CWE coverage for JavaScript
An overview of CWE coverage for JavaScript in the latest release of CodeQL.
Overview
| CWE | Language | Query id | Query name |
|---|---|---|---|
| CWE‑20 | JavaScript | js/count-untrusted-data-external-api | Frequency counts for external APIs that are used with untrusted data |
| CWE‑20 | JavaScript | js/incomplete-hostname-regexp | Incomplete regular expression for hostnames |
| CWE‑20 | JavaScript | js/incomplete-url-scheme-check | Incomplete URL scheme check |
| CWE‑20 | JavaScript | js/incomplete-url-substring-sanitization | Incomplete URL substring sanitization |
| CWE‑20 | JavaScript | js/incorrect-suffix-check | Incorrect suffix check |
| CWE‑20 | JavaScript | js/missing-origin-check | Missing origin verification in postMessage handler |
| CWE‑20 | JavaScript | js/regex/missing-regexp-anchor | Missing regular expression anchor |
| CWE‑20 | JavaScript | js/untrusted-data-to-external-api | Untrusted data passed to external API |
| CWE‑20 | JavaScript | js/useless-regexp-character-escape | Useless regular-expression character escape |
| CWE‑20 | JavaScript | js/bad-tag-filter | Bad HTML filtering regexp |
| CWE‑20 | JavaScript | js/double-escaping | Double escaping or unescaping |
| CWE‑20 | JavaScript | js/incomplete-html-attribute-sanitization | Incomplete HTML attribute sanitization |
| CWE‑20 | JavaScript | js/incomplete-multi-character-sanitization | Incomplete multi-character sanitization |
| CWE‑20 | JavaScript | js/incomplete-sanitization | Incomplete string escaping or encoding |
| CWE‑22 | JavaScript | js/path-injection | Uncontrolled data used in path expression |
| CWE‑22 | JavaScript | js/zipslip | Arbitrary file write during zip extraction ("Zip Slip") |
| CWE‑23 | JavaScript | js/path-injection | Uncontrolled data used in path expression |
| CWE‑36 | JavaScript | js/path-injection | Uncontrolled data used in path expression |
| CWE‑73 | JavaScript | js/path-injection | Uncontrolled data used in path expression |
| CWE‑73 | JavaScript | js/template-object-injection | Template Object Injection |
| CWE‑74 | JavaScript | js/disabling-electron-websecurity | Disabling Electron webSecurity |
| CWE‑74 | JavaScript | js/enabling-electron-renderer-node-integration | Enabling Node.js integration for Electron web content renderers |
| CWE‑74 | JavaScript | js/path-injection | Uncontrolled data used in path expression |
| CWE‑74 | JavaScript | js/template-object-injection | Template Object Injection |
| CWE‑74 | JavaScript | js/command-line-injection | Uncontrolled command line |
| CWE‑74 | JavaScript | js/indirect-command-line-injection | Indirect uncontrolled command line |
| CWE‑74 | JavaScript | js/shell-command-injection-from-environment | Shell command built from environment values |
| CWE‑74 | JavaScript | js/shell-command-constructed-from-input | Unsafe shell command constructed from library input |
| CWE‑74 | JavaScript | js/unnecessary-use-of-cat | Unnecessary use of cat process |
| CWE‑74 | JavaScript | js/xss-through-exception | Exception text reinterpreted as HTML |
| CWE‑74 | JavaScript | js/reflected-xss | Reflected cross-site scripting |
| CWE‑74 | JavaScript | js/stored-xss | Stored cross-site scripting |
| CWE‑74 | JavaScript | js/html-constructed-from-input | Unsafe HTML constructed from library input |
| CWE‑74 | JavaScript | js/unsafe-jquery-plugin | Unsafe jQuery plugin |
| CWE‑74 | JavaScript | js/xss | Client-side cross-site scripting |
| CWE‑74 | JavaScript | js/xss-through-dom | DOM text reinterpreted as HTML |
| CWE‑74 | JavaScript | js/sql-injection | Database query built from user-controlled sources |
| CWE‑74 | JavaScript | js/code-injection | Code injection |
| CWE‑74 | JavaScript | js/bad-code-sanitization | Improper code sanitization |
| CWE‑74 | JavaScript | js/unsafe-code-construction | Unsafe code constructed from library input |
| CWE‑74 | JavaScript | js/unsafe-dynamic-method-access | Unsafe dynamic method access |
| CWE‑74 | JavaScript | js/bad-tag-filter | Bad HTML filtering regexp |
| CWE‑74 | JavaScript | js/incomplete-html-attribute-sanitization | Incomplete HTML attribute sanitization |
| CWE‑74 | JavaScript | js/incomplete-multi-character-sanitization | Incomplete multi-character sanitization |
| CWE‑74 | JavaScript | js/incomplete-sanitization | Incomplete string escaping or encoding |
| CWE‑74 | JavaScript | js/unsafe-html-expansion | Unsafe expansion of self-closing HTML tag |
| CWE‑74 | JavaScript | js/tainted-format-string | Use of externally-controlled format string |
| CWE‑74 | JavaScript | js/client-side-unvalidated-url-redirection | Client-side URL redirect |
| CWE‑74 | JavaScript | js/xpath-injection | XPath injection |
| CWE‑74 | JavaScript | js/prototype-polluting-assignment | Prototype-polluting assignment |
| CWE‑74 | JavaScript | js/prototype-pollution-utility | Prototype-polluting function |
| CWE‑74 | JavaScript | js/prototype-pollution | Prototype-polluting merge call |
| CWE‑74 | JavaScript | js/actions/injection | Expression injection in Actions |
| CWE‑74 | JavaScript | js/actions/pull-request-target | Checkout of untrusted code in trusted context |
| CWE‑77 | JavaScript | js/command-line-injection | Uncontrolled command line |
| CWE‑77 | JavaScript | js/indirect-command-line-injection | Indirect uncontrolled command line |
| CWE‑77 | JavaScript | js/shell-command-injection-from-environment | Shell command built from environment values |
| CWE‑77 | JavaScript | js/shell-command-constructed-from-input | Unsafe shell command constructed from library input |
| CWE‑77 | JavaScript | js/unnecessary-use-of-cat | Unnecessary use of cat process |
| CWE‑77 | JavaScript | js/prototype-polluting-assignment | Prototype-polluting assignment |
| CWE‑77 | JavaScript | js/prototype-pollution-utility | Prototype-polluting function |
| CWE‑77 | JavaScript | js/prototype-pollution | Prototype-polluting merge call |
| CWE‑78 | JavaScript | js/command-line-injection | Uncontrolled command line |
| CWE‑78 | JavaScript | js/indirect-command-line-injection | Indirect uncontrolled command line |
| CWE‑78 | JavaScript | js/shell-command-injection-from-environment | Shell command built from environment values |
| CWE‑78 | JavaScript | js/shell-command-constructed-from-input | Unsafe shell command constructed from library input |
| CWE‑78 | JavaScript | js/unnecessary-use-of-cat | Unnecessary use of cat process |
| CWE‑78 | JavaScript | js/prototype-polluting-assignment | Prototype-polluting assignment |
| CWE‑78 | JavaScript | js/prototype-pollution-utility | Prototype-polluting function |
| CWE‑78 | JavaScript | js/prototype-pollution | Prototype-polluting merge call |
| CWE‑79 | JavaScript | js/disabling-electron-websecurity | Disabling Electron webSecurity |
| CWE‑79 | JavaScript | js/xss-through-exception | Exception text reinterpreted as HTML |
| CWE‑79 | JavaScript | js/reflected-xss | Reflected cross-site scripting |
| CWE‑79 | JavaScript | js/stored-xss | Stored cross-site scripting |
| CWE‑79 | JavaScript | js/html-constructed-from-input | Unsafe HTML constructed from library input |
| CWE‑79 | JavaScript | js/unsafe-jquery-plugin | Unsafe jQuery plugin |
| CWE‑79 | JavaScript | js/xss | Client-side cross-site scripting |
| CWE‑79 | JavaScript | js/xss-through-dom | DOM text reinterpreted as HTML |
| CWE‑79 | JavaScript | js/code-injection | Code injection |
| CWE‑79 | JavaScript | js/bad-code-sanitization | Improper code sanitization |
| CWE‑79 | JavaScript | js/unsafe-code-construction | Unsafe code constructed from library input |
| CWE‑79 | JavaScript | js/bad-tag-filter | Bad HTML filtering regexp |
| CWE‑79 | JavaScript | js/incomplete-html-attribute-sanitization | Incomplete HTML attribute sanitization |
| CWE‑79 | JavaScript | js/incomplete-multi-character-sanitization | Incomplete multi-character sanitization |
| CWE‑79 | JavaScript | js/incomplete-sanitization | Incomplete string escaping or encoding |
| CWE‑79 | JavaScript | js/unsafe-html-expansion | Unsafe expansion of self-closing HTML tag |
| CWE‑79 | JavaScript | js/client-side-unvalidated-url-redirection | Client-side URL redirect |
| CWE‑79 | JavaScript | js/prototype-polluting-assignment | Prototype-polluting assignment |
| CWE‑79 | JavaScript | js/prototype-pollution-utility | Prototype-polluting function |
| CWE‑79 | JavaScript | js/prototype-pollution | Prototype-polluting merge call |
| CWE‑80 | JavaScript | js/bad-tag-filter | Bad HTML filtering regexp |
| CWE‑80 | JavaScript | js/incomplete-multi-character-sanitization | Incomplete multi-character sanitization |
| CWE‑80 | JavaScript | js/incomplete-sanitization | Incomplete string escaping or encoding |
| CWE‑88 | JavaScript | js/command-line-injection | Uncontrolled command line |
| CWE‑88 | JavaScript | js/indirect-command-line-injection | Indirect uncontrolled command line |
| CWE‑88 | JavaScript | js/shell-command-injection-from-environment | Shell command built from environment values |
| CWE‑88 | JavaScript | js/shell-command-constructed-from-input | Unsafe shell command constructed from library input |
| CWE‑89 | JavaScript | js/sql-injection | Database query built from user-controlled sources |
| CWE‑90 | JavaScript | js/sql-injection | Database query built from user-controlled sources |
| CWE‑91 | JavaScript | js/xpath-injection | XPath injection |
| CWE‑94 | JavaScript | js/enabling-electron-renderer-node-integration | Enabling Node.js integration for Electron web content renderers |
| CWE‑94 | JavaScript | js/template-object-injection | Template Object Injection |
| CWE‑94 | JavaScript | js/code-injection | Code injection |
| CWE‑94 | JavaScript | js/bad-code-sanitization | Improper code sanitization |
| CWE‑94 | JavaScript | js/unsafe-code-construction | Unsafe code constructed from library input |
| CWE‑94 | JavaScript | js/unsafe-dynamic-method-access | Unsafe dynamic method access |
| CWE‑94 | JavaScript | js/prototype-polluting-assignment | Prototype-polluting assignment |
| CWE‑94 | JavaScript | js/prototype-pollution-utility | Prototype-polluting function |
| CWE‑94 | JavaScript | js/prototype-pollution | Prototype-polluting merge call |
| CWE‑94 | JavaScript | js/actions/injection | Expression injection in Actions |
| CWE‑94 | JavaScript | js/actions/pull-request-target | Checkout of untrusted code in trusted context |
| CWE‑95 | JavaScript | js/code-injection | Code injection |
| CWE‑99 | JavaScript | js/path-injection | Uncontrolled data used in path expression |
| CWE‑116 | JavaScript | js/angular/disabling-sce | Disabling SCE |
| CWE‑116 | JavaScript | js/identity-replacement | Replacement of a substring with itself |
| CWE‑116 | JavaScript | js/xss-through-exception | Exception text reinterpreted as HTML |
| CWE‑116 | JavaScript | js/reflected-xss | Reflected cross-site scripting |
| CWE‑116 | JavaScript | js/stored-xss | Stored cross-site scripting |
| CWE‑116 | JavaScript | js/html-constructed-from-input | Unsafe HTML constructed from library input |
| CWE‑116 | JavaScript | js/unsafe-jquery-plugin | Unsafe jQuery plugin |
| CWE‑116 | JavaScript | js/xss | Client-side cross-site scripting |
| CWE‑116 | JavaScript | js/xss-through-dom | DOM text reinterpreted as HTML |
| CWE‑116 | JavaScript | js/code-injection | Code injection |
| CWE‑116 | JavaScript | js/bad-code-sanitization | Improper code sanitization |
| CWE‑116 | JavaScript | js/unsafe-code-construction | Unsafe code constructed from library input |
| CWE‑116 | JavaScript | js/bad-tag-filter | Bad HTML filtering regexp |
| CWE‑116 | JavaScript | js/double-escaping | Double escaping or unescaping |
| CWE‑116 | JavaScript | js/incomplete-html-attribute-sanitization | Incomplete HTML attribute sanitization |
| CWE‑116 | JavaScript | js/incomplete-multi-character-sanitization | Incomplete multi-character sanitization |
| CWE‑116 | JavaScript | js/incomplete-sanitization | Incomplete string escaping or encoding |
| CWE‑116 | JavaScript | js/unsafe-html-expansion | Unsafe expansion of self-closing HTML tag |
| CWE‑116 | JavaScript | js/log-injection | Log injection |
| CWE‑116 | JavaScript | js/client-side-unvalidated-url-redirection | Client-side URL redirect |
| CWE‑117 | JavaScript | js/log-injection | Log injection |
| CWE‑134 | JavaScript | js/tainted-format-string | Use of externally-controlled format string |
| CWE‑183 | JavaScript | js/angular/insecure-url-whitelist | Insecure URL whitelist |
| CWE‑183 | JavaScript | js/cors-misconfiguration-for-credentials | CORS misconfiguration for credentials transfer |
| CWE‑184 | JavaScript | js/incomplete-url-scheme-check | Incomplete URL scheme check |
| CWE‑184 | JavaScript | js/bad-tag-filter | Bad HTML filtering regexp |
| CWE‑185 | JavaScript | js/angular/insecure-url-whitelist | Insecure URL whitelist |
| CWE‑185 | JavaScript | js/bad-tag-filter | Bad HTML filtering regexp |
| CWE‑186 | JavaScript | js/bad-tag-filter | Bad HTML filtering regexp |
| CWE‑193 | JavaScript | js/index-out-of-bounds | Off-by-one comparison against length |
| CWE‑197 | JavaScript | js/shift-out-of-range | Shift out of range |
| CWE‑200 | JavaScript | js/unsafe-external-link | Potentially unsafe external link |
| CWE‑200 | JavaScript | js/file-access-to-http | File data in outbound network request |
| CWE‑200 | JavaScript | js/exposure-of-private-files | Exposure of private files |
| CWE‑200 | JavaScript | js/cross-window-information-leak | Cross-window communication with unrestricted target origin |
| CWE‑200 | JavaScript | js/stack-trace-exposure | Information exposure through a stack trace |
| CWE‑200 | JavaScript | js/build-artifact-leak | Storage of sensitive information in build artifact |
| CWE‑200 | JavaScript | js/clear-text-logging | Clear-text logging of sensitive information |
| CWE‑200 | JavaScript | js/clear-text-storage-of-sensitive-data | Clear text storage of sensitive information |
| CWE‑200 | JavaScript | js/sensitive-get-query | Sensitive data read from GET request |
| CWE‑201 | JavaScript | js/cross-window-information-leak | Cross-window communication with unrestricted target origin |
| CWE‑209 | JavaScript | js/stack-trace-exposure | Information exposure through a stack trace |
| CWE‑216 | JavaScript | js/exposure-of-private-files | Exposure of private files |
| CWE‑219 | JavaScript | js/exposure-of-private-files | Exposure of private files |
| CWE‑221 | JavaScript | js/missing-x-frame-options | Missing X-Frame-Options HTTP header |
| CWE‑227 | JavaScript | js/superfluous-trailing-arguments | Superfluous trailing arguments |
| CWE‑227 | JavaScript | js/missing-x-frame-options | Missing X-Frame-Options HTTP header |
| CWE‑248 | JavaScript | js/server-crash | Server crash |
| CWE‑250 | JavaScript | js/remote-property-injection | Remote property injection |
| CWE‑256 | JavaScript | js/password-in-configuration-file | Password in configuration file |
| CWE‑258 | JavaScript | js/empty-password-in-configuration-file | Empty password in configuration file |
| CWE‑259 | JavaScript | js/hardcoded-credentials | Hard-coded credentials |
| CWE‑260 | JavaScript | js/password-in-configuration-file | Password in configuration file |
| CWE‑260 | JavaScript | js/empty-password-in-configuration-file | Empty password in configuration file |
| CWE‑269 | JavaScript | js/remote-property-injection | Remote property injection |
| CWE‑284 | JavaScript | js/exposure-of-private-files | Exposure of private files |
| CWE‑284 | JavaScript | js/disabling-certificate-validation | Disabling certificate validation |
| CWE‑284 | JavaScript | js/insecure-dependency | Dependency download using unencrypted communication channel |
| CWE‑284 | JavaScript | js/password-in-configuration-file | Password in configuration file |
| CWE‑284 | JavaScript | js/cors-misconfiguration-for-credentials | CORS misconfiguration for credentials transfer |
| CWE‑284 | JavaScript | js/session-fixation | Failure to abandon session |
| CWE‑284 | JavaScript | js/remote-property-injection | Remote property injection |
| CWE‑284 | JavaScript | js/host-header-forgery-in-email-generation | Host header poisoning in email generation |
| CWE‑284 | JavaScript | js/missing-rate-limiting | Missing rate limiting |
| CWE‑284 | JavaScript | js/hardcoded-credentials | Hard-coded credentials |
| CWE‑284 | JavaScript | js/user-controlled-bypass | User-controlled bypass of security check |
| CWE‑284 | JavaScript | js/different-kinds-comparison-bypass | Comparison of user-controlled data of different kinds |
| CWE‑284 | JavaScript | js/empty-password-in-configuration-file | Empty password in configuration file |
| CWE‑285 | JavaScript | js/exposure-of-private-files | Exposure of private files |
| CWE‑285 | JavaScript | js/cors-misconfiguration-for-credentials | CORS misconfiguration for credentials transfer |
| CWE‑285 | JavaScript | js/empty-password-in-configuration-file | Empty password in configuration file |
| CWE‑287 | JavaScript | js/password-in-configuration-file | Password in configuration file |
| CWE‑287 | JavaScript | js/session-fixation | Failure to abandon session |
| CWE‑287 | JavaScript | js/host-header-forgery-in-email-generation | Host header poisoning in email generation |
| CWE‑287 | JavaScript | js/missing-rate-limiting | Missing rate limiting |
| CWE‑287 | JavaScript | js/hardcoded-credentials | Hard-coded credentials |
| CWE‑287 | JavaScript | js/user-controlled-bypass | User-controlled bypass of security check |
| CWE‑287 | JavaScript | js/different-kinds-comparison-bypass | Comparison of user-controlled data of different kinds |
| CWE‑287 | JavaScript | js/empty-password-in-configuration-file | Empty password in configuration file |
| CWE‑290 | JavaScript | js/user-controlled-bypass | User-controlled bypass of security check |
| CWE‑290 | JavaScript | js/different-kinds-comparison-bypass | Comparison of user-controlled data of different kinds |
| CWE‑295 | JavaScript | js/disabling-certificate-validation | Disabling certificate validation |
| CWE‑297 | JavaScript | js/disabling-certificate-validation | Disabling certificate validation |
| CWE‑300 | JavaScript | js/insecure-dependency | Dependency download using unencrypted communication channel |
| CWE‑307 | JavaScript | js/missing-rate-limiting | Missing rate limiting |
| CWE‑311 | JavaScript | js/insecure-dependency | Dependency download using unencrypted communication channel |
| CWE‑311 | JavaScript | js/build-artifact-leak | Storage of sensitive information in build artifact |
| CWE‑311 | JavaScript | js/clear-text-logging | Clear-text logging of sensitive information |
| CWE‑311 | JavaScript | js/clear-text-storage-of-sensitive-data | Clear text storage of sensitive information |
| CWE‑311 | JavaScript | js/password-in-configuration-file | Password in configuration file |
| CWE‑311 | JavaScript | js/clear-text-cookie | Clear text transmission of sensitive cookie |
| CWE‑312 | JavaScript | js/build-artifact-leak | Storage of sensitive information in build artifact |
| CWE‑312 | JavaScript | js/clear-text-logging | Clear-text logging of sensitive information |
| CWE‑312 | JavaScript | js/clear-text-storage-of-sensitive-data | Clear text storage of sensitive information |
| CWE‑312 | JavaScript | js/password-in-configuration-file | Password in configuration file |
| CWE‑312 | JavaScript | js/clear-text-cookie | Clear text transmission of sensitive cookie |
| CWE‑313 | JavaScript | js/password-in-configuration-file | Password in configuration file |
| CWE‑315 | JavaScript | js/build-artifact-leak | Storage of sensitive information in build artifact |
| CWE‑315 | JavaScript | js/clear-text-storage-of-sensitive-data | Clear text storage of sensitive information |
| CWE‑319 | JavaScript | js/insecure-dependency | Dependency download using unencrypted communication channel |
| CWE‑319 | JavaScript | js/clear-text-cookie | Clear text transmission of sensitive cookie |
| CWE‑321 | JavaScript | js/hardcoded-credentials | Hard-coded credentials |
| CWE‑326 | JavaScript | js/insufficient-key-size | Use of a weak cryptographic key |
| CWE‑326 | JavaScript | js/weak-cryptographic-algorithm | Use of a broken or weak cryptographic algorithm |
| CWE‑327 | JavaScript | js/biased-cryptographic-random | Creating biased random numbers from a cryptographically secure source |
| CWE‑327 | JavaScript | js/weak-cryptographic-algorithm | Use of a broken or weak cryptographic algorithm |
| CWE‑327 | JavaScript | js/insufficient-password-hash | Use of password hash with insufficient computational effort |
| CWE‑328 | JavaScript | js/weak-cryptographic-algorithm | Use of a broken or weak cryptographic algorithm |
| CWE‑330 | JavaScript | js/insecure-randomness | Insecure randomness |
| CWE‑330 | JavaScript | js/hardcoded-credentials | Hard-coded credentials |
| CWE‑338 | JavaScript | js/insecure-randomness | Insecure randomness |
| CWE‑344 | JavaScript | js/hardcoded-credentials | Hard-coded credentials |
| CWE‑345 | JavaScript | js/cors-misconfiguration-for-credentials | CORS misconfiguration for credentials transfer |
| CWE‑345 | JavaScript | js/jwt-missing-verification | JWT missing secret or public key verification |
| CWE‑345 | JavaScript | js/missing-token-validation | Missing CSRF middleware |
| CWE‑346 | JavaScript | js/cors-misconfiguration-for-credentials | CORS misconfiguration for credentials transfer |
| CWE‑347 | JavaScript | js/jwt-missing-verification | JWT missing secret or public key verification |
| CWE‑352 | JavaScript | js/missing-token-validation | Missing CSRF middleware |
| CWE‑359 | JavaScript | js/cross-window-information-leak | Cross-window communication with unrestricted target origin |
| CWE‑359 | JavaScript | js/build-artifact-leak | Storage of sensitive information in build artifact |
| CWE‑359 | JavaScript | js/clear-text-logging | Clear-text logging of sensitive information |
| CWE‑359 | JavaScript | js/clear-text-storage-of-sensitive-data | Clear text storage of sensitive information |
| CWE‑362 | JavaScript | js/file-system-race | Potential file system race condition |
| CWE‑367 | JavaScript | js/file-system-race | Potential file system race condition |
| CWE‑384 | JavaScript | js/session-fixation | Failure to abandon session |
| CWE‑398 | JavaScript | js/todo-comment | TODO comment |
| CWE‑398 | JavaScript | js/eval-like-call | Call to eval-like DOM function |
| CWE‑398 | JavaScript | js/variable-initialization-conflict | Conflicting variable initialization |
| CWE‑398 | JavaScript | js/function-declaration-conflict | Conflicting function declarations |
| CWE‑398 | JavaScript | js/useless-assignment-to-global | Useless assignment to global variable |
| CWE‑398 | JavaScript | js/useless-assignment-to-local | Useless assignment to local variable |
| CWE‑398 | JavaScript | js/overwritten-property | Overwritten property |
| CWE‑398 | JavaScript | js/comparison-of-identical-expressions | Comparison of identical values |
| CWE‑398 | JavaScript | js/comparison-with-nan | Comparison with NaN |
| CWE‑398 | JavaScript | js/duplicate-condition | Duplicate 'if' condition |
| CWE‑398 | JavaScript | js/duplicate-property | Duplicate property |
| CWE‑398 | JavaScript | js/duplicate-switch-case | Duplicate switch case |
| CWE‑398 | JavaScript | js/useless-expression | Expression has no effect |
| CWE‑398 | JavaScript | js/comparison-between-incompatible-types | Comparison between inconvertible types |
| CWE‑398 | JavaScript | js/redundant-operation | Identical operands |
| CWE‑398 | JavaScript | js/redundant-assignment | Self assignment |
| CWE‑398 | JavaScript | js/call-to-non-callable | Invocation of non-function |
| CWE‑398 | JavaScript | js/property-access-on-non-object | Property access on null or undefined |
| CWE‑398 | JavaScript | js/unneeded-defensive-code | Unneeded defensive code |
| CWE‑398 | JavaScript | js/useless-type-test | Useless type test |
| CWE‑398 | JavaScript | js/eval-call | Use of eval |
| CWE‑398 | JavaScript | js/node/assignment-to-exports-variable | Assignment to exports variable |
| CWE‑398 | JavaScript | js/regex/unmatchable-caret | Unmatchable caret in regular expression |
| CWE‑398 | JavaScript | js/regex/unmatchable-dollar | Unmatchable dollar in regular expression |
| CWE‑398 | JavaScript | js/useless-assignment-in-return | Return statement assigns local variable |
| CWE‑398 | JavaScript | js/unreachable-statement | Unreachable statement |
| CWE‑398 | JavaScript | js/trivial-conditional | Useless conditional |
| CWE‑400 | JavaScript | js/polynomial-redos | Polynomial regular expression used on uncontrolled data |
| CWE‑400 | JavaScript | js/redos | Inefficient regular expression |
| CWE‑400 | JavaScript | js/resource-exhaustion-from-deep-object-traversal | Resources exhaustion from deep object traversal |
| CWE‑400 | JavaScript | js/remote-property-injection | Remote property injection |
| CWE‑400 | JavaScript | js/regex-injection | Regular expression injection |
| CWE‑400 | JavaScript | js/missing-rate-limiting | Missing rate limiting |
| CWE‑400 | JavaScript | js/resource-exhaustion | Resource exhaustion |
| CWE‑400 | JavaScript | js/xml-bomb | XML internal entity expansion |
| CWE‑400 | JavaScript | js/prototype-polluting-assignment | Prototype-polluting assignment |
| CWE‑400 | JavaScript | js/prototype-pollution-utility | Prototype-polluting function |
| CWE‑400 | JavaScript | js/prototype-pollution | Prototype-polluting merge call |
| CWE‑405 | JavaScript | js/xml-bomb | XML internal entity expansion |
| CWE‑409 | JavaScript | js/xml-bomb | XML internal entity expansion |
| CWE‑434 | JavaScript | js/http-to-file-access | Network data written to file |
| CWE‑441 | JavaScript | js/client-side-request-forgery | Client-side request forgery |
| CWE‑441 | JavaScript | js/request-forgery | Server-side request forgery |
| CWE‑441 | JavaScript | javascript/ssrf | Uncontrolled data used in network request |
| CWE‑451 | JavaScript | js/missing-x-frame-options | Missing X-Frame-Options HTTP header |
| CWE‑471 | JavaScript | js/prototype-polluting-assignment | Prototype-polluting assignment |
| CWE‑471 | JavaScript | js/prototype-pollution-utility | Prototype-polluting function |
| CWE‑471 | JavaScript | js/prototype-pollution | Prototype-polluting merge call |
| CWE‑476 | JavaScript | js/call-to-non-callable | Invocation of non-function |
| CWE‑476 | JavaScript | js/property-access-on-non-object | Property access on null or undefined |
| CWE‑480 | JavaScript | js/useless-expression | Expression has no effect |
| CWE‑480 | JavaScript | js/redundant-operation | Identical operands |
| CWE‑480 | JavaScript | js/redundant-assignment | Self assignment |
| CWE‑480 | JavaScript | js/deletion-of-non-property | Deleting non-property |
| CWE‑483 | JavaScript | js/misleading-indentation-of-dangling-else | Misleading indentation of dangling 'else' |
| CWE‑483 | JavaScript | js/misleading-indentation-after-control-statement | Misleading indentation after control statement |
| CWE‑485 | JavaScript | js/alert-call | Invocation of alert |
| CWE‑485 | JavaScript | js/debugger-statement | Use of debugger statement |
| CWE‑485 | JavaScript | js/exposure-of-private-files | Exposure of private files |
| CWE‑489 | JavaScript | js/alert-call | Invocation of alert |
| CWE‑489 | JavaScript | js/debugger-statement | Use of debugger statement |
| CWE‑494 | JavaScript | js/enabling-electron-insecure-content | Enabling Electron allowRunningInsecureContent |
| CWE‑494 | JavaScript | js/insecure-dependency | Dependency download using unencrypted communication channel |
| CWE‑497 | JavaScript | js/stack-trace-exposure | Information exposure through a stack trace |
| CWE‑502 | JavaScript | js/unsafe-deserialization | Deserialization of user-controlled data |
| CWE‑506 | JavaScript | js/hardcoded-data-interpreted-as-code | Hard-coded data interpreted as code |
| CWE‑521 | JavaScript | js/empty-password-in-configuration-file | Empty password in configuration file |
| CWE‑522 | JavaScript | js/password-in-configuration-file | Password in configuration file |
| CWE‑522 | JavaScript | js/empty-password-in-configuration-file | Empty password in configuration file |
| CWE‑532 | JavaScript | js/clear-text-logging | Clear-text logging of sensitive information |
| CWE‑538 | JavaScript | js/exposure-of-private-files | Exposure of private files |
| CWE‑538 | JavaScript | js/clear-text-logging | Clear-text logging of sensitive information |
| CWE‑546 | JavaScript | js/todo-comment | TODO comment |
| CWE‑548 | JavaScript | js/exposure-of-private-files | Exposure of private files |
| CWE‑552 | JavaScript | js/exposure-of-private-files | Exposure of private files |
| CWE‑552 | JavaScript | js/clear-text-logging | Clear-text logging of sensitive information |
| CWE‑561 | JavaScript | js/comparison-of-identical-expressions | Comparison of identical values |
| CWE‑561 | JavaScript | js/comparison-with-nan | Comparison with NaN |
| CWE‑561 | JavaScript | js/duplicate-condition | Duplicate 'if' condition |
| CWE‑561 | JavaScript | js/duplicate-switch-case | Duplicate switch case |
| CWE‑561 | JavaScript | js/useless-expression | Expression has no effect |
| CWE‑561 | JavaScript | js/comparison-between-incompatible-types | Comparison between inconvertible types |
| CWE‑561 | JavaScript | js/redundant-operation | Identical operands |
| CWE‑561 | JavaScript | js/redundant-assignment | Self assignment |
| CWE‑561 | JavaScript | js/unneeded-defensive-code | Unneeded defensive code |
| CWE‑561 | JavaScript | js/useless-type-test | Useless type test |
| CWE‑561 | JavaScript | js/regex/unmatchable-caret | Unmatchable caret in regular expression |
| CWE‑561 | JavaScript | js/regex/unmatchable-dollar | Unmatchable dollar in regular expression |
| CWE‑561 | JavaScript | js/unreachable-statement | Unreachable statement |
| CWE‑561 | JavaScript | js/trivial-conditional | Useless conditional |
| CWE‑563 | JavaScript | js/variable-initialization-conflict | Conflicting variable initialization |
| CWE‑563 | JavaScript | js/function-declaration-conflict | Conflicting function declarations |
| CWE‑563 | JavaScript | js/useless-assignment-to-global | Useless assignment to global variable |
| CWE‑563 | JavaScript | js/useless-assignment-to-local | Useless assignment to local variable |
| CWE‑563 | JavaScript | js/overwritten-property | Overwritten property |
| CWE‑563 | JavaScript | js/duplicate-property | Duplicate property |
| CWE‑563 | JavaScript | js/node/assignment-to-exports-variable | Assignment to exports variable |
| CWE‑563 | JavaScript | js/useless-assignment-in-return | Return statement assigns local variable |
| CWE‑570 | JavaScript | js/comparison-of-identical-expressions | Comparison of identical values |
| CWE‑570 | JavaScript | js/comparison-with-nan | Comparison with NaN |
| CWE‑570 | JavaScript | js/comparison-between-incompatible-types | Comparison between inconvertible types |
| CWE‑570 | JavaScript | js/unneeded-defensive-code | Unneeded defensive code |
| CWE‑570 | JavaScript | js/useless-type-test | Useless type test |
| CWE‑570 | JavaScript | js/trivial-conditional | Useless conditional |
| CWE‑571 | JavaScript | js/comparison-of-identical-expressions | Comparison of identical values |
| CWE‑571 | JavaScript | js/comparison-with-nan | Comparison with NaN |
| CWE‑571 | JavaScript | js/comparison-between-incompatible-types | Comparison between inconvertible types |
| CWE‑571 | JavaScript | js/unneeded-defensive-code | Unneeded defensive code |
| CWE‑571 | JavaScript | js/useless-type-test | Useless type test |
| CWE‑571 | JavaScript | js/trivial-conditional | Useless conditional |
| CWE‑573 | JavaScript | js/superfluous-trailing-arguments | Superfluous trailing arguments |
| CWE‑584 | JavaScript | js/exit-from-finally | Jump from finally |
| CWE‑592 | JavaScript | js/user-controlled-bypass | User-controlled bypass of security check |
| CWE‑592 | JavaScript | js/different-kinds-comparison-bypass | Comparison of user-controlled data of different kinds |
| CWE‑598 | JavaScript | js/sensitive-get-query | Sensitive data read from GET request |
| CWE‑601 | JavaScript | js/client-side-unvalidated-url-redirection | Client-side URL redirect |
| CWE‑601 | JavaScript | js/server-side-unvalidated-url-redirection | Server-side URL redirect |
| CWE‑610 | JavaScript | js/path-injection | Uncontrolled data used in path expression |
| CWE‑610 | JavaScript | js/template-object-injection | Template Object Injection |
| CWE‑610 | JavaScript | js/client-side-unvalidated-url-redirection | Client-side URL redirect |
| CWE‑610 | JavaScript | js/server-side-unvalidated-url-redirection | Server-side URL redirect |
| CWE‑610 | JavaScript | js/xxe | XML external entity expansion |
| CWE‑610 | JavaScript | js/client-side-request-forgery | Client-side request forgery |
| CWE‑610 | JavaScript | js/request-forgery | Server-side request forgery |
| CWE‑610 | JavaScript | javascript/ssrf | Uncontrolled data used in network request |
| CWE‑611 | JavaScript | js/xxe | XML external entity expansion |
| CWE‑614 | JavaScript | js/clear-text-cookie | Clear text transmission of sensitive cookie |
| CWE‑625 | JavaScript | js/angular/insecure-url-whitelist | Insecure URL whitelist |
| CWE‑628 | JavaScript | js/superfluous-trailing-arguments | Superfluous trailing arguments |
| CWE‑639 | JavaScript | js/cors-misconfiguration-for-credentials | CORS misconfiguration for credentials transfer |
| CWE‑640 | JavaScript | js/host-header-forgery-in-email-generation | Host header poisoning in email generation |
| CWE‑642 | JavaScript | js/path-injection | Uncontrolled data used in path expression |
| CWE‑642 | JavaScript | js/template-object-injection | Template Object Injection |
| CWE‑643 | JavaScript | js/xpath-injection | XPath injection |
| CWE‑657 | JavaScript | js/remote-property-injection | Remote property injection |
| CWE‑657 | JavaScript | js/hardcoded-credentials | Hard-coded credentials |
| CWE‑664 | JavaScript | js/alert-call | Invocation of alert |
| CWE‑664 | JavaScript | js/unsafe-external-link | Potentially unsafe external link |
| CWE‑664 | JavaScript | js/enabling-electron-insecure-content | Enabling Electron allowRunningInsecureContent |
| CWE‑664 | JavaScript | js/enabling-electron-renderer-node-integration | Enabling Node.js integration for Electron web content renderers |
| CWE‑664 | JavaScript | js/implicit-operand-conversion | Implicit operand conversion |
| CWE‑664 | JavaScript | js/shift-out-of-range | Shift out of range |
| CWE‑664 | JavaScript | js/debugger-statement | Use of debugger statement |
| CWE‑664 | JavaScript | js/invalid-prototype-value | Invalid prototype value |
| CWE‑664 | JavaScript | js/property-assignment-on-primitive | Assignment to property of primitive value |
| CWE‑664 | JavaScript | js/polynomial-redos | Polynomial regular expression used on uncontrolled data |
| CWE‑664 | JavaScript | js/redos | Inefficient regular expression |
| CWE‑664 | JavaScript | js/path-injection | Uncontrolled data used in path expression |
| CWE‑664 | JavaScript | js/zipslip | Arbitrary file write during zip extraction ("Zip Slip") |
| CWE‑664 | JavaScript | js/template-object-injection | Template Object Injection |
| CWE‑664 | JavaScript | js/code-injection | Code injection |
| CWE‑664 | JavaScript | js/bad-code-sanitization | Improper code sanitization |
| CWE‑664 | JavaScript | js/unsafe-code-construction | Unsafe code constructed from library input |
| CWE‑664 | JavaScript | js/unsafe-dynamic-method-access | Unsafe dynamic method access |
| CWE‑664 | JavaScript | js/file-access-to-http | File data in outbound network request |
| CWE‑664 | JavaScript | js/exposure-of-private-files | Exposure of private files |
| CWE‑664 | JavaScript | js/cross-window-information-leak | Cross-window communication with unrestricted target origin |
| CWE‑664 | JavaScript | js/stack-trace-exposure | Information exposure through a stack trace |
| CWE‑664 | JavaScript | js/disabling-certificate-validation | Disabling certificate validation |
| CWE‑664 | JavaScript | js/insecure-dependency | Dependency download using unencrypted communication channel |
| CWE‑664 | JavaScript | js/build-artifact-leak | Storage of sensitive information in build artifact |
| CWE‑664 | JavaScript | js/clear-text-logging | Clear-text logging of sensitive information |
| CWE‑664 | JavaScript | js/clear-text-storage-of-sensitive-data | Clear text storage of sensitive information |
| CWE‑664 | JavaScript | js/password-in-configuration-file | Password in configuration file |
| CWE‑664 | JavaScript | js/cors-misconfiguration-for-credentials | CORS misconfiguration for credentials transfer |
| CWE‑664 | JavaScript | js/session-fixation | Failure to abandon session |
| CWE‑664 | JavaScript | js/resource-exhaustion-from-deep-object-traversal | Resource exhaustion from deep object traversal |
| CWE‑664 | JavaScript | js/remote-property-injection | Remote property injection |
| CWE‑664 | JavaScript | js/missing-x-frame-options | Missing X-Frame-Options HTTP header |
| CWE‑664 | JavaScript | js/unsafe-deserialization | Deserialization of user-controlled data |
| CWE‑664 | JavaScript | js/sensitive-get-query | Sensitive data read from GET request |
| CWE‑664 | JavaScript | js/client-side-unvalidated-url-redirection | Client-side URL redirect |
| CWE‑664 | JavaScript | js/server-side-unvalidated-url-redirection | Server-side URL redirect |
| CWE‑664 | JavaScript | js/xxe | XML external entity expansion |
| CWE‑664 | JavaScript | js/clear-text-cookie | Clear text transmission of sensitive cookie |
| CWE‑664 | JavaScript | js/host-header-forgery-in-email-generation | Host header poisoning in email generation |
| CWE‑664 | JavaScript | js/regex-injection | Regular expression injection |
| CWE‑664 | JavaScript | js/missing-rate-limiting | Missing rate limiting |
| CWE‑664 | JavaScript | js/resource-exhaustion | Resource exhaustion |
| CWE‑664 | JavaScript | js/xml-bomb | XML internal entity expansion |
| CWE‑664 | JavaScript | js/hardcoded-credentials | Hard-coded credentials |
| CWE‑664 | JavaScript | js/user-controlled-bypass | User-controlled bypass of security check |
| CWE‑664 | JavaScript | js/different-kinds-comparison-bypass | Comparison of user-controlled data of different kinds |
| CWE‑664 | JavaScript | js/insecure-download | Download of sensitive file through insecure connection |
| CWE‑664 | JavaScript | js/functionality-from-untrusted-source | Inclusion of functionality from an untrusted source |
| CWE‑664 | JavaScript | js/type-confusion-through-parameter-tampering | Type confusion through parameter tampering |
| CWE‑664 | JavaScript | js/empty-password-in-configuration-file | Empty password in configuration file |
| CWE‑664 | JavaScript | js/http-to-file-access | Network data written to file |
| CWE‑664 | JavaScript | js/prototype-polluting-assignment | Prototype-polluting assignment |
| CWE‑664 | JavaScript | js/prototype-pollution-utility | Prototype-polluting function |
| CWE‑664 | JavaScript | js/prototype-pollution | Prototype-polluting merge call |
| CWE‑664 | JavaScript | js/client-side-request-forgery | Client-side request forgery |
| CWE‑664 | JavaScript | js/request-forgery | Server-side request forgery |
| CWE‑664 | JavaScript | js/actions/injection | Expression injection in Actions |
| CWE‑664 | JavaScript | js/actions/pull-request-target | Checkout of untrusted code in trusted context |
| CWE‑664 | JavaScript | javascript/ssrf | Uncontrolled data used in network request |
| CWE‑665 | JavaScript | js/missing-rate-limiting | Missing rate limiting |
| CWE‑665 | JavaScript | js/resource-exhaustion | Resource exhaustion |
| CWE‑668 | JavaScript | js/unsafe-external-link | Potentially unsafe external link |
| CWE‑668 | JavaScript | js/path-injection | Uncontrolled data used in path expression |
| CWE‑668 | JavaScript | js/zipslip | Arbitrary file write during zip extraction ("Zip Slip") |
| CWE‑668 | JavaScript | js/template-object-injection | Template Object Injection |
| CWE‑668 | JavaScript | js/file-access-to-http | File data in outbound network request |
| CWE‑668 | JavaScript | js/exposure-of-private-files | Exposure of private files |
| CWE‑668 | JavaScript | js/cross-window-information-leak | Cross-window communication with unrestricted target origin |
| CWE‑668 | JavaScript | js/stack-trace-exposure | Information exposure through a stack trace |
| CWE‑668 | JavaScript | js/build-artifact-leak | Storage of sensitive information in build artifact |
| CWE‑668 | JavaScript | js/clear-text-logging | Clear-text logging of sensitive information |
| CWE‑668 | JavaScript | js/clear-text-storage-of-sensitive-data | Clear text storage of sensitive information |
| CWE‑668 | JavaScript | js/password-in-configuration-file | Password in configuration file |
| CWE‑668 | JavaScript | js/cors-misconfiguration-for-credentials | CORS misconfiguration for credentials transfer |
| CWE‑668 | JavaScript | js/sensitive-get-query | Sensitive data read from GET request |
| CWE‑668 | JavaScript | js/empty-password-in-configuration-file | Empty password in configuration file |
| CWE‑669 | JavaScript | js/enabling-electron-insecure-content | Enabling Electron allowRunningInsecureContent |
| CWE‑669 | JavaScript | js/insecure-dependency | Dependency download using unencrypted communication channel |
| CWE‑669 | JavaScript | js/missing-x-frame-options | Missing X-Frame-Options HTTP header |
| CWE‑669 | JavaScript | js/xxe | XML external entity expansion |
| CWE‑669 | JavaScript | js/insecure-download | Download of sensitive file through insecure connection |
| CWE‑669 | JavaScript | js/functionality-from-untrusted-source | Inclusion of functionality from an untrusted source |
| CWE‑669 | JavaScript | js/http-to-file-access | Network data written to file |
| CWE‑670 | JavaScript | js/useless-expression | Expression has no effect |
| CWE‑670 | JavaScript | js/redundant-operation | Identical operands |
| CWE‑670 | JavaScript | js/redundant-assignment | Self assignment |
| CWE‑670 | JavaScript | js/unclear-operator-precedence | Unclear precedence of nested operators |
| CWE‑670 | JavaScript | js/whitespace-contradicts-precedence | Whitespace contradicts operator precedence |
| CWE‑670 | JavaScript | js/deletion-of-non-property | Deleting non-property |
| CWE‑670 | JavaScript | js/misleading-indentation-of-dangling-else | Misleading indentation of dangling 'else' |
| CWE‑670 | JavaScript | js/misleading-indentation-after-control-statement | Misleading indentation after control statement |
| CWE‑671 | JavaScript | js/hardcoded-credentials | Hard-coded credentials |
| CWE‑674 | JavaScript | js/xml-bomb | XML internal entity expansion |
| CWE‑676 | JavaScript | js/eval-like-call | Call to eval-like DOM function |
| CWE‑676 | JavaScript | js/eval-call | Use of eval |
| CWE‑681 | JavaScript | js/shift-out-of-range | Shift out of range |
| CWE‑682 | JavaScript | js/index-out-of-bounds | Off-by-one comparison against length |
| CWE‑684 | JavaScript | js/missing-x-frame-options | Missing X-Frame-Options HTTP header |
| CWE‑685 | JavaScript | js/superfluous-trailing-arguments | Superfluous trailing arguments |
| CWE‑691 | JavaScript | js/enabling-electron-renderer-node-integration | Enabling Node.js integration for Electron web content renderers |
| CWE‑691 | JavaScript | js/useless-expression | Expression has no effect |
| CWE‑691 | JavaScript | js/redundant-operation | Identical operands |
| CWE‑691 | JavaScript | js/redundant-assignment | Self assignment |
| CWE‑691 | JavaScript | js/unclear-operator-precedence | Unclear precedence of nested operators |
| CWE‑691 | JavaScript | js/whitespace-contradicts-precedence | Whitespace contradicts operator precedence |
| CWE‑691 | JavaScript | js/deletion-of-non-property | Deleting non-property |
| CWE‑691 | JavaScript | js/exit-from-finally | Jump from finally |
| CWE‑691 | JavaScript | js/template-object-injection | Template Object Injection |
| CWE‑691 | JavaScript | js/code-injection | Code injection |
| CWE‑691 | JavaScript | js/bad-code-sanitization | Improper code sanitization |
| CWE‑691 | JavaScript | js/unsafe-code-construction | Unsafe code constructed from library input |
| CWE‑691 | JavaScript | js/unsafe-dynamic-method-access | Unsafe dynamic method access |
| CWE‑691 | JavaScript | js/file-system-race | Potential file system race condition |
| CWE‑691 | JavaScript | js/server-crash | Server crash |
| CWE‑691 | JavaScript | js/missing-rate-limiting | Missing rate limiting |
| CWE‑691 | JavaScript | js/xml-bomb | XML internal entity expansion |
| CWE‑691 | JavaScript | js/loop-bound-injection | Loop bound injection |
| CWE‑691 | JavaScript | js/prototype-polluting-assignment | Prototype-polluting assignment |
| CWE‑691 | JavaScript | js/prototype-pollution-utility | Prototype-polluting function |
| CWE‑691 | JavaScript | js/prototype-pollution | Prototype-polluting merge call |
| CWE‑691 | JavaScript | js/misleading-indentation-of-dangling-else | Misleading indentation of dangling 'else' |
| CWE‑691 | JavaScript | js/inconsistent-loop-direction | Inconsistent direction of for loop |
| CWE‑691 | JavaScript | js/misleading-indentation-after-control-statement | Misleading indentation after control statement |
| CWE‑691 | JavaScript | js/actions/injection | Expression injection in Actions |
| CWE‑691 | JavaScript | js/actions/pull-request-target | Checkout of untrusted code in trusted context |
| CWE‑693 | JavaScript | js/angular/insecure-url-whitelist | Insecure URL whitelist |
| CWE‑693 | JavaScript | js/count-untrusted-data-external-api | Frequency counts for external APIs that are used with untrusted data |
| CWE‑693 | JavaScript | js/incomplete-hostname-regexp | Incomplete regular expression for hostnames |
| CWE‑693 | JavaScript | js/incomplete-url-scheme-check | Incomplete URL scheme check |
| CWE‑693 | JavaScript | js/incomplete-url-substring-sanitization | Incomplete URL substring sanitization |
| CWE‑693 | JavaScript | js/incorrect-suffix-check | Incorrect suffix check |
| CWE‑693 | JavaScript | js/missing-origin-check | Missing origin verification in postMessage handler |
| CWE‑693 | JavaScript | js/regex/missing-regexp-anchor | Missing regular expression anchor |
| CWE‑693 | JavaScript | js/untrusted-data-to-external-api | Untrusted data passed to external API |
| CWE‑693 | JavaScript | js/useless-regexp-character-escape | Useless regular-expression character escape |
| CWE‑693 | JavaScript | js/bad-tag-filter | Bad HTML filtering regexp |
| CWE‑693 | JavaScript | js/double-escaping | Double escaping or unescaping |
| CWE‑693 | JavaScript | js/incomplete-html-attribute-sanitization | Incomplete HTML attribute sanitization |
| CWE‑693 | JavaScript | js/incomplete-multi-character-sanitization | Incomplete multi-character sanitization |
| CWE‑693 | JavaScript | js/incomplete-sanitization | Incomplete string escaping or encoding |
| CWE‑693 | JavaScript | js/exposure-of-private-files | Exposure of private files |
| CWE‑693 | JavaScript | js/disabling-certificate-validation | Disabling certificate validation |
| CWE‑693 | JavaScript | js/insecure-dependency | Dependency download using unencrypted communication channel |
| CWE‑693 | JavaScript | js/build-artifact-leak | Storage of sensitive information in build artifact |
| CWE‑693 | JavaScript | js/clear-text-logging | Clear-text logging of sensitive information |
| CWE‑693 | JavaScript | js/clear-text-storage-of-sensitive-data | Clear text storage of sensitive information |
| CWE‑693 | JavaScript | js/password-in-configuration-file | Password in configuration file |
| CWE‑693 | JavaScript | js/insufficient-key-size | Use of a weak cryptographic key |
| CWE‑693 | JavaScript | js/biased-cryptographic-random | Creating biased random numbers from a cryptographically secure source |
| CWE‑693 | JavaScript | js/weak-cryptographic-algorithm | Use of a broken or weak cryptographic algorithm |
| CWE‑693 | JavaScript | js/cors-misconfiguration-for-credentials | CORS misconfiguration for credentials transfer |
| CWE‑693 | JavaScript | js/jwt-missing-verification | JWT missing secret or public key verification |
| CWE‑693 | JavaScript | js/missing-token-validation | Missing CSRF middleware |
| CWE‑693 | JavaScript | js/session-fixation | Failure to abandon session |
| CWE‑693 | JavaScript | js/remote-property-injection | Remote property injection |
| CWE‑693 | JavaScript | js/clear-text-cookie | Clear text transmission of sensitive cookie |
| CWE‑693 | JavaScript | js/host-header-forgery-in-email-generation | Host header poisoning in email generation |
| CWE‑693 | JavaScript | js/missing-rate-limiting | Missing rate limiting |
| CWE‑693 | JavaScript | js/hardcoded-credentials | Hard-coded credentials |
| CWE‑693 | JavaScript | js/user-controlled-bypass | User-controlled bypass of security check |
| CWE‑693 | JavaScript | js/different-kinds-comparison-bypass | Comparison of user-controlled data of different kinds |
| CWE‑693 | JavaScript | js/empty-password-in-configuration-file | Empty password in configuration file |
| CWE‑693 | JavaScript | js/insufficient-password-hash | Use of password hash with insufficient computational effort |
| CWE‑697 | JavaScript | js/angular/insecure-url-whitelist | Insecure URL whitelist |
| CWE‑697 | JavaScript | js/incomplete-url-scheme-check | Incomplete URL scheme check |
| CWE‑697 | JavaScript | js/bad-tag-filter | Bad HTML filtering regexp |
| CWE‑697 | JavaScript | js/cors-misconfiguration-for-credentials | CORS misconfiguration for credentials transfer |
| CWE‑703 | JavaScript | js/stack-trace-exposure | Information exposure through a stack trace |
| CWE‑703 | JavaScript | js/server-crash | Server crash |
| CWE‑703 | JavaScript | js/unvalidated-dynamic-method-call | Unvalidated dynamic method call |
| CWE‑704 | JavaScript | js/implicit-operand-conversion | Implicit operand conversion |
| CWE‑704 | JavaScript | js/shift-out-of-range | Shift out of range |
| CWE‑704 | JavaScript | js/invalid-prototype-value | Invalid prototype value |
| CWE‑704 | JavaScript | js/property-assignment-on-primitive | Assignment to property of primitive value |
| CWE‑704 | JavaScript | js/type-confusion-through-parameter-tampering | Type confusion through parameter tampering |
| CWE‑705 | JavaScript | js/exit-from-finally | Jump from finally |
| CWE‑705 | JavaScript | js/server-crash | Server crash |
| CWE‑706 | JavaScript | js/path-injection | Uncontrolled data used in path expression |
| CWE‑706 | JavaScript | js/zipslip | Arbitrary file write during zip extraction ("Zip Slip") |
| CWE‑706 | JavaScript | js/xxe | XML external entity expansion |
| CWE‑707 | JavaScript | js/angular/disabling-sce | Disabling SCE |
| CWE‑707 | JavaScript | js/disabling-electron-websecurity | Disabling Electron webSecurity |
| CWE‑707 | JavaScript | js/enabling-electron-renderer-node-integration | Enabling Node.js integration for Electron web content renderers |
| CWE‑707 | JavaScript | js/identity-replacement | Replacement of a substring with itself |
| CWE‑707 | JavaScript | js/path-injection | Uncontrolled data used in path expression |
| CWE‑707 | JavaScript | js/template-object-injection | Template Object Injection |
| CWE‑707 | JavaScript | js/command-line-injection | Uncontrolled command line |
| CWE‑707 | JavaScript | js/indirect-command-line-injection | Indirect uncontrolled command line |
| CWE‑707 | JavaScript | js/shell-command-injection-from-environment | Shell command built from environment values |
| CWE‑707 | JavaScript | js/shell-command-constructed-from-input | Unsafe shell command constructed from library input |
| CWE‑707 | JavaScript | js/unnecessary-use-of-cat | Unnecessary use of cat process |
| CWE‑707 | JavaScript | js/xss-through-exception | Exception text reinterpreted as HTML |
| CWE‑707 | JavaScript | js/reflected-xss | Reflected cross-site scripting |
| CWE‑707 | JavaScript | js/stored-xss | Stored cross-site scripting |
| CWE‑707 | JavaScript | js/html-constructed-from-input | Unsafe HTML constructed from library input |
| CWE‑707 | JavaScript | js/unsafe-jquery-plugin | Unsafe jQuery plugin |
| CWE‑707 | JavaScript | js/xss | Client-side cross-site scripting |
| CWE‑707 | JavaScript | js/xss-through-dom | DOM text reinterpreted as HTML |
| CWE‑707 | JavaScript | js/sql-injection | Database query built from user-controlled sources |
| CWE‑707 | JavaScript | js/code-injection | Code injection |
| CWE‑707 | JavaScript | js/bad-code-sanitization | Improper code sanitization |
| CWE‑707 | JavaScript | js/unsafe-code-construction | Unsafe code constructed from library input |
| CWE‑707 | JavaScript | js/unsafe-dynamic-method-access | Unsafe dynamic method access |
| CWE‑707 | JavaScript | js/bad-tag-filter | Bad HTML filtering regexp |
| CWE‑707 | JavaScript | js/double-escaping | Double escaping or unescaping |
| CWE‑707 | JavaScript | js/incomplete-html-attribute-sanitization | Incomplete HTML attribute sanitization |
| CWE‑707 | JavaScript | js/incomplete-multi-character-sanitization | Incomplete multi-character sanitization |
| CWE‑707 | JavaScript | js/incomplete-sanitization | Incomplete string escaping or encoding |
| CWE‑707 | JavaScript | js/unsafe-html-expansion | Unsafe expansion of self-closing HTML tag |
| CWE‑707 | JavaScript | js/log-injection | Log injection |
| CWE‑707 | JavaScript | js/tainted-format-string | Use of externally-controlled format string |
| CWE‑707 | JavaScript | js/client-side-unvalidated-url-redirection | Client-side URL redirect |
| CWE‑707 | JavaScript | js/xpath-injection | XPath injection |
| CWE‑707 | JavaScript | js/prototype-polluting-assignment | Prototype-polluting assignment |
| CWE‑707 | JavaScript | js/prototype-pollution-utility | Prototype-polluting function |
| CWE‑707 | JavaScript | js/prototype-pollution | Prototype-polluting merge call |
| CWE‑707 | JavaScript | js/actions/injection | Expression injection in Actions |
| CWE‑707 | JavaScript | js/actions/pull-request-target | Checkout of untrusted code in trusted context |
| CWE‑710 | JavaScript | js/todo-comment | TODO comment |
| CWE‑710 | JavaScript | js/conflicting-html-attribute | Conflicting HTML element attributes |
| CWE‑710 | JavaScript | js/malformed-html-id | Malformed id attribute |
| CWE‑710 | JavaScript | js/eval-like-call | Call to eval-like DOM function |
| CWE‑710 | JavaScript | js/variable-initialization-conflict | Conflicting variable initialization |
| CWE‑710 | JavaScript | js/function-declaration-conflict | Conflicting function declarations |
| CWE‑710 | JavaScript | js/useless-assignment-to-global | Useless assignment to global variable |
| CWE‑710 | JavaScript | js/useless-assignment-to-local | Useless assignment to local variable |
| CWE‑710 | JavaScript | js/overwritten-property | Overwritten property |
| CWE‑710 | JavaScript | js/comparison-of-identical-expressions | Comparison of identical values |
| CWE‑710 | JavaScript | js/comparison-with-nan | Comparison with NaN |
| CWE‑710 | JavaScript | js/duplicate-condition | Duplicate 'if' condition |
| CWE‑710 | JavaScript | js/duplicate-property | Duplicate property |
| CWE‑710 | JavaScript | js/duplicate-switch-case | Duplicate switch case |
| CWE‑710 | JavaScript | js/useless-expression | Expression has no effect |
| CWE‑710 | JavaScript | js/comparison-between-incompatible-types | Comparison between inconvertible types |
| CWE‑710 | JavaScript | js/redundant-operation | Identical operands |
| CWE‑710 | JavaScript | js/redundant-assignment | Self assignment |
| CWE‑710 | JavaScript | js/call-to-non-callable | Invocation of non-function |
| CWE‑710 | JavaScript | js/property-access-on-non-object | Property access on null or undefined |
| CWE‑710 | JavaScript | js/unneeded-defensive-code | Unneeded defensive code |
| CWE‑710 | JavaScript | js/useless-type-test | Useless type test |
| CWE‑710 | JavaScript | js/conditional-comment | Conditional comments |
| CWE‑710 | JavaScript | js/eval-call | Use of eval |
| CWE‑710 | JavaScript | js/non-standard-language-feature | Use of platform-specific language features |
| CWE‑710 | JavaScript | js/for-in-comprehension | Use of for-in comprehension blocks |
| CWE‑710 | JavaScript | js/superfluous-trailing-arguments | Superfluous trailing arguments |
| CWE‑710 | JavaScript | js/yield-outside-generator | Yield in non-generator function |
| CWE‑710 | JavaScript | js/node/assignment-to-exports-variable | Assignment to exports variable |
| CWE‑710 | JavaScript | js/regex/unmatchable-caret | Unmatchable caret in regular expression |
| CWE‑710 | JavaScript | js/regex/unmatchable-dollar | Unmatchable dollar in regular expression |
| CWE‑710 | JavaScript | js/remote-property-injection | Remote property injection |
| CWE‑710 | JavaScript | js/missing-x-frame-options | Missing X-Frame-Options HTTP header |
| CWE‑710 | JavaScript | js/hardcoded-data-interpreted-as-code | Hard-coded data interpreted as code |
| CWE‑710 | JavaScript | js/hardcoded-credentials | Hard-coded credentials |
| CWE‑710 | JavaScript | js/http-to-file-access | Network data written to file |
| CWE‑710 | JavaScript | js/useless-assignment-in-return | Return statement assigns local variable |
| CWE‑710 | JavaScript | js/unreachable-statement | Unreachable statement |
| CWE‑710 | JavaScript | js/trivial-conditional | Useless conditional |
| CWE‑754 | JavaScript | js/unvalidated-dynamic-method-call | Unvalidated dynamic method call |
| CWE‑755 | JavaScript | js/stack-trace-exposure | Information exposure through a stack trace |
| CWE‑758 | JavaScript | js/conflicting-html-attribute | Conflicting HTML element attributes |
| CWE‑758 | JavaScript | js/malformed-html-id | Malformed id attribute |
| CWE‑758 | JavaScript | js/conditional-comment | Conditional comments |
| CWE‑758 | JavaScript | js/non-standard-language-feature | Use of platform-specific language features |
| CWE‑758 | JavaScript | js/for-in-comprehension | Use of for-in comprehension blocks |
| CWE‑758 | JavaScript | js/yield-outside-generator | Yield in non-generator function |
| CWE‑770 | JavaScript | js/missing-rate-limiting | Missing rate limiting |
| CWE‑770 | JavaScript | js/resource-exhaustion | Resource exhaustion |
| CWE‑776 | JavaScript | js/xml-bomb | XML internal entity expansion |
| CWE‑783 | JavaScript | js/unclear-operator-precedence | Unclear precedence of nested operators |
| CWE‑783 | JavaScript | js/whitespace-contradicts-precedence | Whitespace contradicts operator precedence |
| CWE‑798 | JavaScript | js/hardcoded-credentials | Hard-coded credentials |
| CWE‑799 | JavaScript | js/missing-rate-limiting | Missing rate limiting |
| CWE‑807 | JavaScript | js/user-controlled-bypass | User-controlled bypass of security check |
| CWE‑807 | JavaScript | js/different-kinds-comparison-bypass | Comparison of user-controlled data of different kinds |
| CWE‑827 | JavaScript | js/xxe | XML external entity expansion |
| CWE‑829 | JavaScript | js/insecure-dependency | Dependency download using unencrypted communication channel |
| CWE‑829 | JavaScript | js/missing-x-frame-options | Missing X-Frame-Options HTTP header |
| CWE‑829 | JavaScript | js/xxe | XML external entity expansion |
| CWE‑829 | JavaScript | js/insecure-download | Download of sensitive file through insecure connection |
| CWE‑829 | JavaScript | js/functionality-from-untrusted-source | Inclusion of functionality from an untrusted source |
| CWE‑830 | JavaScript | js/functionality-from-untrusted-source | Inclusion of functionality from an untrusted source |
| CWE‑834 | JavaScript | js/xml-bomb | XML internal entity expansion |
| CWE‑834 | JavaScript | js/loop-bound-injection | Loop bound injection |
| CWE‑834 | JavaScript | js/inconsistent-loop-direction | Inconsistent direction of for loop |
| CWE‑835 | JavaScript | js/inconsistent-loop-direction | Inconsistent direction of for loop |
| CWE‑843 | JavaScript | js/type-confusion-through-parameter-tampering | Type confusion through parameter tampering |
| CWE‑862 | JavaScript | js/cors-misconfiguration-for-credentials | CORS misconfiguration for credentials transfer |
| CWE‑862 | JavaScript | js/empty-password-in-configuration-file | Empty password in configuration file |
| CWE‑912 | JavaScript | js/hardcoded-data-interpreted-as-code | Hard-coded data interpreted as code |
| CWE‑912 | JavaScript | js/http-to-file-access | Network data written to file |
| CWE‑913 | JavaScript | js/enabling-electron-renderer-node-integration | Enabling Node.js integration for Electron web content renderers |
| CWE‑913 | JavaScript | js/template-object-injection | Template Object Injection |
| CWE‑913 | JavaScript | js/code-injection | Code injection |
| CWE‑913 | JavaScript | js/bad-code-sanitization | Improper code sanitization |
| CWE‑913 | JavaScript | js/unsafe-code-construction | Unsafe code constructed from library input |
| CWE‑913 | JavaScript | js/unsafe-dynamic-method-access | Unsafe dynamic method access |
| CWE‑913 | JavaScript | js/unsafe-deserialization | Deserialization of user-controlled data |
| CWE‑913 | JavaScript | js/prototype-polluting-assignment | Prototype-polluting assignment |
| CWE‑913 | JavaScript | js/prototype-pollution-utility | Prototype-polluting function |
| CWE‑913 | JavaScript | js/prototype-pollution | Prototype-polluting merge call |
| CWE‑913 | JavaScript | js/actions/injection | Expression injection in Actions |
| CWE‑913 | JavaScript | js/actions/pull-request-target | Checkout of untrusted code in trusted context |
| CWE‑915 | JavaScript | js/prototype-polluting-assignment | Prototype-polluting assignment |
| CWE‑915 | JavaScript | js/prototype-pollution-utility | Prototype-polluting function |
| CWE‑915 | JavaScript | js/prototype-pollution | Prototype-polluting merge call |
| CWE‑916 | JavaScript | js/insufficient-password-hash | Use of password hash with insufficient computational effort |
| CWE‑918 | JavaScript | js/client-side-request-forgery | Client-side request forgery |
| CWE‑918 | JavaScript | js/request-forgery | Server-side request forgery |
| CWE‑918 | JavaScript | javascript/ssrf | Uncontrolled data used in network request |
| CWE‑922 | JavaScript | js/build-artifact-leak | Storage of sensitive information in build artifact |
| CWE‑922 | JavaScript | js/clear-text-logging | Clear-text logging of sensitive information |
| CWE‑922 | JavaScript | js/clear-text-storage-of-sensitive-data | Clear text storage of sensitive information |
| CWE‑922 | JavaScript | js/password-in-configuration-file | Password in configuration file |
| CWE‑922 | JavaScript | js/clear-text-cookie | Clear text transmission of sensitive cookie |
| CWE‑923 | JavaScript | js/disabling-certificate-validation | Disabling certificate validation |
| CWE‑923 | JavaScript | js/insecure-dependency | Dependency download using unencrypted communication channel |
| CWE‑942 | JavaScript | js/cors-misconfiguration-for-credentials | CORS misconfiguration for credentials transfer |
| CWE‑943 | JavaScript | js/sql-injection | Database query built from user-controlled sources |
| CWE‑943 | JavaScript | js/xpath-injection | XPath injection |
| CWE‑1004 | JavaScript | js/client-exposed-cookie | Sensitive server cookie exposed to the client |
| CWE‑1022 | JavaScript | js/unsafe-external-link | Potentially unsafe external link |
| CWE‑1176 | JavaScript | js/angular/double-compilation | Double compilation |
| CWE‑1275 | JavaScript | js/samesite-none-cookie | Sensitive cookie without SameSite restrictions |
| CWE‑1333 | JavaScript | js/polynomial-redos | Polynomial regular expression used on uncontrolled data |
| CWE‑1333 | JavaScript | js/redos | Inefficient regular expression |
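The practical use of this table is to turn a list of CWEs you care about (a Top 25 subset, a pen-test finding, an audit requirement) into the concrete query ids to run, and to see which CWEs have no query at all. The script below is an added example, not CodeQL's own tooling: it parses rows in this page's pipe-table layout, maps CWE numbers to query ids, reports uncovered CWEs, and renders a query-suite `include` filter. The embedded rows are a constructed copy of a few rows from this table (one written with the U+2011 non-breaking hyphen the page uses in "CWE‑nnn"), and the `.qls` fragment assumes the `include: id:` filter shape; check it against the CodeQL query-suite documentation for your CLI version before relying on it.

```python
"""Map CWEs of interest onto CodeQL JavaScript query ids using a coverage table."""
import re
from collections import defaultdict

# Constructed sample in the same pipe-table layout as the coverage page above.
# The third row uses U+2011 (non-breaking hyphen), as the rendered page does.
SAMPLE_TABLE = """\
| CWE | Language | Query id | Query name |
|---|---|---|---|
| CWE-22 | JavaScript | js/path-injection | Uncontrolled data used in path expression |
| CWE-22 | JavaScript | js/zipslip | Arbitrary file write during zip extraction ("Zip Slip") |
| CWE\u2011601 | JavaScript | js/client-side-unvalidated-url-redirection | Client-side URL redirect |
| CWE-601 | JavaScript | js/server-side-unvalidated-url-redirection | Server-side URL redirect |
| CWE-918 | JavaScript | js/request-forgery | Server-side request forgery |
| CWE-918 | JavaScript | javascript/ssrf | Uncontrolled data used in network request |
| CWE-1333 | JavaScript | js/redos | Inefficient regular expression |
"""

# Accept ASCII hyphen-minus, U+2010 hyphen and U+2011 non-breaking hyphen,
# so rows pasted from the rendered page and from plain text both match.
_CWE_RE = re.compile(r"CWE[\-\u2010\u2011](\d+)")


def parse_coverage(table):
    """Return {cwe_number: [query ids in table order]} from a markdown coverage table.

    Header and separator rows are skipped because their first cell is not a CWE id.
    """
    coverage = defaultdict(list)
    for line in table.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) < 3:
            continue
        match = _CWE_RE.fullmatch(cells[0])
        if not match:
            continue
        cwe = int(match.group(1))
        query_id = cells[2]
        if query_id not in coverage[cwe]:  # one CWE can list the same id once
            coverage[cwe].append(query_id)
    return dict(coverage)


def select_queries(coverage, wanted_cwes):
    """Split wanted CWEs into (sorted unique query ids, sorted uncovered CWE numbers).

    A CWE with no row in the table is reported rather than silently dropped, since
    "no query" is the finding an auditor needs to act on.
    """
    ids = set()
    missing = []
    for cwe in wanted_cwes:
        queries = coverage.get(cwe)
        if queries:
            ids.update(queries)
        else:
            missing.append(cwe)
    return sorted(ids), sorted(missing)


def qls_fragment(query_ids):
    """Render a query-suite include filter for the chosen ids.

    Assumed .qls shape (verify against the CodeQL docs for your CLI version):
    select every query in the JavaScript pack, then keep only the listed ids.
    """
    lines = ["- queries: .", "  from: codeql/javascript-queries", "- include:", "    id:"]
    lines += [f"      - {qid}" for qid in query_ids]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    cov = parse_coverage(SAMPLE_TABLE)
    ids, missing = select_queries(cov, [22, 79, 918, 1333])
    print(qls_fragment(ids))
    print("no query in this table for:", ", ".join(f"CWE-{c}" for c in missing))
```

Run it against the full table by pasting the rows into `SAMPLE_TABLE` or reading them from a file; CWE-79 is absent from the constructed sample only, so it is reported as uncovered here even though the full page lists several XSS queries for it.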