Snyk Code security rules

{% hint style="info" %} Snyk Code rules are updated continuously: new rules are added and existing rules may be refined or remapped to provide the best protection for your code, so the list below reflects the state of the rule set at the time of writing. {% endhint %}

This page lists all security rules used by Snyk Code when scanning your source code for vulnerabilities.

Each rule is described by the following fields.

  • Rule Name: The Snyk name of the rule.
  • Language(s): The programming languages to which this specific rule applies. Two rules may share the same name but apply to different languages; they are separate rules.
  • CWE(s): The CWE identifiers covered by this rule.
  • Security Categories: The OWASP Top 10 (2021 edition) category the rule belongs to, if any, and whether the weakness is included in the SANS/CWE Top 25 (shown as `SANS Top 25`). The OWASP codes used below are A01 Broken Access Control, A02 Cryptographic Failures, A03 Injection, A04 Insecure Design, A05 Security Misconfiguration, A06 Vulnerable and Outdated Components, A07 Identification and Authentication Failures, A08 Software and Data Integrity Failures, A09 Security Logging and Monitoring Failures, and A10 Server-Side Request Forgery. An empty cell means the rule is not mapped to either list.
| Rule Name | Language(s) | CWE(s) | Security Categories |
|---|---|---|---|
| ASP SSL Disabled | XML | CWE-319 | OWASP:A02 |
| Access Violation | Apex | CWE-284, CWE-285 | OWASP:A01 |
| Allocation of Resources Without Limits or Throttling | JavaScript, PHP | CWE-770 | |
| An optimizing compiler may remove memset non-zero leaving data in memory | C++ | CWE-1330 | |
| Android Debug Mode Enabled | XML | CWE-489 | |
| Android Fragment Injection | Java, Kotlin | CWE-470 | OWASP:A03 |
| Android Intent Forwarding | Java, Kotlin | CWE-940 | OWASP:A07 |
| Android Uri Permission Manipulation | Java, Kotlin | CWE-266 | OWASP:A04 |
| Android World Writeable/Readable File Permission Found | Java, Kotlin, Scala | CWE-732 | |
| Anti-forgery token validation disabled | C# | CWE-352 | SANS Top 25, OWASP:A01 |
| Arbitrary File Write via Archive Extraction (Tar Slip) | Python | CWE-22 | SANS Top 25, OWASP:A01 |
| Arbitrary File Write via Archive Extraction (Zip Slip) | C#, JavaScript, PHP | CWE-22 | SANS Top 25, OWASP:A01 |
| Authentication Bypass by Spoofing | C++ | CWE-290 | OWASP:A07 |
| Authentication over HTTP | Python | CWE-319 | OWASP:A02 |
| Binding to all network interfaces may open service to unintended traffic | Python | CWE-284 | OWASP:A01 |
| Broken User Authentication | Python | CWE-287 | SANS Top 25, OWASP:A07 |
| Buffer Over-read | JavaScript | CWE-126 | |
| Buffer Overflow | C++ | CWE-122 | |
| Clear Text Logging | Go, Swift | CWE-200, CWE-312 | OWASP:A01, OWASP:A04 |
| Clear Text Sensitive Storage | Apex, JavaScript | CWE-200, CWE-312 | OWASP:A01, OWASP:A04 |
| Cleartext Storage of Sensitive Information in a Cookie | C#, Java, Kotlin, Scala | CWE-315 | OWASP:A05 |
| Cleartext Transmission of Sensitive Information | Java, JavaScript, Kotlin, Scala | CWE-319 | OWASP:A02 |
| Code Execution via Third Party Package Context | Java, Kotlin | CWE-94 | SANS Top 25, OWASP:A03 |
| Code Execution via Third Party Package Installation | Java, Kotlin | CWE-940 | OWASP:A07 |
| Code Injection | C#, Java, JavaScript, Kotlin, PHP, Python, Ruby, Scala, Swift, Visual Basic | CWE-94 | SANS Top 25, OWASP:A03 |
| Command Injection | Apex, C#, C++, Go, Java, JavaScript, Kotlin, PHP, Python, Ruby, Rust, Scala, Swift, Visual Basic | CWE-78 | SANS Top 25, OWASP:A03 |
| Cross-Site Request Forgery (CSRF) | Java, JavaScript, Kotlin, Python, Scala | CWE-352 | SANS Top 25, OWASP:A01 |
| Cross-site Scripting (XSS) | Apex, C#, C++, Go, Java, JavaScript, Kotlin, PHP, Python, Ruby, Rust, Scala, Swift, Visual Basic | CWE-79 | SANS Top 25, OWASP:A03 |
| Cryptographic Issues | Java, JavaScript, Kotlin, Python, Scala | CWE-310 | OWASP:A02 |
| Debug Features Enabled | C#, Visual Basic, XML | CWE-215 | |
| Debug Mode Enabled | Python | CWE-489 | |
| Denial of Service (DoS) through Nested GraphQL Queries | JavaScript | CWE-400 | |
| Dereference of a NULL Pointer | C++ | CWE-476 | SANS Top 25 |
| Deserialization of Untrusted Data | C#, Java, JavaScript, Kotlin, PHP, Python, Ruby, Scala, Visual Basic | CWE-502 | SANS Top 25, OWASP:A08 |
| Device Authentication Bypass | Swift | CWE-287 | SANS Top 25, OWASP:A07 |
| Disabled Neutralization of CRLF Sequences in HTTP Headers | Java, Kotlin, Scala | CWE-113 | OWASP:A03 |
| Disabling Strict Contextual escaping (SCE) could provide additional attack surface for Cross-site Scripting (XSS) | JavaScript | CWE-79 | SANS Top 25, OWASP:A03 |
| Division By Zero | C++ | CWE-369 | |
| Double Free | C++ | CWE-415 | |
| Electron Disable Security Warnings | JavaScript | CWE-16 | OWASP:A05 |
| Electron Insecure Web Preferences | JavaScript | CWE-16 | OWASP:A05 |
| Electron Load Insecure Content | JavaScript | CWE-16 | OWASP:A05 |
| Exposure of Private Personal Information to an Unauthorized Actor | C#, C++ | CWE-359 | OWASP:A01 |
| External Control of System or Configuration Setting | Java, Kotlin, Scala | CWE-15 | OWASP:A05 |
| File Access Enabled | Java, Kotlin | CWE-200 | OWASP:A01 |
| File Inclusion | PHP | CWE-98 | OWASP:A03 |
| Generation of Error Message Containing Sensitive Information | Go, XML | CWE-209 | OWASP:A04 |
| GraphQL Injection | JavaScript | CWE-89 | SANS Top 25, OWASP:A03 |
| Hardcoded Secret | Apex, C#, Go, Java, JavaScript, Kotlin, PHP, Python, Ruby, Rust, Scala, Swift, Visual Basic | CWE-547 | OWASP:A05 |
| Improper Access Control: Email Content Injection | Apex, Go, PHP | CWE-284 | OWASP:A01 |
| Improper Authentication | Java, Kotlin, Scala | CWE-287 | SANS Top 25, OWASP:A07 |
| Improper Certificate Validation | Go, Java, Kotlin, Python, Ruby, Scala, Swift | CWE-295 | OWASP:A07 |
| Improper Code Sanitization | JavaScript | CWE-116, CWE-79, CWE-94 | SANS Top 25, OWASP:A03 |
| Improper Handling of Insufficient Permissions or Privileges | Java, Kotlin, Python | CWE-280 | OWASP:A04 |
| Improper Input Validation | Ruby | CWE-20 | SANS Top 25, OWASP:A03 |
| Improper Neutralization of CRLF Sequences in HTTP Headers | C#, Java, Kotlin, Scala, Visual Basic | CWE-113 | OWASP:A03 |
| Improper Neutralization of Directives in Statically Saved Code | Go, JavaScript, Python, Ruby | CWE-96 | OWASP:A03 |
| Improper Null Termination | C++ | CWE-170 | |
| Improper Restriction of Rendered UI Layers or Frames | JavaScript, PHP, XML | CWE-1021 | OWASP:A04 |
| Improper Type Validation | JavaScript | CWE-1287 | |
| Improper Validation of Certificate with Host Mismatch | Java, Kotlin, Scala | CWE-297 | OWASP:A07 |
| Improperly Controlled Modification of Dynamically-Determined Object Attributes | Ruby | CWE-915 | OWASP:A08 |
| Inadequate Encryption Strength | C#, C++, Go, Java, Kotlin, PHP, Python, Scala, Swift, Visual Basic | CWE-326 | OWASP:A02 |
| Inadequate Padding for AES encryption | Java, Kotlin, Scala | CWE-326 | OWASP:A02 |
| Inadequate Padding for Public Key Encryption | PHP, Rust | CWE-326 | OWASP:A02 |
| Incorrect Permission Assignment | Java, Kotlin | CWE-732 | |
| Incorrect regular expression for validating values | Ruby | CWE-1286 | |
| Indirect Command Injection via User Controlled Environment | Java, Kotlin, Scala | CWE-78 | SANS Top 25, OWASP:A03 |
| Information Exposure | C#, Java, JavaScript, Kotlin, PHP, Ruby, Scala, Swift | CWE-200 | OWASP:A01 |
| Insecure Anonymous LDAP Binding | C++ | CWE-287 | SANS Top 25, OWASP:A07 |
| Insecure Data Storage | Swift | CWE-922 | OWASP:A01 |
| Insecure Data Transmission | Apex, C#, Ruby | CWE-319 | OWASP:A02 |
| Insecure Deserialization | Swift | CWE-502 | SANS Top 25, OWASP:A08 |
| Insecure File Permissions | Python, Rust | CWE-732 | |
| Insecure JWT Verification Method | JavaScript | CWE-347 | OWASP:A02 |
| Insecure TLS Configuration | Go, JavaScript | CWE-327 | OWASP:A02 |
| Insecure Temporary File | Python | CWE-377 | OWASP:A01 |
| Insecure Xml Parser | Python | CWE-611 | OWASP:A05 |
| Insecure default value | Python | CWE-453 | |
| Insufficient Session Expiration | Java, Kotlin, Scala | CWE-613 | OWASP:A07 |
| Insufficient postMessage Validation | JavaScript | CWE-20 | SANS Top 25, OWASP:A03 |
| Integer Overflow | C++ | CWE-190 | SANS Top 25 |
| Introspection Enabled | JavaScript | CWE-200 | OWASP:A01 |
| JWT 'none' Algorithm Supported | JavaScript | CWE-347 | OWASP:A02 |
| JWT Signature Verification Bypass | Java | CWE-347 | OWASP:A02 |
| JWT Signature Verification Method Disabled | JavaScript | CWE-347 | OWASP:A02 |
| Java Naming and Directory Interface (JNDI) Injection | Java, Kotlin, Scala | CWE-74 | |
| JavaScript Enabled | Java, Kotlin | CWE-79 | SANS Top 25, OWASP:A03 |
| Jinja auto-escape is set to false | Python | CWE-79 | SANS Top 25, OWASP:A03 |
| LDAP Injection | C#, C++, Java, Kotlin, Python, Scala | CWE-90 | OWASP:A03 |
| Log Forging | C# | CWE-117 | OWASP:A09 |
| Memory Allocation Of String Length | C++ | CWE-170 | |
| Memory Corruption | Swift | CWE-822 | |
| Missing Release of File Descriptor or Handle after Effective Lifetime | C++ | CWE-775 | |
| Missing Release of Memory after Effective Lifetime | C++ | CWE-401 | |
| No Weak Password Requirements | Ruby | CWE-521 | OWASP:A07 |
| NoSQL Injection | Java, JavaScript, Python | CWE-943 | |
| Observable Timing Discrepancy | Rust | CWE-208 | |
| Observable Timing Discrepancy (Timing Attack) | Java, JavaScript, Kotlin, Scala | CWE-208 | |
| Open Redirect | Apex, C#, Go, Java, JavaScript, Kotlin, PHP, Python, Ruby, Rust, Scala, Visual Basic | CWE-601 | OWASP:A01 |
| Origin Validation Error | Java, JavaScript, Kotlin, PHP, Python, Rust, Scala | CWE-346, CWE-942 | OWASP:A05, OWASP:A07 |
| Password Requirements Not Enforced in Django Application | Python | CWE-521 | OWASP:A07 |
| Path Traversal | C#, C++, Go, Java, JavaScript, Kotlin, PHP, Python, Ruby, Rust, Scala, Swift, Visual Basic | CWE-23 | OWASP:A01 |
| Permissive Cross-domain Policy | JavaScript | CWE-942 | OWASP:A05 |
| Potential Negative Number Used as Index | C++ | CWE-125, CWE-787 | SANS Top 25 |
| Potential buffer overflow from usage of unsafe function | C++ | CWE-122 | |
| Privacy Leak | Java | CWE-532 | OWASP:A09 |
| Process Control | Java, Kotlin, Scala | CWE-114 | |
| Prototype Pollution | JavaScript | CWE-1321 | |
| Python 2 source code | Python | CWE-1104 | OWASP:A06 |
| Regular Expression Denial of Service (ReDoS) | JavaScript, PHP, Python, Ruby | CWE-400 | |
| Regular expression injection | Apex, C#, Java, Kotlin, Scala, Visual Basic | CWE-400, CWE-730 | |
| Remote Code Execution via Endpoint | Ruby | CWE-94 | SANS Top 25, OWASP:A03 |
| Request Validation Disabled | C#, Visual Basic, XML | CWE-554 | |
| SOQL Injection | Apex | CWE-89 | SANS Top 25, OWASP:A03 |
| SOSL Injection | Apex | CWE-89 | SANS Top 25, OWASP:A03 |
| SQL Injection | C#, C++, Go, Java, JavaScript, Kotlin, PHP, Python, Ruby, Rust, Scala, Swift, Visual Basic | CWE-89 | SANS Top 25, OWASP:A03 |
| Selection of Less-Secure Algorithm During Negotiation (Force SSL) | Ruby | CWE-311, CWE-757 | OWASP:A02, OWASP:A04 |
| Selection of Less-Secure Algorithm During Negotiation (SSL instead of TLS) | Python | CWE-757 | OWASP:A02 |
| Sensitive Cookie Without 'HttpOnly' Flag | C#, Go, Java, JavaScript, Kotlin, PHP, Python, Ruby, Scala, Visual Basic | CWE-1004 | OWASP:A05 |
| Sensitive Cookie in HTTPS Session Without 'Secure' Attribute | Apex, C#, Go, Java, JavaScript, Kotlin, PHP, Python, Ruby, Scala, Swift, Visual Basic | CWE-614 | OWASP:A05 |
| Server Information Exposure | Java, Kotlin, Python, Scala | CWE-209 | OWASP:A04 |
| Server-Side Request Forgery (SSRF) | Apex, C#, C++, Go, Java, JavaScript, Kotlin, PHP, Python, Rust, Scala, Swift, Visual Basic | CWE-918 | SANS Top 25, OWASP:A10 |
| Session Manipulation | Ruby | CWE-285 | OWASP:A01 |
| Sinatra Protection Layers Disabled | Ruby | CWE-16, CWE-35, CWE-79, CWE-348, CWE-352, CWE-693, CWE-1021 | SANS Top 25, OWASP:A01, OWASP:A03, OWASP:A04, OWASP:A05 |
| Size Used as Index | C++ | CWE-125, CWE-787 | SANS Top 25 |
| Spring Cross-Site Request Forgery (CSRF) | Java | CWE-352 | SANS Top 25, OWASP:A01 |
| Struts Development Mode Enabled | XML | CWE-489 | |
| The cipher text is equal to the provided input plain text | Java, Kotlin, Scala | CWE-311 | OWASP:A04 |
| Trust Boundary Violation | Java, Kotlin, Scala | CWE-501 | OWASP:A04 |
| Unauthorized File Access | Java, Kotlin | CWE-79 | SANS Top 25, OWASP:A03 |
| Unchecked Input for Loop Condition | JavaScript | CWE-400, CWE-606 | |
| Unprotected Storage of Credentials | Java, Kotlin, Scala | CWE-256 | OWASP:A04 |
| Unrestricted Android Broadcast | Java, Kotlin | CWE-862 | SANS Top 25, OWASP:A01 |
| Unsafe JQuery Plugin | JavaScript | CWE-116, CWE-79 | SANS Top 25, OWASP:A03 |
| Unsafe Reflection | Java, Ruby | CWE-470 | OWASP:A03 |
| Unsafe SOQL Concatenation | Apex | CWE-89 | SANS Top 25, OWASP:A03 |
| Unsafe SOSL Concatenation | Apex | CWE-89 | SANS Top 25, OWASP:A03 |
| Unverified Password Change | Apex | CWE-620 | OWASP:A07 |
| Usage of BinaryFormatter | C#, Visual Basic | CWE-502 | SANS Top 25, OWASP:A08 |
| Use After Free | C++ | CWE-416 | SANS Top 25 |
| Use dangerouslySetInnerHTML to Explicitly Handle XSS Risks | JavaScript | CWE-79 | SANS Top 25, OWASP:A03 |
| Use of Expired File Descriptor | C++ | CWE-910 | |
| Use of Externally-Controlled Format String | C++, Java, JavaScript, Kotlin, Scala | CWE-134 | |
| Use of Hardcoded Credentials | Apex, C#, Go, Java, JavaScript, Kotlin, PHP, Python, Ruby, Rust, Scala, Swift, Visual Basic | CWE-259, CWE-798 | SANS Top 25, OWASP:A07 |
| Use of Hardcoded Cryptographic Initialization Value | Python | CWE-329 | OWASP:A02 |
| Use of Hardcoded Cryptographic Key | C++, Python, Ruby | CWE-321 | OWASP:A02 |
| Use of Hardcoded Passwords | Apex, Go, Java, JavaScript, Kotlin, PHP, Python, Ruby, Rust, Scala, Swift, XML | CWE-259, CWE-798 | SANS Top 25, OWASP:A07 |
| Use of Hardcoded, Security-relevant Constants | Java, Kotlin, Scala | CWE-547 | OWASP:A05 |
| Use of Insufficiently Random Values | C#, Go, Java, JavaScript, Kotlin, PHP, Ruby, Rust, Scala, Swift, Visual Basic | CWE-330 | OWASP:A02 |
| Use of Password Hash With Insufficient Computational Effort | Apex, C#, C++, Go, Java, JavaScript, Kotlin, PHP, Python, Ruby, Rust, Scala, Swift, Visual Basic | CWE-916 | OWASP:A02 |
| Use of Potentially Dangerous Function | Java, Kotlin, Scala | CWE-676 | |
| Use of Sticky broadcasts | Java, Kotlin | CWE-265 | |
| Use of a Broken or Risky Cryptographic Algorithm | C#, Go, Java, JavaScript, Kotlin, PHP, Python, Ruby, Rust, Scala, Swift, Visual Basic | CWE-327 | OWASP:A02 |
| User Controlled Pointer | C++ | CWE-1285 | |
| Weak Password Recovery Mechanism for Forgotten Password | JavaScript | CWE-640 | OWASP:A07 |
| XAML Injection | C# | CWE-611 | OWASP:A05 |
| XML External Entity (XXE) Injection | C#, C++, Java, JavaScript, Kotlin, PHP, Ruby, Scala, Swift, Visual Basic | CWE-611 | OWASP:A05 |
| XML Injection | Apex, C#, Visual Basic | CWE-91 | OWASP:A03 |
| XPath Injection | C#, C++, Go, Java, JavaScript, Kotlin, PHP, Python, Ruby, Scala, Visual Basic | CWE-643 | OWASP:A03 |