Supported Fixes

C#

• Anti-forgery token validation disabled

• Arbitrary File Write via Archive Extraction (Zip Slip)

• Log Forging

• Path Traversal

• Sensitive Cookie in HTTPS Session Without 'Secure' Attribute

• Sensitive Cookie Without 'HttpOnly' Flag

• Server-Side Request Forgery (SSRF)

• SQL Injection

• Use of Insufficiently Random Values

• XML External Entity (XXE) Injection

GO

• Clear Text Logging

• Improper Certificate Validation

• Insecurely Generated Password

Java

• Arbitrary File Write via Archive Extraction (Zip Slip)

• Command Injection

• Cross-site Scripting (XSS)

• Improper Neutralization of CRLF Sequences in HTTP Headers

• Open Redirect

• Path Traversal

• Regular expression injection

• Sensitive Cookie in HTTPS Session Without 'Secure' Attribute

• Sensitive Cookie Without 'HttpOnly' Flag

• Server-Side Request Forgery (SSRF)

• SQL Injection

• Trust Boundary Violation

• XML External Entity (XXE) Injection

JavaScript / TypeScript

• Allocation of Resources Without Limits or Throttling

• Command Injection

• Cross-site Scripting (XSS)

• Denial of Service (DoS) through Nested GraphQL Queries

• Indirect Command Injection via User Controlled Environment

• NoSQL Injection

• Open Redirect

• Path Traversal

• Privacy Leak

• Prototype Pollution

• Regular Expression Denial of Service (ReDoS)

• Sensitive Cookie in HTTPS Session Without 'Secure' Attribute

• Server-Side Request Forgery (SSRF)

• SQL Injection

PHP

• Hardcoded Credential

• Hardcoded Credential Test

• Hardcoded Non Crypto Secret

• Hardcoded Password

• Hardcoded Password Test

Python

• Arbitrary File Write via Archive Extraction (Tar Slip)

• Command Injection

• Cross Site Scripting (XSS)

• Debug Mode Enabled

• Incomplete URL sanitization

• Jinja auto-escape is set to false

• Path Traversal

• Regular Expression Denial of Service (ReDoS)

• SQL Injection

C#

• ASP.NET MVC Bad Practices: Controller Action Without AntiForgery Validation

• Cookie Security: HTTPOnly not Set on Application Cookie

• Cookie Security: Session Cookie not Sent Over SSL

• Header Manipulation

• Insecure Randomness

• Insecure Randomness: Hardcoded Seed

• Log Forging

• Mass Assignment: Insecure Binder Configuration

• Null Dereference

• Object Model Violation: Just One of Equals() and GetHashCode() Defined

• Password Management: Password in Comment

• Path Manipulation

• Path Manipulation: Base Path Overwriting

• Path Manipulation: Zip Entry Overwrite

• Poor Error Handling: Overly Broad Catch

• Poor Logging Practice: Use of a System Output Stream

• SQL Injection

• System Information Leak

• System Information Leak: Internal

• Trust Boundary Violation

• XML Entity Expansion Injection

• XML External Entity Injection

GO

• Log Forging

Java

• Code Correctness: Class Does Not Implement Equivalence Method

• Code Correctness: Comparison of Boxed Primitive Types

• Code Correctness: Erroneous String Compare

• Command Injection

• Cookie Security: Cookie not Sent Over SSL

• Cookie Security: HTTPOnly not Set

• Cross-Site Scripting: Reflected

• Denial of Service: Regular Expression

• Denial of Service: StringBuilder

• Insecure Randomness

• J2EE Bad Practices: Leftover Debug Code

• J2EE Bad Practices: Threads

• Log Forging

• Log Forging (debug)

• Missing Check against Null

• Null Dereference

• Open Redirect

• Password Management: Password in Comment

• Path Manipulation

• Path Manipulation: Zip Entry Overwrite

• Poor Error Handling: Empty Catch Block

• Poor Error Handling: Overly Broad Catch

• Poor Logging Practice: Use of a System Output Stream

• Poor Style: Confusing Naming

• Poor Style: Non-final Public Static Field

• Poor Style: Value Never Read

• Portability Flaw: Locale Dependent Comparison

• Privacy Violation

• Race Condition: Format Flaw

• Server-Side Request Forgery

• SQL Injection

• System Information Leak

• System Information Leak: HTML Comment in JSP

• System Information Leak: Internal

• Trust Boundary Violation

• Unreleased Resource: Database

• Unreleased Resource: Files

• Unreleased Resource: Sockets

• Unreleased Resource: Streams

• Unreleased Resource: Synchronization

• Unreleased Resource: Unmanaged Object

• Weak Cryptographic Hash

• XML Entity Expansion Injection

• XML External Entity Injection

JavaScript / TypeScript

• Command Injection

• Cookie Security: Cookie not Sent Over SSL

• Cross-Site Scripting: DOM

• Cross-Site Scripting: Self

• Hardcoded Domain in HTML

• Insecure Randomness

• Insecure Randomness: Hardcoded Seed

• Open Redirect

• Password Management: Password in Comment

• Path Manipulation

• Privacy Violation: Autocomplete

• System Information Leak: External

• System Information Leak: Internal

PHP

• Insecure Randomness

• Key Management: Hardcoded Encryption Key

• Password Management: Hardcoded Password

• Weak Cryptographic Hash: Hardcoded Salt

Python

• Cross-Site Request Forgery

• Password Management: Password in Comment

• Path Manipulation

• SQL Injection

• System Information Leak: Internal

• Weak Cryptographic Hash

XML

• Password Management: Password in Comment

• Weak XML Schema: Unbounded Occurrences

YAML

• Password Management: Hardcoded Password

C#

• Declaration Of Catch For Generic Exception

• Deserialization of Untrusted Data

• Heap Inspection

• HttpOnlyCookies

• Improper Exception Handling

• Improper Resource Shutdown or Release

• Improper Restriction of XXE Ref

• Information Exposure Through an Error Message

• Information Exposure via Headers

• Insecure Cookie

• Insufficient Logging of Exceptions

• Insufficient Logging of Sensitive Operations

• Just One of Equals and Hash code Defined

• Log Forging

• Missing HSTS Header

• Path Traversal

• Reflected XSS All Clients

• SQL Injection

• SSRF

• Stored XSS

• Trust Boundary Violation in Session Variables

• Unsafe Object Binding

• Unvalidated Arguments Of Public Methods

• Use of Insufficiently Random Values

• Value Shadowing

GO

• Log Forging

• Privacy Violation

• SSL Verification Bypass

• Use of Cryptographically Weak PRNG

Java

• Absolute Path Traversal

• Command Injection

• Confusing Naming

• Declaration Of Catch For Generic Exception

• Detection of Error Condition Without Action

• Frameable loging page

• HttpOnlyCookies

• Improper Resource Shutdown or Release

• Improper Restriction of Stored XXE Ref

• Improper Restriction of XXE Ref

• Information Exposure Through an Error Message

• Log Forging

• Open Redirect

• Password In Comment

• Portability Flaw Locale Dependent Comparison

• Privacy Violation

• Race Condition Format Flaw

• ReDoS From Regex Injection

• Reflected XSS All Clients

• Relative Path Traversal

• Reversible One Way Hash

• SQL Injection

• SQL Injection Evasion Attack

• SSRF

• Stored Absolute Path Traversal

• Stored Log Forging

• Stored XSS

• Trust Boundary Violation in Session Variables

• Unchecked Input for Loop Condition

• Unsafe Object Binding

• Use Of Broken Or Risky Cryptographic Algorithm

• Use of Hard coded Cryptographic Key

• Use of Non Cryptographic Random

• Use of Wrong Operator in String Comparison

JavaScript / TypeScript

• Absolute Path Traversal

• Client DOM Open Redirect

• Client DOM Stored Code Injection

• Client DOM Stored XSS

• Client DOM XSS

• Client Hardcoded Domain

• Client Insecure Randomness

• Client JQuery Deprecated Symbols

• Client Password In Comment

• Client Potential XSS

• Client Regex Injection

• Client Use Of Iframe Without Sandbox

• Client Weak Cryptographic Hash

• Command Injection

• Log Forging

• Missing CSP Header

• Missing HSTS Header

• Open Redirect

• Prototype Pollution

• Relative Path Traversal

• Server DoS by loop

• Server DoS by Loop

• SQL Injection

• SSRF

• Stored XSS

• Unchecked Input For Loop Condition

• Unprotected Cookie

• Unsafe Use Of Target blank

• Use Of Broken Or Risky Cryptographic Algorithm

• Use of Deprecated or Obsolete Functions

• Use of Insufficiently Random Values

PHP

• Hardcoded Salt

• Use of Hardcoded Cryptographic IV

• Use Of Hardcoded Password

• Use of Non Cryptographic Random

Python

• Debug Enabled

• Filtering Sensitive Logs

• Improper Resource Shutdown or Release

• Information Exposure Through an Error Message

• Log Forging

• Password in Comment

• Path Traversal

• Privacy Violation

• ReDoS Injection

• Reversible One Way Hash

• Second Order SQL Injection

• SQL Injection

• Unchecked Input for Loop Condition

• Use Of Broken Or Risky Cryptographic Algorithm

• XSS

SQL

• Default Definer Rights in Package or Object Definition

• Second Order SQL Injection

C#

• Composite format strings should be used correctly

• Creating cookies without the "HttpOnly" flag is security-sensitive

• Creating cookies without the "secure" flag is security-sensitive

• Extracting archives should not lead to zip slip vulnerabilities

• Fields that are only assigned in the constructor should be "readonly"

• I/O function calls should not be vulnerable to path injection attacks

• Logging should not be vulnerable to injection attacks

• Not specifying a timeout for regular expressions is security-sensitive

• Null pointers should not be dereferenced

• Sections of code should not be commented out

• Secure random number generators should not output predictable values

• Unassigned members should be removed

• Unread "private" fields should be removed

• Unused private types or members should be removed

GO

• Using pseudorandom number generators (PRNGs) is security-sensitive

Java

• "Preconditions" and logging arguments should not require evaluation

• Creating cookies without the "HttpOnly" flag is security-sensitive

• Creating cookies without the "secure" flag is security-sensitive

• Database queries should not be vulnerable to injection attacks

• Endpoints should not be vulnerable to reflected cross-site scripting (XSS) attacks

• Extracting archives should not lead to zip slip vulnerabilities

• Format strings should be used correctly

• Generic exceptions should never be thrown

• I/O function calls should not be vulnerable to path injection attacks

• javasecurity:S5146 HTTP request redirections should not be open to forging attacks

• Logging should not be vulnerable to injection attacks

• Public constants and fields initialized at declaration should be "static final" rather than merely "final"

• Regular expressions should not be vulnerable to Denial of Service attacks

• Sections of code should not be commented out

• Server-side requests should not be vulnerable to traversing attacks

• String literals should not be duplicated

• Strings and Boxed types should be compared using "equals()"

• Try-catch blocks should not be nested

• Unnecessary imports should be removed

• Unused "private" fields should be removed

• Unused assignments should be removed

• Unused local variables should be removed

• Using pseudorandom number generators (PRNGs) is security-sensitive

• Using weak hashing algorithms is security-sensitive

JavaScript / TypeScript

• Creating cookies without the "secure" flag is security-sensitive

• Database queries should not be vulnerable to injection attacks

• Database queries should not be vulnerable to injection attacks

• DOM updates should not lead to cross-site scripting (XSS) attacks

• DOM updates should not lead to cross-site scripting (XSS) attacks

• DOM updates should not lead to open redirect vulnerabilities

• DOM updates should not lead to open redirect vulnerabilities

• Dynamically executing code is security-sensitive

• Fields that are only assigned in the constructor should be "readonly"

• Formatting SQL queries is security-sensitive

• Function returns should not be invariant

• HTTP request redirections should not be open to forging attacks

• HTTP request redirections should not be open to forging attacks

• I/O function calls should not be vulnerable to path injection attacks

• I/O function calls should not be vulnerable to path injection attacks

• Jump statements should not occur in "finally" blocks

• Jump statements should not occur in "finally" blocks

• NoSQL operations should not be vulnerable to injection attacks

• NoSQL operations should not be vulnerable to injection attacks

• Regular expressions should not be vulnerable to Denial of Service attacks

• Regular expressions should not be vulnerable to Denial of Service attacks

• Sections of code should not be commented out

• Sections of code should not be commented out

• Unnecessary character escapes should be removed

• Unnecessary character escapes should be removed

• Using pseudorandom number generators (PRNGs) is security-sensitive

• Using pseudorandom number generators (PRNGs) is security-sensitive

• Using remote artifacts without integrity checks is security-sensitive

• Using slow regular expressions is security-sensitive

• Using slow regular expressions is security-sensitive

• Using weak hashing algorithms is security-sensitive

• Variables should be declared explicitly

• Variables should be declared with "let" or "const"

• Variables should be declared with "let" or "const"

PHP

• Credentials should not be hard-coded

• Hard-coded credentials are security-sensitive

• Hard-coded secrets are security-sensitive

• Using pseudorandom number generators (PRNGs) is security-sensitive

Python

• "Exception" and "BaseException" should not be raised

• Database queries should not be vulnerable to injection attacks

• Delivering code in production with debug features activated is security-sensitive

• Disabling auto-escaping in template engines is security-sensitive

• Do not name local variables as builtin python functions

• Do not use identity comparisons (is / is not) with cached types

• Formatting SQL queries is security-sensitive

• Function parameters' default values should not be modified or assigned

• Logging should not be vulnerable to injection attacks

• Loop boundaries should not be vulnerable to injection attacks

• Properly use string formatting: add all arguments to the format string, don't supply unused arguments

• python:S5443 Using publicly writable directories is security-sensitive

• python:S5754 "SystemExit" should be re-raised

• Regular expressions should not be vulnerable to Denial of Service attacks

• Sections of code should not be commented out

• String literals should not be duplicated

• The "print" statement should not be used

• Unused assignments should be removed

• Using weak hashing algorithms is security-sensitive

• Wildcard imports should not be used

YAML

• Credentials should not be hard-coded

• Ensure whitespace in-between braces in template directives

CPP

• Use of dangerous function

C#

• Arbitrary file access during archive extraction (”Zip Slip”)

• Deserialization of untrusted data

• Insecure randomness

• Log entries created from user input

• Uncontrolled data used in path expression

GO

• Clear-text logging of sensitive information

• Disabled TLS certificate check

• Incomplete regular expression for hostnames

• Log entries created from user input

Java

• Arbitrary file access during archive extraction (”Zip Slip”)

• Cross-site scripting

• Executing a command with a relative path

• Failure to use secure cookies

• HTTP response splitting

• Log Injection

• Query built by concatenation with a possibly-untrusted string

• Query built from user-controlled sources

• Resolving XML external entity in user-controlled data

• Server-side request forgery

• Uncontrolled command line

• Uncontrolled data used in path expression

• Use of a broken or risky cryptographic algorithm

• Use of a potentially broken or risky cryptographic algorithm

• Use of a potentially broken or risky cryptographic algorithm

JavaScript / TypeScript

• Clear text transmission of sensitive cookie

• Client-side cross-site scripting

• Client-side URL redirect

• Database query built from user-controlled sources

• Inclusion of functionality from an untrusted source

• Incomplete regular expression for hostnames

• Incomplete URL scheme check

• Incomplete URL substring sanitization

• Inefficient regular expression

• Insecure randomness

• Insecure randomness

• Log injection

• Missing rate limiting

• Overly permissive regular expression range

• Prototype-polluting assignment

• Prototype-polluting function

• Reflected cross-site scripting

• Regular expression injection

• Server-side request forgery

• Server-side URL redirect

• Type confusion through parameter tampering

• Uncontrolled data used in path expression

• Use of a broken or weak cryptographic algorithm

• Useless regular-expression character escape

Python

• Arbitrary file write during tarfile extraction

• Flask app is run in debug mode

• Incomplete URL substring sanitization

• Information exposure through an exception

• Jinja2 templating with autoescape=False

• Log Injection

• Overly permissive regular expression range

• Regular expression injection

• SQL query built from user-controlled sources

• Uncontrolled data used in path expression

• Use of a broken or weak cryptographic algorithm

• Use of a broken or weak cryptographic hashing algorithm on sensitive data

• XSS

GO

• Cookie Missing HTTP only

• go.lang.security.audit.dangerous-exec-command.dangerous-exec-command

• go.lang.security.injection.open-redirect.open-redirect

• gorilla.security.audit.websocket-missing-origin-check.websocket-missing-origin-check

• insecure-transport.go-stdlib.bypass-tls-verification.bypass-tls-verification

• lang.security.audit.crypto.missing-ssl-minversion.missing-ssl-minversion

• lang.security.audit.crypto.use_of_weak_crypto.use-of-md5

• lang.security.audit.crypto.use_of_weak_crypto.use-of-sha1

• lang.security.audit.dangerous-exec-command.dangerous-exec-command

• lang.security.audit.sqli.pgx-sqli.pgx-sqli

• lang.security.audit.xss.no-direct-write-to-responsewriter.no-direct-write-to-responsewriter

Java

• java.lang.security.audit.cookie-missing-httponly.cookie-missing-httponly

• java.lang.security.audit.cookie-missing-secure-flag.cookie-missing-secure-flag

• java.lang.security.audit.crypto.weak-random.weak-random

• java.servlets.security.cookie-issecure-false.cookie-issecure-false

• lang.security.audit.crypto.use-of-md5.use-of-md5

• lang.security.audit.crypto.use-of-sha1.use-of-sha1

• lang.security.audit.sqli.jdbc-sqli.jdbc-sqli

• lang.security.audit.sqli.tainted-sql-from-http-request.tainted-sql-from-http-request

• lang.security.audit.unvalidated-redirect.unvalidated-redirect

• spring.security.audit.spring-unvalidated-redirect.spring-unvalidated-redirect

JavaScript / TypeScript

• html.security.audit.missing-integrity.missing-integrity

• javascript.express.security.audit.xss.ejs.explicit-unescape.template-explicit-unescape

• javascript.lang.security.audit.detect-redos-mobb.detect-redos-mobb

• javascript.lang.security.audit.unsafe-formatstring.unsafe-formatstring

• lang.security.audit.sqli.node-knex-sqli.node-knex-sqli

• lang.security.audit.sqli.node-postgres-sqli.node-postgres-sqli

• mobb.security.audit.express-check-cmdi

Python

• django.security.injection.tainted-sql-string.tainted-sql-string

• flask.security.injection.tainted-sql-string.tainted-sql-string

• python.django.security.django-no-csrf-token.django-no-csrf-token

• python.django.security.injection.open-redirect.open-redirect

• python.flask.security.audit.debug-enabled.debug-enabled

• python.lang.security.audit.formatted-sql-query.formatted-sql-query

• python.lang.security.audit.sqli.psycopg-sqli.psycopg-sqli

• python.lang.security.audit.subprocess-shell-true.subprocess-shell-true

• python.lang.security.insecure-hash-algorithms-md5.insecure-hash-algorithm-md5

• python.lang.security.insecure-hash-algorithms.insecure-hash-algorithm-sha1

• python.lang.security.insecure-uuid-version.insecure-uuid-version

• python.sqlalchemy.security.audit.avoid-sqlalchemy-text.avoid-sqlalchemy-text

• python.sqlalchemy.security.sqlalchemy-execute-raw-query.sqlalchemy-execute-raw-query

• python.tarfile-extractall-traversal.tarfile-extractall-traversal

YAML

• yaml.github-actions.security.run-shell-injection.run-shell-injection

Java

• Avoid user-input file

• Avoid using printStackTrace()

• MD2, MD4, and MD5 are weak hash functions

• Prefer SecureRandom over Random

• Prevent path traversal

• SHA-1 is a weak hash function

JavaScript / TypeScript

• Avoid setting insecure cookie settings

• Do not use weak hash functions

Python

• Avoid SQL injections

• Do not use an empty list as a default parameter