-155: Improper Neutralization of Wildcards or Matching Symbols":1,"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')":10,"CWE-96: Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')":1,"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')":12},"per_framework":{"CWE-155: Improper Neutralization of Wildcards or Matching Symbols":{"python":{"":1}},"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')":{"python":{"":10}},"CWE-96: Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')":{"python":{"":1}},"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')":{"python":{"":12}}},"rules_with_no_cwe":[]},"owasp":{"totals":{"A01:2017: Injection":13,"A03:2021: Injection":23,"A05:2025: Injection":23},"per_framework":{"A01:2017: Injection":{"python":{"":13}},"A03:2021: Injection":{"python":{"":23}},"A05:2025: Injection":{"python":{"":23}}},"rules_with_no_owasp":[]}},"author":"Vasilii Ermilov","counts":{"total_rules":24,"premium_rules":0},"hidden":true,"username":"inkz","languages":["Python"],"description":"Secure defaults for Command injection prevention","id":"RxY","name":"python-command-injection","visibility":"public","categories":[]},{"tags":["security"],"stats":{"cwe":{"totals":{"CWE-415: Double Free":2,"CWE-416: Use After Free":5,"CWE-114: Process Control":1,"CWE-328: Use of Weak Hash":1,"CWE-125: Out-of-bounds Read":7,"CWE-787: Out-of-bounds Write":4,"CWE-476: NULL Pointer Dereference":1,"CWE-326: Inadequate Encryption Strength":1,"CWE-295: Improper Certificate Validation":2,"CWE-467: Use of sizeof() on a Pointer Type":2,"CWE-918: 
Server-Side Request Forgery (SSRF)":1,"CWE-131: Incorrect Calculation of Buffer Size":1,"CWE-14: Compiler Removal of Code to Clear Buffers":1,"CWE-134: Use of Externally-Controlled Format String":1,"CWE-319: Cleartext Transmission of Sensitive Information":1,"CWE-327: Use of a Broken or Risky Cryptographic Algorithm":2,"CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition":2,"CWE-611: Improper Restriction of XML External Entity Reference":3,"CWE-732: Incorrect Permission Assignment for Critical Resource":1,"CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')":2,"CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')":1,"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')":1,"CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')":2,"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')":1},"per_framework":{"CWE-415: Double Free":{"cpp":{"":2}},"CWE-416: Use After Free":{"cpp":{"":5}},"CWE-114: Process Control":{"cpp":{"":1}},"CWE-328: Use of Weak Hash":{"cpp":{"":1}},"CWE-125: Out-of-bounds Read":{"cpp":{"":7}},"CWE-787: Out-of-bounds Write":{"cpp":{"":4}},"CWE-476: NULL Pointer Dereference":{"cpp":{"":1}},"CWE-326: Inadequate Encryption Strength":{"cpp":{"":1}},"CWE-295: Improper Certificate Validation":{"cpp":{"":2}},"CWE-467: Use of sizeof() on a Pointer Type":{"cpp":{"":2}},"CWE-918: Server-Side Request Forgery (SSRF)":{"cpp":{"":1}},"CWE-131: Incorrect Calculation of Buffer Size":{"cpp":{"":1}},"CWE-14: Compiler Removal of Code to Clear Buffers":{"cpp":{"":1}},"CWE-134: Use of Externally-Controlled Format String":{"cpp":{"":1}},"CWE-319: Cleartext Transmission of Sensitive Information":{"cpp":{"":1}},"CWE-327: Use of a Broken or Risky Cryptographic Algorithm":{"cpp":{"":2}},"CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition":{"cpp":{"":2}},"CWE-611: Improper 
Restriction of XML External Entity Reference":{"cpp":{"":3}},"CWE-732: Incorrect Permission Assignment for Critical Resource":{"cpp":{"":1}},"CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')":{"cpp":{"":2}},"CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')":{"cpp":{"":1}},"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')":{"cpp":{"":1}},"CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')":{"cpp":{"":2}},"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')":{"cpp":{"":1}}},"rules_with_no_cwe":[]},"owasp":{"totals":{"":29,"A01:2017: Injection":4,"A03:2021: Injection":4,"A05:2025: Injection":4,"A01:2021: Broken Access Control":1,"A01:2025: Broken Access Control":2,"A05:2017: Broken Access Control":1,"A02:2021: Cryptographic Failures":5,"A04:2025: Cryptographic Failures":5,"A03:2017: Sensitive Data Exposure":7,"A07:2025: Authentication Failures":2,"A02:2025: Security Misconfiguration":3,"A05:2021: Security Misconfiguration":3,"A04:2017: XML External Entities (XXE)":3,"A10:2021: Server-Side Request Forgery (SSRF)":1,"A10:2025: Mishandling of Exceptional Conditions":1,"A07:2021: Identification and Authentication Failures":2},"per_framework":{"":{"cpp":{"":29}},"A01:2017: Injection":{"cpp":{"":4}},"A03:2021: Injection":{"cpp":{"":4}},"A05:2025: Injection":{"cpp":{"":4}},"A01:2021: Broken Access Control":{"cpp":{"":1}},"A01:2025: Broken Access Control":{"cpp":{"":2}},"A05:2017: Broken Access Control":{"cpp":{"":1}},"A02:2021: Cryptographic Failures":{"cpp":{"":5}},"A04:2025: Cryptographic Failures":{"cpp":{"":5}},"A03:2017: Sensitive Data Exposure":{"cpp":{"":7}},"A07:2025: Authentication Failures":{"cpp":{"":2}},"A02:2025: Security Misconfiguration":{"cpp":{"":3}},"A05:2021: Security Misconfiguration":{"cpp":{"":3}},"A04:2017: XML External Entities 
(XXE)":{"cpp":{"":3}},"A10:2021: Server-Side Request Forgery (SSRF)":{"cpp":{"":1}},"A10:2025: Mishandling of Exceptional Conditions":{"cpp":{"":1}},"A07:2021: Identification and Authentication Failures":{"cpp":{"":2}}},"rules_with_no_owasp":["memset-removal","sizeof-pointer-type","sizeof-this","std-vector-invalidation","file-access-before-action","file-stat-before-action","world-writable-file","format-string-injection","dynamic-library-path","tainted-allocation-size","double-delete","double-free","negative-return-value-array-index","unvalidated-array-index","alloc-strlen","missing-nul-cpp-string-memcpy","narrow-to-wide-string-mismatch","readlink-null-terminator","return-c-str","snprintf-return-value-length","snprintf-return-value-snprintf","snprintf-source-size","std-string-npos","string-view-data-null-terminator","string-view-temporary-string","unbounded-copy-to-stack-buffer","wide-to-narrow-string-mismatch","local-variable-malloc-free","local-variable-new-delete"]}},"author":"Semgrep","counts":{"total_rules":46,"premium_rules":46},"hidden":true,"username":"semgrep","languages":["C","C++"],"description":"Alpha ruleset for C/C++. 
This ruleset is intended to produce a low false-positive rate and to be safe for use in CI/CD pipelines.","id":"05dB","name":"cpp-alpha-ci","visibility":"public","categories":[]},{"tags":["flawfinder"],"stats":{"cwe":{"totals":{"CWE-20":7,"CWE-78":4,"CWE-120":23,"CWE-126":2,"CWE-134":4,"CWE-190":1,"CWE-250":1,"CWE-327":4,"CWE-362":5,"CWE-377":5,"CWE-676":4,"CWE-732":3,"CWE-807":1},"per_framework":{"CWE-20":{"c":{"":7}},"CWE-78":{"c":{"":4}},"CWE-120":{"c":{"":23}},"CWE-126":{"c":{"":2}},"CWE-134":{"c":{"":4}},"CWE-190":{"c":{"":1}},"CWE-250":{"c":{"":1}},"CWE-327":{"c":{"":4}},"CWE-362":{"c":{"":5}},"CWE-377":{"c":{"":5}},"CWE-676":{"c":{"":4}},"CWE-732":{"c":{"":3}},"CWE-807":{"c":{"":1}}},"rules_with_no_cwe":[]},"owasp":{"totals":{"":1,"A1:2017-Injection":38,"A03:2021-Injection":37,"A5:2017-Broken Access Control":14,"A01:2021-Broken Access Control":14,"A02:2021-Cryptographic Failures":4,"A3:2017-Sensitive Data Exposure":4,"A6:2017-Security Misconfiguration":1,"A05:2021-Security Misconfiguration":1,"A06:2021-Vulnerable and Outdated Components":6,"A9:2017-Using Components with Known Vulnerabilities":6},"per_framework":{"":{"c":{"":1}},"A1:2017-Injection":{"c":{"":38}},"A03:2021-Injection":{"c":{"":37}},"A5:2017-Broken Access Control":{"c":{"":14}},"A01:2021-Broken Access Control":{"c":{"":14}},"A02:2021-Cryptographic Failures":{"c":{"":4}},"A3:2017-Sensitive Data Exposure":{"c":{"":4}},"A6:2017-Security Misconfiguration":{"c":{"":1}},"A05:2021-Security Misconfiguration":{"c":{"":1}},"A06:2021-Vulnerable and Outdated Components":{"c":{"":6}},"A9:2017-Using Components with Known Vulnerabilities":{"c":{"":6}}},"rules_with_no_owasp":["flawfinder.equal-1.mismatch-1.is_permutation-1"]}},"author":"Gitlab","counts":{"total_rules":64,"premium_rules":0},"hidden":false,"languages":["C","C++"],"description":"Use Semgrep as a universal linter to identify vulnerabilities in your code base with the flawfinder (https://dwheeler.com/flawfinder/) rule 
pack.","id":"8yl7","name":"flawfinder","visibility":"public","categories":[{"id":"aR8","slug":"ported-security-tools","name":"Ported Security Tools","description":"Select rules ported from open-source security tools. Start here if you're familiar with these tools."}]},{"stats":{"cwe":{"totals":{"CWE-416: Use After Free":4,"CWE-328: Use of Weak Hash":12,"CWE-489: Active Debug Code":7,"CWE-125: Out-of-bounds Read":6,"CWE-787: Out-of-bounds Write":2,"CWE-778: Insufficient Logging":1,"CWE-682: Incorrect Calculation":2,"CWE-862: Missing Authorization":1,"CWE-23: Relative Path Traversal":2,"CWE-284: Improper Access Control":2,"CWE-287: Improper Authentication":53,"CWE-346: Origin Validation Error":6,"CWE-377: Insecure Temporary File":1,"CWE-506: Embedded Malicious Code":1,"CWE-20: Improper Input Validation":2,"CWE-476: NULL Pointer Dereference":1,"CWE-477: Use of Obsolete Function":2,"CWE-501: Trust Boundary Violation":1,"CWE-272: Least Privilege Violation":11,"CWE-259: Use of Hard-coded Password":1,"CWE-269: Improper Privilege Management":2,"CWE-798: Use of Hard-coded Credentials":166,"CWE-190: Integer Overflow or Wraparound":1,"CWE-326: Inadequate Encryption Strength":18,"CWE-295: Improper Certificate Validation":5,"CWE-613: Insufficient Session Expiration":3,"CWE-341: Predictable from Observable State":1,"CWE-352: Cross-Site Request Forgery (CSRF)":4,"CWE-467: Use of sizeof() on a Pointer Type":1,"CWE-502: Deserialization of Untrusted Data":80,"CWE-780: Use of RSA Algorithm without OAEP":1,"CWE-300: Channel Accessible by Non-Endpoint":3,"CWE-310: CWE CATEGORY: Cryptographic Issues":1,"CWE-918: Server-Side Request Forgery (SSRF)":265,"CWE-321: Use of Hard-coded Cryptographic Key":1,"CWE-311: Missing Encryption of Sensitive Data":2,"CWE-522: Insufficiently Protected Credentials":13,"CWE-668: Exposure of Resource to Wrong Sphere":1,"CWE-73: External Control of File Name or Path":98,"CWE-250: Execution with Unnecessary Privileges":2,"CWE-117: Improper Output 
Neutralization for Logs":6,"CWE-323: Reusing a Nonce, Key Pair in Encryption":1,"CWE-673: External Influence of Sphere Definition":1,"CWE-494: Download of Code Without Integrity Check":5,"CWE-91: XML Injection (aka Blind XPath Injection)":1,"CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag":17,"CWE-305: Authentication Bypass by Primary Weakness":2,"CWE-1333: Inefficient Regular Expression Complexity":4,"CWE-329: Generation of Predictable IV with CBC Mode":2,"CWE-509: Replicating Malicious Code (Virus or Worm)":1,"CWE-841: Improper Enforcement of Behavioral Workflow":7,"CWE-1204: Generation of Weak Initialization Vector (IV)":1,"CWE-345: Insufficient Verification of Data Authenticity":2,"CWE-319: Cleartext Transmission of Sensitive Information":6,"CWE-837: Improper Enforcement of a Single, Unique Action":1,"CWE-327: Use of a Broken or Risky Cryptographic Algorithm":47,"CWE-347: Improper Verification of Cryptographic Signature":1,"CWE-532: Insertion of Sensitive Information into Log File":1,"CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition":2,"CWE-1275: Sensitive Cookie with Improper SameSite Attribute":12,"CWE-358: Improperly Implemented Security Check for Standard":36,"CWE-601: URL Redirection to Untrusted Site ('Open Redirect')":14,"CWE-296: Improper Following of a Certificate's Chain of Trust":1,"CWE-441: Unintended Proxy or Intermediary ('Confused Deputy')":1,"CWE-611: Improper Restriction of XML External Entity Reference":45,"CWE-732: Incorrect Permission Assignment for Critical Resource":7,"CWE-942: Permissive Cross-domain Policy with Untrusted Domains":3,"CWE-94: Improper Control of Generation of Code ('Code Injection')":53,"CWE-337: Predictable Seed in Pseudo-Random Number Generator (PRNG)":2,"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor":11,"CWE-454: External Initialization of Trusted Variables or Data Stores":3,"CWE-916: Use of Password Hash With Insufficient Computational Effort":3,"CWE-209: Generation of Error Message 
Containing Sensitive Information":1,"CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute":21,"CWE-644: Improper Neutralization of HTTP Headers for Scripting Syntax":34,"CWE-323: Nonces should be used for the present occasion and only once.":1,"CWE-688: Function Call With Incorrect Variable or Reference as Argument":1,"CWE-943: Improper Neutralization of Special Elements in Data Query Logic":24,"CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)":1,"CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine":1,"CWE-643: Improper Neutralization of Data within XPath Expressions ('XPath Injection')":9,"CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')":127,"CWE-757: Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')":1,"CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')":3,"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')":38,"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')":248,"CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')":21,"CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')":10,"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')":5,"CWE-75: Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)":3,"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')":62,"CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')":3,"CWE-329: Not using a random initialization Vector (IV) with Cipher Block Chaining (CBC) Mode causes algorithms to be susceptible to dictionary attacks.":1},"per_framework":{"CWE-416: Use After Free":{"cpp":{"":4}},"CWE-328: Use of Weak 
Hash":{"go":{"":1},"cpp":{"":1},"php":{"":1},"java":{"":4},"ruby":{"":1},"python":{"":2},"clojure":{"":2}},"CWE-489: Active Debug Code":{"php":{"":1},"yaml":{"":1},"kotlin":{"":1},"python":{"":3},"generic":{"":1}},"CWE-125: Out-of-bounds Read":{"cpp":{"":6}},"CWE-787: Out-of-bounds Write":{"cpp":{"":1},"solidity":{"":1}},"CWE-778: Insufficient Logging":{"hcl":{"":1}},"CWE-682: Incorrect Calculation":{"solidity":{"":2}},"CWE-862: Missing Authorization":{"dockerfile":{"":1}},"CWE-23: Relative Path Traversal":{"php":{"":1},"java":{"":1}},"CWE-284: Improper Access Control":{"python":{"":1},"solidity":{"":1}},"CWE-287: Improper Authentication":{"go":{"":8},"js":{"":5},"ruby":{"":6},"rust":{"":10},"yaml":{"":1},"kotlin":{"":4},"python":{"":18},"javascript":{"":1}},"CWE-346: Origin Validation Error":{"java":{"":1},"javascript":{"":5}},"CWE-377: Insecure Temporary File":{"python":{"":1}},"CWE-506: Embedded Malicious Code":{"generic":{"":1}},"CWE-20: Improper Input Validation":{"solidity":{"":2}},"CWE-476: NULL Pointer Dereference":{"cpp":{"":1}},"CWE-477: Use of Obsolete Function":{"swift":{"":2}},"CWE-501: Trust Boundary Violation":{"java":{"":1}},"CWE-272: Least Privilege Violation":{"xml":{"":2},"swift":{"":9}},"CWE-259: Use of Hard-coded Password":{"swift":{"":1}},"CWE-269: Improper Privilege Management":{"yaml":{"":1},"dockerfile":{"":1}},"CWE-798: Use of Hard-coded Credentials":{"go":{"":10},"js":{"":22},"py":{"":1},"php":{"":1},"java":{"":21},"ruby":{"":18},"rust":{"":12},"regex":{"":1},"swift":{"":7},"csharp":{"":10},"kotlin":{"":21},"python":{"":35},"javascript":{"":7}},"CWE-190: Integer Overflow or Wraparound":{"php":{"":1}},"CWE-326: Inadequate Encryption Strength":{"go":{"":1},"kt":{"":1},"cpp":{"":1},"hcl":{"":1},"java":{"":6},"ruby":{"":1},"swift":{"":2},"python":{"":2},"generic":{"":1},"terraform":{"":1},"javascript":{"":1}},"CWE-295: Improper Certificate Validation":{"cpp":{"":1},"xml":{"":1},"rust":{"":3}},"CWE-613: Insufficient Session 
Expiration":{"csharp":{"":1},"python":{"":2}},"CWE-341: Predictable from Observable State":{"solidity":{"":1}},"CWE-352: Cross-Site Request Forgery (CSRF)":{"java":{"":1},"python":{"":3}},"CWE-467: Use of sizeof() on a Pointer Type":{"cpp":{"":1}},"CWE-502: Deserialization of Untrusted Data":{"C#":{"":1},"go":{"":1},"java":{"":7},"swift":{"":2},"python":{"":68},"javascript":{"":1}},"CWE-780: Use of RSA Algorithm without OAEP":{"scala":{"":1}},"CWE-300: Channel Accessible by Non-Endpoint":{"go":{"":3}},"CWE-310: CWE CATEGORY: Cryptographic Issues":{"javascript":{"":1}},"CWE-918: Server-Side Request Forgery (SSRF)":{"go":{"":5},"php":{"":1},"java":{"":11},"rust":{"":3},"csharp":{"":5},"kotlin":{"":2},"python":{"":234},"generic":{"":1},"javascript":{"":3}},"CWE-321: Use of Hard-coded Cryptographic Key":{"swift":{"":1}},"CWE-311: Missing Encryption of Sensitive Data":{"ruby":{"":1},"swift":{"":1}},"CWE-522: Insufficiently Protected Credentials":{"scala":{"":2},"python":{"":2},"generic":{"":9}},"CWE-668: Exposure of Resource to Wrong Sphere":{"python":{"":1}},"CWE-73: External Control of File Name or Path":{"python":{"":98}},"CWE-250: Execution with Unnecessary Privileges":{"yaml":{"":1},"dockerfile":{"":1}},"CWE-117: Improper Output Neutralization for Logs":{"python":{"":4},"javascript":{"":2}},"CWE-323: Reusing a Nonce, Key Pair in Encryption":{"java":{"":1}},"CWE-673: External Influence of Sphere Definition":{"python":{"":1}},"CWE-494: Download of Code Without Integrity Check":{"generic":{"":5}},"CWE-91: XML Injection (aka Blind XPath Injection)":{"java":{"":1}},"CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag":{"java":{"":4},"csharp":{"":2},"python":{"":7},"javascript":{"":4}},"CWE-305: Authentication Bypass by Primary Weakness":{"swift":{"":2}},"CWE-1333: Inefficient Regular Expression Complexity":{"java":{"":1},"python":{"":3}},"CWE-329: Generation of Predictable IV with CBC Mode":{"php":{"":1},"java":{"":1}},"CWE-509: Replicating Malicious Code (Virus or 
Worm)":{"yaml":{"":1}},"CWE-841: Improper Enforcement of Behavioral Workflow":{"solidity":{"":7}},"CWE-1204: Generation of Weak Initialization Vector (IV)":{"javascript":{"":1}},"CWE-345: Insufficient Verification of Data Authenticity":{"csharp":{"":1},"javascript":{"":1}},"CWE-319: Cleartext Transmission of Sensitive Information":{"xml":{"":3},"html":{"":1},"java":{"":1},"python":{"":1}},"CWE-837: Improper Enforcement of a Single, Unique Action":{"solidity":{"":1}},"CWE-327: Use of a Broken or Risky Cryptographic Algorithm":{"go":{"":4},"xml":{"":1},"java":{"":9},"swift":{"":5},"csharp":{"":1},"kotlin":{"":2},"python":{"":18},"clojure":{"":1},"javascript":{"":6}},"CWE-347: Improper Verification of Cryptographic Signature":{"javascript":{"":1}},"CWE-532: Insertion of Sensitive Information into Log File":{"java":{"":1}},"CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition":{"cpp":{"":2}},"CWE-1275: Sensitive Cookie with Improper SameSite Attribute":{"java":{"":1},"python":{"":6},"javascript":{"":5}},"CWE-358: Improperly Implemented Security Check for Standard":{"python":{"":36}},"CWE-601: URL Redirection to Untrusted Site ('Open Redirect')":{"go":{"":1},"java":{"":6},"kotlin":{"":1},"javascript":{"":6}},"CWE-296: Improper Following of a Certificate's Chain of Trust":{"xml":{"":1}},"CWE-441: Unintended Proxy or Intermediary ('Confused Deputy')":{"yaml":{"":1}},"CWE-611: Improper Restriction of XML External Entity Reference":{"go":{"":2},"cpp":{"":1},"php":{"":2},"java":{"":26},"scala":{"":3},"swift":{"":1},"python":{"":6},"clojure":{"":1},"javascript":{"":3}},"CWE-732: Incorrect Permission Assignment for Critical Resource":{"cpp":{"":1},"hcl":{"":1},"generic":{"":4},"javascript":{"":1}},"CWE-942: Permissive Cross-domain Policy with Untrusted Domains":{"csharp":{"":2},"python":{"":1}},"CWE-94: Improper Control of Generation of Code ('Code 
Injection')":{"yaml":{"":1},"csharp":{"":2},"kotlin":{"":1},"python":{"":33},"generic":{"":1},"terraform":{"":1},"javascript":{"":14}},"CWE-337: Predictable Seed in Pseudo-Random Number Generator (PRNG)":{"cpp":{"":2}},"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor":{"go":{"":2},"java":{"":1},"csharp":{"":1},"python":{"":2},"generic":{"":4},"javascript":{"":1}},"CWE-454: External Initialization of Trusted Variables or Data Stores":{"python":{"":3}},"CWE-916: Use of Password Hash With Insufficient Computational Effort":{"swift":{"":3}},"CWE-209: Generation of Error Message Containing Sensitive Information":{"csharp":{"":1}},"CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute":{"php":{"":1},"java":{"":4},"csharp":{"":2},"python":{"":9},"generic":{"":1},"javascript":{"":4}},"CWE-644: Improper Neutralization of HTTP Headers for Scripting Syntax":{"java":{"":2},"python":{"":32}},"CWE-323: Nonces should be used for the present occasion and only once.":{"swift":{"":1}},"CWE-688: Function Call With Incorrect Variable or Reference as Argument":{"solidity":{"":1}},"CWE-943: Improper Neutralization of Special Elements in Data Query Logic":{"go":{"":4},"rust":{"":3},"csharp":{"":2},"kotlin":{"":5},"python":{"":3},"javascript":{"":7}},"CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)":{"csharp":{"":1}},"CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine":{"javascript":{"":1}},"CWE-643: Improper Neutralization of Data within XPath Expressions ('XPath Injection')":{"java":{"":3},"csharp":{"":2},"python":{"":3},"javascript":{"":1}},"CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')":{"go":{"":5},"java":{"":3},"rust":{"":3},"csharp":{"":66},"python":{"":31},"javascript":{"":19}},"CWE-757: Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')":{"xml":{"":1}},"CWE-77: Improper Neutralization of Special Elements used in a 
Command ('Command Injection')":{"python":{"":1},"terraform":{"":1},"javascript":{"":1}},"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')":{"go":{"":5},"java":{"":8},"csharp":{"":4},"kotlin":{"":1},"python":{"":3},"generic":{"":2},"javascript":{"":4},"typescript":{"":11}},"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')":{"go":{"":11},"java":{"":6},"rust":{"":12},"scala":{"":2},"swift":{"":1},"csharp":{"":34},"kotlin":{"":5},"python":{"":145},"javascript":{"":32}},"CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')":{"cpp":{"":2},"java":{"":2},"python":{"":17}},"CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')":{"java":{"":8},"python":{"":2}},"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')":{"php":{"":1},"java":{"":2},"generic":{"":1},"javascript":{"":1}},"CWE-75: Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)":{"python":{"":3}},"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')":{"go":{"":8},"cpp":{"":1},"java":{"":7},"rust":{"":6},"yaml":{"":1},"csharp":{"":3},"kotlin":{"":1},"python":{"":23},"generic":{"":7},"javascript":{"":5}},"CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')":{"javascript":{"":3}},"CWE-329: Not using a random initialization Vector (IV) with Cipher Block Chaining (CBC) Mode causes algorithms to be susceptible to dictionary attacks.":{"swift":{"":1}}},"rules_with_no_cwe":[]},"owasp":{"totals":{"":74,"A01:2017: Injection":363,"A03:2021: Injection":481,"A05:2025: Injection":481,"A04:2021 Insecure Design":2,"A04:2021: Insecure Design":115,"A06:2025: Insecure Design":115,"LLM08:2023: Excessive Agency":1,"A01:2021: Broken Access Control":171,"A01:2025: Broken Access 
Control":426,"A02:2017: Broken Authentication":41,"A05:2017: Broken Access Control":127,"A02:2021: Cryptographic Failures":93,"A04:2025: Cryptographic Failures":93,"A03:2017: Sensitive Data Exposure":82,"A07:2025: Authentication Failures":232,"A05:2021-Security misconfiguration":36,"A08:2017: Insecure Deserialization":80,"A02:2021 – Cryptographic Failures":3,"A02:2025: Security Misconfiguration":94,"A05:2021: Security Misconfiguration":94,"A06:2017: Security Misconfiguration":5,"A07:2017: Cross-Site Scripting (XSS)":38,"A04:2017: XML External Entities (XXE)":47,"A05:2021 – Security Misconfiguration":1,"A10:2021: Server-Side Request Forgery (SSRF)":265,"A08:2025: Software or Data Integrity Failures":85,"A08:2021: Software and Data Integrity Failures":86,"A09:2025: Security Logging & Alerting Failures":8,"A10:2025: Mishandling of Exceptional Conditions":1,"A09:2021: Security Logging and Monitoring Failures":8,"A7:2021 Identification and Authentication Failures":1,"A07:2021 Identification and Authentication Failures":1,"A07:2021: Identification and Authentication Failures":232},"per_framework":{"":{"go":{"":1},"cpp":{"":15},"php":{"":1},"xml":{"":4},"java":{"":1},"rust":{"":3},"yaml":{"":1},"regex":{"":1},"swift":{"":13},"kotlin":{"":1},"python":{"":8},"generic":{"":6},"solidity":{"":15},"dockerfile":{"":1},"javascript":{"":3}},"A01:2017: Injection":{"go":{"":23},"cpp":{"":3},"java":{"":18},"rust":{"":21},"yaml":{"":2},"scala":{"":2},"swift":{"":1},"csharp":{"":39},"kotlin":{"":11},"python":{"":189},"generic":{"":8},"terraform":{"":1},"javascript":{"":45}},"A03:2021: Injection":{"go":{"":24},"cpp":{"":3},"php":{"":1},"java":{"":31},"rust":{"":18},"yaml":{"":3},"scala":{"":2},"swift":{"":1},"csharp":{"":45},"kotlin":{"":8},"python":{"":261},"generic":{"":11},"terraform":{"":1},"javascript":{"":61},"typescript":{"":11}},"A05:2025: 
Injection":{"go":{"":24},"cpp":{"":3},"php":{"":1},"java":{"":31},"rust":{"":18},"yaml":{"":3},"scala":{"":2},"swift":{"":1},"csharp":{"":45},"kotlin":{"":8},"python":{"":261},"generic":{"":11},"terraform":{"":1},"javascript":{"":61},"typescript":{"":11}},"A04:2021 Insecure Design":{"yaml":{"":2}},"A04:2021: Insecure Design":{"java":{"":1},"ruby":{"":1},"scala":{"":2},"swift":{"":1},"csharp":{"":1},"python":{"":100},"generic":{"":9}},"A06:2025: Insecure Design":{"java":{"":1},"ruby":{"":1},"scala":{"":2},"swift":{"":1},"csharp":{"":1},"python":{"":100},"generic":{"":9}},"LLM08:2023: Excessive Agency":{"yaml":{"":1}},"A01:2021: Broken Access Control":{"go":{"":7},"php":{"":1},"java":{"":13},"rust":{"":3},"csharp":{"":67},"kotlin":{"":1},"python":{"":44},"generic":{"":4},"javascript":{"":31}},"A01:2025: Broken Access Control":{"go":{"":10},"php":{"":2},"java":{"":22},"rust":{"":6},"csharp":{"":70},"kotlin":{"":3},"python":{"":276},"generic":{"":5},"javascript":{"":32}},"A02:2017: Broken Authentication":{"go":{"":8},"js":{"":3},"rust":{"":10},"scala":{"":2},"csharp":{"":1},"kotlin":{"":4},"python":{"":4},"generic":{"":9}},"A05:2017: Broken Access Control":{"go":{"":5},"java":{"":3},"rust":{"":3},"csharp":{"":66},"python":{"":31},"javascript":{"":19}},"A02:2021: Cryptographic Failures":{"go":{"":6},"kt":{"":1},"cpp":{"":4},"hcl":{"":1},"php":{"":2},"xml":{"":4},"html":{"":1},"java":{"":22},"ruby":{"":2},"scala":{"":1},"swift":{"":13},"csharp":{"":2},"kotlin":{"":2},"python":{"":20},"clojure":{"":2},"generic":{"":1},"terraform":{"":1},"javascript":{"":8}},"A04:2025: Cryptographic Failures":{"go":{"":6},"kt":{"":1},"cpp":{"":4},"hcl":{"":1},"php":{"":2},"xml":{"":4},"html":{"":1},"java":{"":22},"ruby":{"":2},"scala":{"":1},"swift":{"":13},"csharp":{"":2},"kotlin":{"":2},"python":{"":20},"clojure":{"":2},"generic":{"":1},"terraform":{"":1},"javascript":{"":8}},"A03:2017: Sensitive Data 
Exposure":{"go":{"":6},"kt":{"":1},"cpp":{"":3},"hcl":{"":1},"php":{"":1},"xml":{"":5},"html":{"":1},"java":{"":20},"ruby":{"":3},"swift":{"":8},"kotlin":{"":2},"python":{"":20},"clojure":{"":2},"generic":{"":1},"terraform":{"":1},"javascript":{"":7}},"A07:2025: Authentication Failures":{"go":{"":21},"js":{"":27},"py":{"":1},"cpp":{"":1},"php":{"":1},"xml":{"":1},"java":{"":22},"ruby":{"":24},"rust":{"":22},"swift":{"":8},"csharp":{"":11},"kotlin":{"":25},"python":{"":55},"javascript":{"":13}},"A05:2021-Security misconfiguration":{"python":{"":36}},"A08:2017: Insecure Deserialization":{"C#":{"":1},"go":{"":1},"java":{"":7},"swift":{"":2},"python":{"":68},"javascript":{"":1}},"A02:2021 – Cryptographic Failures":{"python":{"":3}},"A02:2025: Security Misconfiguration":{"go":{"":2},"cpp":{"":1},"hcl":{"":1},"php":{"":4},"java":{"":34},"yaml":{"":2},"scala":{"":3},"swift":{"":1},"csharp":{"":6},"python":{"":25},"clojure":{"":1},"generic":{"":1},"dockerfile":{"":1},"javascript":{"":12}},"A05:2021: Security Misconfiguration":{"go":{"":2},"cpp":{"":1},"hcl":{"":1},"php":{"":4},"java":{"":34},"yaml":{"":2},"scala":{"":3},"swift":{"":1},"csharp":{"":6},"python":{"":25},"clojure":{"":1},"generic":{"":1},"dockerfile":{"":1},"javascript":{"":12}},"A06:2017: Security Misconfiguration":{"php":{"":1},"yaml":{"":2},"csharp":{"":1},"python":{"":1}},"A07:2017: Cross-Site Scripting (XSS)":{"go":{"":5},"java":{"":8},"csharp":{"":4},"kotlin":{"":1},"python":{"":3},"generic":{"":2},"javascript":{"":4},"typescript":{"":11}},"A04:2017: XML External Entities (XXE)":{"go":{"":2},"cpp":{"":1},"php":{"":2},"java":{"":26},"scala":{"":3},"swift":{"":1},"python":{"":8},"clojure":{"":1},"javascript":{"":3}},"A05:2021 – Security Misconfiguration":{"python":{"":1}},"A10:2021: Server-Side Request Forgery (SSRF)":{"go":{"":5},"php":{"":1},"java":{"":11},"rust":{"":3},"csharp":{"":5},"kotlin":{"":2},"python":{"":234},"generic":{"":1},"javascript":{"":3}},"A08:2025: Software or Data Integrity 
Failures":{"C#":{"":1},"java":{"":7},"swift":{"":2},"csharp":{"":1},"python":{"":68},"generic":{"":5},"javascript":{"":1}},"A08:2021: Software and Data Integrity Failures":{"C#":{"":1},"go":{"":1},"java":{"":7},"swift":{"":2},"csharp":{"":1},"python":{"":68},"generic":{"":5},"javascript":{"":1}},"A09:2025: Security Logging & Alerting Failures":{"hcl":{"":1},"java":{"":1},"python":{"":4},"javascript":{"":2}},"A10:2025: Mishandling of Exceptional Conditions":{"cpp":{"":1}},"A09:2021: Security Logging and Monitoring Failures":{"hcl":{"":1},"java":{"":1},"python":{"":4},"javascript":{"":2}},"A7:2021 Identification and Authentication Failures":{"solidity":{"":1}},"A07:2021 Identification and Authentication Failures":{"yaml":{"":1}},"A07:2021: Identification and Authentication Failures":{"go":{"":21},"js":{"":27},"py":{"":1},"cpp":{"":1},"php":{"":1},"xml":{"":1},"java":{"":22},"ruby":{"":24},"rust":{"":22},"swift":{"":8},"csharp":{"":11},"kotlin":{"":25},"python":{"":55},"javascript":{"":13}}},"rules_with_no_owasp":["sizeof-this","std-return-data","std-vector-invalidation","file-access-before-action","file-stat-before-action","world-writable-file","negative-return-value-array-index","missing-nul-cpp-string-memcpy","narrow-to-wide-string-mismatch","readlink-null-terminator","return-c-str","std-string-npos","string-view-data-null-terminator","string-view-temporary-string","wide-to-narrow-string-mismatch","dockerfile-dockerd-socket-mount","detected-onfido-live-api-token","open-redirect","jax-rs-better-files-regex-injection-uri-params","cookies-default-express","dot-nestjs","create-de-cipher-no-iv","ktor-development-mode-conf","ktor-development-mode-gradle","ktor-development-mode-yaml","base-convert-loses-precision","tainted-dotenv-variable-django","tainted-regex-stdlib-django","tainted-dotenv-variable-fastapi","tainted-regex-stdlib-fastapi","debug-flask-passthrough-errors","active-debug-code-flask","tainted-dotenv-variable-flask","tainted-regex-stdlib-flask","reqwest-accept
-invalid","rustls-dangerous","ssl-verify-none","skill-dangerous-command-wildcard","skill-network-bash-wildcard","skill-persistence-commands","skill-wildcard-all-tools","skill-preprocessing-encoding-network","balancer-readonly-reentrancy-getpooltokens","balancer-readonly-reentrancy-getrate","compound-borrowfresh-reentrancy","curve-readonly-reentrancy","encode-packed-collision","erc677-reentrancy","erc721-reentrancy","erc777-reentrancy","incorrect-use-of-blockhash","keeper-network-oracle-manipulation","no-bidi-characters","proxy-storage-collision","redacted-cartel-custom-approval-bug","rigoblock-missing-access-control","superfluid-ctx-injection","keychain-acl-allows-biometry-changes","keychain-accessible-always","insecure-biometrics","keychain-passcode-fallback","ATS-local-networking","ATS-consider-pinning","ATS-CA-pins","ATS-minimum-tls-version","swift-named-persistent-pasteboards","swift-forbidden-ios-apis","swift-webview-config-allows-js","swift-webview-config-base-url","swift-webview-config-allows-file-access","swift-webview-config-fraudulent-site-warning","swift-webview-config-https-upgrade","swift-webview-config-allows-js-open-windows","swift-webview-config-allows-universal-file-access"]}},"author":"Semgrep","counts":{"total_rules":1687,"premium_rules":1540},"hidden":true,"username":"semgrep","description":"This ruleset is intended to produce low false positives and to be safe for use in CI/CD pipelines.","id":"6PB","name":"r2c-ci","visibility":"public","categories":[{"id":"MPe","slug":"quick-start","name":"Getting Started","description":"These rulesets cover a wide range of use cases. 
Start here to get up and running quickly."}]},{"tags":["semgrep","security","react","reactjs","typescript"],"stats":{"cwe":{"totals":{"CWE-319: Cleartext Transmission of Sensitive Information":1,"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')":4},"per_framework":{"CWE-319: Cleartext Transmission of Sensitive Information":{"typescript":{"":1}},"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')":{"typescript":{"":4}}},"rules_with_no_cwe":[]},"owasp":{"totals":{"A03:2021: Injection":4,"A05:2025: Injection":4,"A02:2021: Cryptographic Failures":1,"A04:2025: Cryptographic Failures":1,"A03:2017: Sensitive Data Exposure":1,"A07:2017: Cross-Site Scripting (XSS)":4},"per_framework":{"A03:2021: Injection":{"typescript":{"":4}},"A05:2025: Injection":{"typescript":{"":4}},"A02:2021: Cryptographic Failures":{"typescript":{"":1}},"A04:2025: Cryptographic Failures":{"typescript":{"":1}},"A03:2017: Sensitive Data Exposure":{"typescript":{"":1}},"A07:2017: Cross-Site Scripting (XSS)":{"typescript":{"":4}}},"rules_with_no_owasp":[]}},"author":"Semgrep","counts":{"total_rules":5,"premium_rules":1},"username":"semgrep","languages":["TypeScript"],"description":"React security rules.","id":"jJJ","name":"react","visibility":"public","categories":[{"id":"V5W","slug":"languages-and-frameworks","name":"Languages and Frameworks","description":"Check your code for security problems and best practices in these languages and frameworks."}]},{"tags":["semgrep","security","ruby","rails","ruby on rails","xss","erb"],"stats":{"cwe":{"totals":{"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')":14},"per_framework":{"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')":{"ruby":{"":7},"generic":{"":7}}},"rules_with_no_cwe":[]},"owasp":{"totals":{"A03:2021: Injection":14,"A05:2025: Injection":14,"A07:2017: Cross-Site Scripting 
(XSS)":14},"per_framework":{"A03:2021: Injection":{"ruby":{"":7},"generic":{"":7}},"A05:2025: Injection":{"ruby":{"":7},"generic":{"":7}},"A07:2017: Cross-Site Scripting (XSS)":{"ruby":{"":7},"generic":{"":7}}},"rules_with_no_owasp":[]}},"author":"Semgrep","counts":{"total_rules":14,"premium_rules":0},"hidden":true,"username":"semgrep","languages":["Ruby"],"description":"Secure defaults for XSS prevention for Ruby on Rails","id":"1Xv","name":"ruby-on-rails-xss","visibility":"public","categories":[]},{"tags":["security"],"stats":{"cwe":{"totals":{"CWE-328: Use of Weak Hash":1,"CWE-287: Improper Authentication":10,"CWE-798: Use of Hard-coded Credentials":12,"CWE-295: Improper Certificate Validation":3,"CWE-918: Server-Side Request Forgery (SSRF)":3,"CWE-242: Use of Inherently Dangerous Function":1,"CWE-807: Reliance on Untrusted Inputs in a Security Decision":4,"CWE-94: Improper Control of Generation of Code ('Code Injection')":1,"CWE-921: Storage of Sensitive Data in a Mechanism without Access Control":1,"CWE-943: Improper Neutralization of Special Elements in Data Query Logic":3,"CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')":3,"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')":12,"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')":6},"per_framework":{"CWE-328: Use of Weak Hash":{"rust":{"":1}},"CWE-287: Improper Authentication":{"rust":{"":10}},"CWE-798: Use of Hard-coded Credentials":{"rust":{"":12}},"CWE-295: Improper Certificate Validation":{"rust":{"":3}},"CWE-918: Server-Side Request Forgery (SSRF)":{"rust":{"":3}},"CWE-242: Use of Inherently Dangerous Function":{"rust":{"":1}},"CWE-807: Reliance on Untrusted Inputs in a Security Decision":{"rust":{"":4}},"CWE-94: Improper Control of Generation of Code ('Code Injection')":{"bash":{"":1}},"CWE-921: Storage of Sensitive Data in a Mechanism without Access 
Control":{"rust":{"":1}},"CWE-943: Improper Neutralization of Special Elements in Data Query Logic":{"rust":{"":3}},"CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')":{"rust":{"":3}},"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')":{"rust":{"":12}},"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')":{"rust":{"":6}}},"rules_with_no_cwe":[]},"owasp":{"totals":{"":10,"A01:2017: Injection":21,"A03:2021: Injection":19,"A05:2025: Injection":19,"A01:2021: Broken Access Control":3,"A01:2025: Broken Access Control":6,"A02:2017: Broken Authentication":10,"A05:2017: Broken Access Control":3,"A07:2025: Authentication Failures":22,"A10:2021: Server-Side Request Forgery (SSRF)":3,"A07:2021: Identification and Authentication Failures":22},"per_framework":{"":{"rust":{"":10}},"A01:2017: Injection":{"rust":{"":21}},"A03:2021: Injection":{"bash":{"":1},"rust":{"":18}},"A05:2025: Injection":{"bash":{"":1},"rust":{"":18}},"A01:2021: Broken Access Control":{"rust":{"":3}},"A01:2025: Broken Access Control":{"rust":{"":6}},"A02:2017: Broken Authentication":{"rust":{"":10}},"A05:2017: Broken Access Control":{"rust":{"":3}},"A07:2025: Authentication Failures":{"rust":{"":22}},"A10:2021: Server-Side Request Forgery (SSRF)":{"rust":{"":3}},"A07:2021: Identification and Authentication Failures":{"rust":{"":22}}},"rules_with_no_owasp":["args-os","args","current-exe","insecure-hashes","reqwest-accept-invalid","reqwest-set-sensitive","rustls-dangerous","ssl-verify-none","temp-dir","unsafe-usage"]}},"author":"Semgrep","counts":{"total_rules":60,"premium_rules":49},"username":"semgrep","languages":["Rust"],"description":"General purpose ruleset for Rust. 
Includes audit-oriented rules, which might lead to false positives.","id":"dg0X","name":"rust","visibility":"public","categories":[]},{"tags":["node","node.js","nodejs","nextjs"],"stats":{"cwe":{"totals":{"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')":6},"per_framework":{"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')":{"typescript":{"":6}}},"rules_with_no_cwe":[]},"owasp":{"totals":{"A03:2021: Injection":6,"A05:2025: Injection":6,"A07:2017: Cross-Site Scripting (XSS)":6},"per_framework":{"A03:2021: Injection":{"typescript":{"":6}},"A05:2025: Injection":{"typescript":{"":6}},"A07:2017: Cross-Site Scripting (XSS)":{"typescript":{"":6}}},"rules_with_no_owasp":[]}},"author":"Semgrep","counts":{"total_rules":6,"premium_rules":6},"username":"semgrep","languages":["JavaScript","TypeScript"],"description":"Default ruleset for Next.js, curated by Semgrep.","id":"NxnG","name":"nextjs","visibility":"public","categories":[]},{"tags":["flask"],"stats":{"cwe":{"totals":{"CWE-489: Active Debug Code":3,"CWE-798: Use of Hard-coded Credentials":2,"CWE-613: Insufficient Session Expiration":2,"CWE-352: Cross-Site Request Forgery (CSRF)":2,"CWE-502: Deserialization of Untrusted Data":12,"CWE-704: Incorrect Type Conversion or Cast":2,"CWE-918: Server-Side Request Forgery (SSRF)":51,"CWE-668: Exposure of Resource to Wrong Sphere":2,"CWE-73: External Control of File Name or Path":16,"CWE-117: Improper Output Neutralization for Logs":2,"CWE-673: External Influence of Sphere Definition":1,"CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag":3,"CWE-1333: Inefficient Regular Expression Complexity":1,"CWE-327: Use of a Broken or Risky Cryptographic Algorithm":1,"CWE-1275: Sensitive Cookie with Improper SameSite Attribute":3,"CWE-358: Improperly Implemented Security Check for Standard":36,"CWE-611: Improper Restriction of XML External Entity Reference":2,"CWE-942: Permissive Cross-domain Policy with 
Untrusted Domains":1,"CWE-94: Improper Control of Generation of Code ('Code Injection')":6,"CWE-1236: Improper Neutralization of Formula Elements in a CSV File":1,"CWE-454: External Initialization of Trusted Variables or Data Stores":2,"CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute":5,"CWE-644: Improper Neutralization of HTTP Headers for Scripting Syntax":6,"CWE-943: Improper Neutralization of Special Elements in Data Query Logic":1,"CWE-643: Improper Neutralization of Data within XPath Expressions ('XPath Injection')":1,"CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')":9,"CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')":1,"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')":3,"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')":29,"CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')":3,"CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')":1,"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')":2,"CWE-75: Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)":1,"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')":7},"per_framework":{"CWE-489: Active Debug Code":{"python":{"":3}},"CWE-798: Use of Hard-coded Credentials":{"python":{"":2}},"CWE-613: Insufficient Session Expiration":{"python":{"":2}},"CWE-352: Cross-Site Request Forgery (CSRF)":{"python":{"":2}},"CWE-502: Deserialization of Untrusted Data":{"python":{"":12}},"CWE-704: Incorrect Type Conversion or Cast":{"python":{"":2}},"CWE-918: Server-Side Request Forgery (SSRF)":{"python":{"":51}},"CWE-668: Exposure of Resource to Wrong Sphere":{"python":{"":2}},"CWE-73: External Control of File Name or 
Path":{"python":{"":16}},"CWE-117: Improper Output Neutralization for Logs":{"python":{"":2}},"CWE-673: External Influence of Sphere Definition":{"python":{"":1}},"CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag":{"python":{"":3}},"CWE-1333: Inefficient Regular Expression Complexity":{"python":{"":1}},"CWE-327: Use of a Broken or Risky Cryptographic Algorithm":{"python":{"":1}},"CWE-1275: Sensitive Cookie with Improper SameSite Attribute":{"python":{"":3}},"CWE-358: Improperly Implemented Security Check for Standard":{"python":{"":36}},"CWE-611: Improper Restriction of XML External Entity Reference":{"python":{"":2}},"CWE-942: Permissive Cross-domain Policy with Untrusted Domains":{"python":{"":1}},"CWE-94: Improper Control of Generation of Code ('Code Injection')":{"python":{"":6}},"CWE-1236: Improper Neutralization of Formula Elements in a CSV File":{"python":{"":1}},"CWE-454: External Initialization of Trusted Variables or Data Stores":{"python":{"":2}},"CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute":{"python":{"":5}},"CWE-644: Improper Neutralization of HTTP Headers for Scripting Syntax":{"python":{"":6}},"CWE-943: Improper Neutralization of Special Elements in Data Query Logic":{"python":{"":1}},"CWE-643: Improper Neutralization of Data within XPath Expressions ('XPath Injection')":{"python":{"":1}},"CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')":{"python":{"":9}},"CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')":{"python":{"":1}},"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')":{"python":{"":3}},"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')":{"python":{"":29}},"CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')":{"python":{"":3}},"CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity 
Expansion')":{"python":{"":1}},"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')":{"python":{"":2}},"CWE-75: Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)":{"python":{"":1}},"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')":{"python":{"":7}}},"rules_with_no_cwe":[]},"owasp":{"totals":{"":6,"A01:2017: Injection":43,"A03:2021: Injection":62,"A05:2025: Injection":62,"A04:2021: Insecure Design":16,"A06:2025: Insecure Design":16,"A01:2021: Broken Access Control":16,"A01:2025: Broken Access Control":67,"A02:2017: Broken Authentication":2,"A05:2017: Broken Access Control":9,"A07:2025: Authentication Failures":4,"A05:2021-Security misconfiguration":36,"A08:2017: Insecure Deserialization":12,"A02:2021 – Cryptographic Failures":1,"A02:2025: Security Misconfiguration":12,"A05:2021: Security Misconfiguration":12,"A06:2017: Security Misconfiguration":1,"A07:2017: Cross-Site Scripting (XSS)":3,"A04:2017: XML External Entities (XXE)":3,"A10:2021: Server-Side Request Forgery (SSRF)":51,"A08:2025: Software or Data Integrity Failures":12,"A08:2021: Software and Data Integrity Failures":12,"A09:2025: Security Logging & Alerting Failures":2,"A09:2021: Security Logging and Monitoring Failures":2,"A07:2021: Identification and Authentication Failures":4},"per_framework":{"":{"python":{"":6}},"A01:2017: Injection":{"python":{"":43}},"A03:2021: Injection":{"python":{"":62}},"A05:2025: Injection":{"python":{"":62}},"A04:2021: Insecure Design":{"python":{"":16}},"A06:2025: Insecure Design":{"python":{"":16}},"A01:2021: Broken Access Control":{"python":{"":16}},"A01:2025: Broken Access Control":{"python":{"":67}},"A02:2017: Broken Authentication":{"python":{"":2}},"A05:2017: Broken Access Control":{"python":{"":9}},"A07:2025: Authentication Failures":{"python":{"":4}},"A05:2021-Security misconfiguration":{"python":{"":36}},"A08:2017: Insecure 
Deserialization":{"python":{"":12}},"A02:2021 – Cryptographic Failures":{"python":{"":1}},"A02:2025: Security Misconfiguration":{"python":{"":12}},"A05:2021: Security Misconfiguration":{"python":{"":12}},"A06:2017: Security Misconfiguration":{"python":{"":1}},"A07:2017: Cross-Site Scripting (XSS)":{"python":{"":3}},"A04:2017: XML External Entities (XXE)":{"python":{"":3}},"A10:2021: Server-Side Request Forgery (SSRF)":{"python":{"":51}},"A08:2025: Software or Data Integrity Failures":{"python":{"":12}},"A08:2021: Software and Data Integrity Failures":{"python":{"":12}},"A09:2025: Security Logging & Alerting Failures":{"python":{"":2}},"A09:2021: Security Logging and Monitoring Failures":{"python":{"":2}},"A07:2021: Identification and Authentication Failures":{"python":{"":4}}},"rules_with_no_owasp":["debug-flask-passthrough-errors","active-debug-code-flask","tainted-dotenv-variable-flask","tainted-environ-variable-flask","tainted-regex-stdlib-flask","nan-injection"]}},"author":"Semgrep","counts":{"total_rules":220,"premium_rules":202},"username":"semgrep","languages":["python"],"description":"Default ruleset for Flask, curated by Semgrep.","id":"39p","name":"flask","visibility":"public","categories":[{"id":"V5W","slug":"languages-and-frameworks","name":"Languages and Frameworks","description":"Check your code for security problems and best practices in these languages and 
frameworks."}]},{"tags":["security","findsecbugs","xxe","deserialization","owasp","xss","injection"],"stats":{"cwe":{"totals":{"CWE-15":5,"CWE-20":12,"CWE-22":15,"CWE-74":3,"CWE-77":3,"CWE-78":3,"CWE-79":12,"CWE-88":3,"CWE-89":7,"CWE-90":3,"CWE-93":2,"CWE-94":8,"CWE-113":8,"CWE-134":3,"CWE-176":2,"CWE-180":2,"CWE-182":4,"CWE-200":1,"CWE-209":2,"CWE-259":7,"CWE-269":3,"CWE-287":3,"CWE-295":9,"CWE-297":3,"CWE-306":4,"CWE-319":2,"CWE-326":19,"CWE-327":15,"CWE-330":2,"CWE-352":2,"CWE-353":1,"CWE-501":2,"CWE-502":5,"CWE-539":1,"CWE-552":5,"CWE-601":3,"CWE-611":15,"CWE-614":6,"CWE-643":2,"CWE-696":1,"CWE-704":3,"CWE-732":5,"CWE-780":3,"CWE-917":6,"CWE-918":4,"CWE-942":5,"CWE-943":2,"CWE-1004":3,"CWE-287: Improper Authentication":1,"CWE-276: Incorrect Default Permissions":1,"CWE-326: Inadequate Encryption Strength":5,"CWE-295: Improper Certificate Validation":2,"CWE-183: Permissive List of Allowed Inputs":1,"CWE-352: Cross-Site Request Forgery (CSRF)":1,"CWE-502: Deserialization of Untrusted Data":1,"CWE-704: Incorrect Type Conversion or Cast":1,"CWE-321: Use of Hard-coded Cryptographic Key":4,"CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag":1,"CWE-329: Generation of Predictable IV with CBC Mode":1,"CWE-319: Cleartext Transmission of Sensitive Information":1,"CWE-327: Use of a Broken or Risky Cryptographic Algorithm":2,"CWE-601: URL Redirection to Untrusted Site ('Open Redirect')":2,"CWE-297: Improper Validation of Certificate with Host Mismatch":1,"CWE-611: Improper Restriction of XML External Entity Reference":3,"CWE-94: Improper Control of Generation of Code ('Code Injection')":4,"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor":1,"CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')":1,"CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute":1,"CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')":2,"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site 
Scripting')":2,"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')":4,"CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')":2,"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')":1,"CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')":1},"per_framework":{"CWE-15":{"java":{"":2},"scala":{"":2},"kotlin":{"":1}},"CWE-20":{"java":{"":6},"scala":{"":6}},"CWE-22":{"java":{"":6},"scala":{"":6},"kotlin":{"":3}},"CWE-74":{"java":{"":2},"kotlin":{"":1}},"CWE-77":{"java":{"":1},"scala":{"":1},"kotlin":{"":1}},"CWE-78":{"java":{"":1},"scala":{"":1},"kotlin":{"":1}},"CWE-79":{"java":{"":5},"scala":{"":5},"kotlin":{"":2}},"CWE-88":{"java":{"":1},"scala":{"":1},"kotlin":{"":1}},"CWE-89":{"java":{"":3},"scala":{"":3},"kotlin":{"":1}},"CWE-90":{"java":{"":1},"scala":{"":1},"kotlin":{"":1}},"CWE-93":{"java":{"":1},"scala":{"":1}},"CWE-94":{"java":{"":2},"scala":{"":4},"kotlin":{"":2}},"CWE-113":{"java":{"":3},"scala":{"":3},"kotlin":{"":2}},"CWE-134":{"java":{"":1},"scala":{"":1},"kotlin":{"":1}},"CWE-176":{"java":{"":1},"scala":{"":1}},"CWE-180":{"java":{"":1},"kotlin":{"":1}},"CWE-182":{"java":{"":1},"scala":{"":2},"kotlin":{"":1}},"CWE-200":{"scala":{"":1}},"CWE-209":{"java":{"":1},"scala":{"":1}},"CWE-259":{"java":{"":2},"scala":{"":3},"kotlin":{"":2}},"CWE-269":{"java":{"":1},"scala":{"":1},"kotlin":{"":1}},"CWE-287":{"java":{"":1},"scala":{"":1},"kotlin":{"":1}},"CWE-295":{"java":{"":5},"scala":{"":2},"kotlin":{"":2}},"CWE-297":{"java":{"":1},"scala":{"":1},"kotlin":{"":1}},"CWE-306":{"java":{"":2},"kotlin":{"":2}},"CWE-319":{"java":{"":1},"scala":{"":1}},"CWE-326":{"java":{"":5},"scala":{"":8},"kotlin":{"":6}},"CWE-327":{"java":{"":7},"scala":{"":2},"kotlin":{"":6}},"CWE-330":{"java":{"":1},"scala":{"":1}},"CWE-352":{"java":{"":1},"kotlin":{"":1}},"CWE-353":{"scala":{"":1}},"CWE-501":{"java":{"":1}
,"scala":{"":1}},"CWE-502":{"java":{"":2},"scala":{"":2},"kotlin":{"":1}},"CWE-539":{"scala":{"":1}},"CWE-552":{"java":{"":3},"scala":{"":1},"kotlin":{"":1}},"CWE-601":{"java":{"":1},"scala":{"":1},"kotlin":{"":1}},"CWE-611":{"java":{"":5},"scala":{"":7},"kotlin":{"":3}},"CWE-614":{"java":{"":3},"scala":{"":2},"kotlin":{"":1}},"CWE-643":{"java":{"":1},"kotlin":{"":1}},"CWE-696":{"scala":{"":1}},"CWE-704":{"java":{"":1},"scala":{"":1},"kotlin":{"":1}},"CWE-732":{"java":{"":2},"scala":{"":2},"kotlin":{"":1}},"CWE-780":{"java":{"":1},"scala":{"":1},"kotlin":{"":1}},"CWE-917":{"java":{"":3},"scala":{"":1},"kotlin":{"":2}},"CWE-918":{"java":{"":1},"scala":{"":2},"kotlin":{"":1}},"CWE-942":{"java":{"":3},"scala":{"":1},"kotlin":{"":1}},"CWE-943":{"java":{"":1},"scala":{"":1}},"CWE-1004":{"java":{"":1},"scala":{"":1},"kotlin":{"":1}},"CWE-287: Improper Authentication":{"java":{"":1}},"CWE-276: Incorrect Default Permissions":{"java":{"":1}},"CWE-326: Inadequate Encryption Strength":{"java":{"":5}},"CWE-295: Improper Certificate Validation":{"java":{"":2}},"CWE-183: Permissive List of Allowed Inputs":{"java":{"":1}},"CWE-352: Cross-Site Request Forgery (CSRF)":{"java":{"":1}},"CWE-502: Deserialization of Untrusted Data":{"java":{"":1}},"CWE-704: Incorrect Type Conversion or Cast":{"java":{"":1}},"CWE-321: Use of Hard-coded Cryptographic Key":{"java":{"":4}},"CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag":{"java":{"":1}},"CWE-329: Generation of Predictable IV with CBC Mode":{"java":{"":1}},"CWE-319: Cleartext Transmission of Sensitive Information":{"java":{"":1}},"CWE-327: Use of a Broken or Risky Cryptographic Algorithm":{"java":{"":2}},"CWE-601: URL Redirection to Untrusted Site ('Open Redirect')":{"java":{"":2}},"CWE-297: Improper Validation of Certificate with Host Mismatch":{"java":{"":1}},"CWE-611: Improper Restriction of XML External Entity Reference":{"java":{"":3}},"CWE-94: Improper Control of Generation of Code ('Code Injection')":{"java":{"":4}},"CWE-200: 
Exposure of Sensitive Information to an Unauthorized Actor":{"java":{"":1}},"CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')":{"java":{"":1}},"CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute":{"java":{"":1}},"CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')":{"java":{"":2}},"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')":{"java":{"":2}},"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')":{"java":{"":4}},"CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')":{"java":{"":2}},"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')":{"java":{"":1}},"CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')":{"java":{"":1}}},"rules_with_no_cwe":[]},"owasp":{"totals":{"":121,"A1:2017-Injection":52,"A03:2021-Injection":51,"A01:2017: Injection":6,"A03:2021: Injection":14,"A05:2025: Injection":14,"A04:2021-Insecure Design":4,"A04:2021: Insecure Design":1,"A06:2025: Insecure Design":1,"A2:2017-Broken Authentication":9,"A5:2017-Broken Access Control":19,"A01:2021-Broken Access Control":19,"A01:2021: Broken Access Control":7,"A01:2025: Broken Access Control":7,"A02:2017: Broken Authentication":1,"A02:2021-Cryptographic Failures":28,"A05:2017: Broken Access Control":2,"A3:2017-Sensitive Data Exposure":28,"A02:2021: Cryptographic Failures":9,"A04:2025: Cryptographic Failures":9,"A8:2017-Insecure Deserialization":2,"A03:2017: Sensitive Data Exposure":11,"A07:2025: Authentication Failures":4,"A6:2017-Security Misconfiguration":11,"A05:2021-Security Misconfiguration":7,"A08:2017: Insecure Deserialization":1,"A7:2017-Cross-Site Scripting (XSS)":2,"A02:2025: Security Misconfiguration":5,"A05:2021: Security Misconfiguration":5,"A07:2017: Cross-Site Scripting (XSS)":2,"A10:2021-Server-Side 
Request Forgery":2,"A04:2017: XML External Entities (XXE)":3,"A08:2021-Software and Data Integrity Failures":2,"A08:2025: Software or Data Integrity Failures":1,"A08:2021: Software and Data Integrity Failures":1,"A07:2021-Identification and Authentication Failures":9,"A07:2021: Identification and Authentication Failures":4},"per_framework":{"":{"java":{"":44},"scala":{"":74},"kotlin":{"":3}},"A1:2017-Injection":{"java":{"":22},"scala":{"":3},"kotlin":{"":27}},"A03:2021-Injection":{"java":{"":21},"scala":{"":4},"kotlin":{"":26}},"A01:2017: Injection":{"java":{"":6}},"A03:2021: Injection":{"java":{"":14}},"A05:2025: Injection":{"java":{"":14}},"A04:2021-Insecure Design":{"java":{"":2},"kotlin":{"":2}},"A04:2021: Insecure Design":{"java":{"":1}},"A06:2025: Insecure Design":{"java":{"":1}},"A2:2017-Broken Authentication":{"java":{"":4},"scala":{"":1},"kotlin":{"":4}},"A5:2017-Broken Access Control":{"java":{"":8},"scala":{"":6},"kotlin":{"":5}},"A01:2021-Broken Access Control":{"java":{"":8},"scala":{"":6},"kotlin":{"":5}},"A01:2021: Broken Access Control":{"java":{"":7}},"A01:2025: Broken Access Control":{"java":{"":7}},"A02:2017: Broken Authentication":{"java":{"":1}},"A02:2021-Cryptographic Failures":{"java":{"":14},"scala":{"":2},"kotlin":{"":12}},"A05:2017: Broken Access Control":{"java":{"":2}},"A3:2017-Sensitive Data Exposure":{"java":{"":14},"scala":{"":2},"kotlin":{"":12}},"A02:2021: Cryptographic Failures":{"java":{"":9}},"A04:2025: Cryptographic Failures":{"java":{"":9}},"A8:2017-Insecure Deserialization":{"java":{"":1},"kotlin":{"":1}},"A03:2017: Sensitive Data Exposure":{"java":{"":11}},"A07:2025: Authentication Failures":{"java":{"":4}},"A6:2017-Security Misconfiguration":{"java":{"":6},"kotlin":{"":5}},"A05:2021-Security Misconfiguration":{"java":{"":4},"kotlin":{"":3}},"A08:2017: Insecure Deserialization":{"java":{"":1}},"A7:2017-Cross-Site Scripting (XSS)":{"java":{"":1},"scala":{"":1}},"A02:2025: Security Misconfiguration":{"java":{"":5}},"A05:2021: 
Security Misconfiguration":{"java":{"":5}},"A07:2017: Cross-Site Scripting (XSS)":{"java":{"":2}},"A10:2021-Server-Side Request Forgery":{"java":{"":1},"kotlin":{"":1}},"A04:2017: XML External Entities (XXE)":{"java":{"":3}},"A08:2021-Software and Data Integrity Failures":{"java":{"":1},"kotlin":{"":1}},"A08:2025: Software or Data Integrity Failures":{"java":{"":1}},"A08:2021: Software and Data Integrity Failures":{"java":{"":1}},"A07:2021-Identification and Authentication Failures":{"java":{"":4},"scala":{"":1},"kotlin":{"":4}},"A07:2021: Identification and Authentication Failures":{"java":{"":4}}},"rules_with_no_owasp":["find_sec_bugs.UNENCRYPTED_SOCKET-1.UNENCRYPTED_SERVER_SOCKET-1","find_sec_bugs.PT_RELATIVE_PATH_TRAVERSAL-1","find_sec_bugs.SQL_INJECTION_SPRING_JDBC-1.SQL_INJECTION_JPA-1.SQL_INJECTION_JDO-1.SQL_INJECTION_JDBC-1.SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE-1.SQL_INJECTION-1.SQL_INJECTION_HIBERNATE-1.SQL_INJECTION_VERTX-1.SQL_PREPARED_STATEMENT_GENERATED_FROM_NONCONSTANT_STRING-1","find_sec_bugs.XPATH_INJECTION-1","find_sec_bugs.XXE_XPATH-1.XXE_DOCUMENT-1","find_sec_bugs.HTTPONLY_COOKIE-1","find_sec_bugs.COOKIE_PERSISTENT-1","find_sec_bugs.COOKIE_USAGE-1","find_sec_bugs.HRS_REQUEST_PARAMETER_TO_COOKIE-1","find_sec_bugs.TRUST_BOUNDARY_VIOLATION-1","find_sec_bugs.PERMISSIVE_CORS-1","find_sec_bugs.SPRING_CSRF_PROTECTION_DISABLED-1","find_sec_bugs.SERVLET_PARAMETER-1.SERVLET_CONTENT_TYPE-1.SERVLET_SERVER_NAME-1.SERVLET_SESSION_ID-1.SERVLET_QUERY_STRING-1.SERVLET_HEADER-1.SERVLET_HEADER_REFERER-1.SERVLET_HEADER_USER_AGENT-1","find_sec_bugs.JAXRS_ENDPOINT-1","find_sec_bugs.WEAK_HOSTNAME_VERIFIER-1.WEAK_TRUST_MANAGER-1","find_sec_bugs.STRUTS_FORM_VALIDATION-1","find_sec_bugs.AWS_QUERY_INJECTION-1","find_sec_bugs.BEAN_PROPERTY_INJECTION-1","find_sec_bugs.CRLF_INJECTION_LOGS-1","find_sec_bugs.CUSTOM_INJECTION-1","find_sec_bugs.CUSTOM_INJECTION-2","find_sec_bugs.REQUESTDISPATCHER_FILE_DISCLOSURE-1.STRUTS_FILE_DISCLOSURE-1.SPRING_FILE_DISCLOSURE-1","find_sec_bug
s.PATH_TRAVERSAL_IN-1","find_sec_bugs.LDAP_ENTRY_POISONING-1","find_sec_bugs.OVERLY_PERMISSIVE_FILE_PERMISSION-2","find_sec_bugs.PREDICTABLE_RANDOM-1","find_sec_bugs.XSS_REQUEST_WRAPPER-1","find_sec_bugs.XSS_REQUEST_PARAMETER_TO_SEND_ERROR-1","find_sec_bugs.XSS_SERVLET-1","find_sec_bugs.XSS_SERVLET-2.XSS_SERVLET_PARAMETER-1","find_sec_bugs.XXE_SAXPARSER-1","find_sec_bugs.XXE_DTD_TRANSFORM_FACTORY-1.XXE_XSLT_TRANSFORM_FACTORY-1","find_sec_bugs.XXE_XMLSTREAMREADER-1","find_sec_bugs_scala.PREDICTABLE_RANDOM-1.PREDICTABLE_RANDOM_SCALA-1","find_sec_bugs.SQL_INJECTION_SPRING_JDBC-1.SQL_INJECTION_JPA-1.SQL_INJECTION_JDO-1.SQL_INJECTION_JDBC-1.SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE-1","find_sec_bugs.PATH_TRAVERSAL_OUT-1.PATH_TRAVERSAL_OUT-1","find_sec_bugs.IMPROPER_UNICODE-1","find_sec_bugs.HARD_CODE_KEY-1","find_sec_bugs.HARD_CODE_KEY-4","find_sec_bugs.HARD_CODE_KEY-2","find_sec_bugs.HARD_CODE_KEY-3","find_sec_bugs.INFORMATION_EXPOSURE_THROUGH_AN_ERROR_MESSAGE-1","find_sec_bugs.RPC_ENABLED_EXTENSIONS-1","find_sec_bugs_scala.SCALA_PLAY_SSRF-1","find_sec_bugs_kotlin.ECB_MODE-1","find_sec_bugs_kotlin.WEAK_HOSTNAME_VERIFIER-1.WEAK_TRUST_MANAGER-1","find_sec_bugs_scala.AWS_QUERY_INJECTION-1","find_sec_bugs_scala.BAD_HEXA_CONVERSION-1","find_sec_bugs_scala.BEAN_PROPERTY_INJECTION-1","find_sec_bugs_scala.BLOWFISH_KEY_SIZE-1","find_sec_bugs_scala.CIPHER_INTEGRITY-1","find_sec_bugs_scala.COMMAND_INJECTION-1.SCALA_COMMAND_INJECTION-1","find_sec_bugs_scala.COOKIE_PERSISTENT-1","find_sec_bugs_scala.COOKIE_USAGE-1","find_sec_bugs_scala.CRLF_INJECTION_LOGS-1","find_sec_bugs_scala.CUSTOM_INJECTION-1","find_sec_bugs_scala.CUSTOM_INJECTION-2","find_sec_bugs_scala.CUSTOM_MESSAGE_DIGEST-1","find_sec_bugs_scala.DANGEROUS_PERMISSION_COMBINATION-1","find_sec_bugs_scala.DEFAULT_HTTP_CLIENT-1","find_sec_bugs_scala.DES_USAGE-1","find_sec_bugs_scala.DMI_CONSTANT_DB_PASSWORD-1.HARD_CODE_PASSWORD-3","find_sec_bugs_scala.DMI_EMPTY_DB_PASSWORD-1.HARD_CODE_PASSWORD-2","find_sec_bugs_scala.ECB_MODE-1",
"find_sec_bugs_scala.EL_INJECTION-1","find_sec_bugs_scala.EXTERNAL_CONFIG_CONTROL-1","find_sec_bugs_scala.FORMAT_STRING_MANIPULATION-1","find_sec_bugs_scala.HARD_CODE_PASSWORD-1","find_sec_bugs_scala.HAZELCAST_SYMMETRIC_ENCRYPTION-1","find_sec_bugs_scala.HRS_REQUEST_PARAMETER_TO_COOKIE-1","find_sec_bugs_scala.HRS_REQUEST_PARAMETER_TO_HTTP_HEADER-1","find_sec_bugs_scala.HTTPONLY_COOKIE-1","find_sec_bugs_scala.HTTP_PARAMETER_POLLUTION-1","find_sec_bugs_scala.HTTP_RESPONSE_SPLITTING-1","find_sec_bugs_scala.IMPROPER_UNICODE-1","find_sec_bugs_scala.INFORMATION_EXPOSURE_THROUGH_AN_ERROR_MESSAGE-1","find_sec_bugs_scala.INSECURE_COOKIE-1","find_sec_bugs_scala.JAXRS_ENDPOINT-1","find_sec_bugs_scala.LDAP_ANONYMOUS-1","find_sec_bugs_scala.LDAP_ENTRY_POISONING-1","find_sec_bugs_scala.LDAP_INJECTION-1","find_sec_bugs_scala.MALICIOUS_XSLT-1","find_sec_bugs_scala.MODIFICATION_AFTER_VALIDATION-1","find_sec_bugs_scala.NORMALIZATION_AFTER_VALIDATION-1","find_sec_bugs_scala.NULL_CIPHER-1","find_sec_bugs_scala.OGNL_INJECTION-1","find_sec_bugs_scala.OVERLY_PERMISSIVE_FILE_PERMISSION-1","find_sec_bugs_scala.OVERLY_PERMISSIVE_FILE_PERMISSION-2","find_sec_bugs_scala.PADDING_ORACLE-1","find_sec_bugs_scala.PERMISSIVE_CORS-1","find_sec_bugs_scala.PERMISSIVE_CORS-2","find_sec_bugs_scala.REQUESTDISPATCHER_FILE_DISCLOSURE-1.STRUTS_FILE_DISCLOSURE-1.SPRING_FILE_DISCLOSURE-1","find_sec_bugs_scala.RPC_ENABLED_EXTENSIONS-1","find_sec_bugs_scala.RSA_KEY_SIZE-1","find_sec_bugs_scala.SAML_IGNORE_COMMENTS-1","find_sec_bugs_scala.SCALA_SENSITIVE_DATA_EXPOSURE-1","find_sec_bugs_scala.SCALA_XSS_MVC_API-1","find_sec_bugs_scala.SERVLET_PARAMETER-1.SERVLET_CONTENT_TYPE-1.SERVLET_SERVER_NAME-1.SERVLET_SESSION_ID-1.SERVLET_QUERY_STRING-1.SERVLET_HEADER-1.SERVLET_HEADER_REFERER-1.SERVLET_HEADER_USER_AGENT-1","find_sec_bugs_scala.SMTP_HEADER_INJECTION-1","find_sec_bugs_scala.SSL_CONTEXT-1","find_sec_bugs_scala.STRUTS_FORM_VALIDATION-1","find_sec_bugs_scala.TDES_USAGE-1","find_sec_bugs_scala.TEMPLATE_INJECTION_PEB
BLE-1.TEMPLATE_INJECTION_FREEMARKER-1.TEMPLATE_INJECTION_VELOCITY-1","find_sec_bugs_scala.TRUST_BOUNDARY_VIOLATION-1","find_sec_bugs_scala.UNVALIDATED_REDIRECT-1.URL_REWRITING-1","find_sec_bugs_scala.URLCONNECTION_SSRF_FD-1","find_sec_bugs_scala.WEAK_HOSTNAME_VERIFIER-1.WEAK_TRUST_MANAGER-1","find_sec_bugs_scala.WEAK_MESSAGE_DIGEST_MD5-1.WEAK_MESSAGE_DIGEST_SHA1-1","find_sec_bugs_scala.WICKET_XSS1-1","find_sec_bugs_scala.XML_DECODER-1","find_sec_bugs_scala.XPATH_INJECTION-1","find_sec_bugs_scala.XSS_REQUEST_PARAMETER_TO_SERVLET_WRITER-1","find_sec_bugs_scala.XSS_REQUEST_WRAPPER-1","find_sec_bugs_scala.XSS_SERVLET-1","find_sec_bugs_scala.XXE_DOCUMENT-1","find_sec_bugs_scala.XXE_DTD_TRANSFORM_FACTORY-1.XXE_XSLT_TRANSFORM_FACTORY-1","find_sec_bugs_scala.XXE_SAXPARSER-1","find_sec_bugs_scala.XXE_XMLREADER-1","find_sec_bugs_scala.XXE_XMLSTREAMREADER-1","find_sec_bugs_scala.XXE_XPATH-1","find_sec_bugs_kotlin.OGNL_INJECTION-1"]}},"author":"Semgrep, Gitlab","counts":{"total_rules":286,"premium_rules":1},"hidden":false,"username":"semgrep","languages":["Java"],"description":"Use Semgrep as a universal linter to identify vulnerabilities and code smells in your code base with the FindSecBugs (https://find-sec-bugs.github.io/) rule pack.","id":"QyQ","name":"findsecbugs","visibility":"public","categories":[{"id":"aR8","slug":"ported-security-tools","name":"Ported Security Tools","description":"Select rules ported from open-source security tools. 
Start here if you're familiar with these tools."}]},{"tags":["security","correctness"],"stats":{"cwe":{"totals":{"cwe-73":1,"cwe-78":3,"cwe-200":3,"cwe-276":2,"cwe-295":4,"cwe-321":1,"cwe-326":1,"cwe-327":6,"cwe-329":1,"cwe-330":1,"cwe-353":1,"cwe-489":1,"cwe-502":2,"cwe-532":1,"cwe-611":3,"cwe-649":1,"cwe-749":2,"cwe-757":1,"cwe-780":1,"cwe-798":4,"cwe-919":2,"cwe-1204":1},"per_framework":{"cwe-73":{"java":{"":1}},"cwe-78":{"java":{"":3}},"cwe-200":{"java":{"":3}},"cwe-276":{"java":{"":2}},"cwe-295":{"java":{"":4}},"cwe-321":{"java":{"":1}},"cwe-326":{"java":{"":1}},"cwe-327":{"java":{"":6}},"cwe-329":{"java":{"":1}},"cwe-330":{"java":{"":1}},"cwe-353":{"java":{"":1}},"cwe-489":{"java":{"":1}},"cwe-502":{"java":{"":2}},"cwe-532":{"java":{"":1}},"cwe-611":{"java":{"":3}},"cwe-649":{"java":{"":1}},"cwe-749":{"java":{"":2}},"cwe-757":{"java":{"":1}},"cwe-780":{"java":{"":1}},"cwe-798":{"java":{"":4}},"cwe-919":{"java":{"":2}},"cwe-1204":{"java":{"":1}}},"rules_with_no_cwe":[]},"owasp":{"totals":{"":43},"per_framework":{"":{"java":{"":43}}},"rules_with_no_owasp":["rsa_no_oeap","android_hidden_ui","android_logging","hardcoded_password","hardcoded_username","hardcoded_api_key","hardcoded_secret","world_writeable","android_safetynet_api","android_prevent_screenshot","android_root_detection","android_detect_tapjacking","android_certificate_transparency","android_certificate_pinning","aes_ecb_mode","aes_ecb_mode_default","aes_hardcoded_key","cbc_padding_oracle","cbc_static_iv","java_insecure_random","insecure_sslv3","sha1_hash","weak_cipher","weak_hash","weak_iv","object_deserialization","sqlite_injection","accept_self_signed_certificate","default_http_client_tls","webview_allow_file_from_url","webview_debugging","webview_external_storage","webview_set_allow_file_access","ignore_ssl_certificate_errors","xmlinputfactory_xxe_enabled","xmlinputfactory_xxe","world_readable","weak_key_size","jackson_deserialization","command_injection","command_injection_warning","webview_javasc
ript_interface","xml_decoder_xxe"]}},"author":"Mobile Security Framework","counts":{"total_rules":43,"premium_rules":0},"username":"MobSF","languages":["Java"],"description":"Written by the MobSF team. See https://github.com/MobSF/mobsfscan for more.","id":"Kod","name":"mobsfscan","visibility":"public","categories":[]},{"tags":["security","SCS","Security Code Scan","security_code_scan","securitycodescan"],"stats":{"cwe":{"totals":{"CWE-22":1,"CWE-78":1,"CWE-79":1,"CWE-89":1,"CWE-90":1,"CWE-295":1,"CWE-327":3,"CWE-338":1,"CWE-352":1,"CWE-502":1,"CWE-521":1,"CWE-554":1,"CWE-601":1,"CWE-611":2,"CWE-614":1,"CWE-643":1,"CWE-1004":1},"per_framework":{"CWE-22":{"csharp":{"":1}},"CWE-78":{"csharp":{"":1}},"CWE-79":{"csharp":{"":1}},"CWE-89":{"csharp":{"":1}},"CWE-90":{"csharp":{"":1}},"CWE-295":{"csharp":{"":1}},"CWE-327":{"csharp":{"":3}},"CWE-338":{"csharp":{"":1}},"CWE-352":{"csharp":{"":1}},"CWE-502":{"csharp":{"":1}},"CWE-521":{"csharp":{"":1}},"CWE-554":{"csharp":{"":1}},"CWE-601":{"csharp":{"":1}},"CWE-611":{"csharp":{"":2}},"CWE-614":{"csharp":{"":1}},"CWE-643":{"csharp":{"":1}},"CWE-1004":{"csharp":{"":1}}},"rules_with_no_cwe":[]},"owasp":{"totals":{"":20},"per_framework":{"":{"csharp":{"":20}}},"rules_with_no_owasp":["security_code_scan.SCS0011-1","security_code_scan.SCS0032-1.SCS0033-1.SCS0034-1","security_code_scan.SCS0018-1","security_code_scan.SCS0017-1","security_code_scan.SCS0029-1","security_code_scan.SCS0027-1","security_code_scan.SCS0009-1","security_code_scan.SCS0008-1","security_code_scan.SCS0004-1","security_code_scan.SCS0010-1","security_code_scan.SCS0013-1","security_code_scan.SCS0006-1","security_code_scan.SCS0005-1","security_code_scan.SCS0016-1","security_code_scan.SCS0001-1","security_code_scan.SCS0026-1.SCS0031-1","security_code_scan.SCS0002-1","security_code_scan.SCS0003-1","security_code_scan.SCS0007-1","security_code_scan.SCS0028-1"]}},"author":"Gitlab","counts":{"total_rules":20,"premium_rules":0},"hidden":false,"languages":["C#"],"descripti
on":"Use Semgrep as a universal linter to identify vulnerabilities and code smells in your code base with the Security Code Scan (https://security-code-scan.github.io/) rule pack.","id":"b7Be","name":"security-code-scan","visibility":"public","categories":[{"id":"aR8","slug":"ported-security-tools","name":"Ported Security Tools","description":"Select rules ported from open-source security tools. Start here if you're familiar with these tools."}]},{"tags":["semgrep","security","command injection","command","injection","eval","rce"],"stats":{"cwe":{"totals":{"CWE-94: Improper Control of Generation of Code ('Code Injection')":4,"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')":1},"per_framework":{"CWE-94: Improper Control of Generation of Code ('Code Injection')":{"go":{"":4}},"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')":{"go":{"":1}}},"rules_with_no_cwe":[]},"owasp":{"totals":{"A01:2017: Injection":1,"A03:2021: Injection":5,"A05:2025: Injection":5},"per_framework":{"A01:2017: Injection":{"go":{"":1}},"A03:2021: Injection":{"go":{"":5}},"A05:2025: Injection":{"go":{"":5}}},"rules_with_no_owasp":[]}},"author":"Vasilii Ermilov","counts":{"total_rules":5,"premium_rules":0},"hidden":true,"username":"inkz","languages":["Go"],"description":"Secure defaults for Command injection prevention","id":"qQR","name":"go-command-injection","visibility":"public","categories":[]},{"tags":["security"],"stats":{"cwe":{"totals":{"CWE-328: Use of Weak Hash":3,"CWE-489: Active Debug Code":1,"CWE-287: Improper Authentication":8,"CWE-346: Origin Validation Error":1,"CWE-115: Misinterpretation of Input":1,"CWE-798: Use of Hard-coded Credentials":11,"CWE-326: Inadequate Encryption Strength":1,"CWE-352: Cross-Site Request Forgery (CSRF)":4,"CWE-502: Deserialization of Untrusted Data":1,"CWE-300: Channel Accessible by Non-Endpoint":3,"CWE-918: Server-Side Request Forgery (SSRF)":6,"CWE-289: 
Authentication Bypass by Alternate Name":1,"CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag":2,"CWE-322: Key Exchange without Entity Authentication":1,"CWE-345: Insufficient Verification of Data Authenticity":1,"CWE-319: Cleartext Transmission of Sensitive Information":1,"CWE-327: Use of a Broken or Risky Cryptographic Algorithm":8,"CWE-548: Exposure of Information Through Directory Listing":1,"CWE-1275: Sensitive Cookie with Improper SameSite Attribute":1,"CWE-601: URL Redirection to Untrusted Site ('Open Redirect')":1,"CWE-611: Improper Restriction of XML External Entity Reference":2,"CWE-913: Improper Control of Dynamically-Managed Code Resources":1,"CWE-94: Improper Control of Generation of Code ('Code Injection')":1,"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor":2,"CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute":2,"CWE-943: Improper Neutralization of Special Elements in Data Query Logic":4,"CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)":1,"CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')":6,"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')":8,"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')":21,"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')":8},"per_framework":{"CWE-328: Use of Weak Hash":{"go":{"":3}},"CWE-489: Active Debug Code":{"go":{"":1}},"CWE-287: Improper Authentication":{"go":{"":8}},"CWE-346: Origin Validation Error":{"go":{"":1}},"CWE-115: Misinterpretation of Input":{"go":{"":1}},"CWE-798: Use of Hard-coded Credentials":{"go":{"":11}},"CWE-326: Inadequate Encryption Strength":{"go":{"":1}},"CWE-352: Cross-Site Request Forgery (CSRF)":{"go":{"":4}},"CWE-502: Deserialization of Untrusted Data":{"go":{"":1}},"CWE-300: Channel Accessible by Non-Endpoint":{"go":{"":3}},"CWE-918: Server-Side Request 
Forgery (SSRF)":{"go":{"":6}},"CWE-289: Authentication Bypass by Alternate Name":{"go":{"":1}},"CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag":{"go":{"":2}},"CWE-322: Key Exchange without Entity Authentication":{"go":{"":1}},"CWE-345: Insufficient Verification of Data Authenticity":{"go":{"":1}},"CWE-319: Cleartext Transmission of Sensitive Information":{"go":{"":1}},"CWE-327: Use of a Broken or Risky Cryptographic Algorithm":{"go":{"":8}},"CWE-548: Exposure of Information Through Directory Listing":{"go":{"":1}},"CWE-1275: Sensitive Cookie with Improper SameSite Attribute":{"go":{"":1}},"CWE-601: URL Redirection to Untrusted Site ('Open Redirect')":{"go":{"":1}},"CWE-611: Improper Restriction of XML External Entity Reference":{"go":{"":2}},"CWE-913: Improper Control of Dynamically-Managed Code Resources":{"go":{"":1}},"CWE-94: Improper Control of Generation of Code ('Code Injection')":{"go":{"":1}},"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor":{"go":{"":2}},"CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute":{"go":{"":2}},"CWE-943: Improper Neutralization of Special Elements in Data Query Logic":{"go":{"":4}},"CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)":{"go":{"":1}},"CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')":{"go":{"":6}},"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')":{"go":{"":8}},"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')":{"go":{"":21}},"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')":{"go":{"":8}}},"rules_with_no_cwe":[]},"owasp":{"totals":{"":3,"A01:2017: Injection":33,"A03:2021: Injection":38,"A05:2025: Injection":38,"A01:2021: Broken Access Control":14,"A01:2025: Broken Access Control":18,"A02:2017: Broken Authentication":8,"A05:2017: Broken Access Control":9,"A02:2021: 
Cryptographic Failures":15,"A04:2025: Cryptographic Failures":15,"A03:2017: Sensitive Data Exposure":13,"A07:2025: Authentication Failures":22,"A08:2017: Insecure Deserialization":1,"A02:2025: Security Misconfiguration":7,"A05:2021: Security Misconfiguration":7,"A06:2017: Security Misconfiguration":1,"A07:2017: Cross-Site Scripting (XSS)":8,"A04:2017: XML External Entities (XXE)":2,"A05:2021 – Security Misconfiguration":1,"A10:2017: Insufficient Logging & Monitoring":1,"A10:2021: Server-Side Request Forgery (SSRF)":6,"A08:2025: Software or Data Integrity Failures":1,"A08:2021: Software and Data Integrity Failures":2,"A09:2025: Security Logging & Alerting Failures":1,"A09:2021: Security Logging and Monitoring Failures":1,"A07:2021: Identification and Authentication Failures":22},"per_framework":{"":{"go":{"":3}},"A01:2017: Injection":{"go":{"":33}},"A03:2021: Injection":{"go":{"":38}},"A05:2025: Injection":{"go":{"":38}},"A01:2021: Broken Access Control":{"go":{"":14}},"A01:2025: Broken Access Control":{"go":{"":18}},"A02:2017: Broken Authentication":{"go":{"":8}},"A05:2017: Broken Access Control":{"go":{"":9}},"A02:2021: Cryptographic Failures":{"go":{"":15}},"A04:2025: Cryptographic Failures":{"go":{"":15}},"A03:2017: Sensitive Data Exposure":{"go":{"":13}},"A07:2025: Authentication Failures":{"go":{"":22}},"A08:2017: Insecure Deserialization":{"go":{"":1}},"A02:2025: Security Misconfiguration":{"go":{"":7}},"A05:2021: Security Misconfiguration":{"go":{"":7}},"A06:2017: Security Misconfiguration":{"go":{"":1}},"A07:2017: Cross-Site Scripting (XSS)":{"go":{"":8}},"A04:2017: XML External Entities (XXE)":{"go":{"":2}},"A05:2021 – Security Misconfiguration":{"go":{"":1}},"A10:2017: Insufficient Logging & Monitoring":{"go":{"":1}},"A10:2021: Server-Side Request Forgery (SSRF)":{"go":{"":6}},"A08:2025: Software or Data Integrity Failures":{"go":{"":1}},"A08:2021: Software and Data Integrity Failures":{"go":{"":2}},"A09:2025: Security Logging & Alerting 
Failures":{"go":{"":1}},"A09:2021: Security Logging and Monitoring Failures":{"go":{"":1}},"A07:2021: Identification and Authentication Failures":{"go":{"":22}}},"rules_with_no_owasp":["handler-assignment-from-multiple-sources","open-redirect","reverseproxy-director"]}},"author":"Semgrep","counts":{"total_rules":113,"premium_rules":71},"username":"semgrep","languages":["GoLang","Go"],"description":"Default ruleset for Go, curated by Semgrep.","id":"49z","name":"golang","visibility":"public","categories":[]},{"tags":["semgrep","security","frontend","javascript"],"stats":{"cwe":{"totals":{"CWE-345: Insufficient Verification of Data Authenticity":2,"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')":3,"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')":1},"per_framework":{"CWE-345: Insufficient Verification of Data Authenticity":{"javascript":{"":2}},"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')":{"regex":{"":1},"javascript":{"":2}},"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')":{"javascript":{"":1}}},"rules_with_no_cwe":[]},"owasp":{"totals":{"A03:2021: Injection":4,"A05:2025: Injection":4,"A07:2017: Cross-Site Scripting (XSS)":3,"A08:2025: Software or Data Integrity Failures":2,"A08:2021: Software and Data Integrity Failures":2},"per_framework":{"A03:2021: Injection":{"regex":{"":1},"javascript":{"":3}},"A05:2025: Injection":{"regex":{"":1},"javascript":{"":3}},"A07:2017: Cross-Site Scripting (XSS)":{"regex":{"":1},"javascript":{"":2}},"A08:2025: Software or Data Integrity Failures":{"javascript":{"":2}},"A08:2021: Software and Data Integrity Failures":{"javascript":{"":2}}},"rules_with_no_owasp":[]}},"author":"Vasilii Ermilov","counts":{"total_rules":6,"premium_rules":0},"hidden":true,"username":"inkz","languages":["JavaScript","TypeScript"],"description":"Most common clientside 
JavaScript XSS vulnerabilities","id":"nb2","name":"clientside-js","visibility":"public","categories":[]},{"tags":["CI","cookies","correctness","crypto","csrf","injection","security","spring","xss","xxe","logic","logic bugs","runtime errors","slower","ruby"],"stats":{"cwe":{"totals":{"":21,"CWE-369: Divide By Zero":1,"CWE-328: Use of Weak Hash":2,"CWE-489: Active Debug Code":1,"CWE-521: Weak Password Requirements":1,"CWE-798: Use of Hard-coded Credentials":5,"CWE-326: Inadequate Encryption Strength":5,"CWE-295: Improper Certificate Validation":5,"CWE-183: Permissive List of Allowed Inputs":1,"CWE-352: Cross-Site Request Forgery (CSRF)":2,"CWE-400: Uncontrolled Resource Consumption":1,"CWE-502: Deserialization of Untrusted Data":5,"CWE-300: Channel Accessible by Non-Endpoint":2,"CWE-918: Server-Side Request Forgery (SSRF)":1,"CWE-311: Missing Encryption of Sensitive Data":1,"CWE-522: Insufficiently Protected Credentials":2,"CWE-523: Unprotected Transport of Credentials":1,"CWE-322: Key Exchange without Entity Authentication":1,"CWE-329: Generation of Predictable IV with CBC Mode":1,"CWE-327: Use of a Broken or Risky Cryptographic Algorithm":15,"CWE-532: Insertion of Sensitive Information into Log File":1,"CWE-1021: Improper Restriction of Rendered UI Layers or Frames":1,"CWE-297: Improper Validation of Certificate with Host Mismatch":1,"CWE-611: Improper Restriction of XML External Entity Reference":2,"CWE-913: Improper Control of Dynamically-Managed Code Resources":1,"CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')":6,"CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes":2,"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')":6,"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')":1,"CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')":1,"CWE-95: Improper Neutralization 
of Directives in Dynamically Evaluated Code ('Eval Injection')":5,"CWE-96: Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')":2,"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')":2,"CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')":2},"per_framework":{"":{"go":{"":3},"java":{"":2},"python":{"":12},"generic":{"":2},"dockerfile":{"":1},"javascript":{"":1}},"CWE-369: Divide By Zero":{"ruby":{"":1}},"CWE-328: Use of Weak Hash":{"go":{"":2}},"CWE-489: Active Debug Code":{"go":{"":1}},"CWE-521: Weak Password Requirements":{"python":{"":1}},"CWE-798: Use of Hard-coded Credentials":{"go":{"":1},"ruby":{"":1},"python":{"":1},"javascript":{"":2}},"CWE-326: Inadequate Encryption Strength":{"java":{"":3},"python":{"":2}},"CWE-295: Improper Certificate Validation":{"java":{"":2},"ruby":{"":1},"python":{"":2}},"CWE-183: Permissive List of Allowed Inputs":{"java":{"":1}},"CWE-352: Cross-Site Request Forgery (CSRF)":{"java":{"":1},"ruby":{"":1}},"CWE-400: Uncontrolled Resource Consumption":{"go":{"":1}},"CWE-502: Deserialization of Untrusted Data":{"java":{"":1},"ruby":{"":1},"python":{"":2},"javascript":{"":1}},"CWE-300: Channel Accessible by Non-Endpoint":{"go":{"":2}},"CWE-918: Server-Side Request Forgery (SSRF)":{"python":{"":1}},"CWE-311: Missing Encryption of Sensitive Data":{"ruby":{"":1}},"CWE-522: Insufficiently Protected Credentials":{"ruby":{"":2}},"CWE-523: Unprotected Transport of Credentials":{"python":{"":1}},"CWE-322: Key Exchange without Entity Authentication":{"go":{"":1}},"CWE-329: Generation of Predictable IV with CBC Mode":{"java":{"":1}},"CWE-327: Use of a Broken or Risky Cryptographic Algorithm":{"go":{"":5},"java":{"":1},"ruby":{"":1},"python":{"":6},"javascript":{"":2}},"CWE-532: Insertion of Sensitive Information into Log File":{"python":{"":1}},"CWE-1021: Improper Restriction of Rendered UI Layers or 
Frames":{"ruby":{"":1}},"CWE-297: Improper Validation of Certificate with Host Mismatch":{"java":{"":1}},"CWE-611: Improper Restriction of XML External Entity Reference":{"java":{"":1},"python":{"":1}},"CWE-913: Improper Control of Dynamically-Managed Code Resources":{"go":{"":1}},"CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')":{"go":{"":1},"java":{"":2},"ruby":{"":1},"python":{"":2}},"CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes":{"ruby":{"":1},"python":{"":1}},"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')":{"go":{"":1},"java":{"":1},"ruby":{"":1},"generic":{"":1},"typescript":{"":2}},"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')":{"python":{"":1}},"CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')":{"python":{"":1}},"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')":{"python":{"":5}},"CWE-96: Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')":{"python":{"":2}},"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')":{"python":{"":2}},"CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')":{"python":{"":2}}},"rules_with_no_cwe":["hardcoded-eq-true-or-false","useless-if-body","useless-if-conditional","eqeq","no-string-eqeq","eqeq-is-bad","default-mutable-dict","default-mutable-list","string-is-comparison","is-not-is-not","dict-del-while-iterate","list-modify-while-iterate","return-in-init","yield-in-init","tempfile-without-flush","no-strings-as-booleans","useless-eqeq","useless-if-conditional","alias-must-be-unique","copy-from-own-alias","multiple-cmd-instructions"]},"owasp":{"totals":{"":23,"A01:2017: Injection":3,"A03:2021: Injection":18,"A05:2025: 
Injection":18,"A04:2021: Insecure Design":5,"A06:2025: Insecure Design":5,"A01:2021: Broken Access Control":9,"A01:2025: Broken Access Control":10,"A02:2017: Broken Authentication":3,"A05:2017: Broken Access Control":6,"A02:2021: Cryptographic Failures":25,"A04:2025: Cryptographic Failures":25,"A03:2017: Sensitive Data Exposure":28,"A07:2025: Authentication Failures":14,"A08:2017: Insecure Deserialization":5,"A02:2025: Security Misconfiguration":3,"A05:2021: Security Misconfiguration":3,"A06:2017: Security Misconfiguration":1,"A07:2017: Cross-Site Scripting (XSS)":6,"A04:2017: XML External Entities (XXE)":3,"A10:2021: Server-Side Request Forgery (SSRF)":1,"A08:2025: Software or Data Integrity Failures":7,"A08:2021: Software and Data Integrity Failures":7,"A09:2025: Security Logging & Alerting Failures":1,"A09:2021: Security Logging and Monitoring Failures":1,"A07:2021: Identification and Authentication Failures":14},"per_framework":{"":{"go":{"":4},"java":{"":2},"ruby":{"":1},"python":{"":12},"generic":{"":2},"dockerfile":{"":1},"javascript":{"":1}},"A01:2017: Injection":{"python":{"":3}},"A03:2021: Injection":{"go":{"":1},"java":{"":1},"ruby":{"":1},"python":{"":12},"generic":{"":1},"typescript":{"":2}},"A05:2025: Injection":{"go":{"":1},"java":{"":1},"ruby":{"":1},"python":{"":12},"generic":{"":1},"typescript":{"":2}},"A04:2021: Insecure Design":{"java":{"":1},"ruby":{"":4}},"A06:2025: Insecure Design":{"java":{"":1},"ruby":{"":4}},"A01:2021: Broken Access Control":{"go":{"":2},"java":{"":3},"ruby":{"":2},"python":{"":2}},"A01:2025: Broken Access Control":{"go":{"":2},"java":{"":3},"ruby":{"":2},"python":{"":3}},"A02:2017: Broken Authentication":{"ruby":{"":2},"python":{"":1}},"A05:2017: Broken Access Control":{"go":{"":1},"java":{"":2},"ruby":{"":1},"python":{"":2}},"A02:2021: Cryptographic Failures":{"go":{"":8},"java":{"":5},"ruby":{"":1},"python":{"":9},"javascript":{"":2}},"A04:2025: Cryptographic 
Failures":{"go":{"":8},"java":{"":5},"ruby":{"":1},"python":{"":9},"javascript":{"":2}},"A03:2017: Sensitive Data Exposure":{"go":{"":7},"java":{"":6},"ruby":{"":3},"python":{"":10},"javascript":{"":2}},"A07:2025: Authentication Failures":{"go":{"":3},"java":{"":3},"ruby":{"":2},"python":{"":4},"javascript":{"":2}},"A08:2017: Insecure Deserialization":{"java":{"":1},"ruby":{"":1},"python":{"":2},"javascript":{"":1}},"A02:2025: Security Misconfiguration":{"java":{"":1},"python":{"":2}},"A05:2021: Security Misconfiguration":{"java":{"":1},"python":{"":2}},"A06:2017: Security Misconfiguration":{"go":{"":1}},"A07:2017: Cross-Site Scripting (XSS)":{"go":{"":1},"java":{"":1},"ruby":{"":1},"generic":{"":1},"typescript":{"":2}},"A04:2017: XML External Entities (XXE)":{"java":{"":1},"python":{"":2}},"A10:2021: Server-Side Request Forgery (SSRF)":{"python":{"":1}},"A08:2025: Software or Data Integrity Failures":{"java":{"":1},"ruby":{"":2},"python":{"":3},"javascript":{"":1}},"A08:2021: Software and Data Integrity Failures":{"java":{"":1},"ruby":{"":2},"python":{"":3},"javascript":{"":1}},"A09:2025: Security Logging & Alerting Failures":{"python":{"":1}},"A09:2021: Security Logging and Monitoring Failures":{"python":{"":1}},"A07:2021: Identification and Authentication 
Failures":{"go":{"":3},"java":{"":3},"ruby":{"":2},"python":{"":4},"javascript":{"":2}}},"rules_with_no_owasp":["hardcoded-eq-true-or-false","useless-if-body","useless-if-conditional","potential-dos-via-decompression-bomb","eqeq","no-string-eqeq","eqeq-is-bad","default-mutable-dict","default-mutable-list","string-is-comparison","is-not-is-not","dict-del-while-iterate","list-modify-while-iterate","return-in-init","yield-in-init","tempfile-without-flush","no-strings-as-booleans","useless-eqeq","useless-if-conditional","divide-by-zero","alias-must-be-unique","copy-from-own-alias","multiple-cmd-instructions"]}},"author":"Semgrep","counts":{"total_rules":107,"premium_rules":0},"hidden":true,"username":"semgrep","languages":["Go","Java","JavaScript","Python","Ruby"],"description":"Use recommended rulesets specific to your project. Auto config is not a ruleset but a mode that scans for languages and frameworks and then uses the Semgrep Registry to select recommended rules. Semgrep will send a list of languages, frameworks, and your project URL to the Registry when using auto mode (but code is never 
uploaded).","id":"EGe","name":"auto","visibility":"public","categories":[]},{"tags":["javascript","security","xss","owasp","injection","jwt"],"stats":{"cwe":{"totals":{"":14,"cwe-20":1,"cwe-22":5,"cwe-23":3,"cwe-78":2,"cwe-79":3,"cwe-80":2,"cwe-89":2,"cwe-94":8,"cwe-95":1,"cwe-116":1,"cwe-119":1,"cwe-185":1,"cwe-208":1,"cwe-209":2,"cwe-272":3,"cwe-295":2,"cwe-319":2,"cwe-327":7,"cwe-346":3,"cwe-400":3,"cwe-502":4,"cwe-522":8,"cwe-599":1,"cwe-601":2,"cwe-611":4,"cwe-613":1,"cwe-614":1,"cwe-643":1,"cwe-644":1,"cwe-693":4,"cwe-706":1,"cwe-757":1,"cwe-776":1,"cwe-798":5,"cwe-807":1,"cwe-918":6,"cwe-943":2,"cwe-1004":1,"cwe-1275":1},"per_framework":{"":{"javascript":{"":14}},"cwe-20":{"javascript":{"":1}},"cwe-22":{"javascript":{"":5}},"cwe-23":{"javascript":{"":3}},"cwe-78":{"javascript":{"":2}},"cwe-79":{"javascript":{"":3}},"cwe-80":{"javascript":{"":2}},"cwe-89":{"javascript":{"":2}},"cwe-94":{"javascript":{"":8}},"cwe-95":{"javascript":{"":1}},"cwe-116":{"javascript":{"":1}},"cwe-119":{"javascript":{"":1}},"cwe-185":{"javascript":{"":1}},"cwe-208":{"javascript":{"":1}},"cwe-209":{"javascript":{"":2}},"cwe-272":{"javascript":{"":3}},"cwe-295":{"javascript":{"":2}},"cwe-319":{"javascript":{"":2}},"cwe-327":{"javascript":{"":7}},"cwe-346":{"javascript":{"":3}},"cwe-400":{"javascript":{"":3}},"cwe-502":{"javascript":{"":4}},"cwe-522":{"javascript":{"":8}},"cwe-599":{"javascript":{"":1}},"cwe-601":{"javascript":{"":2}},"cwe-611":{"javascript":{"":4}},"cwe-613":{"javascript":{"":1}},"cwe-614":{"javascript":{"":1}},"cwe-643":{"javascript":{"":1}},"cwe-644":{"javascript":{"":1}},"cwe-693":{"javascript":{"":4}},"cwe-706":{"javascript":{"":1}},"cwe-757":{"javascript":{"":1}},"cwe-776":{"javascript":{"":1}},"cwe-798":{"javascript":{"":5}},"cwe-807":{"javascript":{"":1}},"cwe-918":{"javascript":{"":6}},"cwe-943":{"javascript":{"":2}},"cwe-1004":{"javascript":{"":1}},"cwe-1275":{"javascript":{"":1}}},"rules_with_no_cwe":["anti_csrf_control","helmet_header_check_csp","helmet_head
er_check_expect_ct","helmet_header_check_crossdomain","helmet_header_feature_policy","helmet_header_frame_guard","helmet_header_dns_prefetch","helmet_header_x_powered_by","helmet_header_hsts","helmet_header_ienoopen","helmet_header_nosniff","helmet_header_referrer_policy","helmet_header_xss_filter","rate_limit_control"]},"owasp":{"totals":{"":113},"per_framework":{"":{"javascript":{"":113}}},"rules_with_no_owasp":["express_open_redirect2","handlebars_safestring","node_nosqli_injection","anti_csrf_control","helmet_header_check_csp","helmet_header_check_expect_ct","node_sha1","node_aes_ecb","node_aes_noiv","node_weak_crypto","node_insecure_random_generator","node_curl_ssl_verify_disable","node_nosqli_js_injection","sequelize_tls_cert_validation","sequelize_weak_tls","node_sqli_injection","node_knex_sqli_injection","express_bodyparser","layer7_object_dos","regex_dos","electron_disable_websecurity","electron_allow_http","vm2_code_injection","vm2_context_injection","vm_runincontext_injection","vm_runinnewcontext_injection","vm_compilefunction_injection","vm_code_injection","yaml_deserialize","server_side_template_injection","generic_os_command_exec","shelljs_os_command_exec","node_error_disclosure","generic_error_disclosure","hardcoded_passport_secret","node_password","node_username","node_api_key","node_secret","node_logic_bypass","helmet_header_check_crossdomain","helmet_header_feature_policy","helmet_header_frame_guard","helmet_header_dns_prefetch","helmet_header_x_powered_by","helmet_header_hsts","helmet_header_ienoopen","helmet_header_nosniff","helmet_header_referrer_policy","helmet_header_xss_filter","rate_limit_control","cookie_session_default","cookie_session_no_secure","cookie_session_no_samesite","cookie_session_no_httponly","cookie_session_no_domain","cookie_session_no_path","cookie_session_no_maxage","generic_cors","express_cors","express_open_redirect","express_lfr_warning","helmet_feature_disabled","header_xss_lusca","header_xss_generic","host_header_inject
ion","jwt_exposed_credentials","hardcoded_jwt_secret","node_jwt_none_algorithm","jwt_not_revoked","buffer_noassert","generic_header_injection","node_ssrf","phantom_ssrf","playwright_ssrf","puppeteer_ssrf","wkhtmltoimage_ssrf","wkhtmltopdf_ssrf","zip_path_overwrite","zip_path_overwrite2","admzip_path_overwrite","tar_path_overwrite","express_lfr","xxe_xml2json","xss_disable_mustache_escape","express_xss","xss_serialize_javascript","handlebars_noescape","squirrelly_autoescape","node_md5","node_timing_attack","node_tls_reject","sequelize_tls","electron_blink_integration","electron_nodejs_integration","electron_context_isolation","electron_experimental_features","serializetojs_deserialize","node_deserialize","grpc_insecure_connection","eval_nodejs","eval_require","sandbox_code_injection","jwt_exposed_data","jwt_express_hardcoded","join_resolve_path_traversal","node_entity_expansion","node_xpath_injection","xxe_expat","node_xxe","xxe_sax","regex_injection_dos","generic_path_traversal"]}},"author":"Ajin Abraham","counts":{"total_rules":113,"premium_rules":0},"hidden":true,"username":"ajinabraham","languages":["JavaScript"],"description":"Rules from the preeminent Node.js security scanner, NodeJSScan.","id":"D6o","name":"nodejsscan","visibility":"public","categories":[{"id":"aR8","slug":"ported-security-tools","name":"Ported Security Tools","description":"Select rules ported from open-source security tools. 
Start here if you're familiar with these tools."}]},{"tags":["security","correctness"],"stats":{"cwe":{"totals":{"":3,"CWE-697":1,"CWE-833: Deadlock":1,"CWE-172: Encoding Error":2,"CWE-667: Improper Locking":4,"CWE-284: Improper Access Control":2,"CWE-665: Improper Initialization":2,"CWE-476: NULL Pointer Dereference":1,"CWE-798: Use of Hard-coded Credentials":10,"CWE-295: Improper Certificate Validation":24,"CWE-427: Uncontrolled Search Path Element":1,"CWE-352: Cross-Site Request Forgery (CSRF)":3,"CWE-502: Deserialization of Untrusted Data":14,"CWE-330: Use of Insufficiently Random Values":1,"CWE-311: Missing Encryption of Sensitive Data":1,"CWE-460: Improper Cleanup on Thrown Exception":1,"CWE-73: External Control of File Name or Path":1,"CWE-250: Execution with Unnecessary Privileges":4,"CWE-437: Incomplete Model of Endpoint Features":1,"CWE-676: Use of Potentially Dangerous Function":7,"CWE-1327: Binding to an Unrestricted IP Address":1,"CWE-253: Incorrect Check of Function Return Value":1,"CWE-494: Download of Code Without Integrity Check":1,"CWE-681: Incorrect Conversion between Numeric Types":1,"CWE-686: Function Call With Incorrect Argument Type":1,"CWE-755: Improper Handling of Exceptional Conditions":1,"CWE-345: Insufficient Verification of Data Authenticity":3,"CWE-319: Cleartext Transmission of Sensitive Information":13,"CWE-1284: Improper Validation of Specified Quantity in Input":1,"CWE-611: Improper Restriction of XML External Entity Reference":1,"CWE-942: Permissive Cross-domain Policy with Untrusted Domains":5,"CWE-843: Access of Resource Using Incompatible Type ('Type Confusion')":1,"CWE-688: Function Call With Incorrect Variable or Reference as Argument":1,"CWE-758: Reliance on Undefined, Unspecified, or Implementation-Defined Behavior":1,"CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')":1,"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')":1,"CWE-362: 
Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')":2},"per_framework":{"":{"java":{"":1},"python":{"":2}},"CWE-697":{"swift":{"":1}},"CWE-833: Deadlock":{"go":{"":1}},"CWE-172: Encoding Error":{"go":{"":2}},"CWE-667: Improper Locking":{"go":{"":4}},"CWE-284: Improper Access Control":{"hcl":{"":2}},"CWE-665: Improper Initialization":{"go":{"":2}},"CWE-476: NULL Pointer Dereference":{"go":{"":1}},"CWE-798: Use of Hard-coded Credentials":{"hcl":{"":2},"ruby":{"":1},"yaml":{"":7}},"CWE-295: Improper Certificate Validation":{"hcl":{"":3},"java":{"":1},"ruby":{"":4},"yaml":{"":7},"regex":{"":3},"generic":{"":6}},"CWE-427: Uncontrolled Search Path Element":{"go":{"":1}},"CWE-352: Cross-Site Request Forgery (CSRF)":{"js":{"":3}},"CWE-502: Deserialization of Untrusted Data":{"ruby":{"":4},"python":{"":10}},"CWE-330: Use of Insufficiently Random Values":{"python":{"":1}},"CWE-311: Missing Encryption of Sensitive Data":{"ruby":{"":1}},"CWE-460: Improper Cleanup on Thrown Exception":{"ruby":{"":1}},"CWE-73: External Control of File Name or Path":{"generic":{"":1}},"CWE-250: Execution with Unnecessary Privileges":{"hcl":{"":2},"generic":{"":2}},"CWE-437: Incomplete Model of Endpoint Features":{"go":{"":1}},"CWE-676: Use of Potentially Dangerous Function":{"python":{"":7}},"CWE-1327: Binding to an Unrestricted IP Address":{"yaml":{"":1}},"CWE-253: Incorrect Check of Function Return Value":{"go":{"":1}},"CWE-494: Download of Code Without Integrity Check":{"generic":{"":1}},"CWE-681: Incorrect Conversion between Numeric Types":{"go":{"":1}},"CWE-686: Function Call With Incorrect Argument Type":{"js":{"":1}},"CWE-755: Improper Handling of Exceptional Conditions":{"rust":{"":1}},"CWE-345: Insufficient Verification of Data Authenticity":{"ruby":{"":3}},"CWE-319: Cleartext Transmission of Sensitive Information":{"yaml":{"":9},"generic":{"":4}},"CWE-1284: Improper Validation of Specified Quantity in Input":{"go":{"":1}},"CWE-611: Improper 
Restriction of XML External Entity Reference":{"python":{"":1}},"CWE-942: Permissive Cross-domain Policy with Untrusted Domains":{"js":{"":5}},"CWE-843: Access of Resource Using Incompatible Type ('Type Confusion')":{"ruby":{"":1}},"CWE-688: Function Call With Incorrect Variable or Reference as Argument":{"go":{"":1}},"CWE-758: Reliance on Undefined, Unspecified, or Implementation-Defined Behavior":{"python":{"":1}},"CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')":{"python":{"":1}},"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')":{"python":{"":1}},"CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')":{"go":{"":2}}},"rules_with_no_cwe":["gc-call","pytorch-tensor","numpy-in-pytorch-modules"]},"owasp":{"totals":{"":120},"per_framework":{"":{"go":{"":18},"js":{"":9},"hcl":{"":9},"java":{"":2},"ruby":{"":15},"rust":{"":1},"yaml":{"":24},"regex":{"":3},"swift":{"":1},"python":{"":24},"generic":{"":14}}},"rules_with_no_owasp":["scikit-joblib-load","get-url-validate-certs-disabled","rpm-key-unencrypted-url","rpm-key-validate-certs-disabled","port-all-interfaces","aws-secret-key","azure-principal-secret","gcp-credentials-json","jfrog-hardcoded-credential","pypi-publish-password","rubygems-publish-key","vault-token","apt-key-unencrypted-url","unarchive-unencrypted-url","unarchive-validate-certs-disabled","wrm-cert-validation-ignore","yum-unencrypted-url","yum-validate-certs-disabled","zypper-repository-unencrypted-url","zypper-unencrypted-url","dnf-unencrypted-url","missing-runlock-on-rwmutex","insecure-url-host-hassuffix-check","marshal-load-method","gc-call","invalid-usage-of-modified-variable","iterate-over-empty-map","racy-append-to-slice","racy-write-to-map","servercodec-readrequestbody-unhandled-nil","string-to-int-signedness-cast","sync-mutex-value-copied","container-user-root","curl-insecure","curl-unencrypted-url","gpg-insecure-flag
s","installer-allow-untrusted","apt-key-validate-certs-disabled","apt-unencrypted-url","mongodb-insecure-transport","mysql-insecure-sslmode","node-disable-certificate-validation","pickles-in-keras","pickles-in-tensorflow","action-dispatch-insecure-ssl","action-mailer-insecure-tls","active-record-encrypts-misorder","faraday-disable-verification","global-timeout","dnf-validate-certs-disabled","get-url-unencrypted-url","rails-params-json","unmarshal-tag-is-dash","rails-cache-store-marshal","rails-cookie-attributes","rest-client-disable-verification","ruby-saml-skip-validation","yaml-unsafe-load","active-record-hardcoded-encryption-key","unmarshal-tag-is-omitempty","pytorch-classes-load-library","pytorch-package","pytorch-tensor","insecure-rails-cookie-session-store","postgres-insecure-sslmode","amqp-unencrypted-transport","container-privileged","tls-hostname-verification-disabled","openssl-insecure-flags","ssh-disable-host-key-checking","tar-insecure-flags","wget-no-check-certificate","wget-unencrypted-url","eth-rpc-tracetransaction","eth-txreceipt-status","hanging-goroutine","nil-check-after-call","unsafe-dll-loading","waitgroup-add-called-inside-goroutine","waitgroup-wait-inside-loop","schema-directives","use-of-graphql-upload","v3-potentially-bad-cors","v3-bad-cors","v3-no-cors","v3-csrf-prevention","v4-csrf-prevention","mongo-hostname-verification-disabled","automatic-memory-pinning","lxml-in-pandas","msgpack-numpy","numpy-distutils","numpy-f2py-compile","numpy-in-pytorch-datasets","numpy-in-pytorch-modules","numpy-load-library","onnx-session-options","pandas-eval","pickles-in-keras-deprecation","pickles-in-numpy","pickles-in-pandas","pickles-in-pytorch-distributed","pickles-in-pytorch","tarfile-extractall-traversal","tensorflow-load-library","waiting-with-pytorch-distributed","panic-in-function-returning-result","redis-unencrypted-transport","docker-hardcoded-password","docker-privileged-mode","podman-tls-verify-disabled","aws-oidc-role-policy-duplicate-condition"
,"aws-oidc-role-policy-missing-sub","vault-hardcoded-token","vault-skip-tls-verify","json-create-deserialization","missing-unlock-before-return","root-user","v3-express-bad-cors","v3-express-no-cors"]}},"author":"Trail of Bits","counts":{"total_rules":120,"premium_rules":0},"username":"trailofbits","languages":["Go","Python"],"description":"Written by the Trail of Bits security experts. See https://github.com/trailofbits/semgrep-rules for more.","id":"7q4","name":"trailofbits","visibility":"public","categories":[]},{"stats":{"cwe":{"totals":{"CWE-798: Use of Hard-coded Credentials":1,"CWE-613: Insufficient Session Expiration":2,"CWE-352: Cross-Site Request Forgery (CSRF)":2,"CWE-502: Deserialization of Untrusted Data":8,"CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag":10,"CWE-327: Use of a Broken or Risky Cryptographic Algorithm":5,"CWE-1275: Sensitive Cookie with Improper SameSite Attribute":12,"CWE-732: Incorrect Permission Assignment for Critical Resource":2,"CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute":13,"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')":2,"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')":5},"per_framework":{"CWE-798: Use of Hard-coded Credentials":{"python":{"":1}},"CWE-613: Insufficient Session Expiration":{"python":{"":2}},"CWE-352: Cross-Site Request Forgery (CSRF)":{"python":{"":2}},"CWE-502: Deserialization of Untrusted Data":{"python":{"":8}},"CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag":{"csharp":{"":2},"python":{"":3},"javascript":{"":5}},"CWE-327: Use of a Broken or Risky Cryptographic Algorithm":{"python":{"":5}},"CWE-1275: Sensitive Cookie with Improper SameSite Attribute":{"csharp":{"":1},"python":{"":4},"javascript":{"":7}},"CWE-732: Incorrect Permission Assignment for Critical Resource":{"javascript":{"":2}},"CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' 
Attribute":{"csharp":{"":2},"python":{"":5},"javascript":{"":6}},"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')":{"python":{"":2}},"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')":{"python":{"":5}}},"rules_with_no_cwe":[]},"owasp":{"totals":{"":2,"A01:2017: Injection":5,"A03:2021: Injection":7,"A05:2025: Injection":7,"A01:2021: Broken Access Control":14,"A01:2025: Broken Access Control":14,"A02:2017: Broken Authentication":2,"A02:2021: Cryptographic Failures":5,"A04:2025: Cryptographic Failures":5,"A03:2017: Sensitive Data Exposure":5,"A07:2025: Authentication Failures":3,"A08:2017: Insecure Deserialization":8,"A02:2025: Security Misconfiguration":23,"A05:2021: Security Misconfiguration":23,"A07:2017: Cross-Site Scripting (XSS)":2,"A08:2025: Software or Data Integrity Failures":8,"A08:2021: Software and Data Integrity Failures":8,"A07:2021: Identification and Authentication Failures":3},"per_framework":{"":{"javascript":{"":2}},"A01:2017: Injection":{"python":{"":5}},"A03:2021: Injection":{"python":{"":7}},"A05:2025: Injection":{"python":{"":7}},"A01:2021: Broken Access Control":{"csharp":{"":1},"python":{"":6},"javascript":{"":7}},"A01:2025: Broken Access Control":{"csharp":{"":1},"python":{"":6},"javascript":{"":7}},"A02:2017: Broken Authentication":{"python":{"":2}},"A02:2021: Cryptographic Failures":{"python":{"":5}},"A04:2025: Cryptographic Failures":{"python":{"":5}},"A03:2017: Sensitive Data Exposure":{"python":{"":5}},"A07:2025: Authentication Failures":{"python":{"":3}},"A08:2017: Insecure Deserialization":{"python":{"":8}},"A02:2025: Security Misconfiguration":{"csharp":{"":4},"python":{"":8},"javascript":{"":11}},"A05:2021: Security Misconfiguration":{"csharp":{"":4},"python":{"":8},"javascript":{"":11}},"A07:2017: Cross-Site Scripting (XSS)":{"python":{"":2}},"A08:2025: Software or Data Integrity Failures":{"python":{"":8}},"A08:2021: Software and Data 
Integrity Failures":{"python":{"":8}},"A07:2021: Identification and Authentication Failures":{"python":{"":3}}},"rules_with_no_owasp":["cookies-default-express","session-cookie-default-express"]}},"author":"Semgrep","counts":{"total_rules":62,"premium_rules":61},"username":"semgrep","description":"This ruleset helps enforcing secure defaults, to mitigate common security concerns and minimize the need for developers to manually implement security measures. By providing protection out-of-the-box, secure defaults reduce the risk of vulnerabilities due to human error, and eliminate entire classes of vulnerabilities by construction.","id":"y6qO","name":"secure-defaults","visibility":"public","categories":[{"id":"MPe","slug":"quick-start","name":"Getting Started","description":"These rulesets cover a wide range of use cases. Start here to get up and running quickly."}]},{"tags":["security","semgrep","wordpress","php"],"stats":{"cwe":{"totals":{"CWE-285: Improper Authorization":2,"CWE-352: Cross-Site Request Forgery (CSRF)":1,"CWE-502: Deserialization of Untrusted Data":1,"CWE-918: Server-Side Request Forgery (SSRF)":1,"CWE-73: External Control of File Name or Path":1,"CWE-601: URL Redirection to Untrusted Site ('Open Redirect')":1,"CWE-94: Improper Control of Generation of Code ('Code Injection')":1,"CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')":2,"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')":1,"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')":1,"CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')":2,"CWE-73: The software allows user input to control or influence paths of file names that are used in filesystem operations.":2},"per_framework":{"CWE-285: Improper Authorization":{"php":{"":2}},"CWE-352: Cross-Site Request Forgery (CSRF)":{"php":{"":1}},"CWE-502: 
Deserialization of Untrusted Data":{"php":{"":1}},"CWE-918: Server-Side Request Forgery (SSRF)":{"php":{"":1}},"CWE-73: External Control of File Name or Path":{"php":{"":1}},"CWE-601: URL Redirection to Untrusted Site ('Open Redirect')":{"php":{"":1}},"CWE-94: Improper Control of Generation of Code ('Code Injection')":{"php":{"":1}},"CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')":{"php":{"":2}},"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')":{"php":{"":1}},"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')":{"php":{"":1}},"CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')":{"php":{"":2}},"CWE-73: The software allows user input to control or influence paths of file names that are used in filesystem operations.":{"php":{"":2}}},"rules_with_no_cwe":[]},"owasp":{"totals":{"A03:2021: Injection":4,"A05:2025: Injection":4,"A01:2021: Broken Access Control":5,"A01:2025: Broken Access Control":5,"A02:2025: Security Misconfiguration":2,"A05:2021: Security Misconfiguration":2,"A10:2021: Server-Side Request Forgery (SSRF)":1,"A08:2025: Software or Data Integrity Failures":2,"A08:2021: Software and Data Integrity Failures":2},"per_framework":{"A03:2021: Injection":{"php":{"":4}},"A05:2025: Injection":{"php":{"":4}},"A01:2021: Broken Access Control":{"php":{"":5}},"A01:2025: Broken Access Control":{"php":{"":5}},"A02:2025: Security Misconfiguration":{"php":{"":2}},"A05:2021: Security Misconfiguration":{"php":{"":2}},"A10:2021: Server-Side Request Forgery (SSRF)":{"php":{"":1}},"A08:2025: Software or Data Integrity Failures":{"php":{"":2}},"A08:2021: Software and Data Integrity Failures":{"php":{"":2}}},"rules_with_no_owasp":[]}},"author":"p3n7a90n","counts":{"total_rules":12,"premium_rules":0},"username":"p3n7a90n","description":"Wordpress audit ruleset, ported from 
WPScan","id":"9oGY","name":"wordpress","visibility":"public","categories":[]},{"tags":["semgrep","security","headless","javascript","puppeteer","phantomjs","playwright","chrome-remote-interface"],"stats":{"cwe":{"totals":{"CWE-918: Server-Side Request Forgery (SSRF)":13,"CWE-94: Improper Control of Generation of Code ('Code Injection')":2},"per_framework":{"CWE-918: Server-Side Request Forgery (SSRF)":{"javascript":{"":13}},"CWE-94: Improper Control of Generation of Code ('Code Injection')":{"javascript":{"":2}}},"rules_with_no_cwe":[]},"owasp":{"totals":{"A03:2021: Injection":2,"A05:2025: Injection":2,"A01:2025: Broken Access Control":13,"A10:2021: Server-Side Request Forgery (SSRF)":13},"per_framework":{"A03:2021: Injection":{"javascript":{"":2}},"A05:2025: Injection":{"javascript":{"":2}},"A01:2025: Broken Access Control":{"javascript":{"":13}},"A10:2021: Server-Side Request Forgery (SSRF)":{"javascript":{"":13}}},"rules_with_no_owasp":[]}},"author":"Vasilii Ermilov","counts":{"total_rules":15,"premium_rules":0},"username":"inkz","languages":["JavaScript","TypeScript"],"description":"Insecure usage of most popular headless browser APIs","id":"JzW","name":"headless-browser","visibility":"public","categories":[]},{"tags":["semgrep","security","https","ssl","encryption"],"stats":{"cwe":{"totals":{"CWE-326: Inadequate Encryption Strength":1,"CWE-319: Cleartext Transmission of Sensitive Information":52},"per_framework":{"CWE-326: Inadequate Encryption Strength":{"python":{"":1}},"CWE-319: Cleartext Transmission of Sensitive Information":{"go":{"":9},"java":{"":14},"ruby":{"":5},"python":{"":16},"javascript":{"":8}}},"rules_with_no_cwe":[]},"owasp":{"totals":{"A02:2021: Cryptographic Failures":18,"A04:2025: Cryptographic Failures":18,"A03:2017: Sensitive Data Exposure":53},"per_framework":{"A02:2021: Cryptographic Failures":{"python":{"":17},"javascript":{"":1}},"A04:2025: Cryptographic Failures":{"python":{"":17},"javascript":{"":1}},"A03:2017: Sensitive Data 
Exposure":{"go":{"":9},"java":{"":14},"ruby":{"":5},"python":{"":17},"javascript":{"":8}}},"rules_with_no_owasp":[]}},"author":"Colleen Dai","counts":{"total_rules":53,"premium_rules":0},"hidden":true,"username":"colleend","languages":["java","javascript","go","python","ruby"],"description":"Ensure your code communicates over encrypted channels instead of plaintext.","id":"P95p","name":"insecure-transport-jsnode","visibility":"public","categories":[]},{"tags":["security"],"stats":{"cwe":{"totals":{"CWE-328: Use of Weak Hash":4,"CWE-489: Active Debug Code":2,"CWE-23: Relative Path Traversal":1,"CWE-346: Origin Validation Error":1,"CWE-501: Trust Boundary Violation":3,"CWE-798: Use of Hard-coded Credentials":22,"CWE-326: Inadequate Encryption Strength":6,"CWE-352: Cross-Site Request Forgery (CSRF)":1,"CWE-502: Deserialization of Untrusted Data":17,"CWE-918: Server-Side Request Forgery (SSRF)":18,"CWE-323: Reusing a Nonce, Key Pair in Encryption":1,"CWE-91: XML Injection (aka Blind XPath Injection)":1,"CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag":4,"CWE-1333: Inefficient Regular Expression Complexity":1,"CWE-329: Generation of Predictable IV with CBC Mode":1,"CWE-345: Insufficient Verification of Data Authenticity":1,"CWE-319: Cleartext Transmission of Sensitive Information":2,"CWE-327: Use of a Broken or Risky Cryptographic Algorithm":10,"CWE-532: Insertion of Sensitive Information into Log File":1,"CWE-1275: Sensitive Cookie with Improper SameSite Attribute":1,"CWE-601: URL Redirection to Untrusted Site ('Open Redirect')":11,"CWE-297: Improper Validation of Certificate with Host Mismatch":1,"CWE-611: Improper Restriction of XML External Entity Reference":45,"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor":2,"CWE-454: External Initialization of Trusted Variables or Data Stores":1,"CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')":3,"CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute":4,"CWE-644: 
Improper Neutralization of HTTP Headers for Scripting Syntax":2,"CWE-643: Improper Neutralization of Data within XPath Expressions ('XPath Injection')":7,"CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')":10,"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')":17,"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')":19,"CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')":4,"CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')":25,"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')":3,"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')":11,"CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')":1},"per_framework":{"CWE-328: Use of Weak Hash":{"java":{"":4}},"CWE-489: Active Debug Code":{"java":{"":2}},"CWE-23: Relative Path Traversal":{"java":{"":1}},"CWE-346: Origin Validation Error":{"java":{"":1}},"CWE-501: Trust Boundary Violation":{"java":{"":3}},"CWE-798: Use of Hard-coded Credentials":{"java":{"":22}},"CWE-326: Inadequate Encryption Strength":{"java":{"":6}},"CWE-352: Cross-Site Request Forgery (CSRF)":{"java":{"":1}},"CWE-502: Deserialization of Untrusted Data":{"java":{"":17}},"CWE-918: Server-Side Request Forgery (SSRF)":{"java":{"":18}},"CWE-323: Reusing a Nonce, Key Pair in Encryption":{"java":{"":1}},"CWE-91: XML Injection (aka Blind XPath Injection)":{"java":{"":1}},"CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag":{"java":{"":4}},"CWE-1333: Inefficient Regular Expression Complexity":{"java":{"":1}},"CWE-329: Generation of Predictable IV with CBC Mode":{"java":{"":1}},"CWE-345: Insufficient Verification of Data Authenticity":{"java":{"":1}},"CWE-319: Cleartext Transmission of Sensitive 
Information":{"java":{"":2}},"CWE-327: Use of a Broken or Risky Cryptographic Algorithm":{"java":{"":10}},"CWE-532: Insertion of Sensitive Information into Log File":{"java":{"":1}},"CWE-1275: Sensitive Cookie with Improper SameSite Attribute":{"java":{"":1}},"CWE-601: URL Redirection to Untrusted Site ('Open Redirect')":{"java":{"":11}},"CWE-297: Improper Validation of Certificate with Host Mismatch":{"java":{"":1}},"CWE-611: Improper Restriction of XML External Entity Reference":{"java":{"":45}},"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor":{"java":{"":2}},"CWE-454: External Initialization of Trusted Variables or Data Stores":{"java":{"":1}},"CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')":{"java":{"":3}},"CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute":{"java":{"":4}},"CWE-644: Improper Neutralization of HTTP Headers for Scripting Syntax":{"java":{"":2}},"CWE-643: Improper Neutralization of Data within XPath Expressions ('XPath Injection')":{"java":{"":7}},"CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')":{"java":{"":10}},"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')":{"java":{"":17}},"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')":{"java":{"":19}},"CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')":{"java":{"":4}},"CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')":{"java":{"":25}},"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')":{"java":{"":3}},"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')":{"java":{"":11}},"CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response 
Splitting')":{"java":{"":1}}},"rules_with_no_cwe":[]},"owasp":{"totals":{"":1,"A01:2017: Injection":38,"A03:2021: Injection":69,"A05:2025: Injection":69,"A04:2021: Insecure Design":3,"A06:2025: Insecure Design":3,"A01:2021: Broken Access Control":26,"A01:2025: Broken Access Control":42,"A05:2017: Broken Access Control":10,"A02:2021: Cryptographic Failures":23,"A04:2025: Cryptographic Failures":23,"A8:2017 Insecure Deserialization":1,"A03:2017: Sensitive Data Exposure":22,"A07:2025: Authentication Failures":24,"A08:2017: Insecure Deserialization":16,"A02:2025: Security Misconfiguration":55,"A05:2021: Security Misconfiguration":55,"A06:2017: Security Misconfiguration":2,"A07:2017: Cross-Site Scripting (XSS)":17,"A04:2017: XML External Entities (XXE)":45,"A10:2004: Insecure Configuration Management":2,"A10:2021: Server-Side Request Forgery (SSRF)":18,"A8:2021 Software and Data Integrity Failures":1,"A08:2025: Software or Data Integrity Failures":17,"A08:2021: Software and Data Integrity Failures":17,"A09:2025: Security Logging & Alerting Failures":1,"A09:2021: Security Logging and Monitoring Failures":1,"A07:2021: Identification and Authentication Failures":24},"per_framework":{"":{"java":{"":1}},"A01:2017: Injection":{"java":{"":38}},"A03:2021: Injection":{"java":{"":69}},"A05:2025: Injection":{"java":{"":69}},"A04:2021: Insecure Design":{"java":{"":3}},"A06:2025: Insecure Design":{"java":{"":3}},"A01:2021: Broken Access Control":{"java":{"":26}},"A01:2025: Broken Access Control":{"java":{"":42}},"A05:2017: Broken Access Control":{"java":{"":10}},"A02:2021: Cryptographic Failures":{"java":{"":23}},"A04:2025: Cryptographic Failures":{"java":{"":23}},"A8:2017 Insecure Deserialization":{"java":{"":1}},"A03:2017: Sensitive Data Exposure":{"java":{"":22}},"A07:2025: Authentication Failures":{"java":{"":24}},"A08:2017: Insecure Deserialization":{"java":{"":16}},"A02:2025: Security Misconfiguration":{"java":{"":55}},"A05:2021: Security 
Misconfiguration":{"java":{"":55}},"A06:2017: Security Misconfiguration":{"java":{"":2}},"A07:2017: Cross-Site Scripting (XSS)":{"java":{"":17}},"A04:2017: XML External Entities (XXE)":{"java":{"":45}},"A10:2004: Insecure Configuration Management":{"java":{"":2}},"A10:2021: Server-Side Request Forgery (SSRF)":{"java":{"":18}},"A8:2021 Software and Data Integrity Failures":{"java":{"":1}},"A08:2025: Software or Data Integrity Failures":{"java":{"":17}},"A08:2021: Software and Data Integrity Failures":{"java":{"":17}},"A09:2025: Security Logging & Alerting Failures":{"java":{"":1}},"A09:2021: Security Logging and Monitoring Failures":{"java":{"":1}},"A07:2021: Identification and Authentication Failures":{"java":{"":24}}},"rules_with_no_owasp":["jax-rs-better-files-regex-injection-uri-params"]}},"author":"Semgrep","counts":{"total_rules":239,"premium_rules":179},"username":"semgrep","languages":["Java"],"description":"Default ruleset for Java, curated by Semgrep.","id":"Gv2","name":"java","visibility":"public","categories":[{"id":"V5W","slug":"languages-and-frameworks","name":"Languages and Frameworks","description":"Check your code for security problems and best practices in these languages and frameworks."}]},{"stats":{"cwe":{"totals":{"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')":320},"per_framework":{"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')":{"go":{"":21},"cpp":{"":1},"php":{"":8},"java":{"":19},"ruby":{"":8},"rust":{"":12},"scala":{"":3},"swift":{"":1},"csharp":{"":35},"kotlin":{"":6},"python":{"":169},"javascript":{"":37}}},"rules_with_no_cwe":[]},"owasp":{"totals":{"A01:2017: Injection":320,"A03:2021: Injection":320,"A05:2025: Injection":320},"per_framework":{"A01:2017: 
Injection":{"go":{"":21},"cpp":{"":1},"php":{"":8},"java":{"":19},"ruby":{"":8},"rust":{"":12},"scala":{"":3},"swift":{"":1},"csharp":{"":35},"kotlin":{"":6},"python":{"":169},"javascript":{"":37}},"A03:2021: Injection":{"go":{"":21},"cpp":{"":1},"php":{"":8},"java":{"":19},"ruby":{"":8},"rust":{"":12},"scala":{"":3},"swift":{"":1},"csharp":{"":35},"kotlin":{"":6},"python":{"":169},"javascript":{"":37}},"A05:2025: Injection":{"go":{"":21},"cpp":{"":1},"php":{"":8},"java":{"":19},"ruby":{"":8},"rust":{"":12},"scala":{"":3},"swift":{"":1},"csharp":{"":35},"kotlin":{"":6},"python":{"":169},"javascript":{"":37}}},"rules_with_no_owasp":[]}},"author":"Semgrep","counts":{"total_rules":320,"premium_rules":273},"username":"semgrep","description":"Find SQL Injection vulnerabilities in your code base.","id":"YxX","name":"sql-injection","visibility":"public","categories":[{"id":"VJd","slug":"enforce-secure-guardrails","name":"Enforce Secure Guardrails","description":"Use Semgrep to ensure your code enforces secure defaults and framework protections, which can proactively eradicate entire classes of vulnerabilities. 
Avoid playing bug whack-a-mole and scale your security program."}]},{"tags":["owasp","flask","security"],"stats":{"cwe":{"totals":{"CWE-668: Exposure of Resource to Wrong Sphere":1,"CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute":1},"per_framework":{"CWE-668: Exposure of Resource to Wrong Sphere":{"python":{"":1}},"CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute":{"python":{"":1}}},"rules_with_no_cwe":[]},"owasp":{"totals":{"A01:2021: Broken Access Control":1,"A01:2025: Broken Access Control":1,"A02:2025: Security Misconfiguration":1,"A05:2021: Security Misconfiguration":1},"per_framework":{"A01:2021: Broken Access Control":{"python":{"":1}},"A01:2025: Broken Access Control":{"python":{"":1}},"A02:2025: Security Misconfiguration":{"python":{"":1}},"A05:2021: Security Misconfiguration":{"python":{"":1}}},"rules_with_no_owasp":[]}},"author":"Drew Dennison","counts":{"total_rules":2,"premium_rules":0},"hidden":true,"username":"DrewDennison","languages":["Python"],"description":"Rules for OWASP security checks for python","id":"0X5","name":"owasp-flask","visibility":"public","categories":[]},{"stats":{"cwe":{"totals":{"CWE-79:Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')":1,"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')":82},"per_framework":{"CWE-79:Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')":{"swift":{"":1}},"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')":{"go":{"":8},"php":{"":5},"java":{"":17},"ruby":{"":3},"scala":{"":1},"swift":{"":1},"csharp":{"":4},"kotlin":{"":1},"python":{"":11},"generic":{"":3},"javascript":{"":12},"typescript":{"":16}}},"rules_with_no_cwe":[]},"owasp":{"totals":{"A03:2021: Injection":83,"A05:2025: Injection":83,"A07:2017: Cross-Site Scripting (XSS)":83},"per_framework":{"A03:2021: 
Injection":{"go":{"":8},"php":{"":5},"java":{"":17},"ruby":{"":3},"scala":{"":1},"swift":{"":2},"csharp":{"":4},"kotlin":{"":1},"python":{"":11},"generic":{"":3},"javascript":{"":12},"typescript":{"":16}},"A05:2025: Injection":{"go":{"":8},"php":{"":5},"java":{"":17},"ruby":{"":3},"scala":{"":1},"swift":{"":2},"csharp":{"":4},"kotlin":{"":1},"python":{"":11},"generic":{"":3},"javascript":{"":12},"typescript":{"":16}},"A07:2017: Cross-Site Scripting (XSS)":{"go":{"":8},"php":{"":5},"java":{"":17},"ruby":{"":3},"scala":{"":1},"swift":{"":2},"csharp":{"":4},"kotlin":{"":1},"python":{"":11},"generic":{"":3},"javascript":{"":12},"typescript":{"":16}}},"rules_with_no_owasp":[]}},"author":"Semgrep","counts":{"total_rules":83,"premium_rules":48},"username":"semgrep","description":"Find XSS vulnerabilities in your code base.","id":"k52","name":"xss","visibility":"public","categories":[{"id":"VJd","slug":"enforce-secure-guardrails","name":"Enforce Secure Guardrails","description":"Use Semgrep to ensure your code enforces secure defaults and framework protections, which can proactively eradicate entire classes of vulnerabilities. 
Avoid playing bug whack-a-mole and scale your security program."}]},{"tags":["semgrep","security","laravel","php"],"stats":{"cwe":{"totals":{"CWE-352: Cross-Site Request Forgery (CSRF)":3,"CWE-918: Server-Side Request Forgery (SSRF)":1,"CWE-611: Improper Restriction of XML External Entity Reference":2,"CWE-94: Improper Control of Generation of Code ('Code Injection')":1,"CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')":2,"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')":1,"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')":3,"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')":2},"per_framework":{"CWE-352: Cross-Site Request Forgery (CSRF)":{"php":{"":2},"generic":{"":1}},"CWE-918: Server-Side Request Forgery (SSRF)":{"php":{"":1}},"CWE-611: Improper Restriction of XML External Entity Reference":{"php":{"":2}},"CWE-94: Improper Control of Generation of Code ('Code Injection')":{"php":{"":1}},"CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')":{"php":{"":2}},"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')":{"php":{"":1}},"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')":{"php":{"":3}},"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')":{"php":{"":2}}},"rules_with_no_cwe":[]},"owasp":{"totals":{"A01:2017: Injection":6,"A03:2021: Injection":7,"A05:2025: Injection":7,"A01:2021: Broken Access Control":3,"A01:2025: Broken Access Control":4,"A02:2025: Security Misconfiguration":4,"A05:2021: Security Misconfiguration":4,"A06:2017: Security Misconfiguration":2,"A07:2017: Cross-Site Scripting (XSS)":1,"A04:2017: XML External Entities (XXE)":2,"A10:2021: Server-Side Request Forgery (SSRF)":1},"per_framework":{"A01:2017: 
Injection":{"php":{"":6}},"A03:2021: Injection":{"php":{"":7}},"A05:2025: Injection":{"php":{"":7}},"A01:2021: Broken Access Control":{"php":{"":2},"generic":{"":1}},"A01:2025: Broken Access Control":{"php":{"":3},"generic":{"":1}},"A02:2025: Security Misconfiguration":{"php":{"":4}},"A05:2021: Security Misconfiguration":{"php":{"":4}},"A06:2017: Security Misconfiguration":{"php":{"":2}},"A07:2017: Cross-Site Scripting (XSS)":{"php":{"":1}},"A04:2017: XML External Entities (XXE)":{"php":{"":2}},"A10:2021: Server-Side Request Forgery (SSRF)":{"php":{"":1}}},"rules_with_no_owasp":[]}},"author":"Semgrep","counts":{"total_rules":15,"premium_rules":15},"description":"PHP Laravel framework ruleset by Semgrep","id":"P9DN","name":"php-laravel","visibility":"public","categories":[]},{"tags":["secrets","gitleaks"],"stats":{"cwe":{"totals":{"CWE-798: Use of Hard-coded Credentials":175},"per_framework":{"CWE-798: Use of Hard-coded Credentials":{"regex":{"":175}}},"rules_with_no_cwe":[]},"owasp":{"totals":{"A07:2025: Authentication Failures":175,"A07:2021: Identification and Authentication Failures":175},"per_framework":{"A07:2025: Authentication Failures":{"regex":{"":175}},"A07:2021: Identification and Authentication Failures":{"regex":{"":175}}},"rules_with_no_owasp":[]}},"author":"Semgrep","counts":{"total_rules":175,"premium_rules":0},"username":"semgrep","description":"Rules for detecting secrets checked into version control, ported from gitleaks (https://github.com/zricethezav/gitleaks).","id":"4xWE","name":"gitleaks","visibility":"public","categories":[{"id":"aR8","slug":"ported-security-tools","name":"Ported Security Tools","description":"Select rules ported from open-source security tools. 
Start here if you're familiar with these tools."}]},{"tags":["gosec"],"stats":{"cwe":{"totals":{"CWE-15":5,"CWE-20":21,"CWE-22":22,"CWE-23":2,"CWE-73":1,"CWE-74":3,"CWE-77":3,"CWE-78":22,"CWE-79":18,"CWE-88":3,"CWE-89":17,"CWE-90":4,"CWE-93":2,"CWE-94":17,"CWE-95":5,"CWE-113":8,"CWE-116":1,"CWE-118":1,"CWE-119":2,"CWE-120":23,"CWE-126":2,"CWE-134":7,"CWE-155":1,"CWE-176":2,"CWE-180":2,"CWE-182":4,"CWE-185":2,"CWE-190":3,"CWE-200":3,"CWE-208":2,"CWE-209":3,"CWE-242":1,"CWE-250":1,"CWE-259":8,"CWE-269":3,"CWE-272":3,"CWE-276":1,"CWE-287":3,"CWE-295":16,"CWE-297":3,"CWE-305":2,"CWE-306":4,"CWE-310":1,"CWE-311":1,"CWE-319":7,"CWE-322":2,"CWE-326":24,"CWE-327":53,"CWE-328":2,"CWE-330":3,"CWE-338":4,"CWE-346":2,"CWE-352":3,"CWE-353":1,"CWE-362":5,"CWE-377":7,"CWE-378":1,"CWE-400":4,"CWE-409":1,"CWE-489":4,"CWE-501":2,"CWE-502":17,"CWE-521":1,"CWE-522":7,"CWE-539":1,"CWE-552":6,"CWE-554":1,"CWE-599":1,"CWE-601":6,"CWE-611":25,"CWE-613":1,"CWE-614":8,"CWE-643":3,"CWE-644":1,"CWE-676":5,"CWE-693":5,"CWE-696":1,"CWE-704":3,"CWE-706":1,"CWE-732":11,"CWE-749":1,"CWE-754":1,"CWE-757":3,"CWE-770":1,"CWE-780":3,"CWE-798":1,"CWE-807":1,"CWE-917":6,"CWE-918":11,"CWE-939":1,"CWE-942":5,"CWE-943":4,"CWE-1004":5,"CWE-1104":1,"CWE-1275":1,"CWE-377: Insecure Temporary File":1,"CWE-326: Inadequate Encryption Strength":1,"CWE-321: Use of Hard-coded Cryptographic Key":4,"CWE-611: Improper Restriction of XML External Entity Reference":1,"CWE-94: Improper Control of Generation of Code ('Code Injection')":1,"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor":1,"CWE-88: Improper Neutralization of Argument Delimiters in a Command":1,"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')":1,"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL 
Injection')":1},"per_framework":{"CWE-15":{"java":{"":2},"scala":{"":2},"kotlin":{"":1}},"CWE-20":{"c":{"":7},"java":{"":6},"scala":{"":7},"javascript":{"":1}},"CWE-22":{"go":{"":2},"java":{"":7},"scala":{"":6},"csharp":{"":1},"kotlin":{"":3},"python":{"":1},"javascript":{"":1},"typescript":{"":1}},"CWE-23":{"javascript":{"":2}},"CWE-73":{"java":{"":1}},"CWE-74":{"java":{"":2},"kotlin":{"":1}},"CWE-77":{"java":{"":1},"scala":{"":1},"kotlin":{"":1}},"CWE-78":{"c":{"":4},"go":{"":1},"java":{"":1},"scala":{"":1},"csharp":{"":1},"kotlin":{"":1},"python":{"":12},"javascript":{"":1}},"CWE-79":{"go":{"":1},"java":{"":5},"scala":{"":5},"csharp":{"":1},"kotlin":{"":2},"python":{"":2},"javascript":{"":1},"typescript":{"":1}},"CWE-88":{"java":{"":1},"scala":{"":1},"kotlin":{"":1}},"CWE-89":{"go":{"":2},"java":{"":3},"scala":{"":3},"csharp":{"":1},"kotlin":{"":1},"python":{"":5},"javascript":{"":2}},"CWE-90":{"java":{"":1},"scala":{"":1},"csharp":{"":1},"kotlin":{"":1}},"CWE-93":{"java":{"":1},"scala":{"":1}},"CWE-94":{"java":{"":2},"scala":{"":4},"kotlin":{"":2},"python":{"":1},"javascript":{"":8}},"CWE-95":{"python":{"":1},"javascript":{"":4}},"CWE-113":{"java":{"":3},"scala":{"":3},"kotlin":{"":2}},"CWE-116":{"python":{"":1}},"CWE-118":{"go":{"":1}},"CWE-119":{"javascript":{"":2}},"CWE-120":{"c":{"":23}},"CWE-126":{"c":{"":2}},"CWE-134":{"c":{"":4},"java":{"":1},"scala":{"":1},"kotlin":{"":1}},"CWE-155":{"python":{"":1}},"CWE-176":{"java":{"":1},"scala":{"":1}},"CWE-180":{"java":{"":1},"kotlin":{"":1}},"CWE-182":{"java":{"":1},"scala":{"":2},"kotlin":{"":1}},"CWE-185":{"javascript":{"":2}},"CWE-190":{"c":{"":1},"go":{"":2}},"CWE-200":{"go":{"":1},"scala":{"":1},"python":{"":1}},"CWE-208":{"javascript":{"":2}},"CWE-209":{"java":{"":1},"scala":{"":2}},"CWE-242":{"go":{"":1}},"CWE-250":{"c":{"":1}},"CWE-259":{"go":{"":1},"java":{"":2},"scala":{"":3},"kotlin":{"":2}},"CWE-269":{"java":{"":1},"scala":{"":1},"kotlin":{"":1}},"CWE-272":{"javascript":{"":3}},"CWE-276":{"go":{"":1}},
"CWE-287":{"java":{"":1},"scala":{"":1},"kotlin":{"":1}},"CWE-295":{"java":{"":6},"scala":{"":2},"csharp":{"":1},"kotlin":{"":2},"python":{"":2},"generic":{"":1},"javascript":{"":2}},"CWE-297":{"java":{"":1},"scala":{"":1},"kotlin":{"":1}},"CWE-305":{"swift":{"":2}},"CWE-306":{"java":{"":2},"kotlin":{"":2}},"CWE-310":{"go":{"":1}},"CWE-311":{"swift":{"":1}},"CWE-319":{"java":{"":1},"scala":{"":1},"python":{"":3},"javascript":{"":2}},"CWE-322":{"go":{"":1},"python":{"":1}},"CWE-326":{"go":{"":1},"java":{"":5},"scala":{"":8},"kotlin":{"":6},"python":{"":4}},"CWE-327":{"c":{"":4},"go":{"":5},"java":{"":7},"scala":{"":2},"csharp":{"":3},"kotlin":{"":6},"python":{"":22},"javascript":{"":4}},"CWE-328":{"javascript":{"":2}},"CWE-330":{"java":{"":1},"scala":{"":1},"python":{"":1}},"CWE-338":{"go":{"":1},"csharp":{"":1},"javascript":{"":2}},"CWE-346":{"javascript":{"":2}},"CWE-352":{"java":{"":1},"csharp":{"":1},"kotlin":{"":1}},"CWE-353":{"scala":{"":1}},"CWE-362":{"c":{"":5}},"CWE-377":{"c":{"":5},"python":{"":2}},"CWE-378":{"go":{"":1}},"CWE-400":{"go":{"":2},"python":{"":1},"javascript":{"":1}},"CWE-409":{"go":{"":1}},"CWE-489":{"go":{"":1},"java":{"":1},"kotlin":{"":1},"python":{"":1}},"CWE-501":{"java":{"":1},"scala":{"":1}},"CWE-502":{"java":{"":3},"scala":{"":2},"csharp":{"":1},"kotlin":{"":1},"python":{"":6},"javascript":{"":4}},"CWE-521":{"csharp":{"":1}},"CWE-522":{"javascript":{"":7}},"CWE-539":{"scala":{"":1}},"CWE-552":{"go":{"":1},"java":{"":3},"scala":{"":1},"kotlin":{"":1}},"CWE-554":{"csharp":{"":1}},"CWE-599":{"javascript":{"":1}},"CWE-601":{"java":{"":1},"scala":{"":1},"csharp":{"":1},"kotlin":{"":1},"javascript":{"":2}},"CWE-611":{"java":{"":5},"scala":{"":7},"csharp":{"":2},"kotlin":{"":3},"python":{"":8}},"CWE-613":{"javascript":{"":1}},"CWE-614":{"java":{"":3},"scala":{"":2},"csharp":{"":1},"kotlin":{"":1},"javascript":{"":1}},"CWE-643":{"java":{"":1},"csharp":{"":1},"kotlin":{"":1}},"CWE-644":{"javascript":{"":1}},"CWE-676":{"c":{"":4},"generic":{"":
1}},"CWE-693":{"javascript":{"":5}},"CWE-696":{"scala":{"":1}},"CWE-704":{"java":{"":1},"scala":{"":1},"kotlin":{"":1}},"CWE-706":{"javascript":{"":1}},"CWE-732":{"c":{"":3},"go":{"":2},"java":{"":2},"scala":{"":2},"kotlin":{"":1},"python":{"":1}},"CWE-749":{"java":{"":1}},"CWE-754":{"python":{"":1}},"CWE-757":{"swift":{"":2},"javascript":{"":1}},"CWE-770":{"javascript":{"":1}},"CWE-780":{"java":{"":1},"scala":{"":1},"kotlin":{"":1}},"CWE-798":{"javascript":{"":1}},"CWE-807":{"c":{"":1}},"CWE-917":{"java":{"":3},"scala":{"":1},"kotlin":{"":2}},"CWE-918":{"go":{"":1},"java":{"":1},"scala":{"":2},"kotlin":{"":1},"javascript":{"":6}},"CWE-939":{"python":{"":1}},"CWE-942":{"java":{"":3},"scala":{"":1},"kotlin":{"":1}},"CWE-943":{"java":{"":1},"scala":{"":1},"javascript":{"":2}},"CWE-1004":{"java":{"":1},"scala":{"":1},"csharp":{"":1},"kotlin":{"":1},"javascript":{"":1}},"CWE-1104":{"python":{"":1}},"CWE-1275":{"javascript":{"":1}},"CWE-377: Insecure Temporary File":{"python":{"":1}},"CWE-326: Inadequate Encryption Strength":{"python":{"":1}},"CWE-321: Use of Hard-coded Cryptographic Key":{"java":{"":4}},"CWE-611: Improper Restriction of XML External Entity Reference":{"python":{"":1}},"CWE-94: Improper Control of Generation of Code ('Code Injection')":{"javascript":{"":1}},"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor":{"go":{"":1}},"CWE-88: Improper Neutralization of Argument Delimiters in a Command":{"go":{"":1}},"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')":{"python":{"":1}},"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')":{"java":{"":1}}},"rules_with_no_cwe":[]},"owasp":{"totals":{"":153,"A1:2017-Injection":146,"A03:2021-Injection":153,"A04:2021-Insecure Design":4,"A3: Sensitive Data Exposure":1,"A2:2017-Broken Authentication":21,"A5:2017-Broken Access Control":49,"A01:2021-Broken Access Control":49,"A7: Cross-Site Scripting 
(XSS)":1,"A02:2021-Cryptographic Failures":87,"A3:2017-Sensitive Data Exposure":92,"A4: XML External Entities (XXE)":1,"A8:2017-Insecure Deserialization":13,"A6:2017-Security Misconfiguration":41,"A05:2021-Security Misconfiguration":37,"A7:2017-Cross-Site Scripting (XSS)":7,"A4:2017-XML External Entities (XXE)":8,"A10:2021-Server-Side Request Forgery":4,"A06:2021-Vulnerable and Outdated Components":10,"A08:2021-Software and Data Integrity Failures":12,"A07:2021-Identification and Authentication Failures":22,"A9:2017-Using Components with Known Vulnerabilities":11},"per_framework":{"":{"c":{"":1},"go":{"":5},"java":{"":46},"scala":{"":76},"csharp":{"":20},"kotlin":{"":3},"python":{"":1},"javascript":{"":1}},"A1:2017-Injection":{"c":{"":38},"go":{"":6},"java":{"":23},"scala":{"":3},"kotlin":{"":27},"python":{"":20},"javascript":{"":29}},"A03:2021-Injection":{"c":{"":37},"go":{"":5},"java":{"":22},"scala":{"":4},"kotlin":{"":26},"python":{"":30},"javascript":{"":28},"typescript":{"":1}},"A04:2021-Insecure Design":{"java":{"":2},"kotlin":{"":2}},"A3: Sensitive Data Exposure":{"python":{"":1}},"A2:2017-Broken Authentication":{"go":{"":1},"java":{"":4},"scala":{"":1},"swift":{"":2},"kotlin":{"":4},"python":{"":2},"javascript":{"":7}},"A5:2017-Broken Access Control":{"c":{"":14},"go":{"":7},"java":{"":9},"scala":{"":6},"kotlin":{"":5},"python":{"":4},"javascript":{"":3},"typescript":{"":1}},"A01:2021-Broken Access Control":{"c":{"":14},"go":{"":7},"java":{"":9},"scala":{"":6},"kotlin":{"":5},"python":{"":4},"javascript":{"":3},"typescript":{"":1}},"A7: Cross-Site Scripting (XSS)":{"python":{"":1}},"A02:2021-Cryptographic Failures":{"c":{"":4},"go":{"":8},"java":{"":15},"scala":{"":2},"swift":{"":1},"kotlin":{"":12},"python":{"":27},"javascript":{"":18}},"A3:2017-Sensitive Data Exposure":{"c":{"":4},"go":{"":9},"java":{"":15},"scala":{"":2},"swift":{"":1},"kotlin":{"":12},"python":{"":31},"javascript":{"":18}},"A4: XML External Entities 
(XXE)":{"python":{"":1}},"A8:2017-Insecure Deserialization":{"java":{"":1},"kotlin":{"":1},"python":{"":7},"javascript":{"":4}},"A6:2017-Security Misconfiguration":{"c":{"":1},"go":{"":4},"java":{"":7},"swift":{"":2},"kotlin":{"":6},"python":{"":4},"generic":{"":1},"javascript":{"":16}},"A05:2021-Security Misconfiguration":{"c":{"":1},"go":{"":4},"java":{"":5},"swift":{"":2},"kotlin":{"":4},"python":{"":4},"generic":{"":1},"javascript":{"":16}},"A7:2017-Cross-Site Scripting (XSS)":{"java":{"":1},"scala":{"":1},"python":{"":3},"javascript":{"":1},"typescript":{"":1}},"A4:2017-XML External Entities (XXE)":{"python":{"":8}},"A10:2021-Server-Side Request Forgery":{"go":{"":1},"java":{"":1},"kotlin":{"":1},"javascript":{"":1}},"A06:2021-Vulnerable and Outdated Components":{"c":{"":6},"go":{"":1},"generic":{"":1},"javascript":{"":2}},"A08:2021-Software and Data Integrity Failures":{"java":{"":1},"kotlin":{"":1},"python":{"":6},"javascript":{"":4}},"A07:2021-Identification and Authentication Failures":{"go":{"":1},"java":{"":4},"scala":{"":1},"swift":{"":2},"kotlin":{"":4},"python":{"":3},"javascript":{"":7}},"A9:2017-Using Components with Known 
Vulnerabilities":{"c":{"":6},"go":{"":1},"python":{"":1},"generic":{"":1},"javascript":{"":2}}},"rules_with_no_owasp":["bar","asdf","eslint.detect-object-injection","security_code_scan.SCS0011-1","security_code_scan.SCS0032-1.SCS0033-1.SCS0034-1","security_code_scan.SCS0018-1","security_code_scan.SCS0017-1","security_code_scan.SCS0029-1","find_sec_bugs.UNENCRYPTED_SOCKET-1.UNENCRYPTED_SERVER_SOCKET-1","find_sec_bugs.PT_RELATIVE_PATH_TRAVERSAL-1","find_sec_bugs.SQL_INJECTION_SPRING_JDBC-1.SQL_INJECTION_JPA-1.SQL_INJECTION_JDO-1.SQL_INJECTION_JDBC-1.SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE-1.SQL_INJECTION-1.SQL_INJECTION_HIBERNATE-1.SQL_INJECTION_VERTX-1.SQL_PREPARED_STATEMENT_GENERATED_FROM_NONCONSTANT_STRING-1","find_sec_bugs.XPATH_INJECTION-1","find_sec_bugs.XXE_XPATH-1.XXE_DOCUMENT-1","security_code_scan.SCS0027-1","flawfinder.equal-1.mismatch-1.is_permutation-1","find_sec_bugs.HTTPONLY_COOKIE-1","find_sec_bugs.COOKIE_PERSISTENT-1","find_sec_bugs.COOKIE_USAGE-1","find_sec_bugs.HRS_REQUEST_PARAMETER_TO_COOKIE-1","find_sec_bugs.TRUST_BOUNDARY_VIOLATION-1","find_sec_bugs.PERMISSIVE_CORS-1","find_sec_bugs.SPRING_CSRF_PROTECTION_DISABLED-1","find_sec_bugs.SERVLET_PARAMETER-1.SERVLET_CONTENT_TYPE-1.SERVLET_SERVER_NAME-1.SERVLET_SESSION_ID-1.SERVLET_QUERY_STRING-1.SERVLET_HEADER-1.SERVLET_HEADER_REFERER-1.SERVLET_HEADER_USER_AGENT-1","find_sec_bugs.JAXRS_ENDPOINT-1","find_sec_bugs.WEAK_HOSTNAME_VERIFIER-1.WEAK_TRUST_MANAGER-1","find_sec_bugs.STRUTS_FORM_VALIDATION-1","find_sec_bugs.AWS_QUERY_INJECTION-1","find_sec_bugs.BEAN_PROPERTY_INJECTION-1","find_sec_bugs.CRLF_INJECTION_LOGS-1","find_sec_bugs.CUSTOM_INJECTION-1","find_sec_bugs.CUSTOM_INJECTION-2","find_sec_bugs.REQUESTDISPATCHER_FILE_DISCLOSURE-1.STRUTS_FILE_DISCLOSURE-1.SPRING_FILE_DISCLOSURE-1","find_sec_bugs.PATH_TRAVERSAL_IN-1","find_sec_bugs.LDAP_ENTRY_POISONING-1","find_sec_bugs.OVERLY_PERMISSIVE_FILE_PERMISSION-2","find_sec_bugs.PREDICTABLE_RANDOM-1","find_sec_bugs.XSS_REQUEST_WRAPPER-1","find_sec_bugs.XSS_RE
QUEST_PARAMETER_TO_SEND_ERROR-1","find_sec_bugs.XSS_SERVLET-1","find_sec_bugs.XSS_SERVLET-2.XSS_SERVLET_PARAMETER-1","find_sec_bugs.XXE_SAXPARSER-1","find_sec_bugs.XXE_DTD_TRANSFORM_FACTORY-1.XXE_XSLT_TRANSFORM_FACTORY-1","find_sec_bugs.XXE_XMLSTREAMREADER-1","find_sec_bugs_scala.PREDICTABLE_RANDOM-1.PREDICTABLE_RANDOM_SCALA-1","gosec.G112-1","gosec.G113-1","gosec.G201-1","security_code_scan.SCS0009-1","security_code_scan.SCS0008-1","security_code_scan.SCS0004-1","security_code_scan.SCS0010-1","security_code_scan.SCS0013-1","security_code_scan.SCS0006-1","security_code_scan.SCS0005-1","security_code_scan.SCS0016-1","security_code_scan.SCS0001-1","security_code_scan.SCS0026-1.SCS0031-1","security_code_scan.SCS0002-1","security_code_scan.SCS0003-1","security_code_scan.SCS0007-1","gosec.G104-1.G107-1","find_sec_bugs.SQL_INJECTION_SPRING_JDBC-1.SQL_INJECTION_JPA-1.SQL_INJECTION_JDO-1.SQL_INJECTION_JDBC-1.SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE-1","find_sec_bugs.PATH_TRAVERSAL_OUT-1.PATH_TRAVERSAL_OUT-1","find_sec_bugs.IMPROPER_UNICODE-1","find_sec_bugs.HARD_CODE_KEY-1","find_sec_bugs.HARD_CODE_KEY-4","find_sec_bugs.HARD_CODE_KEY-2","find_sec_bugs.HARD_CODE_KEY-3","find_sec_bugs.INFORMATION_EXPOSURE_THROUGH_AN_ERROR_MESSAGE-1","find_sec_bugs.RPC_ENABLED_EXTENSIONS-1","bandit.B108-1","security_code_scan.SCS0028-1","find_sec_bugs_scala.SCALA_PLAY_SSRF-1","find_sec_bugs_kotlin.ECB_MODE-1","find_sec_bugs_kotlin.WEAK_HOSTNAME_VERIFIER-1.WEAK_TRUST_MANAGER-1","find_sec_bugs_scala.AWS_QUERY_INJECTION-1","find_sec_bugs_scala.BAD_HEXA_CONVERSION-1","find_sec_bugs_scala.BEAN_PROPERTY_INJECTION-1","find_sec_bugs_scala.BLOWFISH_KEY_SIZE-1","find_sec_bugs_scala.CIPHER_INTEGRITY-1","find_sec_bugs_scala.COMMAND_INJECTION-1.SCALA_COMMAND_INJECTION-1","find_sec_bugs_scala.COOKIE_PERSISTENT-1","find_sec_bugs_scala.COOKIE_USAGE-1","find_sec_bugs_scala.CRLF_INJECTION_LOGS-1","find_sec_bugs_scala.CUSTOM_INJECTION-1","find_sec_bugs_scala.CUSTOM_INJECTION-2","find_sec_bugs_scala.CUSTOM_MESSAG
E_DIGEST-1","find_sec_bugs_scala.DANGEROUS_PERMISSION_COMBINATION-1","find_sec_bugs_scala.DEFAULT_HTTP_CLIENT-1","find_sec_bugs_scala.DES_USAGE-1","find_sec_bugs_scala.DMI_CONSTANT_DB_PASSWORD-1.HARD_CODE_PASSWORD-3","find_sec_bugs_scala.DMI_EMPTY_DB_PASSWORD-1.HARD_CODE_PASSWORD-2","find_sec_bugs_scala.ECB_MODE-1","find_sec_bugs_scala.EL_INJECTION-1","find_sec_bugs_scala.EXTERNAL_CONFIG_CONTROL-1","find_sec_bugs_scala.FORMAT_STRING_MANIPULATION-1","find_sec_bugs_scala.HARD_CODE_PASSWORD-1","find_sec_bugs_scala.HAZELCAST_SYMMETRIC_ENCRYPTION-1","find_sec_bugs_scala.HRS_REQUEST_PARAMETER_TO_COOKIE-1","find_sec_bugs_scala.HRS_REQUEST_PARAMETER_TO_HTTP_HEADER-1","find_sec_bugs_scala.HTTPONLY_COOKIE-1","find_sec_bugs_scala.HTTP_PARAMETER_POLLUTION-1","find_sec_bugs_scala.HTTP_RESPONSE_SPLITTING-1","find_sec_bugs_scala.IMPROPER_UNICODE-1","find_sec_bugs_scala.INFORMATION_EXPOSURE_THROUGH_AN_ERROR_MESSAGE-1","find_sec_bugs_scala.INSECURE_COOKIE-1","find_sec_bugs_scala.JAXRS_ENDPOINT-1","find_sec_bugs_scala.LDAP_ANONYMOUS-1","find_sec_bugs_scala.LDAP_ENTRY_POISONING-1","find_sec_bugs_scala.LDAP_INJECTION-1","find_sec_bugs_scala.MALICIOUS_XSLT-1","find_sec_bugs_scala.MODIFICATION_AFTER_VALIDATION-1","find_sec_bugs_scala.NORMALIZATION_AFTER_VALIDATION-1","find_sec_bugs_scala.NULL_CIPHER-1","find_sec_bugs_scala.OGNL_INJECTION-1","find_sec_bugs_scala.OVERLY_PERMISSIVE_FILE_PERMISSION-1","find_sec_bugs_scala.OVERLY_PERMISSIVE_FILE_PERMISSION-2","find_sec_bugs_scala.PADDING_ORACLE-1","find_sec_bugs_scala.PERMISSIVE_CORS-1","find_sec_bugs_scala.PERMISSIVE_CORS-2","find_sec_bugs_scala.REQUESTDISPATCHER_FILE_DISCLOSURE-1.STRUTS_FILE_DISCLOSURE-1.SPRING_FILE_DISCLOSURE-1","find_sec_bugs_scala.RPC_ENABLED_EXTENSIONS-1","find_sec_bugs_scala.RSA_KEY_SIZE-1","find_sec_bugs_scala.SAML_IGNORE_COMMENTS-1","find_sec_bugs_scala.SCALA_SENSITIVE_DATA_EXPOSURE-1","find_sec_bugs_scala.SCALA_XSS_MVC_API-1","find_sec_bugs_scala.SERVLET_PARAMETER-1.SERVLET_CONTENT_TYPE-1.SERVLET_SERVER_NAME-1.SERVL
ET_SESSION_ID-1.SERVLET_QUERY_STRING-1.SERVLET_HEADER-1.SERVLET_HEADER_REFERER-1.SERVLET_HEADER_USER_AGENT-1","find_sec_bugs_scala.SMTP_HEADER_INJECTION-1","find_sec_bugs_scala.SSL_CONTEXT-1","find_sec_bugs_scala.STRUTS_FORM_VALIDATION-1","find_sec_bugs_scala.TDES_USAGE-1","find_sec_bugs_scala.TEMPLATE_INJECTION_PEBBLE-1.TEMPLATE_INJECTION_FREEMARKER-1.TEMPLATE_INJECTION_VELOCITY-1","find_sec_bugs_scala.TRUST_BOUNDARY_VIOLATION-1","find_sec_bugs_scala.UNVALIDATED_REDIRECT-1.URL_REWRITING-1","find_sec_bugs_scala.URLCONNECTION_SSRF_FD-1","find_sec_bugs_scala.WEAK_HOSTNAME_VERIFIER-1.WEAK_TRUST_MANAGER-1","find_sec_bugs_scala.WEAK_MESSAGE_DIGEST_MD5-1.WEAK_MESSAGE_DIGEST_SHA1-1","find_sec_bugs_scala.WICKET_XSS1-1","find_sec_bugs_scala.XML_DECODER-1","find_sec_bugs_scala.XPATH_INJECTION-1","find_sec_bugs_scala.XSS_REQUEST_PARAMETER_TO_SERVLET_WRITER-1","find_sec_bugs_scala.XSS_REQUEST_WRAPPER-1","find_sec_bugs_scala.XSS_SERVLET-1","find_sec_bugs_scala.XXE_DOCUMENT-1","find_sec_bugs_scala.XXE_DTD_TRANSFORM_FACTORY-1.XXE_XSLT_TRANSFORM_FACTORY-1","find_sec_bugs_scala.XXE_SAXPARSER-1","find_sec_bugs_scala.XXE_XMLREADER-1","find_sec_bugs_scala.XXE_XMLSTREAMREADER-1","find_sec_bugs_scala.XXE_XPATH-1","java_deserialization_rule-JacksonUnsafeDeserialization","scala_unsafe_rule-InformationExposureVariant2","scala_xss_rule-XSSServletParameter","find_sec_bugs_kotlin.OGNL_INJECTION-1"]}},"author":"Gitlab","counts":{"total_rules":544,"premium_rules":0},"hidden":false,"languages":["Java","C","C++","Python","JavaScript","TypeScript"],"description":"Leverage all Gitlab provided rules with the gitlab rulepack.","id":"gLwn","name":"gitlab","visibility":"public","categories":[]},{"tags":["semgrep","best-practices","correctness","performance","maintainability","python","java","go","javascript","ocaml"],"stats":{"cwe":{"totals":{"":124,"CWE-276: Incorrect Default Permissions":1},"per_framework":{"":{"go":{"":8},"java":{"":4},"ocaml":{"":15},"python":{"":89},"javascript":{"":8}},"CWE-276: 
Incorrect Default Permissions":{"go":{"":1}}},"rules_with_no_cwe":["deprecated-pervasives","ocamllint-length-list-zero","ocamllint-length-more-than-zero","ocamllint-bool-true","ocamllint-bool-false","ocamllint-useless-else","ocamllint-backwards-if","hashtbl-find-outside-try","list-find-outside-try","ocamllint-str-first-chars","ocamllint-str-string-after","ocamllint-str-last-chars","ocamllint-useless-sprintf","ocamllint-ref-incr","ocamllint-ref-decr","useless-if-conditional","useless-if-body","integer-overflow-int16","integer-overflow-int32","eqeq-is-bad","hardcoded-eq-true-or-false","channel-guarded-with-mutex","hidden-goroutine","flask-deprecated-apis","flask-duplicate-handler-name","avoid-accessing-request-in-wrong-handler","use-jsonify","flask-class-method-get-side-effects","bokeh-deprecated-apis","use-click-secho","delete-where-no-execute","bad-operator-in-filter","len-all-count","batch-import","use-raise-for-status","use-timeout","python37-compatibility-importlib","python37-compatibility-importlib2","python37-compatibility-importlib3","python37-compatibility-httpconn","python37-compatibility-httpsconn","python37-compatibility-textiowrapper","python37-compatibility-ipv6network1","python37-compatibility-ipv6network2","python37-compatibility-ipv4network1","python37-compatibility-ipv4network2","python37-compatibility-locale1","python37-compatibility-math1","python37-compatibility-multiprocess1","python37-compatibility-multiprocess2","python37-compatibility-os1","python37-compatibility-os2-ok2","python37-compatibility-pdb","python36-compatibility-ssl","python36-compatibility-Popen1","python36-compatibility-Popen2","useless-if-conditional","useless-if-body","code-after-unconditional-return","return-not-in-function","useless-assignment-keyed","useless-inner-function","writing-to-file-in-read-mode","use-sys-exit","pdb-remove","list-modify-while-iterate","uncaught-executor-exceptions","raise-not-base-exception","return-in-init","yield-in-init","file-object-redefined-bef
ore-close","baseclass-attribute-override","unchecked-subprocess-call","tempfile-insecure","tempfile-without-flush","dict-del-while-iterate","is-not-is-not","default-mutable-dict","string-concat-in-list","identical-is-comparison","string-is-comparison","default-mutable-list","no-strings-as-booleans","useless-eqeq","pass-body-fn","pass-body-range","python-debugger-found","missing-hash-with-eq","arbitrary-sleep","manual-defaultdict-dict-create","manual-defaultdict-set-create","manual-defaultdict-list-create","manual-counter-create","hardcoded-tmp-path","open-never-closed","attr-mutable-initializer","django-compat-2_0-signals-weak","django-compat-2_0-check-aggregate-support","django-compat-2_0-extra-forms","django-compat-2_0-assignment-tag","django-compat-2_0-assert-redirects-helper","no-null-string-field","string-field-must-set-null-true","use-decimalfield-for-money","django-db-model-save-super","nontext-field-must-set-null-true","access-foreign-keys","use-earliest-or-latest","use-count-method","use-onetoonefield","use-django-environ","use-json-response","no-string-eqeq","hardcoded-conditional","eqeq","assignment-comparison","useless-assignment","no-replaceall","eqeq-is-bad","assigned-undefined","javascript-alert","javascript-debugger","javascript-confirm","javascript-prompt"]},"owasp":{"totals":{"":125},"per_framework":{"":{"go":{"":9},"java":{"":4},"ocaml":{"":15},"python":{"":89},"javascript":{"":8}}},"rules_with_no_owasp":["deprecated-pervasives","ocamllint-length-list-zero","ocamllint-length-more-than-zero","ocamllint-bool-true","ocamllint-bool-false","ocamllint-useless-else","ocamllint-backwards-if","hashtbl-find-outside-try","list-find-outside-try","ocamllint-str-first-chars","ocamllint-str-string-after","ocamllint-str-last-chars","ocamllint-useless-sprintf","ocamllint-ref-incr","ocamllint-ref-decr","useless-if-conditional","useless-if-body","incorrect-default-permission","integer-overflow-int16","integer-overflow-int32","eqeq-is-bad","hardcoded-eq-true-or-false
","channel-guarded-with-mutex","hidden-goroutine","flask-deprecated-apis","flask-duplicate-handler-name","avoid-accessing-request-in-wrong-handler","use-jsonify","flask-class-method-get-side-effects","bokeh-deprecated-apis","use-click-secho","delete-where-no-execute","bad-operator-in-filter","len-all-count","batch-import","use-raise-for-status","use-timeout","python37-compatibility-importlib","python37-compatibility-importlib2","python37-compatibility-importlib3","python37-compatibility-httpconn","python37-compatibility-httpsconn","python37-compatibility-textiowrapper","python37-compatibility-ipv6network1","python37-compatibility-ipv6network2","python37-compatibility-ipv4network1","python37-compatibility-ipv4network2","python37-compatibility-locale1","python37-compatibility-math1","python37-compatibility-multiprocess1","python37-compatibility-multiprocess2","python37-compatibility-os1","python37-compatibility-os2-ok2","python37-compatibility-pdb","python36-compatibility-ssl","python36-compatibility-Popen1","python36-compatibility-Popen2","useless-if-conditional","useless-if-body","code-after-unconditional-return","return-not-in-function","useless-assignment-keyed","useless-inner-function","writing-to-file-in-read-mode","use-sys-exit","pdb-remove","list-modify-while-iterate","uncaught-executor-exceptions","raise-not-base-exception","return-in-init","yield-in-init","file-object-redefined-before-close","baseclass-attribute-override","unchecked-subprocess-call","tempfile-insecure","tempfile-without-flush","dict-del-while-iterate","is-not-is-not","default-mutable-dict","string-concat-in-list","identical-is-comparison","string-is-comparison","default-mutable-list","no-strings-as-booleans","useless-eqeq","pass-body-fn","pass-body-range","python-debugger-found","missing-hash-with-eq","arbitrary-sleep","manual-defaultdict-dict-create","manual-defaultdict-set-create","manual-defaultdict-list-create","manual-counter-create","hardcoded-tmp-path","open-never-closed","attr-mutabl
e-initializer","django-compat-2_0-signals-weak","django-compat-2_0-check-aggregate-support","django-compat-2_0-extra-forms","django-compat-2_0-assignment-tag","django-compat-2_0-assert-redirects-helper","no-null-string-field","string-field-must-set-null-true","use-decimalfield-for-money","django-db-model-save-super","nontext-field-must-set-null-true","access-foreign-keys","use-earliest-or-latest","use-count-method","use-onetoonefield","use-django-environ","use-json-response","no-string-eqeq","hardcoded-conditional","eqeq","assignment-comparison","useless-assignment","no-replaceall","eqeq-is-bad","assigned-undefined","javascript-alert","javascript-debugger","javascript-confirm","javascript-prompt"]}},"author":"Semgrep","counts":{"total_rules":125,"premium_rules":0},"username":"semgrep","languages":["JavaScript","Java","Python","Go","OCaml"],"description":"A collection of opinionated rules for best practices in popular languages. Recommended for users who want really strict coding standards.","id":"o3R","name":"r2c-best-practices","visibility":"public","categories":[]},{"tags":["semgrep","rce","reverse_shell"],"stats":{"cwe":{"totals":{"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')":1},"per_framework":{"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')":{"java":{"":1}}},"rules_with_no_cwe":[]},"owasp":{"totals":{"A01:2017: Injection":1,"A03:2021: Injection":1,"A05:2025: Injection":1},"per_framework":{"A01:2017: Injection":{"java":{"":1}},"A03:2021: Injection":{"java":{"":1}},"A05:2025: Injection":{"java":{"":1}}},"rules_with_no_owasp":[]}},"author":"Kurt Boberg","counts":{"total_rules":1,"premium_rules":0},"hidden":true,"username":"chgg-kboberg","languages":["java","bash"],"description":"Ruleset for reverse shells, by Kurt 
Boberg","id":"d82X","name":"reverse-shells","visibility":"public","categories":[]},{"tags":["security","audit","xxe","injection","deserialization","xss","jwt","csrf","crypto"],"stats":{"cwe":{"totals":{"CWE-415: Double Free":1,"CWE-369: Divide By Zero":1,"CWE-416: Use After Free":1,"CWE-328: Use of Weak Hash":6,"CWE-489: Active Debug Code":6,"CWE-287: Improper Authentication":1,"CWE-377: Insecure Temporary File":1,"CWE-501: Trust Boundary Violation":1,"CWE-16: CWE CATEGORY: Configuration":3,"CWE-521: Weak Password Requirements":2,"CWE-269: Improper Privilege Management":1,"CWE-276: Incorrect Default Permissions":1,"CWE-798: Use of Hard-coded Credentials":6,"CWE-326: Inadequate Encryption Strength":10,"CWE-295: Improper Certificate Validation":6,"CWE-183: Permissive List of Allowed Inputs":1,"CWE-352: Cross-Site Request Forgery (CSRF)":6,"CWE-400: Uncontrolled Resource Consumption":1,"CWE-502: Deserialization of Untrusted Data":13,"CWE-704: Incorrect Type Conversion or Cast":1,"CWE-300: Channel Accessible by Non-Endpoint":2,"CWE-330: Use of Insufficiently Random Values":1,"CWE-242: Use of Inherently Dangerous Function":1,"CWE-311: Missing Encryption of Sensitive Data":1,"CWE-523: Unprotected Transport of Credentials":1,"CWE-668: Exposure of Resource to Wrong Sphere":2,"CWE-73: External Control of File Name or Path":1,"CWE-676: Use of Potentially Dangerous Function":5,"CWE-116: Improper Encoding or Escaping of Output":1,"CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag":1,"CWE-134: Use of Externally-Controlled Format String":1,"CWE-322: Key Exchange without Entity Authentication":2,"CWE-329: Generation of Predictable IV with CBC Mode":1,"CWE-319: Cleartext Transmission of Sensitive Information":6,"CWE-327: Use of a Broken or Risky Cryptographic Algorithm":17,"CWE-601: URL Redirection to Untrusted Site ('Open Redirect')":4,"CWE-441: Unintended Proxy or Intermediary ('Confused Deputy')":1,"CWE-1021: Improper Restriction of Rendered UI Layers or Frames":1,"CWE-297: 
Improper Validation of Certificate with Host Mismatch":1,"CWE-611: Improper Restriction of XML External Entity Reference":7,"CWE-942: Permissive Cross-domain Policy with Untrusted Domains":1,"CWE-913: Improper Control of Dynamically-Managed Code Resources":2,"CWE-939: Improper Authorization in Handler for Custom URL Scheme":1,"CWE-155: Improper Neutralization of Wildcards or Matching Symbols":1,"CWE-94: Improper Control of Generation of Code ('Code Injection')":7,"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor":5,"CWE-264: CWE CATEGORY: Permissions, Privileges, and Access Controls":1,"CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')":1,"CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute":3,"CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)":2,"CWE-774: Allocation of File Descriptors or Handles Without Limits or Throttling":1,"CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer":1,"CWE-643: Improper Neutralization of Data within XPath Expressions ('XPath Injection')":1,"CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')":6,"CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes":4,"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')":26,"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')":9,"CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')":3,"CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')":1,"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')":8,"CWE-96: Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')":3,"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')":8,"CWE-113: Improper 
Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')":2,"CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')":2},"per_framework":{"CWE-415: Double Free":{"c":{"":1}},"CWE-369: Divide By Zero":{"ruby":{"":1}},"CWE-416: Use After Free":{"c":{"":1}},"CWE-328: Use of Weak Hash":{"go":{"":2},"java":{"":2},"ruby":{"":2}},"CWE-489: Active Debug Code":{"go":{"":1},"python":{"":5}},"CWE-287: Improper Authentication":{"java":{"":1}},"CWE-377: Insecure Temporary File":{"go":{"":1}},"CWE-501: Trust Boundary Violation":{"java":{"":1}},"CWE-16: CWE CATEGORY: Configuration":{"generic":{"":3}},"CWE-521: Weak Password Requirements":{"python":{"":2}},"CWE-269: Improper Privilege Management":{"dockerfile":{"":1}},"CWE-276: Incorrect Default Permissions":{"java":{"":1}},"CWE-798: Use of Hard-coded Credentials":{"go":{"":1},"ruby":{"":1},"python":{"":2},"javascript":{"":2}},"CWE-326: Inadequate Encryption Strength":{"java":{"":5},"python":{"":3},"generic":{"":2}},"CWE-295: Improper Certificate Validation":{"java":{"":2},"ruby":{"":1},"python":{"":3}},"CWE-183: Permissive List of Allowed Inputs":{"java":{"":1}},"CWE-352: Cross-Site Request Forgery (CSRF)":{"java":{"":2},"ruby":{"":1},"python":{"":2},"javascript":{"":1}},"CWE-400: Uncontrolled Resource Consumption":{"go":{"":1}},"CWE-502: Deserialization of Untrusted Data":{"java":{"":2},"ruby":{"":1},"python":{"":9},"javascript":{"":1}},"CWE-704: Incorrect Type Conversion or Cast":{"java":{"":1}},"CWE-300: Channel Accessible by Non-Endpoint":{"go":{"":2}},"CWE-330: Use of Insufficiently Random Values":{"java":{"":1}},"CWE-242: Use of Inherently Dangerous Function":{"go":{"":1}},"CWE-311: Missing Encryption of Sensitive Data":{"ruby":{"":1}},"CWE-523: Unprotected Transport of Credentials":{"python":{"":1}},"CWE-668: Exposure of Resource to Wrong Sphere":{"python":{"":2}},"CWE-73: External Control of File Name or Path":{"python":{"":1}},"CWE-676: Use of 
Potentially Dangerous Function":{"c":{"":5}},"CWE-116: Improper Encoding or Escaping of Output":{"javascript":{"":1}},"CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag":{"java":{"":1}},"CWE-134: Use of Externally-Controlled Format String":{"c":{"":1}},"CWE-322: Key Exchange without Entity Authentication":{"go":{"":1},"python":{"":1}},"CWE-329: Generation of Predictable IV with CBC Mode":{"java":{"":1}},"CWE-319: Cleartext Transmission of Sensitive Information":{"go":{"":1},"java":{"":1},"python":{"":2},"generic":{"":1},"typescript":{"":1}},"CWE-327: Use of a Broken or Risky Cryptographic Algorithm":{"go":{"":5},"java":{"":3},"python":{"":7},"javascript":{"":2}},"CWE-601: URL Redirection to Untrusted Site ('Open Redirect')":{"java":{"":2},"python":{"":1},"javascript":{"":1}},"CWE-441: Unintended Proxy or Intermediary ('Confused Deputy')":{"generic":{"":1}},"CWE-1021: Improper Restriction of Rendered UI Layers or Frames":{"ruby":{"":1}},"CWE-297: Improper Validation of Certificate with Host Mismatch":{"java":{"":1}},"CWE-611: Improper Restriction of XML External Entity Reference":{"java":{"":3},"python":{"":1},"javascript":{"":3}},"CWE-942: Permissive Cross-domain Policy with Untrusted Domains":{"hcl":{"":1}},"CWE-913: Improper Control of Dynamically-Managed Code Resources":{"go":{"":2}},"CWE-939: Improper Authorization in Handler for Custom URL Scheme":{"python":{"":1}},"CWE-155: Improper Neutralization of Wildcards or Matching Symbols":{"python":{"":1}},"CWE-94: Improper Control of Generation of Code ('Code Injection')":{"go":{"":1},"java":{"":3},"ruby":{"":3}},"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor":{"go":{"":1},"hcl":{"":2},"java":{"":1},"python":{"":1}},"CWE-264: CWE CATEGORY: Permissions, Privileges, and Access Controls":{"json":{"":1}},"CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')":{"java":{"":1}},"CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' 
Attribute":{"java":{"":1},"python":{"":2}},"CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)":{"go":{"":1},"javascript":{"":1}},"CWE-774: Allocation of File Descriptors or Handles Without Limits or Throttling":{"c":{"":1}},"CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer":{"javascript":{"":1}},"CWE-643: Improper Neutralization of Data within XPath Expressions ('XPath Injection')":{"java":{"":1}},"CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')":{"go":{"":1},"java":{"":2},"ruby":{"":1},"python":{"":1},"generic":{"":1}},"CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes":{"ruby":{"":3},"python":{"":1}},"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')":{"go":{"":5},"java":{"":3},"regex":{"":4},"python":{"":6},"generic":{"":5},"javascript":{"":1},"typescript":{"":2}},"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')":{"go":{"":1},"java":{"":3},"python":{"":5}},"CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')":{"java":{"":3}},"CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')":{"python":{"":1}},"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')":{"python":{"":7},"javascript":{"":1}},"CWE-96: Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')":{"python":{"":3}},"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')":{"java":{"":2},"python":{"":4},"javascript":{"":2}},"CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')":{"java":{"":1},"generic":{"":1}},"CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component 
('Injection')":{"python":{"":2}}},"rules_with_no_cwe":[]},"owasp":{"totals":{"":12,"A01:2017: Injection":23,"A03:2021: Injection":72,"A05:2025: Injection":72,"A04:2021: Insecure Design":6,"A06:2025: Insecure Design":6,"A01:2021: Broken Access Control":29,"A01:2025: Broken Access Control":29,"A02:2017: Broken Authentication":2,"A05:2017: Broken Access Control":7,"A02:2021: Cryptographic Failures":46,"A04:2025: Cryptographic Failures":46,"A03:2017: Sensitive Data Exposure":47,"A07:2025: Authentication Failures":18,"A08:2017: Insecure Deserialization":13,"A02:2025: Security Misconfiguration":20,"A05:2021: Security Misconfiguration":20,"A06:2017: Security Misconfiguration":5,"A07:2017: Cross-Site Scripting (XSS)":26,"A04:2017: XML External Entities (XXE)":8,"A08:2025: Software or Data Integrity Failures":17,"A08:2021: Software and Data Integrity Failures":17,"A07:2021: Identification and Authentication Failures":18},"per_framework":{"":{"c":{"":8},"go":{"":2},"ruby":{"":1},"javascript":{"":1}},"A01:2017: Injection":{"c":{"":1},"go":{"":1},"java":{"":8},"python":{"":11},"javascript":{"":2}},"A03:2021: Injection":{"c":{"":1},"go":{"":7},"java":{"":17},"ruby":{"":3},"regex":{"":4},"python":{"":27},"generic":{"":6},"javascript":{"":5},"typescript":{"":2}},"A05:2025: Injection":{"c":{"":1},"go":{"":7},"java":{"":17},"ruby":{"":3},"regex":{"":4},"python":{"":27},"generic":{"":6},"javascript":{"":5},"typescript":{"":2}},"A04:2021: Insecure Design":{"java":{"":2},"ruby":{"":2},"python":{"":1},"dockerfile":{"":1}},"A06:2025: Insecure Design":{"java":{"":2},"ruby":{"":2},"python":{"":1},"dockerfile":{"":1}},"A01:2021: Broken Access Control":{"go":{"":5},"hcl":{"":2},"java":{"":8},"json":{"":1},"ruby":{"":2},"python":{"":7},"generic":{"":2},"javascript":{"":2}},"A01:2025: Broken Access Control":{"go":{"":5},"hcl":{"":2},"java":{"":8},"json":{"":1},"ruby":{"":2},"python":{"":7},"generic":{"":2},"javascript":{"":2}},"A02:2017: Broken 
Authentication":{"java":{"":1},"python":{"":1}},"A05:2017: Broken Access Control":{"go":{"":1},"java":{"":2},"ruby":{"":1},"python":{"":1},"generic":{"":1},"javascript":{"":1}},"A02:2021: Cryptographic Failures":{"go":{"":10},"java":{"":13},"ruby":{"":2},"python":{"":14},"generic":{"":3},"javascript":{"":3},"typescript":{"":1}},"A04:2025: Cryptographic Failures":{"go":{"":10},"java":{"":13},"ruby":{"":2},"python":{"":14},"generic":{"":3},"javascript":{"":3},"typescript":{"":1}},"A03:2017: Sensitive Data Exposure":{"go":{"":8},"java":{"":14},"ruby":{"":4},"python":{"":15},"generic":{"":3},"javascript":{"":2},"typescript":{"":1}},"A07:2025: Authentication Failures":{"go":{"":3},"java":{"":4},"ruby":{"":2},"python":{"":7},"javascript":{"":2}},"A08:2017: Insecure Deserialization":{"java":{"":2},"ruby":{"":1},"python":{"":9},"javascript":{"":1}},"A02:2025: Security Misconfiguration":{"hcl":{"":1},"java":{"":5},"python":{"":8},"generic":{"":3},"javascript":{"":3}},"A05:2021: Security Misconfiguration":{"hcl":{"":1},"java":{"":5},"python":{"":8},"generic":{"":3},"javascript":{"":3}},"A06:2017: Security Misconfiguration":{"go":{"":1},"python":{"":1},"generic":{"":3}},"A07:2017: Cross-Site Scripting (XSS)":{"go":{"":5},"java":{"":3},"regex":{"":4},"python":{"":6},"generic":{"":5},"javascript":{"":1},"typescript":{"":2}},"A04:2017: XML External Entities (XXE)":{"java":{"":3},"python":{"":2},"javascript":{"":3}},"A08:2025: Software or Data Integrity Failures":{"java":{"":2},"ruby":{"":4},"python":{"":10},"javascript":{"":1}},"A08:2021: Software and Data Integrity Failures":{"java":{"":2},"ruby":{"":4},"python":{"":10},"javascript":{"":1}},"A07:2021: Identification and Authentication 
Failures":{"go":{"":3},"java":{"":4},"ruby":{"":2},"python":{"":7},"javascript":{"":2}}},"rules_with_no_owasp":["insecure-use-gets-fn","insecure-use-printf-fn","insecure-use-scanf-fn","insecure-use-strcat-fn","insecure-use-string-copy-fn","insecure-use-strtok-fn","use-after-free","random-fd-exhaustion","use-of-unsafe-block","potential-dos-via-decompression-bomb","detect-buffer-noassert","divide-by-zero"]}},"author":"Semgrep","counts":{"total_rules":225,"premium_rules":0},"username":"semgrep","languages":["Ruby","JavaScript","Go","Java","C"],"description":"Scan code for potential security issues that require additional review. Recommended for teams looking to set up guardrails or to flag troublesome spots for further review.","id":"2gD","name":"r2c-security-audit","visibility":"public","categories":[{"id":"MPe","slug":"quick-start","name":"Getting Started","description":"These rulesets cover a wide range of use cases. Start here to get up and running quickly."}]},{"tags":["semgrep","correctness","logic","python","django","flask","java","javascript","go","ocaml"],"stats":{"cwe":{"totals":{"":43,"CWE-276: Incorrect Default Permissions":1},"per_framework":{"":{"go":{"":4},"java":{"":4},"python":{"":32},"javascript":{"":3}},"CWE-276: Incorrect Default 
Permissions":{"go":{"":1}}},"rules_with_no_cwe":["integer-overflow-int16","integer-overflow-int32","eqeq-is-bad","hardcoded-eq-true-or-false","flask-duplicate-handler-name","avoid-accessing-request-in-wrong-handler","delete-where-no-execute","bad-operator-in-filter","writing-to-file-in-read-mode","use-sys-exit","pdb-remove","list-modify-while-iterate","uncaught-executor-exceptions","raise-not-base-exception","return-in-init","yield-in-init","file-object-redefined-before-close","baseclass-attribute-override","unchecked-subprocess-call","tempfile-insecure","tempfile-without-flush","dict-del-while-iterate","is-not-is-not","default-mutable-dict","string-concat-in-list","identical-is-comparison","string-is-comparison","default-mutable-list","no-strings-as-booleans","useless-eqeq","attr-mutable-initializer","no-null-string-field","string-field-must-set-null-true","use-decimalfield-for-money","django-db-model-save-super","nontext-field-must-set-null-true","no-string-eqeq","hardcoded-conditional","eqeq","assignment-comparison","useless-assignment","no-replaceall","eqeq-is-bad"]},"owasp":{"totals":{"":44},"per_framework":{"":{"go":{"":5},"java":{"":4},"python":{"":32},"javascript":{"":3}}},"rules_with_no_owasp":["incorrect-default-permission","integer-overflow-int16","integer-overflow-int32","eqeq-is-bad","hardcoded-eq-true-or-false","flask-duplicate-handler-name","avoid-accessing-request-in-wrong-handler","delete-where-no-execute","bad-operator-in-filter","writing-to-file-in-read-mode","use-sys-exit","pdb-remove","list-modify-while-iterate","uncaught-executor-exceptions","raise-not-base-exception","return-in-init","yield-in-init","file-object-redefined-before-close","baseclass-attribute-override","unchecked-subprocess-call","tempfile-insecure","tempfile-without-flush","dict-del-while-iterate","is-not-is-not","default-mutable-dict","string-concat-in-list","identical-is-comparison","string-is-comparison","default-mutable-list","no-strings-as-booleans","useless-eqeq","attr-mut
able-initializer","no-null-string-field","string-field-must-set-null-true","use-decimalfield-for-money","django-db-model-save-super","nontext-field-must-set-null-true","no-string-eqeq","hardcoded-conditional","eqeq","assignment-comparison","useless-assignment","no-replaceall","eqeq-is-bad"]}},"author":"Semgrep","counts":{"total_rules":44,"premium_rules":0},"username":"semgrep","languages":["JavaScript","Java","Python","Go","OCaml"],"description":"Find common bugs, errors, and logic issues in popular languages.","id":"zZW","name":"r2c-bug-scan","visibility":"public","categories":[]},{"tags":["security","audit","xxe","injection","deserialization","xss","jwt","csrf","crypto"],"stats":{"cwe":{"totals":{"CWE-415: Double Free":1,"CWE-369: Divide By Zero":1,"CWE-416: Use After Free":1,"CWE-328: Use of Weak Hash":6,"CWE-489: Active Debug Code":6,"CWE-287: Improper Authentication":1,"CWE-377: Insecure Temporary File":1,"CWE-501: Trust Boundary Violation":1,"CWE-16: CWE CATEGORY: Configuration":3,"CWE-521: Weak Password Requirements":2,"CWE-269: Improper Privilege Management":1,"CWE-276: Incorrect Default Permissions":1,"CWE-798: Use of Hard-coded Credentials":6,"CWE-326: Inadequate Encryption Strength":10,"CWE-295: Improper Certificate Validation":6,"CWE-183: Permissive List of Allowed Inputs":1,"CWE-352: Cross-Site Request Forgery (CSRF)":6,"CWE-400: Uncontrolled Resource Consumption":1,"CWE-502: Deserialization of Untrusted Data":13,"CWE-704: Incorrect Type Conversion or Cast":1,"CWE-300: Channel Accessible by Non-Endpoint":2,"CWE-330: Use of Insufficiently Random Values":1,"CWE-242: Use of Inherently Dangerous Function":1,"CWE-311: Missing Encryption of Sensitive Data":1,"CWE-523: Unprotected Transport of Credentials":1,"CWE-668: Exposure of Resource to Wrong Sphere":2,"CWE-73: External Control of File Name or Path":1,"CWE-676: Use of Potentially Dangerous Function":5,"CWE-116: Improper Encoding or Escaping of Output":1,"CWE-1004: Sensitive Cookie Without 'HttpOnly' 
Flag":1,"CWE-134: Use of Externally-Controlled Format String":1,"CWE-322: Key Exchange without Entity Authentication":2,"CWE-329: Generation of Predictable IV with CBC Mode":1,"CWE-319: Cleartext Transmission of Sensitive Information":6,"CWE-327: Use of a Broken or Risky Cryptographic Algorithm":17,"CWE-601: URL Redirection to Untrusted Site ('Open Redirect')":4,"CWE-441: Unintended Proxy or Intermediary ('Confused Deputy')":1,"CWE-1021: Improper Restriction of Rendered UI Layers or Frames":1,"CWE-297: Improper Validation of Certificate with Host Mismatch":1,"CWE-611: Improper Restriction of XML External Entity Reference":7,"CWE-942: Permissive Cross-domain Policy with Untrusted Domains":1,"CWE-913: Improper Control of Dynamically-Managed Code Resources":2,"CWE-939: Improper Authorization in Handler for Custom URL Scheme":1,"CWE-155: Improper Neutralization of Wildcards or Matching Symbols":1,"CWE-94: Improper Control of Generation of Code ('Code Injection')":7,"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor":5,"CWE-264: CWE CATEGORY: Permissions, Privileges, and Access Controls":1,"CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')":1,"CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute":3,"CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)":2,"CWE-774: Allocation of File Descriptors or Handles Without Limits or Throttling":1,"CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer":1,"CWE-643: Improper Neutralization of Data within XPath Expressions ('XPath Injection')":1,"CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')":6,"CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes":4,"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')":26,"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')":9,"CWE-90: 
Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')":3,"CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')":1,"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')":8,"CWE-96: Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')":3,"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')":8,"CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')":2,"CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')":2},"per_framework":{"CWE-415: Double Free":{"c":{"":1}},"CWE-369: Divide By Zero":{"ruby":{"":1}},"CWE-416: Use After Free":{"c":{"":1}},"CWE-328: Use of Weak Hash":{"go":{"":2},"java":{"":2},"ruby":{"":2}},"CWE-489: Active Debug Code":{"go":{"":1},"python":{"":5}},"CWE-287: Improper Authentication":{"java":{"":1}},"CWE-377: Insecure Temporary File":{"go":{"":1}},"CWE-501: Trust Boundary Violation":{"java":{"":1}},"CWE-16: CWE CATEGORY: Configuration":{"generic":{"":3}},"CWE-521: Weak Password Requirements":{"python":{"":2}},"CWE-269: Improper Privilege Management":{"dockerfile":{"":1}},"CWE-276: Incorrect Default Permissions":{"java":{"":1}},"CWE-798: Use of Hard-coded Credentials":{"go":{"":1},"ruby":{"":1},"python":{"":2},"javascript":{"":2}},"CWE-326: Inadequate Encryption Strength":{"java":{"":5},"python":{"":3},"generic":{"":2}},"CWE-295: Improper Certificate Validation":{"java":{"":2},"ruby":{"":1},"python":{"":3}},"CWE-183: Permissive List of Allowed Inputs":{"java":{"":1}},"CWE-352: Cross-Site Request Forgery (CSRF)":{"java":{"":2},"ruby":{"":1},"python":{"":2},"javascript":{"":1}},"CWE-400: Uncontrolled Resource Consumption":{"go":{"":1}},"CWE-502: Deserialization of Untrusted Data":{"java":{"":2},"ruby":{"":1},"python":{"":9},"javascript":{"":1}},"CWE-704: 
Incorrect Type Conversion or Cast":{"java":{"":1}},"CWE-300: Channel Accessible by Non-Endpoint":{"go":{"":2}},"CWE-330: Use of Insufficiently Random Values":{"java":{"":1}},"CWE-242: Use of Inherently Dangerous Function":{"go":{"":1}},"CWE-311: Missing Encryption of Sensitive Data":{"ruby":{"":1}},"CWE-523: Unprotected Transport of Credentials":{"python":{"":1}},"CWE-668: Exposure of Resource to Wrong Sphere":{"python":{"":2}},"CWE-73: External Control of File Name or Path":{"python":{"":1}},"CWE-676: Use of Potentially Dangerous Function":{"c":{"":5}},"CWE-116: Improper Encoding or Escaping of Output":{"javascript":{"":1}},"CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag":{"java":{"":1}},"CWE-134: Use of Externally-Controlled Format String":{"c":{"":1}},"CWE-322: Key Exchange without Entity Authentication":{"go":{"":1},"python":{"":1}},"CWE-329: Generation of Predictable IV with CBC Mode":{"java":{"":1}},"CWE-319: Cleartext Transmission of Sensitive Information":{"go":{"":1},"java":{"":1},"python":{"":2},"generic":{"":1},"typescript":{"":1}},"CWE-327: Use of a Broken or Risky Cryptographic Algorithm":{"go":{"":5},"java":{"":3},"python":{"":7},"javascript":{"":2}},"CWE-601: URL Redirection to Untrusted Site ('Open Redirect')":{"java":{"":2},"python":{"":1},"javascript":{"":1}},"CWE-441: Unintended Proxy or Intermediary ('Confused Deputy')":{"generic":{"":1}},"CWE-1021: Improper Restriction of Rendered UI Layers or Frames":{"ruby":{"":1}},"CWE-297: Improper Validation of Certificate with Host Mismatch":{"java":{"":1}},"CWE-611: Improper Restriction of XML External Entity Reference":{"java":{"":3},"python":{"":1},"javascript":{"":3}},"CWE-942: Permissive Cross-domain Policy with Untrusted Domains":{"hcl":{"":1}},"CWE-913: Improper Control of Dynamically-Managed Code Resources":{"go":{"":2}},"CWE-939: Improper Authorization in Handler for Custom URL Scheme":{"python":{"":1}},"CWE-155: Improper Neutralization of Wildcards or Matching 
Symbols":{"python":{"":1}},"CWE-94: Improper Control of Generation of Code ('Code Injection')":{"go":{"":1},"java":{"":3},"ruby":{"":3}},"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor":{"go":{"":1},"hcl":{"":2},"java":{"":1},"python":{"":1}},"CWE-264: CWE CATEGORY: Permissions, Privileges, and Access Controls":{"json":{"":1}},"CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')":{"java":{"":1}},"CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute":{"java":{"":1},"python":{"":2}},"CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)":{"go":{"":1},"javascript":{"":1}},"CWE-774: Allocation of File Descriptors or Handles Without Limits or Throttling":{"c":{"":1}},"CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer":{"javascript":{"":1}},"CWE-643: Improper Neutralization of Data within XPath Expressions ('XPath Injection')":{"java":{"":1}},"CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')":{"go":{"":1},"java":{"":2},"ruby":{"":1},"python":{"":1},"generic":{"":1}},"CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes":{"ruby":{"":3},"python":{"":1}},"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')":{"go":{"":5},"java":{"":3},"regex":{"":4},"python":{"":6},"generic":{"":5},"javascript":{"":1},"typescript":{"":2}},"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')":{"go":{"":1},"java":{"":3},"python":{"":5}},"CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')":{"java":{"":3}},"CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')":{"python":{"":1}},"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')":{"python":{"":7},"javascript":{"":1}},"CWE-96: Improper Neutralization of 
Directives in Statically Saved Code ('Static Code Injection')":{"python":{"":3}},"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')":{"java":{"":2},"python":{"":4},"javascript":{"":2}},"CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')":{"java":{"":1},"generic":{"":1}},"CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')":{"python":{"":2}}},"rules_with_no_cwe":[]},"owasp":{"totals":{"":12,"A01:2017: Injection":23,"A03:2021: Injection":72,"A05:2025: Injection":72,"A04:2021: Insecure Design":6,"A06:2025: Insecure Design":6,"A01:2021: Broken Access Control":29,"A01:2025: Broken Access Control":29,"A02:2017: Broken Authentication":2,"A05:2017: Broken Access Control":7,"A02:2021: Cryptographic Failures":46,"A04:2025: Cryptographic Failures":46,"A03:2017: Sensitive Data Exposure":47,"A07:2025: Authentication Failures":18,"A08:2017: Insecure Deserialization":13,"A02:2025: Security Misconfiguration":20,"A05:2021: Security Misconfiguration":20,"A06:2017: Security Misconfiguration":5,"A07:2017: Cross-Site Scripting (XSS)":26,"A04:2017: XML External Entities (XXE)":8,"A08:2025: Software or Data Integrity Failures":17,"A08:2021: Software and Data Integrity Failures":17,"A07:2021: Identification and Authentication Failures":18},"per_framework":{"":{"c":{"":8},"go":{"":2},"ruby":{"":1},"javascript":{"":1}},"A01:2017: Injection":{"c":{"":1},"go":{"":1},"java":{"":8},"python":{"":11},"javascript":{"":2}},"A03:2021: Injection":{"c":{"":1},"go":{"":7},"java":{"":17},"ruby":{"":3},"regex":{"":4},"python":{"":27},"generic":{"":6},"javascript":{"":5},"typescript":{"":2}},"A05:2025: Injection":{"c":{"":1},"go":{"":7},"java":{"":17},"ruby":{"":3},"regex":{"":4},"python":{"":27},"generic":{"":6},"javascript":{"":5},"typescript":{"":2}},"A04:2021: Insecure 
Design":{"java":{"":2},"ruby":{"":2},"python":{"":1},"dockerfile":{"":1}},"A06:2025: Insecure Design":{"java":{"":2},"ruby":{"":2},"python":{"":1},"dockerfile":{"":1}},"A01:2021: Broken Access Control":{"go":{"":5},"hcl":{"":2},"java":{"":8},"json":{"":1},"ruby":{"":2},"python":{"":7},"generic":{"":2},"javascript":{"":2}},"A01:2025: Broken Access Control":{"go":{"":5},"hcl":{"":2},"java":{"":8},"json":{"":1},"ruby":{"":2},"python":{"":7},"generic":{"":2},"javascript":{"":2}},"A02:2017: Broken Authentication":{"java":{"":1},"python":{"":1}},"A05:2017: Broken Access Control":{"go":{"":1},"java":{"":2},"ruby":{"":1},"python":{"":1},"generic":{"":1},"javascript":{"":1}},"A02:2021: Cryptographic Failures":{"go":{"":10},"java":{"":13},"ruby":{"":2},"python":{"":14},"generic":{"":3},"javascript":{"":3},"typescript":{"":1}},"A04:2025: Cryptographic Failures":{"go":{"":10},"java":{"":13},"ruby":{"":2},"python":{"":14},"generic":{"":3},"javascript":{"":3},"typescript":{"":1}},"A03:2017: Sensitive Data Exposure":{"go":{"":8},"java":{"":14},"ruby":{"":4},"python":{"":15},"generic":{"":3},"javascript":{"":2},"typescript":{"":1}},"A07:2025: Authentication Failures":{"go":{"":3},"java":{"":4},"ruby":{"":2},"python":{"":7},"javascript":{"":2}},"A08:2017: Insecure Deserialization":{"java":{"":2},"ruby":{"":1},"python":{"":9},"javascript":{"":1}},"A02:2025: Security Misconfiguration":{"hcl":{"":1},"java":{"":5},"python":{"":8},"generic":{"":3},"javascript":{"":3}},"A05:2021: Security Misconfiguration":{"hcl":{"":1},"java":{"":5},"python":{"":8},"generic":{"":3},"javascript":{"":3}},"A06:2017: Security Misconfiguration":{"go":{"":1},"python":{"":1},"generic":{"":3}},"A07:2017: Cross-Site Scripting (XSS)":{"go":{"":5},"java":{"":3},"regex":{"":4},"python":{"":6},"generic":{"":5},"javascript":{"":1},"typescript":{"":2}},"A04:2017: XML External Entities (XXE)":{"java":{"":3},"python":{"":2},"javascript":{"":3}},"A08:2025: Software or Data Integrity 
Failures":{"java":{"":2},"ruby":{"":4},"python":{"":10},"javascript":{"":1}},"A08:2021: Software and Data Integrity Failures":{"java":{"":2},"ruby":{"":4},"python":{"":10},"javascript":{"":1}},"A07:2021: Identification and Authentication Failures":{"go":{"":3},"java":{"":4},"ruby":{"":2},"python":{"":7},"javascript":{"":2}}},"rules_with_no_owasp":["insecure-use-gets-fn","insecure-use-printf-fn","insecure-use-scanf-fn","insecure-use-strcat-fn","insecure-use-string-copy-fn","insecure-use-strtok-fn","use-after-free","random-fd-exhaustion","use-of-unsafe-block","potential-dos-via-decompression-bomb","detect-buffer-noassert","divide-by-zero"]}},"author":"Semgrep","counts":{"total_rules":225,"premium_rules":0},"username":"semgrep","languages":["Ruby","JavaScript","Go","Java","C"],"description":"Scan code for potential security issues that require additional review. Recommended for teams looking to set up guardrails or to flag troublesome spots for further review.","id":"r0R","name":"security-audit","visibility":"public","categories":[]},{"tags":["owasp","sf","owasp sf","security","correctness","A1: Injection","A2: Broken Authentication","A3: Sensitive Data Exposure","A6: Security Misconfiguration","A7: Cross-site Scripting (XSS)","A8: Insecure Deserialization"],"stats":{"cwe":{"totals":{"":5,"CWE-798: Use of Hard-coded Credentials":1,"CWE-502: Deserialization of Untrusted Data":1,"CWE-523: Unprotected Transport of Credentials":1,"CWE-73: External Control of File Name or Path":1,"CWE-319: Cleartext Transmission of Sensitive Information":1,"CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute":1,"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')":2,"CWE-96: Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')":1},"per_framework":{"":{"go":{"":2},"python":{"":2},"javascript":{"":1}},"CWE-798: Use of Hard-coded Credentials":{"python":{"":1}},"CWE-502: Deserialization of Untrusted 
Data":{"python":{"":1}},"CWE-523: Unprotected Transport of Credentials":{"python":{"":1}},"CWE-73: External Control of File Name or Path":{"python":{"":1}},"CWE-319: Cleartext Transmission of Sensitive Information":{"go":{"":1}},"CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute":{"python":{"":1}},"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')":{"python":{"":2}},"CWE-96: Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')":{"python":{"":1}}},"rules_with_no_cwe":["eqeq-is-bad","eqeq-is-bad","hardcoded-eq-true-or-false","useless-eqeq","use-sys-exit"]},"owasp":{"totals":{"":5,"A03:2021: Injection":3,"A05:2025: Injection":3,"A04:2021: Insecure Design":1,"A06:2025: Insecure Design":1,"A02:2017: Broken Authentication":1,"A02:2021: Cryptographic Failures":2,"A04:2025: Cryptographic Failures":2,"A03:2017: Sensitive Data Exposure":1,"A07:2025: Authentication Failures":1,"A08:2017: Insecure Deserialization":1,"A02:2025: Security Misconfiguration":1,"A05:2021: Security Misconfiguration":1,"A07:2017: Cross-Site Scripting (XSS)":2,"A08:2025: Software or Data Integrity Failures":1,"A08:2021: Software and Data Integrity Failures":1,"A07:2021: Identification and Authentication Failures":1},"per_framework":{"":{"go":{"":2},"python":{"":2},"javascript":{"":1}},"A03:2021: Injection":{"python":{"":3}},"A05:2025: Injection":{"python":{"":3}},"A04:2021: Insecure Design":{"python":{"":1}},"A06:2025: Insecure Design":{"python":{"":1}},"A02:2017: Broken Authentication":{"python":{"":1}},"A02:2021: Cryptographic Failures":{"go":{"":1},"python":{"":1}},"A04:2025: Cryptographic Failures":{"go":{"":1},"python":{"":1}},"A03:2017: Sensitive Data Exposure":{"go":{"":1}},"A07:2025: Authentication Failures":{"python":{"":1}},"A08:2017: Insecure Deserialization":{"python":{"":1}},"A02:2025: Security Misconfiguration":{"python":{"":1}},"A05:2021: Security 
Misconfiguration":{"python":{"":1}},"A07:2017: Cross-Site Scripting (XSS)":{"python":{"":2}},"A08:2025: Software or Data Integrity Failures":{"python":{"":1}},"A08:2021: Software and Data Integrity Failures":{"python":{"":1}},"A07:2021: Identification and Authentication Failures":{"python":{"":1}}},"rules_with_no_owasp":["eqeq-is-bad","eqeq-is-bad","hardcoded-eq-true-or-false","useless-eqeq","use-sys-exit"]}},"author":"Grayson Hardaway","counts":{"total_rules":14,"premium_rules":0},"hidden":true,"username":"minusworld","languages":["Python","JavaScript","Go"],"description":"Ruleset for OWASP SF","id":"KvX","name":"owasp-sf","visibility":"public","categories":[]},{"tags":["semgrep","configuration","github actions"],"stats":{"cwe":{"totals":{"":1},"per_framework":{"":{"yaml":{"":1}}},"rules_with_no_cwe":["semgrep-github-action-push-without-branches"]},"owasp":{"totals":{"":1},"per_framework":{"":{"yaml":{"":1}}},"rules_with_no_owasp":["semgrep-github-action-push-without-branches"]}},"author":"Semgrep","counts":{"total_rules":1,"premium_rules":0},"username":"semgrep","languages":["yaml"],"description":"Collection of rules preventing semgrep misconfigurations","id":"x8Yj","name":"semgrep-misconfigurations","visibility":"public","categories":[]},{"tags":["security"],"stats":{"cwe":{"totals":{"CWE-415: Double Free":2,"CWE-416: Use After Free":6,"CWE-114: Process Control":1,"CWE-328: Use of Weak Hash":1,"CWE-125: Out-of-bounds Read":7,"CWE-787: Out-of-bounds Write":4,"CWE-476: NULL Pointer Dereference":1,"CWE-326: Inadequate Encryption Strength":1,"CWE-295: Improper Certificate Validation":2,"CWE-467: Use of sizeof() on a Pointer Type":2,"CWE-918: Server-Side Request Forgery (SSRF)":1,"CWE-131: Incorrect Calculation of Buffer Size":1,"CWE-676: Use of Potentially Dangerous Function":1,"CWE-14: Compiler Removal of Code to Clear Buffers":1,"CWE-134: Use of Externally-Controlled Format String":1,"CWE-319: Cleartext Transmission of Sensitive Information":1,"CWE-327: Use of a 
Broken or Risky Cryptographic Algorithm":2,"CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition":2,"CWE-611: Improper Restriction of XML External Entity Reference":4,"CWE-732: Incorrect Permission Assignment for Critical Resource":1,"CWE-337: Predictable Seed in Pseudo-Random Number Generator (PRNG)":2,"CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')":2,"CWE-774: Allocation of File Descriptors or Handles Without Limits or Throttling":1,"CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')":1,"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')":1,"CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')":2,"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')":2},"per_framework":{"CWE-415: Double Free":{"cpp":{"":2}},"CWE-416: Use After Free":{"cpp":{"":6}},"CWE-114: Process Control":{"cpp":{"":1}},"CWE-328: Use of Weak Hash":{"cpp":{"":1}},"CWE-125: Out-of-bounds Read":{"cpp":{"":7}},"CWE-787: Out-of-bounds Write":{"cpp":{"":4}},"CWE-476: NULL Pointer Dereference":{"cpp":{"":1}},"CWE-326: Inadequate Encryption Strength":{"cpp":{"":1}},"CWE-295: Improper Certificate Validation":{"cpp":{"":2}},"CWE-467: Use of sizeof() on a Pointer Type":{"cpp":{"":2}},"CWE-918: Server-Side Request Forgery (SSRF)":{"cpp":{"":1}},"CWE-131: Incorrect Calculation of Buffer Size":{"cpp":{"":1}},"CWE-676: Use of Potentially Dangerous Function":{"c":{"":1}},"CWE-14: Compiler Removal of Code to Clear Buffers":{"cpp":{"":1}},"CWE-134: Use of Externally-Controlled Format String":{"cpp":{"":1}},"CWE-319: Cleartext Transmission of Sensitive Information":{"cpp":{"":1}},"CWE-327: Use of a Broken or Risky Cryptographic Algorithm":{"cpp":{"":2}},"CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition":{"cpp":{"":2}},"CWE-611: Improper Restriction of XML External Entity 
Reference":{"cpp":{"":4}},"CWE-732: Incorrect Permission Assignment for Critical Resource":{"cpp":{"":1}},"CWE-337: Predictable Seed in Pseudo-Random Number Generator (PRNG)":{"cpp":{"":2}},"CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')":{"cpp":{"":2}},"CWE-774: Allocation of File Descriptors or Handles Without Limits or Throttling":{"c":{"":1}},"CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')":{"cpp":{"":1}},"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')":{"cpp":{"":1}},"CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')":{"cpp":{"":2}},"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')":{"cpp":{"":2}}},"rules_with_no_cwe":[]},"owasp":{"totals":{"":32,"A01:2017: Injection":5,"A03:2021: Injection":5,"A05:2025: Injection":5,"A01:2021: Broken Access Control":1,"A01:2025: Broken Access Control":2,"A05:2017: Broken Access Control":1,"A02:2021: Cryptographic Failures":7,"A04:2025: Cryptographic Failures":7,"A03:2017: Sensitive Data Exposure":7,"A07:2025: Authentication Failures":2,"A02:2025: Security Misconfiguration":4,"A05:2021: Security Misconfiguration":4,"A04:2017: XML External Entities (XXE)":4,"A10:2021: Server-Side Request Forgery (SSRF)":1,"A10:2025: Mishandling of Exceptional Conditions":1,"A07:2021: Identification and Authentication Failures":2},"per_framework":{"":{"c":{"":2},"cpp":{"":30}},"A01:2017: Injection":{"cpp":{"":5}},"A03:2021: Injection":{"cpp":{"":5}},"A05:2025: Injection":{"cpp":{"":5}},"A01:2021: Broken Access Control":{"cpp":{"":1}},"A01:2025: Broken Access Control":{"cpp":{"":2}},"A05:2017: Broken Access Control":{"cpp":{"":1}},"A02:2021: Cryptographic Failures":{"cpp":{"":7}},"A04:2025: Cryptographic Failures":{"cpp":{"":7}},"A03:2017: Sensitive Data Exposure":{"cpp":{"":7}},"A07:2025: Authentication 
Failures":{"cpp":{"":2}},"A02:2025: Security Misconfiguration":{"cpp":{"":4}},"A05:2021: Security Misconfiguration":{"cpp":{"":4}},"A04:2017: XML External Entities (XXE)":{"cpp":{"":4}},"A10:2021: Server-Side Request Forgery (SSRF)":{"cpp":{"":1}},"A10:2025: Mishandling of Exceptional Conditions":{"cpp":{"":1}},"A07:2021: Identification and Authentication Failures":{"cpp":{"":2}}},"rules_with_no_owasp":["insecure-use-gets-fn","random-fd-exhaustion","memset-removal","sizeof-pointer-type","sizeof-this","std-return-data","std-vector-invalidation","file-access-before-action","file-stat-before-action","world-writable-file","format-string-injection","dynamic-library-path","tainted-allocation-size","double-delete","double-free","negative-return-value-array-index","unvalidated-array-index","alloc-strlen","missing-nul-cpp-string-memcpy","narrow-to-wide-string-mismatch","readlink-null-terminator","return-c-str","snprintf-return-value-length","snprintf-return-value-snprintf","snprintf-source-size","std-string-npos","string-view-data-null-terminator","string-view-temporary-string","unbounded-copy-to-stack-buffer","wide-to-narrow-string-mismatch","local-variable-malloc-free","local-variable-new-delete"]}},"author":"Semgrep","counts":{"total_rules":53,"premium_rules":51},"username":"semgrep","languages":["C","C++"],"description":"Default ruleset for C and C++, curated by Semgrep.","id":"l0YG","name":"c","visibility":"public","categories":[]},{"tags":["semgrep","security","typescript","javascript"],"stats":{"cwe":{"totals":{"CWE-94: Improper Control of Generation of Code ('Code Injection')":2,"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')":6,"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')":2},"per_framework":{"CWE-94: Improper Control of Generation of Code ('Code Injection')":{"javascript":{"":2}},"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site 
Scripting')":{"javascript":{"":5},"typescript":{"":1}},"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')":{"javascript":{"":2}}},"rules_with_no_cwe":[]},"owasp":{"totals":{"A03:2021: Injection":10,"A05:2025: Injection":10,"A07:2017: Cross-Site Scripting (XSS)":6},"per_framework":{"A03:2021: Injection":{"javascript":{"":9},"typescript":{"":1}},"A05:2025: Injection":{"javascript":{"":9},"typescript":{"":1}},"A07:2017: Cross-Site Scripting (XSS)":{"javascript":{"":5},"typescript":{"":1}}},"rules_with_no_owasp":[]}},"author":"Semgrep","counts":{"total_rules":10,"premium_rules":0},"hidden":true,"username":"semgrep","languages":["TypeScript","JavaScript"],"description":"electron desktop app","id":"8JE","name":"electron-desktop-app","visibility":"public","categories":[]},{"tags":["security","ci","security","dockerfile"],"stats":{"cwe":{"totals":{},"per_framework":{},"rules_with_no_cwe":[]},"owasp":{"totals":{},"per_framework":{},"rules_with_no_owasp":[]}},"author":"Semgrep","counts":{"total_rules":0,"premium_rules":0},"username":"semgrep","languages":["generic"],"description":"Security checks for lockfiles.","id":"0oNr","name":"lockfiles","visibility":"public","categories":[]},{"tags":["semgrep","security","react","reactjs","typescript"],"stats":{"cwe":{"totals":{"CWE-319: Cleartext Transmission of Sensitive Information":1,"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')":17},"per_framework":{"CWE-319: Cleartext Transmission of Sensitive Information":{"typescript":{"":1}},"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')":{"typescript":{"":17}}},"rules_with_no_cwe":[]},"owasp":{"totals":{"A03:2021: Injection":17,"A05:2025: Injection":17,"A02:2021: Cryptographic Failures":1,"A04:2025: Cryptographic Failures":1,"A03:2017: Sensitive Data Exposure":1,"A07:2017: Cross-Site Scripting (XSS)":17},"per_framework":{"A03:2021: 
Injection":{"typescript":{"":17}},"A05:2025: Injection":{"typescript":{"":17}},"A02:2021: Cryptographic Failures":{"typescript":{"":1}},"A04:2025: Cryptographic Failures":{"typescript":{"":1}},"A03:2017: Sensitive Data Exposure":{"typescript":{"":1}},"A07:2017: Cross-Site Scripting (XSS)":{"typescript":{"":17}}},"rules_with_no_owasp":[]}},"author":"Semgrep","counts":{"total_rules":18,"premium_rules":16},"username":"semgrep","languages":["TypeScript"],"description":"React rules available to team tier customers, this rule-pack would be the most recommended due to higher accuracy of sources.","id":"wprn","name":"react-team-tier","visibility":"public","categories":[]},{"tags":["security","supply_chain","trojan source"],"stats":{"cwe":{"totals":{"CWE-94: Improper Control of Generation of Code ('Code Injection')":1},"per_framework":{"CWE-94: Improper Control of Generation of Code ('Code Injection')":{"bash":{"":1}}},"rules_with_no_cwe":[]},"owasp":{"totals":{"A03:2021: Injection":1,"A05:2025: Injection":1},"per_framework":{"A03:2021: Injection":{"bash":{"":1}},"A05:2025: Injection":{"bash":{"":1}}},"rules_with_no_owasp":[]}},"author":"Semgrep","counts":{"total_rules":1,"premium_rules":0},"username":"semgrep","languages":["generic"],"description":"Use Semgrep to scan for supply chain-related issues.","id":"qNqB","name":"supply-chain","visibility":"public","categories":[]},{"tags":["security"],"stats":{"cwe":{"totals":{},"per_framework":{},"rules_with_no_cwe":[]},"owasp":{"totals":{},"per_framework":{},"rules_with_no_owasp":[]}},"author":"Semgrep","counts":{"total_rules":0,"premium_rules":0},"hidden":true,"username":"semgrep","languages":["C","C++"],"description":"Alpha ruleset for C/C++. Scan code for potential security issues that require additional review. 
Recommended for security engineers or consultants who don't mind false positives and are looking to flag troublesome spots for further review.","id":"WOZL","name":"cpp-alpha-audit","visibility":"public","categories":[]},{"tags":["security","terraform","hcl"],"stats":{"cwe":{"totals":{"CWE-1390: Weak Authentication":1,"CWE-778: Insufficient Logging":5,"CWE-287: Improper Authentication":1,"CWE-262: Not Using Password Aging":2,"CWE-693: Protection Mechanism Failure":1,"CWE-798: Use of Hard-coded Credentials":1,"CWE-326: Inadequate Encryption Strength":18,"CWE-295: Improper Certificate Validation":1,"CWE-918: Server-Side Request Forgery (SSRF)":1,"CWE-320: CWE CATEGORY: Key Management Errors":8,"CWE-311: Missing Encryption of Sensitive Data":4,"CWE-522: Insufficiently Protected Credentials":1,"CWE-250: Execution with Unnecessary Privileges":1,"CWE-1220: Insufficient Granularity of Access Control":4,"CWE-345: Insufficient Verification of Data Authenticity":1,"CWE-319: Cleartext Transmission of Sensitive Information":3,"CWE-732: Incorrect Permission Assignment for Critical Resource":7,"CWE-94: Improper Control of Generation of Code ('Code Injection')":1,"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor":1,"CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')":1,"CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')":1},"per_framework":{"CWE-1390: Weak Authentication":{"hcl":{"":1}},"CWE-778: Insufficient Logging":{"hcl":{"":5}},"CWE-287: Improper Authentication":{"hcl":{"":1}},"CWE-262: Not Using Password Aging":{"hcl":{"":2}},"CWE-693: Protection Mechanism Failure":{"hcl":{"":1}},"CWE-798: Use of Hard-coded Credentials":{"hcl":{"":1}},"CWE-326: Inadequate Encryption Strength":{"hcl":{"":16},"terraform":{"":2}},"CWE-295: Improper Certificate Validation":{"hcl":{"":1}},"CWE-918: Server-Side Request Forgery (SSRF)":{"hcl":{"":1}},"CWE-320: CWE CATEGORY: Key Management 
Errors":{"hcl":{"":8}},"CWE-311: Missing Encryption of Sensitive Data":{"hcl":{"":4}},"CWE-522: Insufficiently Protected Credentials":{"hcl":{"":1}},"CWE-250: Execution with Unnecessary Privileges":{"hcl":{"":1}},"CWE-1220: Insufficient Granularity of Access Control":{"hcl":{"":4}},"CWE-345: Insufficient Verification of Data Authenticity":{"hcl":{"":1}},"CWE-319: Cleartext Transmission of Sensitive Information":{"hcl":{"":3}},"CWE-732: Incorrect Permission Assignment for Critical Resource":{"hcl":{"":7}},"CWE-94: Improper Control of Generation of Code ('Code Injection')":{"terraform":{"":1}},"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor":{"hcl":{"":1}},"CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')":{"hcl":{"":1}},"CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')":{"terraform":{"":1}}},"rules_with_no_cwe":[]},"owasp":{"totals":{"":3,"A01:2017: Injection":1,"A03:2021: Injection":1,"A05:2025: Injection":1,"A04:2021: Insecure Design":6,"A06:2025: Insecure Design":6,"A01:2021: Broken Access Control":5,"A01:2025: Broken Access Control":6,"A02:2017: Broken Authentication":2,"A05:2017: Broken Access Control":2,"A02:2021: Cryptographic Failures":21,"A04:2025: Cryptographic Failures":21,"A03:2017: Sensitive Data Exposure":34,"A05:2017: Sensitive Data Exposure":1,"A07:2025: Authentication Failures":4,"A02:2025: Security Misconfiguration":8,"A05:2021: Security Misconfiguration":8,"A06:2017: Security Misconfiguration":1,"A10:2017: Insufficient Logging & Monitoring":2,"A10:2021: Server-Side Request Forgery (SSRF)":1,"A08:2025: Software or Data Integrity Failures":1,"A08:2021: Software and Data Integrity Failures":1,"A09:2025: Security Logging & Alerting Failures":4,"A09:2021 Security Logging and Monitoring Failures":1,"A09:2021: Security Logging and Monitoring Failures":4,"A07:2021: Identification and Authentication 
Failures":4},"per_framework":{"":{"hcl":{"":3}},"A01:2017: Injection":{"terraform":{"":1}},"A03:2021: Injection":{"terraform":{"":1}},"A05:2025: Injection":{"terraform":{"":1}},"A04:2021: Insecure Design":{"hcl":{"":6}},"A06:2025: Insecure Design":{"hcl":{"":6}},"A01:2021: Broken Access Control":{"hcl":{"":5}},"A01:2025: Broken Access Control":{"hcl":{"":6}},"A02:2017: Broken Authentication":{"hcl":{"":2}},"A05:2017: Broken Access Control":{"hcl":{"":2}},"A02:2021: Cryptographic Failures":{"hcl":{"":19},"terraform":{"":2}},"A04:2025: Cryptographic Failures":{"hcl":{"":19},"terraform":{"":2}},"A03:2017: Sensitive Data Exposure":{"hcl":{"":32},"terraform":{"":2}},"A05:2017: Sensitive Data Exposure":{"hcl":{"":1}},"A07:2025: Authentication Failures":{"hcl":{"":4}},"A02:2025: Security Misconfiguration":{"hcl":{"":8}},"A05:2021: Security Misconfiguration":{"hcl":{"":8}},"A06:2017: Security Misconfiguration":{"hcl":{"":1}},"A10:2017: Insufficient Logging & Monitoring":{"hcl":{"":2}},"A10:2021: Server-Side Request Forgery (SSRF)":{"hcl":{"":1}},"A08:2025: Software or Data Integrity Failures":{"hcl":{"":1}},"A08:2021: Software and Data Integrity Failures":{"hcl":{"":1}},"A09:2025: Security Logging & Alerting Failures":{"hcl":{"":4}},"A09:2021 Security Logging and Monitoring Failures":{"hcl":{"":1}},"A09:2021: Security Logging and Monitoring Failures":{"hcl":{"":4}},"A07:2021: Identification and Authentication Failures":{"hcl":{"":4}}},"rules_with_no_owasp":["keyvault-ensure-key-expires","keyvault-ensure-secret-expires","keyvault-purge-enabled"]}},"author":"Semgrep","counts":{"total_rules":63,"premium_rules":0},"username":"semgrep","languages":["terraform"],"description":"Default ruleset for Terraform, curated by Semgrep.","id":"bKE","name":"terraform","visibility":"public","categories":[{"id":"aGe","slug":"configuration-files","name":"Configuration Files [Beta]","description":"Scan your configuration files using Semgrep's generic pattern 
matching."}]},{"tags":["security"],"stats":{"cwe":{"totals":{"CWE-328: Use of Weak Hash":1,"CWE-489: Active Debug Code":1,"CWE-23: Relative Path Traversal":1,"CWE-284: Improper Access Control":1,"CWE-798: Use of Hard-coded Credentials":1,"CWE-190: Integer Overflow or Wraparound":1,"CWE-352: Cross-Site Request Forgery (CSRF)":2,"CWE-502: Deserialization of Untrusted Data":1,"CWE-918: Server-Side Request Forgery (SSRF)":7,"CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag":1,"CWE-329: Generation of Predictable IV with CBC Mode":1,"CWE-319: Cleartext Transmission of Sensitive Information":1,"CWE-327: Use of a Broken or Risky Cryptographic Algorithm":1,"CWE-601: URL Redirection to Untrusted Site ('Open Redirect')":1,"CWE-611: Improper Restriction of XML External Entity Reference":4,"CWE-94: Improper Control of Generation of Code ('Code Injection')":4,"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor":1,"CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute":1,"CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')":2,"CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')":1,"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')":5,"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')":8,"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')":1,"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')":5},"per_framework":{"CWE-328: Use of Weak Hash":{"php":{"":1}},"CWE-489: Active Debug Code":{"php":{"":1}},"CWE-23: Relative Path Traversal":{"php":{"":1}},"CWE-284: Improper Access Control":{"php":{"":1}},"CWE-798: Use of Hard-coded Credentials":{"php":{"":1}},"CWE-190: Integer Overflow or Wraparound":{"php":{"":1}},"CWE-352: Cross-Site Request Forgery (CSRF)":{"php":{"":2}},"CWE-502: Deserialization of 
Untrusted Data":{"php":{"":1}},"CWE-918: Server-Side Request Forgery (SSRF)":{"php":{"":7}},"CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag":{"php":{"":1}},"CWE-329: Generation of Predictable IV with CBC Mode":{"php":{"":1}},"CWE-319: Cleartext Transmission of Sensitive Information":{"php":{"":1}},"CWE-327: Use of a Broken or Risky Cryptographic Algorithm":{"php":{"":1}},"CWE-601: URL Redirection to Untrusted Site ('Open Redirect')":{"php":{"":1}},"CWE-611: Improper Restriction of XML External Entity Reference":{"php":{"":4}},"CWE-94: Improper Control of Generation of Code ('Code Injection')":{"php":{"":4}},"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor":{"php":{"":1}},"CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute":{"php":{"":1}},"CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')":{"php":{"":2}},"CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')":{"php":{"":1}},"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')":{"php":{"":5}},"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')":{"php":{"":8}},"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')":{"php":{"":1}},"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')":{"php":{"":5}}},"rules_with_no_cwe":[]},"owasp":{"totals":{"":1,"A01:2017: Injection":13,"A03:2021: Injection":24,"A05:2025: Injection":24,"A01:2021: Broken Access Control":6,"A01:2025: Broken Access Control":12,"A05:2017: Broken Access Control":1,"A02:2021: Cryptographic Failures":4,"A04:2025: Cryptographic Failures":4,"A03:2017: Sensitive Data Exposure":3,"A07:2025: Authentication Failures":1,"A08:2017: Insecure Deserialization":1,"A02:2025: Security Misconfiguration":9,"A05:2021: Security Misconfiguration":9,"A06:2017: Security 
Misconfiguration":3,"A07:2017: Cross-Site Scripting (XSS)":5,"A04:2017: XML External Entities (XXE)":4,"A10:2021: Server-Side Request Forgery (SSRF)":7,"A08:2025: Software or Data Integrity Failures":1,"A08:2021: Software and Data Integrity Failures":1,"A07:2021: Identification and Authentication Failures":1},"per_framework":{"":{"php":{"":1}},"A01:2017: Injection":{"php":{"":13}},"A03:2021: Injection":{"php":{"":24}},"A05:2025: Injection":{"php":{"":24}},"A01:2021: Broken Access Control":{"php":{"":6}},"A01:2025: Broken Access Control":{"php":{"":12}},"A05:2017: Broken Access Control":{"php":{"":1}},"A02:2021: Cryptographic Failures":{"php":{"":4}},"A04:2025: Cryptographic Failures":{"php":{"":4}},"A03:2017: Sensitive Data Exposure":{"php":{"":3}},"A07:2025: Authentication Failures":{"php":{"":1}},"A08:2017: Insecure Deserialization":{"php":{"":1}},"A02:2025: Security Misconfiguration":{"php":{"":9}},"A05:2021: Security Misconfiguration":{"php":{"":9}},"A06:2017: Security Misconfiguration":{"php":{"":3}},"A07:2017: Cross-Site Scripting (XSS)":{"php":{"":5}},"A04:2017: XML External Entities (XXE)":{"php":{"":4}},"A10:2021: Server-Side Request Forgery (SSRF)":{"php":{"":7}},"A08:2025: Software or Data Integrity Failures":{"php":{"":1}},"A08:2021: Software and Data Integrity Failures":{"php":{"":1}},"A07:2021: Identification and Authentication Failures":{"php":{"":1}}},"rules_with_no_owasp":["base-convert-loses-precision"]}},"author":"Semgrep","counts":{"total_rules":53,"premium_rules":29},"username":"semgrep","languages":["PHP"],"description":"Default ruleset for PHP, curated by Semgrep.","id":"1ZXw","name":"php","visibility":"public","categories":[]},{"tags":["ai","genai","semgrep","llms"],"stats":{"cwe":{"totals":{"":26,"CWE-77: Command Injection":10,"CWE-778: Insufficient Logging":6,"CWE-426: Untrusted Search Path":1,"CWE-862: Missing Authorization":3,"CWE-252: Unchecked Return Value":5,"CWE-285: Improper Authorization":1,"CWE-798: Use of Hard-coded 
Credentials":26,"CWE-295: Improper Certificate Validation":1,"CWE-352: Cross-Site Request Forgery (CSRF)":1,"CWE-918: Server-Side Request Forgery (SSRF)":1,"CWE-330: Use of Insufficiently Random Values":1,"CWE-522: Insufficiently Protected Credentials":1,"CWE-835: Loop with Unreachable Exit Condition":1,"CWE-94: Improper Control of Generation of Code":1,"CWE-116: Improper Encoding or Escaping of Output":2,"CWE-1188: Initialization with an Insecure Default":17,"CWE-345: Insufficient Verification of Data Authenticity":1,"CWE-1287: Improper Validation of Specified Type of Input":2,"CWE-327: Use of a Broken or Risky Cryptographic Algorithm":1,"CWE-347: Improper Verification of Cryptographic Signature":1,"CWE-532: Insertion of Sensitive Information into Log File":1,"CWE-639: Authorization Bypass Through User-Controlled Key":1,"CWE-201: Insertion of Sensitive Information Into Sent Data":1,"CWE-601: URL Redirection to Untrusted Site ('Open Redirect')":1,"CWE-754: Improper Check for Unusual or Exceptional Conditions":6,"CWE-770: Allocation of Resources Without Limits or Throttling":2,"CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop')":1,"CWE-829: Inclusion of Functionality from Untrusted Control Sphere":1,"CWE-94: Improper Control of Generation of Code ('Code Injection')":3,"CWE-307: Improper Restriction of Excessive Authentication Attempts":1,"CWE-923: Improper Restriction of Communication Channel to Intended Endpoints":1,"CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')":2,"CWE-538: Insertion of Sensitive Information into Externally-Accessible File or Directory":2,"CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')":4,"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')":3},"per_framework":{"":{"go":{"":2},"js":{"":6},"dart":{"":1},"swift":{"":2},"csharp":{"":1},"kotlin":{"":1},"python":{"":9},"generic":{"":4}},"CWE-77: Command 
Injection":{"python":{"":5},"javascript":{"":5}},"CWE-778: Insufficient Logging":{"python":{"":3},"javascript":{"":3}},"CWE-426: Untrusted Search Path":{"bash":{"":1}},"CWE-862: Missing Authorization":{"generic":{"":3}},"CWE-252: Unchecked Return Value":{"python":{"":3},"javascript":{"":2}},"CWE-285: Improper Authorization":{"generic":{"":1}},"CWE-798: Use of Hard-coded Credentials":{"go":{"":4},"java":{"":4},"ruby":{"":3},"python":{"":7},"generic":{"":1},"javascript":{"":7}},"CWE-295: Improper Certificate Validation":{"generic":{"":1}},"CWE-352: Cross-Site Request Forgery (CSRF)":{"generic":{"":1}},"CWE-918: Server-Side Request Forgery (SSRF)":{"python":{"":1}},"CWE-330: Use of Insufficiently Random Values":{"generic":{"":1}},"CWE-522: Insufficiently Protected Credentials":{"python":{"":1}},"CWE-835: Loop with Unreachable Exit Condition":{"generic":{"":1}},"CWE-94: Improper Control of Generation of Code":{"generic":{"":1}},"CWE-116: Improper Encoding or Escaping of Output":{"python":{"":1},"generic":{"":1}},"CWE-1188: Initialization with an Insecure Default":{"python":{"":9},"javascript":{"":8}},"CWE-345: Insufficient Verification of Data Authenticity":{"generic":{"":1}},"CWE-1287: Improper Validation of Specified Type of Input":{"bash":{"":1},"python":{"":1}},"CWE-327: Use of a Broken or Risky Cryptographic Algorithm":{"generic":{"":1}},"CWE-347: Improper Verification of Cryptographic Signature":{"generic":{"":1}},"CWE-532: Insertion of Sensitive Information into Log File":{"generic":{"":1}},"CWE-639: Authorization Bypass Through User-Controlled Key":{"generic":{"":1}},"CWE-201: Insertion of Sensitive Information Into Sent Data":{"generic":{"":1}},"CWE-601: URL Redirection to Untrusted Site ('Open Redirect')":{"generic":{"":1}},"CWE-754: Improper Check for Unusual or Exceptional Conditions":{"python":{"":5},"javascript":{"":1}},"CWE-770: Allocation of Resources Without Limits or Throttling":{"python":{"":1},"javascript":{"":1}},"CWE-835: Loop with Unreachable 
Exit Condition ('Infinite Loop')":{"python":{"":1}},"CWE-829: Inclusion of Functionality from Untrusted Control Sphere":{"generic":{"":1}},"CWE-94: Improper Control of Generation of Code ('Code Injection')":{"python":{"":2},"javascript":{"":1}},"CWE-307: Improper Restriction of Excessive Authentication Attempts":{"generic":{"":1}},"CWE-923: Improper Restriction of Communication Channel to Intended Endpoints":{"generic":{"":1}},"CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')":{"bash":{"":1},"python":{"":1}},"CWE-538: Insertion of Sensitive Information into Externally-Accessible File or Directory":{"python":{"":1},"generic":{"":1}},"CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')":{"python":{"":2},"generic":{"":1},"javascript":{"":1}},"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')":{"bash":{"":2},"python":{"":1}}},"rules_with_no_cwe":["detect-gemini","detect-generic-ai-anthprop","detect-generic-ai-api","detect-generic-ai-gem","detect-openai","detect-gemini","detect-anthropic","detect-gemini","detect-gemini","detect-mistral","detect-openai","detect-promptfoo","detect-vercel-ai","detect-openai","detect-huggingface","detect-langchain","detect-mistral","detect-openai","detect-tensorflow","detect-apple-core-ml","detect-gemini","detect-anthropic","detect-pytorch","detect-generic-ai-oai","detect-gemini","detect-langchain-with-model"]},"owasp":{"totals":{"":128,"A01:2021: Broken Access Control":4,"A02:2021: Cryptographic Failures":3,"A08:2021: Software and Data Integrity Failures":1,"A09:2021: Security Logging and Monitoring Failures":1,"A07:2021: Identification and Authentication Failures":2},"per_framework":{"":{"go":{"":6},"js":{"":6},"bash":{"":5},"dart":{"":1},"java":{"":4},"ruby":{"":3},"swift":{"":2},"csharp":{"":1},"kotlin":{"":1},"python":{"":54},"generic":{"":16},"javascript":{"":29}},"A01:2021: Broken Access 
Control":{"generic":{"":4}},"A02:2021: Cryptographic Failures":{"generic":{"":3}},"A08:2021: Software and Data Integrity Failures":{"generic":{"":1}},"A09:2021: Security Logging and Monitoring Failures":{"generic":{"":1}},"A07:2021: Identification and Authentication Failures":{"generic":{"":2}}},"rules_with_no_owasp":["detect-gemini","detect-generic-ai-anthprop","detect-generic-ai-api","detect-generic-ai-gem","detect-openai","detect-gemini","detect-anthropic","detect-gemini","detect-gemini","detect-mistral","detect-openai","detect-promptfoo","detect-vercel-ai","agent-unbounded-loop-python","ai-config-hidden-unicode-generic","anthropic-hardcoded-api-key-go","anthropic-hardcoded-api-key-java","anthropic-hardcoded-api-key-javascript","anthropic-hardcoded-api-key-python","anthropic-hardcoded-api-key-ruby","anthropic-missing-max-tokens-javascript","anthropic-missing-max-tokens-python","anthropic-missing-metadata-user-id-javascript","claude-settings-auto-enable-mcp-generic","claude-settings-bypass-permissions-generic","anthropic-missing-metadata-user-id-python","claude-settings-env-url-override-generic","anthropic-missing-refusal-check-javascript","anthropic-missing-refusal-check-python","cohere-no-error-handling","anthropic-missing-system-prompt-javascript","anthropic-missing-system-prompt-python","anthropic-no-error-handling-javascript","anthropic-no-error-handling","anthropic-user-input-in-system-prompt-js","gemini-no-error-handling","anthropic-user-input-in-system-prompt-python","detect-openai","detect-huggingface","detect-langchain","detect-mistral","detect-openai","detect-tensorflow","detect-apple-core-ml","detect-gemini","detect-anthropic","detect-pytorch","cohere-hardcoded-api-key-javascript","hooks-dns-exfiltration-generic","cohere-hardcoded-api-key-python","cohere-missing-safety-mode-javascript","hooks-relative-script-path-bash","cohere-missing-safety-mode-python","hooks-stop-missing-active-check-generic","cohere-safety-mode-off-javascript","hooks-unconditional-
allow-generic","hooks-unquoted-variable-bash-taint","cohere-safety-mode-off-python","hooks-unquoted-variable-bash-eval","hooks-wget-pipe-bash-generic","cohere-user-input-in-system-prompt-js","huggingface-no-error-handling","ide-settings-executable-path-generic","langchain-dangerous-exec-python","cohere-user-input-in-system-prompt-python","gemini-hardcoded-api-key-go","gemini-hardcoded-api-key-java","gemini-hardcoded-api-key-javascript","gemini-hardcoded-api-key-python","mcp-command-injection-python","gemini-missing-safety-settings-javascript","mcp-credential-in-response-python","gemini-missing-safety-settings-python","mcp-hardcoded-config-secret-generic","mcp-ssrf-python","mcp-tool-poisoning-generic","gemini-missing-system-instruction-javascript","mcp-unsanitized-return-python","gemini-missing-system-instruction-python","mistral-missing-moderation","gemini-user-input-in-system-prompt-js","gemini-user-input-in-system-prompt-python","mistral-no-error-handling","hooks-no-input-validation-bash","hooks-no-input-validation-python","hooks-path-traversal-bash","hooks-path-traversal-python","hooks-sensitive-file-access-bash","hooks-sensitive-file-access-python","openai-missing-moderation","openai-missing-moderation-check","huggingface-hardcoded-api-key-javascript","huggingface-hardcoded-api-key-python","llm-api-key-in-source-go","llm-api-key-in-source-java","llm-api-key-in-source-javascript","llm-api-key-in-source-python","llm-api-key-in-source-ruby","llm-output-to-exec-javascript","llm-output-to-exec-python","mistral-hardcoded-api-key-javascript","mistral-hardcoded-api-key-python","mistral-missing-safe-prompt-javascript","mistral-missing-safe-prompt-python","mistral-user-input-in-system-prompt-js","mistral-user-input-in-system-prompt-python","openai-hardcoded-api-key-go","openai-hardcoded-api-key-java","openai-hardcoded-api-key-javascript","openai-hardcoded-api-key-python","openai-hardcoded-api-key-ruby","openai-missing-max-tokens-javascript","openai-missing-max-tokens-pyth
on","openai-missing-refusal-check-javascript","openai-missing-refusal-check-python","openai-missing-safety-identifier-javascript","openai-missing-safety-identifier-python","openai-missing-system-message-js","openai-missing-system-message-python","openai-missing-user-parameter-javascript","openai-missing-user-parameter-python","openai-no-error-handling-javascript","openai-no-error-handling","openai-user-input-in-system-prompt-js","openai-user-input-in-system-prompt-python","detect-generic-ai-oai","detect-gemini","detect-langchain-with-model"]}},"author":"Semgrep","counts":{"total_rules":140,"premium_rules":1},"username":"semgrep","languages":["swift","csharp","Kotlin","Go","Python"],"description":"Shadow AI detection rules curated by Semgrep.","id":"1Gdx","name":"shadow-ai","visibility":"public","categories":[]},{"tags":["security","ai","best-practices"],"stats":{"cwe":{"totals":{"CWE-426: Untrusted Search Path":1,"CWE-862: Missing Authorization":3,"CWE-252: Unchecked Return Value":1,"CWE-798: Use of Hard-coded Credentials":1,"CWE-918: Server-Side Request Forgery (SSRF)":1,"CWE-522: Insufficiently Protected Credentials":1,"CWE-835: Loop with Unreachable Exit Condition":1,"CWE-94: Improper Control of Generation of Code":1,"CWE-116: Improper Encoding or Escaping of Output":2,"CWE-1188: Initialization with an Insecure Default":1,"CWE-201: Insertion of Sensitive Information Into Sent Data":1,"CWE-754: Improper Check for Unusual or Exceptional Conditions":4,"CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop')":1,"CWE-829: Inclusion of Functionality from Untrusted Control Sphere":1,"CWE-94: Improper Control of Generation of Code ('Code Injection')":1,"CWE-923: Improper Restriction of Communication Channel to Intended Endpoints":1,"CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')":2,"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')":3},"per_framework":{"CWE-426: 
Untrusted Search Path":{"bash":{"":1}},"CWE-862: Missing Authorization":{"generic":{"":3}},"CWE-252: Unchecked Return Value":{"python":{"":1}},"CWE-798: Use of Hard-coded Credentials":{"generic":{"":1}},"CWE-918: Server-Side Request Forgery (SSRF)":{"python":{"":1}},"CWE-522: Insufficiently Protected Credentials":{"python":{"":1}},"CWE-835: Loop with Unreachable Exit Condition":{"generic":{"":1}},"CWE-94: Improper Control of Generation of Code":{"generic":{"":1}},"CWE-116: Improper Encoding or Escaping of Output":{"python":{"":1},"generic":{"":1}},"CWE-1188: Initialization with an Insecure Default":{"python":{"":1}},"CWE-201: Insertion of Sensitive Information Into Sent Data":{"generic":{"":1}},"CWE-754: Improper Check for Unusual or Exceptional Conditions":{"python":{"":4}},"CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop')":{"python":{"":1}},"CWE-829: Inclusion of Functionality from Untrusted Control Sphere":{"generic":{"":1}},"CWE-94: Improper Control of Generation of Code ('Code Injection')":{"python":{"":1}},"CWE-923: Improper Restriction of Communication Channel to Intended Endpoints":{"generic":{"":1}},"CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')":{"python":{"":1},"generic":{"":1}},"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command 
Injection')":{"bash":{"":2},"python":{"":1}}},"rules_with_no_cwe":[]},"owasp":{"totals":{"":27},"per_framework":{"":{"bash":{"":3},"python":{"":13},"generic":{"":11}}},"rules_with_no_owasp":["agent-unbounded-loop-python","ai-config-hidden-unicode-generic","claude-settings-auto-enable-mcp-generic","claude-settings-bypass-permissions-generic","claude-settings-env-url-override-generic","cohere-no-error-handling","gemini-no-error-handling","hooks-dns-exfiltration-generic","hooks-relative-script-path-bash","hooks-stop-missing-active-check-generic","hooks-unconditional-allow-generic","hooks-unquoted-variable-bash-eval","hooks-unquoted-variable-bash-taint","hooks-wget-pipe-bash-generic","huggingface-no-error-handling","ide-settings-executable-path-generic","langchain-dangerous-exec-python","mcp-command-injection-python","mcp-credential-in-response-python","mcp-hardcoded-config-secret-generic","mcp-ssrf-python","mcp-tool-poisoning-generic","mcp-unsanitized-return-python","mistral-missing-moderation","mistral-no-error-handling","openai-missing-moderation-check","openai-missing-moderation"]}},"author":"Semgrep","counts":{"total_rules":27,"premium_rules":0},"username":"semgrep","languages":["python","javascript","typescript","go","java","ruby"],"description":"Best practices for building AI-powered applications, covering security, reliability, and safe integration patterns.","id":"Zkyp","name":"ai-best-practices","visibility":"public","categories":[]},{"tags":["semgrep","security","command injection","command","injection","eval","rce"],"stats":{"cwe":{"totals":{"CWE-94: Improper Control of Generation of Code ('Code Injection')":5},"per_framework":{"CWE-94: Improper Control of Generation of Code ('Code Injection')":{"ruby":{"":5}}},"rules_with_no_cwe":[]},"owasp":{"totals":{"A03:2021: Injection":5,"A05:2025: Injection":5},"per_framework":{"A03:2021: Injection":{"ruby":{"":5}},"A05:2025: Injection":{"ruby":{"":5}}},"rules_with_no_owasp":[]}},"author":"Vasilii 
Ermilov","counts":{"total_rules":5,"premium_rules":0},"hidden":true,"username":"inkz","languages":["ruby"],"description":"Secure defaults for command injection prevention.","id":"zQk","name":"ruby-command-injection","visibility":"public","categories":[]},{"tags":["owasp","security","correctness","A1: Injection","A2: Broken Authentication","A3: Sensitive Data Exposure","A6: Security Misconfiguration","A7: Cross-site Scripting (XSS)","A8: Insecure Deserialization"],"stats":{"cwe":{"totals":{"":5,"CWE-798: Use of Hard-coded Credentials":1,"CWE-502: Deserialization of Untrusted Data":1,"CWE-523: Unprotected Transport of Credentials":1,"CWE-73: External Control of File Name or Path":1,"CWE-319: Cleartext Transmission of Sensitive Information":1,"CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute":1,"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')":2,"CWE-96: Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')":1},"per_framework":{"":{"go":{"":2},"python":{"":2},"javascript":{"":1}},"CWE-798: Use of Hard-coded Credentials":{"python":{"":1}},"CWE-502: Deserialization of Untrusted Data":{"python":{"":1}},"CWE-523: Unprotected Transport of Credentials":{"python":{"":1}},"CWE-73: External Control of File Name or Path":{"python":{"":1}},"CWE-319: Cleartext Transmission of Sensitive Information":{"go":{"":1}},"CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute":{"python":{"":1}},"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')":{"python":{"":2}},"CWE-96: Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')":{"python":{"":1}}},"rules_with_no_cwe":["eqeq-is-bad","eqeq-is-bad","hardcoded-eq-true-or-false","useless-eqeq","use-sys-exit"]},"owasp":{"totals":{"":5,"A03:2021: Injection":3,"A05:2025: Injection":3,"A04:2021: Insecure Design":1,"A06:2025: Insecure Design":1,"A02:2017: Broken 
Authentication":1,"A02:2021: Cryptographic Failures":2,"A04:2025: Cryptographic Failures":2,"A03:2017: Sensitive Data Exposure":1,"A07:2025: Authentication Failures":1,"A08:2017: Insecure Deserialization":1,"A02:2025: Security Misconfiguration":1,"A05:2021: Security Misconfiguration":1,"A07:2017: Cross-Site Scripting (XSS)":2,"A08:2025: Software or Data Integrity Failures":1,"A08:2021: Software and Data Integrity Failures":1,"A07:2021: Identification and Authentication Failures":1},"per_framework":{"":{"go":{"":2},"python":{"":2},"javascript":{"":1}},"A03:2021: Injection":{"python":{"":3}},"A05:2025: Injection":{"python":{"":3}},"A04:2021: Insecure Design":{"python":{"":1}},"A06:2025: Insecure Design":{"python":{"":1}},"A02:2017: Broken Authentication":{"python":{"":1}},"A02:2021: Cryptographic Failures":{"go":{"":1},"python":{"":1}},"A04:2025: Cryptographic Failures":{"go":{"":1},"python":{"":1}},"A03:2017: Sensitive Data Exposure":{"go":{"":1}},"A07:2025: Authentication Failures":{"python":{"":1}},"A08:2017: Insecure Deserialization":{"python":{"":1}},"A02:2025: Security Misconfiguration":{"python":{"":1}},"A05:2021: Security Misconfiguration":{"python":{"":1}},"A07:2017: Cross-Site Scripting (XSS)":{"python":{"":2}},"A08:2025: Software or Data Integrity Failures":{"python":{"":1}},"A08:2021: Software and Data Integrity Failures":{"python":{"":1}},"A07:2021: Identification and Authentication Failures":{"python":{"":1}}},"rules_with_no_owasp":["eqeq-is-bad","eqeq-is-bad","hardcoded-eq-true-or-false","useless-eqeq","use-sys-exit"]}},"author":"Grayson Hardaway","counts":{"total_rules":14,"premium_rules":0},"hidden":true,"username":"minusworld","languages":["Python","JavaScript","Go"],"description":"Ruleset accompanying Semgrep OWASP presentation.","id":"pDL","name":"r2c-owasp-presentation","visibility":"public","categories":[]},{"tags":["secrets"],"stats":{"cwe":{"totals":{"CWE-798: Use of Hard-coded Credentials":1},"per_framework":{"CWE-798: Use of Hard-coded 
Credentials":{"kotlin":{"":1}}},"rules_with_no_cwe":[]},"owasp":{"totals":{"A07:2025: Authentication Failures":1,"A07:2021: Identification and Authentication Failures":1},"per_framework":{"A07:2025: Authentication Failures":{"kotlin":{"":1}},"A07:2021: Identification and Authentication Failures":{"kotlin":{"":1}}},"rules_with_no_owasp":[]}},"author":"Semgrep","counts":{"total_rules":1,"premium_rules":1},"hidden":true,"username":"semgrep","languages":["generic","regex","javascript","typescript","python","java","go"],"description":"This is a placeholder for Semgrep Secrets","id":"YX7o","name":"secrets-default","visibility":"public","categories":[]},{"tags":["node","node.js","nodejs"],"stats":{"cwe":{"totals":{"CWE-384: Session Fixation":1,"CWE-287: Improper Authentication":6,"CWE-346: Origin Validation Error":6,"CWE-798: Use of Hard-coded Credentials":19,"CWE-326: Inadequate Encryption Strength":1,"CWE-502: Deserialization of Untrusted Data":1,"CWE-918: Server-Side Request Forgery (SSRF)":54,"CWE-522: Insufficiently Protected Credentials":7,"CWE-73: External Control of File Name or Path":1,"CWE-117: Improper Output Neutralization for Logs":2,"CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag":5,"CWE-1333: Inefficient Regular Expression Complexity":1,"CWE-706: Use of Incorrectly-Resolved Name or Reference":2,"CWE-319: Cleartext Transmission of Sensitive Information":1,"CWE-327: Use of a Broken or Risky Cryptographic Algorithm":4,"CWE-548: Exposure of Information Through Directory Listing":1,"CWE-1275: Sensitive Cookie with Improper SameSite Attribute":7,"CWE-601: URL Redirection to Untrusted Site ('Open Redirect')":6,"CWE-611: Improper Restriction of XML External Entity Reference":6,"CWE-732: Incorrect Permission Assignment for Critical Resource":2,"CWE-94: Improper Control of Generation of Code ('Code Injection')":16,"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor":1,"CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' 
Attribute":6,"CWE-451: User Interface (UI) Misrepresentation of Critical Information":1,"CWE-943: Improper Neutralization of Special Elements in Data Query Logic":7,"CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine":2,"CWE-643: Improper Neutralization of Data within XPath Expressions ('XPath Injection')":1,"CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')":21,"CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')":1,"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')":16,"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')":33,"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')":1,"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')":6,"CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')":3},"per_framework":{"CWE-384: Session Fixation":{"javascript":{"":1}},"CWE-287: Improper Authentication":{"js":{"":6}},"CWE-346: Origin Validation Error":{"javascript":{"":6}},"CWE-798: Use of Hard-coded Credentials":{"js":{"":14},"javascript":{"":5}},"CWE-326: Inadequate Encryption Strength":{"javascript":{"":1}},"CWE-502: Deserialization of Untrusted Data":{"javascript":{"":1}},"CWE-918: Server-Side Request Forgery (SSRF)":{"javascript":{"":54}},"CWE-522: Insufficiently Protected Credentials":{"javascript":{"":7}},"CWE-73: External Control of File Name or Path":{"javascript":{"":1}},"CWE-117: Improper Output Neutralization for Logs":{"javascript":{"":2}},"CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag":{"javascript":{"":5}},"CWE-1333: Inefficient Regular Expression Complexity":{"javascript":{"":1}},"CWE-706: Use of Incorrectly-Resolved Name or Reference":{"javascript":{"":2}},"CWE-319: Cleartext Transmission of Sensitive 
Information":{"javascript":{"":1}},"CWE-327: Use of a Broken or Risky Cryptographic Algorithm":{"javascript":{"":4}},"CWE-548: Exposure of Information Through Directory Listing":{"javascript":{"":1}},"CWE-1275: Sensitive Cookie with Improper SameSite Attribute":{"javascript":{"":7}},"CWE-601: URL Redirection to Untrusted Site ('Open Redirect')":{"javascript":{"":6}},"CWE-611: Improper Restriction of XML External Entity Reference":{"javascript":{"":6}},"CWE-732: Incorrect Permission Assignment for Critical Resource":{"javascript":{"":2}},"CWE-94: Improper Control of Generation of Code ('Code Injection')":{"javascript":{"":16}},"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor":{"javascript":{"":1}},"CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute":{"javascript":{"":6}},"CWE-451: User Interface (UI) Misrepresentation of Critical Information":{"javascript":{"":1}},"CWE-943: Improper Neutralization of Special Elements in Data Query Logic":{"javascript":{"":7}},"CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine":{"javascript":{"":2}},"CWE-643: Improper Neutralization of Data within XPath Expressions ('XPath Injection')":{"javascript":{"":1}},"CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')":{"javascript":{"":21}},"CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')":{"javascript":{"":1}},"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')":{"javascript":{"":10},"typescript":{"":6}},"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')":{"javascript":{"":33}},"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')":{"javascript":{"":1}},"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')":{"javascript":{"":6}},"CWE-74: Improper Neutralization of Special 
Elements in Output Used by a Downstream Component ('Injection')":{"javascript":{"":3}}},"rules_with_no_cwe":[]},"owasp":{"totals":{"":4,"A01:2017: Injection":48,"A03:2021: Injection":78,"A05:2025: Injection":78,"A04:2021: Insecure Design":9,"A06:2025: Insecure Design":9,"A01:2021: Broken Access Control":38,"A01:2025: Broken Access Control":90,"A02:2017: Broken Authentication":11,"A05:2017: Broken Access Control":21,"A02:2021: Cryptographic Failures":5,"A04:2025: Cryptographic Failures":5,"A03:2017: Sensitive Data Exposure":6,"A07:2025: Authentication Failures":32,"A08:2017: Insecure Deserialization":1,"A02:2025: Security Misconfiguration":17,"A05:2021: Security Misconfiguration":17,"A06:2017: Security Misconfiguration":1,"A07:2017: Cross-Site Scripting (XSS)":16,"A04:2017: XML External Entities (XXE)":6,"A10:2021: Server-Side Request Forgery (SSRF)":54,"A08:2025: Software or Data Integrity Failures":1,"A08:2021: Software and Data Integrity Failures":1,"A09:2025: Security Logging & Alerting Failures":2,"A09:2021: Security Logging and Monitoring Failures":2,"A07:2021: Identification and Authentication Failures":32},"per_framework":{"":{"javascript":{"":4}},"A01:2017: Injection":{"javascript":{"":48}},"A03:2021: Injection":{"javascript":{"":72},"typescript":{"":6}},"A05:2025: Injection":{"javascript":{"":72},"typescript":{"":6}},"A04:2021: Insecure Design":{"javascript":{"":9}},"A06:2025: Insecure Design":{"javascript":{"":9}},"A01:2021: Broken Access Control":{"javascript":{"":38}},"A01:2025: Broken Access Control":{"javascript":{"":90}},"A02:2017: Broken Authentication":{"js":{"":3},"javascript":{"":8}},"A05:2017: Broken Access Control":{"javascript":{"":21}},"A02:2021: Cryptographic Failures":{"javascript":{"":5}},"A04:2025: Cryptographic Failures":{"javascript":{"":5}},"A03:2017: Sensitive Data Exposure":{"javascript":{"":6}},"A07:2025: Authentication Failures":{"js":{"":20},"javascript":{"":12}},"A08:2017: Insecure 
Deserialization":{"javascript":{"":1}},"A02:2025: Security Misconfiguration":{"javascript":{"":17}},"A05:2021: Security Misconfiguration":{"javascript":{"":17}},"A06:2017: Security Misconfiguration":{"javascript":{"":1}},"A07:2017: Cross-Site Scripting (XSS)":{"javascript":{"":10},"typescript":{"":6}},"A04:2017: XML External Entities (XXE)":{"javascript":{"":6}},"A10:2021: Server-Side Request Forgery (SSRF)":{"javascript":{"":54}},"A08:2025: Software or Data Integrity Failures":{"javascript":{"":1}},"A08:2021: Software and Data Integrity Failures":{"javascript":{"":1}},"A09:2025: Security Logging & Alerting Failures":{"javascript":{"":2}},"A09:2021: Security Logging and Monitoring Failures":{"javascript":{"":2}},"A07:2021: Identification and Authentication Failures":{"js":{"":20},"javascript":{"":12}}},"rules_with_no_owasp":["regexp-redos","cookies-default-express","session-cookie-default-express","dot-nestjs"]}},"author":"Semgrep","counts":{"total_rules":248,"premium_rules":212},"username":"semgrep","languages":["JavaScript","TypeScript"],"description":"Default ruleset for Node.js, curated by Semgrep.","id":"4E9","name":"nodejs","visibility":"public","categories":[]},{"tags":["best-practice","compatibility","correctness","performance","portability"],"stats":{"cwe":{"totals":{"":26,"CWE-242: Use of Inherently Dangerous Function (4.12)":1},"per_framework":{"":{"ocaml":{"":26}},"CWE-242: Use of Inherently Dangerous Function 
(4.12)":{"ocaml":{"":1}}},"rules_with_no_cwe":["ocamllint-bool-false","ocamllint-bool-true","bad-reraise","hashtbl-find-outside-try","ocamllint-backwards-if","ocamllint-useless-else","list-find-outside-try","ocamllint-ref-decr","ocamllint-ref-incr","ocamllint-str-first-chars","ocamllint-str-last-chars","ocamllint-str-string-after","ocamllint-useless-sprintf","deprecated-pervasives","physical-equal","physical-not-equal","useless-compare","useless-equal","ocamllint-useless-if","useless-let","ocamllint-length-list-zero","ocamllint-length-more-than-zero","broken-input-line","prefer-read-in-binary-mode","prefer-write-in-binary-mode","not-portable-tmp-string"]},"owasp":{"totals":{"":27},"per_framework":{"":{"ocaml":{"":27}}},"rules_with_no_owasp":["ocamllint-bool-false","ocamllint-bool-true","bad-reraise","hashtbl-find-outside-try","ocamllint-backwards-if","ocamllint-useless-else","list-find-outside-try","ocamllint-ref-decr","ocamllint-ref-incr","ocamllint-str-first-chars","ocamllint-str-last-chars","ocamllint-str-string-after","ocamllint-useless-sprintf","deprecated-pervasives","physical-equal","physical-not-equal","useless-compare","useless-equal","ocamllint-useless-if","useless-let","ocamllint-length-list-zero","ocamllint-length-more-than-zero","broken-input-line","prefer-read-in-binary-mode","prefer-write-in-binary-mode","not-portable-tmp-string","ocamllint-unsafe"]}},"author":"Semgrep","counts":{"total_rules":27,"premium_rules":0},"username":"semgrep","languages":["OCaml"],"description":"Default ruleset for 
OCaml","id":"W4g","name":"ocaml","visibility":"public","categories":[]},{"tags":["yaml","semgrep","meta","metalinter","semgrep-rules","rules","patterns","correctness","performance"],"stats":{"cwe":{"totals":{"":6},"per_framework":{"":{"yaml":{"":6}}},"rules_with_no_cwe":["empty-message","duplicate-id","duplicate-pattern","missing-language-field","missing-message-field","unsatisfiable-rule"]},"owasp":{"totals":{"":6},"per_framework":{"":{"yaml":{"":6}}},"rules_with_no_owasp":["empty-message","duplicate-id","duplicate-pattern","missing-language-field","missing-message-field","unsatisfiable-rule"]}},"author":"Semgrep","counts":{"total_rules":6,"premium_rules":0},"username":"semgrep","languages":["yaml"],"description":"Rules for linting Semgrep rule YAML files for errors or performance problems","id":"LNX","name":"semgrep-rule-lints","visibility":"public","categories":[]},{"tags":["security"],"stats":{"cwe":{"totals":{"CWE-477: Use of Obsolete Function":100},"per_framework":{"CWE-477: Use of Obsolete 
Function":{"cpp":{"":100}}},"rules_with_no_cwe":[]},"owasp":{"totals":{"":100},"per_framework":{"":{"cpp":{"":100}}},"rules_with_no_owasp":["microsoft-banned-list-_fstrcat","microsoft-banned-list-_fstrcpy","microsoft-banned-list-_fstrncat","microsoft-banned-list-_fstrncpy","microsoft-banned-list-_ftccat","microsoft-banned-list-_ftccpy","microsoft-banned-list-_ftcscat","microsoft-banned-list-_ftcscpy","microsoft-banned-list-_getts","microsoft-banned-list-_gettws","microsoft-banned-list-_getws","microsoft-banned-list-_makepath","microsoft-banned-list-_mbccat","microsoft-banned-list-_mbscat","microsoft-banned-list-_snprintf","microsoft-banned-list-_sntprintf","microsoft-banned-list-_sntscanf","microsoft-banned-list-_snwprintf","microsoft-banned-list-_splitpath","microsoft-banned-list-_stprintf","microsoft-banned-list-_stscanf","microsoft-banned-list-_tccat","microsoft-banned-list-_tccpy","microsoft-banned-list-_tcscat","microsoft-banned-list-_tcscpy","microsoft-banned-list-_tcsncat","microsoft-banned-list-_tcsncpy","microsoft-banned-list-_tmakepath","microsoft-banned-list-_tscanf","microsoft-banned-list-_tsplitpath","microsoft-banned-list-_vsnprintf","microsoft-banned-list-_vsntprintf","microsoft-banned-list-_vsnwprintf","microsoft-banned-list-_vstprintf","microsoft-banned-list-_wmakepath","microsoft-banned-list-_wsplitpath","microsoft-banned-list-gets","microsoft-banned-list-lstrcat","microsoft-banned-list-lstrcata","microsoft-banned-list-lstrcatn","microsoft-banned-list-lstrcatna","microsoft-banned-list-lstrcatnw","microsoft-banned-list-lstrcatw","microsoft-banned-list-lstrcpy","microsoft-banned-list-lstrcpya","microsoft-banned-list-lstrcpyn","microsoft-banned-list-lstrcpyna","microsoft-banned-list-lstrcpynw","microsoft-banned-list-lstrcpyw","microsoft-banned-list-lstrncat","microsoft-banned-list-makepath","microsoft-banned-list-nsprintf","microsoft-banned-list-oemtocharw","microsoft-banned-list-snscanf","microsoft-banned-list-snwscanf","microsoft-banned-list-sprintf
","microsoft-banned-list-sprintfa","microsoft-banned-list-sprintfw","microsoft-banned-list-strcat","microsoft-banned-list-strcata","microsoft-banned-list-strcatbuff","microsoft-banned-list-strcatbuffa","microsoft-banned-list-strcatbuffw","microsoft-banned-list-strcatchainw","microsoft-banned-list-strcatn","microsoft-banned-list-strcatna","microsoft-banned-list-strcatnw","microsoft-banned-list-strcatw","microsoft-banned-list-strcpy","microsoft-banned-list-strcpya","microsoft-banned-list-strcpyn","microsoft-banned-list-strcpyna","microsoft-banned-list-strcpynw","microsoft-banned-list-strcpyw","microsoft-banned-list-strncat","microsoft-banned-list-strncata","microsoft-banned-list-strncatw","microsoft-banned-list-strncpy","microsoft-banned-list-strncpya","microsoft-banned-list-strncpyw","microsoft-banned-list-swprintf","microsoft-banned-list-ualstrcpyw","microsoft-banned-list-vsnprintf","microsoft-banned-list-vsprintf","microsoft-banned-list-vswprintf","microsoft-banned-list-wcscat","microsoft-banned-list-wcscpy","microsoft-banned-list-wcsncat","microsoft-banned-list-wcsncpy","microsoft-banned-list-wnsprintf","microsoft-banned-list-wnsprintfa","microsoft-banned-list-wsprintf","microsoft-banned-list-wsprintfa","microsoft-banned-list-wsprintfw","microsoft-banned-list-wvnsprintf","microsoft-banned-list-wvnsprintfa","microsoft-banned-list-wvnsprintfw","microsoft-banned-list-wvsprintf","microsoft-banned-list-wvsprintfa","microsoft-banned-list-wvsprintfw"]}},"author":"Semgrep","counts":{"total_rules":100,"premium_rules":100},"username":"semgrep","languages":["C","C++"],"description":"Scan code for uses of functions listed on Microsoft's list of banned functions. 
These functions are error-prone and typically have a safer replacement function.","id":"qqGe","name":"c-audit-banned-functions","visibility":"public","categories":[]},{"tags":["security"],"stats":{"cwe":{"totals":{"CWE-680: Integer Overflow to Buffer Overflow":1,"CWE-611: Improper Restriction of XML External Entity Reference":1,"CWE-337: Predictable Seed in Pseudo-Random Number Generator (PRNG)":2,"CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')":1,"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')":1},"per_framework":{"CWE-680: Integer Overflow to Buffer Overflow":{"cpp":{"":1}},"CWE-611: Improper Restriction of XML External Entity Reference":{"cpp":{"":1}},"CWE-337: Predictable Seed in Pseudo-Random Number Generator (PRNG)":{"cpp":{"":2}},"CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')":{"cpp":{"":1}},"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')":{"cpp":{"":1}}},"rules_with_no_cwe":[]},"owasp":{"totals":{"":2,"A01:2017: Injection":1,"A03:2021: Injection":1,"A05:2025: Injection":1,"A02:2021: Cryptographic Failures":2,"A04:2025: Cryptographic Failures":2,"A02:2025: Security Misconfiguration":1,"A05:2021: Security Misconfiguration":1,"A04:2017: XML External Entities (XXE)":1},"per_framework":{"":{"cpp":{"":2}},"A01:2017: Injection":{"cpp":{"":1}},"A03:2021: Injection":{"cpp":{"":1}},"A05:2025: Injection":{"cpp":{"":1}},"A02:2021: Cryptographic Failures":{"cpp":{"":2}},"A04:2025: Cryptographic Failures":{"cpp":{"":2}},"A02:2025: Security Misconfiguration":{"cpp":{"":1}},"A05:2021: Security Misconfiguration":{"cpp":{"":1}},"A04:2017: XML External Entities (XXE)":{"cpp":{"":1}}},"rules_with_no_owasp":["integer-overflow-allocation","string-buffer-overflow"]}},"author":"Semgrep","counts":{"total_rules":6,"premium_rules":6},"username":"semgrep","languages":["C","C++"],"description":"Scan C++ code for 
potential security issues that require additional review. Recommended for security engineers or consultants who don't mind false positives and are looking to flag troublesome spots for further review.","id":"lxyG","name":"cpp-audit","visibility":"public","categories":[]},{"tags":["llm","genai"],"stats":{"cwe":{"totals":{"CWE-918: Server-Side Request Forgery (SSRF)":56,"CWE-1104: Use of Unmaintained Third Party Components":2,"CWE-497: Exposure of Sensitive System Information to an Unauthorized Control Sphere":126,"CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')":2},"per_framework":{"CWE-918: Server-Side Request Forgery (SSRF)":{"java":{"":15},"csharp":{"":15},"python":{"":12},"javascript":{"":14}},"CWE-1104: Use of Unmaintained Third Party Components":{"java":{"":1},"kotlin":{"":1}},"CWE-497: Exposure of Sensitive System Information to an Unauthorized Control Sphere":{"go":{"":20},"cpp":{"":1},"php":{"":18},"dart":{"":2},"java":{"":8},"ruby":{"":25},"rust":{"":1},"swift":{"":3},"csharp":{"":5},"kotlin":{"":5},"python":{"":21},"javascript":{"":17}},"CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')":{"python":{"":1},"javascript":{"":1}}},"rules_with_no_cwe":[]},"owasp":{"totals":{"A01:2017: Injection":2,"A03:2021: Injection":2,"A05:2025: Injection":2,"A01:2021: Broken Access Control":126,"A01:2025: Broken Access Control":182,"A03:2025: Software Supply Chain Failures":2,"A06:2021: Vulnerable and Outdated Components":2,"A10:2021: Server-Side Request Forgery (SSRF)":56},"per_framework":{"A01:2017: Injection":{"python":{"":1},"javascript":{"":1}},"A03:2021: Injection":{"python":{"":1},"javascript":{"":1}},"A05:2025: Injection":{"python":{"":1},"javascript":{"":1}},"A01:2021: Broken Access 
Control":{"go":{"":20},"cpp":{"":1},"php":{"":18},"dart":{"":2},"java":{"":8},"ruby":{"":25},"rust":{"":1},"swift":{"":3},"csharp":{"":5},"kotlin":{"":5},"python":{"":21},"javascript":{"":17}},"A01:2025: Broken Access Control":{"go":{"":20},"cpp":{"":1},"php":{"":18},"dart":{"":2},"java":{"":23},"ruby":{"":25},"rust":{"":1},"swift":{"":3},"csharp":{"":20},"kotlin":{"":5},"python":{"":33},"javascript":{"":31}},"A03:2025: Software Supply Chain Failures":{"java":{"":1},"kotlin":{"":1}},"A06:2021: Vulnerable and Outdated Components":{"java":{"":1},"kotlin":{"":1}},"A10:2021: Server-Side Request Forgery (SSRF)":{"java":{"":15},"csharp":{"":15},"python":{"":12},"javascript":{"":14}}},"rules_with_no_owasp":[]}},"author":"Semgrep","counts":{"total_rules":186,"premium_rules":186},"hidden":true,"username":"semgrep","languages":["python","ruby","javascript","typescript","go","java","csharp","php","kotlin","swift","rust","c++"],"description":"Find all usage of popular LLMs in your codebase, curated by Semgrep.","id":"w10n","name":"shadow-ai-pro","visibility":"public","categories":[]},{"tags":["secrets"],"stats":{"cwe":{"totals":{"CWE-798: Use of Hard-coded Credentials":2},"per_framework":{"CWE-798: Use of Hard-coded Credentials":{"regex":{"":2}}},"rules_with_no_cwe":[]},"owasp":{"totals":{"A07:2025: Authentication Failures":2,"A07:2021: Identification and Authentication Failures":2},"per_framework":{"A07:2025: Authentication Failures":{"regex":{"":2}},"A07:2021: Identification and Authentication Failures":{"regex":{"":2}}},"rules_with_no_owasp":[]}},"author":"Semgrep","counts":{"total_rules":2,"premium_rules":2},"hidden":true,"username":"semgrep","languages":["yaml"],"description":"This rulepack powers the AI-powered Semgrep Generic Secrets feature, part of the\nSemgrep Secrets product https://semgrep.dev/products/semgrep-secrets.\nIf you are interested in trialing Semgrep Secrets reach out to 
sales@semgrep.com.\n","id":"jkyl","name":"semgrep-secrets-ai","visibility":"public","categories":[]},{"tags":["security"],"stats":{"cwe":{"totals":{"CWE-346: Origin Validation Error":16,"CWE-502: Deserialization of Untrusted Data":64,"CWE-918: Server-Side Request Forgery (SSRF)":80,"CWE-73: External Control of File Name or Path":22,"CWE-91: XML Injection (aka Blind XPath Injection)":16,"CWE-1333: Inefficient Regular Expression Complexity":16,"CWE-601: URL Redirection to Untrusted Site ('Open Redirect')":75,"CWE-611: Improper Restriction of XML External Entity Reference":16,"CWE-94: Improper Control of Generation of Code ('Code Injection')":32,"CWE-644: Improper Neutralization of HTTP Headers for Scripting Syntax":32,"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')":75,"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')":48,"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')":48},"per_framework":{"CWE-346: Origin Validation Error":{"scala":{"":16}},"CWE-502: Deserialization of Untrusted Data":{"scala":{"":64}},"CWE-918: Server-Side Request Forgery (SSRF)":{"scala":{"":80}},"CWE-73: External Control of File Name or Path":{"scala":{"":22}},"CWE-91: XML Injection (aka Blind XPath Injection)":{"scala":{"":16}},"CWE-1333: Inefficient Regular Expression Complexity":{"scala":{"":16}},"CWE-601: URL Redirection to Untrusted Site ('Open Redirect')":{"scala":{"":75}},"CWE-611: Improper Restriction of XML External Entity Reference":{"scala":{"":16}},"CWE-94: Improper Control of Generation of Code ('Code Injection')":{"scala":{"":32}},"CWE-644: Improper Neutralization of HTTP Headers for Scripting Syntax":{"scala":{"":32}},"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')":{"scala":{"":75}},"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL 
Injection')":{"scala":{"":48}},"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')":{"scala":{"":48}}},"rules_with_no_cwe":[]},"owasp":{"totals":{"":16,"A01:2017: Injection":112,"A03:2021: Injection":251,"A05:2025: Injection":251,"A04:2021: Insecure Design":22,"A06:2025: Insecure Design":22,"A01:2021: Broken Access Control":75,"A01:2025: Broken Access Control":155,"A07:2025: Authentication Failures":16,"A08:2017: Insecure Deserialization":64,"A02:2025: Security Misconfiguration":16,"A05:2021: Security Misconfiguration":16,"A07:2017: Cross-Site Scripting (XSS)":75,"A04:2017: XML External Entities (XXE)":16,"A10:2021: Server-Side Request Forgery (SSRF)":80,"A08:2025: Software or Data Integrity Failures":64,"A08:2021: Software and Data Integrity Failures":64,"A07:2021: Identification and Authentication Failures":16},"per_framework":{"":{"scala":{"":16}},"A01:2017: Injection":{"scala":{"":112}},"A03:2021: Injection":{"scala":{"":251}},"A05:2025: Injection":{"scala":{"":251}},"A04:2021: Insecure Design":{"scala":{"":22}},"A06:2025: Insecure Design":{"scala":{"":22}},"A01:2021: Broken Access Control":{"scala":{"":75}},"A01:2025: Broken Access Control":{"scala":{"":155}},"A07:2025: Authentication Failures":{"scala":{"":16}},"A08:2017: Insecure Deserialization":{"scala":{"":64}},"A02:2025: Security Misconfiguration":{"scala":{"":16}},"A05:2021: Security Misconfiguration":{"scala":{"":16}},"A07:2017: Cross-Site Scripting (XSS)":{"scala":{"":75}},"A04:2017: XML External Entities (XXE)":{"scala":{"":16}},"A10:2021: Server-Side Request Forgery (SSRF)":{"scala":{"":80}},"A08:2025: Software or Data Integrity Failures":{"scala":{"":64}},"A08:2021: Software and Data Integrity Failures":{"scala":{"":64}},"A07:2021: Identification and Authentication 
Failures":{"scala":{"":16}}},"rules_with_no_owasp":["akka-http-better-files-regex-injection-uri-params","akka-http-better-files-regex-injection","http4s-better-files-regex-injection-uri-params","db-anorm-better-files-regex-injection-stored","file-better-files-better-files-regex-injection-stored","file-scala-xml-better-files-regex-injection-stored","net-scala-xml-better-files-regex-injection","net-scalaj-http-better-files-regex-injection","web-pekko-http-spray-json-better-files-regex-injection","web-play-ws-better-files-regex-injection","web-scalaj-http-better-files-regex-injection","web-twirl-api-better-files-regex-injection","pekko-http-better-files-regex-injection-uri-params","play-better-files-regex-injection-uri-params","play-better-files-regex-injection","zio-http-better-files-regex-injection-uri-params"]}},"author":"Semgrep","counts":{"total_rules":540,"premium_rules":540},"hidden":true,"username":"semgrep","languages":["Scala"],"description":"Alpha ruleset for Scala, curated by Semgrep.","id":"eKkd","name":"scala-alpha","visibility":"public","categories":[]},{"tags":["semgrep","security","docker","dockerfile","configuration","infrastructure","infrastructure as code"],"stats":{"cwe":{"totals":{"":1,"CWE-862: Missing Authorization":1,"CWE-269: Improper Privilege Management":3,"CWE-427: Uncontrolled Search Path Element":1,"CWE-250: Execution with Unnecessary Privileges":2},"per_framework":{"":{"dockerfile":{"":1}},"CWE-862: Missing Authorization":{"dockerfile":{"":1}},"CWE-269: Improper Privilege Management":{"dockerfile":{"":3}},"CWE-427: Uncontrolled Search Path Element":{"dockerfile":{"":1}},"CWE-250: Execution with Unnecessary Privileges":{"dockerfile":{"":2}}},"rules_with_no_cwe":["missing-zypper-no-confirm-switch"]},"owasp":{"totals":{"":3,"A04:2021: Insecure Design":3,"A06:2025: Insecure Design":3,"A02:2025: Security Misconfiguration":1,"A05:2021: Security Misconfiguration":1},"per_framework":{"":{"dockerfile":{"":3}},"A04:2021: Insecure 
Design":{"dockerfile":{"":3}},"A06:2025: Insecure Design":{"dockerfile":{"":3}},"A02:2025: Security Misconfiguration":{"dockerfile":{"":1}},"A05:2021: Security Misconfiguration":{"dockerfile":{"":1}}},"rules_with_no_owasp":["dockerfile-pip-extra-index-url","dockerfile-dockerd-socket-mount","missing-zypper-no-confirm-switch"]}},"author":"Semgrep","counts":{"total_rules":7,"premium_rules":0},"username":"semgrep","languages":["generic","dockerfile"],"description":"Selected rules from Hadolint, a Dockerfile linter, rewritten in Semgrep.","id":"bEZ","name":"docker","visibility":"public","categories":[]},{"tags":["secrets"],"stats":{"cwe":{"totals":{"CWE-287: Improper Authentication":24,"CWE-798: Use of Hard-coded Credentials":1147,"CWE-1394: Use of Default Cryptographic Key":2},"per_framework":{"CWE-287: Improper Authentication":{"go":{"":5},"java":{"":5},"python":{"":5},"terraform":{"":4},"javascript":{"":5}},"CWE-798: Use of Hard-coded Credentials":{"go":{"":11},"js":{"":8},"xml":{"":3},"bash":{"":44},"java":{"":11},"json":{"":4},"yaml":{"":86},"regex":{"":856},"kotlin":{"":1},"python":{"":64},"generic":{"":2},"terraform":{"":40},"javascript":{"":17}},"CWE-1394: Use of Default Cryptographic Key":{"go":{"":2}}},"rules_with_no_cwe":[]},"owasp":{"totals":{"":2,"A02:2017: Broken Authentication":24,"A07:2025: Authentication Failures":1168,"A07:2021: Identification and Authentication Failures":1171},"per_framework":{"":{"go":{"":2}},"A02:2017: Broken Authentication":{"go":{"":5},"java":{"":5},"python":{"":5},"terraform":{"":4},"javascript":{"":5}},"A07:2025: Authentication Failures":{"go":{"":16},"js":{"":8},"xml":{"":3},"bash":{"":44},"java":{"":16},"json":{"":4},"yaml":{"":86},"regex":{"":853},"kotlin":{"":1},"python":{"":69},"generic":{"":2},"terraform":{"":44},"javascript":{"":22}},"A07:2021: Identification and Authentication 
Failures":{"go":{"":16},"js":{"":8},"xml":{"":3},"bash":{"":44},"java":{"":16},"json":{"":4},"yaml":{"":86},"regex":{"":856},"kotlin":{"":1},"python":{"":69},"generic":{"":2},"terraform":{"":44},"javascript":{"":22}}},"rules_with_no_owasp":["aes-static-key","chacha-static-key"]}},"author":"Semgrep","counts":{"total_rules":1173,"premium_rules":1173},"hidden":true,"username":"semgrep","languages":["generic","regex","javascript","typescript","python","java","kotlin","go"],"description":"This rulepack powers the Semgrep Secrets product https://semgrep.dev/products/semgrep-secrets. If you are interested in trialing Semgrep Secrets reach out to sales@semgrep.com.","id":"65dL","name":"semgrep-secrets","visibility":"public","categories":[]},{"tags":["security","secret","secrets","tokens","oauth","password","generic","text"],"stats":{"cwe":{"totals":{"CWE-287: Improper Authentication":50,"CWE-259: Use of Hard-coded Password":1,"CWE-798: Use of Hard-coded Credentials":212,"CWE-326: Inadequate Encryption Strength":1,"CWE-321: Use of Hard-coded Cryptographic Key":1,"CWE-327: Use of a Broken or Risky Cryptographic Algorithm":2,"CWE-323: Nonces should be used for the present occasion and only once.":1,"CWE-329: Not using a random initialization Vector (IV) with Cipher Block Chaining (CBC) Mode causes algorithms to be susceptible to dictionary attacks.":1},"per_framework":{"CWE-287: Improper Authentication":{"go":{"":6},"js":{"":6},"ruby":{"":6},"rust":{"":10},"kotlin":{"":4},"python":{"":18}},"CWE-259: Use of Hard-coded Password":{"swift":{"":1}},"CWE-798: Use of Hard-coded Credentials":{"go":{"":11},"js":{"":24},"py":{"":1},"hcl":{"":1},"php":{"":1},"java":{"":22},"ruby":{"":18},"rust":{"":12},"yaml":{"":1},"regex":{"":34},"swift":{"":7},"csharp":{"":10},"kotlin":{"":22},"python":{"":37},"generic":{"":4},"javascript":{"":7}},"CWE-326: Inadequate Encryption Strength":{"hcl":{"":1}},"CWE-321: Use of Hard-coded Cryptographic Key":{"swift":{"":1}},"CWE-327: Use of a Broken or Risky 
Cryptographic Algorithm":{"python":{"":2}},"CWE-323: Nonces should be used for the present occasion and only once.":{"swift":{"":1}},"CWE-329: Not using a random initialization Vector (IV) with Cipher Block Chaining (CBC) Mode causes algorithms to be susceptible to dictionary attacks.":{"swift":{"":1}}},"rules_with_no_cwe":[]},"owasp":{"totals":{"":1,"A02:2017: Broken Authentication":23,"A02:2021: Cryptographic Failures":6,"A04:2025: Cryptographic Failures":6,"A03:2017: Sensitive Data Exposure":3,"A07:2025: Authentication Failures":262,"A07:2021: Identification and Authentication Failures":262},"per_framework":{"":{"regex":{"":1}},"A02:2017: Broken Authentication":{"go":{"":6},"js":{"":3},"rust":{"":10},"kotlin":{"":4}},"A02:2021: Cryptographic Failures":{"hcl":{"":1},"swift":{"":3},"python":{"":2}},"A04:2025: Cryptographic Failures":{"hcl":{"":1},"swift":{"":3},"python":{"":2}},"A03:2017: Sensitive Data Exposure":{"hcl":{"":1},"python":{"":2}},"A07:2025: Authentication Failures":{"go":{"":17},"js":{"":30},"py":{"":1},"hcl":{"":1},"php":{"":1},"java":{"":22},"ruby":{"":24},"rust":{"":22},"yaml":{"":1},"regex":{"":33},"swift":{"":8},"csharp":{"":10},"kotlin":{"":26},"python":{"":55},"generic":{"":4},"javascript":{"":7}},"A07:2021: Identification and Authentication Failures":{"go":{"":17},"js":{"":30},"py":{"":1},"hcl":{"":1},"php":{"":1},"java":{"":22},"ruby":{"":24},"rust":{"":22},"yaml":{"":1},"regex":{"":33},"swift":{"":8},"csharp":{"":10},"kotlin":{"":26},"python":{"":55},"generic":{"":4},"javascript":{"":7}}},"rules_with_no_owasp":["detected-onfido-live-api-token"]}},"author":"Semgrep","counts":{"total_rules":269,"premium_rules":218},"username":"semgrep","languages":["generic","regex","javascript","typescript","csharp","go","java","python","ruby","swift","terraform"],"description":"Rules for detecting secrets checked into version 
control","id":"y3R","name":"secrets","visibility":"public","categories":[{"id":"VJd","slug":"enforce-secure-guardrails","name":"Enforce Secure Guardrails","description":"Use Semgrep to ensure your code enforces secure defaults and framework protections, which can proactively eradicate entire classes of vulnerabilities. Avoid playing bug whack-a-mole and scale your security program."}]},{"tags":["security","bandit","owasp"],"stats":{"cwe":{"totals":{"CWE-22":1,"CWE-78":9,"CWE-79":2,"CWE-89":5,"CWE-94":1,"CWE-95":1,"CWE-116":1,"CWE-155":1,"CWE-200":1,"CWE-295":2,"CWE-319":3,"CWE-322":1,"CWE-326":4,"CWE-327":22,"CWE-330":1,"CWE-377":2,"CWE-400":1,"CWE-489":1,"CWE-502":6,"CWE-611":8,"CWE-732":1,"CWE-754":1,"CWE-939":1,"CWE-1104":1,"CWE-377: Insecure Temporary File":1,"CWE-326: Inadequate Encryption Strength":1,"CWE-295: Improper Certificate Validation":1,"CWE-502: Deserialization of Untrusted Data":1,"CWE-327: Use of a Broken or Risky Cryptographic Algorithm":1,"CWE-611: Improper Restriction of XML External Entity Reference":2,"CWE-939: Improper Authorization in Handler for Custom URL Scheme":1,"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')":2,"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')":1,"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')":1,"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command 
Injection')":1},"per_framework":{"CWE-22":{"python":{"":1}},"CWE-78":{"python":{"":9}},"CWE-79":{"python":{"":2}},"CWE-89":{"python":{"":5}},"CWE-94":{"python":{"":1}},"CWE-95":{"python":{"":1}},"CWE-116":{"python":{"":1}},"CWE-155":{"python":{"":1}},"CWE-200":{"python":{"":1}},"CWE-295":{"python":{"":2}},"CWE-319":{"python":{"":3}},"CWE-322":{"python":{"":1}},"CWE-326":{"python":{"":4}},"CWE-327":{"python":{"":22}},"CWE-330":{"python":{"":1}},"CWE-377":{"python":{"":2}},"CWE-400":{"python":{"":1}},"CWE-489":{"python":{"":1}},"CWE-502":{"python":{"":6}},"CWE-611":{"python":{"":8}},"CWE-732":{"python":{"":1}},"CWE-754":{"python":{"":1}},"CWE-939":{"python":{"":1}},"CWE-1104":{"python":{"":1}},"CWE-377: Insecure Temporary File":{"python":{"":1}},"CWE-326: Inadequate Encryption Strength":{"python":{"":1}},"CWE-295: Improper Certificate Validation":{"python":{"":1}},"CWE-502: Deserialization of Untrusted Data":{"python":{"":1}},"CWE-327: Use of a Broken or Risky Cryptographic Algorithm":{"python":{"":1}},"CWE-611: Improper Restriction of XML External Entity Reference":{"python":{"":2}},"CWE-939: Improper Authorization in Handler for Custom URL Scheme":{"python":{"":1}},"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')":{"python":{"":2}},"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')":{"python":{"":1}},"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')":{"python":{"":1}},"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')":{"python":{"":1}}},"rules_with_no_cwe":[]},"owasp":{"totals":{"":1,"A1:2017-Injection":17,"A03:2021-Injection":27,"A01:2017: Injection":3,"A03:2021: Injection":4,"A05:2025: Injection":4,"A3: Sensitive Data Exposure":1,"A2:2017-Broken Authentication":2,"A5:2017-Broken Access Control":4,"A01:2021-Broken Access Control":4,"A7: Cross-Site Scripting 
(XSS)":1,"A02:2021-Cryptographic Failures":27,"A3:2017-Sensitive Data Exposure":31,"A4: XML External Entities (XXE)":1,"A02:2021: Cryptographic Failures":1,"A04:2025: Cryptographic Failures":1,"A8:2017-Insecure Deserialization":7,"A03:2017: Sensitive Data Exposure":2,"A07:2025: Authentication Failures":1,"A6:2017-Security Misconfiguration":4,"A05:2021-Security Misconfiguration":4,"A08:2017: Insecure Deserialization":1,"A7:2017-Cross-Site Scripting (XSS)":3,"A02:2025: Security Misconfiguration":1,"A05:2021: Security Misconfiguration":1,"A4:2017-XML External Entities (XXE)":8,"A07:2017: Cross-Site Scripting (XSS)":1,"A04:2017: XML External Entities (XXE)":1,"A08:2021-Software and Data Integrity Failures":6,"A08:2025: Software or Data Integrity Failures":1,"A08:2021: Software and Data Integrity Failures":1,"A07:2021-Identification and Authentication Failures":3,"A9:2017-Using Components with Known Vulnerabilities":1,"A07:2021: Identification and Authentication Failures":1},"per_framework":{"":{"python":{"":1}},"A1:2017-Injection":{"python":{"":17}},"A03:2021-Injection":{"python":{"":27}},"A01:2017: Injection":{"python":{"":3}},"A03:2021: Injection":{"python":{"":4}},"A05:2025: Injection":{"python":{"":4}},"A3: Sensitive Data Exposure":{"python":{"":1}},"A2:2017-Broken Authentication":{"python":{"":2}},"A5:2017-Broken Access Control":{"python":{"":4}},"A01:2021-Broken Access Control":{"python":{"":4}},"A7: Cross-Site Scripting (XSS)":{"python":{"":1}},"A02:2021-Cryptographic Failures":{"python":{"":27}},"A3:2017-Sensitive Data Exposure":{"python":{"":31}},"A4: XML External Entities (XXE)":{"python":{"":1}},"A02:2021: Cryptographic Failures":{"python":{"":1}},"A04:2025: Cryptographic Failures":{"python":{"":1}},"A8:2017-Insecure Deserialization":{"python":{"":7}},"A03:2017: Sensitive Data Exposure":{"python":{"":2}},"A07:2025: Authentication Failures":{"python":{"":1}},"A6:2017-Security Misconfiguration":{"python":{"":4}},"A05:2021-Security 
Misconfiguration":{"python":{"":4}},"A08:2017: Insecure Deserialization":{"python":{"":1}},"A7:2017-Cross-Site Scripting (XSS)":{"python":{"":3}},"A02:2025: Security Misconfiguration":{"python":{"":1}},"A05:2021: Security Misconfiguration":{"python":{"":1}},"A4:2017-XML External Entities (XXE)":{"python":{"":8}},"A07:2017: Cross-Site Scripting (XSS)":{"python":{"":1}},"A04:2017: XML External Entities (XXE)":{"python":{"":1}},"A08:2021-Software and Data Integrity Failures":{"python":{"":6}},"A08:2025: Software or Data Integrity Failures":{"python":{"":1}},"A08:2021: Software and Data Integrity Failures":{"python":{"":1}},"A07:2021-Identification and Authentication Failures":{"python":{"":3}},"A9:2017-Using Components with Known Vulnerabilities":{"python":{"":1}},"A07:2021: Identification and Authentication Failures":{"python":{"":1}}},"rules_with_no_owasp":["bandit.B108-1"]}},"author":"Gitlab, Semgrep","counts":{"total_rules":90,"premium_rules":0},"hidden":false,"languages":["Python"],"description":"Use Semgrep as a universal linter to identify vulnerabilities in your code base with the bandit (https://github.com/PyCQA/bandit) rule 
pack.","id":"dOd","name":"bandit","visibility":"public","categories":[]},{"tags":["yaml","semgrep","meta","metalinter","semgrep-rules","rules","patterns","correctness","performance"],"stats":{"cwe":{"totals":{"":24},"per_framework":{"":{"yaml":{"":24}}},"rules_with_no_cwe":["duplicate-id","duplicate-pattern","unsatisfiable-rule","empty-message","missing-message-field","missing-language-field","metadata-confidence","metadata-confidence-incorrect-value","metadata-likelihood-incorrect-value","metadata-likelihood","metadata-impact-incorrect-value","metadata-impact","metadata-subcategory-incorrect-value","metadata-subcategory","metadata-technology","metadata-incorrect-option","metadata-category","metadata-deepsemgrep","metadata-license","multi-line-message","message-whitespace-check","slow-pattern-top-ellipsis","missing-deconstructed-value","metadata-cwe-prohibited-or-discouraged"]},"owasp":{"totals":{"":24},"per_framework":{"":{"yaml":{"":24}}},"rules_with_no_owasp":["duplicate-id","duplicate-pattern","unsatisfiable-rule","empty-message","missing-message-field","missing-language-field","metadata-confidence","metadata-confidence-incorrect-value","metadata-likelihood-incorrect-value","metadata-likelihood","metadata-impact-incorrect-value","metadata-impact","metadata-subcategory-incorrect-value","metadata-subcategory","metadata-technology","metadata-incorrect-option","metadata-category","metadata-deepsemgrep","metadata-license","multi-line-message","message-whitespace-check","slow-pattern-top-ellipsis","missing-deconstructed-value","metadata-cwe-prohibited-or-discouraged"]}},"author":"Semgrep","counts":{"total_rules":24,"premium_rules":0},"username":"semgrep","languages":["yaml"],"description":"Rules for linting Semgrep rule YAML files for errors or performance problems in 
CI","id":"kkyo","name":"semgrep-rule-ci","visibility":"public","categories":[]},{"tags":["security","eslint","correctness"],"stats":{"cwe":{"totals":{"CWE-22":1,"CWE-79":2,"CWE-95":3,"CWE-119":1,"CWE-185":1,"CWE-208":1,"CWE-338":1,"CWE-770":1,"CWE-94: Improper Control of Generation of Code ('Code Injection')":1},"per_framework":{"CWE-22":{"typescript":{"":1}},"CWE-79":{"javascript":{"":1},"typescript":{"":1}},"CWE-95":{"javascript":{"":3}},"CWE-119":{"javascript":{"":1}},"CWE-185":{"javascript":{"":1}},"CWE-208":{"javascript":{"":1}},"CWE-338":{"javascript":{"":1}},"CWE-770":{"javascript":{"":1}},"CWE-94: Improper Control of Generation of Code ('Code Injection')":{"javascript":{"":1}}},"rules_with_no_cwe":[]},"owasp":{"totals":{"":1,"A1:2017-Injection":4,"A03:2021-Injection":5,"A5:2017-Broken Access Control":1,"A01:2021-Broken Access Control":1,"A02:2021-Cryptographic Failures":2,"A3:2017-Sensitive Data Exposure":2,"A7:2017-Cross-Site Scripting (XSS)":2,"A06:2021-Vulnerable and Outdated Components":2,"A9:2017-Using Components with Known Vulnerabilities":2},"per_framework":{"":{"javascript":{"":1}},"A1:2017-Injection":{"javascript":{"":4}},"A03:2021-Injection":{"javascript":{"":4},"typescript":{"":1}},"A5:2017-Broken Access Control":{"typescript":{"":1}},"A01:2021-Broken Access Control":{"typescript":{"":1}},"A02:2021-Cryptographic Failures":{"javascript":{"":2}},"A3:2017-Sensitive Data Exposure":{"javascript":{"":2}},"A7:2017-Cross-Site Scripting (XSS)":{"javascript":{"":1},"typescript":{"":1}},"A06:2021-Vulnerable and Outdated Components":{"javascript":{"":2}},"A9:2017-Using Components with Known Vulnerabilities":{"javascript":{"":2}}},"rules_with_no_owasp":["eslint.detect-object-injection"]}},"author":"Gitlab","counts":{"total_rules":12,"premium_rules":0},"hidden":false,"languages":["JavaScript","TypeScript"],"description":"Use Semgrep as a universal linter to identify vulnerabilities and code smells in your code base with the eslint rule 
pack.","id":"LwJJ","name":"eslint","visibility":"public","categories":[{"id":"aR8","slug":"ported-security-tools","name":"Ported Security Tools","description":"Select rules ported from open-source security tools. Start here if you're familiar with these tools."}]},{"tags":["security"],"stats":{"cwe":{"totals":{"CWE-369: Divide By Zero":1,"CWE-328: Use of Weak Hash":3,"CWE-284: Improper Access Control":1,"CWE-287: Improper Authentication":6,"CWE-185: Incorrect Regular Expression":1,"CWE-276: Incorrect Default Permissions":1,"CWE-798: Use of Hard-coded Credentials":18,"CWE-326: Inadequate Encryption Strength":1,"CWE-295: Improper Certificate Validation":1,"CWE-502: Deserialization of Untrusted Data":2,"CWE-918: Server-Side Request Forgery (SSRF)":1,"CWE-311: Missing Encryption of Sensitive Data":1,"CWE-73: External Control of File Name or Path":1,"CWE-1333: Inefficient Regular Expression Complexity":1,"CWE-327: Use of a Broken or Risky Cryptographic Algorithm":1,"CWE-639: Authorization Bypass Through User-Controlled Key":1,"CWE-540: Inclusion of Sensitive Information in Source Code":1,"CWE-601: URL Redirection to Untrusted Site ('Open Redirect')":2,"CWE-650: Trusting HTTP Permission Methods on the Server Side":1,"CWE-94: Improper Control of Generation of Code ('Code Injection')":4,"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor":1,"CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')":4,"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')":3,"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')":8,"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')":1},"per_framework":{"CWE-369: Divide By Zero":{"ruby":{"":1}},"CWE-328: Use of Weak Hash":{"ruby":{"":3}},"CWE-284: Improper Access Control":{"ruby":{"":1}},"CWE-287: Improper Authentication":{"ruby":{"":6}},"CWE-185: Incorrect Regular 
Expression":{"ruby":{"":1}},"CWE-276: Incorrect Default Permissions":{"ruby":{"":1}},"CWE-798: Use of Hard-coded Credentials":{"ruby":{"":18}},"CWE-326: Inadequate Encryption Strength":{"ruby":{"":1}},"CWE-295: Improper Certificate Validation":{"ruby":{"":1}},"CWE-502: Deserialization of Untrusted Data":{"ruby":{"":2}},"CWE-918: Server-Side Request Forgery (SSRF)":{"ruby":{"":1}},"CWE-311: Missing Encryption of Sensitive Data":{"ruby":{"":1}},"CWE-73: External Control of File Name or Path":{"ruby":{"":1}},"CWE-1333: Inefficient Regular Expression Complexity":{"ruby":{"":1}},"CWE-327: Use of a Broken or Risky Cryptographic Algorithm":{"ruby":{"":1}},"CWE-639: Authorization Bypass Through User-Controlled Key":{"ruby":{"":1}},"CWE-540: Inclusion of Sensitive Information in Source Code":{"ruby":{"":1}},"CWE-601: URL Redirection to Untrusted Site ('Open Redirect')":{"ruby":{"":2}},"CWE-650: Trusting HTTP Permission Methods on the Server Side":{"ruby":{"":1}},"CWE-94: Improper Control of Generation of Code ('Code Injection')":{"ruby":{"":4}},"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor":{"ruby":{"":1}},"CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')":{"ruby":{"":4}},"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')":{"ruby":{"":3}},"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')":{"ruby":{"":8}},"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')":{"ruby":{"":1}}},"rules_with_no_cwe":[]},"owasp":{"totals":{"":1,"A01:2017: Injection":9,"A03:2021: Injection":16,"A05:2025: Injection":16,"A04:2021: Insecure Design":3,"A06:2025: Insecure Design":3,"A01:2021: Broken Access Control":12,"A01:2025: Broken Access Control":13,"A05:2017: Broken Access Control":7,"A02:2021: Cryptographic Failures":5,"A04:2025: Cryptographic Failures":5,"A03:2017: Sensitive Data Exposure":8,"A07:2025: 
Authentication Failures":25,"A08:2017: Insecure Deserialization":2,"A07:2017: Cross-Site Scripting (XSS)":3,"A10:2021: Server-Side Request Forgery (SSRF)":1,"A08:2025: Software or Data Integrity Failures":2,"A08:2021: Software and Data Integrity Failures":2,"A07:2021: Identification and Authentication Failures":25},"per_framework":{"":{"ruby":{"":1}},"A01:2017: Injection":{"ruby":{"":9}},"A03:2021: Injection":{"ruby":{"":16}},"A05:2025: Injection":{"ruby":{"":16}},"A04:2021: Insecure Design":{"ruby":{"":3}},"A06:2025: Insecure Design":{"ruby":{"":3}},"A01:2021: Broken Access Control":{"ruby":{"":12}},"A01:2025: Broken Access Control":{"ruby":{"":13}},"A05:2017: Broken Access Control":{"ruby":{"":7}},"A02:2021: Cryptographic Failures":{"ruby":{"":5}},"A04:2025: Cryptographic Failures":{"ruby":{"":5}},"A03:2017: Sensitive Data Exposure":{"ruby":{"":8}},"A07:2025: Authentication Failures":{"ruby":{"":25}},"A08:2017: Insecure Deserialization":{"ruby":{"":2}},"A07:2017: Cross-Site Scripting (XSS)":{"ruby":{"":3}},"A10:2021: Server-Side Request Forgery (SSRF)":{"ruby":{"":1}},"A08:2025: Software or Data Integrity Failures":{"ruby":{"":2}},"A08:2021: Software and Data Integrity Failures":{"ruby":{"":2}},"A07:2021: Identification and Authentication Failures":{"ruby":{"":25}}},"rules_with_no_owasp":["divide-by-zero"]}},"author":"Semgrep","counts":{"total_rules":66,"premium_rules":22},"username":"semgrep","languages":["Ruby"],"description":"Default ruleset for Ruby, curated by Semgrep.","id":"9G8","name":"ruby","visibility":"public","categories":[{"id":"V5W","slug":"languages-and-frameworks","name":"Languages and Frameworks","description":"Check your code for security problems and best practices in these languages and frameworks."}]},{"tags":["security","eslint","correctness"],"stats":{"cwe":{"totals":{"CWE-22":1,"CWE-79":2,"CWE-95":3,"CWE-119":1,"CWE-185":1,"CWE-208":1,"CWE-338":1,"CWE-770":1,"CWE-94: Improper Control of Generation of Code ('Code 
Injection')":1},"per_framework":{"CWE-22":{"typescript":{"":1}},"CWE-79":{"javascript":{"":1},"typescript":{"":1}},"CWE-95":{"javascript":{"":3}},"CWE-119":{"javascript":{"":1}},"CWE-185":{"javascript":{"":1}},"CWE-208":{"javascript":{"":1}},"CWE-338":{"javascript":{"":1}},"CWE-770":{"javascript":{"":1}},"CWE-94: Improper Control of Generation of Code ('Code Injection')":{"javascript":{"":1}}},"rules_with_no_cwe":[]},"owasp":{"totals":{"":1,"A1:2017-Injection":4,"A03:2021-Injection":5,"A5:2017-Broken Access Control":1,"A01:2021-Broken Access Control":1,"A02:2021-Cryptographic Failures":2,"A3:2017-Sensitive Data Exposure":2,"A7:2017-Cross-Site Scripting (XSS)":2,"A06:2021-Vulnerable and Outdated Components":2,"A9:2017-Using Components with Known Vulnerabilities":2},"per_framework":{"":{"javascript":{"":1}},"A1:2017-Injection":{"javascript":{"":4}},"A03:2021-Injection":{"javascript":{"":4},"typescript":{"":1}},"A5:2017-Broken Access Control":{"typescript":{"":1}},"A01:2021-Broken Access Control":{"typescript":{"":1}},"A02:2021-Cryptographic Failures":{"javascript":{"":2}},"A3:2017-Sensitive Data Exposure":{"javascript":{"":2}},"A7:2017-Cross-Site Scripting (XSS)":{"javascript":{"":1},"typescript":{"":1}},"A06:2021-Vulnerable and Outdated Components":{"javascript":{"":2}},"A9:2017-Using Components with Known Vulnerabilities":{"javascript":{"":2}}},"rules_with_no_owasp":["eslint.detect-object-injection"]}},"author":"Gitlab","counts":{"total_rules":12,"premium_rules":0},"hidden":false,"languages":["JavaScript","TypeScript"],"description":"Use Semgrep as a universal linter to identify vulnerabilities and code smells in your code base with the eslint rule 
pack.","id":"rGA","name":"gitlab-eslint","visibility":"public","categories":[]},{"tags":["security"],"stats":{"cwe":{"totals":{},"per_framework":{},"rules_with_no_cwe":[]},"owasp":{"totals":{},"per_framework":{},"rules_with_no_owasp":[]}},"author":"Semgrep","counts":{"total_rules":0,"premium_rules":0},"hidden":true,"username":"semgrep","description":"Test pinned rules.","id":"z9ll","name":"test-pinned-version","visibility":"public","categories":[]},{"tags":["security"],"stats":{"cwe":{"totals":{"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')":1},"per_framework":{"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')":{"java":{"":1}}},"rules_with_no_cwe":[]},"owasp":{"totals":{"A01:2017: Injection":1,"A03:2021: Injection":1,"A05:2025: Injection":1},"per_framework":{"A01:2017: Injection":{"java":{"":1}},"A03:2021: Injection":{"java":{"":1}},"A05:2025: Injection":{"java":{"":1}}},"rules_with_no_owasp":[]}},"author":"Semgrep","counts":{"total_rules":1,"premium_rules":1},"hidden":true,"username":"semgrep","description":"Test pinned rules.","id":"pk50","name":"test-pinned-version@dev","visibility":"public","categories":[]},{"tags":["security"],"stats":{"cwe":{"totals":{},"per_framework":{},"rules_with_no_cwe":[]},"owasp":{"totals":{},"per_framework":{},"rules_with_no_owasp":[]}},"author":"Semgrep","counts":{"total_rules":0,"premium_rules":0},"hidden":true,"username":"semgrep","description":"Test pinned rules.","id":"2Rdq","name":"test-pinned-version@v2024.04.11.1","visibility":"public","categories":[]},{"tags":["security"],"stats":{"cwe":{"totals":{},"per_framework":{},"rules_with_no_cwe":[]},"owasp":{"totals":{},"per_framework":{},"rules_with_no_owasp":[]}},"author":"Semgrep","counts":{"total_rules":0,"premium_rules":0},"hidden":true,"username":"semgrep","description":"Test pinned 
rules.","id":"X8y4","name":"test-pinned-version@v2024.04.11.2","visibility":"public","categories":[]},{"tags":["gosec"],"stats":{"cwe":{"totals":{"CWE-328: Use of Weak Hash":2,"CWE-377: Insecure Temporary File":1,"CWE-400: Uncontrolled Resource Consumption":1,"CWE-242: Use of Inherently Dangerous Function":1,"CWE-322: Key Exchange without Entity Authentication":1,"CWE-319: Cleartext Transmission of Sensitive Information":1,"CWE-327: Use of a Broken or Risky Cryptographic Algorithm":6,"CWE-913: Improper Control of Dynamically-Managed Code Resources":1,"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor":1,"CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)":1,"CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')":1,"CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')":1,"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')":4,"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')":1},"per_framework":{"CWE-328: Use of Weak Hash":{"go":{"":2}},"CWE-377: Insecure Temporary File":{"go":{"":1}},"CWE-400: Uncontrolled Resource Consumption":{"go":{"":1}},"CWE-242: Use of Inherently Dangerous Function":{"go":{"":1}},"CWE-322: Key Exchange without Entity Authentication":{"go":{"":1}},"CWE-319: Cleartext Transmission of Sensitive Information":{"go":{"":1}},"CWE-327: Use of a Broken or Risky Cryptographic Algorithm":{"go":{"":6}},"CWE-913: Improper Control of Dynamically-Managed Code Resources":{"go":{"":1}},"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor":{"go":{"":1}},"CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)":{"go":{"":1}},"CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')":{"go":{"":1}},"CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe 
Reflection')":{"go":{"":1}},"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')":{"go":{"":4}},"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')":{"go":{"":1}}},"rules_with_no_cwe":[]},"owasp":{"totals":{"":2,"A01:2017: Injection":1,"A03:2021: Injection":6,"A05:2025: Injection":6,"A01:2021: Broken Access Control":4,"A01:2025: Broken Access Control":4,"A05:2017: Broken Access Control":1,"A02:2021: Cryptographic Failures":11,"A04:2025: Cryptographic Failures":11,"A03:2017: Sensitive Data Exposure":9,"A07:2017: Cross-Site Scripting (XSS)":4},"per_framework":{"":{"go":{"":2}},"A01:2017: Injection":{"go":{"":1}},"A03:2021: Injection":{"go":{"":6}},"A05:2025: Injection":{"go":{"":6}},"A01:2021: Broken Access Control":{"go":{"":4}},"A01:2025: Broken Access Control":{"go":{"":4}},"A05:2017: Broken Access Control":{"go":{"":1}},"A02:2021: Cryptographic Failures":{"go":{"":11}},"A04:2025: Cryptographic Failures":{"go":{"":11}},"A03:2017: Sensitive Data Exposure":{"go":{"":9}},"A07:2017: Cross-Site Scripting (XSS)":{"go":{"":4}}},"rules_with_no_owasp":["use-of-unsafe-block","potential-dos-via-decompression-bomb"]}},"author":"Gitlab, Semgrep","counts":{"total_rules":23,"premium_rules":0},"hidden":false,"languages":["Go"],"description":"Use Semgrep as a universal linter to identify vulnerabilities in your code base with the gosec (https://github.com/securego/gosec) rule pack.","id":"PwW","name":"gosec","visibility":"public","categories":[{"id":"aR8","slug":"ported-security-tools","name":"Ported Security Tools","description":"Select rules ported from open-source security tools. 
Start here if you're familiar with these tools."}]},{"tags":["security"],"stats":{"cwe":{"totals":{"CWE-328: Use of Weak Hash":2,"CWE-489: Active Debug Code":2,"CWE-310: Cryptographic Issues":1,"CWE-798: Use of Hard-coded Credentials":1,"CWE-326: Inadequate Encryption Strength":5,"CWE-352: Cross-Site Request Forgery (CSRF)":4,"CWE-502: Deserialization of Untrusted Data":68,"CWE-918: Server-Side Request Forgery (SSRF)":286,"CWE-522: Insufficiently Protected Credentials":1,"CWE-73: External Control of File Name or Path":108,"CWE-117: Improper Output Neutralization for Logs":4,"CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag":7,"CWE-1333: Inefficient Regular Expression Complexity":3,"CWE-327: Use of a Broken or Risky Cryptographic Algorithm":22,"CWE-1275: Sensitive Cookie with Improper SameSite Attribute":6,"CWE-358: Improperly Implemented Security Check for Standard":36,"CWE-601: URL Redirection to Untrusted Site ('Open Redirect')":2,"CWE-611: Improper Restriction of XML External Entity Reference":6,"CWE-942: Permissive Cross-domain Policy with Untrusted Domains":1,"CWE-94: Improper Control of Generation of Code ('Code Injection')":35,"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor":1,"CWE-454: External Initialization of Trusted Variables or Data Stores":6,"CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute":10,"CWE-644: Improper Neutralization of HTTP Headers for Scripting Syntax":34,"CWE-943: Improper Neutralization of Special Elements in Data Query Logic":3,"CWE-497: Exposure of Sensitive System Information to an Unauthorized Control Sphere":21,"CWE-643: Improper Neutralization of Data within XPath Expressions ('XPath Injection')":3,"CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')":31,"CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')":1,"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')":3,"CWE-89: 
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')":158,"CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')":18,"CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')":3,"CWE-75: Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)":3,"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')":21},"per_framework":{"CWE-328: Use of Weak Hash":{"python":{"":2}},"CWE-489: Active Debug Code":{"python":{"":2}},"CWE-310: Cryptographic Issues":{"python":{"":1}},"CWE-798: Use of Hard-coded Credentials":{"python":{"":1}},"CWE-326: Inadequate Encryption Strength":{"python":{"":5}},"CWE-352: Cross-Site Request Forgery (CSRF)":{"python":{"":4}},"CWE-502: Deserialization of Untrusted Data":{"python":{"":68}},"CWE-918: Server-Side Request Forgery (SSRF)":{"python":{"":286}},"CWE-522: Insufficiently Protected Credentials":{"python":{"":1}},"CWE-73: External Control of File Name or Path":{"python":{"":108}},"CWE-117: Improper Output Neutralization for Logs":{"python":{"":4}},"CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag":{"python":{"":7}},"CWE-1333: Inefficient Regular Expression Complexity":{"python":{"":3}},"CWE-327: Use of a Broken or Risky Cryptographic Algorithm":{"python":{"":22}},"CWE-1275: Sensitive Cookie with Improper SameSite Attribute":{"python":{"":6}},"CWE-358: Improperly Implemented Security Check for Standard":{"python":{"":36}},"CWE-601: URL Redirection to Untrusted Site ('Open Redirect')":{"python":{"":2}},"CWE-611: Improper Restriction of XML External Entity Reference":{"python":{"":6}},"CWE-942: Permissive Cross-domain Policy with Untrusted Domains":{"python":{"":1}},"CWE-94: Improper Control of Generation of Code ('Code Injection')":{"python":{"":35}},"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor":{"python":{"":1}},"CWE-454: External 
Initialization of Trusted Variables or Data Stores":{"python":{"":6}},"CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute":{"python":{"":10}},"CWE-644: Improper Neutralization of HTTP Headers for Scripting Syntax":{"python":{"":34}},"CWE-943: Improper Neutralization of Special Elements in Data Query Logic":{"python":{"":3}},"CWE-497: Exposure of Sensitive System Information to an Unauthorized Control Sphere":{"python":{"":21}},"CWE-643: Improper Neutralization of Data within XPath Expressions ('XPath Injection')":{"python":{"":3}},"CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')":{"python":{"":31}},"CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')":{"python":{"":1}},"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')":{"python":{"":3}},"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')":{"python":{"":158}},"CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')":{"python":{"":18}},"CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')":{"python":{"":3}},"CWE-75: Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)":{"python":{"":3}},"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')":{"python":{"":21}}},"rules_with_no_cwe":[]},"owasp":{"totals":{"":11,"A01:2017: Injection":201,"A03:2021: Injection":276,"A05:2025: Injection":276,"A6:2017 misconfiguration":1,"A04:2021: Insecure Design":109,"A06:2025: Insecure Design":109,"A01:2021: Broken Access Control":65,"A01:2025: Broken Access Control":349,"A02:2017: Broken Authentication":1,"A05:2017: Broken Access Control":31,"A02:2021: Cryptographic Failures":28,"A04:2025: Cryptographic Failures":28,"A03:2017: Sensitive Data Exposure":28,"A07:2025: Authentication 
Failures":1,"A05:2021-Security misconfiguration":36,"A08:2017: Insecure Deserialization":68,"A02:2025: Security Misconfiguration":27,"A05:2021: Security Misconfiguration":27,"A07:2017: Cross-Site Scripting (XSS)":3,"A04:2017: XML External Entities (XXE)":9,"A10:2021: Server-Side Request Forgery (SSRF)":286,"A08:2025: Software or Data Integrity Failures":68,"A08:2021: Software and Data Integrity Failures":68,"A09:2025: Security Logging & Alerting Failures":4,"A09:2021: Security Logging and Monitoring Failures":4,"A07:2021: Identification and Authentication Failures":1},"per_framework":{"":{"python":{"":11}},"A01:2017: Injection":{"python":{"":201}},"A03:2021: Injection":{"python":{"":276}},"A05:2025: Injection":{"python":{"":276}},"A6:2017 misconfiguration":{"python":{"":1}},"A04:2021: Insecure Design":{"python":{"":109}},"A06:2025: Insecure Design":{"python":{"":109}},"A01:2021: Broken Access Control":{"python":{"":65}},"A01:2025: Broken Access Control":{"python":{"":349}},"A02:2017: Broken Authentication":{"python":{"":1}},"A05:2017: Broken Access Control":{"python":{"":31}},"A02:2021: Cryptographic Failures":{"python":{"":28}},"A04:2025: Cryptographic Failures":{"python":{"":28}},"A03:2017: Sensitive Data Exposure":{"python":{"":28}},"A07:2025: Authentication Failures":{"python":{"":1}},"A05:2021-Security misconfiguration":{"python":{"":36}},"A08:2017: Insecure Deserialization":{"python":{"":68}},"A02:2025: Security Misconfiguration":{"python":{"":27}},"A05:2021: Security Misconfiguration":{"python":{"":27}},"A07:2017: Cross-Site Scripting (XSS)":{"python":{"":3}},"A04:2017: XML External Entities (XXE)":{"python":{"":9}},"A10:2021: Server-Side Request Forgery (SSRF)":{"python":{"":286}},"A08:2025: Software or Data Integrity Failures":{"python":{"":68}},"A08:2021: Software and Data Integrity Failures":{"python":{"":68}},"A09:2025: Security Logging & Alerting Failures":{"python":{"":4}},"A09:2021: Security Logging and Monitoring 
Failures":{"python":{"":4}},"A07:2021: Identification and Authentication Failures":{"python":{"":1}}},"rules_with_no_owasp":["tainted-dotenv-variable-django","tainted-environ-variable-django","tainted-regex-stdlib-django","tainted-dotenv-variable-fastapi","tainted-environ-variable-fastapi","tainted-regex-stdlib-fastapi","debug-flask-passthrough-errors","active-debug-code-flask","tainted-dotenv-variable-flask","tainted-environ-variable-flask","tainted-regex-stdlib-flask"]}},"author":"Semgrep","counts":{"total_rules":915,"premium_rules":894},"hidden":true,"username":"semgrep","languages":["python"],"description":"Alpha ruleset for Python. This ruleset is intended to produce low false positives, and safe for use in CI/CD pipelines.","id":"owJ6","name":"python-alpha-ci","visibility":"public","categories":[]},{"stats":{"cwe":{"totals":{"CWE-287: Improper Authentication":2,"CWE-798: Use of Hard-coded Credentials":12,"CWE-522: Insufficiently Protected Credentials":2,"CWE-345: Insufficient Verification of Data Authenticity":4,"CWE-327: Use of a Broken or Risky Cryptographic Algorithm":6,"CWE-347: Improper Verification of Cryptographic Signature":1},"per_framework":{"CWE-287: Improper Authentication":{"python":{"":1},"javascript":{"":1}},"CWE-798: Use of Hard-coded Credentials":{"go":{"":1},"js":{"":2},"java":{"":1},"csharp":{"":2},"kotlin":{"":2},"python":{"":1},"javascript":{"":3}},"CWE-522: Insufficiently Protected Credentials":{"scala":{"":1},"python":{"":1}},"CWE-345: Insufficient Verification of Data Authenticity":{"go":{"":1},"java":{"":1},"csharp":{"":1},"javascript":{"":1}},"CWE-327: Use of a Broken or Risky Cryptographic Algorithm":{"go":{"":1},"java":{"":1},"kotlin":{"":1},"python":{"":1},"javascript":{"":2}},"CWE-347: Improper Verification of Cryptographic Signature":{"javascript":{"":1}}},"rules_with_no_cwe":[]},"owasp":{"totals":{"A04:2021: Insecure Design":2,"A06:2025: Insecure Design":2,"A02:2017: Broken Authentication":3,"A02:2021: Cryptographic 
Failures":6,"A04:2025: Cryptographic Failures":6,"A03:2017: Sensitive Data Exposure":6,"A07:2025: Authentication Failures":14,"A02:2025: Security Misconfiguration":1,"A05:2021: Security Misconfiguration":1,"A08:2025: Software or Data Integrity Failures":3,"A08:2021: Software and Data Integrity Failures":3,"A07:2021: Identification and Authentication Failures":14},"per_framework":{"A04:2021: Insecure Design":{"scala":{"":1},"python":{"":1}},"A06:2025: Insecure Design":{"scala":{"":1},"python":{"":1}},"A02:2017: Broken Authentication":{"scala":{"":1},"python":{"":2}},"A02:2021: Cryptographic Failures":{"go":{"":1},"java":{"":1},"kotlin":{"":1},"python":{"":1},"javascript":{"":2}},"A04:2025: Cryptographic Failures":{"go":{"":1},"java":{"":1},"kotlin":{"":1},"python":{"":1},"javascript":{"":2}},"A03:2017: Sensitive Data Exposure":{"go":{"":1},"java":{"":1},"kotlin":{"":1},"python":{"":1},"javascript":{"":2}},"A07:2025: Authentication Failures":{"go":{"":1},"js":{"":2},"java":{"":1},"csharp":{"":2},"kotlin":{"":2},"python":{"":2},"javascript":{"":4}},"A02:2025: Security Misconfiguration":{"javascript":{"":1}},"A05:2021: Security Misconfiguration":{"javascript":{"":1}},"A08:2025: Software or Data Integrity Failures":{"go":{"":1},"java":{"":1},"csharp":{"":1}},"A08:2021: Software and Data Integrity Failures":{"go":{"":1},"java":{"":1},"csharp":{"":1}},"A07:2021: Identification and Authentication Failures":{"go":{"":1},"js":{"":2},"java":{"":1},"csharp":{"":2},"kotlin":{"":2},"python":{"":2},"javascript":{"":4}}},"rules_with_no_owasp":[]}},"author":"Semgrep","counts":{"total_rules":25,"premium_rules":9},"username":"semgrep","description":"Avoid common JWT security mistakes.","id":"Aq8","name":"jwt","visibility":"public","categories":[{"id":"VJd","slug":"enforce-secure-guardrails","name":"Enforce Secure Guardrails","description":"Use Semgrep to ensure your code enforces secure defaults and framework protections, which can proactively eradicate entire classes of 
vulnerabilities. Avoid playing bug whack-a-mole and scale your security program."}]},{"tags":["security"],"stats":{"cwe":{"totals":{"CWE-346: Origin Validation Error":1,"CWE-693: Protection Mechanism Failure":2,"CWE-798: Use of Hard-coded Credentials":1,"CWE-352: Cross-Site Request Forgery (CSRF)":1,"CWE-400: Uncontrolled Resource Consumption":1,"CWE-319: Cleartext Transmission of Sensitive Information":2,"CWE-94: Improper Control of Generation of Code ('Code Injection')":2,"CWE-79: Improper Neutralization of Input During Web Page Generation":2,"CWE-77: Improper Neutralization of Special Elements used in a Command (Command Injection)":1,"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')":1},"per_framework":{"CWE-346: Origin Validation Error":{"elixir":{"":1}},"CWE-693: Protection Mechanism Failure":{"elixir":{"":2}},"CWE-798: Use of Hard-coded Credentials":{"elixir":{"":1}},"CWE-352: Cross-Site Request Forgery (CSRF)":{"elixir":{"":1}},"CWE-400: Uncontrolled Resource Consumption":{"elixir":{"":1}},"CWE-319: Cleartext Transmission of Sensitive Information":{"elixir":{"":2}},"CWE-94: Improper Control of Generation of Code ('Code Injection')":{"elixir":{"":2}},"CWE-79: Improper Neutralization of Input During Web Page Generation":{"elixir":{"":2}},"CWE-77: Improper Neutralization of Special Elements used in a Command (Command Injection)":{"elixir":{"":1}},"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')":{"elixir":{"":1}}},"rules_with_no_cwe":[]},"owasp":{"totals":{"A03:2021: Injection":6,"A05:2025: Injection":6,"A02:2021: Cryptographic Failures":2,"A04:2025: Cryptographic Failures":2,"A02:2025: Security Misconfiguration":6,"A05:2021: Security Misconfiguration":6},"per_framework":{"A03:2021: Injection":{"elixir":{"":6}},"A05:2025: Injection":{"elixir":{"":6}},"A02:2021: Cryptographic Failures":{"elixir":{"":2}},"A04:2025: Cryptographic Failures":{"elixir":{"":2}},"A02:2025: Security 
Misconfiguration":{"elixir":{"":6}},"A05:2021: Security Misconfiguration":{"elixir":{"":6}}},"rules_with_no_owasp":[]}},"author":"Semgrep","counts":{"total_rules":14,"premium_rules":14},"username":"semgrep","languages":["Elixir"],"description":"Default ruleset for Elixir, curated by Semgrep.","id":"K8NL","name":"elixir","visibility":"public","categories":[]},{"tags":["security","bandit","owasp"],"stats":{"cwe":{"totals":{"CWE-22":1,"CWE-78":9,"CWE-79":2,"CWE-89":5,"CWE-94":1,"CWE-95":1,"CWE-116":1,"CWE-155":1,"CWE-200":1,"CWE-295":2,"CWE-319":3,"CWE-322":1,"CWE-326":4,"CWE-327":22,"CWE-330":1,"CWE-377":2,"CWE-400":1,"CWE-489":1,"CWE-502":6,"CWE-611":8,"CWE-732":1,"CWE-754":1,"CWE-939":1,"CWE-1104":1,"CWE-377: Insecure Temporary File":1,"CWE-326: Inadequate Encryption Strength":1,"CWE-295: Improper Certificate Validation":1,"CWE-502: Deserialization of Untrusted Data":1,"CWE-327: Use of a Broken or Risky Cryptographic Algorithm":1,"CWE-611: Improper Restriction of XML External Entity Reference":2,"CWE-939: Improper Authorization in Handler for Custom URL Scheme":1,"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')":2,"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')":1,"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')":1,"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command 
Injection')":1},"per_framework":{"CWE-22":{"python":{"":1}},"CWE-78":{"python":{"":9}},"CWE-79":{"python":{"":2}},"CWE-89":{"python":{"":5}},"CWE-94":{"python":{"":1}},"CWE-95":{"python":{"":1}},"CWE-116":{"python":{"":1}},"CWE-155":{"python":{"":1}},"CWE-200":{"python":{"":1}},"CWE-295":{"python":{"":2}},"CWE-319":{"python":{"":3}},"CWE-322":{"python":{"":1}},"CWE-326":{"python":{"":4}},"CWE-327":{"python":{"":22}},"CWE-330":{"python":{"":1}},"CWE-377":{"python":{"":2}},"CWE-400":{"python":{"":1}},"CWE-489":{"python":{"":1}},"CWE-502":{"python":{"":6}},"CWE-611":{"python":{"":8}},"CWE-732":{"python":{"":1}},"CWE-754":{"python":{"":1}},"CWE-939":{"python":{"":1}},"CWE-1104":{"python":{"":1}},"CWE-377: Insecure Temporary File":{"python":{"":1}},"CWE-326: Inadequate Encryption Strength":{"python":{"":1}},"CWE-295: Improper Certificate Validation":{"python":{"":1}},"CWE-502: Deserialization of Untrusted Data":{"python":{"":1}},"CWE-327: Use of a Broken or Risky Cryptographic Algorithm":{"python":{"":1}},"CWE-611: Improper Restriction of XML External Entity Reference":{"python":{"":2}},"CWE-939: Improper Authorization in Handler for Custom URL Scheme":{"python":{"":1}},"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')":{"python":{"":2}},"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')":{"python":{"":1}},"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')":{"python":{"":1}},"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')":{"python":{"":1}}},"rules_with_no_cwe":[]},"owasp":{"totals":{"":1,"A1:2017-Injection":17,"A03:2021-Injection":27,"A01:2017: Injection":3,"A03:2021: Injection":4,"A05:2025: Injection":4,"A3: Sensitive Data Exposure":1,"A2:2017-Broken Authentication":2,"A5:2017-Broken Access Control":4,"A01:2021-Broken Access Control":4,"A7: Cross-Site Scripting 
(XSS)":1,"A02:2021-Cryptographic Failures":27,"A3:2017-Sensitive Data Exposure":31,"A4: XML External Entities (XXE)":1,"A02:2021: Cryptographic Failures":1,"A04:2025: Cryptographic Failures":1,"A8:2017-Insecure Deserialization":7,"A03:2017: Sensitive Data Exposure":2,"A07:2025: Authentication Failures":1,"A6:2017-Security Misconfiguration":4,"A05:2021-Security Misconfiguration":4,"A08:2017: Insecure Deserialization":1,"A7:2017-Cross-Site Scripting (XSS)":3,"A02:2025: Security Misconfiguration":1,"A05:2021: Security Misconfiguration":1,"A4:2017-XML External Entities (XXE)":8,"A07:2017: Cross-Site Scripting (XSS)":1,"A04:2017: XML External Entities (XXE)":1,"A08:2021-Software and Data Integrity Failures":6,"A08:2025: Software or Data Integrity Failures":1,"A08:2021: Software and Data Integrity Failures":1,"A07:2021-Identification and Authentication Failures":3,"A9:2017-Using Components with Known Vulnerabilities":1,"A07:2021: Identification and Authentication Failures":1},"per_framework":{"":{"python":{"":1}},"A1:2017-Injection":{"python":{"":17}},"A03:2021-Injection":{"python":{"":27}},"A01:2017: Injection":{"python":{"":3}},"A03:2021: Injection":{"python":{"":4}},"A05:2025: Injection":{"python":{"":4}},"A3: Sensitive Data Exposure":{"python":{"":1}},"A2:2017-Broken Authentication":{"python":{"":2}},"A5:2017-Broken Access Control":{"python":{"":4}},"A01:2021-Broken Access Control":{"python":{"":4}},"A7: Cross-Site Scripting (XSS)":{"python":{"":1}},"A02:2021-Cryptographic Failures":{"python":{"":27}},"A3:2017-Sensitive Data Exposure":{"python":{"":31}},"A4: XML External Entities (XXE)":{"python":{"":1}},"A02:2021: Cryptographic Failures":{"python":{"":1}},"A04:2025: Cryptographic Failures":{"python":{"":1}},"A8:2017-Insecure Deserialization":{"python":{"":7}},"A03:2017: Sensitive Data Exposure":{"python":{"":2}},"A07:2025: Authentication Failures":{"python":{"":1}},"A6:2017-Security Misconfiguration":{"python":{"":4}},"A05:2021-Security 
Misconfiguration":{"python":{"":4}},"A08:2017: Insecure Deserialization":{"python":{"":1}},"A7:2017-Cross-Site Scripting (XSS)":{"python":{"":3}},"A02:2025: Security Misconfiguration":{"python":{"":1}},"A05:2021: Security Misconfiguration":{"python":{"":1}},"A4:2017-XML External Entities (XXE)":{"python":{"":8}},"A07:2017: Cross-Site Scripting (XSS)":{"python":{"":1}},"A04:2017: XML External Entities (XXE)":{"python":{"":1}},"A08:2021-Software and Data Integrity Failures":{"python":{"":6}},"A08:2025: Software or Data Integrity Failures":{"python":{"":1}},"A08:2021: Software and Data Integrity Failures":{"python":{"":1}},"A07:2021-Identification and Authentication Failures":{"python":{"":3}},"A9:2017-Using Components with Known Vulnerabilities":{"python":{"":1}},"A07:2021: Identification and Authentication Failures":{"python":{"":1}}},"rules_with_no_owasp":["bandit.B108-1"]}},"author":"Gitlab, Semgrep","counts":{"total_rules":90,"premium_rules":0},"hidden":false,"languages":["Python"],"description":"Use Semgrep as a universal linter to identify vulnerabilities in your code base with the bandit (https://github.com/PyCQA/bandit) rule pack.","id":"yKd","name":"gitlab-bandit","visibility":"public","categories":[]},{"tags":["semgrep","security","react","reactjs","best practice","typescript"],"stats":{"cwe":{"totals":{"":11,"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')":2},"per_framework":{"":{"javascript":{"":1},"typescript":{"":10}},"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')":{"typescript":{"":2}}},"rules_with_no_cwe":["define-styled-components-on-module-level","react-find-dom","react-legacy-component","react-props-in-state","react-props-spreading","calling-set-state-on-current-state","mui-snackbar-message","i18next-key-format","jsx-label-not-i18n","jsx-not-internationalized","useselect-label-not-i18n"]},"owasp":{"totals":{"":11,"A03:2021: Injection":2,"A05:2025: 
Injection":2,"A07:2017: Cross-Site Scripting (XSS)":2},"per_framework":{"":{"javascript":{"":1},"typescript":{"":10}},"A03:2021: Injection":{"typescript":{"":2}},"A05:2025: Injection":{"typescript":{"":2}},"A07:2017: Cross-Site Scripting (XSS)":{"typescript":{"":2}}},"rules_with_no_owasp":["define-styled-components-on-module-level","react-find-dom","react-legacy-component","react-props-in-state","react-props-spreading","calling-set-state-on-current-state","mui-snackbar-message","i18next-key-format","jsx-label-not-i18n","jsx-not-internationalized","useselect-label-not-i18n"]}},"author":"Semgrep","counts":{"total_rules":13,"premium_rules":0},"username":"semgrep","languages":["TypeScript"],"description":"React rules which contain best practices and general code-smells, should not be run in CI/CD.","id":"kWlo","name":"react-best-practices","visibility":"public","categories":[]},{"tags":["security","semgrep","ruby","rails"],"stats":{"cwe":{"totals":{"CWE-284: Improper Access Control":1,"CWE-185: Incorrect Regular Expression":1,"CWE-73: External Control of File Name or Path":1,"CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag":1,"CWE-1333: Inefficient Regular Expression Complexity":1,"CWE-639: Authorization Bypass Through User-Controlled Key":1,"CWE-540: Inclusion of Sensitive Information in Source Code":2,"CWE-601: URL Redirection to Untrusted Site ('Open Redirect')":1,"CWE-650: Trusting HTTP Permission Methods on the Server Side":1,"CWE-94: Improper Control of Generation of Code ('Code Injection')":2,"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor":1,"CWE-1022: Use of Web Link to Untrusted Target with window.opener Access":1,"CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')":2,"CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes":2,"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')":1},"per_framework":{"CWE-284: Improper Access 
Control":{"ruby":{"":1}},"CWE-185: Incorrect Regular Expression":{"ruby":{"":1}},"CWE-73: External Control of File Name or Path":{"ruby":{"":1}},"CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag":{"ruby":{"":1}},"CWE-1333: Inefficient Regular Expression Complexity":{"ruby":{"":1}},"CWE-639: Authorization Bypass Through User-Controlled Key":{"ruby":{"":1}},"CWE-540: Inclusion of Sensitive Information in Source Code":{"ruby":{"":1},"yaml":{"":1}},"CWE-601: URL Redirection to Untrusted Site ('Open Redirect')":{"ruby":{"":1}},"CWE-650: Trusting HTTP Permission Methods on the Server Side":{"ruby":{"":1}},"CWE-94: Improper Control of Generation of Code ('Code Injection')":{"ruby":{"":2}},"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor":{"ruby":{"":1}},"CWE-1022: Use of Web Link to Untrusted Target with window.opener Access":{"generic":{"":1}},"CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')":{"ruby":{"":1},"generic":{"":1}},"CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes":{"ruby":{"":2}},"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')":{"ruby":{"":1}}},"rules_with_no_cwe":[]},"owasp":{"totals":{"":1,"A01:2017: Injection":1,"A03:2021: Injection":3,"A05:2025: Injection":3,"A04:2021: Insecure Design":2,"A06:2025: Insecure Design":2,"A01:2021: Broken Access Control":9,"A01:2025: Broken Access Control":9,"A05:2017: Broken Access Control":5,"A03:2017: Sensitive Data Exposure":1,"A02:2025: Security Misconfiguration":1,"A05:2021: Security Misconfiguration":1,"A08:2025: Software or Data Integrity Failures":2,"A08:2021: Software and Data Integrity Failures":2},"per_framework":{"":{"generic":{"":1}},"A01:2017: Injection":{"ruby":{"":1}},"A03:2021: Injection":{"ruby":{"":3}},"A05:2025: Injection":{"ruby":{"":3}},"A04:2021: Insecure Design":{"ruby":{"":2}},"A06:2025: Insecure Design":{"ruby":{"":2}},"A01:2021: Broken Access 
Control":{"ruby":{"":7},"yaml":{"":1},"generic":{"":1}},"A01:2025: Broken Access Control":{"ruby":{"":7},"yaml":{"":1},"generic":{"":1}},"A05:2017: Broken Access Control":{"ruby":{"":4},"generic":{"":1}},"A03:2017: Sensitive Data Exposure":{"ruby":{"":1}},"A02:2025: Security Misconfiguration":{"ruby":{"":1}},"A05:2021: Security Misconfiguration":{"ruby":{"":1}},"A08:2025: Software or Data Integrity Failures":{"ruby":{"":2}},"A08:2021: Software and Data Integrity Failures":{"ruby":{"":2}}},"rules_with_no_owasp":["check-reverse-tabnabbing"]}},"author":"Semgrep","counts":{"total_rules":19,"premium_rules":0},"username":"semgrep","description":"Brakeman ruleset curated by Semgrep.","id":"BYR2","name":"brakeman","visibility":"public","categories":[{"id":"aR8","slug":"ported-security-tools","name":"Ported Security Tools","description":"Select rules ported from open-source security tools. Start here if you're familiar with these tools."}]},{"tags":["security"],"stats":{"cwe":{"totals":{"CWE-780: Use of RSA Algorithm without OAEP":1,"CWE-918: Server-Side Request Forgery (SSRF)":1,"CWE-522: Insufficiently Protected Credentials":2,"CWE-327: Use of a Broken or Risky Cryptographic Algorithm":1,"CWE-611: Improper Restriction of XML External Entity Reference":3,"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')":1,"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')":3},"per_framework":{"CWE-780: Use of RSA Algorithm without OAEP":{"scala":{"":1}},"CWE-918: Server-Side Request Forgery (SSRF)":{"scala":{"":1}},"CWE-522: Insufficiently Protected Credentials":{"scala":{"":2}},"CWE-327: Use of a Broken or Risky Cryptographic Algorithm":{"kt":{"":1}},"CWE-611: Improper Restriction of XML External Entity Reference":{"scala":{"":3}},"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')":{"scala":{"":1}},"CWE-89: Improper Neutralization of Special Elements used in 
an SQL Command ('SQL Injection')":{"scala":{"":3}}},"rules_with_no_cwe":[]},"owasp":{"totals":{"A01:2017: Injection":3,"A03:2021: Injection":4,"A05:2025: Injection":4,"A04:2021: Insecure Design":2,"A06:2025: Insecure Design":2,"A01:2025: Broken Access Control":1,"A02:2017: Broken Authentication":2,"A02:2021: Cryptographic Failures":2,"A04:2025: Cryptographic Failures":2,"A03:2017: Sensitive Data Exposure":1,"A02:2025: Security Misconfiguration":3,"A05:2021: Security Misconfiguration":3,"A07:2017: Cross-Site Scripting (XSS)":1,"A04:2017: XML External Entities (XXE)":3,"A10:2021: Server-Side Request Forgery (SSRF)":1},"per_framework":{"A01:2017: Injection":{"scala":{"":3}},"A03:2021: Injection":{"scala":{"":4}},"A05:2025: Injection":{"scala":{"":4}},"A04:2021: Insecure Design":{"scala":{"":2}},"A06:2025: Insecure Design":{"scala":{"":2}},"A01:2025: Broken Access Control":{"scala":{"":1}},"A02:2017: Broken Authentication":{"scala":{"":2}},"A02:2021: Cryptographic Failures":{"kt":{"":1},"scala":{"":1}},"A04:2025: Cryptographic Failures":{"kt":{"":1},"scala":{"":1}},"A03:2017: Sensitive Data Exposure":{"kt":{"":1}},"A02:2025: Security Misconfiguration":{"scala":{"":3}},"A05:2021: Security Misconfiguration":{"scala":{"":3}},"A07:2017: Cross-Site Scripting (XSS)":{"scala":{"":1}},"A04:2017: XML External Entities (XXE)":{"scala":{"":3}},"A10:2021: Server-Side Request Forgery (SSRF)":{"scala":{"":1}}},"rules_with_no_owasp":[]}},"author":"Semgrep","counts":{"total_rules":12,"premium_rules":0},"username":"semgrep","languages":["Scala"],"description":"Default ruleset for Scala, curated by Semgrep.","id":"Ab4L","name":"scala","visibility":"public","categories":[]},{"tags":["django"],"stats":{"cwe":{"totals":{"CWE-20: Improper Input Validation":1,"CWE-521: Weak Password Requirements":2,"CWE-352: Cross-Site Request Forgery (CSRF)":2,"CWE-502: Deserialization of Untrusted Data":13,"CWE-704: Incorrect Type Conversion or Cast":1,"CWE-918: Server-Side Request Forgery 
(SSRF)":51,"CWE-73: External Control of File Name or Path":16,"CWE-117: Improper Output Neutralization for Logs":1,"CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag":2,"CWE-1333: Inefficient Regular Expression Complexity":1,"CWE-327: Use of a Broken or Risky Cryptographic Algorithm":1,"CWE-1275: Sensitive Cookie with Improper SameSite Attribute":2,"CWE-601: URL Redirection to Untrusted Site ('Open Redirect')":2,"CWE-611: Improper Restriction of XML External Entity Reference":2,"CWE-94: Improper Control of Generation of Code ('Code Injection')":6,"CWE-1236: Improper Neutralization of Formula Elements in a CSV File":1,"CWE-454: External Initialization of Trusted Variables or Data Stores":2,"CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')":1,"CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute":2,"CWE-644: Improper Neutralization of HTTP Headers for Scripting Syntax":6,"CWE-943: Improper Neutralization of Special Elements in Data Query Logic":1,"CWE-643: Improper Neutralization of Data within XPath Expressions ('XPath Injection')":1,"CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')":11,"CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')":1,"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')":4,"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')":34,"CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')":3,"CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')":1,"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')":4,"CWE-75: Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)":1,"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')":5,"CWE-74: Improper Neutralization 
of Special Elements in Output Used by a Downstream Component ('Injection')":2},"per_framework":{"CWE-20: Improper Input Validation":{"python":{"":1}},"CWE-521: Weak Password Requirements":{"python":{"":2}},"CWE-352: Cross-Site Request Forgery (CSRF)":{"python":{"":1},"generic":{"":1}},"CWE-502: Deserialization of Untrusted Data":{"python":{"":13}},"CWE-704: Incorrect Type Conversion or Cast":{"python":{"":1}},"CWE-918: Server-Side Request Forgery (SSRF)":{"python":{"":51}},"CWE-73: External Control of File Name or Path":{"python":{"":16}},"CWE-117: Improper Output Neutralization for Logs":{"python":{"":1}},"CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag":{"python":{"":2}},"CWE-1333: Inefficient Regular Expression Complexity":{"python":{"":1}},"CWE-327: Use of a Broken or Risky Cryptographic Algorithm":{"python":{"":1}},"CWE-1275: Sensitive Cookie with Improper SameSite Attribute":{"python":{"":2}},"CWE-601: URL Redirection to Untrusted Site ('Open Redirect')":{"python":{"":2}},"CWE-611: Improper Restriction of XML External Entity Reference":{"python":{"":2}},"CWE-94: Improper Control of Generation of Code ('Code Injection')":{"python":{"":6}},"CWE-1236: Improper Neutralization of Formula Elements in a CSV File":{"python":{"":1}},"CWE-454: External Initialization of Trusted Variables or Data Stores":{"python":{"":2}},"CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')":{"python":{"":1}},"CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute":{"python":{"":2}},"CWE-644: Improper Neutralization of HTTP Headers for Scripting Syntax":{"python":{"":6}},"CWE-943: Improper Neutralization of Special Elements in Data Query Logic":{"python":{"":1}},"CWE-643: Improper Neutralization of Data within XPath Expressions ('XPath Injection')":{"python":{"":1}},"CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')":{"python":{"":11}},"CWE-77: Improper Neutralization of Special Elements used in a Command ('Command 
Injection')":{"python":{"":1}},"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')":{"python":{"":4}},"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')":{"python":{"":34}},"CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')":{"python":{"":3}},"CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')":{"python":{"":1}},"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')":{"python":{"":4}},"CWE-75: Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)":{"python":{"":1}},"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')":{"python":{"":5}},"CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')":{"python":{"":2}}},"rules_with_no_cwe":[]},"owasp":{"totals":{"":6,"A01:2017: Injection":45,"A03:2021: Injection":69,"A05:2025: Injection":69,"A04:2021: Insecure Design":16,"A06:2025: Insecure Design":16,"A01:2021: Broken Access Control":16,"A01:2025: Broken Access Control":67,"A05:2017: Broken Access Control":11,"A07:2025: Authentication Failures":2,"A08:2017: Insecure Deserialization":13,"A02:2021 – Cryptographic Failures":1,"A02:2025: Security Misconfiguration":7,"A05:2021: Security Misconfiguration":7,"A07:2017: Cross-Site Scripting (XSS)":4,"A04:2017: XML External Entities (XXE)":3,"A10:2021: Server-Side Request Forgery (SSRF)":51,"A08:2025: Software or Data Integrity Failures":13,"A08:2021: Software and Data Integrity Failures":13,"A09:2025: Security Logging & Alerting Failures":1,"A09:2021: Security Logging and Monitoring Failures":1,"A07:2021: Identification and Authentication Failures":2},"per_framework":{"":{"python":{"":5},"generic":{"":1}},"A01:2017: Injection":{"python":{"":45}},"A03:2021: 
Injection":{"python":{"":69}},"A05:2025: Injection":{"python":{"":69}},"A04:2021: Insecure Design":{"python":{"":16}},"A06:2025: Insecure Design":{"python":{"":16}},"A01:2021: Broken Access Control":{"python":{"":16}},"A01:2025: Broken Access Control":{"python":{"":67}},"A05:2017: Broken Access Control":{"python":{"":11}},"A07:2025: Authentication Failures":{"python":{"":2}},"A08:2017: Insecure Deserialization":{"python":{"":13}},"A02:2021 – Cryptographic Failures":{"python":{"":1}},"A02:2025: Security Misconfiguration":{"python":{"":7}},"A05:2021: Security Misconfiguration":{"python":{"":7}},"A07:2017: Cross-Site Scripting (XSS)":{"python":{"":4}},"A04:2017: XML External Entities (XXE)":{"python":{"":3}},"A10:2021: Server-Side Request Forgery (SSRF)":{"python":{"":51}},"A08:2025: Software or Data Integrity Failures":{"python":{"":13}},"A08:2021: Software and Data Integrity Failures":{"python":{"":13}},"A09:2025: Security Logging & Alerting Failures":{"python":{"":1}},"A09:2021: Security Logging and Monitoring Failures":{"python":{"":1}},"A07:2021: Identification and Authentication Failures":{"python":{"":2}}},"rules_with_no_owasp":["tainted-dotenv-variable-django","tainted-environ-variable-django","tainted-regex-stdlib-django","django-no-csrf-token","django-using-request-post-after-is-valid","nan-injection"]}},"author":"Semgrep","counts":{"total_rules":183,"premium_rules":155},"username":"semgrep","languages":["python"],"description":"Default ruleset for Django, curated by Semgrep. 
Please upgrade to Semgrep > 1.81.0 to use this ruleset.","id":"7PW","name":"django","visibility":"public","categories":[]},{"tags":["semgrep","security","scala","play"],"stats":{"cwe":{"totals":{"CWE-489: Active Debug Code":1,"CWE-352: Cross-Site Request Forgery (CSRF)":1,"CWE-780: Use of RSA Algorithm without OAEP":1,"CWE-918: Server-Side Request Forgery (SSRF)":4,"CWE-330: Use of Insufficiently Random Values":1,"CWE-522: Insufficiently Protected Credentials":1,"CWE-611: Improper Restriction of XML External Entity Reference":3,"CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute":1,"CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')":1,"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')":2,"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')":4,"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')":3},"per_framework":{"CWE-489: Active Debug Code":{"generic":{"":1}},"CWE-352: Cross-Site Request Forgery (CSRF)":{"generic":{"":1}},"CWE-780: Use of RSA Algorithm without OAEP":{"scala":{"":1}},"CWE-918: Server-Side Request Forgery (SSRF)":{"scala":{"":4}},"CWE-330: Use of Insufficiently Random Values":{"scala":{"":1}},"CWE-522: Insufficiently Protected Credentials":{"scala":{"":1}},"CWE-611: Improper Restriction of XML External Entity Reference":{"scala":{"":3}},"CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute":{"generic":{"":1}},"CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')":{"scala":{"":1}},"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')":{"scala":{"":1},"generic":{"":1}},"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')":{"scala":{"":4}},"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command 
Injection')":{"scala":{"":3}}},"rules_with_no_cwe":[]},"owasp":{"totals":{"A01:2017: Injection":7,"A03:2021: Injection":9,"A05:2025: Injection":9,"A04:2021: Insecure Design":1,"A06:2025: Insecure Design":1,"A01:2021: Broken Access Control":2,"A01:2025: Broken Access Control":6,"A02:2017: Broken Authentication":1,"A05:2017: Broken Access Control":1,"A02:2021: Cryptographic Failures":2,"A04:2025: Cryptographic Failures":2,"A02:2025: Security Misconfiguration":4,"A05:2021: Security Misconfiguration":5,"A07:2017: Cross-Site Scripting (XSS)":2,"A04:2017: XML External Entities (XXE)":3,"A10:2021: Server-Side Request Forgery (SSRF)":4},"per_framework":{"A01:2017: Injection":{"scala":{"":7}},"A03:2021: Injection":{"scala":{"":8},"generic":{"":1}},"A05:2025: Injection":{"scala":{"":8},"generic":{"":1}},"A04:2021: Insecure Design":{"scala":{"":1}},"A06:2025: Insecure Design":{"scala":{"":1}},"A01:2021: Broken Access Control":{"scala":{"":1},"generic":{"":1}},"A01:2025: Broken Access Control":{"scala":{"":5},"generic":{"":1}},"A02:2017: Broken Authentication":{"scala":{"":1}},"A05:2017: Broken Access Control":{"scala":{"":1}},"A02:2021: Cryptographic Failures":{"scala":{"":2}},"A04:2025: Cryptographic Failures":{"scala":{"":2}},"A02:2025: Security Misconfiguration":{"scala":{"":3},"generic":{"":1}},"A05:2021: Security Misconfiguration":{"scala":{"":3},"generic":{"":2}},"A07:2017: Cross-Site Scripting (XSS)":{"scala":{"":1},"generic":{"":1}},"A04:2017: XML External Entities (XXE)":{"scala":{"":3}},"A10:2021: Server-Side Request Forgery (SSRF)":{"scala":{"":4}}},"rules_with_no_owasp":[]}},"author":"Semgrep","counts":{"total_rules":23,"premium_rules":0},"description":"Play framework ruleset by Semgrep","id":"Rezg","name":"play","visibility":"public","categories":[]},{"tags":["fastapi"],"stats":{"cwe":{"totals":{"CWE-502: Deserialization of Untrusted Data":11,"CWE-918: Server-Side Request Forgery (SSRF)":49,"CWE-73: External Control of File Name or Path":16,"CWE-117: Improper 
Output Neutralization for Logs":1,"CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag":2,"CWE-1333: Inefficient Regular Expression Complexity":1,"CWE-1275: Sensitive Cookie with Improper SameSite Attribute":1,"CWE-601: URL Redirection to Untrusted Site ('Open Redirect')":1,"CWE-611: Improper Restriction of XML External Entity Reference":2,"CWE-942: Permissive Cross-domain Policy with Untrusted Domains":1,"CWE-94: Improper Control of Generation of Code ('Code Injection')":6,"CWE-454: External Initialization of Trusted Variables or Data Stores":2,"CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute":2,"CWE-644: Improper Neutralization of HTTP Headers for Scripting Syntax":6,"CWE-943: Improper Neutralization of Special Elements in Data Query Logic":1,"CWE-643: Improper Neutralization of Data within XPath Expressions ('XPath Injection')":1,"CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')":9,"CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')":1,"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')":1,"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')":29,"CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')":3,"CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')":1,"CWE-75: Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)":1,"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')":4},"per_framework":{"CWE-502: Deserialization of Untrusted Data":{"python":{"":11}},"CWE-918: Server-Side Request Forgery (SSRF)":{"python":{"":49}},"CWE-73: External Control of File Name or Path":{"python":{"":16}},"CWE-117: Improper Output Neutralization for Logs":{"python":{"":1}},"CWE-1004: Sensitive Cookie Without 'HttpOnly' 
Flag":{"python":{"":2}},"CWE-1333: Inefficient Regular Expression Complexity":{"python":{"":1}},"CWE-1275: Sensitive Cookie with Improper SameSite Attribute":{"python":{"":1}},"CWE-601: URL Redirection to Untrusted Site ('Open Redirect')":{"python":{"":1}},"CWE-611: Improper Restriction of XML External Entity Reference":{"python":{"":2}},"CWE-942: Permissive Cross-domain Policy with Untrusted Domains":{"python":{"":1}},"CWE-94: Improper Control of Generation of Code ('Code Injection')":{"python":{"":6}},"CWE-454: External Initialization of Trusted Variables or Data Stores":{"python":{"":2}},"CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute":{"python":{"":2}},"CWE-644: Improper Neutralization of HTTP Headers for Scripting Syntax":{"python":{"":6}},"CWE-943: Improper Neutralization of Special Elements in Data Query Logic":{"python":{"":1}},"CWE-643: Improper Neutralization of Data within XPath Expressions ('XPath Injection')":{"python":{"":1}},"CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')":{"python":{"":9}},"CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')":{"python":{"":1}},"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')":{"python":{"":1}},"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')":{"python":{"":29}},"CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')":{"python":{"":3}},"CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')":{"python":{"":1}},"CWE-75: Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)":{"python":{"":1}},"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')":{"python":{"":4}}},"rules_with_no_cwe":[]},"owasp":{"totals":{"":3,"A01:2017: Injection":38,"A03:2021: Injection":52,"A05:2025: 
Injection":52,"A04:2021: Insecure Design":16,"A06:2025: Insecure Design":16,"A01:2021: Broken Access Control":11,"A01:2025: Broken Access Control":60,"A05:2017: Broken Access Control":9,"A08:2017: Insecure Deserialization":11,"A02:2025: Security Misconfiguration":8,"A05:2021: Security Misconfiguration":8,"A07:2017: Cross-Site Scripting (XSS)":1,"A04:2017: XML External Entities (XXE)":3,"A10:2021: Server-Side Request Forgery (SSRF)":49,"A08:2025: Software or Data Integrity Failures":11,"A08:2021: Software and Data Integrity Failures":11,"A09:2025: Security Logging & Alerting Failures":1,"A09:2021: Security Logging and Monitoring Failures":1},"per_framework":{"":{"python":{"":3}},"A01:2017: Injection":{"python":{"":38}},"A03:2021: Injection":{"python":{"":52}},"A05:2025: Injection":{"python":{"":52}},"A04:2021: Insecure Design":{"python":{"":16}},"A06:2025: Insecure Design":{"python":{"":16}},"A01:2021: Broken Access Control":{"python":{"":11}},"A01:2025: Broken Access Control":{"python":{"":60}},"A05:2017: Broken Access Control":{"python":{"":9}},"A08:2017: Insecure Deserialization":{"python":{"":11}},"A02:2025: Security Misconfiguration":{"python":{"":8}},"A05:2021: Security Misconfiguration":{"python":{"":8}},"A07:2017: Cross-Site Scripting (XSS)":{"python":{"":1}},"A04:2017: XML External Entities (XXE)":{"python":{"":3}},"A10:2021: Server-Side Request Forgery (SSRF)":{"python":{"":49}},"A08:2025: Software or Data Integrity Failures":{"python":{"":11}},"A08:2021: Software and Data Integrity Failures":{"python":{"":11}},"A09:2025: Security Logging & Alerting Failures":{"python":{"":1}},"A09:2021: Security Logging and Monitoring Failures":{"python":{"":1}}},"rules_with_no_owasp":["tainted-dotenv-variable-fastapi","tainted-environ-variable-fastapi","tainted-regex-stdlib-fastapi"]}},"author":"Semgrep","counts":{"total_rules":152,"premium_rules":151},"username":"semgrep","languages":["python"],"description":"Default ruleset for FastAPI, curated by 
Semgrep.","id":"96Qz","name":"fastapi","visibility":"public","categories":[]}]