CWE coverage for Ruby
An overview of CWE coverage for Ruby in the latest release of CodeQL.
Overview
CWE | Language | Query id | Query name |
---|---|---|---|
CWE‑20 | Default | rb/incomplete-hostname-regexp | Incomplete regular expression for hostnames |
CWE‑20 | Default | rb/incomplete-url-substring-sanitization | Incomplete URL substring sanitization |
CWE‑20 | Default | rb/regex/missing-regexp-anchor | Missing regular expression anchor |
CWE‑20 | Default | rb/bad-tag-filter | Bad HTML filtering regexp |
CWE‑20 | Default | rb/incomplete-sanitization | Incomplete string escaping or encoding |
CWE‑22 | Default | rb/path-injection | Uncontrolled data used in path expression |
CWE‑23 | Default | rb/path-injection | Uncontrolled data used in path expression |
CWE‑36 | Default | rb/path-injection | Uncontrolled data used in path expression |
CWE‑73 | Default | rb/path-injection | Uncontrolled data used in path expression |
CWE‑73 | Default | rb/kernel-open | Use of Kernel.open or IO.read |
CWE‑74 | Default | rb/path-injection | Uncontrolled data used in path expression |
CWE‑74 | Default | rb/command-line-injection | Uncontrolled command line |
CWE‑74 | Default | rb/kernel-open | Use of Kernel.open or IO.read |
CWE‑74 | Default | rb/reflected-xss | Reflected server-side cross-site scripting |
CWE‑74 | Default | rb/stored-xss | Stored cross-site scripting |
CWE‑74 | Default | rb/sql-injection | SQL query built from user-controlled sources |
CWE‑74 | Default | rb/code-injection | Code injection |
CWE‑74 | Default | rb/incomplete-sanitization | Incomplete string escaping or encoding |
CWE‑74 | Default | rb/tainted-format-string | Use of externally-controlled format string |
CWE‑77 | Default | rb/command-line-injection | Uncontrolled command line |
CWE‑77 | Default | rb/kernel-open | Use of Kernel.open or IO.read |
CWE‑78 | Default | rb/command-line-injection | Uncontrolled command line |
CWE‑78 | Default | rb/kernel-open | Use of Kernel.open or IO.read |
CWE‑79 | Default | rb/reflected-xss | Reflected server-side cross-site scripting |
CWE‑79 | Default | rb/stored-xss | Stored cross-site scripting |
CWE‑79 | Default | rb/incomplete-sanitization | Incomplete string escaping or encoding |
CWE‑80 | Default | rb/incomplete-sanitization | Incomplete string escaping or encoding |
CWE‑88 | Default | rb/command-line-injection | Uncontrolled command line |
CWE‑88 | Default | rb/kernel-open | Use of Kernel.open or IO.read |
CWE‑89 | Default | rb/sql-injection | SQL query built from user-controlled sources |
CWE‑94 | Default | rb/code-injection | Code injection |
CWE‑95 | Default | rb/code-injection | Code injection |
CWE‑99 | Default | rb/path-injection | Uncontrolled data used in path expression |
CWE‑116 | Default | rb/reflected-xss | Reflected server-side cross-site scripting |
CWE‑116 | Default | rb/stored-xss | Stored cross-site scripting |
CWE‑116 | Default | rb/code-injection | Code injection |
CWE‑116 | Default | rb/bad-tag-filter | Bad HTML filtering regexp |
CWE‑116 | Default | rb/incomplete-sanitization | Incomplete string escaping or encoding |
CWE‑134 | Default | rb/tainted-format-string | Use of externally-controlled format string |
CWE‑185 | Default | rb/bad-tag-filter | Bad HTML filtering regexp |
CWE‑186 | Default | rb/bad-tag-filter | Bad HTML filtering regexp |
CWE‑200 | Default | rb/clear-text-logging-sensitive-data | Clear-text logging of sensitive information |
CWE‑200 | Default | rb/clear-text-storage-sensitive-data | Clear-text storage of sensitive information |
CWE‑259 | Default | rb/hardcoded-credentials | Hard-coded credentials |
CWE‑284 | Default | rb/user-controlled-bypass | User-controlled bypass of security check |
CWE‑284 | Default | rb/insecure-dependency | Dependency download using unencrypted communication channel |
CWE‑284 | Default | rb/weak-cookie-configuration | Weak cookie configuration |
CWE‑284 | Default | rb/overly-permissive-file | Overly permissive file permissions |
CWE‑284 | Default | rb/hardcoded-credentials | Hard-coded credentials |
CWE‑285 | Default | rb/weak-cookie-configuration | Weak cookie configuration |
CWE‑285 | Default | rb/overly-permissive-file | Overly permissive file permissions |
CWE‑287 | Default | rb/user-controlled-bypass | User-controlled bypass of security check |
CWE‑287 | Default | rb/hardcoded-credentials | Hard-coded credentials |
CWE‑290 | Default | rb/user-controlled-bypass | User-controlled bypass of security check |
CWE‑295 | Default | rb/request-without-cert-validation | Request without certificate validation |
CWE‑300 | Default | rb/insecure-dependency | Dependency download using unencrypted communication channel |
CWE‑311 | Default | rb/insecure-dependency | Dependency download using unencrypted communication channel |
CWE‑311 | Default | rb/clear-text-logging-sensitive-data | Clear-text logging of sensitive information |
CWE‑311 | Default | rb/clear-text-storage-sensitive-data | Clear-text storage of sensitive information |
CWE‑312 | Default | rb/clear-text-logging-sensitive-data | Clear-text logging of sensitive information |
CWE‑312 | Default | rb/clear-text-storage-sensitive-data | Clear-text storage of sensitive information |
CWE‑319 | Default | rb/insecure-dependency | Dependency download using unencrypted communication channel |
CWE‑321 | Default | rb/hardcoded-credentials | Hard-coded credentials |
CWE‑327 | Default | rb/weak-cryptographic-algorithm | Use of a broken or weak cryptographic algorithm |
CWE‑330 | Default | rb/hardcoded-credentials | Hard-coded credentials |
CWE‑344 | Default | rb/hardcoded-credentials | Hard-coded credentials |
CWE‑345 | Default | rb/csrf-protection-disabled | CSRF protection weakened or disabled |
CWE‑352 | Default | rb/csrf-protection-disabled | CSRF protection weakened or disabled |
CWE‑359 | Default | rb/clear-text-logging-sensitive-data | Clear-text logging of sensitive information |
CWE‑359 | Default | rb/clear-text-storage-sensitive-data | Clear-text storage of sensitive information |
CWE‑398 | Default | rb/useless-assignment-to-local | Useless assignment to local variable |
CWE‑398 | Default | rb/unused-parameter | Unused parameter. |
CWE‑400 | Default | rb/polynomial-redos | Polynomial regular expression used on uncontrolled data |
CWE‑400 | Default | rb/redos | Inefficient regular expression |
CWE‑400 | Default | rb/regexp-injection | Regular expression injection |
CWE‑405 | Default | rb/xxe | XML external entity expansion |
CWE‑409 | Default | rb/xxe | XML external entity expansion |
CWE‑434 | Default | rb/http-to-file-access | Network data written to file |
CWE‑441 | Default | rb/request-forgery | Server-side request forgery |
CWE‑494 | Default | rb/insecure-dependency | Dependency download using unencrypted communication channel |
CWE‑502 | Default | rb/unsafe-deserialization | Deserialization of user-controlled data |
CWE‑532 | Default | rb/clear-text-logging-sensitive-data | Clear-text logging of sensitive information |
CWE‑532 | Default | rb/clear-text-storage-sensitive-data | Clear-text storage of sensitive information |
CWE‑538 | Default | rb/clear-text-logging-sensitive-data | Clear-text logging of sensitive information |
CWE‑538 | Default | rb/clear-text-storage-sensitive-data | Clear-text storage of sensitive information |
CWE‑552 | Default | rb/clear-text-logging-sensitive-data | Clear-text logging of sensitive information |
CWE‑552 | Default | rb/clear-text-storage-sensitive-data | Clear-text storage of sensitive information |
CWE‑563 | Default | rb/useless-assignment-to-local | Useless assignment to local variable |
CWE‑563 | Default | rb/unused-parameter | Unused parameter. |
CWE‑592 | Default | rb/user-controlled-bypass | User-controlled bypass of security check |
CWE‑601 | Default | rb/url-redirection | URL redirection from remote source |
CWE‑610 | Default | rb/path-injection | Uncontrolled data used in path expression |
CWE‑610 | Default | rb/kernel-open | Use of Kernel.open or IO.read |
CWE‑610 | Default | rb/url-redirection | URL redirection from remote source |
CWE‑610 | Default | rb/xxe | XML external entity expansion |
CWE‑610 | Default | rb/request-forgery | Server-side request forgery |
CWE‑611 | Default | rb/xxe | XML external entity expansion |
CWE‑642 | Default | rb/path-injection | Uncontrolled data used in path expression |
CWE‑642 | Default | rb/kernel-open | Use of Kernel.open or IO.read |
CWE‑657 | Default | rb/hardcoded-credentials | Hard-coded credentials |
CWE‑664 | Default | rb/user-controlled-bypass | User-controlled bypass of security check |
CWE‑664 | Default | rb/path-injection | Uncontrolled data used in path expression |
CWE‑664 | Default | rb/kernel-open | Use of Kernel.open or IO.read |
CWE‑664 | Default | rb/code-injection | Code injection |
CWE‑664 | Default | rb/polynomial-redos | Polynomial regular expression used on uncontrolled data |
CWE‑664 | Default | rb/redos | Inefficient regular expression |
CWE‑664 | Default | rb/regexp-injection | Regular expression injection |
CWE‑664 | Default | rb/insecure-dependency | Dependency download using unencrypted communication channel |
CWE‑664 | Default | rb/clear-text-logging-sensitive-data | Clear-text logging of sensitive information |
CWE‑664 | Default | rb/clear-text-storage-sensitive-data | Clear-text storage of sensitive information |
CWE‑664 | Default | rb/unsafe-deserialization | Deserialization of user-controlled data |
CWE‑664 | Default | rb/url-redirection | URL redirection from remote source |
CWE‑664 | Default | rb/xxe | XML external entity expansion |
CWE‑664 | Default | rb/weak-cookie-configuration | Weak cookie configuration |
CWE‑664 | Default | rb/overly-permissive-file | Overly permissive file permissions |
CWE‑664 | Default | rb/hardcoded-credentials | Hard-coded credentials |
CWE‑664 | Default | rb/insecure-download | Download of sensitive file through insecure connection |
CWE‑664 | Default | rb/http-to-file-access | Network data written to file |
CWE‑664 | Default | rb/request-forgery | Server-side request forgery |
CWE‑668 | Default | rb/path-injection | Uncontrolled data used in path expression |
CWE‑668 | Default | rb/kernel-open | Use of Kernel.open or IO.read |
CWE‑668 | Default | rb/clear-text-logging-sensitive-data | Clear-text logging of sensitive information |
CWE‑668 | Default | rb/clear-text-storage-sensitive-data | Clear-text storage of sensitive information |
CWE‑668 | Default | rb/weak-cookie-configuration | Weak cookie configuration |
CWE‑668 | Default | rb/overly-permissive-file | Overly permissive file permissions |
CWE‑669 | Default | rb/insecure-dependency | Dependency download using unencrypted communication channel |
CWE‑669 | Default | rb/xxe | XML external entity expansion |
CWE‑669 | Default | rb/insecure-download | Download of sensitive file through insecure connection |
CWE‑669 | Default | rb/http-to-file-access | Network data written to file |
CWE‑671 | Default | rb/hardcoded-credentials | Hard-coded credentials |
CWE‑674 | Default | rb/xxe | XML external entity expansion |
CWE‑691 | Default | rb/code-injection | Code injection |
CWE‑691 | Default | rb/xxe | XML external entity expansion |
CWE‑693 | Default | rb/user-controlled-bypass | User-controlled bypass of security check |
CWE‑693 | Default | rb/incomplete-hostname-regexp | Incomplete regular expression for hostnames |
CWE‑693 | Default | rb/incomplete-url-substring-sanitization | Incomplete URL substring sanitization |
CWE‑693 | Default | rb/regex/missing-regexp-anchor | Missing regular expression anchor |
CWE‑693 | Default | rb/bad-tag-filter | Bad HTML filtering regexp |
CWE‑693 | Default | rb/incomplete-sanitization | Incomplete string escaping or encoding |
CWE‑693 | Default | rb/request-without-cert-validation | Request without certificate validation |
CWE‑693 | Default | rb/insecure-dependency | Dependency download using unencrypted communication channel |
CWE‑693 | Default | rb/clear-text-logging-sensitive-data | Clear-text logging of sensitive information |
CWE‑693 | Default | rb/clear-text-storage-sensitive-data | Clear-text storage of sensitive information |
CWE‑693 | Default | rb/weak-cryptographic-algorithm | Use of a broken or weak cryptographic algorithm |
CWE‑693 | Default | rb/csrf-protection-disabled | CSRF protection weakened or disabled |
CWE‑693 | Default | rb/weak-cookie-configuration | Weak cookie configuration |
CWE‑693 | Default | rb/overly-permissive-file | Overly permissive file permissions |
CWE‑693 | Default | rb/hardcoded-credentials | Hard-coded credentials |
CWE‑697 | Default | rb/bad-tag-filter | Bad HTML filtering regexp |
CWE‑706 | Default | rb/path-injection | Uncontrolled data used in path expression |
CWE‑706 | Default | rb/xxe | XML external entity expansion |
CWE‑707 | Default | rb/path-injection | Uncontrolled data used in path expression |
CWE‑707 | Default | rb/command-line-injection | Uncontrolled command line |
CWE‑707 | Default | rb/kernel-open | Use of Kernel.open or IO.read |
CWE‑707 | Default | rb/reflected-xss | Reflected server-side cross-site scripting |
CWE‑707 | Default | rb/stored-xss | Stored cross-site scripting |
CWE‑707 | Default | rb/sql-injection | SQL query built from user-controlled sources |
CWE‑707 | Default | rb/code-injection | Code injection |
CWE‑707 | Default | rb/bad-tag-filter | Bad HTML filtering regexp |
CWE‑707 | Default | rb/incomplete-sanitization | Incomplete string escaping or encoding |
CWE‑707 | Default | rb/tainted-format-string | Use of externally-controlled format string |
CWE‑710 | Default | rb/hardcoded-credentials | Hard-coded credentials |
CWE‑710 | Default | rb/http-to-file-access | Network data written to file |
CWE‑710 | Default | rb/useless-assignment-to-local | Useless assignment to local variable |
CWE‑710 | Default | rb/unused-parameter | Unused parameter. |
CWE‑732 | Default | rb/weak-cookie-configuration | Weak cookie configuration |
CWE‑732 | Default | rb/overly-permissive-file | Overly permissive file permissions |
CWE‑776 | Default | rb/xxe | XML external entity expansion |
CWE‑798 | Default | rb/hardcoded-credentials | Hard-coded credentials |
CWE‑807 | Default | rb/user-controlled-bypass | User-controlled bypass of security check |
CWE‑827 | Default | rb/xxe | XML external entity expansion |
CWE‑829 | Default | rb/insecure-dependency | Dependency download using unencrypted communication channel |
CWE‑829 | Default | rb/xxe | XML external entity expansion |
CWE‑829 | Default | rb/insecure-download | Download of sensitive file through insecure connection |
CWE‑834 | Default | rb/xxe | XML external entity expansion |
CWE‑912 | Default | rb/http-to-file-access | Network data written to file |
CWE‑913 | Default | rb/code-injection | Code injection |
CWE‑913 | Default | rb/unsafe-deserialization | Deserialization of user-controlled data |
CWE‑918 | Default | rb/request-forgery | Server-side request forgery |
CWE‑922 | Default | rb/clear-text-logging-sensitive-data | Clear-text logging of sensitive information |
CWE‑922 | Default | rb/clear-text-storage-sensitive-data | Clear-text storage of sensitive information |
CWE‑923 | Default | rb/insecure-dependency | Dependency download using unencrypted communication channel |
CWE‑943 | Default | rb/sql-injection | SQL query built from user-controlled sources |
CWE‑1275 | Default | rb/weak-cookie-configuration | Weak cookie configuration |
CWE‑1333 | Default | rb/polynomial-redos | Polynomial regular expression used on uncontrolled data |
CWE‑1333 | Default | rb/redos | Inefficient regular expression |
CWE‑1333 | Default | rb/regexp-injection | Regular expression injection |