CWE coverage for Ruby
An overview of CWE coverage for Ruby in the latest release of CodeQL.
Overview
| CWE | Language | Query id | Query name |
|---|---|---|---|
| CWE‑20 | Default | rb/incomplete-hostname-regexp | Incomplete regular expression for hostnames |
| CWE‑20 | Default | rb/incomplete-url-substring-sanitization | Incomplete URL substring sanitization |
| CWE‑20 | Default | rb/regex/missing-regexp-anchor | Missing regular expression anchor |
| CWE‑20 | Default | rb/bad-tag-filter | Bad HTML filtering regexp |
| CWE‑20 | Default | rb/incomplete-sanitization | Incomplete string escaping or encoding |
| CWE‑22 | Default | rb/path-injection | Uncontrolled data used in path expression |
| CWE‑23 | Default | rb/path-injection | Uncontrolled data used in path expression |
| CWE‑36 | Default | rb/path-injection | Uncontrolled data used in path expression |
| CWE‑73 | Default | rb/path-injection | Uncontrolled data used in path expression |
| CWE‑73 | Default | rb/kernel-open | Use of Kernel.open or IO.read |
| CWE‑74 | Default | rb/path-injection | Uncontrolled data used in path expression |
| CWE‑74 | Default | rb/command-line-injection | Uncontrolled command line |
| CWE‑74 | Default | rb/kernel-open | Use of Kernel.open or IO.read |
| CWE‑74 | Default | rb/reflected-xss | Reflected server-side cross-site scripting |
| CWE‑74 | Default | rb/stored-xss | Stored cross-site scripting |
| CWE‑74 | Default | rb/sql-injection | SQL query built from user-controlled sources |
| CWE‑74 | Default | rb/code-injection | Code injection |
| CWE‑74 | Default | rb/incomplete-sanitization | Incomplete string escaping or encoding |
| CWE‑74 | Default | rb/tainted-format-string | Use of externally-controlled format string |
| CWE‑77 | Default | rb/command-line-injection | Uncontrolled command line |
| CWE‑77 | Default | rb/kernel-open | Use of Kernel.open or IO.read |
| CWE‑78 | Default | rb/command-line-injection | Uncontrolled command line |
| CWE‑78 | Default | rb/kernel-open | Use of Kernel.open or IO.read |
| CWE‑79 | Default | rb/reflected-xss | Reflected server-side cross-site scripting |
| CWE‑79 | Default | rb/stored-xss | Stored cross-site scripting |
| CWE‑79 | Default | rb/incomplete-sanitization | Incomplete string escaping or encoding |
| CWE‑80 | Default | rb/incomplete-sanitization | Incomplete string escaping or encoding |
| CWE‑88 | Default | rb/command-line-injection | Uncontrolled command line |
| CWE‑88 | Default | rb/kernel-open | Use of Kernel.open or IO.read |
| CWE‑89 | Default | rb/sql-injection | SQL query built from user-controlled sources |
| CWE‑94 | Default | rb/code-injection | Code injection |
| CWE‑95 | Default | rb/code-injection | Code injection |
| CWE‑99 | Default | rb/path-injection | Uncontrolled data used in path expression |
| CWE‑116 | Default | rb/reflected-xss | Reflected server-side cross-site scripting |
| CWE‑116 | Default | rb/stored-xss | Stored cross-site scripting |
| CWE‑116 | Default | rb/code-injection | Code injection |
| CWE‑116 | Default | rb/bad-tag-filter | Bad HTML filtering regexp |
| CWE‑116 | Default | rb/incomplete-sanitization | Incomplete string escaping or encoding |
| CWE‑134 | Default | rb/tainted-format-string | Use of externally-controlled format string |
| CWE‑185 | Default | rb/bad-tag-filter | Bad HTML filtering regexp |
| CWE‑186 | Default | rb/bad-tag-filter | Bad HTML filtering regexp |
| CWE‑200 | Default | rb/clear-text-logging-sensitive-data | Clear-text logging of sensitive information |
| CWE‑200 | Default | rb/clear-text-storage-sensitive-data | Clear-text storage of sensitive information |
| CWE‑259 | Default | rb/hardcoded-credentials | Hard-coded credentials |
| CWE‑284 | Default | rb/user-controlled-bypass | User-controlled bypass of security check |
| CWE‑284 | Default | rb/insecure-dependency | Dependency download using unencrypted communication channel |
| CWE‑284 | Default | rb/weak-cookie-configuration | Weak cookie configuration |
| CWE‑284 | Default | rb/overly-permissive-file | Overly permissive file permissions |
| CWE‑284 | Default | rb/hardcoded-credentials | Hard-coded credentials |
| CWE‑285 | Default | rb/weak-cookie-configuration | Weak cookie configuration |
| CWE‑285 | Default | rb/overly-permissive-file | Overly permissive file permissions |
| CWE‑287 | Default | rb/user-controlled-bypass | User-controlled bypass of security check |
| CWE‑287 | Default | rb/hardcoded-credentials | Hard-coded credentials |
| CWE‑290 | Default | rb/user-controlled-bypass | User-controlled bypass of security check |
| CWE‑295 | Default | rb/request-without-cert-validation | Request without certificate validation |
| CWE‑300 | Default | rb/insecure-dependency | Dependency download using unencrypted communication channel |
| CWE‑311 | Default | rb/insecure-dependency | Dependency download using unencrypted communication channel |
| CWE‑311 | Default | rb/clear-text-logging-sensitive-data | Clear-text logging of sensitive information |
| CWE‑311 | Default | rb/clear-text-storage-sensitive-data | Clear-text storage of sensitive information |
| CWE‑312 | Default | rb/clear-text-logging-sensitive-data | Clear-text logging of sensitive information |
| CWE‑312 | Default | rb/clear-text-storage-sensitive-data | Clear-text storage of sensitive information |
| CWE‑319 | Default | rb/insecure-dependency | Dependency download using unencrypted communication channel |
| CWE‑321 | Default | rb/hardcoded-credentials | Hard-coded credentials |
| CWE‑327 | Default | rb/weak-cryptographic-algorithm | Use of a broken or weak cryptographic algorithm |
| CWE‑330 | Default | rb/hardcoded-credentials | Hard-coded credentials |
| CWE‑344 | Default | rb/hardcoded-credentials | Hard-coded credentials |
| CWE‑345 | Default | rb/csrf-protection-disabled | CSRF protection weakened or disabled |
| CWE‑352 | Default | rb/csrf-protection-disabled | CSRF protection weakened or disabled |
| CWE‑359 | Default | rb/clear-text-logging-sensitive-data | Clear-text logging of sensitive information |
| CWE‑359 | Default | rb/clear-text-storage-sensitive-data | Clear-text storage of sensitive information |
| CWE‑398 | Default | rb/useless-assignment-to-local | Useless assignment to local variable |
| CWE‑398 | Default | rb/unused-parameter | Unused parameter. |
| CWE‑400 | Default | rb/polynomial-redos | Polynomial regular expression used on uncontrolled data |
| CWE‑400 | Default | rb/redos | Inefficient regular expression |
| CWE‑400 | Default | rb/regexp-injection | Regular expression injection |
| CWE‑405 | Default | rb/xxe | XML external entity expansion |
| CWE‑409 | Default | rb/xxe | XML external entity expansion |
| CWE‑434 | Default | rb/http-to-file-access | Network data written to file |
| CWE‑441 | Default | rb/request-forgery | Server-side request forgery |
| CWE‑494 | Default | rb/insecure-dependency | Dependency download using unencrypted communication channel |
| CWE‑502 | Default | rb/unsafe-deserialization | Deserialization of user-controlled data |
| CWE‑532 | Default | rb/clear-text-logging-sensitive-data | Clear-text logging of sensitive information |
| CWE‑532 | Default | rb/clear-text-storage-sensitive-data | Clear-text storage of sensitive information |
| CWE‑538 | Default | rb/clear-text-logging-sensitive-data | Clear-text logging of sensitive information |
| CWE‑538 | Default | rb/clear-text-storage-sensitive-data | Clear-text storage of sensitive information |
| CWE‑552 | Default | rb/clear-text-logging-sensitive-data | Clear-text logging of sensitive information |
| CWE‑552 | Default | rb/clear-text-storage-sensitive-data | Clear-text storage of sensitive information |
| CWE‑563 | Default | rb/useless-assignment-to-local | Useless assignment to local variable |
| CWE‑563 | Default | rb/unused-parameter | Unused parameter. |
| CWE‑592 | Default | rb/user-controlled-bypass | User-controlled bypass of security check |
| CWE‑601 | Default | rb/url-redirection | URL redirection from remote source |
| CWE‑610 | Default | rb/path-injection | Uncontrolled data used in path expression |
| CWE‑610 | Default | rb/kernel-open | Use of Kernel.open or IO.read |
| CWE‑610 | Default | rb/url-redirection | URL redirection from remote source |
| CWE‑610 | Default | rb/xxe | XML external entity expansion |
| CWE‑610 | Default | rb/request-forgery | Server-side request forgery |
| CWE‑611 | Default | rb/xxe | XML external entity expansion |
| CWE‑642 | Default | rb/path-injection | Uncontrolled data used in path expression |
| CWE‑642 | Default | rb/kernel-open | Use of Kernel.open or IO.read |
| CWE‑657 | Default | rb/hardcoded-credentials | Hard-coded credentials |
| CWE‑664 | Default | rb/user-controlled-bypass | User-controlled bypass of security check |
| CWE‑664 | Default | rb/path-injection | Uncontrolled data used in path expression |
| CWE‑664 | Default | rb/kernel-open | Use of Kernel.open or IO.read |
| CWE‑664 | Default | rb/code-injection | Code injection |
| CWE‑664 | Default | rb/polynomial-redos | Polynomial regular expression used on uncontrolled data |
| CWE‑664 | Default | rb/redos | Inefficient regular expression |
| CWE‑664 | Default | rb/regexp-injection | Regular expression injection |
| CWE‑664 | Default | rb/insecure-dependency | Dependency download using unencrypted communication channel |
| CWE‑664 | Default | rb/clear-text-logging-sensitive-data | Clear-text logging of sensitive information |
| CWE‑664 | Default | rb/clear-text-storage-sensitive-data | Clear-text storage of sensitive information |
| CWE‑664 | Default | rb/unsafe-deserialization | Deserialization of user-controlled data |
| CWE‑664 | Default | rb/url-redirection | URL redirection from remote source |
| CWE‑664 | Default | rb/xxe | XML external entity expansion |
| CWE‑664 | Default | rb/weak-cookie-configuration | Weak cookie configuration |
| CWE‑664 | Default | rb/overly-permissive-file | Overly permissive file permissions |
| CWE‑664 | Default | rb/hardcoded-credentials | Hard-coded credentials |
| CWE‑664 | Default | rb/insecure-download | Download of sensitive file through insecure connection |
| CWE‑664 | Default | rb/http-to-file-access | Network data written to file |
| CWE‑664 | Default | rb/request-forgery | Server-side request forgery |
| CWE‑668 | Default | rb/path-injection | Uncontrolled data used in path expression |
| CWE‑668 | Default | rb/kernel-open | Use of Kernel.open or IO.read |
| CWE‑668 | Default | rb/clear-text-logging-sensitive-data | Clear-text logging of sensitive information |
| CWE‑668 | Default | rb/clear-text-storage-sensitive-data | Clear-text storage of sensitive information |
| CWE‑668 | Default | rb/weak-cookie-configuration | Weak cookie configuration |
| CWE‑668 | Default | rb/overly-permissive-file | Overly permissive file permissions |
| CWE‑669 | Default | rb/insecure-dependency | Dependency download using unencrypted communication channel |
| CWE‑669 | Default | rb/xxe | XML external entity expansion |
| CWE‑669 | Default | rb/insecure-download | Download of sensitive file through insecure connection |
| CWE‑669 | Default | rb/http-to-file-access | Network data written to file |
| CWE‑671 | Default | rb/hardcoded-credentials | Hard-coded credentials |
| CWE‑674 | Default | rb/xxe | XML external entity expansion |
| CWE‑691 | Default | rb/code-injection | Code injection |
| CWE‑691 | Default | rb/xxe | XML external entity expansion |
| CWE‑693 | Default | rb/user-controlled-bypass | User-controlled bypass of security check |
| CWE‑693 | Default | rb/incomplete-hostname-regexp | Incomplete regular expression for hostnames |
| CWE‑693 | Default | rb/incomplete-url-substring-sanitization | Incomplete URL substring sanitization |
| CWE‑693 | Default | rb/regex/missing-regexp-anchor | Missing regular expression anchor |
| CWE‑693 | Default | rb/bad-tag-filter | Bad HTML filtering regexp |
| CWE‑693 | Default | rb/incomplete-sanitization | Incomplete string escaping or encoding |
| CWE‑693 | Default | rb/request-without-cert-validation | Request without certificate validation |
| CWE‑693 | Default | rb/insecure-dependency | Dependency download using unencrypted communication channel |
| CWE‑693 | Default | rb/clear-text-logging-sensitive-data | Clear-text logging of sensitive information |
| CWE‑693 | Default | rb/clear-text-storage-sensitive-data | Clear-text storage of sensitive information |
| CWE‑693 | Default | rb/weak-cryptographic-algorithm | Use of a broken or weak cryptographic algorithm |
| CWE‑693 | Default | rb/csrf-protection-disabled | CSRF protection weakened or disabled |
| CWE‑693 | Default | rb/weak-cookie-configuration | Weak cookie configuration |
| CWE‑693 | Default | rb/overly-permissive-file | Overly permissive file permissions |
| CWE‑693 | Default | rb/hardcoded-credentials | Hard-coded credentials |
| CWE‑697 | Default | rb/bad-tag-filter | Bad HTML filtering regexp |
| CWE‑706 | Default | rb/path-injection | Uncontrolled data used in path expression |
| CWE‑706 | Default | rb/xxe | XML external entity expansion |
| CWE‑707 | Default | rb/path-injection | Uncontrolled data used in path expression |
| CWE‑707 | Default | rb/command-line-injection | Uncontrolled command line |
| CWE‑707 | Default | rb/kernel-open | Use of Kernel.open or IO.read |
| CWE‑707 | Default | rb/reflected-xss | Reflected server-side cross-site scripting |
| CWE‑707 | Default | rb/stored-xss | Stored cross-site scripting |
| CWE‑707 | Default | rb/sql-injection | SQL query built from user-controlled sources |
| CWE‑707 | Default | rb/code-injection | Code injection |
| CWE‑707 | Default | rb/bad-tag-filter | Bad HTML filtering regexp |
| CWE‑707 | Default | rb/incomplete-sanitization | Incomplete string escaping or encoding |
| CWE‑707 | Default | rb/tainted-format-string | Use of externally-controlled format string |
| CWE‑710 | Default | rb/hardcoded-credentials | Hard-coded credentials |
| CWE‑710 | Default | rb/http-to-file-access | Network data written to file |
| CWE‑710 | Default | rb/useless-assignment-to-local | Useless assignment to local variable |
| CWE‑710 | Default | rb/unused-parameter | Unused parameter. |
| CWE‑732 | Default | rb/weak-cookie-configuration | Weak cookie configuration |
| CWE‑732 | Default | rb/overly-permissive-file | Overly permissive file permissions |
| CWE‑776 | Default | rb/xxe | XML external entity expansion |
| CWE‑798 | Default | rb/hardcoded-credentials | Hard-coded credentials |
| CWE‑807 | Default | rb/user-controlled-bypass | User-controlled bypass of security check |
| CWE‑827 | Default | rb/xxe | XML external entity expansion |
| CWE‑829 | Default | rb/insecure-dependency | Dependency download using unencrypted communication channel |
| CWE‑829 | Default | rb/xxe | XML external entity expansion |
| CWE‑829 | Default | rb/insecure-download | Download of sensitive file through insecure connection |
| CWE‑834 | Default | rb/xxe | XML external entity expansion |
| CWE‑912 | Default | rb/http-to-file-access | Network data written to file |
| CWE‑913 | Default | rb/code-injection | Code injection |
| CWE‑913 | Default | rb/unsafe-deserialization | Deserialization of user-controlled data |
| CWE‑918 | Default | rb/request-forgery | Server-side request forgery |
| CWE‑922 | Default | rb/clear-text-logging-sensitive-data | Clear-text logging of sensitive information |
| CWE‑922 | Default | rb/clear-text-storage-sensitive-data | Clear-text storage of sensitive information |
| CWE‑923 | Default | rb/insecure-dependency | Dependency download using unencrypted communication channel |
| CWE‑943 | Default | rb/sql-injection | SQL query built from user-controlled sources |
| CWE‑1275 | Default | rb/weak-cookie-configuration | Weak cookie configuration |
| CWE‑1333 | Default | rb/polynomial-redos | Polynomial regular expression used on uncontrolled data |
| CWE‑1333 | Default | rb/redos | Inefficient regular expression |
| CWE‑1333 | Default | rb/regexp-injection | Regular expression injection |