CodeQL documentation

CWE coverage for JavaScript

An overview of CWE coverage for JavaScript in the latest release of CodeQL.

Overview

CWE Language Query id Query name
CWE‑20 JavaScript js/count-untrusted-data-external-api Frequency counts for external APIs that are used with untrusted data
CWE‑20 JavaScript js/incomplete-hostname-regexp Incomplete regular expression for hostnames
CWE‑20 JavaScript js/incomplete-url-scheme-check Incomplete URL scheme check
CWE‑20 JavaScript js/incomplete-url-substring-sanitization Incomplete URL substring sanitization
CWE‑20 JavaScript js/incorrect-suffix-check Incorrect suffix check
CWE‑20 JavaScript js/missing-origin-check Missing origin verification in postMessage handler
CWE‑20 JavaScript js/regex/missing-regexp-anchor Missing regular expression anchor
CWE‑20 JavaScript js/untrusted-data-to-external-api Untrusted data passed to external API
CWE‑20 JavaScript js/useless-regexp-character-escape Useless regular-expression character escape
CWE‑20 JavaScript js/bad-tag-filter Bad HTML filtering regexp
CWE‑20 JavaScript js/double-escaping Double escaping or unescaping
CWE‑20 JavaScript js/incomplete-html-attribute-sanitization Incomplete HTML attribute sanitization
CWE‑20 JavaScript js/incomplete-multi-character-sanitization Incomplete multi-character sanitization
CWE‑20 JavaScript js/incomplete-sanitization Incomplete string escaping or encoding
CWE‑22 JavaScript js/path-injection Uncontrolled data used in path expression
CWE‑22 JavaScript js/zipslip Arbitrary file write during zip extraction ("Zip Slip")
CWE‑23 JavaScript js/path-injection Uncontrolled data used in path expression
CWE‑36 JavaScript js/path-injection Uncontrolled data used in path expression
CWE‑73 JavaScript js/path-injection Uncontrolled data used in path expression
CWE‑73 JavaScript js/template-object-injection Template Object Injection
CWE‑74 JavaScript js/disabling-electron-websecurity Disabling Electron webSecurity
CWE‑74 JavaScript js/enabling-electron-renderer-node-integration Enabling Node.js integration for Electron web content renderers
CWE‑74 JavaScript js/path-injection Uncontrolled data used in path expression
CWE‑74 JavaScript js/template-object-injection Template Object Injection
CWE‑74 JavaScript js/command-line-injection Uncontrolled command line
CWE‑74 JavaScript js/indirect-command-line-injection Indirect uncontrolled command line
CWE‑74 JavaScript js/shell-command-injection-from-environment Shell command built from environment values
CWE‑74 JavaScript js/shell-command-constructed-from-input Unsafe shell command constructed from library input
CWE‑74 JavaScript js/unnecessary-use-of-cat Unnecessary use of cat process
CWE‑74 JavaScript js/xss-through-exception Exception text reinterpreted as HTML
CWE‑74 JavaScript js/reflected-xss Reflected cross-site scripting
CWE‑74 JavaScript js/stored-xss Stored cross-site scripting
CWE‑74 JavaScript js/html-constructed-from-input Unsafe HTML constructed from library input
CWE‑74 JavaScript js/unsafe-jquery-plugin Unsafe jQuery plugin
CWE‑74 JavaScript js/xss Client-side cross-site scripting
CWE‑74 JavaScript js/xss-through-dom DOM text reinterpreted as HTML
CWE‑74 JavaScript js/sql-injection Database query built from user-controlled sources
CWE‑74 JavaScript js/code-injection Code injection
CWE‑74 JavaScript js/bad-code-sanitization Improper code sanitization
CWE‑74 JavaScript js/unsafe-code-construction Unsafe code constructed from library input
CWE‑74 JavaScript js/unsafe-dynamic-method-access Unsafe dynamic method access
CWE‑74 JavaScript js/bad-tag-filter Bad HTML filtering regexp
CWE‑74 JavaScript js/incomplete-html-attribute-sanitization Incomplete HTML attribute sanitization
CWE‑74 JavaScript js/incomplete-multi-character-sanitization Incomplete multi-character sanitization
CWE‑74 JavaScript js/incomplete-sanitization Incomplete string escaping or encoding
CWE‑74 JavaScript js/unsafe-html-expansion Unsafe expansion of self-closing HTML tag
CWE‑74 JavaScript js/tainted-format-string Use of externally-controlled format string
CWE‑74 JavaScript js/client-side-unvalidated-url-redirection Client-side URL redirect
CWE‑74 JavaScript js/xpath-injection XPath injection
CWE‑74 JavaScript js/prototype-polluting-assignment Prototype-polluting assignment
CWE‑74 JavaScript js/prototype-pollution-utility Prototype-polluting function
CWE‑74 JavaScript js/prototype-pollution Prototype-polluting merge call
CWE‑74 JavaScript js/actions/injection Expression injection in Actions
CWE‑74 JavaScript js/actions/pull-request-target Checkout of untrusted code in trusted context
CWE‑77 JavaScript js/command-line-injection Uncontrolled command line
CWE‑77 JavaScript js/indirect-command-line-injection Indirect uncontrolled command line
CWE‑77 JavaScript js/shell-command-injection-from-environment Shell command built from environment values
CWE‑77 JavaScript js/shell-command-constructed-from-input Unsafe shell command constructed from library input
CWE‑77 JavaScript js/unnecessary-use-of-cat Unnecessary use of cat process
CWE‑77 JavaScript js/prototype-polluting-assignment Prototype-polluting assignment
CWE‑77 JavaScript js/prototype-pollution-utility Prototype-polluting function
CWE‑77 JavaScript js/prototype-pollution Prototype-polluting merge call
CWE‑78 JavaScript js/command-line-injection Uncontrolled command line
CWE‑78 JavaScript js/indirect-command-line-injection Indirect uncontrolled command line
CWE‑78 JavaScript js/shell-command-injection-from-environment Shell command built from environment values
CWE‑78 JavaScript js/shell-command-constructed-from-input Unsafe shell command constructed from library input
CWE‑78 JavaScript js/unnecessary-use-of-cat Unnecessary use of cat process
CWE‑78 JavaScript js/prototype-polluting-assignment Prototype-polluting assignment
CWE‑78 JavaScript js/prototype-pollution-utility Prototype-polluting function
CWE‑78 JavaScript js/prototype-pollution Prototype-polluting merge call
CWE‑79 JavaScript js/disabling-electron-websecurity Disabling Electron webSecurity
CWE‑79 JavaScript js/xss-through-exception Exception text reinterpreted as HTML
CWE‑79 JavaScript js/reflected-xss Reflected cross-site scripting
CWE‑79 JavaScript js/stored-xss Stored cross-site scripting
CWE‑79 JavaScript js/html-constructed-from-input Unsafe HTML constructed from library input
CWE‑79 JavaScript js/unsafe-jquery-plugin Unsafe jQuery plugin
CWE‑79 JavaScript js/xss Client-side cross-site scripting
CWE‑79 JavaScript js/xss-through-dom DOM text reinterpreted as HTML
CWE‑79 JavaScript js/code-injection Code injection
CWE‑79 JavaScript js/bad-code-sanitization Improper code sanitization
CWE‑79 JavaScript js/unsafe-code-construction Unsafe code constructed from library input
CWE‑79 JavaScript js/bad-tag-filter Bad HTML filtering regexp
CWE‑79 JavaScript js/incomplete-html-attribute-sanitization Incomplete HTML attribute sanitization
CWE‑79 JavaScript js/incomplete-multi-character-sanitization Incomplete multi-character sanitization
CWE‑79 JavaScript js/incomplete-sanitization Incomplete string escaping or encoding
CWE‑79 JavaScript js/unsafe-html-expansion Unsafe expansion of self-closing HTML tag
CWE‑79 JavaScript js/client-side-unvalidated-url-redirection Client-side URL redirect
CWE‑79 JavaScript js/prototype-polluting-assignment Prototype-polluting assignment
CWE‑79 JavaScript js/prototype-pollution-utility Prototype-polluting function
CWE‑79 JavaScript js/prototype-pollution Prototype-polluting merge call
CWE‑80 JavaScript js/bad-tag-filter Bad HTML filtering regexp
CWE‑80 JavaScript js/incomplete-multi-character-sanitization Incomplete multi-character sanitization
CWE‑80 JavaScript js/incomplete-sanitization Incomplete string escaping or encoding
CWE‑88 JavaScript js/command-line-injection Uncontrolled command line
CWE‑88 JavaScript js/indirect-command-line-injection Indirect uncontrolled command line
CWE‑88 JavaScript js/shell-command-injection-from-environment Shell command built from environment values
CWE‑88 JavaScript js/shell-command-constructed-from-input Unsafe shell command constructed from library input
CWE‑89 JavaScript js/sql-injection Database query built from user-controlled sources
CWE‑90 JavaScript js/sql-injection Database query built from user-controlled sources
CWE‑91 JavaScript js/xpath-injection XPath injection
CWE‑94 JavaScript js/enabling-electron-renderer-node-integration Enabling Node.js integration for Electron web content renderers
CWE‑94 JavaScript js/template-object-injection Template Object Injection
CWE‑94 JavaScript js/code-injection Code injection
CWE‑94 JavaScript js/bad-code-sanitization Improper code sanitization
CWE‑94 JavaScript js/unsafe-code-construction Unsafe code constructed from library input
CWE‑94 JavaScript js/unsafe-dynamic-method-access Unsafe dynamic method access
CWE‑94 JavaScript js/prototype-polluting-assignment Prototype-polluting assignment
CWE‑94 JavaScript js/prototype-pollution-utility Prototype-polluting function
CWE‑94 JavaScript js/prototype-pollution Prototype-polluting merge call
CWE‑94 JavaScript js/actions/injection Expression injection in Actions
CWE‑94 JavaScript js/actions/pull-request-target Checkout of untrusted code in trusted context
CWE‑95 JavaScript js/code-injection Code injection
CWE‑99 JavaScript js/path-injection Uncontrolled data used in path expression
CWE‑116 JavaScript js/angular/disabling-sce Disabling SCE
CWE‑116 JavaScript js/identity-replacement Replacement of a substring with itself
CWE‑116 JavaScript js/xss-through-exception Exception text reinterpreted as HTML
CWE‑116 JavaScript js/reflected-xss Reflected cross-site scripting
CWE‑116 JavaScript js/stored-xss Stored cross-site scripting
CWE‑116 JavaScript js/html-constructed-from-input Unsafe HTML constructed from library input
CWE‑116 JavaScript js/unsafe-jquery-plugin Unsafe jQuery plugin
CWE‑116 JavaScript js/xss Client-side cross-site scripting
CWE‑116 JavaScript js/xss-through-dom DOM text reinterpreted as HTML
CWE‑116 JavaScript js/code-injection Code injection
CWE‑116 JavaScript js/bad-code-sanitization Improper code sanitization
CWE‑116 JavaScript js/unsafe-code-construction Unsafe code constructed from library input
CWE‑116 JavaScript js/bad-tag-filter Bad HTML filtering regexp
CWE‑116 JavaScript js/double-escaping Double escaping or unescaping
CWE‑116 JavaScript js/incomplete-html-attribute-sanitization Incomplete HTML attribute sanitization
CWE‑116 JavaScript js/incomplete-multi-character-sanitization Incomplete multi-character sanitization
CWE‑116 JavaScript js/incomplete-sanitization Incomplete string escaping or encoding
CWE‑116 JavaScript js/unsafe-html-expansion Unsafe expansion of self-closing HTML tag
CWE‑116 JavaScript js/log-injection Log injection
CWE‑116 JavaScript js/client-side-unvalidated-url-redirection Client-side URL redirect
CWE‑117 JavaScript js/log-injection Log injection
CWE‑134 JavaScript js/tainted-format-string Use of externally-controlled format string
CWE‑183 JavaScript js/angular/insecure-url-whitelist Insecure URL whitelist
CWE‑183 JavaScript js/cors-misconfiguration-for-credentials CORS misconfiguration for credentials transfer
CWE‑184 JavaScript js/incomplete-url-scheme-check Incomplete URL scheme check
CWE‑184 JavaScript js/bad-tag-filter Bad HTML filtering regexp
CWE‑185 JavaScript js/angular/insecure-url-whitelist Insecure URL whitelist
CWE‑185 JavaScript js/bad-tag-filter Bad HTML filtering regexp
CWE‑186 JavaScript js/bad-tag-filter Bad HTML filtering regexp
CWE‑193 JavaScript js/index-out-of-bounds Off-by-one comparison against length
CWE‑197 JavaScript js/shift-out-of-range Shift out of range
CWE‑200 JavaScript js/unsafe-external-link Potentially unsafe external link
CWE‑200 JavaScript js/file-access-to-http File data in outbound network request
CWE‑200 JavaScript js/exposure-of-private-files Exposure of private files
CWE‑200 JavaScript js/cross-window-information-leak Cross-window communication with unrestricted target origin
CWE‑200 JavaScript js/stack-trace-exposure Information exposure through a stack trace
CWE‑200 JavaScript js/build-artifact-leak Storage of sensitive information in build artifact
CWE‑200 JavaScript js/clear-text-logging Clear-text logging of sensitive information
CWE‑200 JavaScript js/clear-text-storage-of-sensitive-data Clear text storage of sensitive information
CWE‑200 JavaScript js/sensitive-get-query Sensitive data read from GET request
CWE‑201 JavaScript js/cross-window-information-leak Cross-window communication with unrestricted target origin
CWE‑209 JavaScript js/stack-trace-exposure Information exposure through a stack trace
CWE‑216 JavaScript js/exposure-of-private-files Exposure of private files
CWE‑219 JavaScript js/exposure-of-private-files Exposure of private files
CWE‑221 JavaScript js/missing-x-frame-options Missing X-Frame-Options HTTP header
CWE‑227 JavaScript js/superfluous-trailing-arguments Superfluous trailing arguments
CWE‑227 JavaScript js/missing-x-frame-options Missing X-Frame-Options HTTP header
CWE‑248 JavaScript js/server-crash Server crash
CWE‑250 JavaScript js/remote-property-injection Remote property injection
CWE‑256 JavaScript js/password-in-configuration-file Password in configuration file
CWE‑258 JavaScript js/empty-password-in-configuration-file Empty password in configuration file
CWE‑259 JavaScript js/hardcoded-credentials Hard-coded credentials
CWE‑260 JavaScript js/password-in-configuration-file Password in configuration file
CWE‑260 JavaScript js/empty-password-in-configuration-file Empty password in configuration file
CWE‑269 JavaScript js/remote-property-injection Remote property injection
CWE‑284 JavaScript js/exposure-of-private-files Exposure of private files
CWE‑284 JavaScript js/disabling-certificate-validation Disabling certificate validation
CWE‑284 JavaScript js/insecure-dependency Dependency download using unencrypted communication channel
CWE‑284 JavaScript js/password-in-configuration-file Password in configuration file
CWE‑284 JavaScript js/cors-misconfiguration-for-credentials CORS misconfiguration for credentials transfer
CWE‑284 JavaScript js/session-fixation Failure to abandon session
CWE‑284 JavaScript js/remote-property-injection Remote property injection
CWE‑284 JavaScript js/host-header-forgery-in-email-generation Host header poisoning in email generation
CWE‑284 JavaScript js/missing-rate-limiting Missing rate limiting
CWE‑284 JavaScript js/hardcoded-credentials Hard-coded credentials
CWE‑284 JavaScript js/user-controlled-bypass User-controlled bypass of security check
CWE‑284 JavaScript js/different-kinds-comparison-bypass Comparison of user-controlled data of different kinds
CWE‑284 JavaScript js/empty-password-in-configuration-file Empty password in configuration file
CWE‑285 JavaScript js/exposure-of-private-files Exposure of private files
CWE‑285 JavaScript js/cors-misconfiguration-for-credentials CORS misconfiguration for credentials transfer
CWE‑285 JavaScript js/empty-password-in-configuration-file Empty password in configuration file
CWE‑287 JavaScript js/password-in-configuration-file Password in configuration file
CWE‑287 JavaScript js/session-fixation Failure to abandon session
CWE‑287 JavaScript js/host-header-forgery-in-email-generation Host header poisoning in email generation
CWE‑287 JavaScript js/missing-rate-limiting Missing rate limiting
CWE‑287 JavaScript js/hardcoded-credentials Hard-coded credentials
CWE‑287 JavaScript js/user-controlled-bypass User-controlled bypass of security check
CWE‑287 JavaScript js/different-kinds-comparison-bypass Comparison of user-controlled data of different kinds
CWE‑287 JavaScript js/empty-password-in-configuration-file Empty password in configuration file
CWE‑290 JavaScript js/user-controlled-bypass User-controlled bypass of security check
CWE‑290 JavaScript js/different-kinds-comparison-bypass Comparison of user-controlled data of different kinds
CWE‑295 JavaScript js/disabling-certificate-validation Disabling certificate validation
CWE‑297 JavaScript js/disabling-certificate-validation Disabling certificate validation
CWE‑300 JavaScript js/insecure-dependency Dependency download using unencrypted communication channel
CWE‑307 JavaScript js/missing-rate-limiting Missing rate limiting
CWE‑311 JavaScript js/insecure-dependency Dependency download using unencrypted communication channel
CWE‑311 JavaScript js/build-artifact-leak Storage of sensitive information in build artifact
CWE‑311 JavaScript js/clear-text-logging Clear-text logging of sensitive information
CWE‑311 JavaScript js/clear-text-storage-of-sensitive-data Clear text storage of sensitive information
CWE‑311 JavaScript js/password-in-configuration-file Password in configuration file
CWE‑311 JavaScript js/clear-text-cookie Clear text transmission of sensitive cookie
CWE‑312 JavaScript js/build-artifact-leak Storage of sensitive information in build artifact
CWE‑312 JavaScript js/clear-text-logging Clear-text logging of sensitive information
CWE‑312 JavaScript js/clear-text-storage-of-sensitive-data Clear text storage of sensitive information
CWE‑312 JavaScript js/password-in-configuration-file Password in configuration file
CWE‑312 JavaScript js/clear-text-cookie Clear text transmission of sensitive cookie
CWE‑313 JavaScript js/password-in-configuration-file Password in configuration file
CWE‑315 JavaScript js/build-artifact-leak Storage of sensitive information in build artifact
CWE‑315 JavaScript js/clear-text-storage-of-sensitive-data Clear text storage of sensitive information
CWE‑319 JavaScript js/insecure-dependency Dependency download using unencrypted communication channel
CWE‑319 JavaScript js/clear-text-cookie Clear text transmission of sensitive cookie
CWE‑321 JavaScript js/hardcoded-credentials Hard-coded credentials
CWE‑326 JavaScript js/insufficient-key-size Use of a weak cryptographic key
CWE‑326 JavaScript js/weak-cryptographic-algorithm Use of a broken or weak cryptographic algorithm
CWE‑327 JavaScript js/biased-cryptographic-random Creating biased random numbers from a cryptographically secure source
CWE‑327 JavaScript js/weak-cryptographic-algorithm Use of a broken or weak cryptographic algorithm
CWE‑327 JavaScript js/insufficient-password-hash Use of password hash with insufficient computational effort
CWE‑328 JavaScript js/weak-cryptographic-algorithm Use of a broken or weak cryptographic algorithm
CWE‑330 JavaScript js/insecure-randomness Insecure randomness
CWE‑330 JavaScript js/hardcoded-credentials Hard-coded credentials
CWE‑338 JavaScript js/insecure-randomness Insecure randomness
CWE‑344 JavaScript js/hardcoded-credentials Hard-coded credentials
CWE‑345 JavaScript js/cors-misconfiguration-for-credentials CORS misconfiguration for credentials transfer
CWE‑345 JavaScript js/jwt-missing-verification JWT missing secret or public key verification
CWE‑345 JavaScript js/missing-token-validation Missing CSRF middleware
CWE‑346 JavaScript js/cors-misconfiguration-for-credentials CORS misconfiguration for credentials transfer
CWE‑347 JavaScript js/jwt-missing-verification JWT missing secret or public key verification
CWE‑352 JavaScript js/missing-token-validation Missing CSRF middleware
CWE‑359 JavaScript js/cross-window-information-leak Cross-window communication with unrestricted target origin
CWE‑359 JavaScript js/build-artifact-leak Storage of sensitive information in build artifact
CWE‑359 JavaScript js/clear-text-logging Clear-text logging of sensitive information
CWE‑359 JavaScript js/clear-text-storage-of-sensitive-data Clear text storage of sensitive information
CWE‑362 JavaScript js/file-system-race Potential file system race condition
CWE‑367 JavaScript js/file-system-race Potential file system race condition
CWE‑384 JavaScript js/session-fixation Failure to abandon session
CWE‑398 JavaScript js/todo-comment TODO comment
CWE‑398 JavaScript js/eval-like-call Call to eval-like DOM function
CWE‑398 JavaScript js/variable-initialization-conflict Conflicting variable initialization
CWE‑398 JavaScript js/function-declaration-conflict Conflicting function declarations
CWE‑398 JavaScript js/useless-assignment-to-global Useless assignment to global variable
CWE‑398 JavaScript js/useless-assignment-to-local Useless assignment to local variable
CWE‑398 JavaScript js/overwritten-property Overwritten property
CWE‑398 JavaScript js/comparison-of-identical-expressions Comparison of identical values
CWE‑398 JavaScript js/comparison-with-nan Comparison with NaN
CWE‑398 JavaScript js/duplicate-condition Duplicate 'if' condition
CWE‑398 JavaScript js/duplicate-property Duplicate property
CWE‑398 JavaScript js/duplicate-switch-case Duplicate switch case
CWE‑398 JavaScript js/useless-expression Expression has no effect
CWE‑398 JavaScript js/comparison-between-incompatible-types Comparison between inconvertible types
CWE‑398 JavaScript js/redundant-operation Identical operands
CWE‑398 JavaScript js/redundant-assignment Self assignment
CWE‑398 JavaScript js/call-to-non-callable Invocation of non-function
CWE‑398 JavaScript js/property-access-on-non-object Property access on null or undefined
CWE‑398 JavaScript js/unneeded-defensive-code Unneeded defensive code
CWE‑398 JavaScript js/useless-type-test Useless type test
CWE‑398 JavaScript js/eval-call Use of eval
CWE‑398 JavaScript js/node/assignment-to-exports-variable Assignment to exports variable
CWE‑398 JavaScript js/regex/unmatchable-caret Unmatchable caret in regular expression
CWE‑398 JavaScript js/regex/unmatchable-dollar Unmatchable dollar in regular expression
CWE‑398 JavaScript js/useless-assignment-in-return Return statement assigns local variable
CWE‑398 JavaScript js/unreachable-statement Unreachable statement
CWE‑398 JavaScript js/trivial-conditional Useless conditional
CWE‑400 JavaScript js/polynomial-redos Polynomial regular expression used on uncontrolled data
CWE‑400 JavaScript js/redos Inefficient regular expression
CWE‑400 JavaScript js/resource-exhaustion-from-deep-object-traversal Resources exhaustion from deep object traversal
CWE‑400 JavaScript js/remote-property-injection Remote property injection
CWE‑400 JavaScript js/regex-injection Regular expression injection
CWE‑400 JavaScript js/missing-rate-limiting Missing rate limiting
CWE‑400 JavaScript js/resource-exhaustion Resource exhaustion
CWE‑400 JavaScript js/xml-bomb XML internal entity expansion
CWE‑400 JavaScript js/prototype-polluting-assignment Prototype-polluting assignment
CWE‑400 JavaScript js/prototype-pollution-utility Prototype-polluting function
CWE‑400 JavaScript js/prototype-pollution Prototype-polluting merge call
CWE‑405 JavaScript js/xml-bomb XML internal entity expansion
CWE‑409 JavaScript js/xml-bomb XML internal entity expansion
CWE‑434 JavaScript js/http-to-file-access Network data written to file
CWE‑441 JavaScript js/client-side-request-forgery Client-side request forgery
CWE‑441 JavaScript js/request-forgery Server-side request forgery
CWE‑441 JavaScript javascript/ssrf Uncontrolled data used in network request
CWE‑451 JavaScript js/missing-x-frame-options Missing X-Frame-Options HTTP header
CWE‑471 JavaScript js/prototype-polluting-assignment Prototype-polluting assignment
CWE‑471 JavaScript js/prototype-pollution-utility Prototype-polluting function
CWE‑471 JavaScript js/prototype-pollution Prototype-polluting merge call
CWE‑476 JavaScript js/call-to-non-callable Invocation of non-function
CWE‑476 JavaScript js/property-access-on-non-object Property access on null or undefined
CWE‑480 JavaScript js/useless-expression Expression has no effect
CWE‑480 JavaScript js/redundant-operation Identical operands
CWE‑480 JavaScript js/redundant-assignment Self assignment
CWE‑480 JavaScript js/deletion-of-non-property Deleting non-property
CWE‑483 JavaScript js/misleading-indentation-of-dangling-else Misleading indentation of dangling 'else'
CWE‑483 JavaScript js/misleading-indentation-after-control-statement Misleading indentation after control statement
CWE‑485 JavaScript js/alert-call Invocation of alert
CWE‑485 JavaScript js/debugger-statement Use of debugger statement
CWE‑485 JavaScript js/exposure-of-private-files Exposure of private files
CWE‑489 JavaScript js/alert-call Invocation of alert
CWE‑489 JavaScript js/debugger-statement Use of debugger statement
CWE‑494 JavaScript js/enabling-electron-insecure-content Enabling Electron allowRunningInsecureContent
CWE‑494 JavaScript js/insecure-dependency Dependency download using unencrypted communication channel
CWE‑497 JavaScript js/stack-trace-exposure Information exposure through a stack trace
CWE‑502 JavaScript js/unsafe-deserialization Deserialization of user-controlled data
CWE‑506 JavaScript js/hardcoded-data-interpreted-as-code Hard-coded data interpreted as code
CWE‑521 JavaScript js/empty-password-in-configuration-file Empty password in configuration file
CWE‑522 JavaScript js/password-in-configuration-file Password in configuration file
CWE‑522 JavaScript js/empty-password-in-configuration-file Empty password in configuration file
CWE‑532 JavaScript js/clear-text-logging Clear-text logging of sensitive information
CWE‑538 JavaScript js/exposure-of-private-files Exposure of private files
CWE‑538 JavaScript js/clear-text-logging Clear-text logging of sensitive information
CWE‑546 JavaScript js/todo-comment TODO comment
CWE‑548 JavaScript js/exposure-of-private-files Exposure of private files
CWE‑552 JavaScript js/exposure-of-private-files Exposure of private files
CWE‑552 JavaScript js/clear-text-logging Clear-text logging of sensitive information
CWE‑561 JavaScript js/comparison-of-identical-expressions Comparison of identical values
CWE‑561 JavaScript js/comparison-with-nan Comparison with NaN
CWE‑561 JavaScript js/duplicate-condition Duplicate 'if' condition
CWE‑561 JavaScript js/duplicate-switch-case Duplicate switch case
CWE‑561 JavaScript js/useless-expression Expression has no effect
CWE‑561 JavaScript js/comparison-between-incompatible-types Comparison between inconvertible types
CWE‑561 JavaScript js/redundant-operation Identical operands
CWE‑561 JavaScript js/redundant-assignment Self assignment
CWE‑561 JavaScript js/unneeded-defensive-code Unneeded defensive code
CWE‑561 JavaScript js/useless-type-test Useless type test
CWE‑561 JavaScript js/regex/unmatchable-caret Unmatchable caret in regular expression
CWE‑561 JavaScript js/regex/unmatchable-dollar Unmatchable dollar in regular expression
CWE‑561 JavaScript js/unreachable-statement Unreachable statement
CWE‑561 JavaScript js/trivial-conditional Useless conditional
CWE‑563 JavaScript js/variable-initialization-conflict Conflicting variable initialization
CWE‑563 JavaScript js/function-declaration-conflict Conflicting function declarations
CWE‑563 JavaScript js/useless-assignment-to-global Useless assignment to global variable
CWE‑563 JavaScript js/useless-assignment-to-local Useless assignment to local variable
CWE‑563 JavaScript js/overwritten-property Overwritten property
CWE‑563 JavaScript js/duplicate-property Duplicate property
CWE‑563 JavaScript js/node/assignment-to-exports-variable Assignment to exports variable
CWE‑563 JavaScript js/useless-assignment-in-return Return statement assigns local variable
CWE‑570 JavaScript js/comparison-of-identical-expressions Comparison of identical values
CWE‑570 JavaScript js/comparison-with-nan Comparison with NaN
CWE‑570 JavaScript js/comparison-between-incompatible-types Comparison between inconvertible types
CWE‑570 JavaScript js/unneeded-defensive-code Unneeded defensive code
CWE‑570 JavaScript js/useless-type-test Useless type test
CWE‑570 JavaScript js/trivial-conditional Useless conditional
CWE‑571 JavaScript js/comparison-of-identical-expressions Comparison of identical values
CWE‑571 JavaScript js/comparison-with-nan Comparison with NaN
CWE‑571 JavaScript js/comparison-between-incompatible-types Comparison between inconvertible types
CWE‑571 JavaScript js/unneeded-defensive-code Unneeded defensive code
CWE‑571 JavaScript js/useless-type-test Useless type test
CWE‑571 JavaScript js/trivial-conditional Useless conditional
CWE‑573 JavaScript js/superfluous-trailing-arguments Superfluous trailing arguments
CWE‑584 JavaScript js/exit-from-finally Jump from finally
CWE‑592 JavaScript js/user-controlled-bypass User-controlled bypass of security check
CWE‑592 JavaScript js/different-kinds-comparison-bypass Comparison of user-controlled data of different kinds
CWE‑598 JavaScript js/sensitive-get-query Sensitive data read from GET request
CWE‑601 JavaScript js/client-side-unvalidated-url-redirection Client-side URL redirect
CWE‑601 JavaScript js/server-side-unvalidated-url-redirection Server-side URL redirect
CWE‑610 JavaScript js/path-injection Uncontrolled data used in path expression
CWE‑610 JavaScript js/template-object-injection Template Object Injection
CWE‑610 JavaScript js/client-side-unvalidated-url-redirection Client-side URL redirect
CWE‑610 JavaScript js/server-side-unvalidated-url-redirection Server-side URL redirect
CWE‑610 JavaScript js/xxe XML external entity expansion
CWE‑610 JavaScript js/client-side-request-forgery Client-side request forgery
CWE‑610 JavaScript js/request-forgery Server-side request forgery
CWE‑610 JavaScript javascript/ssrf Uncontrolled data used in network request
CWE‑611 JavaScript js/xxe XML external entity expansion
CWE‑614 JavaScript js/clear-text-cookie Clear text transmission of sensitive cookie
CWE‑625 JavaScript js/angular/insecure-url-whitelist Insecure URL whitelist
CWE‑628 JavaScript js/superfluous-trailing-arguments Superfluous trailing arguments
CWE‑639 JavaScript js/cors-misconfiguration-for-credentials CORS misconfiguration for credentials transfer
CWE‑640 JavaScript js/host-header-forgery-in-email-generation Host header poisoning in email generation
CWE‑642 JavaScript js/path-injection Uncontrolled data used in path expression
CWE‑642 JavaScript js/template-object-injection Template Object Injection
CWE‑643 JavaScript js/xpath-injection XPath injection
CWE‑657 JavaScript js/remote-property-injection Remote property injection
CWE‑657 JavaScript js/hardcoded-credentials Hard-coded credentials
CWE‑664 JavaScript js/alert-call Invocation of alert
CWE‑664 JavaScript js/unsafe-external-link Potentially unsafe external link
CWE‑664 JavaScript js/enabling-electron-insecure-content Enabling Electron allowRunningInsecureContent
CWE‑664 JavaScript js/enabling-electron-renderer-node-integration Enabling Node.js integration for Electron web content renderers
CWE‑664 JavaScript js/implicit-operand-conversion Implicit operand conversion
CWE‑664 JavaScript js/shift-out-of-range Shift out of range
CWE‑664 JavaScript js/debugger-statement Use of debugger statement
CWE‑664 JavaScript js/invalid-prototype-value Invalid prototype value
CWE‑664 JavaScript js/property-assignment-on-primitive Assignment to property of primitive value
CWE‑664 JavaScript js/polynomial-redos Polynomial regular expression used on uncontrolled data
CWE‑664 JavaScript js/redos Inefficient regular expression
CWE‑664 JavaScript js/path-injection Uncontrolled data used in path expression
CWE‑664 JavaScript js/zipslip Arbitrary file write during zip extraction ("Zip Slip")
CWE‑664 JavaScript js/template-object-injection Template Object Injection
CWE‑664 JavaScript js/code-injection Code injection
CWE‑664 JavaScript js/bad-code-sanitization Improper code sanitization
CWE‑664 JavaScript js/unsafe-code-construction Unsafe code constructed from library input
CWE‑664 JavaScript js/unsafe-dynamic-method-access Unsafe dynamic method access
CWE‑664 JavaScript js/file-access-to-http File data in outbound network request
CWE‑664 JavaScript js/exposure-of-private-files Exposure of private files
CWE‑664 JavaScript js/cross-window-information-leak Cross-window communication with unrestricted target origin
CWE‑664 JavaScript js/stack-trace-exposure Information exposure through a stack trace
CWE‑664 JavaScript js/disabling-certificate-validation Disabling certificate validation
CWE‑664 JavaScript js/insecure-dependency Dependency download using unencrypted communication channel
CWE‑664 JavaScript js/build-artifact-leak Storage of sensitive information in build artifact
CWE‑664 JavaScript js/clear-text-logging Clear-text logging of sensitive information
CWE‑664 JavaScript js/clear-text-storage-of-sensitive-data Clear text storage of sensitive information
CWE‑664 JavaScript js/password-in-configuration-file Password in configuration file
CWE‑664 JavaScript js/cors-misconfiguration-for-credentials CORS misconfiguration for credentials transfer
CWE‑664 JavaScript js/session-fixation Failure to abandon session
CWE‑664 JavaScript js/resource-exhaustion-from-deep-object-traversal Resources exhaustion from deep object traversal
CWE‑664 JavaScript js/remote-property-injection Remote property injection
CWE‑664 JavaScript js/missing-x-frame-options Missing X-Frame-Options HTTP header
CWE‑664 JavaScript js/unsafe-deserialization Deserialization of user-controlled data
CWE‑664 JavaScript js/sensitive-get-query Sensitive data read from GET request
CWE‑664 JavaScript js/client-side-unvalidated-url-redirection Client-side URL redirect
CWE‑664 JavaScript js/server-side-unvalidated-url-redirection Server-side URL redirect
CWE‑664 JavaScript js/xxe XML external entity expansion
CWE‑664 JavaScript js/clear-text-cookie Clear text transmission of sensitive cookie
CWE‑664 JavaScript js/host-header-forgery-in-email-generation Host header poisoning in email generation
CWE‑664 JavaScript js/regex-injection Regular expression injection
CWE‑664 JavaScript js/missing-rate-limiting Missing rate limiting
CWE‑664 JavaScript js/resource-exhaustion Resource exhaustion
CWE‑664 JavaScript js/xml-bomb XML internal entity expansion
CWE‑664 JavaScript js/hardcoded-credentials Hard-coded credentials
CWE‑664 JavaScript js/user-controlled-bypass User-controlled bypass of security check
CWE‑664 JavaScript js/different-kinds-comparison-bypass Comparison of user-controlled data of different kinds
CWE‑664 JavaScript js/insecure-download Download of sensitive file through insecure connection
CWE‑664 JavaScript js/functionality-from-untrusted-source Inclusion of functionality from an untrusted source
CWE‑664 JavaScript js/type-confusion-through-parameter-tampering Type confusion through parameter tampering
CWE‑664 JavaScript js/empty-password-in-configuration-file Empty password in configuration file
CWE‑664 JavaScript js/http-to-file-access Network data written to file
CWE‑664 JavaScript js/prototype-polluting-assignment Prototype-polluting assignment
CWE‑664 JavaScript js/prototype-pollution-utility Prototype-polluting function
CWE‑664 JavaScript js/prototype-pollution Prototype-polluting merge call
CWE‑664 JavaScript js/client-side-request-forgery Client-side request forgery
CWE‑664 JavaScript js/request-forgery Server-side request forgery
CWE‑664 JavaScript js/actions/injection Expression injection in Actions
CWE‑664 JavaScript js/actions/pull-request-target Checkout of untrusted code in trusted context
CWE‑664 JavaScript javascript/ssrf Uncontrolled data used in network request
CWE‑665 JavaScript js/missing-rate-limiting Missing rate limiting
CWE‑665 JavaScript js/resource-exhaustion Resource exhaustion
CWE‑668 JavaScript js/unsafe-external-link Potentially unsafe external link
CWE‑668 JavaScript js/path-injection Uncontrolled data used in path expression
CWE‑668 JavaScript js/zipslip Arbitrary file write during zip extraction ("Zip Slip")
CWE‑668 JavaScript js/template-object-injection Template Object Injection
CWE‑668 JavaScript js/file-access-to-http File data in outbound network request
CWE‑668 JavaScript js/exposure-of-private-files Exposure of private files
CWE‑668 JavaScript js/cross-window-information-leak Cross-window communication with unrestricted target origin
CWE‑668 JavaScript js/stack-trace-exposure Information exposure through a stack trace
CWE‑668 JavaScript js/build-artifact-leak Storage of sensitive information in build artifact
CWE‑668 JavaScript js/clear-text-logging Clear-text logging of sensitive information
CWE‑668 JavaScript js/clear-text-storage-of-sensitive-data Clear text storage of sensitive information
CWE‑668 JavaScript js/password-in-configuration-file Password in configuration file
CWE‑668 JavaScript js/cors-misconfiguration-for-credentials CORS misconfiguration for credentials transfer
CWE‑668 JavaScript js/sensitive-get-query Sensitive data read from GET request
CWE‑668 JavaScript js/empty-password-in-configuration-file Empty password in configuration file
CWE‑669 JavaScript js/enabling-electron-insecure-content Enabling Electron allowRunningInsecureContent
CWE‑669 JavaScript js/insecure-dependency Dependency download using unencrypted communication channel
CWE‑669 JavaScript js/missing-x-frame-options Missing X-Frame-Options HTTP header
CWE‑669 JavaScript js/xxe XML external entity expansion
CWE‑669 JavaScript js/insecure-download Download of sensitive file through insecure connection
CWE‑669 JavaScript js/functionality-from-untrusted-source Inclusion of functionality from an untrusted source
CWE‑669 JavaScript js/http-to-file-access Network data written to file
CWE‑670 JavaScript js/useless-expression Expression has no effect
CWE‑670 JavaScript js/redundant-operation Identical operands
CWE‑670 JavaScript js/redundant-assignment Self assignment
CWE‑670 JavaScript js/unclear-operator-precedence Unclear precedence of nested operators
CWE‑670 JavaScript js/whitespace-contradicts-precedence Whitespace contradicts operator precedence
CWE‑670 JavaScript js/deletion-of-non-property Deleting non-property
CWE‑670 JavaScript js/misleading-indentation-of-dangling-else Misleading indentation of dangling 'else'
CWE‑670 JavaScript js/misleading-indentation-after-control-statement Misleading indentation after control statement
CWE‑671 JavaScript js/hardcoded-credentials Hard-coded credentials
CWE‑674 JavaScript js/xml-bomb XML internal entity expansion
CWE‑676 JavaScript js/eval-like-call Call to eval-like DOM function
CWE‑676 JavaScript js/eval-call Use of eval
CWE‑681 JavaScript js/shift-out-of-range Shift out of range
CWE‑682 JavaScript js/index-out-of-bounds Off-by-one comparison against length
CWE‑684 JavaScript js/missing-x-frame-options Missing X-Frame-Options HTTP header
CWE‑685 JavaScript js/superfluous-trailing-arguments Superfluous trailing arguments
CWE‑691 JavaScript js/enabling-electron-renderer-node-integration Enabling Node.js integration for Electron web content renderers
CWE‑691 JavaScript js/useless-expression Expression has no effect
CWE‑691 JavaScript js/redundant-operation Identical operands
CWE‑691 JavaScript js/redundant-assignment Self assignment
CWE‑691 JavaScript js/unclear-operator-precedence Unclear precedence of nested operators
CWE‑691 JavaScript js/whitespace-contradicts-precedence Whitespace contradicts operator precedence
CWE‑691 JavaScript js/deletion-of-non-property Deleting non-property
CWE‑691 JavaScript js/exit-from-finally Jump from finally
CWE‑691 JavaScript js/template-object-injection Template Object Injection
CWE‑691 JavaScript js/code-injection Code injection
CWE‑691 JavaScript js/bad-code-sanitization Improper code sanitization
CWE‑691 JavaScript js/unsafe-code-construction Unsafe code constructed from library input
CWE‑691 JavaScript js/unsafe-dynamic-method-access Unsafe dynamic method access
CWE‑691 JavaScript js/file-system-race Potential file system race condition
CWE‑691 JavaScript js/server-crash Server crash
CWE‑691 JavaScript js/missing-rate-limiting Missing rate limiting
CWE‑691 JavaScript js/xml-bomb XML internal entity expansion
CWE‑691 JavaScript js/loop-bound-injection Loop bound injection
CWE‑691 JavaScript js/prototype-polluting-assignment Prototype-polluting assignment
CWE‑691 JavaScript js/prototype-pollution-utility Prototype-polluting function
CWE‑691 JavaScript js/prototype-pollution Prototype-polluting merge call
CWE‑691 JavaScript js/misleading-indentation-of-dangling-else Misleading indentation of dangling 'else'
CWE‑691 JavaScript js/inconsistent-loop-direction Inconsistent direction of for loop
CWE‑691 JavaScript js/misleading-indentation-after-control-statement Misleading indentation after control statement
CWE‑691 JavaScript js/actions/injection Expression injection in Actions
CWE‑691 JavaScript js/actions/pull-request-target Checkout of untrusted code in trusted context
CWE‑693 JavaScript js/angular/insecure-url-whitelist Insecure URL whitelist
CWE‑693 JavaScript js/count-untrusted-data-external-api Frequency counts for external APIs that are used with untrusted data
CWE‑693 JavaScript js/incomplete-hostname-regexp Incomplete regular expression for hostnames
CWE‑693 JavaScript js/incomplete-url-scheme-check Incomplete URL scheme check
CWE‑693 JavaScript js/incomplete-url-substring-sanitization Incomplete URL substring sanitization
CWE‑693 JavaScript js/incorrect-suffix-check Incorrect suffix check
CWE‑693 JavaScript js/missing-origin-check Missing origin verification in postMessage handler
CWE‑693 JavaScript js/regex/missing-regexp-anchor Missing regular expression anchor
CWE‑693 JavaScript js/untrusted-data-to-external-api Untrusted data passed to external API
CWE‑693 JavaScript js/useless-regexp-character-escape Useless regular-expression character escape
CWE‑693 JavaScript js/bad-tag-filter Bad HTML filtering regexp
CWE‑693 JavaScript js/double-escaping Double escaping or unescaping
CWE‑693 JavaScript js/incomplete-html-attribute-sanitization Incomplete HTML attribute sanitization
CWE‑693 JavaScript js/incomplete-multi-character-sanitization Incomplete multi-character sanitization
CWE‑693 JavaScript js/incomplete-sanitization Incomplete string escaping or encoding
CWE‑693 JavaScript js/exposure-of-private-files Exposure of private files
CWE‑693 JavaScript js/disabling-certificate-validation Disabling certificate validation
CWE‑693 JavaScript js/insecure-dependency Dependency download using unencrypted communication channel
CWE‑693 JavaScript js/build-artifact-leak Storage of sensitive information in build artifact
CWE‑693 JavaScript js/clear-text-logging Clear-text logging of sensitive information
CWE‑693 JavaScript js/clear-text-storage-of-sensitive-data Clear text storage of sensitive information
CWE‑693 JavaScript js/password-in-configuration-file Password in configuration file
CWE‑693 JavaScript js/insufficient-key-size Use of a weak cryptographic key
CWE‑693 JavaScript js/biased-cryptographic-random Creating biased random numbers from a cryptographically secure source.
CWE‑693 JavaScript js/weak-cryptographic-algorithm Use of a broken or weak cryptographic algorithm
CWE‑693 JavaScript js/cors-misconfiguration-for-credentials CORS misconfiguration for credentials transfer
CWE‑693 JavaScript js/jwt-missing-verification JWT missing secret or public key verification
CWE‑693 JavaScript js/missing-token-validation Missing CSRF middleware
CWE‑693 JavaScript js/session-fixation Failure to abandon session
CWE‑693 JavaScript js/remote-property-injection Remote property injection
CWE‑693 JavaScript js/clear-text-cookie Clear text transmission of sensitive cookie
CWE‑693 JavaScript js/host-header-forgery-in-email-generation Host header poisoning in email generation
CWE‑693 JavaScript js/missing-rate-limiting Missing rate limiting
CWE‑693 JavaScript js/hardcoded-credentials Hard-coded credentials
CWE‑693 JavaScript js/user-controlled-bypass User-controlled bypass of security check
CWE‑693 JavaScript js/different-kinds-comparison-bypass Comparison of user-controlled data of different kinds
CWE‑693 JavaScript js/empty-password-in-configuration-file Empty password in configuration file
CWE‑693 JavaScript js/insufficient-password-hash Use of password hash with insufficient computational effort
CWE‑697 JavaScript js/angular/insecure-url-whitelist Insecure URL whitelist
CWE‑697 JavaScript js/incomplete-url-scheme-check Incomplete URL scheme check
CWE‑697 JavaScript js/bad-tag-filter Bad HTML filtering regexp
CWE‑697 JavaScript js/cors-misconfiguration-for-credentials CORS misconfiguration for credentials transfer
CWE‑703 JavaScript js/stack-trace-exposure Information exposure through a stack trace
CWE‑703 JavaScript js/server-crash Server crash
CWE‑703 JavaScript js/unvalidated-dynamic-method-call Unvalidated dynamic method call
CWE‑704 JavaScript js/implicit-operand-conversion Implicit operand conversion
CWE‑704 JavaScript js/shift-out-of-range Shift out of range
CWE‑704 JavaScript js/invalid-prototype-value Invalid prototype value
CWE‑704 JavaScript js/property-assignment-on-primitive Assignment to property of primitive value
CWE‑704 JavaScript js/type-confusion-through-parameter-tampering Type confusion through parameter tampering
CWE‑705 JavaScript js/exit-from-finally Jump from finally
CWE‑705 JavaScript js/server-crash Server crash
CWE‑706 JavaScript js/path-injection Uncontrolled data used in path expression
CWE‑706 JavaScript js/zipslip Arbitrary file write during zip extraction ("Zip Slip")
CWE‑706 JavaScript js/xxe XML external entity expansion
CWE‑707 JavaScript js/angular/disabling-sce Disabling SCE
CWE‑707 JavaScript js/disabling-electron-websecurity Disabling Electron webSecurity
CWE‑707 JavaScript js/enabling-electron-renderer-node-integration Enabling Node.js integration for Electron web content renderers
CWE‑707 JavaScript js/identity-replacement Replacement of a substring with itself
CWE‑707 JavaScript js/path-injection Uncontrolled data used in path expression
CWE‑707 JavaScript js/template-object-injection Template Object Injection
CWE‑707 JavaScript js/command-line-injection Uncontrolled command line
CWE‑707 JavaScript js/indirect-command-line-injection Indirect uncontrolled command line
CWE‑707 JavaScript js/shell-command-injection-from-environment Shell command built from environment values
CWE‑707 JavaScript js/shell-command-constructed-from-input Unsafe shell command constructed from library input
CWE‑707 JavaScript js/unnecessary-use-of-cat Unnecessary use of cat process
CWE‑707 JavaScript js/xss-through-exception Exception text reinterpreted as HTML
CWE‑707 JavaScript js/reflected-xss Reflected cross-site scripting
CWE‑707 JavaScript js/stored-xss Stored cross-site scripting
CWE‑707 JavaScript js/html-constructed-from-input Unsafe HTML constructed from library input
CWE‑707 JavaScript js/unsafe-jquery-plugin Unsafe jQuery plugin
CWE‑707 JavaScript js/xss Client-side cross-site scripting
CWE‑707 JavaScript js/xss-through-dom DOM text reinterpreted as HTML
CWE‑707 JavaScript js/sql-injection Database query built from user-controlled sources
CWE‑707 JavaScript js/code-injection Code injection
CWE‑707 JavaScript js/bad-code-sanitization Improper code sanitization
CWE‑707 JavaScript js/unsafe-code-construction Unsafe code constructed from library input
CWE‑707 JavaScript js/unsafe-dynamic-method-access Unsafe dynamic method access
CWE‑707 JavaScript js/bad-tag-filter Bad HTML filtering regexp
CWE‑707 JavaScript js/double-escaping Double escaping or unescaping
CWE‑707 JavaScript js/incomplete-html-attribute-sanitization Incomplete HTML attribute sanitization
CWE‑707 JavaScript js/incomplete-multi-character-sanitization Incomplete multi-character sanitization
CWE‑707 JavaScript js/incomplete-sanitization Incomplete string escaping or encoding
CWE‑707 JavaScript js/unsafe-html-expansion Unsafe expansion of self-closing HTML tag
CWE‑707 JavaScript js/log-injection Log injection
CWE‑707 JavaScript js/tainted-format-string Use of externally-controlled format string
CWE‑707 JavaScript js/client-side-unvalidated-url-redirection Client-side URL redirect
CWE‑707 JavaScript js/xpath-injection XPath injection
CWE‑707 JavaScript js/prototype-polluting-assignment Prototype-polluting assignment
CWE‑707 JavaScript js/prototype-pollution-utility Prototype-polluting function
CWE‑707 JavaScript js/prototype-pollution Prototype-polluting merge call
CWE‑707 JavaScript js/actions/injection Expression injection in Actions
CWE‑707 JavaScript js/actions/pull-request-target Checkout of untrusted code in trusted context
CWE‑710 JavaScript js/todo-comment TODO comment
CWE‑710 JavaScript js/conflicting-html-attribute Conflicting HTML element attributes
CWE‑710 JavaScript js/malformed-html-id Malformed id attribute
CWE‑710 JavaScript js/eval-like-call Call to eval-like DOM function
CWE‑710 JavaScript js/variable-initialization-conflict Conflicting variable initialization
CWE‑710 JavaScript js/function-declaration-conflict Conflicting function declarations
CWE‑710 JavaScript js/useless-assignment-to-global Useless assignment to global variable
CWE‑710 JavaScript js/useless-assignment-to-local Useless assignment to local variable
CWE‑710 JavaScript js/overwritten-property Overwritten property
CWE‑710 JavaScript js/comparison-of-identical-expressions Comparison of identical values
CWE‑710 JavaScript js/comparison-with-nan Comparison with NaN
CWE‑710 JavaScript js/duplicate-condition Duplicate 'if' condition
CWE‑710 JavaScript js/duplicate-property Duplicate property
CWE‑710 JavaScript js/duplicate-switch-case Duplicate switch case
CWE‑710 JavaScript js/useless-expression Expression has no effect
CWE‑710 JavaScript js/comparison-between-incompatible-types Comparison between inconvertible types
CWE‑710 JavaScript js/redundant-operation Identical operands
CWE‑710 JavaScript js/redundant-assignment Self assignment
CWE‑710 JavaScript js/call-to-non-callable Invocation of non-function
CWE‑710 JavaScript js/property-access-on-non-object Property access on null or undefined
CWE‑710 JavaScript js/unneeded-defensive-code Unneeded defensive code
CWE‑710 JavaScript js/useless-type-test Useless type test
CWE‑710 JavaScript js/conditional-comment Conditional comments
CWE‑710 JavaScript js/eval-call Use of eval
CWE‑710 JavaScript js/non-standard-language-feature Use of platform-specific language features
CWE‑710 JavaScript js/for-in-comprehension Use of for-in comprehension blocks
CWE‑710 JavaScript js/superfluous-trailing-arguments Superfluous trailing arguments
CWE‑710 JavaScript js/yield-outside-generator Yield in non-generator function
CWE‑710 JavaScript js/node/assignment-to-exports-variable Assignment to exports variable
CWE‑710 JavaScript js/regex/unmatchable-caret Unmatchable caret in regular expression
CWE‑710 JavaScript js/regex/unmatchable-dollar Unmatchable dollar in regular expression
CWE‑710 JavaScript js/remote-property-injection Remote property injection
CWE‑710 JavaScript js/missing-x-frame-options Missing X-Frame-Options HTTP header
CWE‑710 JavaScript js/hardcoded-data-interpreted-as-code Hard-coded data interpreted as code
CWE‑710 JavaScript js/hardcoded-credentials Hard-coded credentials
CWE‑710 JavaScript js/http-to-file-access Network data written to file
CWE‑710 JavaScript js/useless-assignment-in-return Return statement assigns local variable
CWE‑710 JavaScript js/unreachable-statement Unreachable statement
CWE‑710 JavaScript js/trivial-conditional Useless conditional
CWE‑754 JavaScript js/unvalidated-dynamic-method-call Unvalidated dynamic method call
CWE‑755 JavaScript js/stack-trace-exposure Information exposure through a stack trace
CWE‑758 JavaScript js/conflicting-html-attribute Conflicting HTML element attributes
CWE‑758 JavaScript js/malformed-html-id Malformed id attribute
CWE‑758 JavaScript js/conditional-comment Conditional comments
CWE‑758 JavaScript js/non-standard-language-feature Use of platform-specific language features
CWE‑758 JavaScript js/for-in-comprehension Use of for-in comprehension blocks
CWE‑758 JavaScript js/yield-outside-generator Yield in non-generator function
CWE‑770 JavaScript js/missing-rate-limiting Missing rate limiting
CWE‑770 JavaScript js/resource-exhaustion Resource exhaustion
CWE‑776 JavaScript js/xml-bomb XML internal entity expansion
CWE‑783 JavaScript js/unclear-operator-precedence Unclear precedence of nested operators
CWE‑783 JavaScript js/whitespace-contradicts-precedence Whitespace contradicts operator precedence
CWE‑798 JavaScript js/hardcoded-credentials Hard-coded credentials
CWE‑799 JavaScript js/missing-rate-limiting Missing rate limiting
CWE‑807 JavaScript js/user-controlled-bypass User-controlled bypass of security check
CWE‑807 JavaScript js/different-kinds-comparison-bypass Comparison of user-controlled data of different kinds
CWE‑827 JavaScript js/xxe XML external entity expansion
CWE‑829 JavaScript js/insecure-dependency Dependency download using unencrypted communication channel
CWE‑829 JavaScript js/missing-x-frame-options Missing X-Frame-Options HTTP header
CWE‑829 JavaScript js/xxe XML external entity expansion
CWE‑829 JavaScript js/insecure-download Download of sensitive file through insecure connection
CWE‑829 JavaScript js/functionality-from-untrusted-source Inclusion of functionality from an untrusted source
CWE‑830 JavaScript js/functionality-from-untrusted-source Inclusion of functionality from an untrusted source
CWE‑834 JavaScript js/xml-bomb XML internal entity expansion
CWE‑834 JavaScript js/loop-bound-injection Loop bound injection
CWE‑834 JavaScript js/inconsistent-loop-direction Inconsistent direction of for loop
CWE‑835 JavaScript js/inconsistent-loop-direction Inconsistent direction of for loop
CWE‑843 JavaScript js/type-confusion-through-parameter-tampering Type confusion through parameter tampering
CWE‑862 JavaScript js/cors-misconfiguration-for-credentials CORS misconfiguration for credentials transfer
CWE‑862 JavaScript js/empty-password-in-configuration-file Empty password in configuration file
CWE‑912 JavaScript js/hardcoded-data-interpreted-as-code Hard-coded data interpreted as code
CWE‑912 JavaScript js/http-to-file-access Network data written to file
CWE‑913 JavaScript js/enabling-electron-renderer-node-integration Enabling Node.js integration for Electron web content renderers
CWE‑913 JavaScript js/template-object-injection Template Object Injection
CWE‑913 JavaScript js/code-injection Code injection
CWE‑913 JavaScript js/bad-code-sanitization Improper code sanitization
CWE‑913 JavaScript js/unsafe-code-construction Unsafe code constructed from library input
CWE‑913 JavaScript js/unsafe-dynamic-method-access Unsafe dynamic method access
CWE‑913 JavaScript js/unsafe-deserialization Deserialization of user-controlled data
CWE‑913 JavaScript js/prototype-polluting-assignment Prototype-polluting assignment
CWE‑913 JavaScript js/prototype-pollution-utility Prototype-polluting function
CWE‑913 JavaScript js/prototype-pollution Prototype-polluting merge call
CWE‑913 JavaScript js/actions/injection Expression injection in Actions
CWE‑913 JavaScript js/actions/pull-request-target Checkout of untrusted code in trusted context
CWE‑915 JavaScript js/prototype-polluting-assignment Prototype-polluting assignment
CWE‑915 JavaScript js/prototype-pollution-utility Prototype-polluting function
CWE‑915 JavaScript js/prototype-pollution Prototype-polluting merge call
CWE‑916 JavaScript js/insufficient-password-hash Use of password hash with insufficient computational effort
CWE‑918 JavaScript js/client-side-request-forgery Client-side request forgery
CWE‑918 JavaScript js/request-forgery Server-side request forgery
CWE‑918 JavaScript javascript/ssrf Uncontrolled data used in network request
CWE‑922 JavaScript js/build-artifact-leak Storage of sensitive information in build artifact
CWE‑922 JavaScript js/clear-text-logging Clear-text logging of sensitive information
CWE‑922 JavaScript js/clear-text-storage-of-sensitive-data Clear text storage of sensitive information
CWE‑922 JavaScript js/password-in-configuration-file Password in configuration file
CWE‑922 JavaScript js/clear-text-cookie Clear text transmission of sensitive cookie
CWE‑923 JavaScript js/disabling-certificate-validation Disabling certificate validation
CWE‑923 JavaScript js/insecure-dependency Dependency download using unencrypted communication channel
CWE‑942 JavaScript js/cors-misconfiguration-for-credentials CORS misconfiguration for credentials transfer
CWE‑943 JavaScript js/sql-injection Database query built from user-controlled sources
CWE‑943 JavaScript js/xpath-injection XPath injection
CWE‑1004 JavaScript js/client-exposed-cookie Sensitive server cookie exposed to the client
CWE‑1022 JavaScript js/unsafe-external-link Potentially unsafe external link
CWE‑1176 JavaScript js/angular/double-compilation Double compilation
CWE‑1275 JavaScript js/samesite-none-cookie Sensitive cookie without SameSite restrictions
CWE‑1333 JavaScript js/polynomial-redos Polynomial regular expression used on uncontrolled data
CWE‑1333 JavaScript js/redos Inefficient regular expression