CWE coverage for C#

An overview of CWE coverage for C# in the latest release of CodeQL.

Overview

CWE Language Query id Query name
CWE-11 C# cs/web/debug-binary Creating an ASP.NET debug binary may reveal sensitive information
CWE-12 C# cs/web/missing-global-error-handler Missing global error handler
CWE-13 C# cs/password-in-configuration Password in configuration file
CWE-20 C# cs/count-untrusted-data-external-api Frequency counts for external APIs that are used with untrusted data
CWE-20 C# cs/serialization-check-bypass Serialization check bypass
CWE-20 C# cs/untrusted-data-to-external-api Untrusted data passed to external API
CWE-20 C# cs/xml/missing-validation Missing XML validation
CWE-20 C# cs/assembly-path-injection Assembly path injection
CWE-22 C# cs/path-injection Uncontrolled data used in path expression
CWE-22 C# cs/zipslip Arbitrary file access during archive extraction ("Zip Slip")
CWE-22 C# cs/webclient-path-injection Uncontrolled data used in a WebClient
CWE-23 C# cs/path-injection Uncontrolled data used in path expression
CWE-23 C# cs/webclient-path-injection Uncontrolled data used in a WebClient
CWE-36 C# cs/path-injection Uncontrolled data used in path expression
CWE-36 C# cs/webclient-path-injection Uncontrolled data used in a WebClient
CWE-73 C# cs/path-injection Uncontrolled data used in path expression
CWE-73 C# cs/webclient-path-injection Uncontrolled data used in a WebClient
CWE-74 C# cs/path-injection Uncontrolled data used in path expression
CWE-74 C# cs/command-line-injection Uncontrolled command line
CWE-74 C# cs/web/xss Cross-site scripting
CWE-74 C# cs/sql-injection SQL query built from user-controlled sources
CWE-74 C# cs/ldap-injection LDAP query built from user-controlled sources
CWE-74 C# cs/xml-injection XML injection
CWE-74 C# cs/code-injection Improper control of generation of code
CWE-74 C# cs/resource-injection Resource injection
CWE-74 C# cs/uncontrolled-format-string Uncontrolled format string
CWE-74 C# cs/xml/xpath-injection XPath injection
CWE-74 C# cs/web/disabled-header-checking Header checking disabled
CWE-74 C# cs/webclient-path-injection Uncontrolled data used in a WebClient
CWE-77 C# cs/command-line-injection Uncontrolled command line
CWE-78 C# cs/command-line-injection Uncontrolled command line
CWE-79 C# cs/web/xss Cross-site scripting
CWE-88 C# cs/command-line-injection Uncontrolled command line
CWE-89 C# cs/sql-injection SQL query built from user-controlled sources
CWE-90 C# cs/ldap-injection LDAP query built from user-controlled sources
CWE-91 C# cs/xml-injection XML injection
CWE-91 C# cs/xml/xpath-injection XPath injection
CWE-93 C# cs/web/disabled-header-checking Header checking disabled
CWE-94 C# cs/code-injection Improper control of generation of code
CWE-95 C# cs/code-injection Improper control of generation of code
CWE-96 C# cs/code-injection Improper control of generation of code
CWE-99 C# cs/path-injection Uncontrolled data used in path expression
CWE-99 C# cs/resource-injection Resource injection
CWE-99 C# cs/webclient-path-injection Uncontrolled data used in a WebClient
CWE-112 C# cs/xml/missing-validation Missing XML validation
CWE-113 C# cs/web/disabled-header-checking Header checking disabled
CWE-114 C# cs/assembly-path-injection Assembly path injection
CWE-116 C# cs/web/xss Cross-site scripting
CWE-116 C# cs/log-forging Log entries created from user input
CWE-116 C# cs/inappropriate-encoding Inappropriate encoding
CWE-117 C# cs/log-forging Log entries created from user input
CWE-118 C# cs/unvalidated-local-pointer-arithmetic Unvalidated local pointer arithmetic
CWE-119 C# cs/unvalidated-local-pointer-arithmetic Unvalidated local pointer arithmetic
CWE-120 C# cs/unvalidated-local-pointer-arithmetic Unvalidated local pointer arithmetic
CWE-122 C# cs/unvalidated-local-pointer-arithmetic Unvalidated local pointer arithmetic
CWE-134 C# cs/uncontrolled-format-string Uncontrolled format string
CWE-190 C# cs/loss-of-precision Possible loss of precision
CWE-193 C# cs/index-out-of-bounds Off-by-one comparison against container length
CWE-197 C# cs/loss-of-precision Possible loss of precision
CWE-200 C# cs/web/debug-binary Creating an ASP.NET debug binary may reveal sensitive information
CWE-200 C# cs/sensitive-data-transmission Information exposure through transmitted data
CWE-200 C# cs/information-exposure-through-exception Information exposure through an exception
CWE-200 C# cs/cleartext-storage-of-sensitive-information Clear text storage of sensitive information
CWE-200 C# cs/exposure-of-sensitive-information Exposure of private information
CWE-200 C# cs/web/directory-browse-enabled ASP.NET config file enables directory browsing
CWE-200 C# cs/web/persistent-cookie Cookie security: persistent cookie
CWE-201 C# cs/sensitive-data-transmission Information exposure through transmitted data
CWE-209 C# cs/information-exposure-through-exception Information exposure through an exception
CWE-215 C# cs/web/debug-binary Creating an ASP.NET debug binary may reveal sensitive information
CWE-221 C# cs/catch-of-all-exceptions Generic catch clause
CWE-221 C# cs/web/missing-x-frame-options Missing X-Frame-Options HTTP header
CWE-227 C# cs/inconsistent-equals-and-gethashcode Inconsistent Equals(object) and GetHashCode()
CWE-227 C# cs/invalid-dynamic-call Bad dynamic call
CWE-227 C# cs/web/missing-x-frame-options Missing X-Frame-Options HTTP header
CWE-247 C# cs/user-controlled-bypass User-controlled bypass of sensitive method
CWE-248 C# cs/web/missing-global-error-handler Missing global error handler
CWE-252 C# cs/unchecked-return-value Unchecked return value
CWE-256 C# cs/password-in-configuration Password in configuration file
CWE-258 C# cs/empty-password-in-configuration Empty password in configuration file
CWE-259 C# cs/hardcoded-connection-string-credentials Hard-coded connection string with credentials
CWE-259 C# cs/hardcoded-credentials Hard-coded credentials
CWE-260 C# cs/empty-password-in-configuration Empty password in configuration file
CWE-260 C# cs/password-in-configuration Password in configuration file
CWE-284 C# cs/empty-password-in-configuration Empty password in configuration file
CWE-284 C# cs/password-in-configuration Password in configuration file
CWE-284 C# cs/web/missing-function-level-access-control Missing function level access control
CWE-284 C# cs/hard-coded-symmetric-encryption-key Hard-coded symmetric encryption key
CWE-284 C# cs/session-reuse Failure to abandon session
CWE-284 C# cs/web/insecure-direct-object-reference Insecure Direct Object Reference
CWE-284 C# cs/hardcoded-connection-string-credentials Hard-coded connection string with credentials
CWE-284 C# cs/hardcoded-credentials Hard-coded credentials
CWE-284 C# cs/user-controlled-bypass User-controlled bypass of sensitive method
CWE-284 C# cs/web/broad-cookie-domain Cookie security: overly broad domain
CWE-284 C# cs/web/broad-cookie-path Cookie security: overly broad path
CWE-285 C# cs/empty-password-in-configuration Empty password in configuration file
CWE-285 C# cs/web/missing-function-level-access-control Missing function level access control
CWE-285 C# cs/web/insecure-direct-object-reference Insecure Direct Object Reference
CWE-287 C# cs/empty-password-in-configuration Empty password in configuration file
CWE-287 C# cs/password-in-configuration Password in configuration file
CWE-287 C# cs/hard-coded-symmetric-encryption-key Hard-coded symmetric encryption key
CWE-287 C# cs/session-reuse Failure to abandon session
CWE-287 C# cs/hardcoded-connection-string-credentials Hard-coded connection string with credentials
CWE-287 C# cs/hardcoded-credentials Hard-coded credentials
CWE-287 C# cs/user-controlled-bypass User-controlled bypass of sensitive method
CWE-287 C# cs/web/broad-cookie-domain Cookie security: overly broad domain
CWE-287 C# cs/web/broad-cookie-path Cookie security: overly broad path
CWE-290 C# cs/user-controlled-bypass User-controlled bypass of sensitive method
CWE-311 C# cs/password-in-configuration Password in configuration file
CWE-311 C# cs/cleartext-storage-of-sensitive-information Clear text storage of sensitive information
CWE-311 C# cs/web/requiressl-not-set 'requireSSL' attribute is not set to true
CWE-311 C# cs/web/cookie-secure-not-set 'Secure' attribute is not set to true
CWE-312 C# cs/password-in-configuration Password in configuration file
CWE-312 C# cs/cleartext-storage-of-sensitive-information Clear text storage of sensitive information
CWE-313 C# cs/password-in-configuration Password in configuration file
CWE-315 C# cs/cleartext-storage-of-sensitive-information Clear text storage of sensitive information
CWE-319 C# cs/web/requiressl-not-set 'requireSSL' attribute is not set to true
CWE-319 C# cs/web/cookie-secure-not-set 'Secure' attribute is not set to true
CWE-321 C# cs/hard-coded-symmetric-encryption-key Hard-coded symmetric encryption key
CWE-321 C# cs/hardcoded-connection-string-credentials Hard-coded connection string with credentials
CWE-321 C# cs/hardcoded-credentials Hard-coded credentials
CWE-326 C# cs/insufficient-key-size Weak encryption: Insufficient key size
CWE-327 C# cs/adding-cert-to-root-store Do not add certificates to the system root store.
CWE-327 C# cs/insecure-sql-connection Insecure SQL connection
CWE-327 C# cs/ecb-encryption Encryption using ECB
CWE-327 C# cs/inadequate-rsa-padding Weak encryption: inadequate RSA padding
CWE-327 C# cs/weak-encryption Weak encryption
CWE-327 C# cs/azure-storage/unsafe-usage-of-client-side-encryption-version Unsafe usage of v1 version of Azure Storage client-side encryption (CVE-2022-30187).
CWE-327 C# cs/hash-without-salt Use of a hash function without a salt
CWE-330 C# cs/random-used-once Random used only once
CWE-330 C# cs/hard-coded-symmetric-encryption-key Hard-coded symmetric encryption key
CWE-330 C# cs/hardcoded-connection-string-credentials Hard-coded connection string with credentials
CWE-330 C# cs/hardcoded-credentials Hard-coded credentials
CWE-330 C# cs/insecure-randomness Insecure randomness
CWE-335 C# cs/random-used-once Random used only once
CWE-338 C# cs/insecure-randomness Insecure randomness
CWE-344 C# cs/hard-coded-symmetric-encryption-key Hard-coded symmetric encryption key
CWE-344 C# cs/hardcoded-connection-string-credentials Hard-coded connection string with credentials
CWE-344 C# cs/hardcoded-credentials Hard-coded credentials
CWE-345 C# cs/web/ambiguous-client-variable Value shadowing
CWE-345 C# cs/web/ambiguous-server-variable Value shadowing: server variable
CWE-345 C# cs/web/missing-token-validation Missing cross-site request forgery token validation
CWE-348 C# cs/web/ambiguous-client-variable Value shadowing
CWE-348 C# cs/web/ambiguous-server-variable Value shadowing: server variable
CWE-350 C# cs/user-controlled-bypass User-controlled bypass of sensitive method
CWE-352 C# cs/web/missing-token-validation Missing cross-site request forgery token validation
CWE-359 C# cs/cleartext-storage-of-sensitive-information Clear text storage of sensitive information
CWE-359 C# cs/exposure-of-sensitive-information Exposure of private information
CWE-362 C# cs/unsafe-sync-on-field Futile synchronization on field
CWE-362 C# cs/unsynchronized-static-access Unsynchronized access to static collection member in non-static context
CWE-362 C# cs/thread-unsafe-icryptotransform-field-in-class Thread-unsafe use of a static ICryptoTransform field
CWE-362 C# cs/thread-unsafe-icryptotransform-captured-in-lambda Thread-unsafe capturing of an ICryptoTransform object
CWE-366 C# cs/unsafe-sync-on-field Futile synchronization on field
CWE-384 C# cs/session-reuse Failure to abandon session
CWE-390 C# cs/empty-catch-block Poor error handling: empty catch block
CWE-391 C# cs/empty-catch-block Poor error handling: empty catch block
CWE-395 C# cs/catch-nullreferenceexception Poor error handling: catch of NullReferenceException
CWE-396 C# cs/catch-of-all-exceptions Generic catch clause
CWE-398 C# cs/call-to-obsolete-method Call to obsolete method
CWE-398 C# cs/todo-comment TODO comment
CWE-398 C# cs/dereferenced-value-is-always-null Dereferenced variable is always null
CWE-398 C# cs/dereferenced-value-may-be-null Dereferenced variable may be null
CWE-398 C# cs/unused-reftype Dead reference types
CWE-398 C# cs/useless-assignment-to-local Useless assignment to local variable
CWE-398 C# cs/unused-field Unused field
CWE-398 C# cs/unused-method Unused method
CWE-398 C# cs/useless-cast-to-self Cast to same type
CWE-398 C# cs/useless-is-before-as Useless 'is' before 'as'
CWE-398 C# cs/coalesce-of-identical-expressions Useless ?? expression
CWE-398 C# cs/useless-type-test Useless type test
CWE-398 C# cs/useless-upcast Useless upcast
CWE-398 C# cs/empty-collection Container contents are never initialized
CWE-398 C# cs/unused-collection Container contents are never accessed
CWE-398 C# cs/empty-lock-statement Empty lock statement
CWE-398 C# cs/linq/useless-select Redundant Select
CWE-400 C# cs/redos Denial of Service from comparison of user input against expensive regex
CWE-400 C# cs/regex-injection Regular expression injection
CWE-404 C# cs/dispose-not-called-on-throw Dispose may not be called if an exception is thrown during execution
CWE-404 C# cs/member-not-disposed Missing Dispose call
CWE-404 C# cs/missing-dispose-method Missing Dispose method
CWE-404 C# cs/local-not-disposed Missing Dispose call on local IDisposable
CWE-405 C# cs/xml/insecure-dtd-handling Untrusted XML is read insecurely
CWE-405 C# cs/insecure-xml-read XML is read insecurely
CWE-409 C# cs/xml/insecure-dtd-handling Untrusted XML is read insecurely
CWE-409 C# cs/insecure-xml-read XML is read insecurely
CWE-434 C# cs/web/file-upload Use of file upload
CWE-441 C# cs/request-forgery Server-side request forgery
CWE-451 C# cs/web/missing-x-frame-options Missing X-Frame-Options HTTP header
CWE-457 C# cs/unassigned-field Field is never assigned a non-default value
CWE-459 C# cs/dispose-not-called-on-throw Dispose may not be called if an exception is thrown during execution
CWE-459 C# cs/member-not-disposed Missing Dispose call
CWE-459 C# cs/missing-dispose-method Missing Dispose method
CWE-459 C# cs/local-not-disposed Missing Dispose call on local IDisposable
CWE-460 C# cs/dispose-not-called-on-throw Dispose may not be called if an exception is thrown during execution
CWE-460 C# cs/local-not-disposed Missing Dispose call on local IDisposable
CWE-471 C# cs/web/html-hidden-input Use of HTMLInputHidden
CWE-472 C# cs/web/html-hidden-input Use of HTMLInputHidden
CWE-476 C# cs/dereferenced-value-is-always-null Dereferenced variable is always null
CWE-476 C# cs/dereferenced-value-may-be-null Dereferenced variable may be null
CWE-477 C# cs/call-to-obsolete-method Call to obsolete method
CWE-480 C# cs/non-short-circuit Potentially dangerous use of non-short-circuit logic
CWE-485 C# cs/class-name-comparison Erroneous class compare
CWE-485 C# cs/cast-from-abstract-to-concrete-collection Cast from abstract to concrete collection
CWE-485 C# cs/expose-implementation Exposing internal representation
CWE-485 C# cs/web/debug-code ASP.NET: leftover debug code
CWE-486 C# cs/class-name-comparison Erroneous class compare
CWE-489 C# cs/web/debug-code ASP.NET: leftover debug code
CWE-497 C# cs/information-exposure-through-exception Information exposure through an exception
CWE-502 C# cs/deserialized-delegate Deserialized delegate
CWE-502 C# cs/unsafe-deserialization Unsafe deserializer
CWE-502 C# cs/unsafe-deserialization-untrusted-input Deserialization of untrusted data
CWE-521 C# cs/empty-password-in-configuration Empty password in configuration file
CWE-522 C# cs/empty-password-in-configuration Empty password in configuration file
CWE-522 C# cs/password-in-configuration Password in configuration file
CWE-532 C# cs/web/debug-binary Creating an ASP.NET debug binary may reveal sensitive information
CWE-538 C# cs/web/debug-binary Creating an ASP.NET debug binary may reveal sensitive information
CWE-538 C# cs/web/directory-browse-enabled ASP.NET config file enables directory browsing
CWE-538 C# cs/web/persistent-cookie Cookie security: persistent cookie
CWE-539 C# cs/web/persistent-cookie Cookie security: persistent cookie
CWE-546 C# cs/todo-comment TODO comment
CWE-548 C# cs/web/directory-browse-enabled ASP.NET config file enables directory browsing
CWE-552 C# cs/web/debug-binary Creating an ASP.NET debug binary may reveal sensitive information
CWE-552 C# cs/web/directory-browse-enabled ASP.NET config file enables directory browsing
CWE-561 C# cs/unused-reftype Dead reference types
CWE-561 C# cs/unused-field Unused field
CWE-561 C# cs/unused-method Unused method
CWE-561 C# cs/useless-cast-to-self Cast to same type
CWE-561 C# cs/useless-is-before-as Useless 'is' before 'as'
CWE-561 C# cs/coalesce-of-identical-expressions Useless ?? expression
CWE-561 C# cs/useless-type-test Useless type test
CWE-561 C# cs/useless-upcast Useless upcast
CWE-561 C# cs/empty-collection Container contents are never initialized
CWE-561 C# cs/unused-collection Container contents are never accessed
CWE-561 C# cs/linq/useless-select Redundant Select
CWE-563 C# cs/useless-assignment-to-local Useless assignment to local variable
CWE-567 C# cs/unsynchronized-static-access Unsynchronized access to static collection member in non-static context
CWE-573 C# cs/inconsistent-equals-and-gethashcode Inconsistent Equals(object) and GetHashCode()
CWE-573 C# cs/invalid-dynamic-call Bad dynamic call
CWE-581 C# cs/inconsistent-equals-and-gethashcode Inconsistent Equals(object) and GetHashCode()
CWE-582 C# cs/static-array Array constant vulnerable to change
CWE-585 C# cs/empty-lock-statement Empty lock statement
CWE-592 C# cs/user-controlled-bypass User-controlled bypass of sensitive method
CWE-595 C# cs/reference-equality-with-object Reference equality test on System.Object
CWE-595 C# cs/reference-equality-on-valuetypes Call to ReferenceEquals(...) on value type expressions
CWE-601 C# cs/web/unvalidated-url-redirection URL redirection from remote source
CWE-609 C# cs/unsafe-double-checked-lock Double-checked lock is not thread-safe
CWE-610 C# cs/path-injection Uncontrolled data used in path expression
CWE-610 C# cs/web/unvalidated-url-redirection URL redirection from remote source
CWE-610 C# cs/xml/insecure-dtd-handling Untrusted XML is read insecurely
CWE-610 C# cs/insecure-xml-read XML is read insecurely
CWE-610 C# cs/webclient-path-injection Uncontrolled data used in a WebClient
CWE-610 C# cs/request-forgery Server-side request forgery
CWE-611 C# cs/xml/insecure-dtd-handling Untrusted XML is read insecurely
CWE-611 C# cs/insecure-xml-read XML is read insecurely
CWE-614 C# cs/web/requiressl-not-set 'requireSSL' attribute is not set to true
CWE-614 C# cs/web/cookie-secure-not-set 'Secure' attribute is not set to true
CWE-628 C# cs/invalid-dynamic-call Bad dynamic call
CWE-639 C# cs/web/insecure-direct-object-reference Insecure Direct Object Reference
CWE-642 C# cs/web/html-hidden-input Use of HTMLInputHidden
CWE-642 C# cs/path-injection Uncontrolled data used in path expression
CWE-642 C# cs/webclient-path-injection Uncontrolled data used in a WebClient
CWE-643 C# cs/xml/xpath-injection XPath injection
CWE-657 C# cs/hard-coded-symmetric-encryption-key Hard-coded symmetric encryption key
CWE-657 C# cs/hardcoded-connection-string-credentials Hard-coded connection string with credentials
CWE-657 C# cs/hardcoded-credentials Hard-coded credentials
CWE-662 C# cs/unsafe-sync-on-field Futile synchronization on field
CWE-662 C# cs/inconsistent-lock-sequence Inconsistent lock sequence
CWE-662 C# cs/lock-this Locking the 'this' object in a lock statement
CWE-662 C# cs/locked-wait A lock is held during a wait
CWE-662 C# cs/unsynchronized-getter Inconsistently synchronized property
CWE-662 C# cs/unsafe-double-checked-lock Double-checked lock is not thread-safe
CWE-662 C# cs/unsynchronized-static-access Unsynchronized access to static collection member in non-static context
CWE-664 C# cs/dispose-not-called-on-throw Dispose may not be called if an exception is thrown during execution
CWE-664 C# cs/member-not-disposed Missing Dispose call
CWE-664 C# cs/missing-dispose-method Missing Dispose method
CWE-664 C# cs/local-not-disposed Missing Dispose call on local IDisposable
CWE-664 C# cs/class-name-comparison Erroneous class compare
CWE-664 C# cs/cast-from-abstract-to-concrete-collection Cast from abstract to concrete collection
CWE-664 C# cs/expose-implementation Exposing internal representation
CWE-664 C# cs/static-array Array constant vulnerable to change
CWE-664 C# cs/web/debug-code ASP.NET: leftover debug code
CWE-664 C# cs/web/html-hidden-input Use of HTMLInputHidden
CWE-664 C# cs/unsafe-sync-on-field Futile synchronization on field
CWE-664 C# cs/inconsistent-lock-sequence Inconsistent lock sequence
CWE-664 C# cs/lock-this Locking the 'this' object in a lock statement
CWE-664 C# cs/locked-wait A lock is held during a wait
CWE-664 C# cs/unsynchronized-getter Inconsistently synchronized property
CWE-664 C# cs/unsafe-double-checked-lock Double-checked lock is not thread-safe
CWE-664 C# cs/unsynchronized-static-access Unsynchronized access to static collection member in non-static context
CWE-664 C# cs/empty-password-in-configuration Empty password in configuration file
CWE-664 C# cs/password-in-configuration Password in configuration file
CWE-664 C# cs/unassigned-field Field is never assigned a non-default value
CWE-664 C# cs/web/file-upload Use of file upload
CWE-664 C# cs/catch-of-all-exceptions Generic catch clause
CWE-664 C# cs/loss-of-precision Possible loss of precision
CWE-664 C# cs/web/debug-binary Creating an ASP.NET debug binary may reveal sensitive information
CWE-664 C# cs/path-injection Uncontrolled data used in path expression
CWE-664 C# cs/zipslip Arbitrary file access during archive extraction ("Zip Slip")
CWE-664 C# cs/code-injection Improper control of generation of code
CWE-664 C# cs/sensitive-data-transmission Information exposure through transmitted data
CWE-664 C# cs/information-exposure-through-exception Information exposure through an exception
CWE-664 C# cs/web/missing-function-level-access-control Missing function level access control
CWE-664 C# cs/cleartext-storage-of-sensitive-information Clear text storage of sensitive information
CWE-664 C# cs/hard-coded-symmetric-encryption-key Hard-coded symmetric encryption key
CWE-664 C# cs/exposure-of-sensitive-information Exposure of private information
CWE-664 C# cs/session-reuse Failure to abandon session
CWE-664 C# cs/web/missing-x-frame-options Missing X-Frame-Options HTTP header
CWE-664 C# cs/deserialized-delegate Deserialized delegate
CWE-664 C# cs/unsafe-deserialization Unsafe deserializer
CWE-664 C# cs/unsafe-deserialization-untrusted-input Deserialization of untrusted data
CWE-664 C# cs/web/directory-browse-enabled ASP.NET config file enables directory browsing
CWE-664 C# cs/web/unvalidated-url-redirection URL redirection from remote source
CWE-664 C# cs/xml/insecure-dtd-handling Untrusted XML is read insecurely
CWE-664 C# cs/insecure-xml-read XML is read insecurely
CWE-664 C# cs/web/insecure-direct-object-reference Insecure Direct Object Reference
CWE-664 C# cs/redos Denial of Service from comparison of user input against expensive regex
CWE-664 C# cs/regex-injection Regular expression injection
CWE-664 C# cs/hardcoded-connection-string-credentials Hard-coded connection string with credentials
CWE-664 C# cs/hardcoded-credentials Hard-coded credentials
CWE-664 C# cs/user-controlled-bypass User-controlled bypass of sensitive method
CWE-664 C# cs/web/broad-cookie-domain Cookie security: overly broad domain
CWE-664 C# cs/web/broad-cookie-path Cookie security: overly broad path
CWE-664 C# cs/web/persistent-cookie Cookie security: persistent cookie
CWE-664 C# cs/webclient-path-injection Uncontrolled data used in a WebClient
CWE-664 C# cs/request-forgery Server-side request forgery
CWE-665 C# cs/unassigned-field Field is never assigned a non-default value
CWE-667 C# cs/locked-wait A lock is held during a wait
CWE-667 C# cs/unsafe-double-checked-lock Double-checked lock is not thread-safe
CWE-668 C# cs/static-array Array constant vulnerable to change
CWE-668 C# cs/web/html-hidden-input Use of HTMLInputHidden
CWE-668 C# cs/empty-password-in-configuration Empty password in configuration file
CWE-668 C# cs/password-in-configuration Password in configuration file
CWE-668 C# cs/web/debug-binary Creating an ASP.NET debug binary may reveal sensitive information
CWE-668 C# cs/path-injection Uncontrolled data used in path expression
CWE-668 C# cs/zipslip Arbitrary file access during archive extraction ("Zip Slip")
CWE-668 C# cs/sensitive-data-transmission Information exposure through transmitted data
CWE-668 C# cs/information-exposure-through-exception Information exposure through an exception
CWE-668 C# cs/cleartext-storage-of-sensitive-information Clear text storage of sensitive information
CWE-668 C# cs/exposure-of-sensitive-information Exposure of private information
CWE-668 C# cs/web/directory-browse-enabled ASP.NET config file enables directory browsing
CWE-668 C# cs/web/persistent-cookie Cookie security: persistent cookie
CWE-668 C# cs/webclient-path-injection Uncontrolled data used in a WebClient
CWE-669 C# cs/web/file-upload Use of file upload
CWE-669 C# cs/web/missing-x-frame-options Missing X-Frame-Options HTTP header
CWE-669 C# cs/xml/insecure-dtd-handling Untrusted XML is read insecurely
CWE-669 C# cs/insecure-xml-read XML is read insecurely
CWE-670 C# cs/non-short-circuit Potentially dangerous use of non-short-circuit logic
CWE-671 C# cs/hard-coded-symmetric-encryption-key Hard-coded symmetric encryption key
CWE-671 C# cs/hardcoded-connection-string-credentials Hard-coded connection string with credentials
CWE-671 C# cs/hardcoded-credentials Hard-coded credentials
CWE-674 C# cs/xml/insecure-dtd-handling Untrusted XML is read insecurely
CWE-674 C# cs/insecure-xml-read XML is read insecurely
CWE-681 C# cs/loss-of-precision Possible loss of precision
CWE-682 C# cs/index-out-of-bounds Off-by-one comparison against container length
CWE-682 C# cs/loss-of-precision Possible loss of precision
CWE-684 C# cs/web/missing-x-frame-options Missing X-Frame-Options HTTP header
CWE-691 C# cs/catch-nullreferenceexception Poor error handling: catch of NullReferenceException
CWE-691 C# cs/constant-condition Constant condition
CWE-691 C# cs/unsafe-sync-on-field Futile synchronization on field
CWE-691 C# cs/inconsistent-lock-sequence Inconsistent lock sequence
CWE-691 C# cs/lock-this Locking the 'this' object in a lock statement
CWE-691 C# cs/locked-wait A lock is held during a wait
CWE-691 C# cs/unsynchronized-getter Inconsistently synchronized property
CWE-691 C# cs/unsafe-double-checked-lock Double-checked lock is not thread-safe
CWE-691 C# cs/unsynchronized-static-access Unsynchronized access to static collection member in non-static context
CWE-691 C# cs/catch-of-all-exceptions Generic catch clause
CWE-691 C# cs/non-short-circuit Potentially dangerous use of non-short-circuit logic
CWE-691 C# cs/thread-unsafe-icryptotransform-field-in-class Thread-unsafe use of a static ICryptoTransform field
CWE-691 C# cs/thread-unsafe-icryptotransform-captured-in-lambda Thread-unsafe capturing of an ICryptoTransform object
CWE-691 C# cs/linq/inconsistent-enumeration Bad multiple iteration
CWE-691 C# cs/code-injection Improper control of generation of code
CWE-691 C# cs/web/missing-global-error-handler Missing global error handler
CWE-691 C# cs/xml/insecure-dtd-handling Untrusted XML is read insecurely
CWE-691 C# cs/insecure-xml-read XML is read insecurely
CWE-693 C# cs/empty-password-in-configuration Empty password in configuration file
CWE-693 C# cs/password-in-configuration Password in configuration file
CWE-693 C# cs/web/ambiguous-client-variable Value shadowing
CWE-693 C# cs/web/ambiguous-server-variable Value shadowing: server variable
CWE-693 C# cs/count-untrusted-data-external-api Frequency counts for external APIs that are used with untrusted data
CWE-693 C# cs/serialization-check-bypass Serialization check bypass
CWE-693 C# cs/untrusted-data-to-external-api Untrusted data passed to external API
CWE-693 C# cs/xml/missing-validation Missing XML validation
CWE-693 C# cs/assembly-path-injection Assembly path injection
CWE-693 C# cs/web/missing-function-level-access-control Missing function level access control
CWE-693 C# cs/cleartext-storage-of-sensitive-information Clear text storage of sensitive information
CWE-693 C# cs/hard-coded-symmetric-encryption-key Hard-coded symmetric encryption key
CWE-693 C# cs/adding-cert-to-root-store Do not add certificates to the system root store.
CWE-693 C# cs/insecure-sql-connection Insecure SQL connection
CWE-693 C# cs/web/missing-token-validation Missing cross-site request forgery token validation
CWE-693 C# cs/session-reuse Failure to abandon session
CWE-693 C# cs/web/requiressl-not-set 'requireSSL' attribute is not set to true
CWE-693 C# cs/web/insecure-direct-object-reference Insecure Direct Object Reference
CWE-693 C# cs/hardcoded-connection-string-credentials Hard-coded connection string with credentials
CWE-693 C# cs/hardcoded-credentials Hard-coded credentials
CWE-693 C# cs/user-controlled-bypass User-controlled bypass of sensitive method
CWE-693 C# cs/web/broad-cookie-domain Cookie security: overly broad domain
CWE-693 C# cs/web/broad-cookie-path Cookie security: overly broad path
CWE-693 C# cs/ecb-encryption Encryption using ECB
CWE-693 C# cs/inadequate-rsa-padding Weak encryption: inadequate RSA padding
CWE-693 C# cs/insufficient-key-size Weak encryption: Insufficient key size
CWE-693 C# cs/weak-encryption Weak encryption
CWE-693 C# cs/azure-storage/unsafe-usage-of-client-side-encryption-version Unsafe usage of v1 version of Azure Storage client-side encryption (CVE-2022-30187).
CWE-693 C# cs/web/cookie-secure-not-set 'Secure' attribute is not set to true
CWE-693 C# cs/hash-without-salt Use of a hash function without a salt
CWE-697 C# cs/class-name-comparison Erroneous class compare
CWE-697 C# cs/reference-equality-with-object Reference equality test on System.Object
CWE-697 C# cs/reference-equality-on-valuetypes Call to ReferenceEquals(...) on value type expressions
CWE-703 C# cs/dispose-not-called-on-throw Dispose may not be called if an exception is thrown during execution
CWE-703 C# cs/local-not-disposed Missing Dispose call on local IDisposable
CWE-703 C# cs/unchecked-return-value Unchecked return value
CWE-703 C# cs/catch-nullreferenceexception Poor error handling: catch of NullReferenceException
CWE-703 C# cs/empty-catch-block Poor error handling: empty catch block
CWE-703 C# cs/catch-of-all-exceptions Generic catch clause
CWE-703 C# cs/information-exposure-through-exception Information exposure through an exception
CWE-703 C# cs/web/missing-global-error-handler Missing global error handler
CWE-704 C# cs/loss-of-precision Possible loss of precision
CWE-705 C# cs/catch-nullreferenceexception Poor error handling: catch of NullReferenceException
CWE-705 C# cs/catch-of-all-exceptions Generic catch clause
CWE-705 C# cs/web/missing-global-error-handler Missing global error handler
CWE-706 C# cs/path-injection Uncontrolled data used in path expression
CWE-706 C# cs/zipslip Arbitrary file access during archive extraction ("Zip Slip")
CWE-706 C# cs/xml/insecure-dtd-handling Untrusted XML is read insecurely
CWE-706 C# cs/insecure-xml-read XML is read insecurely
CWE-706 C# cs/webclient-path-injection Uncontrolled data used in a WebClient
CWE-707 C# cs/path-injection Uncontrolled data used in path expression
CWE-707 C# cs/command-line-injection Uncontrolled command line
CWE-707 C# cs/web/xss Cross-site scripting
CWE-707 C# cs/sql-injection SQL query built from user-controlled sources
CWE-707 C# cs/ldap-injection LDAP query built from user-controlled sources
CWE-707 C# cs/xml-injection XML injection
CWE-707 C# cs/code-injection Improper control of generation of code
CWE-707 C# cs/resource-injection Resource injection
CWE-707 C# cs/log-forging Log entries created from user input
CWE-707 C# cs/uncontrolled-format-string Uncontrolled format string
CWE-707 C# cs/xml/xpath-injection XPath injection
CWE-707 C# cs/inappropriate-encoding Inappropriate encoding
CWE-707 C# cs/web/disabled-header-checking Header checking disabled
CWE-707 C# cs/webclient-path-injection Uncontrolled data used in a WebClient
CWE-710 C# cs/call-to-obsolete-method Call to obsolete method
CWE-710 C# cs/inconsistent-equals-and-gethashcode Inconsistent Equals(object) and GetHashCode()
CWE-710 C# cs/todo-comment TODO comment
CWE-710 C# cs/dereferenced-value-is-always-null Dereferenced variable is always null
CWE-710 C# cs/dereferenced-value-may-be-null Dereferenced variable may be null
CWE-710 C# cs/unused-reftype Dead reference types
CWE-710 C# cs/useless-assignment-to-local Useless assignment to local variable
CWE-710 C# cs/unused-field Unused field
CWE-710 C# cs/unused-method Unused method
CWE-710 C# cs/captured-foreach-variable Capturing a foreach variable
CWE-710 C# cs/useless-cast-to-self Cast to same type
CWE-710 C# cs/useless-is-before-as Useless 'is' before 'as'
CWE-710 C# cs/coalesce-of-identical-expressions Useless ?? expression
CWE-710 C# cs/useless-type-test Useless type test
CWE-710 C# cs/useless-upcast Useless upcast
CWE-710 C# cs/empty-collection Container contents are never initialized
CWE-710 C# cs/unused-collection Container contents are never accessed
CWE-710 C# cs/invalid-dynamic-call Bad dynamic call
CWE-710 C# cs/empty-lock-statement Empty lock statement
CWE-710 C# cs/linq/useless-select Redundant Select
CWE-710 C# cs/hard-coded-symmetric-encryption-key Hard-coded symmetric encryption key
CWE-710 C# cs/web/missing-x-frame-options Missing X-Frame-Options HTTP header
CWE-710 C# cs/hardcoded-connection-string-credentials Hard-coded connection string with credentials
CWE-710 C# cs/hardcoded-credentials Hard-coded credentials
CWE-754 C# cs/unchecked-return-value Unchecked return value
CWE-755 C# cs/dispose-not-called-on-throw Dispose may not be called if an exception is thrown during execution
CWE-755 C# cs/local-not-disposed Missing Dispose call on local IDisposable
CWE-755 C# cs/catch-nullreferenceexception Poor error handling: catch of NullReferenceException
CWE-755 C# cs/empty-catch-block Poor error handling: empty catch block
CWE-755 C# cs/catch-of-all-exceptions Generic catch clause
CWE-755 C# cs/information-exposure-through-exception Information exposure through an exception
CWE-755 C# cs/web/missing-global-error-handler Missing global error handler
CWE-756 C# cs/web/missing-global-error-handler Missing global error handler
CWE-758 C# cs/captured-foreach-variable Capturing a foreach variable
CWE-759 C# cs/hash-without-salt Use of a hash function without a salt
CWE-776 C# cs/xml/insecure-dtd-handling Untrusted XML is read insecurely
CWE-776 C# cs/insecure-xml-read XML is read insecurely
CWE-780 C# cs/inadequate-rsa-padding Weak encryption: inadequate RSA padding
CWE-787 C# cs/unvalidated-local-pointer-arithmetic Unvalidated local pointer arithmetic
CWE-788 C# cs/unvalidated-local-pointer-arithmetic Unvalidated local pointer arithmetic
CWE-798 C# cs/hard-coded-symmetric-encryption-key Hard-coded symmetric encryption key
CWE-798 C# cs/hardcoded-connection-string-credentials Hard-coded connection string with credentials
CWE-798 C# cs/hardcoded-credentials Hard-coded credentials
CWE-807 C# cs/user-controlled-bypass User-controlled bypass of sensitive method
CWE-820 C# cs/unsynchronized-static-access Unsynchronized access to static collection member in non-static context
CWE-827 C# cs/xml/insecure-dtd-handling Untrusted XML is read insecurely
CWE-827 C# cs/insecure-xml-read XML is read insecurely
CWE-829 C# cs/web/missing-x-frame-options Missing X-Frame-Options HTTP header
CWE-829 C# cs/xml/insecure-dtd-handling Untrusted XML is read insecurely
CWE-829 C# cs/insecure-xml-read XML is read insecurely
CWE-833 C# cs/locked-wait A lock is held during a wait
CWE-834 C# cs/constant-condition Constant condition
CWE-834 C# cs/linq/inconsistent-enumeration Bad multiple iteration
CWE-834 C# cs/xml/insecure-dtd-handling Untrusted XML is read insecurely
CWE-834 C# cs/insecure-xml-read XML is read insecurely
CWE-835 C# cs/constant-condition Constant condition
CWE-838 C# cs/inappropriate-encoding Inappropriate encoding
CWE-862 C# cs/empty-password-in-configuration Empty password in configuration file
CWE-862 C# cs/web/missing-function-level-access-control Missing function level access control
CWE-862 C# cs/web/insecure-direct-object-reference Insecure Direct Object Reference
CWE-913 C# cs/code-injection Improper control of generation of code
CWE-913 C# cs/deserialized-delegate Deserialized delegate
CWE-913 C# cs/unsafe-deserialization Unsafe deserializer
CWE-913 C# cs/unsafe-deserialization-untrusted-input Deserialization of untrusted data
CWE-916 C# cs/hash-without-salt Use of a hash function without a salt
CWE-918 C# cs/request-forgery Server-side request forgery
CWE-922 C# cs/password-in-configuration Password in configuration file
CWE-922 C# cs/cleartext-storage-of-sensitive-information Clear text storage of sensitive information
CWE-923 C# cs/user-controlled-bypass User-controlled bypass of sensitive method
CWE-943 C# cs/sql-injection SQL query built from user-controlled sources
CWE-943 C# cs/ldap-injection LDAP query built from user-controlled sources
CWE-943 C# cs/xml/xpath-injection XPath injection
CWE-1004 C# cs/web/cookie-httponly-not-set 'HttpOnly' attribute is not set to true
CWE-1333 C# cs/redos Denial of Service from comparison of user input against expensive regex