CodeQL CWE coverage

An overview of the coverage of MITRE’s Common Weakness Enumeration (CWE) for the latest release of CodeQL.

About CWEs

The CWE categorization contains several types of entity, collectively known as CWEs. This report considers only CWEs of the following types:

  • Weakness Class
  • Weakness Base
  • Weakness Variant
  • Compound Element

Other types of CWE do not correspond directly to weaknesses, so they are omitted.

The CWE categorization includes relationships between entities, in particular a parent-child relationship. These relationships are associated with Views (another kind of CWE entity). For the purposes of coverage claims, we use the “Research View.”

Every security query is associated with one or more CWEs, which are the most precise CWEs that are covered by that query. Overall coverage is claimed for the most precise CWEs, as well as for any of their ancestors in the View.

Overview

CWE Language Query id Query name
CWE‑11 C# cs/web/debug-binary Creating an ASP.NET debug binary may reveal sensitive information
CWE‑12 C# cs/web/missing-global-error-handler Missing global error handler
CWE‑13 C# cs/password-in-configuration Password in configuration file
CWE‑14 C++ cpp/memset-may-be-deleted Call to memset may be deleted
CWE‑20 Java java/count-untrusted-data-external-api Frequency counts for external APIs that are used with untrusted data
CWE‑20 Java java/untrusted-data-to-external-api Untrusted data passed to external API
CWE‑20 Java java/improper-validation-of-array-construction Improper validation of user-provided size used for array construction
CWE‑20 Java java/improper-validation-of-array-construction-code-specified Improper validation of code-specified size used for array construction
CWE‑20 Java java/improper-validation-of-array-construction-local Improper validation of local user-provided size used for array construction
CWE‑20 Java java/improper-validation-of-array-index Improper validation of user-provided array index
CWE‑20 Java java/improper-validation-of-array-index-code-specified Improper validation of code-specified array index
CWE‑20 Java java/improper-validation-of-array-index-local Improper validation of local user-provided array index
CWE‑20 C++ cpp/count-untrusted-data-external-api Frequency counts for external APIs that are used with untrusted data
CWE‑20 C++ cpp/count-untrusted-data-external-api-ir Frequency counts for external APIs that are used with untrusted data
CWE‑20 C++ cpp/untrusted-data-to-external-api-ir Untrusted data passed to external API
CWE‑20 C++ cpp/untrusted-data-to-external-api Untrusted data passed to external API
CWE‑20 C++ cpp/uncontrolled-process-operation Uncontrolled process operation
CWE‑20 C++ cpp/unclear-array-index-validation Unclear validation of array index
CWE‑20 C++ cpp/late-check-of-function-argument Late Check Of Function Argument
CWE‑20 C# csharp/count-untrusted-data-external-api Frequency counts for external APIs that are used with untrusted data
CWE‑20 C# cs/serialization-check-bypass Serialization check bypass
CWE‑20 C# csharp/untrusted-data-to-external-api Untrusted data passed to external API
CWE‑20 C# cs/xml/missing-validation Missing XML validation
CWE‑20 C# cs/assembly-path-injection Assembly path injection
CWE‑20 Python py/incomplete-hostname-regexp Incomplete regular expression for hostnames
CWE‑20 Python py/incomplete-url-substring-sanitization Incomplete URL substring sanitization
CWE‑20 Python python/count-untrusted-data-external-api Frequency counts for external APIs that are used with untrusted data
CWE‑20 Python python/untrusted-data-to-external-api Untrusted data passed to external API
CWE‑20 JavaScript js/count-untrusted-data-external-api Frequency counts for external APIs that are used with untrusted data
CWE‑20 JavaScript js/incomplete-hostname-regexp Incomplete regular expression for hostnames
CWE‑20 JavaScript js/incomplete-url-scheme-check Incomplete URL scheme check
CWE‑20 JavaScript js/incomplete-url-substring-sanitization Incomplete URL substring sanitization
CWE‑20 JavaScript js/incorrect-suffix-check Incorrect suffix check
CWE‑20 JavaScript js/regex/missing-regexp-anchor Missing regular expression anchor
CWE‑20 JavaScript js/untrusted-data-to-external-api Untrusted data passed to external API
CWE‑20 JavaScript js/useless-regexp-character-escape Useless regular-expression character escape
CWE‑20 JavaScript js/double-escaping Double escaping or unescaping
CWE‑20 JavaScript js/incomplete-html-attribute-sanitization Incomplete HTML attribute sanitization
CWE‑20 JavaScript js/incomplete-multi-character-sanitization Incomplete multi-character sanitization
CWE‑20 JavaScript js/incomplete-sanitization Incomplete string escaping or encoding
CWE‑20 JavaScript js/missing-postmessageorigin-verification Missing MessageEvent.origin verification in postMessage handlers
CWE‑20 Go go/count-untrusted-data-external-api Frequency counts for external APIs that are used with untrusted data
CWE‑20 Go go/incomplete-hostname-regexp Incomplete regular expression for hostnames
CWE‑20 Go go/incomplete-url-scheme-check Incomplete URL scheme check
CWE‑20 Go go/regex/missing-regexp-anchor Missing regular expression anchor
CWE‑20 Go go/suspicious-character-in-regex Suspicious characters in a regular expression
CWE‑20 Go go/untrusted-data-to-external-api Untrusted data passed to external API
CWE‑20 Go go/untrusted-data-to-unknown-external-api Untrusted data passed to unknown external API
CWE‑22 Java java/path-injection Uncontrolled data used in path expression
CWE‑22 Java java/path-injection-local Local-user-controlled data in path expression
CWE‑22 Java java/zipslip Arbitrary file write during archive extraction ("Zip Slip")
CWE‑22 Java java/openstream-called-on-tainted-url openStream called on URLs created from remote source
CWE‑22 C++ cpp/path-injection Uncontrolled data used in path expression
CWE‑22 C# cs/path-injection Uncontrolled data used in path expression
CWE‑22 C# cs/zipslip Arbitrary file write during zip extraction ("Zip Slip")
CWE‑22 C# cs/webclient-path-injection Uncontrolled data used in a WebClient
CWE‑22 Python py/path-injection Uncontrolled data used in path expression
CWE‑22 Python py/tarslip Arbitrary file write during tarfile extraction
CWE‑22 JavaScript js/path-injection Uncontrolled data used in path expression
CWE‑22 JavaScript js/zipslip Arbitrary file write during zip extraction ("Zip Slip")
CWE‑22 Go go/path-injection Uncontrolled data used in path expression
CWE‑22 Go go/unsafe-unzip-symlink Arbitrary file write extracting an archive containing symbolic links
CWE‑22 Go go/zipslip Arbitrary file write during zip extraction ("zip slip")
CWE‑23 Java java/path-injection Uncontrolled data used in path expression
CWE‑23 Java java/path-injection-local Local-user-controlled data in path expression
CWE‑23 C++ cpp/path-injection Uncontrolled data used in path expression
CWE‑23 C# cs/path-injection Uncontrolled data used in path expression
CWE‑23 C# cs/webclient-path-injection Uncontrolled data used in a WebClient
CWE‑23 Python py/path-injection Uncontrolled data used in path expression
CWE‑23 JavaScript js/path-injection Uncontrolled data used in path expression
CWE‑23 Go go/path-injection Uncontrolled data used in path expression
CWE‑36 Java java/path-injection Uncontrolled data used in path expression
CWE‑36 Java java/path-injection-local Local-user-controlled data in path expression
CWE‑36 Java java/openstream-called-on-tainted-url openStream called on URLs created from remote source
CWE‑36 C++ cpp/path-injection Uncontrolled data used in path expression
CWE‑36 C# cs/path-injection Uncontrolled data used in path expression
CWE‑36 C# cs/webclient-path-injection Uncontrolled data used in a WebClient
CWE‑36 Python py/path-injection Uncontrolled data used in path expression
CWE‑36 JavaScript js/path-injection Uncontrolled data used in path expression
CWE‑36 Go go/path-injection Uncontrolled data used in path expression
CWE‑73 Java java/path-injection Uncontrolled data used in path expression
CWE‑73 Java java/path-injection-local Local-user-controlled data in path expression
CWE‑73 C++ cpp/path-injection Uncontrolled data used in path expression
CWE‑73 C# cs/path-injection Uncontrolled data used in path expression
CWE‑73 C# cs/webclient-path-injection Uncontrolled data used in a WebClient
CWE‑73 Python py/path-injection Uncontrolled data used in path expression
CWE‑73 JavaScript js/path-injection Uncontrolled data used in path expression
CWE‑73 JavaScript js/template-object-injection Template Object Injection
CWE‑73 Go go/path-injection Uncontrolled data used in path expression
CWE‑74 Java java/relative-path-command Executing a command with a relative path
CWE‑74 Java java/command-line-injection Uncontrolled command line
CWE‑74 Java java/command-line-injection-local Local-user-controlled command line
CWE‑74 Java java/concatenated-command-line Building a command line with string concatenation
CWE‑74 Java java/xss Cross-site scripting
CWE‑74 Java java/xss-local Cross-site scripting from local source
CWE‑74 Java java/sql-injection Query built from user-controlled sources
CWE‑74 Java java/sql-injection-local Query built from local-user-controlled sources
CWE‑74 Java java/concatenated-sql-query Query built without neutralizing special characters
CWE‑74 Java java/ldap-injection LDAP query built from user-controlled sources
CWE‑74 Java java/insecure-bean-validation Insecure Bean Validation
CWE‑74 Java java/netty-http-response-splitting Disabled Netty HTTP header validation
CWE‑74 Java java/http-response-splitting HTTP response splitting
CWE‑74 Java java/http-response-splitting-local HTTP response splitting from local source
CWE‑74 Java java/tainted-format-string Use of externally-controlled format string
CWE‑74 Java java/tainted-format-string-local Use of externally-controlled format string from local source
CWE‑74 Java java/xml/xpath-injection XPath injection
CWE‑74 Java java/jndi-injection JNDI lookup with user-controlled name
CWE‑74 Java java/xslt-injection XSLT transformation with user-controlled stylesheet
CWE‑74 Java java/command-line-injection Uncontrolled command line
CWE‑74 Java java/groovy-injection Groovy Language injection
CWE‑74 Java java/android-insecure-dex-loading Insecure loading of an Android Dex File
CWE‑74 Java java/javaee-expression-injection Jakarta Expression Language injection
CWE‑74 Java java/jexl-expression-injection Expression language injection (JEXL)
CWE‑74 Java java/mvel-expression-injection Expression language injection (MVEL)
CWE‑74 Java java/unsafe-eval ScriptEngine evaluation
CWE‑74 Java java/spel-expression-injection Expression language injection (Spring)
CWE‑74 Java java/spring-view-manipulation-implicit Spring Implicit View Manipulation
CWE‑74 Java java/spring-view-manipulation Spring View Manipulation
CWE‑74 Java java/xquery-injection XQuery query built from user-controlled sources
CWE‑74 Java java/android/unsafe-android-webview-fetch Unsafe resource fetching in Android webview
CWE‑74 Java java/ognl-injection OGNL Expression Language statement with user-controlled input
CWE‑74 C++ cpp/non-constant-format Non-constant format string
CWE‑74 C++ cpp/command-line-injection Uncontrolled data used in OS command
CWE‑74 C++ cpp/cgi-xss CGI script vulnerable to cross-site scripting
CWE‑74 C++ cpp/sql-injection Uncontrolled data in SQL query
CWE‑74 C++ cpp/tainted-format-string Uncontrolled format string
CWE‑74 C++ cpp/tainted-format-string-through-global Uncontrolled format string (through global variable)
CWE‑74 C# cs/web/disabled-header-checking Header checking disabled
CWE‑74 C# cs/path-injection Uncontrolled data used in path expression
CWE‑74 C# cs/command-line-injection Uncontrolled command line
CWE‑74 C# cs/stored-command-line-injection Uncontrolled command line from stored user input
CWE‑74 C# cs/web/stored-xss Stored cross-site scripting
CWE‑74 C# cs/web/xss Cross-site scripting
CWE‑74 C# cs/second-order-sql-injection SQL query built from stored user-controlled sources
CWE‑74 C# cs/sql-injection SQL query built from user-controlled sources
CWE‑74 C# cs/ldap-injection LDAP query built from user-controlled sources
CWE‑74 C# cs/stored-ldap-injection LDAP query built from stored user-controlled sources
CWE‑74 C# cs/xml-injection XML injection
CWE‑74 C# cs/code-injection Improper control of generation of code
CWE‑74 C# cs/resource-injection Resource injection
CWE‑74 C# cs/uncontrolled-format-string Uncontrolled format string
CWE‑74 C# cs/xml/stored-xpath-injection Stored XPath injection
CWE‑74 C# cs/xml/xpath-injection XPath injection
CWE‑74 C# cs/webclient-path-injection Uncontrolled data used in a WebClient
CWE‑74 Python py/path-injection Uncontrolled data used in path expression
CWE‑74 Python py/command-line-injection Uncontrolled command line
CWE‑74 Python py/jinja2/autoescape-false Jinja2 templating with autoescape=False
CWE‑74 Python py/reflective-xss Reflected server-side cross-site scripting
CWE‑74 Python py/sql-injection SQL query built from user-controlled sources
CWE‑74 Python py/code-injection Code injection
CWE‑74 Python py/template-injection Server Side Template Injection
CWE‑74 Python py/xslt-injection XSLT query built from user-controlled sources
CWE‑74 Python py/xpath-injection XPath query built from user-controlled sources
CWE‑74 JavaScript js/enabling-electron-renderer-node-integration Enabling Node.js integration for Electron web content renderers
CWE‑74 JavaScript js/path-injection Uncontrolled data used in path expression
CWE‑74 JavaScript js/template-object-injection Template Object Injection
CWE‑74 JavaScript js/command-line-injection Uncontrolled command line
CWE‑74 JavaScript js/indirect-command-line-injection Indirect uncontrolled command line
CWE‑74 JavaScript js/shell-command-injection-from-environment Shell command built from environment values
CWE‑74 JavaScript js/shell-command-constructed-from-input Unsafe shell command constructed from library input
CWE‑74 JavaScript js/xss-through-exception Exception text reinterpreted as HTML
CWE‑74 JavaScript js/reflected-xss Reflected cross-site scripting
CWE‑74 JavaScript js/stored-xss Stored cross-site scripting
CWE‑74 JavaScript js/html-constructed-from-input Unsafe HTML constructed from library input
CWE‑74 JavaScript js/unsafe-jquery-plugin Unsafe jQuery plugin
CWE‑74 JavaScript js/xss Client-side cross-site scripting
CWE‑74 JavaScript js/xss-through-dom DOM text reinterpreted as HTML
CWE‑74 JavaScript js/sql-injection Database query built from user-controlled sources
CWE‑74 JavaScript js/code-injection Code injection
CWE‑74 JavaScript js/bad-code-sanitization Improper code sanitization
CWE‑74 JavaScript js/unsafe-dynamic-method-access Unsafe dynamic method access
CWE‑74 JavaScript js/incomplete-html-attribute-sanitization Incomplete HTML attribute sanitization
CWE‑74 JavaScript js/unsafe-html-expansion Unsafe expansion of self-closing HTML tag
CWE‑74 JavaScript js/tainted-format-string Use of externally-controlled format string
CWE‑74 JavaScript js/client-side-unvalidated-url-redirection Client-side URL redirect
CWE‑74 JavaScript js/xpath-injection XPath injection
CWE‑74 JavaScript js/prototype-polluting-assignment Prototype-polluting assignment
CWE‑74 JavaScript js/prototype-pollution-utility Prototype-polluting function
CWE‑74 JavaScript js/prototype-pollution Prototype-polluting merge call
CWE‑74 JavaScript javascript/ldap-injection LDAP query built from user-controlled sources
CWE‑74 JavaScript js/actions/injection Expression injection in Actions
CWE‑74 JavaScript js/actions/pull-request-target Checkout of untrusted code in trusted context
CWE‑74 Go go/path-injection Uncontrolled data used in path expression
CWE‑74 Go go/command-injection Command built from user-controlled sources
CWE‑74 Go go/stored-command Command built from stored data
CWE‑74 Go go/reflected-xss Reflected cross-site scripting
CWE‑74 Go go/stored-xss Stored cross-site scripting
CWE‑74 Go go/sql-injection Database query built from user-controlled sources
CWE‑74 Go go/unsafe-quoting Potentially unsafe quoting
CWE‑74 Go go/xml/xpath-injection XPath injection
CWE‑74 Go go/html-template-escaping-passthrough HTML template escaping passthrough
CWE‑77 Java java/relative-path-command Executing a command with a relative path
CWE‑77 Java java/command-line-injection Uncontrolled command line
CWE‑77 Java java/command-line-injection-local Local-user-controlled command line
CWE‑77 Java java/concatenated-command-line Building a command line with string concatenation
CWE‑77 Java java/command-line-injection Uncontrolled command line
CWE‑77 Java java/ognl-injection OGNL Expression Language statement with user-controlled input
CWE‑77 C++ cpp/command-line-injection Uncontrolled data used in OS command
CWE‑77 C# cs/command-line-injection Uncontrolled command line
CWE‑77 C# cs/stored-command-line-injection Uncontrolled command line from stored user input
CWE‑77 Python py/command-line-injection Uncontrolled command line
CWE‑77 JavaScript js/command-line-injection Uncontrolled command line
CWE‑77 JavaScript js/indirect-command-line-injection Indirect uncontrolled command line
CWE‑77 JavaScript js/shell-command-injection-from-environment Shell command built from environment values
CWE‑77 JavaScript js/shell-command-constructed-from-input Unsafe shell command constructed from library input
CWE‑77 JavaScript js/prototype-polluting-assignment Prototype-polluting assignment
CWE‑77 JavaScript js/prototype-pollution-utility Prototype-polluting function
CWE‑77 JavaScript js/prototype-pollution Prototype-polluting merge call
CWE‑77 Go go/command-injection Command built from user-controlled sources
CWE‑77 Go go/stored-command Command built from stored data
CWE‑77 Go go/unsafe-quoting Potentially unsafe quoting
CWE‑78 Java java/relative-path-command Executing a command with a relative path
CWE‑78 Java java/command-line-injection Uncontrolled command line
CWE‑78 Java java/command-line-injection-local Local-user-controlled command line
CWE‑78 Java java/concatenated-command-line Building a command line with string concatenation
CWE‑78 Java java/command-line-injection Uncontrolled command line
CWE‑78 C++ cpp/command-line-injection Uncontrolled data used in OS command
CWE‑78 C# cs/command-line-injection Uncontrolled command line
CWE‑78 C# cs/stored-command-line-injection Uncontrolled command line from stored user input
CWE‑78 Python py/command-line-injection Uncontrolled command line
CWE‑78 JavaScript js/command-line-injection Uncontrolled command line
CWE‑78 JavaScript js/indirect-command-line-injection Indirect uncontrolled command line
CWE‑78 JavaScript js/shell-command-injection-from-environment Shell command built from environment values
CWE‑78 JavaScript js/shell-command-constructed-from-input Unsafe shell command constructed from library input
CWE‑78 JavaScript js/prototype-polluting-assignment Prototype-polluting assignment
CWE‑78 JavaScript js/prototype-pollution-utility Prototype-polluting function
CWE‑78 JavaScript js/prototype-pollution Prototype-polluting merge call
CWE‑78 Go go/command-injection Command built from user-controlled sources
CWE‑78 Go go/stored-command Command built from stored data
CWE‑78 Go go/unsafe-quoting Potentially unsafe quoting
CWE‑79 Java java/xss Cross-site scripting
CWE‑79 Java java/xss-local Cross-site scripting from local source
CWE‑79 Java java/android/unsafe-android-webview-fetch Unsafe resource fetching in Android webview
CWE‑79 C++ cpp/cgi-xss CGI script vulnerable to cross-site scripting
CWE‑79 C# cs/web/stored-xss Stored cross-site scripting
CWE‑79 C# cs/web/xss Cross-site scripting
CWE‑79 Python py/jinja2/autoescape-false Jinja2 templating with autoescape=False
CWE‑79 Python py/reflective-xss Reflected server-side cross-site scripting
CWE‑79 JavaScript js/xss-through-exception Exception text reinterpreted as HTML
CWE‑79 JavaScript js/reflected-xss Reflected cross-site scripting
CWE‑79 JavaScript js/stored-xss Stored cross-site scripting
CWE‑79 JavaScript js/html-constructed-from-input Unsafe HTML constructed from library input
CWE‑79 JavaScript js/unsafe-jquery-plugin Unsafe jQuery plugin
CWE‑79 JavaScript js/xss Client-side cross-site scripting
CWE‑79 JavaScript js/xss-through-dom DOM text reinterpreted as HTML
CWE‑79 JavaScript js/code-injection Code injection
CWE‑79 JavaScript js/bad-code-sanitization Improper code sanitization
CWE‑79 JavaScript js/incomplete-html-attribute-sanitization Incomplete HTML attribute sanitization
CWE‑79 JavaScript js/unsafe-html-expansion Unsafe expansion of self-closing HTML tag
CWE‑79 JavaScript js/client-side-unvalidated-url-redirection Client-side URL redirect
CWE‑79 JavaScript js/prototype-polluting-assignment Prototype-polluting assignment
CWE‑79 JavaScript js/prototype-pollution-utility Prototype-polluting function
CWE‑79 JavaScript js/prototype-pollution Prototype-polluting merge call
CWE‑79 Go go/reflected-xss Reflected cross-site scripting
CWE‑79 Go go/stored-xss Stored cross-site scripting
CWE‑79 Go go/html-template-escaping-passthrough HTML template escaping passthrough
CWE‑88 Java java/relative-path-command Executing a command with a relative path
CWE‑88 Java java/command-line-injection Uncontrolled command line
CWE‑88 Java java/command-line-injection-local Local-user-controlled command line
CWE‑88 Java java/concatenated-command-line Building a command line with string concatenation
CWE‑88 Java java/command-line-injection Uncontrolled command line
CWE‑88 C++ cpp/command-line-injection Uncontrolled data used in OS command
CWE‑88 C# cs/command-line-injection Uncontrolled command line
CWE‑88 C# cs/stored-command-line-injection Uncontrolled command line from stored user input
CWE‑88 Python py/command-line-injection Uncontrolled command line
CWE‑88 JavaScript js/command-line-injection Uncontrolled command line
CWE‑88 JavaScript js/indirect-command-line-injection Indirect uncontrolled command line
CWE‑88 JavaScript js/shell-command-injection-from-environment Shell command built from environment values
CWE‑88 JavaScript js/shell-command-constructed-from-input Unsafe shell command constructed from library input
CWE‑89 Java java/sql-injection Query built from user-controlled sources
CWE‑89 Java java/sql-injection-local Query built from local-user-controlled sources
CWE‑89 Java java/concatenated-sql-query Query built without neutralizing special characters
CWE‑89 C++ cpp/sql-injection Uncontrolled data in SQL query
CWE‑89 C# cs/second-order-sql-injection SQL query built from stored user-controlled sources
CWE‑89 C# cs/sql-injection SQL query built from user-controlled sources
CWE‑89 Python py/sql-injection SQL query built from user-controlled sources
CWE‑89 JavaScript js/sql-injection Database query built from user-controlled sources
CWE‑89 Go go/sql-injection Database query built from user-controlled sources
CWE‑89 Go go/unsafe-quoting Potentially unsafe quoting
CWE‑90 Java java/ldap-injection LDAP query built from user-controlled sources
CWE‑90 C# cs/ldap-injection LDAP query built from user-controlled sources
CWE‑90 C# cs/stored-ldap-injection LDAP query built from stored user-controlled sources
CWE‑90 JavaScript javascript/ldap-injection LDAP query built from user-controlled sources
CWE‑91 Java java/xml/xpath-injection XPath injection
CWE‑91 Java java/xquery-injection XQuery query built from user-controlled sources
CWE‑91 C# cs/xml-injection XML injection
CWE‑91 C# cs/xml/stored-xpath-injection Stored XPath injection
CWE‑91 C# cs/xml/xpath-injection XPath injection
CWE‑91 Python py/xslt-injection XSLT query built from user-controlled sources
CWE‑91 Python py/xpath-injection XPath query built from user-controlled sources
CWE‑91 JavaScript js/xpath-injection XPath injection
CWE‑91 Go go/xml/xpath-injection XPath injection
CWE‑93 Java java/netty-http-response-splitting Disabled Netty HTTP header validation
CWE‑93 Java java/http-response-splitting HTTP response splitting
CWE‑93 Java java/http-response-splitting-local HTTP response splitting from local source
CWE‑93 C# cs/web/disabled-header-checking Header checking disabled
CWE‑94 Java java/insecure-bean-validation Insecure Bean Validation
CWE‑94 Java java/groovy-injection Groovy Language injection
CWE‑94 Java java/android-insecure-dex-loading Insecure loading of an Android Dex File
CWE‑94 Java java/javaee-expression-injection Jakarta Expression Language injection
CWE‑94 Java java/jexl-expression-injection Expression language injection (JEXL)
CWE‑94 Java java/mvel-expression-injection Expression language injection (MVEL)
CWE‑94 Java java/unsafe-eval ScriptEngine evaluation
CWE‑94 Java java/spel-expression-injection Expression language injection (Spring)
CWE‑94 Java java/spring-view-manipulation-implicit Spring Implicit View Manipulation
CWE‑94 Java java/spring-view-manipulation Spring View Manipulation
CWE‑94 C# cs/code-injection Improper control of generation of code
CWE‑94 Python py/code-injection Code injection
CWE‑94 JavaScript js/enabling-electron-renderer-node-integration Enabling Node.js integration for Electron web content renderers
CWE‑94 JavaScript js/template-object-injection Template Object Injection
CWE‑94 JavaScript js/code-injection Code injection
CWE‑94 JavaScript js/bad-code-sanitization Improper code sanitization
CWE‑94 JavaScript js/unsafe-dynamic-method-access Unsafe dynamic method access
CWE‑94 JavaScript js/prototype-polluting-assignment Prototype-polluting assignment
CWE‑94 JavaScript js/prototype-pollution-utility Prototype-polluting function
CWE‑94 JavaScript js/prototype-pollution Prototype-polluting merge call
CWE‑94 JavaScript js/actions/injection Expression injection in Actions
CWE‑94 JavaScript js/actions/pull-request-target Checkout of untrusted code in trusted context
CWE‑94 Go go/unsafe-quoting Potentially unsafe quoting
CWE‑95 C# cs/code-injection Improper control of generation of code
CWE‑95 Python py/code-injection Code injection
CWE‑96 C# cs/code-injection Improper control of generation of code
CWE‑99 C# cs/path-injection Uncontrolled data used in path expression
CWE‑99 C# cs/resource-injection Resource injection
CWE‑99 C# cs/webclient-path-injection Uncontrolled data used in a WebClient
CWE‑99 Python py/path-injection Uncontrolled data used in path expression
CWE‑99 JavaScript js/path-injection Uncontrolled data used in path expression
CWE‑99 Go go/path-injection Uncontrolled data used in path expression
CWE‑112 C# cs/xml/missing-validation Missing XML validation
CWE‑113 Java java/netty-http-response-splitting Disabled Netty HTTP header validation
CWE‑113 Java java/http-response-splitting HTTP response splitting
CWE‑113 Java java/http-response-splitting-local HTTP response splitting from local source
CWE‑113 C# cs/web/disabled-header-checking Header checking disabled
CWE‑114 C++ cpp/uncontrolled-process-operation Uncontrolled process operation
CWE‑114 C# cs/assembly-path-injection Assembly path injection
CWE‑116 Java java/log-injection Log Injection
CWE‑116 C# cs/web/stored-xss Stored cross-site scripting
CWE‑116 C# cs/web/xss Cross-site scripting
CWE‑116 C# cs/log-forging Log entries created from user input
CWE‑116 C# cs/inappropriate-encoding Inappropriate encoding
CWE‑116 Python py/reflective-xss Reflected server-side cross-site scripting
CWE‑116 Python py/code-injection Code injection
CWE‑116 JavaScript js/identity-replacement Replacement of a substring with itself
CWE‑116 JavaScript js/xss-through-exception Exception text reinterpreted as HTML
CWE‑116 JavaScript js/reflected-xss Reflected cross-site scripting
CWE‑116 JavaScript js/stored-xss Stored cross-site scripting
CWE‑116 JavaScript js/html-constructed-from-input Unsafe HTML constructed from library input
CWE‑116 JavaScript js/unsafe-jquery-plugin Unsafe jQuery plugin
CWE‑116 JavaScript js/xss Client-side cross-site scripting
CWE‑116 JavaScript js/xss-through-dom DOM text reinterpreted as HTML
CWE‑116 JavaScript js/code-injection Code injection
CWE‑116 JavaScript js/bad-code-sanitization Improper code sanitization
CWE‑116 JavaScript js/double-escaping Double escaping or unescaping
CWE‑116 JavaScript js/incomplete-html-attribute-sanitization Incomplete HTML attribute sanitization
CWE‑116 JavaScript js/incomplete-multi-character-sanitization Incomplete multi-character sanitization
CWE‑116 JavaScript js/incomplete-sanitization Incomplete string escaping or encoding
CWE‑116 JavaScript js/unsafe-html-expansion Unsafe expansion of self-closing HTML tag
CWE‑116 JavaScript js/log-injection Log injection
CWE‑116 JavaScript js/client-side-unvalidated-url-redirection Client-side URL redirect
CWE‑116 Go go/reflected-xss Reflected cross-site scripting
CWE‑116 Go go/stored-xss Stored cross-site scripting
CWE‑117 Java java/log-injection Log Injection
CWE‑117 C# cs/log-forging Log entries created from user input
CWE‑117 JavaScript js/log-injection Log injection
CWE‑118 C++ cpp/offset-use-before-range-check Array offset used before range check
CWE‑118 C++ cpp/late-negative-test Pointer offset used before it is checked
CWE‑118 C++ cpp/missing-negativity-test Unchecked return value used as offset
CWE‑118 C++ cpp/overflow-calculated Buffer not sufficient for string
CWE‑118 C++ cpp/overflow-destination Copy function using source size
CWE‑118 C++ cpp/static-buffer-overflow Static array access may cause overflow
CWE‑118 C++ cpp/allocation-too-small Not enough memory allocated for pointer type
CWE‑118 C++ cpp/suspicious-allocation-size Not enough memory allocated for array of pointer type
CWE‑118 C++ cpp/use-after-free Potential use after free
CWE‑118 C++ cpp/upcast-array-pointer-arithmetic Upcast array used in pointer arithmetic
CWE‑118 C++ cpp/return-stack-allocated-memory Returning stack-allocated memory
CWE‑118 C++ cpp/bad-strncpy-size Possibly wrong buffer size in string copy
CWE‑118 C++ cpp/unsafe-strncat Potentially unsafe call to strncat
CWE‑118 C++ cpp/unsafe-strcat Potentially unsafe use of strcat
CWE‑118 C++ cpp/overflow-buffer Call to memory access function may overflow buffer
CWE‑118 C++ cpp/badly-bounded-write Badly bounded write
CWE‑118 C++ cpp/overrunning-write Potentially overrunning write
CWE‑118 C++ cpp/overrunning-write-with-float Potentially overrunning write with float to string conversion
CWE‑118 C++ cpp/unbounded-write Unbounded write
CWE‑118 C++ cpp/unterminated-variadic-call Unterminated variadic call
CWE‑118 C++ cpp/no-space-for-terminator No space for zero terminator
CWE‑118 C++ cpp/openssl-heartbleed Use of a version of OpenSSL with Heartbleed
CWE‑118 C++ cpp/memory-unsafe-function-scan Scanf function without a specified length
CWE‑118 C++ cpp/access-memory-location-after-end-buffer-strlen Access Of Memory Location After End Of Buffer
CWE‑118 C++ cpp/access-memory-location-after-end-buffer-strncat Access Of Memory Location After The End Of A Buffer Using Strncat
CWE‑118 C# cs/unvalidated-local-pointer-arithmetic Unvalidated local pointer arithmetic
CWE‑118 Go go/wrong-usage-of-unsafe Wrong usage of package unsafe
CWE‑119 C++ cpp/offset-use-before-range-check Array offset used before range check
CWE‑119 C++ cpp/late-negative-test Pointer offset used before it is checked
CWE‑119 C++ cpp/missing-negativity-test Unchecked return value used as offset
CWE‑119 C++ cpp/overflow-calculated Buffer not sufficient for string
CWE‑119 C++ cpp/overflow-destination Copy function using source size
CWE‑119 C++ cpp/static-buffer-overflow Static array access may cause overflow
CWE‑119 C++ cpp/allocation-too-small Not enough memory allocated for pointer type
CWE‑119 C++ cpp/suspicious-allocation-size Not enough memory allocated for array of pointer type
CWE‑119 C++ cpp/use-after-free Potential use after free
CWE‑119 C++ cpp/upcast-array-pointer-arithmetic Upcast array used in pointer arithmetic
CWE‑119 C++ cpp/return-stack-allocated-memory Returning stack-allocated memory
CWE‑119 C++ cpp/bad-strncpy-size Possibly wrong buffer size in string copy
CWE‑119 C++ cpp/unsafe-strncat Potentially unsafe call to strncat
CWE‑119 C++ cpp/unsafe-strcat Potentially unsafe use of strcat
CWE‑119 C++ cpp/overflow-buffer Call to memory access function may overflow buffer
CWE‑119 C++ cpp/badly-bounded-write Badly bounded write
CWE‑119 C++ cpp/overrunning-write Potentially overrunning write
CWE‑119 C++ cpp/overrunning-write-with-float Potentially overrunning write with float to string conversion
CWE‑119 C++ cpp/unbounded-write Unbounded write
CWE‑119 C++ cpp/unterminated-variadic-call Unterminated variadic call
CWE‑119 C++ cpp/no-space-for-terminator No space for zero terminator
CWE‑119 C++ cpp/openssl-heartbleed Use of a version of OpenSSL with Heartbleed
CWE‑119 C++ cpp/memory-unsafe-function-scan Scanf function without a specified length
CWE‑119 C++ cpp/access-memory-location-after-end-buffer-strlen Access Of Memory Location After End Of Buffer
CWE‑119 C++ cpp/access-memory-location-after-end-buffer-strncat Access Of Memory Location After The End Of A Buffer Using Strncat
CWE‑119 C# cs/unvalidated-local-pointer-arithmetic Unvalidated local pointer arithmetic
CWE‑119 Go go/wrong-usage-of-unsafe Wrong usage of package unsafe
CWE‑120 C++ cpp/offset-use-before-range-check Array offset used before range check
CWE‑120 C++ cpp/overflow-calculated Buffer not sufficient for string
CWE‑120 C++ cpp/unsafe-strcat Potentially unsafe use of strcat
CWE‑120 C++ cpp/badly-bounded-write Badly bounded write
CWE‑120 C++ cpp/overrunning-write Potentially overrunning write
CWE‑120 C++ cpp/overrunning-write-with-float Potentially overrunning write with float to string conversion
CWE‑120 C++ cpp/unbounded-write Unbounded write
CWE‑120 C++ cpp/no-space-for-terminator No space for zero terminator
CWE‑120 C++ cpp/memory-unsafe-function-scan Scanf function without a specified length
CWE‑120 C# cs/unvalidated-local-pointer-arithmetic Unvalidated local pointer arithmetic
CWE‑121 C++ cpp/overflow-buffer Call to memory access function may overflow buffer
CWE‑121 C++ cpp/unterminated-variadic-call Unterminated variadic call
CWE‑122 C++ cpp/allocation-too-small Not enough memory allocated for pointer type
CWE‑122 C++ cpp/suspicious-allocation-size Not enough memory allocated for array of pointer type
CWE‑122 C++ cpp/overflow-buffer Call to memory access function may overflow buffer
CWE‑122 C++ cpp/no-space-for-terminator No space for zero terminator
CWE‑122 C# cs/unvalidated-local-pointer-arithmetic Unvalidated local pointer arithmetic
CWE‑125 C++ cpp/offset-use-before-range-check Array offset used before range check
CWE‑125 C++ cpp/overflow-buffer Call to memory access function may overflow buffer
CWE‑125 Go go/wrong-usage-of-unsafe Wrong usage of package unsafe
CWE‑126 C++ cpp/overflow-buffer Call to memory access function may overflow buffer
CWE‑126 Go go/wrong-usage-of-unsafe Wrong usage of package unsafe
CWE‑128 C++ cpp/signed-overflow-check Signed overflow check
CWE‑128 C++ cpp/multiplication-overflow-in-alloc Multiplication result may overflow and be used in allocation
CWE‑129 Java java/improper-validation-of-array-construction Improper validation of user-provided size used for array construction
CWE‑129 Java java/improper-validation-of-array-construction-code-specified Improper validation of code-specified size used for array construction
CWE‑129 Java java/improper-validation-of-array-construction-local Improper validation of local user-provided size used for array construction
CWE‑129 Java java/improper-validation-of-array-index Improper validation of user-provided array index
CWE‑129 Java java/improper-validation-of-array-index-code-specified Improper validation of code-specified array index
CWE‑129 Java java/improper-validation-of-array-index-local Improper validation of local user-provided array index
CWE‑129 C++ cpp/unclear-array-index-validation Unclear validation of array index
CWE‑131 C++ cpp/overflow-calculated Buffer not sufficient for string
CWE‑131 C++ cpp/overflow-destination Copy function using source size
CWE‑131 C++ cpp/static-buffer-overflow Static array access may cause overflow
CWE‑131 C++ cpp/allocation-too-small Not enough memory allocated for pointer type
CWE‑131 C++ cpp/suspicious-allocation-size Not enough memory allocated for array of pointer type
CWE‑131 C++ cpp/no-space-for-terminator No space for zero terminator
CWE‑134 Java java/tainted-format-string Use of externally-controlled format string
CWE‑134 Java java/tainted-format-string-local Use of externally-controlled format string from local source
CWE‑134 C++ cpp/non-constant-format Non-constant format string
CWE‑134 C++ cpp/tainted-format-string Uncontrolled format string
CWE‑134 C++ cpp/tainted-format-string-through-global Uncontrolled format string (through global variable)
CWE‑134 C# cs/uncontrolled-format-string Uncontrolled format string
CWE‑134 JavaScript js/tainted-format-string Use of externally-controlled format string
CWE‑170 C++ cpp/improper-null-termination Potential improper null termination
CWE‑170 C++ cpp/user-controlled-null-termination-tainted User-controlled data may not be null terminated
CWE‑183 JavaScript js/angular/insecure-url-whitelist Insecure URL whitelist
CWE‑185 JavaScript js/angular/insecure-url-whitelist Insecure URL whitelist
CWE‑190 Java java/implicit-cast-in-compound-assignment Implicit narrowing conversion in compound assignment
CWE‑190 Java java/integer-multiplication-cast-to-long Result of multiplication cast to wider type
CWE‑190 Java java/tainted-arithmetic User-controlled data in arithmetic expression
CWE‑190 Java java/tainted-arithmetic-local Local-user-controlled data in arithmetic expression
CWE‑190 Java java/uncontrolled-arithmetic Uncontrolled data in arithmetic expression
CWE‑190 Java java/extreme-value-arithmetic Use of extreme values in arithmetic expression
CWE‑190 Java java/comparison-with-wider-type Comparison of narrow type with wide type in loop condition
CWE‑190 C++ cpp/ambiguously-signed-bit-field Ambiguously signed bit-field member
CWE‑190 C++ cpp/bad-addition-overflow-check Bad check for overflow of integer addition
CWE‑190 C++ cpp/integer-multiplication-cast-to-long Multiplication result converted to larger type
CWE‑190 C++ cpp/signed-overflow-check Signed overflow check
CWE‑190 C++ cpp/overflowing-snprintf Potentially overflowing call to snprintf
CWE‑190 C++ cpp/tainted-arithmetic User-controlled data in arithmetic expression
CWE‑190 C++ cpp/uncontrolled-arithmetic Uncontrolled data in arithmetic expression
CWE‑190 C++ cpp/arithmetic-with-extreme-values Use of extreme values in arithmetic expression
CWE‑190 C++ cpp/comparison-with-wider-type Comparison of narrow type with wide type in loop condition
CWE‑190 C++ cpp/integer-overflow-tainted Potential integer arithmetic overflow
CWE‑190 C++ cpp/uncontrolled-allocation-size Overflow in uncontrolled allocation size
CWE‑190 C++ cpp/multiplication-overflow-in-alloc Multiplication result may overflow and be used in allocation
CWE‑190 C++ cpp/signed-bit-field Possible signed bit-field member
CWE‑190 C# cs/loss-of-precision Possible loss of precision
CWE‑190 Go go/allocation-size-overflow Size computation for allocation may overflow
CWE‑190 Go go/incorrect-integer-conversion Incorrect conversion between integer types
CWE‑191 Java java/tainted-arithmetic User-controlled data in arithmetic expression
CWE‑191 Java java/tainted-arithmetic-local Local-user-controlled data in arithmetic expression
CWE‑191 Java java/uncontrolled-arithmetic Uncontrolled data in arithmetic expression
CWE‑191 Java java/extreme-value-arithmetic Use of extreme values in arithmetic expression
CWE‑191 C++ cpp/tainted-arithmetic User-controlled data in arithmetic expression
CWE‑191 C++ cpp/uncontrolled-arithmetic Uncontrolled data in arithmetic expression
CWE‑191 C++ cpp/arithmetic-with-extreme-values Use of extreme values in arithmetic expression
CWE‑191 C++ cpp/unsigned-difference-expression-compared-zero Unsigned difference expression compared to zero
CWE‑193 Java java/index-out-of-bounds Array index out of bounds
CWE‑193 C# cs/index-out-of-bounds Off-by-one comparison against container length
CWE‑193 JavaScript js/index-out-of-bounds Off-by-one comparison against length
CWE‑193 Go go/index-out-of-bounds Off-by-one comparison against length
CWE‑197 Java java/implicit-cast-in-compound-assignment Implicit narrowing conversion in compound assignment
CWE‑197 Java java/integer-multiplication-cast-to-long Result of multiplication cast to wider type
CWE‑197 Java java/comparison-with-wider-type Comparison of narrow type with wide type in loop condition
CWE‑197 Java java/tainted-numeric-cast User-controlled data in numeric cast
CWE‑197 Java java/tainted-numeric-cast-local Local-user-controlled data in numeric cast
CWE‑197 C++ cpp/integer-multiplication-cast-to-long Multiplication result converted to larger type
CWE‑197 C++ cpp/comparison-with-wider-type Comparison of narrow type with wide type in loop condition
CWE‑197 C++ cpp/integer-overflow-tainted Potential integer arithmetic overflow
CWE‑197 C# cs/loss-of-precision Possible loss of precision
CWE‑197 JavaScript js/shift-out-of-range Shift out of range
CWE‑197 Go go/shift-out-of-range Shift out of range
CWE‑200 Java java/stack-trace-exposure Information exposure through a stack trace
CWE‑200 C++ cpp/system-data-exposure Exposure of system data to an unauthorized control sphere
CWE‑200 C++ cpp/private-cleartext-write Exposure of private information
CWE‑200 C# cs/web/persistent-cookie Cookie security: persistent cookie
CWE‑200 C# cs/web/debug-binary Creating an ASP.NET debug binary may reveal sensitive information
CWE‑200 C# cs/sensitive-data-transmission Information exposure through transmitted data
CWE‑200 C# cs/information-exposure-through-exception Information exposure through an exception
CWE‑200 C# cs/cleartext-storage-of-sensitive-information Clear text storage of sensitive information
CWE‑200 C# cs/exposure-of-sensitive-information Exposure of private information
CWE‑200 C# cs/web/directory-browse-enabled ASP.NET config file enables directory browsing
CWE‑200 Python py/stack-trace-exposure Information exposure through an exception
CWE‑200 Python py/flask-debug Flask app is run in debug mode
CWE‑200 Python py/clear-text-logging-sensitive-data Clear-text logging of sensitive information
CWE‑200 Python py/clear-text-storage-sensitive-data Clear-text storage of sensitive information
CWE‑200 JavaScript js/unsafe-external-link Potentially unsafe external link
CWE‑200 JavaScript js/file-access-to-http File data in outbound network request
CWE‑200 JavaScript js/exposure-of-private-files Exposure of private files
CWE‑200 JavaScript js/cross-window-information-leak Cross-window communication with unrestricted target origin
CWE‑200 JavaScript js/stack-trace-exposure Information exposure through a stack trace
CWE‑200 JavaScript js/build-artifact-leak Storage of sensitive information in build artifact
CWE‑200 JavaScript js/clear-text-logging Clear-text logging of sensitive information
CWE‑200 JavaScript js/clear-text-storage-of-sensitive-data Clear text storage of sensitive information
CWE‑200 Go go/stack-trace-exposure Information exposure through a stack trace
CWE‑200 Go go/clear-text-logging Clear-text logging of sensitive information
CWE‑201 C# cs/sensitive-data-transmission Information exposure through transmitted data
CWE‑201 JavaScript js/cross-window-information-leak Cross-window communication with unrestricted target origin
CWE‑209 Java java/stack-trace-exposure Information exposure through a stack trace
CWE‑209 C# cs/information-exposure-through-exception Information exposure through an exception
CWE‑209 Python py/stack-trace-exposure Information exposure through an exception
CWE‑209 JavaScript js/stack-trace-exposure Information exposure through a stack trace
CWE‑209 Go go/stack-trace-exposure Information exposure through a stack trace
CWE‑215 C# cs/web/debug-binary Creating an ASP.NET debug binary may reveal sensitive information
CWE‑215 Python py/flask-debug Flask app is run in debug mode
CWE‑221 Java java/overly-general-catch Overly-general catch clause
CWE‑221 C# cs/catch-of-all-exceptions Generic catch clause
CWE‑221 C# cs/web/missing-x-frame-options Missing X-Frame-Options HTTP header
CWE‑221 Python py/catch-base-exception Except block handles 'BaseException'
CWE‑221 JavaScript js/missing-x-frame-options Missing X-Frame-Options HTTP header
CWE‑227 Java java/ejb/container-interference EJB interferes with container operation
CWE‑227 Java java/ejb/file-io EJB uses file input/output
CWE‑227 Java java/ejb/graphics EJB uses graphics
CWE‑227 Java java/ejb/native-code EJB uses native code
CWE‑227 Java java/ejb/reflection EJB uses reflection
CWE‑227 Java java/ejb/security-configuration-access EJB accesses security configuration
CWE‑227 Java java/ejb/substitution-in-serialization EJB uses substitution in serialization
CWE‑227 Java java/ejb/socket-or-stream-handler-factory EJB sets socket factory or URL stream handler factory
CWE‑227 Java java/ejb/server-socket EJB uses server socket
CWE‑227 Java java/ejb/non-final-static-field EJB uses non-final static field
CWE‑227 Java java/ejb/synchronization EJB uses synchronization
CWE‑227 Java java/ejb/this EJB uses 'this' as argument or result
CWE‑227 Java java/ejb/threads EJB uses threads
CWE‑227 Java java/missing-call-to-super-clone Missing super clone
CWE‑227 Java java/inconsistent-equals-and-hashcode Inconsistent equals and hashCode
CWE‑227 Java java/unreleased-lock Unreleased lock
CWE‑227 Java java/missing-super-finalize Finalizer inconsistency
CWE‑227 Java java/missing-format-argument Missing format argument
CWE‑227 Java java/unused-format-argument Unused format argument
CWE‑227 Java java/empty-finalizer Empty body of finalizer
CWE‑227 C++ cpp/overflowing-snprintf Potentially overflowing call to snprintf
CWE‑227 C++ cpp/wrong-number-format-arguments Too few arguments to formatting function
CWE‑227 C++ cpp/wrong-type-format-argument Wrong type of arguments to formatting function
CWE‑227 C++ cpp/too-few-arguments Call to function with fewer arguments than declared parameters
CWE‑227 C++ cpp/ignore-return-value-sal SAL requires inspecting return value
CWE‑227 C++ cpp/hresult-boolean-conversion Cast between HRESULT and a Boolean type
CWE‑227 C++ cpp/lock-order-cycle Cyclic lock order dependency
CWE‑227 C++ cpp/twice-locked Mutex locked twice
CWE‑227 C++ cpp/unreleased-lock Lock may not be released
CWE‑227 C# cs/inconsistent-equals-and-gethashcode Inconsistent Equals(object) and GetHashCode()
CWE‑227 C# cs/invalid-dynamic-call Bad dynamic call
CWE‑227 C# cs/web/missing-x-frame-options Missing X-Frame-Options HTTP header
CWE‑227 Python py/equals-hash-mismatch Inconsistent equality and hashing
CWE‑227 Python py/call/wrong-named-class-argument Wrong name for an argument in a class instantiation
CWE‑227 Python py/call/wrong-number-class-arguments Wrong number of arguments in a class instantiation
CWE‑227 Python py/super-not-enclosing-class First argument to super() is not enclosing class
CWE‑227 Python py/call/wrong-named-argument Wrong name for an argument in a call
CWE‑227 Python py/percent-format/wrong-arguments Wrong number of arguments for format
CWE‑227 Python py/call/wrong-arguments Wrong number of arguments in a call
CWE‑227 JavaScript js/superfluous-trailing-arguments Superfluous trailing arguments
CWE‑227 JavaScript js/missing-x-frame-options Missing X-Frame-Options HTTP header
CWE‑228 C++ cpp/wrong-number-format-arguments Too few arguments to formatting function
CWE‑228 C++ cpp/too-few-arguments Call to function with fewer arguments than declared parameters
CWE‑233 C++ cpp/wrong-number-format-arguments Too few arguments to formatting function
CWE‑233 C++ cpp/too-few-arguments Call to function with fewer arguments than declared parameters
CWE‑234 C++ cpp/wrong-number-format-arguments Too few arguments to formatting function
CWE‑234 C++ cpp/too-few-arguments Call to function with fewer arguments than declared parameters
CWE‑242 C++ cpp/dangerous-function-overflow Use of dangerous function
CWE‑247 C# cs/user-controlled-bypass User-controlled bypass of sensitive method
CWE‑247 Go go/sensitive-condition-bypass User-controlled bypassing of sensitive action
CWE‑248 Java java/uncaught-number-format-exception Missing catch of NumberFormatException
CWE‑248 C# cs/web/missing-global-error-handler Missing global error handler
CWE‑250 JavaScript js/remote-property-injection Remote property injection
CWE‑252 Java java/inconsistent-call-on-result Inconsistent operation on return value
CWE‑252 Java java/return-value-ignored Method result ignored
CWE‑252 C++ cpp/return-value-ignored Return value of a function is ignored
CWE‑252 C++ cpp/inconsistent-call-on-result Inconsistent operation on return value
CWE‑252 C++ cpp/ignore-return-value-sal SAL requires inspecting return value
CWE‑252 C# cs/unchecked-return-value Unchecked return value
CWE‑252 Python py/ignored-return-value Ignored return value
CWE‑253 C++ cpp/overflowing-snprintf Potentially overflowing call to snprintf
CWE‑253 C++ cpp/hresult-boolean-conversion Cast between HRESULT and a Boolean type
CWE‑256 Java java/credentials-in-properties Cleartext Credentials in Properties File
CWE‑256 Java java/password-in-configuration Password in configuration file
CWE‑256 C# cs/password-in-configuration Password in configuration file
CWE‑256 JavaScript js/password-in-configuration-file Password in configuration file
CWE‑258 C# cs/empty-password-in-configuration Empty password in configuration file
CWE‑259 C# cs/hardcoded-connection-string-credentials Hard-coded connection string with credentials
CWE‑259 C# cs/hardcoded-credentials Hard-coded credentials
CWE‑259 Python py/hardcoded-credentials Hard-coded credentials
CWE‑259 JavaScript js/hardcoded-credentials Hard-coded credentials
CWE‑259 Go go/hardcoded-credentials Hard-coded credentials
CWE‑260 Java java/credentials-in-properties Cleartext Credentials in Properties File
CWE‑260 Java java/password-in-configuration Password in configuration file
CWE‑260 C# cs/empty-password-in-configuration Empty password in configuration file
CWE‑260 C# cs/password-in-configuration Password in configuration file
CWE‑260 JavaScript js/password-in-configuration-file Password in configuration file
CWE‑269 C++ cpp/drop-linux-privileges-outoforder LinuxPrivilegeDroppingOutoforder
CWE‑269 JavaScript js/remote-property-injection Remote property injection
CWE‑271 C++ cpp/drop-linux-privileges-outoforder LinuxPrivilegeDroppingOutoforder
CWE‑273 C++ cpp/drop-linux-privileges-outoforder LinuxPrivilegeDroppingOutoforder
CWE‑284 Java java/unsafe-hostname-verification Unsafe hostname verification
CWE‑284 Java java/socket-auth-race-condition Race condition in socket authentication
CWE‑284 Java java/world-writable-file-read Reading from a world writable file
CWE‑284 Java java/hardcoded-credential-api-call Hard-coded credential in API call
CWE‑284 Java java/hardcoded-credential-comparison Hard-coded credential comparison
CWE‑284 Java java/hardcoded-credential-sensitive-call Hard-coded credential in sensitive call
CWE‑284 Java java/hardcoded-password-field Hard-coded password field
CWE‑284 Java java/user-controlled-bypass User-controlled bypass of sensitive method
CWE‑284 Java java/tainted-permissions-check User-controlled data used in permissions check
CWE‑284 Java java/maven/non-https-url Failure to use HTTPS or SFTP URL in Maven artifact upload/download
CWE‑284 Java java/unvalidated-cors-origin-set CORS is derived from untrusted input
CWE‑284 Java java/credentials-in-properties Cleartext Credentials in Properties File
CWE‑284 Java java/password-in-configuration Password in configuration file
CWE‑284 C++ cpp/user-controlled-bypass Authentication bypass by spoofing
CWE‑284 C++ cpp/world-writable-file-creation File created without restricting permissions
CWE‑284 C++ cpp/unsafe-dacl-security-descriptor Setting a DACL to NULL in a SECURITY_DESCRIPTOR
CWE‑284 C++ cpp/drop-linux-privileges-outoforder LinuxPrivilegeDroppingOutoforder
CWE‑284 C# cs/empty-password-in-configuration Empty password in configuration file
CWE‑284 C# cs/password-in-configuration Password in configuration file
CWE‑284 C# cs/web/broad-cookie-domain Cookie security: overly broad domain
CWE‑284 C# cs/web/broad-cookie-path Cookie security: overly broad path
CWE‑284 C# cs/session-reuse Failure to abandon session
CWE‑284 C# cs/hardcoded-connection-string-credentials Hard-coded connection string with credentials
CWE‑284 C# cs/hardcoded-credentials Hard-coded credentials
CWE‑284 C# cs/user-controlled-bypass User-controlled bypass of sensitive method
CWE‑284 Python py/overly-permissive-file Overly permissive file permissions
CWE‑284 Python py/hardcoded-credentials Hard-coded credentials
CWE‑284 JavaScript js/password-in-configuration-file Password in configuration file
CWE‑284 JavaScript js/cors-misconfiguration-for-credentials CORS misconfiguration for credentials transfer
CWE‑284 JavaScript js/remote-property-injection Remote property injection
CWE‑284 JavaScript js/host-header-forgery-in-email-generation Host header poisoning in email generation
CWE‑284 JavaScript js/missing-rate-limiting Missing rate limiting
CWE‑284 JavaScript js/hardcoded-credentials Hard-coded credentials
CWE‑284 JavaScript js/user-controlled-bypass User-controlled bypass of security check
CWE‑284 JavaScript js/different-kinds-comparison-bypass Comparison of user-controlled data of different kinds
CWE‑284 Go go/email-injection Email content injection
CWE‑284 Go go/hardcoded-credentials Hard-coded credentials
CWE‑284 Go go/sensitive-condition-bypass User-controlled bypassing of sensitive action
CWE‑285 Java java/world-writable-file-read Reading from a world writable file
CWE‑285 C++ cpp/world-writable-file-creation File created without restricting permissions
CWE‑285 C++ cpp/unsafe-dacl-security-descriptor Setting a DACL to NULL in a SECURITY_DESCRIPTOR
CWE‑285 C# cs/empty-password-in-configuration Empty password in configuration file
CWE‑285 Python py/overly-permissive-file Overly permissive file permissions
CWE‑285 JavaScript js/cors-misconfiguration-for-credentials CORS misconfiguration for credentials transfer
CWE‑287 Java java/hardcoded-credential-api-call Hard-coded credential in API call
CWE‑287 Java java/hardcoded-credential-comparison Hard-coded credential comparison
CWE‑287 Java java/hardcoded-credential-sensitive-call Hard-coded credential in sensitive call
CWE‑287 Java java/hardcoded-password-field Hard-coded password field
CWE‑287 Java java/user-controlled-bypass User-controlled bypass of sensitive method
CWE‑287 Java java/tainted-permissions-check User-controlled data used in permissions check
CWE‑287 Java java/credentials-in-properties Cleartext Credentials in Properties File
CWE‑287 Java java/password-in-configuration Password in configuration file
CWE‑287 C++ cpp/user-controlled-bypass Authentication bypass by spoofing
CWE‑287 C# cs/empty-password-in-configuration Empty password in configuration file
CWE‑287 C# cs/password-in-configuration Password in configuration file
CWE‑287 C# cs/web/broad-cookie-domain Cookie security: overly broad domain
CWE‑287 C# cs/web/broad-cookie-path Cookie security: overly broad path
CWE‑287 C# cs/session-reuse Failure to abandon session
CWE‑287 C# cs/hardcoded-connection-string-credentials Hard-coded connection string with credentials
CWE‑287 C# cs/hardcoded-credentials Hard-coded credentials
CWE‑287 C# cs/user-controlled-bypass User-controlled bypass of sensitive method
CWE‑287 Python py/hardcoded-credentials Hard-coded credentials
CWE‑287 JavaScript js/password-in-configuration-file Password in configuration file
CWE‑287 JavaScript js/host-header-forgery-in-email-generation Host header poisoning in email generation
CWE‑287 JavaScript js/missing-rate-limiting Missing rate limiting
CWE‑287 JavaScript js/hardcoded-credentials Hard-coded credentials
CWE‑287 JavaScript js/user-controlled-bypass User-controlled bypass of security check
CWE‑287 JavaScript js/different-kinds-comparison-bypass Comparison of user-controlled data of different kinds
CWE‑287 Go go/email-injection Email content injection
CWE‑287 Go go/hardcoded-credentials Hard-coded credentials
CWE‑287 Go go/sensitive-condition-bypass User-controlled bypassing of sensitive action
CWE‑290 Java java/user-controlled-bypass User-controlled bypass of sensitive method
CWE‑290 Java java/tainted-permissions-check User-controlled data used in permissions check
CWE‑290 C++ cpp/user-controlled-bypass Authentication bypass by spoofing
CWE‑290 C# cs/user-controlled-bypass User-controlled bypass of sensitive method
CWE‑290 JavaScript js/user-controlled-bypass User-controlled bypass of security check
CWE‑290 JavaScript js/different-kinds-comparison-bypass Comparison of user-controlled data of different kinds
CWE‑290 Go go/sensitive-condition-bypass User-controlled bypassing of sensitive action
CWE‑295 Java java/unsafe-hostname-verification Unsafe hostname verification
CWE‑295 Java java/jxbrowser/disabled-certificate-validation JxBrowser with disabled certificate validation
CWE‑295 Java java/disabled-certificate-revocation-checking Disabled certificate revocation checking
CWE‑295 Python py/paramiko-missing-host-key-validation Accepting unknown SSH host keys when using Paramiko
CWE‑295 Python py/request-without-cert-validation Request without certificate validation
CWE‑295 Go go/disabled-certificate-check Disabled TLS certificate check
CWE‑297 Java java/unsafe-hostname-verification Unsafe hostname verification
CWE‑299 Java java/disabled-certificate-revocation-checking Disabled certificate revocation checking
CWE‑300 Java java/maven/non-https-url Failure to use HTTPS or SFTP URL in Maven artifact upload/download
CWE‑307 JavaScript js/missing-rate-limiting Missing rate limiting
CWE‑311 Java java/cleartext-storage-in-class Cleartext storage of sensitive information using storable class
CWE‑311 Java java/cleartext-storage-in-cookie Cleartext storage of sensitive information in cookie
CWE‑311 Java java/cleartext-storage-in-properties Cleartext storage of sensitive information using 'Properties' class
CWE‑311 Java java/non-https-url Failure to use HTTPS URLs
CWE‑311 Java java/non-ssl-connection Failure to use SSL
CWE‑311 Java java/non-ssl-socket-factory Failure to use SSL socket factories
CWE‑311 Java java/insecure-cookie Failure to use secure cookies
CWE‑311 Java java/maven/non-https-url Failure to use HTTPS or SFTP URL in Maven artifact upload/download
CWE‑311 Java java/android/cleartext-storage-shared-prefs Cleartext storage of sensitive information using SharedPreferences on Android
CWE‑311 C++ cpp/cleartext-storage-buffer Cleartext storage of sensitive information in buffer
CWE‑311 C++ cpp/cleartext-storage-file Cleartext storage of sensitive information in file
CWE‑311 C++ cpp/cleartext-storage-database Cleartext storage of sensitive information in an SQLite database
CWE‑311 C# cs/password-in-configuration Password in configuration file
CWE‑311 C# cs/cleartext-storage-of-sensitive-information Clear text storage of sensitive information
CWE‑311 C# cs/web/requiressl-not-set 'requireSSL' attribute is not set to true
CWE‑311 Python py/clear-text-logging-sensitive-data Clear-text logging of sensitive information
CWE‑311 Python py/clear-text-storage-sensitive-data Clear-text storage of sensitive information
CWE‑311 JavaScript js/build-artifact-leak Storage of sensitive information in build artifact
CWE‑311 JavaScript js/clear-text-logging Clear-text logging of sensitive information
CWE‑311 JavaScript js/clear-text-storage-of-sensitive-data Clear text storage of sensitive information
CWE‑311 JavaScript js/password-in-configuration-file Password in configuration file
CWE‑311 JavaScript js/insecure-cookie Failure to set secure cookies
CWE‑311 Go go/clear-text-logging Clear-text logging of sensitive information
CWE‑312 Java java/cleartext-storage-in-class Cleartext storage of sensitive information using storable class
CWE‑312 Java java/cleartext-storage-in-cookie Cleartext storage of sensitive information in cookie
CWE‑312 Java java/cleartext-storage-in-properties Cleartext storage of sensitive information using 'Properties' class
CWE‑312 Java java/android/cleartext-storage-shared-prefs Cleartext storage of sensitive information using SharedPreferences on Android
CWE‑312 C++ cpp/cleartext-storage-buffer Cleartext storage of sensitive information in buffer
CWE‑312 C++ cpp/cleartext-storage-file Cleartext storage of sensitive information in file
CWE‑312 C++ cpp/cleartext-storage-database Cleartext storage of sensitive information in an SQLite database
CWE‑312 C# cs/password-in-configuration Password in configuration file
CWE‑312 C# cs/cleartext-storage-of-sensitive-information Clear text storage of sensitive information
CWE‑312 Python py/clear-text-logging-sensitive-data Clear-text logging of sensitive information
CWE‑312 Python py/clear-text-storage-sensitive-data Clear-text storage of sensitive information
CWE‑312 JavaScript js/build-artifact-leak Storage of sensitive information in build artifact
CWE‑312 JavaScript js/clear-text-logging Clear-text logging of sensitive information
CWE‑312 JavaScript js/clear-text-storage-of-sensitive-data Clear text storage of sensitive information
CWE‑312 JavaScript js/password-in-configuration-file Password in configuration file
CWE‑312 Go go/clear-text-logging Clear-text logging of sensitive information
CWE‑313 Java java/cleartext-storage-in-properties Cleartext storage of sensitive information using 'Properties' class
CWE‑313 C++ cpp/cleartext-storage-file Cleartext storage of sensitive information in file
CWE‑313 C++ cpp/cleartext-storage-database Cleartext storage of sensitive information in an SQLite database
CWE‑313 C# cs/password-in-configuration Password in configuration file
CWE‑313 JavaScript js/password-in-configuration-file Password in configuration file
CWE‑315 Java java/cleartext-storage-in-cookie Cleartext storage of sensitive information in cookie
CWE‑315 C# cs/cleartext-storage-of-sensitive-information Clear text storage of sensitive information
CWE‑315 Python py/clear-text-logging-sensitive-data Clear-text logging of sensitive information
CWE‑315 Python py/clear-text-storage-sensitive-data Clear-text storage of sensitive information
CWE‑315 JavaScript js/build-artifact-leak Storage of sensitive information in build artifact
CWE‑315 JavaScript js/clear-text-logging Clear-text logging of sensitive information
CWE‑315 JavaScript js/clear-text-storage-of-sensitive-data Clear text storage of sensitive information
CWE‑315 Go go/clear-text-logging Clear-text logging of sensitive information
CWE‑319 Java java/non-https-url Failure to use HTTPS URLs
CWE‑319 Java java/non-ssl-connection Failure to use SSL
CWE‑319 Java java/non-ssl-socket-factory Failure to use SSL socket factories
CWE‑319 Java java/maven/non-https-url Failure to use HTTPS or SFTP URL in Maven artifact upload/download
CWE‑319 C# cs/web/requiressl-not-set 'requireSSL' attribute is not set to true
CWE‑321 C# cs/hardcoded-connection-string-credentials Hard-coded connection string with credentials
CWE‑321 C# cs/hardcoded-credentials Hard-coded credentials
CWE‑321 Python py/hardcoded-credentials Hard-coded credentials
CWE‑321 JavaScript js/hardcoded-credentials Hard-coded credentials
CWE‑321 Go go/hardcoded-credentials Hard-coded credentials
CWE‑326 Java java/insufficient-key-size Weak encryption: Insufficient key size
CWE‑326 Python py/weak-crypto-key Use of weak cryptographic key
CWE‑327 Java java/weak-cryptographic-algorithm Use of a broken or risky cryptographic algorithm
CWE‑327 Java java/potentially-weak-cryptographic-algorithm Use of a potentially broken or risky cryptographic algorithm
CWE‑327 Java java/unsafe-tls-version Unsafe TLS version
CWE‑327 C++ cpp/weak-cryptographic-algorithm Use of a broken or risky cryptographic algorithm
CWE‑327 C++ cpp/openssl-heartbleed Use of a version of OpenSSL with Heartbleed
CWE‑327 C# cs/ecb-encryption Encryption using ECB
CWE‑327 C# cs/inadequate-rsa-padding Weak encryption: inadequate RSA padding
CWE‑327 C# cs/insufficient-key-size Weak encryption: Insufficient key size
CWE‑327 C# cs/weak-encryption Weak encryption
CWE‑327 C# cs/adding-cert-to-root-store Do not add certificates to the system root store.
CWE‑327 C# cs/insecure-sql-connection Insecure SQL connection
CWE‑327 Python py/weak-cryptographic-algorithm Use of a broken or weak cryptographic algorithm
CWE‑327 Python py/insecure-default-protocol Default version of SSL/TLS may be insecure
CWE‑327 Python py/insecure-protocol Use of insecure SSL/TLS version
CWE‑327 JavaScript js/biased-cryptographic-random Creating biased random numbers from a cryptographically secure source.
CWE‑327 JavaScript js/weak-cryptographic-algorithm Use of a broken or weak cryptographic algorithm
CWE‑327 JavaScript js/insufficient-password-hash Use of password hash with insufficient computational effort
CWE‑327 Go go/insecure-tls Insecure TLS configuration
CWE‑327 Go go/weak-crypto-algorithm Use of a weak cryptographic algorithm
CWE‑330 Java java/random-used-once Random used only once
CWE‑330 Java java/jhipster-prng Detect JHipster Generator Vulnerability CVE-2019-16303
CWE‑330 Java java/hardcoded-credential-api-call Hard-coded credential in API call
CWE‑330 Java java/hardcoded-credential-comparison Hard-coded credential comparison
CWE‑330 Java java/hardcoded-credential-sensitive-call Hard-coded credential in sensitive call
CWE‑330 Java java/hardcoded-password-field Hard-coded password field
CWE‑330 C# cs/random-used-once Random used only once
CWE‑330 C# cs/insecure-randomness Insecure randomness
CWE‑330 C# cs/hardcoded-connection-string-credentials Hard-coded connection string with credentials
CWE‑330 C# cs/hardcoded-credentials Hard-coded credentials
CWE‑330 Python py/hardcoded-credentials Hard-coded credentials
CWE‑330 JavaScript js/insecure-randomness Insecure randomness
CWE‑330 JavaScript js/hardcoded-credentials Hard-coded credentials
CWE‑330 Go go/insecure-randomness Use of insufficient randomness as the key of a cryptographic algorithm
CWE‑330 Go go/hardcoded-credentials Hard-coded credentials
CWE‑335 Java java/random-used-once Random used only once
CWE‑335 C# cs/random-used-once Random used only once
CWE‑338 Java java/jhipster-prng Detect JHipster Generator Vulnerability CVE-2019-16303
CWE‑338 C# cs/insecure-randomness Insecure randomness
CWE‑338 JavaScript js/insecure-randomness Insecure randomness
CWE‑338 Go go/insecure-randomness Use of insufficient randomness as the key of a cryptographic algorithm
CWE‑344 Java java/hardcoded-credential-api-call Hard-coded credential in API call
CWE‑344 Java java/hardcoded-credential-comparison Hard-coded credential comparison
CWE‑344 Java java/hardcoded-credential-sensitive-call Hard-coded credential in sensitive call
CWE‑344 Java java/hardcoded-password-field Hard-coded password field
CWE‑344 C# cs/hardcoded-connection-string-credentials Hard-coded connection string with credentials
CWE‑344 C# cs/hardcoded-credentials Hard-coded credentials
CWE‑344 Python py/hardcoded-credentials Hard-coded credentials
CWE‑344 JavaScript js/hardcoded-credentials Hard-coded credentials
CWE‑344 Go go/hardcoded-credentials Hard-coded credentials
CWE‑345 Java java/spring-disabled-csrf-protection Disabled Spring CSRF protection
CWE‑345 Java java/unvalidated-cors-origin-set CORS is derived from untrusted input
CWE‑345 Java java/missing-jwt-signature-check Missing JWT signature check
CWE‑345 Java java/ip-address-spoofing IP address spoofing
CWE‑345 Java java/jsonp-injection JSONP Injection
CWE‑345 C# cs/web/missing-token-validation Missing cross-site request forgery token validation
CWE‑345 JavaScript js/cors-misconfiguration-for-credentials CORS misconfiguration for credentials transfer
CWE‑345 JavaScript js/missing-token-validation Missing CSRF middleware
CWE‑345 JavaScript js/jwt-missing-verification JWT missing secret or public key verification
CWE‑345 Go go/constant-oauth2-state Use of constant state value in OAuth 2.0 URL
CWE‑346 Java java/unvalidated-cors-origin-set CORS is derived from untrusted input
CWE‑346 JavaScript js/cors-misconfiguration-for-credentials CORS misconfiguration for credentials transfer
CWE‑347 Java java/missing-jwt-signature-check Missing JWT signature check
CWE‑347 JavaScript js/jwt-missing-verification JWT missing secret or public key verification
CWE‑348 Java java/ip-address-spoofing IP address spoofing
CWE‑350 C# cs/user-controlled-bypass User-controlled bypass of sensitive method
CWE‑350 Go go/sensitive-condition-bypass User-controlled bypassing of sensitive action
CWE‑352 Java java/spring-disabled-csrf-protection Disabled Spring CSRF protection
CWE‑352 Java java/jsonp-injection JSONP Injection
CWE‑352 C# cs/web/missing-token-validation Missing cross-site request forgery token validation
CWE‑352 JavaScript js/missing-token-validation Missing CSRF middleware
CWE‑352 Go go/constant-oauth2-state Use of constant state value in OAuth 2.0 URL
CWE‑359 C++ cpp/private-cleartext-write Exposure of private information
CWE‑359 C# cs/cleartext-storage-of-sensitive-information Clear text storage of sensitive information
CWE‑359 C# cs/exposure-of-sensitive-information Exposure of private information
CWE‑359 Python py/clear-text-logging-sensitive-data Clear-text logging of sensitive information
CWE‑359 Python py/clear-text-storage-sensitive-data Clear-text storage of sensitive information
CWE‑359 JavaScript js/cross-window-information-leak Cross-window communication with unrestricted target origin
CWE‑359 JavaScript js/build-artifact-leak Storage of sensitive information in build artifact
CWE‑359 JavaScript js/clear-text-logging Clear-text logging of sensitive information
CWE‑359 JavaScript js/clear-text-storage-of-sensitive-data Clear text storage of sensitive information
CWE‑359 Go go/clear-text-logging Clear-text logging of sensitive information
CWE‑362 Java java/toctou-race-condition Time-of-check time-of-use race condition
CWE‑362 Java java/socket-auth-race-condition Race condition in socket authentication
CWE‑362 C++ cpp/toctou-race-condition Time-of-check time-of-use filesystem race condition
CWE‑362 C# cs/unsafe-sync-on-field Futile synchronization on field
CWE‑362 C# cs/unsynchronized-static-access Unsynchronized access to static collection member in non-static context
CWE‑362 C# cs/thread-unsafe-icryptotransform-field-in-class Thread-unsafe use of a static ICryptoTransform field
CWE‑362 C# cs/thread-unsafe-icryptotransform-captured-in-lambda Thread-unsafe capturing of an ICryptoTransform object
CWE‑366 C# cs/unsafe-sync-on-field Futile synchronization on field
CWE‑367 Java java/toctou-race-condition Time-of-check time-of-use race condition
CWE‑367 C++ cpp/toctou-race-condition Time-of-check time-of-use filesystem race condition
CWE‑369 Go go/divide-by-zero Divide by zero
CWE‑377 Python py/insecure-temporary-file Insecure temporary file
CWE‑382 Java java/ejb/container-interference EJB interferes with container operation
CWE‑382 Java java/jvm-exit Forcible JVM termination
CWE‑383 Java java/ejb/threads EJB uses threads
CWE‑384 C# cs/session-reuse Failure to abandon session
CWE‑390 C# cs/empty-catch-block Poor error handling: empty catch block
CWE‑390 Python py/empty-except Empty except
CWE‑391 Java java/discarded-exception Discarded exception
CWE‑391 Java java/ignored-error-status-of-call Ignored error status of call
CWE‑391 C# cs/empty-catch-block Poor error handling: empty catch block
CWE‑395 C# cs/catch-nullreferenceexception Poor error handling: catch of NullReferenceException
CWE‑396 Java java/overly-general-catch Overly-general catch clause
CWE‑396 C# cs/catch-of-all-exceptions Generic catch clause
CWE‑396 Python py/catch-base-exception Except block handles 'BaseException'
CWE‑398 Java java/deprecated-call Deprecated method or constructor invocation
CWE‑398 Java java/dead-class Dead class
CWE‑398 Java java/dead-enum-constant Dead enum constant
CWE‑398 Java java/dead-field Dead field
CWE‑398 Java java/dead-function Dead method
CWE‑398 Java java/lines-of-dead-code Lines of dead code in files
CWE‑398 Java java/unused-parameter Useless parameter
CWE‑398 Java java/useless-null-check Useless null check
CWE‑398 Java java/useless-type-test Useless type test
CWE‑398 Java java/useless-upcast Useless upcast
CWE‑398 Java java/empty-container Container contents are never initialized
CWE‑398 Java java/unused-container Container contents are never accessed
CWE‑398 Java java/constant-comparison Useless comparison test
CWE‑398 Java java/dereferenced-value-is-always-null Dereferenced variable is always null
CWE‑398 Java java/dereferenced-expr-may-be-null Dereferenced expression may be null
CWE‑398 Java java/dereferenced-value-may-be-null Dereferenced variable may be null
CWE‑398 Java java/empty-synchronized-block Empty synchronized block
CWE‑398 Java java/unreachable-catch-clause Unreachable catch clause
CWE‑398 Java java/potentially-dangerous-function Use of a potentially dangerous function
CWE‑398 Java java/todo-comment TODO/FIXME comments
CWE‑398 Java java/unused-reference-type Unused classes and interfaces
CWE‑398 Java java/overwritten-assignment-to-local Assigned value is overwritten
CWE‑398 Java java/useless-assignment-to-local Useless assignment to local variable
CWE‑398 Java java/unused-initialized-local Local variable is initialized but not used
CWE‑398 Java java/local-variable-is-never-read Unread local variable
CWE‑398 Java java/unused-field Unused field
CWE‑398 Java java/unused-label Unused label
CWE‑398 Java java/unused-local-variable Unused local variable
CWE‑398 Java java/switch-fall-through Unterminated switch case
CWE‑398 Java java/redundant-cast Unnecessary cast
CWE‑398 Java java/unused-import Unnecessary import
CWE‑398 C++ cpp/unused-local-variable Unused local variable
CWE‑398 C++ cpp/unused-static-function Unused static function
CWE‑398 C++ cpp/unused-static-variable Unused static variable
CWE‑398 C++ cpp/dead-code-condition Branching condition always evaluates to same value
CWE‑398 C++ cpp/dead-code-function Function is never called
CWE‑398 C++ cpp/dead-code-goto Dead code due to goto or break statement
CWE‑398 C++ cpp/inconsistent-nullness-testing Inconsistent null check of pointer
CWE‑398 C++ cpp/missing-null-test Returned pointer not checked
CWE‑398 C++ cpp/unused-variable Variable is assigned a value that is never read
CWE‑398 C++ cpp/fixme-comment FIXME comment
CWE‑398 C++ cpp/todo-comment TODO comment
CWE‑398 C++ cpp/inconsistent-null-check Inconsistent nullness check
CWE‑398 C++ cpp/redundant-null-check-simple Redundant null check due to previous dereference
CWE‑398 C++ cpp/useless-expression Expression has no effect
CWE‑398 C++ cpp/bad-strncpy-size Possibly wrong buffer size in string copy
CWE‑398 C++ cpp/suspicious-call-to-memset Suspicious call to memset
CWE‑398 C++ cpp/unsafe-strncat Potentially unsafe call to strncat
CWE‑398 C++ cpp/unsafe-strcat Potentially unsafe use of strcat
CWE‑398 C++ cpp/dangerous-function-overflow Use of dangerous function
CWE‑398 C++ cpp/dangerous-cin Dangerous use of 'cin'
CWE‑398 C++ cpp/potentially-dangerous-function Use of potentially dangerous function
CWE‑398 C++ cpp/redundant-null-check-param Redundant null check or missing null check of parameter
CWE‑398 C++ cpp/incorrect-allocation-error-handling Incorrect allocation-error handling
CWE‑398 C# cs/call-to-obsolete-method Call to obsolete method
CWE‑398 C# cs/todo-comment TODO comment
CWE‑398 C# cs/dereferenced-value-is-always-null Dereferenced variable is always null
CWE‑398 C# cs/dereferenced-value-may-be-null Dereferenced variable may be null
CWE‑398 C# cs/unused-reftype Dead reference types
CWE‑398 C# cs/useless-assignment-to-local Useless assignment to local variable
CWE‑398 C# cs/unused-field Unused field
CWE‑398 C# cs/unused-method Unused method
CWE‑398 C# cs/useless-cast-to-self Cast to same type
CWE‑398 C# cs/useless-is-before-as Useless 'is' before 'as'
CWE‑398 C# cs/coalesce-of-identical-expressions Useless ?? expression
CWE‑398 C# cs/useless-type-test Useless type test
CWE‑398 C# cs/useless-upcast Useless upcast
CWE‑398 C# cs/empty-collection Container contents are never initialized
CWE‑398 C# cs/unused-collection Container contents are never accessed
CWE‑398 C# cs/empty-lock-statement Empty lock statement
CWE‑398 C# cs/linq/useless-select Redundant Select
CWE‑398 Python py/unreachable-except Unreachable 'except' block
CWE‑398 Python py/comparison-of-constants Comparison of constants
CWE‑398 Python py/comparison-of-identical-expressions Comparison of identical values
CWE‑398 Python py/comparison-missing-self Maybe missing 'self' in comparison
CWE‑398 Python py/duplicate-key-dict-literal Duplicate key in dict literal
CWE‑398 Python py/redundant-comparison Redundant comparison
CWE‑398 Python py/import-deprecated-module Import of deprecated module
CWE‑398 Python py/constant-conditional-expression Constant in conditional expression or statement
CWE‑398 Python py/redundant-assignment Redundant assignment
CWE‑398 Python py/ineffectual-statement Statement has no effect
CWE‑398 Python py/unreachable-statement Unreachable code
CWE‑398 Python py/multiple-definition Variable defined multiple times
CWE‑398 Python py/unused-local-variable Unused local variable
CWE‑398 Python py/unused-global-variable Unused global variable
CWE‑398 JavaScript js/todo-comment TODO comment
CWE‑398 JavaScript js/eval-like-call Call to eval-like DOM function
CWE‑398 JavaScript js/variable-initialization-conflict Conflicting variable initialization
CWE‑398 JavaScript js/function-declaration-conflict Conflicting function declarations
CWE‑398 JavaScript js/useless-assignment-to-global Useless assignment to global variable
CWE‑398 JavaScript js/useless-assignment-to-local Useless assignment to local variable
CWE‑398 JavaScript js/overwritten-property Overwritten property
CWE‑398 JavaScript js/comparison-of-identical-expressions Comparison of identical values
CWE‑398 JavaScript js/comparison-with-nan Comparison with NaN
CWE‑398 JavaScript js/duplicate-condition Duplicate 'if' condition
CWE‑398 JavaScript js/duplicate-property Duplicate property
CWE‑398 JavaScript js/duplicate-switch-case Duplicate switch case
CWE‑398 JavaScript js/useless-expression Expression has no effect
CWE‑398 JavaScript js/comparison-between-incompatible-types Comparison between inconvertible types
CWE‑398 JavaScript js/redundant-operation Identical operands
CWE‑398 JavaScript js/redundant-assignment Self assignment
CWE‑398 JavaScript js/call-to-non-callable Invocation of non-function
CWE‑398 JavaScript js/property-access-on-non-object Property access on null or undefined
CWE‑398 JavaScript js/unneeded-defensive-code Unneeded defensive code
CWE‑398 JavaScript js/useless-type-test Useless type test
CWE‑398 JavaScript js/eval-call Use of eval
CWE‑398 JavaScript js/node/assignment-to-exports-variable Assignment to exports variable
CWE‑398 JavaScript js/regex/unmatchable-caret Unmatchable caret in regular expression
CWE‑398 JavaScript js/regex/unmatchable-dollar Unmatchable dollar in regular expression
CWE‑398 JavaScript js/useless-assignment-in-return Return statement assigns local variable
CWE‑398 JavaScript js/unreachable-statement Unreachable statement
CWE‑398 JavaScript js/trivial-conditional Useless conditional
CWE‑398 Go go/comparison-of-identical-expressions Comparison of identical values
CWE‑398 Go go/useless-assignment-to-field Useless assignment to field
CWE‑398 Go go/useless-assignment-to-local Useless assignment to local variable
CWE‑398 Go go/duplicate-branches Duplicate 'if' branches
CWE‑398 Go go/duplicate-condition Duplicate 'if' condition
CWE‑398 Go go/duplicate-switch-case Duplicate switch case
CWE‑398 Go go/useless-expression Expression has no effect
CWE‑398 Go go/redundant-operation Identical operands
CWE‑398 Go go/redundant-assignment Self assignment
CWE‑398 Go go/unreachable-statement Unreachable statement
CWE‑400 Java java/input-resource-leak Potential input resource leak
CWE‑400 Java java/database-resource-leak Potential database resource leak
CWE‑400 Java java/output-resource-leak Potential output resource leak
CWE‑400 C++ cpp/catch-missing-free Leaky catch
CWE‑400 C++ cpp/descriptor-may-not-be-closed Open descriptor may not be closed
CWE‑400 C++ cpp/descriptor-never-closed Open descriptor never closed
CWE‑400 C++ cpp/file-may-not-be-closed Open file may not be closed
CWE‑400 C++ cpp/file-never-closed Open file is not closed
CWE‑400 C++ cpp/memory-may-not-be-freed Memory may not be freed
CWE‑400 C++ cpp/memory-never-freed Memory is never freed
CWE‑400 C++ cpp/new-free-mismatch Mismatching new/free or malloc/delete
CWE‑400 C++ cpp/alloca-in-loop Call to alloca in a loop
CWE‑400 C++ cpp/memory-leak-on-failed-call-to-realloc Memory leak on failed call to realloc
CWE‑400 C# cs/redos Denial of Service from comparison of user input against expensive regex
CWE‑400 C# cs/regex-injection Regular expression injection
CWE‑400 Python py/file-not-closed File is not always closed
CWE‑400 Python py/regex-injection Regular expression injection
CWE‑400 JavaScript js/polynomial-redos Polynomial regular expression used on uncontrolled data
CWE‑400 JavaScript js/redos Inefficient regular expression
CWE‑400 JavaScript js/resource-exhaustion-from-deep-object-traversal Resources exhaustion from deep object traversal
CWE‑400 JavaScript js/remote-property-injection Remote property injection
CWE‑400 JavaScript js/regex-injection Regular expression injection
CWE‑400 JavaScript js/missing-rate-limiting Missing rate limiting
CWE‑400 JavaScript js/xml-bomb XML internal entity expansion
CWE‑400 JavaScript js/prototype-polluting-assignment Prototype-polluting assignment
CWE‑400 JavaScript js/prototype-pollution-utility Prototype-polluting function
CWE‑400 JavaScript js/prototype-pollution Prototype-polluting merge call
CWE‑400 JavaScript js/resource-exhaustion Resource exhaustion
CWE‑401 C++ cpp/catch-missing-free Leaky catch
CWE‑401 C++ cpp/memory-may-not-be-freed Memory may not be freed
CWE‑401 C++ cpp/memory-never-freed Memory is never freed
CWE‑401 C++ cpp/new-free-mismatch Mismatching new/free or malloc/delete
CWE‑401 C++ cpp/memory-leak-on-failed-call-to-realloc Memory leak on failed call to realloc
CWE‑404 Java java/missing-super-finalize Finalizer inconsistency
CWE‑404 Java java/input-resource-leak Potential input resource leak
CWE‑404 Java java/database-resource-leak Potential database resource leak
CWE‑404 Java java/output-resource-leak Potential output resource leak
CWE‑404 Java java/empty-finalizer Empty body of finalizer
CWE‑404 Java java/disabled-certificate-revocation-checking Disabled certificate revocation checking
CWE‑404 C++ cpp/catch-missing-free Leaky catch
CWE‑404 C++ cpp/descriptor-may-not-be-closed Open descriptor may not be closed
CWE‑404 C++ cpp/descriptor-never-closed Open descriptor never closed
CWE‑404 C++ cpp/file-may-not-be-closed Open file may not be closed
CWE‑404 C++ cpp/file-never-closed Open file is not closed
CWE‑404 C++ cpp/memory-may-not-be-freed Memory may not be freed
CWE‑404 C++ cpp/memory-never-freed Memory is never freed
CWE‑404 C++ cpp/new-free-mismatch Mismatching new/free or malloc/delete
CWE‑404 C++ cpp/memory-leak-on-failed-call-to-realloc Memory leak on failed call to realloc
CWE‑404 C++ cpp/resource-not-released-in-destructor Resource not released in destructor
CWE‑404 C# cs/dispose-not-called-on-throw Dispose may not be called if an exception is thrown during execution
CWE‑404 C# cs/member-not-disposed Missing Dispose call
CWE‑404 C# cs/missing-dispose-method Missing Dispose method
CWE‑404 C# cs/local-not-disposed Missing Dispose call on local IDisposable
CWE‑404 Python py/file-not-closed File is not always closed
CWE‑405 Java java/xxe Resolving XML external entity in user-controlled data
CWE‑405 C# cs/xml/insecure-dtd-handling Untrusted XML is read insecurely
CWE‑405 C# cs/insecure-xml-read XML is read insecurely
CWE‑405 JavaScript js/xml-bomb XML internal entity expansion
CWE‑409 Java java/xxe Resolving XML external entity in user-controlled data
CWE‑409 C# cs/xml/insecure-dtd-handling Untrusted XML is read insecurely
CWE‑409 C# cs/insecure-xml-read XML is read insecurely
CWE‑409 JavaScript js/xml-bomb XML internal entity expansion
CWE‑413 Java java/unsynchronized-getter Inconsistent synchronization of getter and setter
CWE‑416 C++ cpp/use-after-free Potential use after free
CWE‑420 Java java/socket-auth-race-condition Race condition in socket authentication
CWE‑421 Java java/socket-auth-race-condition Race condition in socket authentication
CWE‑428 C++ cpp/unsafe-create-process-call NULL application name with an unquoted path in call to CreateProcess
CWE‑434 C# cs/web/file-upload Use of file upload
CWE‑434 JavaScript js/http-to-file-access Network data written to file
CWE‑435 C++ cpp/memset-may-be-deleted Call to memset may be deleted
CWE‑441 Java java/ssrf Server Side Request Forgery (SSRF)
CWE‑441 JavaScript js/request-forgery Uncontrolled data used in network request
CWE‑441 Go go/request-forgery Uncontrolled data used in network request
CWE‑451 C# cs/web/missing-x-frame-options Missing X-Frame-Options HTTP header
CWE‑451 JavaScript js/missing-x-frame-options Missing X-Frame-Options HTTP header
CWE‑456 C++ cpp/initialization-not-run Initialization code not run
CWE‑457 Java java/unassigned-field Field is never assigned a non-null value
CWE‑457 C++ cpp/global-use-before-init Global variable may be used before initialization
CWE‑457 C++ cpp/not-initialised Variable not initialized before use
CWE‑457 C++ cpp/uninitialized-local Potentially uninitialized local variable
CWE‑457 C++ cpp/conditionally-uninitialized-variable Conditionally uninitialized variable
CWE‑457 C# cs/unassigned-field Field is never assigned a non-default value
CWE‑459 Java java/missing-super-finalize Finalizer inconsistency
CWE‑459 Java java/empty-finalizer Empty body of finalizer
CWE‑459 C# cs/dispose-not-called-on-throw Dispose may not be called if an exception is thrown during execution
CWE‑459 C# cs/member-not-disposed Missing Dispose call
CWE‑459 C# cs/missing-dispose-method Missing Dispose method
CWE‑459 C# cs/local-not-disposed Missing Dispose call on local IDisposable
CWE‑460 C# cs/dispose-not-called-on-throw Dispose may not be called if an exception is thrown during execution
CWE‑460 C# cs/local-not-disposed Missing Dispose call on local IDisposable
CWE‑467 C++ cpp/suspicious-sizeof Suspicious 'sizeof' use
CWE‑468 C++ cpp/suspicious-pointer-scaling Suspicious pointer scaling
CWE‑468 C++ cpp/incorrect-pointer-scaling-char Suspicious pointer scaling to char
CWE‑468 C++ cpp/suspicious-pointer-scaling-void Suspicious pointer scaling to void
CWE‑468 C++ cpp/suspicious-add-sizeof Suspicious add with sizeof
CWE‑471 C# cs/web/html-hidden-input Use of HTMLInputHidden
CWE‑472 C# cs/web/html-hidden-input Use of HTMLInputHidden
CWE‑476 Java java/dereferenced-value-is-always-null Dereferenced variable is always null
CWE‑476 Java java/dereferenced-expr-may-be-null Dereferenced expression may be null
CWE‑476 Java java/dereferenced-value-may-be-null Dereferenced variable may be null
CWE‑476 C++ cpp/inconsistent-nullness-testing Inconsistent null check of pointer
CWE‑476 C++ cpp/missing-null-test Returned pointer not checked
CWE‑476 C++ cpp/inconsistent-null-check Inconsistent nullness check
CWE‑476 C++ cpp/redundant-null-check-simple Redundant null check due to previous dereference
CWE‑476 C++ cpp/redundant-null-check-param Redundant null check or missing null check of parameter
CWE‑476 C# cs/dereferenced-value-is-always-null Dereferenced variable is always null
CWE‑476 C# cs/dereferenced-value-may-be-null Dereferenced variable may be null
CWE‑476 JavaScript js/call-to-non-callable Invocation of non-function
CWE‑476 JavaScript js/property-access-on-non-object Property access on null or undefined
CWE‑477 Java java/deprecated-call Deprecated method or constructor invocation
CWE‑477 C# cs/call-to-obsolete-method Call to obsolete method
CWE‑477 Python py/import-deprecated-module Import of deprecated module
CWE‑478 Java java/missing-default-in-switch Missing default case in switch
CWE‑478 Java java/missing-case-in-switch Missing enum case in switch
CWE‑478 C++ cpp/missing-case-in-switch Missing enum case in switch
CWE‑480 Java java/assignment-in-boolean-expression Assignment in Boolean expression
CWE‑480 Java java/reference-equality-on-strings Reference equality test on strings
CWE‑480 C++ cpp/assign-where-compare-meant Assignment where comparison was intended
CWE‑480 C++ cpp/compare-where-assign-meant Comparison where assignment was intended
CWE‑480 C++ cpp/incorrect-not-operator-usage Incorrect 'not' operator usage
CWE‑480 C++ cpp/logical-operator-applied-to-flag Short-circuiting operator applied to flag
CWE‑480 C++ cpp/operator-precedence-logic-error-when-use-bool-type Operator Precedence Logic Error When Use Bool Type
CWE‑480 C# cs/non-short-circuit Potentially dangerous use of non-short-circuit logic
CWE‑480 JavaScript js/useless-expression Expression has no effect
CWE‑480 JavaScript js/redundant-operation Identical operands
CWE‑480 JavaScript js/redundant-assignment Self assignment
CWE‑480 JavaScript js/deletion-of-non-property Deleting non-property
CWE‑480 Go go/useless-expression Expression has no effect
CWE‑480 Go go/redundant-operation Identical operands
CWE‑480 Go go/redundant-assignment Self assignment
CWE‑481 Java java/assignment-in-boolean-expression Assignment in Boolean expression
CWE‑481 C++ cpp/assign-where-compare-meant Assignment where comparison was intended
CWE‑482 C++ cpp/compare-where-assign-meant Comparison where assignment was intended
CWE‑483 JavaScript js/misleading-indentation-of-dangling-else Misleading indentation of dangling 'else'
CWE‑483 JavaScript js/misleading-indentation-after-control-statement Misleading indentation after control statement
CWE‑484 Java java/switch-fall-through Unterminated switch case
CWE‑485 Java java/missing-call-to-super-clone Missing super clone
CWE‑485 Java java/cleartext-storage-in-class Cleartext storage of sensitive information using storable class
CWE‑485 Java java/abstract-to-concrete-cast Cast from abstract to concrete collection
CWE‑485 Java java/internal-representation-exposure Exposing internal representation
CWE‑485 Java java/struts-development-mode Apache Struts development mode enabled
CWE‑485 Java java/android/unsafe-android-webview-fetch Unsafe resource fetching in Android webview
CWE‑485 C# cs/class-name-comparison Erroneous class compare
CWE‑485 C# cs/web/debug-code ASP.NET: leftover debug code
CWE‑485 C# cs/cast-from-abstract-to-concrete-collection Cast from abstract to concrete collection
CWE‑485 C# cs/expose-implementation Exposing internal representation
CWE‑485 Python py/flask-debug Flask app is run in debug mode
CWE‑485 JavaScript js/alert-call Invocation of alert
CWE‑485 JavaScript js/debugger-statement Use of debugger statement
CWE‑486 C# cs/class-name-comparison Erroneous class compare
CWE‑489 Java java/struts-development-mode Apache Struts development mode enabled
CWE‑489 C# cs/web/debug-code ASP.NET: leftover debug code
CWE‑489 Python py/flask-debug Flask app is run in debug mode
CWE‑489 JavaScript js/alert-call Invocation of alert
CWE‑489 JavaScript js/debugger-statement Use of debugger statement
CWE‑494 Java java/maven/non-https-url Failure to use HTTPS or SFTP URL in Maven artifact upload/download
CWE‑497 Java java/stack-trace-exposure Information exposure through a stack trace
CWE‑497 C++ cpp/system-data-exposure Exposure of system data to an unauthorized control sphere
CWE‑497 C# cs/information-exposure-through-exception Information exposure through an exception
CWE‑497 Python py/stack-trace-exposure Information exposure through an exception
CWE‑497 Go go/stack-trace-exposure Information exposure through a stack trace
CWE‑499 Java java/cleartext-storage-in-class Cleartext storage of sensitive information using storable class
CWE‑502 Java java/unsafe-deserialization Deserialization of user-controlled data
CWE‑502 Java java/unsafe-deserialization-spring-exporter-in-configuration-class Unsafe deserialization with Spring's remote service exporters.
CWE‑502 Java java/unsafe-deserialization-spring-exporter-in-xml-configuration Unsafe deserialization with Spring's remote service exporters.
CWE‑502 C# cs/deserialized-delegate Deserialized delegate
CWE‑502 C# cs/unsafe-deserialization Unsafe deserializer
CWE‑502 C# cs/unsafe-deserialization-untrusted-input Deserialization of untrusted data
CWE‑502 Python py/unsafe-deserialization Deserializing untrusted input
CWE‑502 JavaScript js/unsafe-deserialization Deserialization of user-controlled data
CWE‑506 JavaScript js/hardcoded-data-interpreted-as-code Hard-coded data interpreted as code
CWE‑521 C# cs/empty-password-in-configuration Empty password in configuration file
CWE‑522 Java java/credentials-in-properties Cleartext Credentials in Properties File
CWE‑522 Java java/password-in-configuration Password in configuration file
CWE‑522 C# cs/empty-password-in-configuration Empty password in configuration file
CWE‑522 C# cs/password-in-configuration Password in configuration file
CWE‑522 JavaScript js/password-in-configuration-file Password in configuration file
CWE‑538 C# cs/web/persistent-cookie Cookie security: persistent cookie
CWE‑538 C# cs/web/directory-browse-enabled ASP.NET config file enables directory browsing
CWE‑539 C# cs/web/persistent-cookie Cookie security: persistent cookie
CWE‑543 Java java/lazy-initialization Incorrect lazy initialization of a static field
CWE‑546 Java java/todo-comment TODO/FIXME comments
CWE‑546 C++ cpp/fixme-comment FIXME comment
CWE‑546 C++ cpp/todo-comment TODO comment
CWE‑546 C# cs/todo-comment TODO comment
CWE‑546 JavaScript js/todo-comment TODO comment
CWE‑548 C# cs/web/directory-browse-enabled ASP.NET config file enables directory browsing
CWE‑552 C# cs/web/directory-browse-enabled ASP.NET config file enables directory browsing
CWE‑555 Java java/credentials-in-properties Cleartext Credentials in Properties File
CWE‑555 Java java/password-in-configuration Password in configuration file
CWE‑561 Java java/dead-class Dead class
CWE‑561 Java java/dead-enum-constant Dead enum constant
CWE‑561 Java java/dead-field Dead field
CWE‑561 Java java/dead-function Dead method
CWE‑561 Java java/lines-of-dead-code Lines of dead code in files
CWE‑561 Java java/unused-parameter Useless parameter
CWE‑561 Java java/useless-null-check Useless null check
CWE‑561 Java java/useless-type-test Useless type test
CWE‑561 Java java/useless-upcast Useless upcast
CWE‑561 Java java/empty-container Container contents are never initialized
CWE‑561 Java java/unused-container Container contents are never accessed
CWE‑561 Java java/constant-comparison Useless comparison test
CWE‑561 Java java/unreachable-catch-clause Unreachable catch clause
CWE‑561 Java java/unused-reference-type Unused classes and interfaces
CWE‑561 Java java/useless-assignment-to-local Useless assignment to local variable
CWE‑561 Java java/local-variable-is-never-read Unread local variable
CWE‑561 Java java/unused-field Unused field
CWE‑561 Java java/unused-label Unused label
CWE‑561 Java java/redundant-cast Unnecessary cast
CWE‑561 Java java/unused-import Unnecessary import
CWE‑561 C++ cpp/unused-static-function Unused static function
CWE‑561 C++ cpp/dead-code-condition Branching condition always evaluates to same value
CWE‑561 C++ cpp/dead-code-function Function is never called
CWE‑561 C++ cpp/dead-code-goto Dead code due to goto or break statement
CWE‑561 C++ cpp/useless-expression Expression has no effect
CWE‑561 C++ cpp/incorrect-allocation-error-handling Incorrect allocation-error handling
CWE‑561 C# cs/unused-reftype Dead reference types
CWE‑561 C# cs/unused-field Unused field
CWE‑561 C# cs/unused-method Unused method
CWE‑561 C# cs/useless-cast-to-self Cast to same type
CWE‑561 C# cs/useless-is-before-as Useless 'is' before 'as'
CWE‑561 C# cs/coalesce-of-identical-expressions Useless ?? expression
CWE‑561 C# cs/useless-type-test Useless type test
CWE‑561 C# cs/useless-upcast Useless upcast
CWE‑561 C# cs/empty-collection Container contents are never initialized
CWE‑561 C# cs/unused-collection Container contents are never accessed
CWE‑561 C# cs/linq/useless-select Redundant Select
CWE‑561 Python py/unreachable-except Unreachable 'except' block
CWE‑561 Python py/comparison-of-constants Comparison of constants
CWE‑561 Python py/comparison-of-identical-expressions Comparison of identical values
CWE‑561 Python py/comparison-missing-self Maybe missing 'self' in comparison
CWE‑561 Python py/duplicate-key-dict-literal Duplicate key in dict literal
CWE‑561 Python py/redundant-comparison Redundant comparison
CWE‑561 Python py/constant-conditional-expression Constant in conditional expression or statement
CWE‑561 Python py/ineffectual-statement Statement has no effect
CWE‑561 Python py/unreachable-statement Unreachable code
CWE‑561 JavaScript js/comparison-of-identical-expressions Comparison of identical values
CWE‑561 JavaScript js/comparison-with-nan Comparison with NaN
CWE‑561 JavaScript js/duplicate-condition Duplicate 'if' condition
CWE‑561 JavaScript js/duplicate-switch-case Duplicate switch case
CWE‑561 JavaScript js/useless-expression Expression has no effect
CWE‑561 JavaScript js/comparison-between-incompatible-types Comparison between inconvertible types
CWE‑561 JavaScript js/redundant-operation Identical operands
CWE‑561 JavaScript js/redundant-assignment Self assignment
CWE‑561 JavaScript js/unneeded-defensive-code Unneeded defensive code
CWE‑561 JavaScript js/useless-type-test Useless type test
CWE‑561 JavaScript js/regex/unmatchable-caret Unmatchable caret in regular expression
CWE‑561 JavaScript js/regex/unmatchable-dollar Unmatchable dollar in regular expression
CWE‑561 JavaScript js/unreachable-statement Unreachable statement
CWE‑561 JavaScript js/trivial-conditional Useless conditional
CWE‑561 Go go/comparison-of-identical-expressions Comparison of identical values
CWE‑561 Go go/duplicate-branches Duplicate 'if' branches
CWE‑561 Go go/duplicate-condition Duplicate 'if' condition
CWE‑561 Go go/duplicate-switch-case Duplicate switch case
CWE‑561 Go go/useless-expression Expression has no effect
CWE‑561 Go go/redundant-operation Identical operands
CWE‑561 Go go/redundant-assignment Self assignment
CWE‑561 Go go/unreachable-statement Unreachable statement
CWE‑563 Java java/overwritten-assignment-to-local Assigned value is overwritten
CWE‑563 Java java/unused-initialized-local Local variable is initialized but not used
CWE‑563 Java java/unused-local-variable Unused local variable
CWE‑563 C++ cpp/unused-local-variable Unused local variable
CWE‑563 C++ cpp/unused-static-variable Unused static variable
CWE‑563 C++ cpp/unused-variable Variable is assigned a value that is never read
CWE‑563 C# cs/useless-assignment-to-local Useless assignment to local variable
CWE‑563 Python py/redundant-assignment Redundant assignment
CWE‑563 Python py/multiple-definition Variable defined multiple times
CWE‑563 Python py/unused-local-variable Unused local variable
CWE‑563 Python py/unused-global-variable Unused global variable
CWE‑563 JavaScript js/variable-initialization-conflict Conflicting variable initialization
CWE‑563 JavaScript js/function-declaration-conflict Conflicting function declarations
CWE‑563 JavaScript js/useless-assignment-to-global Useless assignment to global variable
CWE‑563 JavaScript js/useless-assignment-to-local Useless assignment to local variable
CWE‑563 JavaScript js/overwritten-property Overwritten property
CWE‑563 JavaScript js/duplicate-property Duplicate property
CWE‑563 JavaScript js/node/assignment-to-exports-variable Assignment to exports variable
CWE‑563 JavaScript js/useless-assignment-in-return Return statement assigns local variable
CWE‑563 Go go/useless-assignment-to-field Useless assignment to field
CWE‑563 Go go/useless-assignment-to-local Useless assignment to local variable
CWE‑564 Java java/sql-injection Query built from user-controlled sources
CWE‑564 Java java/sql-injection-local Query built from local-user-controlled sources
CWE‑564 Java java/concatenated-sql-query Query built without neutralizing special characters
CWE‑567 C# cs/unsynchronized-static-access Unsynchronized access to static collection member in non-static context
CWE‑568 Java java/missing-super-finalize Finalizer inconsistency
CWE‑568 Java java/empty-finalizer Empty body of finalizer
CWE‑570 Java java/constant-comparison Useless comparison test
CWE‑570 C++ cpp/incorrect-allocation-error-handling Incorrect allocation-error handling
CWE‑570 Python py/comparison-of-constants Comparison of constants
CWE‑570 Python py/comparison-of-identical-expressions Comparison of identical values
CWE‑570 Python py/comparison-missing-self Maybe missing 'self' in comparison
CWE‑570 Python py/redundant-comparison Redundant comparison
CWE‑570 Python py/constant-conditional-expression Constant in conditional expression or statement
CWE‑570 JavaScript js/comparison-of-identical-expressions Comparison of identical values
CWE‑570 JavaScript js/comparison-with-nan Comparison with NaN
CWE‑570 JavaScript js/comparison-between-incompatible-types Comparison between inconvertible types
CWE‑570 JavaScript js/unneeded-defensive-code Unneeded defensive code
CWE‑570 JavaScript js/useless-type-test Useless type test
CWE‑570 JavaScript js/trivial-conditional Useless conditional
CWE‑570 Go go/comparison-of-identical-expressions Comparison of identical values
CWE‑571 Java java/constant-comparison Useless comparison test
CWE‑571 Python py/comparison-of-constants Comparison of constants
CWE‑571 Python py/comparison-of-identical-expressions Comparison of identical values
CWE‑571 Python py/comparison-missing-self Maybe missing 'self' in comparison
CWE‑571 Python py/redundant-comparison Redundant comparison
CWE‑571 Python py/constant-conditional-expression Constant in conditional expression or statement
CWE‑571 JavaScript js/comparison-of-identical-expressions Comparison of identical values
CWE‑571 JavaScript js/comparison-with-nan Comparison with NaN
CWE‑571 JavaScript js/comparison-between-incompatible-types Comparison between inconvertible types
CWE‑571 JavaScript js/unneeded-defensive-code Unneeded defensive code
CWE‑571 JavaScript js/useless-type-test Useless type test
CWE‑571 JavaScript js/trivial-conditional Useless conditional
CWE‑571 Go go/comparison-of-identical-expressions Comparison of identical values
CWE‑572 Java java/call-to-thread-run Direct call to a run() method
CWE‑573 Java java/ejb/container-interference EJB interferes with container operation
CWE‑573 Java java/ejb/file-io EJB uses file input/output
CWE‑573 Java java/ejb/graphics EJB uses graphics
CWE‑573 Java java/ejb/native-code EJB uses native code
CWE‑573 Java java/ejb/reflection EJB uses reflection
CWE‑573 Java java/ejb/security-configuration-access EJB accesses security configuration
CWE‑573 Java java/ejb/substitution-in-serialization EJB uses substitution in serialization
CWE‑573 Java java/ejb/socket-or-stream-handler-factory EJB sets socket factory or URL stream handler factory
CWE‑573 Java java/ejb/server-socket EJB uses server socket
CWE‑573 Java java/ejb/non-final-static-field EJB uses non-final static field
CWE‑573 Java java/ejb/synchronization EJB uses synchronization
CWE‑573 Java java/ejb/this EJB uses 'this' as argument or result
CWE‑573 Java java/ejb/threads EJB uses threads
CWE‑573 Java java/missing-call-to-super-clone Missing super clone
CWE‑573 Java java/inconsistent-equals-and-hashcode Inconsistent equals and hashCode
CWE‑573 Java java/unreleased-lock Unreleased lock
CWE‑573 Java java/missing-super-finalize Finalizer inconsistency
CWE‑573 Java java/missing-format-argument Missing format argument
CWE‑573 Java java/unused-format-argument Unused format argument
CWE‑573 Java java/empty-finalizer Empty body of finalizer
CWE‑573 C++ cpp/overflowing-snprintf Potentially overflowing call to snprintf
CWE‑573 C++ cpp/wrong-number-format-arguments Too few arguments to formatting function
CWE‑573 C++ cpp/wrong-type-format-argument Wrong type of arguments to formatting function
CWE‑573 C++ cpp/too-few-arguments Call to function with fewer arguments than declared parameters
CWE‑573 C++ cpp/ignore-return-value-sal SAL requires inspecting return value
CWE‑573 C++ cpp/hresult-boolean-conversion Cast between HRESULT and a Boolean type
CWE‑573 C++ cpp/lock-order-cycle Cyclic lock order dependency
CWE‑573 C++ cpp/twice-locked Mutex locked twice
CWE‑573 C++ cpp/unreleased-lock Lock may not be released
CWE‑573 C# cs/inconsistent-equals-and-gethashcode Inconsistent Equals(object) and GetHashCode()
CWE‑573 C# cs/invalid-dynamic-call Bad dynamic call
CWE‑573 Python py/equals-hash-mismatch Inconsistent equality and hashing
CWE‑573 Python py/call/wrong-named-class-argument Wrong name for an argument in a class instantiation
CWE‑573 Python py/call/wrong-number-class-arguments Wrong number of arguments in a class instantiation
CWE‑573 Python py/super-not-enclosing-class First argument to super() is not enclosing class
CWE‑573 Python py/call/wrong-named-argument Wrong name for an argument in a call
CWE‑573 Python py/percent-format/wrong-arguments Wrong number of arguments for format
CWE‑573 Python py/call/wrong-arguments Wrong number of arguments in a call
CWE‑573 JavaScript js/superfluous-trailing-arguments Superfluous trailing arguments
CWE‑574 Java java/ejb/synchronization EJB uses synchronization
CWE‑575 Java java/ejb/graphics EJB uses graphics
CWE‑576 Java java/ejb/file-io EJB uses file input/output
CWE‑577 Java java/ejb/socket-or-stream-handler-factory EJB sets socket factory or URL stream handler factory
CWE‑577 Java java/ejb/server-socket EJB uses server socket
CWE‑578 Java java/ejb/container-interference EJB interferes with container operation
CWE‑580 Java java/missing-call-to-super-clone Missing super clone
CWE‑581 Java java/inconsistent-equals-and-hashcode Inconsistent equals and hashCode
CWE‑581 C# cs/inconsistent-equals-and-gethashcode Inconsistent Equals(object) and GetHashCode()
CWE‑581 Python py/equals-hash-mismatch Inconsistent equality and hashing
CWE‑582 Java java/static-array Array constant vulnerable to change
CWE‑582 C# cs/static-array Array constant vulnerable to change
CWE‑584 Java java/abnormal-finally-completion Finally block may not complete normally
CWE‑584 Python py/exit-from-finally 'break' or 'return' statement in finally
CWE‑584 JavaScript js/exit-from-finally Jump from finally
CWE‑585 Java java/empty-synchronized-block Empty synchronized block
CWE‑585 C# cs/empty-lock-statement Empty lock statement
CWE‑592 Java java/user-controlled-bypass User-controlled bypass of sensitive method
CWE‑592 Java java/tainted-permissions-check User-controlled data used in permissions check
CWE‑592 C++ cpp/user-controlled-bypass Authentication bypass by spoofing
CWE‑592 C# cs/user-controlled-bypass User-controlled bypass of sensitive method
CWE‑592 JavaScript js/user-controlled-bypass User-controlled bypass of security check
CWE‑592 JavaScript js/different-kinds-comparison-bypass Comparison of user-controlled data of different kinds
CWE‑592 Go go/sensitive-condition-bypass User-controlled bypassing of sensitive action
CWE‑595 Java java/reference-equality-with-object Reference equality test on java.lang.Object
CWE‑595 Java java/reference-equality-of-boxed-types Reference equality test of boxed types
CWE‑595 Java java/reference-equality-on-strings Reference equality test on strings
CWE‑595 C# cs/reference-equality-with-object Reference equality test on System.Object
CWE‑595 C# cs/reference-equality-on-valuetypes Call to ReferenceEquals(...) on value type expressions
CWE‑597 Java java/reference-equality-on-strings Reference equality test on strings
CWE‑601 Java java/unvalidated-url-redirection URL redirection from remote source
CWE‑601 Java java/unvalidated-url-redirection-local URL redirection from local source
CWE‑601 C# cs/web/unvalidated-url-redirection URL redirection from remote source
CWE‑601 Python py/url-redirection URL redirection from remote source
CWE‑601 JavaScript js/client-side-unvalidated-url-redirection Client-side URL redirect
CWE‑601 JavaScript js/server-side-unvalidated-url-redirection Server-side URL redirect
CWE‑601 Go go/bad-redirect-check Bad redirect check
CWE‑601 Go go/unvalidated-url-redirection Open URL redirect
CWE‑609 Java java/unsafe-double-checked-locking Double-checked locking is not thread-safe
CWE‑609 Java java/unsafe-double-checked-locking-init-order Race condition in double-checked locking object initialization
CWE‑609 Java java/lazy-initialization Incorrect lazy initialization of a static field
CWE‑609 C# cs/unsafe-double-checked-lock Double-checked lock is not thread-safe
CWE‑610 Java java/path-injection Uncontrolled data used in path expression
CWE‑610 Java java/path-injection-local Local-user-controlled data in path expression
CWE‑610 Java java/unvalidated-url-redirection URL redirection from remote source
CWE‑610 Java java/unvalidated-url-redirection-local URL redirection from local source
CWE‑610 Java java/xxe Resolving XML external entity in user-controlled data
CWE‑610 Java java/ssrf Server Side Request Forgery (SSRF)
CWE‑610 C++ cpp/path-injection Uncontrolled data used in path expression
CWE‑610 C# cs/path-injection Uncontrolled data used in path expression
CWE‑610 C# cs/web/unvalidated-url-redirection URL redirection from remote source
CWE‑610 C# cs/xml/insecure-dtd-handling Untrusted XML is read insecurely
CWE‑610 C# cs/insecure-xml-read XML is read insecurely
CWE‑610 C# cs/webclient-path-injection Uncontrolled data used in a WebClient
CWE‑610 Python py/path-injection Uncontrolled data used in path expression
CWE‑610 Python py/url-redirection URL redirection from remote source
CWE‑610 JavaScript js/path-injection Uncontrolled data used in path expression
CWE‑610 JavaScript js/template-object-injection Template Object Injection
CWE‑610 JavaScript js/client-side-unvalidated-url-redirection Client-side URL redirect
CWE‑610 JavaScript js/server-side-unvalidated-url-redirection Server-side URL redirect
CWE‑610 JavaScript js/xxe XML external entity expansion
CWE‑610 JavaScript js/request-forgery Uncontrolled data used in network request
CWE‑610 Go go/path-injection Uncontrolled data used in path expression
CWE‑610 Go go/bad-redirect-check Bad redirect check
CWE‑610 Go go/unvalidated-url-redirection Open URL redirect
CWE‑610 Go go/request-forgery Uncontrolled data used in network request
CWE‑611 Java java/xxe Resolving XML external entity in user-controlled data
CWE‑611 C# cs/xml/insecure-dtd-handling Untrusted XML is read insecurely
CWE‑611 C# cs/insecure-xml-read XML is read insecurely
CWE‑611 JavaScript js/xxe XML external entity expansion
CWE‑614 Java java/insecure-cookie Failure to use secure cookies
CWE‑614 C# cs/web/requiressl-not-set 'requireSSL' attribute is not set to true
CWE‑614 JavaScript js/insecure-cookie Failure to set secure cookies
CWE‑625 JavaScript js/angular/insecure-url-whitelist Insecure URL whitelist
CWE‑628 Java java/missing-format-argument Missing format argument
CWE‑628 Java java/unused-format-argument Unused format argument
CWE‑628 C++ cpp/wrong-number-format-arguments Too few arguments to formatting function
CWE‑628 C++ cpp/wrong-type-format-argument Wrong type of arguments to formatting function
CWE‑628 C++ cpp/too-few-arguments Call to function with fewer arguments than declared parameters
CWE‑628 C# cs/invalid-dynamic-call Bad dynamic call
CWE‑628 Python py/call/wrong-named-class-argument Wrong name for an argument in a class instantiation
CWE‑628 Python py/call/wrong-number-class-arguments Wrong number of arguments in a class instantiation
CWE‑628 Python py/super-not-enclosing-class First argument to super() is not enclosing class
CWE‑628 Python py/call/wrong-named-argument Wrong name for an argument in a call
CWE‑628 Python py/percent-format/wrong-arguments Wrong number of arguments for format
CWE‑628 Python py/call/wrong-arguments Wrong number of arguments in a call
CWE‑628 JavaScript js/superfluous-trailing-arguments Superfluous trailing arguments
CWE‑639 JavaScript js/cors-misconfiguration-for-credentials CORS misconfiguration for credentials transfer
CWE‑640 JavaScript js/host-header-forgery-in-email-generation Host header poisoning in email generation
CWE‑640 Go go/email-injection Email content injection
CWE‑642 Java java/path-injection Uncontrolled data used in path expression
CWE‑642 Java java/path-injection-local Local-user-controlled data in path expression
CWE‑642 C++ cpp/path-injection Uncontrolled data used in path expression
CWE‑642 C# cs/web/html-hidden-input Use of HTMLInputHidden
CWE‑642 C# cs/path-injection Uncontrolled data used in path expression
CWE‑642 C# cs/webclient-path-injection Uncontrolled data used in a WebClient
CWE‑642 Python py/path-injection Uncontrolled data used in path expression
CWE‑642 JavaScript js/path-injection Uncontrolled data used in path expression
CWE‑642 JavaScript js/template-object-injection Template Object Injection
CWE‑642 Go go/path-injection Uncontrolled data used in path expression
CWE‑643 Java java/xml/xpath-injection XPath injection
CWE‑643 C# cs/xml/stored-xpath-injection Stored XPath injection
CWE‑643 C# cs/xml/xpath-injection XPath injection
CWE‑643 Python py/xslt-injection XSLT query built from user-controlled sources
CWE‑643 Python py/xpath-injection XPath query built from user-controlled sources
CWE‑643 JavaScript js/xpath-injection XPath injection
CWE‑643 Go go/xml/xpath-injection XPath injection
CWE‑652 Java java/xquery-injection XQuery query built from user-controlled sources
CWE‑657 Java java/hardcoded-credential-api-call Hard-coded credential in API call
CWE‑657 Java java/hardcoded-credential-comparison Hard-coded credential comparison
CWE‑657 Java java/hardcoded-credential-sensitive-call Hard-coded credential in sensitive call
CWE‑657 Java java/hardcoded-password-field Hard-coded password field
CWE‑657 C# cs/hardcoded-connection-string-credentials Hard-coded connection string with credentials
CWE‑657 C# cs/hardcoded-credentials Hard-coded credentials
CWE‑657 Python py/hardcoded-credentials Hard-coded credentials
CWE‑657 JavaScript js/remote-property-injection Remote property injection
CWE‑657 JavaScript js/hardcoded-credentials Hard-coded credentials
CWE‑657 Go go/hardcoded-credentials Hard-coded credentials
CWE‑662 Java java/ejb/synchronization EJB uses synchronization
CWE‑662 Java java/wait-on-condition-interface Wait on condition
CWE‑662 Java java/call-to-thread-run Direct call to a run() method
CWE‑662 Java java/unsafe-double-checked-locking Double-checked locking is not thread-safe
CWE‑662 Java java/unsafe-double-checked-locking-init-order Race condition in double-checked locking object initialization
CWE‑662 Java java/unsafe-sync-on-field Futile synchronization on field
CWE‑662 Java java/inconsistent-field-synchronization Inconsistent synchronization for field
CWE‑662 Java java/lazy-initialization Incorrect lazy initialization of a static field
CWE‑662 Java java/non-sync-override Non-synchronized override of synchronized method
CWE‑662 Java java/notify-instead-of-notify-all notify instead of notifyAll
CWE‑662 Java java/sleep-with-lock-held Sleep with lock held
CWE‑662 Java java/sync-on-boxed-types Synchronization on boxed types or strings
CWE‑662 Java java/unsynchronized-getter Inconsistent synchronization of getter and setter
CWE‑662 Java java/inconsistent-sync-writeobject Inconsistent synchronization for writeObject()
CWE‑662 Java java/unreleased-lock Unreleased lock
CWE‑662 Java java/wait-with-two-locks Wait with two locks held
CWE‑662 Java java/lock-order-inconsistency Lock order inconsistency
CWE‑662 C++ cpp/lock-order-cycle Cyclic lock order dependency
CWE‑662 C++ cpp/twice-locked Mutex locked twice
CWE‑662 C++ cpp/unreleased-lock Lock may not be released
CWE‑662 C# cs/unsafe-sync-on-field Futile synchronization on field
CWE‑662 C# cs/inconsistent-lock-sequence Inconsistent lock sequence
CWE‑662 C# cs/lock-this Locking the 'this' object in a lock statement
CWE‑662 C# cs/locked-wait A lock is held during a wait
CWE‑662 C# cs/unsynchronized-getter Inconsistently synchronized property
CWE‑662 C# cs/unsafe-double-checked-lock Double-checked lock is not thread-safe
CWE‑662 C# cs/unsynchronized-static-access Unsynchronized access to static collection member in non-static context
CWE‑664 Java java/ejb/synchronization EJB uses synchronization
CWE‑664 Java java/implicit-cast-in-compound-assignment Implicit narrowing conversion in compound assignment
CWE‑664 Java java/integer-multiplication-cast-to-long Result of multiplication cast to wider type
CWE‑664 Java java/missing-call-to-super-clone Missing super clone
CWE‑664 Java java/wait-on-condition-interface Wait on condition
CWE‑664 Java java/call-to-thread-run Direct call to a run() method
CWE‑664 Java java/unsafe-double-checked-locking Double-checked locking is not thread-safe
CWE‑664 Java java/unsafe-double-checked-locking-init-order Race condition in double-checked locking object initialization
CWE‑664 Java java/unsafe-sync-on-field Futile synchronization on field
CWE‑664 Java java/inconsistent-field-synchronization Inconsistent synchronization for field
CWE‑664 Java java/lazy-initialization Incorrect lazy initialization of a static field
CWE‑664 Java java/non-sync-override Non-synchronized override of synchronized method
CWE‑664 Java java/notify-instead-of-notify-all notify instead of notifyAll
CWE‑664 Java java/sleep-with-lock-held Sleep with lock held
CWE‑664 Java java/sync-on-boxed-types Synchronization on boxed types or strings
CWE‑664 Java java/unsynchronized-getter Inconsistent synchronization of getter and setter
CWE‑664 Java java/inconsistent-sync-writeobject Inconsistent synchronization for writeObject()
CWE‑664 Java java/unreleased-lock Unreleased lock
CWE‑664 Java java/wait-with-two-locks Wait with two locks held
CWE‑664 Java java/missing-super-finalize Finalizer inconsistency
CWE‑664 Java java/input-resource-leak Potential input resource leak
CWE‑664 Java java/database-resource-leak Potential database resource leak
CWE‑664 Java java/output-resource-leak Potential output resource leak
CWE‑664 Java java/impossible-array-cast Impossible array cast
CWE‑664 Java java/path-injection Uncontrolled data used in path expression
CWE‑664 Java java/path-injection-local Local-user-controlled data in path expression
CWE‑664 Java java/zipslip Arbitrary file write during archive extraction ("Zip Slip")
CWE‑664 Java java/insecure-bean-validation Insecure Bean Validation
CWE‑664 Java java/comparison-with-wider-type Comparison of narrow type with wide type in loop condition
CWE‑664 Java java/stack-trace-exposure Information exposure through a stack trace
CWE‑664 Java java/unsafe-hostname-verification Unsafe hostname verification
CWE‑664 Java java/cleartext-storage-in-class Cleartext storage of sensitive information using storable class
CWE‑664 Java java/cleartext-storage-in-cookie Cleartext storage of sensitive information in cookie
CWE‑664 Java java/cleartext-storage-in-properties Cleartext storage of sensitive information using 'Properties' class
CWE‑664 Java java/socket-auth-race-condition Race condition in socket authentication
CWE‑664 Java java/unsafe-deserialization Deserialization of user-controlled data
CWE‑664 Java java/unvalidated-url-redirection URL redirection from remote source
CWE‑664 Java java/unvalidated-url-redirection-local URL redirection from local source
CWE‑664 Java java/xxe Resolving XML external entity in user-controlled data
CWE‑664 Java java/tainted-numeric-cast User-controlled data in numeric cast
CWE‑664 Java java/tainted-numeric-cast-local Local-user-controlled data in numeric cast
CWE‑664 Java java/world-writable-file-read Reading from a world writable file
CWE‑664 Java java/hardcoded-credential-api-call Hard-coded credential in API call
CWE‑664 Java java/hardcoded-credential-comparison Hard-coded credential comparison
CWE‑664 Java java/hardcoded-credential-sensitive-call Hard-coded credential in sensitive call
CWE‑664 Java java/hardcoded-password-field Hard-coded password field
CWE‑664 Java java/user-controlled-bypass User-controlled bypass of sensitive method
CWE‑664 Java java/tainted-permissions-check User-controlled data used in permissions check
CWE‑664 Java java/maven/non-https-url Failure to use HTTPS or SFTP URL in Maven artifact upload/download
CWE‑664 Java java/lock-order-inconsistency Lock order inconsistency
CWE‑664 Java java/empty-finalizer Empty body of finalizer
CWE‑664 Java java/unassigned-field Field is never assigned a non-null value
CWE‑664 Java java/overly-general-catch Overly-general catch clause
CWE‑664 Java java/abstract-to-concrete-cast Cast from abstract to concrete collection
CWE‑664 Java java/internal-representation-exposure Exposing internal representation
CWE‑664 Java java/static-array Array constant vulnerable to change
CWE‑664 Java java/openstream-called-on-tainted-url openStream called on URLs created from remote source
CWE‑664 Java java/groovy-injection Groovy Language injection
CWE‑664 Java java/android-insecure-dex-loading Insecure loading of an Android Dex File
CWE‑664 Java java/javaee-expression-injection Jakarta Expression Language injection
CWE‑664 Java java/jexl-expression-injection Expression language injection (JEXL)
CWE‑664 Java java/mvel-expression-injection Expression language injection (MVEL)
CWE‑664 Java java/unsafe-eval ScriptEngine evaluation
CWE‑664 Java java/spel-expression-injection Expression language injection (Spring)
CWE‑664 Java java/spring-view-manipulation-implicit Spring Implicit View Manipulation
CWE‑664 Java java/spring-view-manipulation Spring View Manipulation
CWE‑664 Java java/disabled-certificate-revocation-checking Disabled certificate revocation checking
CWE‑664 Java java/android/cleartext-storage-shared-prefs Cleartext storage of sensitive information using SharedPreferences on Android
CWE‑664 Java java/unvalidated-cors-origin-set CORS is derived from untrusted input
CWE‑664 Java java/struts-development-mode Apache Struts development mode enabled
CWE‑664 Java java/unsafe-deserialization-spring-exporter-in-configuration-class Unsafe deserialization with Spring's remote service exporters.
CWE‑664 Java java/unsafe-deserialization-spring-exporter-in-xml-configuration Unsafe deserialization with Spring's remote service exporters.
CWE‑664 Java java/credentials-in-properties Cleartext Credentials in Properties File
CWE‑664 Java java/password-in-configuration Password in configuration file
CWE‑664 Java java/android/unsafe-android-webview-fetch Unsafe resource fetching in Android webview
CWE‑664 Java java/ssrf Server Side Request Forgery (SSRF)
CWE‑664 C++ cpp/catch-missing-free Leaky catch
CWE‑664 C++ cpp/descriptor-may-not-be-closed Open descriptor may not be closed
CWE‑664 C++ cpp/descriptor-never-closed Open descriptor never closed
CWE‑664 C++ cpp/file-may-not-be-closed Open file may not be closed
CWE‑664 C++ cpp/file-never-closed Open file is not closed
CWE‑664 C++ cpp/global-use-before-init Global variable may be used before initialization
CWE‑664 C++ cpp/initialization-not-run Initialization code not run
CWE‑664 C++ cpp/memory-may-not-be-freed Memory may not be freed
CWE‑664 C++ cpp/memory-never-freed Memory is never freed
CWE‑664 C++ cpp/new-free-mismatch Mismatching new/free or malloc/delete
CWE‑664 C++ cpp/not-initialised Variable not initialized before use
CWE‑664 C++ cpp/use-after-free Potential use after free
CWE‑664 C++ cpp/bad-addition-overflow-check Bad check for overflow of integer addition
CWE‑664 C++ cpp/integer-multiplication-cast-to-long Multiplication result converted to larger type
CWE‑664 C++ cpp/upcast-array-pointer-arithmetic Upcast array used in pointer arithmetic
CWE‑664 C++ cpp/alloca-in-loop Call to alloca in a loop
CWE‑664 C++ cpp/improper-null-termination Potential improper null termination
CWE‑664 C++ cpp/return-stack-allocated-memory Returning stack-allocated memory
CWE‑664 C++ cpp/uninitialized-local Potentially uninitialized local variable
CWE‑664 C++ cpp/self-assignment-check Self assignment check
CWE‑664 C++ cpp/path-injection Uncontrolled data used in path expression
CWE‑664 C++ cpp/comparison-with-wider-type Comparison of narrow type with wide type in loop condition
CWE‑664 C++ cpp/integer-overflow-tainted Potential integer arithmetic overflow
CWE‑664 C++ cpp/user-controlled-bypass Authentication bypass by spoofing
CWE‑664 C++ cpp/cleartext-storage-buffer Cleartext storage of sensitive information in buffer
CWE‑664 C++ cpp/cleartext-storage-file Cleartext storage of sensitive information in file
CWE‑664 C++ cpp/cleartext-storage-database Cleartext storage of sensitive information in an SQLite database
CWE‑664 C++ cpp/unsafe-create-process-call NULL application name with an unquoted path in call to CreateProcess
CWE‑664 C++ cpp/conditionally-uninitialized-variable Conditionally uninitialized variable
CWE‑664 C++ cpp/system-data-exposure Exposure of system data to an unauthorized control sphere
CWE‑664 C++ cpp/incorrect-string-type-conversion Cast from char to wchar_t
CWE‑664 C++ cpp/world-writable-file-creation File created without restricting permissions
CWE‑664 C++ cpp/unsafe-dacl-security-descriptor Setting a DACL to NULL in a SECURITY_DESCRIPTOR
CWE‑664 C++ cpp/lock-order-cycle Cyclic lock order dependency
CWE‑664 C++ cpp/twice-locked Mutex locked twice
CWE‑664 C++ cpp/unreleased-lock Lock may not be released
CWE‑664 C++ cpp/drop-linux-privileges-outoforder LinuxPrivilegeDroppingOutoforder
CWE‑664 C++ cpp/private-cleartext-write Exposure of private information
CWE‑664 C++ cpp/memory-leak-on-failed-call-to-realloc Memory leak on failed call to realloc
CWE‑664 C++ cpp/resource-not-released-in-destructor Resource not released in destructor
CWE‑664 C# cs/dispose-not-called-on-throw Dispose may not be called if an exception is thrown during execution
CWE‑664 C# cs/member-not-disposed Missing Dispose call
CWE‑664 C# cs/missing-dispose-method Missing Dispose method
CWE‑664 C# cs/local-not-disposed Missing Dispose call on local IDisposable
CWE‑664 C# cs/class-name-comparison Erroneous class compare
CWE‑664 C# cs/web/debug-code ASP.NET: leftover debug code
CWE‑664 C# cs/web/html-hidden-input Use of HTMLInputHidden
CWE‑664 C# cs/cast-from-abstract-to-concrete-collection Cast from abstract to concrete collection
CWE‑664 C# cs/expose-implementation Exposing internal representation
CWE‑664 C# cs/static-array Array constant vulnerable to change
CWE‑664 C# cs/unsafe-sync-on-field Futile synchronization on field
CWE‑664 C# cs/inconsistent-lock-sequence Inconsistent lock sequence
CWE‑664 C# cs/lock-this Locking the 'this' object in a lock statement
CWE‑664 C# cs/locked-wait A lock is held during a wait
CWE‑664 C# cs/unsynchronized-getter Inconsistently synchronized property
CWE‑664 C# cs/unsafe-double-checked-lock Double-checked lock is not thread-safe
CWE‑664 C# cs/unsynchronized-static-access Unsynchronized access to static collection member in non-static context
CWE‑664 C# cs/empty-password-in-configuration Empty password in configuration file
CWE‑664 C# cs/password-in-configuration Password in configuration file
CWE‑664 C# cs/unassigned-field Field is never assigned a non-default value
CWE‑664 C# cs/web/file-upload Use of file upload
CWE‑664 C# cs/catch-of-all-exceptions Generic catch clause
CWE‑664 C# cs/loss-of-precision Possible loss of precision
CWE‑664 C# cs/web/broad-cookie-domain Cookie security: overly broad domain
CWE‑664 C# cs/web/broad-cookie-path Cookie security: overly broad path
CWE‑664 C# cs/web/persistent-cookie Cookie security: persistent cookie
CWE‑664 C# cs/web/debug-binary Creating an ASP.NET debug binary may reveal sensitive information
CWE‑664 C# cs/path-injection Uncontrolled data used in path expression
CWE‑664 C# cs/zipslip Arbitrary file write during zip extraction ("Zip Slip")
CWE‑664 C# cs/code-injection Improper control of generation of code
CWE‑664 C# cs/sensitive-data-transmission Information exposure through transmitted data
CWE‑664 C# cs/information-exposure-through-exception Information exposure through an exception
CWE‑664 C# cs/cleartext-storage-of-sensitive-information Clear text storage of sensitive information
CWE‑664 C# cs/exposure-of-sensitive-information Exposure of private information
CWE‑664 C# cs/session-reuse Failure to abandon session
CWE‑664 C# cs/web/missing-x-frame-options Missing X-Frame-Options HTTP header
CWE‑664 C# cs/deserialized-delegate Deserialized delegate
CWE‑664 C# cs/unsafe-deserialization Unsafe deserializer
CWE‑664 C# cs/unsafe-deserialization-untrusted-input Deserialization of untrusted data
CWE‑664 C# cs/web/directory-browse-enabled ASP.NET config file enables directory browsing
CWE‑664 C# cs/web/unvalidated-url-redirection URL redirection from remote source
CWE‑664 C# cs/xml/insecure-dtd-handling Untrusted XML is read insecurely
CWE‑664 C# cs/insecure-xml-read XML is read insecurely
CWE‑664 C# cs/redos Denial of Service from comparison of user input against expensive regex
CWE‑664 C# cs/regex-injection Regular expression injection
CWE‑664 C# cs/hardcoded-connection-string-credentials Hard-coded connection string with credentials
CWE‑664 C# cs/hardcoded-credentials Hard-coded credentials
CWE‑664 C# cs/user-controlled-bypass User-controlled bypass of sensitive method
CWE‑664 C# cs/webclient-path-injection Uncontrolled data used in a WebClient
CWE‑664 Python py/catch-base-exception Except block handles 'BaseException'
CWE‑664 Python py/implicit-string-concatenation-in-list Implicit string concatenation in a list
CWE‑664 Python py/file-not-closed File is not always closed
CWE‑664 Python py/path-injection Uncontrolled data used in path expression
CWE‑664 Python py/tarslip Arbitrary file write during tarfile extraction
CWE‑664 Python py/code-injection Code injection
CWE‑664 Python py/stack-trace-exposure Information exposure through an exception
CWE‑664 Python py/flask-debug Flask app is run in debug mode
CWE‑664 Python py/clear-text-logging-sensitive-data Clear-text logging of sensitive information
CWE‑664 Python py/clear-text-storage-sensitive-data Clear-text storage of sensitive information
CWE‑664 Python py/insecure-temporary-file Insecure temporary file
CWE‑664 Python py/unsafe-deserialization Deserializing untrusted input
CWE‑664 Python py/url-redirection URL redirection from remote source
CWE‑664 Python py/overly-permissive-file Overly permissive file permissions
CWE‑664 Python py/hardcoded-credentials Hard-coded credentials
CWE‑664 Python py/regex-injection Regular expression injection
CWE‑664 JavaScript js/alert-call Invocation of alert
CWE‑664 JavaScript js/unsafe-external-link Potentially unsafe external link
CWE‑664 JavaScript js/enabling-electron-renderer-node-integration Enabling Node.js integration for Electron web content renderers
CWE‑664 JavaScript js/implicit-operand-conversion Implicit operand conversion
CWE‑664 JavaScript js/shift-out-of-range Shift out of range
CWE‑664 JavaScript js/debugger-statement Use of debugger statement
CWE‑664 JavaScript js/invalid-prototype-value Invalid prototype value
CWE‑664 JavaScript js/property-assignment-on-primitive Assignment to property of primitive value
CWE‑664 JavaScript js/polynomial-redos Polynomial regular expression used on uncontrolled data
CWE‑664 JavaScript js/redos Inefficient regular expression
CWE‑664 JavaScript js/path-injection Uncontrolled data used in path expression
CWE‑664 JavaScript js/zipslip Arbitrary file write during zip extraction ("Zip Slip")
CWE‑664 JavaScript js/template-object-injection Template Object Injection
CWE‑664 JavaScript js/code-injection Code injection
CWE‑664 JavaScript js/bad-code-sanitization Improper code sanitization
CWE‑664 JavaScript js/unsafe-dynamic-method-access Unsafe dynamic method access
CWE‑664 JavaScript js/file-access-to-http File data in outbound network request
CWE‑664 JavaScript js/exposure-of-private-files Exposure of private files
CWE‑664 JavaScript js/cross-window-information-leak Cross-window communication with unrestricted target origin
CWE‑664 JavaScript js/stack-trace-exposure Information exposure through a stack trace
CWE‑664 JavaScript js/build-artifact-leak Storage of sensitive information in build artifact
CWE‑664 JavaScript js/clear-text-logging Clear-text logging of sensitive information
CWE‑664 JavaScript js/clear-text-storage-of-sensitive-data Clear text storage of sensitive information
CWE‑664 JavaScript js/password-in-configuration-file Password in configuration file
CWE‑664 JavaScript js/cors-misconfiguration-for-credentials CORS misconfiguration for credentials transfer
CWE‑664 JavaScript js/resource-exhaustion-from-deep-object-traversal Resources exhaustion from deep object traversal
CWE‑664 JavaScript js/remote-property-injection Remote property injection
CWE‑664 JavaScript js/missing-x-frame-options Missing X-Frame-Options HTTP header
CWE‑664 JavaScript js/unsafe-deserialization Deserialization of user-controlled data
CWE‑664 JavaScript js/client-side-unvalidated-url-redirection Client-side URL redirect
CWE‑664 JavaScript js/server-side-unvalidated-url-redirection Server-side URL redirect
CWE‑664 JavaScript js/xxe XML external entity expansion
CWE‑664 JavaScript js/host-header-forgery-in-email-generation Host header poisoning in email generation
CWE‑664 JavaScript js/regex-injection Regular expression injection
CWE‑664 JavaScript js/missing-rate-limiting Missing rate limiting
CWE‑664 JavaScript js/xml-bomb XML internal entity expansion
CWE‑664 JavaScript js/hardcoded-credentials Hard-coded credentials
CWE‑664 JavaScript js/user-controlled-bypass User-controlled bypass of security check
CWE‑664 JavaScript js/different-kinds-comparison-bypass Comparison of user-controlled data of different kinds
CWE‑664 JavaScript js/insecure-download Download of sensitive file through insecure connection
CWE‑664 JavaScript js/type-confusion-through-parameter-tampering Type confusion through parameter tampering
CWE‑664 JavaScript js/http-to-file-access Network data written to file
CWE‑664 JavaScript js/prototype-polluting-assignment Prototype-polluting assignment
CWE‑664 JavaScript js/prototype-pollution-utility Prototype-polluting function
CWE‑664 JavaScript js/prototype-pollution Prototype-polluting merge call
CWE‑664 JavaScript js/request-forgery Uncontrolled data used in network request
CWE‑664 JavaScript js/actions/injection Expression injection in Actions
CWE‑664 JavaScript js/actions/pull-request-target Checkout of untrusted code in trusted context
CWE‑664 JavaScript js/resource-exhaustion Resource exhaustion
CWE‑664 Go go/shift-out-of-range Shift out of range
CWE‑664 Go go/path-injection Uncontrolled data used in path expression
CWE‑664 Go go/unsafe-unzip-symlink Arbitrary file write extracting an archive containing symbolic links
CWE‑664 Go go/zipslip Arbitrary file write during zip extraction ("zip slip")
CWE‑664 Go go/unsafe-quoting Potentially unsafe quoting
CWE‑664 Go go/stack-trace-exposure Information exposure through a stack trace
CWE‑664 Go go/clear-text-logging Clear-text logging of sensitive information
CWE‑664 Go go/bad-redirect-check Bad redirect check
CWE‑664 Go go/unvalidated-url-redirection Open URL redirect
CWE‑664 Go go/email-injection Email content injection
CWE‑664 Go go/incorrect-integer-conversion Incorrect conversion between integer types
CWE‑664 Go go/hardcoded-credentials Hard-coded credentials
CWE‑664 Go go/request-forgery Uncontrolled data used in network request
CWE‑664 Go go/sensitive-condition-bypass User-controlled bypassing of sensitive action
CWE‑665 Java java/unassigned-field Field is never assigned a non-null value
CWE‑665 C++ cpp/global-use-before-init Global variable may be used before initialization
CWE‑665 C++ cpp/initialization-not-run Initialization code not run
CWE‑665 C++ cpp/not-initialised Variable not initialized before use
CWE‑665 C++ cpp/alloca-in-loop Call to alloca in a loop
CWE‑665 C++ cpp/improper-null-termination Potential improper null termination
CWE‑665 C++ cpp/uninitialized-local Potentially uninitialized local variable
CWE‑665 C++ cpp/conditionally-uninitialized-variable Conditionally uninitialized variable
CWE‑665 C# cs/unassigned-field Field is never assigned a non-default value
CWE‑665 Python py/implicit-string-concatenation-in-list Implicit string concatenation in a list
CWE‑665 JavaScript js/missing-rate-limiting Missing rate limiting
CWE‑665 JavaScript js/resource-exhaustion Resource exhaustion
CWE‑666 C++ cpp/use-after-free Potential use after free
CWE‑666 C++ cpp/return-stack-allocated-memory Returning stack-allocated memory
CWE‑666 C++ cpp/self-assignment-check Self assignment check
CWE‑667 Java java/unsafe-double-checked-locking Double-checked locking is not thread-safe
CWE‑667 Java java/unsafe-double-checked-locking-init-order Race condition in double-checked locking object initialization
CWE‑667 Java java/lazy-initialization Incorrect lazy initialization of a static field
CWE‑667 Java java/sleep-with-lock-held Sleep with lock held
CWE‑667 Java java/unsynchronized-getter Inconsistent synchronization of getter and setter
CWE‑667 Java java/unreleased-lock Unreleased lock
CWE‑667 Java java/wait-with-two-locks Wait with two locks held
CWE‑667 Java java/lock-order-inconsistency Lock order inconsistency
CWE‑667 C++ cpp/lock-order-cycle Cyclic lock order dependency
CWE‑667 C++ cpp/twice-locked Mutex locked twice
CWE‑667 C++ cpp/unreleased-lock Lock may not be released
CWE‑667 C# cs/locked-wait A lock is held during a wait
CWE‑667 C# cs/unsafe-double-checked-lock Double-checked lock is not thread-safe
CWE‑668 Java java/path-injection Uncontrolled data used in path expression
CWE‑668 Java java/path-injection-local Local-user-controlled data in path expression
CWE‑668 Java java/zipslip Arbitrary file write during archive extraction ("Zip Slip")
CWE‑668 Java java/stack-trace-exposure Information exposure through a stack trace
CWE‑668 Java java/world-writable-file-read Reading from a world writable file
CWE‑668 Java java/static-array Array constant vulnerable to change
CWE‑668 Java java/openstream-called-on-tainted-url openStream called on URLs created from remote source
CWE‑668 Java java/credentials-in-properties Cleartext Credentials in Properties File
CWE‑668 Java java/password-in-configuration Password in configuration file
CWE‑668 C++ cpp/path-injection Uncontrolled data used in path expression
CWE‑668 C++ cpp/unsafe-create-process-call NULL application name with an unquoted path in call to CreateProcess
CWE‑668 C++ cpp/system-data-exposure Exposure of system data to an unauthorized control sphere
CWE‑668 C++ cpp/world-writable-file-creation File created without restricting permissions
CWE‑668 C++ cpp/unsafe-dacl-security-descriptor Setting a DACL to NULL in a SECURITY_DESCRIPTOR
CWE‑668 C++ cpp/private-cleartext-write Exposure of private information
CWE‑668 C# cs/web/html-hidden-input Use of HTMLInputHidden
CWE‑668 C# cs/static-array Array constant vulnerable to change
CWE‑668 C# cs/empty-password-in-configuration Empty password in configuration file
CWE‑668 C# cs/password-in-configuration Password in configuration file
CWE‑668 C# cs/web/persistent-cookie Cookie security: persistent cookie
CWE‑668 C# cs/web/debug-binary Creating an ASP.NET debug binary may reveal sensitive information
CWE‑668 C# cs/path-injection Uncontrolled data used in path expression
CWE‑668 C# cs/zipslip Arbitrary file write during zip extraction ("Zip Slip")
CWE‑668 C# cs/sensitive-data-transmission Information exposure through transmitted data
CWE‑668 C# cs/information-exposure-through-exception Information exposure through an exception
CWE‑668 C# cs/cleartext-storage-of-sensitive-information Clear text storage of sensitive information
CWE‑668 C# cs/exposure-of-sensitive-information Exposure of private information
CWE‑668 C# cs/web/directory-browse-enabled ASP.NET config file enables directory browsing
CWE‑668 C# cs/webclient-path-injection Uncontrolled data used in a WebClient
CWE‑668 Python py/path-injection Uncontrolled data used in path expression
CWE‑668 Python py/tarslip Arbitrary file write during tarfile extraction
CWE‑668 Python py/stack-trace-exposure Information exposure through an exception
CWE‑668 Python py/flask-debug Flask app is run in debug mode
CWE‑668 Python py/clear-text-logging-sensitive-data Clear-text logging of sensitive information
CWE‑668 Python py/clear-text-storage-sensitive-data Clear-text storage of sensitive information
CWE‑668 Python py/insecure-temporary-file Insecure temporary file
CWE‑668 Python py/overly-permissive-file Overly permissive file permissions
CWE‑668 JavaScript js/unsafe-external-link Potentially unsafe external link
CWE‑668 JavaScript js/path-injection Uncontrolled data used in path expression
CWE‑668 JavaScript js/zipslip Arbitrary file write during zip extraction ("Zip Slip")
CWE‑668 JavaScript js/template-object-injection Template Object Injection
CWE‑668 JavaScript js/file-access-to-http File data in outbound network request
CWE‑668 JavaScript js/exposure-of-private-files Exposure of private files
CWE‑668 JavaScript js/cross-window-information-leak Cross-window communication with unrestricted target origin
CWE‑668 JavaScript js/stack-trace-exposure Information exposure through a stack trace
CWE‑668 JavaScript js/build-artifact-leak Storage of sensitive information in build artifact
CWE‑668 JavaScript js/clear-text-logging Clear-text logging of sensitive information
CWE‑668 JavaScript js/clear-text-storage-of-sensitive-data Clear text storage of sensitive information
CWE‑668 JavaScript js/password-in-configuration-file Password in configuration file
CWE‑668 Go go/path-injection Uncontrolled data used in path expression
CWE‑668 Go go/unsafe-unzip-symlink Arbitrary file write extracting an archive containing symbolic links
CWE‑668 Go go/zipslip Arbitrary file write during zip extraction ("zip slip")
CWE‑668 Go go/stack-trace-exposure Information exposure through a stack trace
CWE‑668 Go go/clear-text-logging Clear-text logging of sensitive information
CWE‑669 Java java/xxe Resolving XML external entity in user-controlled data
CWE‑669 Java java/maven/non-https-url Failure to use HTTPS or SFTP URL in Maven artifact upload/download
CWE‑669 C# cs/web/file-upload Use of file upload
CWE‑669 C# cs/web/missing-x-frame-options Missing X-Frame-Options HTTP header
CWE‑669 C# cs/xml/insecure-dtd-handling Untrusted XML is read insecurely
CWE‑669 C# cs/insecure-xml-read XML is read insecurely
CWE‑669 JavaScript js/missing-x-frame-options Missing X-Frame-Options HTTP header
CWE‑669 JavaScript js/xxe XML external entity expansion
CWE‑669 JavaScript js/insecure-download Download of sensitive file through insecure connection
CWE‑669 JavaScript js/http-to-file-access Network data written to file
CWE‑670 Java java/whitespace-contradicts-precedence Whitespace contradicts operator precedence
CWE‑670 Java java/assignment-in-boolean-expression Assignment in Boolean expression
CWE‑670 Java java/reference-equality-on-strings Reference equality test on strings
CWE‑670 Java java/switch-fall-through Unterminated switch case
CWE‑670 C++ cpp/assign-where-compare-meant Assignment where comparison was intended
CWE‑670 C++ cpp/compare-where-assign-meant Comparison where assignment was intended
CWE‑670 C++ cpp/incorrect-not-operator-usage Incorrect 'not' operator usage
CWE‑670 C++ cpp/logical-operator-applied-to-flag Short-circuiting operator applied to flag
CWE‑670 C++ cpp/unsafe-use-of-this Unsafe use of this in constructor
CWE‑670 C++ cpp/operator-precedence-logic-error-when-use-bool-type Operator Precedence Logic Error When Use Bool Type
CWE‑670 C# cs/non-short-circuit Potentially dangerous use of non-short-circuit logic
CWE‑670 Python py/asserts-tuple Asserting a tuple
CWE‑670 JavaScript js/useless-expression Expression has no effect
CWE‑670 JavaScript js/redundant-operation Identical operands
CWE‑670 JavaScript js/redundant-assignment Self assignment
CWE‑670 JavaScript js/unclear-operator-precedence Unclear precedence of nested operators
CWE‑670 JavaScript js/whitespace-contradicts-precedence Whitespace contradicts operator precedence
CWE‑670 JavaScript js/deletion-of-non-property Deleting non-property
CWE‑670 JavaScript js/misleading-indentation-of-dangling-else Misleading indentation of dangling 'else'
CWE‑670 JavaScript js/misleading-indentation-after-control-statement Misleading indentation after control statement
CWE‑670 Go go/whitespace-contradicts-precedence Whitespace contradicts operator precedence
CWE‑670 Go go/useless-expression Expression has no effect
CWE‑670 Go go/redundant-operation Identical operands
CWE‑670 Go go/redundant-assignment Self assignment
CWE‑671 Java java/hardcoded-credential-api-call Hard-coded credential in API call
CWE‑671 Java java/hardcoded-credential-comparison Hard-coded credential comparison
CWE‑671 Java java/hardcoded-credential-sensitive-call Hard-coded credential in sensitive call
CWE‑671 Java java/hardcoded-password-field Hard-coded password field
CWE‑671 C# cs/hardcoded-connection-string-credentials Hard-coded connection string with credentials
CWE‑671 C# cs/hardcoded-credentials Hard-coded credentials
CWE‑671 Python py/hardcoded-credentials Hard-coded credentials
CWE‑671 JavaScript js/hardcoded-credentials Hard-coded credentials
CWE‑671 Go go/hardcoded-credentials Hard-coded credentials
CWE‑672 C++ cpp/use-after-free Potential use after free
CWE‑672 C++ cpp/return-stack-allocated-memory Returning stack-allocated memory
CWE‑674 Java java/xxe Resolving XML external entity in user-controlled data
CWE‑674 C# cs/xml/insecure-dtd-handling Untrusted XML is read insecurely
CWE‑674 C# cs/insecure-xml-read XML is read insecurely
CWE‑674 JavaScript js/xml-bomb XML internal entity expansion
CWE‑675 Java java/unreleased-lock Unreleased lock
CWE‑675 C++ cpp/lock-order-cycle Cyclic lock order dependency
CWE‑675 C++ cpp/twice-locked Mutex locked twice
CWE‑675 C++ cpp/unreleased-lock Lock may not be released
CWE‑676 Java java/potentially-dangerous-function Use of a potentially dangerous function
CWE‑676 C++ cpp/bad-strncpy-size Possibly wrong buffer size in string copy
CWE‑676 C++ cpp/suspicious-call-to-memset Suspicious call to memset
CWE‑676 C++ cpp/unsafe-strncat Potentially unsafe call to strncat
CWE‑676 C++ cpp/unsafe-strcat Potentially unsafe use of strcat
CWE‑676 C++ cpp/dangerous-function-overflow Use of dangerous function
CWE‑676 C++ cpp/dangerous-cin Dangerous use of 'cin'
CWE‑676 C++ cpp/potentially-dangerous-function Use of potentially dangerous function
CWE‑676 JavaScript js/eval-like-call Call to eval-like DOM function
CWE‑676 JavaScript js/eval-call Use of eval
CWE‑681 Java java/implicit-cast-in-compound-assignment Implicit narrowing conversion in compound assignment
CWE‑681 Java java/integer-multiplication-cast-to-long Result of multiplication cast to wider type
CWE‑681 Java java/comparison-with-wider-type Comparison of narrow type with wide type in loop condition
CWE‑681 Java java/tainted-numeric-cast User-controlled data in numeric cast
CWE‑681 Java java/tainted-numeric-cast-local Local-user-controlled data in numeric cast
CWE‑681 C++ cpp/bad-addition-overflow-check Bad check for overflow of integer addition
CWE‑681 C++ cpp/integer-multiplication-cast-to-long Multiplication result converted to larger type
CWE‑681 C++ cpp/comparison-with-wider-type Comparison of narrow type with wide type in loop condition
CWE‑681 C++ cpp/integer-overflow-tainted Potential integer arithmetic overflow
CWE‑681 C# cs/loss-of-precision Possible loss of precision
CWE‑681 JavaScript js/shift-out-of-range Shift out of range
CWE‑681 Go go/shift-out-of-range Shift out of range
CWE‑681 Go go/incorrect-integer-conversion Incorrect conversion between integer types
CWE‑682 Java java/implicit-cast-in-compound-assignment Implicit narrowing conversion in compound assignment
CWE‑682 Java java/integer-multiplication-cast-to-long Result of multiplication cast to wider type
CWE‑682 Java java/index-out-of-bounds Array index out of bounds
CWE‑682 Java java/tainted-arithmetic User-controlled data in arithmetic expression
CWE‑682 Java java/tainted-arithmetic-local Local-user-controlled data in arithmetic expression
CWE‑682 Java java/uncontrolled-arithmetic Uncontrolled data in arithmetic expression
CWE‑682 Java java/extreme-value-arithmetic Use of extreme values in arithmetic expression
CWE‑682 Java java/comparison-with-wider-type Comparison of narrow type with wide type in loop condition
CWE‑682 C++ cpp/overflow-calculated Buffer not sufficient for string
CWE‑682 C++ cpp/overflow-destination Copy function using source size
CWE‑682 C++ cpp/static-buffer-overflow Static array access may cause overflow
CWE‑682 C++ cpp/allocation-too-small Not enough memory allocated for pointer type
CWE‑682 C++ cpp/suspicious-allocation-size Not enough memory allocated for array of pointer type
CWE‑682 C++ cpp/ambiguously-signed-bit-field Ambiguously signed bit-field member
CWE‑682 C++ cpp/bad-addition-overflow-check Bad check for overflow of integer addition
CWE‑682 C++ cpp/integer-multiplication-cast-to-long Multiplication result converted to larger type
CWE‑682 C++ cpp/signed-overflow-check Signed overflow check
CWE‑682 C++ cpp/overflowing-snprintf Potentially overflowing call to snprintf
CWE‑682 C++ cpp/suspicious-sizeof Suspicious 'sizeof' use
CWE‑682 C++ cpp/no-space-for-terminator No space for zero terminator
CWE‑682 C++ cpp/tainted-arithmetic User-controlled data in arithmetic expression
CWE‑682 C++ cpp/uncontrolled-arithmetic Uncontrolled data in arithmetic expression
CWE‑682 C++ cpp/arithmetic-with-extreme-values Use of extreme values in arithmetic expression
CWE‑682 C++ cpp/comparison-with-wider-type Comparison of narrow type with wide type in loop condition
CWE‑682 C++ cpp/integer-overflow-tainted Potential integer arithmetic overflow
CWE‑682 C++ cpp/uncontrolled-allocation-size Overflow in uncontrolled allocation size
CWE‑682 C++ cpp/unsigned-difference-expression-compared-zero Unsigned difference expression compared to zero
CWE‑682 C++ cpp/suspicious-pointer-scaling Suspicious pointer scaling
CWE‑682 C++ cpp/incorrect-pointer-scaling-char Suspicious pointer scaling to char
CWE‑682 C++ cpp/suspicious-pointer-scaling-void Suspicious pointer scaling to void
CWE‑682 C++ cpp/suspicious-add-sizeof Suspicious add with sizeof
CWE‑682 C++ cpp/multiplication-overflow-in-alloc Multiplication result may overflow and be used in allocation
CWE‑682 C++ cpp/signed-bit-field Possible signed bit-field member
CWE‑682 C# cs/loss-of-precision Possible loss of precision
CWE‑682 C# cs/index-out-of-bounds Off-by-one comparison against container length
CWE‑682 JavaScript js/index-out-of-bounds Off-by-one comparison against length
CWE‑682 Go go/index-out-of-bounds Off-by-one comparison against length
CWE‑682 Go go/allocation-size-overflow Size computation for allocation may overflow
CWE‑682 Go go/incorrect-integer-conversion Incorrect conversion between integer types
CWE‑682 Go go/divide-by-zero Divide by zero
CWE‑684 C# cs/web/missing-x-frame-options Missing X-Frame-Options HTTP header
CWE‑684 JavaScript js/missing-x-frame-options Missing X-Frame-Options HTTP header
CWE‑685 Java java/missing-format-argument Missing format argument
CWE‑685 Java java/unused-format-argument Unused format argument
CWE‑685 C++ cpp/wrong-number-format-arguments Too few arguments to formatting function
CWE‑685 C++ cpp/too-few-arguments Call to function with fewer arguments than declared parameters
CWE‑685 Python py/call/wrong-number-class-arguments Wrong number of arguments in a class instantiation
CWE‑685 Python py/percent-format/wrong-arguments Wrong number of arguments for format
CWE‑685 Python py/call/wrong-arguments Wrong number of arguments in a call
CWE‑685 JavaScript js/superfluous-trailing-arguments Superfluous trailing arguments
CWE‑686 C++ cpp/wrong-type-format-argument Wrong type of arguments to formatting function
CWE‑687 Python py/super-not-enclosing-class First argument to super() is not enclosing class
CWE‑691 Java java/ejb/container-interference EJB interferes with container operation
CWE‑691 Java java/ejb/synchronization EJB uses synchronization
CWE‑691 Java java/whitespace-contradicts-precedence Whitespace contradicts operator precedence
CWE‑691 Java java/assignment-in-boolean-expression Assignment in Boolean expression
CWE‑691 Java java/reference-equality-on-strings Reference equality test on strings
CWE‑691 Java java/wait-on-condition-interface Wait on condition
CWE‑691 Java java/call-to-thread-run Direct call to a run() method
CWE‑691 Java java/unsafe-double-checked-locking Double-checked locking is not thread-safe
CWE‑691 Java java/unsafe-double-checked-locking-init-order Race condition in double-checked locking object initialization
CWE‑691 Java java/unsafe-sync-on-field Futile synchronization on field
CWE‑691 Java java/inconsistent-field-synchronization Inconsistent synchronization for field
CWE‑691 Java java/lazy-initialization Incorrect lazy initialization of a static field
CWE‑691 Java java/non-sync-override Non-synchronized override of synchronized method
CWE‑691 Java java/notify-instead-of-notify-all notify instead of notifyAll
CWE‑691 Java java/sleep-with-lock-held Sleep with lock held
CWE‑691 Java java/sync-on-boxed-types Synchronization on boxed types or strings
CWE‑691 Java java/unsynchronized-getter Inconsistent synchronization of getter and setter
CWE‑691 Java java/inconsistent-sync-writeobject Inconsistent synchronization for writeObject()
CWE‑691 Java java/unreleased-lock Unreleased lock
CWE‑691 Java java/wait-with-two-locks Wait with two locks held
CWE‑691 Java java/non-short-circuit-evaluation Dangerous non-short-circuit logic
CWE‑691 Java java/constant-loop-condition Constant loop condition
CWE‑691 Java java/insecure-bean-validation Insecure Bean Validation
CWE‑691 Java java/toctou-race-condition Time-of-check time-of-use race condition
CWE‑691 Java java/socket-auth-race-condition Race condition in socket authentication
CWE‑691 Java java/xxe Resolving XML external entity in user-controlled data
CWE‑691 Java java/lock-order-inconsistency Lock order inconsistency
CWE‑691 Java java/unreachable-exit-in-loop Loop with unreachable exit condition
CWE‑691 Java java/switch-fall-through Unterminated switch case
CWE‑691 Java java/overly-general-catch Overly-general catch clause
CWE‑691 Java java/uncaught-number-format-exception Missing catch of NumberFormatException
CWE‑691 Java java/jvm-exit Forcible JVM termination
CWE‑691 Java java/abnormal-finally-completion Finally block may not complete normally
CWE‑691 Java java/groovy-injection Groovy Language injection
CWE‑691 Java java/android-insecure-dex-loading Insecure loading of an Android Dex File
CWE‑691 Java java/javaee-expression-injection Jakarta Expression Language injection
CWE‑691 Java java/jexl-expression-injection Expression language injection (JEXL)
CWE‑691 Java java/mvel-expression-injection Expression language injection (MVEL)
CWE‑691 Java java/unsafe-eval ScriptEngine evaluation
CWE‑691 Java java/spel-expression-injection Expression language injection (Spring)
CWE‑691 Java java/spring-view-manipulation-implicit Spring Implicit View Manipulation
CWE‑691 Java java/spring-view-manipulation Spring View Manipulation
CWE‑691 Java java/android/unsafe-android-webview-fetch Unsafe resource fetching in Android webview
CWE‑691 C++ cpp/assign-where-compare-meant Assignment where comparison was intended
CWE‑691 C++ cpp/compare-where-assign-meant Comparison where assignment was intended
CWE‑691 C++ cpp/incorrect-not-operator-usage Incorrect 'not' operator usage
CWE‑691 C++ cpp/logical-operator-applied-to-flag Short-circuiting operator applied to flag
CWE‑691 C++ cpp/inconsistent-loop-direction Inconsistent direction of for loop
CWE‑691 C++ cpp/unsafe-use-of-this Unsafe use of this in constructor
CWE‑691 C++ cpp/comparison-with-wider-type Comparison of narrow type with wide type in loop condition
CWE‑691 C++ cpp/toctou-race-condition Time-of-check time-of-use filesystem race condition
CWE‑691 C++ cpp/lock-order-cycle Cyclic lock order dependency
CWE‑691 C++ cpp/twice-locked Mutex locked twice
CWE‑691 C++ cpp/unreleased-lock Lock may not be released
CWE‑691 C++ cpp/infinite-loop-with-unsatisfiable-exit-condition Infinite loop with unsatisfiable exit condition
CWE‑691 C++ cpp/errors-after-refactoring Errors After Refactoring
CWE‑691 C++ cpp/errors-when-using-bit-operations Errors When Using Bit Operations
CWE‑691 C++ cpp/operator-precedence-logic-error-when-use-bool-type Operator Precedence Logic Error When Use Bool Type
CWE‑691 C# cs/catch-nullreferenceexception Poor error handling: catch of NullReferenceException
CWE‑691 C# cs/constant-condition Constant condition
CWE‑691 C# cs/unsafe-sync-on-field Futile synchronization on field
CWE‑691 C# cs/inconsistent-lock-sequence Inconsistent lock sequence
CWE‑691 C# cs/lock-this Locking the 'this' object in a lock statement
CWE‑691 C# cs/locked-wait A lock is held during a wait
CWE‑691 C# cs/unsynchronized-getter Inconsistently synchronized property
CWE‑691 C# cs/unsafe-double-checked-lock Double-checked lock is not thread-safe
CWE‑691 C# cs/unsynchronized-static-access Unsynchronized access to static collection member in non-static context
CWE‑691 C# cs/catch-of-all-exceptions Generic catch clause
CWE‑691 C# cs/non-short-circuit Potentially dangerous use of non-short-circuit logic
CWE‑691 C# cs/thread-unsafe-icryptotransform-field-in-class Thread-unsafe use of a static ICryptoTransform field
CWE‑691 C# cs/thread-unsafe-icryptotransform-captured-in-lambda Thread-unsafe capturing of an ICryptoTransform object
CWE‑691 C# cs/linq/inconsistent-enumeration Bad multiple iteration
CWE‑691 C# cs/code-injection Improper control of generation of code
CWE‑691 C# cs/web/missing-global-error-handler Missing global error handler
CWE‑691 C# cs/xml/insecure-dtd-handling Untrusted XML is read insecurely
CWE‑691 C# cs/insecure-xml-read XML is read insecurely
CWE‑691 Python py/catch-base-exception Except block handles 'BaseException'
CWE‑691 Python py/code-injection Code injection
CWE‑691 Python py/asserts-tuple Asserting a tuple
CWE‑691 Python py/exit-from-finally 'break' or 'return' statement in finally
CWE‑691 JavaScript js/enabling-electron-renderer-node-integration Enabling Node.js integration for Electron web content renderers
CWE‑691 JavaScript js/useless-expression Expression has no effect
CWE‑691 JavaScript js/redundant-operation Identical operands
CWE‑691 JavaScript js/redundant-assignment Self assignment
CWE‑691 JavaScript js/unclear-operator-precedence Unclear precedence of nested operators
CWE‑691 JavaScript js/whitespace-contradicts-precedence Whitespace contradicts operator precedence
CWE‑691 JavaScript js/deletion-of-non-property Deleting non-property
CWE‑691 JavaScript js/exit-from-finally Jump from finally
CWE‑691 JavaScript js/template-object-injection Template Object Injection
CWE‑691 JavaScript js/code-injection Code injection
CWE‑691 JavaScript js/bad-code-sanitization Improper code sanitization
CWE‑691 JavaScript js/unsafe-dynamic-method-access Unsafe dynamic method access
CWE‑691 JavaScript js/missing-rate-limiting Missing rate limiting
CWE‑691 JavaScript js/xml-bomb XML internal entity expansion
CWE‑691 JavaScript js/loop-bound-injection Loop bound injection
CWE‑691 JavaScript js/prototype-polluting-assignment Prototype-polluting assignment
CWE‑691 JavaScript js/prototype-pollution-utility Prototype-polluting function
CWE‑691 JavaScript js/prototype-pollution Prototype-polluting merge call
CWE‑691 JavaScript js/misleading-indentation-of-dangling-else Misleading indentation of dangling 'else'
CWE‑691 JavaScript js/inconsistent-loop-direction Inconsistent direction of for loop
CWE‑691 JavaScript js/misleading-indentation-after-control-statement Misleading indentation after control statement
CWE‑691 JavaScript js/actions/injection Expression injection in Actions
CWE‑691 JavaScript js/actions/pull-request-target Checkout of untrusted code in trusted context
CWE‑691 Go go/inconsistent-loop-direction Inconsistent direction of for loop
CWE‑691 Go go/whitespace-contradicts-precedence Whitespace contradicts operator precedence
CWE‑691 Go go/useless-expression Expression has no effect
CWE‑691 Go go/redundant-operation Identical operands
CWE‑691 Go go/redundant-assignment Self assignment
CWE‑691 Go go/unsafe-quoting Potentially unsafe quoting
CWE‑693 Java java/count-untrusted-data-external-api Frequency counts for external APIs that are used with untrusted data
CWE‑693 Java java/untrusted-data-to-external-api Untrusted data passed to external API
CWE‑693 Java java/improper-validation-of-array-construction Improper validation of user-provided size used for array construction
CWE‑693 Java java/improper-validation-of-array-construction-code-specified Improper validation of code-specified size used for array construction
CWE‑693 Java java/improper-validation-of-array-construction-local Improper validation of local user-provided size used for array construction
CWE‑693 Java java/improper-validation-of-array-index Improper validation of user-provided array index
CWE‑693 Java java/improper-validation-of-array-index-code-specified Improper validation of code-specified array index
CWE‑693 Java java/improper-validation-of-array-index-local Improper validation of local user-provided array index
CWE‑693 Java java/unsafe-hostname-verification Unsafe hostname verification
CWE‑693 Java java/cleartext-storage-in-class Cleartext storage of sensitive information using storable class
CWE‑693 Java java/cleartext-storage-in-cookie Cleartext storage of sensitive information in cookie
CWE‑693 Java java/cleartext-storage-in-properties Cleartext storage of sensitive information using 'Properties' class
CWE‑693 Java java/non-https-url Failure to use HTTPS URLs
CWE‑693 Java java/non-ssl-connection Failure to use SSL
CWE‑693 Java java/non-ssl-socket-factory Failure to use SSL socket factories
CWE‑693 Java java/weak-cryptographic-algorithm Use of a broken or risky cryptographic algorithm
CWE‑693 Java java/potentially-weak-cryptographic-algorithm Use of a potentially broken or risky cryptographic algorithm
CWE‑693 Java java/spring-disabled-csrf-protection Disabled Spring CSRF protection
CWE‑693 Java java/socket-auth-race-condition Race condition in socket authentication
CWE‑693 Java java/insecure-cookie Failure to use secure cookies
CWE‑693 Java java/world-writable-file-read Reading from a world writable file
CWE‑693 Java java/hardcoded-credential-api-call Hard-coded credential in API call
CWE‑693 Java java/hardcoded-credential-comparison Hard-coded credential comparison
CWE‑693 Java java/hardcoded-credential-sensitive-call Hard-coded credential in sensitive call
CWE‑693 Java java/hardcoded-password-field Hard-coded password field
CWE‑693 Java java/user-controlled-bypass User-controlled bypass of sensitive method
CWE‑693 Java java/tainted-permissions-check User-controlled data used in permissions check
CWE‑693 Java java/maven/non-https-url Failure to use HTTPS or SFTP URL in Maven artifact upload/download
CWE‑693 Java java/jxbrowser/disabled-certificate-validation JxBrowser with disabled certificate validation
CWE‑693 Java java/disabled-certificate-revocation-checking Disabled certificate revocation checking
CWE‑693 Java java/android/cleartext-storage-shared-prefs Cleartext storage of sensitive information using SharedPreferences on Android
CWE‑693 Java java/insufficient-key-size Weak encryption: Insufficient key size
CWE‑693 Java java/unsafe-tls-version Unsafe TLS version
CWE‑693 Java java/unvalidated-cors-origin-set CORS is derived from untrusted input
CWE‑693 Java java/missing-jwt-signature-check Missing JWT signature check
CWE‑693 Java java/ip-address-spoofing IP address spoofing
CWE‑693 Java java/jsonp-injection JSONP Injection
CWE‑693 Java java/credentials-in-properties Cleartext Credentials in Properties File
CWE‑693 Java java/password-in-configuration Password in configuration file
CWE‑693 C++ cpp/count-untrusted-data-external-api Frequency counts for external APIs that are used with untrusted data
CWE‑693 C++ cpp/count-untrusted-data-external-api-ir Frequency counts for external APIs that are used with untrusted data
CWE‑693 C++ cpp/untrusted-data-to-external-api-ir Untrusted data passed to external API
CWE‑693 C++ cpp/untrusted-data-to-external-api Untrusted data passed to external API
CWE‑693 C++ cpp/uncontrolled-process-operation Uncontrolled process operation
CWE‑693 C++ cpp/unclear-array-index-validation Unclear validation of array index
CWE‑693 C++ cpp/user-controlled-bypass Authentication bypass by spoofing
CWE‑693 C++ cpp/cleartext-storage-buffer Cleartext storage of sensitive information in buffer
CWE‑693 C++ cpp/cleartext-storage-file Cleartext storage of sensitive information in file
CWE‑693 C++ cpp/cleartext-storage-database Cleartext storage of sensitive information in an SQLite database
CWE‑693 C++ cpp/weak-cryptographic-algorithm Use of a broken or risky cryptographic algorithm
CWE‑693 C++ cpp/openssl-heartbleed Use of a version of OpenSSL with Heartbleed
CWE‑693 C++ cpp/world-writable-file-creation File created without restricting permissions
CWE‑693 C++ cpp/unsafe-dacl-security-descriptor Setting a DACL to NULL in a SECURITY_DESCRIPTOR
CWE‑693 C++ cpp/tainted-permissions-check Untrusted input for a condition
CWE‑693 C++ cpp/late-check-of-function-argument Late Check Of Function Argument
CWE‑693 C++ cpp/drop-linux-privileges-outoforder LinuxPrivilegeDroppingOutoforder
CWE‑693 C# cs/empty-password-in-configuration Empty password in configuration file
CWE‑693 C# cs/password-in-configuration Password in configuration file
CWE‑693 C# cs/web/broad-cookie-domain Cookie security: overly broad domain
CWE‑693 C# cs/web/broad-cookie-path Cookie security: overly broad path
CWE‑693 C# cs/ecb-encryption Encryption using ECB
CWE‑693 C# cs/inadequate-rsa-padding Weak encryption: inadequate RSA padding
CWE‑693 C# cs/insufficient-key-size Weak encryption: Insufficient key size
CWE‑693 C# cs/weak-encryption Weak encryption
CWE‑693 C# csharp/count-untrusted-data-external-api Frequency counts for external APIs that are used with untrusted data
CWE‑693 C# cs/serialization-check-bypass Serialization check bypass
CWE‑693 C# csharp/untrusted-data-to-external-api Untrusted data passed to external API
CWE‑693 C# cs/xml/missing-validation Missing XML validation
CWE‑693 C# cs/assembly-path-injection Assembly path injection
CWE‑693 C# cs/cleartext-storage-of-sensitive-information Clear text storage of sensitive information
CWE‑693 C# cs/adding-cert-to-root-store Do not add certificates to the system root store.
CWE‑693 C# cs/insecure-sql-connection Insecure SQL connection
CWE‑693 C# cs/web/missing-token-validation Missing cross-site request forgery token validation
CWE‑693 C# cs/session-reuse Failure to abandon session
CWE‑693 C# cs/web/requiressl-not-set 'requireSSL' attribute is not set to true
CWE‑693 C# cs/hardcoded-connection-string-credentials Hard-coded connection string with credentials
CWE‑693 C# cs/hardcoded-credentials Hard-coded credentials
CWE‑693 C# cs/user-controlled-bypass User-controlled bypass of sensitive method
CWE‑693 Python py/incomplete-hostname-regexp Incomplete regular expression for hostnames
CWE‑693 Python py/incomplete-url-substring-sanitization Incomplete URL substring sanitization
CWE‑693 Python python/count-untrusted-data-external-api Frequency counts for external APIs that are used with untrusted data
CWE‑693 Python python/untrusted-data-to-external-api Untrusted data passed to external API
CWE‑693 Python py/paramiko-missing-host-key-validation Accepting unknown SSH host keys when using Paramiko
CWE‑693 Python py/request-without-cert-validation Request without certificate validation
CWE‑693 Python py/clear-text-logging-sensitive-data Clear-text logging of sensitive information
CWE‑693 Python py/clear-text-storage-sensitive-data Clear-text storage of sensitive information
CWE‑693 Python py/weak-crypto-key Use of weak cryptographic key
CWE‑693 Python py/weak-cryptographic-algorithm Use of a broken or weak cryptographic algorithm
CWE‑693 Python py/insecure-default-protocol Default version of SSL/TLS may be insecure
CWE‑693 Python py/insecure-protocol Use of insecure SSL/TLS version
CWE‑693 Python py/overly-permissive-file Overly permissive file permissions
CWE‑693 Python py/hardcoded-credentials Hard-coded credentials
CWE‑693 JavaScript js/angular/insecure-url-whitelist Insecure URL whitelist
CWE‑693 JavaScript js/count-untrusted-data-external-api Frequency counts for external APIs that are used with untrusted data
CWE‑693 JavaScript js/incomplete-hostname-regexp Incomplete regular expression for hostnames
CWE‑693 JavaScript js/incomplete-url-scheme-check Incomplete URL scheme check
CWE‑693 JavaScript js/incomplete-url-substring-sanitization Incomplete URL substring sanitization
CWE‑693 JavaScript js/incorrect-suffix-check Incorrect suffix check
CWE‑693 JavaScript js/regex/missing-regexp-anchor Missing regular expression anchor
CWE‑693 JavaScript js/untrusted-data-to-external-api Untrusted data passed to external API
CWE‑693 JavaScript js/useless-regexp-character-escape Useless regular-expression character escape
CWE‑693 JavaScript js/double-escaping Double escaping or unescaping
CWE‑693 JavaScript js/incomplete-html-attribute-sanitization Incomplete HTML attribute sanitization
CWE‑693 JavaScript js/incomplete-multi-character-sanitization Incomplete multi-character sanitization
CWE‑693 JavaScript js/incomplete-sanitization Incomplete string escaping or encoding
CWE‑693 JavaScript js/build-artifact-leak Storage of sensitive information in build artifact
CWE‑693 JavaScript js/clear-text-logging Clear-text logging of sensitive information
CWE‑693 JavaScript js/clear-text-storage-of-sensitive-data Clear text storage of sensitive information
CWE‑693 JavaScript js/password-in-configuration-file Password in configuration file
CWE‑693 JavaScript js/biased-cryptographic-random Creating biased random numbers from a cryptographically secure source.
CWE‑693 JavaScript js/weak-cryptographic-algorithm Use of a broken or weak cryptographic algorithm
CWE‑693 JavaScript js/cors-misconfiguration-for-credentials CORS misconfiguration for credentials transfer
CWE‑693 JavaScript js/missing-token-validation Missing CSRF middleware
CWE‑693 JavaScript js/remote-property-injection Remote property injection
CWE‑693 JavaScript js/host-header-forgery-in-email-generation Host header poisoning in email generation
CWE‑693 JavaScript js/missing-rate-limiting Missing rate limiting
CWE‑693 JavaScript js/hardcoded-credentials Hard-coded credentials
CWE‑693 JavaScript js/user-controlled-bypass User-controlled bypass of security check
CWE‑693 JavaScript js/different-kinds-comparison-bypass Comparison of user-controlled data of different kinds
CWE‑693 JavaScript js/insufficient-password-hash Use of password hash with insufficient computational effort
CWE‑693 JavaScript js/missing-postmessageorigin-verification Missing MessageEvent.origin verification in postMessage handlers
CWE‑693 JavaScript js/jwt-missing-verification JWT missing secret or public key verification
CWE‑693 JavaScript js/insecure-cookie Failure to set secure cookies
CWE‑693 Go go/count-untrusted-data-external-api Frequency counts for external APIs that are used with untrusted data
CWE‑693 Go go/incomplete-hostname-regexp Incomplete regular expression for hostnames
CWE‑693 Go go/incomplete-url-scheme-check Incomplete URL scheme check
CWE‑693 Go go/regex/missing-regexp-anchor Missing regular expression anchor
CWE‑693 Go go/suspicious-character-in-regex Suspicious characters in a regular expression
CWE‑693 Go go/untrusted-data-to-external-api Untrusted data passed to external API
CWE‑693 Go go/untrusted-data-to-unknown-external-api Untrusted data passed to unknown external API
CWE‑693 Go go/disabled-certificate-check Disabled TLS certificate check
CWE‑693 Go go/clear-text-logging Clear-text logging of sensitive information
CWE‑693 Go go/insecure-tls Insecure TLS configuration
CWE‑693 Go go/constant-oauth2-state Use of constant state value in OAuth 2.0 URL
CWE‑693 Go go/email-injection Email content injection
CWE‑693 Go go/hardcoded-credentials Hard-coded credentials
CWE‑693 Go go/weak-crypto-algorithm Use of a weak cryptographic algorithm
CWE‑693 Go go/sensitive-condition-bypass User-controlled bypassing of sensitive action
CWE‑695 Java java/ejb/file-io EJB uses file input/output
CWE‑695 Java java/ejb/graphics EJB uses graphics
CWE‑695 Java java/ejb/synchronization EJB uses synchronization
CWE‑695 Java java/ejb/threads EJB uses threads
CWE‑697 Java java/missing-default-in-switch Missing default case in switch
CWE‑697 Java java/reference-equality-with-object Reference equality test on java.lang.Object
CWE‑697 Java java/reference-equality-of-boxed-types Reference equality test of boxed types
CWE‑697 Java java/reference-equality-on-strings Reference equality test on strings
CWE‑697 Java java/missing-case-in-switch Missing enum case in switch
CWE‑697 C++ cpp/missing-case-in-switch Missing enum case in switch
CWE‑697 C# cs/class-name-comparison Erroneous class compare
CWE‑697 C# cs/reference-equality-with-object Reference equality test on System.Object
CWE‑697 C# cs/reference-equality-on-valuetypes Call to ReferenceEquals(...) on value type expressions
CWE‑697 JavaScript js/angular/insecure-url-whitelist Insecure URL whitelist
CWE‑703 Java java/inconsistent-call-on-result Inconsistent operation on return value
CWE‑703 Java java/return-value-ignored Method result ignored
CWE‑703 Java java/stack-trace-exposure Information exposure through a stack trace
CWE‑703 Java java/discarded-exception Discarded exception
CWE‑703 Java java/overly-general-catch Overly-general catch clause
CWE‑703 Java java/ignored-error-status-of-call Ignored error status of call
CWE‑703 Java java/uncaught-number-format-exception Missing catch of NumberFormatException
CWE‑703 Java java/android/nfe-local-android-dos Local Android DoS Caused By NumberFormatException
CWE‑703 C++ cpp/return-value-ignored Return value of a function is ignored
CWE‑703 C++ cpp/inconsistent-call-on-result Inconsistent operation on return value
CWE‑703 C++ cpp/overflowing-snprintf Potentially overflowing call to snprintf
CWE‑703 C++ cpp/wrong-number-format-arguments Too few arguments to formatting function
CWE‑703 C++ cpp/too-few-arguments Call to function with fewer arguments than declared parameters
CWE‑703 C++ cpp/ignore-return-value-sal SAL requires inspecting return value
CWE‑703 C++ cpp/hresult-boolean-conversion Cast between HRESULT and a Boolean type
CWE‑703 C++ cpp/drop-linux-privileges-outoforder LinuxPrivilegeDroppingOutoforder
CWE‑703 C# cs/dispose-not-called-on-throw Dispose may not be called if an exception is thrown during execution
CWE‑703 C# cs/local-not-disposed Missing Dispose call on local IDisposable
CWE‑703 C# cs/unchecked-return-value Unchecked return value
CWE‑703 C# cs/catch-nullreferenceexception Poor error handling: catch of NullReferenceException
CWE‑703 C# cs/empty-catch-block Poor error handling: empty catch block
CWE‑703 C# cs/catch-of-all-exceptions Generic catch clause
CWE‑703 C# cs/information-exposure-through-exception Information exposure through an exception
CWE‑703 C# cs/web/missing-global-error-handler Missing global error handler
CWE‑703 Python py/catch-base-exception Except block handles 'BaseException'
CWE‑703 Python py/empty-except Empty except
CWE‑703 Python py/ignored-return-value Ignored return value
CWE‑703 Python py/stack-trace-exposure Information exposure through an exception
CWE‑703 JavaScript js/stack-trace-exposure Information exposure through a stack trace
CWE‑703 JavaScript js/unvalidated-dynamic-method-call Unvalidated dynamic method call
CWE‑703 Go go/stack-trace-exposure Information exposure through a stack trace
CWE‑704 Java java/implicit-cast-in-compound-assignment Implicit narrowing conversion in compound assignment
CWE‑704 Java java/integer-multiplication-cast-to-long Result of multiplication cast to wider type
CWE‑704 Java java/impossible-array-cast Impossible array cast
CWE‑704 Java java/comparison-with-wider-type Comparison of narrow type with wide type in loop condition
CWE‑704 Java java/tainted-numeric-cast User-controlled data in numeric cast
CWE‑704 Java java/tainted-numeric-cast-local Local-user-controlled data in numeric cast
CWE‑704 C++ cpp/bad-addition-overflow-check Bad check for overflow of integer addition
CWE‑704 C++ cpp/integer-multiplication-cast-to-long Multiplication result converted to larger type
CWE‑704 C++ cpp/upcast-array-pointer-arithmetic Upcast array used in pointer arithmetic
CWE‑704 C++ cpp/comparison-with-wider-type Comparison of narrow type with wide type in loop condition
CWE‑704 C++ cpp/integer-overflow-tainted Potential integer arithmetic overflow
CWE‑704 C++ cpp/incorrect-string-type-conversion Cast from char to wchar_t
CWE‑704 C# cs/loss-of-precision Possible loss of precision
CWE‑704 JavaScript js/implicit-operand-conversion Implicit operand conversion
CWE‑704 JavaScript js/shift-out-of-range Shift out of range
CWE‑704 JavaScript js/invalid-prototype-value Invalid prototype value
CWE‑704 JavaScript js/property-assignment-on-primitive Assignment to property of primitive value
CWE‑704 JavaScript js/type-confusion-through-parameter-tampering Type confusion through parameter tampering
CWE‑704 Go go/shift-out-of-range Shift out of range
CWE‑704 Go go/incorrect-integer-conversion Incorrect conversion between integer types
CWE‑705 Java java/ejb/container-interference EJB interferes with container operation
CWE‑705 Java java/overly-general-catch Overly-general catch clause
CWE‑705 Java java/uncaught-number-format-exception Missing catch of NumberFormatException
CWE‑705 Java java/jvm-exit Forcible JVM termination
CWE‑705 Java java/abnormal-finally-completion Finally block may not complete normally
CWE‑705 C# cs/catch-nullreferenceexception Poor error handling: catch of NullReferenceException
CWE‑705 C# cs/catch-of-all-exceptions Generic catch clause
CWE‑705 C# cs/web/missing-global-error-handler Missing global error handler
CWE‑705 Python py/catch-base-exception Except block handles 'BaseException'
CWE‑705 Python py/exit-from-finally 'break' or 'return' statement in finally
CWE‑705 JavaScript js/exit-from-finally Jump from finally
CWE‑706 Java java/path-injection Uncontrolled data used in path expression
CWE‑706 Java java/path-injection-local Local-user-controlled data in path expression
CWE‑706 Java java/zipslip Arbitrary file write during archive extraction ("Zip Slip")
CWE‑706 Java java/xxe Resolving XML external entity in user-controlled data
CWE‑706 Java java/openstream-called-on-tainted-url openStream called on URLs created from remote source
CWE‑706 C++ cpp/path-injection Uncontrolled data used in path expression
CWE‑706 C# cs/path-injection Uncontrolled data used in path expression
CWE‑706 C# cs/zipslip Arbitrary file write during zip extraction ("Zip Slip")
CWE‑706 C# cs/xml/insecure-dtd-handling Untrusted XML is read insecurely
CWE‑706 C# cs/insecure-xml-read XML is read insecurely
CWE‑706 C# cs/webclient-path-injection Uncontrolled data used in a WebClient
CWE‑706 Python py/path-injection Uncontrolled data used in path expression
CWE‑706 Python py/tarslip Arbitrary file write during tarfile extraction
CWE‑706 JavaScript js/path-injection Uncontrolled data used in path expression
CWE‑706 JavaScript js/zipslip Arbitrary file write during zip extraction ("Zip Slip")
CWE‑706 JavaScript js/xxe XML external entity expansion
CWE‑706 Go go/path-injection Uncontrolled data used in path expression
CWE‑706 Go go/unsafe-unzip-symlink Arbitrary file write extracting an archive containing symbolic links
CWE‑706 Go go/zipslip Arbitrary file write during zip extraction ("zip slip")
CWE‑707 Java java/relative-path-command Executing a command with a relative path
CWE‑707 Java java/command-line-injection Uncontrolled command line
CWE‑707 Java java/command-line-injection-local Local-user-controlled command line
CWE‑707 Java java/concatenated-command-line Building a command line with string concatenation
CWE‑707 Java java/xss Cross-site scripting
CWE‑707 Java java/xss-local Cross-site scripting from local source
CWE‑707 Java java/sql-injection Query built from user-controlled sources
CWE‑707 Java java/sql-injection-local Query built from local-user-controlled sources
CWE‑707 Java java/concatenated-sql-query Query built without neutralizing special characters
CWE‑707 Java java/ldap-injection LDAP query built from user-controlled sources
CWE‑707 Java java/insecure-bean-validation Insecure Bean Validation
CWE‑707 Java java/netty-http-response-splitting Disabled Netty HTTP header validation
CWE‑707 Java java/http-response-splitting HTTP response splitting
CWE‑707 Java java/http-response-splitting-local HTTP response splitting from local source
CWE‑707 Java java/tainted-format-string Use of externally-controlled format string
CWE‑707 Java java/tainted-format-string-local Use of externally-controlled format string from local source
CWE‑707 Java java/xml/xpath-injection XPath injection
CWE‑707 Java java/jndi-injection JNDI lookup with user-controlled name
CWE‑707 Java java/xslt-injection XSLT transformation with user-controlled stylesheet
CWE‑707 Java java/command-line-injection Uncontrolled command line
CWE‑707 Java java/groovy-injection Groovy Language injection
CWE‑707 Java java/android-insecure-dex-loading Insecure loading of an Android Dex File
CWE‑707 Java java/javaee-expression-injection Jakarta Expression Language injection
CWE‑707 Java java/jexl-expression-injection Expression language injection (JEXL)
CWE‑707 Java java/mvel-expression-injection Expression language injection (MVEL)
CWE‑707 Java java/unsafe-eval ScriptEngine evaluation
CWE‑707 Java java/spel-expression-injection Expression language injection (Spring)
CWE‑707 Java java/spring-view-manipulation-implicit Spring Implicit View Manipulation
CWE‑707 Java java/spring-view-manipulation Spring View Manipulation
CWE‑707 Java java/log-injection Log Injection
CWE‑707 Java java/xquery-injection XQuery query built from user-controlled sources
CWE‑707 Java java/android/unsafe-android-webview-fetch Unsafe resource fetching in Android webview
CWE‑707 Java java/ognl-injection OGNL Expression Language statement with user-controlled input
CWE‑707 C++ cpp/non-constant-format Non-constant format string
CWE‑707 C++ cpp/wrong-number-format-arguments Too few arguments to formatting function
CWE‑707 C++ cpp/improper-null-termination Potential improper null termination
CWE‑707 C++ cpp/too-few-arguments Call to function with fewer arguments than declared parameters
CWE‑707 C++ cpp/command-line-injection Uncontrolled data used in OS command
CWE‑707 C++ cpp/cgi-xss CGI script vulnerable to cross-site scripting
CWE‑707 C++ cpp/sql-injection Uncontrolled data in SQL query
CWE‑707 C++ cpp/tainted-format-string Uncontrolled format string
CWE‑707 C++ cpp/tainted-format-string-through-global Uncontrolled format string (through global variable)
CWE‑707 C++ cpp/user-controlled-null-termination-tainted User-controlled data may not be null terminated
CWE‑707 C# cs/web/disabled-header-checking Header checking disabled
CWE‑707 C# cs/path-injection Uncontrolled data used in path expression
CWE‑707 C# cs/command-line-injection Uncontrolled command line
CWE‑707 C# cs/stored-command-line-injection Uncontrolled command line from stored user input
CWE‑707 C# cs/web/stored-xss Stored cross-site scripting
CWE‑707 C# cs/web/xss Cross-site scripting
CWE‑707 C# cs/second-order-sql-injection SQL query built from stored user-controlled sources
CWE‑707 C# cs/sql-injection SQL query built from user-controlled sources
CWE‑707 C# cs/ldap-injection LDAP query built from user-controlled sources
CWE‑707 C# cs/stored-ldap-injection LDAP query built from stored user-controlled sources
CWE‑707 C# cs/xml-injection XML injection
CWE‑707 C# cs/code-injection Improper control of generation of code
CWE‑707 C# cs/resource-injection Resource injection
CWE‑707 C# cs/log-forging Log entries created from user input
CWE‑707 C# cs/uncontrolled-format-string Uncontrolled format string
CWE‑707 C# cs/xml/stored-xpath-injection Stored XPath injection
CWE‑707 C# cs/xml/xpath-injection XPath injection
CWE‑707 C# cs/inappropriate-encoding Inappropriate encoding
CWE‑707 C# cs/webclient-path-injection Uncontrolled data used in a WebClient
CWE‑707 Python py/path-injection Uncontrolled data used in path expression
CWE‑707 Python py/command-line-injection Uncontrolled command line
CWE‑707 Python py/jinja2/autoescape-false Jinja2 templating with autoescape=False
CWE‑707 Python py/reflective-xss Reflected server-side cross-site scripting
CWE‑707 Python py/sql-injection SQL query built from user-controlled sources
CWE‑707 Python py/code-injection Code injection
CWE‑707 Python py/template-injection Server Side Template Injection
CWE‑707 Python py/xslt-injection XSLT query built from user-controlled sources
CWE‑707 Python py/xpath-injection XPath query built from user-controlled sources
CWE‑707 JavaScript js/enabling-electron-renderer-node-integration Enabling Node.js integration for Electron web content renderers
CWE‑707 JavaScript js/identity-replacement Replacement of a substring with itself
CWE‑707 JavaScript js/path-injection Uncontrolled data used in path expression
CWE‑707 JavaScript js/template-object-injection Template Object Injection
CWE‑707 JavaScript js/command-line-injection Uncontrolled command line
CWE‑707 JavaScript js/indirect-command-line-injection Indirect uncontrolled command line
CWE‑707 JavaScript js/shell-command-injection-from-environment Shell command built from environment values
CWE‑707 JavaScript js/shell-command-constructed-from-input Unsafe shell command constructed from library input
CWE‑707 JavaScript js/xss-through-exception Exception text reinterpreted as HTML
CWE‑707 JavaScript js/reflected-xss Reflected cross-site scripting
CWE‑707 JavaScript js/stored-xss Stored cross-site scripting
CWE‑707 JavaScript js/html-constructed-from-input Unsafe HTML constructed from library input
CWE‑707 JavaScript js/unsafe-jquery-plugin Unsafe jQuery plugin
CWE‑707 JavaScript js/xss Client-side cross-site scripting
CWE‑707 JavaScript js/xss-through-dom DOM text reinterpreted as HTML
CWE‑707 JavaScript js/sql-injection Database query built from user-controlled sources
CWE‑707 JavaScript js/code-injection Code injection
CWE‑707 JavaScript js/bad-code-sanitization Improper code sanitization
CWE‑707 JavaScript js/unsafe-dynamic-method-access Unsafe dynamic method access
CWE‑707 JavaScript js/double-escaping Double escaping or unescaping
CWE‑707 JavaScript js/incomplete-html-attribute-sanitization Incomplete HTML attribute sanitization
CWE‑707 JavaScript js/incomplete-multi-character-sanitization Incomplete multi-character sanitization
CWE‑707 JavaScript js/incomplete-sanitization Incomplete string escaping or encoding
CWE‑707 JavaScript js/unsafe-html-expansion Unsafe expansion of self-closing HTML tag
CWE‑707 JavaScript js/log-injection Log injection
CWE‑707 JavaScript js/tainted-format-string Use of externally-controlled format string
CWE‑707 JavaScript js/client-side-unvalidated-url-redirection Client-side URL redirect
CWE‑707 JavaScript js/xpath-injection XPath injection
CWE‑707 JavaScript js/prototype-polluting-assignment Prototype-polluting assignment
CWE‑707 JavaScript js/prototype-pollution-utility Prototype-polluting function
CWE‑707 JavaScript js/prototype-pollution Prototype-polluting merge call
CWE‑707 JavaScript javascript/ldap-injection LDAP query built from user-controlled sources
CWE‑707 JavaScript js/actions/injection Expression injection in Actions
CWE‑707 JavaScript js/actions/pull-request-target Checkout of untrusted code in trusted context
CWE‑707 Go go/path-injection Uncontrolled data used in path expression
CWE‑707 Go go/command-injection Command built from user-controlled sources
CWE‑707 Go go/stored-command Command built from stored data
CWE‑707 Go go/reflected-xss Reflected cross-site scripting
CWE‑707 Go go/stored-xss Stored cross-site scripting
CWE‑707 Go go/sql-injection Database query built from user-controlled sources
CWE‑707 Go go/unsafe-quoting Potentially unsafe quoting
CWE‑707 Go go/xml/xpath-injection XPath injection
CWE‑707 Go go/html-template-escaping-passthrough HTML template escaping passthrough
CWE‑710 Java java/deprecated-call Deprecated method or constructor invocation
CWE‑710 Java java/dead-class Dead class
CWE‑710 Java java/dead-enum-constant Dead enum constant
CWE‑710 Java java/dead-field Dead field
CWE‑710 Java java/dead-function Dead method
CWE‑710 Java java/lines-of-dead-code Lines of dead code in files
CWE‑710 Java java/unused-parameter Useless parameter
CWE‑710 Java java/ejb/container-interference EJB interferes with container operation
CWE‑710 Java java/ejb/file-io EJB uses file input/output
CWE‑710 Java java/ejb/graphics EJB uses graphics
CWE‑710 Java java/ejb/native-code EJB uses native code
CWE‑710 Java java/ejb/reflection EJB uses reflection
CWE‑710 Java java/ejb/security-configuration-access EJB accesses security configuration
CWE‑710 Java java/ejb/substitution-in-serialization EJB uses substitution in serialization
CWE‑710 Java java/ejb/socket-or-stream-handler-factory EJB sets socket factory or URL stream handler factory
CWE‑710 Java java/ejb/server-socket EJB uses server socket
CWE‑710 Java java/ejb/non-final-static-field EJB uses non-final static field
CWE‑710 Java java/ejb/synchronization EJB uses synchronization
CWE‑710 Java java/ejb/this EJB uses 'this' as argument or result
CWE‑710 Java java/ejb/threads EJB uses threads
CWE‑710 Java java/useless-null-check Useless null check
CWE‑710 Java java/useless-type-test Useless type test
CWE‑710 Java java/useless-upcast Useless upcast
CWE‑710 Java java/missing-call-to-super-clone Missing super clone
CWE‑710 Java java/empty-container Container contents are never initialized
CWE‑710 Java java/unused-container Container contents are never accessed
CWE‑710 Java java/inconsistent-equals-and-hashcode Inconsistent equals and hashCode
CWE‑710 Java java/constant-comparison Useless comparison test
CWE‑710 Java java/unreleased-lock Unreleased lock
CWE‑710 Java java/missing-super-finalize Finalizer inconsistency
CWE‑710 Java java/missing-format-argument Missing format argument
CWE‑710 Java java/unused-format-argument Unused format argument
CWE‑710 Java java/dereferenced-value-is-always-null Dereferenced variable is always null
CWE‑710 Java java/dereferenced-expr-may-be-null Dereferenced expression may be null
CWE‑710 Java java/dereferenced-value-may-be-null Dereferenced variable may be null
CWE‑710 Java java/empty-synchronized-block Empty synchronized block
CWE‑710 Java java/unreachable-catch-clause Unreachable catch clause
CWE‑710 Java java/potentially-dangerous-function Use of a potentially dangerous function
CWE‑710 Java java/hardcoded-credential-api-call Hard-coded credential in API call
CWE‑710 Java java/hardcoded-credential-comparison Hard-coded credential comparison
CWE‑710 Java java/hardcoded-credential-sensitive-call Hard-coded credential in sensitive call
CWE‑710 Java java/hardcoded-password-field Hard-coded password field
CWE‑710 Java java/todo-comment TODO/FIXME comments
CWE‑710 Java java/unused-reference-type Unused classes and interfaces
CWE‑710 Java java/overwritten-assignment-to-local Assigned value is overwritten
CWE‑710 Java java/useless-assignment-to-local Useless assignment to local variable
CWE‑710 Java java/empty-finalizer Empty body of finalizer
CWE‑710 Java java/unused-initialized-local Local variable is initialized but not used
CWE‑710 Java java/local-variable-is-never-read Unread local variable
CWE‑710 Java java/unused-field Unused field
CWE‑710 Java java/unused-label Unused label
CWE‑710 Java java/unused-local-variable Unused local variable
CWE‑710 Java java/switch-fall-through Unterminated switch case
CWE‑710 Java java/redundant-cast Unnecessary cast
CWE‑710 Java java/unused-import Unnecessary import
CWE‑710 C++ cpp/unused-local-variable Unused local variable
CWE‑710 C++ cpp/unused-static-function Unused static function
CWE‑710 C++ cpp/unused-static-variable Unused static variable
CWE‑710 C++ cpp/dead-code-condition Branching condition always evaluates to same value
CWE‑710 C++ cpp/dead-code-function Function is never called
CWE‑710 C++ cpp/dead-code-goto Dead code due to goto or break statement
CWE‑710 C++ cpp/inconsistent-nullness-testing Inconsistent null check of pointer
CWE‑710 C++ cpp/missing-null-test Returned pointer not checked
CWE‑710 C++ cpp/unused-variable Variable is assigned a value that is never read
CWE‑710 C++ cpp/fixme-comment FIXME comment
CWE‑710 C++ cpp/todo-comment TODO comment
CWE‑710 C++ cpp/inconsistent-null-check Inconsistent nullness check
CWE‑710 C++ cpp/redundant-null-check-simple Redundant null check due to previous dereference
CWE‑710 C++ cpp/overflowing-snprintf Potentially overflowing call to snprintf
CWE‑710 C++ cpp/wrong-number-format-arguments Too few arguments to formatting function
CWE‑710 C++ cpp/wrong-type-format-argument Wrong type of arguments to formatting function
CWE‑710 C++ cpp/useless-expression Expression has no effect
CWE‑710 C++ cpp/pointer-overflow-check Pointer overflow check
CWE‑710 C++ cpp/bad-strncpy-size Possibly wrong buffer size in string copy
CWE‑710 C++ cpp/suspicious-call-to-memset Suspicious call to memset
CWE‑710 C++ cpp/unsafe-strncat Potentially unsafe call to strncat
CWE‑710 C++ cpp/unsafe-strcat Potentially unsafe use of strcat
CWE‑710 C++ cpp/too-few-arguments Call to function with fewer arguments than declared parameters
CWE‑710 C++ cpp/ignore-return-value-sal SAL requires inspecting return value
CWE‑710 C++ cpp/memset-may-be-deleted Call to memset may be deleted
CWE‑710 C++ cpp/hresult-boolean-conversion Cast between HRESULT and a Boolean type
CWE‑710 C++ cpp/dangerous-function-overflow Use of dangerous function
CWE‑710 C++ cpp/dangerous-cin Dangerous use of 'cin'
CWE‑710 C++ cpp/potentially-dangerous-function Use of potentially dangerous function
CWE‑710 C++ cpp/lock-order-cycle Cyclic lock order dependency
CWE‑710 C++ cpp/twice-locked Mutex locked twice
CWE‑710 C++ cpp/unreleased-lock Lock may not be released
CWE‑710 C++ cpp/redundant-null-check-param Redundant null check or missing null check of parameter
CWE‑710 C++ cpp/incorrect-allocation-error-handling Incorrect allocation-error handling
CWE‑710 C# cs/call-to-obsolete-method Call to obsolete method
CWE‑710 C# cs/inconsistent-equals-and-gethashcode Inconsistent Equals(object) and GetHashCode()
CWE‑710 C# cs/todo-comment TODO comment
CWE‑710 C# cs/dereferenced-value-is-always-null Dereferenced variable is always null
CWE‑710 C# cs/dereferenced-value-may-be-null Dereferenced variable may be null
CWE‑710 C# cs/unused-reftype Dead reference types
CWE‑710 C# cs/useless-assignment-to-local Useless assignment to local variable
CWE‑710 C# cs/unused-field Unused field
CWE‑710 C# cs/unused-method Unused method
CWE‑710 C# cs/captured-foreach-variable Capturing a foreach variable
CWE‑710 C# cs/useless-cast-to-self Cast to same type
CWE‑710 C# cs/useless-is-before-as Useless 'is' before 'as'
CWE‑710 C# cs/coalesce-of-identical-expressions Useless ?? expression
CWE‑710 C# cs/useless-type-test Useless type test
CWE‑710 C# cs/useless-upcast Useless upcast
CWE‑710 C# cs/empty-collection Container contents are never initialized
CWE‑710 C# cs/unused-collection Container contents are never accessed
CWE‑710 C# cs/invalid-dynamic-call Bad dynamic call
CWE‑710 C# cs/empty-lock-statement Empty lock statement
CWE‑710 C# cs/linq/useless-select Redundant Select
CWE‑710 C# cs/web/missing-x-frame-options Missing X-Frame-Options HTTP header
CWE‑710 C# cs/hardcoded-connection-string-credentials Hard-coded connection string with credentials
CWE‑710 C# cs/hardcoded-credentials Hard-coded credentials
CWE‑710 Python py/equals-hash-mismatch Inconsistent equality and hashing
CWE‑710 Python py/call/wrong-named-class-argument Wrong name for an argument in a class instantiation
CWE‑710 Python py/call/wrong-number-class-arguments Wrong number of arguments in a class instantiation
CWE‑710 Python py/unreachable-except Unreachable 'except' block
CWE‑710 Python py/super-not-enclosing-class First argument to super() is not enclosing class
CWE‑710 Python py/comparison-of-constants Comparison of constants
CWE‑710 Python py/comparison-of-identical-expressions Comparison of identical values
CWE‑710 Python py/comparison-missing-self Maybe missing 'self' in comparison
CWE‑710 Python py/duplicate-key-dict-literal Duplicate key in dict literal
CWE‑710 Python py/call/wrong-named-argument Wrong name for an argument in a call
CWE‑710 Python py/percent-format/wrong-arguments Wrong number of arguments for format
CWE‑710 Python py/call/wrong-arguments Wrong number of arguments in a call
CWE‑710 Python py/redundant-comparison Redundant comparison
CWE‑710 Python py/import-deprecated-module Import of deprecated module
CWE‑710 Python py/hardcoded-credentials Hard-coded credentials
CWE‑710 Python py/constant-conditional-expression Constant in conditional expression or statement
CWE‑710 Python py/redundant-assignment Redundant assignment
CWE‑710 Python py/ineffectual-statement Statement has no effect
CWE‑710 Python py/unreachable-statement Unreachable code
CWE‑710 Python py/multiple-definition Variable defined multiple times
CWE‑710 Python py/unused-local-variable Unused local variable
CWE‑710 Python py/unused-global-variable Unused global variable
CWE‑710 JavaScript js/todo-comment TODO comment
CWE‑710 JavaScript js/conflicting-html-attribute Conflicting HTML element attributes
CWE‑710 JavaScript js/malformed-html-id Malformed id attribute
CWE‑710 JavaScript js/eval-like-call Call to eval-like DOM function
CWE‑710 JavaScript js/variable-initialization-conflict Conflicting variable initialization
CWE‑710 JavaScript js/function-declaration-conflict Conflicting function declarations
CWE‑710 JavaScript js/useless-assignment-to-global Useless assignment to global variable
CWE‑710 JavaScript js/useless-assignment-to-local Useless assignment to local variable
CWE‑710 JavaScript js/overwritten-property Overwritten property
CWE‑710 JavaScript js/comparison-of-identical-expressions Comparison of identical values
CWE‑710 JavaScript js/comparison-with-nan Comparison with NaN
CWE‑710 JavaScript js/duplicate-condition Duplicate 'if' condition
CWE‑710 JavaScript js/duplicate-property Duplicate property
CWE‑710 JavaScript js/duplicate-switch-case Duplicate switch case
CWE‑710 JavaScript js/useless-expression Expression has no effect
CWE‑710 JavaScript js/comparison-between-incompatible-types Comparison between inconvertible types
CWE‑710 JavaScript js/redundant-operation Identical operands
CWE‑710 JavaScript js/redundant-assignment Self assignment
CWE‑710 JavaScript js/call-to-non-callable Invocation of non-function
CWE‑710 JavaScript js/property-access-on-non-object Property access on null or undefined
CWE‑710 JavaScript js/unneeded-defensive-code Unneeded defensive code
CWE‑710 JavaScript js/useless-type-test Useless type test
CWE‑710 JavaScript js/conditional-comment Conditional comments
CWE‑710 JavaScript js/eval-call Use of eval
CWE‑710 JavaScript js/non-standard-language-feature Use of platform-specific language features
CWE‑710 JavaScript js/for-in-comprehension Use of for-in comprehension blocks
CWE‑710 JavaScript js/superfluous-trailing-arguments Superfluous trailing arguments
CWE‑710 JavaScript js/yield-outside-generator Yield in non-generator function
CWE‑710 JavaScript js/node/assignment-to-exports-variable Assignment to exports variable
CWE‑710 JavaScript js/regex/unmatchable-caret Unmatchable caret in regular expression
CWE‑710 JavaScript js/regex/unmatchable-dollar Unmatchable dollar in regular expression
CWE‑710 JavaScript js/remote-property-injection Remote property injection
CWE‑710 JavaScript js/missing-x-frame-options Missing X-Frame-Options HTTP header
CWE‑710 JavaScript js/hardcoded-data-interpreted-as-code Hard-coded data interpreted as code
CWE‑710 JavaScript js/hardcoded-credentials Hard-coded credentials
CWE‑710 JavaScript js/http-to-file-access Network data written to file
CWE‑710 JavaScript js/useless-assignment-in-return Return statement assigns local variable
CWE‑710 JavaScript js/unreachable-statement Unreachable statement
CWE‑710 JavaScript js/trivial-conditional Useless conditional
CWE‑710 Go go/comparison-of-identical-expressions Comparison of identical values
CWE‑710 Go go/useless-assignment-to-field Useless assignment to field
CWE‑710 Go go/useless-assignment-to-local Useless assignment to local variable
CWE‑710 Go go/duplicate-branches Duplicate 'if' branches
CWE‑710 Go go/duplicate-condition Duplicate 'if' condition
CWE‑710 Go go/duplicate-switch-case Duplicate switch case
CWE‑710 Go go/useless-expression Expression has no effect
CWE‑710 Go go/redundant-operation Identical operands
CWE‑710 Go go/redundant-assignment Self assignment
CWE‑710 Go go/unreachable-statement Unreachable statement
CWE‑710 Go go/hardcoded-credentials Hard-coded credentials
CWE‑732 Java java/world-writable-file-read Reading from a world writable file
CWE‑732 C++ cpp/world-writable-file-creation File created without restricting permissions
CWE‑732 C++ cpp/unsafe-dacl-security-descriptor Setting a DACL to NULL in a SECURITY_DESCRIPTOR
CWE‑732 Python py/overly-permissive-file Overly permissive file permissions
CWE‑733 C++ cpp/memset-may-be-deleted Call to memset may be deleted
CWE‑749 Java java/android/unsafe-android-webview-fetch Unsafe resource fetching in Android webview
CWE‑754 Java java/inconsistent-call-on-result Inconsistent operation on return value
CWE‑754 Java java/return-value-ignored Method result ignored
CWE‑754 C++ cpp/return-value-ignored Return value of a function is ignored
CWE‑754 C++ cpp/inconsistent-call-on-result Inconsistent operation on return value
CWE‑754 C++ cpp/overflowing-snprintf Potentially overflowing call to snprintf
CWE‑754 C++ cpp/ignore-return-value-sal SAL requires inspecting return value
CWE‑754 C++ cpp/hresult-boolean-conversion Cast between HRESULT and a Boolean type
CWE‑754 C++ cpp/drop-linux-privileges-outoforder LinuxPrivilegeDroppingOutoforder
CWE‑754 C# cs/unchecked-return-value Unchecked return value
CWE‑754 Python py/ignored-return-value Ignored return value
CWE‑754 JavaScript js/unvalidated-dynamic-method-call Unvalidated dynamic method call
CWE‑755 Java java/stack-trace-exposure Information exposure through a stack trace
CWE‑755 Java java/overly-general-catch Overly-general catch clause
CWE‑755 Java java/android/nfe-local-android-dos Local Android DoS Caused By NumberFormatException
CWE‑755 C# cs/dispose-not-called-on-throw Dispose may not be called if an exception is thrown during execution
CWE‑755 C# cs/local-not-disposed Missing Dispose call on local IDisposable
CWE‑755 C# cs/catch-nullreferenceexception Poor error handling: catch of NullReferenceException
CWE‑755 C# cs/empty-catch-block Poor error handling: empty catch block
CWE‑755 C# cs/catch-of-all-exceptions Generic catch clause
CWE‑755 C# cs/information-exposure-through-exception Information exposure through an exception
CWE‑755 C# cs/web/missing-global-error-handler Missing global error handler
CWE‑755 Python py/catch-base-exception Except block handles 'BaseException'
CWE‑755 Python py/empty-except Empty except
CWE‑755 Python py/stack-trace-exposure Information exposure through an exception
CWE‑755 JavaScript js/stack-trace-exposure Information exposure through a stack trace
CWE‑755 Go go/stack-trace-exposure Information exposure through a stack trace
CWE‑756 C# cs/web/missing-global-error-handler Missing global error handler
CWE‑758 C++ cpp/pointer-overflow-check Pointer overflow check
CWE‑758 C++ cpp/memset-may-be-deleted Call to memset may be deleted
CWE‑758 C# cs/captured-foreach-variable Capturing a foreach variable
CWE‑758 JavaScript js/conflicting-html-attribute Conflicting HTML element attributes
CWE‑758 JavaScript js/malformed-html-id Malformed id attribute
CWE‑758 JavaScript js/conditional-comment Conditional comments
CWE‑758 JavaScript js/non-standard-language-feature Use of platform-specific language features
CWE‑758 JavaScript js/for-in-comprehension Use of for-in comprehension blocks
CWE‑758 JavaScript js/yield-outside-generator Yield in non-generator function
CWE‑764 Java java/unreleased-lock Unreleased lock
CWE‑764 C++ cpp/lock-order-cycle Cyclic lock order dependency
CWE‑764 C++ cpp/twice-locked Mutex locked twice
CWE‑764 C++ cpp/unreleased-lock Lock may not be released
CWE‑770 C++ cpp/alloca-in-loop Call to alloca in a loop
CWE‑770 JavaScript js/missing-rate-limiting Missing rate limiting
CWE‑770 JavaScript js/resource-exhaustion Resource exhaustion
CWE‑772 Java java/input-resource-leak Potential input resource leak
CWE‑772 Java java/database-resource-leak Potential database resource leak
CWE‑772 Java java/output-resource-leak Potential output resource leak
CWE‑772 C++ cpp/catch-missing-free Leaky catch
CWE‑772 C++ cpp/descriptor-may-not-be-closed Open descriptor may not be closed
CWE‑772 C++ cpp/descriptor-never-closed Open descriptor never closed
CWE‑772 C++ cpp/file-may-not-be-closed Open file may not be closed
CWE‑772 C++ cpp/file-never-closed Open file is not closed
CWE‑772 C++ cpp/memory-may-not-be-freed Memory may not be freed
CWE‑772 C++ cpp/memory-never-freed Memory is never freed
CWE‑772 C++ cpp/new-free-mismatch Mismatching new/free or malloc/delete
CWE‑772 C++ cpp/memory-leak-on-failed-call-to-realloc Memory leak on failed call to realloc
CWE‑772 Python py/file-not-closed File is not always closed
CWE‑775 C++ cpp/descriptor-may-not-be-closed Open descriptor may not be closed
CWE‑775 C++ cpp/descriptor-never-closed Open descriptor never closed
CWE‑775 C++ cpp/file-may-not-be-closed Open file may not be closed
CWE‑775 C++ cpp/file-never-closed Open file is not closed
CWE‑776 Java java/xxe Resolving XML external entity in user-controlled data
CWE‑776 C# cs/xml/insecure-dtd-handling Untrusted XML is read insecurely
CWE‑776 C# cs/insecure-xml-read XML is read insecurely
CWE‑776 JavaScript js/xml-bomb XML internal entity expansion
CWE‑780 C# cs/inadequate-rsa-padding Weak encryption: inadequate RSA padding
CWE‑783 Java java/whitespace-contradicts-precedence Whitespace contradicts operator precedence
CWE‑783 C++ cpp/operator-precedence-logic-error-when-use-bool-type Operator Precedence Logic Error When Use Bool Type
CWE‑783 JavaScript js/unclear-operator-precedence Unclear precedence of nested operators
CWE‑783 JavaScript js/whitespace-contradicts-precedence Whitespace contradicts operator precedence
CWE‑783 Go go/whitespace-contradicts-precedence Whitespace contradicts operator precedence
CWE‑787 C++ cpp/allocation-too-small Not enough memory allocated for pointer type
CWE‑787 C++ cpp/suspicious-allocation-size Not enough memory allocated for array of pointer type
CWE‑787 C++ cpp/overflow-buffer Call to memory access function may overflow buffer
CWE‑787 C++ cpp/badly-bounded-write Badly bounded write
CWE‑787 C++ cpp/overrunning-write Potentially overrunning write
CWE‑787 C++ cpp/overrunning-write-with-float Potentially overrunning write with float to string conversion
CWE‑787 C++ cpp/unbounded-write Unbounded write
CWE‑787 C++ cpp/unterminated-variadic-call Unterminated variadic call
CWE‑787 C++ cpp/no-space-for-terminator No space for zero terminator
CWE‑787 C# cs/unvalidated-local-pointer-arithmetic Unvalidated local pointer arithmetic
CWE‑788 C++ cpp/allocation-too-small Not enough memory allocated for pointer type
CWE‑788 C++ cpp/suspicious-allocation-size Not enough memory allocated for array of pointer type
CWE‑788 C++ cpp/overflow-buffer Call to memory access function may overflow buffer
CWE‑788 C++ cpp/unterminated-variadic-call Unterminated variadic call
CWE‑788 C++ cpp/no-space-for-terminator No space for zero terminator
CWE‑788 C++ cpp/openssl-heartbleed Use of a version of OpenSSL with Heartbleed
CWE‑788 C++ cpp/access-memory-location-after-end-buffer-strlen Access Of Memory Location After End Of Buffer
CWE‑788 C++ cpp/access-memory-location-after-end-buffer-strncat Access Of Memory Location After The End Of A Buffer Using Strncat
CWE‑788 C# cs/unvalidated-local-pointer-arithmetic Unvalidated local pointer arithmetic
CWE‑788 Go go/wrong-usage-of-unsafe Wrong usage of package unsafe
CWE‑798 Java java/hardcoded-credential-api-call Hard-coded credential in API call
CWE‑798 Java java/hardcoded-credential-comparison Hard-coded credential comparison
CWE‑798 Java java/hardcoded-credential-sensitive-call Hard-coded credential in sensitive call
CWE‑798 Java java/hardcoded-password-field Hard-coded password field
CWE‑798 C# cs/hardcoded-connection-string-credentials Hard-coded connection string with credentials
CWE‑798 C# cs/hardcoded-credentials Hard-coded credentials
CWE‑798 Python py/hardcoded-credentials Hard-coded credentials
CWE‑798 JavaScript js/hardcoded-credentials Hard-coded credentials
CWE‑798 Go go/hardcoded-credentials Hard-coded credentials
CWE‑799 JavaScript js/missing-rate-limiting Missing rate limiting
CWE‑805 C++ cpp/badly-bounded-write Badly bounded write
CWE‑805 C++ cpp/overrunning-write Potentially overrunning write
CWE‑805 C++ cpp/overrunning-write-with-float Potentially overrunning write with float to string conversion
CWE‑805 C++ cpp/unbounded-write Unbounded write
CWE‑807 Java java/user-controlled-bypass User-controlled bypass of sensitive method
CWE‑807 Java java/tainted-permissions-check User-controlled data used in permissions check
CWE‑807 C++ cpp/tainted-permissions-check Untrusted input for a condition
CWE‑807 C# cs/user-controlled-bypass User-controlled bypass of sensitive method
CWE‑807 JavaScript js/user-controlled-bypass User-controlled bypass of security check
CWE‑807 JavaScript js/different-kinds-comparison-bypass Comparison of user-controlled data of different kinds
CWE‑807 Go go/sensitive-condition-bypass User-controlled bypassing of sensitive action
CWE‑820 Java java/lazy-initialization Incorrect lazy initialization of a static field
CWE‑820 Java java/non-sync-override Non-synchronized override of synchronized method
CWE‑820 C# cs/unsynchronized-static-access Unsynchronized access to static collection member in non-static context
CWE‑821 Java java/ejb/synchronization EJB uses synchronization
CWE‑821 Java java/call-to-thread-run Direct call to a run() method
CWE‑823 C++ cpp/late-negative-test Pointer offset used before it is checked
CWE‑823 C++ cpp/missing-negativity-test Unchecked return value used as offset
CWE‑825 C++ cpp/use-after-free Potential use after free
CWE‑825 C++ cpp/return-stack-allocated-memory Returning stack-allocated memory
CWE‑826 C++ cpp/self-assignment-check Self assignment check
CWE‑827 Java java/xxe Resolving XML external entity in user-controlled data
CWE‑827 C# cs/xml/insecure-dtd-handling Untrusted XML is read insecurely
CWE‑827 C# cs/insecure-xml-read XML is read insecurely
CWE‑827 JavaScript js/xxe XML external entity expansion
CWE‑829 Java java/xxe Resolving XML external entity in user-controlled data
CWE‑829 Java java/maven/non-https-url Failure to use HTTPS or SFTP URL in Maven artifact upload/download
CWE‑829 C# cs/web/missing-x-frame-options Missing X-Frame-Options HTTP header
CWE‑829 C# cs/xml/insecure-dtd-handling Untrusted XML is read insecurely
CWE‑829 C# cs/insecure-xml-read XML is read insecurely
CWE‑829 JavaScript js/missing-x-frame-options Missing X-Frame-Options HTTP header
CWE‑829 JavaScript js/xxe XML external entity expansion
CWE‑829 JavaScript js/insecure-download Download of sensitive file through insecure connection
CWE‑833 Java java/sleep-with-lock-held Sleep with lock held
CWE‑833 Java java/unreleased-lock Unreleased lock
CWE‑833 Java java/wait-with-two-locks Wait with two locks held
CWE‑833 Java java/lock-order-inconsistency Lock order inconsistency
CWE‑833 C++ cpp/lock-order-cycle Cyclic lock order dependency
CWE‑833 C++ cpp/twice-locked Mutex locked twice
CWE‑833 C++ cpp/unreleased-lock Lock may not be released
CWE‑833 C# cs/locked-wait A lock is held during a wait
CWE‑834 Java java/constant-loop-condition Constant loop condition
CWE‑834 Java java/xxe Resolving XML external entity in user-controlled data
CWE‑834 Java java/unreachable-exit-in-loop Loop with unreachable exit condition
CWE‑834 C++ cpp/inconsistent-loop-direction Inconsistent direction of for loop
CWE‑834 C++ cpp/comparison-with-wider-type Comparison of narrow type with wide type in loop condition
CWE‑834 C++ cpp/infinite-loop-with-unsatisfiable-exit-condition Infinite loop with unsatisfiable exit condition
CWE‑834 C# cs/constant-condition Constant condition
CWE‑834 C# cs/linq/inconsistent-enumeration Bad multiple iteration
CWE‑834 C# cs/xml/insecure-dtd-handling Untrusted XML is read insecurely
CWE‑834 C# cs/insecure-xml-read XML is read insecurely
CWE‑834 JavaScript js/xml-bomb XML internal entity expansion
CWE‑834 JavaScript js/loop-bound-injection Loop bound injection
CWE‑834 JavaScript js/inconsistent-loop-direction Inconsistent direction of for loop
CWE‑834 Go go/inconsistent-loop-direction Inconsistent direction of for loop
CWE‑835 Java java/constant-loop-condition Constant loop condition
CWE‑835 Java java/unreachable-exit-in-loop Loop with unreachable exit condition
CWE‑835 C++ cpp/inconsistent-loop-direction Inconsistent direction of for loop
CWE‑835 C++ cpp/comparison-with-wider-type Comparison of narrow type with wide type in loop condition
CWE‑835 C++ cpp/infinite-loop-with-unsatisfiable-exit-condition Infinite loop with unsatisfiable exit condition
CWE‑835 C# cs/constant-condition Constant condition
CWE‑835 JavaScript js/inconsistent-loop-direction Inconsistent direction of for loop
CWE‑835 Go go/inconsistent-loop-direction Inconsistent direction of for loop
CWE‑838 C# cs/inappropriate-encoding Inappropriate encoding
CWE‑843 C++ cpp/upcast-array-pointer-arithmetic Upcast array used in pointer arithmetic
CWE‑843 JavaScript js/type-confusion-through-parameter-tampering Type confusion through parameter tampering
CWE‑862 C# cs/empty-password-in-configuration Empty password in configuration file
CWE‑862 JavaScript js/cors-misconfiguration-for-credentials CORS misconfiguration for credentials transfer
CWE‑909 C++ cpp/initialization-not-run Initialization code not run
CWE‑912 JavaScript js/hardcoded-data-interpreted-as-code Hard-coded data interpreted as code
CWE‑912 JavaScript js/http-to-file-access Network data written to file
CWE‑913 Java java/insecure-bean-validation Insecure Bean Validation
CWE‑913 Java java/unsafe-deserialization Deserialization of user-controlled data
CWE‑913 Java java/groovy-injection Groovy Language injection
CWE‑913 Java java/android-insecure-dex-loading Insecure loading of an Android Dex File
CWE‑913 Java java/javaee-expression-injection Jakarta Expression Language injection
CWE‑913 Java java/jexl-expression-injection Expression language injection (JEXL)
CWE‑913 Java java/mvel-expression-injection Expression language injection (MVEL)
CWE‑913 Java java/unsafe-eval ScriptEngine evaluation
CWE‑913 Java java/spel-expression-injection Expression language injection (Spring)
CWE‑913 Java java/spring-view-manipulation-implicit Spring Implicit View Manipulation
CWE‑913 Java java/spring-view-manipulation Spring View Manipulation
CWE‑913 Java java/unsafe-deserialization-spring-exporter-in-configuration-class Unsafe deserialization with Spring's remote service exporters.
CWE‑913 Java java/unsafe-deserialization-spring-exporter-in-xml-configuration Unsafe deserialization with Spring's remote service exporters.
CWE‑913 C# cs/code-injection Improper control of generation of code
CWE‑913 C# cs/deserialized-delegate Deserialized delegate
CWE‑913 C# cs/unsafe-deserialization Unsafe deserializer
CWE‑913 C# cs/unsafe-deserialization-untrusted-input Deserialization of untrusted data
CWE‑913 Python py/code-injection Code injection
CWE‑913 Python py/unsafe-deserialization Deserializing untrusted input
CWE‑913 JavaScript js/enabling-electron-renderer-node-integration Enabling Node.js integration for Electron web content renderers
CWE‑913 JavaScript js/template-object-injection Template Object Injection
CWE‑913 JavaScript js/code-injection Code injection
CWE‑913 JavaScript js/bad-code-sanitization Improper code sanitization
CWE‑913 JavaScript js/unsafe-dynamic-method-access Unsafe dynamic method access
CWE‑913 JavaScript js/unsafe-deserialization Deserialization of user-controlled data
CWE‑913 JavaScript js/prototype-polluting-assignment Prototype-polluting assignment
CWE‑913 JavaScript js/prototype-pollution-utility Prototype-polluting function
CWE‑913 JavaScript js/prototype-pollution Prototype-polluting merge call
CWE‑913 JavaScript js/actions/injection Expression injection in Actions
CWE‑913 JavaScript js/actions/pull-request-target Checkout of untrusted code in trusted context
CWE‑913 Go go/unsafe-quoting Potentially unsafe quoting
CWE‑915 JavaScript js/prototype-polluting-assignment Prototype-polluting assignment
CWE‑915 JavaScript js/prototype-pollution-utility Prototype-polluting function
CWE‑915 JavaScript js/prototype-pollution Prototype-polluting merge call
CWE‑916 JavaScript js/insufficient-password-hash Use of password hash with insufficient computational effort
CWE‑917 Java java/ognl-injection OGNL Expression Language statement with user-controlled input
CWE‑918 Java java/ssrf Server Side Request Forgery (SSRF)
CWE‑918 JavaScript js/request-forgery Uncontrolled data used in network request
CWE‑918 Go go/request-forgery Uncontrolled data used in network request
CWE‑922 Java java/cleartext-storage-in-class Cleartext storage of sensitive information using storable class
CWE‑922 Java java/cleartext-storage-in-cookie Cleartext storage of sensitive information in cookie
CWE‑922 Java java/cleartext-storage-in-properties Cleartext storage of sensitive information using 'Properties' class
CWE‑922 Java java/android/cleartext-storage-shared-prefs Cleartext storage of sensitive information using SharedPreferences on Android
CWE‑922 C++ cpp/cleartext-storage-buffer Cleartext storage of sensitive information in buffer
CWE‑922 C++ cpp/cleartext-storage-file Cleartext storage of sensitive information in file
CWE‑922 C++ cpp/cleartext-storage-database Cleartext storage of sensitive information in an SQLite database
CWE‑922 C# cs/password-in-configuration Password in configuration file
CWE‑922 C# cs/cleartext-storage-of-sensitive-information Clear text storage of sensitive information
CWE‑922 Python py/clear-text-logging-sensitive-data Clear-text logging of sensitive information
CWE‑922 Python py/clear-text-storage-sensitive-data Clear-text storage of sensitive information
CWE‑922 JavaScript js/build-artifact-leak Storage of sensitive information in build artifact
CWE‑922 JavaScript js/clear-text-logging Clear-text logging of sensitive information
CWE‑922 JavaScript js/clear-text-storage-of-sensitive-data Clear text storage of sensitive information
CWE‑922 JavaScript js/password-in-configuration-file Password in configuration file
CWE‑922 Go go/clear-text-logging Clear-text logging of sensitive information
CWE‑923 Java java/unsafe-hostname-verification Unsafe hostname verification
CWE‑923 Java java/socket-auth-race-condition Race condition in socket authentication
CWE‑923 Java java/maven/non-https-url Failure to use HTTPS or SFTP URL in Maven artifact upload/download
CWE‑923 C# cs/user-controlled-bypass User-controlled bypass of sensitive method
CWE‑923 Go go/sensitive-condition-bypass User-controlled bypassing of sensitive action
CWE‑943 Java java/sql-injection Query built from user-controlled sources
CWE‑943 Java java/sql-injection-local Query built from local-user-controlled sources
CWE‑943 Java java/concatenated-sql-query Query built without neutralizing special characters
CWE‑943 Java java/ldap-injection LDAP query built from user-controlled sources
CWE‑943 Java java/xml/xpath-injection XPath injection
CWE‑943 Java java/xquery-injection XQuery query built from user-controlled sources
CWE‑943 C++ cpp/sql-injection Uncontrolled data in SQL query
CWE‑943 C# cs/second-order-sql-injection SQL query built from stored user-controlled sources
CWE‑943 C# cs/sql-injection SQL query built from user-controlled sources
CWE‑943 C# cs/ldap-injection LDAP query built from user-controlled sources
CWE‑943 C# cs/stored-ldap-injection LDAP query built from stored user-controlled sources
CWE‑943 C# cs/xml/stored-xpath-injection Stored XPath injection
CWE‑943 C# cs/xml/xpath-injection XPath injection
CWE‑943 Python py/sql-injection SQL query built from user-controlled sources
CWE‑943 Python py/xslt-injection XSLT query built from user-controlled sources
CWE‑943 Python py/xpath-injection XPath query built from user-controlled sources
CWE‑943 JavaScript js/sql-injection Database query built from user-controlled sources
CWE‑943 JavaScript js/xpath-injection XPath injection
CWE‑943 JavaScript javascript/ldap-injection LDAP query built from user-controlled sources
CWE‑943 Go go/sql-injection Database query built from user-controlled sources
CWE‑943 Go go/unsafe-quoting Potentially unsafe quoting
CWE‑943 Go go/xml/xpath-injection XPath injection
CWE‑1004 Java java/tomcat-disabled-httponly Tomcat config disables 'HttpOnly' flag (XSS risk)
CWE‑1004 Java java/sensitive-cookie-not-httponly Sensitive cookies without the HttpOnly response header set
CWE‑1004 JavaScript js/cookie-httponly-not-set 'HttpOnly' attribute is not set to true
CWE‑1022 JavaScript js/unsafe-external-link Potentially unsafe external link
CWE‑1104 Java java/maven/dependency-upon-bintray Depending upon JCenter/Bintray as an artifact repository