CodeQL documentation

CWE coverage for Go

An overview of CWE coverage for Go in the latest release of CodeQL.

Overview

| CWE | Language | Query id | Query name |
| --- | --- | --- | --- |
| CWE-20 | Default | go/count-untrusted-data-external-api | Frequency counts for external APIs that are used with untrusted data |
| CWE-20 | Default | go/incomplete-hostname-regexp | Incomplete regular expression for hostnames |
| CWE-20 | Default | go/incomplete-url-scheme-check | Incomplete URL scheme check |
| CWE-20 | Default | go/regex/missing-regexp-anchor | Missing regular expression anchor |
| CWE-20 | Default | go/suspicious-character-in-regex | Suspicious characters in a regular expression |
| CWE-20 | Default | go/untrusted-data-to-external-api | Untrusted data passed to external API |
| CWE-20 | Default | go/untrusted-data-to-unknown-external-api | Untrusted data passed to unknown external API |
| CWE-22 | Default | go/path-injection | Uncontrolled data used in path expression |
| CWE-22 | Default | go/unsafe-unzip-symlink | Arbitrary file write extracting an archive containing symbolic links |
| CWE-22 | Default | go/zipslip | Arbitrary file write during zip extraction ("zip slip") |
| CWE-23 | Default | go/path-injection | Uncontrolled data used in path expression |
| CWE-36 | Default | go/path-injection | Uncontrolled data used in path expression |
| CWE-73 | Default | go/path-injection | Uncontrolled data used in path expression |
| CWE-74 | Default | go/path-injection | Uncontrolled data used in path expression |
| CWE-74 | Default | go/command-injection | Command built from user-controlled sources |
| CWE-74 | Default | go/stored-command | Command built from stored data |
| CWE-74 | Default | go/reflected-xss | Reflected cross-site scripting |
| CWE-74 | Default | go/stored-xss | Stored cross-site scripting |
| CWE-74 | Default | go/sql-injection | Database query built from user-controlled sources |
| CWE-74 | Default | go/unsafe-quoting | Potentially unsafe quoting |
| CWE-74 | Default | go/xml/xpath-injection | XPath injection |
| CWE-74 | Default | go/ldap-injection | LDAP query built from user-controlled sources |
| CWE-74 | Default | go/html-template-escaping-passthrough | HTML template escaping passthrough |
| CWE-77 | Default | go/command-injection | Command built from user-controlled sources |
| CWE-77 | Default | go/stored-command | Command built from stored data |
| CWE-77 | Default | go/unsafe-quoting | Potentially unsafe quoting |
| CWE-78 | Default | go/command-injection | Command built from user-controlled sources |
| CWE-78 | Default | go/stored-command | Command built from stored data |
| CWE-78 | Default | go/unsafe-quoting | Potentially unsafe quoting |
| CWE-79 | Default | go/reflected-xss | Reflected cross-site scripting |
| CWE-79 | Default | go/stored-xss | Stored cross-site scripting |
| CWE-79 | Default | go/html-template-escaping-passthrough | HTML template escaping passthrough |
| CWE-89 | Default | go/sql-injection | Database query built from user-controlled sources |
| CWE-89 | Default | go/unsafe-quoting | Potentially unsafe quoting |
| CWE-90 | Default | go/ldap-injection | LDAP query built from user-controlled sources |
| CWE-91 | Default | go/xml/xpath-injection | XPath injection |
| CWE-94 | Default | go/unsafe-quoting | Potentially unsafe quoting |
| CWE-99 | Default | go/path-injection | Uncontrolled data used in path expression |
| CWE-116 | Default | go/reflected-xss | Reflected cross-site scripting |
| CWE-116 | Default | go/stored-xss | Stored cross-site scripting |
| CWE-116 | Default | go/log-injection | Log entries created from user input |
| CWE-117 | Default | go/log-injection | Log entries created from user input |
| CWE-118 | Default | go/wrong-usage-of-unsafe | Wrong usage of package unsafe |
| CWE-119 | Default | go/wrong-usage-of-unsafe | Wrong usage of package unsafe |
| CWE-125 | Default | go/wrong-usage-of-unsafe | Wrong usage of package unsafe |
| CWE-126 | Default | go/wrong-usage-of-unsafe | Wrong usage of package unsafe |
| CWE-183 | Default | go/cors-misconfiguration | CORS misconfiguration |
| CWE-190 | Default | go/allocation-size-overflow | Size computation for allocation may overflow |
| CWE-190 | Default | go/incorrect-integer-conversion | Incorrect conversion between integer types |
| CWE-193 | Default | go/index-out-of-bounds | Off-by-one comparison against length |
| CWE-197 | Default | go/shift-out-of-range | Shift out of range |
| CWE-200 | Default | go/stack-trace-exposure | Information exposure through a stack trace |
| CWE-200 | Default | go/clear-text-logging | Clear-text logging of sensitive information |
| CWE-209 | Default | go/stack-trace-exposure | Information exposure through a stack trace |
| CWE-247 | Default | go/sensitive-condition-bypass | User-controlled bypassing of sensitive action |
| CWE-259 | Default | go/hardcoded-credentials | Hard-coded credentials |
| CWE-284 | Default | go/email-injection | Email content injection |
| CWE-284 | Default | go/hardcoded-credentials | Hard-coded credentials |
| CWE-284 | Default | go/sensitive-condition-bypass | User-controlled bypassing of sensitive action |
| CWE-284 | Default | go/cors-misconfiguration | CORS misconfiguration |
| CWE-287 | Default | go/email-injection | Email content injection |
| CWE-287 | Default | go/hardcoded-credentials | Hard-coded credentials |
| CWE-287 | Default | go/sensitive-condition-bypass | User-controlled bypassing of sensitive action |
| CWE-290 | Default | go/sensitive-condition-bypass | User-controlled bypassing of sensitive action |
| CWE-295 | Default | go/disabled-certificate-check | Disabled TLS certificate check |
| CWE-311 | Default | go/clear-text-logging | Clear-text logging of sensitive information |
| CWE-312 | Default | go/clear-text-logging | Clear-text logging of sensitive information |
| CWE-315 | Default | go/clear-text-logging | Clear-text logging of sensitive information |
| CWE-321 | Default | go/hardcoded-credentials | Hard-coded credentials |
| CWE-326 | Default | go/weak-crypto-key | Use of a weak cryptographic key |
| CWE-326 | Default | go/weak-crypto-algorithm | Use of a weak cryptographic algorithm |
| CWE-327 | Default | go/insecure-tls | Insecure TLS configuration |
| CWE-327 | Default | go/weak-crypto-algorithm | Use of a weak cryptographic algorithm |
| CWE-328 | Default | go/weak-crypto-algorithm | Use of a weak cryptographic algorithm |
| CWE-330 | Default | go/insecure-randomness | Use of insufficient randomness as the key of a cryptographic algorithm |
| CWE-330 | Default | go/hardcoded-credentials | Hard-coded credentials |
| CWE-338 | Default | go/insecure-randomness | Use of insufficient randomness as the key of a cryptographic algorithm |
| CWE-344 | Default | go/hardcoded-credentials | Hard-coded credentials |
| CWE-345 | Default | go/constant-oauth2-state | Use of constant state value in OAuth 2.0 URL |
| CWE-345 | Default | go/cors-misconfiguration | CORS misconfiguration |
| CWE-346 | Default | go/cors-misconfiguration | CORS misconfiguration |
| CWE-350 | Default | go/sensitive-condition-bypass | User-controlled bypassing of sensitive action |
| CWE-352 | Default | go/constant-oauth2-state | Use of constant state value in OAuth 2.0 URL |
| CWE-359 | Default | go/clear-text-logging | Clear-text logging of sensitive information |
| CWE-369 | Default | go/divide-by-zero | Divide by zero |
| CWE-398 | Default | go/comparison-of-identical-expressions | Comparison of identical values |
| CWE-398 | Default | go/useless-assignment-to-field | Useless assignment to field |
| CWE-398 | Default | go/useless-assignment-to-local | Useless assignment to local variable |
| CWE-398 | Default | go/duplicate-branches | Duplicate 'if' branches |
| CWE-398 | Default | go/duplicate-condition | Duplicate 'if' condition |
| CWE-398 | Default | go/duplicate-switch-case | Duplicate switch case |
| CWE-398 | Default | go/useless-expression | Expression has no effect |
| CWE-398 | Default | go/redundant-operation | Identical operands |
| CWE-398 | Default | go/redundant-assignment | Self assignment |
| CWE-398 | Default | go/unreachable-statement | Unreachable statement |
| CWE-441 | Default | go/request-forgery | Uncontrolled data used in network request |
| CWE-441 | Default | go/ssrf | Uncontrolled data used in network request |
| CWE-480 | Default | go/useless-expression | Expression has no effect |
| CWE-480 | Default | go/redundant-operation | Identical operands |
| CWE-480 | Default | go/redundant-assignment | Self assignment |
| CWE-497 | Default | go/stack-trace-exposure | Information exposure through a stack trace |
| CWE-561 | Default | go/comparison-of-identical-expressions | Comparison of identical values |
| CWE-561 | Default | go/duplicate-branches | Duplicate 'if' branches |
| CWE-561 | Default | go/duplicate-condition | Duplicate 'if' condition |
| CWE-561 | Default | go/duplicate-switch-case | Duplicate switch case |
| CWE-561 | Default | go/useless-expression | Expression has no effect |
| CWE-561 | Default | go/redundant-operation | Identical operands |
| CWE-561 | Default | go/redundant-assignment | Self assignment |
| CWE-561 | Default | go/unreachable-statement | Unreachable statement |
| CWE-563 | Default | go/useless-assignment-to-field | Useless assignment to field |
| CWE-563 | Default | go/useless-assignment-to-local | Useless assignment to local variable |
| CWE-570 | Default | go/comparison-of-identical-expressions | Comparison of identical values |
| CWE-571 | Default | go/comparison-of-identical-expressions | Comparison of identical values |
| CWE-592 | Default | go/sensitive-condition-bypass | User-controlled bypassing of sensitive action |
| CWE-601 | Default | go/bad-redirect-check | Bad redirect check |
| CWE-601 | Default | go/unvalidated-url-redirection | Open URL redirect |
| CWE-610 | Default | go/path-injection | Uncontrolled data used in path expression |
| CWE-610 | Default | go/bad-redirect-check | Bad redirect check |
| CWE-610 | Default | go/unvalidated-url-redirection | Open URL redirect |
| CWE-610 | Default | go/request-forgery | Uncontrolled data used in network request |
| CWE-610 | Default | go/ssrf | Uncontrolled data used in network request |
| CWE-640 | Default | go/email-injection | Email content injection |
| CWE-642 | Default | go/path-injection | Uncontrolled data used in path expression |
| CWE-643 | Default | go/xml/xpath-injection | XPath injection |
| CWE-657 | Default | go/hardcoded-credentials | Hard-coded credentials |
| CWE-664 | Default | go/shift-out-of-range | Shift out of range |
| CWE-664 | Default | go/path-injection | Uncontrolled data used in path expression |
| CWE-664 | Default | go/unsafe-unzip-symlink | Arbitrary file write extracting an archive containing symbolic links |
| CWE-664 | Default | go/zipslip | Arbitrary file write during zip extraction ("zip slip") |
| CWE-664 | Default | go/unsafe-quoting | Potentially unsafe quoting |
| CWE-664 | Default | go/stack-trace-exposure | Information exposure through a stack trace |
| CWE-664 | Default | go/clear-text-logging | Clear-text logging of sensitive information |
| CWE-664 | Default | go/bad-redirect-check | Bad redirect check |
| CWE-664 | Default | go/unvalidated-url-redirection | Open URL redirect |
| CWE-664 | Default | go/email-injection | Email content injection |
| CWE-664 | Default | go/incorrect-integer-conversion | Incorrect conversion between integer types |
| CWE-664 | Default | go/hardcoded-credentials | Hard-coded credentials |
| CWE-664 | Default | go/request-forgery | Uncontrolled data used in network request |
| CWE-664 | Default | go/sensitive-condition-bypass | User-controlled bypassing of sensitive action |
| CWE-664 | Default | go/ssrf | Uncontrolled data used in network request |
| CWE-664 | Default | go/cors-misconfiguration | CORS misconfiguration |
| CWE-668 | Default | go/path-injection | Uncontrolled data used in path expression |
| CWE-668 | Default | go/unsafe-unzip-symlink | Arbitrary file write extracting an archive containing symbolic links |
| CWE-668 | Default | go/zipslip | Arbitrary file write during zip extraction ("zip slip") |
| CWE-668 | Default | go/stack-trace-exposure | Information exposure through a stack trace |
| CWE-668 | Default | go/clear-text-logging | Clear-text logging of sensitive information |
| CWE-668 | Default | go/cors-misconfiguration | CORS misconfiguration |
| CWE-670 | Default | go/whitespace-contradicts-precedence | Whitespace contradicts operator precedence |
| CWE-670 | Default | go/useless-expression | Expression has no effect |
| CWE-670 | Default | go/redundant-operation | Identical operands |
| CWE-670 | Default | go/redundant-assignment | Self assignment |
| CWE-671 | Default | go/hardcoded-credentials | Hard-coded credentials |
| CWE-681 | Default | go/shift-out-of-range | Shift out of range |
| CWE-681 | Default | go/incorrect-integer-conversion | Incorrect conversion between integer types |
| CWE-682 | Default | go/index-out-of-bounds | Off-by-one comparison against length |
| CWE-682 | Default | go/allocation-size-overflow | Size computation for allocation may overflow |
| CWE-682 | Default | go/incorrect-integer-conversion | Incorrect conversion between integer types |
| CWE-682 | Default | go/divide-by-zero | Divide by zero |
| CWE-691 | Default | go/inconsistent-loop-direction | Inconsistent direction of for loop |
| CWE-691 | Default | go/whitespace-contradicts-precedence | Whitespace contradicts operator precedence |
| CWE-691 | Default | go/useless-expression | Expression has no effect |
| CWE-691 | Default | go/redundant-operation | Identical operands |
| CWE-691 | Default | go/redundant-assignment | Self assignment |
| CWE-691 | Default | go/unsafe-quoting | Potentially unsafe quoting |
| CWE-693 | Default | go/count-untrusted-data-external-api | Frequency counts for external APIs that are used with untrusted data |
| CWE-693 | Default | go/incomplete-hostname-regexp | Incomplete regular expression for hostnames |
| CWE-693 | Default | go/incomplete-url-scheme-check | Incomplete URL scheme check |
| CWE-693 | Default | go/regex/missing-regexp-anchor | Missing regular expression anchor |
| CWE-693 | Default | go/suspicious-character-in-regex | Suspicious characters in a regular expression |
| CWE-693 | Default | go/untrusted-data-to-external-api | Untrusted data passed to external API |
| CWE-693 | Default | go/untrusted-data-to-unknown-external-api | Untrusted data passed to unknown external API |
| CWE-693 | Default | go/disabled-certificate-check | Disabled TLS certificate check |
| CWE-693 | Default | go/clear-text-logging | Clear-text logging of sensitive information |
| CWE-693 | Default | go/weak-crypto-key | Use of a weak cryptographic key |
| CWE-693 | Default | go/insecure-tls | Insecure TLS configuration |
| CWE-693 | Default | go/constant-oauth2-state | Use of constant state value in OAuth 2.0 URL |
| CWE-693 | Default | go/email-injection | Email content injection |
| CWE-693 | Default | go/hardcoded-credentials | Hard-coded credentials |
| CWE-693 | Default | go/weak-crypto-algorithm | Use of a weak cryptographic algorithm |
| CWE-693 | Default | go/sensitive-condition-bypass | User-controlled bypassing of sensitive action |
| CWE-693 | Default | go/cors-misconfiguration | CORS misconfiguration |
| CWE-697 | Default | go/cors-misconfiguration | CORS misconfiguration |
| CWE-703 | Default | go/stack-trace-exposure | Information exposure through a stack trace |
| CWE-704 | Default | go/shift-out-of-range | Shift out of range |
| CWE-704 | Default | go/incorrect-integer-conversion | Incorrect conversion between integer types |
| CWE-706 | Default | go/path-injection | Uncontrolled data used in path expression |
| CWE-706 | Default | go/unsafe-unzip-symlink | Arbitrary file write extracting an archive containing symbolic links |
| CWE-706 | Default | go/zipslip | Arbitrary file write during zip extraction ("zip slip") |
| CWE-707 | Default | go/path-injection | Uncontrolled data used in path expression |
| CWE-707 | Default | go/command-injection | Command built from user-controlled sources |
| CWE-707 | Default | go/stored-command | Command built from stored data |
| CWE-707 | Default | go/reflected-xss | Reflected cross-site scripting |
| CWE-707 | Default | go/stored-xss | Stored cross-site scripting |
| CWE-707 | Default | go/sql-injection | Database query built from user-controlled sources |
| CWE-707 | Default | go/unsafe-quoting | Potentially unsafe quoting |
| CWE-707 | Default | go/log-injection | Log entries created from user input |
| CWE-707 | Default | go/xml/xpath-injection | XPath injection |
| CWE-707 | Default | go/ldap-injection | LDAP query built from user-controlled sources |
| CWE-707 | Default | go/html-template-escaping-passthrough | HTML template escaping passthrough |
| CWE-710 | Default | go/comparison-of-identical-expressions | Comparison of identical values |
| CWE-710 | Default | go/useless-assignment-to-field | Useless assignment to field |
| CWE-710 | Default | go/useless-assignment-to-local | Useless assignment to local variable |
| CWE-710 | Default | go/duplicate-branches | Duplicate 'if' branches |
| CWE-710 | Default | go/duplicate-condition | Duplicate 'if' condition |
| CWE-710 | Default | go/duplicate-switch-case | Duplicate switch case |
| CWE-710 | Default | go/useless-expression | Expression has no effect |
| CWE-710 | Default | go/redundant-operation | Identical operands |
| CWE-710 | Default | go/redundant-assignment | Self assignment |
| CWE-710 | Default | go/unreachable-statement | Unreachable statement |
| CWE-710 | Default | go/hardcoded-credentials | Hard-coded credentials |
| CWE-755 | Default | go/stack-trace-exposure | Information exposure through a stack trace |
| CWE-783 | Default | go/whitespace-contradicts-precedence | Whitespace contradicts operator precedence |
| CWE-788 | Default | go/wrong-usage-of-unsafe | Wrong usage of package unsafe |
| CWE-798 | Default | go/hardcoded-credentials | Hard-coded credentials |
| CWE-807 | Default | go/sensitive-condition-bypass | User-controlled bypassing of sensitive action |
| CWE-834 | Default | go/inconsistent-loop-direction | Inconsistent direction of for loop |
| CWE-835 | Default | go/inconsistent-loop-direction | Inconsistent direction of for loop |
| CWE-913 | Default | go/unsafe-quoting | Potentially unsafe quoting |
| CWE-918 | Default | go/request-forgery | Uncontrolled data used in network request |
| CWE-918 | Default | go/ssrf | Uncontrolled data used in network request |
| CWE-922 | Default | go/clear-text-logging | Clear-text logging of sensitive information |
| CWE-923 | Default | go/sensitive-condition-bypass | User-controlled bypassing of sensitive action |
| CWE-942 | Default | go/cors-misconfiguration | CORS misconfiguration |
| CWE-943 | Default | go/sql-injection | Database query built from user-controlled sources |
| CWE-943 | Default | go/unsafe-quoting | Potentially unsafe quoting |
| CWE-943 | Default | go/xml/xpath-injection | XPath injection |
| CWE-943 | Default | go/ldap-injection | LDAP query built from user-controlled sources |
| CWE-1004 | Default | go/cookie-httponly-not-set | 'HttpOnly' attribute is not set to true |