# Supported Fixes

A "**fix**" is defined as a code remediation that has been validated and tested by Mobb engineers.

All fixes must meet the following criteria:

* The fix addresses the security issue as identified by the SAST tool
* The fix is recognized by the SAST tool (on re-scan, the SAST tool reports the finding as fixed)

Here are the categories of fixes that Mobb currently supports. If there is a category you'd like to see Mobb support that is not listed here, please email us at <support@mobb.ai>.

If you'd like us to support a SAST tool that is not listed here, please tell us by submitting it [here](https://mobb.ai/partners).

{% hint style="info" %}
Since different SAST vendors often name issues differently, the issue names in parentheses are the Mobb normalized names.
{% endhint %}

<details>

<summary>List of Supported Issue Types for Snyk</summary>

**C#**

* [Anti-forgery token validation disabled](https://docs.snyk.io/scan-using-snyk/snyk-code/snyk-code-security-rules#rule-93-anti-forgery-token-validation-disabled)
* [Arbitrary File Write via Archive Extraction (Zip Slip)](https://docs.snyk.io/scan-using-snyk/snyk-code/snyk-code-security-rules#rule-9-arbitrary-file-write-via-archive-extraction-zip-slip)
* Cross-site Scripting (XSS)
* [Log Forging](https://docs.snyk.io/scan-using-snyk/snyk-code/snyk-code-security-rules#rule-36-log-forging)
* [Path Traversal](https://docs.snyk.io/scan-using-snyk/snyk-code/snyk-code-security-rules#rule-10-path-traversal)
* [Sensitive Cookie in HTTPS Session Without 'Secure' Attribute](https://docs.snyk.io/scan-using-snyk/snyk-code/snyk-code-security-rules#rule-126-sensitive-cookie-in-https-session-without-secure-attribute)
* [Sensitive Cookie Without 'HttpOnly' Flag](https://docs.snyk.io/scan-using-snyk/snyk-code/snyk-code-security-rules#rule-150-sensitive-cookie-without-httponly-flag)
* [Server-Side Request Forgery (SSRF)](https://docs.snyk.io/scan-using-snyk/snyk-code/snyk-code-security-rules#rule-144-server-side-request-forgery-ssrf)
* [SQL Injection](https://docs.snyk.io/scan-using-snyk/snyk-code/snyk-code-security-rules#rule-23-sql-injection)
* [Use of Insufficiently Random Values](https://docs.snyk.io/scan-using-snyk/snyk-code/snyk-code-security-rules#rule-87-use-of-insufficiently-random-values)
* [XML External Entity (XXE) Injection](https://docs.snyk.io/scan-using-snyk/snyk-code/snyk-code-security-rules#rule-123-xml-external-entity-xxe-injection)

**GO**

* [Clear Text Logging](https://docs.snyk.io/scan-with-snyk/snyk-code/snyk-code-security-rules/go-rules)
* Command Injection
* [Cross-site Scripting (XSS)](https://docs.snyk.io/scan-with-snyk/snyk-code/snyk-code-security-rules/go-rules)
* [Improper Certificate Validation](https://docs.snyk.io/scan-with-snyk/snyk-code/snyk-code-security-rules/go-rules)
* [Insecurely Generated Password](https://docs.snyk.io/scan-with-snyk/snyk-code/snyk-code-security-rules/go-rules)
* SQL Injection

**Java**

* [Arbitrary File Write via Archive Extraction (Zip Slip)](https://docs.snyk.io/scan-using-snyk/snyk-code/snyk-code-security-rules#rule-9-arbitrary-file-write-via-archive-extraction-zip-slip)
* [Command Injection](https://docs.snyk.io/scan-using-snyk/snyk-code/snyk-code-security-rules#rule-12-command-injection)
* [Cross-site Scripting (XSS)](https://docs.snyk.io/scan-using-snyk/snyk-code/snyk-code-security-rules#rule-15-cross-site-scripting-xss)
* [Improper Neutralization of CRLF Sequences in HTTP Headers](https://docs.snyk.io/scan-using-snyk/snyk-code/snyk-code-security-rules#rule-33-improper-neutralization-of-crlf-sequences-in-http-headers)
* [Open Redirect](https://docs.snyk.io/scan-with-snyk/snyk-code/snyk-code-security-rules/java-rules)
* [Path Traversal](https://docs.snyk.io/scan-using-snyk/snyk-code/snyk-code-security-rules#rule-10-path-traversal)
* [Regular expression injection](https://docs.snyk.io/scan-using-snyk/snyk-code/snyk-code-security-rules#rule-101-regular-expression-injection)
* [Sensitive Cookie in HTTPS Session Without 'Secure' Attribute](https://docs.snyk.io/scan-using-snyk/snyk-code/snyk-code-security-rules#rule-126-sensitive-cookie-in-https-session-without-secure-attribute)
* [Sensitive Cookie Without 'HttpOnly' Flag](https://docs.snyk.io/scan-using-snyk/snyk-code/snyk-code-security-rules#rule-150-sensitive-cookie-without-httponly-flag)
* [Server-Side Request Forgery (SSRF)](https://docs.snyk.io/scan-using-snyk/snyk-code/snyk-code-security-rules#rule-144-server-side-request-forgery-ssrf)
* [SQL Injection](https://docs.snyk.io/scan-using-snyk/snyk-code/snyk-code-security-rules#rule-23-sql-injection)
* [Trust Boundary Violation](https://docs.snyk.io/scan-using-snyk/snyk-code/snyk-code-security-rules#rule-113-trust-boundary-violation)
* [XML External Entity (XXE) Injection](https://docs.snyk.io/scan-using-snyk/snyk-code/snyk-code-security-rules#rule-123-xml-external-entity-xxe-injection)

**JavaScript / TypeScript**

* [Allocation of Resources Without Limits or Throttling](https://docs.snyk.io/scan-with-snyk/snyk-code/snyk-code-security-rules/javascript-and-typescript-rules)
* [Command Injection](https://docs.snyk.io/scan-using-snyk/snyk-code/snyk-code-security-rules#rule-12-command-injection)
* [Cross-site Scripting (XSS)](https://docs.snyk.io/scan-using-snyk/snyk-code/snyk-code-security-rules#rule-15-cross-site-scripting-xss)
* [Denial of Service (DoS) through Nested GraphQL Queries](https://docs.snyk.io/scan-using-snyk/snyk-code/snyk-code-security-rules#rule-99-denial-of-service-dos-through-nested-graphql-queries)
* [Indirect Command Injection via User Controlled Environment](https://docs.snyk.io/scan-using-snyk/snyk-code/snyk-code-security-rules#rule-13-indirect-command-injection-via-user-controlled-environment)
* [NoSQL Injection](https://docs.snyk.io/scan-using-snyk/snyk-code/snyk-code-security-rules#rule-149-nosql-injection)
* [Open Redirect](https://docs.snyk.io/scan-using-snyk/snyk-code/snyk-code-security-rules#rule-121-open-redirect)
* [Path Traversal](https://docs.snyk.io/scan-using-snyk/snyk-code/snyk-code-security-rules#rule-10-path-traversal)
* [Privacy Leak](https://docs.snyk.io/scan-using-snyk/snyk-code/snyk-code-security-rules#rule-117-privacy-leak)
* [Prototype Pollution](https://docs.snyk.io/scan-with-snyk/snyk-code/snyk-code-security-rules/javascript-and-typescript-rules)
* [Regular Expression Denial of Service (ReDoS)](https://docs.snyk.io/scan-using-snyk/snyk-code/snyk-code-security-rules#rule-102-regular-expression-denial-of-service-redos)
* [Sensitive Cookie in HTTPS Session Without 'Secure' Attribute](https://docs.snyk.io/scan-using-snyk/snyk-code/snyk-code-security-rules#rule-126-sensitive-cookie-in-https-session-without-secure-attribute)
* [Server-Side Request Forgery (SSRF)](https://docs.snyk.io/scan-using-snyk/snyk-code/snyk-code-security-rules#rule-144-server-side-request-forgery-ssrf)
* [SQL Injection](https://docs.snyk.io/scan-using-snyk/snyk-code/snyk-code-security-rules#rule-23-sql-injection)
* [Use of Hardcoded Credentials](https://docs.snyk.io/scan-using-snyk/snyk-code/snyk-code-security-rules#rule-56-use-of-hardcoded-credentials)

**Python**

* [Arbitrary File Write via Archive Extraction (Tar Slip)](https://docs.snyk.io/scan-with-snyk/snyk-code/snyk-code-security-rules/python-rules)
* [Code Injection](https://docs.snyk.io/scan-with-snyk/snyk-code/snyk-code-security-rules)
* [Command Injection](https://docs.snyk.io/scan-using-snyk/snyk-code/snyk-code-security-rules#rule-12-command-injection)
* Cross-site Scripting (XSS)
* [Debug Mode Enabled](https://docs.snyk.io/scan-using-snyk/snyk-code/snyk-code-security-rules#rule-111-debug-mode-enabled)
* [Incomplete URL sanitization](https://docs.snyk.io/scan-with-snyk/snyk-code/snyk-code-security-rules/python-rules)
* [Jinja auto-escape is set to false](https://docs.snyk.io/scan-using-snyk/snyk-code/snyk-code-security-rules/python-rules)
* [Path Traversal](https://docs.snyk.io/scan-with-snyk/snyk-code/snyk-code-security-rules/python-rules)
* [Regular Expression Denial of Service (ReDoS)](https://docs.snyk.io/scan-with-snyk/snyk-code/snyk-code-security-rules/python-rules)
* [SQL Injection](https://docs.snyk.io/scan-using-snyk/snyk-code/snyk-code-security-rules#rule-23-sql-injection)

</details>

<details>

<summary>List of Supported Issue Types for Fortify</summary>

**CPP**

* [Buffer Overflow](https://vulncat.fortify.com/en/detail?category=Buffer%20Overflow)
* [String Termination Error](https://vulncat.fortify.com/en/detail?category=String%20Termination%20Error)

**C#**

* [ASP.NET MVC Bad Practices: Controller Action Without AntiForgery Validation](https://vulncat.fortify.com/en/detail?category=ASP.NET%20MVC%20Bad%20Practices\&subcategory=Controller%20Action%20Without%20AntiForgery%20Validation#C%23%2FVB.NET%2FASP.NET)
* [Cookie Security: HTTPOnly not Set on Application Cookie](https://vulncat.fortify.com/en/detail?category=Cookie%20Security\&subcategory=HTTPOnly%20not%20Set%20on%20Application%20Cookie)
* [Cookie Security: Session Cookie not Sent Over SSL](https://vulncat.fortify.com/en/detail?category=Cookie%20Security\&subcategory=Session%20Cookie%20not%20Sent%20Over%20SSL)
* Cross-Site Scripting: Persistent
* [Header Manipulation](https://vulncat.fortify.com/en/detail?category=Header%20Manipulation#C%23%2FVB.NET%2FASP.NET)
* [Insecure Randomness](https://vulncat.fortify.com/en/detail?category=Insecure%20Randomness#C%23%2FVB.NET%2FASP.NET)
* [Insecure Randomness: Hardcoded Seed](https://vulncat.fortify.com/en/detail?category=Insecure%20Randomness\&subcategory=Hardcoded%20Seed#C%23%2FVB.NET%2FASP.NET)
* [Log Forging](https://vulncat.fortify.com/en/detail?category=Log%20Forging#C%23%2FVB.NET%2FASP.NET)
* [Mass Assignment: Insecure Binder Configuration](https://vulncat.fortify.com/en/detail?category=Mass%20Assignment\&subcategory=Insecure%20Binder%20Configuration#C%23%2FVB.NET%2FASP.NET)
* [Mass Assignment: Request Parameters Bound via Input Formatter](https://vulncat.fortify.com/en/detail?category=Mass%20Assignment\&subcategory=Request%20Parameters%20Bound%20via%20Input%20Formatter)
* [Null Dereference](https://vulncat.fortify.com/en/detail?category=Null%20Dereference#C%23%2FVB.NET%2FASP.NET)
* [Object Model Violation: Just One of Equals() and GetHashCode() Defined](https://vulncat.fortify.com/en/detail?category=Object%20Model%20Violation\&subcategory=Just%20One%20of%20Equals%28%29%20and%20GetHashCode%28%29%20Defined#C%23%2FVB.NET%2FASP.NET)
* [Open Redirect](https://vulncat.fortify.com/en/detail?category=Open%20Redirect#C%23%2FVB.NET%2FASP.NET)
* [Password Management: Password in Comment](https://vulncat.fortify.com/en/detail?category=Password%20Management\&subcategory=Password%20in%20Comment#C%23%2FVB.NET%2FASP.NET)
* [Path Manipulation](https://vulncat.fortify.com/en/detail?category=Path%20Manipulation#C%23%2FVB.NET%2FASP.NET)
* [Path Manipulation: Base Path Overwriting](https://vulncat.fortify.com/en/detail?category=Path%20Manipulation\&subcategory=Base%20Path%20Overwriting#C%23%2FVB.NET%2FASP.NET)
* [Path Manipulation: Zip Entry Overwrite](https://vulncat.fortify.com/en/detail?category=Path%20Manipulation\&subcategory=Zip%20Entry%20Overwrite#C%23%2FVB.NET%2FASP.NET)
* [Poor Error Handling: Overly Broad Catch](https://vulncat.fortify.com/en/detail?category=Poor%20Error%20Handling\&subcategory=Overly%20Broad%20Catch#C%23%2FVB.NET%2FASP.NET)
* [Poor Logging Practice: Use of a System Output Stream](https://vulncat.fortify.com/en/detail?category=Poor%20Logging%20Practice\&subcategory=Use%20of%20a%20System%20Output%20Stream#C%23%2FVB.NET%2FASP.NET)
* [SQL Injection](https://vulncat.fortify.com/en/detail?category=SQL%20Injection#C%23%2FVB.NET%2FASP.NET)
* [System Information Leak](https://vulncat.fortify.com/en/detail?category=System%20Information%20Leak#C%23%2FVB.NET%2FASP.NET)
* [System Information Leak: External](https://vulncat.fortify.com/en/detail?category=System%20Information%20Leak\&subcategory=External#C%23%2fVB.NET%2fASP.NET)
* [System Information Leak: Internal](https://vulncat.fortify.com/en/detail?category=System%20Information%20Leak\&subcategory=Internal#C%23%2FVB.NET%2FASP.NET)
* [Trust Boundary Violation](https://vulncat.fortify.com/en/detail?category=Trust%20Boundary%20Violation#C%23%2FVB.NET%2FASP.NET)
* [XML Entity Expansion Injection](https://vulncat.fortify.com/en/detail?category=XML%20Entity%20Expansion%20Injection#C%23%2FVB.NET%2FASP.NET)
* [XML External Entity Injection](https://vulncat.fortify.com/en/detail?category=XML%20External%20Entity%20Injection#C%23%2FVB.NET%2FASP.NET)

**DOCKERFILE**

**GO**

* [Log Forging](https://vulncat.fortify.com/en/detail?category=Log%20Forging#Golang)

**Java**

* [Code Correctness: Class Does Not Implement Equivalence Method](https://vulncat.fortify.com/en/detail?category=Code%20Correctness\&subcategory=Class%20Does%20Not%20Implement%20Equivalence%20Method#Java%2FJSP)
* [Code Correctness: Comparison of Boxed Primitive Types](https://vulncat.fortify.com/en/detail?category=Code%20Correctness\&subcategory=Comparison%20of%20Boxed%20Primitive%20Types#Java%2FJSP)
* [Code Correctness: Erroneous String Compare](https://vulncat.fortify.com/en/detail?category=Code%20Correctness\&subcategory=Erroneous%20String%20Compare#Java%2FJSP)
* [Command Injection](https://vulncat.fortify.com/en/detail?category=Command%20Injection#Java%2FJSP)
* [Cookie Security: Cookie not Sent Over SSL](https://vulncat.fortify.com/en/detail?category=Cookie%20Security\&subcategory=Cookie%20not%20Sent%20Over%20SSL#Java%2FJSP)
* [Cookie Security: HTTPOnly not Set](https://vulncat.fortify.com/en/detail?category=Cookie%20Security\&subcategory=HTTPOnly%20not%20Set#Java%2FJSP)
* [Cross-Site Request Forgery](https://vulncat.fortify.com/en/detail?category=Cross-Site%20Request%20Forgery)
* [Cross-Site Scripting: Reflected](https://vulncat.fortify.com/en/detail?category=Cross-Site%20Scripting\&subcategory=Reflected#Java%2FJSP)
* [Denial of Service](https://vulncat.fortify.com/en/detail?category=Denial%20of%20Service)
* [Denial of Service: Regular Expression](https://vulncat.fortify.com/en/detail?category=Denial%20of%20Service\&subcategory=Regular%20Expression#Java%2FJSP)
* [Denial of Service: StringBuilder](https://vulncat.fortify.com/en/detail?category=Denial%20of%20Service\&subcategory=StringBuilder#Java%2FJSP)
* [HTML5: Missing Content Security Policy](https://vulncat.fortify.com/en/detail?category=HTML5\&subcategory=Missing%20Content%20Security%20Policy)
* [HTTP Parameter Pollution](https://vulncat.fortify.com/en/detail?category=HTTP%20Parameter%20Pollution)
* [Insecure Randomness](https://vulncat.fortify.com/en/detail?category=Insecure%20Randomness#Java%2fJSP)
* [J2EE Bad Practices: Leftover Debug Code](https://vulncat.fortify.com/en/detail?category=J2EE%20Bad%20Practices\&subcategory=Leftover%20Debug%20Code#Java%2FJSP)
* [J2EE Bad Practices: Threads](https://vulncat.fortify.com/en/detail?category=J2EE%20Bad%20Practices\&subcategory=Threads)
* [Log Forging](https://vulncat.fortify.com/en/detail?category=Log%20Forging#Java%2FJSP)
* [Log Forging (debug)](https://vulncat.fortify.com/en/detail?category=Log%20Forging%20%28debug%29#Java%2FJSP)
* [Mass Assignment: Insecure Binder Configuration](https://vulncat.fortify.com/en/detail?category=Mass%20Assignment\&subcategory=Insecure%20Binder%20Configuration#Java%2fJSP)
* [Missing Check against Null](https://vulncat.fortify.com/en/detail?category=Missing%20Check%20against%20Null#Java%2FJSP)
* [Null Dereference](https://vulncat.fortify.com/en/detail?category=Null%20Dereference#Java%2FJSP)
* [Open Redirect](https://vulncat.fortify.com/en/detail?category=Open%20Redirect)
* [Password Management: Password in Comment](https://vulncat.fortify.com/en/detail?category=Password%20Management\&subcategory=Password%20in%20Comment#Java%2FJSP)
* [Path Manipulation](https://vulncat.fortify.com/en/detail?category=Path%20Manipulation#Java%2FJSP)
* [Path Manipulation: Zip Entry Overwrite](https://vulncat.fortify.com/en/detail?category=Path%20Manipulation\&subcategory=Zip%20Entry%20Overwrite#Java%2FJSP)
* [Poor Error Handling: Empty Catch Block](https://vulncat.fortify.com/en/detail?category=Poor%20Error%20Handling\&subcategory=Empty%20Catch%20Block#Java%2FJSP)
* [Poor Error Handling: Overly Broad Catch](https://vulncat.fortify.com/en/detail?category=Poor%20Error%20Handling\&subcategory=Overly%20Broad%20Catch#Java%2FJSP)
* [Poor Logging Practice: Use of a System Output Stream](https://vulncat.fortify.com/en/detail?category=Poor%20Logging%20Practice\&subcategory=Use%20of%20a%20System%20Output%20Stream#Java%2FJSP)
* [Poor Style: Confusing Naming](https://vulncat.fortify.com/en/detail?category=Poor%20Style\&subcategory=Confusing%20Naming#Java%2FJSP)
* [Poor Style: Non-final Public Static Field](https://vulncat.fortify.com/en/detail?category=Poor%20Style\&subcategory=Non-final%20Public%20Static%20Field#Java%2FJSP)
* [Poor Style: Value Never Read](https://vulncat.fortify.com/en/detail?category=Poor%20Style\&subcategory=Value%20Never%20Read#Java%2FJSP)
* [Portability Flaw: Locale Dependent Comparison](https://vulncat.fortify.com/en/detail?category=Portability%20Flaw\&subcategory=Locale%20Dependent%20Comparison#Java%2FJSP)
* [Privacy Violation](https://vulncat.fortify.com/en/detail?category=Privacy%20Violation#Java%2FJSP)
* [Race Condition: Format Flaw](https://vulncat.fortify.com/en/detail?category=Race%20Condition\&subcategory=Format%20Flaw#Java%2FJSP)
* [Server-Side Request Forgery](https://vulncat.fortify.com/en/detail?category=Server-Side%20Request%20Forgery#Java%2FJSP)
* [Spring Security Misconfiguration: Default Permit](https://vulncat.fortify.com/en/detail?category=Spring%20Security%20Misconfiguration\&subcategory=Default%20Permit)
* [SQL Injection](https://vulncat.fortify.com/en/detail?category=SQL%20Injection#Java%2FJSP)
* [SQL Injection: Persistence](https://vulncat.fortify.com/en/detail?category=SQL%20Injection\&subcategory=Persistence#Java%2fJSP)
* [System Information Leak](https://vulncat.fortify.com/en/detail?category=System%20Information%20Leak#Java%2FJSP)
* [System Information Leak: HTML Comment in JSP](https://vulncat.fortify.com/en/detail?category=System%20Information%20Leak\&subcategory=HTML%20Comment%20in%20JSP#Java%2FJSP)
* [System Information Leak: Internal](https://vulncat.fortify.com/en/detail?category=System%20Information%20Leak\&subcategory=Internal#Java%2FJSP)
* [Trust Boundary Violation](https://vulncat.fortify.com/en/detail?category=Trust%20Boundary%20Violation#Java%2FJSP)
* [Unreleased Resource: Database](https://vulncat.fortify.com/en/detail?category=Unreleased%20Resource\&subcategory=Database#Java%2FJSP)
* [Unreleased Resource: Files](https://vulncat.fortify.com/en/detail?category=Unreleased%20Resource\&subcategory=Files#Java%2FJSP)
* [Unreleased Resource: Sockets](https://vulncat.fortify.com/en/detail?category=Unreleased%20Resource\&subcategory=Sockets#Java%2FJSP)
* [Unreleased Resource: Streams](https://vulncat.fortify.com/en/detail?category=Unreleased%20Resource\&subcategory=Streams#Java%2FJSP)
* [Unreleased Resource: Synchronization](https://vulncat.fortify.com/en/detail?category=Unreleased%20Resource\&subcategory=Synchronization#Java%2FJSP)
* [Unreleased Resource: Unmanaged Object](https://vulncat.fortify.com/en/detail?category=Unreleased%20Resource\&subcategory=Unmanaged%20Object#Java%2FJSP)
* [XML Entity Expansion Injection](https://vulncat.fortify.com/en/detail?category=XML%20Entity%20Expansion%20Injection#Java%2FJSP)
* [XML External Entity Injection](https://vulncat.fortify.com/en/detail?category=XML%20External%20Entity%20Injection#Java%2FJSP)

**JavaScript / TypeScript**

* [Command Injection](https://vulncat.fortify.com/en/detail?category=Command%20Injection#JavaScript%2FTypeScript)
* [Cookie Security: Cookie not Sent Over SSL](https://vulncat.fortify.com/en/detail?category=Cookie%20Security\&subcategory=Cookie%20not%20Sent%20Over%20SSL#JavaScript%2FTypeScript)
* [Credential Management: Hardcoded API Credentials](https://vulncat.fortify.com/en/detail?category=Credential%20Management\&subcategory=Hardcoded%20API%20Credentials#JavaScript%2FTypeScript)
* [Cross-Site Scripting: DOM](https://vulncat.fortify.com/en/detail?category=Cross-Site%20Scripting\&subcategory=DOM#JavaScript%2FTypeScript)
* [Cross-Site Scripting: Self](https://vulncat.fortify.com/en/detail?category=Cross-Site%20Scripting\&subcategory=Self#JavaScript%2FTypeScript)
* [Hardcoded Domain in HTML](https://vulncat.fortify.com/en/detail?category=Hardcoded%20Domain%20in%20HTML#Universal)
* [Insecure Randomness](https://vulncat.fortify.com/en/detail?category=Insecure%20Randomness#JavaScript%2FTypeScript)
* [Insecure Randomness: Hardcoded Seed](https://vulncat.fortify.com/en/detail?category=Insecure%20Randomness\&subcategory=Hardcoded%20Seed#JavaScript%2FTypeScript)
* [Key Management: Hardcoded Encryption Key](https://vulncat.fortify.com/en/detail?category=Key%20Management\&subcategory=Hardcoded%20Encryption%20Key#JavaScript%2FTypeScript)
* [Open Redirect](https://vulncat.fortify.com/en/detail?category=Open%20Redirect#JavaScript%2FTypeScript)
* [Password Management: Hardcoded Password](https://vulncat.fortify.com/en/detail?category=Password%20Management\&subcategory=Hardcoded%20Password#JavaScript%2FTypeScript)
* [Password Management: Password in Comment](https://vulncat.fortify.com/en/detail?category=Password%20Management\&subcategory=Password%20in%20Comment#JavaScript%2FTypeScript)
* [Path Manipulation](https://vulncat.fortify.com/en/detail?category=Path%20Manipulation#JavaScript%2FTypeScript)
* [Privacy Violation: Autocomplete](https://vulncat.fortify.com/en/detail?category=Privacy%20Violation\&subcategory=Autocomplete#Universal)
* [System Information Leak: External](https://vulncat.fortify.com/en/detail?category=System%20Information%20Leak\&subcategory=External#JavaScript%2FTypeScript)
* [System Information Leak: Internal](https://vulncat.fortify.com/en/detail?category=System%20Information%20Leak\&subcategory=Internal#JavaScript%2FTypeScript)

**PHP**

* [Insecure Randomness](https://vulncat.fortify.com/en/detail?category=Insecure%20Randomness#PHP)

**Python**

* [Cross-Site Request Forgery](https://vulncat.fortify.com/en/detail?category=Cross-Site%20Request%20Forgery#Universal)
* [Dynamic Code Evaluation: Code Injection](https://vulncat.fortify.com/en/detail?category=Dynamic%20Code%20Evaluation#Universal)
* [Password Management: Password in Comment](https://vulncat.fortify.com/en/detail?category=Password%20Management\&subcategory=Password%20in%20Comment#Python)
* [Path Manipulation](https://vulncat.fortify.com/en/detail?category=Path%20Manipulation#Python)
* [SQL Injection](https://vulncat.fortify.com/en/detail?category=SQL%20Injection#Python)
* [System Information Leak: Internal](https://vulncat.fortify.com/en/detail?category=System%20Information%20Leak\&subcategory=Internal#Python)

**XML**

* [Password Management: Password in Comment](https://vulncat.fortify.com/en/detail?category=Password%20Management\&subcategory=Password%20in%20Comment#Universal)
* [Weak XML Schema: Unbounded Occurrences](https://vulncat.fortify.com/en/detail?category=Weak%20XML%20Schema\&subcategory=Unbounded%20Occurrences#Universal)

</details>

<details>

<summary>List of Supported Issue Types for Checkmarx</summary>

**C#**

* Declaration Of Catch For Generic Exception
* Deserialization of Untrusted Data
* Dynamic SQL Queries
* [Heap Inspection](https://deu.ast.checkmarx.net/resourceManagement/presets/description/244/17574178213563422629)
* HttpOnlyCookies
* Improper Exception Handling
* Improper Resource Shutdown or Release
* Improper Restriction of XXE Ref
* Information Exposure Through an Error Message
* Information Exposure via Headers
* Insecure Cookie
* Insufficient Logging of Exceptions
* Insufficient Logging of Sensitive Operations
* Just One of Equals and Hash code Defined
* Log Forging
* [Missing HSTS Header](https://deu.ast.checkmarx.net/resourceManagement/presets/description/346/15718905356648301922)
* Path Traversal
* Reflected XSS
* Reflected XSS All Clients
* SQL Injection
* SSRF
* Stored XSS
* Trust Boundary Violation in Session Variables
* Unsafe Object Binding
* Unvalidated Arguments Of Public Methods
* Use of Insufficiently Random Values
* Value Shadowing

**GO**

* Command Injection
* Log Forging
* Privacy Violation
* Second Order SQL Injection
* SQL Injection
* SSL Verification Bypass
* Use of Cryptographically Weak PRNG

**Java**

* Absolute Path Traversal
* Command Injection
* Confusing Naming
* Declaration Of Catch For Generic Exception
* Detection of Error Condition Without Action
* Frameable Login Page
* HttpOnlyCookies
* Improper Resource Shutdown or Release
* Improper Restriction of Stored XXE Ref
* Improper Restriction of XXE Ref
* Information Exposure Through an Error Message
* Log Forging
* [Open Redirect](https://deu.ast.checkmarx.net/resourceManagement/presets/description/601/5854466950125120303)
* [Password In Comment](https://deu.ast.checkmarx.net/resourceManagement/presets/description/615/2940637487142405047)
* Portability Flaw Locale Dependent Comparison
* Privacy Violation
* Race Condition Format Flaw
* ReDoS From Regex Injection
* Reflected XSS All Clients
* Relative Path Traversal
* SQL Injection
* SQL Injection Evasion Attack
* SSRF
* Stored Absolute Path Traversal
* Stored Log Forging
* Stored XSS
* Trust Boundary Violation in Session Variables
* Unchecked Input for Loop Condition
* [Unsafe Object Binding](https://deu.ast.checkmarx.net/resourceManagement/presets/description/915/18167789603095321044)
* Use of Hard coded Cryptographic Key
* Use of Non Cryptographic Random
* Use of Wrong Operator in String Comparison

**JavaScript / TypeScript**

* Absolute Path Traversal
* Client DOM Code Injection
* Client DOM Open Redirect
* [Client DOM Stored Code Injection](https://deu.ast.checkmarx.net/resourceManagement/presets/description/94/17736946413799343054)
* Client DOM Stored XSS
* Client DOM XSS
* Client Hardcoded Domain
* Client Insecure Randomness
* Client JQuery Deprecated Symbols
* Client Password In Comment
* Client Potential XSS
* Client Regex Injection
* Client Use Of Iframe Without Sandbox
* Command Injection
* Hardcoded password in Connection String
* [HttpOnly Cookie Flag Not Set](https://deu.ast.checkmarx.net/resourceManagement/presets/description/1004/9800224272094099502)
* Information Exposure Through an Error Message
* JWT Use Of Hardcoded Secret
* Log Forging
* [Missing CSP Header](https://deu.ast.checkmarx.net/resourceManagement/presets/description/346/729519850006803664)
* [Missing HSTS Header](https://deu.ast.checkmarx.net/resourceManagement/presets/description/346/15718905356648301922)
* Open Redirect
* Prototype Pollution
* Relative Path Traversal
* Secret\_Leak
* Server DoS by Loop
* SQL Injection
* SSRF
* Stored XSS
* Unchecked Input For Loop Condition
* Unprotected Cookie
* Unsafe Use Of Target blank
* Use of Deprecated or Obsolete Functions
* Use Of Hardcoded Password
* Use of Insufficiently Random Values

**PHP**

* Use of Non Cryptographic Random

**Python**

* [Code Injection](https://deu.ast.checkmarx.net/resourceManagement/presets/description/94/13646819717326216658)
* Command Argument Injection
* [Debug Enabled](https://deu.ast.checkmarx.net/resourceManagement/presets/description/11/15910406614565918143)
* [Filtering Sensitive Logs](https://deu.ast.checkmarx.net/resourceManagement/presets/description/532/12553559161661395516)
* [Improper Resource Shutdown or Release](https://deu.ast.checkmarx.net/resourceManagement/presets/description/404/4929335937220202619)
* [Information Exposure Through an Error Message](https://deu.ast.checkmarx.net/resourceManagement/presets/description/209/10086633261638473115)
* [Log Forging](https://deu.ast.checkmarx.net/resourceManagement/presets/description/117/4488286415414676575)
* [Password in Comment](https://deu.ast.checkmarx.net/resourceManagement/presets/description/615/13336864677243390331)
* [Path Traversal](https://deu.ast.checkmarx.net/resourceManagement/presets/description/22/4418167693267818286)
* [Privacy Violation](https://deu.ast.checkmarx.net/resourceManagement/presets/description/359/15091406806124960160)
* [ReDoS Injection](https://deu.ast.checkmarx.net/resourceManagement/presets/description/400/5043137136712896099)
* [Second Order SQL Injection](https://deu.ast.checkmarx.net/resourceManagement/presets/description/89/631642030927601838)
* [SQL Injection](https://deu.ast.checkmarx.net/resourceManagement/presets/description/89/17810866942529238742)
* [Stored Code Injection](https://deu.ast.checkmarx.net/resourceManagement/presets/description/94/14606273189609098459)
* [Stored Command Argument Injection](https://deu.ast.checkmarx.net/resourceManagement/presets/description/88/6227086963064089467)
* [Unchecked Input for Loop Condition](https://deu.ast.checkmarx.net/resourceManagement/presets/description/606/12513885999564608658)
* [XSS](https://deu.ast.checkmarx.net/resourceManagement/presets/description/79/11301225196674651062)

**SQL**

* [Default Definer Rights in Package or Object Definition](https://deu.ast.checkmarx.net/resourceManagement/presets/description/265/10300492436975582020)
* [Second Order SQL Injection](https://deu.ast.checkmarx.net/resourceManagement/presets/description/89/1186085178286193418)

</details>

<details>

<summary>List of Supported Issue Types for SonarQube</summary>

**C#**

* [Composite format strings should be used correctly](https://rules.sonarsource.com/csharp/RSPEC-3457/)
* [Creating cookies without the "HttpOnly" flag is security-sensitive](https://rules.sonarsource.com/csharp/RSPEC-3330/)
* [Creating cookies without the "secure" flag is security-sensitive](https://rules.sonarsource.com/csharp/RSPEC-2092/)
* [Extracting archives should not lead to zip slip vulnerabilities](https://rules.sonarsource.com/csharp/type/Vulnerability/RSPEC-6096/)
* [Fields that are only assigned in the constructor should be "readonly"](https://rules.sonarsource.com/csharp/RSPEC-2933/)
* [Formatting SQL queries is security-sensitive](https://rules.sonarsource.com/csharp/RSPEC-2077/)
* [I/O function calls should not be vulnerable to path injection attacks](https://rules.sonarsource.com/csharp/RSPEC-2083/)
* [Logging should not be vulnerable to injection attacks](https://rules.sonarsource.com/csharp/type/Vulnerability/RSPEC-5145/)
* [Logging templates should be constant](https://rules.sonarsource.com/csharp/RSPEC-2629/)
* [Not specifying a timeout for regular expressions is security-sensitive](https://rules.sonarsource.com/csharp/RSPEC-6444/)
* [Null pointers should not be dereferenced](https://rules.sonarsource.com/csharp/RSPEC-2259/)
* [Sections of code should not be commented out](https://rules.sonarsource.com/csharp/RSPEC-125/)
* [Secure random number generators should not output predictable values](https://rules.sonarsource.com/csharp/type/Vulnerability/RSPEC-4347/)
* [Unassigned members should be removed](https://rules.sonarsource.com/csharp/RSPEC-3459/)
* [Unread "private" fields should be removed](https://rules.sonarsource.com/csharp/RSPEC-4487/)
* [Unused private types or members should be removed](https://rules.sonarsource.com/csharp/RSPEC-1144/)

**DOCKERFILE**

* [S6471 Running containers as a privileged user is security-sensitive](https://rules.sonarsource.com/docker/RSPEC-6471/)

**GO**

* Constructing arguments of system commands from user input is security-sensitive
* Database queries should not be vulnerable to injection attacks
* Formatting SQL queries is security-sensitive
* [Using pseudorandom number generators (PRNGs) is security-sensitive](https://rules.sonarsource.com/go/impact/security/RSPEC-2245/)

**Java**

* ["Preconditions" and logging arguments should not require evaluation](https://next.sonarqube.com/sonarqube/coding_rules?languages=java\&open=java:S2629)
* [Accessing files should not lead to filesystem oracle attacks](https://rules.sonarsource.com/java/RSPEC-6549/)
* [Creating cookies without the "HttpOnly" flag is security-sensitive](https://rules.sonarsource.com/java/RSPEC-3330/)
* [Creating cookies without the "secure" flag is security-sensitive](https://rules.sonarsource.com/java/RSPEC-2092/)
* [Database queries should not be vulnerable to injection attacks](https://rules.sonarsource.com/java/RSPEC-3649/)
* [Endpoints should not be vulnerable to reflected cross-site scripting (XSS) attacks](https://rules.sonarsource.com/java/RSPEC-5131/)
* [Extracting archives should not lead to zip slip vulnerabilities](https://rules.sonarsource.com/java/RSPEC-6096/)
* [Format strings should be used correctly](https://rules.sonarsource.com/java/RSPEC-3457/)
* [Generic exceptions should never be thrown](https://rules.sonarsource.com/java/RSPEC-112/)
* [I/O function calls should not be vulnerable to path injection attacks](https://rules.sonarsource.com/java/RSPEC-2083/)
* [javasecurity:S5146 HTTP request redirections should not be open to forging attacks](https://next.sonarqube.com/sonarqube/coding_rules?open=javasecurity%3AS5146\&rule_key=javasecurity%3AS5146)
* [Logging should not be vulnerable to injection attacks](https://rules.sonarsource.com/java/RSPEC-5145/)
* [Public constants and fields initialized at declaration should be "static final" rather than merely "final"](https://rules.sonarsource.com/java/RSPEC-1170/)
* [Regular expressions should not be vulnerable to Denial of Service attacks](https://rules.sonarsource.com/java/RSPEC-2631/)
* [Sections of code should not be commented out](https://rules.sonarsource.com/java/RSPEC-125/)
* [Security - Nonconstant string passed to execute or addBatch method on an SQL statement](https://spotbugs.readthedocs.io/en/latest/bugDescriptions.html#SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE)
* [Server-side requests should not be vulnerable to traversing attacks](https://rules.sonarsource.com/java/RSPEC-7044/)
* [String literals should not be duplicated](https://rules.sonarsource.com/java/RSPEC-1192/)
* [Strings and Boxed types should be compared using "equals()"](https://rules.sonarsource.com/java/RSPEC-4973/)
* [Try-catch blocks should not be nested](https://rules.sonarsource.com/java/RSPEC-1141/)
* [Unnecessary imports should be removed](https://rules.sonarsource.com/java/RSPEC-1128/)
* [Unused "private" fields should be removed](https://rules.sonarsource.com/java/RSPEC-1068/)
* [Unused assignments should be removed](https://rules.sonarsource.com/java/RSPEC-1854/)
* [Unused local variables should be removed](https://rules.sonarsource.com/java/RSPEC-1481/)
* [Using pseudorandom number generators (PRNGs) is security-sensitive](https://rules.sonarsource.com/java/RSPEC-2245/)

**JavaScript / TypeScript**

* [Creating cookies without the "secure" flag is security-sensitive](https://rules.sonarsource.com/javascript/RSPEC-2092/)
* [Database queries should not be vulnerable to injection attacks](https://rules.sonarsource.com/typescript/RSPEC-3649/)
* [Database queries should not be vulnerable to injection attacks](https://rules.sonarsource.com/javascript/RSPEC-3649/)
* [DOM updates should not lead to cross-site scripting (XSS) attacks](https://rules.sonarsource.com/javascript/RSPEC-5696/)
* [DOM updates should not lead to cross-site scripting (XSS) attacks](https://rules.sonarsource.com/typescript/RSPEC-5696/)
* [DOM updates should not lead to open redirect vulnerabilities](https://rules.sonarsource.com/javascript/RSPEC-6105/)
* [DOM updates should not lead to open redirect vulnerabilities](https://rules.sonarsource.com/typescript/RSPEC-6105/)
* [Dynamic code execution should not be vulnerable to injection attacks](https://rules.sonarsource.com/typescript/RSPEC-5334/)
* [Dynamically executing code is security-sensitive](https://rules.sonarsource.com/javascript/RSPEC-1523/)
* [Endpoints should not be vulnerable to reflected cross-site scripting (XSS) attacks](https://rules.sonarsource.com/typescript/RSPEC-5131/)
* [Fields that are only assigned in the constructor should be "readonly"](https://rules.sonarsource.com/typescript/RSPEC-2933/)
* [Formatting SQL queries is security-sensitive](https://rules.sonarsource.com/javascript/RSPEC-2077/)
* [Function returns should not be invariant](https://rules.sonarsource.com/javascript/RSPEC-3516/)
* [Hard-coded credentials are security-sensitive](https://rules.sonarsource.com/javascript/RSPEC-2068/)
* [Hard-coded credentials are security-sensitive](https://rules.sonarsource.com/typescript/RSPEC-2068/)
* [Hard-coded passwords are security-sensitive](https://rules.sonarsource.com/javascript/RSPEC-2068)
* [Hard-coded passwords are security-sensitive](https://rules.sonarsource.com/typescript/RSPEC-2068)
* [Hard-coded secrets are security-sensitive](https://rules.sonarsource.com/javascript/RSPEC-2068/)
* [Hard-coded secrets are security-sensitive](https://rules.sonarsource.com/typescript/RSPEC-2068/)
* [HTTP request redirections should not be open to forging attacks](https://rules.sonarsource.com/javascript/RSPEC-5146/)
* [HTTP request redirections should not be open to forging attacks](https://rules.sonarsource.com/typescript/RSPEC-5146/)
* [I/O function calls should not be vulnerable to path injection attacks](https://rules.sonarsource.com/javascript/RSPEC-2083/)
* [I/O function calls should not be vulnerable to path injection attacks](https://rules.sonarsource.com/typescript/RSPEC-2083/)
* [Jump statements should not occur in "finally" blocks](https://rules.sonarsource.com/javascript/RSPEC-1143/)
* [Jump statements should not occur in "finally" blocks](https://rules.sonarsource.com/typescript/RSPEC-1143/)
* [NoSQL operations should not be vulnerable to injection attacks](https://rules.sonarsource.com/typescript/RSPEC-5147/)
* [NoSQL operations should not be vulnerable to injection attacks](https://rules.sonarsource.com/javascript/RSPEC-5147/)
* [OS commands should not be vulnerable to command injection attacks](https://rules.sonarsource.com/typescript/RSPEC-2076/)
* [Regular expressions should not be vulnerable to Denial of Service attacks](https://rules.sonarsource.com/javascript/RSPEC-2631/)
* [Regular expressions should not be vulnerable to Denial of Service attacks](https://rules.sonarsource.com/typescript/RSPEC-2631/)
* [Sections of code should not be commented out](https://rules.sonarsource.com/typescript/RSPEC-125/)
* [Sections of code should not be commented out](https://rules.sonarsource.com/javascript/RSPEC-125/)
* [Server-side requests should not be vulnerable to forging attacks](https://rules.sonarsource.com/typescript/RSPEC-5144/)
* [Unnecessary character escapes should be removed](https://rules.sonarsource.com/javascript/RSPEC-6535/)
* [Unnecessary character escapes should be removed](https://rules.sonarsource.com/typescript/RSPEC-6535/)
* [Using pseudorandom number generators (PRNGs) is security-sensitive](https://rules.sonarsource.com/javascript/RSPEC-2245/)
* [Using pseudorandom number generators (PRNGs) is security-sensitive](https://rules.sonarsource.com/typescript/RSPEC-2245/)
* [Using remote artifacts without integrity checks is security-sensitive](https://rules.sonarsource.com/html/type/Security%20Hotspot/RSPEC-5725/)
* [Using shell interpreter when executing OS commands is security-sensitive](https://rules.sonarsource.com/typescript/RSPEC-4721/)
* [Using slow regular expressions is security-sensitive](https://rules.sonarsource.com/javascript/RSPEC-5852/)
* [Using slow regular expressions is security-sensitive](https://rules.sonarsource.com/typescript/RSPEC-5852/)
* [Variables should be declared explicitly](https://rules.sonarsource.com/javascript/RSPEC-2703/)
* [Variables should be declared with "let" or "const"](https://rules.sonarsource.com/javascript/RSPEC-3504/)
* [Variables should be declared with "let" or "const"](https://rules.sonarsource.com/typescript/RSPEC-3504/)

**PHP**

* [Using pseudorandom number generators (PRNGs) is security-sensitive](https://rules.sonarsource.com/php/type/Security%20Hotspot/RSPEC-2245/)

**Python**

* ["Exception" and "BaseException" should not be raised](https://next.sonarqube.com/sonarqube/coding_rules?languages=py\&open=python:S112)
* [Constructing arguments of system commands from user input is security-sensitive](https://rules.sonarsource.com/python/RSPEC-6350/)
* [Database queries should not be vulnerable to injection attacks](https://rules.sonarsource.com/python/RSPEC-3649/)
* [Delivering code in production with debug features activated is security-sensitive](https://rules.sonarsource.com/python/RSPEC-4507/)
* [Disabling auto-escaping in template engines is security-sensitive](https://rules.sonarsource.com/python/RSPEC-5247/)
* [Disabling CSRF protections is security-sensitive](https://rules.sonarsource.com/python/RSPEC-4502/)
* [Do not name local variables as builtin python functions](https://next.sonarqube.com/sonarqube/coding_rules?languages=py\&open=python:S5806)
* [Do not use identity comparisons (is / is not) with cached types](https://rules.sonarsource.com/python/RSPEC-5795/)
* [Dynamic code execution should not be vulnerable to injection attacks](https://rules.sonarsource.com/python/RSPEC-5334/)
* [Endpoints should not be vulnerable to reflected cross-site scripting (XSS) attacks](https://rules.sonarsource.com/python/RSPEC-5131/)
* [Formatting SQL queries is security-sensitive](https://rules.sonarsource.com/python/RSPEC-2077/)
* [Function parameters' default values should not be modified or assigned](https://rules.sonarsource.com/python/RSPEC-5717/)
* [I/O function calls should not be vulnerable to path injection attacks](https://rules.sonarsource.com/python/RSPEC-2083/)
* [Logging should not be vulnerable to injection attacks](https://rules.sonarsource.com/python/RSPEC-5145/)
* [Loop boundaries should not be vulnerable to injection attacks](https://rules.sonarsource.com/python/RSPEC-6680/)
* [Properly use string formatting: add all arguments to the format string, don't supply unused arguments](https://rules.sonarsource.com/python/RSPEC-3457/)
* [python:S5443 Using publicly writable directories is security-sensitive](https://rules.sonarsource.com/python/RSPEC-5443/)
* [python:S5754 "SystemExit" should be re-raised](https://next.sonarqube.com/sonarqube/coding_rules?languages=py\&open=python:S5754)
* [Regular expressions should not be vulnerable to Denial of Service attacks](https://rules.sonarsource.com/python/RSPEC-2631/)
* [Sections of code should not be commented out](https://rules.sonarsource.com/python/RSPEC-125/)
* [String literals should not be duplicated](https://rules.sonarsource.com/python/RSPEC-1192/)
* [The "print" statement should not be used](https://rules.sonarsource.com/python/RSPEC-2320/)
* [Unused assignments should be removed](https://rules.sonarsource.com/python/RSPEC-1854/)
* [Wildcard imports should not be used](https://rules.sonarsource.com/python/RSPEC-2208/)

**YAML**

* [Ensure whitespace in-between braces in template directives](https://rules.sonarsource.com/kubernetes/RSPEC-6893/)

</details>

<details>

<summary>List of Supported Issue Types for CodeQL</summary>

**CPP**

* [No space for zero terminator](https://codeql.github.com/codeql-query-help/cpp/cpp-no-space-for-terminator/)
* [Use of dangerous function](https://codeql.github.com/codeql-query-help/cpp/cpp-dangerous-function-overflow/)

**C#**

* [Arbitrary file access during archive extraction ("Zip Slip")](https://codeql.github.com/codeql-query-help/csharp/cs-zipslip/)
* [Cookie "HttpOnly" attribute is not set to true](https://codeql.github.com/codeql-query-help/csharp/cs-web-cookie-httponly-not-set/)
* [Cookie "Secure" attribute is not set to true](https://codeql.github.com/codeql-query-help/csharp/cs-web-cookie-secure-not-set/)
* [Cross-site scripting](https://codeql.github.com/codeql-query-help/csharp/cs-web-xss/)
* [Deserialization of untrusted data](https://codeql.github.com/codeql-query-help/csharp/cs-unsafe-deserialization-untrusted-input/)
* [Exposure of private information](https://codeql.github.com/codeql-query-help/csharp/cs-exposure-of-sensitive-information/)
* [Insecure randomness](https://codeql.github.com/codeql-query-help/csharp/cs-insecure-randomness/)
* [Log entries created from user input](https://codeql.github.com/codeql-query-help/csharp/cs-log-forging/)
* [Missing cross-site request forgery token validation](https://codeql.github.com/codeql-query-help/csharp/cs-web-missing-token-validation/)
* SQL Injection
* [Uncontrolled data used in path expression](https://codeql.github.com/codeql-query-help/csharp/cs-path-injection/)
* [URL redirection from remote source](https://codeql.github.com/codeql-query-help/csharp/cs-web-unvalidated-url-redirection/)

**GO**

* [Bad redirect check](https://codeql.github.com/codeql-query-help/go/go-bad-redirect-check/)
* [Clear-text logging of sensitive information](https://codeql.github.com/codeql-query-help/go/go-clear-text-logging/)
* Command Injection
* [Disabled TLS certificate check](https://codeql.github.com/codeql-query-help/go/go-disabled-certificate-check/)
* [Incomplete regular expression for hostnames](https://codeql.github.com/codeql-query-help/go/go-incomplete-hostname-regexp/)
* [Incorrect conversion between integer types](https://codeql.github.com/codeql-query-help/go/go-incorrect-integer-conversion/)
* [Log entries created from user input](https://codeql.github.com/codeql-query-help/go/go-log-injection/)
* [Open URL redirect](https://codeql.github.com/codeql-query-help/go/go-unvalidated-url-redirection/)
* [Reflected cross-site scripting](https://codeql.github.com/codeql-query-help/go/go-reflected-xss/)
* SQL Injection
* Stored cross-site scripting
* [Use of insufficient randomness as the key of a cryptographic algorithm](https://codeql.github.com/codeql-query-help/go/go-insecure-randomness/)

**Java**

* [Arbitrary file access during archive extraction ("Zip Slip")](https://codeql.github.com/codeql-query-help/java/java-zipslip/)
* [Building a command line with string concatenation](https://codeql.github.com/codeql-query-help/java/java-concatenated-command-line/)
* [Cross-Site Request Forgery](https://codeql.github.com/codeql-query-help/java/java-spring-disabled-csrf-protection/)
* [Cross-site scripting](https://codeql.github.com/codeql-query-help/java/java-xss/)
* [Executing a command with a relative path](https://codeql.github.com/codeql-query-help/java/java-relative-path-command/)
* [Failure to use secure cookies](https://codeql.github.com/codeql-query-help/java/java-insecure-cookie/)
* [HTTP response splitting](https://codeql.github.com/codeql-query-help/java/java-http-response-splitting/)
* [Improper validation of user-provided array index](https://codeql.github.com/codeql-query-help/java/java-improper-validation-of-array-index/)
* [Information exposure through an error message](https://codeql.github.com/codeql-query-help/java/java-error-message-exposure/)
* [Insecure randomness](https://codeql.github.com/codeql-query-help/java/java-insecure-randomness/)
* [Insertion of sensitive information into log files](https://codeql.github.com/codeql-query-help/java/java-sensitive-log/)
* [Log Injection](https://codeql.github.com/codeql-query-help/java/java-log-injection/)
* [Partial path traversal vulnerability](https://codeql.github.com/codeql-query-help/java/java-partial-path-traversal/)
* [Query built by concatenation with a possibly-untrusted string](https://codeql.github.com/codeql-query-help/java/java-concatenated-sql-query/)
* [Query built from user-controlled sources](https://codeql.github.com/codeql-query-help/java/java-sql-injection/)
* [Regular expression injection](https://codeql.github.com/codeql-query-help/java/java-regex-injection/)
* [Resolving XML external entity in user-controlled data](https://codeql.github.com/codeql-query-help/java/java-xxe/)
* [Server-side request forgery](https://codeql.github.com/codeql-query-help/java/java-ssrf/)
* [Uncontrolled command line](https://codeql.github.com/codeql-query-help/java/java-command-line-injection/)
* [Uncontrolled data used in path expression](https://codeql.github.com/codeql-query-help/java/java-path-injection/)
* [User-controlled data in numeric cast](https://codeql.github.com/codeql-query-help/java/java-tainted-numeric-cast/)

**JavaScript / TypeScript**

* [Bad HTML filtering regexp](https://codeql.github.com/codeql-query-help/javascript/js-bad-tag-filter/)
* [Clear text transmission of sensitive cookie](https://codeql.github.com/codeql-query-help/javascript/js-clear-text-cookie/)
* [Clear-text logging of sensitive information](https://codeql.github.com/codeql-query-help/javascript/js-clear-text-logging/)
* [Client-side cross-site scripting](https://codeql.github.com/codeql-query-help/javascript/js-xss/)
* [Client-side URL redirect](https://codeql.github.com/codeql-query-help/javascript/js-client-side-unvalidated-url-redirection/)
* [Cross-window communication with unrestricted target origin](https://codeql.github.com/codeql-query-help/javascript/js-cross-window-information-leak/)
* [Database query built from user-controlled sources](https://codeql.github.com/codeql-query-help/javascript/js-sql-injection/)
* [DOM text reinterpreted as HTML](https://codeql.github.com/codeql-query-help/javascript/js-xss-through-dom/)
* [Hard-coded credentials](https://codeql.github.com/codeql-query-help/javascript/js-hardcoded-credentials/)
* [Inclusion of functionality from an untrusted source](https://codeql.github.com/codeql-query-help/javascript/js-functionality-from-untrusted-source/)
* [Incomplete regular expression for hostnames](https://codeql.github.com/codeql-query-help/javascript/js-incomplete-hostname-regexp/)
* [Incomplete string escaping or encoding](https://codeql.github.com/codeql-query-help/javascript/js-incomplete-sanitization/)
* [Incomplete URL scheme check](https://codeql.github.com/codeql-query-help/javascript/js-incomplete-url-scheme-check/)
* [Incomplete URL substring sanitization](https://codeql.github.com/codeql-query-help/javascript/js-incomplete-url-substring-sanitization/)
* [Indirect uncontrolled command line](https://codeql.github.com/codeql-query-help/javascript/js-indirect-command-line-injection/)
* [Inefficient regular expression](https://codeql.github.com/codeql-query-help/javascript/js-redos/)
* [Information exposure through a stack trace](https://codeql.github.com/codeql-query-help/javascript/js-stack-trace-exposure/)
* [Insecure randomness](https://codeql.github.com/codeql-query-help/javascript/js-insecure-randomness/)
* [Log injection](https://codeql.github.com/codeql-query-help/javascript/js-log-injection/)
* [Loop bound injection](https://codeql.github.com/codeql-query-help/javascript/js-loop-bound-injection/)
* [Missing rate limiting](https://codeql.github.com/codeql-query-help/javascript/js-missing-rate-limiting/)
* [Missing X-Frame-Options HTTP header](https://codeql.github.com/codeql-query-help/javascript-cwe/)
* [Overly permissive regular expression range](https://codeql.github.com/codeql-query-help/javascript/js-overly-large-range/)
* [Prototype-polluting assignment](https://codeql.github.com/codeql-query-help/javascript/js-prototype-polluting-assignment/)
* [Prototype-polluting function](https://codeql.github.com/codeql-query-help/javascript/js-prototype-pollution-utility/)
* [Reflected cross-site scripting](https://codeql.github.com/codeql-query-help/javascript/js-reflected-xss/)
* [Reflected cross-site scripting](https://codeql.github.com/codeql-query-help/javascript/js-xss-through-exception/)
* [Regular expression injection](https://codeql.github.com/codeql-query-help/javascript/js-regex-injection/)
* [Sensitive server cookie exposed to the client](https://codeql.github.com/codeql-query-help/javascript/js-client-exposed-cookie/)
* [Server-side request forgery](https://codeql.github.com/codeql-query-help/javascript/js-request-forgery/)
* [Server-side URL redirect](https://codeql.github.com/codeql-query-help/javascript/js-server-side-unvalidated-url-redirection/)
* [Shell command built from environment values](https://codeql.github.com/codeql-query-help/javascript/js-shell-command-injection-from-environment/)
* [Type confusion through parameter tampering](https://codeql.github.com/codeql-query-help/javascript/js-type-confusion-through-parameter-tampering/)
* [Uncontrolled command line](https://codeql.github.com/codeql-query-help/javascript/js-command-line-injection/)
* [Uncontrolled data used in path expression](https://codeql.github.com/codeql-query-help/javascript/js-path-injection/)
* [Unsafe HTML constructed from library input](https://codeql.github.com/codeql-query-help/javascript/js-html-constructed-from-input/)
* [Unsafe jQuery plugin](https://codeql.github.com/codeql-query-help/javascript/js-unsafe-jquery-plugin/)
* [Unsafe shell command constructed from library input](https://codeql.github.com/codeql-query-help/javascript/js-shell-command-constructed-from-input/)
* [Untrusted data passed to external API](https://codeql.github.com/codeql-query-help/javascript-cwe/)
* [Useless regular-expression character escape](https://codeql.github.com/codeql-query-help/javascript/js-useless-regexp-character-escape/)

**Python**

* [Arbitrary file write during tarfile extraction](https://codeql.github.com/codeql-query-help/python/py-tarslip/)
* [Code injection](https://codeql.github.com/codeql-query-help/python/py-code-injection/)
* [Flask app is run in debug mode](https://codeql.github.com/codeql-query-help/python/py-flask-debug/)
* [Full server-side request forgery](https://codeql.github.com/codeql-query-help/python/py-full-ssrf/)
* [Incomplete URL substring sanitization](https://codeql.github.com/codeql-query-help/python/py-incomplete-url-substring-sanitization/)
* [Information exposure through an exception](https://codeql.github.com/codeql-query-help/python/py-stack-trace-exposure/)
* [Jinja2 templating with autoescape=False](https://codeql.github.com/codeql-query-help/python/py-jinja2-autoescape-false/)
* [Log Injection](https://codeql.github.com/codeql-query-help/python/py-log-injection/)
* [Overly permissive regular expression range](https://codeql.github.com/codeql-query-help/python/py-overly-large-range/)
* [Regular expression injection](https://codeql.github.com/codeql-query-help/python/py-regex-injection/)
* [SQL query built from user-controlled sources](https://codeql.github.com/codeql-query-help/python/py-sql-injection/)
* [Uncontrolled command line](https://codeql.github.com/codeql-query-help/python/py-command-line-injection/)
* [Uncontrolled data used in path expression](https://codeql.github.com/codeql-query-help/python/py-path-injection/)
* [Unsafe shell command constructed from library input](https://codeql.github.com/codeql-query-help/python/py-shell-command-constructed-from-input/)
* [XSS](https://codeql.github.com/codeql-query-help/python/py-reflective-xss/)

**YAML**

* [Code Injection](https://codeql.github.com/codeql-query-help/actions/actions-code-injection-medium/)
* [Code Injection](https://codeql.github.com/codeql-query-help/actions/actions-code-injection-critical/)
* [Excessive Secrets Exposure](https://codeql.github.com/codeql-query-help/actions/actions-excessive-secrets-exposure/)
* [Unpinned tag for a non-immutable Action in workflow](https://codeql.github.com/codeql-query-help/actions/actions-unpinned-tag/)
* [Workflow does not contain permissions](https://codeql.github.com/codeql-query-help/actions/actions-missing-workflow-permissions/)

</details>

<details>

<summary>List of Supported Issue Types for Semgrep/Opengrep</summary>

**C#**

* [csharp/lang.best-practice.structured-logging.structured-logging](https://semgrep.dev/r?q=csharp.lang.best-practice.structured-logging.structured-logging)
* [lang.security.sqli.csharp-sqli.csharp-sqli](https://semgrep.dev/r?q=lang.security.sqli.csharp-sqli.csharp-sqli)
* [OS command injection](https://semgrep.dev/r/security_code_scan.SCS0001-1)
* [security\_code\_scan.SCS0002-1](https://semgrep.dev/p/security-code-scan)
* [Use of cryptographically weak Pseudo-Random Number Generator (PRNG)](https://semgrep.dev/r?q=gitlab.security_code_scan.SCS0005-1)

**DOCKERFILE**

* [security.missing-user-entrypoint.missing-user-entrypoint](https://semgrep.dev/r?q=security.missing-user-entrypoint.missing-user-entrypoint)
* [security.missing-user.missing-user](https://semgrep.dev/r?q=security.missing-user.missing-user)

**GO**

* [Cookie Missing HTTP only](https://semgrep.dev/r/go.lang.security.audit.net.cookie-missing-httponly.cookie-missing-httponly)
* [dgryski.semgrep-go.errnilcheck.err-nil-check](https://semgrep.dev/r?q=dgryski.semgrep-go.errnilcheck.err-nil-check)
* [go.lang.security.audit.dangerous-exec-command.dangerous-exec-command](https://semgrep.dev/r?q=lang.security.audit.dangerous-exec-command.dangerous-exec-command)
* [go.lang.security.injection.open-redirect.open-redirect](https://semgrep.dev/r?q=go.lang.security.injection.open-redirect.open-redirect)
* [gorilla.security.audit.websocket-missing-origin-check.websocket-missing-origin-check](https://semgrep.dev/r?q=go.gorilla.security.audit.websocket-missing-origin-check.websocket-missing-origin-check)
* [insecure-transport.go-stdlib.bypass-tls-verification.bypass-tls-verification](https://semgrep.dev/r?q=problem-based-packs.insecure-transport.go-stdlib.bypass-tls-verification.bypass-tls-verification)
* [lang.security.audit.crypto.missing-ssl-minversion.missing-ssl-minversion](https://semgrep.dev/r?q=go.lang.security.audit.crypto.missing-ssl-minversion.missing-ssl-minversion)
* [lang.security.audit.dangerous-exec-command.dangerous-exec-command](https://semgrep.dev/r?q=lang.security.audit.dangerous-exec-command.dangerous-exec-command)
* [lang.security.audit.database.string-formatted-query](https://semgrep.dev/r?q=lang.security.audit.database.string-formatted-query)
* [lang.security.audit.sqli.pgx-sqli.pgx-sqli](https://semgrep.dev/r?q=go.lang.security.audit.sqli.pgx-sqli.pgx-sqli)
* [lang.security.audit.xss.no-direct-write-to-responsewriter.no-direct-write-to-responsewriter](https://semgrep.dev/r?q=+go+lang.security.audit.xss.no-direct-write-to-responsewriter.no-direct-write-to-responsewriter)
* [lang.security.injection.tainted-sql-string](https://semgrep.dev/r?q=lang.security.injection.tainted-sql-string)
* [OS command injection](https://semgrep.dev/r?q=gitlab.gosec.G204-1)

**Java**

* File Path Traversal in HttpServlet
* [find\_sec\_bugs.FILE\_UPLOAD\_FILENAME-1](https://semgrep.dev/r?q=find_sec_bugs.FILE_UPLOAD_FILENAME-1)
* [find\_sec\_bugs.HTTPONLY\_COOKIE-1](https://semgrep.dev/r?q=find_sec_bugs.HTTPONLY_COOKIE-1)
* [find\_sec\_bugs.INSECURE\_COOKIE-1](https://semgrep.dev/r?q=find_sec_bugs.INSECURE_COOKIE-1)
* [find\_sec\_bugs.PATH\_TRAVERSAL\_OUT-1.PATH\_TRAVERSAL\_OUT-1](https://semgrep.dev/r?q=find_sec_bugs.PATH_TRAVERSAL_OUT-1.PATH_TRAVERSAL_OUT-1)
* [find\_sec\_bugs.PREDICTABLE\_RANDOM-1](https://semgrep.dev/r?q=find_sec_bugs.PREDICTABLE_RANDOM-1)
* [find\_sec\_bugs.PT\_ABSOLUTE\_PATH\_TRAVERSAL-1](https://semgrep.dev/r?q=find_sec_bugs.PT_ABSOLUTE_PATH_TRAVERSAL-1)
* [find\_sec\_bugs.PT\_RELATIVE\_PATH\_TRAVERSAL-1](https://semgrep.dev/r?q=find_sec_bugs.PT_RELATIVE_PATH_TRAVERSAL-1)
* [find\_sec\_bugs.UNVALIDATED\_REDIRECT-1.URL\_REWRITING-1](https://semgrep.dev/r?q=find_sec_bugs.UNVALIDATED_REDIRECT-1.URL_REWRITING-1)
* [find\_sec\_bugs.WEAK\_FILENAMEUTILS-1](https://semgrep.dev/r?q=find_sec_bugs.WEAK_FILENAMEUTILS-1)
* [gitlab.find\_sec\_bugs.CUSTOM\_INJECTION-1](https://semgrep.dev/r?q=gitlab.find_sec_bugs.CUSTOM_INJECTION-1)
* [gitlab.find\_sec\_bugs.CUSTOM\_INJECTION-2](https://semgrep.dev/r?q=gitlab.find_sec_bugs.CUSTOM_INJECTION-2)
* [gitlab.find\_sec\_bugs.SQL\_INJECTION\_SPRING\_JDBC-1.SQL\_INJECTION\_JPA-1.SQL\_INJECTION\_JDO-1.SQL\_INJECTION\_JDBC-1.SQL\_NONCONSTANT\_STRING\_PASSED\_TO\_EXECUTE-1](https://semgrep.dev/r?q=gitlab.find_sec_bugs.SQL_INJECTION_SPRING_JDBC-1.SQL_INJECTION_JPA-1.SQL_INJECTION_JDO-1.SQL_INJECTION_JDBC-1.SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE-1)
* [gitlab.find\_sec\_bugs.SQL\_INJECTION\_SPRING\_JDBC-1.SQL\_INJECTION\_JPA-1.SQL\_INJECTION\_JDO-1.SQL\_INJECTION\_JDBC-1.SQL\_NONCONSTANT\_STRING\_PASSED\_TO\_EXECUTE-1.SQL\_INJECTION-1.SQL\_INJECTION\_HIBERNATE-1.SQL\_INJECTION\_VERTX-1.SQL\_PREPARED\_STATEMENT\_GENERATED\_FROM\_NONCONSTANT\_STRING-1](https://semgrep.dev/r?q=gitlab.find_sec_bugs.SQL_INJECTION_SPRING_JDBC-1.SQL_INJECTION_JPA-1.SQL_INJECTION_JDO-1.SQL_INJECTION_JDBC-1.SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE-1.SQL_INJECTION-1.SQL_INJECTION_HIBERNATE-1.SQL_INJECTION_VERTX-1.SQL_PREPARED_STATEMENT_GENERATED_FROM_NONCONSTANT_STRING-1)
* [java.lang.security.audit.cookie-missing-httponly.cookie-missing-httponly](https://semgrep.dev/r?q=java.lang.security.audit.cookie-missing-httponly.cookie-missing-httponly)
* [java.lang.security.audit.cookie-missing-secure-flag.cookie-missing-secure-flag](https://semgrep.dev/r?q=java.lang.security.audit.cookie-missing-secure-flag.cookie-missing-secure-flag)
* [java.lang.security.audit.crypto.weak-random.weak-random](https://semgrep.dev/r?q=java.lang.security.audit.crypto.weak-random.weak-random)
* [java.lang.security.audit.formatted-sql-string.formatted-sql-string](https://semgrep.dev/r?q=java.lang.security.audit.formatted-sql-string.formatted-sql-string)
* [java.lang.security.audit.sqli.jdbc-sqli.jdbc-sqli](https://semgrep.dev/r?q=java.lang.security.audit.sqli.jdbc-sqli.jdbc-sqli)
* [java.lang.security.audit.sqli.tainted-sql-from-http-request.tainted-sql-from-http-request](https://semgrep.dev/r?q=java.lang.security.audit.sqli.tainted-sql-from-http-request.tainted-sql-from-http-request)
* java.mobb.custom\_injection
* [java.servlets.security.cookie-issecure-false.cookie-issecure-false](https://semgrep.dev/r?q=java.servlets.security.cookie-issecure-false.cookie-issecure-false)
* java/mobb.pt\_find\_transitives
* [lang.security.audit.command-injection-process-builder](https://semgrep.dev/r?q=lang.security.audit.command-injection-process-builder)
* [lang.security.audit.command-injection-process-builder.command-injection-process-builder](https://semgrep.dev/r?q=lang.security.audit.command-injection-process-builder.command-injection-process-builder)
* [lang.security.audit.unvalidated-redirect.unvalidated-redirect](https://semgrep.dev/r?q=java.lang.security.audit.unvalidated-redirect.unvalidated-redirect)
* Path Traversal
* Relative File Path Traversal in HttpServlet
* [Server-Side-Request-Forgery (SSRF)](https://semgrep.dev/r?q=gitlab.find_sec_bugs.URLCONNECTION_SSRF_FD-1)
* [spring.security.audit.spring-unvalidated-redirect.spring-unvalidated-redirect](https://semgrep.dev/r?q=java.spring.security.audit.spring-unvalidated-redirect.spring-unvalidated-redirect)
* SQL Injection
* Tainted File Path

**JavaScript / TypeScript**

* [ajinabraham.njsscan.crypto.crypto\_node.node\_insecure\_random\_generator](https://semgrep.dev/r?q=ajinabraham.njsscan.crypto.crypto_node.node_insecure_random_generator)
* [browser.security.eval-detected.eval-detected](https://semgrep.dev/r?q=browser.security.eval-detected.eval-detected)
* [browser.security.insecure-document-method.insecure-document-method](https://semgrep.dev/r?q=browser.security.insecure-document-method.insecure-document-method)
* [detect-non-literal-regexp](https://semgrep.dev/r?q=detect-non-literal-regexp)
* [Detected possible path traversal](https://semgrep.dev/r?q=eslint.detect-non-literal-fs-filename)
* [Detected possible path traversal](https://semgrep.dev/r?q=lang.security.audit.detect-non-literal-fs-filename.detect-non-literal-fs-filename)
* [Detected possible user input going into a `path.join` or `path.resolve` function. This could possibly lead to a path traversal vulnerability, where the attacker can access arbitrary files stored in the file system. Instead, be sure to sanitize or validate user input first.](https://semgrep.dev/r?q=lang.security.audit.path-traversal.path-join-resolve-traversal.path-join-resolve-traversal)
* [eslint.detect-child-process](https://semgrep.dev/r?q=gitlab.eslint.detect-child-process)
* [eslint.detect-eval-with-expression](https://semgrep.dev/r?q=eslint.detect-eval-with-expression)
* [eslint.detect-non-literal-regexp](https://semgrep.dev/r?q=eslint.detect-non-literal-regexp)
* [eslint.detect-object-injection](https://semgrep.dev/r?q=eslint.detect-object-injection)
* [eslint.detect-pseudoRandomBytes](https://semgrep.dev/r?q=gitlab.eslint.detect-pseudoRandomBytes)
* [eslint.react-dangerouslysetinnerhtml](https://semgrep.dev/r?q=gitlab.eslint.react-dangerouslysetinnerhtml)
* [express.security.audit.express-open-redirect.express-open-redirect](https://semgrep.dev/r?q=express.security.audit.express-open-redirect.express-open-redirect)
* [express.security.audit.possible-user-input-redirect.unknown-value-in-redirect](https://semgrep.dev/r?q=express.security.audit.possible-user-input-redirect.unknown-value-in-redirect)
* [express.security.audit.xss.direct-response-write](https://semgrep.dev/r?q=express.security.audit.xss.direct-response-write)
* [express.security.audit.xss.direct-response-write.direct-response-write](https://semgrep.dev/r?q=express.security.audit.xss.direct-response-write.direct-response-write)
* [express.security.injection.tainted-sql-string](https://semgrep.dev/r?q=express.security.injection.tainted-sql-string)
* [express.security.injection.tainted-sql-string.tainted-sql-string](https://semgrep.dev/r?q=express.security.injection.tainted-sql-string.tainted-sql-string)
* [generic.secrets.gitleaks.generic-api-key](https://semgrep.dev/r/generic.secrets.gitleaks.generic-api-key)
* [generic.secrets.gitleaks.generic-api-key.generic-api-key](https://semgrep.dev/r/generic.secrets.gitleaks.generic-api-key.generic-api-key)
* [gitlab.eslint.detect-object-injection](https://semgrep.dev/r?q=gitlab.eslint.detect-object-injection)
* [gitlab.nodejs\_scan.javascript-crypto-rule-node\_insecure\_random\_generator](https://semgrep.dev/r?q=gitlab.nodejs_scan.javascript-crypto-rule-node_insecure_random_generator)
* [gitlab.nodejs\_scan.javascript-crypto-rule-node\_insecure\_random\_generator](https://semgrep.dev/r?q=javascript-crypto-rule-node_insecure_random_generator)
* [html.security.audit.missing-integrity.missing-integrity](https://semgrep.dev/r?q=html.security.audit.missing-integrity.missing-integrity)
* [javascript.lang.security.audit.incomplete-sanitization.incomplete-sanitization](https://semgrep.dev/r?q=javascript.lang.security.audit.incomplete-sanitization.incomplete-sanitization)
* [javascript-database-rule-node\_knex\_sqli\_injection](https://semgrep.dev/r?q=javascript-database-rule-node_knex_sqli_injection)
* [javascript-database-rule-node\_nosqli\_injection](https://semgrep.dev/r?q=javascript-database-rule-node_nosqli_injection)
* [javascript-database-rule-node\_nosqli\_js\_injection](https://semgrep.dev/r?q=javascript-database-rule-node_nosqli_js_injection)
* [javascript-database-rule-node\_sqli\_injection](https://semgrep.dev/r?q=javascript-database-rule-node_sqli_injection)
* [javascript-dos-rule-regex\_dos](https://semgrep.dev/r?q=javascript-dos-rule-regex_dos)
* [javascript-jwt-rule-jwt\_express\_hardcoded](https://semgrep.dev/r?q=nodejs_scan.javascript-jwt-rule-jwt_express_hardcoded)
* [javascript-redirect-rule-express\_open\_redirect](https://semgrep.dev/r?q=nodejs_scan.javascript-redirect-rule-express_open_redirect)
* [javascript-redirect-rule-express\_open\_redirect](https://semgrep.dev/r?q=gitlab.nodejs_scan.javascript-redirect-rule-express_open_redirect)
* [javascript-redirect-rule-express\_open\_redirect2](https://semgrep.dev/r?q=nodejs_scan.javascript-redirect-rule-express_open_redirect2)
* [javascript-xss-rule-express\_xss](https://semgrep.dev/r?q=javascript-xss-rule-express_xss)
* [javascript.browser.security.insecure-innerhtml.insecure-innerhtml](https://semgrep.dev/r?q=javascript.browser.security.insecure-innerhtml.insecure-innerhtml)
* [javascript.browser.security.raw-html-concat.raw-html-concat](https://semgrep.dev/r?q=javascript.browser.security.raw-html-concat.raw-html-concat)
* [javascript.browser.security.wildcard-postmessage-configuration.wildcard-postmessage-configuration](https://semgrep.dev/r?q=javascript.browser.security.wildcard-postmessage-configuration.wildcard-postmessage-configuration)
* [javascript.express.security.audit.xss.ejs.explicit-unescape.template-explicit-unescape](https://semgrep.dev/r?q=javascript.express.security.audit.xss.ejs.explicit-unescape.template-explicit-unescape)
* [javascript.express.security.injection.raw-html-format.raw-html-format](https://semgrep.dev/r?q=javascript.express.security.injection.raw-html-format.raw-html-format)
* [javascript.jquery.security.audit.jquery-insecure-selector.jquery-insecure-selector](https://semgrep.dev/r?q=javascript.jquery.security.audit.jquery-insecure-selector.jquery-insecure-selector)
* [javascript.lang.security.audit.detect-non-literal-fs-filename.detect-non-literal-fs-filename](https://semgrep.dev/r?q=javascript.lang.security.audit.detect-non-literal-fs-filename.detect-non-literal-fs-filename)
* [javascript.lang.security.audit.detect-non-literal-regexp.detect-non-literal-regexp](https://semgrep.dev/r?q=javascript.lang.security.audit.detect-non-literal-regexp.detect-non-literal-regexp)
* javascript.lang.security.audit.detect-redos-mobb.detect-redos-mobb
* javascript.lang.security.audit.prototype-pollution-loop-mobb.prototype-pollution-loop-mobb
* [javascript.lang.security.audit.prototype-pollution.prototype-pollution-loop.prototype-pollution-loop](https://semgrep.dev/r?q=javascript.lang.security.audit.prototype-pollution.prototype-pollution-loop.prototype-pollution-loop)
* [javascript.lang.security.audit.unsafe-formatstring.unsafe-formatstring](https://semgrep.dev/r?q=javascript.lang.security.audit.unsafe-formatstring.unsafe-formatstring)
* [javascript.lang.security.detect-child-process.detect-child-process](https://semgrep.dev/r?q=lang.security.detect-child-process.detect-child-process)
* javascript.mobb.log\_forging
* javascript.mobb.system-information-leak-external
* [jsonwebtoken.security.jwt-hardcode.hardcoded-jwt-secret](https://semgrep.dev/r/jsonwebtoken.security.jwt-hardcode.hardcoded-jwt-secret)
* [lang.security.audit.sqli.node-knex-sqli.node-knex-sqli](https://semgrep.dev/r?q=lang.security.audit.sqli.node-knex-sqli.node-knex-sqli)
* [lang.security.audit.sqli.node-postgres-sqli.node-postgres-sqli](https://semgrep.dev/r?q=lang.security.audit.sqli.node-postgres-sqli.node-postgres-sqli)
* [mobb.security.audit.express-check-cmdi](https://semgrep.dev/r?q=mobb.express-check-cmdi)
* [njsscan.dos.regex\_dos.regex\_dos](https://semgrep.dev/r?q=njsscan.dos.regex_dos.regex_dos)
* [njsscan.dos.regex\_injection.regex\_injection\_dos](https://semgrep.dev/r?q=njsscan.dos.regex_injection.regex_injection_dos)
* [njsscan.eval.eval\_node.eval\_nodejs](https://semgrep.dev/r?q=njsscan.eval.eval_node.eval_nodejs)
* [njsscan.generic.hardcoded\_secrets.node\_password](https://semgrep.dev/r/njsscan.generic.hardcoded_secrets.node_password)
* [njsscan.generic.hardcoded\_secrets.node\_secret](https://semgrep.dev/r/njsscan.generic.hardcoded_secrets.node_secret)
* [njsscan.traversal.path\_traversal.generic\_path\_traversal](https://semgrep.dev/r?q=njsscan.traversal.path_traversal.generic_path_traversal)
* [njsscan.xss.xss\_node.express\_xss](https://semgrep.dev/r?q=njsscan.xss.xss_node.express_xss)
* [nodejs\_scan.javascript-crypto-rule-node\_insecure\_random\_generator](https://semgrep.dev/r?q=nodejs_scan.javascript-crypto-rule-node_insecure_random_generator)
* [nodejs\_scan.javascript-database-rule-node\_knex\_sqli\_injection](https://semgrep.dev/r?q=nodejs_scan.javascript-database-rule-node_knex_sqli_injection)
* [nodejs\_scan.javascript-database-rule-node\_nosqli\_injection](https://semgrep.dev/r?q=nodejs_scan.javascript-database-rule-node_nosqli_injection)
* [nodejs\_scan.javascript-database-rule-node\_nosqli\_js\_injection](https://semgrep.dev/r?q=nodejs_scan.javascript-database-rule-node_nosqli_js_injection)
* [nodejs\_scan.javascript-database-rule-node\_sqli\_injection](https://semgrep.dev/r?q=nodejs_scan.javascript-database-rule-node_sqli_injection)
* [nodejs\_scan.javascript-dos-rule-regex\_dos](https://semgrep.dev/r?q=nodejs_scan.javascript-dos-rule-regex_dos)
* [nodejs\_scan.javascript-eval-rule-eval\_nodejs](https://semgrep.dev/r?q=nodejs_scan.javascript-eval-rule-eval_nodejs)
* [nodejs\_scan.javascript-exec-rule-shelljs\_os\_command\_exec](https://semgrep.dev/r?q=gitlab.nodejs_scan.javascript-exec-rule-shelljs_os_command_exec)
* [nodejs\_scan.javascript-exec-rule-shelljs\_os\_command\_exec](https://semgrep.dev/r?q=nodejs_scan.javascript-exec-rule-shelljs_os_command_exec)
* [nodejs\_scan.javascript-jwt-rule-hardcoded\_jwt\_secret](https://semgrep.dev/r?q=gitlab.nodejs_scan.javascript-jwt-rule-hardcoded_jwt_secret)
* [nodejs\_scan.javascript-jwt-rule-jwt\_express\_hardcoded](https://semgrep.dev/r?q=gitlab.nodejs_scan.javascript-jwt-rule-jwt_express_hardcoded)
* [nodejs\_scan.javascript-redirect-rule-express\_open\_redirect](https://semgrep.dev/r?q=gitlab.nodejs_scan.javascript-redirect-rule-express_open_redirect)
* [nodejs\_scan.javascript-redirect-rule-express\_open\_redirect2](https://semgrep.dev/r?q=gitlab.nodejs_scan.javascript-redirect-rule-express_open_redirect2)
* [nodejs\_scan.javascript-xss-rule-express\_xss](https://semgrep.dev/r?q=nodejs_scan.javascript-xss-rule-express_xss)
* [javascript.lang.correctness.missing-template-string-indicator.missing-template-string-indicator](https://semgrep.dev/r?q=javascript.lang.correctness.missing-template-string-indicator.missing-template-string-indicator)
* [Possible writing outside of the destination, make sure that the target path is nested in the intended destination](https://semgrep.dev/r?q=express.security.audit.express-path-join-resolve-traversal.express-path-join-resolve-traversal)
* [pt using rendering templates](https://semgrep.dev/r?q=gitlab.nodejs_scan.javascript-traversal-rule-express_lfr)
* [pt using rendering templates](https://semgrep.dev/r?q=javascript-traversal-rule-express_lfr)
* [pt using rendering templates](https://semgrep.dev/r?q=gitlab.nodejs_scan.javascript-traversal-rule-express_lfr_warning)
* [pt using rendering templates](https://semgrep.dev/r?q=javascript-traversal-rule-express_lfr_warning)
* [react.security.audit.react-unsanitized-method.react-unsanitized-method](https://semgrep.dev/r?q=react.security.audit.react-unsanitized-method.react-unsanitized-method)
* [secrets.gitleaks.generic-api-key](https://semgrep.dev/r/secrets.gitleaks.generic-api-key)
* [secrets.gitleaks.generic-api-key.generic-api-key](https://semgrep.dev/r/secrets.gitleaks.generic-api-key.generic-api-key)
* [SSRF](https://semgrep.dev/r?q=nodejs_scan.javascript-ssrf-rule-node_ssrf)
* [SSRF](https://semgrep.dev/r?q=javascript-ssrf-rule-node_ssrf)
* [SSRF](https://semgrep.dev/r?q=nodejs_scan.javascript-ssrf-rule-phantom_ssrf)
* [SSRF](https://semgrep.dev/r?q=javascript-ssrf-rule-phantom_ssrf)
* [SSRF](https://semgrep.dev/r?q=nodejs_scan.javascript-ssrf-rule-playwright_ssrf)
* [SSRF](https://semgrep.dev/r?q=javascript-ssrf-rule-playwright_ssrf)
* [SSRF](https://semgrep.dev/r?q=nodejs_scan.javascript-ssrf-rule-puppeteer_ssrf)
* [SSRF](https://semgrep.dev/r?q=javascript-ssrf-rule-puppeteer_ssrf)
* [SSRF](https://semgrep.dev/r?q=nodejs_scan.javascript-ssrf-rule-wkhtmltoimage_ssrf)
* [SSRF](https://semgrep.dev/r?q=javascript-ssrf-rule-wkhtmltoimage_ssrf)
* [SSRF](https://semgrep.dev/r?q=nodejs_scan.javascript-ssrf-rule-wkhtmltopdf_ssrf)
* [SSRF](https://semgrep.dev/r?q=javascript-ssrf-rule-wkhtmltopdf_ssrf)
* [SSRF](https://semgrep.dev/r?q=njsscan.ssrf.ssrf_node.node_ssrf)
* [typescript.lang.correctness.useless-ternary.useless-ternary](https://semgrep.dev/r?q=typescript.lang.correctness.useless-ternary.useless-ternary)
* [typescript.react.security.audit.react-dangerouslysetinnerhtml.react-dangerouslysetinnerhtml](https://semgrep.dev/r?q=typescript.react.security.audit.react-dangerouslysetinnerhtml.react-dangerouslysetinnerhtml)

**Python**

* [A missing encoding argument in open() can lead to corrupted data](https://semgrep.dev/r/lang.best-practice.unspecified-open-encoding.unspecified-open-encoding)
* [B113: request\_without\_timeout](https://semgrep.dev/r?q=gitlab.bandit.B113)
* [B602: subprocess\_popen\_with\_shell\_equals\_true](https://semgrep.dev/r?q=bandit.B602)
* [B603: subprocess\_without\_shell\_equals\_true](https://semgrep.dev/r?q=bandit.B603)
* [B604: subprocess\_popen\_with\_shell\_equals\_true](https://semgrep.dev/r?q=bandit.B604)
* [bandit.B201](https://semgrep.dev/r?q=bandit.B201)
* [bandit.B307](https://semgrep.dev/r?q=bandit.B307)
* [django.security.injection.code.user-eval-format-string.user-eval-format-string](https://semgrep.dev/r?q=django.security.injection.code.user-eval-format-string.user-eval-format-string)
* [django.security.injection.code.user-eval.user-eval](https://semgrep.dev/r?q=django.security.injection.code.user-eval.user-eval)
* [django.security.injection.code.user-exec-format-string.user-exec-format-string](https://semgrep.dev/r?q=django.security.injection.code.user-exec-format-string.user-exec-format-string)
* [django.security.injection.code.user-exec.user-exec](https://semgrep.dev/r?q=django.security.injection.code.user-exec.user-exec)
* [django.security.injection.path-traversal.path-traversal-open](https://semgrep.dev/r?q=django.security.injection.path-traversal.path-traversal-open)
* [django.security.injection.path-traversal.path-traversal-open.path-traversal-open](https://semgrep.dev/r?q=django.security.injection.path-traversal.path-traversal-open.path-traversal-open)
* [django.security.injection.tainted-sql-string.tainted-sql-string](https://semgrep.dev/r?q=django.security.injection.tainted-sql-string.tainted-sql-string)
* [flask.security.injection.path-traversal-open](https://semgrep.dev/r?q=flask.security.injection.path-traversal-open)
* [flask.security.injection.path-traversal-open.path-traversal-open](https://semgrep.dev/r?q=flask.security.injection.path-traversal-open.path-traversal-open)
* [flask.security.injection.subprocess-injection](https://semgrep.dev/r?q=flask.security.injection.subprocess-injection)
* [flask.security.injection.tainted-sql-string.tainted-sql-string](https://semgrep.dev/r?q=flask.security.injection.tainted-sql-string.tainted-sql-string)
* [flask.security.injection.user-eval.eval-injection](https://semgrep.dev/r?q=flask.security.injection.user-eval.eval-injection)
* [flask.security.injection.user-exec.exec-injection](https://semgrep.dev/r?q=flask.security.injection.user-exec.exec-injection)
* [gitlab.bandit.B113](https://semgrep.dev/r?q=bandit.B113)
* [lang.maintainability.is-function-without-parentheses.is-function-without-parentheses](https://semgrep.dev/r?q=lang.maintainability.is-function-without-parentheses.is-function-without-parentheses)
* [lang.security.audit.dangerous-asyncio-create-exec-audit](https://semgrep.dev/r?q=lang.security.audit.dangerous-asyncio-create-exec-audit)
* [lang.security.audit.dangerous-subprocess-use-audit.dangerous-subprocess-use-audit](https://semgrep.dev/r?q=lang.security.audit.dangerous-subprocess-use-audit.dangerous-subprocess-use-audit)
* [lang.security.audit.eval-detected.eval-detected](https://semgrep.dev/r?q=lang.security.audit.eval-detected.eval-detected)
* [lang.security.audit.exec-detected.exec-detected](https://semgrep.dev/r?q=lang.security.audit.exec-detected.exec-detected)
* [lang.security.audit.logging.logger-credential-leak.python-logger-credential-disclosure](https://semgrep.dev/r?q=python.lang.security.audit.logging.logger-credential-leak.python-logger-credential-disclosure)
* [lang.security.dangerous-subprocess-use](https://semgrep.dev/r?q=lang.security.dangerous-subprocess-use)
* [bandit.B101](https://semgrep.dev/r/bandit.B101)
* [lang.correctness.return-in-init.return-in-init](https://semgrep.dev/r/?q=python.lang.correctness.return-in-init.return-in-init)
* [Possible cmdi attack](https://semgrep.dev/r?q=bandit.B603)
* [possible os cmdi](https://semgrep.dev/r?q=bandit.B605)
* [possible os cmdi](https://semgrep.dev/r?q=bandit.B606)
* [possible os cmdi](https://semgrep.dev/r?q=bandit.B607)
* [possible os cmdi](https://semgrep.dev/r?q=python_exec_rule-start-process-partial-path)
* [possible os cmdi](https://semgrep.dev/r?q=python_exec_rule-start-process-path)
* [possible os cmdi](https://semgrep.dev/r?q=python_exec_rule-subprocess-call-array)
* [python.django.correctness.nontext-field-must-set-null-true.nontext-field-must-set-null-true](https://semgrep.dev/r?q=python.django.correctness.nontext-field-must-set-null-true.nontext-field-must-set-null-true)
* [python.django.security.audit.avoid-mark-safe.avoid-mark-safe](https://semgrep.dev/r?q=python.django.security.audit.avoid-mark-safe.avoid-mark-safe)
* [python.django.security.django-no-csrf-token.django-no-csrf-token](https://semgrep.dev/r?q=python.django.security.django-no-csrf-token.django-no-csrf-token)
* [python.django.security.injection.open-redirect.open-redirect](https://semgrep.dev/r?q=python.django.security.injection.open-redirect.open-redirect)
* [python.flask.security.audit.debug-enabled.debug-enabled](https://semgrep.dev/r?q=python.flask.security.audit.debug-enabled.debug-enabled)
* [python.flask.security.xss.audit.direct-use-of-jinja2.direct-use-of-jinja2](https://semgrep.dev/r?q=python.flask.security.xss.audit.direct-use-of-jinja2.direct-use-of-jinja2)
* [python.flask.security.xss.audit.explicit-unescape-with-markup.explicit-unescape-with-markup](https://semgrep.dev/r?q=python.flask.security.xss.audit.explicit-unescape-with-markup.explicit-unescape-with-markup)
* [python.jinja2.security.audit.missing-autoescape-disabled.missing-autoescape-disabled](https://semgrep.dev/r?q=python.jinja2.security.audit.missing-autoescape-disabled.missing-autoescape-disabled)
* [python.lang.correctness.exit.use-sys-exit](https://semgrep.dev/r?q=python.lang.correctness.exit.use-sys-exit)
* [python.lang.maintainability.useless-ifelse.useless-if-body](https://semgrep.dev/r?q=python.lang.maintainability.useless-ifelse.useless-if-body)
* [python.lang.security.audit.dangerous-subprocess-use-audit.dangerous-subprocess-use-audit](https://semgrep.dev/r?q=python.lang.security.audit.dangerous-subprocess-use-audit.dangerous-subprocess-use-audit)
* [python.lang.security.audit.exec-detected.exec-detected](https://semgrep.dev/r?q=python.lang.security.audit.exec-detected.exec-detected)
* [python.lang.security.audit.formatted-sql-query.formatted-sql-query](https://semgrep.dev/r?q=python.lang.security.audit.formatted-sql-query.formatted-sql-query)
* [python.lang.security.audit.sqli.psycopg-sqli.psycopg-sqli](https://semgrep.dev/r?q=python.lang.security.audit.sqli.psycopg-sqli.psycopg-sqli)
* [python.lang.security.audit.subprocess-shell-true.subprocess-shell-true](https://semgrep.dev/r?q=lang.security.audit.subprocess-shell-true.subprocess-shell-true)
* [python.lang.security.insecure-uuid-version.insecure-uuid-version](https://semgrep.dev/r?q=python.lang.security.insecure-uuid-version.insecure-uuid-version)
* [python.requests.best-practice.use-raise-for-status.use-raise-for-status](https://semgrep.dev/r?q=python.requests.best-practice.use-raise-for-status.use-raise-for-status)
* [python.requests.best-practice.use-timeout.use-timeout](https://semgrep.dev/r?q=python.requests.best-practice.use-timeout.use-timeout)
* [python.sqlalchemy.security.audit.avoid-sqlalchemy-text.avoid-sqlalchemy-text](https://semgrep.dev/r?q=python.sqlalchemy.security.audit.avoid-sqlalchemy-text.avoid-sqlalchemy-text)
* [python.sqlalchemy.security.sqlalchemy-execute-raw-query.sqlalchemy-execute-raw-query](https://semgrep.dev/r?q=python.sqlalchemy.security.sqlalchemy-execute-raw-query.sqlalchemy-execute-raw-query)
* [python.tarfile-extractall-traversal.tarfile-extractall-traversal](https://semgrep.dev/r?q=python.tarfile-extractall-traversal.tarfile-extractall-traversal)
* [python\_exec\_rule-subprocess-call-array](https://semgrep.dev/r?q=python_exec_rule-subprocess-call-array)
* [sqli](https://semgrep.dev/r?q=bandit.B608)
* [sqli](https://semgrep.dev/r?q=bandit.B610)
* [sqli](https://semgrep.dev/r?q=bandit.B611)
* [sqli](https://semgrep.dev/r?q=bandit.B611-2)
* [sqli](https://semgrep.dev/r?q=bandit.B612)
* [sqli](https://semgrep.dev/r?q=django.security.injection.sql.sql-injection-using-db-cursor-execute.sql-injection-db-cursor-execute)
* [The application may be vulnerable to a path traversal if it extracts untrusted archive files.](https://semgrep.dev/r?q=bandit.B202)
* [The application was found calling the `exec` function with a non-literal variable](https://semgrep.dev/r?q=bandit.B102)
* [XSS](https://semgrep.dev/r?q=bandit.B703)

**YAML**

* [An action sourced from a third-party repository on GitHub is not pinned to a full length commit SHA. Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release.](https://semgrep.dev/r/github-actions.security.third-party-action-not-pinned-to-commit-sha.third-party-action-not-pinned-to-commit-sha)
* [github-actions.security.third-party-action-not-pinned-to-commit-sha](https://semgrep.dev/r/github-actions.security.third-party-action-not-pinned-to-commit-sha)
* [Service '$SERVICE' allows for privilege escalation via setuid or setgid binaries. Add 'no-new-privileges:true' in 'security\_opt' to prevent this.](https://semgrep.dev/r/yaml.docker-compose.security.no-new-privileges.no-new-privileges)
* [Service has a writable filesystem](https://semgrep.dev/r/yaml.docker-compose.security.writable-filesystem-service.writable-filesystem-service)
* [Service port is exposed on all interfaces](https://semgrep.dev/r/trailofbits.yaml.docker-compose.port-all-interfaces.port-all-interfaces)
* [yaml.github-actions.security.run-shell-injection.run-shell-injection](https://semgrep.dev/r?q=yaml.github-actions.security.run-shell-injection.run-shell-injection)

</details>

<details>

<summary>List of Supported Issue Types for Datadog</summary>

**Go**

* SQL Injection

**Java**

* [Avoid user-input file](https://docs.datadoghq.com/security/code_security/static_analysis/static_analysis_rules/java-security/spring-request-file-tainted/)
* [Avoid using printStackTrace()](https://docs.datadoghq.com/security/code_security/static_analysis/static_analysis_rules/java-best-practices/avoid-printstacktrace/)
* [Prefer SecureRandom over Random](https://docs.datadoghq.com/security/code_security/static_analysis/static_analysis_rules/java-security/avoid-random/)
* [Prevent path traversal](https://docs.datadoghq.com/security/code_security/static_analysis/static_analysis_rules/java-security/path-traversal/)

**JavaScript / TypeScript**

* [Avoid setting insecure cookie settings](https://docs.datadoghq.com/security/code_security/static_analysis/static_analysis_rules/javascript-express/insecure-cookie/)
* Command Injection
* Path traversal
* SQL Injection

**Python**

* [Avoid SQL injections](https://docs.datadoghq.com/security/code_security/static_analysis/static_analysis_rules/python-security/variable-sql-statement-injection/)
* [Do not use an empty list as a default parameter](https://docs.datadoghq.com/security/code_security/static_analysis/static_analysis_rules/python-security/no-empty-list-as-parameter/)
* [no-exec](https://docs.datadoghq.com/security/default_rules/#command-injection)
* Path Traversal

</details>

<details>

<summary>List of Supported Issue Types for Polaris</summary>

**Java**

* [Cross-Site Request Forgery](https://documentation.blackduck.com/bundle/coverity-docs-2025.12/page/sigma-checkers/topics/checkers/csrf_protection_disabled.html)
* [Missing HttpOnly Attribute](https://documentation.blackduck.com/bundle/coverity-docs-2025.12/page/sigma-checkers/topics/checkers/missing_httponly_attribute.html)
* [Missing Secure Attribute](https://documentation.blackduck.com/bundle/coverity-docs-2025.12/page/sigma-checkers/topics/checkers/missing_secure_attribute.html)
* Null Pointer Dereference Exception
* [Open Redirect](https://documentation.blackduck.com/bundle/coverity-docs-2025.12/page/sigma-checkers/topics/checkers/open_redirect.html)
* Path Manipulation
* Resource Leak
* SQL Injection

**JavaScript / TypeScript**

* SQL Injection

</details>
