Supported Fixes

C#

• Anti-forgery token validation disabled

• Arbitrary File Write via Archive Extraction (Zip Slip)

• Log Forging

• Path Traversal

• Sensitive Cookie in HTTPS Session Without 'Secure' Attribute

• Sensitive Cookie Without 'HttpOnly' Flag

• Server-Side Request Forgery (SSRF)

• SQL Injection

• Use of Insufficiently Random Values

• XML External Entity (XXE) Injection

Java

• Arbitrary File Write via Archive Extraction (Zip Slip)

• Command Injection

• Cross-site Scripting (XSS)

• Improper Neutralization of CRLF Sequences in HTTP Headers

• Path Traversal

• Regular expression injection

• Sensitive Cookie in HTTPS Session Without 'Secure' Attribute

• Sensitive Cookie Without 'HttpOnly' Flag

• Server-Side Request Forgery (SSRF)

• SQL Injection

• Trust Boundary Violation

• XML External Entity (XXE) Injection

JavaScript / TypeScript

• Allocation of Resources Without Limits or Throttling

• Command Injection

• Cross-site Scripting (XSS)

• Denial of Service (DoS) through Nested GraphQL Queries

• Indirect Command Injection via User Controlled Environment

• NoSQL Injection

• Open Redirect

• Path Traversal

• Privacy Leak

• Prototype Pollution

• Regular Expression Denial of Service (ReDoS)

• Sensitive Cookie in HTTPS Session Without 'Secure' Attribute

• Server-Side Request Forgery (SSRF)

• SQL Injection

• Use of Hardcoded Credentials

Python

• Cross Site Scripting (XSS)

• Debug Mode Enabled

• Incomplete URL sanitization

• Jinja auto-escape is set to false

• Path Traversal

• Regular Expression Denial of Service (ReDoS)

• SQL Injection

C#

• ASP.NET MVC Bad Practices: Controller Action Without AntiForgery Validation

• Cookie Security: HTTPOnly not Set on Application Cookie

• Cookie Security: Session Cookie not Sent Over SSL

• Header Manipulation

• Insecure Randomness

• Insecure Randomness: Hardcoded Seed

• Log Forging

• Mass Assignment: Insecure Binder Configuration

• Null Dereference

• Object Model Violation: Just One of Equals() and GetHashCode() Defined

• Password Management: Password in Comment

• Path Manipulation

• Path Manipulation: Base Path Overwriting

• Path Manipulation: Zip Entry Overwrite

• Poor Error Handling: Overly Broad Catch

• Poor Logging Practice: Use of a System Output Stream

• SQL Injection

• System Information Leak

• System Information Leak: Internal

• Trust Boundary Violation

• XML Entity Expansion Injection

• XML External Entity Injection

Java

• Code Correctness: Class Does Not Implement Equivalence Method

• Code Correctness: Comparison of Boxed Primitive Types

• Code Correctness: Erroneous String Compare

• Command Injection

• Cookie Security: Cookie not Sent Over SSL

• Cookie Security: HTTPOnly not Set

• Cross-Site Scripting: Reflected

• Denial of Service: Regular Expression

• Denial of Service: StringBuilder

• Insecure Randomness

• J2EE Bad Practices: Leftover Debug Code

• Log Forging

• Log Forging (debug)

• Missing Check against Null

• Null Dereference

• Password Management: Password in Comment

• Path Manipulation

• Path Manipulation: Zip Entry Overwrite

• Poor Error Handling: Empty Catch Block

• Poor Error Handling: Overly Broad Catch

• Poor Logging Practice: Use of a System Output Stream

• Poor Style: Confusing Naming

• Poor Style: Non-final Public Static Field

• Poor Style: Value Never Read

• Portability Flaw: Locale Dependent Comparison

• Privacy Violation

• Race Condition: Format Flaw

• Server-Side Request Forgery

• SQL Injection

• System Information Leak

• System Information Leak: HTML Comment in JSP

• System Information Leak: Internal

• Trust Boundary Violation

• Unreleased Resource: Database

• Unreleased Resource: Files

• Unreleased Resource: Sockets

• Unreleased Resource: Streams

• Unreleased Resource: Synchronization

• Unreleased Resource: Unmanaged Object

• XML Entity Expansion Injection

• XML External Entity Injection

JavaScript / TypeScript

• Command Injection

• Cookie Security: Cookie not Sent Over SSL

• Credential Management: Hardcoded API Credentials

• Cross-Site Request Forgery

• Cross-Site Scripting: DOM

• Cross-Site Scripting: Self

• Hardcoded Domain in HTML

• Insecure Randomness

• Insecure Randomness: Hardcoded Seed

• Open Redirect

• Password Management: Hardcoded Password

• Password Management: Password in Comment

• Path Manipulation

• Privacy Violation: Autocomplete

• System Information Leak: External

• System Information Leak: Internal

PHP

• Insecure Randomness

Python

• Password Management: Password in Comment

• Path Manipulation

• SQL Injection

• System Information Leak: Internal

XML

• Password Management: Password in Comment

• Weak XML Schema: Unbounded Occurrences

C#

• Declaration Of Catch For Generic Exception

• Deserialization of Untrusted Data

• Heap Inspection

• HttpOnlyCookies

• Improper Exception Handling

• Improper Resource Shutdown or Release

• Improper Restriction of XXE Ref

• Information Exposure Through an Error Message

• Information Exposure via Headers

• Insecure Cookie

• Insufficient Logging of Exceptions

• Insufficient Logging of Sensitive Operations

• Just One of Equals and Hash code Defined

• Log Forging

• Missing HSTS Header

• Path Traversal

• Reflected XSS All Clients

• SQL Injection

• SSRF

• Stored XSS

• Trust Boundary Violation in Session Variables

• Unsafe Object Binding

• Unvalidated Arguments Of Public Methods

• Use of Insufficiently Random Values

• Value Shadowing

Java

• Absolute Path Traversal

• Command Injection

• Confusing Naming

• Declaration Of Catch For Generic Exception

• Detection of Error Condition Without Action

• HttpOnlyCookies

• Improper Resource Shutdown or Release

• Improper Restriction of Stored XXE Ref

• Improper Restriction of XXE Ref

• Information Exposure Through an Error Message

• Log Forging

• Password In Comment

• Portability Flaw Locale Dependent Comparison

• Race Condition Format Flaw

• ReDoS From Regex Injection

• Reflected XSS All Clients

• Relative Path Traversal

• SQL Injection

• SSRF

• Stored Log Forging

• Stored XSS

• Trust Boundary Violation in Session Variables

• Unchecked Input for Loop Condition

• Use of Non Cryptographic Random

• Use of Wrong Operator in String Comparison

JavaScript / TypeScript

• Absolute Path Traversal

• Client DOM Open Redirect

• Client DOM Stored Code Injection

• Client DOM Stored XSS

• Client DOM XSS

• Client Hardcoded Domain

• Client Insecure Randomness

• Client JQuery Deprecated Symbols

• Client Password In Comment

• Client Potential XSS

• Client Regex Injection

• Client Use Of Iframe Without Sandbox

• Command Injection

• Hardcoded password in Connection String

• JWT Use Of Hardcoded Secret

• Log Forging

• Missing CSP Header

• Missing HSTS Header

• Open Redirect

• Prototype Pollution

• Relative Path Traversal

• Server DoS by loop

• Server DoS by Loop

• SQL Injection

• SSRF

• Stored XSS

• Unchecked Input For Loop Condition

• Unprotected Cookie

• Unsafe Use Of Target blank

• Use of Deprecated or Obsolete Functions

• Use Of Hardcoded Password

• Use of Insufficiently Random Values

PHP

• Use of Non Cryptographic Random

Python

• Debug Enabled

• Improper Resource Shutdown or Release

• Log Forging

• Password in Comment

• Path Traversal

• ReDoS Injection

• Second Order SQL Injection

• SQL Injection

• XSS

SQL

• Default Definer Rights in Package or Object Definition

C#

• Composite format strings should be used correctly

• Creating cookies without the "HttpOnly" flag is security-sensitive

• Creating cookies without the "secure" flag is security-sensitive

• Extracting archives should not lead to zip slip vulnerabilities

• Fields that are only assigned in the constructor should be "readonly"

• I/O function calls should not be vulnerable to path injection attacks

• Logging should not be vulnerable to injection attacks

• Not specifying a timeout for regular expressions is security-sensitive

• Null pointers should not be dereferenced

• Sections of code should not be commented out

• Secure random number generators should not output predictable values

• Unassigned members should be removed

• Unread "private" fields should be removed

• Unused private types or members should be removed

Java

• Creating cookies without the "HttpOnly" flag is security-sensitive

• Creating cookies without the "secure" flag is security-sensitive

• Database queries should not be vulnerable to injection attacks

• Endpoints should not be vulnerable to reflected cross-site scripting (XSS) attacks

• Extracting archives should not lead to zip slip vulnerabilities

• I/O function calls should not be vulnerable to path injection attacks

• Logging should not be vulnerable to injection attacks

• Public constants and fields initialized at declaration should be "static final" rather than merely "final"

• Regular expressions should not be vulnerable to Denial of Service attacks

• Strings and Boxed types should be compared using "equals()"

• Unused assignments should be removed

• Unused local variables should be removed

• Using pseudorandom number generators (PRNGs) is security-sensitive

JavaScript / TypeScript

• Creating cookies without the "secure" flag is security-sensitive

• Database queries should not be vulnerable to injection attacks

• Database queries should not be vulnerable to injection attacks

• DOM updates should not lead to cross-site scripting (XSS) attacks

• DOM updates should not lead to cross-site scripting (XSS) attacks

• DOM updates should not lead to open redirect vulnerabilities

• DOM updates should not lead to open redirect vulnerabilities

• Dynamically executing code is security-sensitive

• Hard-coded credentials are security-sensitive

• Hard-coded credentials are security-sensitive

• HTTP request redirections should not be open to forging attacks

• HTTP request redirections should not be open to forging attacks

• I/O function calls should not be vulnerable to path injection attacks

• I/O function calls should not be vulnerable to path injection attacks

• NoSQL operations should not be vulnerable to injection attacks

• NoSQL operations should not be vulnerable to injection attacks

• Regular expressions should not be vulnerable to Denial of Service attacks

• Regular expressions should not be vulnerable to Denial of Service attacks

• Unnecessary character escapes should be removed

• Unnecessary character escapes should be removed

• Using pseudorandom number generators (PRNGs) is security-sensitive

• Using pseudorandom number generators (PRNGs) is security-sensitive

• Using remote artifacts without integrity checks is security-sensitive

PHP

• Using pseudorandom number generators (PRNGs) is security-sensitive

Python

• Database queries should not be vulnerable to injection attacks

• Delivering code in production with debug features activated is security-sensitive

• Disabling auto-escaping in template engines is security-sensitive

• Formatting SQL queries is security-sensitive

• Logging should not be vulnerable to injection attacks

• Regular expressions should not be vulnerable to Denial of Service attacks

CPP

• Use of dangerous function

C#

• Arbitrary file access during archive extraction (”Zip Slip”)

• Deserialization of untrusted data

• Insecure randomness

• Log entries created from user input

• Uncontrolled data used in path expression

Java

• Arbitrary file access during archive extraction (”Zip Slip”)

• Cross-site scripting

• Executing a command with a relative path

• Failure to use secure cookies

• HTTP response splitting

• Log Injection

• Query built by concatenation with a possibly-untrusted string

• Query built from user-controlled sources

• Resolving XML external entity in user-controlled data

• Server-side request forgery

• Uncontrolled command line

• Uncontrolled data used in path expression

JavaScript / TypeScript

• Clear text transmission of sensitive cookie

• Client-side cross-site scripting

• Client-side URL redirect

• Database query built from user-controlled sources

• Hard-coded credentials

• Inclusion of functionality from an untrusted source

• Incomplete regular expression for hostnames

• Incomplete URL scheme check

• Incomplete URL substring sanitization

• Inefficient regular expression

• Insecure randomness

• Log injection

• Missing rate limiting

• Overly permissive regular expression range

• Prototype-polluting assignment

• Prototype-polluting function

• Reflected cross-site scripting

• Regular expression injection

• Server-side request forgery

• Server-side URL redirect

• Type confusion through parameter tampering

• Uncontrolled data used in path expression

• Useless regular-expression character escape

Python

• Flask app is run in debug mode

• Incomplete URL substring sanitization

• Jinja2 templating with autoescape=False

• Log Injection

• Regular expression injection

• SQL query built from user-controlled sources

• Uncontrolled data used in path expression

• XSS

Java

• java.lang.security.audit.cookie-missing-httponly.cookie-missing-httponly

• java.lang.security.audit.cookie-missing-secure-flag.cookie-missing-secure-flag

• java.lang.security.audit.crypto.weak-random.weak-random

• java.servlets.security.cookie-issecure-false.cookie-issecure-false

JavaScript / TypeScript

• html.security.audit.missing-integrity.missing-integrity

• javascript.express.security.audit.xss.ejs.explicit-unescape.template-explicit-unescape

• javascript.lang.security.audit.unsafe-formatstring.unsafe-formatstring

Python

• django.security.injection.tainted-sql-string.tainted-sql-string

• flask.security.injection.tainted-sql-string.tainted-sql-string

• lang.security.audit.formatted-sql-query.formatted-sql-query

• lang.security.audit.sqli.psycopg-sqli.psycopg-sqli

• python.django.security.django-no-csrf-token.django-no-csrf-token

• python.django.security.injection.open-redirect.open-redirect

• python.flask.security.audit.debug-enabled.debug-enabled

• sqlalchemy.security.sqlalchemy-execute-raw-query.sqlalchemy-execute-raw-query