# Supported Fixes

A "**fix**" is defined as a code remediation that has been validated and tested by Mobb engineers.

All fixes must meet the following criteria:

* The fix addresses the security issue as identified by the SAST tool
* The fix should be recognized by the SAST tool: on re-scan, the tool should report the finding as fixed

Here are the categories of fixes that Mobb currently supports. If there is a category you'd like to see Mobb support that is not listed here, please email us at <support@mobb.ai>.

If you'd like us to support a SAST tool that is not listed here, please tell us by submitting it [here](https://mobb.ai/partners).

{% hint style="info" %}
Since different SAST vendors often name issues differently, the issue names in parentheses are the Mobb normalized names.
{% endhint %}

<details>

<summary>List of Supported Issue Types for Snyk</summary>

**C#**

* [Anti-forgery token validation disabled](https://docs.snyk.io/scan-using-snyk/snyk-code/snyk-code-security-rules#rule-93-anti-forgery-token-validation-disabled)
* [Arbitrary File Write via Archive Extraction (Zip Slip)](https://docs.snyk.io/scan-using-snyk/snyk-code/snyk-code-security-rules#rule-9-arbitrary-file-write-via-archive-extraction-zip-slip)
* Cross-site Scripting (XSS)
* [Log Forging](https://docs.snyk.io/scan-using-snyk/snyk-code/snyk-code-security-rules#rule-36-log-forging)
* [Path Traversal](https://docs.snyk.io/scan-using-snyk/snyk-code/snyk-code-security-rules#rule-10-path-traversal)
* [Sensitive Cookie in HTTPS Session Without 'Secure' Attribute](https://docs.snyk.io/scan-using-snyk/snyk-code/snyk-code-security-rules#rule-126-sensitive-cookie-in-https-session-without-secure-attribute)
* [Sensitive Cookie Without 'HttpOnly' Flag](https://docs.snyk.io/scan-using-snyk/snyk-code/snyk-code-security-rules#rule-150-sensitive-cookie-without-httponly-flag)
* [Server-Side Request Forgery (SSRF)](https://docs.snyk.io/scan-using-snyk/snyk-code/snyk-code-security-rules#rule-144-server-side-request-forgery-ssrf)
* [SQL Injection](https://docs.snyk.io/scan-using-snyk/snyk-code/snyk-code-security-rules#rule-23-sql-injection)
* [Use of Insufficiently Random Values](https://docs.snyk.io/scan-using-snyk/snyk-code/snyk-code-security-rules#rule-87-use-of-insufficiently-random-values)
* [XML External Entity (XXE) Injection](https://docs.snyk.io/scan-using-snyk/snyk-code/snyk-code-security-rules#rule-123-xml-external-entity-xxe-injection)

**GO**

* [Clear Text Logging](https://docs.snyk.io/scan-with-snyk/snyk-code/snyk-code-security-rules/go-rules)
* Command Injection
* [Cross-site Scripting (XSS)](https://docs.snyk.io/scan-with-snyk/snyk-code/snyk-code-security-rules/go-rules)
* [Improper Certificate Validation](https://docs.snyk.io/scan-with-snyk/snyk-code/snyk-code-security-rules/go-rules)
* [Insecurely Generated Password](https://docs.snyk.io/scan-with-snyk/snyk-code/snyk-code-security-rules/go-rules)
* SQL Injection

**Java**

* [Arbitrary File Write via Archive Extraction (Zip Slip)](https://docs.snyk.io/scan-using-snyk/snyk-code/snyk-code-security-rules#rule-9-arbitrary-file-write-via-archive-extraction-zip-slip)
* [Command Injection](https://docs.snyk.io/scan-using-snyk/snyk-code/snyk-code-security-rules#rule-12-command-injection)
* [Cross-site Scripting (XSS)](https://docs.snyk.io/scan-using-snyk/snyk-code/snyk-code-security-rules#rule-15-cross-site-scripting-xss)
* [Improper Neutralization of CRLF Sequences in HTTP Headers](https://docs.snyk.io/scan-using-snyk/snyk-code/snyk-code-security-rules#rule-33-improper-neutralization-of-crlf-sequences-in-http-headers)
* [Open Redirect](https://docs.snyk.io/scan-with-snyk/snyk-code/snyk-code-security-rules/java-rules)
* [Path Traversal](https://docs.snyk.io/scan-using-snyk/snyk-code/snyk-code-security-rules#rule-10-path-traversal)
* [Regular expression injection](https://docs.snyk.io/scan-using-snyk/snyk-code/snyk-code-security-rules#rule-101-regular-expression-injection)
* [Sensitive Cookie in HTTPS Session Without 'Secure' Attribute](https://docs.snyk.io/scan-using-snyk/snyk-code/snyk-code-security-rules#rule-126-sensitive-cookie-in-https-session-without-secure-attribute)
* [Sensitive Cookie Without 'HttpOnly' Flag](https://docs.snyk.io/scan-using-snyk/snyk-code/snyk-code-security-rules#rule-150-sensitive-cookie-without-httponly-flag)
* [Server-Side Request Forgery (SSRF)](https://docs.snyk.io/scan-using-snyk/snyk-code/snyk-code-security-rules#rule-144-server-side-request-forgery-ssrf)
* [SQL Injection](https://docs.snyk.io/scan-using-snyk/snyk-code/snyk-code-security-rules#rule-23-sql-injection)
* [Trust Boundary Violation](https://docs.snyk.io/scan-using-snyk/snyk-code/snyk-code-security-rules#rule-113-trust-boundary-violation)
* [XML External Entity (XXE) Injection](https://docs.snyk.io/scan-using-snyk/snyk-code/snyk-code-security-rules#rule-123-xml-external-entity-xxe-injection)

**JavaScript / TypeScript**

* [Allocation of Resources Without Limits or Throttling](https://docs.snyk.io/scan-with-snyk/snyk-code/snyk-code-security-rules/javascript-and-typescript-rules)
* [Command Injection](https://docs.snyk.io/scan-using-snyk/snyk-code/snyk-code-security-rules#rule-12-command-injection)
* [Cross-site Scripting (XSS)](https://docs.snyk.io/scan-using-snyk/snyk-code/snyk-code-security-rules#rule-15-cross-site-scripting-xss)
* [Denial of Service (DoS) through Nested GraphQL Queries](https://docs.snyk.io/scan-using-snyk/snyk-code/snyk-code-security-rules#rule-99-denial-of-service-dos-through-nested-graphql-queries)
* [Indirect Command Injection via User Controlled Environment](https://docs.snyk.io/scan-using-snyk/snyk-code/snyk-code-security-rules#rule-13-indirect-command-injection-via-user-controlled-environment)
* [NoSQL Injection](https://docs.snyk.io/scan-using-snyk/snyk-code/snyk-code-security-rules#rule-149-nosql-injection)
* [Open Redirect](https://docs.snyk.io/scan-using-snyk/snyk-code/snyk-code-security-rules#rule-121-open-redirect)
* [Path Traversal](https://docs.snyk.io/scan-using-snyk/snyk-code/snyk-code-security-rules#rule-10-path-traversal)
* [Privacy Leak](https://docs.snyk.io/scan-using-snyk/snyk-code/snyk-code-security-rules#rule-117-privacy-leak)
* [Prototype Pollution](https://docs.snyk.io/scan-with-snyk/snyk-code/snyk-code-security-rules/javascript-and-typescript-rules)
* [Regular Expression Denial of Service (ReDoS)](https://docs.snyk.io/scan-using-snyk/snyk-code/snyk-code-security-rules#rule-102-regular-expression-denial-of-service-redos)
* [Sensitive Cookie in HTTPS Session Without 'Secure' Attribute](https://docs.snyk.io/scan-using-snyk/snyk-code/snyk-code-security-rules#rule-126-sensitive-cookie-in-https-session-without-secure-attribute)
* [Server-Side Request Forgery (SSRF)](https://docs.snyk.io/scan-using-snyk/snyk-code/snyk-code-security-rules#rule-144-server-side-request-forgery-ssrf)
* [SQL Injection](https://docs.snyk.io/scan-using-snyk/snyk-code/snyk-code-security-rules#rule-23-sql-injection)
* [Use of Hardcoded Credentials](https://docs.snyk.io/scan-using-snyk/snyk-code/snyk-code-security-rules#rule-56-use-of-hardcoded-credentials)

**Python**

* [Arbitrary File Write via Archive Extraction (Tar Slip)](https://docs.snyk.io/scan-with-snyk/snyk-code/snyk-code-security-rules/python-rules)
* [Code Injection](https://docs.snyk.io/scan-with-snyk/snyk-code/snyk-code-security-rules)
* [Command Injection](https://docs.snyk.io/scan-using-snyk/snyk-code/snyk-code-security-rules#rule-12-command-injection)
* Cross-site Scripting (XSS)
* [Debug Mode Enabled](https://docs.snyk.io/scan-using-snyk/snyk-code/snyk-code-security-rules#rule-111-debug-mode-enabled)
* [Incomplete URL sanitization](https://docs.snyk.io/scan-with-snyk/snyk-code/snyk-code-security-rules/python-rules)
* [Jinja auto-escape is set to false](https://docs.snyk.io/scan-using-snyk/snyk-code/snyk-code-security-rules/python-rules)
* [Path Traversal](https://docs.snyk.io/scan-with-snyk/snyk-code/snyk-code-security-rules/python-rules)
* [Regular Expression Denial of Service (ReDoS)](https://docs.snyk.io/scan-with-snyk/snyk-code/snyk-code-security-rules/python-rules)
* [SQL Injection](https://docs.snyk.io/scan-using-snyk/snyk-code/snyk-code-security-rules#rule-23-sql-injection)

</details>

<details>

<summary>List of Supported Issue Types for Fortify</summary>

**CPP**

* [Buffer Overflow](https://vulncat.fortify.com/en/detail?category=Buffer%20Overflow)
* [String Termination Error](https://vulncat.fortify.com/en/detail?category=String%20Termination%20Error)

**C#**

* [ASP.NET MVC Bad Practices: Controller Action Without AntiForgery Validation](https://vulncat.fortify.com/en/detail?category=ASP.NET%20MVC%20Bad%20Practices\&subcategory=Controller%20Action%20Without%20AntiForgery%20Validation#C%23%2FVB.NET%2FASP.NET)
* [Cookie Security: HTTPOnly not Set on Application Cookie](https://vulncat.fortify.com/en/detail?category=Cookie%20Security\&subcategory=HTTPOnly%20not%20Set%20on%20Application%20Cookie)
* [Cookie Security: Session Cookie not Sent Over SSL](https://vulncat.fortify.com/en/detail?category=Cookie%20Security\&subcategory=Session%20Cookie%20not%20Sent%20Over%20SSL)
* Cross-Site Scripting: Persistent
* [Header Manipulation](https://vulncat.fortify.com/en/detail?category=Header%20Manipulation#C%23%2FVB.NET%2FASP.NET)
* [Insecure Randomness](https://vulncat.fortify.com/en/detail?category=Insecure%20Randomness#C%23%2FVB.NET%2FASP.NET)
* [Insecure Randomness: Hardcoded Seed](https://vulncat.fortify.com/en/detail?category=Insecure%20Randomness\&subcategory=Hardcoded%20Seed#C%23%2FVB.NET%2FASP.NET)
* [Log Forging](https://vulncat.fortify.com/en/detail?category=Log%20Forging#C%23%2FVB.NET%2FASP.NET)
* [Mass Assignment: Insecure Binder Configuration](https://vulncat.fortify.com/en/detail?category=Mass%20Assignment\&subcategory=Insecure%20Binder%20Configuration#C%23%2FVB.NET%2FASP.NET)
* [Mass Assignment: Request Parameters Bound via Input Formatter](https://vulncat.fortify.com/en/detail?category=Mass%20Assignment\&subcategory=Request%20Parameters%20Bound%20via%20Input%20Formatter)
* [Null Dereference](https://vulncat.fortify.com/en/detail?category=Null%20Dereference#C%23%2FVB.NET%2FASP.NET)
* [Object Model Violation: Just One of Equals() and GetHashCode() Defined](https://vulncat.fortify.com/en/detail?category=Object%20Model%20Violation\&subcategory=Just%20One%20of%20Equals%28%29%20and%20GetHashCode%28%29%20Defined#C%23%2FVB.NET%2FASP.NET)
* [Open Redirect](https://vulncat.fortify.com/en/detail?category=Open%20Redirect#C%23%2FVB.NET%2FASP.NET)
* [Password Management: Password in Comment](https://vulncat.fortify.com/en/detail?category=Password%20Management\&subcategory=Password%20in%20Comment#C%23%2FVB.NET%2FASP.NET)
* [Path Manipulation](https://vulncat.fortify.com/en/detail?category=Path%20Manipulation#C%23%2FVB.NET%2FASP.NET)
* [Path Manipulation: Base Path Overwriting](https://vulncat.fortify.com/en/detail?category=Path%20Manipulation\&subcategory=Base%20Path%20Overwriting#C%23%2FVB.NET%2FASP.NET)
* [Path Manipulation: Zip Entry Overwrite](https://vulncat.fortify.com/en/detail?category=Path%20Manipulation\&subcategory=Zip%20Entry%20Overwrite#C%23%2FVB.NET%2FASP.NET)
* [Poor Error Handling: Overly Broad Catch](https://vulncat.fortify.com/en/detail?category=Poor%20Error%20Handling\&subcategory=Overly%20Broad%20Catch#C%23%2FVB.NET%2FASP.NET)
* [Poor Logging Practice: Use of a System Output Stream](https://vulncat.fortify.com/en/detail?category=Poor%20Logging%20Practice\&subcategory=Use%20of%20a%20System%20Output%20Stream#C%23%2FVB.NET%2FASP.NET)
* [SQL Injection](https://vulncat.fortify.com/en/detail?category=SQL%20Injection#C%23%2FVB.NET%2FASP.NET)
* [System Information Leak](https://vulncat.fortify.com/en/detail?category=System%20Information%20Leak#C%23%2FVB.NET%2FASP.NET)
* [System Information Leak: External](https://vulncat.fortify.com/en/detail?category=System%20Information%20Leak\&subcategory=External#C%23%2fVB.NET%2fASP.NET)
* [System Information Leak: Internal](https://vulncat.fortify.com/en/detail?category=System%20Information%20Leak\&subcategory=Internal#C%23%2FVB.NET%2FASP.NET)
* [Trust Boundary Violation](https://vulncat.fortify.com/en/detail?category=Trust%20Boundary%20Violation#C%23%2FVB.NET%2FASP.NET)
* [XML Entity Expansion Injection](https://vulncat.fortify.com/en/detail?category=XML%20Entity%20Expansion%20Injection#C%23%2FVB.NET%2FASP.NET)
* [XML External Entity Injection](https://vulncat.fortify.com/en/detail?category=XML%20External%20Entity%20Injection#C%23%2FVB.NET%2FASP.NET)

**DOCKERFILE**

**GO**

* [Log Forging](https://vulncat.fortify.com/en/detail?category=Log%20Forging#Golang)

**Java**

* [Code Correctness: Class Does Not Implement Equivalence Method](https://vulncat.fortify.com/en/detail?category=Code%20Correctness\&subcategory=Class%20Does%20Not%20Implement%20Equivalence%20Method#Java%2FJSP)
* [Code Correctness: Comparison of Boxed Primitive Types](https://vulncat.fortify.com/en/detail?category=Code%20Correctness\&subcategory=Comparison%20of%20Boxed%20Primitive%20Types#Java%2FJSP)
* [Code Correctness: Erroneous String Compare](https://vulncat.fortify.com/en/detail?category=Code%20Correctness\&subcategory=Erroneous%20String%20Compare#Java%2FJSP)
* [Command Injection](https://vulncat.fortify.com/en/detail?category=Command%20Injection#Java%2FJSP)
* [Cookie Security: Cookie not Sent Over SSL](https://vulncat.fortify.com/en/detail?category=Cookie%20Security\&subcategory=Cookie%20not%20Sent%20Over%20SSL#Java%2FJSP)
* [Cookie Security: HTTPOnly not Set](https://vulncat.fortify.com/en/detail?category=Cookie%20Security\&subcategory=HTTPOnly%20not%20Set#Java%2FJSP)
* [Cross-Site Request Forgery](https://vulncat.fortify.com/en/detail?category=Cross-Site%20Request%20Forgery)
* [Cross-Site Scripting: Reflected](https://vulncat.fortify.com/en/detail?category=Cross-Site%20Scripting\&subcategory=Reflected#Java%2FJSP)
* [Denial of Service](https://vulncat.fortify.com/en/detail?category=Denial%20of%20Service)
* [Denial of Service: Regular Expression](https://vulncat.fortify.com/en/detail?category=Denial%20of%20Service\&subcategory=Regular%20Expression#Java%2FJSP)
* [Denial of Service: StringBuilder](https://vulncat.fortify.com/en/detail?category=Denial%20of%20Service\&subcategory=StringBuilder#Java%2FJSP)
* [HTML5: Missing Content Security Policy](https://vulncat.fortify.com/en/detail?category=HTML5\&subcategory=Missing%20Content%20Security%20Policy)
* [HTTP Parameter Pollution](https://vulncat.fortify.com/en/detail?category=HTTP%20Parameter%20Pollution)
* [Insecure Randomness](https://vulncat.fortify.com/en/detail?category=Insecure%20Randomness#Java%2fJSP)
* [J2EE Bad Practices: Leftover Debug Code](https://vulncat.fortify.com/en/detail?category=J2EE%20Bad%20Practices\&subcategory=Leftover%20Debug%20Code#Java%2FJSP)
* [J2EE Bad Practices: Threads](https://vulncat.fortify.com/en/detail?category=J2EE%20Bad%20Practices\&subcategory=Threads)
* [Log Forging](https://vulncat.fortify.com/en/detail?category=Log%20Forging#Java%2FJSP)
* [Log Forging (debug)](https://vulncat.fortify.com/en/detail?category=Log%20Forging%20%28debug%29#Java%2FJSP)
* [Mass Assignment: Insecure Binder Configuration](https://vulncat.fortify.com/en/detail?category=Mass%20Assignment\&subcategory=Insecure%20Binder%20Configuration#Java%2fJSP)
* [Missing Check against Null](https://vulncat.fortify.com/en/detail?category=Missing%20Check%20against%20Null#Java%2FJSP)
* [Null Dereference](https://vulncat.fortify.com/en/detail?category=Null%20Dereference#Java%2FJSP)
* [Open Redirect](https://vulncat.fortify.com/en/detail?category=Open%20Redirect)
* [Password Management: Password in Comment](https://vulncat.fortify.com/en/detail?category=Password%20Management\&subcategory=Password%20in%20Comment#Java%2FJSP)
* [Path Manipulation](https://vulncat.fortify.com/en/detail?category=Path%20Manipulation#Java%2FJSP)
* [Path Manipulation: Zip Entry Overwrite](https://vulncat.fortify.com/en/detail?category=Path%20Manipulation\&subcategory=Zip%20Entry%20Overwrite#Java%2FJSP)
* [Poor Error Handling: Empty Catch Block](https://vulncat.fortify.com/en/detail?category=Poor%20Error%20Handling\&subcategory=Empty%20Catch%20Block#Java%2FJSP)
* [Poor Error Handling: Overly Broad Catch](https://vulncat.fortify.com/en/detail?category=Poor%20Error%20Handling\&subcategory=Overly%20Broad%20Catch#Java%2FJSP)
* [Poor Logging Practice: Use of a System Output Stream](https://vulncat.fortify.com/en/detail?category=Poor%20Logging%20Practice\&subcategory=Use%20of%20a%20System%20Output%20Stream#Java%2FJSP)
* [Poor Style: Confusing Naming](https://vulncat.fortify.com/en/detail?category=Poor%20Style\&subcategory=Confusing%20Naming#Java%2FJSP)
* [Poor Style: Non-final Public Static Field](https://vulncat.fortify.com/en/detail?category=Poor%20Style\&subcategory=Non-final%20Public%20Static%20Field#Java%2FJSP)
* [Poor Style: Value Never Read](https://vulncat.fortify.com/en/detail?category=Poor%20Style\&subcategory=Value%20Never%20Read#Java%2FJSP)
* [Portability Flaw: Locale Dependent Comparison](https://vulncat.fortify.com/en/detail?category=Portability%20Flaw\&subcategory=Locale%20Dependent%20Comparison#Java%2FJSP)
* [Privacy Violation](https://vulncat.fortify.com/en/detail?category=Privacy%20Violation#Java%2FJSP)
* [Race Condition: Format Flaw](https://vulncat.fortify.com/en/detail?category=Race%20Condition\&subcategory=Format%20Flaw#Java%2FJSP)
* [Server-Side Request Forgery](https://vulncat.fortify.com/en/detail?category=Server-Side%20Request%20Forgery#Java%2FJSP)
* [Spring Security Misconfiguration: Default Permit](https://vulncat.fortify.com/en/detail?category=Spring%20Security%20Misconfiguration\&subcategory=Default%20Permit)
* [SQL Injection](https://vulncat.fortify.com/en/detail?category=SQL%20Injection#Java%2FJSP)
* [SQL Injection: Persistence](https://vulncat.fortify.com/en/detail?category=SQL%20Injection\&subcategory=Persistence#Java%2fJSP)
* [System Information Leak](https://vulncat.fortify.com/en/detail?category=System%20Information%20Leak#Java%2FJSP)
* [System Information Leak: HTML Comment in JSP](https://vulncat.fortify.com/en/detail?category=System%20Information%20Leak\&subcategory=HTML%20Comment%20in%20JSP#Java%2FJSP)
* [System Information Leak: Internal](https://vulncat.fortify.com/en/detail?category=System%20Information%20Leak\&subcategory=Internal#Java%2FJSP)
* [Trust Boundary Violation](https://vulncat.fortify.com/en/detail?category=Trust%20Boundary%20Violation#Java%2FJSP)
* [Unreleased Resource: Database](https://vulncat.fortify.com/en/detail?category=Unreleased%20Resource\&subcategory=Database#Java%2FJSP)
* [Unreleased Resource: Files](https://vulncat.fortify.com/en/detail?category=Unreleased%20Resource\&subcategory=Files#Java%2FJSP)
* [Unreleased Resource: Sockets](https://vulncat.fortify.com/en/detail?category=Unreleased%20Resource\&subcategory=Sockets#Java%2FJSP)
* [Unreleased Resource: Streams](https://vulncat.fortify.com/en/detail?category=Unreleased%20Resource\&subcategory=Streams#Java%2FJSP)
* [Unreleased Resource: Synchronization](https://vulncat.fortify.com/en/detail?category=Unreleased%20Resource\&subcategory=Synchronization#Java%2FJSP)
* [Unreleased Resource: Unmanaged Object](https://vulncat.fortify.com/en/detail?category=Unreleased%20Resource\&subcategory=Unmanaged%20Object#Java%2FJSP)
* [XML Entity Expansion Injection](https://vulncat.fortify.com/en/detail?category=XML%20Entity%20Expansion%20Injection#Java%2FJSP)
* [XML External Entity Injection](https://vulncat.fortify.com/en/detail?category=XML%20External%20Entity%20Injection#Java%2FJSP)

**JavaScript / TypeScript**

* [Command Injection](https://vulncat.fortify.com/en/detail?category=Command%20Injection#JavaScript%2FTypeScript)
* [Cookie Security: Cookie not Sent Over SSL](https://vulncat.fortify.com/en/detail?category=Cookie%20Security\&subcategory=Cookie%20not%20Sent%20Over%20SSL#JavaScript%2FTypeScript)
* [Credential Management: Hardcoded API Credentials](https://vulncat.fortify.com/en/detail?category=Credential%20Management\&subcategory=Hardcoded%20API%20Credentials#JavaScript%2FTypeScript)
* [Cross-Site Scripting: DOM](https://vulncat.fortify.com/en/detail?category=Cross-Site%20Scripting\&subcategory=DOM#JavaScript%2FTypeScript)
* [Cross-Site Scripting: Self](https://vulncat.fortify.com/en/detail?category=Cross-Site%20Scripting\&subcategory=Self#JavaScript%2FTypeScript)
* [Hardcoded Domain in HTML](https://vulncat.fortify.com/en/detail?category=Hardcoded%20Domain%20in%20HTML#Universal)
* [Insecure Randomness](https://vulncat.fortify.com/en/detail?category=Insecure%20Randomness#JavaScript%2FTypeScript)
* [Insecure Randomness: Hardcoded Seed](https://vulncat.fortify.com/en/detail?category=Insecure%20Randomness\&subcategory=Hardcoded%20Seed#JavaScript%2FTypeScript)
* [Key Management: Hardcoded Encryption Key](https://vulncat.fortify.com/en/detail?category=Key%20Management\&subcategory=Hardcoded%20Encryption%20Key#JavaScript%2FTypeScript)
* [Open Redirect](https://vulncat.fortify.com/en/detail?category=Open%20Redirect#JavaScript%2FTypeScript)
* [Password Management: Hardcoded Password](https://vulncat.fortify.com/en/detail?category=Password%20Management\&subcategory=Hardcoded%20Password#JavaScript%2FTypeScript)
* [Password Management: Password in Comment](https://vulncat.fortify.com/en/detail?category=Password%20Management\&subcategory=Password%20in%20Comment#JavaScript%2FTypeScript)
* [Path Manipulation](https://vulncat.fortify.com/en/detail?category=Path%20Manipulation#JavaScript%2FTypeScript)
* [Privacy Violation: Autocomplete](https://vulncat.fortify.com/en/detail?category=Privacy%20Violation\&subcategory=Autocomplete#Universal)
* [System Information Leak: External](https://vulncat.fortify.com/en/detail?category=System%20Information%20Leak\&subcategory=External#JavaScript%2FTypeScript)
* [System Information Leak: Internal](https://vulncat.fortify.com/en/detail?category=System%20Information%20Leak\&subcategory=Internal#JavaScript%2FTypeScript)

**PHP**

* [Insecure Randomness](https://vulncat.fortify.com/en/detail?category=Insecure%20Randomness#PHP)

**Python**

* [Cross-Site Request Forgery](https://vulncat.fortify.com/en/detail?category=Cross-Site%20Request%20Forgery#Universal)
* [Dynamic Code Evaluation: Code Injection](https://vulncat.fortify.com/en/detail?category=Dynamic%20Code%20Evaluation#Universal)
* [Password Management: Password in Comment](https://vulncat.fortify.com/en/detail?category=Password%20Management\&subcategory=Password%20in%20Comment#Python)
* [Path Manipulation](https://vulncat.fortify.com/en/detail?category=Path%20Manipulation#Python)
* [SQL Injection](https://vulncat.fortify.com/en/detail?category=SQL%20Injection#Python)
* [System Information Leak: Internal](https://vulncat.fortify.com/en/detail?category=System%20Information%20Leak\&subcategory=Internal#Python)

**XML**

* [Password Management: Password in Comment](https://vulncat.fortify.com/en/detail?category=Password%20Management\&subcategory=Password%20in%20Comment#Universal)
* [Weak XML Schema: Unbounded Occurrences](https://vulncat.fortify.com/en/detail?category=Weak%20XML%20Schema\&subcategory=Unbounded%20Occurrences#Universal)

</details>

<details>

<summary>List of Supported Issue Types for Checkmarx</summary>

**C#**

* Declaration Of Catch For Generic Exception
* Deserialization of Untrusted Data
* Dynamic SQL Queries
* [Heap Inspection](https://deu.ast.checkmarx.net/resourceManagement/presets/description/244/17574178213563422629)
* HttpOnlyCookies
* Improper Exception Handling
* Improper Resource Shutdown or Release
* Improper Restriction of XXE Ref
* Information Exposure Through an Error Message
* Information Exposure via Headers
* Insecure Cookie
* Insufficient Logging of Exceptions
* Insufficient Logging of Sensitive Operations
* Just One of Equals and Hash code Defined
* Log Forging
* [Missing HSTS Header](https://deu.ast.checkmarx.net/resourceManagement/presets/description/346/15718905356648301922)
* Path Traversal
* Reflected XSS
* Reflected XSS All Clients
* SQL Injection
* SSRF
* Stored XSS
* Trust Boundary Violation in Session Variables
* Unsafe Object Binding
* Unvalidated Arguments Of Public Methods
* Use of Insufficiently Random Values
* Value Shadowing

**GO**

* Command Injection
* Log Forging
* Privacy Violation
* Second Order SQL Injection
* SQL Injection
* SSL Verification Bypass
* Use of Cryptographically Weak PRNG

**Java**

* Absolute Path Traversal
* Command Injection
* Confusing Naming
* Declaration Of Catch For Generic Exception
* Detection of Error Condition Without Action
* Frameable Login Page
* HttpOnlyCookies
* Improper Resource Shutdown or Release
* Improper Restriction of Stored XXE Ref
* Improper Restriction of XXE Ref
* Information Exposure Through an Error Message
* Log Forging
* [Open Redirect](https://deu.ast.checkmarx.net/resourceManagement/presets/description/601/5854466950125120303)
* [Password In Comment](https://deu.ast.checkmarx.net/resourceManagement/presets/description/615/2940637487142405047)
* Portability Flaw Locale Dependent Comparison
* Privacy Violation
* Race Condition Format Flaw
* ReDoS From Regex Injection
* Reflected XSS All Clients
* Relative Path Traversal
* SQL Injection
* SQL Injection Evasion Attack
* SSRF
* Stored Absolute Path Traversal
* Stored Log Forging
* Stored XSS
* Trust Boundary Violation in Session Variables
* Unchecked Input for Loop Condition
* [Unsafe Object Binding](https://deu.ast.checkmarx.net/resourceManagement/presets/description/915/18167789603095321044)
* Use of Hard coded Cryptographic Key
* Use of Non Cryptographic Random
* Use of Wrong Operator in String Comparison

**JavaScript / TypeScript**

* Absolute Path Traversal
* Client DOM Code Injection
* Client DOM Open Redirect
* [Client DOM Stored Code Injection](https://deu.ast.checkmarx.net/resourceManagement/presets/description/94/17736946413799343054)
* Client DOM Stored XSS
* Client DOM XSS
* Client Hardcoded Domain
* Client Insecure Randomness
* Client JQuery Deprecated Symbols
* Client Password In Comment
* Client Potential XSS
* Client Regex Injection
* Client Use Of Iframe Without Sandbox
* Command Injection
* Hardcoded password in Connection String
* [HttpOnly Cookie Flag Not Set](https://deu.ast.checkmarx.net/resourceManagement/presets/description/1004/9800224272094099502)
* Information Exposure Through an Error Message
* JWT Use Of Hardcoded Secret
* Log Forging
* [Missing CSP Header](https://deu.ast.checkmarx.net/resourceManagement/presets/description/346/729519850006803664)
* [Missing HSTS Header](https://deu.ast.checkmarx.net/resourceManagement/presets/description/346/15718905356648301922)
* Open Redirect
* Prototype Pollution
* Relative Path Traversal
* Secret\_Leak
* Server DoS by Loop
* SQL Injection
* SSRF
* Stored XSS
* Unchecked Input For Loop Condition
* Unprotected Cookie
* Unsafe Use Of Target blank
* Use of Deprecated or Obsolete Functions
* Use Of Hardcoded Password
* Use of Insufficiently Random Values

**PHP**

* Use of Non Cryptographic Random

**Python**

* [Code Injection](https://deu.ast.checkmarx.net/resourceManagement/presets/description/94/13646819717326216658)
* Command Argument Injection
* [Debug Enabled](https://deu.ast.checkmarx.net/resourceManagement/presets/description/11/15910406614565918143)
* [Filtering Sensitive Logs](https://deu.ast.checkmarx.net/resourceManagement/presets/description/532/12553559161661395516)
* [Improper Resource Shutdown or Release](https://deu.ast.checkmarx.net/resourceManagement/presets/description/404/4929335937220202619)
* [Information Exposure Through an Error Message](https://deu.ast.checkmarx.net/resourceManagement/presets/description/209/10086633261638473115)
* [Log Forging](https://deu.ast.checkmarx.net/resourceManagement/presets/description/117/4488286415414676575)
* [Password in Comment](https://deu.ast.checkmarx.net/resourceManagement/presets/description/615/13336864677243390331)
* [Path Traversal](https://deu.ast.checkmarx.net/resourceManagement/presets/description/22/4418167693267818286)
* [Privacy Violation](https://deu.ast.checkmarx.net/resourceManagement/presets/description/359/15091406806124960160)
* [ReDoS Injection](https://deu.ast.checkmarx.net/resourceManagement/presets/description/400/5043137136712896099)
* [Second Order SQL Injection](https://deu.ast.checkmarx.net/resourceManagement/presets/description/89/631642030927601838)
* [SQL Injection](https://deu.ast.checkmarx.net/resourceManagement/presets/description/89/17810866942529238742)
* [Stored Code Injection](https://deu.ast.checkmarx.net/resourceManagement/presets/description/94/14606273189609098459)
* [Stored Command Argument Injection](https://deu.ast.checkmarx.net/resourceManagement/presets/description/88/6227086963064089467)
* [Unchecked Input for Loop Condition](https://deu.ast.checkmarx.net/resourceManagement/presets/description/606/12513885999564608658)
* [XSS](https://deu.ast.checkmarx.net/resourceManagement/presets/description/79/11301225196674651062)

**SQL**

* [Default Definer Rights in Package or Object Definition](https://deu.ast.checkmarx.net/resourceManagement/presets/description/265/10300492436975582020)
* [Second Order SQL Injection](https://deu.ast.checkmarx.net/resourceManagement/presets/description/89/1186085178286193418)

</details>

<details>

<summary>List of Supported Issue Types for SonarQube</summary>

**C#**

* [Composite format strings should be used correctly](https://rules.sonarsource.com/csharp/RSPEC-3457/)
* [Creating cookies without the "HttpOnly" flag is security-sensitive](https://rules.sonarsource.com/csharp/RSPEC-3330/)
* [Creating cookies without the "secure" flag is security-sensitive](https://rules.sonarsource.com/csharp/RSPEC-2092/)
* [Extracting archives should not lead to zip slip vulnerabilities](https://rules.sonarsource.com/csharp/type/Vulnerability/RSPEC-6096/)
* [Fields that are only assigned in the constructor should be "readonly"](https://rules.sonarsource.com/csharp/RSPEC-2933/)
* [Formatting SQL queries is security-sensitive](https://rules.sonarsource.com/csharp/RSPEC-2077/)
* [I/O function calls should not be vulnerable to path injection attacks](https://rules.sonarsource.com/csharp/RSPEC-2083/)
* [Logging should not be vulnerable to injection attacks](https://rules.sonarsource.com/csharp/type/Vulnerability/RSPEC-5145/)
* [Logging templates should be constant](https://rules.sonarsource.com/csharp/RSPEC-2629/)
* [Not specifying a timeout for regular expressions is security-sensitive](https://rules.sonarsource.com/csharp/RSPEC-6444/)
* [Null pointers should not be dereferenced](https://rules.sonarsource.com/csharp/RSPEC-2259/)
* [Sections of code should not be commented out](https://rules.sonarsource.com/csharp/RSPEC-125/)
* [Secure random number generators should not output predictable values](https://rules.sonarsource.com/csharp/type/Vulnerability/RSPEC-4347/)
* [Unassigned members should be removed](https://rules.sonarsource.com/csharp/RSPEC-3459/)
* [Unread "private" fields should be removed](https://rules.sonarsource.com/csharp/RSPEC-4487/)
* [Unused private types or members should be removed](https://rules.sonarsource.com/csharp/RSPEC-1144/)

**DOCKERFILE**

* [S6471 Running containers as a privileged user is security-sensitive](https://rules.sonarsource.com/docker/RSPEC-6471/)

**GO**

* Constructing arguments of system commands from user input is security-sensitive
* Database queries should not be vulnerable to injection attacks
* Formatting SQL queries is security-sensitive
* [Using pseudorandom number generators (PRNGs) is security-sensitive](https://rules.sonarsource.com/go/impact/security/RSPEC-2245/)

**Java**

* ["Preconditions" and logging arguments should not require evaluation](https://next.sonarqube.com/sonarqube/coding_rules?languages=java\&open=java:S2629)
* [Accessing files should not lead to filesystem oracle attacks](https://rules.sonarsource.com/java/RSPEC-6549/)
* [Creating cookies without the "HttpOnly" flag is security-sensitive](https://rules.sonarsource.com/java/RSPEC-3330/)
* [Creating cookies without the "secure" flag is security-sensitive](https://rules.sonarsource.com/java/RSPEC-2092/)
* [Database queries should not be vulnerable to injection attacks](https://rules.sonarsource.com/java/RSPEC-3649/)
* [Endpoints should not be vulnerable to reflected cross-site scripting (XSS) attacks](https://rules.sonarsource.com/java/RSPEC-5131/)
* [Extracting archives should not lead to zip slip vulnerabilities](https://rules.sonarsource.com/java/RSPEC-6096/)
* [Format strings should be used correctly](https://rules.sonarsource.com/java/RSPEC-3457/)
* [Generic exceptions should never be thrown](https://rules.sonarsource.com/java/RSPEC-112/)
* [I/O function calls should not be vulnerable to path injection attacks](https://rules.sonarsource.com/java/RSPEC-2083/)
* [javasecurity:S5146 HTTP request redirections should not be open to forging attacks](https://next.sonarqube.com/sonarqube/coding_rules?open=javasecurity%3AS5146\&rule_key=javasecurity%3AS5146)
* [Logging should not be vulnerable to injection attacks](https://rules.sonarsource.com/java/RSPEC-5145/)
* [Public constants and fields initialized at declaration should be "static final" rather than merely "final"](https://rules.sonarsource.com/java/RSPEC-1170/)
* [Regular expressions should not be vulnerable to Denial of Service attacks](https://rules.sonarsource.com/java/RSPEC-2631/)
* [Sections of code should not be commented out](https://rules.sonarsource.com/java/RSPEC-125/)
* [Server-side requests should not be vulnerable to traversing attacks](https://rules.sonarsource.com/java/RSPEC-7044/)
* [String literals should not be duplicated](https://rules.sonarsource.com/java/RSPEC-1192/)
* [Strings and Boxed types should be compared using "equals()"](https://rules.sonarsource.com/java/RSPEC-4973/)
* [Try-catch blocks should not be nested](https://rules.sonarsource.com/java/RSPEC-1141/)
* [Unnecessary imports should be removed](https://rules.sonarsource.com/java/RSPEC-1128/)
* [Unused "private" fields should be removed](https://rules.sonarsource.com/java/RSPEC-1068/)
* [Unused assignments should be removed](https://rules.sonarsource.com/java/RSPEC-1854/)
* [Unused local variables should be removed](https://rules.sonarsource.com/java/RSPEC-1481/)
* [Using pseudorandom number generators (PRNGs) is security-sensitive](https://rules.sonarsource.com/java/RSPEC-2245/)

**JavaScript / TypeScript**

* [Creating cookies without the "secure" flag is security-sensitive](https://rules.sonarsource.com/javascript/RSPEC-2092/)
* [Database queries should not be vulnerable to injection attacks](https://rules.sonarsource.com/typescript/RSPEC-3649/)
* [Database queries should not be vulnerable to injection attacks](https://rules.sonarsource.com/javascript/RSPEC-3649/)
* [DOM updates should not lead to cross-site scripting (XSS) attacks](https://rules.sonarsource.com/javascript/RSPEC-5696/)
* [DOM updates should not lead to cross-site scripting (XSS) attacks](https://rules.sonarsource.com/typescript/RSPEC-5696/)
* [DOM updates should not lead to open redirect vulnerabilities](https://rules.sonarsource.com/javascript/RSPEC-6105/)
* [DOM updates should not lead to open redirect vulnerabilities](https://rules.sonarsource.com/typescript/RSPEC-6105/)
* [Dynamic code execution should not be vulnerable to injection attacks](https://rules.sonarsource.com/typescript/RSPEC-5334/)
* [Dynamically executing code is security-sensitive](https://rules.sonarsource.com/javascript/RSPEC-1523/)
* [Endpoints should not be vulnerable to reflected cross-site scripting (XSS) attacks](https://rules.sonarsource.com/typescript/RSPEC-5131/)
* [Fields that are only assigned in the constructor should be "readonly"](https://rules.sonarsource.com/typescript/RSPEC-2933/)
* [Formatting SQL queries is security-sensitive](https://rules.sonarsource.com/javascript/RSPEC-2077/)
* [Function returns should not be invariant](https://rules.sonarsource.com/javascript/RSPEC-3516/)
* [Hard-coded credentials are security-sensitive](https://rules.sonarsource.com/javascript/RSPEC-2068/)
* [Hard-coded credentials are security-sensitive](https://rules.sonarsource.com/typescript/RSPEC-2068/)
* [Hard-coded passwords are security-sensitive](https://rules.sonarsource.com/javascript/RSPEC-2068)
* [Hard-coded passwords are security-sensitive](https://rules.sonarsource.com/typescript/RSPEC-2068)
* [Hard-coded secrets are security-sensitive](https://rules.sonarsource.com/javascript/RSPEC-2068/)
* [Hard-coded secrets are security-sensitive](https://rules.sonarsource.com/typescript/RSPEC-2068/)
* [HTTP request redirections should not be open to forging attacks](https://rules.sonarsource.com/javascript/RSPEC-5146/)
* [HTTP request redirections should not be open to forging attacks](https://rules.sonarsource.com/typescript/RSPEC-5146/)
* [I/O function calls should not be vulnerable to path injection attacks](https://rules.sonarsource.com/javascript/RSPEC-2083/)
* [I/O function calls should not be vulnerable to path injection attacks](https://rules.sonarsource.com/typescript/RSPEC-2083/)
* [Jump statements should not occur in "finally" blocks](https://rules.sonarsource.com/javascript/RSPEC-1143/)
* [Jump statements should not occur in "finally" blocks](https://rules.sonarsource.com/typescript/RSPEC-1143/)
* [NoSQL operations should not be vulnerable to injection attacks](https://rules.sonarsource.com/typescript/RSPEC-5147/)
* [NoSQL operations should not be vulnerable to injection attacks](https://rules.sonarsource.com/javascript/RSPEC-5147/)
* [OS commands should not be vulnerable to command injection attacks](https://rules.sonarsource.com/typescript/RSPEC-2076/)
* [Regular expressions should not be vulnerable to Denial of Service attacks](https://rules.sonarsource.com/javascript/RSPEC-2631/)
* [Regular expressions should not be vulnerable to Denial of Service attacks](https://rules.sonarsource.com/typescript/RSPEC-2631/)
* [Sections of code should not be commented out](https://rules.sonarsource.com/typescript/RSPEC-125/)
* [Sections of code should not be commented out](https://rules.sonarsource.com/javascript/RSPEC-125/)
* [Server-side requests should not be vulnerable to forging attacks](https://rules.sonarsource.com/typescript/RSPEC-5144/)
* [Unnecessary character escapes should be removed](https://rules.sonarsource.com/javascript/RSPEC-6535/)
* [Unnecessary character escapes should be removed](https://rules.sonarsource.com/typescript/RSPEC-6535/)
* [Using pseudorandom number generators (PRNGs) is security-sensitive](https://rules.sonarsource.com/javascript/RSPEC-2245/)
* [Using pseudorandom number generators (PRNGs) is security-sensitive](https://rules.sonarsource.com/typescript/RSPEC-2245/)
* [Using remote artifacts without integrity checks is security-sensitive](https://rules.sonarsource.com/html/type/Security%20Hotspot/RSPEC-5725/)
* [Using shell interpreter when executing OS commands is security-sensitive](https://rules.sonarsource.com/typescript/RSPEC-4721/)
* [Using slow regular expressions is security-sensitive](https://rules.sonarsource.com/javascript/RSPEC-5852/)
* [Using slow regular expressions is security-sensitive](https://rules.sonarsource.com/typescript/RSPEC-5852/)
* [Variables should be declared explicitly](https://rules.sonarsource.com/javascript/RSPEC-2703/)
* [Variables should be declared with "let" or "const"](https://rules.sonarsource.com/javascript/RSPEC-3504/)
* [Variables should be declared with "let" or "const"](https://rules.sonarsource.com/typescript/RSPEC-3504/)

**PHP**

* [Using pseudorandom number generators (PRNGs) is security-sensitive](https://rules.sonarsource.com/php/type/Security%20Hotspot/RSPEC-2245/)

**Python**

* ["Exception" and "BaseException" should not be raised](https://next.sonarqube.com/sonarqube/coding_rules?languages=py\&open=python:S112)
* [Constructing arguments of system commands from user input is security-sensitive](https://rules.sonarsource.com/python/RSPEC-6350/)
* [Database queries should not be vulnerable to injection attacks](https://rules.sonarsource.com/python/RSPEC-3649/)
* [Delivering code in production with debug features activated is security-sensitive](https://rules.sonarsource.com/python/RSPEC-4507/)
* [Disabling auto-escaping in template engines is security-sensitive](https://rules.sonarsource.com/python/RSPEC-5247/)
* [Disabling CSRF protections is security-sensitive](https://rules.sonarsource.com/python/RSPEC-4502/)
* [Do not name local variables as builtin python functions](https://next.sonarqube.com/sonarqube/coding_rules?languages=py\&open=python:S5806)
* [Do not use identity comparisons (is / is not) with cached types](https://rules.sonarsource.com/python/RSPEC-5795/)
* [Dynamic code execution should not be vulnerable to injection attacks](https://rules.sonarsource.com/python/RSPEC-5334/)
* [Endpoints should not be vulnerable to reflected cross-site scripting (XSS) attacks](https://rules.sonarsource.com/python/RSPEC-5131/)
* [Formatting SQL queries is security-sensitive](https://rules.sonarsource.com/python/RSPEC-2077/)
* [Function parameters' default values should not be modified or assigned](https://rules.sonarsource.com/python/RSPEC-5717/)
* [I/O function calls should not be vulnerable to path injection attacks](https://rules.sonarsource.com/python/RSPEC-2083/)
* [Logging should not be vulnerable to injection attacks](https://rules.sonarsource.com/python/RSPEC-5145/)
* [Loop boundaries should not be vulnerable to injection attacks](https://rules.sonarsource.com/python/RSPEC-6680/)
* [Properly use string formatting: add all arguments to the format string, don't supply unused arguments](https://rules.sonarsource.com/python/RSPEC-3457/)
* [python:S5443 Using publicly writable directories is security-sensitive](https://rules.sonarsource.com/python/RSPEC-5443/)
* [python:S5754 "SystemExit" should be re-raised](https://next.sonarqube.com/sonarqube/coding_rules?languages=py\&open=python:S5754)
* [Regular expressions should not be vulnerable to Denial of Service attacks](https://rules.sonarsource.com/python/RSPEC-2631/)
* [Sections of code should not be commented out](https://rules.sonarsource.com/python/RSPEC-125/)
* [String literals should not be duplicated](https://rules.sonarsource.com/python/RSPEC-1192/)
* [The "print" statement should not be used](https://rules.sonarsource.com/python/RSPEC-2320/)
* [Unused assignments should be removed](https://rules.sonarsource.com/python/RSPEC-1854/)
* [Wildcard imports should not be used](https://rules.sonarsource.com/python/RSPEC-2208/)

**YAML**

* [Ensure whitespace in-between braces in template directives](https://rules.sonarsource.com/kubernetes/RSPEC-6893/)

</details>

<details>

<summary>List of Supported Issue Types for CodeQL</summary>

**CPP**

* [No space for zero terminator](https://codeql.github.com/codeql-query-help/cpp/cpp-no-space-for-terminator/)
* [Use of dangerous function](https://codeql.github.com/codeql-query-help/cpp/cpp-dangerous-function-overflow/)

**C#**

* [Arbitrary file access during archive extraction ("Zip Slip")](https://codeql.github.com/codeql-query-help/csharp/cs-zipslip/)
* [Cookie "HttpOnly" attribute is not set to true](https://codeql.github.com/codeql-query-help/csharp/cs-web-cookie-httponly-not-set/)
* [Cookie "Secure" attribute is not set to true](https://codeql.github.com/codeql-query-help/csharp/cs-web-cookie-secure-not-set/)
* [Cross-site scripting](https://codeql.github.com/codeql-query-help/csharp/cs-web-xss/)
* [Deserialization of untrusted data](https://codeql.github.com/codeql-query-help/csharp/cs-unsafe-deserialization-untrusted-input/)
* [Exposure of private information](https://codeql.github.com/codeql-query-help/csharp/cs-exposure-of-sensitive-information/)
* [Insecure randomness](https://codeql.github.com/codeql-query-help/csharp/cs-insecure-randomness/)
* [Log entries created from user input](https://codeql.github.com/codeql-query-help/csharp/cs-log-forging/)
* [Missing cross-site request forgery token validation](https://codeql.github.com/codeql-query-help/csharp/cs-web-missing-token-validation/)
* SQL Injection
* [Uncontrolled data used in path expression](https://codeql.github.com/codeql-query-help/csharp/cs-path-injection/)
* [URL redirection from remote source](https://codeql.github.com/codeql-query-help/csharp/cs-web-unvalidated-url-redirection/)

**GO**

* [Clear-text logging of sensitive information](https://codeql.github.com/codeql-query-help/go/go-clear-text-logging/)
* Command Injection
* [Disabled TLS certificate check](https://codeql.github.com/codeql-query-help/go/go-disabled-certificate-check/)
* [Incomplete regular expression for hostnames](https://codeql.github.com/codeql-query-help/go/go-incomplete-hostname-regexp/)
* [Log entries created from user input](https://codeql.github.com/codeql-query-help/go/go-log-injection/)
* [Open URL redirect](https://codeql.github.com/codeql-query-help/go/go-unvalidated-url-redirection/)
* [Reflected cross-site scripting](https://codeql.github.com/codeql-query-help/go/go-reflected-xss/)
* SQL Injection
* Stored cross-site scripting
* [Use of insufficient randomness as the key of a cryptographic algorithm](https://codeql.github.com/codeql-query-help/go/go-insecure-randomness/)

**Java**

* [Arbitrary file access during archive extraction ("Zip Slip")](https://codeql.github.com/codeql-query-help/java/java-zipslip/)
* [Building a command line with string concatenation](https://codeql.github.com/codeql-query-help/java/java-concatenated-command-line/)
* [Cross-Site Request Forgery](https://codeql.github.com/codeql-query-help/java/java-spring-disabled-csrf-protection/)
* [Cross-site scripting](https://codeql.github.com/codeql-query-help/java/java-xss/)
* [Executing a command with a relative path](https://codeql.github.com/codeql-query-help/java/java-relative-path-command/)
* [Failure to use secure cookies](https://codeql.github.com/codeql-query-help/java/java-insecure-cookie/)
* [HTTP response splitting](https://codeql.github.com/codeql-query-help/java/java-http-response-splitting/)
* [Information exposure through an error message](https://codeql.github.com/codeql-query-help/java/java-error-message-exposure/)
* [Insecure randomness](https://codeql.github.com/codeql-query-help/java/java-insecure-randomness/)
* [Insertion of sensitive information into log files](https://codeql.github.com/codeql-query-help/java/java-sensitive-log/)
* [Log Injection](https://codeql.github.com/codeql-query-help/java/java-log-injection/)
* [Partial path traversal vulnerability](https://codeql.github.com/codeql-query-help/java/java-partial-path-traversal/)
* [Query built by concatenation with a possibly-untrusted string](https://codeql.github.com/codeql-query-help/java/java-concatenated-sql-query/)
* [Query built from user-controlled sources](https://codeql.github.com/codeql-query-help/java/java-sql-injection/)
* [Regular expression injection](https://codeql.github.com/codeql-query-help/java/java-regex-injection/)
* [Resolving XML external entity in user-controlled data](https://codeql.github.com/codeql-query-help/java/java-xxe/)
* [Server-side request forgery](https://codeql.github.com/codeql-query-help/java/java-ssrf/)
* [Uncontrolled command line](https://codeql.github.com/codeql-query-help/java/java-command-line-injection/)
* [Uncontrolled data used in path expression](https://codeql.github.com/codeql-query-help/java/java-path-injection/)

**JavaScript / TypeScript**

* [Clear text transmission of sensitive cookie](https://codeql.github.com/codeql-query-help/javascript/js-clear-text-cookie/)
* [Client-side cross-site scripting](https://codeql.github.com/codeql-query-help/javascript/js-xss/)
* [Client-side URL redirect](https://codeql.github.com/codeql-query-help/javascript/js-client-side-unvalidated-url-redirection/)
* [Cross-window communication with unrestricted target origin](https://codeql.github.com/codeql-query-help/javascript/js-cross-window-information-leak/)
* [Database query built from user-controlled sources](https://codeql.github.com/codeql-query-help/javascript/js-sql-injection/)
* [DOM text reinterpreted as HTML](https://codeql.github.com/codeql-query-help/javascript/js-xss-through-dom/)
* [Hard-coded credentials](https://codeql.github.com/codeql-query-help/javascript/js-hardcoded-credentials/)
* [Inclusion of functionality from an untrusted source](https://codeql.github.com/codeql-query-help/javascript/js-functionality-from-untrusted-source/)
* [Incomplete regular expression for hostnames](https://codeql.github.com/codeql-query-help/javascript/js-incomplete-hostname-regexp/)
* [Incomplete string escaping or encoding](https://codeql.github.com/codeql-query-help/javascript/js-incomplete-sanitization/)
* [Incomplete URL scheme check](https://codeql.github.com/codeql-query-help/javascript/js-incomplete-url-scheme-check/)
* [Incomplete URL substring sanitization](https://codeql.github.com/codeql-query-help/javascript/js-incomplete-url-substring-sanitization/)
* [Indirect uncontrolled command line](https://codeql.github.com/codeql-query-help/javascript/js-indirect-command-line-injection/)
* [Inefficient regular expression](https://codeql.github.com/codeql-query-help/javascript/js-redos/)
* [Information exposure through a stack trace](https://codeql.github.com/codeql-query-help/javascript/js-stack-trace-exposure/)
* [Insecure randomness](https://codeql.github.com/codeql-query-help/javascript/js-insecure-randomness/)
* [Log injection](https://codeql.github.com/codeql-query-help/javascript/js-log-injection/)
* [Loop bound injection](https://codeql.github.com/codeql-query-help/javascript/js-loop-bound-injection/)
* [Missing rate limiting](https://codeql.github.com/codeql-query-help/javascript/js-missing-rate-limiting/)
* [Overly permissive regular expression range](https://codeql.github.com/codeql-query-help/javascript/js-overly-large-range/)
* [Prototype-polluting assignment](https://codeql.github.com/codeql-query-help/javascript/js-prototype-polluting-assignment/)
* [Prototype-polluting function](https://codeql.github.com/codeql-query-help/javascript/js-prototype-pollution-utility/)
* [Reflected cross-site scripting](https://codeql.github.com/codeql-query-help/javascript/js-reflected-xss/)
* [Reflected cross-site scripting](https://codeql.github.com/codeql-query-help/javascript/js-xss-through-exception/)
* [Regular expression injection](https://codeql.github.com/codeql-query-help/javascript/js-regex-injection/)
* [Sensitive server cookie exposed to the client](https://codeql.github.com/codeql-query-help/javascript/js-client-exposed-cookie/)
* [Server-side request forgery](https://codeql.github.com/codeql-query-help/javascript/js-request-forgery/)
* [Server-side URL redirect](https://codeql.github.com/codeql-query-help/javascript/js-server-side-unvalidated-url-redirection/)
* [Shell command built from environment values](https://codeql.github.com/codeql-query-help/javascript/js-shell-command-injection-from-environment/)
* [Type confusion through parameter tampering](https://codeql.github.com/codeql-query-help/javascript/js-type-confusion-through-parameter-tampering/)
* [Uncontrolled command line](https://codeql.github.com/codeql-query-help/javascript/js-command-line-injection/)
* [Uncontrolled data used in path expression](https://codeql.github.com/codeql-query-help/javascript/js-path-injection/)
* [Unsafe HTML constructed from library input](https://codeql.github.com/codeql-query-help/javascript/js-html-constructed-from-input/)
* [Unsafe jQuery plugin](https://codeql.github.com/codeql-query-help/javascript/js-unsafe-jquery-plugin/)
* [Unsafe shell command constructed from library input](https://codeql.github.com/codeql-query-help/javascript/js-shell-command-constructed-from-input/)
* [Untrusted data passed to external API](https://codeql.github.com/codeql-query-help/javascript-cwe/)
* [Useless regular-expression character escape](https://codeql.github.com/codeql-query-help/javascript/js-useless-regexp-character-escape/)

**Python**

* [Arbitrary file write during tarfile extraction](https://codeql.github.com/codeql-query-help/python/py-tarslip/)
* [Code injection](https://codeql.github.com/codeql-query-help/python/py-code-injection/)
* [Flask app is run in debug mode](https://codeql.github.com/codeql-query-help/python/py-flask-debug/)
* [Incomplete URL substring sanitization](https://codeql.github.com/codeql-query-help/python/py-incomplete-url-substring-sanitization/)
* [Information exposure through an exception](https://codeql.github.com/codeql-query-help/python/py-stack-trace-exposure/)
* [Jinja2 templating with autoescape=False](https://codeql.github.com/codeql-query-help/python/py-jinja2-autoescape-false/)
* [Log Injection](https://codeql.github.com/codeql-query-help/python/py-log-injection/)
* [Overly permissive regular expression range](https://codeql.github.com/codeql-query-help/python/py-overly-large-range/)
* [Regular expression injection](https://codeql.github.com/codeql-query-help/python/py-regex-injection/)
* [SQL query built from user-controlled sources](https://codeql.github.com/codeql-query-help/python/py-sql-injection/)
* [Uncontrolled command line](https://codeql.github.com/codeql-query-help/python/py-command-line-injection/)
* [Uncontrolled data used in path expression](https://codeql.github.com/codeql-query-help/python/py-path-injection/)
* [Unsafe shell command constructed from library input](https://codeql.github.com/codeql-query-help/python/py-shell-command-constructed-from-input/)
* [XSS](https://codeql.github.com/codeql-query-help/python/py-reflective-xss/)

**YAML**

* [Code Injection](https://codeql.github.com/codeql-query-help/actions/actions-code-injection-medium/)
* [Code Injection](https://codeql.github.com/codeql-query-help/actions/actions-code-injection-critical/)
* [Excessive Secrets Exposure](https://codeql.github.com/codeql-query-help/actions/actions-excessive-secrets-exposure/)
* [Unpinned tag for a non-immutable Action in workflow](https://codeql.github.com/codeql-query-help/actions/actions-unpinned-tag/)
* [Workflow does not contain permissions](https://codeql.github.com/codeql-query-help/actions/actions-missing-workflow-permissions/)

</details>

<details>

<summary>List of Supported Issue Types for Semgrep/Opengrep</summary>

**C#**

* [csharp/lang.best-practice.structured-logging.structured-logging](https://semgrep.dev/r?q=csharp.lang.best-practice.structured-logging.structured-logging)
* [lang.security.sqli.csharp-sqli.csharp-sqli](https://semgrep.dev/r?q=lang.security.sqli.csharp-sqli.csharp-sqli)
* [OS command injection](https://semgrep.dev/r/security_code_scan.SCS0001-1)
* [security\_code\_scan.SCS0002-1](https://semgrep.dev/p/security-code-scan)
* [Use of cryptographically weak Pseudo-Random Number Generator (PRNG)](https://semgrep.dev/r?q=gitlab.security_code_scan.SCS0005-1)

**DOCKERFILE**

* [security.missing-user-entrypoint.missing-user-entrypoint](https://semgrep.dev/r?q=security.missing-user-entrypoint.missing-user-entrypoint)
* [security.missing-user.missing-user](https://semgrep.dev/r?q=security.missing-user.missing-user)

**GO**

* [Cookie Missing HTTP only](https://semgrep.dev/r/go.lang.security.audit.net.cookie-missing-httponly.cookie-missing-httponly)
* [dgryski.semgrep-go.errnilcheck.err-nil-check](https://semgrep.dev/r?q=dgryski.semgrep-go.errnilcheck.err-nil-check)
* [go.lang.security.audit.dangerous-exec-command.dangerous-exec-command](https://semgrep.dev/r?q=lang.security.audit.dangerous-exec-command.dangerous-exec-command)
* [go.lang.security.injection.open-redirect.open-redirect](https://semgrep.dev/r?q=go.lang.security.injection.open-redirect.open-redirect)
* [gorilla.security.audit.websocket-missing-origin-check.websocket-missing-origin-check](https://semgrep.dev/r?q=go.gorilla.security.audit.websocket-missing-origin-check.websocket-missing-origin-check)
* [insecure-transport.go-stdlib.bypass-tls-verification.bypass-tls-verification](https://semgrep.dev/r?q=problem-based-packs.insecure-transport.go-stdlib.bypass-tls-verification.bypass-tls-verification)
* [lang.security.audit.crypto.missing-ssl-minversion.missing-ssl-minversion](https://semgrep.dev/r?q=go.lang.security.audit.crypto.missing-ssl-minversion.missing-ssl-minversion)
* [lang.security.audit.dangerous-exec-command.dangerous-exec-command](https://semgrep.dev/r?q=lang.security.audit.dangerous-exec-command.dangerous-exec-command)
* [lang.security.audit.database.string-formatted-query](https://semgrep.dev/r?q=lang.security.audit.database.string-formatted-query)
* [lang.security.audit.sqli.pgx-sqli.pgx-sqli](https://semgrep.dev/r?q=go.lang.security.audit.sqli.pgx-sqli.pgx-sqli)
* [lang.security.audit.xss.no-direct-write-to-responsewriter.no-direct-write-to-responsewriter](https://semgrep.dev/r?q=+go+lang.security.audit.xss.no-direct-write-to-responsewriter.no-direct-write-to-responsewriter)
* [lang.security.injection.tainted-sql-string](https://semgrep.dev/r?q=lang.security.injection.tainted-sql-string)
* [OS command injection](https://semgrep.dev/r?q=gitlab.gosec.G204-1)

**Java**

* File Path Traversal in HttpServlet
* [find\_sec\_bugs.FILE\_UPLOAD\_FILENAME-1](https://semgrep.dev/r?q=find_sec_bugs.FILE_UPLOAD_FILENAME-1)
* [find\_sec\_bugs.HTTPONLY\_COOKIE-1](https://semgrep.dev/r?q=find_sec_bugs.HTTPONLY_COOKIE-1)
* [find\_sec\_bugs.INSECURE\_COOKIE-1](https://semgrep.dev/r?q=find_sec_bugs.INSECURE_COOKIE-1)
* [find\_sec\_bugs.PATH\_TRAVERSAL\_OUT-1.PATH\_TRAVERSAL\_OUT-1](https://semgrep.dev/r?q=find_sec_bugs.PATH_TRAVERSAL_OUT-1.PATH_TRAVERSAL_OUT-1)
* [find\_sec\_bugs.PREDICTABLE\_RANDOM-1](https://semgrep.dev/r?q=find_sec_bugs.PREDICTABLE_RANDOM-1)
* [find\_sec\_bugs.PT\_ABSOLUTE\_PATH\_TRAVERSAL-1](https://semgrep.dev/r?q=find_sec_bugs.PT_ABSOLUTE_PATH_TRAVERSAL-1)
* [find\_sec\_bugs.PT\_RELATIVE\_PATH\_TRAVERSAL-1](https://semgrep.dev/r?q=find_sec_bugs.PT_RELATIVE_PATH_TRAVERSAL-1)
* [find\_sec\_bugs.UNVALIDATED\_REDIRECT-1.URL\_REWRITING-1](https://semgrep.dev/r?q=find_sec_bugs.UNVALIDATED_REDIRECT-1.URL_REWRITING-1)
* [find\_sec\_bugs.WEAK\_FILENAMEUTILS-1](https://semgrep.dev/r?q=find_sec_bugs.WEAK_FILENAMEUTILS-1)
* [gitlab.find\_sec\_bugs.CUSTOM\_INJECTION-1](https://semgrep.dev/r?q=gitlab.find_sec_bugs.CUSTOM_INJECTION-1)
* [gitlab.find\_sec\_bugs.CUSTOM\_INJECTION-2](https://semgrep.dev/r?q=gitlab.find_sec_bugs.CUSTOM_INJECTION-2)
* [gitlab.find\_sec\_bugs.SQL\_INJECTION\_SPRING\_JDBC-1.SQL\_INJECTION\_JPA-1.SQL\_INJECTION\_JDO-1.SQL\_INJECTION\_JDBC-1.SQL\_NONCONSTANT\_STRING\_PASSED\_TO\_EXECUTE-1](https://semgrep.dev/r?q=gitlab.find_sec_bugs.SQL_INJECTION_SPRING_JDBC-1.SQL_INJECTION_JPA-1.SQL_INJECTION_JDO-1.SQL_INJECTION_JDBC-1.SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE-1)
* [gitlab.find\_sec\_bugs.SQL\_INJECTION\_SPRING\_JDBC-1.SQL\_INJECTION\_JPA-1.SQL\_INJECTION\_JDO-1.SQL\_INJECTION\_JDBC-1.SQL\_NONCONSTANT\_STRING\_PASSED\_TO\_EXECUTE-1.SQL\_INJECTION-1.SQL\_INJECTION\_HIBERNATE-1.SQL\_INJECTION\_VERTX-1.SQL\_PREPARED\_STATEMENT\_GENERATED\_FROM\_NONCONSTANT\_STRING-1](https://semgrep.dev/r?q=gitlab.find_sec_bugs.SQL_INJECTION_SPRING_JDBC-1.SQL_INJECTION_JPA-1.SQL_INJECTION_JDO-1.SQL_INJECTION_JDBC-1.SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE-1.SQL_INJECTION-1.SQL_INJECTION_HIBERNATE-1.SQL_INJECTION_VERTX-1.SQL_PREPARED_STATEMENT_GENERATED_FROM_NONCONSTANT_STRING-1)
* [java.lang.security.audit.cookie-missing-httponly.cookie-missing-httponly](https://semgrep.dev/r?q=java.lang.security.audit.cookie-missing-httponly.cookie-missing-httponly)
* [java.lang.security.audit.cookie-missing-secure-flag.cookie-missing-secure-flag](https://semgrep.dev/r?q=java.lang.security.audit.cookie-missing-secure-flag.cookie-missing-secure-flag)
* [java.lang.security.audit.crypto.weak-random.weak-random](https://semgrep.dev/r?q=java.lang.security.audit.crypto.weak-random.weak-random)
* [java.lang.security.audit.formatted-sql-string.formatted-sql-string](https://semgrep.dev/r?q=java.lang.security.audit.formatted-sql-string.formatted-sql-string)
* [java.lang.security.audit.sqli.jdbc-sqli.jdbc-sqli](https://semgrep.dev/r?q=java.lang.security.audit.sqli.jdbc-sqli.jdbc-sqli)
* [java.lang.security.audit.sqli.tainted-sql-from-http-request.tainted-sql-from-http-request](https://semgrep.dev/r?q=java.lang.security.audit.sqli.tainted-sql-from-http-request.tainted-sql-from-http-request)
* java.mobb.custom\_injection
* [java.servlets.security.cookie-issecure-false.cookie-issecure-false](https://semgrep.dev/r?q=java.servlets.security.cookie-issecure-false.cookie-issecure-false)
* java/mobb.pt\_find\_transitives
* [lang.security.audit.command-injection-process-builder](https://semgrep.dev/r?q=lang.security.audit.command-injection-process-builder)
* [lang.security.audit.command-injection-process-builder.command-injection-process-builder](https://semgrep.dev/r?q=lang.security.audit.command-injection-process-builder.command-injection-process-builder)
* [lang.security.audit.unvalidated-redirect.unvalidated-redirect](https://semgrep.dev/r?q=java.lang.security.audit.unvalidated-redirect.unvalidated-redirect)
* Path Traversal
* Relative File Path Traversal in HttpServlet
* [Server-Side-Request-Forgery (SSRF)](https://semgrep.dev/r?q=gitlab.find_sec_bugs.URLCONNECTION_SSRF_FD-1)
* [spring.security.audit.spring-unvalidated-redirect.spring-unvalidated-redirect](https://semgrep.dev/r?q=java.spring.security.audit.spring-unvalidated-redirect.spring-unvalidated-redirect)
* SQL Injection
* Tainted File Path

**JavaScript / TypeScript**

* [ajinabraham.njsscan.crypto.crypto\_node.node\_insecure\_random\_generator](https://semgrep.dev/r?q=ajinabraham.njsscan.crypto.crypto_node.node_insecure_random_generator)
* [browser.security.eval-detected.eval-detected](https://semgrep.dev/r?q=browser.security.eval-detected.eval-detected)
* [browser.security.insecure-document-method.insecure-document-method](https://semgrep.dev/r?q=browser.security.insecure-document-method.insecure-document-method)
* [detect-non-literal-regexp](https://semgrep.dev/r?q=detect-non-literal-regexp)
* [Detected possible path traversal](https://semgrep.dev/r?q=eslint.detect-non-literal-fs-filename)
* [Detected possible path traversal](https://semgrep.dev/r?q=lang.security.audit.detect-non-literal-fs-filename.detect-non-literal-fs-filename)
* [Detected possible user input going into a `path.join` or `path.resolve` function. This could possibly lead to a path traversal vulnerability, where the attacker can access arbitrary files stored in the file system. Instead, be sure to sanitize or validate user input first.](https://semgrep.dev/r?q=lang.security.audit.path-traversal.path-join-resolve-traversal.path-join-resolve-traversal)
* [eslint.detect-child-process](https://semgrep.dev/r?q=gitlab.eslint.detect-child-process)
* [eslint.detect-eval-with-expression](https://semgrep.dev/r?q=eslint.detect-eval-with-expression)
* [eslint.detect-non-literal-regexp](https://semgrep.dev/r?q=eslint.detect-non-literal-regexp)
* [eslint.detect-object-injection](https://semgrep.dev/r?q=eslint.detect-object-injection)
* [eslint.detect-pseudoRandomBytes](https://semgrep.dev/r?q=gitlab.eslint.detect-pseudoRandomBytes)
* [eslint.react-dangerouslysetinnerhtml](https://semgrep.dev/r?q=gitlab.eslint.react-dangerouslysetinnerhtml)
* [express.security.audit.express-open-redirect.express-open-redirect](https://semgrep.dev/r?q=express.security.audit.express-open-redirect.express-open-redirect)
* [express.security.audit.possible-user-input-redirect.unknown-value-in-redirect](https://semgrep.dev/r?q=express.security.audit.possible-user-input-redirect.unknown-value-in-redirect)
* [express.security.audit.xss.direct-response-write](https://semgrep.dev/r?q=express.security.audit.xss.direct-response-write)
* [express.security.audit.xss.direct-response-write.direct-response-write](https://semgrep.dev/r?q=express.security.audit.xss.direct-response-write.direct-response-write)
* [express.security.injection.tainted-sql-string](https://semgrep.dev/r?q=express.security.injection.tainted-sql-string)
* [express.security.injection.tainted-sql-string.tainted-sql-string](https://semgrep.dev/r?q=express.security.injection.tainted-sql-string.tainted-sql-string)
* [generic.secrets.gitleaks.generic-api-key](https://semgrep.dev/r/generic.secrets.gitleaks.generic-api-key)
* [generic.secrets.gitleaks.generic-api-key.generic-api-key](https://semgrep.dev/r/generic.secrets.gitleaks.generic-api-key.generic-api-key)
* [gitlab.eslint.detect-object-injection](https://semgrep.dev/r?q=gitlab.eslint.detect-object-injection)
* [gitlab.nodejs\_scan.javascript-crypto-rule-node\_insecure\_random\_generator](https://semgrep.dev/r?q=gitlab.nodejs_scan.javascript-crypto-rule-node_insecure_random_generator)
* [gitlab.nodejs\_scan.javascript-crypto-rule-node\_insecure\_random\_generator](https://semgrep.dev/r?q=javascript-crypto-rule-node_insecure_random_generator)
* [html.security.audit.missing-integrity.missing-integrity](https://semgrep.dev/r?q=html.security.audit.missing-integrity.missing-integrity)
* [javascript.lang.security.audit.incomplete-sanitization.incomplete-sanitization](https://semgrep.dev/r?q=javascript.lang.security.audit.incomplete-sanitization.incomplete-sanitization)
* [javascript-database-rule-node\_knex\_sqli\_injection](https://semgrep.dev/r?q=javascript-database-rule-node_knex_sqli_injection)
* [javascript-database-rule-node\_nosqli\_injection](https://semgrep.dev/r?q=javascript-database-rule-node_nosqli_injection)
* [javascript-database-rule-node\_nosqli\_js\_injection](https://semgrep.dev/r?q=javascript-database-rule-node_nosqli_js_injection)
* [javascript-database-rule-node\_sqli\_injection](https://semgrep.dev/r?q=javascript-database-rule-node_sqli_injection)
* [javascript-dos-rule-regex\_dos](https://semgrep.dev/r?q=javascript-dos-rule-regex_dos)
* [javascript-jwt-rule-jwt\_express\_hardcoded](https://semgrep.dev/r?q=nodejs_scan.javascript-jwt-rule-jwt_express_hardcoded)
* [javascript-redirect-rule-express\_open\_redirect](https://semgrep.dev/r?q=nodejs_scan.javascript-redirect-rule-express_open_redirect)
* [javascript-redirect-rule-express\_open\_redirect](https://semgrep.dev/r?q=gitlab.nodejs_scan.javascript-redirect-rule-express_open_redirect)
* [javascript-redirect-rule-express\_open\_redirect2](https://semgrep.dev/r?q=nodejs_scan.javascript-redirect-rule-express_open_redirect2)
* [javascript-xss-rule-express\_xss](https://semgrep.dev/r?q=javascript-xss-rule-express_xss)
* [javascript.browser.security.insecure-innerhtml.insecure-innerhtml](https://semgrep.dev/r?q=javascript.browser.security.insecure-innerhtml.insecure-innerhtml)
* [javascript.browser.security.raw-html-concat.raw-html-concat](https://semgrep.dev/r?q=javascript.browser.security.raw-html-concat.raw-html-concat)
* [javascript.browser.security.wildcard-postmessage-configuration.wildcard-postmessage-configuration](https://semgrep.dev/r?q=javascript.browser.security.wildcard-postmessage-configuration.wildcard-postmessage-configuration)
* [javascript.express.security.audit.xss.ejs.explicit-unescape.template-explicit-unescape](https://semgrep.dev/r?q=javascript.express.security.audit.xss.ejs.explicit-unescape.template-explicit-unescape)
* [javascript.express.security.injection.raw-html-format.raw-html-format](https://semgrep.dev/r?q=javascript.express.security.injection.raw-html-format.raw-html-format)
* [javascript.jquery.security.audit.jquery-insecure-selector.jquery-insecure-selector](https://semgrep.dev/r?q=javascript.jquery.security.audit.jquery-insecure-selector.jquery-insecure-selector)
* [javascript.lang.security.audit.detect-non-literal-fs-filename.detect-non-literal-fs-filename](https://semgrep.dev/r?q=javascript.lang.security.audit.detect-non-literal-fs-filename.detect-non-literal-fs-filename)
* [javascript.lang.security.audit.detect-non-literal-regexp.detect-non-literal-regexp](https://semgrep.dev/r?q=javascript.lang.security.audit.detect-non-literal-regexp.detect-non-literal-regexp)
* javascript.lang.security.audit.detect-redos-mobb.detect-redos-mobb
* javascript.lang.security.audit.prototype-pollution-loop-mobb.prototype-pollution-loop-mobb
* [javascript.lang.security.audit.prototype-pollution.prototype-pollution-loop.prototype-pollution-loop](https://semgrep.dev/r?q=javascript.lang.security.audit.prototype-pollution.prototype-pollution-loop.prototype-pollution-loop)
* [javascript.lang.security.audit.unsafe-formatstring.unsafe-formatstring](https://semgrep.dev/r?q=javascript.lang.security.audit.unsafe-formatstring.unsafe-formatstring)
* [javascript.lang.security.detect-child-process.detect-child-process](https://semgrep.dev/r?q=lang.security.detect-child-process.detect-child-process)
* javascript.mobb.log\_forging
* javascript.mobb.system-information-leak-external
* [jsonwebtoken.security.jwt-hardcode.hardcoded-jwt-secret](https://semgrep.dev/r/jsonwebtoken.security.jwt-hardcode.hardcoded-jwt-secret)
* [lang.security.audit.sqli.node-knex-sqli.node-knex-sqli](https://semgrep.dev/r?q=lang.security.audit.sqli.node-knex-sqli.node-knex-sqli)
* [lang.security.audit.sqli.node-postgres-sqli.node-postgres-sqli](https://semgrep.dev/r?q=lang.security.audit.sqli.node-postgres-sqli.node-postgres-sqli)
* [mobb.security.audit.express-check-cmdi](https://semgrep.dev/r?q=mobb.express-check-cmdi)
* [njsscan.dos.regex\_dos.regex\_dos](https://semgrep.dev/r?q=njsscan.dos.regex_dos.regex_dos)
* [njsscan.dos.regex\_injection.regex\_injection\_dos](https://semgrep.dev/r?q=njsscan.dos.regex_injection.regex_injection_dos)
* [njsscan.eval.eval\_node.eval\_nodejs](https://semgrep.dev/r?q=njsscan.eval.eval_node.eval_nodejs)
* [njsscan.generic.hardcoded\_secrets.node\_password](https://semgrep.dev/r/njsscan.generic.hardcoded_secrets.node_password)
* [njsscan.generic.hardcoded\_secrets.node\_secret](https://semgrep.dev/r/njsscan.generic.hardcoded_secrets.node_secret)
* [njsscan.traversal.path\_traversal.generic\_path\_traversal](https://semgrep.dev/r?q=njsscan.traversal.path_traversal.generic_path_traversal)
* [njsscan.xss.xss\_node.express\_xss](https://semgrep.dev/r?q=njsscan.xss.xss_node.express_xss)
* [nodejs\_scan.javascript-crypto-rule-node\_insecure\_random\_generator](https://semgrep.dev/r?q=nodejs_scan.javascript-crypto-rule-node_insecure_random_generator)
* [nodejs\_scan.javascript-database-rule-node\_knex\_sqli\_injection](https://semgrep.dev/r?q=nodejs_scan.javascript-database-rule-node_knex_sqli_injection)
* [nodejs\_scan.javascript-database-rule-node\_nosqli\_injection](https://semgrep.dev/r?q=nodejs_scan.javascript-database-rule-node_nosqli_injection)
* [nodejs\_scan.javascript-database-rule-node\_nosqli\_js\_injection](https://semgrep.dev/r?q=nodejs_scan.javascript-database-rule-node_nosqli_js_injection)
* [nodejs\_scan.javascript-database-rule-node\_sqli\_injection](https://semgrep.dev/r?q=nodejs_scan.javascript-database-rule-node_sqli_injection)
* [nodejs\_scan.javascript-dos-rule-regex\_dos](https://semgrep.dev/r?q=nodejs_scan.javascript-dos-rule-regex_dos)
* [nodejs\_scan.javascript-eval-rule-eval\_nodejs](https://semgrep.dev/r?q=nodejs_scan.javascript-eval-rule-eval_nodejs)
* [nodejs\_scan.javascript-exec-rule-shelljs\_os\_command\_exec](https://semgrep.dev/r?q=gitlab.nodejs_scan.javascript-exec-rule-shelljs_os_command_exec)
* [nodejs\_scan.javascript-exec-rule-shelljs\_os\_command\_exec](https://semgrep.dev/r?q=nodejs_scan.javascript-exec-rule-shelljs_os_command_exec)
* [nodejs\_scan.javascript-jwt-rule-hardcoded\_jwt\_secret](https://semgrep.dev/r?q=gitlab.nodejs_scan.javascript-jwt-rule-hardcoded_jwt_secret)
* [nodejs\_scan.javascript-jwt-rule-jwt\_express\_hardcoded](https://semgrep.dev/r?q=gitlab.nodejs_scan.javascript-jwt-rule-jwt_express_hardcoded)
* [nodejs\_scan.javascript-redirect-rule-express\_open\_redirect](https://semgrep.dev/r?q=gitlab.nodejs_scan.javascript-redirect-rule-express_open_redirect)
* [nodejs\_scan.javascript-redirect-rule-express\_open\_redirect2](https://semgrep.dev/r?q=gitlab.nodejs_scan.javascript-redirect-rule-express_open_redirect2)
* [nodejs\_scan.javascript-xss-rule-express\_xss](https://semgrep.dev/r?q=nodejs_scan.javascript-xss-rule-express_xss)
* [Please provide a new title that explains javascript.lang.correctness.missing-template-string-indicator.missing-template-string-indicator](https://semgrep.dev/r?q=javascript.lang.correctness.missing-template-string-indicator.missing-template-string-indicator)
* [Possible writing outside of the destination, make sure that the target path is nested in the intended destination](https://semgrep.dev/r?q=express.security.audit.express-path-join-resolve-traversal.express-path-join-resolve-traversal)
* [pt using rendering templates](https://semgrep.dev/r?q=gitlab.nodejs_scan.javascript-traversal-rule-express_lfr)
* [pt using rendering templates](https://semgrep.dev/r?q=javascript-traversal-rule-express_lfr)
* [pt using rendering templates](https://semgrep.dev/r?q=gitlab.nodejs_scan.javascript-traversal-rule-express_lfr_warning)
* [pt using rendering templates](https://semgrep.dev/r?q=javascript-traversal-rule-express_lfr_warning)
* [react.security.audit.react-unsanitized-method.react-unsanitized-method](https://semgrep.dev/r?q=react.security.audit.react-unsanitized-method.react-unsanitized-method)
* [secrets.gitleaks.generic-api-key](https://semgrep.dev/r/secrets.gitleaks.generic-api-key)
* [secrets.gitleaks.generic-api-key.generic-api-key](https://semgrep.dev/r/secrets.gitleaks.generic-api-key.generic-api-key)
* [SSRF](https://semgrep.dev/r?q=nodejs_scan.javascript-ssrf-rule-node_ssrf)
* [SSRF](https://semgrep.dev/r?q=javascript-ssrf-rule-node_ssrf)
* [SSRF](https://semgrep.dev/r?q=nodejs_scan.javascript-ssrf-rule-phantom_ssrf)
* [SSRF](https://semgrep.dev/r?q=javascript-ssrf-rule-phantom_ssrf)
* [SSRF](https://semgrep.dev/r?q=nodejs_scan.javascript-ssrf-rule-playwright_ssrf)
* [SSRF](https://semgrep.dev/r?q=javascript-ssrf-rule-playwright_ssrf)
* [SSRF](https://semgrep.dev/r?q=nodejs_scan.javascript-ssrf-rule-puppeteer_ssrf)
* [SSRF](https://semgrep.dev/r?q=javascript-ssrf-rule-puppeteer_ssrf)
* [SSRF](https://semgrep.dev/r?q=nodejs_scan.javascript-ssrf-rule-wkhtmltoimage_ssrf)
* [SSRF](https://semgrep.dev/r?q=javascript-ssrf-rule-wkhtmltoimage_ssrf)
* [SSRF](https://semgrep.dev/r?q=nodejs_scan.javascript-ssrf-rule-wkhtmltopdf_ssrf)
* [SSRF](https://semgrep.dev/r?q=javascript-ssrf-rule-wkhtmltopdf_ssrf)
* [SSRF](https://semgrep.dev/r?q=njsscan.ssrf.ssrf_node.node_ssrf)
* [typescript.lang.correctness.useless-ternary.useless-ternary](https://semgrep.dev/r?q=typescript.lang.correctness.useless-ternary.useless-ternary)
* [typescript.react.security.audit.react-dangerouslysetinnerhtml.react-dangerouslysetinnerhtml](https://semgrep.dev/r?q=typescript.react.security.audit.react-dangerouslysetinnerhtml.react-dangerouslysetinnerhtml)

**Python**

* [A missing encoding argument in open() can lead to corrupted data](https://semgrep.dev/r/lang.best-practice.unspecified-open-encoding.unspecified-open-encoding)
* [B113: request\_without\_timeout](https://semgrep.dev/r?q=gitlab.bandit.B113)
* [B602: subprocess\_popen\_with\_shell\_equals\_true](https://semgrep.dev/r?q=bandit.B602)
* [B603: subprocess\_without\_shell\_equals\_true](https://semgrep.dev/r?q=bandit.B603)
* [B604: subprocess\_popen\_with\_shell\_equals\_true](https://semgrep.dev/r?q=bandit.B604)
* [bandit.B201](https://semgrep.dev/r?q=bandit.B201)
* [bandit.B307](https://semgrep.dev/r?q=bandit.B307)
* [django.security.injection.code.user-eval-format-string.user-eval-format-string](https://semgrep.dev/r?q=django.security.injection.code.user-eval-format-string.user-eval-format-string)
* [django.security.injection.code.user-eval.user-eval](https://semgrep.dev/r?q=django.security.injection.code.user-eval.user-eval)
* [django.security.injection.code.user-exec-format-string.user-exec-format-string](https://semgrep.dev/r?q=django.security.injection.code.user-exec-format-string.user-exec-format-string)
* [django.security.injection.code.user-exec.user-exec](https://semgrep.dev/r?q=django.security.injection.code.user-exec.user-exec)
* [django.security.injection.path-traversal.path-traversal-open](https://semgrep.dev/r?q=django.security.injection.path-traversal.path-traversal-open)
* [django.security.injection.path-traversal.path-traversal-open.path-traversal-open](https://semgrep.dev/r?q=django.security.injection.path-traversal.path-traversal-open.path-traversal-open)
* [django.security.injection.tainted-sql-string.tainted-sql-string](https://semgrep.dev/r?q=django.security.injection.tainted-sql-string.tainted-sql-string)
* [flask.security.injection.path-traversal-open](https://semgrep.dev/r?q=flask.security.injection.path-traversal-open)
* [flask.security.injection.path-traversal-open.path-traversal-open](https://semgrep.dev/r?q=flask.security.injection.path-traversal-open.path-traversal-open)
* [flask.security.injection.subprocess-injection](https://semgrep.dev/r?q=flask.security.injection.subprocess-injection)
* [flask.security.injection.tainted-sql-string.tainted-sql-string](https://semgrep.dev/r?q=flask.security.injection.tainted-sql-string.tainted-sql-string)
* [flask.security.injection.user-eval.eval-injection](https://semgrep.dev/r?q=flask.security.injection.user-eval.eval-injection)
* [flask.security.injection.user-exec.exec-injection](https://semgrep.dev/r?q=flask.security.injection.user-exec.exec-injection)
* [gitlab.bandit.B113](https://semgrep.dev/r?q=bandit.B113)
* [lang.maintainability.is-function-without-parentheses.is-function-without-parentheses](https://semgrep.dev/r?q=lang.maintainability.is-function-without-parentheses.is-function-without-parentheses)
* [lang.security.audit.dangerous-asyncio-create-exec-audit](https://semgrep.dev/r?q=lang.security.audit.dangerous-asyncio-create-exec-audit)
* [lang.security.audit.dangerous-subprocess-use-audit.dangerous-subprocess-use-audit](https://semgrep.dev/r?q=lang.security.audit.dangerous-subprocess-use-audit.dangerous-subprocess-use-audit)
* [lang.security.audit.eval-detected.eval-detected](https://semgrep.dev/r?q=lang.security.audit.eval-detected.eval-detected)
* [lang.security.audit.exec-detected.exec-detected](https://semgrep.dev/r?q=lang.security.audit.exec-detected.exec-detected)
* [lang.security.audit.logging.logger-credential-leak.python-logger-credential-disclosure](https://semgrep.dev/r?q=python.lang.security.audit.logging.logger-credential-leak.python-logger-credential-disclosure)
* [lang.security.dangerous-subprocess-use](https://semgrep.dev/r?q=lang.security.dangerous-subprocess-use)
* [Please provide a new title that explains bandit.B101](https://semgrep.dev/r/bandit.B101)
* [Please provide a new title that explains lang.correctness.return-in-init.return-in-init](https://semgrep.dev/r/?q=python.lang.correctness.return-in-init.return-in-init)
* [Possible cmdi attack](https://semgrep.dev/r?q=bandit.B603)
* [possible os cmdi](https://semgrep.dev/r?q=bandit.B605)
* [possible os cmdi](https://semgrep.dev/r?q=bandit.B606)
* [possible os cmdi](https://semgrep.dev/r?q=bandit.B607)
* [possible os cmdi](https://semgrep.dev/r?q=python_exec_rule-start-process-partial-path)
* [possible os cmdi](https://semgrep.dev/r?q=python_exec_rule-start-process-path)
* [possible os cmdi](https://semgrep.dev/r?q=python_exec_rule-subprocess-call-array)
* [python.django.correctness.nontext-field-must-set-null-true.nontext-field-must-set-null-true](https://semgrep.dev/r?q=python.django.correctness.nontext-field-must-set-null-true.nontext-field-must-set-null-true)
* [python.django.security.audit.avoid-mark-safe.avoid-mark-safe](https://semgrep.dev/r?q=python.django.security.audit.avoid-mark-safe.avoid-mark-safe)
* [python.django.security.django-no-csrf-token.django-no-csrf-token](https://semgrep.dev/r?q=python.django.security.django-no-csrf-token.django-no-csrf-token)
* [python.django.security.injection.open-redirect.open-redirect](https://semgrep.dev/r?q=python.django.security.injection.open-redirect.open-redirect)
* [python.flask.security.audit.debug-enabled.debug-enabled](https://semgrep.dev/r?q=python.flask.security.audit.debug-enabled.debug-enabled)
* [python.flask.security.xss.audit.direct-use-of-jinja2.direct-use-of-jinja2](https://semgrep.dev/r?q=python.flask.security.xss.audit.direct-use-of-jinja2.direct-use-of-jinja2)
* [python.flask.security.xss.audit.explicit-unescape-with-markup.explicit-unescape-with-markup](https://semgrep.dev/r?q=python.flask.security.xss.audit.explicit-unescape-with-markup.explicit-unescape-with-markup)
* [python.jinja2.security.audit.missing-autoescape-disabled.missing-autoescape-disabled](https://semgrep.dev/r?q=python.jinja2.security.audit.missing-autoescape-disabled.missing-autoescape-disabled)
* [python.lang.correctness.exit.use-sys-exit](https://semgrep.dev/r?q=python.lang.correctness.exit.use-sys-exit)
* [python.lang.maintainability.useless-ifelse.useless-if-body](https://semgrep.dev/r?q=python.lang.correctness.exit.use-sys-exit)
* [python.lang.security.audit.dangerous-subprocess-use-audit.dangerous-subprocess-use-audit](https://semgrep.dev/r?q=python.lang.security.audit.dangerous-subprocess-use-audit.dangerous-subprocess-use-audit)
* [python.lang.security.audit.exec-detected.exec-detected](https://semgrep.dev/r?q=python.lang.security.audit.exec-detected.exec-detected)
* [python.lang.security.audit.formatted-sql-query.formatted-sql-query](https://semgrep.dev/r?q=python.lang.security.audit.formatted-sql-query.formatted-sql-query)
* [python.lang.security.audit.sqli.psycopg-sqli.psycopg-sqli](https://semgrep.dev/r?q=python.lang.security.audit.sqli.psycopg-sqli.psycopg-sqli)
* [python.lang.security.audit.subprocess-shell-true.subprocess-shell-true](https://semgrep.dev/r?q=lang.security.audit.subprocess-shell-true.subprocess-shell-true)
* [python.lang.security.insecure-uuid-version.insecure-uuid-version](https://semgrep.dev/r?q=python.lang.security.insecure-uuid-version.insecure-uuid-version)
* [python.requests.best-practice.use-raise-for-status.use-raise-for-status](https://semgrep.dev/r?q=python.requests.best-practice.use-raise-for-status.use-raise-for-status)
* [python.requests.best-practice.use-timeout.use-timeout](https://semgrep.dev/r?q=python.requests.best-practice.use-timeout.use-timeout)
* [python.sqlalchemy.security.audit.avoid-sqlalchemy-text.avoid-sqlalchemy-text](https://semgrep.dev/r?q=python.sqlalchemy.security.audit.avoid-sqlalchemy-text.avoid-sqlalchemy-text)
* [python.sqlalchemy.security.sqlalchemy-execute-raw-query.sqlalchemy-execute-raw-query](https://semgrep.dev/r?q=python.sqlalchemy.security.sqlalchemy-execute-raw-query.sqlalchemy-execute-raw-query)
* [python.tarfile-extractall-traversal.tarfile-extractall-traversal](https://semgrep.dev/r?q=python.tarfile-extractall-traversal.tarfile-extractall-traversal)
* [python\_exec\_rule-subprocess-call-array](https://semgrep.dev/r?q=python_exec_rule-subprocess-call-array)
* [sqli](https://semgrep.dev/r?q=bandit.B608)
* [sqli](https://semgrep.dev/r?q=bandit.B610)
* [sqli](https://semgrep.dev/r?q=bandit.B611)
* [sqli](https://semgrep.dev/r?q=bandit.B611-2)
* [sqli](https://semgrep.dev/r?q=bandit.B612)
* [sqli](https://semgrep.dev/r?q=django.security.injection.sql.sql-injection-using-db-cursor-execute.sql-injection-db-cursor-execute)
* [The application may be vulnerable to a path traversal if it extracts untrusted archive files.](https://semgrep.dev/r?q=bandit.B202)
* [The application was found calling the `exec` function with a non-literal variable](https://semgrep.dev/r?q=bandit.B102)
* [XSS](https://semgrep.dev/r?q=bandit.B703)

**YAML**

* [An action sourced from a third-party repository on GitHub is not pinned to a full length commit SHA. Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release.](https://semgrep.dev/r/github-actions.security.third-party-action-not-pinned-to-commit-sha.third-party-action-not-pinned-to-commit-sha)
* [Please provide a new title that explains github-actions.security.third-party-action-not-pinned-to-commit-sha](https://semgrep.dev/r/github-actions.security.third-party-action-not-pinned-to-commit-sha)
* [Service '$SERVICE' allows for privilege escalation via setuid or setgid binaries. Add 'no-new-privileges:true' in 'security\_opt' to prevent this.](https://semgrep.dev/r/yaml.docker-compose.security.no-new-privileges.no-new-privileges)
* [Service has a writable filesystem](https://semgrep.dev/r/yaml.docker-compose.security.writable-filesystem-service.writable-filesystem-service)
* [Service port is exposed on all interfaces](https://semgrep.dev/r/trailofbits.yaml.docker-compose.port-all-interfaces.port-all-interfaces)
* [yaml.github-actions.security.run-shell-injection.run-shell-injection](https://semgrep.dev/r?q=yaml.github-actions.security.run-shell-injection.run-shell-injection)

</details>

<details>

<summary>List of Supported Issue Types for Datadog</summary>

**Go**

* SQL Injection

**Java**

* [Avoid user-input file](https://docs.datadoghq.com/security/code_security/static_analysis/static_analysis_rules/java-security/spring-request-file-tainted/)
* [Avoid using printStackTrace()](https://docs.datadoghq.com/security/code_security/static_analysis/static_analysis_rules/java-best-practices/avoid-printstacktrace/)
* [Prefer SecureRandom over Random](https://docs.datadoghq.com/security/code_security/static_analysis/static_analysis_rules/java-security/avoid-random/)
* [Prevent path traversal](https://docs.datadoghq.com/security/code_security/static_analysis/static_analysis_rules/java-security/path-traversal/)

**JavaScript / TypeScript**

* [Avoid setting insecure cookie settings](https://docs.datadoghq.com/security/code_security/static_analysis/static_analysis_rules/javascript-express/insecure-cookie/)
* Command Injection
* Path traversal
* SQL Injection

**Python**

* [Avoid SQL injections](https://docs.datadoghq.com/security/code_security/static_analysis/static_analysis_rules/python-security/variable-sql-statement-injection/)
* [Do not use an empty list as a default parameter](https://docs.datadoghq.com/security/code_security/static_analysis/static_analysis_rules/python-security/no-empty-list-as-parameter/)
* [no-exec](https://docs.datadoghq.com/security/default_rules/#command-injection)
* Path Traversal

</details>
