From 037ef971c57b93e1054a99f5bc49104dab8d435f Mon Sep 17 00:00:00 2001
From: slef
Date: Thu, 7 Nov 2024 21:36:10 -0500
Subject: [PATCH] removes checkmarx from production.

---
 .../checkmarx-provider/module.yaml | 5 -
 .../checkmarx-provider/rules.yaml | 54426 ----------------
 2 files changed, 54431 deletions(-)
 delete mode 100644 server-side-scanners/boostsecurityio/checkmarx-provider/module.yaml
 delete mode 100644 server-side-scanners/boostsecurityio/checkmarx-provider/rules.yaml

diff --git a/server-side-scanners/boostsecurityio/checkmarx-provider/module.yaml b/server-side-scanners/boostsecurityio/checkmarx-provider/module.yaml
deleted file mode 100644
index 4df19d30..00000000
--- a/server-side-scanners/boostsecurityio/checkmarx-provider/module.yaml
+++ /dev/null
@@ -1,5 +0,0 @@
-name: Checkmarx Provider
-namespace: boostsecurityio/checkmarx-provider
-scan_types:
- - sast
- - iac
diff --git a/server-side-scanners/boostsecurityio/checkmarx-provider/rules.yaml b/server-side-scanners/boostsecurityio/checkmarx-provider/rules.yaml
deleted file mode 100644
index c5d98a5e..00000000
--- a/server-side-scanners/boostsecurityio/checkmarx-provider/rules.yaml
+++ /dev/null
@@ -1,54426 +0,0 @@ -default: - CWE-UNKNOWN: - categories: - - ALL - - boost-hardened - description: the original rule did not map to a known CWE rule - group: top10-insecure-design - name: CWE-UNKNOWN - pretty_name: CWE-UNKNOWN - Original rule did not map to a known CWE rule - ref: https://checkmarx.com/resource/documents/en/34965-46525-audit-guide.html -rules: - 0008c003-79aa-42d8-95b8-1c2fe37dbfe6: - categories: - - ALL - - boost-baseline - description: 'Multiple commands (RUN, COPY, ADD) should be grouped in order to - reduce the number of layers. ' - group: top10-insecure-design - name: 0008c003-79aa-42d8-95b8-1c2fe37dbfe6 - pretty_name: Multiple RUN, ADD, COPY, Instructions Listed - recommended: true - ref: https://sysdig.com/blog/dockerfile-best-practices/ - 00481784-25aa-4a55-8633-3136dfcf4f37: - categories: - - ALL - - boost-baseline - description: 'Need to use ''yum clean all'' after using a ''yum install'' command - to clean package cached data and reduce image size ' - group: supply-chain-scm-weak-configuration - name: 00481784-25aa-4a55-8633-3136dfcf4f37 - pretty_name: Yum Clean All Missing - recommended: true - ref: https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#run - 00603add-7f72-448f-a6c0-9e456a7a3f94: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Amazon Elasticsearch does not have encryption for its domains enabled. - To prevent such a scenario, update the attribute ''EnforceHTTPS'' to true. ' - group: cloud-resources-public-access - name: 00603add-7f72-448f-a6c0-9e456a7a3f94 - pretty_name: Elasticsearch with HTTPS disabled - recommended: true - ref: https://www.pulumi.com/registry/packages/aws/api-docs/elasticsearch/domain/#enforcehttps_yaml - 00b78adf-b83f-419c-8ed8-c6018441dd3a: - categories: - - ALL - - boost-baseline - description: 'String schema should have ''pattern'' defined. 
' - group: cloud-weak-configuration - name: 00b78adf-b83f-419c-8ed8-c6018441dd3a - pretty_name: Pattern Undefined (v3) - recommended: true - ref: https://swagger.io/specification/#schema-object - 00e5e55e-c2ff-46b3-a757-a7a1cd802456: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'CloudFront Minimum Protocol version should be at least TLS 1.2 ' - group: cloud-weak-configuration - name: 00e5e55e-c2ff-46b3-a757-a7a1cd802456 - pretty_name: CloudFront Without Minimum Protocol TLS 1.2 - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_distribution - 0104165b-02d5-426f-abc9-91fb48189899: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'The IP address in a DB Security Group must not have more than 256 - hosts. ' - group: cloud-resources-public-access - name: 0104165b-02d5-426f-abc9-91fb48189899 - pretty_name: DB Security Group Open To Large Scope - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-rds-database-instance.html - 013bdb4b-9246-4248-b0c3-7fb0fee42a29: - categories: - - ALL - - boost-baseline - description: 'Required properties receive value from requests, which makes unnecessary - declare a default value ' - group: top10-insecure-design - name: 013bdb4b-9246-4248-b0c3-7fb0fee42a29 - pretty_name: Required Property With Default Value (v3) - recommended: true - ref: https://swagger.io/specification/#schema-object - 015eac96-6313-43c0-84e5-81b1374fa637: - categories: - - ALL - - boost-baseline - description: 'Schema reference should exists on components field ' - group: top10-insecure-design - name: 015eac96-6313-43c0-84e5-81b1374fa637 - pretty_name: Schema JSON Reference Does Not Exists (v3) - recommended: true - ref: https://swagger.io/specification/#components-object - 01986452-bdd8-4aaa-b5df-d6bf61d616ff: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'ECS Services 
must not have Admin roles, which means the attribute - ''role'' must not be an admin role ' - group: cloud-insecure-iam - name: 01986452-bdd8-4aaa-b5df-d6bf61d616ff - pretty_name: ECS Service Admin Role Is Present - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ecs-service.html - 01aec7c2-3e4d-4274-ae47-2b8fea22fd1f: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Network_Mode should be ''awsvpc'' in ecs_task_definition. AWS VPCs - provides the controls to facilitate a formal process for approving and testing - all network connections and changes to the firewall and router configurations ' - group: cloud-weak-configuration - name: 01aec7c2-3e4d-4274-ae47-2b8fea22fd1f - pretty_name: ECS Task Definition Network Mode Not Recommended - recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/community/aws/ecs_taskdefinition_module.html#parameter-network_mode - 01d50b14-e933-4c99-b314-6d08cd37ad35: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Glue Data Catalog Encryption Settings should have ''connection_password_encryption'' - and ''encryption_at_rest'' enabled ' - group: top10-crypto-failures - name: 01d50b14-e933-4c99-b314-6d08cd37ad35 - pretty_name: Glue Data Catalog Encryption Disabled - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/glue_data_catalog_encryption_settings#data_catalog_encryption_settings - 01d5a458-a6c4-452a-ac50-054d59275b7c: - categories: - - ALL - - boost-baseline - description: "An AWS Elastic Load Balancer (ELB) shouldn\xB4t have security groups\ - \ without outbound rules " - group: cloud-resources-public-access - name: 01d5a458-a6c4-452a-ac50-054d59275b7c - pretty_name: ELB With Security Group Without Outbound Rules - recommended: true - ref: 
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-security-group.html#cfn-ec2-securitygroup-securitygroupegress - 0220e1c5-65d1-49dd-b7c2-cef6d6cb5283: - categories: - - ALL - - boost-baseline - description: 'Schema Object reference must always point to ''#/definitions'' ' - group: top10-insecure-design - name: 0220e1c5-65d1-49dd-b7c2-cef6d6cb5283 - pretty_name: Schema Object Incorrect Ref (v2) - recommended: true - ref: https://swagger.io/specification/v2/#schema-object - 02323c00-cdc3-4fdc-a310-4f2b3e7a1660: - categories: - - ALL - - boost-baseline - description: 'Check if containers are running with low UID, which might cause - conflicts with the host''s user table. ' - group: top10-insecure-design - name: 02323c00-cdc3-4fdc-a310-4f2b3e7a1660 - pretty_name: Container Running With Low UID - recommended: true - ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ - 02474449-71aa-40a1-87ae-e14497747b00: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Cloud SQL Database Instance should have SLL enabled ' - group: top10-crypto-failures - name: 02474449-71aa-40a1-87ae-e14497747b00 - pretty_name: SQL DB Instance With SSL Disabled - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/sql_database_instance#require_ssl - 0264093f-6791-4475-af34-4b8102dcbcd0: - categories: - - ALL - - boost-baseline - description: 'EC2 Instance should have detailed monitoring enabled. 
With detailed - monitoring enabled data is available in 1-minute periods ' - group: top10-security-logging-monitoring-failures - name: 0264093f-6791-4475-af34-4b8102dcbcd0 - pretty_name: EC2 Instance Monitoring Disabled - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-instance.html#cfn-ec2-instance-monitoring - 027a4b7a-8a59-4938-a04f-ed532512cf45: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Network_Mode should be ''awsvpc'' in ecs_task_definition. AWS VPCs - provides the controls to facilitate a formal process for approving and testing - all network connections and changes to the firewall and router configurations ' - group: cloud-weak-configuration - name: 027a4b7a-8a59-4938-a04f-ed532512cf45 - pretty_name: ECS Task Definition Network Mode Not Recommended - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ecs-taskdefinition.html#cfn-ecs-taskdefinition-networkmode - 02d9c71f-3ee8-4986-9c27-1a20d0d19bfc: - categories: - - ALL - - boost-baseline - description: 'Package version pinning reduces the range of versions that can be - installed, reducing the chances of failure due to unanticipated changes ' - group: supply-chain-scm-weak-configuration - name: 02d9c71f-3ee8-4986-9c27-1a20d0d19bfc - pretty_name: Unpinned Package Version in Pip Install - recommended: true - ref: https://docs.docker.com/develop/develop-images/dockerfile_best-practices/ - 030d3b18-1821-45b4-9e08-50efbe7becbb: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Amazon DMS is publicly accessible, therefore exposing possible sensitive - information. To prevent such a scenario, update the attribute ''PubliclyAccessible'' - to false. 
' - group: cloud-insecure-iam - name: 030d3b18-1821-45b4-9e08-50efbe7becbb - pretty_name: Amazon DMS Replication Instance Is Publicly Accessible - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/dms_replication_instance - 034d0aee-620f-4bf7-b7fb-efdf661fdb9e: - categories: - - ALL - - boost-baseline - description: 'Group with privilege escalation by actions ''lambda:CreateFunction'' - and ''iam:PassRole'' and ''lambda:InvokeFunction'' and Resource set to ''*''. - For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. ' - group: cloud-insecure-iam - name: 034d0aee-620f-4bf7-b7fb-efdf661fdb9e - pretty_name: Group With Privilege Escalation By Actions 'lambda:CreateFunction' - And 'iam:PassRole' And 'lambda:InvokeFunction' - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_policy#policy - 03856cb2-e46c-4daf-bfbf-214ec93c882b: - categories: - - ALL - - boost-baseline - description: 'The field ''enum'' of Schema Object should be consistent with the - schema''s type ' - group: top10-insecure-design - name: 03856cb2-e46c-4daf-bfbf-214ec93c882b - pretty_name: Schema Enum Invalid (v3) - recommended: true - ref: https://swagger.io/specification/#schema-object - 03879981-efa2-47a0-a818-c843e1441b88: - categories: - - ALL - - boost-baseline - description: 'To avoid opening all ports for Allow rules, EC2 NetworkACL Entry - Protocol should be either 6 (for TCP), 17 (for UDP), 1 (for ICMP), or 58 (for - ICMPv6, which must include an IPv6 CIDR block, ICMP type, and code). 
' - group: cloud-resources-public-access - name: 03879981-efa2-47a0-a818-c843e1441b88 - pretty_name: EC2 Permissive Network ACL Protocols - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-network-acl-entry.html - 03aabc8c-35d6-481e-9c85-20139cf72d23: - categories: - - ALL - - boost-baseline - description: 'Ensure the use of CNI Plugin that support Network Policies. If the - CNI Plugin in use does not support Network Policies it may not be possible to - effectively restrict traffic in the cluster ' - group: cloud-resources-public-access - name: 03aabc8c-35d6-481e-9c85-20139cf72d23 - pretty_name: CNI Plugin Does Not Support Network Policies - recommended: true - ref: https://kubernetes.io/docs/concepts/extend-kubernetes/compute-storage-net/network-plugins/ - 03b38885-8f4e-480c-a0e4-12c1affd15db: - categories: - - ALL - - boost-baseline - description: 'Amplify App OAuth Token must not be a plaintext string or a Ref - to a Parameter with a Default value. ' - group: cloud-weak-secrets-management - name: 03b38885-8f4e-480c-a0e4-12c1affd15db - pretty_name: Amplify App OAuth Token Exposed - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-amplify-app-basicauthconfig.html - 0401f71b-9c1e-4821-ab15-a955caa621be: - categories: - - ALL - - boost-baseline - description: 'Check if any pod is not being targeted by a proper network policy. 
' - group: cloud-resources-public-access - name: 0401f71b-9c1e-4821-ab15-a955caa621be - pretty_name: Pod Misconfigured Network Policy - recommended: true - ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/ - 0437633b-daa6-4bbc-8526-c0d2443b946e: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Make sure that for PosgreSQL, the ''Enforce SSL connection'' is - set to ''ENABLED'' ' - group: top10-crypto-failures - name: 0437633b-daa6-4bbc-8526-c0d2443b946e - pretty_name: SSL Enforce Disabled - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/postgresql_server - 045ddb54-cfc5-4abb-9e05-e427b2bc96fe: - categories: - - ALL - - boost-baseline - description: 'A Network ACL''s rule numbers cannot be repeated unless one is egress - and the other is ingress ' - group: cloud-resources-public-access - name: 045ddb54-cfc5-4abb-9e05-e427b2bc96fe - pretty_name: EC2 Network ACL Duplicate Rule - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-network-acl-entry.html#cfn-ec2-networkaclentry-rulenumber - 0461b4fd-21ef-4687-929e-484ee4796785: - categories: - - ALL - - boost-baseline - description: 'Make sure that for PostgreSQL Database, server parameter ''log_retention'' - is set to ''ON'' ' - group: top10-security-logging-monitoring-failures - name: 0461b4fd-21ef-4687-929e-484ee4796785 - pretty_name: Log Retention Is Not Set - recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_postgresqlconfiguration_module.html - 04c686f1-e0cd-4812-88e1-4e038410074c: - categories: - - ALL - - boost-baseline - description: 'Group with privilege escalation by actions ''iam:CreateLoginProfile'' - and Resource set to ''*''. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. 
' - group: cloud-insecure-iam - name: 04c686f1-e0cd-4812-88e1-4e038410074c - pretty_name: Group With Privilege Escalation By Actions 'iam:CreateLoginProfile' - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_policy#policy - 050a9ba8-d1cb-4c61-a5e8-8805a70d3b85: - categories: - - ALL - - boost-baseline - description: 'Logs delivered by CloudTrail should be encrypted using KMS to increase - security of your CloudTrail ' - group: top10-crypto-failures - name: 050a9ba8-d1cb-4c61-a5e8-8805a70d3b85 - pretty_name: CloudTrail Log Files Not Encrypted With KMS - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cloudtrail-trail.html#cfn-cloudtrail-trail-kmskeyid - 050f085f-a8db-4072-9010-2cca235cc02f: - categories: - - ALL - - boost-baseline - description: 'AWS Auto Scaling Groups must have associated ELBs to ensure high - availability and improve application performance. This means the attribute ''load_balancers'' - must be defined and not empty. ' - group: top10-insecure-design - name: 050f085f-a8db-4072-9010-2cca235cc02f - pretty_name: Auto Scaling Group With No Associated ELB - recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/community/aws/ec2_asg_module.html#parameter-load_balancers - 051f2063-2517-4295-ad8e-ba88c1bf5cfc: - categories: - - ALL - description: 'A list of MSK resources specified. Amazon Managed Streaming for - Apache Kafka (Amazon MSK) is a fully managed service that enables you to build - and run applications that use Apache Kafka to process streaming data. 
' - group: supply-chain-missing-artifact-integrity-verification - name: 051f2063-2517-4295-ad8e-ba88c1bf5cfc - pretty_name: BOM - AWS MSK - ref: https://kics.io/ - 054d07b5-941b-4c28-8eef-18989dc62323: - categories: - - ALL - - boost-baseline - description: 'Make sure that for PostgreSQL Database, server parameter ''log_disconnections'' - is set to ''ON'' ' - group: top10-security-logging-monitoring-failures - name: 054d07b5-941b-4c28-8eef-18989dc62323 - pretty_name: PostgreSQL Log Disconnections Not Set - recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_postgresqlconfiguration_module.html - 05505192-ba2c-4a81-9b25-dcdbcc973746: - categories: - - ALL - - boost-baseline - description: 'Parameter Objects should not have duplicate names for ''header'' - location, since HTTP headers are not case sensitive. ' - group: top10-insecure-design - name: 05505192-ba2c-4a81-9b25-dcdbcc973746 - pretty_name: Parameter Objects Headers With Duplicated Name (v3) - recommended: true - ref: https://swagger.io/specification/#parameter-object - 056ac60e-fe07-4acc-9b34-8e1d51716ab9: - categories: - - ALL - - boost-baseline - description: 'Roles and ClusterRoles when binded, should not use get, list or - watch as verbs ' - group: cloud-weak-secrets-management - name: 056ac60e-fe07-4acc-9b34-8e1d51716ab9 - pretty_name: ServiceAccount Allows Access Secrets - recommended: true - ref: https://kubernetes.io/docs/reference/access-authn-authz/rbac/ - 058ac855-989f-4378-ba4d-52d004020da7: - categories: - - ALL - - boost-baseline - description: 'CloudTrail multi region should be enabled, which means attribute - ''IsMultiRegionTrail'' should be set to true ' - group: top10-security-logging-monitoring-failures - name: 058ac855-989f-4378-ba4d-52d004020da7 - pretty_name: CloudTrail Multi Region Disabled - recommended: true - ref: 
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cloudtrail-trail.html#cfn-cloudtrail-trail-ismultiregiontrail - 05db341e-de7d-4972-a106-3e2bd5ee53e1: - categories: - - ALL - - boost-baseline - description: 'OSS Bucket should have logging enabled, for better visibility of - resources and objects. ' - group: top10-security-logging-monitoring-failures - name: 05db341e-de7d-4972-a106-3e2bd5ee53e1 - pretty_name: OSS Bucket Logging Disabled - recommended: true - ref: https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/oss_bucket#logging - 05fb986f-ac73-4ebb-a5b2-7faafa93d882: - categories: - - ALL - - boost-baseline - description: 'When using kube-controller-manager commands, the ''--root-ca-file'' - should be defined ' - group: top10-crypto-failures - name: 05fb986f-ac73-4ebb-a5b2-7faafa93d882 - pretty_name: Root CA File Not Defined - recommended: true - ref: https://kubernetes.io/docs/reference/command-line-tools-reference/kube-controller-manager/ - 063234c0-91c0-4ab5-bbd0-47ddb5f23786: - categories: - - ALL - - boost-baseline - description: 'Ram Account Password Policy should have ''require_numbers'' set - to true ' - group: cloud-weak-secrets-management - name: 063234c0-91c0-4ab5-bbd0-47ddb5f23786 - pretty_name: Ram Account Password Policy Not Required Numbers - recommended: true - ref: https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/ram_account_password_policy#require_numbers - 0632d0db-9190-450a-8bb3-c283bffea445: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Firewall rule allowing unrestricted access to Redis from other Azure - sources ' - group: cloud-resources-public-access - name: 0632d0db-9190-450a-8bb3-c283bffea445 - pretty_name: Redis Publicly Accessible - recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_rediscachefirewallrule_module.html#parameter-start_ip_address - 
06764426-3c56-407e-981f-caa25db1c149: - categories: - - ALL - - boost-baseline - description: 'Security Scheme HTTP scheme should be registered in the IANA Authentication - Scheme registry ' - group: cloud-insecure-iam - name: 06764426-3c56-407e-981f-caa25db1c149 - pretty_name: Security Scheme HTTP Unknown Scheme - recommended: true - ref: https://swagger.io/specification/#security-scheme-object - 06933df4-0ea7-461c-b9b5-104d27390e0e: - categories: - - ALL - - boost-baseline - description: 'A IAM user should belong to a group ' - group: cloud-insecure-iam - name: 06933df4-0ea7-461c-b9b5-104d27390e0e - pretty_name: IAM User With No Group - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/quickref-iam.html#scenario-iam-policy - 069a5378-2091-43f0-aa3b-ee8f20996e99: - categories: - - ALL - - boost-baseline - description: HTTP Responses status code should be in range of [200-599] - group: top10-insecure-design - name: 069a5378-2091-43f0-aa3b-ee8f20996e99 - pretty_name: Responses With Wrong HTTP Status Code (v2) - recommended: true - ref: https://swagger.io/specification/v2/#parameterObject - 06adef8c-c284-4de7-aad2-af43b07a8ca1: - categories: - - ALL - - boost-baseline - description: 'IAM User LoginProfile Password must not be a plaintext string ' - group: cloud-weak-configuration - name: 06adef8c-c284-4de7-aad2-af43b07a8ca1 - pretty_name: IAM User LoginProfile Password Is In Plaintext - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-user.html - 06b9f52a-8cd5-459b-bdc6-21a22521e1be: - categories: - - ALL - - boost-baseline - description: 'Directory Service Microsoft AD password must not be a plaintext - string or a Ref to a Parameter with a Default value. 
' - group: cloud-weak-secrets-management - name: 06b9f52a-8cd5-459b-bdc6-21a22521e1be - pretty_name: Directory Service Microsoft AD Password Set to Plaintext or Default - Ref - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-directoryservice-microsoftad.html - 06ec63e3-9f72-4fe2-a218-2eb9200b8db5: - categories: - - ALL - - boost-baseline - description: 'API Gateway Deployment should have access log setting defined when - connected to an API Gateway Stage. ' - group: top10-security-logging-monitoring-failures - name: 06ec63e3-9f72-4fe2-a218-2eb9200b8db5 - pretty_name: API Gateway Deployment Without Access Log Setting - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigateway-deployment.html - 071a71ff-f868-47a4-ac0b-3c59e4ab5443: - categories: - - ALL - - boost-baseline - description: 'Container should not share the host network namespace ' - group: cloud-insecure-iam - name: 071a71ff-f868-47a4-ac0b-3c59e4ab5443 - pretty_name: Shared Host Network Namespace - recommended: true - ref: https://docs.docker.com/compose/compose-file/compose-file-v3/#network_mode - 075ca296-6768-4322-aea2-ba5063b969a9: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'When using etcd commands, the ''--cert-file'' and ''--key-file'' - should be defined ' - group: cloud-resources-public-access - name: 075ca296-6768-4322-aea2-ba5063b969a9 - pretty_name: Etcd TLS Certificate Files Not Properly Set - recommended: true - ref: https://etcd.io/docs/v3.4/op-guide/security/ - 07dda8de-d90d-469e-9b37-1aca53526ced: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'S3 Buckets should not be readable and writable to all users ' - group: cloud-insecure-iam - name: 07dda8de-d90d-469e-9b37-1aca53526ced - pretty_name: S3 Bucket ACL Allows Read Or Write to All Users - recommended: true - ref: 
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket.html - 07f7134f-9f37-476e-8664-670c218e4702: - categories: - - ALL - - boost-baseline - description: 'Make sure that for PostgreSQL Database, server parameter ''log_disconnections'' - is set to ''ON'' ' - group: top10-security-logging-monitoring-failures - name: 07f7134f-9f37-476e-8664-670c218e4702 - pretty_name: PostgreSQL Log Disconnections Not Set - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/postgresql_configuration - 07fc3413-e572-42f7-9877-5c8fc6fccfb5: - categories: - - ALL - - boost-baseline - description: 'Kubernetes_role and Kubernetes_cluster_role when binded, should - not use get, list or watch as verbs ' - group: cloud-weak-secrets-management - name: 07fc3413-e572-42f7-9877-5c8fc6fccfb5 - pretty_name: Service Account Allows Access Secrets - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/role_binding#subject - 081069cb-588b-4ce1-884c-2a1ce3029fe5: - categories: - - ALL - - boost-baseline - description: 'Checks if CloudWatch Metrics is Enabled ' - group: top10-security-logging-monitoring-failures - name: 081069cb-588b-4ce1-884c-2a1ce3029fe5 - pretty_name: CloudWatch Metrics Disabled - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_method_settings#metrics_enabled - 084c6686-2a70-4710-91b1-000393e54c12: - categories: - - ALL - - boost-baseline - description: 'AWS Shield Advanced should be used for Amazon Route 53 hosted zone, - AWS Global Accelerator accelerator, Elastic IP Address, Elastic Load Balancing, - and Amazon CloudFront Distribution to protect these resources against robust - DDoS attacks ' - group: cloud-resources-public-access - name: 084c6686-2a70-4710-91b1-000393e54c12 - pretty_name: Shield Advanced Not In Use - recommended: true - ref: 
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/shield_protection#resource_arn - 086031e1-9d4a-4249-acb3-5bfe4c363db2: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Cloud Storage Buckets must not be anonymously or publicly accessible, - which means the attribute ''entity'' must not be ''allUsers'' or ''allAuthenticatedUsers'' ' - group: cloud-insecure-iam - name: 086031e1-9d4a-4249-acb3-5bfe4c363db2 - pretty_name: Cloud Storage Anonymous or Publicly Accessible - recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_storage_bucket_module.html - 086ea2eb-14a6-4fd4-914b-38e0bc8703e8: - categories: - - ALL - - boost-baseline - description: 'Ensure that AWS Elasticsearch enables support for slow logs ' - group: top10-security-logging-monitoring-failures - name: 086ea2eb-14a6-4fd4-914b-38e0bc8703e8 - pretty_name: ElasticSearch Without Slow Logs - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-elasticsearch-domain.html#cfn-elasticsearch-domain-logpublishingoptions - 08b81bb3-0985-4023-8602-b606ad81d279: - categories: - - ALL - - boost-baseline - description: 'EC2 instances should not use default security group(s) ' - group: cloud-insecure-iam - name: 08b81bb3-0985-4023-8602-b606ad81d279 - pretty_name: EC2 Instance Using Default Security Group - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-instance.html#cfn-ec2-instance-securitygroups - 08bd0760-8752-44e1-9779-7bb369b2b4e4: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'AWS DB Instance should have its storage encrypted by setting the - parameter to ''true''. The storage_encrypted default value is ''false''. 
' - group: top10-crypto-failures - name: 08bd0760-8752-44e1-9779-7bb369b2b4e4 - pretty_name: DB Instance Storage Not Encrypted - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance#storage_encrypted - 08e39832-5e42-4304-98a0-aa5b43393162: - categories: - - ALL - - boost-baseline - description: 'Amazon Elastic Filesystem should have filesystem tags associated ' - group: supply-chain-cicd-weak-configuration - name: 08e39832-5e42-4304-98a0-aa5b43393162 - pretty_name: EFS Without Tags - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-efs-filesystem.html - 092bae86-6105-4802-99d2-99cd7e7431f3: - categories: - - ALL - - boost-baseline - description: 'VM disks for critical VMs must be encrypted with Customer Supplied - Encryption Keys (CSEK) or with Customer-managed encryption keys (CMEK), which - means the attribute ''disk_encryption_key'' must be defined and its sub attributes - ''raw_key'' or ''kms_key_self_link'' must also be defined ' - group: top10-crypto-failures - name: 092bae86-6105-4802-99d2-99cd7e7431f3 - pretty_name: Disk Encryption Disabled - recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_compute_disk_module.html - 0956aedf-6a7a-478b-ab56-63e2b19923ad: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'The IP address in a DB Security Group should not be ''0.0.0.0/0'' - (IPv4) or ''::/0'' (IPv6). 
If so, any IP can access it ' - group: cloud-resources-public-access - name: 0956aedf-6a7a-478b-ab56-63e2b19923ad - pretty_name: DB Security Group With Public Scope - recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/amazon/aws/ec2_group_module.html - 099b4411-d11e-4537-a0fc-146b19762a79: - categories: - - ALL - - boost-baseline - description: 'VM Instance should block project-wide SSH keys ' - group: cloud-weak-secrets-management - name: 099b4411-d11e-4537-a0fc-146b19762a79 - pretty_name: Project-wide SSH Keys Are Enabled In VM Instances - recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_compute_instance_module.html - 09bb9e96-8da3-4736-b89a-b36814acca60: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'When using etcd commands, the ''--peer-cert-file'' and ''--peer-key-file'' - should be defined ' - group: cloud-resources-public-access - name: 09bb9e96-8da3-4736-b89a-b36814acca60 - pretty_name: Etcd Peer TLS Certificate Files Not Properly Set - recommended: true - ref: https://etcd.io/docs/v3.4/op-guide/security/ - 09c35abf-5852-4622-ac7a-b987b331232e: - categories: - - ALL - - boost-baseline - description: 'Cross-Account IAM Assume Role Policy should require external ID - or MFA to protect cross-account access ' - group: cloud-insecure-iam - name: 09c35abf-5852-4622-ac7a-b987b331232e - pretty_name: Cross-Account IAM Assume Role Policy Without ExternalId or MFA - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role#assume_role_policy - 0a494a6a-ebe2-48a0-9d77-cf9d5125e1b3: - categories: - - ALL - - boost-baseline - description: 'Redshift Cluster should be configured in VPC (Virtual Private Cloud) ' - group: cloud-weak-configuration - name: 0a494a6a-ebe2-48a0-9d77-cf9d5125e1b3 - pretty_name: Redshift Cluster Without VPC - recommended: true - ref: 
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/redshift_cluster#vpc_security_group_ids - 0a592060-8166-49f5-8e65-99ac6dce9871: - categories: - - ALL - - boost-baseline - description: 'Role with privilege escalation by actions ''glue:CreateDevEndpoint'' - and ''iam:PassRole'' and Resource set to ''*''. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. ' - group: cloud-insecure-iam - name: 0a592060-8166-49f5-8e65-99ac6dce9871 - pretty_name: Role With Privilege Escalation By Actions 'glue:CreateDevEndpoint' - And 'iam:PassRole' - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy#policy - 0a70d5f3-1ecd-4c8e-9292-928fc9a8c4f1: - categories: - - ALL - - boost-baseline - description: 'MariaDB Server Geo-redundant Backup should be enabled ' - group: top10-software-data-integrity-failures - name: 0a70d5f3-1ecd-4c8e-9292-928fc9a8c4f1 - pretty_name: MariaDB Server Geo-redundant Backup Disabled - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/mariadb_server#geo_redundant_backup_enabled - 0a8e8dc5-b6fc-44fc-b5a1-969ec950f9b0: - categories: - - ALL - - boost-baseline - description: 'Ensure a log metric filter and alarm exist for changes to NACL ' - group: top10-security-logging-monitoring-failures - name: 0a8e8dc5-b6fc-44fc-b5a1-969ec950f9b0 - pretty_name: CloudWatch Changes To NACL Alarm Missing - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_metric_filter#pattern - 0a96ce49-4163-4ee6-8169-eb3b0797d694: - categories: - - ALL - - boost-baseline - description: 'API Gateway REST API should have an API Gateway Authorizer ' - group: cloud-insecure-iam - name: 0a96ce49-4163-4ee6-8169-eb3b0797d694 - pretty_name: API Gateway Without Configured Authorizer - recommended: true - ref: 
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_authorizer - 0a994e04-c6dc-471d-817e-d37451d18a3b: - categories: - - ALL - - boost-baseline - description: 'AWS Serverless API/AWS Serverless HTTP API should have Access Logging - Setting(s) defined ' - group: top10-security-logging-monitoring-failures - name: 0a994e04-c6dc-471d-817e-d37451d18a3b - pretty_name: Serverless API Access Logging Setting Undefined - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-apigateway-stage-accesslogsetting.html - 0ac9abbc-6d7a-41cf-af23-2e57ddb3dbfc: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'A sensitive port, such as port 23 or port 110, is open for the whole - network in either TCP or UDP protocol ' - group: cloud-resources-public-access - name: 0ac9abbc-6d7a-41cf-af23-2e57ddb3dbfc - pretty_name: Sensitive Port Is Exposed To Entire Network - recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_securitygroup_module.html#parameter-rules - 0ad60203-c050-4115-83b6-b94bde92541d: - categories: - - ALL - - boost-baseline - description: "Check if a container has full access (unmasked) to the host\u2019\ - s /proc command, which would allow to retrieve sensitive information and possibly\ - \ change the kernel parameters in runtime. 
" - group: cloud-weak-configuration - name: 0ad60203-c050-4115-83b6-b94bde92541d - pretty_name: Container Runs Unmasked - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod_security_policy#allowed_proc_mount_types - 0afa6ab8-a047-48cf-be07-93a2f8c34cf7: - categories: - - ALL - - boost-baseline - description: 'All Application Load Balancers (ALB) must be protected with Web - Application Firewall (WAF) service ' - group: cloud-resources-public-access - name: 0afa6ab8-a047-48cf-be07-93a2f8c34cf7 - pretty_name: ALB Is Not Integrated With WAF - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafregional_web_acl_association - 0afbcfe9-d341-4b92-a64c-7e6de0543879: - categories: - - ALL - - boost-baseline - description: 'AWS CloudWatch Log groups should be encrypted using KMS ' - group: top10-crypto-failures - name: 0afbcfe9-d341-4b92-a64c-7e6de0543879 - pretty_name: CloudWatch Log Group Without KMS - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group - 0b0556ea-9cd9-476f-862e-20679dda752b: - categories: - - ALL - description: 'A list of EBS resources found. Amazon Elastic Block Store (Amazon - EBS) is an easy-to-use, scalable, high-performance block-storage service designed - for Amazon Elastic Compute Cloud (Amazon EC2). 
' - group: supply-chain-missing-artifact-integrity-verification - name: 0b0556ea-9cd9-476f-862e-20679dda752b - pretty_name: BOM - AWS EBS - ref: https://kics.io/ - 0b4869fc-a842-4597-aa00-1294df425440: - categories: - - ALL - - boost-baseline - description: 'SSL Client Certificate should be enabled ' - group: cloud-weak-configuration - name: 0b4869fc-a842-4597-aa00-1294df425440 - pretty_name: API Gateway Without SSL Certificate - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_stage#client_certificate_id - 0b530315-0ea4-497f-b34c-4ff86268f59d: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'AWS KMS Key should have a valid deletion window ' - group: top10-security-logging-monitoring-failures - name: 0b530315-0ea4-497f-b34c-4ff86268f59d - pretty_name: KMS Key With No Deletion Window - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key - 0b76d993-ee52-43e0-8b39-3787d2ddabf1: - categories: - - ALL - - boost-baseline - description: 'All global responses definitions should be in use ' - group: top10-insecure-design - name: 0b76d993-ee52-43e0-8b39-3787d2ddabf1 - pretty_name: Global Responses Definition Not Being Used - recommended: true - ref: https://swagger.io/specification/v2/#responsesDefinitionsObject - 0b93729a-d882-4803-bdc3-ac429a21f158: - categories: - - ALL - - boost-baseline - description: 'EC2 instances should use roles to be granted access to other AWS - services ' - group: cloud-insecure-iam - name: 0b93729a-d882-4803-bdc3-ac429a21f158 - pretty_name: EC2 Instance Using API Keys - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/instance#iam_instance_profile - 0bc1477d-0922-478b-ae16-674a7634a1a8: - categories: - - ALL - - boost-baseline - description: Property 'allowEmptyValue' should be only defined for query parameters - and formData parameters - group: 
top10-insecure-design - name: 0bc1477d-0922-478b-ae16-674a7634a1a8 - pretty_name: Property 'allowEmptyValue' Improperly Defined (v2) - recommended: true - ref: https://swagger.io/specification/v2/#parameterObject - 0bc534c5-13d1-4353-a7fe-b8665d5c1d7d: - categories: - - ALL - - boost-baseline - description: 'Dynamodb VPC Endpoint should be associated with Route Table Association ' - group: cloud-resources-public-access - name: 0bc534c5-13d1-4353-a7fe-b8665d5c1d7d - pretty_name: Dynamodb VPC Endpoint Without Route Table Association - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_endpoint#vpc_id - 0c10d7da-85c4-4d62-b2a8-d6c104f1bd77: - categories: - - ALL - - boost-baseline - description: 'User with privilege escalation by actions ''iam:PutUserPolicy'' - and Resource set to ''*''. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. ' - group: cloud-insecure-iam - name: 0c10d7da-85c4-4d62-b2a8-d6c104f1bd77 - pretty_name: User With Privilege Escalation By Actions 'iam:PutUserPolicy' - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy#policy - 0c79e50e-b3cf-490c-b8f6-587c644d4d0c: - categories: - - ALL - - boost-baseline - description: 'Operation Object should have ''consumes'' feild defined for ''POST'', - ''PUT'' and ''PATCH'' operations ' - group: cloud-weak-configuration - name: 0c79e50e-b3cf-490c-b8f6-587c644d4d0c - pretty_name: Operation Object Without 'consumes' - recommended: true - ref: https://swagger.io/specification/v2/#operation-object - 0c82eae2-aca0-401f-93e4-fb37a0f9e5e8: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Checks if backup configuration is enabled for all Cloud SQL Database - instances ' - group: top10-software-data-integrity-failures - name: 0c82eae2-aca0-401f-93e4-fb37a0f9e5e8 - pretty_name: SQL DB Instance Backup Disabled - 
recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_sql_instance_module.html#parameter-settings/backup_configuration/enabled - 0ca1017d-3b80-423e-bb9c-6cd5898d34bd: - categories: - - ALL - - boost-baseline - description: 'Lambda permission may be misconfigured if the action field is not - filled in by ''lambda:InvokeFunction'' ' - group: top10-insecure-design - name: 0ca1017d-3b80-423e-bb9c-6cd5898d34bd - pretty_name: Lambda IAM InvokeFunction Misconfigured - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission - 0ce1ba20-8ba8-4364-836f-40c24b8cb0ab: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Public AWS MSK allows anyone to interact with the Apache Kafka broker, - therefore increasing the opportunity for malicious activity. To prevent such - a scenario, it is recommended for AWS MSK to not be publicly accessible ' - group: cloud-insecure-iam - name: 0ce1ba20-8ba8-4364-836f-40c24b8cb0ab - pretty_name: MSK Broker Is Publicly Accessible - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-msk-cluster-publicaccess.html - 0d0c12b9-edce-4510-9065-13f6a758750c: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Firewall rule allowing unrestricted access to Redis from the Internet ' - group: cloud-resources-public-access - name: 0d0c12b9-edce-4510-9065-13f6a758750c - pretty_name: Redis Entirely Accessible - recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_rediscachefirewallrule_module.html#parameter-start_ip_address - 0d7ef70f-e176-44e6-bdba-add3e429788d: - categories: - - ALL - - boost-baseline - description: 'Serverless Function should have Tracing enabled. 
For this, property - ''tracing'' should have the value ''Active'' ' - group: top10-security-logging-monitoring-failures - name: 0d7ef70f-e176-44e6-bdba-add3e429788d - pretty_name: Serverless Function Without X-Ray Tracing - recommended: true - ref: https://www.serverless.com/framework/docs/providers/aws/guide/functions#aws-x-ray-tracing - 0de50145-e845-47f4-9a15-23bcf2125710: - categories: - - ALL - - boost-baseline - description: 'The property ''required'' determines whether the parameter is mandatory. - If the parameter location is ''path'', this property is required and its value - must be true. ' - group: top10-insecure-design - name: 0de50145-e845-47f4-9a15-23bcf2125710 - pretty_name: Path Parameter Not Required (v3) - recommended: true - ref: https://swagger.io/specification/#parameter-object - 0e32d561-4b5a-4664-a6e3-a3fa85649157: - categories: - - ALL - - boost-baseline - description: 'ECR repositories should be encrypted with customer-managed keys - to meet stricter security and compliance requirements on access control, monitoring, - and key rotation ' - group: top10-crypto-failures - name: 0e32d561-4b5a-4664-a6e3-a3fa85649157 - pretty_name: ECR Repository Not Encrypted With CMK - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_repository#encryption_configuration - 0e5872b4-19a0-4165-8b2f-56d9e14b909f: - categories: - - ALL - - boost-baseline - description: 'Make sure that any managed IAM policies are implemented in a group - and not in a user. ' - group: top10-insecure-design - name: 0e5872b4-19a0-4165-8b2f-56d9e14b909f - pretty_name: IAM Managed Policy Applied to a User - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-managedpolicy.html#cfn-iam-managedpolicy-groups - 0e59d33e-bba2-4037-8f88-9765647ca7ad: - categories: - - ALL - description: 'A list of Kinesis resources found. 
Amazon Kinesis is a real-time - streaming service that provides collection, processing, and analysis of video - and data streams in real-time ' - group: supply-chain-missing-artifact-integrity-verification - name: 0e59d33e-bba2-4037-8f88-9765647ca7ad - pretty_name: BOM - AWS Kinesis - ref: https://kics.io/ - 0ed012a4-9199-43d2-b9e4-9bd049a48aa4: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'IAM Database Auth Enabled should be configured to true when using - compatible engine and version ' - group: top10-crypto-failures - name: 0ed012a4-9199-43d2-b9e4-9bd049a48aa4 - pretty_name: IAM Database Auth Not Enabled - recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/community/aws/rds_instance_module.html - 0f0fb06b-0f2f-4374-8588-f2c7c348c7a0: - categories: - - ALL - - boost-baseline - description: 'Check if CloudWatch logging is disabled for Route53 hosted zones ' - group: top10-security-logging-monitoring-failures - name: 0f0fb06b-0f2f-4374-8588-f2c7c348c7a0 - pretty_name: CloudWatch Logging Disabled - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-route53-hostedzone.html#cfn-route53-hostedzone-queryloggingconfig - 0f139403-303f-467c-96bd-e717e6cfd62d: - categories: - - ALL - - boost-baseline - description: 'All AWS CloudFront distributions should be integrated with the Web - Application Firewall (AWS WAF) service ' - group: cloud-resources-public-access - name: 0f139403-303f-467c-96bd-e717e6cfd62d - pretty_name: CloudFront Without WAF - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cloudfront-distribution-distributionconfig.html#cfn-cloudfront-distribution-distributionconfig-webaclid - 0f6cbf69-41bb-47dc-93f3-3844640bf480: - categories: - - ALL - - boost-baseline - description: 'Ensure a log metric filter and alarm exist for CloudTrail configuration - changes ' - group: 
top10-security-logging-monitoring-failures - name: 0f6cbf69-41bb-47dc-93f3-3844640bf480 - pretty_name: Cloudwatch Cloudtrail Configuration Changes Alarm Missing - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_metric_filter#pattern - 0f6cd0ab-c366-4595-84fc-fbd8b9901e4d: - categories: - - ALL - - boost-baseline - description: 'Request Body reference must always point to ''#/components/RequestBodies'' ' - group: top10-insecure-design - name: 0f6cd0ab-c366-4595-84fc-fbd8b9901e4d - pretty_name: Request Body With Incorrect Ref - recommended: true - ref: https://swagger.io/specification/#request-body-object - 0fd7d920-4711-46bd-aff2-d307d82cd8b7: - categories: - - ALL - - boost-baseline - description: 'User with privilege escalation by actions ''iam:CreateLoginProfile'' - and Resource set to ''*''. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. ' - group: cloud-insecure-iam - name: 0fd7d920-4711-46bd-aff2-d307d82cd8b7 - pretty_name: User With Privilege Escalation By Actions 'iam:CreateLoginProfile' - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy#policy - 1056dfbb-5802-4762-bf2b-8b9b9684b1b0: - categories: - - ALL - - boost-baseline - description: 'API Gateway Method should restrict the authorization type, except - for the HTTP OPTIONS method. 
' - group: cloud-weak-configuration - name: 1056dfbb-5802-4762-bf2b-8b9b9684b1b0 - pretty_name: API Gateway With Open Access - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigateway-method.html - 105ba098-1e34-48cd-b0f2-a8a43a51bf9b: - categories: - - ALL - - boost-baseline - description: 'All Application Load Balancers (ALB) must be protected with Web - Application Firewall (WAF) service ' - group: cloud-resources-public-access - name: 105ba098-1e34-48cd-b0f2-a8a43a51bf9b - pretty_name: ALB Is Not Integrated With WAF - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-wafregional-webaclassociation.html - 105e20dd-8449-4d71-95c6-d5dac96639af: - categories: - - ALL - - boost-baseline - description: 'Trace should define the ''200'' successful code ' - group: cloud-resources-public-access - name: 105e20dd-8449-4d71-95c6-d5dac96639af - pretty_name: Success Response Code Undefined for Trace Operation - recommended: true - ref: https://swagger.io/specification/#operation-object - 10c61e4b-eed5-49cf-9c7d-d4bf02e9edfa: - categories: - - ALL - - boost-baseline - description: 'Schema Object Property key should be unique through out the fields - ''properties'', ''allOf'', ''additionalProperties'' ' - group: top10-insecure-design - name: 10c61e4b-eed5-49cf-9c7d-d4bf02e9edfa - pretty_name: Schema Object Properties With Duplicated Keys (v3) - recommended: true - ref: https://swagger.io/specification/#schema-object - 10efce34-5af6-4d83-b414-9e096d5a06a9: - categories: - - ALL - - boost-baseline - description: 'The EncryptionConfiguration should be configured to have at least - one ''aescbc'', ''kms'' or ''secretbox'' provider ' - group: top10-crypto-failures - name: 10efce34-5af6-4d83-b414-9e096d5a06a9 - pretty_name: Encryption Provider Not Properly Configured - recommended: true - ref: 
https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/#understanding-the-encryption-at-rest-configuration - 1123031a-f921-4c5b-bd86-ef354ecfd37a: - categories: - - ALL - - boost-baseline - description: 'Check if any label in the metadata is invalid. ' - group: top10-insecure-design - name: 1123031a-f921-4c5b-bd86-ef354ecfd37a - pretty_name: Metadata Label Is Invalid - recommended: true - ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ - 113208f2-a886-4526-9ecc-f3218600e12c: - categories: - - ALL - - boost-baseline - description: 'User with privilege escalation by actions ''iam:CreateAccessKey'' - and Resource set to ''*''. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. ' - group: cloud-insecure-iam - name: 113208f2-a886-4526-9ecc-f3218600e12c - pretty_name: User With Privilege Escalation By Actions 'iam:CreateAccessKey' - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy#policy - 118281d0-6471-422e-a7c5-051bc667926e: - categories: - - ALL - - boost-baseline - description: 'Role with privilege escalation by actions ''iam:SetDefaultPolicyVersion'' - and Resource set to ''*''. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. 
' - group: cloud-insecure-iam - name: 118281d0-6471-422e-a7c5-051bc667926e - pretty_name: Role With Privilege Escalation By Actions 'iam:SetDefaultPolicyVersion' - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy#policy - 11bd3554-cd56-4257-8e25-7aaf30cf8f5f: - categories: - - ALL - - boost-baseline - description: 'Instances must not have IP forwarding enabled, which means the attribute - ''can_ip_forward'' must not be true ' - group: cloud-resources-public-access - name: 11bd3554-cd56-4257-8e25-7aaf30cf8f5f - pretty_name: IP Forwarding Enabled - recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_compute_instance_module.html - 11e7550e-c4b6-472e-adff-c698f157cdd7: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Kubernetes Engine Clusters must have Network Policy enabled, meaning - that the attribute ''network_policy.enabled'' must be true and the attribute - ''addons_config.network_policy_config.disabled'' must be false ' - group: cloud-weak-configuration - name: 11e7550e-c4b6-472e-adff-c698f157cdd7 - pretty_name: Network Policy Disabled - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_cluster - 11e9a948-c6c3-4a0f-8dcf-b5cf1763cdbe: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Web app should only accept HTTPS traffic in Azure Web App Service. 
' - group: cloud-weak-configuration - name: 11e9a948-c6c3-4a0f-8dcf-b5cf1763cdbe - pretty_name: Web App Accepting Traffic Other Than HTTPS - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/app_service#https_only - 1239f54b-33de-482a-8132-faebe288e6a6: - categories: - - ALL - - boost-baseline - description: 'Google Storage Bucket Level Access should be enabled ' - group: cloud-weak-configuration - name: 1239f54b-33de-482a-8132-faebe288e6a6 - pretty_name: Google Storage Bucket Level Access Disabled - recommended: true - ref: https://cloud.google.com/storage/docs/json_api/v1/buckets - 124b173b-e06d-48a6-8acd-f889443d97a4: - categories: - - ALL - description: 'A list of Cassandra resources found. Amazon Cassandra is an open-source - NoSQL database designed to store data for applications that require fast read - and write performance ' - group: supply-chain-missing-artifact-integrity-verification - name: 124b173b-e06d-48a6-8acd-f889443d97a4 - pretty_name: BOM - AWS Cassandra - ref: https://kics.io/ - 126c1788-23c2-4a10-906c-ef179f4f96ec: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'ELB Predefined or Custom Security Policies must not use insecure - protocols, to reduce the risk of the SSL connection between the client and the - load balancer being exploited. That means the ''name'' of ''policy_attributes'' - must not coincide with any of a predefined list of insecure protocols. 
' - group: top10-crypto-failures - name: 126c1788-23c2-4a10-906c-ef179f4f96ec - pretty_name: ELB Using Insecure Protocols - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/load_balancer_policy - 12726829-93ed-4d51-9cbe-13423f4299e1: - categories: - - ALL - - boost-baseline - description: 'Amazon Simple Queue Service (SQS) queue should protect the contents - of their messages using Server-Side Encryption (SSE) ' - group: top10-crypto-failures - name: 12726829-93ed-4d51-9cbe-13423f4299e1 - pretty_name: SQS With SSE Disabled - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-sqs-queues.html#aws-sqs-queue-kmsmasterkeyid - 128df7ec-f185-48bc-8913-ce756a3ccb85: - categories: - - ALL - - boost-baseline - description: 'Running outdated versions of Google Kubernetes Engine (GKE) can - expose it to known vulnerabilities and attacks. To reduce these risks, it is - recommended to ensure that GKE is always running the latest version. ' - group: top10-insecure-design - name: 128df7ec-f185-48bc-8913-ce756a3ccb85 - pretty_name: Outdated GKE Version - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_cluster#master_version - 12933609-c5bf-44b4-9a41-a6467c3b685b: - categories: - - ALL - description: 'A list of RDS resources found. Amazon Relational Database Service - (Amazon RDS) is a collection of managed services that makes it simple to set - up, operate, and scale databases in the cloud. 
' - group: supply-chain-missing-artifact-integrity-verification - name: 12933609-c5bf-44b4-9a41-a6467c3b685b - pretty_name: BOM - AWS RDS - ref: https://kics.io/ - 12944ec4-1fa0-47be-8b17-42a034f937c2: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Storage Accounts should enforce the use of HTTPS ' - group: top10-crypto-failures - name: 12944ec4-1fa0-47be-8b17-42a034f937c2 - pretty_name: Storage Account Not Forcing HTTPS - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account - 12a7210b-f4b4-47d0-acac-0a819e2a0ca3: - categories: - - ALL - - boost-baseline - description: 'If a response is head or its code is 204 or 304, it shouldn''t have - a content defined ' - group: cloud-resources-public-access - name: 12a7210b-f4b4-47d0-acac-0a819e2a0ca3 - pretty_name: Response on operations that should not have a body has declared content - (v3) - recommended: true - ref: https://swagger.io/docs/specification/describing-responses/ - 12a7a7ce-39d6-49dd-923d-aeb4564eb66c: - categories: - - ALL - - boost-baseline - description: 'IAM Policy should not grant ''AssumeRole'' permission across all - services. 
' - group: cloud-insecure-iam - name: 12a7a7ce-39d6-49dd-923d-aeb4564eb66c - pretty_name: IAM Policy Grants 'AssumeRole' Permission Across All Services - recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/community/aws/iam_managed_policy_module.html - 12b7e704-37f0-4d1e-911a-44bf60c48c21: - categories: - - ALL - - boost-baseline - description: 'IAM role allows all services or principals to assume it ' - group: cloud-insecure-iam - name: 12b7e704-37f0-4d1e-911a-44bf60c48c21 - pretty_name: IAM Role Allows All Principals To Assume - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role - 132a8c31-9837-4203-9fd1-15ca210c7b73: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'SSO policies should be configured to grant limited administrative - privileges, rather than full access to all resources. This approach allows for - better security and control over the resources being accessed. ' - group: cloud-insecure-iam - name: 132a8c31-9837-4203-9fd1-15ca210c7b73 - pretty_name: SSO Policy with full privileges - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssoadmin_permission_set_inline_policy - 133fee21-37ef-45df-a563-4d07edc169f4: - categories: - - ALL - - boost-baseline - description: 'AWS Key Management Service (KMS) must only possess usable Customer - Master Keys (CMK), which means the CMKs must have the attribute ''enabled'' - set to true and the attribute ''pending_window'' must be undefined. 
' - group: top10-insecure-design - name: 133fee21-37ef-45df-a563-4d07edc169f4 - pretty_name: CMK Is Unusable - recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/community/aws/aws_kms_module.html#parameter-enabled - 1367dd13-2c90-4020-80b7-e4339a3dc2c4: - categories: - - ALL - - boost-baseline - - boost-hardened - description: '''Microsoft.Storage/storageAccounts'' should force the use of HTTPS ' - group: top10-crypto-failures - name: 1367dd13-2c90-4020-80b7-e4339a3dc2c4 - pretty_name: Storage Account Allows Unsecure Transfer - recommended: true - ref: https://docs.microsoft.com/en-us/azure/templates/microsoft.storage/storageaccounts?tabs=json#storageaccountpropertiescreateparameters-object - 13a49a2e-488e-4309-a7c0-d6b05577a5fb: - categories: - - ALL - - boost-baseline - description: 'When using kube-apiserver command, the ''--audit-policy-file'' flag - should be defined ' - group: top10-security-logging-monitoring-failures - name: 13a49a2e-488e-4309-a7c0-d6b05577a5fb - pretty_name: Audit Policy File Not Defined - recommended: true - ref: https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/ - 1402afd8-a95c-4e84-8b0b-6fb43758e6ce: - categories: - - ALL - - boost-baseline - description: 'Lambda access/secret keys should not be hardcoded ' - group: cloud-weak-secrets-management - name: 1402afd8-a95c-4e84-8b0b-6fb43758e6ce - pretty_name: Hardcoded AWS Access Key In Lambda - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_function - 140869ea-25f2-40d4-a595-0c0da135114e: - categories: - - ALL - - boost-baseline - description: '''log_connections'' parameter should be set to ON for RDS instances ' - group: top10-security-logging-monitoring-failures - name: 140869ea-25f2-40d4-a595-0c0da135114e - pretty_name: RDS Instance Log Connections Disabled - recommended: true - ref: 
https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/db_instance#parameters - 1419b4c6-6d5c-4534-9cf6-6a5266085333: - categories: - - ALL - - boost-baseline - description: 'All AWS CloudFront distributions should be integrated with the Web - Application Firewall (AWS WAF) service ' - group: cloud-resources-public-access - name: 1419b4c6-6d5c-4534-9cf6-6a5266085333 - pretty_name: CloudFront Without WAF - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_distribution - 1455cb21-1d48-46d6-8ae3-cef911b71fd5: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'ECS Launch Template should have the data in the disk encrypted. - To encrypt the data, the ''encrypted'' argument should be set to true. ' - group: top10-crypto-failures - name: 1455cb21-1d48-46d6-8ae3-cef911b71fd5 - pretty_name: Launch Template Is Not Encrypted - recommended: true - ref: https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/launch_template#encrypted - 149fa56c-4404-4f90-9e25-d34b676d5b39: - categories: - - ALL - - boost-baseline - description: 'Azure Container Service (AKS) instance should have role-based access - control (RBAC) enabled ' - group: cloud-insecure-iam - name: 149fa56c-4404-4f90-9e25-d34b676d5b39 - pretty_name: AKS RBAC Disabled - recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_aks_module.html - 14a457f0-473d-4d1d-9e37-6d99b355b336: - categories: - - ALL - - boost-baseline - description: 'This query confirms if Google Compute SSL Policy Weak Chyper Suits - is Enabled, to do so we need to check if TLS is TLS_1_2, because other version - have Weak Chypers ' - group: top10-crypto-failures - name: 14a457f0-473d-4d1d-9e37-6d99b355b336 - pretty_name: Google Compute SSL Policy Weak Cipher In Use - recommended: true - ref: 
https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_ssl_policy - 14abda69-8e91-4acb-9931-76e2bee90284: - categories: - - ALL - - boost-baseline - description: 'When using kube-apiserver command, the --enable-admission-plugins - flag should have ''ImagePolicyWebhook'' plugin and the plugin should be correctly - configured in AdmissionControl Config file ' - group: supply-chain-cicd-weak-configuration - name: 14abda69-8e91-4acb-9931-76e2bee90284 - pretty_name: Image Policy Webhook Admission Control Plugin Not Set - recommended: true - ref: https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/ - 151187cb-0efc-481c-babd-ad24e3c9bc22: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'The Remote Desktop port is open to the internet in a Security Group ' - group: cloud-resources-public-access - name: 151187cb-0efc-481c-babd-ad24e3c9bc22 - pretty_name: Remote Desktop Port Open To Internet - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group - 151331e2-11f4-4bb6-bd35-9a005e695087: - categories: - - ALL - - boost-baseline - description: 'Components object fixed fields (schemas, responses, parameters, - examples, requestBodies, headers, securitySchemes, links, and callbacks) should - use keys that match the following REGEX: ^[a-zA-Z0-9\.\-_]+$ ' - group: top10-insecure-design - name: 151331e2-11f4-4bb6-bd35-9a005e695087 - pretty_name: Components Object Fixed Field Key Improperly Named - recommended: true - ref: https://swagger.io/specification/#components-object - 15ccec05-5476-4890-ad19-53991eba1db8: - categories: - - ALL - - boost-baseline - description: 'API Gateway Method should restrict the authorization type, except - for the HTTP OPTIONS method. 
' - group: cloud-weak-configuration - name: 15ccec05-5476-4890-ad19-53991eba1db8 - pretty_name: API Gateway With Open Access - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_method - 15d8a7fd-465a-4d15-a868-add86552f17b: - categories: - - ALL - - boost-baseline - description: 'Repositories must be set to private, which means the attribute ''visibility'' - must be set to ''private'' and/or the attribute ''private'' must be set to true - (the attribute ''visibility'' overrides ''private'') ' - group: cloud-weak-configuration - name: 15d8a7fd-465a-4d15-a868-add86552f17b - pretty_name: GitHub Repository Set To Public - recommended: true - ref: https://www.terraform.io/docs/providers/github/r/repository.html - 15e6ad8c-f420-49a6-bafb-074f5eb1ec74: - categories: - - ALL - - boost-baseline - description: 'Group with privilege escalation by actions ''ec2:RunInstances'' - and ''iam:PassRole'' and Resource set to ''*''. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. 
' - group: cloud-insecure-iam - name: 15e6ad8c-f420-49a6-bafb-074f5eb1ec74 - pretty_name: Group With Privilege Escalation By Actions 'ec2:RunInstances' And - 'iam:PassRole' - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_policy#policy - 15ffbacc-fa42-4f6f-a57d-2feac7365caa: - categories: - - ALL - - boost-baseline - description: 'Make sure Logging is enabled for Redshift Cluster ' - group: top10-security-logging-monitoring-failures - name: 15ffbacc-fa42-4f6f-a57d-2feac7365caa - pretty_name: Redshift Cluster Logging Disabled - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/redshift_cluster#enable - 165aae3b-a56a-48f3-b76d-d2b5083f5b8f: - categories: - - ALL - - boost-baseline - description: 'Serverless Function should not share IAM Role to ensure it will - have the minimum privileges needed to perform the required tasks ' - group: cloud-weak-configuration - name: 165aae3b-a56a-48f3-b76d-d2b5083f5b8f - pretty_name: Serverless Function Without Unique IAM Role - recommended: true - ref: https://www.serverless.com/framework/docs/providers/aws/guide/serverless.yml#functions - 16732649-4ff6-4cd2-8746-e72c13fae4b8: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'RDS should not run in public subnet ' - group: cloud-resources-public-access - name: 16732649-4ff6-4cd2-8746-e72c13fae4b8 - pretty_name: RDS Associated with Public Subnet - recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/community/aws/rds_instance_module.html#parameter-db_subnet_group_name - 16c4216a-50d3-4785-bfb2-4adb5144a8ba: - categories: - - ALL - - boost-baseline - description: 'Elasticsearch Domain policy should avoid wildcard in ''Action'' - and ''Principal''. 
' - group: cloud-insecure-iam - name: 16c4216a-50d3-4785-bfb2-4adb5144a8ba - pretty_name: Elasticsearch Domain With Vulnerable Policy - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/elasticsearch_domain_policy#access_policies - 16cc87d1-dd47-4f46-b3ce-4dfcac8fd2f5: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'KMS Crypto Key should not be publicly accessible. In other words, - the KMS Crypto Key policy should not set ''allUsers'' or ''allAuthenticatedUsers'' - in the attribute ''member''/''members'' ' - group: top10-crypto-failures - name: 16cc87d1-dd47-4f46-b3ce-4dfcac8fd2f5 - pretty_name: KMS Crypto Key is Publicly Accessible - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_kms_crypto_key_iam#google_kms_crypto_key_iam_policy - 16e0879a-c4ae-4ff8-a67d-a2eed5d67b8f: - categories: - - ALL - - boost-baseline - description: 'Make sure that for PostgreSQL Database, server parameter ''log_duration'' - is set to ''ON'' ' - group: top10-security-logging-monitoring-failures - name: 16e0879a-c4ae-4ff8-a67d-a2eed5d67b8f - pretty_name: PostgreSQL Log Duration Not Set - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/postgresql_configuration - 17172bc2-56fb-4f17-916f-a014147706cd: - categories: - - ALL - - boost-baseline - description: 'Ensure that the cluster-admin role is only used where required (RBAC) ' - group: cloud-insecure-iam - name: 17172bc2-56fb-4f17-916f-a014147706cd - pretty_name: Cluster Admin Rolebinding With Superuser Permissions - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/cluster_role_binding#name - 1743f5f1-0bb0-4934-acef-c80baa5dadfa: - categories: - - ALL - - boost-baseline - description: 'User with privilege escalation by actions ''iam:CreatePolicyVersion'' - and Resource set to ''*''. 
For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. ' - group: cloud-insecure-iam - name: 1743f5f1-0bb0-4934-acef-c80baa5dadfa - pretty_name: User With Privilege Escalation By Actions 'iam:CreatePolicyVersion' - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy#policy - 17b30f8f-8dfb-4597-adf6-57600b6cf25e: - categories: - - ALL - - boost-baseline - description: 'CloudTrail should be integrated with CloudWatch ' - group: top10-security-logging-monitoring-failures - name: 17b30f8f-8dfb-4597-adf6-57600b6cf25e - pretty_name: CloudTrail Not Integrated With CloudWatch - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudtrail - 17d5ba1d-7667-4729-b1a6-b11fde3db7f7: - categories: - - ALL - - boost-baseline - description: 'Make sure that retain_stack is enabled to keep the Stack and it''s - associated resources during resource destruction ' - group: top10-software-data-integrity-failures - name: 17d5ba1d-7667-4729-b1a6-b11fde3db7f7 - pretty_name: Stack Retention Disabled - recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/community/aws/cloudformation_stack_set_module.html#parameter-purge_stacks - 17e52ca3-ddd0-4610-9d56-ce107442e110: - categories: - - ALL - - boost-baseline - description: 'The Horizontal Pod Autoscaler must target a valid object ' - group: top10-insecure-design - name: 17e52ca3-ddd0-4610-9d56-ce107442e110 - pretty_name: HPA Targets Invalid Object - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/horizontal_pod_autoscaler#metric - 17f75827-0684-48f4-8747-61129c7e4198: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Storage Account should not be public to grant the principle of least - privileges ' - group: cloud-insecure-iam - name: 17f75827-0684-48f4-8747-61129c7e4198 - 
pretty_name: Public Storage Account - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account - 1819ac03-542b-4026-976b-f37addd59f3b: - categories: - - ALL - - boost-baseline - description: 'EBS Volumes that are unattached to instances may contain sensitive - data ' - group: top10-insecure-design - name: 1819ac03-542b-4026-976b-f37addd59f3b - pretty_name: EBS Volume Not Attached To Instances - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-ebs-volumeattachment.html - 181bd815-767e-4e95-a24d-bb3c87328e19: - categories: - - ALL - - boost-baseline - description: 'Numeric schema (type set to ''integer'' or ''number'') should have - ''minimum'' defined. ' - group: cloud-weak-configuration - name: 181bd815-767e-4e95-a24d-bb3c87328e19 - pretty_name: Numeric Schema Without Minimum (v3) - recommended: true - ref: https://swagger.io/specification/#schema-object - 1828a670-5957-4bc5-9974-47da228f75e2: - categories: - - ALL - - boost-baseline - description: 'Audit Policy should cover key security concerns about the sensitive - data logged in Kubernetes audit policies ' - group: top10-security-logging-monitoring-failures - name: 1828a670-5957-4bc5-9974-47da228f75e2 - pretty_name: Audit Policy Not Cover Key Security Concerns - recommended: true - ref: https://kubernetes.io/docs/tasks/debug-application-cluster/audit/ - 18d3a83d-4414-49dc-90ea-f0387b2856cc: - categories: - - ALL - - boost-baseline - description: 'Compute instances must be launched with Shielded VM enabled, which - means the attribute ''shielded_instance_config'' must be defined and its sub - attributes ''enable_secure_boot'', ''enable_vtpm'' and ''enable_integrity_monitoring'' - must be set to true ' - group: cloud-weak-configuration - name: 18d3a83d-4414-49dc-90ea-f0387b2856cc - pretty_name: Shielded VM Disabled - recommended: true - ref: 
https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_compute_instance_module.html - 1908a8ee-927d-4166-8f18-241152170cc1: - categories: - - ALL - - boost-baseline - description: 'Patch should define at least one success response (200, 201, 202 - or 204) ' - group: cloud-resources-public-access - name: 1908a8ee-927d-4166-8f18-241152170cc1 - pretty_name: Success Response Code Undefined for Patch Operation (v3) - recommended: true - ref: https://swagger.io/specification/#operation-object - 192fe40b-b1c3-448a-aba2-6cc19a300fe3: - categories: - - ALL - - boost-baseline - description: 'Cronjobs must have a configured deadline, which means the attribute - ''startingDeadlineSeconds'' must be defined ' - group: cloud-insecure-iam - name: 192fe40b-b1c3-448a-aba2-6cc19a300fe3 - pretty_name: CronJob Deadline Not Configured - recommended: true - ref: https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/ - 194ef1f8-360e-4c14-8ed2-e83e2bafa142: - categories: - - ALL - - boost-baseline - description: The path parameter must have a corresponding template path for a - given operation - group: top10-insecure-design - name: 194ef1f8-360e-4c14-8ed2-e83e2bafa142 - pretty_name: Path Parameter With No Corresponding Template Path (v2) - recommended: true - ref: https://swagger.io/specification/v2/#pathTemplating - 19c9e2a0-fc33-4264-bba1-e3682661e8f7: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Kubernetes Engine Clusters must have Stackdriver Logging enabled, - which means the attribute ''logging_service'' must be defined and different - from ''none'' ' - group: top10-security-logging-monitoring-failures - name: 19c9e2a0-fc33-4264-bba1-e3682661e8f7 - pretty_name: Stackdriver Logging Disabled - recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_container_cluster_module.html - 19ebaa28-fc86-4a58-bcfa-015c9e22fe40: - categories: - - ALL - - boost-baseline - description: 'Containers should 
not have extra capabilities allowed ' - group: cloud-weak-configuration - name: 19ebaa28-fc86-4a58-bcfa-015c9e22fe40 - pretty_name: Containers With Added Capabilities - recommended: true - ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ - 19ffbe31-9d72-4379-9768-431195eae328: - categories: - - ALL - - boost-baseline - description: 'User with privilege escalation by actions ''cloudformation:CreateStack'' - and ''iam:PassRole'' and Resource set to ''*''. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. ' - group: cloud-insecure-iam - name: 19ffbe31-9d72-4379-9768-431195eae328 - pretty_name: User With Privilege Escalation By Actions 'cloudformation:CreateStack' - And 'iam:PassRole' - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy#policy - 1a07a446-8e61-4e4d-bc16-b0781fcb8211: - categories: - - ALL - - boost-baseline - description: 'When using the kubelet command, the ''--event-qps'' should be set - to 0 ' - group: top10-security-logging-monitoring-failures - name: 1a07a446-8e61-4e4d-bc16-b0781fcb8211 - pretty_name: Kubelet Event QPS Not Properly Set - recommended: true - ref: https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/ - 1a1aea94-745b-40a7-b860-0702ea6ee636: - categories: - - ALL - - boost-baseline - description: 'Schema Object should not reference it self in ''allOf'', ''oneOf'', - ''anyOf'' and ''not'' properties ' - group: top10-insecure-design - name: 1a1aea94-745b-40a7-b860-0702ea6ee636 - pretty_name: Schema Object With Circular Ref (v3) - recommended: true - ref: https://swagger.io/specification/#schema-object - 1a427b25-2e9e-4298-9530-0499a55e736b: - categories: - - ALL - - boost-baseline - description: 'AWS Security Group Ingress should not specify all protocols to prevent - allow traffic on all ports ' - group: cloud-resources-public-access - name: 
1a427b25-2e9e-4298-9530-0499a55e736b - pretty_name: Security Group Ingress With All Protocols - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-security-group-ingress.html - 1a4bc881-9f69-4d44-8c9a-d37d08f54c50: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'S3 bucket allows public policy ' - group: cloud-insecure-iam - name: 1a4bc881-9f69-4d44-8c9a-d37d08f54c50 - pretty_name: S3 Bucket Allows Public Policy - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block - 1a690d1d-0ae7-49fa-b2db-b75ae0dd1d3e: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Amazon Aurora does not have encryption for data at rest enabled. - To prevent such a scenario, update the attribute ''StorageEncrypted'' to ''true''. ' - group: top10-crypto-failures - name: 1a690d1d-0ae7-49fa-b2db-b75ae0dd1d3e - pretty_name: Aurora With Disabled at Rest Encryption - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/rds_cluster#storage_encrypted - 1aa4a1ae-5dbb-48a1-9aa2-630ea4be208e: - categories: - - ALL - - boost-baseline - description: 'When using kube-apiserver command, the ''authorization-mode'' flag - should have ''RBAC'' mode ' - group: cloud-insecure-iam - name: 1aa4a1ae-5dbb-48a1-9aa2-630ea4be208e - pretty_name: Authorization Mode RBAC Not Set - recommended: true - ref: https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/ - 1acd93f1-5a37-45c0-aaac-82ece818be7d: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'When using kube-controller-manager commands, the ''--use-service-account-credentials'' - should be set to true ' - group: cloud-insecure-iam - name: 1acd93f1-5a37-45c0-aaac-82ece818be7d - pretty_name: Use Service Account Credentials Not Set To True - recommended: true - ref: 
https://kubernetes.io/docs/reference/command-line-tools-reference/kube-controller-manager/ - 1afbb3fa-cf6c-4a3d-b730-95e9f4df343e: - categories: - - ALL - - boost-baseline - description: 'ElastiCache Replication Group encryption should be enabled at Transit ' - group: top10-crypto-failures - name: 1afbb3fa-cf6c-4a3d-b730-95e9f4df343e - pretty_name: ElastiCache Replication Group Not Encrypted At Transit - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/elasticache_replication_group#transit_encryption_enabled - 1b3af2f9-af8c-4dfc-a0f1-a03adb70deb2: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'It is not advisable for AWS Lambda Functions to have privileged - permissions. ' - group: cloud-weak-configuration - name: 1b3af2f9-af8c-4dfc-a0f1-a03adb70deb2 - pretty_name: Lambda Function With Privileged Role - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_function - 1b44e234-3d73-41a8-9954-0b154135280e: - categories: - - ALL - - boost-baseline - description: 'Compute instances must be launched with Shielded VM enabled, which - means the attribute ''shielded_instance_config'' must be defined and its sub - attributes ''enable_secure_boot'', ''enable_vtpm'' and ''enable_integrity_monitoring'' - must be set to true ' - group: cloud-weak-configuration - name: 1b44e234-3d73-41a8-9954-0b154135280e - pretty_name: Shielded VM Disabled - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_instance#shielded_instance_config - 1b4565c0-4877-49ac-ab03-adebbccd42ae: - categories: - - ALL - - boost-baseline - - boost-hardened - description: '''0.0.0.0'' or ''0.0.0.0/0'' should not be in ''security_ips'' list ' - group: cloud-weak-configuration - name: 1b4565c0-4877-49ac-ab03-adebbccd42ae - pretty_name: RDS DB Instance Publicly Accessible - recommended: true - ref: 
https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/db_instance#security_ips - 1b6322d9-c755-4f8c-b804-32c19250f2d9: - categories: - - ALL - - boost-baseline - description: 'Check if AWS config rules do not identify Encrypted Volumes as a - source. ' - group: top10-crypto-failures - name: 1b6322d9-c755-4f8c-b804-32c19250f2d9 - pretty_name: Config Rule For Encrypted Volumes Disabled - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-config-configrule.html#cfn-config-configrule-source - 1b6799eb-4a7a-4b04-9001-8cceb9999326: - categories: - - ALL - - boost-baseline - description: 'API Gateway should have Access Log Settings defined ' - group: top10-security-logging-monitoring-failures - name: 1b6799eb-4a7a-4b04-9001-8cceb9999326 - pretty_name: API Gateway Access Logging Disabled - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_stage#access_log_settings - 1bc1c685-e593-450e-88fb-19db4c82aa1d: - categories: - - ALL - - boost-baseline - description: 'IAM password should have the required minimum length ' - group: top10-insecure-design - name: 1bc1c685-e593-450e-88fb-19db4c82aa1d - pretty_name: IAM Password Without Minimum Length - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_account_password_policy - 1bc3205c-0d60-44e6-84f3-44fbf4dac5b3: - categories: - - ALL - - boost-baseline - description: 'Oauth 1.0 is deprecated, OAuth2 should be used instead ' - group: cloud-insecure-iam - name: 1bc3205c-0d60-44e6-84f3-44fbf4dac5b3 - pretty_name: Security Scheme Using Oauth 1.0 - recommended: true - ref: https://swagger.io/specification/#security-scheme-object - 1bc367f6-901d-4870-ad0c-71d79762ef52: - categories: - - ALL - - boost-baseline - description: 'Content Delivery Network (CDN) service is used within an AWS account - to secure and accelerate the delivery of websites. 
The use of a CDN can provide - a layer of security between your origin content and the destination. ' - group: top10-insecure-design - name: 1bc367f6-901d-4870-ad0c-71d79762ef52 - pretty_name: CDN Configuration Is Missing - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_distribution - 1bc398a8-d274-47de-a4c8-6ac867b353de: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Trusted Microsoft Services should be enabled for Storage Account - access ' - group: cloud-resources-public-access - name: 1bc398a8-d274-47de-a4c8-6ac867b353de - pretty_name: Trusted Microsoft Services Not Enabled - recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_storageaccount_module.html#parameter-network_acls/bypass - 1bcdf9f0-b1aa-40a4-b8c6-cd7785836843: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'API Gateway API protocol should be set to HTTPS ' - group: cloud-resources-public-access - name: 1bcdf9f0-b1aa-40a4-b8c6-cd7785836843 - pretty_name: API Gateway API Protocol Not HTTPS - recommended: true - ref: https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/api_gateway_api#protocol - 1bf3b3d4-f373-4d7c-afbb-7d85948a67a5: - categories: - - ALL - - boost-baseline - description: 'DocDB logging should be enabled ' - group: top10-security-logging-monitoring-failures - name: 1bf3b3d4-f373-4d7c-afbb-7d85948a67a5 - pretty_name: DocDB Logging Is Disabled - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-docdb-dbcluster.html#cfn-docdb-dbcluster-enablecloudwatchlogsexports - 1c07bfaf-663c-4f6f-b22b-8e2d481e4df5: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Customer Master Keys (CMK) must have rotation enabled, which means - the attribute ''EnableKeyRotation'' must be set to ''true'' when the key is - enabled. 
' - group: top10-security-logging-monitoring-failures - name: 1c07bfaf-663c-4f6f-b22b-8e2d481e4df5 - pretty_name: CMK Rotation Disabled - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-kms-key.html - 1c1325ff-831d-43a1-973e-839ae57dfcc0: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Container has sensitive host directory mounted as a volume ' - group: supply-chain-cicd-weak-configuration - name: 1c1325ff-831d-43a1-973e-839ae57dfcc0 - pretty_name: Volume Has Sensitive Host Directory - recommended: true - ref: https://docs.docker.com/compose/compose-file/compose-file-v3/#volume-configuration-reference - 1c621b8e-2c6a-44f5-bd6a-fb0fb7ba33e2: - categories: - - ALL - - boost-baseline - description: 'The RotateKubeletServerCertificate argument should be true ' - group: cloud-weak-secrets-management - name: 1c621b8e-2c6a-44f5-bd6a-fb0fb7ba33e2 - pretty_name: Rotate Kubelet Server Certificate Not Active - recommended: true - ref: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/ - 1c8eef02-17b1-4a3e-b01d-dcc3292d2c38: - categories: - - ALL - - boost-baseline - description: 'Kubernetes Engine Clusters should not be configured to use the default - service account ' - group: cloud-weak-configuration - name: 1c8eef02-17b1-4a3e-b01d-dcc3292d2c38 - pretty_name: GKE Using Default Service Account - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_cluster#node_config - 1cc2fbd7-816c-4fbf-ad6d-38a4afa4312a: - categories: - - ALL - - boost-baseline - description: 'AWS Security Group Egress CIDR should not be open to the world ' - group: cloud-resources-public-access - name: 1cc2fbd7-816c-4fbf-ad6d-38a4afa4312a - pretty_name: Security Group Egress CIDR Open To World - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-security-group-egress.html 
- 1d6e16f1-5d8a-4379-bfb3-2dadd38ed5a7: - categories: - - ALL - - boost-baseline - description: 'Lambda Permission Principal should not contain a wildcard. ' - group: cloud-insecure-iam - name: 1d6e16f1-5d8a-4379-bfb3-2dadd38ed5a7 - pretty_name: Lambda Permission Principal Is Wildcard - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-lambda-permission.html - 1d972c56-8ec2-48c1-a578-887adb09c57a: - categories: - - ALL - - boost-baseline - description: 'Lambda Permission Principal should not contain a wildcard. ' - group: cloud-insecure-iam - name: 1d972c56-8ec2-48c1-a578-887adb09c57a - pretty_name: Lambda Permission Principal Is Wildcard - recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/community/aws/lambda_policy_module.html - 1db3a5a5-bf75-44e5-9e44-c56cfc8b1ac5: - categories: - - ALL - - boost-baseline - description: 'StatefulSets should be assigned with a PodDisruptionBudget to ensure - high availability ' - group: top10-insecure-design - name: 1db3a5a5-bf75-44e5-9e44-c56cfc8b1ac5 - pretty_name: StatefulSet Without PodDisruptionBudget - recommended: true - ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/ - 1dc73fb4-5b51-430c-8c5f-25dcf9090b02: - categories: - - ALL - - boost-baseline - description: 'Make sure the AWS RDS configuration has automatic backup configured. 
- If the retention period is equal to 0 there is no backup ' - group: top10-software-data-integrity-failures - name: 1dc73fb4-5b51-430c-8c5f-25dcf9090b02 - pretty_name: RDS With Backup Disabled - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance - 1de5cc51-f376-4638-a940-20f2e85ae238: - categories: - - ALL - - boost-baseline - description: 'When using the kubelet or kube-apiserver command, the ''anonymous-auth'' - flag should be set to false (--anonymous-auth=false) ' - group: cloud-insecure-iam - name: 1de5cc51-f376-4638-a940-20f2e85ae238 - pretty_name: Anonymous Auth Is Not Set To False - recommended: true - ref: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/ - 1df37f4b-7197-45ce-83f8-9994d2fcf885: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'S3 Buckets must not allow Get Action From All Principals, as to - prevent leaking private information to the entire internet or allow unauthorized - data tampering / deletion. This means the ''Effect'' must not be ''Allow'' when - the ''Action'' is Get, for all Principals. ' - group: cloud-insecure-iam - name: 1df37f4b-7197-45ce-83f8-9994d2fcf885 - pretty_name: S3 Bucket Allows Get Action From All Principals - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy - 1e0ef61b-ad85-4518-a3d3-85eaad164885: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'The IP address in a DB Security Group should not be ''0.0.0.0/0'' - (IPv4) or ''::/0'' (IPv6). 
If so, any IP can access it ' - group: cloud-resources-public-access - name: 1e0ef61b-ad85-4518-a3d3-85eaad164885 - pretty_name: DB Security Group With Public Scope - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_security_group - 1e2341ba-a5cf-4f0a-a5f6-47e90c68ea89: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'User Data Shell Script must be encoded ' - group: top10-crypto-failures - name: 1e2341ba-a5cf-4f0a-a5f6-47e90c68ea89 - pretty_name: User Data Shell Script Is Encoded - recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/community/aws/ec2_lc_module.html - 1e434b25-8763-4b00-a5ca-ca03b7abbb66: - categories: - - ALL - - boost-baseline - description: 'All names should follow snake case pattern. ' - group: top10-insecure-design - name: 1e434b25-8763-4b00-a5ca-ca03b7abbb66 - pretty_name: Name Is Not Snake Case - recommended: true - ref: https://www.terraform.io/docs/extend/best-practices/naming.html#naming - 1e5f5307-3e01-438d-8da6-985307ed25ce: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'No Network Security Group is attached to the Virtual Machine ' - group: cloud-weak-configuration - name: 1e5f5307-3e01-438d-8da6-985307ed25ce - pretty_name: VM Not Attached To Network - recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_virtualmachine_module.html#parameter-network_interface_names - 1e749bc9-fde8-471c-af0c-8254efd2dee5: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'No role nor cluster role should bind to a default service account ' - group: cloud-weak-configuration - name: 1e749bc9-fde8-471c-af0c-8254efd2dee5 - pretty_name: Role Binding To Default Service Account - recommended: true - ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/ - 1ec253ab-c220-4d63-b2de-5b40e0af9293: - categories: - - ALL - - 
boost-baseline - - boost-hardened - description: 'S3 bucket without restriction of public bucket ' - group: cloud-weak-configuration - name: 1ec253ab-c220-4d63-b2de-5b40e0af9293 - pretty_name: S3 Bucket Without Restriction Of Public Bucket - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block - 1fe9d958-ddce-4228-a124-05265a959a8b: - categories: - - ALL - - boost-baseline - description: 'RDS should not use the default port (an attacker can easily guess - the port). For engines related to Aurora, MariaDB or MySQL, the default port - is 3306. PostgreSQL default port is 5432, Oracle default port is 1521 and SQL - Server default port is 1433 ' - group: cloud-resources-public-access - name: 1fe9d958-ddce-4228-a124-05265a959a8b - pretty_name: RDS Using Default Port - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-rds-database-instance.html#cfn-rds-dbinstance-port - 1ffe7bf7-563b-4b3d-a71d-ba6bd8d49b37: - categories: - - ALL - - boost-baseline - description: 'When using kube-apiserver command, the ''--disable-admission-plugins'' - flag should not have ''NamespaceLifecycle'' plugin ' - group: supply-chain-cicd-weak-configuration - name: 1ffe7bf7-563b-4b3d-a71d-ba6bd8d49b37 - pretty_name: Namespace Lifecycle Admission Control Plugin Disabled - recommended: true - ref: https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/ - 20018359-6fd7-4d05-ab26-d4dffccbdf79: - categories: - - ALL - - boost-baseline - description: 'ELB should have logging enabled to help on error investigation ' - group: top10-security-logging-monitoring-failures - name: 20018359-6fd7-4d05-ab26-d4dffccbdf79 - pretty_name: ELB Access Log Disabled - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/elb#enabled - 20180133-a0d0-4745-bfe0-94049fbb12a9: - categories: - - ALL - - boost-baseline - - 
boost-hardened - description: 'Kubernetes Clusters must be created with Client Certificate enabled, - which means ''master_auth'' must have ''client_certificate_config'' with the - attribute ''issue_client_certificate'' equal to true ' - group: cloud-weak-configuration - name: 20180133-a0d0-4745-bfe0-94049fbb12a9 - pretty_name: Client Certificate Disabled - recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_container_cluster_module.html - 2034fb37-bc23-4ca0-8d95-2b9f15829ab5: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'ELB Predefined or Custom Security Policies must not use weak ciphers, - to reduce the risk of the SSL connection between the client and the load balancer - being exploited. That means the ''SslPolicy'' of ''listeners'' must not coincide - with any of a predefined list of weak ciphers. ' - group: top10-crypto-failures - name: 2034fb37-bc23-4ca0-8d95-2b9f15829ab5 - pretty_name: ELB Using Weak Ciphers - recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/community/aws/elb_application_lb_module.html - 203eee11-15b6-4d47-b888-4c7f534967ee: - categories: - - ALL - - boost-baseline - description: Numeric schema (type set to 'integer' or 'number') should have 'maximum' - defined. 
- group: cloud-weak-configuration - name: 203eee11-15b6-4d47-b888-4c7f534967ee - pretty_name: Numeric Schema Without Maximum (v2) - recommended: true - ref: https://swagger.io/specification/v2/#schemaObject - 2059155b-27fd-441e-b616-6966c468561f: - categories: - - ALL - - boost-baseline - description: 'API Gateway should have X-Ray Tracing enabled ' - group: top10-security-logging-monitoring-failures - name: 2059155b-27fd-441e-b616-6966c468561f - pretty_name: API Gateway X-Ray Disabled - recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/community/aws/aws_api_gateway_module.html#parameter-tracing_enabled - 2081c7d6-2851-4cce-bda5-cb49d462da42: - categories: - - ALL - - boost-baseline - description: 'Azure Security Center provides more features for standard pricing - mode, so it must be activated. ' - group: cloud-resources-public-access - name: 2081c7d6-2851-4cce-bda5-cb49d462da42 - pretty_name: Standard Price Is Not Selected - recommended: true - ref: https://docs.microsoft.com/en-us/azure/templates/microsoft.security/pricings?tabs=json#pricingproperties-object - 209189f3-c879-48a7-9703-fbcfa96d0cef: - categories: - - ALL - description: 'A list of MQ resources found. Amazon MQ is a managed message broker - service for Apache ActiveMQ and RabbitMQ that makes it easy to set up and operate - message brokers on AWS. 
' - group: supply-chain-missing-artifact-integrity-verification - name: 209189f3-c879-48a7-9703-fbcfa96d0cef - pretty_name: BOM - AWS MQ - ref: https://kics.io/ - 20a482d5-c5d9-4a7a-b7a4-60d0805047b4: - categories: - - ALL - - boost-baseline - description: 'Security operation field should be defined in ''#/components/securitySchemes'' ' - group: top10-insecure-design - name: 20a482d5-c5d9-4a7a-b7a4-60d0805047b4 - pretty_name: Security Operation Field Undefined - recommended: true - ref: https://swagger.io/specification/#operation-object - 20cb3159-b219-496b-8dac-54ae3ab2021a: - categories: - - ALL - - boost-baseline - description: 'Non-Array Schema should not have ''items'' defined ' - group: top10-insecure-design - name: 20cb3159-b219-496b-8dac-54ae3ab2021a - pretty_name: Non-Array Schema With Items (v3) - recommended: true - ref: https://swagger.io/specification/#schema-object - 20dcd953-a8b8-4892-9026-9afa6d05a525: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Kubernetes Engine Clusters must have Stackdriver Monitoring enabled, - which means the attribute ''monitoring_service'' must be defined and different - than ''none'' ' - group: top10-security-logging-monitoring-failures - name: 20dcd953-a8b8-4892-9026-9afa6d05a525 - pretty_name: Stackdriver Monitoring Disabled - recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_container_cluster_module.html - 21245007-91c4-40e5-964e-40c85d1e5aa6: - categories: - - ALL - - boost-baseline - description: OperationId should be unique when defined - group: top10-insecure-design - name: 21245007-91c4-40e5-964e-40c85d1e5aa6 - pretty_name: OperationId Not Unique (v2) - recommended: true - ref: https://swagger.io/specification/v2/#operationObject - 2134641d-30a4-4b16-8ffc-2cd4c4ffd15d: - categories: - - ALL - - boost-baseline - description: 'DOCDB Cluster should be encrypted with customer-managed KMS keys - instead of AWS managed keys ' - group: 
top10-crypto-failures - name: 2134641d-30a4-4b16-8ffc-2cd4c4ffd15d - pretty_name: DOCDB Cluster Encrypted With AWS Managed Key - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/docdb_cluster#kms_key_id - 21719347-d02b-497d-bda4-04a03c8e5b61: - categories: - - ALL - - boost-baseline - description: 'Memory requests should be defined for each container. This allows - the kubelet to reserve the requested amount of system resources and prevents - over-provisioning on individual nodes ' - group: cloud-insecure-iam - name: 21719347-d02b-497d-bda4-04a03c8e5b61 - pretty_name: Memory Requests Not Defined - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#requests - 218413a0-c716-4b94-9e08-0bb70d854709: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Check if secure ciphers aren''t used in CloudFront ' - group: top10-crypto-failures - name: 218413a0-c716-4b94-9e08-0bb70d854709 - pretty_name: Secure Ciphers Disabled - recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/community/aws/cloudfront_distribution_module.html - 219f4c95-aa50-44e0-97de-cf71f4641170: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'S3 Buckets should not be readable to all users ' - group: cloud-insecure-iam - name: 219f4c95-aa50-44e0-97de-cf71f4641170 - pretty_name: S3 Bucket ACL Allows Read to All Users - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket.html - 21cef75f-289f-470e-8038-c7cee0664164: - categories: - - ALL - - boost-baseline - description: 'Sees if Kubernetes Drop Capabilities exists to ensure containers - security context ' - group: top10-insecure-design - name: 21cef75f-289f-470e-8038-c7cee0664164 - pretty_name: No Drop Capabilities for Containers - recommended: true - ref: 
https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#drop - 221015a8-aa2a-43f5-b00b-ad7d2b1d47a8: - categories: - - ALL - - boost-baseline - description: 'Security Definition Object should not use basic authentication ' - group: cloud-insecure-iam - name: 221015a8-aa2a-43f5-b00b-ad7d2b1d47a8 - pretty_name: Security Definitions Using Basic Auth - recommended: true - ref: https://swagger.io/specification/v2/#securitySchemeObject - 221e0658-cb2a-44e3-b08a-db96a341d6fa: - categories: - - ALL - - boost-baseline - description: '''pids_limit'' should be set and different than -1 ' - group: cloud-insecure-iam - name: 221e0658-cb2a-44e3-b08a-db96a341d6fa - pretty_name: Pids Limit Not Set - recommended: true - ref: https://docs.docker.com/compose/compose-file/compose-file-v3/#domainname-hostname-ipc-mac_address-privileged-read_only-shm_size-stdin_open-tty-user-working_dir - 2263b286-2fe9-4747-a0ae-8b4768a2bbd2: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'BigQuery dataset is anonymously or publicly accessible ' - group: cloud-insecure-iam - name: 2263b286-2fe9-4747-a0ae-8b4768a2bbd2 - pretty_name: BigQuery Dataset Is Public - recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_bigquery_dataset_module.html#parameter-access/special_group - 2270987f-bb51-479f-b8be-3ca73e5ad648: - categories: - - ALL - - boost-baseline - description: 'Containers need to have NET_RAW or All as drop capabilities ' - group: cloud-weak-configuration - name: 2270987f-bb51-479f-b8be-3ca73e5ad648 - pretty_name: NET_RAW Capabilities Disabled for PSP - recommended: true - ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/ - 227c2f58-70c6-4432-8e9a-a89c1a548cf5: - categories: - - ALL - - boost-baseline - description: 'Bucket should have versioning enabled ' - group: top10-security-logging-monitoring-failures - name: 227c2f58-70c6-4432-8e9a-a89c1a548cf5 - pretty_name: Bucket Without 
Versioning - recommended: true - ref: https://cloud.google.com/storage/docs/json_api/v1/buckets - 2285e608-ddbc-47f3-ba54-ce7121e31216: - categories: - - ALL - - boost-baseline - description: 'Ensure a log metric filter and alarm exist for route table changes ' - group: top10-security-logging-monitoring-failures - name: 2285e608-ddbc-47f3-ba54-ce7121e31216 - pretty_name: CloudWatch Route Table Changes Alarm Missing - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_metric_filter#pattern - 228c4c19-feeb-4c18-848c-800ac70fdfb7: - categories: - - ALL - - boost-baseline - description: 'Images should be specified together with their digests to ensure - integrity ' - group: cloud-weak-configuration - name: 228c4c19-feeb-4c18-848c-800ac70fdfb7 - pretty_name: Image Without Digest - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#image - 229588ef-8fde-40c8-8756-f4f2b5825ded: - categories: - - ALL - - boost-baseline - description: 'Memory requests should be defined for each container. 
This allows - the kubelet to reserve the requested amount of system resources and prevents - over-provisioning on individual nodes ' - group: cloud-insecure-iam - name: 229588ef-8fde-40c8-8756-f4f2b5825ded - pretty_name: Memory Requests Not Defined - recommended: true - ref: https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource/ - 22c80725-e390-4055-8d14-a872230f6607: - categories: - - ALL - - boost-baseline - description: 'All AWS CloudFront distributions should be integrated with the Web - Application Firewall (AWS WAF) service ' - group: cloud-resources-public-access - name: 22c80725-e390-4055-8d14-a872230f6607 - pretty_name: CloudFront Without WAF - recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/community/aws/cloudfront_distribution_module.html - 22cd11f7-9c6c-4f6e-84c0-02058120b341: - categories: - - ALL - - boost-baseline - description: 'Instead of ''gem install '' we should use ''gem install :'' ' - group: supply-chain-scm-weak-configuration - name: 22cd11f7-9c6c-4f6e-84c0-02058120b341 - pretty_name: Gem Install Without Version - recommended: true - ref: https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#run - 22ef1d26-80f8-4a6c-8c15-f35aab3cac78: - categories: - - ALL - - boost-baseline - description: 'Google Compute Network should not use a firewall rule that allows - all ports ' - group: cloud-resources-public-access - name: 22ef1d26-80f8-4a6c-8c15-f35aab3cac78 - pretty_name: Google Compute Network Using Firewall Rule that Allows All Ports - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_firewall#allow - 22fbfeac-7b5a-421a-8a27-7a2178bb910b: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Customer Master Keys (CMK) must have rotation enabled, which means - the attribute ''enable_key_rotation'' must be set to ''true'' when the key is - enabled. 
' - group: top10-security-logging-monitoring-failures - name: 22fbfeac-7b5a-421a-8a27-7a2178bb910b - pretty_name: CMK Rotation Disabled - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key#enable_key_rotation - 235236ee-ad78-4065-bd29-61b061f28ce0: - categories: - - ALL - - boost-baseline - description: 'Containers should not have CAP_SYS_ADMIN Linux capability ' - group: cloud-weak-configuration - name: 235236ee-ad78-4065-bd29-61b061f28ce0 - pretty_name: Containers With Sys Admin Capabilities - recommended: true - ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ - 235ca980-eb71-48f4-9030-df0c371029eb: - categories: - - ALL - - boost-baseline - description: 'EnableKeyRotation should not be false or undefined ' - group: top10-crypto-failures - name: 235ca980-eb71-48f4-9030-df0c371029eb - pretty_name: KMS Key Rotation Disabled - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-kms-key.html - 237402e2-c2f0-46c9-9cf5-286160cf7bfc: - categories: - - ALL - - boost-baseline - description: 'All path should be unique, if has more than one operation, all operations - should be part of same Path Object ' - group: top10-insecure-design - name: 237402e2-c2f0-46c9-9cf5-286160cf7bfc - pretty_name: Path Is Ambiguous (v3) - recommended: true - ref: https://swagger.io/specification/#path-item-object - 23a4dc83-4959-4d99-8056-8e051a82bc1e: - categories: - - ALL - - boost-baseline - description: 'Cosmos DB Account must have a mapping of tags. 
' - group: supply-chain-cicd-weak-configuration - name: 23a4dc83-4959-4d99-8056-8e051a82bc1e - pretty_name: Cosmos DB Account Without Tags - recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_cosmosdbaccount_module.html - 23a9e2d9-8738-4556-a71c-2802b6ffa022: - categories: - - ALL - - boost-baseline - description: 'Using an scope on global security field that is undefined on ''securityScheme'' - can be defined by an attacker ' - group: cloud-insecure-iam - name: 23a9e2d9-8738-4556-a71c-2802b6ffa022 - pretty_name: Undefined Scope 'securityScheme' On Global 'security' Field - recommended: true - ref: https://swagger.io/specification/#oauth-flow-object - 23b70e32-032e-4fa6-ba5c-82f56b9980e6: - categories: - - ALL - - boost-baseline - description: 'EC2 Instance should have detailed monitoring enabled. With detailed - monitoring enabled data is available in 1-minute periods ' - group: top10-security-logging-monitoring-failures - name: 23b70e32-032e-4fa6-ba5c-82f56b9980e6 - pretty_name: EC2 Instance Monitoring Disabled - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/instance#monitoring - 23edf35f-7c22-4ff9-87e6-0ca74261cfbf: - categories: - - ALL - description: 'A list of DynamoDB resources found. Amazon DynamoDB is a fully managed, - serverless, key-value NoSQL database designed to run high-performance applications - at any scale. 
' - group: supply-chain-missing-artifact-integrity-verification - name: 23edf35f-7c22-4ff9-87e6-0ca74261cfbf - pretty_name: BOM - AWS DynamoDB - ref: https://kics.io/ - 249328b8-5f0f-409f-b1dd-029f07882e11: - categories: - - ALL - - boost-baseline - description: 'Ensure that the cluster-admin role is only used where required (RBAC) ' - group: cloud-insecure-iam - name: 249328b8-5f0f-409f-b1dd-029f07882e11 - pretty_name: Cluster Admin Rolebinding With Superuser Permissions - recommended: true - ref: https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles - 24b132df-5cc7-4823-8029-f898e1c50b72: - categories: - - ALL - - boost-baseline - description: 'A Kubernetes Pod should have a Service Account defined so to restrict - Kubernetes API access, which means the attribute ''service_account_name'' should - be defined and not empty. ' - group: cloud-weak-configuration - name: 24b132df-5cc7-4823-8029-f898e1c50b72 - pretty_name: Service Account Name Undefined Or Empty - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#service_account_name - 24d932e1-91f0-46ea-836f-fdbd81694151: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Route53 HostedZone must have the Record Set defined. 
' - group: cloud-resources-public-access - name: 24d932e1-91f0-46ea-836f-fdbd81694151 - pretty_name: Route53 Record Undefined - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-route53-hostedzone.html - 24e16922-4330-4e9d-be8a-caa90299466a: - categories: - - ALL - - boost-baseline - description: 'Check if ElasticSearch encryption is disabled at Rest ' - group: top10-crypto-failures - name: 24e16922-4330-4e9d-be8a-caa90299466a - pretty_name: ElasticSearch Not Encrypted At Rest - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/elasticsearch_domain - 254c932d-e3bf-44b2-bc9d-eb5fdb09f8d4: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Check if the redis version is compliant with the necessary AWS PCI - DSS requirements ' - group: top10-crypto-failures - name: 254c932d-e3bf-44b2-bc9d-eb5fdb09f8d4 - pretty_name: Redis Not Compliant - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/elasticache_cluster#engine_version - 255b0fcc-9f82-41fe-9229-01b163e3376b: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'CloudFront Minimum Protocol version should be at least TLS 1.2 ' - group: cloud-weak-configuration - name: 255b0fcc-9f82-41fe-9229-01b163e3376b - pretty_name: CloudFront Without Minimum Protocol TLS 1.2 - recommended: true - ref: https://doc.crds.dev/github.com/crossplane/provider-aws/cloudfront.aws.crossplane.io/Distribution/v1alpha1@v0.29.0#spec-forProvider-distributionConfig-viewerCertificate-minimumProtocolVersion - 25635c31-ee32-4708-88e5-fced87516f51: - categories: - - ALL - - boost-baseline - description: Operation External Documentation URL should be a valid URL - group: top10-insecure-design - name: 25635c31-ee32-4708-88e5-fced87516f51 - pretty_name: Invalid Operation External Documentation URL (v2) - recommended: true - ref: 
https://swagger.io/specification/v2/#externalDocumentationObject - 2564172f-c92b-4261-9acd-464aed511696: - categories: - - ALL - - boost-baseline - description: 'Lambda access/secret keys should not be hardcoded ' - group: cloud-weak-secrets-management - name: 2564172f-c92b-4261-9acd-464aed511696 - pretty_name: Hardcoded AWS Access Key In Lambda - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-lambda-function.html#cfn-lambda-function-environment - 25684eac-daaa-4c2c-94b4-8d2dbb627909: - categories: - - ALL - - boost-baseline - description: 'Log Profile Retention Policy should be enabled and the recommended - number of days for the retention should be higher than 365 or 0 (0 will retain - the events indefinitely) ' - group: top10-security-logging-monitoring-failures - name: 25684eac-daaa-4c2c-94b4-8d2dbb627909 - pretty_name: Unrecommended Log Profile Retention Policy - recommended: true - ref: https://docs.microsoft.com/en-us/azure/templates/microsoft.insights/2016-03-01/logprofiles?tabs=json#retentionpolicy-object - 2583fab1-953b-4fae-bd02-4a136a6c21f9: - categories: - - ALL - - boost-baseline - description: 'Azure Kubernetes Service must have an authorized IP range for API - Services enabled ' - group: cloud-resources-public-access - name: 2583fab1-953b-4fae-bd02-4a136a6c21f9 - pretty_name: AKS With Authorized IP Ranges Disabled - recommended: true - ref: https://docs.microsoft.com/en-us/azure/templates/microsoft.containerservice/managedclusters?tabs=json#managedclusterapiserveraccessprofile-object - 2596545e-1757-4ff7-a15a-8a9a180a42f3: - categories: - - ALL - - boost-baseline - description: 'Parameter Object reference must always point to ''#/parameters'' ' - group: top10-insecure-design - name: 2596545e-1757-4ff7-a15a-8a9a180a42f3 - pretty_name: Parameter Object With Incorrect Ref (v2) - recommended: true - ref: https://swagger.io/specification/v2/#parameter-object - 25c0228e-4444-459b-a2df-93c7df40b7ed: - 
categories: - - ALL - - boost-baseline - description: 'Azure Kubernetes Service must have a network policy defined. ' - group: cloud-weak-configuration - name: 25c0228e-4444-459b-a2df-93c7df40b7ed - pretty_name: AKS Cluster Network Policy Not Configured - recommended: true - ref: https://docs.microsoft.com/en-us/azure/templates/microsoft.containerservice/managedclusters?tabs=json#containerservicenetworkprofile-object - 25c0ea09-f1c5-4380-b055-3b83863f2bb8: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Check if all IPs are allowed, check from start 0.0.0.0 to end 255.255.255.255. ' - group: cloud-resources-public-access - name: 25c0ea09-f1c5-4380-b055-3b83863f2bb8 - pretty_name: SQLServer Ingress From Any IP - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/sql_firewall_rule - 25d251f3-f348-4f95-845c-1090e41a615c: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Amazon Elastic Filesystem should have filesystem encryption enabled - using KMS CMK customer-managed keys instead of AWS managed-keys ' - group: top10-crypto-failures - name: 25d251f3-f348-4f95-845c-1090e41a615c - pretty_name: EFS Without KMS - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/efs_file_system#kms_key_id - 25db74bf-fa3b-44da-934e-8c3e005c0453: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Check if Record is set ' - group: cloud-resources-public-access - name: 25db74bf-fa3b-44da-934e-8c3e005c0453 - pretty_name: Route53 Record Undefined - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_record - 261a83f8-dd72-4e8c-b5e1-ebf06e8fe606: - categories: - - ALL - - boost-baseline - description: 'Check if PostgreSQL Database Server retains logs for less than 3 - Days ' - group: top10-security-logging-monitoring-failures - name: 
261a83f8-dd72-4e8c-b5e1-ebf06e8fe606 - pretty_name: Small PostgreSQL DB Server Log Retention Period - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/postgresql_configuration - 2623d682-dccb-44cd-99d0-54d9fd62f8f2: - categories: - - ALL - - boost-baseline - description: 'Ineffective deny rules. A deny rule should be applied to all IP - addresses. ' - group: cloud-insecure-iam - name: 2623d682-dccb-44cd-99d0-54d9fd62f8f2 - pretty_name: EC2 Network ACL Ineffective Denied Traffic - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-network-acl-entry.html - 265d9725-2fb8-42a2-bc57-3279c5db82d5: - categories: - - ALL - - boost-baseline - description: 'AWS Lambda Functions must have associated tags. ' - group: cloud-weak-configuration - name: 265d9725-2fb8-42a2-bc57-3279c5db82d5 - pretty_name: Lambda Function Without Tags - recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/community/aws/lambda_module.html - 26763a1c-5dda-4772-b507-5fca7fb5f165: - categories: - - ALL - - boost-baseline - description: 'Service has an external load balancer, which may cause accessibility - from other networks and the Internet ' - group: cloud-resources-public-access - name: 26763a1c-5dda-4772-b507-5fca7fb5f165 - pretty_name: Service With External Load Balancer - recommended: true - ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/ - 268c65a8-58ad-43e4-9019-1a9bbc56749f: - categories: - - ALL - description: 'A list of Persistent Disk resources found. Persistent Disk is Google''s - local durable storage service, fully integrated with Google Cloud products, - Compute Engine and Google Kubernetes Engine. 
' - group: supply-chain-missing-artifact-integrity-verification - name: 268c65a8-58ad-43e4-9019-1a9bbc56749f - pretty_name: BOM - GCP PD - ref: https://kics.io/ - 268ca686-7fb7-4ae9-b129-955a2a89064e: - categories: - - ALL - - boost-baseline - description: 'Sees if Kubernetes Drop Capabilities exists to ensure containers - security context ' - group: top10-insecure-design - name: 268ca686-7fb7-4ae9-b129-955a2a89064e - pretty_name: No Drop Capabilities for Containers - recommended: true - ref: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/ - 268defd2-2839-4e15-8cbc-de86eb38c231: - categories: - - ALL - - boost-baseline - description: If a response is head or its code is 204 or 304, it shouldn't have - a schema defined - group: cloud-resources-public-access - name: 268defd2-2839-4e15-8cbc-de86eb38c231 - pretty_name: Response on operations that should not have a body has declared content - (v2) - recommended: true - ref: https://swagger.io/docs/specification/2-0/describing-responses/ - 26b047a9-0329-48fd-8fb7-05bbe5ba80ee: - categories: - - ALL - - boost-baseline - description: 'Kubernetes Stateful Sets must have one Volume Claim template with - the access mode ''ReadWriteOnce'' ' - group: supply-chain-cicd-weak-configuration - name: 26b047a9-0329-48fd-8fb7-05bbe5ba80ee - pretty_name: Incorrect Volume Claim Access Mode ReadWriteOnce - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/stateful_set#volume_claim_template - 26f06397-36d8-4ce7-b993-17711261d777: - categories: - - ALL - - boost-baseline - description: 'Content Type should be set to ''multipart/form-data'' in case of - uploading an arbitrary number of files (array) ' - group: top10-insecure-design - name: 26f06397-36d8-4ce7-b993-17711261d777 - pretty_name: Invalid Content Type For Multiple Files Upload - recommended: true - ref: https://swagger.io/docs/specification/describing-request-body/file-upload/ - 
2730c169-51d7-4ae7-99b5-584379eff1bb: - categories: - - ALL - description: 'A list of MSK resources specified. Amazon Managed Streaming for - Apache Kafka (Amazon MSK) is a fully managed service that enables you to build - and run applications that use Apache Kafka to process streaming data. ' - group: supply-chain-missing-artifact-integrity-verification - name: 2730c169-51d7-4ae7-99b5-584379eff1bb - pretty_name: BOM - AWS MSK - ref: https://kics.io/ - 274f910a-0665-4f08-b66d-7058fe927dba: - categories: - - ALL - - boost-baseline - description: 'OAuth2 security definition flow requires a valid URL in the tokenUrl - field ' - group: cloud-insecure-iam - name: 274f910a-0665-4f08-b66d-7058fe927dba - pretty_name: Invalid OAuth2 Token URL (v2) - recommended: true - ref: https://swagger.io/specification/v2/#security-scheme-object - 275a3217-ca37-40c1-a6cf-bb57d245ab32: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'AWS Application Load Balancer (alb) should not listen on HTTP ' - group: cloud-resources-public-access - name: 275a3217-ca37-40c1-a6cf-bb57d245ab32 - pretty_name: ALB Listening on HTTP - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-elb-listener.html#cfn-ec2-elb-listener-protocol - 2775e169-e708-42a9-9305-b58aadd2c4dd: - categories: - - ALL - - boost-baseline - description: 'Instances must not be configured to use the Default Service Account, - that has full access to all Cloud APIs, which means the attribute ''service_account_email'' - must be defined. Additionally, it must not be empty and must also not be a default - Google Compute Engine service account. 
' - group: cloud-weak-configuration - name: 2775e169-e708-42a9-9305-b58aadd2c4dd - pretty_name: Using Default Service Account - recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_compute_instance_module.html - 27c6a499-895a-4dc7-9617-5c485218db13: - categories: - - ALL - - boost-baseline - description: 'Ensure a log metric filter and alarm exist for S3 bucket policy - changes ' - group: top10-security-logging-monitoring-failures - name: 27c6a499-895a-4dc7-9617-5c485218db13 - pretty_name: CloudWatch S3 policy Change Alarm Missing - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_metric_filter#pattern - 27fcc7d6-c49b-46e0-98f1-6c082a6a2750: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Ensuring the process does not gain any new privileges lessens the - risk associated with many operations. ' - group: cloud-insecure-iam - name: 27fcc7d6-c49b-46e0-98f1-6c082a6a2750 - pretty_name: No New Privileges Not Set - recommended: true - ref: https://docs.docker.com/engine/reference/run/#security-configuration - 281b8071-6226-4a43-911d-fec246d422c2: - categories: - - ALL - - boost-baseline - description: 'API Keys should not be transported over network ' - group: cloud-insecure-iam - name: 281b8071-6226-4a43-911d-fec246d422c2 - pretty_name: API Key Exposed In Operation Security (v3) - recommended: true - ref: https://swagger.io/specification/#security-scheme-object - 2844c749-bd78-4cd1-90e8-b179df827602: - categories: - - ALL - - boost-baseline - description: 'AWS Key Management Service (KMS) must only possess usable Customer - Master Keys (CMK), which means the CMKs must have the attribute ''Enabled'' - set to true and the attribute ''PendingWindowInDays'' must be undefined. 
' - group: top10-insecure-design - name: 2844c749-bd78-4cd1-90e8-b179df827602 - pretty_name: CMK Is Unusable - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-kms-key.html - 28545147-2fc6-42d5-a1f9-cf226658e591: - categories: - - ALL - - boost-baseline - description: 'SNS (Simple Notification Service) Topic should be encrypted ' - group: top10-crypto-failures - name: 28545147-2fc6-42d5-a1f9-cf226658e591 - pretty_name: SNS Topic Not Encrypted - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic#kms_master_key_id - 28727987-e398-49b8-aef1-8a3e7789d111: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Kubernetes Clusters must be created with Alias IP ranges enabled, - which means the attribute ''ipAllocationPolicy'' must be defined and the subattribute - ''useIpAliases'' must be set to ''true''. ' - group: cloud-weak-configuration - name: 28727987-e398-49b8-aef1-8a3e7789d111 - pretty_name: IP Aliasing Disabled - recommended: true - ref: https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1/projects.locations.clusters - 28a757fc-3d8f-424a-90c0-4233363b2711: - categories: - - ALL - - boost-baseline - description: 'PostgreSQL database ''log_min_messages'' flag isn''t set to a valid - value ' - group: top10-security-logging-monitoring-failures - name: 28a757fc-3d8f-424a-90c0-4233363b2711 - pretty_name: PostgreSQL Misconfigured Log Messages Flag - recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_sql_instance_module.html#parameter-settings/database_flags - 292919fb-7b26-4454-bee9-ce29094768dd: - categories: - - ALL - - boost-baseline - - boost-hardened - description: Global security definition must not have empty objects - group: cloud-insecure-iam - name: 292919fb-7b26-4454-bee9-ce29094768dd - pretty_name: Global security field has an empty object (v2) - recommended: true - ref: 
https://swagger.io/specification/v2/#security-requirement-object - 2940d48a-dc5e-4178-a3f8-bfbd80720b41: - categories: - - ALL - - boost-baseline - description: 'When using the kubelet command, the read-only port should be set - to zero (--read-only-port=0) ' - group: cloud-resources-public-access - name: 2940d48a-dc5e-4178-a3f8-bfbd80720b41 - pretty_name: Kubelet Read Only Port Is Not Set To Zero - recommended: true - ref: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/ - 295acb63-9246-4b21-b441-7c1f1fb62dc0: - categories: - - ALL - - boost-baseline - description: 'Cached package data should be cleaned after installation to reduce - image size ' - group: supply-chain-scm-weak-configuration - name: 295acb63-9246-4b21-b441-7c1f1fb62dc0 - pretty_name: Missing Dnf Clean All - recommended: true - ref: https://docs.docker.com/develop/develop-images/dockerfile_best-practices/ - 29b8224a-60e9-4011-8ac2-7916a659841f: - categories: - - ALL - - boost-baseline - description: 'Google Compute Network should not use default firewall rule ' - group: cloud-resources-public-access - name: 29b8224a-60e9-4011-8ac2-7916a659841f - pretty_name: Google Compute Network Using Default Firewall Rule - recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_compute_firewall_module.html#parameter-name - 29f35127-98e6-43af-8ec1-201b79f99604: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Admin user is enabled for Container Registry ' - group: cloud-insecure-iam - name: 29f35127-98e6-43af-8ec1-201b79f99604 - pretty_name: Admin User Enabled For Container Registry - recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_containerregistry_module.html - 2a153952-2544-4687-bcc9-cc8fea814a9b: - categories: - - ALL - - boost-baseline - description: 'All variables should contain a valid description. 
' - group: top10-insecure-design - name: 2a153952-2544-4687-bcc9-cc8fea814a9b - pretty_name: Variable Without Description - recommended: true - ref: https://www.terraform.io/docs/language/values/variables.html#input-variable-documentation - 2a3560fe-52ca-4443-b34f-bf0ed5eb74c8: - categories: - - ALL - - boost-baseline - description: 'CloudTrail log file validation should be enabled to determine whether - a log file has not been tampered ' - group: top10-security-logging-monitoring-failures - name: 2a3560fe-52ca-4443-b34f-bf0ed5eb74c8 - pretty_name: CloudTrail Log File Validation Disabled - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cloudtrail-trail.html#cfn-cloudtrail-trail-enablelogfilevalidation - 2a52567c-abb8-4651-a038-52fa27c77aed: - categories: - - ALL - - boost-baseline - description: 'Service has an external load balancer, which may cause accessibility - from other networks and the Internet ' - group: cloud-resources-public-access - name: 2a52567c-abb8-4651-a038-52fa27c77aed - pretty_name: Service With External Load Balancer - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/service - 2a901825-0f3b-4655-a0fe-e0470e50f8e6: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Make sure that for MySQL Database Server, ''Enforce SSL connection'' - is enabled ' - group: top10-crypto-failures - name: 2a901825-0f3b-4655-a0fe-e0470e50f8e6 - pretty_name: MySQL SSL Connection Disabled - recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_mysqlserver_module.html - 2ab6de9a-0136-415c-be92-79d2e4fd750f: - categories: - - ALL - - boost-baseline - description: 'Azure SQL Server''s Admin account login must avoid using names like - ''Admin'', that are too predictable, which means the attribute ''administrator_login'' - must be set to a name that is not easy to predict ' - group: 
top10-insecure-design - name: 2ab6de9a-0136-415c-be92-79d2e4fd750f - pretty_name: SQL Server Predictable Admin Account Name - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/sql_server - 2acb555f-f4ad-4b1b-b984-84e6588f4b05: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Limit capabilities for a Pod Security Policy ' - group: cloud-weak-configuration - name: 2acb555f-f4ad-4b1b-b984-84e6588f4b05 - pretty_name: Not Limited Capabilities For Pod Security Policy - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod_security_policy#required_drop_capabilities - 2ade1579-4b2c-4590-bebb-f99bf597f612: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Port 22 (SSH) is exposed to the Internet ' - group: cloud-resources-public-access - name: 2ade1579-4b2c-4590-bebb-f99bf597f612 - pretty_name: Network Security Group With Unrestricted Access To SSH - recommended: true - ref: https://docs.microsoft.com/en-us/azure/templates/microsoft.network/2020-07-01/networksecuritygroups?tabs=json#securityrulepropertiesformat-object - 2ae9d554-23fb-4065-bfd1-fe43d5f7c419: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'A sensitive port, such as port 23 or port 110, is open to the public - in either TCP or UDP protocol ' - group: cloud-resources-public-access - name: 2ae9d554-23fb-4065-bfd1-fe43d5f7c419 - pretty_name: Public Security Group Rule Sensitive Port - recommended: true - ref: https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/security_group_rule#port_range - 2b13c6ff-b87a-484d-86fd-21ef6e97d426: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Checks if any static websties are hosted on buckets. Be aware of - any website you are running. 
' - group: cloud-weak-configuration - name: 2b13c6ff-b87a-484d-86fd-21ef6e97d426 - pretty_name: OSS Bucket Has Static Website - recommended: true - ref: https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/oss_bucket#website - 2b1836f1-dcce-416e-8e16-da8c71920633: - categories: - - ALL - - boost-baseline - description: 'Verifies if Kubernetes workload''s host port is specified ' - group: cloud-resources-public-access - name: 2b1836f1-dcce-416e-8e16-da8c71920633 - pretty_name: Workload Host Port Not Specified - recommended: true - ref: https://kubernetes.io/docs/concepts/services-networking/connect-applications-service/#exposing-the-service - 2b1d4935-9acf-48a7-8466-10d18bf51a69: - categories: - - ALL - - boost-baseline - description: 'AWS RDS Instance should have a multi-az deployment ' - group: top10-software-data-integrity-failures - name: 2b1d4935-9acf-48a7-8466-10d18bf51a69 - pretty_name: RDS Multi-AZ Deployment Disabled - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-rds-database-instance.html - 2b3c671f-1b76-4741-8789-ed1fe0785dc4: - categories: - - ALL - - boost-baseline - description: 'Ensure that Connection Throttling is set for the PostgreSQL server ' - group: top10-security-logging-monitoring-failures - name: 2b3c671f-1b76-4741-8789-ed1fe0785dc4 - pretty_name: PostgreSQL Server Without Connection Throttling - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/postgresql_configuration - 2b3c8a6d-9856-43e6-ab1d-d651094f03b4: - categories: - - ALL - - boost-baseline - description: 'Elastic MapReduce Cluster (EMR) should be launched in a Virtual - Private Cloud (VPC) ' - group: cloud-resources-public-access - name: 2b3c8a6d-9856-43e6-ab1d-d651094f03b4 - pretty_name: EMR Without VPC - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/emr_cluster#subnet_id - 
2b856bf9-8e8c-4005-875f-303a8cba3918: - categories: - - ALL - - boost-baseline - description: 'Ensure that Activity Log Retention is set 365 days or greater ' - group: top10-security-logging-monitoring-failures - name: 2b856bf9-8e8c-4005-875f-303a8cba3918 - pretty_name: Small Activity Log Retention Period - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/monitor_log_profile - 2bb13841-7575-439e-8e0a-cccd9ede2fa8: - categories: - - ALL - - boost-baseline - description: 'Ram Account Password Policy Password ''max_password_age'' should - be higher than 0 and lower than 91 ' - group: cloud-weak-secrets-management - name: 2bb13841-7575-439e-8e0a-cccd9ede2fa8 - pretty_name: Ram Account Password Policy Max Password Age Unrecommended - recommended: true - ref: https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/ram_account_password_policy#max_password_age - 2bc626a8-0751-446f-975d-8139214fc790: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'There is a role assignment for guest user ' - group: cloud-insecure-iam - name: 2bc626a8-0751-446f-975d-8139214fc790 - pretty_name: Role Assignment Of Guest Users - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment - 2bd608ae-8a1f-457f-b710-c237883cb313: - categories: - - ALL - - boost-baseline - description: 'Schema Object should not be have a required property that is not - defined on properties ' - group: top10-insecure-design - name: 2bd608ae-8a1f-457f-b710-c237883cb313 - pretty_name: Schema Has A Required Property Undefined (v3) - recommended: true - ref: https://swagger.io/specification/#schema-object - 2bff9906-4e9b-4f71-9346-8ebedfdf43ef: - categories: - - ALL - - boost-baseline - description: 'PodSecurityPolicy should not allow privilege escalation ' - group: cloud-weak-configuration - name: 2bff9906-4e9b-4f71-9346-8ebedfdf43ef - pretty_name: PSP 
Allows Privilege Escalation - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod_security_policy#allow_privilege_escalation - 2c161e58-cb52-454f-abea-6470c37b5e6e: - categories: - - ALL - - boost-baseline - description: 'RDS DBInstance should have deletion protection set to true ' - group: top10-software-data-integrity-failures - name: 2c161e58-cb52-454f-abea-6470c37b5e6e - pretty_name: RDS DB Instance With Deletion Protection Disabled - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-rds-database-instance.html#cfn-rds-dbinstance-deletionprotection - 2c99a474-2a3c-4c17-8294-53ffa5ed0522: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Storage Accounts should enforce the use of HTTPS ' - group: top10-crypto-failures - name: 2c99a474-2a3c-4c17-8294-53ffa5ed0522 - pretty_name: Storage Account Not Forcing HTTPS - recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_storageaccount_module.html#parameter-https_only - 2ca87964-fe7e-4cdc-899c-427f0f3525f8: - categories: - - ALL - - boost-baseline - description: 'DocDB logging should be enabled ' - group: top10-security-logging-monitoring-failures - name: 2ca87964-fe7e-4cdc-899c-427f0f3525f8 - pretty_name: DocDB Logging Is Disabled - recommended: true - ref: https://www.pulumi.com/registry/packages/aws/api-docs/docdb/cluster/#enabledcloudwatchlogsexports_yaml - 2cb674f6-32f9-40be-97f2-62c0dc38f0d5: - categories: - - ALL - - boost-baseline - description: 'RDS should not use the default port (an attacker can easily guess - the port). For engines related to Aurora, MariaDB or MySQL, the default port - is 3306. 
PostgreSQL default port is 5432, Oracle default port is 1521 and SQL - Server default port is 1433 ' - group: cloud-resources-public-access - name: 2cb674f6-32f9-40be-97f2-62c0dc38f0d5 - pretty_name: RDS Using Default Port - recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/community/aws/rds_instance_module.html#parameter-port - 2cf35b40-ded3-43d6-9633-c8dcc8bcc822: - categories: - - ALL - - boost-baseline - description: 'Example should match one of MimeTypes on ''produces''. It is important - to know that, if a ''produces'' is declared on operation it will override global - ''produces'' ' - group: top10-insecure-design - name: 2cf35b40-ded3-43d6-9633-c8dcc8bcc822 - pretty_name: Operation Example Mismatch Produces MimeType - recommended: true - ref: https://swagger.io/specification/v2/#exampleObject - 2d16c3fb-35ba-4ec0-b4e4-06ee3cbd4045: - categories: - - ALL - description: 'A list of S3 resources found. Amazon Simple Storage Service (Amazon - S3) is an object storage service that offers industry-leading scalability, data - availability, security, and performance. 
' - group: supply-chain-missing-artifact-integrity-verification - name: 2d16c3fb-35ba-4ec0-b4e4-06ee3cbd4045 - pretty_name: BOM - AWS S3 Buckets - ref: https://kics.io/ - 2d55ef88-b616-4890-b822-47f280763e89: - categories: - - ALL - - boost-baseline - description: 'Check if the Memcached is disabled on the ElastiCache ' - group: top10-crypto-failures - name: 2d55ef88-b616-4890-b822-47f280763e89 - pretty_name: Memcached Disabled - recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/community/aws/elasticache_module.html#parameter-engine - 2d6646f4-2946-420f-8c14-3232d49ae0cb: - categories: - - ALL - - boost-baseline - description: 'Header Object reference must always point to ''#/components/headers'' ' - group: top10-insecure-design - name: 2d6646f4-2946-420f-8c14-3232d49ae0cb - pretty_name: Header Object With Incorrect Ref - recommended: true - ref: https://swagger.io/specification/#responses-object - 2d8c175a-6d90-412b-8b0e-e034ea49a1fe: - categories: - - ALL - - boost-baseline - description: 'Global server object URL should use ''https'' protocol instead of - ''http'' ' - group: top10-crypto-failures - name: 2d8c175a-6d90-412b-8b0e-e034ea49a1fe - pretty_name: Global Server Object Uses HTTP - recommended: true - ref: https://swagger.io/specification/#server-object - 2da46be4-4317-4650-9285-56d7103c4f93: - categories: - - ALL - - boost-baseline - description: 'Security should not use ''password'' Flow in OAuth2 authentication ' - group: cloud-insecure-iam - name: 2da46be4-4317-4650-9285-56d7103c4f93 - pretty_name: Global Security Using Password Flow - recommended: true - ref: https://swagger.io/specification/v2/#securityRequirementObject - 2e275f16-b627-4d3f-ae73-a6153a23ae8f: - categories: - - ALL - - boost-baseline - description: 'Parameter reference should exists on components field ' - group: top10-insecure-design - name: 2e275f16-b627-4d3f-ae73-a6153a23ae8f - pretty_name: Parameter JSON Reference Does Not Exists (v3) - recommended: true 
- ref: https://swagger.io/specification/#components-object - 2e44e632-d617-43cb-b294-6bfe72a08938: - categories: - - ALL - - boost-baseline - description: 'Operation Object should not use ''password'' Flow in OAuth2 authentication ' - group: cloud-insecure-iam - name: 2e44e632-d617-43cb-b294-6bfe72a08938 - pretty_name: Operation Using Password Flow - recommended: true - ref: https://swagger.io/specification/v2/#operation-object - 2e48d91c-50e4-45c8-9312-27b625868a72: - categories: - - ALL - - boost-baseline - description: 'Check if Web Application Firewall is disabled or not configured - for Azure''s Application Gateway. ' - group: cloud-resources-public-access - name: 2e48d91c-50e4-45c8-9312-27b625868a72 - pretty_name: WAF Is Disabled For Azure Application Gateway - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/application_gateway - 2e9b6612-8f69-42e0-a5b8-ed17739c2f3a: - categories: - - ALL - - boost-baseline - description: 'Schema Object properties should not contain ''enum'' and schema - keywords ' - group: top10-insecure-design - name: 2e9b6612-8f69-42e0-a5b8-ed17739c2f3a - pretty_name: Object Using Enum With Keyword (v3) - recommended: true - ref: https://swagger.io/specification/#schema-object - 2e9e0729-66d5-4148-9d39-5e6fb4bf2a4e: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Amazon Elasticsearch does not have encryption for its domains enabled. - To prevent such a scenario, update the attribute ''EnforceHTTPS'' to true. 
' - group: cloud-resources-public-access - name: 2e9e0729-66d5-4148-9d39-5e6fb4bf2a4e - pretty_name: Elasticsearch with HTTPS disabled - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/elasticsearch_domain#enforce_https - 2ea04bef-c769-409e-9179-ee3a50b5c0ac: - categories: - - ALL - - boost-baseline - description: 'Numeric schema (type set to ''integer'' or ''number'') should have - ''maximum'' defined. ' - group: cloud-weak-configuration - name: 2ea04bef-c769-409e-9179-ee3a50b5c0ac - pretty_name: Numeric Schema Without Maximum (v3) - recommended: true - ref: https://swagger.io/specification/#schema-object - 2ec86e48-ab90-4cb6-a131-0502afd1f442: - categories: - - ALL - - boost-baseline - description: String schema/parameter/header should have 'maxLength' defined. - group: cloud-weak-configuration - name: 2ec86e48-ab90-4cb6-a131-0502afd1f442 - pretty_name: Maximum Length Undefined (v2) - recommended: true - ref: https://swagger.io/specification/v2/#schemaObject - 2f01fb2d-828a-499d-b98e-b83747305052: - categories: - - ALL - - boost-baseline - description: 'AWS CloudFormation Stack should have a stack policy in order to - protect stack resources from update actions ' - group: cloud-insecure-iam - name: 2f01fb2d-828a-499d-b98e-b83747305052 - pretty_name: No Stack Policy - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudformation_stack - 2f06d22c-56bd-4f73-8a51-db001fcf2150: - categories: - - ALL - description: 'A list of Storage Bucket resources found. Buckets are the basic - containers that hold your data. Everything that you store in Cloud Storage must - be contained in a bucket. 
' - group: supply-chain-missing-artifact-integrity-verification - name: 2f06d22c-56bd-4f73-8a51-db001fcf2150 - pretty_name: BOM - GCP SB - ref: https://kics.io/ - 2f1a0619-b12b-48a0-825f-993bb6f01d58: - categories: - - ALL - - boost-baseline - description: 'Limit the capabilities for a Container. ' - group: cloud-weak-configuration - name: 2f1a0619-b12b-48a0-825f-993bb6f01d58 - pretty_name: Not Limited Capabilities For Container - recommended: true - ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ - 2f37c4a3-58b9-4afe-8a87-d7f1d2286f84: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'IAM policies shouldn''t allow full administrative privileges (for - all resources) ' - group: cloud-insecure-iam - name: 2f37c4a3-58b9-4afe-8a87-d7f1d2286f84 - pretty_name: IAM Policies With Full Privileges - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy - 2f491173-6375-4a84-b28e-a4e2b9a58a69: - categories: - - ALL - - boost-baseline - description: 'When using kube-apiserver or kube-controller-manager or kube-scheduler - command, the ''--profiling'' flag should be defined and set to false ' - group: top10-security-logging-monitoring-failures - name: 2f491173-6375-4a84-b28e-a4e2b9a58a69 - pretty_name: Profiling Not Set To False - recommended: true - ref: https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/ - 2f56b7ab-7fba-4e93-82f0-247e5ddeb239: - categories: - - ALL - - boost-baseline - description: 'Ensure MSK Cluster Logging is enabled ' - group: top10-security-logging-monitoring-failures - name: 2f56b7ab-7fba-4e93-82f0-247e5ddeb239 - pretty_name: MSK Cluster Logging Disabled - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/msk_cluster#broker_logs - 2f652c42-619d-4361-b361-9f599688f8ca: - categories: - - ALL - - boost-baseline - description: 'The Horizontal Pod Autoscaler 
must target a valid object ' - group: top10-insecure-design - name: 2f652c42-619d-4361-b361-9f599688f8ca - pretty_name: HPA Targets Invalid Object - recommended: true - ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale-walkthrough/ - 2f737336-b18a-4602-8ea0-b200312e1ac1: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'RDS should not run in public subnet ' - group: cloud-resources-public-access - name: 2f737336-b18a-4602-8ea0-b200312e1ac1 - pretty_name: RDS Associated with Public Subnet - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance#db_subnet_group_name - 2fc5ab5a-c5eb-4ae4-b687-0f16fe77c255: - categories: - - ALL - - boost-baseline - description: 'Check if Web Application Firewall is disabled or not configured - for Azure''s Application Gateway. ' - group: cloud-resources-public-access - name: 2fc5ab5a-c5eb-4ae4-b687-0f16fe77c255 - pretty_name: WAF Is Disabled For Azure Application Gateway - recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_appgateway_module.html - 2fc99041-ddad-49d5-853f-e35e70a48391: - categories: - - ALL - - boost-baseline - description: 'Attribute ''restart:on-failure'' should be set to 5. Restart policies - in general should be used. 
' - group: supply-chain-cicd-weak-configuration - name: 2fc99041-ddad-49d5-853f-e35e70a48391 - pretty_name: Restart Policy On Failure Not Set To 5 - recommended: true - ref: https://docs.docker.com/config/containers/start-containers-automatically/#use-a-restart-policy - 2ff8e83c-90e1-4d68-a300-6d652112e622: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Elastic File System (EFS) must be encrypted ' - group: top10-crypto-failures - name: 2ff8e83c-90e1-4d68-a300-6d652112e622 - pretty_name: EFS Not Encrypted - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-efs-filesystem.html - 300a9964-b086-41f7-9378-b6de3ba1c32b: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Kubernetes Engine Clusters must have Legacy Authorization set to - disabled, which means the attribute ''legacy_abac.enabled'' must be false. ' - group: cloud-weak-configuration - name: 300a9964-b086-41f7-9378-b6de3ba1c32b - pretty_name: GKE Legacy Authorization Enabled - recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_container_cluster_module.html - 302736f4-b16c-41b8-befe-c0baffa0bd9d: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Container should not share the host process ID namespace ' - group: cloud-weak-configuration - name: 302736f4-b16c-41b8-befe-c0baffa0bd9d - pretty_name: Shared Host PID Namespace - recommended: true - ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/ - 309edc5b-5a59-42b4-a357-d4d098311fd4: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'If algorithm is AES256 then the master key is null, empty or undefined, - otherwise the master key is required ' - group: top10-crypto-failures - name: 309edc5b-5a59-42b4-a357-d4d098311fd4 - pretty_name: S3 Bucket SSE Disabled - recommended: true - ref: 
https://docs.ansible.com/ansible/latest/collections/amazon/aws/s3_bucket_module.html#parameter-encryption_key_id - 30b88745-eebe-4ecb-a3a9-5cf886e96204: - categories: - - ALL - - boost-baseline - description: 'Role with privilege escalation by actions ''ec2:RunInstances'' and - ''iam:PassRole'' and Resource set to ''*''. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. ' - group: cloud-insecure-iam - name: 30b88745-eebe-4ecb-a3a9-5cf886e96204 - pretty_name: Role With Privilege Escalation By Actions 'ec2:RunInstances' And - 'iam:PassRole' - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy#policy - 30e8dfd2-3591-4d19-8d11-79e93106c93d: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Kubernetes Engine Clusters must have Stackdriver Monitoring enabled, - which means the attribute ''monitoring_service'' must either be undefined or - set to ''monitoring.googleapis.com/kubernetes'' ' - group: top10-security-logging-monitoring-failures - name: 30e8dfd2-3591-4d19-8d11-79e93106c93d - pretty_name: Stackdriver Monitoring Disabled - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_cluster#monitoring_service - 31245f98-a6a9-4182-9fc1-45482b9d030a: - categories: - - ALL - - boost-baseline - description: 'Check if MQ Brokers don''t have logging enabled in any of the two - options possible (audit and general). 
' - group: top10-security-logging-monitoring-failures - name: 31245f98-a6a9-4182-9fc1-45482b9d030a - pretty_name: MQ Broker Logging Disabled - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/mq_broker - 313d6deb-3b67-4948-b41d-35b699c2492e: - categories: - - ALL - - boost-baseline - description: 'DNSSEC must be enabled for Cloud DNS ' - group: cloud-weak-configuration - name: 313d6deb-3b67-4948-b41d-35b699c2492e - pretty_name: Cloud DNS Without DNSSEC - recommended: true - ref: https://cloud.google.com/dns/docs/reference/v1/managedZones - 316278b3-87ac-444c-8f8f-a733a28da60f: - categories: - - ALL - - boost-baseline - description: 'AmazonMQ Broker should have Encryption Options defined ' - group: top10-crypto-failures - name: 316278b3-87ac-444c-8f8f-a733a28da60f - pretty_name: AmazonMQ Broker Encryption Disabled - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-amazonmq-broker.html#cfn-amazonmq-broker-encryptionoptions - 31733ee2-fef0-4e87-9778-65da22a8ecf1: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Checks if the connection between CloudFront and the viewer is encrypted ' - group: top10-crypto-failures - name: 31733ee2-fef0-4e87-9778-65da22a8ecf1 - pretty_name: Cloudfront Viewer Protocol Policy Allows HTTP - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cloudfront-distribution.html - 3199c26c-7871-4cb3-99c2-10a59244ce7f: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'RDS Storage should be encrypted, which means the attribute ''storage_encrypted'' - should be set to ''true'' ' - group: top10-crypto-failures - name: 3199c26c-7871-4cb3-99c2-10a59244ce7f - pretty_name: RDS Storage Not Encrypted - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/rds_cluster#storage_encrypted - 
31afbcb7-70e0-48bb-a31a-3374f95cf859: - categories: - - ALL - - boost-baseline - description: If a response is not head or its code is not 204 or 304, it should - have a schema defined - group: cloud-resources-public-access - name: 31afbcb7-70e0-48bb-a31a-3374f95cf859 - pretty_name: Response on operations that should have a body has undefined schema - (v2) - recommended: true - ref: https://swagger.io/specification/v2/#responses-object - 31dd6fc0-f274-493b-9614-e063086c19fc: - categories: - - ALL - - boost-baseline - description: 'A Parameter Object must contain either a ''schema'' property, or - a ''content'' property, but not both since they are mutually exclusive ' - group: top10-insecure-design - name: 31dd6fc0-f274-493b-9614-e063086c19fc - pretty_name: Parameter Object With Schema And Content - recommended: true - ref: https://swagger.io/specification/#parameter-object - 3206240f-2e87-4e58-8d24-3e19e7c83d7c: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'ECS Services must not have Admin roles, which means the attribute - ''iam_role'' must not be an admin role ' - group: cloud-insecure-iam - name: 3206240f-2e87-4e58-8d24-3e19e7c83d7c - pretty_name: ECS Service Admin Role Is Present - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecs_service - 323db967-c68e-44e6-916c-a777f95af34b: - categories: - - ALL - - boost-baseline - description: 'ElastiCache should not use the default port (an attacker can easily - guess the port). For engine set to Redis, the default port is 6379. 
The Memcached - default port is 11211 ' - group: cloud-resources-public-access - name: 323db967-c68e-44e6-916c-a777f95af34b - pretty_name: ElastiCache Using Default Port - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-elasticache-replicationgroup.html#cfn-elasticache-replicationgroup-port - 327b0729-4c5c-4c44-8b5c-e476cd9c7290: - categories: - - ALL - - boost-baseline - description: 'It''s considered a best practice to have point in time recovery - enabled for DynamoDB Table ' - group: top10-insecure-design - name: 327b0729-4c5c-4c44-8b5c-e476cd9c7290 - pretty_name: DynamoDB Table Point In Time Recovery Disabled - recommended: true - ref: https://www.pulumi.com/registry/packages/aws/api-docs/dynamodb/table/#pointintimerecovery_yaml - 32d31f1f-0f83-4721-b7ec-1e6948c60145: - categories: - - ALL - - boost-baseline - description: 'AWS CloudFormation should have a template defined through the attribute - template, template_url or attribute template_body ' - group: supply-chain-cicd-weak-configuration - name: 32d31f1f-0f83-4721-b7ec-1e6948c60145 - pretty_name: Stack Without Template - recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/amazon/aws/cloudformation_module.html - 32ecd6eb-0711-421f-9627-1a28d9eff217: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Verifies that the OSLogin is enabled ' - group: cloud-insecure-iam - name: 32ecd6eb-0711-421f-9627-1a28d9eff217 - pretty_name: OSLogin Disabled - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_project_metadata#metadata - 32ecd76e-7bbf-402e-bf48-8b9485749558: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'When using kube-apiserver command, the ''token-auth-file'' flag - should not be set ' - group: cloud-insecure-iam - name: 32ecd76e-7bbf-402e-bf48-8b9485749558 - pretty_name: Token Auth File Is Set - recommended: true 
- ref: https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/ - 332cf2ad-380d-4b90-b436-46f8e635cf38: - categories: - - ALL - - boost-baseline - description: 'Contact Object URL should be a valid URL ' - group: top10-insecure-design - name: 332cf2ad-380d-4b90-b436-46f8e635cf38 - pretty_name: Invalid Contact URL (v3) - recommended: true - ref: https://swagger.io/specification/#contact-object - 3360c01e-c8c0-4812-96a2-a6329b9b7f9f: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'No role nor cluster role should bind to a default service account ' - group: cloud-weak-configuration - name: 3360c01e-c8c0-4812-96a2-a6329b9b7f9f - pretty_name: Role Binding To Default Service Account - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/role_binding#subject - 33627268-1445-4385-988a-318fd9d1a512: - categories: - - ALL - - boost-baseline - description: 'User with privilege escalation by actions ''iam:UpdateAssumeRolePolicy'' - and ''sts:AssumeRole'' and Resource set to ''*''. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. ' - group: cloud-insecure-iam - name: 33627268-1445-4385-988a-318fd9d1a512 - pretty_name: User With Privilege Escalation By Actions 'iam:UpdateAssumeRolePolicy' - And 'sts:AssumeRole' - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy#policy - 338b6cab-961d-4998-bb49-e5b6a11c9a5c: - categories: - - ALL - - boost-baseline - description: 'It''s considered a best practice for an EC2 instance to use an EBS - optimized instance. 
This provides the best performance for your EBS volumes - by minimizing contention between Amazon EBS I/O and other traffic from your - instance ' - group: top10-insecure-design - name: 338b6cab-961d-4998-bb49-e5b6a11c9a5c - pretty_name: EC2 Not EBS Optimized - recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/amazon/aws/ec2_module.html#parameter-ebs_optimized - 33d96c65-977d-4c33-943f-440baca49185: - categories: - - ALL - - boost-baseline - description: 'The field authorizationUrl on implicit or authorizationCode fields - from OAuth must be a valid URL ' - group: cloud-insecure-iam - name: 33d96c65-977d-4c33-943f-440baca49185 - pretty_name: Invalid OAuth2 Authorization URL (v2) - recommended: true - ref: https://swagger.io/specification/v2/#securitySchemeObject - 33f41d31-86b1-46a4-81f7-9c9a671f59ac: - categories: - - ALL - - boost-baseline - description: 'ECR should have an image tag be immutable. This prevents image tags - from being overwritten. ' - group: cloud-weak-configuration - name: 33f41d31-86b1-46a4-81f7-9c9a671f59ac - pretty_name: ECR Image Tag Not Immutable - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ecr-repository.html - 33fc6923-6553-4fe6-9d3a-4efa51eb874b: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'When using kube-apiserver command, the --enable-admission-plugins - flag should have ''NodeRestriction'' plugin and the plugin should be correctly - configured in AdmissionControl Config file ' - group: cloud-insecure-iam - name: 33fc6923-6553-4fe6-9d3a-4efa51eb874b - pretty_name: Node Restriction Admission Control Plugin Not Set - recommended: true - ref: https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/ - 344bf8ab-9308-462b-a6b2-697432e40ba1: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'GCP - Google Kubernetes Engine (GKE) Basic Authentication must be - disabled, which 
means the username and password provided in the master_auth - block must be empty ' - group: cloud-weak-configuration - name: 344bf8ab-9308-462b-a6b2-697432e40ba1 - pretty_name: GKE Basic Authentication Enabled - recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_container_cluster_module.html - 34664094-59e0-4524-b69f-deaa1a68cce3: - categories: - - ALL - - boost-baseline - description: 'Security Contact Email should be defined ' - group: top10-insecure-design - name: 34664094-59e0-4524-b69f-deaa1a68cce3 - pretty_name: Security Contact Email - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/security_center_contact#email - 34b921bd-90a0-402e-a0a5-dc73371fd963: - categories: - - ALL - - boost-baseline - description: 'SES policy should not allow IAM actions to all principals ' - group: cloud-insecure-iam - name: 34b921bd-90a0-402e-a0a5-dc73371fd963 - pretty_name: SES Policy With Allowed IAM Actions - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ses_identity_policy#policy - 3505094c-f77c-4ba0-95da-f83db712f86c: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'If the CORS (Cross-Origin Resource Sharing) rule is defined in an - S3 bucket, it should be secure ' - group: cloud-weak-configuration - name: 3505094c-f77c-4ba0-95da-f83db712f86c - pretty_name: S3 Bucket with Unsecured CORS Rule - recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/community/aws/aws_s3_cors_module.html#parameter-rules - 350cd468-0e2c-44ef-9d22-cfb73a62523c: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'S3 bucket without restriction of public bucket ' - group: cloud-weak-configuration - name: 350cd468-0e2c-44ef-9d22-cfb73a62523c - pretty_name: S3 Bucket Without Restriction Of Public Bucket - recommended: true - ref: 
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket-publicaccessblockconfiguration.html - 350f3955-b5be-436f-afaa-3d2be2fa6cdd: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Azure Disk Encryption should be enabled ' - group: top10-crypto-failures - name: 350f3955-b5be-436f-afaa-3d2be2fa6cdd - pretty_name: Azure Managed Disk Without Encryption - recommended: true - ref: https://docs.microsoft.com/en-us/azure/templates/microsoft.compute/disks?tabs=json#encryptionsettingscollection-object - 35113e6f-2c6b-414d-beec-7a9482d3b2d1: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'RDS must not be defined with public interface, which means the field - ''publicly_accessible'' should not be set to ''true'' (default is ''false''). ' - group: cloud-weak-configuration - name: 35113e6f-2c6b-414d-beec-7a9482d3b2d1 - pretty_name: RDS DB Instance Publicly Accessible - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance#publicly_accessible - 3561130e-9c5f-485b-9e16-2764c82763e5: - categories: - - ALL - - boost-baseline - description: 'Any IAM User should not have more than one access key since it increases - the risk of unauthorized access and compromise credentials ' - group: cloud-weak-configuration - name: 3561130e-9c5f-485b-9e16-2764c82763e5 - pretty_name: IAM User Has Too Many Access Keys - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_access_key#user - 35c0a471-f7c8-4993-aa2c-503a3c712a66: - categories: - - ALL - - boost-baseline - description: 'When using kube-apiserver command, the ''--audit-log-maxsize'' flag - should be defined and set to 100 or more MegaBytes ' - group: top10-security-logging-monitoring-failures - name: 35c0a471-f7c8-4993-aa2c-503a3c712a66 - pretty_name: Audit Log Maxsize Not Properly Set - recommended: true - ref: 
https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/ - 35ccf766-0e4d-41ed-9ec4-2dab155082b4: - categories: - - ALL - - boost-baseline - description: 'Role with privilege escalation by actions ''iam:UpdateLoginProfile'' - and Resource set to ''*''. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. ' - group: cloud-insecure-iam - name: 35ccf766-0e4d-41ed-9ec4-2dab155082b4 - pretty_name: Role With Privilege Escalation By Actions 'iam:UpdateLoginProfile' - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy#policy - 35e2f133-a395-40de-a79d-b260d973d1bd: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Storage Account should not be public to grant the principle of least - privileges ' - group: cloud-insecure-iam - name: 35e2f133-a395-40de-a79d-b260d973d1bd - pretty_name: Public Storage Account - recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_storageaccount_module.html#parameter-network_acls - 3602d273-3290-47b2-80fa-720162b1a8af: - categories: - - ALL - - boost-baseline - description: 'Google Compute Network should not use a firewall rule that allows - all ports ' - group: cloud-resources-public-access - name: 3602d273-3290-47b2-80fa-720162b1a8af - pretty_name: Google Compute Network Using Firewall Rule that Allows All Ports - recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_compute_firewall_module.html#parameter-allowed - 3609d27c-3698-483a-9402-13af6ae80583: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'If the CORS (Cross-Origin Resource Sharing) rule is defined in an - S3 bucket, it should be secure ' - group: cloud-weak-configuration - name: 3609d27c-3698-483a-9402-13af6ae80583 - pretty_name: S3 Bucket With Unsecured CORS Rule - recommended: true - ref: 
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket-cors.html - 3641d5b4-d339-4bc2-bfb9-208fe8d3477f: - categories: - - ALL - - boost-baseline - description: 'An API Key should be required on a method request. ' - group: cloud-insecure-iam - name: 3641d5b4-d339-4bc2-bfb9-208fe8d3477f - pretty_name: API Gateway Method Does Not Contains An API Key - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigateway-method.html - 36a27826-1bf5-49da-aeb0-a60a30c0e834: - categories: - - ALL - - boost-baseline - description: 'When using kube-apiserver command, the ''kubelet-client-key'' and - ''kubelet-client-certificate'' flags should be set ' - group: cloud-weak-secrets-management - name: 36a27826-1bf5-49da-aeb0-a60a30c0e834 - pretty_name: Kubelet Client Certificate Or Key Not Set - recommended: true - ref: https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/ - 37140f7f-724a-4c87-a536-e9cee1d61533: - categories: - - ALL - - boost-baseline - description: 'Security Requirement Object should only have scopes defined for - security schemes of type ''oauth2'' and ''openIdConnect'' ' - group: top10-insecure-design - name: 37140f7f-724a-4c87-a536-e9cee1d61533 - pretty_name: Security Requirement Object With Wrong Scopes - recommended: true - ref: https://swagger.io/specification/#security-requirement-object - 37304d3f-f852-40b8-ae3f-725e87a7cedf: - categories: - - ALL - - boost-baseline - description: 'Amazon EKS control plane logging is not enabled ' - group: top10-security-logging-monitoring-failures - name: 37304d3f-f852-40b8-ae3f-725e87a7cedf - pretty_name: EKS cluster logging is not enabled - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_cluster#enabled_cluster_log_types - 376c9390-7e9e-4cb8-a067-fd31c05451fd: - categories: - - ALL - - boost-baseline - description: 'Header reference should exists on 
components field ' - group: top10-insecure-design - name: 376c9390-7e9e-4cb8-a067-fd31c05451fd - pretty_name: Header JSON Reference Does Not Exists - recommended: true - ref: https://swagger.io/specification/#components-object - 3790d386-be81-4dcf-9850-eaa7df6c10d9: - categories: - - ALL - - boost-baseline - description: 'Make sure that for Postgre SQL Database Server, parameter ''log_checkpoints'' - is set to ''ON'' ' - group: top10-security-logging-monitoring-failures - name: 3790d386-be81-4dcf-9850-eaa7df6c10d9 - pretty_name: PostgreSQL Log Checkpoints Disabled - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/postgresql_configuration - 37cca703-b74c-48ba-ac81-595b53398e9b: - categories: - - ALL - - boost-baseline - - boost-hardened - description: '''API::Gateway::Deployment'' should have ''CacheDataEncrypted'' - enabled when ''CachingEnabled'' is set to true ' - group: top10-crypto-failures - name: 37cca703-b74c-48ba-ac81-595b53398e9b - pretty_name: API Gateway Cache Encrypted Disabled - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-apigateway-deployment-stagedescription.html - 37fa8188-738b-42c8-bf82-6334ea567738: - categories: - - ALL - - boost-baseline - description: 'Checks if S3 Bucket has the same name as a Bucket Policy, if it - has, S3 Bucket has a Bucket Policy associated ' - group: cloud-weak-configuration - name: 37fa8188-738b-42c8-bf82-6334ea567738 - pretty_name: S3 Bucket Should Have Bucket Policy - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket.html - 37fafbea-dedb-4e0d-852e-d16ee0589326: - categories: - - ALL - - boost-baseline - description: 'Ensure that Activity Log Retention is set 365 days or greater ' - group: top10-security-logging-monitoring-failures - name: 37fafbea-dedb-4e0d-852e-d16ee0589326 - pretty_name: Small Activity Log Retention Period - recommended: 
true - ref: https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_monitorlogprofile_module.html - 381c3f2a-ef6f-4eff-99f7-b169cda3422c: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'A sensitive port, such as port 23 or port 110, is open for the whole - network in either TCP or UDP protocol ' - group: cloud-resources-public-access - name: 381c3f2a-ef6f-4eff-99f7-b169cda3422c - pretty_name: Sensitive Port Is Exposed To Entire Network - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group - 38300d1a-feb2-4a48-936a-d1ef1cd24313: - categories: - - ALL - - boost-baseline - description: 'Reduce layer and image size by deleting unneeded caches after running - zypper ' - group: supply-chain-scm-weak-configuration - name: 38300d1a-feb2-4a48-936a-d1ef1cd24313 - pretty_name: Missing Zypper Clean - recommended: true - ref: https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#run - 3847280c-9193-40bc-8009-76168e822ce2: - categories: - - ALL - - boost-baseline - description: 'Using an scope on security of operations that is undefined on ''securityDefinitions'' - can be defined by an attacker ' - group: cloud-insecure-iam - name: 3847280c-9193-40bc-8009-76168e822ce2 - pretty_name: Undefined Scope 'securityDefinition' On 'security' Field On Operations - recommended: true - ref: https://swagger.io/specification/v2/#security-scheme-object - 3878dc92-8e5d-47cf-9cdd-7590f71d21b9: - categories: - - ALL - - boost-baseline - description: 'Kubernetes Stateful Sets must have one Volume Claim template with - the access mode ''ReadWriteOnce'' ' - group: supply-chain-cicd-weak-configuration - name: 3878dc92-8e5d-47cf-9cdd-7590f71d21b9 - pretty_name: Incorrect Volume Claim Access Mode ReadWriteOnce - recommended: true - ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/ - 38b85c45-e772-4de8-a247-69619ca137b3: - categories: - - ALL - 
- boost-baseline - description: 'Ensure a log metric filter and alarm exist for AWS organizations - changes ' - group: top10-security-logging-monitoring-failures - name: 38b85c45-e772-4de8-a247-69619ca137b3 - pretty_name: CloudWatch AWS Organizations Changes Missing Alarm - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_metric_filter#pattern - 38c5ee0d-7f22-4260-ab72-5073048df100: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'S3 Buckets should not be readable and writable to all users ' - group: cloud-insecure-iam - name: 38c5ee0d-7f22-4260-ab72-5073048df100 - pretty_name: S3 Bucket ACL Allows Read Or Write to All Users - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket - 38c64e76-c71e-4d92-a337-60174d1de1c9: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'S3 Buckets should enforce encryption of data transfers using Secure - Sockets Layer (SSL) ' - group: top10-crypto-failures - name: 38c64e76-c71e-4d92-a337-60174d1de1c9 - pretty_name: S3 Bucket Without SSL In Write Actions - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket.html - 38c71c00-c177-4cd7-8d36-cd1007cdb190: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Ensure that logging for Azure KeyVault is ''Enabled'' ' - group: top10-security-logging-monitoring-failures - name: 38c71c00-c177-4cd7-8d36-cd1007cdb190 - pretty_name: Vault Auditing Disabled - recommended: true - ref: https://www.terraform.io/docs/providers/azurerm/r/key_vault.html - 38fa11ef-dbcc-4da8-9680-7e1fd855b6fb: - categories: - - ALL - - boost-baseline - description: 'Roles or ClusterRoles with RBAC permissions to port-forward into - pods can open socket-level communication channels to containers. 
In case of - compromise, attackers may abuse this for direct communication that bypasses - network security restrictions ' - group: cloud-insecure-iam - name: 38fa11ef-dbcc-4da8-9680-7e1fd855b6fb - pretty_name: RBAC Roles with Port-Forwarding Permission - recommended: true - ref: https://kubernetes.io/docs/reference/access-authn-authz/rbac/ - 392599e4-a4e2-403d-bc56-3fe05755782d: - categories: - - ALL - - boost-baseline - description: API Keys should not be transported over network - group: cloud-insecure-iam - name: 392599e4-a4e2-403d-bc56-3fe05755782d - pretty_name: API Key Exposed In Operation Security (v2) - recommended: true - ref: https://swagger.io/specification/v2/#securityDefinitionsObject - 39423ce4-9011-46cd-b6b1-009edcd9385d: - categories: - - ALL - - boost-baseline - description: 'DocDB DB Cluster master user password must not be in a plain text - string or referenced in a parameter as a default value. ' - group: cloud-weak-secrets-management - name: 39423ce4-9011-46cd-b6b1-009edcd9385d - pretty_name: DocDB Cluster Master Password In Plaintext - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-docdb-dbcluster.html - 39750e32-3fe9-453b-8c33-dd277acdb2cc: - categories: - - ALL - - boost-baseline - description: 'Disks should have encryption enabled ' - group: top10-crypto-failures - name: 39750e32-3fe9-453b-8c33-dd277acdb2cc - pretty_name: Disk Encryption Disabled - recommended: true - ref: https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/disk#encrypted - 3979b0a4-532c-4ea7-86e4-34c090eaa4f2: - categories: - - ALL - - boost-baseline - description: 'OAuth2 password flow insecurely exposes the credentials of the resource - owner to the client ' - group: cloud-insecure-iam - name: 3979b0a4-532c-4ea7-86e4-34c090eaa4f2 - pretty_name: OAuth2 With Password Flow - recommended: true - ref: https://swagger.io/specification/#oauth-flows-object - 39cb32f2-3a42-4af0-8037-82a7a9654b6c: - 
categories: - - ALL - - boost-baseline - description: 'OAuth2 implicit flow is vulnerable to access token leakage and access - token replay ' - group: cloud-insecure-iam - name: 39cb32f2-3a42-4af0-8037-82a7a9654b6c - pretty_name: OAuth2 With Implicit Flow - recommended: true - ref: https://swagger.io/specification/#oauth-flows-object - 3a01790c-ebee-4da6-8fd3-e78657383b75: - categories: - - ALL - - boost-baseline - description: 'The value of ''additionalProperties'' should be set as object instead - of boolean, since swagger 2.0 does not support boolean value for it ' - group: top10-insecure-design - name: 3a01790c-ebee-4da6-8fd3-e78657383b75 - pretty_name: Schema with 'additionalProperties' set as Boolean - recommended: true - ref: https://swagger.io/specification/v2/#schema-object - 3a1e94df-6847-4c0e-a3b6-6c6af4e128ef: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'CloudFront web distributions should use custom (and not default) - SSL certificates. Custom SSL certificates allow only defined users to access - content by using an alternate domain name instead of the default one. ' - group: cloud-weak-configuration - name: 3a1e94df-6847-4c0e-a3b6-6c6af4e128ef - pretty_name: Vulnerable Default SSL Certificate - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_distribution - 3a81fc06-566f-492a-91dd-7448e409e2cd: - categories: - - ALL - - boost-baseline - description: 'All generic git repositories should reference a revision. 
' - group: top10-insecure-design - name: 3a81fc06-566f-492a-91dd-7448e409e2cd - pretty_name: Generic Git Module Without Revision - recommended: true - ref: https://www.terraform.io/docs/language/modules/sources.html#selecting-a-revision - 3ab1f27d-52cc-4943-af1d-43c1939e739a: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Checks if the S3 bucket is accessible for all users ' - group: cloud-insecure-iam - name: 3ab1f27d-52cc-4943-af1d-43c1939e739a - pretty_name: S3 Bucket Access to Any Principal - recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/amazon/aws/s3_bucket_module.html#ansible-collections-amazon-aws-s3-bucket-module - 3ac3e75c-6374-4a32-8ba0-6ed69bda404e: - categories: - - ALL - - boost-baseline - description: 'Azure Storage Table should not allow all ACL (Access Control List) - permissions - r (read), w (write), d (delete), and l (list). ' - group: cloud-insecure-iam - name: 3ac3e75c-6374-4a32-8ba0-6ed69bda404e - pretty_name: Storage Table Allows All ACL Permissions - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_table#permissions - 3ae83918-7ec7-4cb8-80db-b91ef0f94002: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Security Groups does not allow 0.0.0.0/0 for rdp (port:3389) ' - group: cloud-resources-public-access - name: 3ae83918-7ec7-4cb8-80db-b91ef0f94002 - pretty_name: Security Group Unrestricted Access To RDP - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-security-group.html - 3af7f2fd-06e6-4dab-b996-2912bea19ba4: - categories: - - ALL - - boost-baseline - - boost-hardened - description: '''SSH'' (TCP:22) should not be public in AWS Network ACL ' - group: cloud-resources-public-access - name: 3af7f2fd-06e6-4dab-b996-2912bea19ba4 - pretty_name: Network ACL With Unrestricted Access To SSH - recommended: true - ref: 
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/network_acl - 3b02569b-fc6f-4153-b3a3-ba91022fed68: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Ensure AWS ElastiCache Redis clusters have encryption for data at - transit enabled ' - group: top10-crypto-failures - name: 3b02569b-fc6f-4153-b3a3-ba91022fed68 - pretty_name: ElastiCache With Disabled Transit Encryption - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-elasticache-replicationgroup.html - 3b066059-f411-4554-ac8d-96f32bff90da: - categories: - - ALL - - boost-baseline - description: 'Head should define at least one success response (200 or 202) ' - group: cloud-resources-public-access - name: 3b066059-f411-4554-ac8d-96f32bff90da - pretty_name: Success Response Code Undefined for Head Operation (v3) - recommended: true - ref: https://swagger.io/specification/#operation-object - 3b30e3d6-c99b-4318-b38f-b99db74578b5: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Kubernetes Clusters must be created with Private Clusters enabled, - meaning the ''private_cluster_config'' must be defined and the attributes ''enable_private_endpoint'' - and ''enable_private_nodes'' must be true. ' - group: cloud-weak-configuration - name: 3b30e3d6-c99b-4318-b38f-b99db74578b5 - pretty_name: Private Cluster Disabled - recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_container_cluster_module.html - 3b316b05-564c-44a7-9c3f-405bb95e211e: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'AWS Redshift Cluster should be encrypted. 
Check if ''Encrypted'' - field is false or undefined (default is false) ' - group: top10-crypto-failures - name: 3b316b05-564c-44a7-9c3f-405bb95e211e - pretty_name: Redshift Not Encrypted - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-redshift-cluster.html - 3b3b4411-ad1f-40e7-b257-a78a6bb9673a: - categories: - - ALL - - boost-baseline - description: 'VPCs without attached subnets may indicate that they are not being - used ' - group: cloud-insecure-iam - name: 3b3b4411-ad1f-40e7-b257-a78a6bb9673a - pretty_name: VPC Without Attached Subnet - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-subnet.html - 3b497874-ae59-46dd-8d72-1868a3b8f150: - categories: - - ALL - - boost-baseline - description: 'Delete should define at least one success response (200, 201, 202 - or 204) ' - group: cloud-resources-public-access - name: 3b497874-ae59-46dd-8d72-1868a3b8f150 - pretty_name: Success Response Code Undefined for Delete Operation (v3) - recommended: true - ref: https://swagger.io/specification/#operation-object - 3b615f00-c443-4ba9-acc4-7c308716917d: - categories: - - ALL - - boost-baseline - description: 'The media type prefix should be set as ''application'', ''audio'', - ''font'', ''example'', ''image'', ''message'', ''model'', ''multipart'', ''text'' - or ''video'' ' - group: top10-insecure-design - name: 3b615f00-c443-4ba9-acc4-7c308716917d - pretty_name: Unknown Prefix (v2) - recommended: true - ref: https://swagger.io/specification/v2/#swagger-object - 3b6d777b-76e3-4133-80a3-0d6f667ade7f: - categories: - - ALL - - boost-baseline - description: 'RDS instance should have automatic minor upgrades enabled, which - means the attribute ''auto_minor_version_upgrade'' must be set to true. 
' - group: top10-insecure-design - name: 3b6d777b-76e3-4133-80a3-0d6f667ade7f - pretty_name: Automatic Minor Upgrades Disabled - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance#auto_minor_version_upgrade - 3ba0cca1-b815-47bf-ac62-1e584eb64a05: - categories: - - ALL - - boost-baseline - description: 'OAuth2 security scheme flow requires a valid URL in the tokenUrl - field ' - group: cloud-insecure-iam - name: 3ba0cca1-b815-47bf-ac62-1e584eb64a05 - pretty_name: Invalid OAuth2 Token URL (v3) - recommended: true - ref: https://swagger.io/specification/#oauth-flow-object - 3c3b7a58-b018-4d07-9444-d9ee7156e111: - categories: - - ALL - - boost-baseline - description: 'Alexa skills'' client secrets should not be defined as a plaintext - string. It should either use ''AWS Systems Manager Parameter Store'' or ''AWS - Secrets Manager'' to retrieve sensitive information ' - group: top10-crypto-failures - name: 3c3b7a58-b018-4d07-9444-d9ee7156e111 - pretty_name: Alexa Skill Plaintext Client Secret Exposed - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ask-skill.html#cfn-ask-skill-authenticationconfiguration - 3ca03a61-3249-4c16-8427-6f8e47dda729: - categories: - - ALL - - boost-baseline - description: 'Service should Target a Pod ' - group: cloud-weak-configuration - name: 3ca03a61-3249-4c16-8427-6f8e47dda729 - pretty_name: Service Does Not Target Pod - recommended: true - ref: https://kubernetes.io/docs/concepts/services-networking/service/ - 3cb4af0b-056d-4fb1-8b95-fdc4593625ff: - categories: - - ALL - - boost-baseline - description: 'Instances should not be configured to use the Default Service Account, - that has full access to all Cloud APIs, which means the attribute ''service_account'' - and its sub attribute ''email'' must be defined. Additionally, ''email'' must - not be empty and must also not be a default Google Compute Engine service account. 
' - group: cloud-weak-configuration - name: 3cb4af0b-056d-4fb1-8b95-fdc4593625ff - pretty_name: Using Default Service Account - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_instance - 3d24b204-b73d-42cb-b0bf-1a5438c5f71e: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'When using kube-apiserver command, the --secure-port flag should - not be 0 ' - group: cloud-resources-public-access - name: 3d24b204-b73d-42cb-b0bf-1a5438c5f71e - pretty_name: Secure Port Set To Zero - recommended: true - ref: https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/ - 3d28f751-bc18-4f83-ace0-216b6086410b: - categories: - - ALL - - boost-baseline - description: Schema of the JSON object should have properties defined and 'additionalProperties' - set to false. - group: cloud-weak-configuration - name: 3d28f751-bc18-4f83-ace0-216b6086410b - pretty_name: JSON Object Schema Without Properties (v2) - recommended: true - ref: https://swagger.io/specification/v2/#schemaObject - 3d3f6270-546b-443c-adb4-bb6fb2187ca6: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'EBS Encryption should be enabled ' - group: top10-crypto-failures - name: 3d3f6270-546b-443c-adb4-bb6fb2187ca6 - pretty_name: EBS Default Encryption Disabled - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ebs_encryption_by_default - 3d658f8b-d988-41a0-a841-40043121de1e: - categories: - - ALL - - boost-baseline - description: 'Container should not use secrets as environment variables ' - group: cloud-weak-secrets-management - name: 3d658f8b-d988-41a0-a841-40043121de1e - pretty_name: Secrets As Environment Variables - recommended: true - ref: https://kubernetes.io/docs/concepts/configuration/secret/#using-secrets-as-environment-variables - 3d7d7b6c-fb0a-475e-8a28-c125e30d15f0: - categories: - - ALL - - boost-baseline - description: 
'Host field should be an IP or a valid host name ' - group: top10-insecure-design - name: 3d7d7b6c-fb0a-475e-8a28-c125e30d15f0 - pretty_name: Host With Invalid Pattern - recommended: true - ref: https://swagger.io/specification/v2/#swagger-object - 3db3f534-e3a3-487f-88c7-0a9fbf64b702: - categories: - - ALL - - boost-baseline - description: 'AmazonMQ Broker should have Encryption Options defined ' - group: top10-crypto-failures - name: 3db3f534-e3a3-487f-88c7-0a9fbf64b702 - pretty_name: AmazonMQ Broker Encryption Disabled - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/mq_broker - 3dd96caa-0b5f-4a85-b929-acfac4646cc2: - categories: - - ALL - - boost-baseline - description: 'Group with privilege escalation by actions ''iam:AttachRolePolicy'' - and Resource set to ''*''. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. ' - group: cloud-insecure-iam - name: 3dd96caa-0b5f-4a85-b929-acfac4646cc2 - pretty_name: Group With Privilege Escalation By Actions 'iam:AttachRolePolicy' - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_policy#policy - 3ddd74cc-6582-486c-8b0c-2b48cb38e0a3: - categories: - - ALL - - boost-baseline - description: The header Parameter should not be named as 'Accept'. If so, it will - be ignored. 
- group: top10-insecure-design - name: 3ddd74cc-6582-486c-8b0c-2b48cb38e0a3 - pretty_name: Header Parameter Named as 'Accept' (v2) - recommended: true - ref: https://swagger.io/specification/v2/#parameterObject - 3ddf3417-424d-420d-8275-0724dc426520: - categories: - - ALL - - boost-baseline - description: 'Lambda permission may be misconfigured if the action field is not - filled in by ''lambda:InvokeFunction'' ' - group: top10-insecure-design - name: 3ddf3417-424d-420d-8275-0724dc426520 - pretty_name: Lambda Permission Misconfigured - recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/community/aws/lambda_policy_module.html - 3ddfa124-6407-4845-a501-179f90c65097: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Users should authenticate with MFA (Multi-factor Authentication) - to ensure an extra layer of protection when authenticating ' - group: cloud-insecure-iam - name: 3ddfa124-6407-4845-a501-179f90c65097 - pretty_name: Authentication Without MFA - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy - 3de2d4ff-fe53-4fc9-95d3-2f8a69bf90d6: - categories: - - ALL - - boost-baseline - description: 'Make sure Logging is enabled for Redshift Cluster ' - group: top10-security-logging-monitoring-failures - name: 3de2d4ff-fe53-4fc9-95d3-2f8a69bf90d6 - pretty_name: Redshift Cluster Logging Disabled - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-redshift-cluster.html#cfn-redshift-cluster-loggingproperties - 3deec14b-03d2-4d27-9670-7d79322e3340: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'CodeBuild Project should be encrypted with customer-managed KMS - keys instead of AWS managed keys ' - group: top10-crypto-failures - name: 3deec14b-03d2-4d27-9670-7d79322e3340 - pretty_name: CodeBuild Project Encrypted With AWS Managed Key - recommended: true - ref: 
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/codebuild_project#encryption_key - 3e09413f-471e-40f3-8626-990c79ae63f3: - categories: - - ALL - - boost-baseline - description: 'Check if SNS topic name is set for CloudTrail ' - group: top10-security-logging-monitoring-failures - name: 3e09413f-471e-40f3-8626-990c79ae63f3 - pretty_name: CloudTrail SNS Topic Name Undefined - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cloudtrail-trail.html#cfn-cloudtrail-trail-snstopicname - 3e293410-d5b8-411f-85fd-7d26294f20c9: - categories: - - ALL - - boost-baseline - description: 'VPC should have a Network Firewall associated ' - group: cloud-resources-public-access - name: 3e293410-d5b8-411f-85fd-7d26294f20c9 - pretty_name: VPC Without Network Firewall - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-networkfirewall-firewall.html#cfn-networkfirewall-firewall-vpcid - 3e3c175e-aadf-4e2b-a464-3fdac5748d24: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Port 22 (SSH) is exposed to the internet ' - group: cloud-resources-public-access - name: 3e3c175e-aadf-4e2b-a464-3fdac5748d24 - pretty_name: SSH Is Exposed To The Internet - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_security_rule - 3e4d34d2-36cf-4449-976d-6c256db8fc49: - categories: - - ALL - - boost-baseline - description: Schema/Parameter items should be defined when the schema/parameter - is set to an array. 
- group: top10-insecure-design - name: 3e4d34d2-36cf-4449-976d-6c256db8fc49 - pretty_name: Items Undefined (v2) - recommended: true - ref: https://swagger.io/specification/v2/#schema-object - 3e4d5ce6-3280-4027-8010-c26eeea1ec01: - categories: - - ALL - - boost-baseline - description: 'VM Instance should block project-wide SSH keys ' - group: cloud-weak-secrets-management - name: 3e4d5ce6-3280-4027-8010-c26eeea1ec01 - pretty_name: Project-wide SSH Keys Are Enabled In VM Instances - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_instance - 3e6c7b1c-8a8d-43ab-98b9-65159f44db4a: - categories: - - ALL - - boost-baseline - description: Paths object may be empty due to ACL constraints, meaning they are - not exposed - group: top10-insecure-design - name: 3e6c7b1c-8a8d-43ab-98b9-65159f44db4a - pretty_name: Paths Object is Empty (v2) - recommended: true - ref: https://swagger.io/specification/v2/#pathsObject - 3e9fcc67-1f64-405f-b2f9-0a6be17598f0: - categories: - - ALL - - boost-baseline - description: 'Microsoft.Security securityContacts should have a phone number defined ' - group: top10-insecure-design - name: 3e9fcc67-1f64-405f-b2f9-0a6be17598f0 - pretty_name: Phone Number Not Set For Security Contacts - recommended: true - ref: https://docs.microsoft.com/en-us/azure/templates/microsoft.security/securitycontacts?tabs=json - 3ed8fc82-c2bb-49e0-811f-c53923674c49: - categories: - - ALL - - boost-baseline - description: Numeric schema (type set to 'integer' or 'number') should have 'format' - defined. 
- group: cloud-weak-configuration - name: 3ed8fc82-c2bb-49e0-811f-c53923674c49 - pretty_name: Numeric Schema Without Format (v2) - recommended: true - ref: https://swagger.io/specification/v2/#schemaObject - 3ef8696c-e4ae-4872-92c7-520bb44dfe77: - categories: - - ALL - - boost-baseline - description: 'Allowing to run lambda function using public API Gateway ' - group: cloud-insecure-iam - name: 3ef8696c-e4ae-4872-92c7-520bb44dfe77 - pretty_name: Public Lambda via API Gateway - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission - 3f23c96c-f9f5-488d-9b17-605b8da5842f: - categories: - - ALL - - boost-baseline - description: 'Azure SQL Server Accessibility should be set to a minimal address - range to grant the principle of least privileges, which means the difference - between the values of the ''end_ip_address'' and ''start_ip_address'' should - be less than 256. Additionally, both ips should be different from ''0.0.0.0'' ' - group: cloud-resources-public-access - name: 3f23c96c-f9f5-488d-9b17-605b8da5842f - pretty_name: Unrestricted SQL Server Access - recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_sqlfirewallrule_module.html - 3f2cf811-88fa-4eda-be45-7a191a18aba9: - categories: - - ALL - - boost-baseline - description: 'No password expiration policy ' - group: top10-insecure-design - name: 3f2cf811-88fa-4eda-be45-7a191a18aba9 - pretty_name: Misconfigured Password Policy Expiration - recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/community/aws/iam_password_policy_module.html - 3f55386d-75cd-4e9a-ac47-167b26c04724: - categories: - - ALL - - boost-baseline - description: 'Containers should not have CAP_SYS_ADMIN Linux capability ' - group: cloud-weak-configuration - name: 3f55386d-75cd-4e9a-ac47-167b26c04724 - pretty_name: Containers With Sys Admin Capabilities - recommended: true - ref: 
https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#capabilities-1 - 3f5ff8a7-5ad6-4d02-86f5-666307da1b20: - categories: - - ALL - - boost-baseline - description: 'When using kube-apiserver commands, the ''--etcd-cafile'' flag should - be defined ' - group: cloud-weak-secrets-management - name: 3f5ff8a7-5ad6-4d02-86f5-666307da1b20 - pretty_name: Etcd Client Certificate File Not Defined - recommended: true - ref: https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/ - 3fa5900f-9aac-4982-96b2-a6143d9c99fb: - categories: - - ALL - - boost-baseline - description: 'Role Definition should not allow custom role creation (Microsoft.Authorization/roleDefinitions/write) ' - group: cloud-insecure-iam - name: 3fa5900f-9aac-4982-96b2-a6143d9c99fb - pretty_name: Role Definition Allows Custom Role Creation - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_definition#actions - 3fb03214-25d4-4bd4-867c-c2d8d708a483: - categories: - - ALL - - boost-baseline - description: 'Schema Object should have all required properties defined ' - group: top10-insecure-design - name: 3fb03214-25d4-4bd4-867c-c2d8d708a483 - pretty_name: Properties Missing Required Property (v3) - recommended: true - ref: https://swagger.io/specification/#schema-object - 4003118b-046b-4640-b200-b8c7a4c8b89f: - categories: - - ALL - - boost-baseline - description: 'The use of AWS SSO for creating users may pose a security risk as - it does not synchronize with external Identity Providers (IdP) or Active Directory - (AD). This can lead to inconsistencies and potential unauthorized access to - resources. It is recommended to review and update user creation processes to - ensure proper security protocols are in place. 
' - group: cloud-insecure-iam - name: 4003118b-046b-4640-b200-b8c7a4c8b89f - pretty_name: SSO Identity User Unsafe Creation - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/identitystore_user - 40430747-442d-450a-a34f-dc57149f4609: - categories: - - ALL - - boost-baseline - description: 'This query checks if logs are enabled for a Google Compute Subnetwork - resource. ' - group: top10-security-logging-monitoring-failures - name: 40430747-442d-450a-a34f-dc57149f4609 - pretty_name: Google Compute Subnetwork Logging Disabled - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_subnetwork - 404fde2c-bc4b-4371-9747-7054132ac953: - categories: - - ALL - - boost-baseline - description: 'Seccomp offers a whitelist of common system calls, blocking all - others. Having less kernel exposed to an app then increases security. ' - group: cloud-insecure-iam - name: 404fde2c-bc4b-4371-9747-7054132ac953 - pretty_name: Default Seccomp Profile Disabled - recommended: true - ref: https://docs.docker.com/compose/compose-file/compose-file-v3/#security_opt - 40abce54-95b1-478c-8e5f-ea0bf0bb0e33: - categories: - - ALL - - boost-baseline - description: 'Google Compute Network should not use default firewall rule ' - group: cloud-resources-public-access - name: 40abce54-95b1-478c-8e5f-ea0bf0bb0e33 - pretty_name: Google Compute Network Using Default Firewall Rule - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_firewall#name - 40d3df21-c170-4dbe-9c02-4289b51f994f: - categories: - - ALL - - boost-baseline - description: 'Schema discriminator values should match defined properties. 
' - group: top10-insecure-design - name: 40d3df21-c170-4dbe-9c02-4289b51f994f - pretty_name: Schema Discriminator Mismatch Defined Properties (v3) - recommended: true - ref: https://swagger.io/specification/#schema-object - 40e1d1bf-11a9-4f63-a3a2-a8b84c602839: - categories: - - ALL - - boost-baseline - description: 'API Keys should not be transported over network ' - group: cloud-insecure-iam - name: 40e1d1bf-11a9-4f63-a3a2-a8b84c602839 - pretty_name: API Key Exposed In Global Security Scheme - recommended: true - ref: https://swagger.io/specification/#security-scheme-object - 4190dda7-af03-4cf0-a128-70ac1661ca09: - categories: - - ALL - - boost-baseline - description: 'Property ''allowReserved'' of the encoding object should be defined - when the media type of the request body is ''application/x-www-form-urlencoded''. - If not, it will be ignored. ' - group: top10-insecure-design - name: 4190dda7-af03-4cf0-a128-70ac1661ca09 - pretty_name: Property 'allowReserved' of Encoding Object Ignored - recommended: true - ref: https://swagger.io/specification/#encoding-object - 41a38329-d81b-4be4-aef4-55b2615d3282: - categories: - - ALL - - boost-baseline - description: 'RAM account password security should require at least one symbol ' - group: cloud-weak-secrets-management - name: 41a38329-d81b-4be4-aef4-55b2615d3282 - pretty_name: RAM Account Password Policy Not Required Symbols - recommended: true - ref: https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/ram_account_password_policy#require_symbols - 41abc6cc-dde1-4217-83d3-fb5f0cc09d8f: - categories: - - ALL - - boost-baseline - description: 'Redshift should not use the default port (5439) because an attacker - can easily guess the port ' - group: cloud-resources-public-access - name: 41abc6cc-dde1-4217-83d3-fb5f0cc09d8f - pretty_name: Redshift Using Default Port - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/redshift_cluster#port - 
41c195f4-fc31-4a5c-8a1b-90605538d49f: - categories: - - ALL - - boost-baseline - description: 'There can only be one CMD instruction in a Dockerfile. If you list - more than one CMD then only the last CMD will take effect ' - group: supply-chain-cicd-weak-configuration - name: 41c195f4-fc31-4a5c-8a1b-90605538d49f - pretty_name: Multiple CMD Instructions Listed - recommended: true - ref: https://docs.docker.com/engine/reference/builder/#cmd - 420e6360-47bb-46f6-9072-b20ed22c842d: - categories: - - ALL - - boost-baseline - description: 'StatefulSets should have an existing headless ''serviceName''. The - headless service labels should also be implemented on StatefulSets labels. ' - group: top10-insecure-design - name: 420e6360-47bb-46f6-9072-b20ed22c842d - pretty_name: StatefulSet Without Service Name - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/stateful_set#selector - 4216ebac-d74c-4423-b437-35025cb88af5: - categories: - - ALL - - boost-baseline - description: 'Network Interfaces IP Forwarding should be disabled ' - group: cloud-resources-public-access - name: 4216ebac-d74c-4423-b437-35025cb88af5 - pretty_name: Network Interfaces IP Forwarding Enabled - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_interface#enable_ip_forwarding - 429b2106-ba37-43ba-9727-7f699cc611e1: - categories: - - ALL - - boost-baseline - description: 'All properties defined in OpenAPI objects should be known ' - group: top10-insecure-design - name: 429b2106-ba37-43ba-9727-7f699cc611e1 - pretty_name: Unknown Property (v2) - recommended: true - ref: https://swagger.io/specification/v2/ - 42bb6b7f-6d54-4428-b707-666f669d94fb: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Checks if any static websites are hosted on buckets. Even static - websites can be a liability when poorly configured. 
' - group: cloud-weak-configuration - name: 42bb6b7f-6d54-4428-b707-666f669d94fb - pretty_name: S3 Static Website Host Enabled - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#website - 42e7dca3-8cce-4325-8df0-108888259136: - categories: - - ALL - description: 'A list of SNS resources specified. Amazon Simple Notification Service - (Amazon SNS) is a fully managed messaging service for both application-to-application - (A2A) and application-to-person (A2P) communication. ' - group: supply-chain-missing-artifact-integrity-verification - name: 42e7dca3-8cce-4325-8df0-108888259136 - pretty_name: BOM - AWS SNS - ref: https://kics.io/ - 42f4b905-3736-4213-bfe9-c0660518cda8: - categories: - - ALL - - boost-baseline - description: 'Amazon EKS public endpoint shoud be set to false ' - group: cloud-weak-configuration - name: 42f4b905-3736-4213-bfe9-c0660518cda8 - pretty_name: EKS Cluster Has Public Access - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_cluster - 43356255-495d-4148-ad8d-f6af5eac09dd: - categories: - - ALL - - boost-baseline - description: 'AWS GameLift Fleet EC2InboundPermissions should have a single port ' - group: cloud-resources-public-access - name: 43356255-495d-4148-ad8d-f6af5eac09dd - pretty_name: GameLift Fleet EC2 InboundPermissions With Port Range - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-gamelift-fleet.html - 434945e5-4dfd-41b1-aba1-47075ccd9265: - categories: - - ALL - - boost-baseline - description: 'Serverless API Gateway should have X-Ray Tracing enabled ' - group: top10-security-logging-monitoring-failures - name: 434945e5-4dfd-41b1-aba1-47075ccd9265 - pretty_name: Serverless API X-Ray Tracing Disabled - recommended: true - ref: https://www.serverless.com/framework/docs/providers/aws/events/apigateway#aws-x-ray-tracing - 43789711-161b-4708-b5bb-9d1c626f7492: - 
categories: - - ALL - - boost-baseline - description: 'Azure Container Service (AKS) should use Azure Policies Add-On ' - group: top10-insecure-design - name: 43789711-161b-4708-b5bb-9d1c626f7492 - pretty_name: AKS Uses Azure Policies Add-On Disabled - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/kubernetes_cluster#azure_policy - 43a41523-386a-4cb1-becb-42af6b414433: - categories: - - ALL - - boost-baseline - description: 'User with privilege escalation by actions ''iam:SetDefaultPolicyVersion'' - and Resource set to ''*''. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. ' - group: cloud-insecure-iam - name: 43a41523-386a-4cb1-becb-42af6b414433 - pretty_name: User With Privilege Escalation By Actions 'iam:SetDefaultPolicyVersion' - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy#policy - 43f6e60c-9cdb-4e77-864d-a66595d26518: - categories: - - ALL - - boost-baseline - description: 'Storage Logging should be enabled for read, write and delete methods ' - group: top10-security-logging-monitoring-failures - name: 43f6e60c-9cdb-4e77-864d-a66595d26518 - pretty_name: Storage Logging For Read Write And Delete Requests Disabled - recommended: true - ref: https://docs.microsoft.com/pt-pt/azure/azure-monitor/essentials/resource-manager-diagnostic-settings#diagnostic-setting-for-azure-storage - 44034eda-1c3f-486a-831d-e09a7dd94354: - categories: - - ALL - - boost-baseline - description: 'KmsKeyId attribute should be defined ' - group: top10-crypto-failures - name: 44034eda-1c3f-486a-831d-e09a7dd94354 - pretty_name: SageMaker EndPoint Config Should Specify KmsKeyId Attribute - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-sagemaker-endpointconfig.html - 443488f5-c734-460b-a36d-5b3f330174dc: - categories: - - ALL - - boost-baseline - - 
boost-hardened - description: 'User Data should not contain a base64 encoded private key. If so, - anyone can decode the private key easily ' - group: top10-crypto-failures - name: 443488f5-c734-460b-a36d-5b3f330174dc - pretty_name: User Data Contains Encoded Private Key - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/launch_configuration#user_data_base64 - 445020f6-b69e-4484-847f-02d4b7768902: - categories: - - ALL - - boost-baseline - description: 'IAM password should have at least one uppercase letter ' - group: top10-insecure-design - name: 445020f6-b69e-4484-847f-02d4b7768902 - pretty_name: IAM Password Without Uppercase Letter - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/quickref-iam.html#scenario-iam-user - 445dce51-7e53-4e50-80ef-7f94f14169e4: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Route53 Record should have a list of records ' - group: cloud-resources-public-access - name: 445dce51-7e53-4e50-80ef-7f94f14169e4 - pretty_name: Route53 Record Undefined - recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/community/aws/route53_module.html#parameter-value - 448db771-06ea-4dee-b48c-1689cbfb4b43: - categories: - - ALL - - boost-baseline - description: Examples values and fields should be compliant with the schema type - group: top10-insecure-design - name: 448db771-06ea-4dee-b48c-1689cbfb4b43 - pretty_name: Example Not Compliant With Schema Type (v2) - recommended: true - ref: https://swagger.io/specification/v2/#example-object - 4495bc5d-4d1e-4a26-ae92-152d18195648: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Serverless Function should encrypt environment variables ' - group: top10-crypto-failures - name: 4495bc5d-4d1e-4a26-ae92-152d18195648 - pretty_name: Serverless Function Environment Variables Not Encrypted - recommended: true - ref: 
https://www.serverless.com/framework/docs/providers/aws/guide/functions#kms-keys - 44ceb4fa-0897-4fd2-b676-30e7a58f2933: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Ensure a log metric filter and alarm exist for management console - sign-in without MFA ' - group: top10-security-logging-monitoring-failures - name: 44ceb4fa-0897-4fd2-b676-30e7a58f2933 - pretty_name: CloudWatch Console Sign-in Without MFA Alarm Missing - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_metric_filter#pattern - 44d434ca-a9bf-4203-8828-4c81a8d5a598: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'tde_status parameter should be Enabled for supported RDS instances ' - group: top10-crypto-failures - name: 44d434ca-a9bf-4203-8828-4c81a8d5a598 - pretty_name: RDS Instance TDE Status Disabled - recommended: true - ref: https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/db_instance#tde_status - 451d79dc-0588-476a-ad03-3c7f0320abb3: - categories: - - ALL - - boost-baseline - description: 'Incoming container traffic should be bound to a specific host interface ' - group: cloud-resources-public-access - name: 451d79dc-0588-476a-ad03-3c7f0320abb3 - pretty_name: Container Traffic Not Bound To Host Interface - recommended: true - ref: https://docs.docker.com/compose/compose-file/compose-file-v3/#ports - 4552b71f-0a2a-4bc4-92dd-ed7ec1b4674c: - categories: - - ALL - - boost-baseline - description: 'Server Access Logging should be enabled on S3 Buckets so that all - changes are logged and trackable ' - group: top10-security-logging-monitoring-failures - name: 4552b71f-0a2a-4bc4-92dd-ed7ec1b4674c - pretty_name: S3 Bucket Logging Disabled - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket.html#cfn-s3-bucket-loggingconfig - 455f2e0c-686d-4fcb-8b5f-3f953f12c43c: - categories: - - ALL - - 
boost-baseline - description: 'Containers should be configured with a secure Seccomp profile to - restrict potentially dangerous syscalls ' - group: cloud-weak-configuration - name: 455f2e0c-686d-4fcb-8b5f-3f953f12c43c - pretty_name: Seccomp Profile Is Not Configured - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#annotations - 456b00a3-1072-4149-9740-6b8bb60251b0: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'S3 Buckets must not allow Restore Actions From All Principals, as - to prevent leaking private information to the entire internet or allow unauthorized - data tampering / deletion. This means the ''Effect'' must not be ''Allow'' when - the ''Action'' is Restore, for all Principals. ' - group: cloud-insecure-iam - name: 456b00a3-1072-4149-9740-6b8bb60251b0 - pretty_name: S3 Bucket Allows Restore Actions From All Principals - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket.html - 45cff7b6-3b80-40c1-ba7b-2cf480678bb8: - categories: - - ALL - - boost-baseline - description: 'Neptune logging should be enabled ' - group: top10-security-logging-monitoring-failures - name: 45cff7b6-3b80-40c1-ba7b-2cf480678bb8 - pretty_name: Neptune Logging Is Disabled - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/neptune_cluster#enable_cloudwatch_logs_exports - 45e1fca5-f90e-465d-825f-c2cb63fa3944: - categories: - - ALL - - boost-baseline - description: 'Omitting the non-interactive switch causes the command to fail during - the build process, because zypper would expect manual input ' - group: supply-chain-scm-weak-configuration - name: 45e1fca5-f90e-465d-825f-c2cb63fa3944 - pretty_name: Missing Zypper Non-interactive Switch - recommended: true - ref: https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#run - 45fc717a-bd86-415c-bdd8-677901be1aa6: - 
categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Ensure Function App is using the latest version of TLS encryption ' - group: top10-crypto-failures - name: 45fc717a-bd86-415c-bdd8-677901be1aa6 - pretty_name: Function App Not Using Latest TLS Encryption Version - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/function_app#min_tls_version - 461ed7e4-f8d5-4bc1-b3c6-64ddb4fd00a3: - categories: - - ALL - - boost-baseline - description: 'Check if Deployment resources don''t have a podAntiAffinity policy, - which prevents multiple pods from being scheduled on the same node. ' - group: cloud-insecure-iam - name: 461ed7e4-f8d5-4bc1-b3c6-64ddb4fd00a3 - pretty_name: Deployment Has No PodAntiAffinity - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/deployment#affinity - 462d6a1d-fed9-4d75-bb9e-3de902f35e6e: - categories: - - ALL - - boost-baseline - description: 'Using an scope on security of operations that is undefined on ''securityScheme'' - can be defined by an attacker ' - group: cloud-insecure-iam - name: 462d6a1d-fed9-4d75-bb9e-3de902f35e6e - pretty_name: Undefined Scope 'securityScheme' On 'security' Field On Operations - recommended: true - ref: https://swagger.io/specification/#oauth-flow-object - 46883ce1-dc3e-4b17-9195-c6a601624c73: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Check if default security group does not restrict all inbound and - outbound traffic. 
' - group: cloud-resources-public-access - name: 46883ce1-dc3e-4b17-9195-c6a601624c73 - pretty_name: Default Security Groups With Unrestricted Traffic - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/default_security_group - 46a2e9ec-6a5f-4faa-9d39-4ea44d5d87a2: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'When using kube-controller-manager or kube-scheduler commands, the - ''--bind-address'' should not be set to 127.0.0.1 ' - group: cloud-resources-public-access - name: 46a2e9ec-6a5f-4faa-9d39-4ea44d5d87a2 - pretty_name: Bind Address Not Properly Set - recommended: true - ref: https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/ - 46d3b74d-9fe9-45bf-9e9e-efb7f701ee28: - categories: - - ALL - - boost-baseline - description: Global External Documentation URL should be a valid URL - group: top10-insecure-design - name: 46d3b74d-9fe9-45bf-9e9e-efb7f701ee28 - pretty_name: Invalid Global External Documentation URL (v2) - recommended: true - ref: https://swagger.io/specification/v2/#externalDocumentationObject - 46facedc-f243-4108-ab33-583b807d50b0: - categories: - - ALL - - boost-baseline - description: 'A Parameter Object must contain either a ''schema'' property, or - a ''content'' property ' - group: top10-insecure-design - name: 46facedc-f243-4108-ab33-583b807d50b0 - pretty_name: Parameter Object With Undefined Type - recommended: true - ref: https://swagger.io/specification/#parameter-object - 4728cd65-a20c-49da-8b31-9c08b423e4db: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Security groups allow ingress from 0.0.0.0:0 and/or ::/0 ' - group: cloud-resources-public-access - name: 4728cd65-a20c-49da-8b31-9c08b423e4db - pretty_name: Unrestricted Security Group Ingress - recommended: true - ref: https://www.terraform.io/docs/providers/aws/r/security_group.html - 4766d3ea-241c-4ee6-93ff-c380c996bd1a: - categories: - - ALL - - 
boost-baseline - - boost-hardened - description: 'AWS DOCDB Cluster should be encrypted with a KMS encryption key ' - group: top10-crypto-failures - name: 4766d3ea-241c-4ee6-93ff-c380c996bd1a - pretty_name: DOCDB Cluster Without KMS - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/docdb_cluster#kms_key_id - 48207659-729f-4b5c-9402-f884257d794f: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Elastic File System (EFS) must be encrypted ' - group: top10-crypto-failures - name: 48207659-729f-4b5c-9402-f884257d794f - pretty_name: EFS Not Encrypted - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/efs_file_system#encrypted - 482b7d26-0bdb-4b5f-bf6f-545826c0a3dd: - categories: - - ALL - - boost-baseline - description: 'Check if SNS topic name is set for CloudTrail ' - group: top10-security-logging-monitoring-failures - name: 482b7d26-0bdb-4b5f-bf6f-545826c0a3dd - pretty_name: CloudTrail SNS Topic Name Undefined - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudtrail - 48388bd2-7201-4dcc-b56d-e8a9efa58fad: - categories: - - ALL - - boost-baseline - description: 'PodSecurityPolicy should not have added capabilities ' - group: cloud-weak-configuration - name: 48388bd2-7201-4dcc-b56d-e8a9efa58fad - pretty_name: PSP With Added Capabilities - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod_security_policy#allowed_capabilities - 48471392-d4d0-47c0-b135-cdec95eb3eef: - categories: - - ALL - - boost-baseline - description: 'Service Account Tokens are automatically mounted even if not necessary ' - group: cloud-weak-configuration - name: 48471392-d4d0-47c0-b135-cdec95eb3eef - pretty_name: Service Account Token Automount Not Disabled - recommended: true - ref: 
https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#use-the-default-service-account-to-access-the-api-server - 4849211b-ac39-479e-ae78-5694d506cb24: - categories: - - ALL - - boost-baseline - description: 'Security group must be used or not declared ' - group: cloud-insecure-iam - name: 4849211b-ac39-479e-ae78-5694d506cb24 - pretty_name: Security Group Not Used - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group - 48677914-6fdf-40ec-80c4-2b0e94079f54: - categories: - - ALL - - boost-baseline - description: 'Any IAM User should not have more than one access key since it increases - the risk of unauthorized access and compromise credentials ' - group: cloud-weak-configuration - name: 48677914-6fdf-40ec-80c4-2b0e94079f54 - pretty_name: IAM User Has Too Many Access Keys - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-accesskey.html - 488847ff-6031-487c-bf42-98fd6ac5c9a0: - categories: - - ALL - - boost-baseline - - boost-hardened - description: '''Microsoft.Web/sites'' should force the use of HTTPS ' - group: cloud-weak-configuration - name: 488847ff-6031-487c-bf42-98fd6ac5c9a0 - pretty_name: Website Not Forcing HTTPS - recommended: true - ref: https://docs.microsoft.com/en-us/azure/templates/microsoft.web/sites?tabs=json#siteproperties-object - 48a5beba-e4c0-4584-a2aa-e6894e4cf424: - categories: - - ALL - - boost-baseline - description: 'Each namespace should have a ResourceQuota policy associated to - limit the total amount of resources Pods, Containers and PersistentVolumeClaims - can consume ' - group: cloud-weak-configuration - name: 48a5beba-e4c0-4584-a2aa-e6894e4cf424 - pretty_name: Pod or Container Without ResourceQuota - recommended: true - ref: https://kubernetes.io/docs/concepts/policy/resource-quotas/ - 48af92a5-c89b-4936-bc62-1086fe2bab23: - categories: - - ALL - - boost-baseline - description: 'EMR 
Cluster should have security configuration defined. ' - group: cloud-weak-configuration - name: 48af92a5-c89b-4936-bc62-1086fe2bab23 - pretty_name: EMR Cluster Without Security Configuration - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-elasticmapreduce-cluster.html#cfn-elasticmapreduce-cluster-securityconfiguration - 48bbe0fd-57e4-4678-a4a1-119e79c90fc3: - categories: - - ALL - - boost-baseline - description: 'Azure Storage Share File should not allow all ACL (Access Control - List) permissions - r (read), w (write), d (delete), and l (list). ' - group: cloud-insecure-iam - name: 48bbe0fd-57e4-4678-a4a1-119e79c90fc3 - pretty_name: Storage Share File Allows All ACL Permissions - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_share_file - 48c3bc58-6959-4f27-b647-4fedeace23be: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'User Data Shell Script must be encoded ' - group: top10-crypto-failures - name: 48c3bc58-6959-4f27-b647-4fedeace23be - pretty_name: User Data Shell Script Is Encoded - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-launchtemplate-launchtemplatedata.html#cfn-ec2-launchtemplate-launchtemplatedata-userdata - 48c61fbd-09c9-46cc-a521-012e0c325412: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Kubernetes Clusters must be created with Private Clusters enabled, - meaning the ''privateClusterConfig'' must be defined and the attributes ''enablePrivateEndpoint'' - and ''enablePrivateNodes'' must be true. 
' - group: cloud-weak-configuration - name: 48c61fbd-09c9-46cc-a521-012e0c325412 - pretty_name: Private Cluster Disabled - recommended: true - ref: https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1/projects.zones.clusters - 48e9e1fe-cf79-45b5-93e6-8b55ae5dadfd: - categories: - - ALL - - boost-baseline - description: 'Operation Object should have at least one successful HTTP status - code defined ' - group: top10-insecure-design - name: 48e9e1fe-cf79-45b5-93e6-8b55ae5dadfd - pretty_name: Operation Without Successful HTTP Status Code (v3) - recommended: true - ref: https://swagger.io/specification/#operation-object - 48f100d9-f499-4c6d-b2b8-deafe47ffb26: - categories: - - ALL - - boost-baseline - description: 'S3 bucket allows public ACL ' - group: cloud-insecure-iam - name: 48f100d9-f499-4c6d-b2b8-deafe47ffb26 - pretty_name: S3 Bucket Allows Public ACL - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket-publicaccessblockconfiguration.html - 48f7e44d-d1d1-44c2-b336-9f11b65c4fb0: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Cloud storage bucket should have logging enabled ' - group: top10-security-logging-monitoring-failures - name: 48f7e44d-d1d1-44c2-b336-9f11b65c4fb0 - pretty_name: Cloud Storage Bucket Logging Not Enabled - recommended: true - ref: https://www.pulumi.com/registry/packages/gcp/api-docs/storage/bucket/#logging_yaml - 49113af4-29ca-458e-b8d4-724c01a4a24f: - categories: - - ALL - - boost-baseline - description: 'When using kube-controller-manager commands, the ''--terminated-pod-gc-threshold'' - should be set between 0 and 12501 ' - group: top10-insecure-design - name: 49113af4-29ca-458e-b8d4-724c01a4a24f - pretty_name: Terminated Pod Garbage Collector Threshold Not Properly Set - recommended: true - ref: https://kubernetes.io/docs/reference/command-line-tools-reference/kube-controller-manager/ - 492c6cbb-f3f8-4807-aa4f-42b8b1c46b59: - 
categories: - - ALL - - boost-baseline - description: Schema/Parameter/Header Object define type should not use a keyword - of another type - group: top10-insecure-design - name: 492c6cbb-f3f8-4807-aa4f-42b8b1c46b59 - pretty_name: Type Has Invalid Keyword (v2) - recommended: true - ref: https://swagger.io/specification/v2/#schemaObject - 493d9591-6249-47bf-8dc0-5c10161cc558: - categories: - - ALL - - boost-baseline - description: 'Security Groups must have a VPC. ' - group: cloud-resources-public-access - name: 493d9591-6249-47bf-8dc0-5c10161cc558 - pretty_name: Security Groups Without VPC Attached - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-security-group.html - 494b03d3-bf40-4464-8524-7c56ad0700ed: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'The EC2 instance has a sensitive port connection exposed to the - entire network ' - group: cloud-resources-public-access - name: 494b03d3-bf40-4464-8524-7c56ad0700ed - pretty_name: EC2 Sensitive Port Is Publicly Exposed - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-security-group.html - 4950837c-0ce5-4e42-9bee-a25eae73740b: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Check if Pod Security Policies allow containers to share the host - network namespace. ' - group: cloud-weak-configuration - name: 4950837c-0ce5-4e42-9bee-a25eae73740b - pretty_name: PSP Allows Containers To Share The Host Network Namespace - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod_security_policy#host_network - 49e30ac8-f58e-4222-b488-3dcb90158ec1: - categories: - - ALL - - boost-baseline - description: 'Redis Cache resource should not allow non-SSL connections. 
' - group: top10-crypto-failures - name: 49e30ac8-f58e-4222-b488-3dcb90158ec1 - pretty_name: Redis Cache Allows Non SSL Connections - recommended: true - ref: https://www.pulumi.com/registry/packages/azure-native/api-docs/cache/redis/#enablenonsslport_yaml - 4a1e6b34-1008-4e61-a5f2-1f7c276f8d14: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'AWS Security Group Ingress CIDR should not be open to the world ' - group: cloud-resources-public-access - name: 4a1e6b34-1008-4e61-a5f2-1f7c276f8d14 - pretty_name: Unrestricted Security Group Ingress - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-security-group-ingress.html - 4a1f3d75-ab73-41b2-83e7-06a93dc3a75a: - categories: - - ALL - - boost-baseline - description: 'There is a ''securityScheme'' using implicit flow on OAuth2, which - is deprecated ' - group: cloud-insecure-iam - name: 4a1f3d75-ab73-41b2-83e7-06a93dc3a75a - pretty_name: Implicit Flow in OAuth2 (v3) - recommended: true - ref: https://swagger.io/specification/#oauth-flow-object - 4a20ebac-1060-4c81-95d1-1f7f620e983b: - categories: - - ALL - - boost-baseline - description: 'Each namespace should have a LimitRange policy associated to ensure - that resource allocations of Pods, Containers and PersistentVolumeClaims do - not exceed the defined boundaries ' - group: cloud-weak-configuration - name: 4a20ebac-1060-4c81-95d1-1f7f620e983b - pretty_name: Pod or Container Without LimitRange - recommended: true - ref: https://kubernetes.io/docs/concepts/policy/limit-range/ - 4a800e14-c94a-442d-9067-5a2e9f6c0a4c: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'ELB Predefined or Custom Security Policies must not use weak ciphers, - to reduce the risk of the SSL connection between the client and the load balancer - being exploited. That means the ''name'' of ''policy_attributes'' must not coincide - with any of a predefined list of weak ciphers. 
' - group: top10-crypto-failures - name: 4a800e14-c94a-442d-9067-5a2e9f6c0a4c - pretty_name: ELB Using Weak Ciphers - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/load_balancer_policy - 4a8daf95-709d-4a36-9132-d3e19878fa34: - categories: - - ALL - - boost-baseline - description: 'The API Endpoint type in API Gateway should be set to PRIVATE so - it''s not exposed to the public internet ' - group: cloud-resources-public-access - name: 4a8daf95-709d-4a36-9132-d3e19878fa34 - pretty_name: API Gateway Endpoint Config is Not Private - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-apigateway-restapi-endpointconfiguration.html#cfn-apigateway-restapi-endpointconfiguration-types - 4a8fc9a2-2b2f-4b3f-aa8d-401425872034: - categories: - - ALL - - boost-baseline - description: 'Checks if an SQS Queue policy has an Allow and a NotPrincipal. AWS - strongly recommends against using NotPrincipal in the same policy statement - as Effect: Allow. 
' - group: cloud-insecure-iam - name: 4a8fc9a2-2b2f-4b3f-aa8d-401425872034 - pretty_name: SQS Queue Policy Allows NotPrincipal - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-sqs-policy.html - 4a9e0f00-0765-4f72-a0d4-d31110b78279: - categories: - - ALL - - boost-baseline - description: 'Public Network Access should be disabled for Azure Cognitive Search ' - group: cloud-resources-public-access - name: 4a9e0f00-0765-4f72-a0d4-d31110b78279 - pretty_name: Azure Cognitive Search Public Network Access Enabled - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/search_service#public_network_access_enabled - 4ab10c48-bedb-4deb-8f3b-ff12783b61de: - categories: - - ALL - - boost-baseline - description: 'API Gateway should have X-Ray Tracing enabled ' - group: top10-security-logging-monitoring-failures - name: 4ab10c48-bedb-4deb-8f3b-ff12783b61de - pretty_name: API Gateway X-Ray Disabled - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigateway-stage.html#cfn-apigateway-stage-tracingenabled - 4ac0e2b7-d2d2-4af7-8799-e8de6721ccda: - categories: - - ALL - - boost-baseline - description: 'CPU limits should be set because if the system has CPU time free, - a container is guaranteed to be allocated as much CPU as it requests ' - group: cloud-insecure-iam - name: 4ac0e2b7-d2d2-4af7-8799-e8de6721ccda - pretty_name: CPU Limits Not Set - recommended: true - ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - 4ae8af91-5108-42cb-9471-3bdbe596eac9: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'S3 Buckets should not have all permissions, as to prevent leaking - private information to the entire internet or allow unauthorized data tampering - / deletion. This means the ''Effect'' must not be ''Allow'' when the ''Action'' - is ''*'', for all Principals. 
' - group: cloud-insecure-iam - name: 4ae8af91-5108-42cb-9471-3bdbe596eac9 - pretty_name: S3 Bucket With All Permissions - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket.html - 4b410d24-1cbe-4430-a632-62c9a931cf1c: - categories: - - ALL - - boost-baseline - description: 'Use of Curl or Wget should be done instead of Add to fetch packages - from remote URLs due to the use of Add being strongly discouraged ' - group: top10-insecure-design - name: 4b410d24-1cbe-4430-a632-62c9a931cf1c - pretty_name: Curl or Wget Instead of Add - recommended: true - ref: https://docs.docker.com/develop/develop-images/dockerfile_best-practices/ - 4b6012e7-7176-46e4-8108-e441785eae57: - categories: - - ALL - - boost-baseline - description: 'EBS volumes should be encrypted ' - group: top10-crypto-failures - name: 4b6012e7-7176-46e4-8108-e441785eae57 - pretty_name: EBS Volume Encryption Disabled - recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/amazon/aws/ec2_vol_module.html#parameter-encrypted - 4b82202a-b18e-4891-a1eb-a0989850bbb3: - categories: - - ALL - description: 'A list of Pub/Sub Topic resources found. Cloud Pub/Sub is designed - to provide reliable, many-to-many, asynchronous messaging between applications. - Publisher applications can send messages to a ''topic'' and other applications - can subscribe to that topic to receive the messages. 
' - group: supply-chain-missing-artifact-integrity-verification - name: 4b82202a-b18e-4891-a1eb-a0989850bbb3 - pretty_name: BOM - GCP PST - ref: https://kics.io/ - 4ba74f01-aba5-4be2-83bc-be79ff1a3b92: - categories: - - ALL - - boost-baseline - description: 'AWS Serverless Function should not share IAM Role to ensure it will - have the minimum privileges needed to perform the required tasks ' - group: cloud-weak-configuration - name: 4ba74f01-aba5-4be2-83bc-be79ff1a3b92 - pretty_name: Serverless Function Without Unique IAM Role - recommended: true - ref: https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-resource-function.html#sam-function-role - 4bb06fa1-2114-4a00-b7b5-6aeab8b896f0: - categories: - - ALL - - boost-baseline - description: 'The retain_stacks should be enabled to keep the Stack upon deleting - the stack instance from the stack group ' - group: top10-software-data-integrity-failures - name: 4bb06fa1-2114-4a00-b7b5-6aeab8b896f0 - pretty_name: ROS Stack Retention Disabled - recommended: true - ref: https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/ros_stack_instance#retain_stacks - 4bb76f17-3d63-4529-bdca-2b454529d774: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Checks if logging is enabled for CloudTrail. 
' - group: top10-security-logging-monitoring-failures - name: 4bb76f17-3d63-4529-bdca-2b454529d774 - pretty_name: CloudTrail Logging Disabled - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudtrail#enable_logging - 4bc4dd4c-7d8d-405e-a0fb-57fa4c31b4d9: - categories: - - ALL - - boost-baseline - description: 'S3 Bucket policy should not accept HTTP Requests ' - group: top10-crypto-failures - name: 4bc4dd4c-7d8d-405e-a0fb-57fa4c31b4d9 - pretty_name: S3 Bucket Policy Accepts HTTP Requests - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy#policy - 4bcbcd52-3028-469f-bc14-02c7dbba2df2: - categories: - - ALL - - boost-baseline - description: 'Property ''allowEmptyValue'' should be only defined for query parameters - and formData parameters ' - group: top10-insecure-design - name: 4bcbcd52-3028-469f-bc14-02c7dbba2df2 - pretty_name: Property 'allowEmptyValue' Improperly Defined (v3) - recommended: true - ref: https://swagger.io/specification/#parameter-object - 4bd15dd9-8d5e-4008-8532-27eb0c3706d3: - categories: - - ALL - - boost-baseline - description: 'ElastiCache should have Redis enabled, since it covers Compliance - Certifications such as FedRAMP, HIPAA, and PCI DSS. 
For more information, take - a look at ''https://docs.aws.amazon.com/AmazonElastiCache/latest/mem-ug/SelectEngine.html'' ' - group: top10-crypto-failures - name: 4bd15dd9-8d5e-4008-8532-27eb0c3706d3 - pretty_name: Redis Disabled - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/elasticache_cluster#engine - 4bd21e68-38c1-4d58-acdc-6a14b203237f: - categories: - - ALL - - boost-baseline - description: 'AWS DynamoDB Tables should have server-side encryption ' - group: top10-crypto-failures - name: 4bd21e68-38c1-4d58-acdc-6a14b203237f - pretty_name: DynamoDB Table Not Encrypted - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-dynamodb-table-ssespecification.html - 4beaf898-9f8b-4237-89e2-5ffdc7ee6006: - categories: - - ALL - - boost-baseline - description: 'Ensure a log metric filter and alarm exist for security group changes ' - group: top10-security-logging-monitoring-failures - name: 4beaf898-9f8b-4237-89e2-5ffdc7ee6006 - pretty_name: Cloudwatch Security Group Changes Alarm Missing - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_metric_filter#pattern - 4c137350-7307-4803-8c04-17c09a7a9fcf: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'The AWS Root Account must not have active access keys associated, - which means if there are access keys associated to the Root Account, they must - be inactive. 
' - group: cloud-weak-configuration - name: 4c137350-7307-4803-8c04-17c09a7a9fcf - pretty_name: Root Account Has Active Access Keys - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-accesskey.html - 4c18a45b-4ab1-4790-9f83-399ac695f1e5: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Ensure a log metric filter and alarm exist for unauthorized API - calls ' - group: top10-security-logging-monitoring-failures - name: 4c18a45b-4ab1-4790-9f83-399ac695f1e5 - pretty_name: CloudWatch Unauthorized Access Alarm Missing - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_metric_filter#pattern - 4c415497-7410-4559-90e8-f2c8ac64ee38: - categories: - - ALL - - boost-baseline - description: 'Containers must not be allowed to run with root privileges, which - means the attributes ''privileged'' and ''allow_privilege_escalation'' must - be set to false, ''run_as_user.rule'' must be set to ''MustRunAsNonRoot'', and - adding the root group must be forbidden ' - group: top10-insecure-design - name: 4c415497-7410-4559-90e8-f2c8ac64ee38 - pretty_name: Root Containers Admitted - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod_security_policy#run_as_user - 4c7ebcb2-eae2-461e-bc83-456ee2d4f694: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Kubernetes Engine Clusters must have Stackdriver Logging enabled, - which means the attribute ''logging_service'' must either be undefined or set - to ''logging.googleapis.com/kubernetes'' ' - group: top10-security-logging-monitoring-failures - name: 4c7ebcb2-eae2-461e-bc83-456ee2d4f694 - pretty_name: Stackdriver Logging Disabled - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_cluster#logging_service - 4cac7ace-b0fb-477d-830d-65395d9109d9: - 
categories: - - ALL - - boost-baseline - description: 'Schema Object reference must always point to ''#/components/schemas'' ' - group: top10-insecure-design - name: 4cac7ace-b0fb-477d-830d-65395d9109d9 - pretty_name: Schema Object Incorrect Ref (v3) - recommended: true - ref: https://swagger.io/specification/#schema-object - 4cd8de87-b595-48b6-ab3c-1904567135ab: - categories: - - ALL - - boost-baseline - description: 'Encoding Map Key should not define a ''Content-Type'' in the ''headers'' - field. If so, it will be ignored. ' - group: top10-insecure-design - name: 4cd8de87-b595-48b6-ab3c-1904567135ab - pretty_name: Encoding Header 'Content-Type' Improperly Defined - recommended: true - ref: https://swagger.io/specification/#media-type-object - 4cdc88e6-c0c8-4081-a639-bb3a557cbedf: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Amazon Elasticsearch does not have encryption for its domains enabled. - To prevent such a scenario, update the attribute ''EnforceHTTPS'' to true. 
' - group: cloud-resources-public-access - name: 4cdc88e6-c0c8-4081-a639-bb3a557cbedf - pretty_name: Elasticsearch with HTTPS disabled - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-elasticsearch-domain-domainendpointoptions.html - 4d080822-5ee2-49a4-8984-68f3d4c890fc: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Make sure that for all keys the expiration date is set ' - group: cloud-weak-secrets-management - name: 4d080822-5ee2-49a4-8984-68f3d4c890fc - pretty_name: Key Expiration Not Set - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_key - 4d2cf896-c053-4be5-9c95-8b4771112f29: - categories: - - ALL - - boost-baseline - description: 'Secure parameters should not have hardcoded default value ' - group: cloud-weak-secrets-management - name: 4d2cf896-c053-4be5-9c95-8b4771112f29 - pretty_name: Hardcoded SecureString Parameter Default Value - recommended: true - ref: https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/template-test-cases#secure-parameters-cant-have-hardcoded-default - 4d32780f-43a4-424a-a06d-943c543576a5: - categories: - - ALL - - boost-baseline - description: 'IoT Policy should not allow Action to be set as * ' - group: cloud-insecure-iam - name: 4d32780f-43a4-424a-a06d-943c543576a5 - pretty_name: IoT Policy Allows Action as Wildcard - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iot-policy.html - 4d3817db-dd35-4de4-a80d-3867157e7f7f: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Anonymous, public read access to a container and its blobs are enabled - in Azure Blob Storage ' - group: cloud-insecure-iam - name: 4d3817db-dd35-4de4-a80d-3867157e7f7f - pretty_name: Storage Container Is Publicly Accessible - recommended: true - ref: 
https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_storageblob_module.html#parameter-public_access - 4d424558-c6d1-453c-be98-9a7f877abd9a: - categories: - - ALL - - boost-baseline - description: 'Serverless should have endpointType set to ''PRIVATE''. This way, - it''s not exposed to the public internet ' - group: cloud-resources-public-access - name: 4d424558-c6d1-453c-be98-9a7f877abd9a - pretty_name: Serverless API Endpoint Config Not Private - recommended: true - ref: https://www.serverless.com/framework/docs/providers/aws/events/apigateway#configuring-endpoint-types - 4d46ff3b-7160-41d1-a310-71d6d370b08f: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Amazon ECS Task Definition does not have encryption for data at - transit enabled. To prevent such a scenario, enable the attribute ''transit_encryption'' ' - group: top10-crypto-failures - name: 4d46ff3b-7160-41d1-a310-71d6d370b08f - pretty_name: ECS Task Definition Volume Not Encrypted - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecs_task_definition#transit_encryption - 4d522e7b-f938-4d51-a3b1-974ada528bd3: - categories: - - ALL - - boost-baseline - description: 'Log Profile Categories should be set to ''Write'', ''Delete'', and/or - ''Action'' ' - group: top10-security-logging-monitoring-failures - name: 4d522e7b-f938-4d51-a3b1-974ada528bd3 - pretty_name: Log Profile Incorrect Category - recommended: true - ref: https://docs.microsoft.com/en-us/azure/templates/microsoft.insights/2016-03-01/logprofiles?tabs=json#logprofileproperties-object - 4d7ee40f-fc5d-427d-8cac-dffbe22d42d1: - categories: - - ALL - - boost-baseline - description: 'When using kube-apiserver command, the ''authorization-mode'' flag - should have ''Node'' mode ' - group: cloud-weak-configuration - name: 4d7ee40f-fc5d-427d-8cac-dffbe22d42d1 - pretty_name: Authorization Mode Node Not Set - recommended: true - ref: 
https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/ - 4d8681a2-3d30-4c89-8070-08acd142748e: - categories: - - ALL - - boost-baseline - description: 'CloudTrail log file validation should be enabled to determine whether - a log file has not been tampered ' - group: top10-security-logging-monitoring-failures - name: 4d8681a2-3d30-4c89-8070-08acd142748e - pretty_name: CloudTrail Log File Validation Disabled - recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/community/aws/cloudtrail_module.html - 4d9f44c6-2f4a-4317-9bb5-267adbea0232: - categories: - - ALL - - boost-baseline - description: 'Control groups restrict the access processes and containers have - to system resources such as CPU, RAM, IOPS and network. Not having a cgroup - well configured may prove to be a security fault. ' - group: supply-chain-cicd-weak-configuration - name: 4d9f44c6-2f4a-4317-9bb5-267adbea0232 - pretty_name: Cgroup Not Default - recommended: true - ref: https://docs.docker.com/compose/compose-file/compose-file-v3/#cgroup_parent - 4de9de27-254e-424f-bd70-4c1e95790838: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Launch Configurations should have the data in the volumes encrypted. - To encrypt the data, the ''encrypted'' parameter should be set to true in each - volume ' - group: top10-crypto-failures - name: 4de9de27-254e-424f-bd70-4c1e95790838 - pretty_name: Launch Configuration Is Not Encrypted - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/launch_configuration#encrypted - 4e1cc5d3-2811-4fb2-861c-ee9b3cb7f90b: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'API Gateway should have a Security Policy defined and use TLS 1.2. 
' - group: cloud-weak-configuration - name: 4e1cc5d3-2811-4fb2-861c-ee9b3cb7f90b - pretty_name: API Gateway Without Security Policy - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_domain_name#security_policy - 4e203a65-c8d8-49a2-b749-b124d43c9dc1: - categories: - - ALL - - boost-baseline - description: 'Sees if Docker Daemon Socket is not exposed to Containers ' - group: cloud-insecure-iam - name: 4e203a65-c8d8-49a2-b749-b124d43c9dc1 - pretty_name: Docker Daemon Socket is Exposed to Containers - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#host_path - 4e67c0ae-38a0-47f4-a50c-f0c9b75826df: - categories: - - ALL - description: 'A list of DynamoDB resources found. Amazon DynamoDB is a fully managed, - serverless, key-value NoSQL database designed to run high-performance applications - at any scale. ' - group: supply-chain-missing-artifact-integrity-verification - name: 4e67c0ae-38a0-47f4-a50c-f0c9b75826df - pretty_name: BOM - AWS DynamoDB - ref: https://kics.io/ - 4e74cf4f-ff65-4c1a-885c-67ab608206ce: - categories: - - ALL - - boost-baseline - description: 'Verifies if Kubernetes workload''s host port is specified ' - group: cloud-resources-public-access - name: 4e74cf4f-ff65-4c1a-885c-67ab608206ce - pretty_name: Workload Host Port Not Specified - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#host_port - 4e88adee-a8eb-4605-a78d-9fb1096e3091: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'RDS should not run in public subnet ' - group: cloud-resources-public-access - name: 4e88adee-a8eb-4605-a78d-9fb1096e3091 - pretty_name: RDS Associated with Public Subnet - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-rds-database-instance.html#cfn-rds-dbinstance-dbsubnetgroupname - 
4eb5f791-c861-4afd-9f94-f2a6a3fe49cb: - categories: - - ALL - - boost-baseline - description: 'Check if any MQ Broker is not publicly accessible ' - group: cloud-weak-configuration - name: 4eb5f791-c861-4afd-9f94-f2a6a3fe49cb - pretty_name: MQ Broker Is Publicly Accessible - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/mq_broker - 4f0908b9-eb66-433f-9145-134274e1e944: - categories: - - ALL - - boost-baseline - description: 'NAT gateways are recommended, and not the default route which permits - all traffic, in Route Tables. ' - group: cloud-weak-configuration - name: 4f0908b9-eb66-433f-9145-134274e1e944 - pretty_name: RouterTable with Default Routing - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-route-table.html - 4f0b30e3-a498-4dd7-b3f2-f4b6471a8d5a: - categories: - - ALL - - boost-baseline - description: Head should define at least one success response (200 or 202) - group: cloud-resources-public-access - name: 4f0b30e3-a498-4dd7-b3f2-f4b6471a8d5a - pretty_name: Success Response Code Undefined for Head Operation (v2) - recommended: true - ref: https://swagger.io/specification/v2/#operation-object - 4f31dd9f-2cc3-4751-9b53-67e4af83dac0: - categories: - - ALL - - boost-baseline - description: 'The hosts process namespace should not be shared by containers ' - group: cloud-insecure-iam - name: 4f31dd9f-2cc3-4751-9b53-67e4af83dac0 - pretty_name: Host Namespace is Shared - recommended: true - ref: https://docs.docker.com/compose/compose-file/compose-file-v3/#pid - 4f615f3e-fb9c-4fad-8b70-2e9f781806ce: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'The IP address in a DB Security Group must not have more than 256 - hosts. 
' - group: cloud-resources-public-access - name: 4f615f3e-fb9c-4fad-8b70-2e9f781806ce - pretty_name: DB Security Group Open To Large Scope - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_security_group - 4fa66806-0dd9-4f8d-9480-3174d39c7c91: - categories: - - ALL - - boost-baseline - description: 'S3 bucket without ignore public ACL ' - group: cloud-weak-configuration - name: 4fa66806-0dd9-4f8d-9480-3174d39c7c91 - pretty_name: S3 Bucket Without Ignore Public ACL - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block - 4fbfee74-8186-40d5-a24e-4baa76a855de: - categories: - - ALL - - boost-baseline - description: 'AWS SQS Queue Policy should not allow NotAction since the actions - specified in this element are the only actions in that are limited ' - group: cloud-insecure-iam - name: 4fbfee74-8186-40d5-a24e-4baa76a855de - pretty_name: SQS Queue Policy Allows NotAction - recommended: true - ref: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_notaction.html - 500ce696-d501-41dd-86eb-eceb011a386f: - categories: - - ALL - - boost-baseline - description: 'The Schema Object should not be empty to avoid accepting any JSON - values ' - group: cloud-weak-configuration - name: 500ce696-d501-41dd-86eb-eceb011a386f - pretty_name: Schema Object is Empty (v3) - recommended: true - ref: https://swagger.io/specification/#schema-object - 507df964-ad97-4035-ab14-94a82eabdfdd: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Cloud storage bucket should have logging enabled ' - group: top10-security-logging-monitoring-failures - name: 507df964-ad97-4035-ab14-94a82eabdfdd - pretty_name: Cloud Storage Bucket Logging Not Enabled - recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_storage_bucket_module.html#parameter-logging - 
5089d055-53ff-421b-9482-a5267bdce629: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Firewall rule allowing unrestricted access to Redis from other Azure - sources ' - group: cloud-resources-public-access - name: 5089d055-53ff-421b-9482-a5267bdce629 - pretty_name: Redis Publicly Accessible - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/redis_firewall_rule - 50cb6c3b-c878-4b88-b50e-d1421bada9e8: - categories: - - ALL - - boost-baseline - description: 'Check if the Google compute firewall allows unrestricted RDP access. - Allowed ports should not contain RDP port 3389 ' - group: cloud-resources-public-access - name: 50cb6c3b-c878-4b88-b50e-d1421bada9e8 - pretty_name: RDP Access Is Not Restricted - recommended: true - ref: https://cloud.google.com/compute/docs/reference/rest/v1/firewalls - 50de3b5b-6465-4e06-a9b0-b4c2ba34326b: - categories: - - ALL - - boost-baseline - description: 'The header object should have schema defined ' - group: cloud-resources-public-access - name: 50de3b5b-6465-4e06-a9b0-b4c2ba34326b - pretty_name: Header Object Without Schema - recommended: true - ref: https://swagger.io/specification/#header-object - 510d5810-9a30-443a-817d-5c1fa527b110: - categories: - - ALL - - boost-baseline - description: 'TLS Connection should use strong Cipher Suites ' - group: top10-crypto-failures - name: 510d5810-9a30-443a-817d-5c1fa527b110 - pretty_name: Weak TLS Cipher Suites - recommended: true - ref: https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/ - 51978067-3b22-4c29-aaf3-96bf0bc28897: - categories: - - ALL - - boost-baseline - description: The header Parameter should not be named as 'Content-Type'. If so, - it will be ignored. 
- group: top10-insecure-design - name: 51978067-3b22-4c29-aaf3-96bf0bc28897 - pretty_name: Header Parameter Named as 'Content-Type' (v2) - recommended: true - ref: https://swagger.io/specification/v2/#parameterObject - 51bed0ac-a8ae-407a-895e-90c6cb0610ce: - categories: - - ALL - - boost-baseline - description: 'Pod Security Policy allows containers to share the host IPC namespace ' - group: cloud-weak-configuration - name: 51bed0ac-a8ae-407a-895e-90c6cb0610ce - pretty_name: PSP Allows Sharing Host IPC - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod_security_policy#host_ipc - 522d4a64-4dc9-44bd-9240-7d8a0d5cb5ba: - categories: - - ALL - - boost-baseline - description: 'The permission to create pods in a cluster should be restricted - because it allows privilege escalation. ' - group: cloud-insecure-iam - name: 522d4a64-4dc9-44bd-9240-7d8a0d5cb5ba - pretty_name: Permissive Access to Create Pods - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/role#rule - 525b53be-62ed-4244-b4df-41aecfcb4071: - categories: - - ALL - - boost-baseline - description: 'App Service should have ''http2_enabled'' enabled ' - group: cloud-weak-configuration - name: 525b53be-62ed-4244-b4df-41aecfcb4071 - pretty_name: App Service HTTP2 Disabled - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/app_service#http2_enabled - 52790cad-d60d-41d5-8483-146f9f21208d: - categories: - - ALL - - boost-baseline - description: 'AWS API Gateway should have cache clustering enabled ' - group: cloud-weak-configuration - name: 52790cad-d60d-41d5-8483-146f9f21208d - pretty_name: API Gateway Cache Cluster Disabled - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigateway-stage.html#cfn-apigateway-stage-cacheclusterenabled - 52c0d841-60d6-4a81-88dd-c35fef36d315: - categories: - 
- ALL - - boost-baseline - description: 'The field authorizationUrl on implicit or authorizationCode fields - from OAuth must be a valid URL ' - group: cloud-insecure-iam - name: 52c0d841-60d6-4a81-88dd-c35fef36d315 - pretty_name: Invalid OAuth2 Authorization URL (v3) - recommended: true - ref: https://swagger.io/specification/#oauth-flow-object - 52d70f2e-3257-474c-b3dc-8ad9ba6a061a: - categories: - - ALL - - boost-baseline - description: 'Kubelet argument --rotate-certificates should be true ' - group: cloud-weak-secrets-management - name: 52d70f2e-3257-474c-b3dc-8ad9ba6a061a - pretty_name: Kubelet Client Periodic Certificate Switch Disabled - recommended: true - ref: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/ - 52f04a44-6bfa-4c41-b1d3-4ae99a2de05c: - categories: - - ALL - - boost-baseline - description: 'VPC Subnet should not assign public IP ' - group: cloud-resources-public-access - name: 52f04a44-6bfa-4c41-b1d3-4ae99a2de05c - pretty_name: VPC Subnet Assigns Public IP - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/subnet#map_public_ip_on_launch - 52ffcfa6-6c70-4ea6-8376-d828d3961669: - categories: - - ALL - - boost-baseline - description: 'CloudTrail log file validation should be enabled to determine whether - a log file has not been tampered ' - group: top10-security-logging-monitoring-failures - name: 52ffcfa6-6c70-4ea6-8376-d828d3961669 - pretty_name: CloudTrail Log File Validation Disabled - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudtrail#enable_log_file_validation - 5308a7a8-06f8-45ac-bf10-791fe21de46e: - categories: - - ALL - - boost-baseline - description: 'Workload is mounting a volume with sensitive OS Directory ' - group: cloud-weak-configuration - name: 5308a7a8-06f8-45ac-bf10-791fe21de46e - pretty_name: Workload Mounting With Sensitive OS Directory - recommended: true - ref: 
https://kubernetes.io/docs/concepts/policy/pod-security-policy/ - 530e8291-2f22-4bab-b7ea-306f1bc2a308: - categories: - - ALL - - boost-baseline - description: 'Azure SQL Server must avoid using predictable Active Directory Administrator - Account names, like ''Admin'', which means the attribute ''ad_user'' must be - set to a name that is not easy to predict ' - group: top10-insecure-design - name: 530e8291-2f22-4bab-b7ea-306f1bc2a308 - pretty_name: SQL Server Predictable Active Directory Account Name - recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_adserviceprincipal_module.html - 5330b503-3319-44ff-9b1c-00ee873f728a: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'The CIDR IP should not be a public interface ' - group: cloud-weak-configuration - name: 5330b503-3319-44ff-9b1c-00ee873f728a - pretty_name: EC2 Group Has Public Interface - recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/amazon/aws/ec2_group_module.html - 533a0d13-6e89-4551-ae33-bce14e5849c1: - categories: - - ALL - - boost-baseline - description: API Keys should not be transported over network - group: cloud-insecure-iam - name: 533a0d13-6e89-4551-ae33-bce14e5849c1 - pretty_name: API Key Exposed In Global Security (v2) - recommended: true - ref: https://swagger.io/specification/v2/#securityDefinitionsObject - 53bce6a8-5492-4b1b-81cf-664385f0c4bf: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'S3 Buckets must not allow Get Action From All Principals, as to - prevent leaking private information to the entire internet or allow unauthorized - data tampering / deletion. This means the ''Effect'' must not be ''Allow'' when - the ''Action'' is Get, for all Principals. 
' - group: cloud-insecure-iam - name: 53bce6a8-5492-4b1b-81cf-664385f0c4bf - pretty_name: S3 Bucket Allows Get Action From All Principals - recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/amazon/aws/s3_bucket_module.html - 5400f379-a347-4bdd-a032-446465fdcc6f: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Trusted Microsoft Services should be enabled for Storage Account - access ' - group: cloud-resources-public-access - name: 5400f379-a347-4bdd-a032-446465fdcc6f - pretty_name: Trusted Microsoft Services Not Enabled - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account#bypass - 54229498-850b-4f78-b3a7-218d24ef2c37: - categories: - - ALL - description: 'A list of Elasticache resources found. Amazon ElastiCache is a fully - managed, in-memory caching service supporting flexible, real-time use cases. - You can use ElastiCache for caching, which accelerates application and database - performance, or as a primary data store for use cases that don''t require durability - like session stores, gaming leaderboards, streaming, and analytics. ElastiCache - is compatible with Redis and Memcached. ' - group: supply-chain-missing-artifact-integrity-verification - name: 54229498-850b-4f78-b3a7-218d24ef2c37 - pretty_name: BOM - AWS Elasticache - ref: https://kics.io/ - 54378d69-dd7c-4b08-a43e-80d563396857: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Public AWS MSK allows anyone to interact with the Apache Kafka broker, - therefore increasing the opportunity for malicious activity. 
To prevent such - a scenario, it is recommended for AWS MSK to not be publicly accessible ' - group: cloud-insecure-iam - name: 54378d69-dd7c-4b08-a43e-80d563396857 - pretty_name: MSK Broker Is Publicly Accessible - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/msk_cluster#public_access - 543e38f4-1eee-479e-8eb0-15257013aa0a: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Global security definition must not have empty objects ' - group: cloud-insecure-iam - name: 543e38f4-1eee-479e-8eb0-15257013aa0a - pretty_name: Global security field has an empty object (v3) - recommended: true - ref: https://swagger.io/specification/#security-requirement-object - 54c417bf-c762-48b9-9d31-b3d87047e3f0: - categories: - - ALL - - boost-baseline - description: 'Check if port 2383 on TCP is publicly accessible by checking the - CIDR block range that can access it. ' - group: cloud-resources-public-access - name: 54c417bf-c762-48b9-9d31-b3d87047e3f0 - pretty_name: SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group - 5527dcfc-94f9-4bf6-b7d4-1b78850cf41f: - categories: - - ALL - - boost-baseline - description: 'ElastiCache should be launched in a Virtual Private Cloud (VPC) ' - group: cloud-resources-public-access - name: 5527dcfc-94f9-4bf6-b7d4-1b78850cf41f - pretty_name: ElastiCache Without VPC - recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/community/aws/elasticache_module.html#parameter-cache_subnet_group - 5572cc5e-1e4c-4113-92a6-7a8a3bd25e6d: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Containers should not run with allowPrivilegeEscalation in order - to prevent them from gaining more privileges than their parent process ' - group: cloud-weak-configuration - name: 5572cc5e-1e4c-4113-92a6-7a8a3bd25e6d - 
pretty_name: Privilege Escalation Allowed - recommended: true - ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ - 559439b2-3e9c-4739-ac46-17e3b24ec215: - categories: - - ALL - - boost-baseline - description: 'The API Endpoint type in API Gateway should be set to PRIVATE so - it''s not exposed to the public internet ' - group: cloud-resources-public-access - name: 559439b2-3e9c-4739-ac46-17e3b24ec215 - pretty_name: API Gateway Endpoint Config is Not Private - recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/community/aws/aws_api_gateway_module.html - 55975007-f6e7-4134-83c3-298f1fe4b519: - categories: - - ALL - - boost-baseline - description: 'SQL Server alert email should be enabled ' - group: top10-insecure-design - name: 55975007-f6e7-4134-83c3-298f1fe4b519 - pretty_name: SQL Server Alert Email Disabled - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/mssql_server_security_alert_policy#email_account_admins - 55af1353-2f62-4fa0-a8e1-a210ca2708f5: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Checks if the connection between CloudFront and the viewer is encrypted ' - group: top10-crypto-failures - name: 55af1353-2f62-4fa0-a8e1-a210ca2708f5 - pretty_name: Cloudfront Viewer Protocol Policy Allows HTTP - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_distribution - 561710b1-b845-4562-95ce-2397a05ccef4: - categories: - - ALL - - boost-baseline - description: 'The template path must have a corresponding path parameter for a - given operation ' - group: top10-insecure-design - name: 561710b1-b845-4562-95ce-2397a05ccef4 - pretty_name: Template Path With No Corresponding Path Parameter (v3) - recommended: true - ref: https://github.com/OAI/OpenAPI-Specification/blob/main/versions/3.0.2.md#pathTemplating - 562952e4-0348-4dea-9826-44f3a2c6117b: - categories: - - ALL 
- - boost-baseline - description: 'Not specifying the package version can cause failures due to unanticipated - changes in required packages ' - group: supply-chain-scm-weak-configuration - name: 562952e4-0348-4dea-9826-44f3a2c6117b - pretty_name: Zypper Install Without Version - recommended: true - ref: https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#run - 564b70f8-41cd-4690-aff8-bb53add86bc9: - categories: - - ALL - - boost-baseline - description: 'Network Watcher Flow Log Retention Policy should be enabled and - the recommended number of days for the retention should be higher than 90 ' - group: top10-security-logging-monitoring-failures - name: 564b70f8-41cd-4690-aff8-bb53add86bc9 - pretty_name: Unrecommended Network Watcher Flow Log Retention Policy - recommended: true - ref: https://docs.microsoft.com/en-us/azure/templates/microsoft.network/2019-11-01/networkwatchers/flowlogs?tabs=json#retentionpolicyparameters-object - 568a4d22-3517-44a6-a7ad-6a7eed88722c: - categories: - - ALL - - boost-baseline - description: 'S3 bucket should have versioning enabled ' - group: top10-security-logging-monitoring-failures - name: 568a4d22-3517-44a6-a7ad-6a7eed88722c - pretty_name: S3 Bucket Without Versioning - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#versioning - 568cc372-ca64-420d-9015-ee347d00d288: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'User Data should not contain a base64 encoded private key. 
If so, - anyone can decode the private key easily ' - group: top10-crypto-failures - name: 568cc372-ca64-420d-9015-ee347d00d288 - pretty_name: User Data Contains Encoded Private Key - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-as-launchconfig.html - 56a585f5-555c-48b2-8395-e64e4740a9cf: - categories: - - ALL - - boost-baseline - description: 'Ensure a log metric filter and alarm exist for disabling or scheduled - deletion of customer created CMK ' - group: top10-security-logging-monitoring-failures - name: 56a585f5-555c-48b2-8395-e64e4740a9cf - pretty_name: CloudWatch Disabling Or Scheduled Deletion Of Customer Created CMK - Alarm Missing - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_metric_filter#pattern - 56dad03e-e94f-4dd6-93a4-c253a03ff7a0: - categories: - - ALL - - boost-baseline - description: 'Cosmos DB Account must have a mapping of tags. ' - group: supply-chain-cicd-weak-configuration - name: 56dad03e-e94f-4dd6-93a4-c253a03ff7a0 - pretty_name: Cosmos DB Account Without Tags - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/cosmosdb_account - 56f6a008-1b14-4af4-b9b2-ab7cf7e27641: - categories: - - ALL - - boost-baseline - description: 'DocDB logging should be enabled ' - group: top10-security-logging-monitoring-failures - name: 56f6a008-1b14-4af4-b9b2-ab7cf7e27641 - pretty_name: DocDB Logging Is Disabled - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/docdb_cluster#enabled_cloudwatch_logs_exports - 571254d8-aa6a-432e-9725-535d3ef04d69: - categories: - - ALL - - boost-baseline - description: 'Group with privilege escalation by actions ''lambda:UpdateFunctionCode'' - and Resource set to ''*''. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. 
' - group: cloud-insecure-iam - name: 571254d8-aa6a-432e-9725-535d3ef04d69 - pretty_name: Group With Privilege Escalation By Actions 'lambda:UpdateFunctionCode' - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_policy#policy - 5744cbb8-5946-4b75-a196-ade44449525b: - categories: - - ALL - - boost-baseline - description: 'Deployments targeted by HorizontalPodAutoscaler should not have - a statically configured replica count set ' - group: top10-insecure-design - name: 5744cbb8-5946-4b75-a196-ade44449525b - pretty_name: HPA Targeted Deployments With Configured Replica Count - recommended: true - ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale-walkthrough/ - 574e8d82-1db2-4b9c-b526-e320ede9a9ff: - categories: - - ALL - - boost-baseline - description: 'All Alerts should be enabled in SQL Database Server SecurityAlerts - Policy Properties ' - group: top10-insecure-design - name: 574e8d82-1db2-4b9c-b526-e320ede9a9ff - pretty_name: SQL Server Database With Alerts Disabled - recommended: true - ref: https://docs.microsoft.com/en-us/azure/templates/microsoft.sql/servers/databases/securityalertpolicies?tabs=json - 575a2155-6af1-4026-b1af-d5bc8fe2a904: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'IAM policy should not grant full permissions to resources from the - get-go, instead of granting permissions gradually as necessary. 
' - group: cloud-insecure-iam - name: 575a2155-6af1-4026-b1af-d5bc8fe2a904 - pretty_name: IAM Policy Grants Full Permissions - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy - 577ac19c-6a77-46d7-9f14-e049cdd15ec2: - categories: - - ALL - - boost-baseline - description: 'CPU requests should be set to ensure the sum of the resource requests - of the scheduled Containers is less than the capacity of the node ' - group: cloud-insecure-iam - name: 577ac19c-6a77-46d7-9f14-e049cdd15ec2 - pretty_name: CPU Requests Not Set - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#requests - 579a0727-9c29-4d58-8195-fc5802a8bdb4: - categories: - - ALL - - boost-baseline - description: 'GKE cluster nodes must be launched with Shielded VM enabled, which - means the attribute ''enable_shielded_nodes'' must be set to ''true''. ' - group: cloud-weak-configuration - name: 579a0727-9c29-4d58-8195-fc5802a8bdb4 - pretty_name: Shielded GKE Nodes Disabled - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_cluster#enable_shielded_nodes - 57b12981-3816-4c31-b190-a1e614361dd2: - categories: - - ALL - - boost-baseline - description: 'Allowing to run lambda function using public API Gateway ' - group: cloud-insecure-iam - name: 57b12981-3816-4c31-b190-a1e614361dd2 - pretty_name: Public Lambda via API Gateway - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-lambda-permission.html - 57b9893d-33b1-4419-bcea-a717ea87e139: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'S3 Buckets should not be readable to any authenticated user ' - group: cloud-insecure-iam - name: 57b9893d-33b1-4419-bcea-a717ea87e139 - pretty_name: S3 Bucket ACL Allows Read to Any Authenticated User - recommended: true - ref: 
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#acl - 57ced4b9-6ba4-487b-8843-b65562b90c77: - categories: - - ALL - - boost-baseline - - boost-hardened - description: '''SSH'' (TCP:22) should not be public in AWS Security Group ' - group: cloud-resources-public-access - name: 57ced4b9-6ba4-487b-8843-b65562b90c77 - pretty_name: Security Group With Unrestricted Access To SSH - recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/amazon/aws/ec2_group_module.html - 5813ef56-fa94-406a-b35d-977d4a56ff2b: - categories: - - ALL - - boost-baseline - description: 'API Gateway should have X-Ray Tracing enabled ' - group: top10-security-logging-monitoring-failures - name: 5813ef56-fa94-406a-b35d-977d4a56ff2b - pretty_name: API Gateway X-Ray Disabled - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_stage#xray_tracing_enabled - 581dae78-307d-45d5-aae4-fe2b0db267a5: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Azurerm Container Registry should contain associated locks, which - means ''azure_rm_lock.managed_resource_id'' or ''azure_rm_lock.resource_group'' - association should be defined ' - group: cloud-weak-configuration - name: 581dae78-307d-45d5-aae4-fe2b0db267a5 - pretty_name: Azure Container Registry With No Locks - recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_lock_module.html - 583053b7-e632-46f0-b989-f81ff8045385: - categories: - - ALL - - boost-baseline - description: 'Image tag must be defined and not be empty or equal to latest. 
' - group: supply-chain-scm-weak-configuration - name: 583053b7-e632-46f0-b989-f81ff8045385 - pretty_name: Invalid Image Tag - recommended: true - ref: https://kubernetes.io/docs/concepts/containers/images/#updating-images - 5864d189-ee9a-4009-ac0c-8a582e6b7919: - categories: - - ALL - - boost-baseline - description: 'Ensure a log metric filter and alarm exist for AWS Management Console - authentication failures ' - group: top10-security-logging-monitoring-failures - name: 5864d189-ee9a-4009-ac0c-8a582e6b7919 - pretty_name: CloudWatch Management Console Auth Failed Alarm Missing - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_metric_filter#pattern - 5864fb39-d719-4182-80e2-89dbe627be63: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Amazon DMS is publicly accessible, therefore exposing possible sensitive - information. To prevent such a scenario, update the attribute ''PubliclyAccessible'' - to false. 
' - group: cloud-insecure-iam - name: 5864fb39-d719-4182-80e2-89dbe627be63 - pretty_name: Amazon DMS Replication Instance Is Publicly Accessible - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-dms-replicationinstance.html - 586abcee-9653-462d-ad7b-2638a32bd6e6: - categories: - - ALL - - boost-baseline - - boost-hardened - description: All paths should have security scheme, if it is omitted, global security - field should be defined - group: cloud-insecure-iam - name: 586abcee-9653-462d-ad7b-2638a32bd6e6 - pretty_name: No Global And Operation Security Defined (v2) - recommended: true - ref: https://swagger.io/specification/v2/#security-requirement-object - 587d5d82-70cf-449b-9817-f60f9bccb88c: - categories: - - ALL - - boost-baseline - description: 'Minimize the admission of containers wishing to share the host process - ID namespace ' - group: cloud-weak-configuration - name: 587d5d82-70cf-449b-9817-f60f9bccb88c - pretty_name: Container Host Pid Is True - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#host_pid - 58876b44-a690-4e9f-9214-7735fa0dd15d: - categories: - - ALL - - boost-baseline - description: 'Cronjobs must have a configured deadline, which means the attribute - ''starting_deadline_seconds'' must be defined ' - group: cloud-insecure-iam - name: 58876b44-a690-4e9f-9214-7735fa0dd15d - pretty_name: CronJob Deadline Not Configured - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/cron_job#starting_deadline_seconds - 58b35504-0287-4154-bf69-02c0573deab8: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Sagemaker endpoint configuration should encrypt data ' - group: top10-crypto-failures - name: 58b35504-0287-4154-bf69-02c0573deab8 - pretty_name: Sagemaker Endpoint Configuration Encryption Disabled - recommended: true - ref: 
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sagemaker_endpoint_configuration#kms_key_arn - 58f06434-a88c-4f74-826c-db7e10cc7def: - categories: - - ALL - - boost-baseline - description: 'The field ''content'' of the request body object should be set to - ''multipart'' or ''application/x-www-form-urlencoded'' when field ''encoding'' - is set. ' - group: top10-insecure-design - name: 58f06434-a88c-4f74-826c-db7e10cc7def - pretty_name: Request Body Object With Incorrect Media Type - recommended: true - ref: https://swagger.io/specification/#media-type-object - 5906092d-5f74-490d-9a03-78febe0f65e1: - categories: - - ALL - - boost-baseline - description: 'Repositories must be set to private, which means the attribute ''visibility'' - must be set to ''private'' and/or the attribute ''private'' must be set to true - (the attribute ''visibility'' overrides ''private'') ' - group: cloud-weak-configuration - name: 5906092d-5f74-490d-9a03-78febe0f65e1 - pretty_name: GitHub Repository Set To Public - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-codestar-githubrepository.html - 5907595b-5b6d-4142-b173-dbb0e73fbff8: - categories: - - ALL - - boost-baseline - description: 'Expose only the ports that your application needs and avoid exposing - ports like SSH (22) ' - group: top10-insecure-design - name: 5907595b-5b6d-4142-b173-dbb0e73fbff8 - pretty_name: Exposing Port 22 (SSH) - recommended: true - ref: https://sysdig.com/blog/dockerfile-best-practices/ - 590d878b-abdc-428f-895a-e2b68a0e1998: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'AWS Security Group should not have an unknown port exposed to the - entire Internet ' - group: cloud-resources-public-access - name: 590d878b-abdc-428f-895a-e2b68a0e1998 - pretty_name: Unknown Port Exposed To Internet - recommended: true - ref: 
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group - 5915c20f-dffa-4cee-b5d4-f457ddc0151a: - categories: - - ALL - - boost-baseline - description: 'All array fields should not be empty ' - group: top10-insecure-design - name: 5915c20f-dffa-4cee-b5d4-f457ddc0151a - pretty_name: Empty Array - recommended: true - ref: https://swagger.io/specification/ - 591ade62-d6b0-4580-b1ae-209f80ba1cd9: - categories: - - ALL - - boost-baseline - description: 'A Kubernetes Pod should have a Service Account defined so to restrict - Kubernetes API access, which means the attribute ''serviceAccountName'' should - be defined and not empty. ' - group: cloud-weak-configuration - name: 591ade62-d6b0-4580-b1ae-209f80ba1cd9 - pretty_name: Service Account Name Undefined Or Empty - recommended: true - ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/ - 592ad21d-ad9b-46c6-8d2d-fad09d62a942: - categories: - - ALL - - boost-baseline - description: 'The permission to create pods in a cluster should be restricted - because it allows privilege escalation. ' - group: cloud-insecure-iam - name: 592ad21d-ad9b-46c6-8d2d-fad09d62a942 - pretty_name: Permissive Access to Create Pods - recommended: true - ref: https://kubernetes.io/docs/reference/access-authn-authz/rbac/#privilege-escalation-prevention-and-bootstrapping - 59312e8a-a64e-41e7-a252-618533dd1ea8: - categories: - - ALL - - boost-baseline - description: 'All outputs should contain a valid description. 
' - group: top10-insecure-design - name: 59312e8a-a64e-41e7-a252-618533dd1ea8 - pretty_name: Output Without Description - recommended: true - ref: https://www.terraform.io/docs/language/values/outputs.html#description-output-value-documentation - 594c198b-4d79-41b8-9b36-fde13348b619: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'A sensitive port, such as port 23 or port 110, is open for the whole - network in either TCP or UDP protocol ' - group: cloud-resources-public-access - name: 594c198b-4d79-41b8-9b36-fde13348b619 - pretty_name: Sensitive Port Is Exposed To Entire Network - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_security_rule - 594f54e7-f744-45ab-93e4-c6dbaf6cd571: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'AWS S3 Storage should be protected with SSE (Server-Side Encryption) ' - group: top10-crypto-failures - name: 594f54e7-f744-45ab-93e4-c6dbaf6cd571 - pretty_name: S3 Bucket Without Server-side-encryption - recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/amazon/aws/s3_bucket_module.html - 59571246-3f62-4965-a96f-c7d97e269351: - categories: - - ALL - - boost-baseline - description: 'Verifies if the Google Project Auto Create Network is Disabled ' - group: cloud-weak-configuration - name: 59571246-3f62-4965-a96f-c7d97e269351 - pretty_name: Google Project Auto Create Network Disabled - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_project - 599318f2-6653-4569-9e21-041d06c63a89: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Azure Kubernetes Service (AKS) API should not be exposed to the - internet ' - group: cloud-weak-configuration - name: 599318f2-6653-4569-9e21-041d06c63a89 - pretty_name: AKS Private Cluster Disabled - recommended: true - ref: 
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/kubernetes_cluster#private_cluster_enabled - 59a849c2-1127-4023-85a5-ef906dcd458c: - categories: - - ALL - description: 'A list of SQS resources specified. Amazon Simple Queue Service (SQS) - is a fully managed message queuing service that enables you to decouple and - scale microservices, distributed systems, and serverless applications. ' - group: supply-chain-missing-artifact-integrity-verification - name: 59a849c2-1127-4023-85a5-ef906dcd458c - pretty_name: BOM - AWS SQS - ref: https://kics.io/ - 59acb56b-2b10-4c2c-ba38-f2223c3f5cfc: - categories: - - ALL - - boost-baseline - description: 'Make sure for SQL Servers that Auditing Retention is greater than - 90 days ' - group: top10-security-logging-monitoring-failures - name: 59acb56b-2b10-4c2c-ba38-f2223c3f5cfc - pretty_name: Small MSSQL Server Audit Retention - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/sql_server - 59c2f769-7cc2-49c8-a3de-4e211135cfab: - categories: - - ALL - - boost-baseline - description: 'Property ''allowEmptyValue'' is ignored in the following cases: - {sytle: simple, explode: false}, {sytle: simple, explode: true}, {sytle: spaceDelimited, - explode: false}, {sytle: pipeDelimited, explode: false}, and {sytle: deepObject, - explode: true} ' - group: top10-insecure-design - name: 59c2f769-7cc2-49c8-a3de-4e211135cfab - pretty_name: Property 'allowEmptyValue' Ignored - recommended: true - ref: https://swagger.io/specification/#parameter-object - 59cb3da7-f206-4ae6-b827-7abf0a9cab9d: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Port 3389 (Remote Desktop) is exposed to the Internet ' - group: cloud-resources-public-access - name: 59cb3da7-f206-4ae6-b827-7abf0a9cab9d - pretty_name: Network Security Group With Unrestricted Access To RDP - recommended: true - ref: 
https://docs.microsoft.com/en-us/azure/templates/microsoft.network/2020-07-01/networksecuritygroups?tabs=json#securityrulepropertiesformat-object - 59ebb4f3-2a6c-46dc-b4f0-cc5418dcddcd: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Roles defined in Serverless files should not have policies granting - full administrative privileges. ' - group: cloud-insecure-iam - name: 59ebb4f3-2a6c-46dc-b4f0-cc5418dcddcd - pretty_name: Serverless Role With Full Privileges - recommended: true - ref: https://www.serverless.com/framework/docs/providers/aws/guide/iam - 5a2486aa-facf-477d-a5c1-b010789459ce: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'EC2 Instance should not have a public IP address. ' - group: cloud-resources-public-access - name: 5a2486aa-facf-477d-a5c1-b010789459ce - pretty_name: EC2 Instance Has Public IP - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/instance#associate_public_ip_address - 5a443297-19d4-4381-9e5b-24faf947ec22: - categories: - - ALL - - boost-baseline - description: 'Expired SSL/TLS certificates should be removed ' - group: cloud-insecure-iam - name: 5a443297-19d4-4381-9e5b-24faf947ec22 - pretty_name: Certificate Has Expired - recommended: true - ref: https://docs.ansible.com/ansible/2.10/collections/community/aws/aws_acm_module.html - 5aea1d7e-b834-4749-b143-2c7ec3bd5922: - categories: - - ALL - - boost-baseline - description: 'Tag External Documentation URL should be a valid URL ' - group: top10-insecure-design - name: 5aea1d7e-b834-4749-b143-2c7ec3bd5922 - pretty_name: Invalid Tag External Documentation URL (v3) - recommended: true - ref: https://swagger.io/specification/#external-documentation-object - 5b033ec8-f079-4323-b5c8-99d4620433a9: - categories: - - ALL - - boost-baseline - description: 'EMR SecurityConfiguration should enable and properly configure encryption - at rest and in transit. 
' - group: top10-crypto-failures - name: 5b033ec8-f079-4323-b5c8-99d4620433a9 - pretty_name: EMR Security Configuration Encryption Disabled - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-emr-securityconfiguration.html - 5b48c507-0d1f-41b0-a630-76817c6b4189: - categories: - - ALL - - boost-baseline - description: 'Alexa ASK Skill AuthenticationConfiguration RefreshToken should - not be a plaintext string ' - group: cloud-weak-secrets-management - name: 5b48c507-0d1f-41b0-a630-76817c6b4189 - pretty_name: RefreshToken Is Exposed - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ask-skill.html#cfn-ask-skill-authenticationconfiguration - 5b4d4aee-ac94-4810-9611-833636e5916d: - categories: - - ALL - - boost-baseline - description: 'Role with privilege escalation by actions ''iam:CreateAccessKey'' - and Resource set to ''*''. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. ' - group: cloud-insecure-iam - name: 5b4d4aee-ac94-4810-9611-833636e5916d - pretty_name: Role With Privilege Escalation By Actions 'iam:CreateAccessKey' - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy#policy - 5b6d53dd-3ba3-4269-b4d7-f82e880e43c3: - categories: - - ALL - - boost-baseline - description: 'In case of an unresponsive container, a Liveness Probe can help - your application become more available since it restarts the container. However, - it can lead to cascading failures. 
Define one if you really need it ' - group: top10-insecure-design - name: 5b6d53dd-3ba3-4269-b4d7-f82e880e43c3 - pretty_name: Liveness Probe Is Not Defined - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#liveness_probe - 5b8d7527-de8e-4114-b9dd-9d988f1f418f: - categories: - - ALL - - boost-baseline - description: 'Ensure a log metric filter and alarm exist for AWS Config configuration - changes ' - group: top10-security-logging-monitoring-failures - name: 5b8d7527-de8e-4114-b9dd-9d988f1f418f - pretty_name: CloudWatch AWS Config Configuration Changes Alarm Missing - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_metric_filter#pattern - 5b9d237a-57d5-4177-be0e-71434b0fef47: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'The KMS key has a policy that is too permissive, as it provides - the AWS account owner with access to all AWS KMS operations, therefore violating - the principle of least privilege. 
' - group: cloud-weak-configuration - name: 5b9d237a-57d5-4177-be0e-71434b0fef47 - pretty_name: KMS Key With Full Permissions - recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/community/aws/aws_kms_module.html - 5ba316a9-c466-4ec1-8d5b-bc6107dc9a92: - categories: - - ALL - - boost-baseline - description: 'Check if SNS topic name is set for CloudTrail ' - group: top10-security-logging-monitoring-failures - name: 5ba316a9-c466-4ec1-8d5b-bc6107dc9a92 - pretty_name: CloudTrail SNS Topic Name Undefined - recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/community/aws/cloudtrail_module.html - 5ba6229c-8057-433e-91d0-21cf13569ca9: - categories: - - ALL - - boost-baseline - description: 'Check if the Amazon Organizations ensure that all features are enabled - to achieve full control over the use of AWS services and actions across multiple - AWS accounts using Service Control Policies (SCPs). ' - group: cloud-weak-configuration - name: 5ba6229c-8057-433e-91d0-21cf13569ca9 - pretty_name: Service Control Policies Disabled - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/organizations_policy - 5baa92d2-d8ee-4c75-88a4-52d9d8bb8067: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Kubernetes Engine Clusters must have Legacy Authorization set to - disabled, which means the attribute ''enable_legacy_abac'' must not be true ' - group: cloud-weak-configuration - name: 5baa92d2-d8ee-4c75-88a4-52d9d8bb8067 - pretty_name: GKE Legacy Authorization Enabled - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_cluster - 5beacce3-4020-4a3d-9e1d-a36f953df630: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'RDS Storage should be encrypted, which means the attribute ''StorageEncrypted'' - should be set to ''true'' ' - group: top10-crypto-failures - name: 
5beacce3-4020-4a3d-9e1d-a36f953df630 - pretty_name: RDS Storage Not Encrypted - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-rds-database-instance.html - 5c0003fb-9aa0-42c1-9da3-eb0e332bef21: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Check if secure ciphers aren''t used in CloudFront ' - group: top10-crypto-failures - name: 5c0003fb-9aa0-42c1-9da3-eb0e332bef21 - pretty_name: Secure Ciphers Disabled - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_distribution - 5c0b06d5-b7a4-484c-aeb0-75a836269ff0: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Checks if logging is enabled for CloudTrail. ' - group: top10-security-logging-monitoring-failures - name: 5c0b06d5-b7a4-484c-aeb0-75a836269ff0 - pretty_name: CloudTrail Logging Disabled - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cloudtrail-trail.html#cfn-cloudtrail-trail-islogging - 5c281bf8-d9bb-47f2-b909-3f6bb11874ad: - categories: - - ALL - - boost-baseline - description: 'Service type should not be NodePort ' - group: cloud-resources-public-access - name: 5c281bf8-d9bb-47f2-b909-3f6bb11874ad - pretty_name: Service Type is NodePort - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/service#type - 5c666ed9-b586-49ab-9873-c495a833b705: - categories: - - ALL - - boost-baseline - description: 'AWS Elasticsearch should ensure IAM Authentication ' - group: cloud-insecure-iam - name: 5c666ed9-b586-49ab-9873-c495a833b705 - pretty_name: Elasticsearch Without IAM Authentication - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-elasticsearch-domain.html#cfn-elasticsearch-domain-accesspolicies - 5c6b727b-1382-4629-8ba9-abd1365e5610: - categories: - - ALL - - boost-baseline - - 
boost-hardened - description: 'AWS Redshift Clusters must not be publicly accessible. Check if - ''publicly_accessible'' field is true (default is false) ' - group: cloud-weak-configuration - name: 5c6b727b-1382-4629-8ba9-abd1365e5610 - pretty_name: Redshift Publicly Accessible - recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/community/aws/redshift_module.html - 5c6dd5e7-1fe0-4cae-8f81-4c122717cef3: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'AWS Kinesis Server data at rest should have Server Side Encryption - (SSE) enabled ' - group: top10-crypto-failures - name: 5c6dd5e7-1fe0-4cae-8f81-4c122717cef3 - pretty_name: Kinesis SSE Not Configured - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kinesis_firehose_delivery_stream#server_side_encryption - 5c80db8e-03f5-43a2-b4af-1f3f87018157: - categories: - - ALL - - boost-baseline - description: 'Role Definition should not allow custom role creation (Microsoft.Authorization/roleDefinitions/write) ' - group: cloud-insecure-iam - name: 5c80db8e-03f5-43a2-b4af-1f3f87018157 - pretty_name: Role Definition Allows Custom Role Creation - recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_roledefinition_module.html#parameter-permissions/actions - 5c822443-e1ea-46b8-84eb-758ec602e844: - categories: - - ALL - - boost-baseline - description: 'Azure Virtual Network subnet must be configured with a Network Security - Group, which means the attribute ''security_group'' must be defined and not - empty ' - group: cloud-weak-configuration - name: 5c822443-e1ea-46b8-84eb-758ec602e844 - pretty_name: Security Group is Not Configured - recommended: true - ref: https://www.terraform.io/docs/providers/azure/r/virtual_network.html - 5d29effc-5d68-481f-9721-d74e5919226b: - categories: - - ALL - - boost-baseline - - boost-hardened - description: Security object for operations, if 
defined, must define a security - scheme, otherwise it should be considered an error - group: cloud-insecure-iam - name: 5d29effc-5d68-481f-9721-d74e5919226b - pretty_name: Security Field On Operations Has An Empty Array (v2) - recommended: true - ref: https://swagger.io/specification/v2/#operation-object - 5d3c1807-acb3-4bb0-be4e-0440230feeaf: - categories: - - ALL - - boost-baseline - description: 'Checks if CloudWatch Metrics is Enabled ' - group: top10-security-logging-monitoring-failures - name: 5d3c1807-acb3-4bb0-be4e-0440230feeaf - pretty_name: CloudWatch Metrics Disabled - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cw-alarm.html - 5d89db57-8b51-4b38-bb76-b9bd42bd40f0: - categories: - - ALL - - boost-baseline - description: 'ElastiCache should not use the default port (an attacker can easily - guess the port). For engine set to Redis, the default port is 6379. The Memcached - default port is 11211 ' - group: cloud-resources-public-access - name: 5d89db57-8b51-4b38-bb76-b9bd42bd40f0 - pretty_name: ElastiCache Using Default Port - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/elasticache_cluster#port - 5d9e3164-9265-470c-9a10-57ae454ac0c7: - categories: - - ALL - - boost-baseline - description: 'Logs delivered by CloudTrail should be encrypted using KMS to increase - security of your CloudTrail ' - group: top10-crypto-failures - name: 5d9e3164-9265-470c-9a10-57ae454ac0c7 - pretty_name: CloudTrail Log Files Not Encrypted With KMS - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudtrail#kms_key_id - 5da47109-f8d6-4585-9e2b-96a8958a12f5: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'When using kube-apiserver command, the ''basic-auth-file'' flag - should not be set ' - group: cloud-insecure-iam - name: 5da47109-f8d6-4585-9e2b-96a8958a12f5 - pretty_name: Basic Auth 
File Is Set - recommended: true - ref: https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/ - 5e0fb613-ba9b-44c3-88f0-b44188466bfd: - categories: - - ALL - - boost-baseline - description: 'Ram Account Password Policy should have ''require_uppercase_characters'' - set to true ' - group: cloud-weak-secrets-management - name: 5e0fb613-ba9b-44c3-88f0-b44188466bfd - pretty_name: RAM Account Password Policy Not Require at Least one Uppercase Character - recommended: true - ref: https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/ram_account_password_policy#require_uppercase_characters - 5e5ecb9d-04b5-4e4f-b5a5-6ee04279b275: - categories: - - ALL - - boost-baseline - description: 'OpenAPI Object should contain all of its required fields ' - group: top10-insecure-design - name: 5e5ecb9d-04b5-4e4f-b5a5-6ee04279b275 - pretty_name: Object Without Required Property (v2) - recommended: true - ref: https://swagger.io/specification/v2/ - 5e6c9c68-8a82-408e-8749-ddad78cbb9c5: - categories: - - ALL - - boost-baseline - description: 'It''s considered a best practice for AWS Security Group to have - a description ' - group: top10-insecure-design - name: 5e6c9c68-8a82-408e-8749-ddad78cbb9c5 - pretty_name: Security Group Rule Without Description - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-security-group.html - 5e7acff5-095b-40ac-9073-ac2e4ad8a512: - categories: - - ALL - - boost-baseline - description: 'IAM policy should not apply directly to users, should be with a - group ' - group: top10-insecure-design - name: 5e7acff5-095b-40ac-9073-ac2e4ad8a512 - pretty_name: IAM Policies Without Groups - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/quickref-iam.html#scenario-iam-policy - 5e92d816-2177-4083-85b4-f61b4f7176d9: - categories: - - ALL - - boost-baseline - description: 'Allowing to run lambda function using public API 
Gateway ' - group: cloud-insecure-iam - name: 5e92d816-2177-4083-85b4-f61b4f7176d9 - pretty_name: Public Lambda via API Gateway - recommended: true - ref: https://docs.ansible.com/ansible/2.4/lambda_policy_module.html - 5ea61624-3733-4a3a-8ca4-b96fec9c5aeb: - categories: - - ALL - - boost-baseline - description: 'Operation External Documentation URL should be a valid URL ' - group: top10-insecure-design - name: 5ea61624-3733-4a3a-8ca4-b96fec9c5aeb - pretty_name: Invalid Operation External Documentation URL (v3) - recommended: true - ref: https://swagger.io/specification/#external-documentation-object - 5ea624e4-c8b1-4bb3-87a4-4235a776adcc: - categories: - - ALL - - boost-baseline - description: 'SNS topic Publicity should not have ''Effect: Allow'' and argument - ''NotAction'' at the same time. If it has ''Effect: Allow'', the argument stated - should be ''Action''. ' - group: cloud-insecure-iam - name: 5ea624e4-c8b1-4bb3-87a4-4235a776adcc - pretty_name: SNS Topic Publicity Has Allow and NotAction Simultaneously - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic_policy - 5eccd62d-8b4d-46d3-83ea-1879f3cbd3ce: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'The CA certificate Identifier must be ''rds-ca-2019''. 
' - group: top10-crypto-failures - name: 5eccd62d-8b4d-46d3-83ea-1879f3cbd3ce - pretty_name: CA Certificate Identifier Is Outdated - recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/community/aws/rds_instance_module.html#parameter-ca_certificate_identifier - 5ef61c88-bbb4-4725-b1df-55d23c9676bb: - categories: - - ALL - - boost-baseline - description: 'DNSSEC must be enabled for Cloud DNS ' - group: cloud-weak-configuration - name: 5ef61c88-bbb4-4725-b1df-55d23c9676bb - pretty_name: Cloud DNS Without DNSSEC - recommended: true - ref: https://www.terraform.io/docs/providers/google/d/dns_managed_zone.html - 5f34c7ae-4f3f-4cbb-8fe3-a11d6961062f: - categories: - - ALL - - boost-baseline - description: Operations responses should have a default response defined - group: cloud-resources-public-access - name: 5f34c7ae-4f3f-4cbb-8fe3-a11d6961062f - pretty_name: Default Response Undefined On Operations (v2) - recommended: true - ref: https://swagger.io/specification/v2/#responses-object - 5f4735ce-b9ba-4d95-a089-a37a767b716f: - categories: - - ALL - - boost-baseline - description: 'CPU limits should be set because if the system has CPU time free, - a container is guaranteed to be allocated as much CPU as it requests ' - group: cloud-insecure-iam - name: 5f4735ce-b9ba-4d95-a089-a37a767b716f - pretty_name: CPU Limits Not Set - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#limits - 5f670f9d-b1b4-4c90-8618-2288f1ab9676: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'NAS File System should have encryption provided by user KMS ' - group: top10-crypto-failures - name: 5f670f9d-b1b4-4c90-8618-2288f1ab9676 - pretty_name: NAS File System Without KMS - recommended: true - ref: https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/nas_file_system#kms_key_id - 5f700072-b7ce-4e84-b3f3-497bf1c24a4d: - categories: - - ALL - - boost-baseline - 
description: 'DMS Endpoint password must not be a plaintext string or a Ref to - a Parameter with a Default value. ' - group: cloud-weak-secrets-management - name: 5f700072-b7ce-4e84-b3f3-497bf1c24a4d - pretty_name: DMS Endpoint Password Exposed - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-dms-endpoint.html - 5f89001f-6dd9-49ff-9b15-d8cd71b617f4: - categories: - - ALL - - boost-baseline - description: 'Kubelet argument --make-iptables-util-chains should be true ' - group: cloud-resources-public-access - name: 5f89001f-6dd9-49ff-9b15-d8cd71b617f4 - pretty_name: Kubelet Not Managing Ip Tables - recommended: true - ref: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/ - 5fa731ea-e844-47a6-a1e8-abc25e95847e: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'OpenSSL versions from 3.0.0 to 3.0.5 are affected by a critical - vulnerability ' - group: supply-chain-scm-weak-configuration - name: 5fa731ea-e844-47a6-a1e8-abc25e95847e - pretty_name: Vulnerable OpenSSL Version - recommended: true - ref: https://mta.openssl.org/pipermail/openssl-announce/2022-October/000238.html - 5fb49a69-8d46-4495-a2f8-9c8c622b2b6e: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'S3 Bucket Object should have server-side encryption enabled ' - group: top10-crypto-failures - name: 5fb49a69-8d46-4495-a2f8-9c8c622b2b6e - pretty_name: S3 Bucket Object Not Encrypted - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_object#server_side_encryption - 60224630-175a-472a-9e23-133827040766: - categories: - - ALL - - boost-baseline - description: 'It''s considered a best practice for an EC2 instance to use an EBS - optimized instance. 
This provides the best performance for your EBS volumes - by minimizing contention between Amazon EBS I/O and other traffic from your - instance ' - group: top10-insecure-design - name: 60224630-175a-472a-9e23-133827040766 - pretty_name: EC2 Not EBS Optimized - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/instance#ebs_optimized - 60263b4a-6801-4587-911d-919c37ed733b: - categories: - - ALL - - boost-baseline - description: 'Group with privilege escalation by actions ''iam:PutUserPolicy'' - and Resource set to ''*''. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. ' - group: cloud-insecure-iam - name: 60263b4a-6801-4587-911d-919c37ed733b - pretty_name: Group With Privilege Escalation By Actions 'iam:PutUserPolicy' - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_policy#policy - 60587dbd-6b67-432e-90f7-a8cf1892d968: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Alicloud Security Group Rule should not allow all ports or all protocols - to the public ' - group: cloud-resources-public-access - name: 60587dbd-6b67-432e-90f7-a8cf1892d968 - pretty_name: Public Security Group Rule All Ports or Protocols - recommended: true - ref: https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/security_group_rule#cidr_ip - 609839ae-bd81-4375-9910-5bce72ae7b92: - categories: - - ALL - - boost-baseline - description: 'Make sure that for MSSQL Servers, that ''Auditing'' is set to ''On'' ' - group: top10-security-logging-monitoring-failures - name: 609839ae-bd81-4375-9910-5bce72ae7b92 - pretty_name: MSSQL Server Auditing Disabled - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/mssql_server - 609cd557-66b4-41fa-8edd-2abc6c7cfd08: - categories: - - ALL - - boost-baseline - description: Path object should 
have at least one operation object defined - group: top10-insecure-design - name: 609cd557-66b4-41fa-8edd-2abc6c7cfd08 - pretty_name: Path Without Operation (v2) - recommended: true - ref: https://swagger.io/specification/v2/#pathItemObject - 60a05ede-0a68-4d0d-a58f-f538cf55ff79: - categories: - - ALL - - boost-baseline - description: 'AWS Serverless API should have cache clustering enabled ' - group: cloud-weak-configuration - name: 60a05ede-0a68-4d0d-a58f-f538cf55ff79 - pretty_name: Serverless API Cache Cluster Disabled - recommended: true - ref: https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-resource-api.html#sam-api-cacheclusterenabled - 60af03ff-a421-45c8-b214-6741035476fa: - categories: - - ALL - - boost-baseline - description: 'Kubernetes container should have resource limitations defined such - as CPU and memory ' - group: cloud-weak-configuration - name: 60af03ff-a421-45c8-b214-6741035476fa - pretty_name: Container Resources Limits Undefined - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod - 60b5f56b-66ff-4e1c-9b62-5753e16825bc: - categories: - - ALL - - boost-baseline - description: 'Put should define at least one success response (200, 201, 202 or - 204) ' - group: cloud-resources-public-access - name: 60b5f56b-66ff-4e1c-9b62-5753e16825bc - pretty_name: Success Response Code Undefined for Put Operation (v3) - recommended: true - ref: https://swagger.io/specification/#operation-object - 60bfbb8a-c72f-467f-a6dd-a46b7d612789: - categories: - - ALL - - boost-baseline - description: 'ECR should have an image tag be immutable. This prevents image tags - from being overwritten. 
' - group: cloud-weak-configuration - name: 60bfbb8a-c72f-467f-a6dd-a46b7d612789 - pretty_name: ECR Image Tag Not Immutable - recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/community/aws/ecs_ecr_module.html - 60fb6621-9f02-473b-9424-ba9a825747d3: - categories: - - ALL - - boost-baseline - description: 'Link object ''OperationId'' should not have both ''operationId'' - and ''operationRef'' defined since they are mutually exclusive. ' - group: top10-insecure-design - name: 60fb6621-9f02-473b-9424-ba9a825747d3 - pretty_name: Link Object With Both 'operationId' And 'operationRef' - recommended: true - ref: https://swagger.io/specification/#link-object - 6107c530-7178-464a-88bc-df9cdd364ac8: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'OSS Bucket should have ip restricted access ' - group: cloud-resources-public-access - name: 6107c530-7178-464a-88bc-df9cdd364ac8 - pretty_name: OSS Bucket Ip Restriction Disabled - recommended: true - ref: https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/oss_bucket#policy - 610e266e-6c12-4bca-9925-1ed0cd29742b: - categories: - - ALL - - boost-baseline - description: 'Attribute ''security_opt'' should be defined. 
' - group: cloud-insecure-iam - name: 610e266e-6c12-4bca-9925-1ed0cd29742b - pretty_name: Security Opt Not Set - recommended: true - ref: https://docs.docker.com/compose/compose-file/compose-file-v3/#security_opt - 611ab018-c4aa-4ba2-b0f6-a448337509a6: - categories: - - ALL - - boost-baseline - description: 'Namespaces like ''default'', ''kube-system'' or ''kube-public'' - should not be used ' - group: cloud-weak-configuration - name: 611ab018-c4aa-4ba2-b0f6-a448337509a6 - pretty_name: Using Unrecommended Namespace - recommended: true - ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/kubernetes-objects/ - 6172e7ab-d2b7-45f8-a7db-1603931d8ba3: - categories: - - ALL - - boost-baseline - description: Responses Object should not be empty - group: top10-insecure-design - name: 6172e7ab-d2b7-45f8-a7db-1603931d8ba3 - pretty_name: Responses Object Is Empty (v2) - recommended: true - ref: https://swagger.io/specification/v2/#responsesObject - 617ef6ff-711e-4bd7-94ae-e965911b1b40: - categories: - - ALL - - boost-baseline - description: 'Verifies if Google Project IAM Binding Service Account doesn''t - have an Account User or Token Creator Role associated ' - group: cloud-insecure-iam - name: 617ef6ff-711e-4bd7-94ae-e965911b1b40 - pretty_name: Google Project IAM Binding Service Account has Token Creator or Account - User Role - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_project_iam#google_project_iam_binding - 61a94903-3cd3-4780-88ec-fc918819b9c8: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'ELB Predefined or Custom Security Policies must not use insecure - protocols, to reduce the risk of the SSL connection between the client and the - load balancer being exploited. That means the ELB Listeners must not have Policies - that posses Protocols that coincide with any of a predefined list of insecure - protocols. 
' - group: top10-crypto-failures - name: 61a94903-3cd3-4780-88ec-fc918819b9c8 - pretty_name: ELB Using Insecure Protocols - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-elb.html - 61c3cb8b-0715-47e4-b788-86dde40dd2db: - categories: - - ALL - - boost-baseline - description: 'Check if the Kubernetes Dashboard is enabled. ' - group: cloud-weak-configuration - name: 61c3cb8b-0715-47e4-b788-86dde40dd2db - pretty_name: Dashboard Is Enabled - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/kubernetes_cluster - 61cf9883-1752-4768-b18c-0d57f2737709: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Amazon EKS public endpoint is enables and accessible to all: 0.0.0.0/0 ' - group: cloud-resources-public-access - name: 61cf9883-1752-4768-b18c-0d57f2737709 - pretty_name: EKS Cluster Has Public Access CIDRs - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_cluster - 61d1a2d0-4db8-405a-913d-5d2ce49dff6f: - categories: - - ALL - - boost-baseline - description: 'EC2 Instances should be configured under a VPC network. AWS VPCs - provide the controls to facilitate a formal process for approving and testing - all network connections and changes to the firewall and router configurations. 
' - group: cloud-weak-configuration - name: 61d1a2d0-4db8-405a-913d-5d2ce49dff6f - pretty_name: Instance With No VPC - recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/amazon/aws/ec2_module.html - 62232513-b16f-4010-83d7-51d0e1d45426: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'OSS Bucket should have public access disabled ' - group: cloud-insecure-iam - name: 62232513-b16f-4010-83d7-51d0e1d45426 - pretty_name: OSS Bucket Public Access Enabled - recommended: true - ref: https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/oss_bucket#acl - 625abc0e-f980-4ac9-a775-f7519ee34296: - categories: - - ALL - - boost-baseline - description: 'API Gateway Deployment should have access log setting defined when - connected to an API Gateway Stage. ' - group: top10-security-logging-monitoring-failures - name: 625abc0e-f980-4ac9-a775-f7519ee34296 - pretty_name: API Gateway Deployment Without Access Log Setting - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_deployment - 62c8cf50-87f0-4295-a974-8184ed78fe02: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Master authorized networks must be enabled in GKE clusters ' - group: cloud-resources-public-access - name: 62c8cf50-87f0-4295-a974-8184ed78fe02 - pretty_name: GKE Master Authorized Networks Disabled - recommended: true - ref: https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1/projects.zones.clusters - 62d52544-82ef-4b75-8308-cad49d50212b: - categories: - - ALL - - boost-baseline - description: Schema of the JSON object should have 'type' defined. 
- group: cloud-weak-configuration - name: 62d52544-82ef-4b75-8308-cad49d50212b - pretty_name: JSON Object Schema Without Type (v2) - recommended: true - ref: https://swagger.io/specification/v2/#schemaObject - 63ae3638-a38c-4ff4-b616-6e1f72a31a6a: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Cloud Storage Buckets must not be anonymously or publicly accessible, - which means the subattribute ''entity'' from attributes ''acl'' and ''defaultObjectAcl'' - must not be ''allUsers'' or ''allAuthenticatedUsers'' ' - group: cloud-insecure-iam - name: 63ae3638-a38c-4ff4-b616-6e1f72a31a6a - pretty_name: Cloud Storage Anonymous or Publicly Accessible - recommended: true - ref: https://cloud.google.com/storage/docs/json_api/v1/buckets - 63ebcb19-2739-4d3f-aa5c-e8bbb9b85281: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'EKS Cluster should be encrypted ' - group: top10-crypto-failures - name: 63ebcb19-2739-4d3f-aa5c-e8bbb9b85281 - pretty_name: EKS Cluster Encryption Disabled - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_cluster#encryption_config - 6425c98b-ca4e-41fe-896a-c78772c131f8: - categories: - - ALL - - boost-baseline - description: 'PostgreSQL Server Infrastructure Encryption should be enabled ' - group: top10-crypto-failures - name: 6425c98b-ca4e-41fe-896a-c78772c131f8 - pretty_name: PostgreSQL Server Infrastructure Encryption Disabled - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/postgresql_server#infrastructure_encryption_enabled - 6452c424-1d92-4deb-bb18-a03e95d579c4: - categories: - - ALL - - boost-baseline - description: 'Not specifying the package version can cause failures due to unanticipated - changes in required packages ' - group: supply-chain-scm-weak-configuration - name: 6452c424-1d92-4deb-bb18-a03e95d579c4 - pretty_name: Yum install Without Version - recommended: true - ref: 
https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#run - 647de8aa-5a42-41b5-9faf-22136f117380: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'RDS must not be defined with public interface, which means the attribute - ''PubliclyAccessible'' must be set to false. ' - group: cloud-weak-configuration - name: 647de8aa-5a42-41b5-9faf-22136f117380 - pretty_name: RDS DB Instance Publicly Accessible - recommended: true - ref: https://www.pulumi.com/registry/packages/aws/api-docs/rds/instance/#publiclyaccessible_yaml - 64a222aa-7793-4e40-915f-4b302c76e4d4: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'S3 Buckets should not allow WRITE_ACP permission to the S3 Bucket - Access Control List in order to prevent AWS accounts or IAM users to modify - access control permissions to the bucket. ' - group: cloud-insecure-iam - name: 64a222aa-7793-4e40-915f-4b302c76e4d4 - pretty_name: S3 Bucket ACL Grants WRITE_ACP Permission - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_acl - 64ab651b-f5b2-4af0-8c89-ddd03c4d0e61: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'If algorithm is AES256 then the master key is null, empty or undefined, - otherwise the master key is required ' - group: top10-crypto-failures - name: 64ab651b-f5b2-4af0-8c89-ddd03c4d0e61 - pretty_name: S3 Bucket SSE Disabled - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket-serversideencryptionbydefault.html - 656880aa-1388-488f-a6d4-8f73c23149b2: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'RDS Database Cluster Encryption should be enabled ' - group: top10-crypto-failures - name: 656880aa-1388-488f-a6d4-8f73c23149b2 - pretty_name: RDS Database Cluster not Encrypted - recommended: true - ref: 
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_cluster_snapshot - 65844ba3-03a1-40a8-b3dd-919f122e8c95: - categories: - - ALL - - boost-baseline - description: 'RDS DBCluster should have storage encrypted set to true ' - group: top10-crypto-failures - name: 65844ba3-03a1-40a8-b3dd-919f122e8c95 - pretty_name: RDS Storage Encryption Disabled - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-rds-dbcluster.html#cfn-rds-dbcluster-storageencrypted - 65905cec-d691-4320-b320-2000436cb696: - categories: - - ALL - - boost-baseline - - boost-hardened - description: '''SSH'' (TCP:22) should not be public in AWS Security Group ' - group: cloud-resources-public-access - name: 65905cec-d691-4320-b320-2000436cb696 - pretty_name: Security Group With Unrestricted Access To SSH - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group - 65c1bc7a-4835-4ac4-a2b6-13d310b0648d: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Kubernetes Clusters must be configured with labels, which means - the attribute ''resource_labels'' must be defined ' - group: cloud-weak-configuration - name: 65c1bc7a-4835-4ac4-a2b6-13d310b0648d - pretty_name: Cluster Labels Disabled - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_cluster - 65d07da5-9af5-44df-8983-52d2e6f24c44: - categories: - - ALL - - boost-baseline - description: 'CloudTrail should be integrated with CloudWatch ' - group: top10-security-logging-monitoring-failures - name: 65d07da5-9af5-44df-8983-52d2e6f24c44 - pretty_name: CloudTrail Not Integrated With CloudWatch - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cloudtrail-trail.html - 660360d3-9ca7-46d1-b147-3acc4002953f: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Cloud 
SQL Database Instance should have SLL enabled ' - group: top10-crypto-failures - name: 660360d3-9ca7-46d1-b147-3acc4002953f - pretty_name: SQL DB Instance With SSL Disabled - recommended: true - ref: https://cloud.google.com/sql/docs/mysql/admin-api/rest/v1beta4/instances - 663062e9-473d-4e87-99bc-6f3684b3df40: - categories: - - ALL - - boost-baseline - description: 'Azure SQL Server''s Admin account login must avoid using names like - ''Admin'', that are too predictable, which means the attribute ''admin_username'' - must be set to a name that is not easy to predict ' - group: top10-insecure-design - name: 663062e9-473d-4e87-99bc-6f3684b3df40 - pretty_name: SQL Server Predictable Admin Account Name - recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_sqlserver_module.html - 663c442d-f918-4f62-b096-0bf5dcbeb655: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Security object for operations, if defined, must define a security - scheme, otherwise it should be considered an error ' - group: cloud-insecure-iam - name: 663c442d-f918-4f62-b096-0bf5dcbeb655 - pretty_name: Security Field On Operations Has An Empty Array (v3) - recommended: true - ref: https://swagger.io/specification/#operation-object - 66477506-6abb-49ed-803d-3fa174cd5f6a: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Launch Configurations should have the data in the volumes encrypted. 
- To encrypt the data, the ''encrypted'' parameter should be set to true in each - volume ' - group: top10-crypto-failures - name: 66477506-6abb-49ed-803d-3fa174cd5f6a - pretty_name: Launch Configuration Is Not Encrypted - recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/community/aws/ec2_lc_module.html - 66505003-7aba-45a1-8d83-5162d5706ef5: - categories: - - ALL - - boost-baseline - description: 'Ram policies should not be attached to users ' - group: cloud-insecure-iam - name: 66505003-7aba-45a1-8d83-5162d5706ef5 - pretty_name: Ram Policy Attached to User - recommended: true - ref: https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/ram_user_policy_attachment - 6685d912-d81f-4cfa-95ad-e316ea31c989: - categories: - - ALL - - boost-baseline - description: 'DirectoryService SimpleAD password must not be a plaintext string - or a Ref to a Parameter with a Default value. ' - group: cloud-weak-secrets-management - name: 6685d912-d81f-4cfa-95ad-e316ea31c989 - pretty_name: Directory Service Simple AD Password Exposed - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-directoryservice-simplead.html - 66c6f96f-2d9e-417e-a998-9058aeeecd44: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'S3 Buckets must not allow List Action From All Principals, as to - prevent leaking private information to the entire internet or allow unauthorized - data tampering / deletion. This means the ''Effect'' must not be ''Allow'' when - the ''Action'' is List, for all Principals. 
' - group: cloud-insecure-iam - name: 66c6f96f-2d9e-417e-a998-9058aeeecd44 - pretty_name: S3 Bucket Allows List Action From All Principals - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy - 66cd88ac-9ddf-424a-b77e-e55e17630bee: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Batch Job Definition should not have Privileged Container Properties ' - group: cloud-weak-configuration - name: 66cd88ac-9ddf-424a-b77e-e55e17630bee - pretty_name: Batch Job Definition With Privileged Container Properties - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/batch_job_definition - 66dae697-507b-4aef-be18-eec5bd707f33: - categories: - - ALL - - boost-baseline - description: 'VM instance should have OSLogin enabled ' - group: cloud-weak-configuration - name: 66dae697-507b-4aef-be18-eec5bd707f33 - pretty_name: OSLogin Is Disabled In VM Instance - recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_compute_instance_module.html - 66f130d9-b81d-4e8e-9b08-da74b9c891df: - categories: - - ALL - - boost-baseline - description: 'Amazon EKS control plane logging don''t enabled for all log types ' - group: top10-security-logging-monitoring-failures - name: 66f130d9-b81d-4e8e-9b08-da74b9c891df - pretty_name: Missing Cluster Log Types - recommended: true - ref: https://www.terraform.io/docs/providers/aws/r/eks_cluster.html - 66f2d8f9-a911-4ced-ae27-34f09690bb2c: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'No security group should allow unrestricted egress access ' - group: cloud-resources-public-access - name: 66f2d8f9-a911-4ced-ae27-34f09690bb2c - pretty_name: Security Groups Allows Unrestricted Outbound Traffic - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-security-group.html - 
671211c5-5d2a-4e97-8867-30fc28b02216: - categories: - - ALL - - boost-baseline - description: 'An API Key should be required on a method request. ' - group: cloud-insecure-iam - name: 671211c5-5d2a-4e97-8867-30fc28b02216 - pretty_name: API Gateway Method Does Not Contains An API Key - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_method - 6726dcc0-5ff5-459d-b473-a780bef7665c: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'If algorithm is AES256 then the master key is null, empty or undefined, - otherwise the master key is required ' - group: top10-crypto-failures - name: 6726dcc0-5ff5-459d-b473-a780bef7665c - pretty_name: S3 Bucket SSE Disabled - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#server_side_encryption_configuration - 678fd659-96f2-454a-a2a0-c2571f83a4a3: - categories: - - ALL - - boost-baseline - description: 'Check if the Google compute firewall allows unrestricted RDP access. 
- Allowed ports should not contain RDP port 3389 ' - group: cloud-resources-public-access - name: 678fd659-96f2-454a-a2a0-c2571f83a4a3 - pretty_name: RDP Access Is Not Restricted - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_firewall - 6797f581-0433-4768-ae3e-7ceb2f8b138e: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Azure Instances should use SSH Key instead of basic authentication ' - group: top10-insecure-design - name: 6797f581-0433-4768-ae3e-7ceb2f8b138e - pretty_name: Azure Instance Using Basic Authentication - recommended: true - ref: https://docs.microsoft.com/en-us/azure/templates/microsoft.compute/virtualmachines?tabs=json#linuxconfiguration-object - 67bfdff1-31ce-4525-b564-e94368735360: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'NAS File System must be encrypted ' - group: top10-crypto-failures - name: 67bfdff1-31ce-4525-b564-e94368735360 - pretty_name: NAS File System Not Encrypted - recommended: true - ref: https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/nas_file_system#encrypt_type - 67fd0c4a-68cf-46d7-8c41-bc9fba7e40ae: - categories: - - ALL - - boost-baseline - description: 'Leaving the last user as root can cause security risks. Change to - another user after running the commands the need privileges ' - group: top10-insecure-design - name: 67fd0c4a-68cf-46d7-8c41-bc9fba7e40ae - pretty_name: Last User Is 'root' - recommended: true - ref: https://docs.docker.com/engine/reference/builder/#user - 68a51e22-ae5a-4d48-8e87-b01a323605c9: - categories: - - ALL - - boost-baseline - description: "This query is used to ensure that build stages are named. This way\ - \ even if the Dockerfile is re-ordered, the COPY instruction doesn\u2019t break. 
" - group: supply-chain-cicd-weak-configuration - name: 68a51e22-ae5a-4d48-8e87-b01a323605c9 - pretty_name: Using Unnamed Build Stages - recommended: true - ref: https://docs.docker.com/develop/develop-images/multistage-build/ - 68b6a789-82f8-4cfd-85de-e95332fe6a61: - categories: - - ALL - - boost-baseline - description: 'Check if any MQ Broker is not publicly accessible ' - group: cloud-weak-configuration - name: 68b6a789-82f8-4cfd-85de-e95332fe6a61 - pretty_name: MQ Broker Is Publicly Accessible - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-amazonmq-broker.html#cfn-amazonmq-broker-publiclyaccessible - 68e5fcac-390c-4939-a373-6074b7be7c71: - categories: - - ALL - - boost-baseline - description: 'Security Scheme HTTP should not be using basic authentication ' - group: cloud-insecure-iam - name: 68e5fcac-390c-4939-a373-6074b7be7c71 - pretty_name: Security Scheme Using HTTP Basic - recommended: true - ref: https://swagger.io/specification/#security-scheme-object - 68eb4bf3-f9bf-463d-b5cf-e029bb446d2e: - categories: - - ALL - - boost-baseline - description: 'It''s considered a best practice for all rules in AWS Security Group - to have a description ' - group: top10-insecure-design - name: 68eb4bf3-f9bf-463d-b5cf-e029bb446d2e - pretty_name: Security Group Rule Without Description - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group#description - 6938958b-3f1a-451c-909b-baeee14bdc97: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'There can only be one ENTRYPOINT instruction in a Dockerfile. 
Only - the last ENTRYPOINT instruction in the Dockerfile will have an effect ' - group: supply-chain-cicd-weak-configuration - name: 6938958b-3f1a-451c-909b-baeee14bdc97 - pretty_name: Multiple ENTRYPOINT Instructions Listed - recommended: true - ref: https://docs.docker.com/engine/reference/builder/#entrypoint - 6952a7e0-6e48-4285-bbc1-27c64e60f888: - categories: - - ALL - - boost-baseline - description: 'Schema External Documentation URL should be a valid URL ' - group: top10-insecure-design - name: 6952a7e0-6e48-4285-bbc1-27c64e60f888 - pretty_name: Invalid Schema External Documentation URL (v3) - recommended: true - ref: https://swagger.io/specification/#external-documentation-object - 698a464e-bb3e-4ba8-ab5e-e6599b7644a0: - categories: - - ALL - - boost-baseline - description: 'Components parameters definitions should be referenced or removed - from Open API definition ' - group: top10-insecure-design - name: 698a464e-bb3e-4ba8-ab5e-e6599b7644a0 - pretty_name: Components Parameter Definition Is Unused - recommended: true - ref: https://swagger.io/specification/#components-object - 698ed579-b239-4f8f-a388-baa4bcb13ef8: - categories: - - ALL - - boost-baseline - description: 'Check containers periodically to see if they are running properly. 
' - group: top10-insecure-design - name: 698ed579-b239-4f8f-a388-baa4bcb13ef8 - pretty_name: Healthcheck Not Set - recommended: true - ref: https://docs.docker.com/compose/compose-file/compose-file-v3/#healthcheck - 6998389e-66b2-473d-8d05-c8d71ac4d04d: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Array schema should have the field ''maxItems'' set ' - group: cloud-weak-configuration - name: 6998389e-66b2-473d-8d05-c8d71ac4d04d - pretty_name: Array Without Maximum Number of Items (v3) - recommended: true - ref: https://swagger.io/specification/#schema-object - 69b5d7da-a5db-4db9-a42e-90b65d0efb0b: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'ActionTrail Trail OSS Bucket should not be publicly accessible ' - group: top10-security-logging-monitoring-failures - name: 69b5d7da-a5db-4db9-a42e-90b65d0efb0b - pretty_name: ActionTrail Trail OSS Bucket is Publicly Accessible - recommended: true - ref: https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/actiontrail_trail - 69bbc5e3-0818-4150-89cc-1e989b48f23b: - categories: - - ALL - - boost-baseline - description: 'Ingress Controllers should not expose workload in order to avoid - vulnerabilities and DoS attacks ' - group: cloud-weak-configuration - name: 69bbc5e3-0818-4150-89cc-1e989b48f23b - pretty_name: Ingress Controller Exposes Workload - recommended: true - ref: https://kubernetes.io/docs/concepts/services-networking/ingress-controllers/ - 69d7aefd-149d-47b8-8d89-1c2181a8067b: - categories: - - ALL - - boost-baseline - description: 'The path parameter must have a corresponding template path for a - given operation ' - group: top10-insecure-design - name: 69d7aefd-149d-47b8-8d89-1c2181a8067b - pretty_name: Path Parameter With No Corresponding Template Path (v3) - recommended: true - ref: https://github.com/OAI/OpenAPI-Specification/blob/main/versions/3.0.2.md#pathTemplating - 69e7c320-b65d-41bb-be02-d63ecc0bcc9d: - categories: - - 
ALL - - boost-baseline - description: 'ECR Repository should have Policies attached to it ' - group: top10-insecure-design - name: 69e7c320-b65d-41bb-be02-d63ecc0bcc9d - pretty_name: ECR Repository Without Policy - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_repository_policy - 69f72007-502e-457b-bd2d-5012e31ac049: - categories: - - ALL - - boost-baseline - description: 'Check if any firewall rule allows too many hosts to access Redis - Cache. ' - group: cloud-resources-public-access - name: 69f72007-502e-457b-bd2d-5012e31ac049 - pretty_name: Firewall Rule Allows Too Many Hosts To Access Redis Cache - recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_rediscachefirewallrule_module.html - 6a2c219f-da5e-4745-941e-5ea8cde23356: - categories: - - ALL - - boost-baseline - description: 'Example reference should exists on components field ' - group: top10-insecure-design - name: 6a2c219f-da5e-4745-941e-5ea8cde23356 - pretty_name: Example JSON Reference Does Not Exists - recommended: true - ref: https://swagger.io/specification/#components-object - 6a3201a5-1630-494b-b294-3129d06b0eca: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'SQL Database Server Firewall endIpAddress should not be ''255.255.255.255'' - when startIpAddress is ''0.0.0.0'' since this allows all IPS ' - group: cloud-resources-public-access - name: 6a3201a5-1630-494b-b294-3129d06b0eca - pretty_name: SQL Database Server Firewall Allows All IPS - recommended: true - ref: https://docs.microsoft.com/en-us/azure/templates/microsoft.sql/2014-04-01/servers/firewallrules?tabs=json - 6a4080ae-79bd-42f6-a924-8f534c1c018b: - categories: - - ALL - - boost-baseline - description: 'Google Compute Subnetwork should have Private Google Access enabled, - which means ''private_ip_google_access'' should be set to yes ' - group: cloud-resources-public-access - name: 
6a4080ae-79bd-42f6-a924-8f534c1c018b - pretty_name: Google Compute Subnetwork with Private Google Access Disabled - recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_compute_subnetwork_module.html#parameter-private_ip_google_access - 6a647814-def5-4b85-88f5-897c19f509cd: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'AWS Redshift Cluster should be encrypted. Check if ''encrypted'' - field is false or undefined (default is false) ' - group: top10-crypto-failures - name: 6a647814-def5-4b85-88f5-897c19f509cd - pretty_name: Redshift Not Encrypted - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/redshift_cluster#encrypted - 6a68bebe-c021-492e-8ddb-55b0567fb768: - categories: - - ALL - - boost-baseline - description: 'When using kube-apiserver command, the ''--enable-admission-plugins'' - flag should have ''SecurityContextDeny'' plugin and the plugin should be correctly - configured in AdmissionControl Config file when ''PodSecurityPolicy'' plugin - is not set ' - group: cloud-weak-configuration - name: 6a68bebe-c021-492e-8ddb-55b0567fb768 - pretty_name: Security Context Deny Admission Control Plugin Not Set - recommended: true - ref: https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/ - 6a6d7e56-c913-4549-b5c5-5221e624d2ec: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'S3 Buckets should not have all permissions, as to prevent leaking - private information to the entire internet or allow unauthorized data tampering - / deletion. This means the ''Effect'' must not be ''Allow'' when the ''Action'' - is ''*'', for all Principals. 
' - group: cloud-insecure-iam - name: 6a6d7e56-c913-4549-b5c5-5221e624d2ec - pretty_name: S3 Bucket With All Permissions - recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/amazon/aws/s3_bucket_module.html#parameter-policy - 6ad087d7-a509-4b20-b853-9ef6f5ebaa98: - categories: - - ALL - - boost-baseline - description: 'CloudTrail multi region should be enabled, which means attribute - ''is_multi_region_trail'' should be set to true ' - group: top10-security-logging-monitoring-failures - name: 6ad087d7-a509-4b20-b853-9ef6f5ebaa98 - pretty_name: CloudTrail Multi Region Disabled - recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/community/aws/cloudtrail_module.html#parameter-is_multi_region_trail - 6b2739db-9c49-4db7-b980-7816e0c248c1: - categories: - - ALL - - boost-baseline - description: 'The API Endpoint type in API Gateway should be set to PRIVATE so - it''s not exposed to the public internet ' - group: cloud-resources-public-access - name: 6b2739db-9c49-4db7-b980-7816e0c248c1 - pretty_name: API Gateway Endpoint Config is Not Private - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_rest_api - 6b376af8-cfe8-49ab-a08d-f32de23661a4: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'For clarity and reliability, you should always use absolute paths - for your WORKDIR ' - group: supply-chain-cicd-weak-configuration - name: 6b376af8-cfe8-49ab-a08d-f32de23661a4 - pretty_name: WORKDIR Path Not Absolute - recommended: true - ref: https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#workdir - 6b5b0313-771b-4319-ad7a-122ee78700ef: - categories: - - ALL - - boost-baseline - description: 'AWS Serverless API should set API Endpoint Config type to ''PRIVATE''. 
- This way, it''s not exposed to the public internet ' - group: cloud-resources-public-access - name: 6b5b0313-771b-4319-ad7a-122ee78700ef - pretty_name: Serverless API Endpoint Config Not Private - recommended: true - ref: https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-resource-api.html#sam-api-endpointconfiguration - 6b610c50-99fb-4ef0-a5f3-e312fd945bc3: - categories: - - ALL - - boost-baseline - description: 'CPU limits should be set because if the system has CPU time free, - a container is guaranteed to be allocated as much CPU as it requests ' - group: cloud-insecure-iam - name: 6b610c50-99fb-4ef0-a5f3-e312fd945bc3 - pretty_name: Cpus Not Limited - recommended: true - ref: https://docs.docker.com/compose/compose-file/compose-file-v3/#resources - 6b6874fe-4c2f-4eea-8b90-7cceaa4a125e: - categories: - - ALL - - boost-baseline - description: 'Ensure a log metric filter and alarm exist for network gateways - changes ' - group: top10-security-logging-monitoring-failures - name: 6b6874fe-4c2f-4eea-8b90-7cceaa4a125e - pretty_name: CloudWatch Network Gateways Changes Alarm Missing - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_metric_filter#pattern - 6b6bdfb3-c3ae-44cb-88e4-7405c1ba2c8a: - categories: - - ALL - - boost-baseline - description: 'Container should not share the host network namespace ' - group: cloud-insecure-iam - name: 6b6bdfb3-c3ae-44cb-88e4-7405c1ba2c8a - pretty_name: Shared Host Network Namespace - recommended: true - ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/ - 6b76f589-9713-44ab-97f5-59a3dba1a285: - categories: - - ALL - - boost-baseline - description: 'Components request bodies definitions should be referenced or removed - from Open API definition ' - group: top10-insecure-design - name: 6b76f589-9713-44ab-97f5-59a3dba1a285 - pretty_name: Components Request Body Definition Is Unused - recommended: true - ref: 
https://swagger.io/specification/#components-object - 6b896afb-ca07-467a-b256-1a0077a1c08e: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Roles and ClusterRoles with wildcard RBAC permissions provide excessive - rights to the Kubernetes API and should be avoided. The principle of least privilege - recommends to specify only the set of needed objects and actions ' - group: cloud-insecure-iam - name: 6b896afb-ca07-467a-b256-1a0077a1c08e - pretty_name: RBAC Wildcard In Rule - recommended: true - ref: https://kubernetes.io/docs/reference/access-authn-authz/rbac/ - 6c131358-c54d-419b-9dd6-1f7dd41d180c: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Ensure that AWS ECS clusters are encrypted. Data encryption at rest, - prevents unauthorized users from accessing sensitive data on your AWS ECS clusters - and associated cache storage systems. ' - group: top10-crypto-failures - name: 6c131358-c54d-419b-9dd6-1f7dd41d180c - pretty_name: ECS Cluster Not Encrypted At Rest - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ecs-taskdefinition.html - 6c2d627c-de0f-45fb-b33d-dad9bffbb421: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Cloud storage bucket should have logging enabled ' - group: top10-security-logging-monitoring-failures - name: 6c2d627c-de0f-45fb-b33d-dad9bffbb421 - pretty_name: Cloud Storage Bucket Logging Not Enabled - recommended: true - ref: https://doc.crds.dev/github.com/crossplane/provider-gcp/storage.gcp.crossplane.io/Bucket/v1alpha3@v0.21.0#spec-logging - 6c35d2c6-09f2-4e5c-a094-e0e91327071d: - categories: - - ALL - - boost-baseline - description: '500, 429 and 400 responses should be defined for all operations, - except head operation. 415 response should be defined for the post, put, and - patch operations. 404 response should be defined for the get, put, head, delete - operations. 
200 response should be defined for options operation. 401 and 403 - response should be defined for all operations when the security field is defined. ' - group: cloud-resources-public-access - name: 6c35d2c6-09f2-4e5c-a094-e0e91327071d - pretty_name: Response Code Missing (v3) - recommended: true - ref: https://swagger.io/specification/#operation-object - 6c7cfec3-c686-4ed2-bf58-a1ec054b63fc: - categories: - - ALL - - boost-baseline - description: 'Redis Cache resource should not allow non-SSL connections. ' - group: top10-crypto-failures - name: 6c7cfec3-c686-4ed2-bf58-a1ec054b63fc - pretty_name: Redis Cache Allows Non SSL Connections - recommended: true - ref: https://doc.crds.dev/github.com/crossplane/provider-azure/cache.azure.crossplane.io/Redis/v1beta1@v0.19.0#spec-forProvider-enableNonSslPort - 6c8d51af-218d-4bfb-94a9-94eabaa0703a: - categories: - - ALL - - boost-baseline - description: 'S3 bucket without ignore public ACL ' - group: cloud-weak-configuration - name: 6c8d51af-218d-4bfb-94a9-94eabaa0703a - pretty_name: S3 Bucket Without Ignore Public ACL - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket-publicaccessblockconfiguration.html - 6ccb85d7-0420-4907-9380-50313f80946b: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Kubernetes Clusters must be created with Private Clusters enabled, - meaning the ''private_cluster_config'' must be defined and the attributes ''enable_private_nodes'' - and ''enable_private_endpoint'' must be true ' - group: cloud-weak-configuration - name: 6ccb85d7-0420-4907-9380-50313f80946b - pretty_name: Private Cluster Disabled - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_cluster - 6cf42c97-facd-4fda-b8af-ea4529123355: - categories: - - ALL - - boost-baseline - description: '--protect-kernel-defaults should be set to true ' - group: cloud-weak-configuration - name: 
6cf42c97-facd-4fda-b8af-ea4529123355 - pretty_name: Kubelet Protect Kernel Defaults Set To False - recommended: true - ref: https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/ - 6cf4c3a7-ceb0-4475-8892-3745b84be24a: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'DNSSEC should not use the RSASHA1 algorithm ' - group: top10-crypto-failures - name: 6cf4c3a7-ceb0-4475-8892-3745b84be24a - pretty_name: DNSSEC Using RSASHA1 - recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_dns_managed_zone_module.html#return-dnssecConfig/defaultKeySpecs/algorithm - 6d087495-2a42-4735-abf7-02ef5660a7e6: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Amazon Elastic Filesystem should have filesystem encryption enabled - using KMS CMK customer-managed keys instead of AWS managed-keys ' - group: top10-crypto-failures - name: 6d087495-2a42-4735-abf7-02ef5660a7e6 - pretty_name: EFS Without KMS - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-efs-filesystem.html - 6d173be7-545a-46c6-a81d-2ae52ed1605d: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Check if Tiller is deployed. 
' - group: cloud-weak-configuration - name: 6d173be7-545a-46c6-a81d-2ae52ed1605d - pretty_name: Tiller (Helm v2) Is Deployed - recommended: true - ref: https://kubernetes.io/docs/concepts/containers/images/ - 6d19ce0f-b3d8-4128-ac3d-1064e0f00494: - categories: - - ALL - - boost-baseline - description: 'All AWS CloudFront distributions should be integrated with the Web - Application Firewall (AWS WAF) service ' - group: cloud-resources-public-access - name: 6d19ce0f-b3d8-4128-ac3d-1064e0f00494 - pretty_name: CloudFront Without WAF - recommended: true - ref: https://doc.crds.dev/github.com/crossplane/provider-aws/cloudfront.aws.crossplane.io/Distribution/v1alpha1@v0.29.0#spec-forProvider-distributionConfig-webACLID - 6d23d87e-1c5b-4308-b224-92624300f29b: - categories: - - ALL - - boost-baseline - description: 'User with privilege escalation by actions ''iam:AttachGroupPolicy'' - and Resource set to ''*''. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. 
' - group: cloud-insecure-iam - name: 6d23d87e-1c5b-4308-b224-92624300f29b - pretty_name: User With Privilege Escalation By Actions 'iam:AttachGroupPolicy' - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy#policy - 6d2e0790-cc3d-4c74-b973-d4e8b09f4455: - categories: - - ALL - - boost-baseline - description: 'All global schemas definitions should be in use ' - group: top10-insecure-design - name: 6d2e0790-cc3d-4c74-b973-d4e8b09f4455 - pretty_name: Global Schema Definition Not Being Used - recommended: true - ref: https://swagger.io/specification/v2/#definitionsObject - 6d34aff3-fdd2-460c-8190-756a3b4969e8: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'SQL Instance should not have Contained Database Authentication On ' - group: cloud-weak-configuration - name: 6d34aff3-fdd2-460c-8190-756a3b4969e8 - pretty_name: Cloud SQL Instance With Contained Database Authentication On - recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_sql_instance_module.html#parameter-settings/database_flags - 6d64f311-3da6-45f3-80f1-14db9771ea40: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'WebAcl DefaultAction should not be ALLOW ' - group: cloud-weak-configuration - name: 6d64f311-3da6-45f3-80f1-14db9771ea40 - pretty_name: Permissive Web ACL Default Action - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-waf-webacl.html - 6d7b121a-a2ed-4e37-bd2f-80d9df1dfd35: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'DNSSEC should not use the RSASHA1 algorithm ' - group: top10-crypto-failures - name: 6d7b121a-a2ed-4e37-bd2f-80d9df1dfd35 - pretty_name: DNSSEC Using RSASHA1 - recommended: true - ref: https://cloud.google.com/dns/docs/reference/v1/managedZones - 6d8f1a10-b6cd-48f0-b960-f7c535d5cdb8: - categories: - - ALL - - boost-baseline - description: 
'Container should not use secrets as environment variables ' - group: cloud-weak-secrets-management - name: 6d8f1a10-b6cd-48f0-b960-f7c535d5cdb8 - pretty_name: Secrets As Environment Variables - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#secret_key_ref - 6db03a91-f933-4f13-ab38-a8b87a7de54d: - categories: - - ALL - - boost-baseline - description: 'ElastiCache Nodes should be created across multi az, which means - ''az_mode'' should be set to ''cross-az'' in multi nodes cluster ' - group: top10-insecure-design - name: 6db03a91-f933-4f13-ab38-a8b87a7de54d - pretty_name: ElastiCache Nodes Not Created Across Multi AZ - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/elasticache_cluster - 6db52fa6-d4da-4608-908a-89f0c59e743e: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Ensure MSK Cluster encryption in rest and transit is enabled ' - group: top10-crypto-failures - name: 6db52fa6-d4da-4608-908a-89f0c59e743e - pretty_name: MSK Cluster Encryption Disabled - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/msk_cluster#encryption_info - 6db6e0c2-32a3-4a2e-93b5-72c35f4119db: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'When a COPY command has more than two arguments, the last one should - end with a slash ' - group: supply-chain-cicd-weak-configuration - name: 6db6e0c2-32a3-4a2e-93b5-72c35f4119db - pretty_name: Copy With More Than Two Arguments Not Ending With Slash - recommended: true - ref: https://docs.docker.com/engine/reference/builder/#copy - 6deb34e2-5d9c-499a-801b-ea6d9eda894f: - categories: - - ALL - - boost-baseline - description: 'User with privilege escalation by actions ''iam:UpdateLoginProfile'' - and Resource set to ''*''. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. 
' - group: cloud-insecure-iam - name: 6deb34e2-5d9c-499a-801b-ea6d9eda894f - pretty_name: User With Privilege Escalation By Actions 'iam:UpdateLoginProfile' - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy#policy - 6e0e2f68-3fd9-4cd8-a5e4-e2213ef0df97: - categories: - - ALL - - boost-baseline - description: 'Make sure that retain_stack is enabled to keep the Stack and it''s - associated resources during resource destruction ' - group: top10-software-data-integrity-failures - name: 6e0e2f68-3fd9-4cd8-a5e4-e2213ef0df97 - pretty_name: Stack Retention Disabled - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudformation_stack_set_instance#stack_set_name - 6e19193a-8753-436d-8a09-76dcff91bb03: - categories: - - ALL - - boost-baseline - description: 'Need to use -y to avoid manual input ''yum install -y '' ' - group: supply-chain-scm-weak-configuration - name: 6e19193a-8753-436d-8a09-76dcff91bb03 - pretty_name: Yum Install Allows Manual Input - recommended: true - ref: https://docs.docker.com/engine/reference/builder/#run - 6e2b1ec1-1eca-4eb7-9d4d-2882680b4811: - categories: - - ALL - - boost-baseline - description: 'VM Instance should block project-wide SSH keys ' - group: cloud-weak-secrets-management - name: 6e2b1ec1-1eca-4eb7-9d4d-2882680b4811 - pretty_name: Project-wide SSH Keys Are Enabled In VM Instances - recommended: true - ref: https://cloud.google.com/compute/docs/reference/rest/v1/instances - 6e3fd2ed-5c83-4c68-9679-7700d224d379: - categories: - - ALL - - boost-baseline - description: 'It''s considered a best practice when using Application Load Balancers - to drop invalid header fields ' - group: top10-insecure-design - name: 6e3fd2ed-5c83-4c68-9679-7700d224d379 - pretty_name: ALB Not Dropping Invalid Headers - recommended: true - ref: 
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb#drop_invalid_header_fields - 6e856af2-62d7-4ba2-adc1-73b62cef9cc1: - categories: - - ALL - - boost-baseline - - boost-hardened - description: '''SSH'' (TCP:22) should not be public in AWS Security Group ' - group: cloud-resources-public-access - name: 6e856af2-62d7-4ba2-adc1-73b62cef9cc1 - pretty_name: Security Group With Unrestricted Access To SSH - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-security-group.html - 6e8849c1-3aa7-40e3-9063-b85ee300f29f: - categories: - - ALL - - boost-baseline - description: 'Amazon Simple Queue Service (SQS) queue should protect the contents - of their messages using Server-Side Encryption (SSE) ' - group: top10-crypto-failures - name: 6e8849c1-3aa7-40e3-9063-b85ee300f29f - pretty_name: SQS With SSE Disabled - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue - 6e96ed39-bf45-4089-99ba-f1fe7cf6966f: - categories: - - ALL - - boost-baseline - description: 500, 429 and 400 responses should be defined for all operations, - except head operation. 415 response should be defined for the post, put, and - patch operations. 404 response should be defined for the get, put, head, delete - operations. 200 response should be defined for options operation. 401 and 403 - response should be defined for all operations when the security field is defined. 
- group: cloud-resources-public-access - name: 6e96ed39-bf45-4089-99ba-f1fe7cf6966f - pretty_name: Response Code Missing (v2) - recommended: true - ref: https://swagger.io/specification/v2/#operation-object - 6ea57c8b-f9c0-4ec7-bae3-bd75a9dee27d: - categories: - - ALL - - boost-baseline - description: 'SimpleDB Domain resource should not be declared ' - group: cloud-insecure-iam - name: 6ea57c8b-f9c0-4ec7-bae3-bd75a9dee27d - pretty_name: SDB Domain Declared As A Resource - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-simpledb.html - 6ef03ff6-a2bd-483c-851f-631f248bc0ea: - categories: - - ALL - description: 'A list of RDS resources found. Amazon Relational Database Service - (Amazon RDS) is a collection of managed services that makes it simple to set - up, operate, and scale databases in the cloud. ' - group: supply-chain-missing-artifact-integrity-verification - name: 6ef03ff6-a2bd-483c-851f-631f248bc0ea - pretty_name: BOM - AWS RDS - ref: https://kics.io/ - 6f5f5444-1422-495f-81ef-24cefd61ed2c: - categories: - - ALL - - boost-baseline - description: 'Password policy password_reuse_prevention doesn''t exist or is equal - to 0 ' - group: top10-insecure-design - name: 6f5f5444-1422-495f-81ef-24cefd61ed2c - pretty_name: Password Without Reuse Prevention - recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/community/aws/iam_password_policy_module.html#parameter-pw_reuse_prevent - 6fa44721-ef21-41c6-8665-330d59461163: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'S3 Buckets must not allow Delete Action From All Principals, as - to prevent leaking private information to the entire internet or allow unauthorized - data tampering / deletion. This means the ''Effect'' must not be ''Allow'' when - the ''Action'' is Delete, for all Principals. 
' - group: cloud-insecure-iam - name: 6fa44721-ef21-41c6-8665-330d59461163 - pretty_name: S3 Bucket Allows Delete Action From All Principals - recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/amazon/aws/s3_bucket_module.html - 70111098-7f85-48f0-b1b4-e4261cf5f61b: - categories: - - ALL - - boost-baseline - description: '''Microsoft.Web/sites'' should have ''Http20Enabled'' enabled ' - group: cloud-resources-public-access - name: 70111098-7f85-48f0-b1b4-e4261cf5f61b - pretty_name: Website with 'Http20Enabled' Disabled - recommended: true - ref: https://docs.microsoft.com/en-us/azure/templates/microsoft.web/sites?tabs=json#siteproperties-object - 704dadd3-54fc-48ac-b6a0-02f170011473: - categories: - - ALL - - boost-baseline - description: 'Make sure that Amazon GuardDuty is Enabled ' - group: top10-security-logging-monitoring-failures - name: 704dadd3-54fc-48ac-b6a0-02f170011473 - pretty_name: GuardDuty Detector Disabled - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/guardduty_detector#example-usage - 704fcc44-a58f-4af5-82e2-93f2a58ef918: - categories: - - ALL - - boost-baseline - description: 'As a best practice, it is better to assign an IAM Role to a group - than to a user ' - group: top10-insecure-design - name: 704fcc44-a58f-4af5-82e2-93f2a58ef918 - pretty_name: User with IAM Role - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/iam_policy#role - 7081f85c-b94d-40fd-8b45-a4f1cac75e46: - categories: - - ALL - - boost-baseline - description: 'IAM Access Key should not be active for root users ' - group: cloud-insecure-iam - name: 7081f85c-b94d-40fd-8b45-a4f1cac75e46 - pretty_name: IAM Access Key Is Exposed - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_access_key - 70919c0b-2548-4e6b-8d7a-3d84ab6dabba: - categories: - - ALL - - boost-baseline - description: 'OSS 
Bucket should have versioning enabled ' - group: top10-software-data-integrity-failures - name: 70919c0b-2548-4e6b-8d7a-3d84ab6dabba - pretty_name: OSS Bucket Versioning Disabled - recommended: true - ref: https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/oss_bucket#versioning - 709e6da6-fa1f-44cc-8f17-7f25f96dadbe: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Amazon SageMaker''s Notebook Instance must have its Data Encryption - enabled, which means the attribute ''KmsKeyId'' must be defined not empty or - null. ' - group: top10-crypto-failures - name: 709e6da6-fa1f-44cc-8f17-7f25f96dadbe - pretty_name: SageMaker Data Encryption Disabled - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-sagemaker-notebookinstance.html - 70b42736-efee-4bce-80d5-50358ed94990: - categories: - - ALL - - boost-baseline - description: 'Group with privilege escalation by actions ''iam:AttachGroupPolicy'' - and Resource set to ''*''. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. ' - group: cloud-insecure-iam - name: 70b42736-efee-4bce-80d5-50358ed94990 - pretty_name: Group With Privilege Escalation By Actions 'iam:AttachGroupPolicy' - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_policy#policy - 70cb518c-d990-46f6-bc05-44a5041493d6: - categories: - - ALL - - boost-baseline - description: 'User with privilege escalation by actions ''iam:AttachUserPolicy'' - and Resource set to ''*''. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. 
' - group: cloud-insecure-iam - name: 70cb518c-d990-46f6-bc05-44a5041493d6 - pretty_name: User With Privilege Escalation By Actions 'iam:AttachUserPolicy' - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy#policy - 70d3873e-d537-46e5-ac3b-4e48fbdd29b4: - categories: - - ALL - - boost-baseline - description: API Keys should not be sent as cleartext over an unencrypted channel - group: cloud-insecure-iam - name: 70d3873e-d537-46e5-ac3b-4e48fbdd29b4 - pretty_name: Cleartext API Key In Global Security (v2) - recommended: true - ref: https://swagger.io/specification/v2/#securityDefinitionsObject - 71397b34-1d50-4ee1-97cb-c96c34676f74: - categories: - - ALL - - boost-baseline - description: 'AWS Lambda functions should have TracingConfig enabled. For this, - property ''tracing_mode'' should have the value ''Active'' ' - group: top10-security-logging-monitoring-failures - name: 71397b34-1d50-4ee1-97cb-c96c34676f74 - pretty_name: Lambda Functions Without X-Ray Tracing - recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/community/aws/lambda_module.html - 71493c8b-3014-404c-9802-078b74496fb7: - categories: - - ALL - - boost-baseline - description: 'Amplify App BasicAuthConfig Password must not be a plaintext string - or a Ref to a Parameter with a Default value. 
' - group: cloud-weak-secrets-management - name: 71493c8b-3014-404c-9802-078b74496fb7 - pretty_name: Amplify App Basic Auth Config Password Exposed - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-amplify-app-basicauthconfig.html - 71beb6ab-8b70-4816-a9ac-a0ff1fb22a62: - categories: - - ALL - - boost-baseline - description: Schema Object should have all required properties defined - group: top10-insecure-design - name: 71beb6ab-8b70-4816-a9ac-a0ff1fb22a62 - pretty_name: Properties Missing Required Property (v2) - recommended: true - ref: https://swagger.io/specification/v2/#schemaObject - 71bf8cf8-f0a1-42fa-b9d2-d10525e0a38e: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Exposing UNIX ports out of range from 0 to 65535 ' - group: top10-insecure-design - name: 71bf8cf8-f0a1-42fa-b9d2-d10525e0a38e - pretty_name: UNIX Ports Out Of Range - recommended: true - ref: https://docs.docker.com/engine/reference/builder/#expose - 71ea648a-d31a-4b5a-a589-5674243f1c33: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'AWS Security Group should not have public port wide ' - group: cloud-resources-public-access - name: 71ea648a-d31a-4b5a-a589-5674243f1c33 - pretty_name: Public Port Wide - recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/amazon/aws/ec2_group_module.html - 722b0f24-5a64-4cca-aa96-cfc26b7e3a5b: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'AWS Security Group should not have an unknown port exposed to the - entire Internet ' - group: cloud-resources-public-access - name: 722b0f24-5a64-4cca-aa96-cfc26b7e3a5b - pretty_name: Unknown Port Exposed To Internet - recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/amazon/aws/ec2_group_module.html - 7249e3b0-9231-4af3-bc5f-5daf4988ecbf: - categories: - - ALL - - boost-baseline - description: 'StatefulSets should be assigned with a 
PodDisruptionBudget to ensure - high availability ' - group: top10-insecure-design - name: 7249e3b0-9231-4af3-bc5f-5daf4988ecbf - pretty_name: StatefulSet Without PodDisruptionBudget - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/stateful_set#selector - 727c4fd4-d604-4df6-a179-7713d3c85e20: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Elastic File System (EFS) must be encrypted ' - group: top10-crypto-failures - name: 727c4fd4-d604-4df6-a179-7713d3c85e20 - pretty_name: EFS Not Encrypted - recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/community/aws/efs_module.html#parameter-encrypt - 72840c35-3876-48be-900d-f21b2f0c2ea1: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Elastic File System (EFS) must be encrypted ' - group: top10-crypto-failures - name: 72840c35-3876-48be-900d-f21b2f0c2ea1 - pretty_name: EFS Not Encrypted - recommended: true - ref: https://doc.crds.dev/github.com/crossplane/provider-aws/efs.aws.crossplane.io/FileSystem/v1alpha1@v0.29.0#spec-forProvider-encrypted - 7289eebd-a477-4064-8ad4-3c044bd70b00: - categories: - - ALL - - boost-baseline - description: 'Google Compute Network should not use a firewall rule that allows - port range ' - group: cloud-resources-public-access - name: 7289eebd-a477-4064-8ad4-3c044bd70b00 - pretty_name: Google Compute Network Using Firewall Rule that Allows Port Range - recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_compute_firewall_module.html#parameter-allowed - 729ebb15-8060-40f7-9017-cb72676a5487: - categories: - - ALL - - boost-baseline - description: 'Make sure that for PostgreSQL Database, server parameter ''log_duration'' - is set to ''ON'' ' - group: top10-security-logging-monitoring-failures - name: 729ebb15-8060-40f7-9017-cb72676a5487 - pretty_name: PostgreSQL Log Duration Not Set - recommended: true - ref: 
https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_postgresqlconfiguration_module.html - 72a931c2-12f5-40d1-93cc-47bff2f7aa2a: - categories: - - ALL - - boost-baseline - description: 'AWS CloudWatch Logs for APIs is not enabled ' - group: top10-security-logging-monitoring-failures - name: 72a931c2-12f5-40d1-93cc-47bff2f7aa2a - pretty_name: API Gateway With CloudWatch Logging Disabled - recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/community/aws/cloudwatchlogs_log_group_module.html#ansible-collections-community-aws-cloudwatchlogs-log-group-module - 72ceb736-0aee-43ea-a191-3a69ab135681: - categories: - - ALL - - boost-baseline - description: 'ROS Stack should have a stack policy in order to protect stack resources - from and during update actions ' - group: cloud-insecure-iam - name: 72ceb736-0aee-43ea-a191-3a69ab135681 - pretty_name: No ROS Stack Policy - recommended: true - ref: https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/ros_stack - 72d259ca-9741-48dd-9f62-eb11f2936b37: - categories: - - ALL - - boost-baseline - description: 'The header Parameter should not be named as ''Content-Type''. If - so, it will be ignored. ' - group: top10-insecure-design - name: 72d259ca-9741-48dd-9f62-eb11f2936b37 - pretty_name: Header Parameter Named as 'Content-Type' (v3) - recommended: true - ref: https://swagger.io/specification/#parameter-object - 730675f9-52ed-49b6-8ead-0acb5dd7df7f: - categories: - - ALL - - boost-baseline - description: 'Checks for dangerous permissions in Action statements in an SQS - Queue Policy. 
This is deemed a potential security risk as it would allow various - attacks to the queue ' - group: cloud-insecure-iam - name: 730675f9-52ed-49b6-8ead-0acb5dd7df7f - pretty_name: SQS Policy With Public Access - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue_policy - 7307579a-3abb-46ad-9ce5-2a915634d5c8: - categories: - - ALL - - boost-baseline - description: 'PodSecurityPolicy should not have added capabilities ' - group: cloud-weak-configuration - name: 7307579a-3abb-46ad-9ce5-2a915634d5c8 - pretty_name: PSP With Added Capabilities - recommended: true - ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/ - 730a5951-2760-407a-b032-dd629b55c23a: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'ELB Predefined or Custom Security Policies must not use insecure - protocols, to reduce the risk of the SSL connection between the client and the - load balancer being exploited. That means the ''SslPolicy'' of ''listeners'' - must not coincide with any of a predefined list of insecure protocols. 
' - group: top10-crypto-failures - name: 730a5951-2760-407a-b032-dd629b55c23a - pretty_name: ELB Using Insecure Protocols - recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/community/aws/elb_application_lb_module.html - 7350fa23-dcf7-4938-916d-6a60b0c73b50: - categories: - - ALL - - boost-baseline - description: 'AWS Key Management Service (KMS) must only possess usable Customer - Master Keys (CMK), which means the CMKs must have the attribute ''is_enabled'' - set to true ' - group: top10-insecure-design - name: 7350fa23-dcf7-4938-916d-6a60b0c73b50 - pretty_name: CMK Is Unusable - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key#is_enabled - 737a0dd9-0aaa-4145-8118-f01778262b8a: - categories: - - ALL - - boost-baseline - description: 'Default service accounts should not be actively used ' - group: cloud-weak-configuration - name: 737a0dd9-0aaa-4145-8118-f01778262b8a - pretty_name: Default Service Account In Use - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/service_account#automount_service_account_token - 7384dfb2-fcd1-4fbf-91cd-6c44c318c33c: - categories: - - ALL - - boost-baseline - description: 'Check if any apt-get installs don''t use ''--no-install-recommends'' - flag to avoid installing additional packages. ' - group: supply-chain-scm-weak-configuration - name: 7384dfb2-fcd1-4fbf-91cd-6c44c318c33c - pretty_name: APT-GET Not Avoiding Additional Packages - recommended: true - ref: https://docs.docker.com/engine/reference/builder/#run - 73980e43-f399-4fcc-a373-658228f7adf7: - categories: - - ALL - - boost-baseline - description: 'Amplify App Access Token must not be in a plain text string or referenced - in a parameter as a default value. 
' - group: cloud-weak-secrets-management - name: 73980e43-f399-4fcc-a373-658228f7adf7 - pretty_name: Amplify App Access Token Exposed - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-amplify-app.html - 73c3bc54-3cc6-4c0a-b30a-e19f2abfc951: - categories: - - ALL - - boost-baseline - description: 'The Body Parameter Object should have the attribute ''schema'' defined ' - group: top10-insecure-design - name: 73c3bc54-3cc6-4c0a-b30a-e19f2abfc951 - pretty_name: Non Body Parameter Without Schema - recommended: true - ref: https://swagger.io/specification/v2/#parameterObject - 73d59e76-a12c-4b74-a3d8-d3e1e19c25b3: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Ensure Amazon EKS Node group has implict SSH access ' - group: cloud-resources-public-access - name: 73d59e76-a12c-4b74-a3d8-d3e1e19c25b3 - pretty_name: EKS node group remote access - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-eks-nodegroup.html - 73e251f0-363d-4e53-86e2-0a93592437eb: - categories: - - ALL - - boost-baseline - description: 'When using kube-apiserver command, the ''audit-log-path'' flag should - be defined ' - group: top10-security-logging-monitoring-failures - name: 73e251f0-363d-4e53-86e2-0a93592437eb - pretty_name: Audit Log Path Not Set - recommended: true - ref: https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/ - 73e42469-3a86-4f39-ad78-098f325b4e9f: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Make sure that for MySQL Database Server, ''Enforce SSL connection'' - is enabled ' - group: top10-crypto-failures - name: 73e42469-3a86-4f39-ad78-098f325b4e9f - pretty_name: MySQL SSL Connection Disabled - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/mysql_server - 73fb21a1-b19a-45b1-b648-b47b1678681e: - categories: - - ALL - - boost-baseline - 
- boost-hardened - description: 'Kubernetes Clusters must use the default OAuth authentication, which - means ''master_auth'' must either be undefined or have ''client_certificate_config'' - with the attribute ''issue_client_certificate'' equal to false ' - group: cloud-weak-configuration - name: 73fb21a1-b19a-45b1-b648-b47b1678681e - pretty_name: Legacy Client Certificate Auth Enabled - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_cluster - 741f1291-47ac-4a85-a07b-3d32a9d6bd3e: - categories: - - ALL - - boost-baseline - description: 'It''s considered a best practice to have point in time recovery - enabled for DynamoDB Table ' - group: top10-insecure-design - name: 741f1291-47ac-4a85-a07b-3d32a9d6bd3e - pretty_name: DynamoDB Table Point In Time Recovery Disabled - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/dynamodb_table#point_in_time_recovery - 74581e3b-1d55-4323-a139-5959a7b3abc5: - categories: - - ALL - - boost-baseline - - boost-hardened - description: Security object for operations should not be empty object or has - any empty object definition - group: cloud-insecure-iam - name: 74581e3b-1d55-4323-a139-5959a7b3abc5 - pretty_name: Security Field On Operations Has An Empty Object Definition (v2) - recommended: true - ref: https://swagger.io/specification/v2/#operation-object - 74703c89-0ea2-49ab-a7db-bf04f19f5a57: - categories: - - ALL - - boost-baseline - - boost-hardened - description: Global security field should be defined to prevent API to have insecure - paths and have this rules defined on securityDefinitions - group: cloud-insecure-iam - name: 74703c89-0ea2-49ab-a7db-bf04f19f5a57 - pretty_name: Global Security Field Is Undefined (v2) - recommended: true - ref: https://swagger.io/specification/v2/#securityRequirementObject - 74a18d1a-cf02-4a31-8791-ed0967ad7fdc: - categories: - - ALL - - boost-baseline - description: 'AWS 
Cognito UserPool should have MFA (Multi-Factor Authentication) - defined to users ' - group: top10-insecure-design - name: 74a18d1a-cf02-4a31-8791-ed0967ad7fdc - pretty_name: Cognito UserPool Without MFA - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpool.html - 750b40be-4bac-4f59-bdc4-1ca0e6c3450e: - categories: - - ALL - - boost-baseline - description: 'Every defined property must be unique throughout the whole API ' - group: top10-insecure-design - name: 750b40be-4bac-4f59-bdc4-1ca0e6c3450e - pretty_name: Property Not Unique - recommended: true - ref: https://swagger.io/specification/v2/#schemaObject - 750f6448-27c0-49f8-a153-b81735c1e19c: - categories: - - ALL - - boost-baseline - description: 'When ''collectionformat'' is defined as ''multi'', ''in'' field - must be ''query'' or ''formData'' ' - group: top10-insecure-design - name: 750f6448-27c0-49f8-a153-b81735c1e19c - pretty_name: Multi 'collectionformat' Not Valid For 'in' Parameter - recommended: true - ref: https://swagger.io/specification/v2/#parameterObject - 75418eb9-39ec-465f-913c-6f2b6a80dc77: - categories: - - ALL - - boost-baseline - description: 'Check if the Google compute firewall allows unrestricted RDP access. 
- Allowed ports should not contain RDP port 3389 ' - group: cloud-resources-public-access - name: 75418eb9-39ec-465f-913c-6f2b6a80dc77 - pretty_name: RDP Access Is Not Restricted - recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_compute_firewall_module.html - 75480b31-f349-4b9a-861f-bce19588e674: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'S3 Buckets should not be readable to any authenticated user ' - group: cloud-insecure-iam - name: 75480b31-f349-4b9a-861f-bce19588e674 - pretty_name: S3 Bucket ACL Allows Read to Any Authenticated User - recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/amazon/aws/aws_s3_module.html#parameter-permission - 75be209d-1948-41f6-a8c8-e22dd0121134: - categories: - - ALL - - boost-baseline - description: 'Amazon ECR image repositories shouldn''t have public access ' - group: cloud-insecure-iam - name: 75be209d-1948-41f6-a8c8-e22dd0121134 - pretty_name: ECR Repository Is Publicly Accessible - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ecr-repository.html - 75ec6890-83af-4bf1-9f16-e83726df0bd0: - categories: - - ALL - - boost-baseline - description: 'Lambda permission may be misconfigured if the action field is not - filled in by ''lambda:InvokeFunction'' ' - group: top10-insecure-design - name: 75ec6890-83af-4bf1-9f16-e83726df0bd0 - pretty_name: Lambda Permission Misconfigured - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission - 7674a686-e4b1-4a95-83d4-1fd53c623d84: - categories: - - ALL - - boost-baseline - description: 'Check if AWS config rules do not identify Encrypted Volumes as a - source. 
' - group: top10-crypto-failures - name: 7674a686-e4b1-4a95-83d4-1fd53c623d84 - pretty_name: Config Rule For Encrypted Volumes Disabled - recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/community/aws/aws_config_rule_module.html#parameter-source/identifier - 768aab52-2504-4a2f-a3e3-329d5a679848: - categories: - - ALL - - boost-baseline - description: 'When using kube-apiserver command, the ''--audit-log-maxbackup'' - flag should be defined and set to 10 or more files ' - group: top10-security-logging-monitoring-failures - name: 768aab52-2504-4a2f-a3e3-329d5a679848 - pretty_name: Audit Log Maxbackup Not Properly Set - recommended: true - ref: https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/ - 76976de7-c7b1-4f64-a94f-90c1345914c2: - categories: - - ALL - - boost-baseline - description: 'ElastiCache Replication Group encryption should be enabled at Rest ' - group: top10-crypto-failures - name: 76976de7-c7b1-4f64-a94f-90c1345914c2 - pretty_name: ElastiCache Replication Group Not Encrypted At Rest - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/elasticache_replication_group#at_rest_encryption_enabled - 76ddf32c-85b1-4808-8935-7eef8030ab36: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Batch Job Definition should not have Privileged Container Properties ' - group: cloud-weak-configuration - name: 76ddf32c-85b1-4808-8935-7eef8030ab36 - pretty_name: Batch Job Definition With Privileged Container Properties - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-batch-jobdefinition.html - 77276d82-4f45-4cf1-8e2b-4d345b936228: - categories: - - ALL - - boost-baseline - description: 'A security scheme is allowing basic authentication credentials to - be transported over network ' - group: cloud-insecure-iam - name: 77276d82-4f45-4cf1-8e2b-4d345b936228 - pretty_name: Global Security 
Scheme Using Basic Authentication - recommended: true - ref: https://swagger.io/specification/#security-scheme-object - 773116aa-2e6d-416f-bd85-f0301cc05d76: - categories: - - ALL - - boost-baseline - description: 'Security Definition Object should not allow ''password'' Flow in - OAuth2 authentication ' - group: cloud-insecure-iam - name: 773116aa-2e6d-416f-bd85-f0301cc05d76 - pretty_name: Security Definitions Allows Password Flow - recommended: true - ref: https://swagger.io/specification/v2/#securitySchemeObject - 7750fcca-dd03-4d38-b663-4b70289bcfd4: - categories: - - ALL - - boost-baseline - description: 'Flow logs enable capturing information about IP traffic flowing - in and out of the network security groups. Network Security Group Flow Logs - must be enabled with retention period greater than or equal to 90 days. This - is important, because these logs are used to check for anomalies and give information - of suspected breaches ' - group: cloud-weak-configuration - name: 7750fcca-dd03-4d38-b663-4b70289bcfd4 - pretty_name: Small Flow Logs Retention Period - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_watcher_flow_log - 7772bb8c-c0f3-42d4-8e4e-f1b8939ad085: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'The S3 Bucket should not be associated with a policy statement that - grants access to any principal ' - group: cloud-insecure-iam - name: 7772bb8c-c0f3-42d4-8e4e-f1b8939ad085 - pretty_name: S3 Bucket Access to Any Principal - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket.html - 77783205-c4ca-4f80-bb80-c777f267c547: - categories: - - ALL - - boost-baseline - description: 'Check if apt-get calls use the flag -y to avoid user manual input. 
' - group: supply-chain-scm-weak-configuration - name: 77783205-c4ca-4f80-bb80-c777f267c547 - pretty_name: APT-GET Missing '-y' To Avoid Manual Input - recommended: true - ref: https://docs.docker.com/engine/reference/builder/#run - 7782d4b3-e23e-432b-9742-d9528432e771: - categories: - - ALL - - boost-baseline - description: 'Group with privilege escalation by actions ''iam:SetDefaultPolicyVersion'' - and Resource set to ''*''. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. ' - group: cloud-insecure-iam - name: 7782d4b3-e23e-432b-9742-d9528432e771 - pretty_name: Group With Privilege Escalation By Actions 'iam:SetDefaultPolicyVersion' - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_policy#policy - 77b6f1e2-bde4-4a6a-ae7e-a40659ff1576: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'NetworkACL Entries are reusing or overlapping ports which may create - ineffective rules ' - group: cloud-resources-public-access - name: 77b6f1e2-bde4-4a6a-ae7e-a40659ff1576 - pretty_name: EC2 Network ACL Overlapping Ports - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-networkaclentry-portrange.html - 77c1fa3f-83dc-4c9d-bfed-e1d0cc8fd9dc: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Cloud Storage Bucket is anonymously or publicly accessible ' - group: cloud-insecure-iam - name: 77c1fa3f-83dc-4c9d-bfed-e1d0cc8fd9dc - pretty_name: Cloud Storage Bucket Is Publicly Accessible - recommended: true - ref: https://cloud.google.com/storage/docs/json_api/v1/bucketAccessControls - 78055456-f670-4d2e-94d5-392d1cf4f5e4: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'The load balancer of the application with a sensitive port connection - is exposed to the entire internet. 
' - group: cloud-resources-public-access - name: 78055456-f670-4d2e-94d5-392d1cf4f5e4 - pretty_name: ELB Sensitive Port Is Exposed To Entire Network - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-elb.html - 7814ddda-e758-4a56-8be3-289a81ded929: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Cloud Storage Bucket should have versioning enabled ' - group: top10-security-logging-monitoring-failures - name: 7814ddda-e758-4a56-8be3-289a81ded929 - pretty_name: Cloud Storage Bucket Versioning Disabled - recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_storage_bucket_module.html#parameter-versioning - 783860a3-6dca-4c8b-81d0-7b62769ccbca: - categories: - - ALL - - boost-baseline - description: 'API Gateway Deployment should have API Gateway UsagePlan defined - and associated. ' - group: top10-security-logging-monitoring-failures - name: 783860a3-6dca-4c8b-81d0-7b62769ccbca - pretty_name: API Gateway Deployment Without API Gateway UsagePlan Associated - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigateway-deployment.html - 78dfd8f0-a6ee-48ec-af8c-e4d9b3292a07: - categories: - - ALL - - boost-baseline - description: The field 'default' of Schema/Parameter/Header Object should be consistent - with the schema's/parameter's/header's type - group: top10-insecure-design - name: 78dfd8f0-a6ee-48ec-af8c-e4d9b3292a07 - pretty_name: Default Invalid (v2) - recommended: true - ref: https://swagger.io/specification/v2/#schemaObject - 78f1ec6f-5659-41ea-bd48-d0a142dce4f2: - categories: - - ALL - - boost-baseline - description: 'Group with privilege escalation by actions ''iam:UpdateAssumeRolePolicy'' - and ''sts:AssumeRole'' and Resource set to ''*''. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. 
' - group: cloud-insecure-iam - name: 78f1ec6f-5659-41ea-bd48-d0a142dce4f2 - pretty_name: Group With Privilege Escalation By Actions 'iam:UpdateAssumeRolePolicy' - And 'sts:AssumeRole' - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_policy#policy - 79c2c2c0-eb00-47c0-ac16-f8b0e2c81c92: - categories: - - ALL - - boost-baseline - description: 'Email notifications about new security alerts, should be set to - ''On'', and be sent to persons with specific RBAC roles on the subscription ' - group: cloud-resources-public-access - name: 79c2c2c0-eb00-47c0-ac16-f8b0e2c81c92 - pretty_name: Email Notifications Disabled - recommended: true - ref: https://docs.microsoft.com/en-us/azure/templates/microsoft.security/securitycontacts - 79d745f0-d5f3-46db-9504-bef73e9fd528: - categories: - - ALL - - boost-baseline - description: 'ECS Service should have at least 1 task running ' - group: top10-insecure-design - name: 79d745f0-d5f3-46db-9504-bef73e9fd528 - pretty_name: ECS Service Without Running Tasks - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ecs-service.html#cfn-ecs-service-deploymentconfiguration - 7a01dfbd-da62-4165-aed7-71349ad42ab4: - categories: - - ALL - - boost-baseline - description: 'Response reference should exists on components field ' - group: top10-insecure-design - name: 7a01dfbd-da62-4165-aed7-71349ad42ab4 - pretty_name: Response JSON Reference Does Not Exists (v3) - recommended: true - ref: https://swagger.io/specification/#components-object - 7a1ee8a9-71be-4b11-bb70-efb62d16863b: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'ssl_action parameter should be set to Open for RDS instances ' - group: cloud-resources-public-access - name: 7a1ee8a9-71be-4b11-bb70-efb62d16863b - pretty_name: RDS Instance SSL Action Disabled - recommended: true - ref: 
https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/db_instance#ssl_action - 7a70eed6-de3a-4da2-94da-a2bbc8fe2a48: - categories: - - ALL - - boost-baseline - description: 'IAM password should have the required symbols ' - group: top10-insecure-design - name: 7a70eed6-de3a-4da2-94da-a2bbc8fe2a48 - pretty_name: IAM Password Without Symbol - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_account_password_policy - 7ab33ac0-e4a3-418f-a673-50da4e34df21: - categories: - - ALL - - boost-baseline - description: 'Make sure that for Postgre SQL Database Server, parameter ''log_checkpoints'' - is set to ''ON'' ' - group: top10-security-logging-monitoring-failures - name: 7ab33ac0-e4a3-418f-a673-50da4e34df21 - pretty_name: PostgreSQL Log Checkpoints Disabled - recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_postgresqlconfiguration_module.html - 7af1c447-c014-4f05-bd8b-ebe3a15734ac: - categories: - - ALL - - boost-baseline - description: 'Check if port 2383 on TCP is publicly accessible by checking the - CIDR block range that can access it. ' - group: cloud-resources-public-access - name: 7af1c447-c014-4f05-bd8b-ebe3a15734ac - pretty_name: SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible - recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/amazon/aws/ec2_group_module.html - 7af2f4a3-00d9-47f3-8d15-ca0888f4e5b2: - categories: - - ALL - - boost-baseline - description: 'Check if any ElasticSearch domain isn''t encrypted with KMS. 
' - group: top10-crypto-failures - name: 7af2f4a3-00d9-47f3-8d15-ca0888f4e5b2 - pretty_name: ElasticSearch Encryption With KMS Disabled - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/elasticsearch_domain - 7af43613-6bb9-4a0e-8c4d-1314b799425e: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'S3 Buckets must not allow Actions From All Principals, as to prevent - leaking private information to the entire internet or allow unauthorized data - tampering / deletion. This means the ''Effect'' must not be ''Allow'' when there - are All Principals ' - group: cloud-insecure-iam - name: 7af43613-6bb9-4a0e-8c4d-1314b799425e - pretty_name: S3 Bucket Access to Any Principal - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy - 7b47138f-ec0e-47dc-8516-e7728fe3cc17: - categories: - - ALL - - boost-baseline - description: 'Make sure that for PostgreSQL Database, server parameter ''log_connections'' - is set to ''ON'' ' - group: top10-security-logging-monitoring-failures - name: 7b47138f-ec0e-47dc-8516-e7728fe3cc17 - pretty_name: PostgreSQL Log Connections Not Set - recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_postgresqlconfiguration_module.html - 7b590235-1ff4-421b-b9ff-5227134be9bb: - categories: - - ALL - - boost-baseline - description: 'AWS CloudFront distributions should have logging enabled to collect - all viewer requests, which means the attribute ''logging'' must be defined with - ''enabled'' set to true ' - group: top10-security-logging-monitoring-failures - name: 7b590235-1ff4-421b-b9ff-5227134be9bb - pretty_name: CloudFront Logging Disabled - recommended: true - ref: https://doc.crds.dev/github.com/crossplane/provider-aws/cloudfront.aws.crossplane.io/Distribution/v1alpha1@v0.29.0#spec-forProvider-distributionConfig-logging - 7c25f361-7c66-44bf-9b69-022acd5eb4bd: 
- categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Key Vault should have ''enableSoftDelete'' and ''enablePurgeProtection'' - set to true ' - group: top10-software-data-integrity-failures - name: 7c25f361-7c66-44bf-9b69-022acd5eb4bd - pretty_name: Key Vault Not Recoverable - recommended: true - ref: https://docs.microsoft.com/en-us/azure/templates/microsoft.keyvault/2019-09-01/vaults?tabs=json#vaultproperties-object - 7c81d34c-8e5a-402b-9798-9f442630e678: - categories: - - ALL - - boost-baseline - description: 'Images should be specified together with their digests to ensure - integrity ' - group: cloud-weak-configuration - name: 7c81d34c-8e5a-402b-9798-9f442630e678 - pretty_name: Image Without Digest - recommended: true - ref: https://kubernetes.io/docs/concepts/containers/images/#updating-images - 7c96920c-6fd0-449d-9a52-0aa431b6beaf: - categories: - - ALL - - boost-baseline - description: 'Role with privilege escalation by actions ''iam:AttachUserPolicy'' - and Resource set to ''*''. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. 
' - group: cloud-insecure-iam - name: 7c96920c-6fd0-449d-9a52-0aa431b6beaf - pretty_name: Role With Privilege Escalation By Actions 'iam:AttachUserPolicy' - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy#policy - 7c98538a-81c6-444b-bf04-e60bc3ceeec0: - categories: - - ALL - - boost-baseline - description: 'Instances must not have IP forwarding enabled, which means the attribute - ''canIpForward'' must not be true ' - group: cloud-resources-public-access - name: 7c98538a-81c6-444b-bf04-e60bc3ceeec0 - pretty_name: IP Forwarding Enabled - recommended: true - ref: https://cloud.google.com/compute/docs/reference/rest/v1/instances - 7cc6c791-5f68-4816-a564-b9b699f9d26e: - categories: - - ALL - - boost-baseline - description: 'ElastiCache should not use the default port (an attacker can easily - guess the port). For engine set to Redis, the default port is 6379. The Memcached - default port is 11211 ' - group: cloud-resources-public-access - name: 7cc6c791-5f68-4816-a564-b9b699f9d26e - pretty_name: ElastiCache Using Default Port - recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/community/aws/elasticache_module.html#parameter-cache_port - 7d544dad-8a6c-431c-84c1-5f07fe9afc0e: - categories: - - ALL - - boost-baseline - description: 'Group with privilege escalation by actions ''glue:CreateDevEndpoint'' - and ''iam:PassRole'' and Resource set to ''*''. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. 
' - group: cloud-insecure-iam - name: 7d544dad-8a6c-431c-84c1-5f07fe9afc0e - pretty_name: Group With Privilege Escalation By Actions 'glue:CreateDevEndpoint' - And 'iam:PassRole' - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_policy#policy - 7d7054c0-3a52-4e9b-b9ff-cbfe16a2378b: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Cloud SQL instances should not be publicly accessible. ' - group: cloud-weak-configuration - name: 7d7054c0-3a52-4e9b-b9ff-cbfe16a2378b - pretty_name: SQL DB Instance Publicly Accessible - recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_sql_instance_module.html - 7db727c1-1720-468e-b80e-06697f71e09e: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'ECS Services must not have Admin roles, which means the attribute - ''role'' must not be an admin role ' - group: cloud-insecure-iam - name: 7db727c1-1720-468e-b80e-06697f71e09e - pretty_name: ECS Service Admin Role Is Present - recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/community/aws/ecs_service_module.html - 7db8bd7e-9772-478c-9ec5-4bc202c5686f: - categories: - - ALL - - boost-baseline - description: 'OSS Bucket should have lifecycle rule enabled and set to true ' - group: top10-software-data-integrity-failures - name: 7db8bd7e-9772-478c-9ec5-4bc202c5686f - pretty_name: OSS Bucket Lifecycle Rule Disabled - recommended: true - ref: https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/oss_bucket#lifecycle_rule - 7dbba512-e244-42dc-98bb-422339827967: - categories: - - ALL - - boost-baseline - description: 'Check if CloudWatch logging is disabled for Route53 hosted zones ' - group: top10-security-logging-monitoring-failures - name: 7dbba512-e244-42dc-98bb-422339827967 - pretty_name: CloudWatch Logging Disabled - recommended: true - ref: 
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_query_log - 7dfb316c-a6c2-454d-b8a2-97f147b0c0ff: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'AWS DB Instance should have its storage encrypted by setting the - parameter to ''true''. The storage_encrypted default value is ''false''. ' - group: top10-crypto-failures - name: 7dfb316c-a6c2-454d-b8a2-97f147b0c0ff - pretty_name: DB Instance Storage Not Encrypted - recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/community/aws/rds_instance_module.html - 7e4a6e76-568d-43ef-8c4e-36dea481bff1: - categories: - - ALL - - boost-baseline - description: 'EC2 Instances should not be configured under a default VPC network ' - group: cloud-resources-public-access - name: 7e4a6e76-568d-43ef-8c4e-36dea481bff1 - pretty_name: EC2 Instance Using Default VPC - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/instance#subnet_id - 7ebc9038-0bde-479a-acc4-6ed7b6758899: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'The KMS key has a policy that is too permissive, as it provides - the AWS account owner with access to all AWS KMS operations, therefore violating - the principle of least privilege. ' - group: cloud-weak-configuration - name: 7ebc9038-0bde-479a-acc4-6ed7b6758899 - pretty_name: KMS Key With Full Permissions - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key - 7ebd323c-31b7-4e5b-b26f-de5e9e477af8: - categories: - - ALL - - boost-baseline - description: 'The ''-y'' or ''--assumeyes'' flag should be added when invoking - dnf install. If omitted, it can cause the command to fail during the build process, - because dnf would expect manual input. 
' - group: supply-chain-scm-weak-configuration - name: 7ebd323c-31b7-4e5b-b26f-de5e9e477af8 - pretty_name: Missing Flag From Dnf Install - recommended: true - ref: https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#run - 7ef7d141-9fbb-4679-a977-fd0883436906: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Kubernetes Engine Clusters must have Master Authentication set to - enabled, which means the attribute ''masterAuth'' must have the subattributes - ''username'' and ''password'' defined and not empty ' - group: cloud-weak-configuration - name: 7ef7d141-9fbb-4679-a977-fd0883436906 - pretty_name: Cluster Master Authentication Disabled - recommended: true - ref: https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1/projects.locations.clusters - 7f0a8696-7159-4337-ad0d-8a3ab4a78195: - categories: - - ALL - - boost-baseline - description: 'MariaDB Server Public Network Access should be disabled ' - group: cloud-resources-public-access - name: 7f0a8696-7159-4337-ad0d-8a3ab4a78195 - pretty_name: MariaDB Server Public Network Access Enabled - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/mariadb_server#public_network_access_enabled - 7f15962a-d862-451c-ac9b-84ec13747aa6: - categories: - - ALL - - boost-baseline - description: Schema/Parameter/Header Object properties should not contain 'enum' - and schema keywords - group: top10-insecure-design - name: 7f15962a-d862-451c-ac9b-84ec13747aa6 - pretty_name: Object Using Enum With Keyword (v2) - recommended: true - ref: https://swagger.io/specification/v2/#schemaObject - 7f203940-39c4-4ea7-91ee-7aba16bca9e2: - categories: - - ALL - - boost-baseline - description: 'Property ''allowReserved'' should be only defined for query parameters ' - group: top10-insecure-design - name: 7f203940-39c4-4ea7-91ee-7aba16bca9e2 - pretty_name: Property 'allowReserved' Improperly Defined - recommended: true - ref: 
https://swagger.io/specification/#parameter-object - 7f384a5f-b5a2-4d84-8ca3-ee0a5247becb: - categories: - - ALL - - boost-baseline - description: 'Check if any ECS cluster has not defined proper roles for services'' - task definitions. ' - group: cloud-insecure-iam - name: 7f384a5f-b5a2-4d84-8ca3-ee0a5247becb - pretty_name: Empty Roles For ECS Cluster Task Definitions - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ecs-service.html - 7f65be75-90ab-4036-8c2a-410aef7bb650: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'AWS Kinesis Stream should have SSE (Server Side Encryption) defined ' - group: top10-crypto-failures - name: 7f65be75-90ab-4036-8c2a-410aef7bb650 - pretty_name: Kinesis SSE Not Configured - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-kinesis-stream.html - 7f79f858-fbe8-4186-8a2c-dfd0d958a40f: - categories: - - ALL - - boost-baseline - description: 'Check if IAM Access Key is active for some user besides ''root'' ' - group: cloud-insecure-iam - name: 7f79f858-fbe8-4186-8a2c-dfd0d958a40f - pretty_name: IAM Access Key Is Exposed - recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/community/aws/iam_module.html - 7f8843f0-9ea5-42b4-a02b-753055113195: - categories: - - ALL - - boost-baseline - description: 'Geo Restriction feature should be enabled, to restrict or allow - users in specific locations accessing web application content ' - group: top10-insecure-design - name: 7f8843f0-9ea5-42b4-a02b-753055113195 - pretty_name: Geo Restriction Disabled - recommended: true - ref: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/georestrictions.html - 7f8f1b60-43df-4c28-aa21-fb836dbd8071: - categories: - - ALL - - boost-baseline - description: 'API Gateway Stage should have API Gateway UsagePlan defined and - associated. 
' - group: cloud-insecure-iam - name: 7f8f1b60-43df-4c28-aa21-fb836dbd8071 - pretty_name: API Gateway Stage Without API Gateway UsagePlan Associated - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigateway-stage.html - 7f91992f-b4c8-43bf-9bf9-fae9ecdb6e3a: - categories: - - ALL - - boost-baseline - description: 'Operations file parameters consumes must be ''multipart/form-data'', - ''application/x-www-form-urlencoded'' or both ' - group: top10-insecure-design - name: 7f91992f-b4c8-43bf-9bf9-fae9ecdb6e3a - pretty_name: File Parameter With Wrong Consumes Property - recommended: true - ref: https://swagger.io/specification/v2/#operation-object - 7fd0d461-5b8c-4815-898c-f2b4b117eb28: - categories: - - ALL - - boost-baseline - description: 'API Gateway REST API should have an API Gateway Authorizer ' - group: cloud-insecure-iam - name: 7fd0d461-5b8c-4815-898c-f2b4b117eb28 - pretty_name: API Gateway Without Configured Authorizer - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigateway-authorizer.html - 7fdc2bf3-6bc0-4cb3-84c5-cfd041c0f892: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'It''s not recommended to use plaintext environment variables for - sensitive information, such as credential data. ' - group: top10-crypto-failures - name: 7fdc2bf3-6bc0-4cb3-84c5-cfd041c0f892 - pretty_name: ECS Task Definition Container With Plaintext Password - recommended: true - ref: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task_definition_parameters.html#container_definition_environment - 800fa019-49dd-421b-9042-7331fdd83fa2: - categories: - - ALL - - boost-baseline - description: 'ConfigRule should enforce access keys to be rotated within 90 days. 
' - group: cloud-weak-secrets-management - name: 800fa019-49dd-421b-9042-7331fdd83fa2 - pretty_name: High Access Key Rotation Period - recommended: true - ref: https://docs.amazonaws.cn/en_us/config/latest/developerguide/access-keys-rotated.html - 8010e17a-00e9-4635-a692-90d6bcec68bd: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Check if default security group does not restrict all inbound and - outbound traffic. ' - group: cloud-resources-public-access - name: 8010e17a-00e9-4635-a692-90d6bcec68bd - pretty_name: Default Security Groups With Unrestricted Traffic - recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/amazon/aws/ec2_group_module.html - 801f0c6a-a834-4467-89c6-ddecffb46b5a: - categories: - - ALL - - boost-baseline - description: 'Link reference should exists on components field ' - group: top10-insecure-design - name: 801f0c6a-a834-4467-89c6-ddecffb46b5a - pretty_name: Link JSON Reference Does Not Exists - recommended: true - ref: https://swagger.io/specification/#components-object - 8055dec2-efb8-4fe6-8837-d9bed6ff202a: - categories: - - ALL - - boost-baseline - description: 'User with privilege escalation by actions ''lambda:CreateFunction'' - and ''iam:PassRole'' and ''lambda:InvokeFunction'' and Resource set to ''*''. - For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. 
' - group: cloud-insecure-iam - name: 8055dec2-efb8-4fe6-8837-d9bed6ff202a - pretty_name: User With Privilege Escalation By Actions 'lambda:CreateFunction' - And 'iam:PassRole' And 'lambda:InvokeFunction' - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy#policy - 80908a75-586b-4c61-ab04-490f4f4525b8: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Check if the ELB is setup with SSL or HTTPS for secure communication ' - group: top10-crypto-failures - name: 80908a75-586b-4c61-ab04-490f4f4525b8 - pretty_name: ELB Without Secure Protocol - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-elb.html - 809f77f8-d10e-4842-a84f-3be7b6ff1190: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'ELB Predefined or Custom Security Policies must not use weak ciphers, - to reduce the risk of the SSL connection between the client and the load balancer - being exploited. That means the ELB Listeners must not have Policies that posses - Ciphers that coincide with any of a predefined list of weak ciphers. 
' - group: top10-crypto-failures - name: 809f77f8-d10e-4842-a84f-3be7b6ff1190 - pretty_name: ELB Using Weak Ciphers - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-elb.html - 80b15fb1-6207-40f4-a803-6915ae619a03: - categories: - - ALL - - boost-baseline - description: 'DNSSEC must be enabled for Cloud DNS ' - group: cloud-weak-configuration - name: 80b15fb1-6207-40f4-a803-6915ae619a03 - pretty_name: Cloud DNS Without DNSSEC - recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_dns_managed_zone_module.html#return-dnssecConfig/state - 80b7ac3f-d2b7-4577-9b10-df7913497162: - categories: - - ALL - - boost-baseline - description: 'EBS volumes should be encrypted ' - group: top10-crypto-failures - name: 80b7ac3f-d2b7-4577-9b10-df7913497162 - pretty_name: EBS Volume Encryption Disabled - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-ebs-volume.html - 80d45af4-4920-4236-a56e-b7ef419d1941: - categories: - - ALL - - boost-baseline - description: 'API Gateway Stage should have Access Logging Settings defined ' - group: top10-security-logging-monitoring-failures - name: 80d45af4-4920-4236-a56e-b7ef419d1941 - pretty_name: API Gateway Stage Access Logging Settings Not Defined - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigatewayv2-stage.html#cfn-apigatewayv2-stage-accesslogsettings - 80f93444-b240-4ebb-a4c6-5c40b76c04ea: - categories: - - ALL - - boost-baseline - description: 'Pod Security Policy allows containers to share the host IPC namespace ' - group: cloud-weak-configuration - name: 80f93444-b240-4ebb-a4c6-5c40b76c04ea - pretty_name: PSP Allows Sharing Host IPC - recommended: true - ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/ - 811762c8-2e99-4f70-88f9-a63875a953b1: - categories: - - ALL - - boost-baseline - description: Schema 
Object should not be have a required property that is not - defined on properties - group: top10-insecure-design - name: 811762c8-2e99-4f70-88f9-a63875a953b1 - pretty_name: Schema Has A Required Property Undefined (v2) - recommended: true - ref: https://swagger.io/specification/v2/#schemaObject - 815021c8-a50c-46d9-b192-24f71072c400: - categories: - - ALL - - boost-baseline - description: 'Paths object may be empty due to ACL constraints, meaning they are - not exposed ' - group: top10-insecure-design - name: 815021c8-a50c-46d9-b192-24f71072c400 - pretty_name: Paths Object is Empty (v3) - recommended: true - ref: https://swagger.io/specification/#paths-object - 8152e0cf-d2f0-47ad-96d5-d003a76eabd1: - categories: - - ALL - - boost-baseline - description: 'AWS Lambda functions should have TracingConfig enabled. For this, - property ''tracing_Config.mode'' should have the value ''Active'' ' - group: top10-security-logging-monitoring-failures - name: 8152e0cf-d2f0-47ad-96d5-d003a76eabd1 - pretty_name: Lambda Functions Without X-Ray Tracing - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_function#tracing_config - 816ea8cf-d589-442d-a917-2dd0ce0e45e3: - categories: - - ALL - - boost-baseline - description: 'SQS policy allows ALL (*) actions ' - group: cloud-insecure-iam - name: 816ea8cf-d589-442d-a917-2dd0ce0e45e3 - pretty_name: SQS Policy Allows All Actions - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue_policy - 8173d5eb-96b5-4aa6-a71b-ecfa153c123d: - categories: - - ALL - - boost-baseline - description: 'CloudTrail multi region should be enabled, which means attributes - ''is_multi_region_trail'' and ''include_global_service_events'' should be enabled ' - group: top10-security-logging-monitoring-failures - name: 8173d5eb-96b5-4aa6-a71b-ecfa153c123d - pretty_name: CloudTrail Multi Region Disabled - recommended: true - ref: 
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudtrail#is_multi_region_trail - 818f38ed-8446-4132-9c03-474d49e10195: - categories: - - ALL - - boost-baseline - description: 'SNS topic Publicity should not have ''Effect: Allow'' and argument - ''NotAction'' at the same time. If it has ''Effect: Allow'', the argument stated - should be ''Action''. ' - group: cloud-insecure-iam - name: 818f38ed-8446-4132-9c03-474d49e10195 - pretty_name: SNS Topic Publicity Has Allow and NotAction Simultaneously - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/quickref-iam.html#scenario-sns-policy - 819d50fd-1cdf-45c3-9936-be408aaad93e: - categories: - - ALL - - boost-baseline - description: 'Make sure that the ''Standard'' pricing tiers were selected. ' - group: cloud-weak-configuration - name: 819d50fd-1cdf-45c3-9936-be408aaad93e - pretty_name: Security Center Pricing Tier Is Not Standard - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/security_center_subscription_pricing - 81ce9394-013d-4731-8fcc-9d229b474073: - categories: - - ALL - - boost-baseline - description: 'Verifies if Alicloud Container Service Node Pool Auto Repair is - Enabled. This service periodically checks for failing nodes and repairs them - to ensure a smooth running state. ' - group: cloud-weak-configuration - name: 81ce9394-013d-4731-8fcc-9d229b474073 - pretty_name: CS Kubernetes Node Pool Auto Repair Disabled - recommended: true - ref: https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/cs_kubernetes_node_pool#auto_repair - 8212e2d7-e683-49bc-bf78-d6799075c5a7: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Compute instances shouldn''t be accessible from the Internet. 
' - group: cloud-resources-public-access - name: 8212e2d7-e683-49bc-bf78-d6799075c5a7 - pretty_name: Compute Instance Is Publicly Accessible - recommended: true - ref: https://cloud.google.com/compute/docs/reference/rest/v1/instances - 8263f146-5e03-43e0-9cfe-db960d56d1e7: - categories: - - ALL - - boost-baseline - description: 'Ensure Storage Account is using the latest version of TLS encryption ' - group: top10-crypto-failures - name: 8263f146-5e03-43e0-9cfe-db960d56d1e7 - pretty_name: Storage Account Not Using Latest TLS Encryption Version - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account - 826abb30-3cd5-4e0b-a93b-67729b4f7e63: - categories: - - ALL - - boost-baseline - description: 'Roles and ClusterRoles with get/watch/list RBAC permissions on Kubernetes - secrets are dangerous and should be avoided. In case of compromise, attackers - could abuse these roles to access sensitive data, such as passwords, tokens - and keys ' - group: cloud-insecure-iam - name: 826abb30-3cd5-4e0b-a93b-67729b4f7e63 - pretty_name: RBAC Roles with Read Secrets Permissions - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/role#rule - 8275fab0-68ec-4705-bbf4-86975edb170e: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'API Gateway should have a Security Policy defined and use TLS 1.2. 
' - group: cloud-weak-configuration - name: 8275fab0-68ec-4705-bbf4-86975edb170e - pretty_name: API Gateway Without Security Policy - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigateway-domainname.html#cfn-apigateway-domainname-securitypolicy - 829ce3b8-065c-41a3-ad57-e0accfea82d2: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'AWS Security Group should not have an unknown port exposed to the - entire Internet ' - group: cloud-resources-public-access - name: 829ce3b8-065c-41a3-ad57-e0accfea82d2 - pretty_name: Unknown Port Exposed To Internet - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-security-group.html - 829f1c60-2bab-44c6-8a21-5cd9d39a2c82: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Compute instances shouldn''t be accessible from the Internet. ' - group: cloud-resources-public-access - name: 829f1c60-2bab-44c6-8a21-5cd9d39a2c82 - pretty_name: Compute Instance Is Publicly Accessible - recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_compute_instance_module.html#parameter-network_interfaces/access_configs - 83103dff-d57f-42a8-bd81-40abab64c1a7: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'BigQuery dataset is anonymously or publicly accessible. 
Attribute - access.specialGroup should not contain ''allAuthenticatedUsers'' ' - group: cloud-insecure-iam - name: 83103dff-d57f-42a8-bd81-40abab64c1a7 - pretty_name: BigQuery Dataset Is Public - recommended: true - ref: https://cloud.google.com/bigquery/docs/reference/rest/v2/datasets - 83130a07-235b-4a80-918b-a370e53f0bd9: - categories: - - ALL - - boost-baseline - description: 'Azure App Service should have App Service Authentication set ' - group: cloud-insecure-iam - name: 83130a07-235b-4a80-918b-a370e53f0bd9 - pretty_name: App Service Authentication Is Not Set - recommended: true - ref: https://docs.microsoft.com/en-us/azure/templates/microsoft.web/sites/config-web?tabs=json - 8320826e-7a9c-4b0b-9535-578333193432: - categories: - - ALL - - boost-baseline - description: 'Roles or ClusterRoles with RBAC permissions ''bind'' or ''escalate'' - allow subjects to create new bindings with other roles. This is dangerous, as - users with these privileges can bind to roles that may exceed their own privileges ' - group: cloud-insecure-iam - name: 8320826e-7a9c-4b0b-9535-578333193432 - pretty_name: RBAC Roles Allow Privilege Escalation - recommended: true - ref: https://kubernetes.io/docs/reference/access-authn-authz/rbac/#restrictions-on-role-binding-creation-or-update - 835a4f2f-df43-437d-9943-545ccfc55961: - categories: - - ALL - - boost-baseline - description: 'Azure Front Door WAF should be enabled ' - group: cloud-resources-public-access - name: 835a4f2f-df43-437d-9943-545ccfc55961 - pretty_name: Azure Front Door WAF Disabled - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/frontdoor#web_application_firewall_policy_link_id - 835d5497-a526-4aea-a23f-98a9afd1635f: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'S3 Buckets should not be readable to any authenticated user ' - group: cloud-insecure-iam - name: 835d5497-a526-4aea-a23f-98a9afd1635f - pretty_name: S3 Bucket ACL Allows 
Read to Any Authenticated User - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket.html - 837e033c-4717-40bd-807e-6abaa30161b7: - categories: - - ALL - - boost-baseline - description: 'AWS CloudFormation should have stack notifications enabled to be - notified when an event occurs ' - group: top10-security-logging-monitoring-failures - name: 837e033c-4717-40bd-807e-6abaa30161b7 - pretty_name: Stack Notifications Disabled - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-stack.html - 83957b81-39c1-4191-8e12-671d2ce14354: - categories: - - ALL - - boost-baseline - description: 'IAM password should have at least one uppercase letter ' - group: top10-insecure-design - name: 83957b81-39c1-4191-8e12-671d2ce14354 - pretty_name: IAM Password Without Uppercase Letter - recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/community/aws/iam_password_policy_module.html - 839f238f-2e3a-4a72-b945-8abdf91af955: - categories: - - ALL - - boost-baseline - description: 'IAM user resource Login Profile Password should have at least one - number ' - group: top10-insecure-design - name: 839f238f-2e3a-4a72-b945-8abdf91af955 - pretty_name: IAM Password Without Number - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/quickref-iam.html#scenario-iam-user - 83a229ba-483e-47c6-8db7-dc96969bce5a: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Ensure that ''Threat Detection'' is enabled for Azure SQL Database ' - group: cloud-insecure-iam - name: 83a229ba-483e-47c6-8db7-dc96969bce5a - pretty_name: SQL Database Audit Disabled - recommended: true - ref: https://www.terraform.io/docs/providers/azurerm/r/sql_database.html - 83bf5aca-138a-498e-b9cd-ad5bc5e117b4: - categories: - - ALL - - boost-baseline - description: 'Neptune database cluster storage should have encryption enabled ' - group: 
top10-crypto-failures - name: 83bf5aca-138a-498e-b9cd-ad5bc5e117b4 - pretty_name: Neptune Database Cluster Encryption Disabled - recommended: true - ref: https://doc.crds.dev/github.com/crossplane/provider-aws/neptune.aws.crossplane.io/DBCluster/v1alpha1@v0.29.0#spec-forProvider-storageEncrypted - 83c5fa4c-e098-48fc-84ee-0a537287ddd2: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Security groups allow ingress from 0.0.0.0/0 ' - group: cloud-resources-public-access - name: 83c5fa4c-e098-48fc-84ee-0a537287ddd2 - pretty_name: Unrestricted Security Group Ingress - recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/amazon/aws/ec2_group_module.html - 845acfbe-3e10-4b8e-b656-3b404d36dfb2: - categories: - - ALL - - boost-baseline - description: 'Service type should not be NodePort ' - group: cloud-resources-public-access - name: 845acfbe-3e10-4b8e-b656-3b404d36dfb2 - pretty_name: Service Type is NodePort - recommended: true - ref: https://kubernetes.io/docs/concepts/services-networking/service/ - 846646e3-2af1-428c-ac5d-271eccfa6faf: - categories: - - ALL - - boost-baseline - description: 'Group with privilege escalation by actions ''iam:CreateAccessKey'' - and Resource set to ''*''. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. 
' - group: cloud-insecure-iam - name: 846646e3-2af1-428c-ac5d-271eccfa6faf - pretty_name: Group With Privilege Escalation By Actions 'iam:CreateAccessKey' - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_policy#policy - 84c826c9-1893-4b34-8cdd-db97645b4bf3: - categories: - - ALL - - boost-baseline - description: 'Path object should have at least one operation object defined ' - group: top10-insecure-design - name: 84c826c9-1893-4b34-8cdd-db97645b4bf3 - pretty_name: Path Without Operation (v3) - recommended: true - ref: https://swagger.io/specification/#path-item-object - 84d36481-fd63-48cb-838e-635c44806ec2: - categories: - - ALL - - boost-baseline - description: 'Verifies that Google Project IAM Member Service Account doesn''t - have an Admin Role associated ' - group: cloud-insecure-iam - name: 84d36481-fd63-48cb-838e-635c44806ec2 - pretty_name: Google Project IAM Member Service Account Has Admin Role - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_project_iam#google_project_iam_member - 85138beb-ce7c-4ca3-a09f-e8fbcc57ddd7: - categories: - - ALL - - boost-baseline - description: 'Cross-Account IAM Assume Role Policy should require external ID - or MFA to protect cross-account access ' - group: cloud-insecure-iam - name: 85138beb-ce7c-4ca3-a09f-e8fbcc57ddd7 - pretty_name: Cross-Account IAM Assume Role Policy Without ExternalId or MFA - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-role.html#cfn-iam-role-assumerolepolicydocument - 857f8808-e96a-4ba8-a9b7-f2d4ec6cad94: - categories: - - ALL - - boost-baseline - description: 'RDS instance should have automatic minor upgrades enabled, which - means the attribute ''auto_minor_version_upgrade'' must be set to true. 
' - group: top10-insecure-design - name: 857f8808-e96a-4ba8-a9b7-f2d4ec6cad94 - pretty_name: Automatic Minor Upgrades Disabled - recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/community/aws/rds_instance_module.html#parameter-auto_minor_version_upgrade - 85ab1c5b-014e-4352-b5f8-d7dea3bb4fd3: - categories: - - ALL - - boost-baseline - description: 'Check if any network policy is not targeting any pod. ' - group: cloud-resources-public-access - name: 85ab1c5b-014e-4352-b5f8-d7dea3bb4fd3 - pretty_name: Network Policy Is Not Targeting Any Pod - recommended: true - ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/ - 85da374f-b00f-4832-9d44-84a1ca1e89f8: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Azure App Service should only enforce FTPS when ''ftps_state'' is - enabled ' - group: cloud-weak-configuration - name: 85da374f-b00f-4832-9d44-84a1ca1e89f8 - pretty_name: App Service FTPS Enforce Disabled - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/app_service#ftps_state - 860ba89b-b8de-4e72-af54-d6aee4138a69: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'S3 bucket allows public policy ' - group: cloud-insecure-iam - name: 860ba89b-b8de-4e72-af54-d6aee4138a69 - pretty_name: S3 Bucket Allows Public Policy - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket-publicaccessblockconfiguration.html - 862fe4bf-3eec-4767-a517-40f378886b88: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'AWS Kinesis Streams and metadata should be protected with KMS ' - group: top10-crypto-failures - name: 862fe4bf-3eec-4767-a517-40f378886b88 - pretty_name: Kinesis Not Encrypted With KMS - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kinesis_stream - 
86571149-eef3-4280-a645-01e60df854b0: - categories: - - ALL - description: 'A list of EBS resources found. Amazon Elastic Block Store (Amazon - EBS) is an easy-to-use, scalable, high-performance block-storage service designed - for Amazon Elastic Compute Cloud (Amazon EC2). ' - group: supply-chain-missing-artifact-integrity-verification - name: 86571149-eef3-4280-a645-01e60df854b0 - pretty_name: BOM - AWS EBS - ref: https://kics.io/ - 8657197e-3f87-4694-892b-8144701d83c1: - categories: - - ALL - - boost-baseline - description: 'Check if Readiness Probe is not configured. ' - group: top10-insecure-design - name: 8657197e-3f87-4694-892b-8144701d83c1 - pretty_name: Readiness Probe Is Not Configured - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#readiness_probe - 86733e01-a435-4bd5-a8b0-5108be9dc1e4: - categories: - - ALL - - boost-baseline - description: The Header Response should not be named as 'Content-Type', 'Authorization' - or 'Accept'. If so, it will be ignored. 
- group: top10-insecure-design - name: 86733e01-a435-4bd5-a8b0-5108be9dc1e4 - pretty_name: Header Response Name Is Invalid (v2) - recommended: true - ref: https://swagger.io/specification/v2/#response-object - 8697a1a4-82c6-4603-8ac8-57529756744e: - categories: - - ALL - - boost-baseline - - boost-hardened - description: Schema/Parameter array items type should be defined - group: cloud-weak-configuration - name: 8697a1a4-82c6-4603-8ac8-57529756744e - pretty_name: Array Items Has No Type (v2) - recommended: true - ref: https://swagger.io/specification/v2/#format - 869e7fb4-30f0-4bdb-b360-ad548f337f2f: - categories: - - ALL - - boost-baseline - description: 'Redis Cache resources should not allow non-SSL connections ' - group: cloud-weak-configuration - name: 869e7fb4-30f0-4bdb-b360-ad548f337f2f - pretty_name: Redis Cache Allows Non SSL Connections - recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_rediscache_module.html - 86a248ab-0e01-4564-a82a-878303e253bb: - categories: - - ALL - - boost-baseline - description: 'Check if ElasticSearch encryption is disabled at Rest ' - group: top10-crypto-failures - name: 86a248ab-0e01-4564-a82a-878303e253bb - pretty_name: ElasticSearch Not Encrypted At Rest - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-elasticsearch-domain.html#cfn-elasticsearch-domain-encryptionatrestoptions - 86a947ea-f577-4efb-a8b0-5fc00257d521: - categories: - - ALL - - boost-baseline - description: 'A non kube-system workload should not have hostPath mounted ' - group: cloud-insecure-iam - name: 86a947ea-f577-4efb-a8b0-5fc00257d521 - pretty_name: Non Kube System Pod With Host Mount - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod - 86b0efa7-4901-4edd-a37a-c034bec6645a: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Checks if the SQS Queue is exposed ' - 
group: cloud-insecure-iam - name: 86b0efa7-4901-4edd-a37a-c034bec6645a - pretty_name: SQS Queue Exposed - recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/community/aws/sqs_queue_module.html#parameter-policy - 86b1fa30-9790-4980-994d-a27e0f6f27c1: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Cleartext credentials over unencrypted channel should not be accepted - for the operation ' - group: cloud-insecure-iam - name: 86b1fa30-9790-4980-994d-a27e0f6f27c1 - pretty_name: Cleartext Credentials With Basic Authentication For Operation - recommended: true - ref: https://swagger.io/specification/#operation-object - 86e3702f-c868-44b2-b61d-ea5316c18110: - categories: - - ALL - - boost-baseline - description: 'Operations responses should have a default response defined ' - group: cloud-resources-public-access - name: 86e3702f-c868-44b2-b61d-ea5316c18110 - pretty_name: Default Response Undefined On Operations (v3) - recommended: true - ref: https://swagger.io/specification/#responses-object - 86f92117-eed8-4614-9c6c-b26da20ff37f: - categories: - - ALL - - boost-baseline - description: 'Azure Container Service (AKS) instance should have role-based access - control (RBAC) enabled ' - group: cloud-insecure-iam - name: 86f92117-eed8-4614-9c6c-b26da20ff37f - pretty_name: AKS RBAC Disabled - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/kubernetes_cluster#role_based_access_control - 87065ef8-de9b-40d8-9753-f4a4303e27a4: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Privileged containers lack essential security restrictions and should - be avoided by removing the ''privileged'' flag or by changing its value to false ' - group: cloud-weak-configuration - name: 87065ef8-de9b-40d8-9753-f4a4303e27a4 - pretty_name: Container Is Privileged - recommended: true - ref: 
https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#privileged - 87482183-a8e7-4e42-a566-7a23ec231c16: - categories: - - ALL - - boost-baseline - description: 'AWS Security Group Ingress should have a single port ' - group: cloud-resources-public-access - name: 87482183-a8e7-4e42-a566-7a23ec231c16 - pretty_name: Security Group Ingress With Port Range - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-security-group-ingress.html - 874d68a3-bfbe-4a4b-aaa0-9e74d7da634b: - categories: - - ALL - - boost-baseline - description: 'The certificate should use a RSA key with a length equal to or higher - than 256 bytes ' - group: cloud-weak-configuration - name: 874d68a3-bfbe-4a4b-aaa0-9e74d7da634b - pretty_name: Certificate RSA Key Bytes Lower Than 256 - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_rest_api - 87554eef-154d-411d-bdce-9dbd91e56851: - categories: - - ALL - - boost-baseline - description: 'PodSecurityPolicy should not allow privilege escalation ' - group: cloud-weak-configuration - name: 87554eef-154d-411d-bdce-9dbd91e56851 - pretty_name: PSP Allows Privilege Escalation - recommended: true - ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/ - 8810968b-4b15-421d-918b-d91eb4bb8d1d: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Kubernetes Clusters must be configured with labels, which means - the attribute ''resourceLabels'' must be defined ' - group: cloud-weak-configuration - name: 8810968b-4b15-421d-918b-d91eb4bb8d1d - pretty_name: Cluster Labels Disabled - recommended: true - ref: https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1/projects.zones.clusters - 881696a8-68c5-4073-85bc-7c38a3deb854: - categories: - - ALL - - boost-baseline - description: 'Make sure Soft Delete is enabled for Key Vault ' - group: 
top10-software-data-integrity-failures - name: 881696a8-68c5-4073-85bc-7c38a3deb854 - pretty_name: Key Vault Soft Delete Is Disabled - recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_keyvault_module.html#parameter-enable_soft_delete - 881a6e71-c2a7-4fe2-b9c3-dfcf08895331: - categories: - - ALL - - boost-baseline - description: 'Examples values and fields should be compliant with the schema type ' - group: top10-insecure-design - name: 881a6e71-c2a7-4fe2-b9c3-dfcf08895331 - pretty_name: Example Not Compliant With Schema Type (v3) - recommended: true - ref: https://swagger.io/specification/#example-object - 8833f180-96f1-46f4-9147-849aafa56029: - categories: - - ALL - - boost-baseline - description: 'EC2 Instances should not be configured under a default VPC network ' - group: cloud-resources-public-access - name: 8833f180-96f1-46f4-9147-849aafa56029 - pretty_name: EC2 Instance Using Default VPC - recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/amazon/aws/ec2_module.html#parameter-vpc_subnet_id - 88541597-6f88-42c8-bac6-7e0b855e8ff6: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'OSS Bucket should not allow list action from all principals, as - to prevent leaking private information to the entire internet or allow unauthorized - data tampering/deletion. This means the ''Effect'' must not be ''Allow'' when - the ''Action'' contains ''List'', for all Principals. ' - group: cloud-insecure-iam - name: 88541597-6f88-42c8-bac6-7e0b855e8ff6 - pretty_name: OSS Bucket Allows List Action From All Principals - recommended: true - ref: https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/oss_bucket#policy - 88d55d94-315d-4564-beee-d2d725feab11: - categories: - - ALL - - boost-baseline - description: 'SageMaker must have disabled internet access and root access for - Creating Notebook Instances. 
' - group: cloud-weak-configuration - name: 88d55d94-315d-4564-beee-d2d725feab11 - pretty_name: SageMaker Enabling Internet Access - recommended: true - ref: https://docs.aws.amazon.com/sagemaker/latest/dg/security_iam_id-based-policy-examples.html#sagemaker-condition-nbi-lockdown - 88fd05e0-ac0e-43d2-ba6d-fc0ba60ae1a6: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'IAM Database Auth Enabled should be configured to true when using - compatible engine and version ' - group: top10-crypto-failures - name: 88fd05e0-ac0e-43d2-ba6d-fc0ba60ae1a6 - pretty_name: IAM Database Auth Not Enabled - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance#iam_database_authentication_enabled - 89143358-cec6-49f5-9392-920c591c669c: - categories: - - ALL - - boost-baseline - description: 'Ram Account Password Policy should have ''require_lowercase_characters'' - set to true ' - group: cloud-weak-secrets-management - name: 89143358-cec6-49f5-9392-920c591c669c - pretty_name: Ram Account Password Policy Not Require At Least one Lowercase Character - recommended: true - ref: https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/ram_account_password_policy#require_lowercase_characters - 89561b03-cb35-44a9-a7e9-8356e71606f4: - categories: - - ALL - - boost-baseline - description: 'User with privilege escalation by actions ''ec2:RunInstances'' and - ''iam:PassRole'' and Resource set to ''*''. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. 
' - group: cloud-insecure-iam - name: 89561b03-cb35-44a9-a7e9-8356e71606f4 - pretty_name: User With Privilege Escalation By Actions 'ec2:RunInstances' And - 'iam:PassRole' - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy#policy - 895a5a95-3756-4b04-9924-2f3bc93181bd: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'When using kube-apiserver commands, the ''--etcd-certfile'' and - ''--etcd-keyfile'' flags should be defined ' - group: cloud-resources-public-access - name: 895a5a95-3756-4b04-9924-2f3bc93181bd - pretty_name: Etcd TLS Certificate Not Properly Configured - recommended: true - ref: https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/ - 895ed0d9-6fec-4567-8614-d7a74b599a53: - categories: - - ALL - description: 'A list of Dataflow resources found. Unified stream and batch data - processing that''s serverless, fast, and cost-effective. ' - group: supply-chain-missing-artifact-integrity-verification - name: 895ed0d9-6fec-4567-8614-d7a74b599a53 - pretty_name: BOM - GCP Dataflow - ref: https://kics.io/ - 89806cdc-9c2e-4bd1-a0dc-53f339bcfb2a: - categories: - - ALL - - boost-baseline - description: 'Check if IAM account password has the reuse password configured - with 24 ' - group: top10-insecure-design - name: 89806cdc-9c2e-4bd1-a0dc-53f339bcfb2a - pretty_name: Password Without Reuse Prevention - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_account_password_policy#password_reuse_prevention - 89827c57-5a8a-49eb-9731-976a606d70db: - categories: - - ALL - - boost-baseline - description: 'Workspaces should have encryption enabled ' - group: top10-crypto-failures - name: 89827c57-5a8a-49eb-9731-976a606d70db - pretty_name: Workspace Without Encryption - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-workspaces-workspace.html - 
89afe3f0-4681-4ce3-89ed-896cebd4277c: - categories: - - ALL - - boost-baseline - description: 'PostgreSQL database instance should have a ''log_checkpoints'' flag - with its value set to ''on'' ' - group: top10-security-logging-monitoring-failures - name: 89afe3f0-4681-4ce3-89ed-896cebd4277c - pretty_name: PostgreSQL log_checkpoints Flag Not Set To ON - recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_sql_instance_module.html#parameter-settings/database_flags - 89b79fe5-49bd-4d39-84ce-55f5fc6f7764: - categories: - - ALL - - boost-baseline - description: 'SQL Database Server should contain emails to be notified in the - event of a Security Alert ' - group: top10-insecure-design - name: 89b79fe5-49bd-4d39-84ce-55f5fc6f7764 - pretty_name: SQL Alert Policy Without Emails - recommended: true - ref: https://docs.microsoft.com/en-us/azure/templates/microsoft.sql/servers/databases/securityalertpolicies?tabs=json - 89f84a1e-75f8-47c5-83b5-bee8e2de4168: - categories: - - ALL - - boost-baseline - description: 'Monitoring log profile captures all the activities (Action, Write, - Delete) ' - group: top10-security-logging-monitoring-failures - name: 89f84a1e-75f8-47c5-83b5-bee8e2de4168 - pretty_name: Monitoring Log Profile Without All Activities - recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_monitorlogprofile_module.html - 89fe890f-b480-460c-8b6b-7d8b1468adb4: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Audit Logging Configuration is defective ' - group: top10-security-logging-monitoring-failures - name: 89fe890f-b480-460c-8b6b-7d8b1468adb4 - pretty_name: IAM Audit Not Properly Configured - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_project_iam#google_project_iam_audit_config - 8a301064-c291-4b20-adcb-403fe7fd95fd: - categories: - - ALL - - boost-baseline - description: 'Using 
the command RUN to override the default shell instead of the - SHELL command leads to inefficiencies. It also does not make sense since Docker - provides the SHELL command for this exact purpose. ' - group: top10-insecure-design - name: 8a301064-c291-4b20-adcb-403fe7fd95fd - pretty_name: Changing Default Shell Using RUN Command - recommended: true - ref: https://docs.docker.com/engine/reference/builder/#shell - 8a6d36cd-0bc6-42b7-92c4-67acc8576861: - categories: - - ALL - - boost-baseline - description: 'EC2 Instances should be configured under a VPC network. AWS VPCs - provide the controls to facilitate a formal process for approving and testing - all network connections and changes to the firewall and router configurations. ' - group: cloud-weak-configuration - name: 8a6d36cd-0bc6-42b7-92c4-67acc8576861 - pretty_name: Instance With No VPC - recommended: true - ref: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-vpc.html - 8a893e46-e267-485a-8690-51f39951de58: - categories: - - ALL - - boost-baseline - description: 'The node image should be Container-Optimized OS(COS) ' - group: cloud-weak-configuration - name: 8a893e46-e267-485a-8690-51f39951de58 - pretty_name: COS Node Image Not Used - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_node_pool#node_config - 8ada6e80-0ade-439e-b176-0b28f6bce35a: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Avoid RUN with sudo command as it leads to unpredictable behavior ' - group: cloud-weak-configuration - name: 8ada6e80-0ade-439e-b176-0b28f6bce35a - pretty_name: Run Using Sudo - recommended: true - ref: https://docs.docker.com/engine/reference/builder/#run - 8aee4754-970d-4c5f-8142-a49dfe388b1a: - categories: - - ALL - - boost-baseline - description: 'Every defined Server Variable Object should be used in a Service - URL. 
' - group: top10-insecure-design - name: 8aee4754-970d-4c5f-8142-a49dfe388b1a - pretty_name: Server Object Variable Not Used - recommended: true - ref: https://swagger.io/specification/#server-variable-object - 8af270ce-298b-4405-9922-82a10aee7a4f: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Global security field should be defined to prevent API to have insecure - paths and have this rules defined on securitySchemes ' - group: cloud-insecure-iam - name: 8af270ce-298b-4405-9922-82a10aee7a4f - pretty_name: Global Security Field Is Undefined (v3) - recommended: true - ref: https://swagger.io/specification/#security-requirement-object - 8af7162d-6c98-482f-868e-0d33fb675ca8: - categories: - - ALL - - boost-baseline - description: 'The host''s user namespace should not be shared. ' - group: cloud-insecure-iam - name: 8af7162d-6c98-482f-868e-0d33fb675ca8 - pretty_name: Shared Host User Namespace - recommended: true - ref: https://docs.docker.com/compose/compose-file/compose-file-v3/#userns_mode - 8b042c30-e441-453f-b162-7696982ebc58: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Make sure that on PostgreSQL Geo Redundant Backups is enabled ' - group: top10-software-data-integrity-failures - name: 8b042c30-e441-453f-b162-7696982ebc58 - pretty_name: Geo Redundancy Is Disabled - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/postgresql_server - 8b1b1e67-6248-4dca-bbad-93486bb181c0: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Ensure a log metric filter and alarm exist for root acount usage ' - group: top10-security-logging-monitoring-failures - name: 8b1b1e67-6248-4dca-bbad-93486bb181c0 - pretty_name: CloudWatch Root Account Use Missing - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_metric_filter#pattern - 8b36775e-183d-4d46-b0f7-96a6f34a723f: - categories: 
- - ALL - - boost-baseline - description: 'Containers should be configured with an AppArmor profile to enforce - fine-grained access control over low-level system resources ' - group: cloud-insecure-iam - name: 8b36775e-183d-4d46-b0f7-96a6f34a723f - pretty_name: Missing AppArmor Profile - recommended: true - ref: https://kubernetes.io/docs/tutorials/clusters/apparmor/ - 8b862ca9-0fbd-4959-ad72-b6609bdaa22d: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Check if there is any Tiller Service present ' - group: cloud-weak-configuration - name: 8b862ca9-0fbd-4959-ad72-b6609bdaa22d - pretty_name: Tiller Service Is Not Deleted - recommended: true - ref: https://kubernetes.io/docs/concepts/services-networking/service - 8bbb242f-6e38-4127-86d4-d8f0b2687ae2: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'AWS AMI Encryption is not enabled ' - group: top10-crypto-failures - name: 8bbb242f-6e38-4127-86d4-d8f0b2687ae2 - pretty_name: AMI Not Encrypted - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ami - 8bc2168c-1723-4eeb-a6f3-a1ba614b9a6d: - categories: - - ALL - - boost-baseline - description: 'IAM password should have the required minimum length ' - group: top10-insecure-design - name: 8bc2168c-1723-4eeb-a6f3-a1ba614b9a6d - pretty_name: IAM Password Without Minimum Length - recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/community/aws/iam_password_policy_module.html - 8bfbf7ab-d5e8-4100-8618-798956e101e0: - categories: - - ALL - - boost-baseline - description: 'User with privilege escalation by actions ''iam:PutGroupPolicy'' - and Resource set to ''*''. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. 
' - group: cloud-insecure-iam - name: 8bfbf7ab-d5e8-4100-8618-798956e101e0 - pretty_name: User With Privilege Escalation By Actions 'iam:PutGroupPolicy' - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy#policy - 8bfed1c6-2d59-4924-bc7f-9b9d793ed0df: - categories: - - ALL - - boost-baseline - description: 'The map content property of the parameter object should only contain - one entry ' - group: top10-insecure-design - name: 8bfed1c6-2d59-4924-bc7f-9b9d793ed0df - pretty_name: Parameter Object Content With Multiple Entries - recommended: true - ref: https://swagger.io/specification/#parameter-object - 8c0695d8-2378-4cd6-8243-7fd5894fa574: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'OSS Bucket should not allow delete action from all principals, as - to prevent leaking private information to the entire internet or allow unauthorized - data tampering/deletion. This means the ''Effect'' must not be ''Allow'' when - the ''Action'' is DeleteBucket, for all Principals. 
' - group: cloud-insecure-iam - name: 8c0695d8-2378-4cd6-8243-7fd5894fa574 - pretty_name: OSS Bucket Allows Delete Action From All Principals - recommended: true - ref: https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/oss_bucket#policy - 8c3bedf1-c570-4c3b-b414-d068cd39a00c: - categories: - - ALL - - boost-baseline - description: 'Azure Kubernetes Service should have the proper network policy configuration - to ensure the principle of least privileges, which means that ''network_profile.network_policy'' - should be defined ' - group: cloud-weak-configuration - name: 8c3bedf1-c570-4c3b-b414-d068cd39a00c - pretty_name: AKS Network Policy Misconfigured - recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_aks_module.html#parameter-network_profile/network_policy - 8c415f6f-7b90-4a27-a44a-51047e1506f9: - categories: - - ALL - - boost-baseline - description: 'Make sure the AWS RDS configuration has automatic backup configured. - If the retention period is equal to 0 there is no backup ' - group: top10-software-data-integrity-failures - name: 8c415f6f-7b90-4a27-a44a-51047e1506f9 - pretty_name: RDS With Backup Disabled - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-rds-database-instance.html - 8c81d6c0-716b-49ec-afa5-2d62da4e3f3c: - categories: - - ALL - - boost-baseline - description: 'String schema should restrict the pattern ' - group: cloud-weak-configuration - name: 8c81d6c0-716b-49ec-afa5-2d62da4e3f3c - pretty_name: String Schema with Broad Pattern (v3) - recommended: true - ref: https://swagger.io/specification/#schema-object - 8c8261c2-19a9-4ef7-ad37-b8bc7bdd4d85: - categories: - - ALL - - boost-baseline - description: 'String schema should have ''maxLength'' defined. 
' - group: cloud-weak-configuration - name: 8c8261c2-19a9-4ef7-ad37-b8bc7bdd4d85 - pretty_name: Maximum Length Undefined (v3) - recommended: true - ref: https://swagger.io/specification/#schema-object - 8c849af7-a399-46f7-a34c-32d3dc96f1fc: - categories: - - ALL - - boost-baseline - description: 'ElastiCache should be launched in a Virtual Private Cloud (VPC) ' - group: cloud-resources-public-access - name: 8c849af7-a399-46f7-a34c-32d3dc96f1fc - pretty_name: ElastiCache Without VPC - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/elasticache_cluster#subnet_group_name - 8c84f75e-5048-4926-a4cb-33e7b3431300: - categories: - - ALL - - boost-baseline - description: 'The header Parameter should not be named as ''Authorization''. If - so, it will be ignored. ' - group: top10-insecure-design - name: 8c84f75e-5048-4926-a4cb-33e7b3431300 - pretty_name: Header Parameter Named as 'Authorization' (v3) - recommended: true - ref: https://swagger.io/specification/#parameter-object - 8cf4671a-cf3d-46fc-8389-21e7405063a2: - categories: - - ALL - - boost-baseline - description: 'A StatefulSet requests volume storage. 
' - group: supply-chain-cicd-weak-configuration - name: 8cf4671a-cf3d-46fc-8389-21e7405063a2 - pretty_name: StatefulSet Requests Storage - recommended: true - ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/ - 8d03993b-8384-419b-a681-d1f55149397c: - categories: - - ALL - - boost-baseline - description: 'EC2 instances should not use default security group(s) ' - group: cloud-insecure-iam - name: 8d03993b-8384-419b-a681-d1f55149397c - pretty_name: EC2 Instance Using Default Security Group - recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/amazon/aws/ec2_module.html#parameter-group - 8d0921d6-4131-461f-a253-99e873f8f77e: - categories: - - ALL - - boost-baseline - description: 'Any variable used in the Service URL should be defined in the Service - Object through ''variables''. ' - group: top10-insecure-design - name: 8d0921d6-4131-461f-a253-99e873f8f77e - pretty_name: Server URL Uses Undefined Variables - recommended: true - ref: https://swagger.io/specification/#server-object - 8d29754a-2a18-460d-a1ba-9509f8d359da: - categories: - - ALL - - boost-baseline - description: 'IAM Access Analyzer should be enabled and configured to continuously - monitor resource permissions ' - group: top10-insecure-design - name: 8d29754a-2a18-460d-a1ba-9509f8d359da - pretty_name: IAM Access Analyzer Not Enabled - recommended: true - ref: https://docs.amazonaws.cn/en_us/AWSCloudFormation/latest/UserGuide/aws-resource-accessanalyzer-analyzer.html - 8d7f7b8c-6c7c-40f8-baa6-62006c6c7b56: - categories: - - ALL - - boost-baseline - description: 'RDS does not have any kind of logger ' - group: top10-security-logging-monitoring-failures - name: 8d7f7b8c-6c7c-40f8-baa6-62006c6c7b56 - pretty_name: RDS Without Logging - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance#enabled_cloudwatch_logs_exports - 8db5544e-4874-4baa-9322-e9f75a2d219e: - categories: - - ALL - - boost-baseline - 
- boost-hardened - description: 'Components'' securityScheme field must have a valid scheme ' - group: cloud-insecure-iam - name: 8db5544e-4874-4baa-9322-e9f75a2d219e - pretty_name: Field 'securityScheme' On Components Is Undefined - recommended: true - ref: https://swagger.io/specification/#security-scheme-object - 8dd0ff1f-0da4-48df-9bb3-7f338ae36a40: - categories: - - ALL - - boost-baseline - description: 'It''s considered a best practice for an EC2 instance to use an EBS - optimized instance. This provides the best performance for your EBS volumes - by minimizing contention between Amazon EBS I/O and other traffic from your - instance ' - group: top10-insecure-design - name: 8dd0ff1f-0da4-48df-9bb3-7f338ae36a40 - pretty_name: EC2 Not EBS Optimized - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-instance.html#cfn-ec2-instance-ebsoptimized - 8df8e857-bd59-44fa-9f4c-d77594b95b46: - categories: - - ALL - - boost-baseline - description: 'AWS Lambda Functions must have associated tags. 
' - group: cloud-weak-configuration - name: 8df8e857-bd59-44fa-9f4c-d77594b95b46 - pretty_name: Lambda Function Without Tags - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-lambda-function.html - 8e3063f4-b511-45c3-b030-f3b0c9131951: - categories: - - ALL - - boost-baseline - description: 'IAM Password should have at least one lowercase letter ' - group: top10-insecure-design - name: 8e3063f4-b511-45c3-b030-f3b0c9131951 - pretty_name: IAM Password Without Lowercase Letter - recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/community/aws/iam_password_policy_module.html - 8e75e431-449f-49e9-b56a-c8f1378025cf: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Role Assignment should limit guest user permissions ' - group: cloud-insecure-iam - name: 8e75e431-449f-49e9-b56a-c8f1378025cf - pretty_name: Role Assignment Not Limit Guest User Permissions - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment - 8e94dced-9bcc-4203-8eb7-7e41202b2505: - categories: - - ALL - - boost-baseline - description: 'AWS Auto Scaling Groups must have associated ELBs to ensure high - availability and improve application performance. This means the attribute ''load_balancers'' - must be defined and not empty. 
' - group: top10-insecure-design - name: 8e94dced-9bcc-4203-8eb7-7e41202b2505 - pretty_name: Auto Scaling Group With No Associated ELB - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/autoscaling_group#load_balancers - 8ed0bfce-f780-46d4-b086-21c3628f09ad: - categories: - - ALL - - boost-baseline - description: 'SES policy should not allow IAM actions to all principals ' - group: cloud-insecure-iam - name: 8ed0bfce-f780-46d4-b086-21c3628f09ad - pretty_name: SES Policy With Allowed IAM Actions - recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/community/aws/aws_ses_identity_policy_module.html#parameter-policy - 8f3c16b3-354d-45db-8ad5-5066778a9485: - categories: - - ALL - - boost-baseline - description: 'Group with privilege escalation by actions ''glue:UpdateDevEndpoint'' - and Resource set to ''*''. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. ' - group: cloud-insecure-iam - name: 8f3c16b3-354d-45db-8ad5-5066778a9485 - pretty_name: Group With Privilege Escalation By Actions 'glue:UpdateDevEndpoint' - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_policy#policy - 8f75840d-9ee7-42f3-b203-b40e3979eb12: - categories: - - ALL - - boost-baseline - description: 'Role with privilege escalation by actions ''iam:PutUserPolicy'' - and Resource set to ''*''. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. 
' - group: cloud-insecure-iam - name: 8f75840d-9ee7-42f3-b203-b40e3979eb12 - pretty_name: Role With Privilege Escalation By Actions 'iam:PutUserPolicy' - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy#policy - 8f957abd-9703-413d-87d3-c578950a753c: - categories: - - ALL - - boost-baseline - description: 'IAM Group should have at least one user associated ' - group: cloud-insecure-iam - name: 8f957abd-9703-413d-87d3-c578950a753c - pretty_name: IAM Group Without Users - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-group.html - 8f98334a-99aa-4d85-b72a-1399ca010413: - categories: - - ALL - - boost-baseline - description: 'OSS Bucket should have transfer acceleration enabled ' - group: top10-insecure-design - name: 8f98334a-99aa-4d85-b72a-1399ca010413 - pretty_name: OSS Bucket Transfer Acceleration Disabled - recommended: true - ref: https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/oss_bucket#transfer_acceleration - 8fa9ceea-881f-4ef0-b0b8-728f589699a7: - categories: - - ALL - - boost-baseline - description: 'Role Definitions should not allow custom subscription role creation - (actions set to ''*'' or ''Microsoft.Authorization/roleDefinitions/write'') ' - group: cloud-insecure-iam - name: 8fa9ceea-881f-4ef0-b0b8-728f589699a7 - pretty_name: Role Definitions Allow Custom Subscription Role Creation - recommended: true - ref: https://docs.microsoft.com/en-us/azure/templates/microsoft.authorization/roledefinitions?tabs=json#permission-object - 8fdb08a0-a868-4fdf-9c27-ccab0237f1ab: - categories: - - ALL - - boost-baseline - description: 'ElastiCache Redis cluster should have ''snapshot_retention_limit'' - higher than 0 ' - group: top10-software-data-integrity-failures - name: 8fdb08a0-a868-4fdf-9c27-ccab0237f1ab - pretty_name: ElastiCache Redis Cluster Without Backup - recommended: true - ref: 
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/elasticache_cluster#snapshot_retention_limit - 8fe1846f-52cc-4413-ace9-1933d7d23672: - categories: - - ALL - - boost-baseline - description: 'The Parameter Object should have the attribute ''schema'' defined ' - group: cloud-weak-configuration - name: 8fe1846f-52cc-4413-ace9-1933d7d23672 - pretty_name: Parameter Object Without Schema - recommended: true - ref: https://swagger.io/specification/#parameter-object - 8fe6d18a-ad4c-4397-8884-e3a9da57f4c9: - categories: - - ALL - - boost-baseline - description: The field 'enum' of Schema Object should be consistent with the schema's - type - group: top10-insecure-design - name: 8fe6d18a-ad4c-4397-8884-e3a9da57f4c9 - pretty_name: Schema Enum Invalid (v2) - recommended: true - ref: https://swagger.io/specification/v2/#schema-object - 90120147-f2e7-4fda-bb21-6fa9109afd63: - categories: - - ALL - - boost-baseline - - boost-hardened - description: '''Microsoft.DBforMySQL/servers'' should enforce SSL ' - group: cloud-resources-public-access - name: 90120147-f2e7-4fda-bb21-6fa9109afd63 - pretty_name: MySQL Server SSL Enforcement Disabled - recommended: true - ref: https://docs.microsoft.com/en-us/azure/templates/microsoft.dbformysql/servers?tabs=json#serverpropertiesforcreate-object - 9025b2b3-e554-4842-ba87-db7aeec36d35: - categories: - - ALL - - boost-baseline - description: 'Checks if the ECR Image has been scanned ' - group: top10-crypto-failures - name: 9025b2b3-e554-4842-ba87-db7aeec36d35 - pretty_name: Unscanned ECR Image - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ecr-repository.html#cfn-ecr-repository-imagescanningconfiguration - 9038b526-4c19-4928-bca2-c03d503bdb79: - categories: - - ALL - - boost-baseline - description: 'Compute instances must be launched with Shielded VM enabled, which - means the attribute ''shieldedInstanceConfig'' must be defined and its sub attributes - 
''enableSecureBoot'', ''enableVtpm'' and ''enableIntegrityMonitoring'' must - be set to true ' - group: cloud-weak-configuration - name: 9038b526-4c19-4928-bca2-c03d503bdb79 - pretty_name: Shielded VM Disabled - recommended: true - ref: https://cloud.google.com/compute/docs/reference/rest/v1/instances - 90501b1b-cded-4cc1-9e8b-206b85cda317: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Checks if any static websites are hosted on buckets. Even static - websites can be a liability when poorly configured. ' - group: cloud-weak-configuration - name: 90501b1b-cded-4cc1-9e8b-206b85cda317 - pretty_name: S3 Static Website Host Enabled - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-websiteconfiguration.html - 905f4741-f965-45c1-98db-f7a00a0e5c73: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'SNS Topic Policy should not allow any principal to access ' - group: cloud-insecure-iam - name: 905f4741-f965-45c1-98db-f7a00a0e5c73 - pretty_name: SNS Topic is Publicly Accessible - recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/community/aws/sns_topic_module.html - 9073f073-5d60-4b46-b569-0d6baa80ed95: - categories: - - ALL - - boost-baseline - description: '''Microsoft.Storage/storageAccounts'' should force the use of HTTPS ' - group: cloud-resources-public-access - name: 9073f073-5d60-4b46-b569-0d6baa80ed95 - pretty_name: Storage Account Allows Default Network Access - recommended: true - ref: https://docs.microsoft.com/en-us/azure/templates/microsoft.storage/storageaccounts?tabs=json#storageaccountpropertiescreateparameters-object - 9127f0d9-2310-42e7-866f-5fd9d20dcbad: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'A Kubernetes Cluster must not allow unsafe sysctls, to prevent a - pod from having any influence on any other pod on the node, harming the node''s - health or gaining CPU or memory resources 
outside of the resource limits of - a pod. This means ''spec.securityContext.sysctls'' must not specify unsafe sysctls - and the attribute ''allowedUnsafeSysctls'' must be undefined. ' - group: cloud-weak-configuration - name: 9127f0d9-2310-42e7-866f-5fd9d20dcbad - pretty_name: Cluster Allows Unsafe Sysctls - recommended: true - ref: https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ - 9192e0f9-eca5-4056-9282-ae2a736a4088: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Kubernetes Clusters must have Pod Security Policy controller enabled, - which means there must be a ''pod_security_policy_config'' with the ''enabled'' - attribute equal to true ' - group: cloud-weak-configuration - name: 9192e0f9-eca5-4056-9282-ae2a736a4088 - pretty_name: Pod Security Policy Disabled - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_cluster - 91bea7b8-0c31-4863-adc9-93f6177266c4: - categories: - - ALL - - boost-baseline - description: 'AWS CloudFormation should have a template defined through the attribute - template_url or attribute template_body ' - group: supply-chain-cicd-weak-configuration - name: 91bea7b8-0c31-4863-adc9-93f6177266c4 - pretty_name: Stack Without Template - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudformation_stack - 91dacd0e-d189-4a9c-8272-5999a3cc32d9: - categories: - - ALL - - boost-baseline - description: 'Pod Security Policy allows containers to share the host process - ID namespace ' - group: cloud-weak-configuration - name: 91dacd0e-d189-4a9c-8272-5999a3cc32d9 - pretty_name: PSP Allows Sharing Host PID - recommended: true - ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/ - 91f16d09-689e-4926-aca7-155157f634ed: - categories: - - ALL - - boost-baseline - description: 'ECS Service should have at least 1 task running ' - group: top10-insecure-design - name: 
91f16d09-689e-4926-aca7-155157f634ed - pretty_name: ECS Service Without Running Tasks - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecs_service - 92302b47-b0cc-46cb-a28f-5610ecda140b: - categories: - - ALL - - boost-baseline - - boost-hardened - description: '''Microsoft.Web/sites'' should have client certificate authentication - enabled ' - group: cloud-resources-public-access - name: 92302b47-b0cc-46cb-a28f-5610ecda140b - pretty_name: Website with Client Certificate Auth Disabled - recommended: true - ref: https://docs.microsoft.com/en-us/azure/templates/microsoft.web/sites?tabs=json#siteproperties-object - 9232306a-f839-40aa-b3ef-b352001da9a5: - categories: - - ALL - - boost-baseline - description: 'S3 bucket should have versioning enabled ' - group: top10-security-logging-monitoring-failures - name: 9232306a-f839-40aa-b3ef-b352001da9a5 - pretty_name: S3 Bucket Without Versioning - recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/amazon/aws/s3_bucket_module.html#parameter-versioning - 9239c289-9e4c-4d92-8be1-9d506057c971: - categories: - - ALL - - boost-baseline - description: 'License Object URL should be a valid URL ' - group: top10-insecure-design - name: 9239c289-9e4c-4d92-8be1-9d506057c971 - pretty_name: Invalid License URL (v3) - recommended: true - ref: https://swagger.io/specification/#license-object - 9296f1cc-7a40-45de-bd41-f31745488a0e: - categories: - - ALL - - boost-baseline - description: 'Amazon Simple Queue Service (SQS) queue should protect the contents - of their messages using Server-Side Encryption (SSE) ' - group: top10-crypto-failures - name: 9296f1cc-7a40-45de-bd41-f31745488a0e - pretty_name: SQS With SSE Disabled - recommended: true - ref: https://doc.crds.dev/github.com/crossplane/provider-aws/sqs.aws.crossplane.io/Queue/v1beta1@v0.29.0#spec-forProvider-kmsMasterKeyId - 92d65c51-5d82-4507-a2a1-d252e9706855: - categories: - - ALL - - boost-baseline - 
description: 'Alicloud ROS Stack should have a template defined through the attribute - template_url or attribute template_body ' - group: supply-chain-cicd-weak-configuration - name: 92d65c51-5d82-4507-a2a1-d252e9706855 - pretty_name: ROS Stack Without Template - recommended: true - ref: https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/ros_stack - 92e4464a-4139-4d57-8742-b5acc0347680: - categories: - - ALL - - boost-baseline - description: 'Google Project IAM Policy should not assign a KMS admin role and - CryptoKey role to the same member ' - group: cloud-insecure-iam - name: 92e4464a-4139-4d57-8742-b5acc0347680 - pretty_name: KMS Admin and CryptoKey Roles In Use - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_project_iam#policy_data - 92fe237e-074c-4262-81a4-2077acb928c1: - categories: - - ALL - - boost-baseline - description: 'A sensitive port, such as port 23 or port 110, is open for a wide - private network in either TCP or UDP protocol ' - group: cloud-resources-public-access - name: 92fe237e-074c-4262-81a4-2077acb928c1 - pretty_name: Sensitive Port Is Exposed To Wide Private Network - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group - 9307a2ed-35c2-413d-94de-a1a0682c2158: - categories: - - ALL - - boost-baseline - description: 'Microsoft.ContainerService/managedClusters should have enableRBAC - set to true ' - group: cloud-insecure-iam - name: 9307a2ed-35c2-413d-94de-a1a0682c2158 - pretty_name: AKS Cluster RBAC Disabled - recommended: true - ref: https://docs.microsoft.com/en-us/azure/templates/microsoft.containerservice/managedclusters?tabs=json - 934613fe-b12c-4e5a-95f5-c1dcdffac1ff: - categories: - - ALL - - boost-baseline - description: 'AWS CloudWatch should have CloudWatch Logs enabled in order to monitor, - store, and access log events ' - group: top10-security-logging-monitoring-failures - 
name: 934613fe-b12c-4e5a-95f5-c1dcdffac1ff - pretty_name: CloudWatch Without Retention Period Specified - recommended: true - ref: https://doc.crds.dev/github.com/crossplane/provider-aws/cloudwatchlogs.aws.crossplane.io/LogGroup/v1alpha1@v0.29.0#spec-forProvider-retentionInDays - 9356962e-4a4f-4d06-ac59-dc8008775eaa: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Gmail accounts are being used instead of corporate credentials ' - group: cloud-weak-configuration - name: 9356962e-4a4f-4d06-ac59-dc8008775eaa - pretty_name: Not Proper Email Account In Use - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_project_iam#google_project_iam_binding - 9391103a-d8d7-4671-ac5d-606ba7ccb0ac: - categories: - - ALL - - boost-baseline - description: 'When using etcd commands, the ''--client-cert-auth'' flag should - be defined ' - group: cloud-weak-secrets-management - name: 9391103a-d8d7-4671-ac5d-606ba7ccb0ac - pretty_name: Etcd Client Certificate Authentication Set To False - recommended: true - ref: https://etcd.io/docs/v3.4/op-guide/security/ - 93d88cf7-f078-46a8-8ddc-178e03aeacf1: - categories: - - ALL - - boost-baseline - description: 'Specifying a package version allows to reduce failures due to unanticipated - changes in required packages. 
' - group: supply-chain-scm-weak-configuration - name: 93d88cf7-f078-46a8-8ddc-178e03aeacf1 - pretty_name: Missing Version Specification In dnf install - recommended: true - ref: https://docs.docker.com/develop/develop-images/dockerfile_best-practices/ - 94690d79-b3b0-43de-b656-84ebef5753e5: - categories: - - ALL - - boost-baseline - description: 'AWS CloudFront distributions should have logging enabled to collect - all viewer requests, which means the attribute ''logging_config'' should be - defined ' - group: top10-security-logging-monitoring-failures - name: 94690d79-b3b0-43de-b656-84ebef5753e5 - pretty_name: CloudFront Logging Disabled - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_distribution - 9488c451-074e-4cd3-aee3-7db6104f542c: - categories: - - ALL - - boost-baseline - description: 'AWS Lambda functions should have TracingConfig enabled. For this, - property ''tracingConfig.mode'' should have the value ''Active'' ' - group: top10-security-logging-monitoring-failures - name: 9488c451-074e-4cd3-aee3-7db6104f542c - pretty_name: Lambda Functions Without X-Ray Tracing - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-lambda-function-tracingconfig.html - 949376f1-f560-4c6d-a016-63424ca931bb: - categories: - - ALL - - boost-baseline - description: Schema discriminator property should be a string - group: top10-insecure-design - name: 949376f1-f560-4c6d-a016-63424ca931bb - pretty_name: Schema Discriminator Property Not String (v2) - recommended: true - ref: https://swagger.io/specification/v2/#schema-object - 94b76ea5-e074-4ca2-8a03-c5a606e30645: - categories: - - ALL - - boost-baseline - description: 'Kubernetes APIs evolve over time and are sometimes removed with - newer releases. To prevent incompatibilities when upgrading Kubernetes, deprecated - APIs should be replaced with newer and more stable API versions. 
' - group: top10-insecure-design - name: 94b76ea5-e074-4ca2-8a03-c5a606e30645 - pretty_name: Object Is Using A Deprecated API Version - recommended: true - ref: https://kubernetes.io/docs/reference/using-api/deprecation-guide/ - 94fbe150-27e3-4eba-9ca6-af32865e4503: - categories: - - ALL - - boost-baseline - description: 'User with privilege escalation by actions ''glue:CreateDevEndpoint'' - and ''iam:PassRole'' and Resource set to ''*''. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. ' - group: cloud-insecure-iam - name: 94fbe150-27e3-4eba-9ca6-af32865e4503 - pretty_name: User With Privilege Escalation By Actions 'glue:CreateDevEndpoint' - And 'iam:PassRole' - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy#policy - 9513a694-aa0d-41d8-be61-3271e056f36b: - categories: - - ALL - - boost-baseline - description: 'Using ADD to load external installation scripts could lead to an - evil web server leveraging this and loading a malicious script. 
' - group: supply-chain-scm-weak-configuration - name: 9513a694-aa0d-41d8-be61-3271e056f36b - pretty_name: Add Instead of Copy - recommended: true - ref: https://docs.docker.com/engine/reference/builder/#add - 953b3cdb-ce13-428a-aa12-318726506661: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'IAM policies shouldn''t allow full administrative privileges (for - all resources) ' - group: cloud-insecure-iam - name: 953b3cdb-ce13-428a-aa12-318726506661 - pretty_name: IAM Policies With Full Privileges - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-policy.html - 95588189-1abd-4df1-9588-b0a5034f9e87: - categories: - - ALL - - boost-baseline - description: 'Containers should be configured with AppArmor for any application - to reduce its potential attack ' - group: cloud-insecure-iam - name: 95588189-1abd-4df1-9588-b0a5034f9e87 - pretty_name: Missing App Armor Config - recommended: true - ref: https://www.pulumi.com/registry/packages/kubernetes/api-docs/core/v1/pod/#objectmeta - 95601b9a-7fe8-4aee-9b58-d36fd9382dfc: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Kubernetes Engine Clusters must have Stackdriver Logging enabled, - which means the attribute ''loggingService'' must be defined and different from - ''none'' ' - group: top10-security-logging-monitoring-failures - name: 95601b9a-7fe8-4aee-9b58-d36fd9382dfc - pretty_name: Stackdriver Logging Disabled - recommended: true - ref: https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1/projects.zones.clusters - 9564406d-e761-4e61-b8d7-5926e3ab8e79: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'The IP address in a DB Security Group should not be ''0.0.0.0/0'' - (IPv4) or ''::/0'' (IPv6). 
If so, any IP can access it ' - group: cloud-resources-public-access - name: 9564406d-e761-4e61-b8d7-5926e3ab8e79 - pretty_name: DB Security Group With Public Scope - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-rds-database-instance.html - 9587c890-0524-40c2-9ce2-663af7c2f063: - categories: - - ALL - - boost-baseline - description: 'When using kube-apiserver command, the ''--disable-admission-plugins'' - flag should not have ''ServiceAccount'' plugin ' - group: cloud-insecure-iam - name: 9587c890-0524-40c2-9ce2-663af7c2f063 - pretty_name: Service Account Admission Control Plugin Disabled - recommended: true - ref: https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/ - 961ce567-a16d-4d7d-9027-f0ec2628a555: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Make sure that for PosgreSQL, the ''Enforce SSL connection'' is - set to ''ENABLED'' ' - group: top10-crypto-failures - name: 961ce567-a16d-4d7d-9027-f0ec2628a555 - pretty_name: SSL Enforce Disabled - recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_postgresqlserver_module.html#parameter-enforce_ssl - 962fa01e-b791-4dcc-b04a-4a3e7389be5e: - categories: - - ALL - - boost-baseline - description: 'Components schemas definitions should be referenced or removed from - Open API definition ' - group: top10-insecure-design - name: 962fa01e-b791-4dcc-b04a-4a3e7389be5e - pretty_name: Components Schema Definition Is Unused - recommended: true - ref: https://swagger.io/specification/#components-object - 9630336b-3fed-4096-8173-b9afdfe346a7: - categories: - - ALL - - boost-baseline - description: 'Checks if the ECR Image has been scanned ' - group: top10-crypto-failures - name: 9630336b-3fed-4096-8173-b9afdfe346a7 - pretty_name: Unscanned ECR Image - recommended: true - ref: 
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_repository#scan_on_push - 965a043f-5f3c-4d0a-be72-d9ce12fdb4d6: - categories: - - ALL - - boost-baseline - description: Put should define at least one success response (200, 201, 202 or - 204) - group: cloud-resources-public-access - name: 965a043f-5f3c-4d0a-be72-d9ce12fdb4d6 - pretty_name: Success Response Code Undefined for Put Operation (v2) - recommended: true - ref: https://swagger.io/specification/v2/#operation-object - 965a08d7-ef86-4f14-8792-4a3b2098937e: - categories: - - ALL - - boost-baseline - description: 'When installing a package, its pin version should be defined ' - group: supply-chain-scm-weak-configuration - name: 965a08d7-ef86-4f14-8792-4a3b2098937e - pretty_name: Apt Get Install Pin Version Not Defined - recommended: true - ref: https://docs.docker.com/develop/develop-images/dockerfile_best-practices/ - 965e8830-2bec-4b9b-a7f0-24dbc200a68f: - categories: - - ALL - - boost-baseline - description: 'This query confirms if Google Compute SSL Policy Weak Chyper Suits - is Enabled, to do so we need to check if TLS is TLS_1_2, because other version - have Weak Chypers ' - group: top10-crypto-failures - name: 965e8830-2bec-4b9b-a7f0-24dbc200a68f - pretty_name: Google Compute SSL Policy Weak Cipher In Use - recommended: true - ref: https://www.pulumi.com/registry/packages/gcp/api-docs/compute/sslpolicy/#mintlsversion_yaml - 9670f240-7b4d-4955-bd93-edaa9fa38b58: - categories: - - ALL - - boost-baseline - description: 'The property ''url'' in the Path Server Object should only allow - ''HTTPS'' protocols to ensure an encrypted connection ' - group: top10-crypto-failures - name: 9670f240-7b4d-4955-bd93-edaa9fa38b58 - pretty_name: Path Server Object Uses HTTP (v3) - recommended: true - ref: https://swagger.io/specification/#server-object - 96729c6b-7400-4d9e-9807-17f00cdde4d2: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'All paths should have 
security scheme, if it is omitted, global - security field should be defined ' - group: cloud-insecure-iam - name: 96729c6b-7400-4d9e-9807-17f00cdde4d2 - pretty_name: No Global And Operation Security Defined (v3) - recommended: true - ref: https://swagger.io/specification/#security-requirement-object - 967575e5-eb44-4c24-aadb-7e33608ed30a: - categories: - - ALL - - boost-baseline - description: The Schema Object should not be empty to avoid accepting any JSON - values - group: cloud-weak-configuration - name: 967575e5-eb44-4c24-aadb-7e33608ed30a - pretty_name: Schema Object is Empty (v2) - recommended: true - ref: https://swagger.io/specification/v2/#schemaObject - 967eb3e6-26fc-497d-8895-6428beb6e8e2: - categories: - - ALL - - boost-baseline - description: 'Elasticsearch Domain encryption should be enabled node to node ' - group: top10-crypto-failures - name: 967eb3e6-26fc-497d-8895-6428beb6e8e2 - pretty_name: Elasticsearch Domain Not Encrypted Node To Node - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/elasticsearch_domain#node_to_node_encryption - 96beb800-566f-49a9-a0ea-dbdf4bc80429: - categories: - - ALL - - boost-baseline - description: 'Each field on Open API specification which accepts ''$ref'', infers - that field is using a reference object, which has only ''$ref'' key ' - group: top10-insecure-design - name: 96beb800-566f-49a9-a0ea-dbdf4bc80429 - pretty_name: JSON '$ref' alongside other properties (v3) - recommended: true - ref: https://swagger.io/specification/#reference-object - 96e8183b-e985-457b-90cd-61c0503a3369: - categories: - - ALL - - boost-baseline - description: 'Global Accelerator should have flow logs enabled ' - group: top10-security-logging-monitoring-failures - name: 96e8183b-e985-457b-90cd-61c0503a3369 - pretty_name: Global Accelerator Flow Logs Disabled - recommended: true - ref: 
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/globalaccelerator_accelerator#flow_logs_enabled - 96ed3526-0179-4c73-b1b2-372fde2e0d13: - categories: - - ALL - - boost-baseline - description: 'It isn''t recommended to use resources in default VPC ' - group: top10-security-logging-monitoring-failures - name: 96ed3526-0179-4c73-b1b2-372fde2e0d13 - pretty_name: Default VPC Exists - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/default_vpc - 96fe318e-d631-4156-99fa-9080d57280ae: - categories: - - ALL - - boost-baseline - description: 'Periodically newer versions are released for PHP software either - due to security flaws or to include additional functionality. Using the latest - PHP version for web apps is recommended in order to take advantage of security - fixes, if any, and/or additional functionalities of the newer version. ' - group: top10-insecure-design - name: 96fe318e-d631-4156-99fa-9080d57280ae - pretty_name: App Service Without Latest PHP Version - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/app_service#php_version - 970d224d-b42a-416b-81f9-8f4dfe70c4bc: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'The AWS Root Account must not have active access keys associated, - which means if there are access keys associated to the Root Account, they must - be inactive. ' - group: cloud-weak-configuration - name: 970d224d-b42a-416b-81f9-8f4dfe70c4bc - pretty_name: Root Account Has Active Access Keys - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_access_key - 970ed7a2-0aca-4425-acf1-0453c9ecbca1: - categories: - - ALL - - boost-baseline - description: 'Group with privilege escalation by actions ''iam:AddUserToGroup'' - and Resource set to ''*''. 
For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. ' - group: cloud-insecure-iam - name: 970ed7a2-0aca-4425-acf1-0453c9ecbca1 - pretty_name: Group With Privilege Escalation By Actions 'iam:AddUserToGroup' - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_policy#policy - 97707503-a22c-4cd7-b7c0-f088fa7cf830: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'AWS AMI Encryption is not enabled ' - group: top10-crypto-failures - name: 97707503-a22c-4cd7-b7c0-f088fa7cf830 - pretty_name: AMI Not Encrypted - recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/amazon/aws/ec2_ami_module.html - 97cb0688-369a-4d26-b1f7-86c4c91231bc: - categories: - - ALL - - boost-baseline - description: 'ECS Cluster should enable container insights ' - group: top10-security-logging-monitoring-failures - name: 97cb0688-369a-4d26-b1f7-86c4c91231bc - pretty_name: ECS Cluster with Container Insights Disabled - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecs_cluster#setting - 97e94d17-e2c7-4109-a53b-6536ac1bb64e: - categories: - - ALL - - boost-baseline - description: 'The number of gateways attached should not approach or go beyond - the limit of 3, in a particular VPC ' - group: top10-insecure-design - name: 97e94d17-e2c7-4109-a53b-6536ac1bb64e - pretty_name: VPC Attached With Too Many Gateways - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-vpc-gateway-attachment.html - 97fa667a-d05b-4f16-9071-58b939f34751: - categories: - - ALL - - boost-baseline - description: 'Google Compute Engine VM instances should not enable serial ports. 
- When enabled, anyone can access your VM, if they know the username, project - ID, SSH key, instance name and zone ' - group: cloud-resources-public-access - name: 97fa667a-d05b-4f16-9071-58b939f34751 - pretty_name: Serial Ports Are Enabled For VM Instances - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_instance - 98295b32-ec09-4b5b-89a9-39853197f914: - categories: - - ALL - - boost-baseline - description: 'Schema reference should exists on definitions field ' - group: top10-insecure-design - name: 98295b32-ec09-4b5b-89a9-39853197f914 - pretty_name: Schema JSON Reference Does Not Exists (v2) - recommended: true - ref: https://swagger.io/specification/v2/#definitionsObject - 982aa526-6970-4c59-8b9b-2ce7e019fe36: - categories: - - ALL - - boost-baseline - description: 'AWS CloudWatch Logs for APIs should be enabled and using the naming - convention described in documentation ' - group: top10-security-logging-monitoring-failures - name: 982aa526-6970-4c59-8b9b-2ce7e019fe36 - pretty_name: API Gateway With CloudWatch Logging Disabled - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_stage#managing-the-api-logging-cloudwatch-log-group - 9850d621-7485-44f7-8bdd-b3cf426315cf: - categories: - - ALL - - boost-baseline - description: 'IAM password should have the required minimum length ' - group: top10-insecure-design - name: 9850d621-7485-44f7-8bdd-b3cf426315cf - pretty_name: IAM Password Without Minimum Length - recommended: true - ref: https://www.pulumi.com/registry/packages/aws/api-docs/iam/accountpasswordpolicy/#minimumpasswordlength_yaml - 98a8f708-121b-455b-ae2f-da3fb59d17e1: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'If the CORS (Cross-Origin Resource Sharing) rule is defined in an - S3 bucket, it should be secure ' - group: cloud-weak-configuration - name: 98a8f708-121b-455b-ae2f-da3fb59d17e1 - 
pretty_name: S3 Bucket with Unsecured CORS Rule - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#cors_rule - 98ce8b81-7707-4734-aa39-627c6db3d84b: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'When using etcd commands, the ''--auto-tls'' should be set to false ' - group: cloud-weak-secrets-management - name: 98ce8b81-7707-4734-aa39-627c6db3d84b - pretty_name: Auto TLS Set To True - recommended: true - ref: https://etcd.io/docs/v3.4/op-guide/security/ - 98d59056-f745-4ef5-8613-32bca8d40b7e: - categories: - - ALL - - boost-baseline - description: 'Neptune database cluster storage should have encryption enabled ' - group: top10-crypto-failures - name: 98d59056-f745-4ef5-8613-32bca8d40b7e - pretty_name: Neptune Database Cluster Encryption Disabled - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/neptune_cluster#storage_encrypted - 98e04ca0-34f5-4c74-8fec-d2e611ce2790: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Kubernetes Engine Clusters must have Network Policy enabled, meaning - that the attribute ''network_policy.enabled'' must be true and the attribute - ''addons_config.network_policy_config.disabled'' must be false ' - group: cloud-weak-configuration - name: 98e04ca0-34f5-4c74-8fec-d2e611ce2790 - pretty_name: Network Policy Disabled - recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_container_cluster_module.html - 990eaf09-d6f1-4c3c-b174-a517b1de8917: - categories: - - ALL - - boost-baseline - description: 'Responses Object should not be empty ' - group: top10-insecure-design - name: 990eaf09-d6f1-4c3c-b174-a517b1de8917 - pretty_name: Responses Object Is Empty (v3) - recommended: true - ref: https://swagger.io/specification/#responses-object - 99614418-f82b-4852-a9ae-5051402b741c: - categories: - - ALL - - boost-baseline - description: 'The 
MAINTAINER instruction sets the Author field of the generated - images. The LABEL instruction is a much more flexible version of this and you - should use it instead, as it enables setting any metadata you require, and can - be viewed easily ' - group: top10-insecure-design - name: 99614418-f82b-4852-a9ae-5051402b741c - pretty_name: MAINTAINER Instruction Being Used - recommended: true - ref: https://docs.docker.com/engine/reference/builder/#maintainer-deprecated - 99733b39-6413-4ed8-8acf-dc7cdc9b4e51: - categories: - - ALL - - boost-baseline - - boost-hardened - description: API Keys should not be sent as cleartext over an unencrypted channel - group: cloud-insecure-iam - name: 99733b39-6413-4ed8-8acf-dc7cdc9b4e51 - pretty_name: Cleartext API Key In Operation Security (v2) - recommended: true - ref: https://swagger.io/specification/v2/#securityDefinitionsObject - 99eb2c95-2040-4104-9e7c-e16f7474d218: - categories: - - ALL - - boost-baseline - - boost-hardened - description: Array schema/parameter should have the field 'maxItems' set - group: cloud-weak-configuration - name: 99eb2c95-2040-4104-9e7c-e16f7474d218 - pretty_name: Array Without Maximum Number of Items (v2) - recommended: true - ref: https://swagger.io/specification/v2/#parameterObject - 9a205ba3-0dd1-42eb-8d54-2ffec836b51a: - categories: - - ALL - - boost-baseline - description: 'Role with privilege escalation by actions ''iam:CreateLoginProfile'' - and Resource set to ''*''. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. 
' - group: cloud-insecure-iam - name: 9a205ba3-0dd1-42eb-8d54-2ffec836b51a - pretty_name: Role With Privilege Escalation By Actions 'iam:CreateLoginProfile' - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy#policy - 9a4ef195-74b9-4c58-b8ed-2b2fe4353a75: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Default Security Group attached to every VPC should restrict all - traffic ' - group: cloud-resources-public-access - name: 9a4ef195-74b9-4c58-b8ed-2b2fe4353a75 - pretty_name: VPC Default Security Group Accepts All Traffic - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/default_security_group - 9aa32890-ac1a-45ee-81ca-5164e2098556: - categories: - - ALL - - boost-baseline - description: 'Containers need to have NET_RAW or All as drop capabilities ' - group: cloud-weak-configuration - name: 9aa32890-ac1a-45ee-81ca-5164e2098556 - pretty_name: NET_RAW Capabilities Disabled for PSP - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod_security_policy#required_drop_capabilities - 9aa6e95c-d964-4239-a3a8-9f37a3c5a31f: - categories: - - ALL - - boost-baseline - description: 'Using an scope on global security field that is undefined on ''securityDefinitions'' - can be defined by an attacker ' - group: cloud-insecure-iam - name: 9aa6e95c-d964-4239-a3a8-9f37a3c5a31f - pretty_name: Undefined Scope 'securityDefinition' On Global 'security' Field - recommended: true - ref: https://swagger.io/specification/v2/#security-scheme-object - 9b09dee1-f09b-4013-91d2-158fa4695f4b: - categories: - - ALL - - boost-baseline - description: 'Azure Kubernetes Service should have logging to Azure Monitoring - enabled. 
' - group: top10-security-logging-monitoring-failures - name: 9b09dee1-f09b-4013-91d2-158fa4695f4b - pretty_name: AKS Logging To Azure Monitoring Is Disabled - recommended: true - ref: https://docs.microsoft.com/en-us/azure/templates/microsoft.containerservice/managedclusters?tabs=json#managedclusteraddonprofile - 9b0ffadc-a61f-4c2a-b1e6-68fab60f6267: - categories: - - ALL - - boost-baseline - description: 'Group with privilege escalation by actions ''cloudformation:CreateStack'' - and ''iam:PassRole'' and Resource set to ''*''. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. ' - group: cloud-insecure-iam - name: 9b0ffadc-a61f-4c2a-b1e6-68fab60f6267 - pretty_name: Group With Privilege Escalation By Actions 'cloudformation:CreateStack' - And 'iam:PassRole' - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_policy#policy - 9b18fc19-7fb8-49b1-8452-9c757c70f926: - categories: - - ALL - - boost-baseline - description: 'ElastiCache Nodes should be created across multi az, which means - ''AZMode'' should be set to ''cross-az'' in multi nodes cluster ' - group: top10-insecure-design - name: 9b18fc19-7fb8-49b1-8452-9c757c70f926 - pretty_name: ElastiCache Nodes Not Created Across Multi AZ - recommended: true - ref: https://www.pulumi.com/registry/packages/aws/api-docs/elasticache/cluster/#azmode_yaml - 9b633f3b-c94b-4fbb-a65b-1a4e9134fb63: - categories: - - ALL - - boost-baseline - description: Get should define at least one success response (200 or 202) - group: cloud-resources-public-access - name: 9b633f3b-c94b-4fbb-a65b-1a4e9134fb63 - pretty_name: Success Response Code Undefined for Get Operation (v2) - recommended: true - ref: https://swagger.io/specification/v2/#operation-object - 9b6a3f5b-5fd6-40ee-9bc0-ed604911212d: - categories: - - ALL - - boost-baseline - description: 'Checks for dangerous permissions in Action statements in an SQS - Queue Policy. 
This is deemed a potential security risk as it would allow various - attacks to the queue ' - group: cloud-insecure-iam - name: 9b6a3f5b-5fd6-40ee-9bc0-ed604911212d - pretty_name: SQS Policy With Public Access - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-sqs-policy.html - 9b6b0f38-92a2-41f9-b881-3a1083d99f1b: - categories: - - ALL - - boost-baseline - description: 'Some POSIX commands and interactive utilities shouldn''t run inside - a Docker Container ' - group: supply-chain-scm-weak-configuration - name: 9b6b0f38-92a2-41f9-b881-3a1083d99f1b - pretty_name: Run Utilities And POSIX Commands - recommended: true - ref: https://docs.docker.com/engine/reference/builder/#run - 9b83114b-b2a1-4534-990d-06da015e47aa: - categories: - - ALL - - boost-baseline - description: 'Lambda permission may be misconfigured if the action field is not - filled in by ''lambda:InvokeFunction'' ' - group: top10-insecure-design - name: 9b83114b-b2a1-4534-990d-06da015e47aa - pretty_name: Lambda Permission Misconfigured - recommended: true - ref: https://docs.aws.amazon.com/pt_br/AWSCloudFormation/latest/UserGuide/aws-resource-lambda-permission.html - 9b877bd8-94b4-4c10-a060-8e0436cc09fa: - categories: - - ALL - - boost-baseline - description: 'User with privilege escalation by actions ''glue:UpdateDevEndpoint'' - and Resource set to ''*''. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. 
' - group: cloud-insecure-iam - name: 9b877bd8-94b4-4c10-a060-8e0436cc09fa - pretty_name: User With Privilege Escalation By Actions 'glue:UpdateDevEndpoint' - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy#policy - 9ba198e0-fef4-464a-8a4d-75ea55300de7: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Neptune Cluster Instance should not be publicly accessible ' - group: cloud-insecure-iam - name: 9ba198e0-fef4-464a-8a4d-75ea55300de7 - pretty_name: Neptune Cluster Instance is Publicly Accessible - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/neptune_cluster_instance#publicly_accessible - 9bae49be-0aa3-4de5-bab2-4c3a069e40cd: - categories: - - ALL - - boost-baseline - description: 'Instruction ''RUN update'' should always be followed by '' install'' - in the same RUN statement ' - group: supply-chain-cicd-weak-configuration - name: 9bae49be-0aa3-4de5-bab2-4c3a069e40cd - pretty_name: Update Instruction Alone - recommended: true - ref: https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#run - 9bb3c639-5edf-458c-8ee5-30c17c7d671d: - categories: - - ALL - - boost-baseline - description: 'Azure Function App should have ''client_cert_mode'' set to required ' - group: cloud-weak-configuration - name: 9bb3c639-5edf-458c-8ee5-30c17c7d671d - pretty_name: Function App Client Certificates Unrequired - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/function_app#client_cert_mode - 9c238c97-1991-4c0b-9c7d-6c7912e1dc7c: - categories: - - ALL - - boost-baseline - description: 'API Keys should not be sent as cleartext over an unencrypted channel ' - group: cloud-insecure-iam - name: 9c238c97-1991-4c0b-9c7d-6c7912e1dc7c - pretty_name: Cleartext API Key In Global Security (v3) - recommended: true - ref: https://swagger.io/specification/#security-scheme-object 
- 9c301481-e6ec-44f7-8a49-8ec63e2969ea: - categories: - - ALL - - boost-baseline - description: 'Make sure that for MSSQL Server, the Auditing Retention is greater - than 90 days ' - group: top10-security-logging-monitoring-failures - name: 9c301481-e6ec-44f7-8a49-8ec63e2969ea - pretty_name: Small MSSQL Audit Retention Period - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/mssql_server - 9c3ea128-7e9a-4b4c-8a32-75ad17a2d3ae: - categories: - - ALL - - boost-baseline - description: 'Components responses definitions should be referenced or removed - from Open API definition ' - group: top10-insecure-design - name: 9c3ea128-7e9a-4b4c-8a32-75ad17a2d3ae - pretty_name: Components Response Definition Is Unused - recommended: true - ref: https://swagger.io/specification/#components-object - 9c7028d9-04c2-45be-b8b2-1188ccaefb36: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'SageMaker Notebook must be placed in a VPC ' - group: cloud-resources-public-access - name: 9c7028d9-04c2-45be-b8b2-1188ccaefb36 - pretty_name: SageMaker Notebook Not Placed In VPC - recommended: true - ref: https://docs.aws.amazon.com/sagemaker/latest/dg/security_iam_id-based-policy-examples.html#sagemaker-condition-nbi-lockdown - 9cf25d62-0b96-42c8-b66d-998cd6ee5bb8: - categories: - - ALL - - boost-baseline - description: 'IAM user resource Login Profile Password should have at least one - number ' - group: top10-insecure-design - name: 9cf25d62-0b96-42c8-b66d-998cd6ee5bb8 - pretty_name: IAM Password Without Number - recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/community/aws/iam_password_policy_module.html - 9cf718ce-46f9-430e-89ec-c456f8b469ee: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'User Data Shell Script must be encoded ' - group: top10-crypto-failures - name: 9cf718ce-46f9-430e-89ec-c456f8b469ee - pretty_name: User Data Shell Script Is Encoded - 
recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/launch_configuration#user_data_base64 - 9d0d4512-1959-43a2-a17f-72360ff06d1b: - categories: - - ALL - - boost-baseline - description: 'Ensure a log metric filter and alarm exist for VPC changes ' - group: top10-security-logging-monitoring-failures - name: 9d0d4512-1959-43a2-a17f-72360ff06d1b - pretty_name: CloudWatch VPC Changes Alarm Missing - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_metric_filter#pattern - 9d13b150-a2ab-42a1-b6f4-142e41f81e52: - categories: - - ALL - - boost-baseline - description: 'KmsMasterKeyId attribute should not be undefined ' - group: cloud-weak-secrets-management - name: 9d13b150-a2ab-42a1-b6f4-142e41f81e52 - pretty_name: SNS Topic Without KmsMasterKeyId - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-sns-topic.html - 9d43040e-e703-4e16-8bfe-8d4da10fa7e6: - categories: - - ALL - - boost-baseline - description: 'A Pod''s Containers must have the same CPU requests as limits set, - which is recommended to avoid resource DDOS of the node during spikes. This - means the ''requests.cpu'' must equal ''limits.cpu'', and both be defined. 
' - group: cloud-insecure-iam - name: 9d43040e-e703-4e16-8bfe-8d4da10fa7e6 - pretty_name: Container CPU Requests Not Equal To It's Limits - recommended: true - ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - 9d47956b-29cd-43b1-9e6e-b39a4d484353: - categories: - - ALL - - boost-baseline - description: Non-Array Schema should not have 'items' defined - group: top10-insecure-design - name: 9d47956b-29cd-43b1-9e6e-b39a4d484353 - pretty_name: Non-Array Schema With Items (v2) - recommended: true - ref: https://swagger.io/specification/v2/#schema-object - 9d967a2b-9d64-41a6-abea-dfc4960299bd: - categories: - - ALL - - boost-baseline - description: 'Schema of the JSON object should have properties defined and ''additionalProperties'' - set to false. ' - group: cloud-weak-configuration - name: 9d967a2b-9d64-41a6-abea-dfc4960299bd - pretty_name: JSON Object Schema Without Properties (v3) - recommended: true - ref: https://swagger.io/specification/#schema-object - 9dab0179-433d-4dff-af8f-0091025691df: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Azure Function App should only enforce FTPS when ''ftps_state'' - is enabled ' - group: cloud-weak-configuration - name: 9dab0179-433d-4dff-af8f-0091025691df - pretty_name: Function App FTPS Enforce Disabled - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/function_app#ftps_state - 9db38e87-f6aa-4b5e-a1ec-7266df259409: - categories: - - ALL - - boost-baseline - description: 'Make sure that alerts notifications are set to ''On'' in the Azure - Security Center Contact ' - group: top10-security-logging-monitoring-failures - name: 9db38e87-f6aa-4b5e-a1ec-7266df259409 - pretty_name: Email Alerts Disabled - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/security_center_contact - 9df7f78f-ebe3-432e-ac3b-b67189c15518: - categories: - - ALL - - boost-baseline - 
- boost-hardened - description: 'Kubernetes Engine Clusters must have Master Authentication set to - enabled, which means the attribute ''master_auth'' must have the subattributes - ''username'' and ''password'' defined and not empty ' - group: cloud-weak-configuration - name: 9df7f78f-ebe3-432e-ac3b-b67189c15518 - pretty_name: Cluster Master Authentication Disabled - recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_container_cluster_module.html - 9e0c33ed-97f3-4ed6-8be9-bcbf3f65439f: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'GCP SQL Instance should not have Cross DB Ownership Chaining On ' - group: cloud-weak-configuration - name: 9e0c33ed-97f3-4ed6-8be9-bcbf3f65439f - pretty_name: Cloud SQL Instance With Cross DB Ownership Chaining On - recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_sql_instance_module.html#parameter-settings/database_flags - 9e8c89b3-7997-4d15-93e4-7911b9db99fd: - categories: - - ALL - - boost-baseline - description: 'Check if any ECS service has inline policies attached, which are - embedded directly into an entity (user, group,...), instead of the equivalent - recommended managed policies. 
' - group: cloud-weak-configuration - name: 9e8c89b3-7997-4d15-93e4-7911b9db99fd - pretty_name: Inline Policies Are Attached To ECS Service - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ecs-service.html - 9ec311bf-dfd9-421f-8498-0b063c8bc552: - categories: - - ALL - - boost-baseline - description: 'AWS IAM Users should not have access to console ' - group: cloud-insecure-iam - name: 9ec311bf-dfd9-421f-8498-0b063c8bc552 - pretty_name: IAM User With Access To Console - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_login_profile - 9ecb6b21-18bc-4aa7-bd07-db20f1c746db: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Specifying credentials in the template itself is probably not safe - to do. ' - group: top10-crypto-failures - name: 9ecb6b21-18bc-4aa7-bd07-db20f1c746db - pretty_name: CloudFormation Specifying Credentials Not Safe - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-authentication.html - 9ed08714-b2f3-4c6d-8fb0-ac0b74ad71d8: - categories: - - ALL - description: 'A list of Pub/Sub Topic resources found. Cloud Pub/Sub is designed - to provide reliable, many-to-many, asynchronous messaging between applications. - Publisher applications can send messages to a ''topic'' and other applications - can subscribe to that topic to receive the messages. 
' - group: supply-chain-missing-artifact-integrity-verification - name: 9ed08714-b2f3-4c6d-8fb0-ac0b74ad71d8 - pretty_name: BOM - GCP PST - ref: https://kics.io/ - 9ef08939-ea40-489c-8851-667870b2ef50: - categories: - - ALL - - boost-baseline - description: 'The ROS Stack Notifications should be defined and populated to receive - stack related events ' - group: top10-security-logging-monitoring-failures - name: 9ef08939-ea40-489c-8851-667870b2ef50 - pretty_name: ROS Stack Notifications Disabled - recommended: true - ref: https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/ros_stack#notification_urls - 9ef7d25d-9764-4224-9968-fa321c56ef76: - categories: - - ALL - - boost-baseline - description: 'Unchangeable passwords in AWS password policy ' - group: cloud-weak-configuration - name: 9ef7d25d-9764-4224-9968-fa321c56ef76 - pretty_name: AWS Password Policy With Unchangeable Passwords - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_account_password_policy - 9efb0b2d-89c9-41a3-91ca-dcc0aec911fd: - categories: - - ALL - - boost-baseline - description: 'Always tag the version of an image explicitly ' - group: supply-chain-scm-weak-configuration - name: 9efb0b2d-89c9-41a3-91ca-dcc0aec911fd - pretty_name: Image Version Not Explicit - recommended: true - ref: https://docs.docker.com/engine/reference/builder/#from - 9f34885e-c08f-4d13-a7d1-cf190c5bd268: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Check if the redis version is compliant with the necessary AWS PCI - DSS requirements ' - group: top10-crypto-failures - name: 9f34885e-c08f-4d13-a7d1-cf190c5bd268 - pretty_name: Redis Not Compliant - recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/community/aws/elasticache_module.html#parameter-cache_engine_version - 9f3cf08e-72a2-4eb1-8007-e3b1b0e10d4d: - categories: - - ALL - - boost-baseline - description: 'AWS Config Configuration 
Aggregator All Regions must be set to True ' - group: top10-security-logging-monitoring-failures - name: 9f3cf08e-72a2-4eb1-8007-e3b1b0e10d4d - pretty_name: Configuration Aggregator to All Regions Disabled - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-config-configurationaggregator.html - 9f40c07e-699e-4410-8856-3ba0f2e3a2dd: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'The CA certificate Identifier must be ''rds-ca-2019''. ' - group: top10-crypto-failures - name: 9f40c07e-699e-4410-8856-3ba0f2e3a2dd - pretty_name: CA Certificate Identifier Is Outdated - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance - 9f4a9409-9c60-4671-be96-9716dbf63db1: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Network_Mode should be ''awsvpc'' in ecs_task_definition. AWS VPCs - provides the controls to facilitate a formal process for approving and testing - all network connections and changes to the firewall and router configurations ' - group: cloud-weak-configuration - name: 9f4a9409-9c60-4671-be96-9716dbf63db1 - pretty_name: ECS Task Definition Network Mode Not Recommended - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecs_task_definition#network_mode - 9f85c3f6-26fd-4007-938a-2e0cb0100980: - categories: - - ALL - - boost-baseline - description: 'Roles or ClusterRoles with the permission ''impersonate'' allow - subjects to assume the rights of other users, groups, or service accounts. 
In - case of compromise, attackers may abuse this sudo-like functionality to achieve - privilege escalation ' - group: cloud-insecure-iam - name: 9f85c3f6-26fd-4007-938a-2e0cb0100980 - pretty_name: RBAC Roles with Impersonate Permission - recommended: true - ref: https://kubernetes.io/docs/reference/access-authn-authz/authentication/#user-impersonation - 9f88c88d-824d-4d9a-b985-e22977046042: - categories: - - ALL - - boost-baseline - description: 'Objects should not accept ''additionalProperties'' if it is possible ' - group: cloud-weak-configuration - name: 9f88c88d-824d-4d9a-b985-e22977046042 - pretty_name: Additional Properties Too Permissive - recommended: true - ref: https://swagger.io/specification/#schema-object - 9fcd0a0a-9b6f-4670-a215-d94e6bf3f184: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'IAM Database Auth Enabled should be configured to true when using - compatible engine and version ' - group: top10-crypto-failures - name: 9fcd0a0a-9b6f-4670-a215-d94e6bf3f184 - pretty_name: IAM Database Auth Not Enabled - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-rds-database-instance.html#cfn-rds-dbinstance-enableiamdatabaseauthentication - 9fedee41-2e6d-4091-b011-4a16b4c18c70: - categories: - - ALL - - boost-baseline - description: Post should define at least one success response (200, 201, 202 or - 204) - group: cloud-resources-public-access - name: 9fedee41-2e6d-4091-b011-4a16b4c18c70 - pretty_name: Success Response Code Undefined for Post Operation (v2) - recommended: true - ref: https://swagger.io/specification/v2/#operation-object - ASP_Best_Coding_Practice_Aptca_Methods_Call_Non_Aptca_Methods: - categories: - - boost-baseline - - ALL - - checkmarx-best-coding-practices - - owasp-top-10 - description: Points out the situation where a method adorned with AllowPartiallyTrustedCallersAttribute - (APTCA) invokes a method without APTCA, thereby exposing potential elevation 
- of privileges threats. - group: top10-insecure-design - name: ASP_Best_Coding_Practice_Aptca_Methods_Call_Non_Aptca_Methods - pretty_name: Aptca Methods Call Non Aptca Methods - ASP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - ASP_Best_Coding_Practice_Dynamic_SQL_Queries: - categories: - - cwe-89 - - owasp-top-10 - - checkmarx-best-coding-practices - - boost-baseline - - ALL - - cwe-top-25 - description: The product constructs all or part of an SQL command using externally-influenced - input from an upstream component, but it does not neutralize or incorrectly - neutralizes special elements that could modify the intended SQL command when - it is sent to a downstream component. - group: top10-injection - name: ASP_Best_Coding_Practice_Dynamic_SQL_Queries - pretty_name: Dynamic SQL Queries - ASP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - ASP_Best_Coding_Practice_Empty_Catch: - categories: - - cwe-390 - - owasp-top-10 - - checkmarx-best-coding-practices - - boost-baseline - - ALL - description: The product detects a specific error, but takes no actions to handle - the error. - group: top10-insecure-design - name: ASP_Best_Coding_Practice_Empty_Catch - pretty_name: Empty Catch - ASP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - ASP_Best_Coding_Practice_Hardcoded_Absolute_Path: - categories: - - cwe-426 - - owasp-top-10 - - checkmarx-best-coding-practices - - boost-baseline - - ALL - description: The product searches for critical resources using an externally-supplied - search path that can point to resources that are not under the product's direct - control. 
- group: top10-software-data-integrity-failures - name: ASP_Best_Coding_Practice_Hardcoded_Absolute_Path - pretty_name: Hardcoded Absolute Path - ASP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - ASP_Best_Coding_Practice_Hardcoded_Connection_String: - categories: - - owasp-top-10 - - checkmarx-best-coding-practices - - boost-baseline - - ALL - - cwe-top-25 - - cwe-798 - description: The product contains hard-coded credentials, such as a password or - cryptographic key, which it uses for its own inbound authentication, outbound - communication to external components, or encryption of internal data. - group: top10-id-authn-failures - name: ASP_Best_Coding_Practice_Hardcoded_Connection_String - pretty_name: Hardcoded Connection String - ASP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - ASP_Best_Coding_Practice_Just_One_of_Equals_and_Hash_code_Defined: - categories: - - ALL - - owasp-top-10 - - checkmarx-best-coding-practices - - boost-baseline - - cwe-581 - description: The product does not maintain equal hashcodes for equal objects. - group: top10-insecure-design - name: ASP_Best_Coding_Practice_Just_One_of_Equals_and_Hash_code_Defined - pretty_name: Just One of Equals and Hash code Defined - ASP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - ASP_Best_Coding_Practice_Missing_XML_Validation: - categories: - - cwe-112 - - owasp-top-10 - - checkmarx-best-coding-practices - - boost-baseline - - ALL - description: The product accepts XML from an untrusted source but does not validate - the XML against the proper schema. 
- group: top10-insecure-design - name: ASP_Best_Coding_Practice_Missing_XML_Validation - pretty_name: Missing XML Validation - ASP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - ASP_Best_Coding_Practice_NULL_Argument_to_Equals: - categories: - - boost-baseline - - ALL - - checkmarx-best-coding-practices - - owasp-top-10 - description: Passing a null argument to the Equals method, which could potentially - lead to a NullReferenceException at runtime. - group: top10-insecure-design - name: ASP_Best_Coding_Practice_NULL_Argument_to_Equals - pretty_name: NULL Argument to Equals - ASP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - ASP_Best_Coding_Practice_Pages_Without_Global_Error_Handler: - categories: - - owasp-top-10 - - cwe-544 - - checkmarx-best-coding-practices - - boost-baseline - - ALL - description: The product does not use a standardized method for handling errors - throughout the code, which might introduce inconsistent error handling and resultant - weaknesses. - group: top10-insecure-design - name: ASP_Best_Coding_Practice_Pages_Without_Global_Error_Handler - pretty_name: Pages Without Global Error Handler - ASP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - ASP_Best_Coding_Practice_PersistSecurityInfo_is_True: - categories: - - boost-baseline - - ALL - - checkmarx-best-coding-practices - - owasp-top-10 - description: When PersistSecurityInfo is set to True in a connection string, sensitive - information like passwords persist in memory, exposing it to potential security - breaches. 
- group: top10-insecure-design - name: ASP_Best_Coding_Practice_PersistSecurityInfo_is_True - pretty_name: PersistSecurityInfo is True - ASP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - ASP_Best_Coding_Practice_Sockets_in_WebApp: - categories: - - boost-baseline - - owasp-top-10 - - checkmarx-best-coding-practices - - cwe-246 - - ALL - description: The J2EE application directly uses sockets instead of using framework - method calls. - group: top10-insecure-design - name: ASP_Best_Coding_Practice_Sockets_in_WebApp - pretty_name: Sockets in WebApp - ASP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - ASP_Best_Coding_Practice_Threads_in_WebApp: - categories: - - ALL - - owasp-top-10 - - checkmarx-best-coding-practices - - boost-baseline - - cwe-383 - description: Thread management in a Web application is forbidden in some circumstances - and is always highly error prone. - group: top10-insecure-design - name: ASP_Best_Coding_Practice_Threads_in_WebApp - pretty_name: Threads in WebApp - ASP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - ASP_Best_Coding_Practice_Unclosed_Objects: - categories: - - boost-baseline - - ALL - - checkmarx-best-coding-practices - - owasp-top-10 - description: Unclosed system resources (such as connections, files, or other types - of system resources) lead to resource leakage, resulting in possible performance - degradation or application crashes. 
- group: top10-insecure-design - name: ASP_Best_Coding_Practice_Unclosed_Objects - pretty_name: Unclosed Objects - ASP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - ASP_Best_Coding_Practice_Unvalidated_Arguments_Of_Public_Methods: - categories: - - boost-baseline - - ALL - - checkmarx-best-coding-practices - - owasp-top-10 - description: Public methods' arguments are not validated, opening potential threats - of insecure data handling, injection attacks, or unintended behavior. - group: top10-insecure-design - name: ASP_Best_Coding_Practice_Unvalidated_Arguments_Of_Public_Methods - pretty_name: Unvalidated Arguments Of Public Methods - ASP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - ASP_Best_Coding_Practice_Use_of_System_Output_Stream: - categories: - - boost-baseline - - ALL - - checkmarx-best-coding-practices - - owasp-top-10 - description: Direct interaction with the System output stream can potentially - expose sensitive information or critical system details, increasing vulnerability - to potential security breaches. - group: top10-insecure-design - name: ASP_Best_Coding_Practice_Use_of_System_Output_Stream - pretty_name: Use of System Output Stream - ASP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - ASP_Best_Coding_Practice_Visible_Fields: - categories: - - boost-baseline - - ALL - - checkmarx-best-coding-practices - - owasp-top-10 - description: Fields of a class are excessively visible, leading to potential encapsulation - violations or unintended state changes. Fields should be private or protected - and accessed via properties or methods to maintain proper encapsulation. 
- group: top10-insecure-design - name: ASP_Best_Coding_Practice_Visible_Fields - pretty_name: Visible Fields - ASP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - ASP_Heuristic_Heuristic_2nd_Order_SQL_Injection: - categories: - - checkmarx-heuristic - - cwe-89 - - owasp-top-10 - - boost-baseline - - ALL - - cwe-top-25 - description: The product constructs all or part of an SQL command using externally-influenced - input from an upstream component, but it does not neutralize or incorrectly - neutralizes special elements that could modify the intended SQL command when - it is sent to a downstream component. - group: top10-injection - name: ASP_Heuristic_Heuristic_2nd_Order_SQL_Injection - pretty_name: Heuristic 2nd Order SQL Injection - ASP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - ASP_Heuristic_Heuristic_CSRF: - categories: - - checkmarx-heuristic - - cwe-352 - - owasp-top-10 - - boost-baseline - - ALL - - cwe-top-25 - description: The web application does not, or can not, sufficiently verify whether - a well-formed, valid, consistent request was intentionally provided by the user - who submitted the request. - group: top10-injection - name: ASP_Heuristic_Heuristic_CSRF - pretty_name: Heuristic CSRF - ASP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - ASP_Heuristic_Heuristic_DB_Parameter_Tampering: - categories: - - checkmarx-heuristic - - owasp-top-10 - - cwe-284 - - boost-baseline - - ALL - description: The product does not restrict or incorrectly restricts access to - a resource from an unauthorized actor. 
- group: top10-broken-access-control - name: ASP_Heuristic_Heuristic_DB_Parameter_Tampering - pretty_name: Heuristic DB Parameter Tampering - ASP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - ASP_Heuristic_Heuristic_Parameter_Tampering: - categories: - - checkmarx-heuristic - - owasp-top-10 - - cwe-472 - - boost-baseline - - ALL - description: The web application does not sufficiently verify inputs that are - assumed to be immutable but are actually externally controllable, such as hidden - form fields. - group: top10-insecure-design - name: ASP_Heuristic_Heuristic_Parameter_Tampering - pretty_name: Heuristic Parameter Tampering - ASP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - ASP_Heuristic_Heuristic_SQL_Injection: - categories: - - checkmarx-heuristic - - cwe-89 - - owasp-top-10 - - boost-baseline - - ALL - - cwe-top-25 - description: The product constructs all or part of an SQL command using externally-influenced - input from an upstream component, but it does not neutralize or incorrectly - neutralizes special elements that could modify the intended SQL command when - it is sent to a downstream component. - group: top10-injection - name: ASP_Heuristic_Heuristic_SQL_Injection - pretty_name: Heuristic SQL Injection - ASP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - ASP_Heuristic_Heuristic_Stored_XSS: - categories: - - checkmarx-heuristic - - cwe-79 - - owasp-top-10 - - boost-baseline - - ALL - - cwe-top-25 - description: The product does not neutralize or incorrectly neutralizes user-controllable - input before it is placed in output that is used as a web page that is served - to other users. 
- group: top10-injection - name: ASP_Heuristic_Heuristic_Stored_XSS - pretty_name: Heuristic Stored XSS - ASP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - ASP_High_Risk_Code_Injection: - categories: - - boost-hardened - - cwe-94 - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-high-risk - - cwe-top-25 - description: The product constructs all or part of a code segment using externally-influenced - input from an upstream component, but it does not neutralize or incorrectly - neutralizes special elements that could modify the syntax or behavior of the - intended code segment. - group: top10-injection - name: ASP_High_Risk_Code_Injection - pretty_name: Code Injection - ASP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - ASP_High_Risk_Command_Injection: - categories: - - boost-hardened - - cwe-77 - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-high-risk - - cwe-top-25 - description: The product constructs all or part of a command using externally-influenced - input from an upstream component, but it does not neutralize or incorrectly - neutralizes special elements that could modify the intended command when it - is sent to a downstream component. - group: top10-injection - name: ASP_High_Risk_Command_Injection - pretty_name: Command Injection - ASP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - ASP_High_Risk_Connection_String_Injection: - categories: - - boost-hardened - - owasp-top-10 - - cwe-99 - - boost-baseline - - ALL - - checkmarx-high-risk - description: The product receives input from an upstream component, but it does - not restrict or incorrectly restricts the input before it is used as an identifier - for a resource that may be outside the intended sphere of control. 
- group: top10-injection - name: ASP_High_Risk_Connection_String_Injection - pretty_name: Connection String Injection - ASP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - ASP_High_Risk_Dangerous_File_Upload: - categories: - - boost-hardened - - cwe-434 - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-high-risk - - cwe-top-25 - description: The product allows the attacker to upload or transfer files of dangerous - types that can be automatically processed within the product's environment. - group: top10-insecure-design - name: ASP_High_Risk_Dangerous_File_Upload - pretty_name: Dangerous File Upload - ASP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - ASP_High_Risk_LDAP_Injection: - categories: - - boost-hardened - - cwe-90 - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-high-risk - description: The product constructs all or part of an LDAP query using externally-influenced - input from an upstream component, but it does not neutralize or incorrectly - neutralizes special elements that could modify the intended LDAP query when - it is sent to a downstream component. - group: top10-injection - name: ASP_High_Risk_LDAP_Injection - pretty_name: LDAP Injection - ASP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - ASP_High_Risk_Reflected_XSS_All_Clients: - categories: - - boost-hardened - - cwe-79 - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-high-risk - - cwe-top-25 - description: The product does not neutralize or incorrectly neutralizes user-controllable - input before it is placed in output that is used as a web page that is served - to other users. 
- group: top10-injection - name: ASP_High_Risk_Reflected_XSS_All_Clients - pretty_name: Reflected XSS All Clients - ASP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - ASP_High_Risk_Resource_Injection: - categories: - - boost-hardened - - owasp-top-10 - - cwe-99 - - boost-baseline - - ALL - - checkmarx-high-risk - description: The product receives input from an upstream component, but it does - not restrict or incorrectly restricts the input before it is used as an identifier - for a resource that may be outside the intended sphere of control. - group: top10-injection - name: ASP_High_Risk_Resource_Injection - pretty_name: Resource Injection - ASP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - ASP_High_Risk_SQL_Injection: - categories: - - boost-hardened - - cwe-89 - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-high-risk - - cwe-top-25 - description: The product constructs all or part of an SQL command using externally-influenced - input from an upstream component, but it does not neutralize or incorrectly - neutralizes special elements that could modify the intended SQL command when - it is sent to a downstream component. - group: top10-injection - name: ASP_High_Risk_SQL_Injection - pretty_name: SQL Injection - ASP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - ASP_High_Risk_Second_Order_SQL_Injection: - categories: - - boost-hardened - - cwe-89 - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-high-risk - - cwe-top-25 - description: The product constructs all or part of an SQL command using externally-influenced - input from an upstream component, but it does not neutralize or incorrectly - neutralizes special elements that could modify the intended SQL command when - it is sent to a downstream component. 
- group: top10-injection - name: ASP_High_Risk_Second_Order_SQL_Injection - pretty_name: Second Order SQL Injection - ASP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - ASP_High_Risk_Stored_XSS: - categories: - - boost-hardened - - cwe-79 - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-high-risk - - cwe-top-25 - description: The product does not neutralize or incorrectly neutralizes user-controllable - input before it is placed in output that is used as a web page that is served - to other users. - group: top10-injection - name: ASP_High_Risk_Stored_XSS - pretty_name: Stored XSS - ASP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - ASP_High_Risk_UTF7_XSS: - categories: - - boost-hardened - - cwe-79 - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-high-risk - - cwe-top-25 - description: The product does not neutralize or incorrectly neutralizes user-controllable - input before it is placed in output that is used as a web page that is served - to other users. - group: top10-injection - name: ASP_High_Risk_UTF7_XSS - pretty_name: UTF7 XSS - ASP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - ASP_High_Risk_XPath_Injection: - categories: - - boost-hardened - - cwe-643 - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-high-risk - description: The product uses external input to dynamically construct an XPath - expression used to retrieve data from an XML database, but it does not neutralize - or incorrectly neutralizes that input. This allows an attacker to control the - structure of the query. 
- group: top10-injection - name: ASP_High_Risk_XPath_Injection - pretty_name: XPath Injection - ASP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - ASP_Low_Visibility_Blind_SQL_Injections: - categories: - - checkmarx-low-visibility - - cwe-89 - - owasp-top-10 - - boost-baseline - - ALL - - cwe-top-25 - description: The product constructs all or part of an SQL command using externally-influenced - input from an upstream component, but it does not neutralize or incorrectly - neutralizes special elements that could modify the intended SQL command when - it is sent to a downstream component. - group: top10-injection - name: ASP_Low_Visibility_Blind_SQL_Injections - pretty_name: Blind SQL Injections - ASP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - ASP_Low_Visibility_Cleansing_Canonicalization_and_Comparison_Errors: - categories: - - cwe-171 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: Improper handling of data within protection mechanisms that attempt - to perform neutralization for untrusted data. - group: top10-injection - name: ASP_Low_Visibility_Cleansing_Canonicalization_and_Comparison_Errors - pretty_name: Cleansing Canonicalization and Comparison Errors - ASP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - ASP_Low_Visibility_Client_Side_Only_Validation: - categories: - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - - cwe-602 - description: The product is composed of a server that relies on the client to - implement a mechanism that is intended to protect the server. 
- group: top10-insecure-design - name: ASP_Low_Visibility_Client_Side_Only_Validation - pretty_name: Client Side Only Validation - ASP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - ASP_Low_Visibility_Hardcoded_password_in_Connection_String: - categories: - - boost-baseline - - ALL - - cwe-547 - - checkmarx-low-visibility - description: The product uses hard-coded constants instead of symbolic names for - security-critical values, which increases the likelihood of mistakes during - code maintenance or security policy change. - group: top10-security-misconfiguration - name: ASP_Low_Visibility_Hardcoded_password_in_Connection_String - pretty_name: Hardcoded password in Connection String - ASP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - ASP_Low_Visibility_Impersonation_Issue: - categories: - - boost-baseline - - ALL - - checkmarx-low-visibility - - cwe-520 - description: Allowing a .NET application to run at potentially escalated levels - of access to the underlying operating and file systems can be dangerous and - result in various forms of attacks. - group: top10-security-misconfiguration - name: ASP_Low_Visibility_Impersonation_Issue - pretty_name: Impersonation Issue - ASP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - ASP_Low_Visibility_Improper_Exception_Handling: - categories: - - cwe-248 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: An exception is thrown from a function, but it is not caught. 
- group: top10-insecure-design - name: ASP_Low_Visibility_Improper_Exception_Handling - pretty_name: Improper Exception Handling - ASP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - ASP_Low_Visibility_Improper_Resource_Shutdown_or_Release: - categories: - - cwe-404 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: The product does not release or incorrectly releases a resource before - it is made available for re-use. - group: top10-insecure-design - name: ASP_Low_Visibility_Improper_Resource_Shutdown_or_Release - pretty_name: Improper Resource Shutdown or Release - ASP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - ASP_Low_Visibility_Improper_Session_Management: - categories: - - checkmarx-low-visibility - - owasp-top-10 - - cwe-201 - - boost-baseline - - ALL - description: The code transmits data to another actor, but a portion of the data - includes sensitive information that should not be accessible to that actor. - group: top10-broken-access-control - name: ASP_Low_Visibility_Improper_Session_Management - pretty_name: Improper Session Management - ASP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - ASP_Low_Visibility_Improper_Transaction_Handling: - categories: - - cwe-460 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: The product does not clean up its state or incorrectly cleans up - its state when an exception is thrown, leading to unexpected state or control - flow. 
- group: top10-insecure-design - name: ASP_Low_Visibility_Improper_Transaction_Handling - pretty_name: Improper Transaction Handling - ASP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - ASP_Low_Visibility_Information_Exposure_Through_an_Error_Message: - categories: - - cwe-209 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: The product generates an error message that includes sensitive information - about its environment, users, or associated data. - group: top10-insecure-design - name: ASP_Low_Visibility_Information_Exposure_Through_an_Error_Message - pretty_name: Information Exposure Through an Error Message - ASP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - ASP_Low_Visibility_Information_Leak_Through_Persistent_Cookies: - categories: - - cwe-539 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: The web application uses persistent cookies, but the cookies contain - sensitive information. - group: top10-insecure-design - name: ASP_Low_Visibility_Information_Leak_Through_Persistent_Cookies - pretty_name: Information Leak Through Persistent Cookies - ASP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - ASP_Low_Visibility_Insecure_Randomness: - categories: - - cwe-330 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: The product uses insufficiently random numbers or values in a security - context that depends on unpredictable numbers. 
- group: top10-crypto-failures - name: ASP_Low_Visibility_Insecure_Randomness - pretty_name: Insecure Randomness - ASP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - ASP_Low_Visibility_Insufficiently_Protected_Credentials: - categories: - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - - cwe-522 - description: The product transmits or stores authentication credentials, but it - uses an insecure method that is susceptible to unauthorized interception and/or - retrieval. - group: top10-insecure-design - name: ASP_Low_Visibility_Insufficiently_Protected_Credentials - pretty_name: Insufficiently Protected Credentials - ASP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - ASP_Low_Visibility_JavaScript_Hijacking: - categories: - - cwe-352 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - - cwe-top-25 - description: The web application does not, or can not, sufficiently verify whether - a well-formed, valid, consistent request was intentionally provided by the user - who submitted the request. - group: top10-injection - name: ASP_Low_Visibility_JavaScript_Hijacking - pretty_name: JavaScript Hijacking - ASP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - ASP_Low_Visibility_Leaving_Temporary_Files: - categories: - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - - cwe-376 - description: Related to the handling of files within a software system. 
- group: top10-broken-access-control - name: ASP_Low_Visibility_Leaving_Temporary_Files - pretty_name: Leaving Temporary Files - ASP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - ASP_Low_Visibility_Log_Forging: - categories: - - boost-baseline - - ALL - - cwe-117 - - checkmarx-low-visibility - description: The product does not neutralize or incorrectly neutralizes output - that is written to logs. - group: top10-security-logging-monitoring-failures - name: ASP_Low_Visibility_Log_Forging - pretty_name: Log Forging - ASP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - ASP_Low_Visibility_Open_Redirect: - categories: - - checkmarx-low-visibility - - cwe-601 - - owasp-top-10 - - boost-baseline - - ALL - description: A web application accepts a user-controlled input that specifies - a link to an external site, and uses that link in a Redirect. This simplifies - phishing attacks. - group: top10-broken-access-control - name: ASP_Low_Visibility_Open_Redirect - pretty_name: Open Redirect - ASP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - ASP_Low_Visibility_Script_Poisoning: - categories: - - checkmarx-low-visibility - - owasp-top-10 - - cwe-20 - - boost-baseline - - ALL - - cwe-top-25 - description: The product receives input or data, but it does not validate or incorrectly - validates that the input has the properties that are required to process the - data safely and correctly. 
- group: top10-injection - name: ASP_Low_Visibility_Script_Poisoning - pretty_name: Script Poisoning - ASP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - ASP_Low_Visibility_Server_Code_In_Client_Comment: - categories: - - cwe-615 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: 'While adding general comments is very useful, some programmers tend - to leave important data, such as: filenames related to the web application, - old links or links which were not meant to be browsed by users, old code fragments, - etc.' - group: top10-insecure-design - name: ASP_Low_Visibility_Server_Code_In_Client_Comment - pretty_name: Server Code In Client Comment - ASP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - ASP_Low_Visibility_Session_Clearing_Problems: - categories: - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - - cwe-613 - description: According to WASC, "Insufficient Session Expiration is when a web - site permits an attacker to reuse old session credentials or session IDs for - authorization." - group: top10-id-authn-failures - name: ASP_Low_Visibility_Session_Clearing_Problems - pretty_name: Session Clearing Problems - ASP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - ASP_Low_Visibility_Session_Poisoning: - categories: - - checkmarx-low-visibility - - owasp-top-10 - - cwe-472 - - boost-baseline - - ALL - description: The web application does not sufficiently verify inputs that are - assumed to be immutable but are actually externally controllable, such as hidden - form fields. 
- group: top10-insecure-design - name: ASP_Low_Visibility_Session_Poisoning - pretty_name: Session Poisoning - ASP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - ASP_Low_Visibility_Thread_Safety_Issue: - categories: - - cwe-567 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: The product does not properly synchronize shared data, such as static - variables across threads, which can lead to undefined behavior and unpredictable - data changes. - group: top10-insecure-design - name: ASP_Low_Visibility_Thread_Safety_Issue - pretty_name: Thread Safety Issue - ASP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - ASP_Low_Visibility_Trust_Boundary_Violation_in_Session_Variables: - categories: - - cwe-501 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: The product mixes trusted and untrusted data in the same data structure - or structured message. - group: top10-insecure-design - name: ASP_Low_Visibility_Trust_Boundary_Violation_in_Session_Variables - pretty_name: Trust Boundary Violation in Session Variables - ASP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - ASP_Low_Visibility_URL_Canonicalization_Issue: - categories: - - cwe-647 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: The product defines policy namespaces and makes authorization decisions - based on the assumption that a URL is canonical. This can allow a non-canonical - URL to bypass the authorization. 
- group: top10-injection - name: ASP_Low_Visibility_URL_Canonicalization_Issue - pretty_name: URL Canonicalization Issue - ASP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - ASP_Low_Visibility_Use_Of_Hardcoded_Password: - categories: - - ALL - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - cwe-259 - description: The product contains a hard-coded password, which it uses for its - own inbound authentication or for outbound communication to external components. - group: top10-id-authn-failures - name: ASP_Low_Visibility_Use_Of_Hardcoded_Password - pretty_name: Use Of Hardcoded Password - ASP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - ASP_Low_Visibility_XSS_Evasion_Attack: - categories: - - cwe-79 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - - cwe-top-25 - description: The product does not neutralize or incorrectly neutralizes user-controllable - input before it is placed in output that is used as a web page that is served - to other users. - group: top10-injection - name: ASP_Low_Visibility_XSS_Evasion_Attack - pretty_name: XSS Evasion Attack - ASP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - ASP_Medium_Threat_CSRF: - categories: - - checkmarx-medium-threat - - cwe-352 - - owasp-top-10 - - boost-baseline - - ALL - - cwe-top-25 - description: The web application does not, or can not, sufficiently verify whether - a well-formed, valid, consistent request was intentionally provided by the user - who submitted the request. 
- group: top10-injection - name: ASP_Medium_Threat_CSRF - pretty_name: CSRF - ASP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - ASP_Medium_Threat_DB_Parameter_Tampering: - categories: - - checkmarx-medium-threat - - owasp-top-10 - - cwe-284 - - boost-baseline - - ALL - description: The product does not restrict or incorrectly restricts access to - a resource from an unauthorized actor. - group: top10-broken-access-control - name: ASP_Medium_Threat_DB_Parameter_Tampering - pretty_name: DB Parameter Tampering - ASP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - ASP_Medium_Threat_DoS_by_Sleep: - categories: - - checkmarx-medium-threat - - owasp-top-10 - - boost-baseline - - ALL - description: The product performs an iteration or loop without sufficiently limiting - the number of times that the loop is executed. - group: top10-insecure-design - name: ASP_Medium_Threat_DoS_by_Sleep - pretty_name: DoS by Sleep - ASP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - ASP_Medium_Threat_HTTP_Response_Splitting: - categories: - - checkmarx-medium-threat - - cwe-113 - - owasp-top-10 - - boost-baseline - - ALL - description: The product receives data from an HTTP agent/component (e.g., web - server, proxy, browser, etc.), but it does not neutralize or incorrectly neutralizes - CR and LF characters before the data is included in outgoing HTTP headers. 
- group: top10-injection - name: ASP_Medium_Threat_HTTP_Response_Splitting - pretty_name: HTTP Response Splitting - ASP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - ASP_Medium_Threat_Improper_Locking: - categories: - - checkmarx-medium-threat - - cwe-667 - - owasp-top-10 - - boost-baseline - - ALL - description: The product does not properly acquire or release a lock on a resource, - leading to unexpected resource state changes and behaviors. - group: top10-insecure-design - name: ASP_Medium_Threat_Improper_Locking - pretty_name: Improper Locking - ASP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - ASP_Medium_Threat_Parameter_Tampering: - categories: - - checkmarx-medium-threat - - owasp-top-10 - - cwe-472 - - boost-baseline - - ALL - description: The web application does not sufficiently verify inputs that are - assumed to be immutable but are actually externally controllable, such as hidden - form fields. - group: top10-insecure-design - name: ASP_Medium_Threat_Parameter_Tampering - pretty_name: Parameter Tampering - ASP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - ASP_Medium_Threat_Path_Traversal: - categories: - - ALL - - checkmarx-medium-threat - - owasp-top-10 - - boost-baseline - - cwe-22 - - cwe-top-25 - description: The product uses external input to construct a pathname that is intended - to identify a file or directory that is located underneath a restricted parent - directory, but the product does not properly neutralize special elements within - the pathname that can cause the pathname to resolve to a location that is outside - of the restricted directory. 
- group: top10-broken-access-control - name: ASP_Medium_Threat_Path_Traversal - pretty_name: Path Traversal - ASP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - ASP_Medium_Threat_Privacy_Violation: - categories: - - checkmarx-medium-threat - - owasp-top-10 - - boost-baseline - - ALL - - cwe-359 - description: The product does not properly prevent a person's private, personal - information from being accessed by actors who either (1) are not explicitly - authorized to access the information or (2) do not have the implicit consent - of the person about whom the information is collected. - group: top10-broken-access-control - name: ASP_Medium_Threat_Privacy_Violation - pretty_name: Privacy Violation - ASP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - ASP_Medium_Threat_Reflected_XSS_Specific_Clients: - categories: - - checkmarx-medium-threat - - cwe-79 - - owasp-top-10 - - boost-baseline - - ALL - - cwe-top-25 - description: The product does not neutralize or incorrectly neutralizes user-controllable - input before it is placed in output that is used as a web page that is served - to other users. - group: top10-injection - name: ASP_Medium_Threat_Reflected_XSS_Specific_Clients - pretty_name: Reflected XSS Specific Clients - ASP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - ASP_Medium_Threat_SQL_Injection_Evasion_Attack: - categories: - - checkmarx-medium-threat - - cwe-89 - - owasp-top-10 - - boost-baseline - - ALL - - cwe-top-25 - description: The product constructs all or part of an SQL command using externally-influenced - input from an upstream component, but it does not neutralize or incorrectly - neutralizes special elements that could modify the intended SQL command when - it is sent to a downstream component. 
- group: top10-injection - name: ASP_Medium_Threat_SQL_Injection_Evasion_Attack - pretty_name: SQL Injection Evasion Attack - ASP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - ASP_Medium_Threat_Stored_Code_Injection: - categories: - - checkmarx-medium-threat - - cwe-94 - - owasp-top-10 - - boost-baseline - - ALL - - cwe-top-25 - description: The product constructs all or part of a code segment using externally-influenced - input from an upstream component, but it does not neutralize or incorrectly - neutralizes special elements that could modify the syntax or behavior of the - intended code segment. - group: top10-injection - name: ASP_Medium_Threat_Stored_Code_Injection - pretty_name: Stored Code Injection - ASP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - ASP_Medium_Threat_Unclosed_Connection: - categories: - - cwe-404 - - checkmarx-medium-threat - - owasp-top-10 - - boost-baseline - - ALL - description: The product does not release or incorrectly releases a resource before - it is made available for re-use. - group: top10-insecure-design - name: ASP_Medium_Threat_Unclosed_Connection - pretty_name: Unclosed Connection - ASP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - ASP_Medium_Threat_Untrusted_Activex: - categories: - - checkmarx-medium-threat - - cwe-618 - - owasp-top-10 - - boost-baseline - - ALL - description: An ActiveX control is intended for use in a web browser, but it exposes - dangerous methods that perform actions that are outside of the browser's security - model (e.g. the zone or domain). 
- group: top10-vulnerable-components - name: ASP_Medium_Threat_Untrusted_Activex - pretty_name: Untrusted Activex - ASP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - ASP_Medium_Threat_Use_of_Hard_coded_Cryptographic_Key: - categories: - - cwe-321 - - checkmarx-medium-threat - - owasp-top-10 - - boost-baseline - - ALL - description: The use of a hard-coded cryptographic key significantly increases - the possibility that encrypted data may be recovered. - group: top10-crypto-failures - name: ASP_Medium_Threat_Use_of_Hard_coded_Cryptographic_Key - pretty_name: Use of Hard coded Cryptographic Key - ASP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Apex_Force_com_Code_Quality_Async_Future_Method_Inside_Loops: - categories: - - boost-baseline - - ALL - - checkmarx-force-com-code-quality - - owasp-top-10 - description: Async future methods are executed inside loops, which may lead to - governor limit exceptions due to an excessive number of future calls in Salesforce's - Apex code. - group: top10-insecure-design - name: Apex_Force_com_Code_Quality_Async_Future_Method_Inside_Loops - pretty_name: Async Future Method Inside Loops - Apex - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Apex_Force_com_Code_Quality_Bulkify_Apex_Methods_Using_Collections_In_Methods: - categories: - - boost-baseline - - ALL - - checkmarx-force-com-code-quality - - owasp-top-10 - description: Apex methods are not utilizing collections (lists, sets, or maps) - to process bulk data, which can result in inefficient SOQL queries, negatively - impacting the code performance in Salesforce. 
- group: top10-insecure-design - name: Apex_Force_com_Code_Quality_Bulkify_Apex_Methods_Using_Collections_In_Methods - pretty_name: Bulkify Apex Methods Using Collections In Methods - Apex - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Apex_Force_com_Code_Quality_DML_Statements_Inside_Loops: - categories: - - boost-baseline - - ALL - - checkmarx-force-com-code-quality - - owasp-top-10 - description: In an Apex Salesforce.com codebase, DML operations are present inside - loop constructs, which may cause exceeding the governor limit, leading to inefficient - code execution. - group: top10-insecure-design - name: Apex_Force_com_Code_Quality_DML_Statements_Inside_Loops - pretty_name: DML Statements Inside Loops - Apex - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Apex_Force_com_Code_Quality_HTTP_Callouts: - categories: - - boost-baseline - - ALL - - checkmarx-force-com-code-quality - - owasp-top-10 - description: Uncertified HTTP callouts are used in Apex code, which can expose - sensitive business data and lead to insecure interactions with third-party services. - group: top10-insecure-design - name: Apex_Force_com_Code_Quality_HTTP_Callouts - pretty_name: HTTP Callouts - Apex - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Apex_Force_com_Code_Quality_Hardcoded_Messages: - categories: - - boost-baseline - - ALL - - cwe-547 - - checkmarx-force-com-code-quality - description: The product uses hard-coded constants instead of symbolic names for - security-critical values, which increases the likelihood of mistakes during - code maintenance or security policy change. 
- group: top10-security-misconfiguration - name: Apex_Force_com_Code_Quality_Hardcoded_Messages - pretty_name: Hardcoded Messages - Apex - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Apex_Force_com_Code_Quality_Hardcoding_Ids: - categories: - - boost-baseline - - ALL - - checkmarx-force-com-code-quality - - owasp-top-10 - description: Salesforce object IDs are hardcoded in the Apex source code, risking - loss of data access or integrity when records or objects are changed, removed, - or migrated to other Salesforce instances. - group: top10-insecure-design - name: Apex_Force_com_Code_Quality_Hardcoding_Ids - pretty_name: Hardcoding Ids - Apex - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Apex_Force_com_Code_Quality_Hardcoding_Of_Trigger_New: - categories: - - boost-baseline - - ALL - - checkmarx-force-com-code-quality - - owasp-top-10 - description: The code contains hardcoded references to Trigger.new, which limits - its reusability and adaptability, making it less maintainable and potentially - problematic if changes in data structure occur. - group: top10-insecure-design - name: Apex_Force_com_Code_Quality_Hardcoding_Of_Trigger_New - pretty_name: Hardcoding Of Trigger New - Apex - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Apex_Force_com_Code_Quality_Hardcoding_Of_Trigger_Old: - categories: - - boost-baseline - - ALL - - checkmarx-force-com-code-quality - - owasp-top-10 - description: Direct references to Trigger.old in Apex Code may lead to unexpected - behavior or errors during updates and deletions, as this means hardcoding values - destined to change with every transaction. 
- group: top10-insecure-design - name: Apex_Force_com_Code_Quality_Hardcoding_Of_Trigger_Old - pretty_name: Hardcoding Of Trigger Old - Apex - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Apex_Force_com_Code_Quality_Hardcoding_References_To_Static_Resources: - categories: - - boost-baseline - - ALL - - checkmarx-force-com-code-quality - - owasp-top-10 - description: The rule identifies instances of hardcoded references to static resources - within Apex code, which can result in maintenance issues and reduce the code's - ability to adapt to changes. - group: top10-insecure-design - name: Apex_Force_com_Code_Quality_Hardcoding_References_To_Static_Resources - pretty_name: Hardcoding References To Static Resources - Apex - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Apex_Force_com_Code_Quality_Multiple_Forms_In_Visualforce_Page: - categories: - - boost-baseline - - ALL - - checkmarx-force-com-code-quality - - owasp-top-10 - description: Visualforce pages contain multiple forms, which may lead to conflicting - actions or unintuitive user experiences due to mishandled form submissions or - redundant code. - group: top10-insecure-design - name: Apex_Force_com_Code_Quality_Multiple_Forms_In_Visualforce_Page - pretty_name: Multiple Forms In Visualforce Page - Apex - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Apex_Force_com_Code_Quality_Multiple_Trigger_On_same_sObject: - categories: - - boost-baseline - - ALL - - checkmarx-force-com-code-quality - - owasp-top-10 - description: Multiple triggers are defined on the same 'sObject' in Apex code, - possibly leading to unpredictable execution order and potential recursive behavior - issues. 
- group: top10-insecure-design - name: Apex_Force_com_Code_Quality_Multiple_Trigger_On_same_sObject - pretty_name: Multiple Trigger On same sObject - Apex - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Apex_Force_com_Code_Quality_Queries_With_No_Where_Or_Limit_Clause: - categories: - - boost-baseline - - ALL - - checkmarx-force-com-code-quality - - owasp-top-10 - description: Salesforce Apex queries or SOQL statements lack 'WHERE' or 'LIMIT' - clauses, potentially causing data overload and performance issues. - group: top10-insecure-design - name: Apex_Force_com_Code_Quality_Queries_With_No_Where_Or_Limit_Clause - pretty_name: Queries With No Where Or Limit Clause - Apex - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Apex_Force_com_Code_Quality_SOSL_SOQL_Statments_Inside_Loops: - categories: - - boost-baseline - - ALL - - checkmarx-force-com-code-quality - - owasp-top-10 - description: Highlights instances of SOSL/SOQL queries placed inside loops which - may result in governor limit exceptions in Apex Force.com code. - group: top10-insecure-design - name: Apex_Force_com_Code_Quality_SOSL_SOQL_Statments_Inside_Loops - pretty_name: SOSL SOQL Statments Inside Loops - Apex - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Apex_Force_com_Code_Quality_Test_Assert_Without_Message: - categories: - - boost-baseline - - ALL - - checkmarx-force-com-code-quality - - owasp-top-10 - description: Unit test assertions in Apex code lack custom error messages, reducing - the ability to express specific failure conditions for better test maintainability - and readability. 
- group: top10-insecure-design - name: Apex_Force_com_Code_Quality_Test_Assert_Without_Message - pretty_name: Test Assert Without Message - Apex - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Apex_Force_com_Code_Quality_Test_Methods_With_No_Assert: - categories: - - boost-baseline - - ALL - - checkmarx-force-com-code-quality - - owasp-top-10 - description: An Apex test method lacks 'System.assert()', 'System.assertEquals()' - or 'System.assertNotEquals()' calls, which may inhibit proper validation of - the code's functionality. - group: top10-insecure-design - name: Apex_Force_com_Code_Quality_Test_Methods_With_No_Assert - pretty_name: Test Methods With No Assert - Apex - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Apex_Force_com_Code_Quality_Unused_Variable: - categories: - - checkmarx-force-com-code-quality - - owasp-top-10 - - cwe-563 - - boost-baseline - - ALL - description: The variable's value is assigned but never used, making it a dead - store. - group: top10-insecure-design - name: Apex_Force_com_Code_Quality_Unused_Variable - pretty_name: Unused Variable - Apex - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Apex_Force_com_Code_Quality_Use_Of_Ajax_Toolkit: - categories: - - boost-baseline - - ALL - - checkmarx-force-com-code-quality - - owasp-top-10 - description: Identifies use of the Salesforce AJAX Toolkit within Apex code, which - is deprecated and can lead to functionality issues in Salesforce apps. 
- group: top10-insecure-design - name: Apex_Force_com_Code_Quality_Use_Of_Ajax_Toolkit - pretty_name: Use Of Ajax Toolkit - Apex - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Apex_Force_com_Code_Quality_Use_of_Hard_Coded_Cryptographic_Key: - categories: - - cwe-321 - - checkmarx-force-com-code-quality - - owasp-top-10 - - boost-baseline - - ALL - description: The use of a hard-coded cryptographic key significantly increases - the possibility that encrypted data may be recovered. - group: top10-crypto-failures - name: Apex_Force_com_Code_Quality_Use_of_Hard_Coded_Cryptographic_Key - pretty_name: Use of Hard Coded Cryptographic Key - Apex - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Apex_Force_com_Critical_Security_Risk_Reflected_XSS: - categories: - - boost-hardened - - cwe-79 - - owasp-top-10 - - checkmarx-force-com-critical-risk - - boost-baseline - - ALL - - cwe-top-25 - description: The product does not neutralize or incorrectly neutralizes user-controllable - input before it is placed in output that is used as a web page that is served - to other users. - group: top10-injection - name: Apex_Force_com_Critical_Security_Risk_Reflected_XSS - pretty_name: Reflected XSS - Apex - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Apex_Force_com_Critical_Security_Risk_Resource_Injection: - categories: - - boost-hardened - - owasp-top-10 - - cwe-99 - - checkmarx-force-com-critical-risk - - boost-baseline - - ALL - description: The product receives input from an upstream component, but it does - not restrict or incorrectly restricts the input before it is used as an identifier - for a resource that may be outside the intended sphere of control. 
- group: top10-injection - name: Apex_Force_com_Critical_Security_Risk_Resource_Injection - pretty_name: Resource Injection - Apex - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Apex_Force_com_Critical_Security_Risk_SOQL_SOSL_Injection: - categories: - - boost-hardened - - cwe-89 - - owasp-top-10 - - checkmarx-force-com-critical-risk - - boost-baseline - - ALL - - cwe-top-25 - description: The product constructs all or part of an SQL command using externally-influenced - input from an upstream component, but it does not neutralize or incorrectly - neutralizes special elements that could modify the intended SQL command when - it is sent to a downstream component. - group: top10-injection - name: Apex_Force_com_Critical_Security_Risk_SOQL_SOSL_Injection - pretty_name: SOQL SOSL Injection - Apex - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Apex_Force_com_Critical_Security_Risk_Stored_XSS: - categories: - - boost-hardened - - cwe-79 - - owasp-top-10 - - checkmarx-force-com-critical-risk - - boost-baseline - - ALL - - cwe-top-25 - description: The product does not neutralize or incorrectly neutralizes user-controllable - input before it is placed in output that is used as a web page that is served - to other users. - group: top10-injection - name: Apex_Force_com_Critical_Security_Risk_Stored_XSS - pretty_name: Stored XSS - Apex - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Apex_Force_com_Serious_Security_Risk_CRUD_Delete: - categories: - - checkmarx-force-com-serious-risk - - owasp-top-10 - - cwe-472 - - boost-baseline - - ALL - description: The web application does not sufficiently verify inputs that are - assumed to be immutable but are actually externally controllable, such as hidden - form fields. 
- group: top10-insecure-design - name: Apex_Force_com_Serious_Security_Risk_CRUD_Delete - pretty_name: CRUD Delete - Apex - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Apex_Force_com_Serious_Security_Risk_CSRF: - categories: - - checkmarx-force-com-serious-risk - - cwe-352 - - owasp-top-10 - - boost-baseline - - ALL - - cwe-top-25 - description: The web application does not, or can not, sufficiently verify whether - a well-formed, valid, consistent request was intentionally provided by the user - who submitted the request. - group: top10-injection - name: Apex_Force_com_Serious_Security_Risk_CSRF - pretty_name: CSRF - Apex - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Apex_Force_com_Serious_Security_Risk_CSRF_With_VF_Call: - categories: - - checkmarx-force-com-serious-risk - - cwe-352 - - owasp-top-10 - - boost-baseline - - ALL - - cwe-top-25 - description: The web application does not, or can not, sufficiently verify whether - a well-formed, valid, consistent request was intentionally provided by the user - who submitted the request. - group: top10-injection - name: Apex_Force_com_Serious_Security_Risk_CSRF_With_VF_Call - pretty_name: CSRF With VF Call - Apex - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Apex_Force_com_Serious_Security_Risk_Cookies_Scoping: - categories: - - boost-baseline - - ALL - - checkmarx-force-com-serious-risk - - owasp-top-10 - description: Cookies are not properly scoped, leaving sensitive user data susceptible - to potential theft or manipulation via cross-site scripting (XSS) or cross-site - request forgery (CSRF) attacks. 
- group: top10-broken-access-control - name: Apex_Force_com_Serious_Security_Risk_Cookies_Scoping - pretty_name: Cookies Scoping - Apex - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Apex_Force_com_Serious_Security_Risk_Dangerous_Methods: - categories: - - cwe-243 - - checkmarx-force-com-serious-risk - - owasp-top-10 - - boost-baseline - - ALL - description: The product uses the chroot() system call to create a jail, but does - not change the working directory afterward. This does not prevent access to - files outside of the jail. - group: top10-vulnerable-components - name: Apex_Force_com_Serious_Security_Risk_Dangerous_Methods - pretty_name: Dangerous Methods - Apex - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Apex_Force_com_Serious_Security_Risk_Dereferenced_Field: - categories: - - boost-baseline - - ALL - - checkmarx-force-com-serious-risk - - owasp-top-10 - description: Accesses a field by dereferencing a potentially null pointer, exposing - an Apex Force.com application to serious security risks including null dereference - exceptions or unintended behavior. - group: top10-broken-access-control - name: Apex_Force_com_Serious_Security_Risk_Dereferenced_Field - pretty_name: Dereferenced Field - Apex - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Apex_Force_com_Serious_Security_Risk_FLS_Create: - categories: - - checkmarx-force-com-serious-risk - - owasp-top-10 - - cwe-285 - - boost-baseline - - ALL - description: The product does not perform or incorrectly performs an authorization - check when an actor attempts to access a resource or perform an action. 
- group: top10-broken-access-control - name: Apex_Force_com_Serious_Security_Risk_FLS_Create - pretty_name: FLS Create - Apex - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Apex_Force_com_Serious_Security_Risk_FLS_Create_Partial: - categories: - - checkmarx-force-com-serious-risk - - owasp-top-10 - - cwe-285 - - boost-baseline - - ALL - description: The product does not perform or incorrectly performs an authorization - check when an actor attempts to access a resource or perform an action. - group: top10-broken-access-control - name: Apex_Force_com_Serious_Security_Risk_FLS_Create_Partial - pretty_name: FLS Create Partial - Apex - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Apex_Force_com_Serious_Security_Risk_FLS_Read: - categories: - - checkmarx-force-com-serious-risk - - owasp-top-10 - - cwe-285 - - boost-baseline - - ALL - description: The product does not perform or incorrectly performs an authorization - check when an actor attempts to access a resource or perform an action. - group: top10-broken-access-control - name: Apex_Force_com_Serious_Security_Risk_FLS_Read - pretty_name: FLS Read - Apex - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Apex_Force_com_Serious_Security_Risk_FLS_Update: - categories: - - checkmarx-force-com-serious-risk - - owasp-top-10 - - cwe-285 - - boost-baseline - - ALL - description: The product does not perform or incorrectly performs an authorization - check when an actor attempts to access a resource or perform an action. 
- group: top10-broken-access-control - name: Apex_Force_com_Serious_Security_Risk_FLS_Update - pretty_name: FLS Update - Apex - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Apex_Force_com_Serious_Security_Risk_FLS_Update_Partial: - categories: - - checkmarx-force-com-serious-risk - - owasp-top-10 - - cwe-285 - - boost-baseline - - ALL - description: The product does not perform or incorrectly performs an authorization - check when an actor attempts to access a resource or perform an action. - group: top10-broken-access-control - name: Apex_Force_com_Serious_Security_Risk_FLS_Update_Partial - pretty_name: FLS Update Partial - Apex - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Apex_Force_com_Serious_Security_Risk_Frame_Spoofing: - categories: - - checkmarx-force-com-serious-risk - - cwe-79 - - owasp-top-10 - - boost-baseline - - ALL - - cwe-top-25 - description: The product does not neutralize or incorrectly neutralizes user-controllable - input before it is placed in output that is used as a web page that is served - to other users. - group: top10-injection - name: Apex_Force_com_Serious_Security_Risk_Frame_Spoofing - pretty_name: Frame Spoofing - Apex - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Apex_Force_com_Serious_Security_Risk_HttpSplitting: - categories: - - checkmarx-force-com-serious-risk - - cwe-113 - - owasp-top-10 - - boost-baseline - - ALL - description: The product receives data from an HTTP agent/component (e.g., web - server, proxy, browser, etc.), but it does not neutralize or incorrectly neutralizes - CR and LF characters before the data is included in outgoing HTTP headers. 
- group: top10-injection - name: Apex_Force_com_Serious_Security_Risk_HttpSplitting - pretty_name: HttpSplitting - Apex - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Apex_Force_com_Serious_Security_Risk_Insecure_Cookie: - categories: - - boost-baseline - - cwe-614 - - checkmarx-force-com-serious-risk - - ALL - description: The Secure attribute for sensitive cookies in HTTPS sessions is not - set, which could cause the user agent to send those cookies in plaintext over - an HTTP session. - group: top10-security-misconfiguration - name: Apex_Force_com_Serious_Security_Risk_Insecure_Cookie - pretty_name: Insecure Cookie - Apex - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Apex_Force_com_Serious_Security_Risk_Insecure_Endpoint: - categories: - - checkmarx-force-com-serious-risk - - owasp-top-10 - - cwe-319 - - boost-baseline - - ALL - description: The product transmits sensitive or security-critical data in cleartext - in a communication channel that can be sniffed by unauthorized actors. - group: top10-insecure-design - name: Apex_Force_com_Serious_Security_Risk_Insecure_Endpoint - pretty_name: Insecure Endpoint - Apex - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Apex_Force_com_Serious_Security_Risk_Sharing: - categories: - - checkmarx-force-com-serious-risk - - owasp-top-10 - - cwe-472 - - boost-baseline - - ALL - description: The web application does not sufficiently verify inputs that are - assumed to be immutable but are actually externally controllable, such as hidden - form fields. 
- group: top10-insecure-design - name: Apex_Force_com_Serious_Security_Risk_Sharing - pretty_name: Sharing - Apex - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Apex_Force_com_Serious_Security_Risk_Sharing_With_Controller: - categories: - - checkmarx-force-com-serious-risk - - owasp-top-10 - - cwe-472 - - boost-baseline - - ALL - description: The web application does not sufficiently verify inputs that are - assumed to be immutable but are actually externally controllable, such as hidden - form fields. - group: top10-insecure-design - name: Apex_Force_com_Serious_Security_Risk_Sharing_With_Controller - pretty_name: Sharing With Controller - Apex - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Apex_Force_com_Serious_Security_Risk_URL_Redirection_Attack: - categories: - - checkmarx-force-com-serious-risk - - cwe-601 - - owasp-top-10 - - boost-baseline - - ALL - description: A web application accepts a user-controlled input that specifies - a link to an external site, and uses that link in a Redirect. This simplifies - phishing attacks. - group: top10-broken-access-control - name: Apex_Force_com_Serious_Security_Risk_URL_Redirection_Attack - pretty_name: URL Redirection Attack - Apex - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Apex_Force_com_Serious_Security_Risk_inputText_Ignoring_FLS: - categories: - - boost-baseline - - ALL - - checkmarx-force-com-serious-risk - - owasp-top-10 - description: The 'inputText' function in Apex ignores Field-Level Security settings - (FLS), which can result in unauthorized data access or modification on Salesforce's - Force.com platform. 
- group: top10-injection - name: Apex_Force_com_Serious_Security_Risk_inputText_Ignoring_FLS - pretty_name: inputText Ignoring FLS - Apex - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Apex_ISV_Quality_Rules_ActionPoller_Frequency_Check: - categories: - - boost-baseline - - ALL - - owasp-top-10 - - checkmarx-isv-quality-rules - description: The reRender frequency for actionPoller in Apex is set too high, - potentially causing performance issues due to excessive server load. - group: top10-insecure-design - name: Apex_ISV_Quality_Rules_ActionPoller_Frequency_Check - pretty_name: ActionPoller Frequency Check - Apex - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Apex_ISV_Quality_Rules_Ajax_Toolkit_From_VF: - categories: - - boost-baseline - - ALL - - owasp-top-10 - - checkmarx-isv-quality-rules - description: Visualforce components utilize the Ajax Toolkit, instead of standard - Visualforce Ajax or Apex, potentially resulting in performance degradation or - limited support issues. - group: top10-insecure-design - name: Apex_ISV_Quality_Rules_Ajax_Toolkit_From_VF - pretty_name: Ajax Toolkit From VF - Apex - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Apex_ISV_Quality_Rules_Batch_Apex_exists: - categories: - - boost-baseline - - ALL - - owasp-top-10 - - checkmarx-isv-quality-rules - description: Batch Apex is present in the codebase, which may lead to performance - issues when processing large data volumes. 
- group: top10-insecure-design - name: Apex_ISV_Quality_Rules_Batch_Apex_exists - pretty_name: Batch Apex exists - Apex - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Apex_ISV_Quality_Rules_Batch_Apex_makes_outbound_call: - categories: - - boost-baseline - - ALL - - owasp-top-10 - - checkmarx-isv-quality-rules - description: Outbound calls are made within a Batch Apex, which may cause scalability - issues due to governor limits on Salesforce's outbound HTTP callouts. - group: top10-insecure-design - name: Apex_ISV_Quality_Rules_Batch_Apex_makes_outbound_call - pretty_name: Batch Apex makes outbound call - Apex - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Apex_ISV_Quality_Rules_DmlOptions_Set_To_False: - categories: - - boost-baseline - - ALL - - owasp-top-10 - - checkmarx-isv-quality-rules - description: The Database DML operation in Apex code has the 'DmlOptions' parameter - set to 'false', neglecting potential record locking contention considerations - in bulk data manipulation scenarios. - group: top10-insecure-design - name: Apex_ISV_Quality_Rules_DmlOptions_Set_To_False - pretty_name: DmlOptions Set To False - Apex - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Apex_ISV_Quality_Rules_Empty_Catch_Blocks: - categories: - - boost-baseline - - ALL - - owasp-top-10 - - checkmarx-isv-quality-rules - description: Catches exceptions without handling them, leading to potential unaddressed - errors and application instability. 
- group: top10-insecure-design - name: Apex_ISV_Quality_Rules_Empty_Catch_Blocks - pretty_name: Empty Catch Blocks - Apex - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Apex_ISV_Quality_Rules_Empty_IfStmt: - categories: - - boost-baseline - - ALL - - owasp-top-10 - - checkmarx-isv-quality-rules - description: An 'if' statement in the Apex code does not contain any executable - statements, making it redundant and possibly indicative of incomplete or incorrect - logic. - group: top10-insecure-design - name: Apex_ISV_Quality_Rules_Empty_IfStmt - pretty_name: Empty IfStmt - Apex - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Apex_ISV_Quality_Rules_Empty_Methods: - categories: - - boost-baseline - - ALL - - owasp-top-10 - - checkmarx-isv-quality-rules - description: The code contains methods that are empty or lack substantive content, - which might be unintentional leftovers from incomplete development or refactoring - and can introduce confusion and maintenance issues. - group: top10-insecure-design - name: Apex_ISV_Quality_Rules_Empty_Methods - pretty_name: Empty Methods - Apex - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Apex_ISV_Quality_Rules_Empty_WhileStmt: - categories: - - boost-baseline - - ALL - - owasp-top-10 - - checkmarx-isv-quality-rules - description: A 'while' statement in the APEX code has an empty body, causing an - infinite loop that can result in script execution and performance problems. 
- group: top10-insecure-design - name: Apex_ISV_Quality_Rules_Empty_WhileStmt - pretty_name: Empty WhileStmt - Apex - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Apex_ISV_Quality_Rules_Find_Exposed_Test_Data: - categories: - - boost-baseline - - ALL - - owasp-top-10 - - checkmarx-isv-quality-rules - description: Exposed test data in Apex classes may lead to leakage of sensitive - information, violating the Salesforce ISV (Independent Software Vendor) best - practices. - group: top10-insecure-design - name: Apex_ISV_Quality_Rules_Find_Exposed_Test_Data - pretty_name: Find Exposed Test Data - Apex - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Apex_ISV_Quality_Rules_Future_exists: - categories: - - boost-baseline - - ALL - - owasp-top-10 - - checkmarx-isv-quality-rules - description: The Apex code contains @future annotation, possibly adding complexity - to transaction control flow and leading to unexpected order of execution. - group: top10-insecure-design - name: Apex_ISV_Quality_Rules_Future_exists - pretty_name: Future exists - Apex - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Apex_ISV_Quality_Rules_Old_API_Version: - categories: - - boost-baseline - - ALL - - owasp-top-10 - - checkmarx-isv-quality-rules - description: The Salesforce Apex code under examination employs an outdated API - version, which may result in deprecated or unavailable functionality and suboptimal - performance or compatibility issues. 
- group: top10-insecure-design - name: Apex_ISV_Quality_Rules_Old_API_Version - pretty_name: Old API Version - Apex - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Apex_ISV_Quality_Rules_Outbound_Email_Send: - categories: - - boost-baseline - - ALL - - owasp-top-10 - - checkmarx-isv-quality-rules - description: Apex code to send outbound emails is employed, which may lead to - uncontrolled distribution of sensitive data or exhaustion of email sending limits. - group: top10-insecure-design - name: Apex_ISV_Quality_Rules_Outbound_Email_Send - pretty_name: Outbound Email Send - Apex - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Apex_ISV_Quality_Rules_Report_with_no_Filter: - categories: - - boost-baseline - - ALL - - owasp-top-10 - - checkmarx-isv-quality-rules - description: Apex reports without assigned filters can return an excessively broad - data set, potentially causing performance issues or disclosing sensitive information. - group: top10-insecure-design - name: Apex_ISV_Quality_Rules_Report_with_no_Filter - pretty_name: Report with no Filter - Apex - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Apex_ISV_Quality_Rules_SOQL_Dynamic_null_in_Where: - categories: - - boost-baseline - - ALL - - owasp-top-10 - - checkmarx-isv-quality-rules - description: The SOQL query uses a dynamic 'null' in its WHERE clause, which may - lead to inconsistent results or potential vulnerabilities in Apex code. 
- group: top10-insecure-design - name: Apex_ISV_Quality_Rules_SOQL_Dynamic_null_in_Where - pretty_name: SOQL Dynamic null in Where - Apex - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Apex_ISV_Quality_Rules_SOQL_Formula_in_Where: - categories: - - boost-baseline - - ALL - - owasp-top-10 - - checkmarx-isv-quality-rules - description: In Salesforce Apex code, a SOQL query uses a formula field within - the WHERE clause, causing unpredictable behavior and potential performance issues - while querying data. - group: top10-insecure-design - name: Apex_ISV_Quality_Rules_SOQL_Formula_in_Where - pretty_name: SOQL Formula in Where - Apex - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Apex_ISV_Quality_Rules_SOQL_Hardcoded_null_in_Where: - categories: - - checkmarx-isv-quality-rules - - cwe-1067 - - owasp-top-10 - - boost-baseline - - ALL - description: The product contains a data query against an SQL table or view that - is configured in a way that does not utilize an index and may cause sequential - searches to be performed. - group: top10-insecure-design - name: Apex_ISV_Quality_Rules_SOQL_Hardcoded_null_in_Where - pretty_name: SOQL Hardcoded null in Where - Apex - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Apex_ISV_Quality_Rules_SOQL_Relationship_in_Where: - categories: - - checkmarx-isv-quality-rules - - cwe-1067 - - owasp-top-10 - - boost-baseline - - ALL - description: The product contains a data query against an SQL table or view that - is configured in a way that does not utilize an index and may cause sequential - searches to be performed. 
- group: top10-insecure-design - name: Apex_ISV_Quality_Rules_SOQL_Relationship_in_Where - pretty_name: SOQL Relationship in Where - Apex - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Apex_ISV_Quality_Rules_SOQL_With_All_Fields: - categories: - - checkmarx-isv-quality-rules - - owasp-top-10 - - cwe-400 - - boost-baseline - - ALL - - cwe-top-25 - description: The product does not properly control the allocation and maintenance - of a limited resource, thereby enabling an actor to influence the amount of - resources consumed, eventually leading to the exhaustion of available resources. - group: top10-insecure-design - name: Apex_ISV_Quality_Rules_SOQL_With_All_Fields - pretty_name: SOQL With All Fields - Apex - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Apex_ISV_Quality_Rules_SOQL_with_All_Fields_in_Loop: - categories: - - checkmarx-isv-quality-rules - - owasp-top-10 - - cwe-400 - - boost-baseline - - ALL - - cwe-top-25 - description: The product does not properly control the allocation and maintenance - of a limited resource, thereby enabling an actor to influence the amount of - resources consumed, eventually leading to the exhaustion of available resources. - group: top10-insecure-design - name: Apex_ISV_Quality_Rules_SOQL_with_All_Fields_in_Loop - pretty_name: SOQL with All Fields in Loop - Apex - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Apex_ISV_Quality_Rules_SOSL_With_Where_Clause: - categories: - - boost-baseline - - ALL - - owasp-top-10 - - checkmarx-isv-quality-rules - description: The SOSL (Salesforce Object Search Language) query includes a WHERE - clause, which can lead to performance issues due to query inefficiency. 
- group: top10-insecure-design - name: Apex_ISV_Quality_Rules_SOSL_With_Where_Clause - pretty_name: SOSL With Where Clause - Apex - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Apex_ISV_Quality_Rules_Warn_About_Viewstate_Size_Limit: - categories: - - boost-baseline - - ALL - - owasp-top-10 - - checkmarx-isv-quality-rules - description: Alerts developers when ViewState usage in Salesforce's Apex code - surpasses the size limit, helping to avoid performance issues and exceptions - at runtime. - group: top10-insecure-design - name: Apex_ISV_Quality_Rules_Warn_About_Viewstate_Size_Limit - pretty_name: Warn About Viewstate Size Limit - Apex - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Apex_ISV_Quality_Rules_Workflow_sends_Emails: - categories: - - boost-baseline - - ALL - - owasp-top-10 - - checkmarx-isv-quality-rules - description: Workflow rules in Apex cause automatic email transmission, which - could disrupt service through excessive messaging, violate data privacy regulations - or result in unintended information disclosure. - group: top10-insecure-design - name: Apex_ISV_Quality_Rules_Workflow_sends_Emails - pretty_name: Workflow sends Emails - Apex - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Apex_Low_Visibility_Escape_False_Warning: - categories: - - boost-baseline - - ALL - - checkmarx-low-visibility - - owasp-top-10 - description: The Visualforce markup includes an unescaped merge field, "&{!...}", - which could make the application vulnerable to Cross-Site Scripting (XSS) attacks - due to rendering of untrusted data as real HTML content. 
- group: top10-injection - name: Apex_Low_Visibility_Escape_False_Warning - pretty_name: Escape False Warning - Apex - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Apex_Low_Visibility_Hardcoded_Password: - categories: - - ALL - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - cwe-259 - description: The product contains a hard-coded password, which it uses for its - own inbound authentication or for outbound communication to external components. - group: top10-id-authn-failures - name: Apex_Low_Visibility_Hardcoded_Password - pretty_name: Hardcoded Password - Apex - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Apex_Low_Visibility_Parameter_Tampering: - categories: - - checkmarx-low-visibility - - owasp-top-10 - - cwe-472 - - boost-baseline - - ALL - description: The web application does not sufficiently verify inputs that are - assumed to be immutable but are actually externally controllable, such as hidden - form fields. - group: top10-insecure-design - name: Apex_Low_Visibility_Parameter_Tampering - pretty_name: Parameter Tampering - Apex - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Apex_Low_Visibility_Password_misuse: - categories: - - boost-baseline - - ALL - - checkmarx-low-visibility - - owasp-top-10 - description: Sensitive data, such as passwords, are exposed in Salesforce Apex - code due to being hard-coded, log-printed, or misused in a publicly visible - or easily accessible manner. 
- group: top10-id-authn-failures - name: Apex_Low_Visibility_Password_misuse - pretty_name: Password misuse - Apex - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Apex_Low_Visibility_Potential_Frame_Injection: - categories: - - boost-baseline - - ALL - - checkmarx-low-visibility - - owasp-top-10 - description: Apex code lacks frame options in HTTP response headers, making it - prone to clickjacking attacks via potential frame injection. - group: top10-injection - name: Apex_Low_Visibility_Potential_Frame_Injection - pretty_name: Potential Frame Injection - Apex - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Apex_Low_Visibility_Potential_URL_Redirection_Attack: - categories: - - checkmarx-low-visibility - - cwe-601 - - owasp-top-10 - - boost-baseline - - ALL - description: A web application accepts a user-controlled input that specifies - a link to an external site, and uses that link in a Redirect. This simplifies - phishing attacks. - group: top10-broken-access-control - name: Apex_Low_Visibility_Potential_URL_Redirection_Attack - pretty_name: Potential URL Redirection Attack - Apex - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Apex_Low_Visibility_Privacy_Violation: - categories: - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - - cwe-359 - description: The product does not properly prevent a person's private, personal - information from being accessed by actors who either (1) are not explicitly - authorized to access the information or (2) do not have the implicit consent - of the person about whom the information is collected. 
- group: top10-broken-access-control - name: Apex_Low_Visibility_Privacy_Violation - pretty_name: Privacy Violation - Apex - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Apex_Low_Visibility_Second_Order_SOQL_SOSL_Injection: - categories: - - checkmarx-low-visibility - - cwe-89 - - owasp-top-10 - - boost-baseline - - ALL - - cwe-top-25 - description: The product constructs all or part of an SQL command using externally-influenced - input from an upstream component, but it does not neutralize or incorrectly - neutralizes special elements that could modify the intended SQL command when - it is sent to a downstream component. - group: top10-injection - name: Apex_Low_Visibility_Second_Order_SOQL_SOSL_Injection - pretty_name: Second Order SOQL SOSL Injection - Apex - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Apex_Low_Visibility_Use_of_Broken_or_Risky_Cryptographic_Algorithm: - categories: - - cwe-327 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: The product uses a broken or risky cryptographic algorithm or protocol. - group: top10-crypto-failures - name: Apex_Low_Visibility_Use_of_Broken_or_Risky_Cryptographic_Algorithm - pretty_name: Use of Broken or Risky Cryptographic Algorithm - Apex - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Apex_Low_Visibility_Verbose_Error_Reporting: - categories: - - cwe-209 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: The product generates an error message that includes sensitive information - about its environment, users, or associated data. 
- group: top10-insecure-design - name: Apex_Low_Visibility_Verbose_Error_Reporting - pretty_name: Verbose Error Reporting - Apex - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Apple_Secure_Coding_Guide_Buffer_Size_Literal: - categories: - - cwe-118 - - checkmarx-secure-coding-guide - - owasp-top-10 - - boost-baseline - - ALL - description: The product does not restrict or incorrectly restricts operations - within the boundaries of a resource that is accessed using an index or pointer, - such as memory or files. - group: top10-insecure-design - name: Apple_Secure_Coding_Guide_Buffer_Size_Literal - pretty_name: Buffer Size Literal - Apple - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Apple_Secure_Coding_Guide_Buffer_Size_Literal_Condition: - categories: - - cwe-118 - - checkmarx-secure-coding-guide - - owasp-top-10 - - boost-baseline - - ALL - description: The product does not restrict or incorrectly restricts operations - within the boundaries of a resource that is accessed using an index or pointer, - such as memory or files. - group: top10-insecure-design - name: Apple_Secure_Coding_Guide_Buffer_Size_Literal_Condition - pretty_name: Buffer Size Literal Condition - Apple - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Apple_Secure_Coding_Guide_Buffer_Size_Literal_Overflow: - categories: - - boost-hardened - - checkmarx-secure-coding-guide - - owasp-top-10 - - boost-baseline - - ALL - - cwe-788 - description: The product reads or writes to a buffer using an index or pointer - that references a memory location after the end of the buffer. 
- group: top10-insecure-design - name: Apple_Secure_Coding_Guide_Buffer_Size_Literal_Overflow - pretty_name: Buffer Size Literal Overflow - Apple - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Apple_Secure_Coding_Guide_Improper_Implementation_of_NSSecureCoding: - categories: - - boost-hardened - - boost-baseline - - checkmarx-secure-coding-guide - - owasp-top-10 - - cwe-502 - - ALL - - cwe-top-25 - description: The product deserializes untrusted data without sufficiently verifying - that the resulting data will be valid. - group: top10-software-data-integrity-failures - name: Apple_Secure_Coding_Guide_Improper_Implementation_of_NSSecureCoding - pretty_name: Improper Implementation of NSSecureCoding - Apple - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Apple_Secure_Coding_Guide_Jailbrake_File_Referenced_By_Name: - categories: - - checkmarx-secure-coding-guide - - owasp-top-10 - - cwe-668 - - boost-baseline - - ALL - description: The product exposes a resource to the wrong control sphere, providing - unintended actors with inappropriate access to the resource. - group: top10-broken-access-control - name: Apple_Secure_Coding_Guide_Jailbrake_File_Referenced_By_Name - pretty_name: Jailbrake File Referenced By Name - Apple - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Apple_Secure_Coding_Guide_Jailbreak_Unchecked_File_Operation_Result_Code: - categories: - - cwe-252 - - checkmarx-secure-coding-guide - - owasp-top-10 - - boost-baseline - - ALL - description: The product does not check the return value from a method or function, - which can prevent it from detecting unexpected states and conditions. 
- group: top10-insecure-design - name: Apple_Secure_Coding_Guide_Jailbreak_Unchecked_File_Operation_Result_Code - pretty_name: Jailbreak Unchecked File Operation Result Code - Apple - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Apple_Secure_Coding_Guide_NSPredicate_Injection: - categories: - - boost-hardened - - cwe-134 - - checkmarx-secure-coding-guide - - owasp-top-10 - - boost-baseline - - ALL - description: The product uses a function that accepts a format string as an argument, - but the format string originates from an external source. - group: top10-insecure-design - name: Apple_Secure_Coding_Guide_NSPredicate_Injection - pretty_name: NSPredicate Injection - Apple - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Apple_Secure_Coding_Guide_NSPredicate_Injection_Via_Deserialization: - categories: - - boost-hardened - - boost-baseline - - checkmarx-secure-coding-guide - - owasp-top-10 - - cwe-502 - - ALL - - cwe-top-25 - description: The product deserializes untrusted data without sufficiently verifying - that the resulting data will be valid. - group: top10-software-data-integrity-failures - name: Apple_Secure_Coding_Guide_NSPredicate_Injection_Via_Deserialization - pretty_name: NSPredicate Injection Via Deserialization - Apple - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Apple_Secure_Coding_Guide_Path_Manipulation: - categories: - - checkmarx-secure-coding-guide - - cwe-73 - - owasp-top-10 - - boost-baseline - - ALL - description: The product allows user input to control or influence paths or file - names that are used in filesystem operations. 
- group: top10-insecure-design - name: Apple_Secure_Coding_Guide_Path_Manipulation - pretty_name: Path Manipulation - Apple - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Apple_Secure_Coding_Guide_Signed_Memory_Arithmetic: - categories: - - boost-hardened - - cwe-190 - - checkmarx-secure-coding-guide - - owasp-top-10 - - boost-baseline - - ALL - - cwe-top-25 - description: The product performs a calculation that can produce an integer overflow - or wraparound, when the logic assumes that the resulting value will always be - larger than the original value. This can introduce other weaknesses when the - calculation is used for resource management or execution control. - group: top10-insecure-design - name: Apple_Secure_Coding_Guide_Signed_Memory_Arithmetic - pretty_name: Signed Memory Arithmetic - Apple - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Apple_Secure_Coding_Guide_UDP_Protocol_Used: - categories: - - checkmarx-secure-coding-guide - - owasp-top-10 - - cwe-398 - - boost-baseline - - ALL - description: Indicates that the product has not been carefully developed or maintained. - group: top10-insecure-design - name: Apple_Secure_Coding_Guide_UDP_Protocol_Used - pretty_name: UDP Protocol Used - Apple - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Apple_Secure_Coding_Guide_URL_Injection: - categories: - - cwe-74 - - checkmarx-secure-coding-guide - - owasp-top-10 - - boost-baseline - - ALL - description: The product constructs all or part of a command, data structure, - or record using externally-influenced input from an upstream component, but - it does not neutralize or incorrectly neutralizes special elements that could - modify how it is parsed or interpreted when it is sent to a downstream component. 
- group: top10-injection - name: Apple_Secure_Coding_Guide_URL_Injection - pretty_name: URL Injection - Apple - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Apple_Secure_Coding_Guide_Unchecked_CString_Convertion: - categories: - - cwe-252 - - checkmarx-secure-coding-guide - - owasp-top-10 - - boost-baseline - - ALL - description: The product does not check the return value from a method or function, - which can prevent it from detecting unexpected states and conditions. - group: top10-insecure-design - name: Apple_Secure_Coding_Guide_Unchecked_CString_Convertion - pretty_name: Unchecked CString Convertion - Apple - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Apple_Secure_Coding_Guide_Unscrubbed_Secret: - categories: - - checkmarx-secure-coding-guide - - owasp-top-10 - - cwe-226 - - boost-baseline - - ALL - description: The product releases a resource such as memory or a file so that - it can be made available for reuse, but it does not clear or "zeroize" the information - contained in the resource before the product performs a critical state transition - or makes the resource available for reuse by other entities. - group: top10-insecure-design - name: Apple_Secure_Coding_Guide_Unscrubbed_Secret - pretty_name: Unscrubbed Secret - Apple - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Apple_Secure_Coding_Guide_Unsecure_Deserialization: - categories: - - boost-hardened - - boost-baseline - - checkmarx-secure-coding-guide - - owasp-top-10 - - cwe-502 - - ALL - - cwe-top-25 - description: The product deserializes untrusted data without sufficiently verifying - that the resulting data will be valid. 
- group: top10-software-data-integrity-failures - name: Apple_Secure_Coding_Guide_Unsecure_Deserialization - pretty_name: Unsecure Deserialization - Apple - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_Best_Coding_Practice_Buffer_Size_Literal: - categories: - - cwe-118 - - owasp-top-10 - - checkmarx-best-coding-practices - - boost-baseline - - ALL - description: The product does not restrict or incorrectly restricts operations - within the boundaries of a resource that is accessed using an index or pointer, - such as memory or files. - group: top10-insecure-design - name: CPP_Best_Coding_Practice_Buffer_Size_Literal - pretty_name: Buffer Size Literal - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_Best_Coding_Practice_Buffer_Size_Literal_Condition: - categories: - - cwe-118 - - owasp-top-10 - - checkmarx-best-coding-practices - - boost-baseline - - ALL - description: The product does not restrict or incorrectly restricts operations - within the boundaries of a resource that is accessed using an index or pointer, - such as memory or files. - group: top10-insecure-design - name: CPP_Best_Coding_Practice_Buffer_Size_Literal_Condition - pretty_name: Buffer Size Literal Condition - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_Best_Coding_Practice_Buffer_Size_Literal_Overflow: - categories: - - owasp-top-10 - - checkmarx-best-coding-practices - - boost-baseline - - ALL - - cwe-788 - description: The product reads or writes to a buffer using an index or pointer - that references a memory location after the end of the buffer. 
- group: top10-insecure-design - name: CPP_Best_Coding_Practice_Buffer_Size_Literal_Overflow - pretty_name: Buffer Size Literal Overflow - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_Best_Coding_Practice_Dead_Code: - categories: - - cwe-561 - - owasp-top-10 - - checkmarx-best-coding-practices - - boost-baseline - - ALL - description: The product contains dead code, which can never be executed. - group: top10-insecure-design - name: CPP_Best_Coding_Practice_Dead_Code - pretty_name: Dead Code - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_Best_Coding_Practice_Declaration_Of_Catch_For_Generic_Exception: - categories: - - cwe-396 - - owasp-top-10 - - checkmarx-best-coding-practices - - boost-baseline - - ALL - description: Catching overly broad exceptions promotes complex error handling - code that is more likely to contain security vulnerabilities. - group: top10-insecure-design - name: CPP_Best_Coding_Practice_Declaration_Of_Catch_For_Generic_Exception - pretty_name: Declaration Of Catch For Generic Exception - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_Best_Coding_Practice_Detection_of_Error_Condition_Without_Action: - categories: - - cwe-390 - - owasp-top-10 - - checkmarx-best-coding-practices - - boost-baseline - - ALL - description: The product detects a specific error, but takes no actions to handle - the error. 
- group: top10-insecure-design - name: CPP_Best_Coding_Practice_Detection_of_Error_Condition_Without_Action - pretty_name: Detection of Error Condition Without Action - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_Best_Coding_Practice_Empty_Methods: - categories: - - owasp-top-10 - - cwe-398 - - checkmarx-best-coding-practices - - boost-baseline - - ALL - description: Indicates that the product has not been carefully developed or maintained. - group: top10-insecure-design - name: CPP_Best_Coding_Practice_Empty_Methods - pretty_name: Empty Methods - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_Best_Coding_Practice_Exposure_of_Resource_to_Wrong_Sphere: - categories: - - owasp-top-10 - - cwe-493 - - checkmarx-best-coding-practices - - boost-baseline - - ALL - description: The product has a critical public variable that is not final, which - allows the variable to be modified to contain unexpected values. - group: top10-insecure-design - name: CPP_Best_Coding_Practice_Exposure_of_Resource_to_Wrong_Sphere - pretty_name: Exposure of Resource to Wrong Sphere - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_Best_Coding_Practice_GOTO_Statement: - categories: - - owasp-top-10 - - checkmarx-best-coding-practices - - boost-baseline - - ALL - - cwe-699 - description: Using GOTO statements is considered a poor coding practice as it - makes the code harder to understand and maintain. The flow of the logic is less - clear with GOTO jumps, versus the more structured control flow of if/else statements, - loops, etc. GOTO usage can also lead to spaghetti code that is tangled and difficult - to follow. For cleaner, more maintainable code, GOTO statements should be avoided - in favor of alternate structured programming constructs. 
- group: top10-insecure-design - name: CPP_Best_Coding_Practice_GOTO_Statement - pretty_name: GOTO Statement - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_Best_Coding_Practice_Hardcoded_Absolute_Path: - categories: - - cwe-426 - - owasp-top-10 - - checkmarx-best-coding-practices - - boost-baseline - - ALL - description: The product searches for critical resources using an externally-supplied - search path that can point to resources that are not under the product's direct - control. - group: top10-software-data-integrity-failures - name: CPP_Best_Coding_Practice_Hardcoded_Absolute_Path - pretty_name: Hardcoded Absolute Path - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_Best_Coding_Practice_Magic_Numbers: - categories: - - boost-baseline - - ALL - - checkmarx-best-coding-practices - - owasp-top-10 - description: Numeric constants (known as 'magic numbers') are used directly in - the source code, making it hard to maintain and understand. Such numbers should - be replaced with named constants. - group: top10-insecure-design - name: CPP_Best_Coding_Practice_Magic_Numbers - pretty_name: Magic Numbers - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_Best_Coding_Practice_Methods_Without_ReturnType: - categories: - - owasp-top-10 - - checkmarx-best-coding-practices - - boost-baseline - - ALL - description: C++ methods are defined without a return type, which can lead to - undefined behavior or misinterpretation of method purpose. 
- group: top10-insecure-design - name: CPP_Best_Coding_Practice_Methods_Without_ReturnType - pretty_name: Methods Without ReturnType - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_Best_Coding_Practice_Non_Private_Static_Constructors: - categories: - - boost-baseline - - ALL - - checkmarx-best-coding-practices - - owasp-top-10 - description: A static constructor in C++ isn't private, which could potentially - allow unintended class instantiation and alteration of class states. - group: top10-insecure-design - name: CPP_Best_Coding_Practice_Non_Private_Static_Constructors - pretty_name: Non Private Static Constructors - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_Best_Coding_Practice_Reliance_On_Untrusted_Inputs_In_Security_Decision: - categories: - - owasp-top-10 - - checkmarx-best-coding-practices - - boost-baseline - - ALL - - cwe-807 - description: The product uses a protection mechanism that relies on the existence - or values of an input, but the input can be modified by an untrusted actor in - a way that bypasses the protection mechanism. - group: top10-insecure-design - name: CPP_Best_Coding_Practice_Reliance_On_Untrusted_Inputs_In_Security_Decision - pretty_name: Reliance On Untrusted Inputs In Security Decision - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_Best_Coding_Practice_Unused_Variable: - categories: - - owasp-top-10 - - cwe-563 - - checkmarx-best-coding-practices - - boost-baseline - - ALL - description: The variable's value is assigned but never used, making it a dead - store. 
- group: top10-insecure-design - name: CPP_Best_Coding_Practice_Unused_Variable - pretty_name: Unused Variable - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_Best_Coding_Practice_Unvalidated_Arguments_Of_Public_Methods: - categories: - - boost-baseline - - ALL - - checkmarx-best-coding-practices - - owasp-top-10 - description: Public methods in C++ code neglect to validate arguments before use, - increasing the risk of unauthorized data access and manipulation. - group: top10-insecure-design - name: CPP_Best_Coding_Practice_Unvalidated_Arguments_Of_Public_Methods - pretty_name: Unvalidated Arguments Of Public Methods - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_Buffer_Overflow_Buffer_Improper_Index_Access: - categories: - - checkmarx-buffer-overflow - - cwe-129 - - boost-hardened - - owasp-top-10 - - boost-baseline - - ALL - description: The product uses untrusted input when calculating or using an array - index, but the product does not validate or incorrectly validates the index - to ensure the index references a valid position within the array. - group: top10-insecure-design - name: CPP_Buffer_Overflow_Buffer_Improper_Index_Access - pretty_name: Buffer Improper Index Access - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_Buffer_Overflow_Buffer_Overflow_AddressOfLocalVarReturned: - categories: - - checkmarx-buffer-overflow - - cwe-562 - - owasp-top-10 - - boost-baseline - - ALL - description: A function returns the address of a stack variable, which will cause - unintended program behavior, typically in the form of a crash. 
- group: top10-injection - name: CPP_Buffer_Overflow_Buffer_Overflow_AddressOfLocalVarReturned - pretty_name: Buffer Overflow AddressOfLocalVarReturned - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_Buffer_Overflow_Buffer_Overflow_IndexFromInput: - categories: - - ALL - - boost-hardened - - checkmarx-buffer-overflow - - owasp-top-10 - - boost-baseline - - cwe-787 - - cwe-top-25 - description: The product writes data past the end, or before the beginning, of - the intended buffer. - group: top10-injection - name: CPP_Buffer_Overflow_Buffer_Overflow_IndexFromInput - pretty_name: Buffer Overflow IndexFromInput - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_Buffer_Overflow_Buffer_Overflow_Indexes: - categories: - - checkmarx-buffer-overflow - - boost-hardened - - owasp-top-10 - - cwe-120 - - boost-baseline - - ALL - description: The product copies an input buffer to an output buffer without verifying - that the size of the input buffer is less than the size of the output buffer, - leading to a buffer overflow. - group: top10-injection - name: CPP_Buffer_Overflow_Buffer_Overflow_Indexes - pretty_name: Buffer Overflow Indexes - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_Buffer_Overflow_Buffer_Overflow_LongString: - categories: - - checkmarx-buffer-overflow - - boost-hardened - - owasp-top-10 - - cwe-120 - - boost-baseline - - ALL - description: The product copies an input buffer to an output buffer without verifying - that the size of the input buffer is less than the size of the output buffer, - leading to a buffer overflow. 
- group: top10-injection - name: CPP_Buffer_Overflow_Buffer_Overflow_LongString - pretty_name: Buffer Overflow LongString - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_Buffer_Overflow_Buffer_Overflow_Loops: - categories: - - checkmarx-buffer-overflow - - cwe-193 - - owasp-top-10 - - boost-baseline - - ALL - description: A product calculates or uses an incorrect maximum or minimum value - that is 1 more, or 1 less, than the correct value. - group: top10-injection - name: CPP_Buffer_Overflow_Buffer_Overflow_Loops - pretty_name: Buffer Overflow Loops - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_Buffer_Overflow_Buffer_Overflow_Loops_Old: - categories: - - checkmarx-buffer-overflow - - cwe-193 - - owasp-top-10 - - boost-baseline - - ALL - description: A product calculates or uses an incorrect maximum or minimum value - that is 1 more, or 1 less, than the correct value. - group: top10-injection - name: CPP_Buffer_Overflow_Buffer_Overflow_Loops_Old - pretty_name: Buffer Overflow Loops Old - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_Buffer_Overflow_Buffer_Overflow_LowBound: - categories: - - checkmarx-buffer-overflow - - boost-hardened - - owasp-top-10 - - cwe-120 - - boost-baseline - - ALL - description: The product copies an input buffer to an output buffer without verifying - that the size of the input buffer is less than the size of the output buffer, - leading to a buffer overflow. 
- group: top10-injection - name: CPP_Buffer_Overflow_Buffer_Overflow_LowBound - pretty_name: Buffer Overflow LowBound - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_Buffer_Overflow_Buffer_Overflow_OutOfBound: - categories: - - checkmarx-buffer-overflow - - boost-hardened - - owasp-top-10 - - cwe-120 - - boost-baseline - - ALL - description: The product copies an input buffer to an output buffer without verifying - that the size of the input buffer is less than the size of the output buffer, - leading to a buffer overflow. - group: top10-injection - name: CPP_Buffer_Overflow_Buffer_Overflow_OutOfBound - pretty_name: Buffer Overflow OutOfBound - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_Buffer_Overflow_Buffer_Overflow_StrcpyStrcat: - categories: - - checkmarx-buffer-overflow - - boost-hardened - - owasp-top-10 - - cwe-120 - - boost-baseline - - ALL - description: The product copies an input buffer to an output buffer without verifying - that the size of the input buffer is less than the size of the output buffer, - leading to a buffer overflow. - group: top10-injection - name: CPP_Buffer_Overflow_Buffer_Overflow_StrcpyStrcat - pretty_name: Buffer Overflow StrcpyStrcat - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_Buffer_Overflow_Buffer_Overflow_Unbounded_Buffer: - categories: - - checkmarx-buffer-overflow - - boost-hardened - - owasp-top-10 - - cwe-120 - - boost-baseline - - ALL - description: The product copies an input buffer to an output buffer without verifying - that the size of the input buffer is less than the size of the output buffer, - leading to a buffer overflow. 
- group: top10-injection - name: CPP_Buffer_Overflow_Buffer_Overflow_Unbounded_Buffer - pretty_name: Buffer Overflow Unbounded Buffer - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_Buffer_Overflow_Buffer_Overflow_Unbounded_Format: - categories: - - checkmarx-buffer-overflow - - boost-hardened - - owasp-top-10 - - cwe-120 - - boost-baseline - - ALL - description: The product copies an input buffer to an output buffer without verifying - that the size of the input buffer is less than the size of the output buffer, - leading to a buffer overflow. - group: top10-injection - name: CPP_Buffer_Overflow_Buffer_Overflow_Unbounded_Format - pretty_name: Buffer Overflow Unbounded Format - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_Buffer_Overflow_Buffer_Overflow_Wrong_Buffer_Size: - categories: - - checkmarx-buffer-overflow - - boost-hardened - - owasp-top-10 - - boost-baseline - - ALL - - cwe-131 - description: The product does not correctly calculate the size to be used when - allocating a buffer, which could lead to a buffer overflow. - group: top10-injection - name: CPP_Buffer_Overflow_Buffer_Overflow_Wrong_Buffer_Size - pretty_name: Buffer Overflow Wrong Buffer Size - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_Buffer_Overflow_Buffer_Overflow_boundcpy_WrongSizeParam: - categories: - - checkmarx-buffer-overflow - - owasp-top-10 - - boost-baseline - - ALL - - cwe-121 - description: A stack-based buffer overflow condition is a condition where the - buffer being overwritten is allocated on the stack (i.e., is a local variable - or, rarely, a parameter to a function). 
- group: top10-injection - name: CPP_Buffer_Overflow_Buffer_Overflow_boundcpy_WrongSizeParam - pretty_name: Buffer Overflow boundcpy WrongSizeParam - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_Buffer_Overflow_Buffer_Overflow_boundedcpy: - categories: - - checkmarx-buffer-overflow - - boost-hardened - - owasp-top-10 - - cwe-120 - - boost-baseline - - ALL - description: The product copies an input buffer to an output buffer without verifying - that the size of the input buffer is less than the size of the output buffer, - leading to a buffer overflow. - group: top10-injection - name: CPP_Buffer_Overflow_Buffer_Overflow_boundedcpy - pretty_name: Buffer Overflow boundedcpy - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_Buffer_Overflow_Buffer_Overflow_boundedcpy2: - categories: - - checkmarx-buffer-overflow - - owasp-top-10 - - cwe-120 - - boost-baseline - - ALL - description: The product copies an input buffer to an output buffer without verifying - that the size of the input buffer is less than the size of the output buffer, - leading to a buffer overflow. - group: top10-injection - name: CPP_Buffer_Overflow_Buffer_Overflow_boundedcpy2 - pretty_name: Buffer Overflow boundedcpy2 - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_Buffer_Overflow_Buffer_Overflow_cin: - categories: - - checkmarx-buffer-overflow - - boost-hardened - - owasp-top-10 - - cwe-120 - - boost-baseline - - ALL - description: The product copies an input buffer to an output buffer without verifying - that the size of the input buffer is less than the size of the output buffer, - leading to a buffer overflow. 
- group: top10-injection - name: CPP_Buffer_Overflow_Buffer_Overflow_cin - pretty_name: Buffer Overflow cin - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_Buffer_Overflow_Buffer_Overflow_cpycat: - categories: - - checkmarx-buffer-overflow - - boost-hardened - - owasp-top-10 - - cwe-120 - - boost-baseline - - ALL - description: The product copies an input buffer to an output buffer without verifying - that the size of the input buffer is less than the size of the output buffer, - leading to a buffer overflow. - group: top10-injection - name: CPP_Buffer_Overflow_Buffer_Overflow_cpycat - pretty_name: Buffer Overflow cpycat - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_Buffer_Overflow_Buffer_Overflow_fgets: - categories: - - checkmarx-buffer-overflow - - boost-hardened - - owasp-top-10 - - cwe-120 - - boost-baseline - - ALL - description: The product copies an input buffer to an output buffer without verifying - that the size of the input buffer is less than the size of the output buffer, - leading to a buffer overflow. - group: top10-injection - name: CPP_Buffer_Overflow_Buffer_Overflow_fgets - pretty_name: Buffer Overflow fgets - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_Buffer_Overflow_Buffer_Overflow_scanf: - categories: - - checkmarx-buffer-overflow - - boost-hardened - - owasp-top-10 - - cwe-120 - - boost-baseline - - ALL - description: The product copies an input buffer to an output buffer without verifying - that the size of the input buffer is less than the size of the output buffer, - leading to a buffer overflow. 
- group: top10-injection - name: CPP_Buffer_Overflow_Buffer_Overflow_scanf - pretty_name: Buffer Overflow scanf - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_Buffer_Overflow_Buffer_Overflow_sizeof: - categories: - - checkmarx-buffer-overflow - - boost-hardened - - owasp-top-10 - - cwe-120 - - boost-baseline - - ALL - description: The product copies an input buffer to an output buffer without verifying - that the size of the input buffer is less than the size of the output buffer, - leading to a buffer overflow. - group: top10-injection - name: CPP_Buffer_Overflow_Buffer_Overflow_sizeof - pretty_name: Buffer Overflow sizeof - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_Buffer_Overflow_Buffer_Overflow_unbounded: - categories: - - checkmarx-buffer-overflow - - boost-hardened - - owasp-top-10 - - cwe-120 - - boost-baseline - - ALL - description: The product copies an input buffer to an output buffer without verifying - that the size of the input buffer is less than the size of the output buffer, - leading to a buffer overflow. - group: top10-injection - name: CPP_Buffer_Overflow_Buffer_Overflow_unbounded - pretty_name: Buffer Overflow unbounded - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_Buffer_Overflow_Format_String_Attack: - categories: - - boost-hardened - - checkmarx-buffer-overflow - - cwe-134 - - owasp-top-10 - - boost-baseline - - ALL - description: The product uses a function that accepts a format string as an argument, - but the format string originates from an external source. 
- group: top10-injection - name: CPP_Buffer_Overflow_Format_String_Attack - pretty_name: Format String Attack - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_Buffer_Overflow_Improper_Null_Termination: - categories: - - cwe-170 - - checkmarx-buffer-overflow - - boost-hardened - - owasp-top-10 - - boost-baseline - - ALL - description: The product does not terminate or incorrectly terminates a string - or array with a null character or equivalent terminator. - group: top10-insecure-design - name: CPP_Buffer_Overflow_Improper_Null_Termination - pretty_name: Improper Null Termination - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_Buffer_Overflow_Missing_Precision: - categories: - - checkmarx-buffer-overflow - - owasp-top-10 - - cwe-120 - - boost-baseline - - ALL - description: The product copies an input buffer to an output buffer without verifying - that the size of the input buffer is less than the size of the output buffer, - leading to a buffer overflow. - group: top10-insecure-design - name: CPP_Buffer_Overflow_Missing_Precision - pretty_name: Missing Precision - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_Buffer_Overflow_MultiByte_String_Length: - categories: - - checkmarx-buffer-overflow - - owasp-top-10 - - cwe-135 - - boost-baseline - - ALL - description: The product does not correctly calculate the length of strings that - can contain wide or multi-byte characters. 
- group: top10-injection - name: CPP_Buffer_Overflow_MultiByte_String_Length - pretty_name: MultiByte String Length - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_Buffer_Overflow_Off_by_One_Error: - categories: - - checkmarx-buffer-overflow - - boost-hardened - - cwe-193 - - owasp-top-10 - - boost-baseline - - ALL - description: A product calculates or uses an incorrect maximum or minimum value - that is 1 more, or 1 less, than the correct value. - group: top10-injection - name: CPP_Buffer_Overflow_Off_by_One_Error - pretty_name: Off by One Error - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_Buffer_Overflow_Off_by_One_Error_in_Arrays: - categories: - - checkmarx-buffer-overflow - - boost-hardened - - cwe-193 - - owasp-top-10 - - boost-baseline - - ALL - description: A product calculates or uses an incorrect maximum or minimum value - that is 1 more, or 1 less, than the correct value. - group: top10-injection - name: CPP_Buffer_Overflow_Off_by_One_Error_in_Arrays - pretty_name: Off by One Error in Arrays - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_Buffer_Overflow_Off_by_One_Error_in_Loops: - categories: - - checkmarx-buffer-overflow - - cwe-193 - - owasp-top-10 - - boost-baseline - - ALL - description: A product calculates or uses an incorrect maximum or minimum value - that is 1 more, or 1 less, than the correct value. 
- group: top10-injection - name: CPP_Buffer_Overflow_Off_by_One_Error_in_Loops - pretty_name: Off by One Error in Loops - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_Buffer_Overflow_Off_by_One_Error_in_Methods: - categories: - - checkmarx-buffer-overflow - - cwe-193 - - owasp-top-10 - - boost-baseline - - ALL - description: A product calculates or uses an incorrect maximum or minimum value - that is 1 more, or 1 less, than the correct value. - group: top10-injection - name: CPP_Buffer_Overflow_Off_by_One_Error_in_Methods - pretty_name: Off by One Error in Methods - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_Buffer_Overflow_Open_SSL_HeartBleed: - categories: - - checkmarx-buffer-overflow - - boost-hardened - - owasp-top-10 - - cwe-120 - - boost-baseline - - ALL - description: The product copies an input buffer to an output buffer without verifying - that the size of the input buffer is less than the size of the output buffer, - leading to a buffer overflow. - group: top10-injection - name: CPP_Buffer_Overflow_Open_SSL_HeartBleed - pretty_name: Open SSL HeartBleed - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_Buffer_Overflow_Potential_Precision_Problem: - categories: - - checkmarx-buffer-overflow - - owasp-top-10 - - cwe-120 - - boost-baseline - - ALL - description: The product copies an input buffer to an output buffer without verifying - that the size of the input buffer is less than the size of the output buffer, - leading to a buffer overflow. 
- group: top10-injection - name: CPP_Buffer_Overflow_Potential_Precision_Problem - pretty_name: Potential Precision Problem - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_Buffer_Overflow_String_Termination_Error: - categories: - - cwe-170 - - checkmarx-buffer-overflow - - boost-hardened - - owasp-top-10 - - boost-baseline - - ALL - description: The product does not terminate or incorrectly terminates a string - or array with a null character or equivalent terminator. - group: top10-injection - name: CPP_Buffer_Overflow_String_Termination_Error - pretty_name: String Termination Error - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_Buffer_Overflow_String_Termination_cin: - categories: - - cwe-170 - - checkmarx-buffer-overflow - - boost-hardened - - owasp-top-10 - - boost-baseline - - ALL - description: The product does not terminate or incorrectly terminates a string - or array with a null character or equivalent terminator. - group: top10-injection - name: CPP_Buffer_Overflow_String_Termination_cin - pretty_name: String Termination cin - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_Heuristic_Freed_Pointer_Not_Set_To_Null: - categories: - - checkmarx-heuristic - - owasp-top-10 - - cwe-476 - - boost-baseline - - ALL - - cwe-top-25 - description: A NULL pointer dereference occurs when the application dereferences - a pointer that it expects to be valid, but is NULL, typically causing a crash - or exit. 
- group: top10-insecure-design - name: CPP_Heuristic_Freed_Pointer_Not_Set_To_Null - pretty_name: Freed Pointer Not Set To Null - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_Heuristic_Heuristic_2nd_Order_Buffer_Overflow_malloc: - categories: - - checkmarx-heuristic - - owasp-top-10 - - cwe-120 - - boost-baseline - - ALL - description: The product copies an input buffer to an output buffer without verifying - that the size of the input buffer is less than the size of the output buffer, - leading to a buffer overflow. - group: top10-injection - name: CPP_Heuristic_Heuristic_2nd_Order_Buffer_Overflow_malloc - pretty_name: Heuristic 2nd Order Buffer Overflow malloc - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_Heuristic_Heuristic_2nd_Order_Buffer_Overflow_read: - categories: - - checkmarx-heuristic - - owasp-top-10 - - cwe-120 - - boost-baseline - - ALL - description: The product copies an input buffer to an output buffer without verifying - that the size of the input buffer is less than the size of the output buffer, - leading to a buffer overflow. - group: top10-injection - name: CPP_Heuristic_Heuristic_2nd_Order_Buffer_Overflow_read - pretty_name: Heuristic 2nd Order Buffer Overflow read - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_Heuristic_Heuristic_2nd_Order_SQL_Injection: - categories: - - checkmarx-heuristic - - cwe-89 - - owasp-top-10 - - boost-baseline - - ALL - - cwe-top-25 - description: The product constructs all or part of an SQL command using externally-influenced - input from an upstream component, but it does not neutralize or incorrectly - neutralizes special elements that could modify the intended SQL command when - it is sent to a downstream component. 
- group: top10-injection - name: CPP_Heuristic_Heuristic_2nd_Order_SQL_Injection - pretty_name: Heuristic 2nd Order SQL Injection - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_Heuristic_Heuristic_Buffer_Improper_Index_Access: - categories: - - cwe-129 - - checkmarx-heuristic - - owasp-top-10 - - boost-baseline - - ALL - description: The product uses untrusted input when calculating or using an array - index, but the product does not validate or incorrectly validates the index - to ensure the index references a valid position within the array. - group: top10-insecure-design - name: CPP_Heuristic_Heuristic_Buffer_Improper_Index_Access - pretty_name: Heuristic Buffer Improper Index Access - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_Heuristic_Heuristic_Buffer_Overflow_malloc: - categories: - - checkmarx-heuristic - - owasp-top-10 - - cwe-120 - - boost-baseline - - ALL - description: The product copies an input buffer to an output buffer without verifying - that the size of the input buffer is less than the size of the output buffer, - leading to a buffer overflow. - group: top10-injection - name: CPP_Heuristic_Heuristic_Buffer_Overflow_malloc - pretty_name: Heuristic Buffer Overflow malloc - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_Heuristic_Heuristic_Buffer_Overflow_read: - categories: - - checkmarx-heuristic - - owasp-top-10 - - cwe-120 - - boost-baseline - - ALL - description: The product copies an input buffer to an output buffer without verifying - that the size of the input buffer is less than the size of the output buffer, - leading to a buffer overflow. 
- group: top10-injection - name: CPP_Heuristic_Heuristic_Buffer_Overflow_read - pretty_name: Heuristic Buffer Overflow read - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_Heuristic_Heuristic_CGI_Stored_XSS: - categories: - - checkmarx-heuristic - - cwe-79 - - owasp-top-10 - - boost-baseline - - ALL - - cwe-top-25 - description: The product does not neutralize or incorrectly neutralizes user-controllable - input before it is placed in output that is used as a web page that is served - to other users. - group: top10-injection - name: CPP_Heuristic_Heuristic_CGI_Stored_XSS - pretty_name: Heuristic CGI Stored XSS - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_Heuristic_Heuristic_DB_Parameter_Tampering: - categories: - - checkmarx-heuristic - - owasp-top-10 - - cwe-284 - - boost-baseline - - ALL - description: The product does not restrict or incorrectly restricts access to - a resource from an unauthorized actor. - group: top10-broken-access-control - name: CPP_Heuristic_Heuristic_DB_Parameter_Tampering - pretty_name: Heuristic DB Parameter Tampering - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_Heuristic_Heuristic_NULL_Pointer_Dereference1: - categories: - - checkmarx-heuristic - - owasp-top-10 - - cwe-476 - - boost-baseline - - ALL - - cwe-top-25 - description: A NULL pointer dereference occurs when the application dereferences - a pointer that it expects to be valid, but is NULL, typically causing a crash - or exit. 
- group: top10-insecure-design - name: CPP_Heuristic_Heuristic_NULL_Pointer_Dereference1 - pretty_name: Heuristic NULL Pointer Dereference1 - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_Heuristic_Heuristic_NULL_Pointer_Dereference2: - categories: - - checkmarx-heuristic - - owasp-top-10 - - cwe-476 - - boost-baseline - - ALL - - cwe-top-25 - description: A NULL pointer dereference occurs when the application dereferences - a pointer that it expects to be valid, but is NULL, typically causing a crash - or exit. - group: top10-insecure-design - name: CPP_Heuristic_Heuristic_NULL_Pointer_Dereference2 - pretty_name: Heuristic NULL Pointer Dereference2 - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_Heuristic_Heuristic_Parameter_Tampering: - categories: - - checkmarx-heuristic - - owasp-top-10 - - cwe-472 - - boost-baseline - - ALL - description: The web application does not sufficiently verify inputs that are - assumed to be immutable but are actually externally controllable, such as hidden - form fields. - group: top10-insecure-design - name: CPP_Heuristic_Heuristic_Parameter_Tampering - pretty_name: Heuristic Parameter Tampering - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_Heuristic_Heuristic_SQL_Injection: - categories: - - checkmarx-heuristic - - cwe-89 - - owasp-top-10 - - boost-baseline - - ALL - - cwe-top-25 - description: The product constructs all or part of an SQL command using externally-influenced - input from an upstream component, but it does not neutralize or incorrectly - neutralizes special elements that could modify the intended SQL command when - it is sent to a downstream component. 
- group: top10-injection - name: CPP_Heuristic_Heuristic_SQL_Injection - pretty_name: Heuristic SQL Injection - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_Heuristic_Heuristic_Unchecked_Return_Value: - categories: - - cwe-252 - - checkmarx-heuristic - - owasp-top-10 - - boost-baseline - - ALL - description: The product does not check the return value from a method or function, - which can prevent it from detecting unexpected states and conditions. - group: top10-insecure-design - name: CPP_Heuristic_Heuristic_Unchecked_Return_Value - pretty_name: Heuristic Unchecked Return Value - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_Heuristic_Potential_Off_by_One_Error_in_Loops: - categories: - - cwe-193 - - checkmarx-heuristic - - owasp-top-10 - - boost-baseline - - ALL - description: A product calculates or uses an incorrect maximum or minimum value - that is 1 more, or 1 less, than the correct value. - group: top10-injection - name: CPP_Heuristic_Potential_Off_by_One_Error_in_Loops - pretty_name: Potential Off by One Error in Loops - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_High_Risk_CGI_Reflected_XSS: - categories: - - boost-hardened - - cwe-79 - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-high-risk - - cwe-top-25 - description: The product does not neutralize or incorrectly neutralizes user-controllable - input before it is placed in output that is used as a web page that is served - to other users. 
- group: top10-injection - name: CPP_High_Risk_CGI_Reflected_XSS - pretty_name: CGI Reflected XSS - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_High_Risk_CGI_Stored_XSS: - categories: - - boost-hardened - - cwe-79 - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-high-risk - - cwe-top-25 - description: The product does not neutralize or incorrectly neutralizes user-controllable - input before it is placed in output that is used as a web page that is served - to other users. - group: top10-injection - name: CPP_High_Risk_CGI_Stored_XSS - pretty_name: CGI Stored XSS - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_High_Risk_Command_Injection: - categories: - - boost-hardened - - cwe-77 - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-high-risk - - cwe-top-25 - description: The product constructs all or part of a command using externally-influenced - input from an upstream component, but it does not neutralize or incorrectly - neutralizes special elements that could modify the intended command when it - is sent to a downstream component. - group: top10-injection - name: CPP_High_Risk_Command_Injection - pretty_name: Command Injection - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_High_Risk_Connection_String_Injection: - categories: - - boost-hardened - - owasp-top-10 - - cwe-99 - - boost-baseline - - ALL - - checkmarx-high-risk - description: The product receives input from an upstream component, but it does - not restrict or incorrectly restricts the input before it is used as an identifier - for a resource that may be outside the intended sphere of control. 
- group: top10-injection - name: CPP_High_Risk_Connection_String_Injection - pretty_name: Connection String Injection - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_High_Risk_LDAP_Injection: - categories: - - boost-hardened - - cwe-90 - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-high-risk - description: The product constructs all or part of an LDAP query using externally-influenced - input from an upstream component, but it does not neutralize or incorrectly - neutralizes special elements that could modify the intended LDAP query when - it is sent to a downstream component. - group: top10-injection - name: CPP_High_Risk_LDAP_Injection - pretty_name: LDAP Injection - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_High_Risk_Process_Control: - categories: - - boost-hardened - - owasp-top-10 - - cwe-114 - - boost-baseline - - ALL - - checkmarx-high-risk - description: Executing commands or loading libraries from an untrusted source - or in an untrusted environment can cause an application to execute malicious - commands (and payloads) on behalf of an attacker. - group: top10-injection - name: CPP_High_Risk_Process_Control - pretty_name: Process Control - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_High_Risk_Resource_Injection: - categories: - - boost-hardened - - owasp-top-10 - - cwe-99 - - boost-baseline - - ALL - - checkmarx-high-risk - description: The product receives input from an upstream component, but it does - not restrict or incorrectly restricts the input before it is used as an identifier - for a resource that may be outside the intended sphere of control. 
- group: top10-injection - name: CPP_High_Risk_Resource_Injection - pretty_name: Resource Injection - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_High_Risk_SQL_Injection: - categories: - - boost-hardened - - cwe-89 - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-high-risk - - cwe-top-25 - description: The product constructs all or part of an SQL command using externally-influenced - input from an upstream component, but it does not neutralize or incorrectly - neutralizes special elements that could modify the intended SQL command when - it is sent to a downstream component. - group: top10-injection - name: CPP_High_Risk_SQL_Injection - pretty_name: SQL Injection - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_Insecure_Credential_Storage_Comparison_Timing_Attack: - categories: - - owasp-top-10 - - checkmarx-insecure-credential-storage - - boost-baseline - - ALL - - cwe-208 - description: Two separate operations in a product require different amounts of - time to complete, in a way that is observable to an actor and reveals security-relevant - information about the state of the product, such as whether a particular operation - was successful or not. - group: top10-insecure-design - name: CPP_Insecure_Credential_Storage_Comparison_Timing_Attack - pretty_name: Comparison Timing Attack - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_Insecure_Credential_Storage_Insecure_Scrypt_Parameters: - categories: - - owasp-top-10 - - checkmarx-insecure-credential-storage - - boost-baseline - - ALL - - cwe-522 - description: The product transmits or stores authentication credentials, but it - uses an insecure method that is susceptible to unauthorized interception and/or - retrieval. 
- group: top10-insecure-design - name: CPP_Insecure_Credential_Storage_Insecure_Scrypt_Parameters - pretty_name: Insecure Scrypt Parameters - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_Insecure_Credential_Storage_Insufficient_BCrypt_Cost: - categories: - - owasp-top-10 - - checkmarx-insecure-credential-storage - - boost-baseline - - ALL - - cwe-522 - description: The product transmits or stores authentication credentials, but it - uses an insecure method that is susceptible to unauthorized interception and/or - retrieval. - group: top10-insecure-design - name: CPP_Insecure_Credential_Storage_Insufficient_BCrypt_Cost - pretty_name: Insufficient BCrypt Cost - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_Insecure_Credential_Storage_Insufficient_Output_Length: - categories: - - owasp-top-10 - - checkmarx-insecure-credential-storage - - boost-baseline - - ALL - - cwe-522 - description: The product transmits or stores authentication credentials, but it - uses an insecure method that is susceptible to unauthorized interception and/or - retrieval. - group: top10-insecure-design - name: CPP_Insecure_Credential_Storage_Insufficient_Output_Length - pretty_name: Insufficient Output Length - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_Insecure_Credential_Storage_PBKDF2_Insufficient_Iteration_Count: - categories: - - owasp-top-10 - - checkmarx-insecure-credential-storage - - boost-baseline - - ALL - - cwe-522 - description: The product transmits or stores authentication credentials, but it - uses an insecure method that is susceptible to unauthorized interception and/or - retrieval. 
- group: top10-insecure-design - name: CPP_Insecure_Credential_Storage_PBKDF2_Insufficient_Iteration_Count - pretty_name: PBKDF2 Insufficient Iteration Count - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_Insecure_Credential_Storage_PBKDF2_Weak_Salt_Value: - categories: - - owasp-top-10 - - checkmarx-insecure-credential-storage - - boost-baseline - - ALL - - cwe-522 - description: The product transmits or stores authentication credentials, but it - uses an insecure method that is susceptible to unauthorized interception and/or - retrieval. - group: top10-insecure-design - name: CPP_Insecure_Credential_Storage_PBKDF2_Weak_Salt_Value - pretty_name: PBKDF2 Weak Salt Value - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_Insecure_Credential_Storage_Scrypt_Weak_Salt_Value: - categories: - - owasp-top-10 - - checkmarx-insecure-credential-storage - - boost-baseline - - ALL - - cwe-522 - description: The product transmits or stores authentication credentials, but it - uses an insecure method that is susceptible to unauthorized interception and/or - retrieval. - group: top10-insecure-design - name: CPP_Insecure_Credential_Storage_Scrypt_Weak_Salt_Value - pretty_name: Scrypt Weak Salt Value - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_Insecure_Credential_Storage_Weak_Mechanism: - categories: - - owasp-top-10 - - checkmarx-insecure-credential-storage - - boost-baseline - - ALL - - cwe-522 - description: The product transmits or stores authentication credentials, but it - uses an insecure method that is susceptible to unauthorized interception and/or - retrieval. 
- group: top10-insecure-design - name: CPP_Insecure_Credential_Storage_Weak_Mechanism - pretty_name: Weak Mechanism - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_Integer_Overflow_Boolean_Overflow: - categories: - - cwe-190 - - owasp-top-10 - - checkmarx-integer-overflow - - boost-baseline - - ALL - - cwe-top-25 - description: The product performs a calculation that can produce an integer overflow - or wraparound, when the logic assumes that the resulting value will always be - larger than the original value. This can introduce other weaknesses when the - calculation is used for resource management or execution control. - group: top10-injection - name: CPP_Integer_Overflow_Boolean_Overflow - pretty_name: Boolean Overflow - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_Integer_Overflow_Char_Overflow: - categories: - - cwe-190 - - owasp-top-10 - - checkmarx-integer-overflow - - boost-baseline - - ALL - - cwe-top-25 - description: The product performs a calculation that can produce an integer overflow - or wraparound, when the logic assumes that the resulting value will always be - larger than the original value. This can introduce other weaknesses when the - calculation is used for resource management or execution control. - group: top10-injection - name: CPP_Integer_Overflow_Char_Overflow - pretty_name: Char Overflow - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_Integer_Overflow_Float_Overflow: - categories: - - cwe-190 - - owasp-top-10 - - checkmarx-integer-overflow - - boost-baseline - - ALL - - cwe-top-25 - description: The product performs a calculation that can produce an integer overflow - or wraparound, when the logic assumes that the resulting value will always be - larger than the original value. 
This can introduce other weaknesses when the - calculation is used for resource management or execution control. - group: top10-injection - name: CPP_Integer_Overflow_Float_Overflow - pretty_name: Float Overflow - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_Integer_Overflow_Get_Right_Assignment: - categories: - - cwe-190 - - owasp-top-10 - - checkmarx-integer-overflow - - boost-baseline - - ALL - - cwe-top-25 - description: The product performs a calculation that can produce an integer overflow - or wraparound, when the logic assumes that the resulting value will always be - larger than the original value. This can introduce other weaknesses when the - calculation is used for resource management or execution control. - group: top10-injection - name: CPP_Integer_Overflow_Get_Right_Assignment - pretty_name: Get Right Assignment - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_Integer_Overflow_Integer_Overflow: - categories: - - cwe-190 - - owasp-top-10 - - checkmarx-integer-overflow - - boost-baseline - - ALL - - cwe-top-25 - description: The product performs a calculation that can produce an integer overflow - or wraparound, when the logic assumes that the resulting value will always be - larger than the original value. This can introduce other weaknesses when the - calculation is used for resource management or execution control. 
- group: top10-injection - name: CPP_Integer_Overflow_Integer_Overflow - pretty_name: Integer Overflow - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_Integer_Overflow_Long_Overflow: - categories: - - cwe-190 - - owasp-top-10 - - checkmarx-integer-overflow - - boost-baseline - - ALL - - cwe-top-25 - description: The product performs a calculation that can produce an integer overflow - or wraparound, when the logic assumes that the resulting value will always be - larger than the original value. This can introduce other weaknesses when the - calculation is used for resource management or execution control. - group: top10-injection - name: CPP_Integer_Overflow_Long_Overflow - pretty_name: Long Overflow - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_Integer_Overflow_Short_Overflow: - categories: - - cwe-190 - - owasp-top-10 - - checkmarx-integer-overflow - - boost-baseline - - ALL - - cwe-top-25 - description: The product performs a calculation that can produce an integer overflow - or wraparound, when the logic assumes that the resulting value will always be - larger than the original value. This can introduce other weaknesses when the - calculation is used for resource management or execution control. - group: top10-injection - name: CPP_Integer_Overflow_Short_Overflow - pretty_name: Short Overflow - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_Integer_Overflow_Type_Conversion_Error: - categories: - - cwe-681 - - owasp-top-10 - - checkmarx-integer-overflow - - boost-baseline - - ALL - description: When converting from one data type to another, such as long to integer, - data can be omitted or translated in a way that produces unexpected values. - If the resulting values are used in a sensitive context, then dangerous behaviors - may occur. 
- group: top10-injection - name: CPP_Integer_Overflow_Type_Conversion_Error - pretty_name: Type Conversion Error - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_Integer_Overflow_Wrong_Size_t_Allocation: - categories: - - cwe-789 - - owasp-top-10 - - checkmarx-integer-overflow - - boost-baseline - - ALL - description: The product allocates memory based on an untrusted, large size value, - but it does not ensure that the size is within expected limits, allowing arbitrary - amounts of memory to be allocated. - group: top10-injection - name: CPP_Integer_Overflow_Wrong_Size_t_Allocation - pretty_name: Wrong Size t Allocation - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_Low_Visibility_Arithmetic_Operation_On_Boolean: - categories: - - checkmarx-low-visibility - - owasp-top-10 - - cwe-398 - - boost-baseline - - ALL - description: Indicates that the product has not been carefully developed or maintained. - group: top10-insecure-design - name: CPP_Low_Visibility_Arithmetic_Operation_On_Boolean - pretty_name: Arithmetic Operation On Boolean - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_Low_Visibility_Blind_SQL_Injections: - categories: - - checkmarx-low-visibility - - cwe-89 - - owasp-top-10 - - boost-baseline - - ALL - - cwe-top-25 - description: The product constructs all or part of an SQL command using externally-influenced - input from an upstream component, but it does not neutralize or incorrectly - neutralizes special elements that could modify the intended SQL command when - it is sent to a downstream component. 
- group: top10-injection - name: CPP_Low_Visibility_Blind_SQL_Injections - pretty_name: Blind SQL Injections - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_Low_Visibility_Creation_of_chroot_Jail_without_Changing_Working_Directory: - categories: - - cwe-243 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: The product uses the chroot() system call to create a jail, but does - not change the working directory afterward. This does not prevent access to - files outside of the jail. - group: top10-insecure-design - name: CPP_Low_Visibility_Creation_of_chroot_Jail_without_Changing_Working_Directory - pretty_name: Creation of chroot Jail without Changing Working Directory - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_Low_Visibility_Deprecated_CRT_Functions_VS2005: - categories: - - cwe-477 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: The code uses deprecated or obsolete functions, which suggests that - the code has not been actively reviewed or maintained. - group: top10-insecure-design - name: CPP_Low_Visibility_Deprecated_CRT_Functions_VS2005 - pretty_name: Deprecated CRT Functions VS2005 - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_Low_Visibility_Exposure_of_System_Data_to_Unauthorized_Control_Sphere: - categories: - - checkmarx-low-visibility - - cwe-497 - - owasp-top-10 - - boost-baseline - - ALL - description: The product does not properly prevent sensitive system-level information - from being accessed by unauthorized actors who do not have the same level of - access to the underlying system as the product does. 
- group: top10-broken-access-control - name: CPP_Low_Visibility_Exposure_of_System_Data_to_Unauthorized_Control_Sphere - pretty_name: Exposure of System Data to Unauthorized Control Sphere - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_Low_Visibility_Heap_Inspection: - categories: - - cwe-244 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: Using realloc() to resize buffers that store sensitive information - can leave the sensitive information exposed to attack, because it is not removed - from memory. - group: top10-broken-access-control - name: CPP_Low_Visibility_Heap_Inspection - pretty_name: Heap Inspection - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_Low_Visibility_Improper_Exception_Handling: - categories: - - cwe-248 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: An exception is thrown from a function, but it is not caught. - group: top10-insecure-design - name: CPP_Low_Visibility_Improper_Exception_Handling - pretty_name: Improper Exception Handling - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_Low_Visibility_Improper_Resource_Access_Authorization: - categories: - - checkmarx-low-visibility - - owasp-top-10 - - cwe-285 - - boost-baseline - - ALL - description: The product does not perform or incorrectly performs an authorization - check when an actor attempts to access a resource or perform an action. 
- group: top10-broken-access-control - name: CPP_Low_Visibility_Improper_Resource_Access_Authorization - pretty_name: Improper Resource Access Authorization - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_Low_Visibility_Improper_Resource_Shutdown_or_Release: - categories: - - cwe-404 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: The product does not release or incorrectly releases a resource before - it is made available for re-use. - group: top10-insecure-design - name: CPP_Low_Visibility_Improper_Resource_Shutdown_or_Release - pretty_name: Improper Resource Shutdown or Release - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_Low_Visibility_Improper_Transaction_Handling: - categories: - - cwe-460 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: The product does not clean up its state or incorrectly cleans up - its state when an exception is thrown, leading to unexpected state or control - flow. - group: top10-insecure-design - name: CPP_Low_Visibility_Improper_Transaction_Handling - pretty_name: Improper Transaction Handling - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_Low_Visibility_Inconsistent_Implementations: - categories: - - cwe-474 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: The code uses a function that has inconsistent implementations across - operating systems and versions. 
- group: top10-insecure-design - name: CPP_Low_Visibility_Inconsistent_Implementations - pretty_name: Inconsistent Implementations - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_Low_Visibility_Incorrect_Permission_Assignment_For_Critical_Resources: - categories: - - cwe-732 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: The product specifies permissions for a security-critical resource - in a way that allows that resource to be read or modified by unintended actors. - group: top10-broken-access-control - name: CPP_Low_Visibility_Incorrect_Permission_Assignment_For_Critical_Resources - pretty_name: Incorrect Permission Assignment For Critical Resources - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_Low_Visibility_Information_Exposure_Through_Comments: - categories: - - cwe-615 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: 'While adding general comments is very useful, some programmers tend - to leave important data, such as: filenames related to the web application, - old links or links which were not meant to be browsed by users, old code fragments, - etc.' - group: top10-broken-access-control - name: CPP_Low_Visibility_Information_Exposure_Through_Comments - pretty_name: Information Exposure Through Comments - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_Low_Visibility_Information_Exposure_Through_an_Error_Message: - categories: - - cwe-209 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: The product generates an error message that includes sensitive information - about its environment, users, or associated data. 
- group: top10-insecure-design - name: CPP_Low_Visibility_Information_Exposure_Through_an_Error_Message - pretty_name: Information Exposure Through an Error Message - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_Low_Visibility_Insecure_Temporary_File: - categories: - - checkmarx-low-visibility - - owasp-top-10 - - cwe-377 - - boost-baseline - - ALL - description: Creating and using insecure temporary files can leave application - and system data vulnerable to attack. - group: top10-broken-access-control - name: CPP_Low_Visibility_Insecure_Temporary_File - pretty_name: Insecure Temporary File - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_Low_Visibility_Insufficiently_Protected_Credentials: - categories: - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - - cwe-522 - description: The product transmits or stores authentication credentials, but it - uses an insecure method that is susceptible to unauthorized interception and/or - retrieval. - group: top10-insecure-design - name: CPP_Low_Visibility_Insufficiently_Protected_Credentials - pretty_name: Insufficiently Protected Credentials - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_Low_Visibility_Leaving_Temporary_Files: - categories: - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - - cwe-376 - description: Related to the handling of files within a software system. 
- group: top10-broken-access-control - name: CPP_Low_Visibility_Leaving_Temporary_Files - pretty_name: Leaving Temporary Files - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_Low_Visibility_Leftover_Debug_Code: - categories: - - cwe-489 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: The product is deployed to unauthorized actors with debugging code - still enabled or active, which can create unintended entry points or expose - sensitive information. - group: top10-insecure-design - name: CPP_Low_Visibility_Leftover_Debug_Code - pretty_name: Leftover Debug Code - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_Low_Visibility_Log_Forging: - categories: - - boost-baseline - - ALL - - cwe-117 - - checkmarx-low-visibility - description: The product does not neutralize or incorrectly neutralizes output - that is written to logs. - group: top10-security-logging-monitoring-failures - name: CPP_Low_Visibility_Log_Forging - pretty_name: Log Forging - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_Low_Visibility_NULL_Pointer_Dereference: - categories: - - checkmarx-low-visibility - - owasp-top-10 - - cwe-476 - - boost-baseline - - ALL - - cwe-top-25 - description: A NULL pointer dereference occurs when the application dereferences - a pointer that it expects to be valid, but is NULL, typically causing a crash - or exit. 
- group: top10-insecure-design - name: CPP_Low_Visibility_NULL_Pointer_Dereference - pretty_name: NULL Pointer Dereference - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_Low_Visibility_Potential_Path_Traversal: - categories: - - checkmarx-low-visibility - - owasp-top-10 - - cwe-36 - - boost-baseline - - ALL - description: The product uses external input to construct a pathname that should - be within a restricted directory, but it does not properly neutralize absolute - path sequences such as "/abs/path" that can resolve to a location that is outside - of that directory. - group: top10-broken-access-control - name: CPP_Low_Visibility_Potential_Path_Traversal - pretty_name: Potential Path Traversal - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_Low_Visibility_Privacy_Violation: - categories: - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - - cwe-359 - description: The product does not properly prevent a person's private, personal - information from being accessed by actors who either (1) are not explicitly - authorized to access the information or (2) do not have the implicit consent - of the person about whom the information is collected. - group: top10-broken-access-control - name: CPP_Low_Visibility_Privacy_Violation - pretty_name: Privacy Violation - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_Low_Visibility_Reliance_on_DNS_Lookups_in_a_Decision: - categories: - - cwe-350 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: The product performs reverse DNS resolution on an IP address to obtain - the hostname and make a security decision, but it does not properly ensure that - the IP address is truly associated with the hostname. 
- group: top10-insecure-design - name: CPP_Low_Visibility_Reliance_on_DNS_Lookups_in_a_Decision - pretty_name: Reliance on DNS Lookups in a Decision - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_Low_Visibility_Sizeof_Pointer_Argument: - categories: - - cwe-467 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: The code calls sizeof() on a malloced pointer type, which always - returns the wordsize/8. This can produce an unexpected result if the programmer - intended to determine how much memory has been allocated. - group: top10-insecure-design - name: CPP_Low_Visibility_Sizeof_Pointer_Argument - pretty_name: Sizeof Pointer Argument - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_Low_Visibility_Stored_Blind_SQL_Injections: - categories: - - checkmarx-low-visibility - - cwe-89 - - owasp-top-10 - - boost-baseline - - ALL - - cwe-top-25 - description: The product constructs all or part of an SQL command using externally-influenced - input from an upstream component, but it does not neutralize or incorrectly - neutralizes special elements that could modify the intended SQL command when - it is sent to a downstream component. - group: top10-injection - name: CPP_Low_Visibility_Stored_Blind_SQL_Injections - pretty_name: Stored Blind SQL Injections - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_Low_Visibility_TOCTOU: - categories: - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - - cwe-367 - description: The product checks the state of a resource before using that resource, - but the resource's state can change between the check and the use in a way that - invalidates the results of the check. This can cause the product to perform - invalid actions when the resource is in an unexpected state. 
- group: top10-insecure-design - name: CPP_Low_Visibility_TOCTOU - pretty_name: TOCTOU - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_Low_Visibility_Unchecked_Array_Index: - categories: - - cwe-129 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: The product uses untrusted input when calculating or using an array - index, but the product does not validate or incorrectly validates the index - to ensure the index references a valid position within the array. - group: top10-insecure-design - name: CPP_Low_Visibility_Unchecked_Array_Index - pretty_name: Unchecked Array Index - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_Low_Visibility_Unchecked_Return_Value: - categories: - - cwe-252 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: The product does not check the return value from a method or function, - which can prevent it from detecting unexpected states and conditions. - group: top10-insecure-design - name: CPP_Low_Visibility_Unchecked_Return_Value - pretty_name: Unchecked Return Value - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_Low_Visibility_Undefined_Behavior: - categories: - - ALL - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - cwe-475 - description: The behavior of this function is undefined unless its control parameter - is set to a specific value. 
- group: top10-insecure-design - name: CPP_Low_Visibility_Undefined_Behavior - pretty_name: Undefined Behavior - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_Low_Visibility_Unreleased_Resource_Leak: - categories: - - checkmarx-low-visibility - - owasp-top-10 - - cwe-411 - - boost-baseline - - ALL - description: Relates to improper handling of locks that are used to control access - to resources. - group: top10-broken-access-control - name: CPP_Low_Visibility_Unreleased_Resource_Leak - pretty_name: Unreleased Resource Leak - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_Low_Visibility_Use_Of_Deprecated_Class: - categories: - - cwe-477 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: The code uses deprecated or obsolete functions, which suggests that - the code has not been actively reviewed or maintained. - group: top10-insecure-design - name: CPP_Low_Visibility_Use_Of_Deprecated_Class - pretty_name: Use Of Deprecated Class - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_Low_Visibility_Use_Of_Hardcoded_Password: - categories: - - ALL - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - cwe-259 - description: The product contains a hard-coded password, which it uses for its - own inbound authentication or for outbound communication to external components. 
- group: top10-id-authn-failures - name: CPP_Low_Visibility_Use_Of_Hardcoded_Password - pretty_name: Use Of Hardcoded Password - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_Low_Visibility_Use_of_Insufficiently_Random_Values: - categories: - - cwe-330 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: The product uses insufficiently random numbers or values in a security - context that depends on unpredictable numbers. - group: top10-crypto-failures - name: CPP_Low_Visibility_Use_of_Insufficiently_Random_Values - pretty_name: Use of Insufficiently Random Values - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_Low_Visibility_Use_of_Obsolete_Functions: - categories: - - cwe-477 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: The code uses deprecated or obsolete functions, which suggests that - the code has not been actively reviewed or maintained. - group: top10-insecure-design - name: CPP_Low_Visibility_Use_of_Obsolete_Functions - pretty_name: Use of Obsolete Functions - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_Low_Visibility_Use_of_Sizeof_On_a_Pointer_Type: - categories: - - cwe-467 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: The code calls sizeof() on a malloced pointer type, which always - returns the wordsize/8. This can produce an unexpected result if the programmer - intended to determine how much memory has been allocated. 
- group: top10-insecure-design - name: CPP_Low_Visibility_Use_of_Sizeof_On_a_Pointer_Type - pretty_name: Use of Sizeof On a Pointer Type - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_CPP_R00_01_03_Find_Unused_Variables: - categories: - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-misra-cpp - description: Unused variables in C++ code are identified, serving as potential - indicators of incomplete program logic and unnecessary memory usage. - group: top10-insecure-design - name: CPP_MISRA_CPP_R00_01_03_Find_Unused_Variables - pretty_name: R00 01 03 Find Unused Variables - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_CPP_R00_01_05_Find_Unused_Typedefs: - categories: - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-misra-cpp - description: Typedef declarations that are never used in the code are identified, - indicating inefficient coding practices and unnecessary complexity. - group: top10-insecure-design - name: CPP_MISRA_CPP_R00_01_05_Find_Unused_Typedefs - pretty_name: R00 01 05 Find Unused Typedefs - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_CPP_R00_01_10_Find_Unused_Defined_Functions: - categories: - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-misra-cpp - description: Identifies defined functions within the C++ code that are not being - invoked or referenced anywhere, implying potential dead code and violating the - MISRA C++ Rule (R00.01.10). 
- group: top10-insecure-design - name: CPP_MISRA_CPP_R00_01_10_Find_Unused_Defined_Functions - pretty_name: R00 01 10 Find Unused Defined Functions - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_CPP_R00_01_11_Find_Unused_Parameters: - categories: - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-misra-cpp - description: Unused parameters present in a function definition, in violation - of MISRA C++ Rule 0-1-11, are identified and flagged. - group: top10-insecure-design - name: CPP_MISRA_CPP_R00_01_11_Find_Unused_Parameters - pretty_name: R00 01 11 Find Unused Parameters - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_CPP_R00_01_12_Find_Virtual_Unused_Parameters: - categories: - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-misra-cpp - description: Virtual functions in C++ code that contain unused parameters, violating - Rule 00-1-12 of the MISRA C++ guidelines. - group: top10-insecure-design - name: CPP_MISRA_CPP_R00_01_12_Find_Virtual_Unused_Parameters - pretty_name: R00 01 12 Find Virtual Unused Parameters - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_CPP_R02_03_01_Trigraphs: - categories: - - boost-baseline - - ALL - - owasp-top-10 - - checkmarx-misra-cpp - description: Trigraph sequences are present in the code, which violate MISRA C++ - Rule 02.03.01, and can impact the readability and maintainability of the code. 
- group: top10-insecure-design - name: CPP_MISRA_CPP_R02_03_01_Trigraphs - pretty_name: R02 03 01 Trigraphs - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_CPP_R02_05_01_Digraphs: - categories: - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-misra-cpp - description: The use of digraphs and trigraphs, alternates for C++ graphical characters, - violates MISRA C++ Rule 02.05.01 as these can potentially cause confusion or - misinterpretation. - group: top10-insecure-design - name: CPP_MISRA_CPP_R02_05_01_Digraphs - pretty_name: R02 05 01 Digraphs - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_CPP_R02_07_02_Code_Commented_Out: - categories: - - boost-baseline - - ALL - - owasp-top-10 - - checkmarx-misra-cpp - description: Code segments are found to be commented out, potentially causing - confusion and violating MISRA-C++ rule 2.7.2, which recommends against this - practice. - group: top10-insecure-design - name: CPP_MISRA_CPP_R02_07_02_Code_Commented_Out - pretty_name: R02 07 02 Code Commented Out - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_CPP_R02_07_03_Code_CPP_Commented_Out: - categories: - - boost-baseline - - ALL - - owasp-top-10 - - checkmarx-misra-cpp - description: Identifies sections of C++ code that have been commented out, which - may indicate outdated or erroneous code segments that can lead to confusion - during future code maintenance. 
- group: top10-insecure-design - name: CPP_MISRA_CPP_R02_07_03_Code_CPP_Commented_Out - pretty_name: R02 07 03 Code CPP Commented Out - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_CPP_R02_10_02_Identifiers_Hide_Outer_Scope_Identifiers: - categories: - - boost-baseline - - ALL - - owasp-top-10 - - checkmarx-misra-cpp - description: An identifier in a localized scope hides an identifier in an outer - scope, which could cause confusion and unexpected outcomes as per the MISRA - C++ Rule R02.10.2. - group: top10-insecure-design - name: CPP_MISRA_CPP_R02_10_02_Identifiers_Hide_Outer_Scope_Identifiers - pretty_name: R02 10 02 Identifiers Hide Outer Scope Identifiers - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_CPP_R02_10_03_Typedef_Name_Reused: - categories: - - boost-baseline - - ALL - - owasp-top-10 - - checkmarx-misra-cpp - description: The same name is reused for different 'typedef' declarations, violating - rule 2.10.3 of MISRA C++, which recommends unique identifiers for independent - declarations to prevent naming conflicts and confusion. - group: top10-insecure-design - name: CPP_MISRA_CPP_R02_10_03_Typedef_Name_Reused - pretty_name: R02 10 03 Typedef Name Reused - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_CPP_R02_10_04_Class_Enum_Union_Names_Reused: - categories: - - boost-baseline - - ALL - - owasp-top-10 - - checkmarx-misra-cpp - description: Names of class types, enumeration types, and union types should be - unique, ensuring clarity and reducing potential ambiguity or misunderstanding - in the code. Reusing these names can compromise code readability and maintainability. 
- group: top10-insecure-design - name: CPP_MISRA_CPP_R02_10_04_Class_Enum_Union_Names_Reused - pretty_name: R02 10 04 Class Enum Union Names Reused - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_CPP_R02_10_05_Non_Member_Static_Name_Reuse: - categories: - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-misra-cpp - description: The reuse of names of non-member, non-class static objects between - translation units may cause confusion or unexpected behavior, violating Rule - 02.10.5 of the MISRA C++ guidelines. - group: top10-insecure-design - name: CPP_MISRA_CPP_R02_10_05_Non_Member_Static_Name_Reuse - pretty_name: R02 10 05 Non Member Static Name Reuse - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_CPP_R02_13_01_Non_ISO_Escapes: - categories: - - boost-baseline - - ALL - - owasp-top-10 - - checkmarx-misra-cpp - description: In violation of MISRA C++:2008 rule 2-13-1, text strings and characters - contain escape sequences that are not defined in the ISO C++ standard. This - may lead to inconsistent behavior across different platforms or compilers. - group: top10-insecure-design - name: CPP_MISRA_CPP_R02_13_01_Non_ISO_Escapes - pretty_name: R02 13 01 Non ISO Escapes - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_CPP_R02_13_02_Non_Zero_Octal_Constant: - categories: - - boost-baseline - - ALL - - owasp-top-10 - - checkmarx-misra-cpp - description: In C++ code, a non-zero octal constant has been used, which is a - violation of MISRA C++ Rule 2.13.2, that suggests not using such constants to - avoid errors and confusion. 
- group: top10-insecure-design - name: CPP_MISRA_CPP_R02_13_02_Non_Zero_Octal_Constant - pretty_name: R02 13 02 Non Zero Octal Constant - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_CPP_R02_13_03_U_Suffix_Not_Applied_To_Unsigned_Hex_Oct: - categories: - - boost-baseline - - ALL - - owasp-top-10 - - checkmarx-misra-cpp - description: Unsigned hexadecimal or octal constants lack a 'U' suffix, which - can lead to data loss if the constant's value exceeds the range of its type. - Compliance with MISRA C++ Rule 02.13.03 is not maintained. - group: top10-insecure-design - name: CPP_MISRA_CPP_R02_13_03_U_Suffix_Not_Applied_To_Unsigned_Hex_Oct - pretty_name: R02 13 03 U Suffix Not Applied To Unsigned Hex Oct - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_CPP_R02_13_04_Literal_Suffix_Uppercase: - categories: - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-misra-cpp - description: A violation occurs when there's a usage of lowercase letter 'u' or - 'l' for integral literal suffixes. Following MISRA C++ Rule 2.13.4, these should - be in uppercase to avoid the risk of confusion with numbers '1' and '0'. - group: top10-insecure-design - name: CPP_MISRA_CPP_R02_13_04_Literal_Suffix_Uppercase - pretty_name: R02 13 04 Literal Suffix Uppercase - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_CPP_R03_01_03_Find_Arrays_Without_Size: - categories: - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-misra-cpp - description: Identifies arrays declared without specifying an explicit size in - the definition, a violation of MISRA C++ Rule 3-1-3. Such undefined array sizes - may result in indeterminate behavior and vulnerabilities. 
- group: top10-insecure-design - name: CPP_MISRA_CPP_R03_01_03_Find_Arrays_Without_Size - pretty_name: R03 01 03 Find Arrays Without Size - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_CPP_R03_02_01_Identical_Function_and_Object_Decl_Def: - categories: - - boost-baseline - - ALL - - owasp-top-10 - - checkmarx-misra-cpp - description: Functionally declared and defined in different files must have matching - parameter lists and return types to promote consistency and prevent potential - run-time errors. - group: top10-insecure-design - name: CPP_MISRA_CPP_R03_02_01_Identical_Function_and_Object_Decl_Def - pretty_name: R03 02 01 Identical Function and Object Decl Def - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_CPP_R03_04_01_Obj_Defined_Outside_Minimal_Scope: - categories: - - boost-baseline - - ALL - - owasp-top-10 - - checkmarx-misra-cpp - description: An object definition occurs outside its minimal necessary scope in - reference to Rule MISRA C++:2008, 3-4-1, breaching the principle of limiting - object visibility to the least possible extent. - group: top10-insecure-design - name: CPP_MISRA_CPP_R03_04_01_Obj_Defined_Outside_Minimal_Scope - pretty_name: R03 04 01 Obj Defined Outside Minimal Scope - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_CPP_R03_09_02_Non_Typedef_Basic_Types: - categories: - - boost-baseline - - ALL - - owasp-top-10 - - checkmarx-misra-cpp - description: Non-typedef'd basic types are used in the code, violating MISRA C++ - Rule 3-9-2, which requires a typedef to be used instead. This might lead to - portability issues across different platforms. 
- group: top10-insecure-design - name: CPP_MISRA_CPP_R03_09_02_Non_Typedef_Basic_Types - pretty_name: R03 09 02 Non Typedef Basic Types - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_CPP_R04_10_01_NULL_As_An_Integer_Value: - categories: - - boost-baseline - - ALL - - owasp-top-10 - - checkmarx-misra-cpp - description: 'The rule identifies violations of MISRA C++: 2008 Rule 4-10-1, which - warns against using NULL as an integer value, preventing possible data corruption - or unexpected behaviors.' - group: top10-insecure-design - name: CPP_MISRA_CPP_R04_10_01_NULL_As_An_Integer_Value - pretty_name: R04 10 01 NULL As An Integer Value - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_CPP_R04_10_02_Literal_Zero_As_Null_Pointer_Constant: - categories: - - boost-baseline - - ALL - - owasp-top-10 - - checkmarx-misra-cpp - description: A literal zero is used instead of the null pointer constant in C++ - code, violating rule R04.10.02 of the Motor Industry Reliability Association's - (MISRA) C++ coding guidelines. This may lead to unexpected behavior and increased - vulnerability to bugs. - group: top10-insecure-design - name: CPP_MISRA_CPP_R04_10_02_Literal_Zero_As_Null_Pointer_Constant - pretty_name: R04 10 02 Literal Zero As Null Pointer Constant - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_CPP_R05_00_07_Improper_Explicit_Floating_Integral_Conversion_Of_Expression: - categories: - - boost-baseline - - ALL - - owasp-top-10 - - checkmarx-misra-cpp - description: An explicit conversion of an expression from a floating-point type - to an integer type occurs in a manner that is inconsistent with the MISRA C++ - Rule R05-00-07. This could lead to unexpected behavior or numerical inaccuracies. 
- group: top10-insecure-design - name: CPP_MISRA_CPP_R05_00_07_Improper_Explicit_Floating_Integral_Conversion_Of_Expression - pretty_name: R05 00 07 Improper Explicit Floating Integral Conversion Of Expression - - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_CPP_R05_00_10_Bitwise_Operator_On_Unsigned_Char_Short_Types: - categories: - - boost-baseline - - ALL - - owasp-top-10 - - checkmarx-misra-cpp - description: A bitwise operator is applied to an unsigned char or short type, - violating MISRA C++ Rule 5.0.10, which could lead to unintended data manipulation - or improper system behavior. - group: top10-insecure-design - name: CPP_MISRA_CPP_R05_00_10_Bitwise_Operator_On_Unsigned_Char_Short_Types - pretty_name: R05 00 10 Bitwise Operator On Unsigned Char Short Types - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_CPP_R05_00_11_Plain_Char_Type_Usage: - categories: - - boost-baseline - - ALL - - owasp-top-10 - - checkmarx-misra-cpp - description: The use of plain 'char' type is detected in the code. According to - MISRA C++ Rule 05-0-11, 'char' should be avoided due to its undefined signedness, - which can lead to unpredictable behavior. It recommends using 'signed char' - or 'unsigned char' explicitly instead. - group: top10-insecure-design - name: CPP_MISRA_CPP_R05_00_11_Plain_Char_Type_Usage - pretty_name: R05 00 11 Plain Char Type Usage - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_CPP_R05_00_12_Not_Plain_Char_Type_Usage: - categories: - - boost-baseline - - ALL - - owasp-top-10 - - checkmarx-misra-cpp - description: The rule targets the code where plain "char" type is used, which - is a violation of MISRA C++ Rule 5-0-12 that mandates use of explicit "signed" - or "unsigned" char type to avoid unexpected behavior due to sign extension. 
- group: top10-insecure-design - name: CPP_MISRA_CPP_R05_00_12_Not_Plain_Char_Type_Usage - pretty_name: R05 00 12 Not Plain Char Type Usage - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_CPP_R05_00_21_Bitwise_Operator_On_Signed_Type: - categories: - - boost-baseline - - ALL - - owasp-top-10 - - checkmarx-misra-cpp - description: Bitwise operators are applied on a signed integer data type, violating - the MISRA C++:2008 Rule 5-0-21, which could cause unexpected results due to - sign extension. - group: top10-insecure-design - name: CPP_MISRA_CPP_R05_00_21_Bitwise_Operator_On_Signed_Type - pretty_name: R05 00 21 Bitwise Operator On Signed Type - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_CPP_R05_02_01_AND_OR_Operands_Not_As_Postfix_Expressions: - categories: - - boost-baseline - - ALL - - owasp-top-10 - - checkmarx-misra-cpp - description: Logical AND (&&) and OR (||) operations use operands other than postfix - expressions, violating Rule 05-2-1 of the Motor Industry Software Reliability - Association (MISRA) C++ guidelines. - group: top10-insecure-design - name: CPP_MISRA_CPP_R05_02_01_AND_OR_Operands_Not_As_Postfix_Expressions - pretty_name: R05 02 01 AND OR Operands Not As Postfix Expressions - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_CPP_R05_02_10_Using_Of_Incremental_And_Decrimental_Operators: - categories: - - boost-baseline - - ALL - - owasp-top-10 - - checkmarx-misra-cpp - description: The rule identifies usage of incremental and decremental operators - (++ and --) within C++ expressions, which may lead to unpredictable program - behavior due to operation sequencing issues as per the MISRA C++ guidelines. 
- group: top10-insecure-design - name: CPP_MISRA_CPP_R05_02_10_Using_Of_Incremental_And_Decrimental_Operators - pretty_name: R05 02 10 Using Of Incremental And Decrimental Operators - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_CPP_R05_02_11_Find_Special_Operator_Overloads: - categories: - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-misra-cpp - description: Searches for instances where special operators, such as assignment - '=', copy constructor, and destructor, are overloaded without certain conditions. - The absence of these conditions can lead to unexpected behavior and erroneous - results. - group: top10-insecure-design - name: CPP_MISRA_CPP_R05_02_11_Find_Special_Operator_Overloads - pretty_name: R05 02 11 Find Special Operator Overloads - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_CPP_R05_03_02_Unary_Minus_Operator_On_Unsigned_Type: - categories: - - boost-baseline - - ALL - - owasp-top-10 - - checkmarx-misra-cpp - description: The unary minus operator is applied to an unsigned type, a violation - of rule 05-03-02 of the Motor Industry Software Reliability Association (MISRA) - guidelines for C++, thereby negating a value that was originally positive or - zero. - group: top10-insecure-design - name: CPP_MISRA_CPP_R05_03_02_Unary_Minus_Operator_On_Unsigned_Type - pretty_name: R05 03 02 Unary Minus Operator On Unsigned Type - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_CPP_R05_03_03_Overloading_Reference_Oper: - categories: - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-misra-cpp - description: Overloading the reference operator, &, is disallowed under MISRA - C++ Rule 5-3-3. This practice might introduce unexpected behaviors due to operator - precedence. 
- group: top10-insecure-design - name: CPP_MISRA_CPP_R05_03_03_Overloading_Reference_Oper - pretty_name: R05 03 03 Overloading Reference Oper - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_CPP_R05_18_01_Comma_Operator_Used: - categories: - - boost-baseline - - ALL - - owasp-top-10 - - checkmarx-misra-cpp - description: Indicates the usage of the comma operator outside of a for loop or - in any scenario where a function-call sequence cannot be guaranteed, violating - the MISRA C++ 2008 Rule 5-18-1. - group: top10-insecure-design - name: CPP_MISRA_CPP_R05_18_01_Comma_Operator_Used - pretty_name: R05 18 01 Comma Operator Used - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_CPP_R06_02_01_Assignment_in_Sub_Expr: - categories: - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-misra-cpp - description: Assignment operators should not be used inside sub-expressions in - order to avoid potential ambiguity and unexpected outcomes, as per the MISRA - CPP guideline R06.02.01. - group: top10-insecure-design - name: CPP_MISRA_CPP_R06_02_01_Assignment_in_Sub_Expr - pretty_name: R06 02 01 Assignment in Sub Expr - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_CPP_R06_02_02_FloatingPt_Equality_Inequality_Testing: - categories: - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-misra-cpp - description: "Checks for the use of the equality (==) or inequality (!=) operators\ - \ to directly compare floating-point numbers, which can result in unreliable\ - \ behavior due to precision errors. This violation could corrupt the program\u2019\ - s logic. Adherence to the 'Relational or Equality Operators with Floating Type'\ - \ rule from the MISRA C++ 2008 standard is enforced." 
- group: top10-insecure-design - name: CPP_MISRA_CPP_R06_02_02_FloatingPt_Equality_Inequality_Testing - pretty_name: R06 02 02 FloatingPt Equality Inequality Testing - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_CPP_R06_03_01_Not_Compound_Switch_Or_Iteration_Statement: - categories: - - boost-baseline - - ALL - - owasp-top-10 - - checkmarx-misra-cpp - description: A switch or iteration statement body that's not a compound statement - is present in the code, contradicting MISRA C++ Rule 6-3-1 and potentially leading - to unexpected behavior. - group: top10-insecure-design - name: CPP_MISRA_CPP_R06_03_01_Not_Compound_Switch_Or_Iteration_Statement - pretty_name: R06 03 01 Not Compound Switch Or Iteration Statement - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_CPP_R06_04_01_Not_Compound_If_Or_Else: - categories: - - boost-baseline - - ALL - - owasp-top-10 - - checkmarx-misra-cpp - description: The body of an 'if' or an 'else' statement is not a compound statement. - This can lead to visibility and maintenance issues as per MISRA C++:2008 Rule - 6-4-1. - group: top10-insecure-design - name: CPP_MISRA_CPP_R06_04_01_Not_Compound_If_Or_Else - pretty_name: R06 04 01 Not Compound If Or Else - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_CPP_R06_04_02_If_Else_If_Not_Ending_With_Else: - categories: - - boost-baseline - - ALL - - owasp-top-10 - - checkmarx-misra-cpp - description: An 'if else' and 'else if' statement chain does not end with an 'else' - statement, violating MISRA C++ rule 06-04-02, which can lead to unexpected results - if none of the conditions are met. 
- group: top10-insecure-design - name: CPP_MISRA_CPP_R06_04_02_If_Else_If_Not_Ending_With_Else - pretty_name: R06 04 02 If Else If Not Ending With Else - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_CPP_R06_04_04_Case_Not_Enclosed_By_Compound_Switch: - categories: - - boost-baseline - - ALL - - owasp-top-10 - - checkmarx-misra-cpp - description: A 'case' label in a 'switch' statement is not enclosed by braces - ({ }), which is a violation of MISRA C++ Rule 6-4-4 and can lead to unintended - execution flow or variable scope issues. - group: top10-insecure-design - name: CPP_MISRA_CPP_R06_04_04_Case_Not_Enclosed_By_Compound_Switch - pretty_name: R06 04 04 Case Not Enclosed By Compound Switch - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_CPP_R06_04_05_Non_Empty_Switch_Clause_Without_Break_or_Throw: - categories: - - boost-baseline - - ALL - - owasp-top-10 - - checkmarx-misra-cpp - description: Non-empty switch cases in C++ code that lack a terminating break - or throw statement, violating MISRA C++ Rule 6-4-5 and potentially causing unintended - fall-through behavior. - group: top10-insecure-design - name: CPP_MISRA_CPP_R06_04_05_Non_Empty_Switch_Clause_Without_Break_or_Throw - pretty_name: R06 04 05 Non Empty Switch Clause Without Break or Throw - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_CPP_R06_04_06_Non_Default_Final_Clause_In_Switch_Statement: - categories: - - boost-baseline - - ALL - - owasp-top-10 - - checkmarx-misra-cpp - description: The rule identifies when the switch control structure does not end - with a default label as the last clause, violating MISRA C++ Rule 6-4-6, which - is designed to ensure predictability when none of the cases match. 
- group: top10-insecure-design - name: CPP_MISRA_CPP_R06_04_06_Non_Default_Final_Clause_In_Switch_Statement - pretty_name: R06 04 06 Non Default Final Clause In Switch Statement - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_CPP_R06_04_07_Find_Switch_Condition_Bool: - categories: - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-misra-cpp - description: The rule identifies instances where a switch statement's controlling - expression in C++ code is of type bool, violating MISRA C++ 2008 Rule 6-4-7. - group: top10-insecure-design - name: CPP_MISRA_CPP_R06_04_07_Find_Switch_Condition_Bool - pretty_name: R06 04 07 Find Switch Condition Bool - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_CPP_R06_05_01_Single_Non_Float_LC: - categories: - - boost-baseline - - ALL - - owasp-top-10 - - checkmarx-misra-cpp - description: A non-floating literal constant should hold a single character and - no more, as dictated by MISRA C++ Rule 06-05-01. This helps avoid ambiguity - and potential coding errors. - group: top10-insecure-design - name: CPP_MISRA_CPP_R06_05_01_Single_Non_Float_LC - pretty_name: R06 05 01 Single Non Float LC - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_CPP_R06_05_02_Loop_Counter_Modify: - categories: - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-misra-cpp - description: Loop counters are subjected to modifications within the loop body, - in violation of MISRA C++ Rule 6-5-2, which can result in unpredictable loop - behavior. 
- group: top10-insecure-design - name: CPP_MISRA_CPP_R06_05_02_Loop_Counter_Modify - pretty_name: R06 05 02 Loop Counter Modify - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_CPP_R06_05_03_Change_Lc_In_St_And_Cond: - categories: - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-misra-cpp - description: A loop counter is being modified inside a conditional or switch statement, - violating the MISRA C++ Rule R06-05-03, thus leading to potential control flow - issues. - group: top10-insecure-design - name: CPP_MISRA_CPP_R06_05_03_Change_Lc_In_St_And_Cond - pretty_name: R06 05 03 Change Lc In St And Cond - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_CPP_R06_05_04_Incremental_Modified: - categories: - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-misra-cpp - description: The modification of iteration variables inside loop bodies contradicts - the MISRA C++:2008 Rule 6-5-4, potentially leading to unexpected behavior and - difficult-to-detect bugs. - group: top10-insecure-design - name: CPP_MISRA_CPP_R06_05_04_Incremental_Modified - pretty_name: R06 05 04 Incremental Modified - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_CPP_R06_05_05_Lcv_Change_In_For_Stmt: - categories: - - boost-baseline - - owasp-top-10 - - ALL - - checkmarx-misra-cpp - description: Loop counter variables are modified in the body of a 'for' loop, - which violates rule 6-5-5 of MISRA C++, leading to potential logic errors or - infinite loops. 
- group: top10-insecure-design - name: CPP_MISRA_CPP_R06_05_05_Lcv_Change_In_For_Stmt - pretty_name: R06 05 05 Lcv Change In For Stmt - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_CPP_R06_05_06_Bool_Lcv_Change: - categories: - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-misra-cpp - description: An assignment to a boolean local constant variable results in an - attempt to modify its immutable value, violating MISRA C++ Rule 6-5-6. - group: top10-insecure-design - name: CPP_MISRA_CPP_R06_05_06_Bool_Lcv_Change - pretty_name: R06 05 06 Bool Lcv Change - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_CPP_R06_06_02_Backward_Use_Of_Goto: - categories: - - boost-baseline - - ALL - - owasp-top-10 - - checkmarx-misra-cpp - description: The rule identifies instances where 'goto' statements are used to - jump back in a C++ program, which is a violation of MISRA guideline 6-6-2 and - can lead to unclear and hard-to-maintain code. - group: top10-insecure-design - name: CPP_MISRA_CPP_R06_06_02_Backward_Use_Of_Goto - pretty_name: R06 06 02 Backward Use Of Goto - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_CPP_R06_06_03_Continue_In_Legal_For: - categories: - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-misra-cpp - description: The 'continue' statement is used within a 'for' loop that does not - contain exactly one iteration-expression, in violation of MISRA CPP R06 06 03 - guideline. This could affect code correctness and predictability. 
- group: top10-insecure-design - name: CPP_MISRA_CPP_R06_06_03_Continue_In_Legal_For - pretty_name: R06 06 03 Continue In Legal For - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_CPP_R06_06_04_One_GoTo_Break_In_Iteration: - categories: - - boost-baseline - - ALL - - owasp-top-10 - - checkmarx-misra-cpp - description: Each iteration statement (for, while, do) must only contain at most - one 'break' or 'goto' statement to ensure code readability and avoid logical - errors. This rule enforces restrictions based on MISRA C++ Rule 6-6-4. - group: top10-insecure-design - name: CPP_MISRA_CPP_R06_06_04_One_GoTo_Break_In_Iteration - pretty_name: R06 06 04 One GoTo Break In Iteration - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_CPP_R06_06_05_Single_Point_Exit_At_Function_End: - categories: - - boost-baseline - - ALL - - owasp-top-10 - - checkmarx-misra-cpp - description: Checks for C++ functions not adhering to the MISRA-CPP:2008 compliance - statement Rule 6-6-5, which stipulates that a function must only have a single - point of exit at the end. Non-compliance can lead to difficult-to-read code - and maintenance issues. - group: top10-insecure-design - name: CPP_MISRA_CPP_R06_06_05_Single_Point_Exit_At_Function_End - pretty_name: R06 06 05 Single Point Exit At Function End - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_CPP_R07_01_01_Declare_Const_if_not_Modified: - categories: - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-misra-cpp - description: An object, once defined, does not have its value changed or does - not call a non-const function. It should be declared as 'const' to enforce its - read-only use, as per MISRA C++ Rule 7.1.1. 
- group: top10-insecure-design - name: CPP_MISRA_CPP_R07_01_01_Declare_Const_if_not_Modified - pretty_name: R07 01 01 Declare Const if not Modified - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_CPP_R07_01_02_Declare_Ref_Const_if_not_Modified: - categories: - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-misra-cpp - description: References that don't modify referred objects should be declared - as constant to ensure code reliability and maintainability based on MISRA C++ - guidelines. - group: top10-insecure-design - name: CPP_MISRA_CPP_R07_01_02_Declare_Ref_Const_if_not_Modified - pretty_name: R07 01 02 Declare Ref Const if not Modified - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_CPP_R07_03_01_Definitions_in_Global_Namespace: - categories: - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-misra-cpp - description: Objects or functions are directly defined within the global namespace, - violating rule 7.3.1 of MISRA C++. This is a harmful practice as it can cause - name clashes and decrease the readability of the code. - group: top10-insecure-design - name: CPP_MISRA_CPP_R07_03_01_Definitions_in_Global_Namespace - pretty_name: R07 03 01 Definitions in Global Namespace - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_CPP_R07_03_02_Find_non_Global_Mains: - categories: - - boost-baseline - - owasp-top-10 - - ALL - - checkmarx-misra-cpp - description: Identifies non-global main functions in C++ codebase, violating MISRA - C++ Rule 7-3-2 that requires all main functions to have global scope. 
- group: top10-insecure-design - name: CPP_MISRA_CPP_R07_03_02_Find_non_Global_Mains - pretty_name: R07 03 02 Find non Global Mains - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_CPP_R07_03_03_Unnamed_NS_in_Headers: - categories: - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-misra-cpp - description: Unnamed namespaces in header files are prohibited according to the - MISRA C++:2008 Rule 7-3-3 to prevent unintentional linkage disparities and to - promote code clarity. - group: top10-insecure-design - name: CPP_MISRA_CPP_R07_03_03_Unnamed_NS_in_Headers - pretty_name: R07 03 03 Unnamed NS in Headers - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_CPP_R07_03_04_Find_Using_Directives: - categories: - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-misra-cpp - description: Locates 'using' directives in C++ code that can lead to name clashes - and unpredictable behavior, violating MISRA C++ Rule 7-3-4. - group: top10-insecure-design - name: CPP_MISRA_CPP_R07_03_04_Find_Using_Directives - pretty_name: R07 03 04 Find Using Directives - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_CPP_R07_03_05_Multiple_Declarations_After_Using: - categories: - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-misra-cpp - description: 'In contravention of MISRA C++: Rule 7-3-5, the code contains multiple - declarations after the ''using'' directive, adding complexity and posing potential - ambiguity risks.' 
- group: top10-insecure-design - name: CPP_MISRA_CPP_R07_03_05_Multiple_Declarations_After_Using - pretty_name: R07 03 05 Multiple Declarations After Using - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_CPP_R07_03_06_Find_Using_in_Headers: - categories: - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-misra-cpp - description: Identifies instances where 'using' directives (namespace and/or type - aliases) are utilized within C++ header files, a violation of MISRA C++ Rule - 7-3-6 that can hinder code maintainability and risk unexpected conflicts. - group: top10-insecure-design - name: CPP_MISRA_CPP_R07_03_06_Find_Using_in_Headers - pretty_name: R07 03 06 Find Using in Headers - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_CPP_R07_05_02_Address_Assignment_out_of_Scope: - categories: - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-misra-cpp - description: An address is assigned to a pointer that points to an object going - out of scope, resulting in a dangling pointer, which violates the MISRA C++ - Rule 7-5-2. - group: top10-insecure-design - name: CPP_MISRA_CPP_R07_05_02_Address_Assignment_out_of_Scope - pretty_name: R07 05 02 Address Assignment out of Scope - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_CPP_R07_05_03_Return_Parameter_Passed_by_Ref: - categories: - - ALL - - owasp-top-10 - - boost-baseline - - checkmarx-misra-cpp - description: There is a return-value parameter passed by nonconst reference, violating - the MISRA C++:2008 Rule 7-5-3, which risks unpredictable and undefined behavior - in the application. 
- group: top10-insecure-design - name: CPP_MISRA_CPP_R07_05_03_Return_Parameter_Passed_by_Ref - pretty_name: R07 05 03 Return Parameter Passed by Ref - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_CPP_R07_05_04_Recursion_Exists: - categories: - - boost-baseline - - ALL - - owasp-top-10 - - checkmarx-misra-cpp - description: In C++, functions or recursive algorithms are present, violating - rule 7.5.4 of MISRA (Motor Industry Software Reliability Association) C++ standards, - which prohibit recursion to prevent stack overflow. - group: top10-insecure-design - name: CPP_MISRA_CPP_R07_05_04_Recursion_Exists - pretty_name: R07 05 04 Recursion Exists - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_CPP_R08_00_01_Find_Multiple_Declarators: - categories: - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-misra-cpp - description: A single statement contains multiple declarators, a practice that - leads to more complex code and potential misunderstandings, violating MISRA-CPP:2008 - Rule 8.0.1. - group: top10-insecure-design - name: CPP_MISRA_CPP_R08_00_01_Find_Multiple_Declarators - pretty_name: R08 00 01 Find Multiple Declarators - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_CPP_R08_04_01_Function_With_Variable_Number_Of_Arguments: - categories: - - boost-baseline - - ALL - - owasp-top-10 - - checkmarx-misra-cpp - description: A function in C++ code takes a variable number of arguments, violating - MISRA C++:2008 Rule 8-4-1, which can introduce indeterminacy and make code less - reliable and maintainable. 
- group: top10-insecure-design - name: CPP_MISRA_CPP_R08_04_01_Function_With_Variable_Number_Of_Arguments - pretty_name: R08 04 01 Function With Variable Number Of Arguments - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_CPP_R08_04_03_Explicit_Return_Throw: - categories: - - boost-baseline - - ALL - - owasp-top-10 - - checkmarx-misra-cpp - description: If a function has multiple exit points, none of them should be an - explicit call to 'throw' or 'return' within a 'try' block or a function-try-block, - for adherence to the MISRA-CPP R08-04-03 guideline. - group: top10-insecure-design - name: CPP_MISRA_CPP_R08_04_03_Explicit_Return_Throw - pretty_name: R08 04 03 Explicit Return Throw - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_CPP_R08_05_01_Uninitialized_Variable_Use: - categories: - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-misra-cpp - description: The use of a variable before it has been initialized, thus violating - the MISRA C++ Rule 08-05-01, which can lead to undefined behavior in the software. - group: top10-insecure-design - name: CPP_MISRA_CPP_R08_05_01_Uninitialized_Variable_Use - pretty_name: R08 05 01 Uninitialized Variable Use - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_CPP_R09_05_01_Use_Of_Union: - categories: - - boost-baseline - - ALL - - owasp-top-10 - - checkmarx-misra-cpp - description: Union data types are in violation of rule 9-5-1 of the MISRA-CPP - guidelines, as they can lead to unpredictable behavior due to the overlapping - storage of multiple data variables. 
- group: top10-insecure-design - name: CPP_MISRA_CPP_R09_05_01_Use_Of_Union - pretty_name: R09 05 01 Use Of Union - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_CPP_R09_06_02_bool_Unsigned_Signed_Bit_Field: - categories: - - boost-baseline - - ALL - - owasp-top-10 - - checkmarx-misra-cpp - description: A violation of the MISRA C++:2008 Rule 9-6-2 occurs when a bit field - is declared with a type different from bool, signed int, or unsigned int, leading - to potential interoperability, portability or data integrity issues. - group: top10-insecure-design - name: CPP_MISRA_CPP_R09_06_02_bool_Unsigned_Signed_Bit_Field - pretty_name: R09 06 02 bool Unsigned Signed Bit Field - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_CPP_R09_06_03_Enum_Bit_Fields: - categories: - - boost-baseline - - ALL - - owasp-top-10 - - checkmarx-misra-cpp - description: Enums are used as bit-fields in this code, which is a violation of - MISRA C++ Rule 9-6-3. Enumerations should not be used in this manner as it may - result in unpredictable behavior. - group: top10-insecure-design - name: CPP_MISRA_CPP_R09_06_03_Enum_Bit_Fields - pretty_name: R09 06 03 Enum Bit Fields - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_CPP_R09_06_04_Bit_Fields_Length: - categories: - - boost-baseline - - ALL - - owasp-top-10 - - checkmarx-misra-cpp - description: A violation of the MISRA C++ 2008 Rule 9-6-4 occurs when a bit field - of an integer type has a length that exceeds the number of bits in the width - of the type. 
- group: top10-insecure-design - name: CPP_MISRA_CPP_R09_06_04_Bit_Fields_Length - pretty_name: R09 06 04 Bit Fields Length - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_CPP_R10_01_01_Find_Virtual_Base_Classes: - categories: - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-misra-cpp - description: Highlights instances where a base class is made virtual, violating - the MISRA C++:2008 Rule 10-01-01, which prohibits such usage to maintain program - predictability and avoid unintended behaviors. - group: top10-insecure-design - name: CPP_MISRA_CPP_R10_01_01_Find_Virtual_Base_Classes - pretty_name: R10 01 01 Find Virtual Base Classes - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_CPP_R10_03_02_Find_Override_Without_Virtual: - categories: - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-misra-cpp - description: Identifies situations in C++ code where a derived class function - attempts to override a base class function without using the 'virtual' keyword, - violating MISRA C++:2008 Rule 10-3-2. - group: top10-insecure-design - name: CPP_MISRA_CPP_R10_03_02_Find_Override_Without_Virtual - pretty_name: R10 03 02 Find Override Without Virtual - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_CPP_R10_03_03_Redeclare_Function_as_Pure: - categories: - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-misra-cpp - description: A function previously declared with a side effect is redeclared as - 'pure' (without side effects), in violation of MISRA C++ Rule 10-3-3, resulting - in possible unexpected behavior. 
- group: top10-insecure-design - name: CPP_MISRA_CPP_R10_03_03_Redeclare_Function_as_Pure - pretty_name: R10 03 03 Redeclare Function as Pure - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_CPP_R12_01_03_Find_non_Explicit_Constructor: - categories: - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-misra-cpp - description: A constructor that can be called with a single argument is not explicitly - marked as 'explicit', which could lead to unintentional implicit conversions. - group: top10-insecure-design - name: CPP_MISRA_CPP_R12_01_03_Find_non_Explicit_Constructor - pretty_name: R12 01 03 Find non Explicit Constructor - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_CPP_R15_00_02_Throw_Pointers: - categories: - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-misra-cpp - description: Violates MISRA C++ Rule 15-0-2, where pointers or references are - thrown as exceptions, increasing the risk of memory safety issues. - group: top10-insecure-design - name: CPP_MISRA_CPP_R15_00_02_Throw_Pointers - pretty_name: R15 00 02 Throw Pointers - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_CPP_R15_00_03_Goto_Label_Inside_TryCatch: - categories: - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-misra-cpp - description: Labels from a 'goto' statement are being used inside a 'try' or 'catch' - block, a violation of MISRA C++:2008 Rule 15-0-3. This may lead to unpredictable - program flow and potential errors. 
- group: top10-insecure-design - name: CPP_MISRA_CPP_R15_00_03_Goto_Label_Inside_TryCatch - pretty_name: R15 00 03 Goto Label Inside TryCatch - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_CPP_R15_01_02_No_Explicit_Null_Throw: - categories: - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-misra-cpp - description: A null pointer is being explicitly thrown, which violates rule 15.1.2 - of the MISRA C++ guidelines, potentially causing undefined program behavior. - group: top10-insecure-design - name: CPP_MISRA_CPP_R15_01_02_No_Explicit_Null_Throw - pretty_name: R15 01 02 No Explicit Null Throw - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_CPP_R15_01_03_Empty_Throw_Outside_Catch: - categories: - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-misra-cpp - description: An empty throw statement occurs outside a catch block in C++, violating - MISRA-CPP rule 15-1-3. This can cause unexpected behavior due to incorrect exception - propagation. - group: top10-insecure-design - name: CPP_MISRA_CPP_R15_01_03_Empty_Throw_Outside_Catch - pretty_name: R15 01 03 Empty Throw Outside Catch - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_CPP_R15_03_02_Catch_All_In_Main: - categories: - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-misra-cpp - description: In a C++ program, the main function lacks a catch-all exception handler. - This contravenes the MISRA C++:2008 Rule 15-3-2, which requires such a handler - to ensure unhandled exceptions do not terminate the program abruptly. 
- group: top10-insecure-design - name: CPP_MISRA_CPP_R15_03_02_Catch_All_In_Main - pretty_name: R15 03 02 Catch All In Main - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_CPP_R15_03_03_Accessing_Non_Static_Mem_In_Ctr_Dtr: - categories: - - ALL - - owasp-top-10 - - boost-baseline - - checkmarx-misra-cpp - description: The constructors and destructors of a class are accessing non-static - members, thereby violating the MISRA C++ Rule 15.3.3. Violations of this rule - pose potential risks related to unexpected object states and behavior. - group: top10-insecure-design - name: CPP_MISRA_CPP_R15_03_03_Accessing_Non_Static_Mem_In_Ctr_Dtr - pretty_name: R15 03 03 Accessing Non Static Mem In Ctr Dtr - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_CPP_R15_03_07_Catch_All_Final: - categories: - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-misra-cpp - description: 'A catch-all handler is used as the final exception handler in a - try-catch block, contravening MISRA (Motor Industry Software Reliability Association) - C++ standard R15.03.07 that stipulates specific exception types should be caught - to maintain robust error handling. - - ' - group: top10-insecure-design - name: CPP_MISRA_CPP_R15_03_07_Catch_All_Final - pretty_name: R15 03 07 Catch All Final - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_CPP_R15_05_01_Statements_Outside_TryCatch_Dtr: - categories: - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-misra-cpp - description: All branch paths involving a function or method should end with a - return statement, ensuring exception handling. Non-compliance with this rule - may result in unexpected program behavior in C++. 
- group: top10-insecure-design - name: CPP_MISRA_CPP_R15_05_01_Statements_Outside_TryCatch_Dtr - pretty_name: R15 05 01 Statements Outside TryCatch Dtr - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_CPP_R16_00_02_Define_Only_in_Global_Namespace: - categories: - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-misra-cpp - description: All '#define' and '#undef' directives should only be used within - the global namespace to ensure a consistent macro environment and avoid possible - naming conflicts. - group: top10-insecure-design - name: CPP_MISRA_CPP_R16_00_02_Define_Only_in_Global_Namespace - pretty_name: R16 00 02 Define Only in Global Namespace - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_CPP_R16_00_03_Use_Of_Undef_Directive: - categories: - - boost-baseline - - ALL - - owasp-top-10 - - checkmarx-misra-cpp - description: There's an usage of the '#undef' directive, violating MISRA C++ Rule - 16-0-3, which states to avoid such directives to prevent potential issues with - symbol resolution or unexpected behavior. - group: top10-insecure-design - name: CPP_MISRA_CPP_R16_00_03_Use_Of_Undef_Directive - pretty_name: R16 00 03 Use Of Undef Directive - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_CPP_R16_00_04_Function_Like_Macros_Shall_Not_Be_Defined: - categories: - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-misra-cpp - description: The use of function-like macros is prohibited to prevent unforeseen - side effects, as part of compliance with the MISRA C++:2008 Rule 16-0-4. 
- group: top10-insecure-design - name: CPP_MISRA_CPP_R16_00_04_Function_Like_Macros_Shall_Not_Be_Defined - pretty_name: R16 00 04 Function Like Macros Shall Not Be Defined - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_CPP_R16_00_05_No_Tokens_In_Func_Like_Macro: - categories: - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-misra-cpp - description: Function-like macros must not contain any tokens other than the parameter - list in their definition to ensure code maintainability and reduce confusion. - group: top10-insecure-design - name: CPP_MISRA_CPP_R16_00_05_No_Tokens_In_Func_Like_Macro - pretty_name: R16 00 05 No Tokens In Func Like Macro - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_CPP_R16_00_07_Undefined_Macro_Identifiers: - categories: - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-misra-cpp - description: A preprocessor directive uses a macro identifier that is not defined - at the time of use, violating MISRA C++:2008 Rule 16-0-7. This may result in - undefined behavior, causing unpredictable program output or runtime errors. - group: top10-insecure-design - name: CPP_MISRA_CPP_R16_00_07_Undefined_Macro_Identifiers - pretty_name: R16 00 07 Undefined Macro Identifiers - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_CPP_R16_00_08_Sharp_Before_Preprocessing_Token: - categories: - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-misra-cpp - description: A preprocessing directive is not immediately preceded by a '#' character. - This is a violation of MISRA C++:2008 Rule 16-0-8, potentially leading to syntax - errors. 
- group: top10-insecure-design - name: CPP_MISRA_CPP_R16_00_08_Sharp_Before_Preprocessing_Token - pretty_name: R16 00 08 Sharp Before Preprocessing Token - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_CPP_R16_01_01_Defined_Standart_Forms: - categories: - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-misra-cpp - description: 'C++ functions are defined using standard forms - no macros or #define - compiler directives are employed, ensuring compliance with MISRA rule R16.01.01.' - group: top10-insecure-design - name: CPP_MISRA_CPP_R16_01_01_Defined_Standart_Forms - pretty_name: R16 01 01 Defined Standart Forms - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_CPP_R16_01_02_Preprocessor_If_And_Else_Operators_Reside_In_Different_Files: - categories: - - boost-baseline - - ALL - - owasp-top-10 - - checkmarx-misra-cpp - description: Preprocessor `#if` and corresponding `#else` or `#elif` operators - are split between separate source files, violating MISRA C++ Rule 16-1-2 and - potentially compromising code integrity and readability. - group: top10-insecure-design - name: CPP_MISRA_CPP_R16_01_02_Preprocessor_If_And_Else_Operators_Reside_In_Different_Files - pretty_name: R16 01 02 Preprocessor If And Else Operators Reside In Different - Files - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_CPP_R16_02_06_Include_Directive_In_Wrong_Format: - categories: - - boost-baseline - - ALL - - owasp-top-10 - - checkmarx-misra-cpp - description: C++ code violates the MISRA C++:2008 Rule 16-2-6, where the format - of an '#include' directive does not adhere to the proper format, resulting in - potential compilation issues. 
- group: top10-insecure-design - name: CPP_MISRA_CPP_R16_02_06_Include_Directive_In_Wrong_Format - pretty_name: R16 02 06 Include Directive In Wrong Format - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_CPP_R16_03_02_Pound_Preprocessor_Operator_Is_Used: - categories: - - boost-baseline - - ALL - - owasp-top-10 - - checkmarx-misra-cpp - description: The '#' (pound) preprocessor operator is employed in the code, violating - MISRA C++ Rule 16-3-2 which prohibits the use of this operator to prevent potential - confusions and mistakes in macro expansions. - group: top10-insecure-design - name: CPP_MISRA_CPP_R16_03_02_Pound_Preprocessor_Operator_Is_Used - pretty_name: R16 03 02 Pound Preprocessor Operator Is Used - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_CPP_R17_00_01_Standard_Library_Redefined_Or_Undefined: - categories: - - boost-baseline - - ALL - - owasp-top-10 - - checkmarx-misra-cpp - description: The C++ Standard Library functions are redefined or undefined, breaking - compliance with MISRA C++ Rule 17-0-1 and potentially causing unpredictable - behavior. - group: top10-insecure-design - name: CPP_MISRA_CPP_R17_00_01_Standard_Library_Redefined_Or_Undefined - pretty_name: R17 00 01 Standard Library Redefined Or Undefined - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_CPP_R17_00_02_Standard_Library_Macros_Reuse: - categories: - - boost-baseline - - ALL - - owasp-top-10 - - checkmarx-misra-cpp - description: In C++ code, macro identifiers from Standard Library are reused, - violating MISRA C++ Rule 17-0-2, potentially causing naming conflicts and unpredictable - behavior. 
- group: top10-insecure-design - name: CPP_MISRA_CPP_R17_00_02_Standard_Library_Macros_Reuse - pretty_name: R17 00 02 Standard Library Macros Reuse - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_CPP_R17_00_03_Standard_Library_Functions_Override: - categories: - - boost-baseline - - ALL - - owasp-top-10 - - checkmarx-misra-cpp - description: Indicates the redefinition or override of a standard library function, - which breaches Rule 17-0-3 of the Motor Industry Software Reliability Association - (MISRA) guidelines for C++, leading to unpredictable behavior or a security - vulnerability. - group: top10-insecure-design - name: CPP_MISRA_CPP_R17_00_03_Standard_Library_Functions_Override - pretty_name: R17 00 03 Standard Library Functions Override - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_CPP_R18_00_04_Ctime: - categories: - - boost-baseline - - ALL - - owasp-top-10 - - checkmarx-misra-cpp - description: The C-time function from the C Standard Library is used, violating - MISRA C++ Rule 18-0-4, which recommends the use of C++ date/time abstraction - from the C++ Standard Library for safety and maintainability. - group: top10-insecure-design - name: CPP_MISRA_CPP_R18_00_04_Ctime - pretty_name: R18 00 04 Ctime - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_CPP_R18_00_05_Unbounded_Functions_Of_Library_CString: - categories: - - boost-baseline - - ALL - - owasp-top-10 - - checkmarx-misra-cpp - description: The rule targets the use of unbounded functions from the CString - library in C++ programming, as they can introduce potential buffer overflow - vulnerabilities. This adheres to the MISRA C++ Compliance rule 18-0-5. 
- group: top10-insecure-design - name: CPP_MISRA_CPP_R18_00_05_Unbounded_Functions_Of_Library_CString - pretty_name: R18 00 05 Unbounded Functions Of Library CString - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_CPP_R18_04_01_Dynamic_Heap_Memory_Allocation: - categories: - - boost-baseline - - ALL - - owasp-top-10 - - checkmarx-misra-cpp - description: Dynamic heap memory allocation functions such as malloc(), realloc(), - calloc(), and free() are used in the code, violating MISRA C++ Rule 18-4-1. - This usage can risk memory leakage or illegal memory access. - group: top10-injection - name: CPP_MISRA_CPP_R18_04_01_Dynamic_Heap_Memory_Allocation - pretty_name: R18 04 01 Dynamic Heap Memory Allocation - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_CPP_R18_07_01_Csignal: - categories: - - boost-baseline - - ALL - - owasp-top-10 - - checkmarx-misra-cpp - description: The C standard library function 'signal' is employed in a C++ context. - This usage violates rule 18-0-1 of the MISRA C++ guidelines, which advocates - against the inclusion of C library functions for robust and secure C++ code. - group: top10-insecure-design - name: CPP_MISRA_CPP_R18_07_01_Csignal - pretty_name: R18 07 01 Csignal - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_C_2012_R01_04_Emergent_Features_Shall_Not_Be_Used: - categories: - - boost-baseline - - ALL - - checkmarx-misrac - - owasp-top-10 - description: In compliance with MISRA C 2012 Rule 1.4, emergent features in C++ - should not be utilized, as these may lead to unpredictable program behavior, - lesser portability, and/or increased vulnerability to security breaches. 
- group: top10-insecure-design - name: CPP_MISRA_C_2012_R01_04_Emergent_Features_Shall_Not_Be_Used - pretty_name: R01 04 Emergent Features Shall Not Be Used - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_C_2012_R02_X_Unused_Code: - categories: - - boost-baseline - - ALL - - checkmarx-misrac - - owasp-top-10 - description: Any unused, superfluous, or unreachable code within a C++ program, - a violation of MISRA C:2012 Rule 2.x directive, which could compromise the reliability - and maintainability of the code. - group: top10-insecure-design - name: CPP_MISRA_C_2012_R02_X_Unused_Code - pretty_name: R02 X Unused Code - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_C_2012_R03_X_Comments: - categories: - - boost-baseline - - ALL - - checkmarx-misrac - - owasp-top-10 - description: C++ comments that do not comply with the 'R03_X' rule from the MISRA - C 2012 guidelines are detected. This includes cases where C-style comments (/*...*/), - are used rather than the recommended C++ comments (//...), potentially obscuring - code readability and introducing structural hazards. - group: top10-insecure-design - name: CPP_MISRA_C_2012_R03_X_Comments - pretty_name: R03 X Comments - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_C_2012_R04_X_Character_Sets: - categories: - - boost-baseline - - ALL - - checkmarx-misrac - - owasp-top-10 - description: Only standard ASCII characters and escape sequences should be used - in character and string literals, as per the MISRA C 2012 guideline R04.X, in - order to ensure portability and avoid reliance on specific character set encoding. 
- group: top10-insecure-design - name: CPP_MISRA_C_2012_R04_X_Character_Sets - pretty_name: R04 X Character Sets - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_C_2012_R05_X_Identifiers: - categories: - - boost-baseline - - ALL - - checkmarx-misrac - - owasp-top-10 - description: Identifiers which should comply with specific naming conventions - as stated in MISRA C 2012 Rule 5.x are not adhering to those conventions, leading - to possibly unclear code. - group: top10-insecure-design - name: CPP_MISRA_C_2012_R05_X_Identifiers - pretty_name: R05 X Identifiers - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_C_2012_R06_X_Bitfields: - categories: - - boost-baseline - - ALL - - checkmarx-misrac - - owasp-top-10 - description: Bits in non-integral bit fields are accessed, violating the MISRA - C 2012 rule 6.x, which states that bit-fields should only be defined to be of - type unsigned int or signed int. - group: top10-insecure-design - name: CPP_MISRA_C_2012_R06_X_Bitfields - pretty_name: R06 X Bitfields - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_C_2012_R07_01_Octal_Constans_Shall_Not_Be_Used: - categories: - - boost-baseline - - ALL - - checkmarx-misrac - - owasp-top-10 - description: Octal constants are prohibited as per MISRA C 2012 Rule 07.01 to - avoid confusion with decimal values in C++ code. 
- group: top10-insecure-design - name: CPP_MISRA_C_2012_R07_01_Octal_Constans_Shall_Not_Be_Used - pretty_name: R07 01 Octal Constans Shall Not Be Used - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_C_2012_R07_02_U_Or_u_Suffix_Shall_Be_Applied_To_All_Unsigned_Type_Integers: - categories: - - boost-baseline - - ALL - - checkmarx-misrac - - owasp-top-10 - description: Unsigned integer constants should be suffixed with "U" or "u" to - ensure clear representation of their unsigned nature, avoiding possible misinterpretation - and inappropriate type casting. - group: top10-insecure-design - name: CPP_MISRA_C_2012_R07_02_U_Or_u_Suffix_Shall_Be_Applied_To_All_Unsigned_Type_Integers - pretty_name: R07 02 U Or u Suffix Shall Be Applied To All Unsigned Type Integers - - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_C_2012_R07_03_Lowercase_l_Shall_Not_Be_Used_In_A_Literal_Suffix: - categories: - - boost-baseline - - ALL - - checkmarx-misrac - - owasp-top-10 - description: In a constant suffix, the lowercase letter 'l' shall not be used - due to its potential for confusion with the numeral '1', violating MISRA C:2012 - Rule 07.03. - group: top10-insecure-design - name: CPP_MISRA_C_2012_R07_03_Lowercase_l_Shall_Not_Be_Used_In_A_Literal_Suffix - pretty_name: R07 03 Lowercase l Shall Not Be Used In A Literal Suffix - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_C_2012_R07_04_String_Literal_Should_Be_Assigned_To_Pointer_To_Const_Char: - categories: - - boost-baseline - - ALL - - checkmarx-misrac - - owasp-top-10 - description: String literals are assigned to a pointer to non-const char, violating - MISRA C 2012 Rule 07.04. This may inadvertently alter string literals, causing - unexpected behavior or bugs. 
- group: top10-insecure-design - name: CPP_MISRA_C_2012_R07_04_String_Literal_Should_Be_Assigned_To_Pointer_To_Const_Char - pretty_name: R07 04 String Literal Should Be Assigned To Pointer To Const Char - - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_C_2012_R08_02_Function_Prototype_With_Named_Parameters: - categories: - - boost-baseline - - ALL - - checkmarx-misrac - - owasp-top-10 - description: Identifies C++ function prototypes that do not name the parameters, - violating MISRA C++ 2012 Rule 8.2, which stipulates that all parameters in function - prototypes should be named to indicate their usage. - group: top10-insecure-design - name: CPP_MISRA_C_2012_R08_02_Function_Prototype_With_Named_Parameters - pretty_name: R08 02 Function Prototype With Named Parameters - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_C_2012_R08_03_Functions_Have_Same_Name: - categories: - - boost-baseline - - ALL - - checkmarx-misrac - - owasp-top-10 - description: Two or more functions have been given identical names, a violation - of MISRA C 2012 Rule 08.03, potentially creating ambiguity and misleading the - compiler. - group: top10-insecure-design - name: CPP_MISRA_C_2012_R08_03_Functions_Have_Same_Name - pretty_name: R08 03 Functions Have Same Name - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_C_2012_R08_04_Compatible_Declaration_Shall_Be_Visible: - categories: - - boost-baseline - - ALL - - checkmarx-misrac - - owasp-top-10 - description: When a function or an object is used, its compatible declaration - must be visible in its scope, adhering to Rule 08.04 of MISRA C 2012 to ensure - type safety. 
- group: top10-insecure-design - name: CPP_MISRA_C_2012_R08_04_Compatible_Declaration_Shall_Be_Visible - pretty_name: R08 04 Compatible Declaration Shall Be Visible - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_C_2012_R08_05_External_Objects_Shall_Be_Declared_Once: - categories: - - boost-baseline - - ALL - - checkmarx-misrac - - owasp-top-10 - description: External objects in C++ code should be declared only once to comply - with the MISRA C 2012 R08.05 rule, avoiding any confusion or errors due to multiple - declarations. - group: top10-insecure-design - name: CPP_MISRA_C_2012_R08_05_External_Objects_Shall_Be_Declared_Once - pretty_name: R08 05 External Objects Shall Be Declared Once - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_C_2012_R08_06_Single_External_Definition_Per_External_Identifier: - categories: - - boost-baseline - - ALL - - checkmarx-misrac - - owasp-top-10 - description: Ensures that each identifier with external linkage is associated - with exactly one definition within the entire program, in accordance with Rule - 8.6 of MISRA C 2012 guidelines. - group: top10-insecure-design - name: CPP_MISRA_C_2012_R08_06_Single_External_Definition_Per_External_Identifier - pretty_name: R08 06 Single External Definition Per External Identifier - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_C_2012_R08_07_Function_And_Objects_Should_Not_Use_Extern_When_Referenced_In_One_File: - categories: - - boost-baseline - - ALL - - checkmarx-misrac - - owasp-top-10 - description: Functions and objects are defined as 'extern' while being referenced - only in a single file, violating MISRA C:2012 Rule 08.07, which can lead to - potential linkage and maintainability issues. 
- group: top10-insecure-design - name: CPP_MISRA_C_2012_R08_07_Function_And_Objects_Should_Not_Use_Extern_When_Referenced_In_One_File - pretty_name: R08 07 Function And Objects Should Not Use Extern When Referenced - In One File - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_C_2012_R08_08_Static_Shall_Be_Used_In_All_Internal_Linkage_Declarations: - categories: - - boost-baseline - - ALL - - checkmarx-misrac - - owasp-top-10 - description: All internal linkage declarations must use the 'static' keyword in - accordance with the MISRA C 2012 Rule 08.08 to prevent potential linkage and - name collision issues. - group: top10-insecure-design - name: CPP_MISRA_C_2012_R08_08_Static_Shall_Be_Used_In_All_Internal_Linkage_Declarations - pretty_name: R08 08 Static Shall Be Used In All Internal Linkage Declarations - - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_C_2012_R08_09_Identifiers_Should_Be_Defined_At_Block_Scope: - categories: - - boost-baseline - - ALL - - checkmarx-misrac - - owasp-top-10 - description: Ensures that identifiers in C++ are defined at the smallest block - scope possible, conforming to MISRA C 2012 Rule 08.09 which aims to improve - code readability and maintainability. - group: top10-insecure-design - name: CPP_MISRA_C_2012_R08_09_Identifiers_Should_Be_Defined_At_Block_Scope - pretty_name: R08 09 Identifiers Should Be Defined At Block Scope - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_C_2012_R08_10_Inline_Function_Shall_Be_Declared_With_Static: - categories: - - boost-baseline - - ALL - - checkmarx-misrac - - owasp-top-10 - description: An inline function in C++ doesn't have 'static' declaration, violating - rule 8.10 of MISRA C 2012 standards, leading to potential clashes in function - names and unpredictable behavior. 
- group: top10-insecure-design - name: CPP_MISRA_C_2012_R08_10_Inline_Function_Shall_Be_Declared_With_Static - pretty_name: R08 10 Inline Function Shall Be Declared With Static - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_C_2012_R08_11_Extern_Array_Shall_Be_Declared_With_Determined_Size: - categories: - - boost-baseline - - ALL - - checkmarx-misrac - - owasp-top-10 - description: External array declarations must include a defined size to ensure - compliance with MISRA C 2012 Rule 08.11 and avoid potential runtime issues. - group: top10-insecure-design - name: CPP_MISRA_C_2012_R08_11_Extern_Array_Shall_Be_Declared_With_Determined_Size - pretty_name: R08 11 Extern Array Shall Be Declared With Determined Size - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_C_2012_R08_12_Value_Implicitly_Specified_Of_Enumeration_Constant_Shall_Be_Unique: - categories: - - boost-baseline - - ALL - - checkmarx-misrac - - owasp-top-10 - description: Enumerated constant values specified implicitly must be unique in - compliance with MISRA C 2012 Rule 8.12, to ensure clear differentiation between - enumeration items. - group: top10-insecure-design - name: CPP_MISRA_C_2012_R08_12_Value_Implicitly_Specified_Of_Enumeration_Constant_Shall_Be_Unique - pretty_name: R08 12 Value Implicitly Specified Of Enumeration Constant Shall Be - Unique - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_C_2012_R08_13_Pointer_Should_Point_Const: - categories: - - boost-baseline - - ALL - - checkmarx-misrac - - owasp-top-10 - description: A pointer does not point to 'const', breaking the MISRA C 2012 Rule - 8.13 guideline, which can lead to unforeseen side effects or code vulnerabilities - due to accidental modification of data. 
- group: top10-insecure-design - name: CPP_MISRA_C_2012_R08_13_Pointer_Should_Point_Const - pretty_name: R08 13 Pointer Should Point Const - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_C_2012_R08_14_Restrict_Type_Qualifier: - categories: - - boost-baseline - - ALL - - checkmarx-misrac - - owasp-top-10 - description: The rule R08.14 in the MISRA C 2012 guidelines, precisely checks - if the restrict type qualifier does not refer to an object with static storage - duration or a function parameter declared as array or function type in the C++ - code. - group: top10-insecure-design - name: CPP_MISRA_C_2012_R08_14_Restrict_Type_Qualifier - pretty_name: R08 14 Restrict Type Qualifier - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_C_2012_R09_01_Value_Not_Read_Before_Being_Set: - categories: - - boost-baseline - - ALL - - checkmarx-misrac - - owasp-top-10 - description: A variable's value is being overwritten without prior usage, violating - the MISRA C:2012 Rule 9.1 which states that every value, which is read, must - be set explicitly beforehand. - group: top10-insecure-design - name: CPP_MISRA_C_2012_R09_01_Value_Not_Read_Before_Being_Set - pretty_name: R09 01 Value Not Read Before Being Set - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_C_2012_R09_02_to_03_Array_Initializer_Validation: - categories: - - boost-baseline - - ALL - - checkmarx-misrac - - owasp-top-10 - description: Array initializers must not contain more initializers than the dimension - of the array, and the provided initializer must be compatible with the declared - type to meet MISRA C 2012 Rules 09.02 and 09.03. Violations may result in unexpected - program behavior. 
- group: top10-injection - name: CPP_MISRA_C_2012_R09_02_to_03_Array_Initializer_Validation - pretty_name: R09 02 to 03 Array Initializer Validation - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_C_2012_R10_01_Operands_Shall_Not_Be_Of_An_Inappropriate_Essential_Type: - categories: - - boost-baseline - - ALL - - checkmarx-misrac - - owasp-top-10 - description: Operands within an expression are of an inappropriate essential type, - violating the MISRA C 2012 Rule 10.1, which aims to ensure correct and safe - usage of operands in C++ code. - group: top10-insecure-design - name: CPP_MISRA_C_2012_R10_01_Operands_Shall_Not_Be_Of_An_Inappropriate_Essential_Type - pretty_name: R10 01 Operands Shall Not Be Of An Inappropriate Essential Type - - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_C_2012_R10_02_Char_Type_Shall_Not_Be_Used_Inappropriately_In_Operations: - categories: - - boost-baseline - - ALL - - checkmarx-misrac - - owasp-top-10 - description: Character types should not be used inappropriately in arithmetic - operations to avoid unexpected results due to implicit type conversion, adhering - to the MISRA C 2012 Rule 10.2. - group: top10-insecure-design - name: CPP_MISRA_C_2012_R10_02_Char_Type_Shall_Not_Be_Used_Inappropriately_In_Operations - pretty_name: R10 02 Char Type Shall Not Be Used Inappropriately In Operations - - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_C_2012_R10_03_Value_Of_An_Expression_Assigned_To_Inappropriate_Essential_Type: - categories: - - boost-baseline - - ALL - - checkmarx-misrac - - owasp-top-10 - description: An expression's value is assigned to a data type with inappropriate - essential type, contradicting MISRA C 2012 Rule 10.3, which can lead to unexpected - behavior due to data loss or incorrect value interpretation. 
- group: top10-insecure-design - name: CPP_MISRA_C_2012_R10_03_Value_Of_An_Expression_Assigned_To_Inappropriate_Essential_Type - pretty_name: R10 03 Value Of An Expression Assigned To Inappropriate Essential - Type - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_C_2012_R10_04_Binary_Operator_Operands_With_Same_Type: - categories: - - boost-baseline - - ALL - - checkmarx-misrac - - owasp-top-10 - description: Binary operators that operate on a basic type should have operands - of the same type, as required by MISRA C 2012 Rule 10.4, to ensure type consistency - and prevent unexpected behavior during execution. - group: top10-insecure-design - name: CPP_MISRA_C_2012_R10_04_Binary_Operator_Operands_With_Same_Type - pretty_name: R10 04 Binary Operator Operands With Same Type - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_C_2012_R10_05_Value_Of_An_Expression_Cast_To_Inappropriate_Essential_Type: - categories: - - boost-baseline - - ALL - - checkmarx-misrac - - owasp-top-10 - description: A violation occurs when the value of an expression is cast to an - inappropriate essential type according to the MISRA C 2012 standard rule R10.05, - thereby increasing the risk of incorrect program behavior. - group: top10-insecure-design - name: CPP_MISRA_C_2012_R10_05_Value_Of_An_Expression_Cast_To_Inappropriate_Essential_Type - pretty_name: R10 05 Value Of An Expression Cast To Inappropriate Essential Type - - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_C_2012_R10_06_to_08_Composite_Expressions: - categories: - - boost-baseline - - ALL - - checkmarx-misrac - - owasp-top-10 - description: Verifies that C++ code adheres to MISRA C 2012 rules 10.6, 10.7, - and 10.8, ensuring type consistency of composite expressions to prevent integer - overflows and underflows. 
- group: top10-insecure-design - name: CPP_MISRA_C_2012_R10_06_to_08_Composite_Expressions - pretty_name: R10 06 to 08 Composite Expressions - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_C_2012_R11_X_Pointer_Type_Conversions: - categories: - - boost-baseline - - ALL - - checkmarx-misrac - - owasp-top-10 - description: R11.x Pointer Type Conversions detects violations of MISRA C 2012 - Rule 11.x, which prohibits conversions between pointer types that may lead to - an incompatible or unexpected type interpretation, possibly causing code behavior - inconsistencies. - group: top10-vulnerable-components - name: CPP_MISRA_C_2012_R11_X_Pointer_Type_Conversions - pretty_name: R11 X Pointer Type Conversions - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_C_2012_R12_01_Explicit_Operator_Precedence: - categories: - - boost-baseline - - ALL - - checkmarx-misrac - - owasp-top-10 - description: An issue with operator precedence in a C++ code line occurs when - one expression consists of intertwined operators without the use of parentheses - for explicit precedence, resulting in possible ambiguity or unexpected outcomes - in line with the MISRA C 2012 Rule 12.1. - group: top10-insecure-design - name: CPP_MISRA_C_2012_R12_01_Explicit_Operator_Precedence - pretty_name: R12 01 Explicit Operator Precedence - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_C_2012_R12_02_Right_Operand_Of_Shift_Operator_Out_Of_Range: - categories: - - boost-baseline - - ALL - - checkmarx-misrac - - owasp-top-10 - description: The right-hand operand of a shift operator in C++ code exceeds the - width in bits of the essential type of the left-hand operand, violating the - MISRA C++ 2012 Rule 12.02, which can lead to unpredictable values or data loss. 
- group: top10-insecure-design - name: CPP_MISRA_C_2012_R12_02_Right_Operand_Of_Shift_Operator_Out_Of_Range - pretty_name: R12 02 Right Operand Of Shift Operator Out Of Range - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_C_2012_R12_03_Comma_Operator_Shall_Not_Be_Used: - categories: - - boost-baseline - - ALL - - checkmarx-misrac - - owasp-top-10 - description: Prohibits the use of the comma operator, except in functions and - arrays, as stated in rule R12.03 of the MISRA C 2012 guidelines to prevent ambiguous - or unexpected results in C++ programming. - group: top10-insecure-design - name: CPP_MISRA_C_2012_R12_03_Comma_Operator_Shall_Not_Be_Used - pretty_name: R12 03 Comma Operator Shall Not Be Used - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_C_2012_R12_04_Unsigned_Integer_Wrap_Around: - categories: - - boost-baseline - - ALL - - checkmarx-misrac - - owasp-top-10 - description: Unsigned integer values are used in such a way that could result - in wrap-around, violating the MISRA C 2012 guideline R12.04 for reliable and - secure coding. - group: top10-insecure-design - name: CPP_MISRA_C_2012_R12_04_Unsigned_Integer_Wrap_Around - pretty_name: R12 04 Unsigned Integer Wrap Around - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_C_2012_R12_05_Sizeof_Operand_Not_Array_Of_Type: - categories: - - boost-baseline - - ALL - - checkmarx-misrac - - owasp-top-10 - description: The 'sizeof' operator is used with an operand that is not an array - of type, in violation of MISRA C 2012 Rule 12.5. This may result in unintended - calculation of object memory size. 
- group: top10-insecure-design - name: CPP_MISRA_C_2012_R12_05_Sizeof_Operand_Not_Array_Of_Type - pretty_name: R12 05 Sizeof Operand Not Array Of Type - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_C_2012_R13_X_Side_Effects: - categories: - - boost-baseline - - ALL - - checkmarx-misrac - - owasp-top-10 - description: Side effects in an expression are not sequenced properly, resulting - in unreliable operation under the MISRA C++:2008 Rule 13.x. This could lead - to undefined or unpredictable behaviors. - group: top10-insecure-design - name: CPP_MISRA_C_2012_R13_X_Side_Effects - pretty_name: R13 X Side Effects - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_C_2012_R14_X_Control_Statement_Expressions: - categories: - - boost-baseline - - ALL - - checkmarx-misrac - - owasp-top-10 - description: Control mechanisms in C++ programming, such as if-else and switch-case - statements, contain expressions that do not resolve to Boolean values as per - MISRA C 2012, Rule 14.x, increasing the chance of unintended program behavior. - group: top10-insecure-design - name: CPP_MISRA_C_2012_R14_X_Control_Statement_Expressions - pretty_name: R14 X Control Statement Expressions - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_C_2012_R15_01_to_03_Goto_Usage_Constraints: - categories: - - boost-baseline - - ALL - - checkmarx-misrac - - owasp-top-10 - description: Enforces MISRA C:2012 rules 15.1 to 15.3, which together prohibit - usage of 'goto' statements for branch and iteration control, limiting its role - for error handling in C++. 
- group: top10-insecure-design - name: CPP_MISRA_C_2012_R15_01_to_03_Goto_Usage_Constraints - pretty_name: R15 01 to 03 Goto Usage Constraints - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_C_2012_R15_04_Iteration_Single_Exit_Point: - categories: - - boost-baseline - - ALL - - checkmarx-misrac - - owasp-top-10 - description: Iteration statements must have at most one break statement exiting - the loop, per MISRA C 2012 Rule 15.4, thus enforcing a single point of exit - for greater control flow clarity in C++ programming. - group: top10-insecure-design - name: CPP_MISRA_C_2012_R15_04_Iteration_Single_Exit_Point - pretty_name: R15 04 Iteration Single Exit Point - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_C_2012_R15_05_Function_Single_Exit_Point: - categories: - - boost-baseline - - ALL - - checkmarx-misrac - - owasp-top-10 - description: Functions should have a single exit point at the end, ensuring program - flow isn't disrupted and handling resources more efficiently, per MISRA C 2012 - Rule 15.5. - group: top10-insecure-design - name: CPP_MISRA_C_2012_R15_05_Function_Single_Exit_Point - pretty_name: R15 05 Function Single Exit Point - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_C_2012_R15_06_Statement_Body_Shall_Be_Compound: - categories: - - boost-baseline - - ALL - - checkmarx-misrac - - owasp-top-10 - description: The body of an iteration statement, selection statement, or a `catch` - clause in a function definition or at block scope isn't a compound statement, - violating MISRA C 2012 Rule 15.06. This may result in unexpected logic flow, - making the code hard to modify and error-prone. 
- group: top10-insecure-design - name: CPP_MISRA_C_2012_R15_06_Statement_Body_Shall_Be_Compound - pretty_name: R15 06 Statement Body Shall Be Compound - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_C_2012_R15_07_If_Else_If_Constructs_Not_Ending_With_Else: - categories: - - boost-baseline - - ALL - - checkmarx-misrac - - owasp-top-10 - description: This rule checks if 'if-else if' construct in C++ code complies with - MISRA C 2012 Rule 15.07, which states that the construct must end with an 'else' - clause to avoid unintended behavior. - group: top10-insecure-design - name: CPP_MISRA_C_2012_R15_07_If_Else_If_Constructs_Not_Ending_With_Else - pretty_name: R15 07 If Else If Constructs Not Ending With Else - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_C_2012_R16_X_Switches: - categories: - - boost-baseline - - ALL - - checkmarx-misrac - - owasp-top-10 - description: Switch-case constructs in C/C++ code are not adhering to MISRA 2012 - Rule 16.X, which requires a default label to end all switch statements to avoid - potential issues if none of the case matches. - group: top10-insecure-design - name: CPP_MISRA_C_2012_R16_X_Switches - pretty_name: R16 X Switches - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_C_2012_R17_01_StdArg_Shall_Not_Be_Used: - categories: - - boost-baseline - - ALL - - checkmarx-misrac - - owasp-top-10 - description: The standard header is used within the code, violating - Rule 17.1 of MISRA C 2012, which prohibits the use of variable argument functions. 
- group: top10-insecure-design - name: CPP_MISRA_C_2012_R17_01_StdArg_Shall_Not_Be_Used - pretty_name: R17 01 StdArg Shall Not Be Used - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_C_2012_R17_02_No_Recursion: - categories: - - boost-baseline - - ALL - - checkmarx-misrac - - owasp-top-10 - description: The code violates Rule 17.2 of MISRA C 2012 standard as it contains - recursion, either direct or indirect, which might lead to unpredictable program - behavior. - group: top10-insecure-design - name: CPP_MISRA_C_2012_R17_02_No_Recursion - pretty_name: R17 02 No Recursion - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_C_2012_R17_03_Function_Shall_Not_Be_Declared_Implicitly: - categories: - - boost-baseline - - ALL - - checkmarx-misrac - - owasp-top-10 - description: "The program uses a function that has been declared implicitly, violating\ - \ the MISRA C 2012 Rule 17.03\u2014increasing potential for undeclared or mistyped\ - \ function names to cause malfunction or behave unpredictably." - group: top10-insecure-design - name: CPP_MISRA_C_2012_R17_03_Function_Shall_Not_Be_Declared_Implicitly - pretty_name: R17 03 Function Shall Not Be Declared Implicitly - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_C_2012_R17_04_Non_Void_Has_Valid_Return: - categories: - - boost-baseline - - ALL - - checkmarx-misrac - - owasp-top-10 - description: Every non-void function must have a return statement with an expression, - ensuring that a return value is specified, conforming to MISRA C 2012 Rule 17.4. 
- group: top10-insecure-design - name: CPP_MISRA_C_2012_R17_04_Non_Void_Has_Valid_Return - pretty_name: R17 04 Non Void Has Valid Return - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_C_2012_R17_05_to_06_Functions_With_Array_Parameter: - categories: - - boost-baseline - - ALL - - checkmarx-misrac - - owasp-top-10 - description: Enforces MISRA C 2012 directives 17.05 and 17.06 to ensure that a - function does not take an array as a parameter, but rather a pointer to its - first element, safeguarding critical memory portions used by the array. - group: top10-insecure-design - name: CPP_MISRA_C_2012_R17_05_to_06_Functions_With_Array_Parameter - pretty_name: R17 05 to 06 Functions With Array Parameter - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_C_2012_R17_07_Value_Returned_By_Non_Void_Function_Shall_Be_Used: - categories: - - boost-baseline - - ALL - - checkmarx-misrac - - owasp-top-10 - description: In compliance with MISRA C 2012 Rule 17.07, the value returned by - a function with a non-void return type must be utilized, preventing potential - logical errors or inconsistencies. - group: top10-insecure-design - name: CPP_MISRA_C_2012_R17_07_Value_Returned_By_Non_Void_Function_Shall_Be_Used - pretty_name: R17 07 Value Returned By Non Void Function Shall Be Used - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_C_2012_R17_08_Function_Parameter_Should_Not_Be_Modified: - categories: - - boost-baseline - - ALL - - checkmarx-misrac - - owasp-top-10 - description: Function parameters in the C++ language are altered or modified, - which violates rule 17.08 of MISRA C 2012, potentially leading to unpredictable - program behavior. 
- group: top10-insecure-design - name: CPP_MISRA_C_2012_R17_08_Function_Parameter_Should_Not_Be_Modified - pretty_name: R17 08 Function Parameter Should Not Be Modified - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_C_2012_R18_04_Pointer_Arithmetic: - categories: - - boost-baseline - - ALL - - checkmarx-misrac - - owasp-top-10 - description: Misuse of pointer arithmetic tends to violate rule 18.4 of MISRA - C 2012, suggesting that subtraction or addition operators should not be applied - to pointer values, which could lead to overflow and underflow memory bugs. - group: top10-insecure-design - name: CPP_MISRA_C_2012_R18_04_Pointer_Arithmetic - pretty_name: R18 04 Pointer Arithmetic - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_C_2012_R18_05_Pointer_Nesting: - categories: - - boost-baseline - - ALL - - checkmarx-misrac - - owasp-top-10 - description: Declarations of pointer types used in nesting do not exceed two levels, - adhering to the MISRA C 2012 Rule 18.5, to prevent complexities in interpreting - sequences of indirections. - group: top10-insecure-design - name: CPP_MISRA_C_2012_R18_05_Pointer_Nesting - pretty_name: R18 05 Pointer Nesting - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_C_2012_R18_06_Automatic_Storage_Addresses_Shall_Not_Be_Copied: - categories: - - boost-baseline - - ALL - - checkmarx-misrac - - owasp-top-10 - description: The rule ensures that the addresses of objects with automatic storage - duration are not copied to other objects, as per MISRA C 2012 Rule 18.06. Doing - so could lead to usage of an invalid address if the automatic storage has expired. 
- group: top10-insecure-design - name: CPP_MISRA_C_2012_R18_06_Automatic_Storage_Addresses_Shall_Not_Be_Copied - pretty_name: R18 06 Automatic Storage Addresses Shall Not Be Copied - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_C_2012_R18_07_to_08_Variable_Length_And_Flexible_Arrays: - categories: - - boost-baseline - - ALL - - checkmarx-misrac - - owasp-top-10 - description: Variable length arrays and flexible array members are prohibited, - adhering to guidelines R18.07 and R18.08 from MISRA-C:2012 rules, thus ensuring - predictability and reliability of the code. - group: top10-insecure-design - name: CPP_MISRA_C_2012_R18_07_to_08_Variable_Length_And_Flexible_Arrays - pretty_name: R18 07 to 08 Variable Length And Flexible Arrays - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_C_2012_R19_X_Overlapping_Storage: - categories: - - boost-baseline - - ALL - - checkmarx-misrac - - owasp-top-10 - description: Identifies cases in C++ code where two pointers are used to simultaneously - manipulate the same memory space, a violation of rule 19.x of the MISRA C 2012 - standard, leading to potential undefined behavior or data integrity issues. - group: top10-insecure-design - name: CPP_MISRA_C_2012_R19_X_Overlapping_Storage - pretty_name: R19 X Overlapping Storage - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_C_2012_R20_01_Include_Directive_Precedence: - categories: - - boost-baseline - - ALL - - checkmarx-misrac - - owasp-top-10 - description: When a '#include' directive is used in a file, it fails to respect - the inclusion precedence outlined by MISRA C 2012 Rule 20.1, possibly disrupting - the sequence of headers and leading to unpredictable results. 
- group: top10-insecure-design - name: CPP_MISRA_C_2012_R20_01_Include_Directive_Precedence - pretty_name: R20 01 Include Directive Precedence - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_C_2012_R20_02_Invalid_Include_Names: - categories: - - boost-baseline - - ALL - - checkmarx-misrac - - owasp-top-10 - description: Include file names must be a sequence of valid (ISO 646 Basic) source - characters, excluding NUL, and do not contain a UCN encoding a character that - can't appear in an ISO/IEC 646:1991 source file. This promotes code portability - and maintainability. - group: top10-insecure-design - name: CPP_MISRA_C_2012_R20_02_Invalid_Include_Names - pretty_name: R20 02 Invalid Include Names - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_C_2012_R20_03_Includes_In_Wrong_Format: - categories: - - boost-baseline - - ALL - - checkmarx-misrac - - owasp-top-10 - description: Violates MISRA C 2012 Rule 20.3, which stipulates that the '#include' - directive must not use an angle-bracket form when including system library files - and a double-quote form when including user-defined files. Non-compliance may - lead to unexpected preprocessor behavior. - group: top10-insecure-design - name: CPP_MISRA_C_2012_R20_03_Includes_In_Wrong_Format - pretty_name: R20 03 Includes In Wrong Format - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_C_2012_R20_04_Macros_With_Keyword_Name: - categories: - - boost-baseline - - ALL - - checkmarx-misrac - - owasp-top-10 - description: Macro identifiers align with C++ language keyword names, which violates - MISRA C 2012 Rule 20.04 and can lead to confusing or misleading code. 
- group: top10-insecure-design - name: CPP_MISRA_C_2012_R20_04_Macros_With_Keyword_Name - pretty_name: R20 04 Macros With Keyword Name - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_C_2012_R20_05_Undef_Shall_Not_Be_Used: - categories: - - boost-baseline - - ALL - - checkmarx-misrac - - owasp-top-10 - description: The '#undef' directive is utilized in the code, violating Rule 20.5 - of the MISRA C 2012 standard, which forbids the use of this directive in C programming - to avoid inconsistencies in symbol definitions. - group: top10-insecure-design - name: CPP_MISRA_C_2012_R20_05_Undef_Shall_Not_Be_Used - pretty_name: R20 05 Undef Shall Not Be Used - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_C_2012_R20_10_to_12_Preprocessor_Concatenation_Operations: - categories: - - boost-baseline - - ALL - - checkmarx-misrac - - owasp-top-10 - description: The preprocessor concatenation operations do not comply with MISRA - C 2012 Rules R20.10 to R20.12, implying a risk in misinterpretation of the combined - tokens. - group: top10-insecure-design - name: CPP_MISRA_C_2012_R20_10_to_12_Preprocessor_Concatenation_Operations - pretty_name: R20 10 to 12 Preprocessor Concatenation Operations - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_C_2012_R20_13_Valid_PreProcessor_Directives: - categories: - - boost-baseline - - ALL - - checkmarx-misrac - - owasp-top-10 - description: 'Ensures compliance with MISRA C 2012 Rule 20.13: Every preprocessor - directive in the code must be a valid and well-formed directive as per the standard. - Invalid or ill-formed directives can cause undefined behavior or compilation - errors.' 
- group: top10-insecure-design - name: CPP_MISRA_C_2012_R20_13_Valid_PreProcessor_Directives - pretty_name: R20 13 Valid PreProcessor Directives - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_C_2012_R20_14_Preprocessor_IF_Else_In_Same_File: - categories: - - boost-baseline - - ALL - - checkmarx-misrac - - owasp-top-10 - description: An 'if' directive and an 'else' directive from a pair of conditional - inclusion preprocessor directives are not part of the same file in C++, violating - MISRA C 2012 Rule 20.14. This can cause inconsistent code behavior due to different - preprocessing conditions. - group: top10-insecure-design - name: CPP_MISRA_C_2012_R20_14_Preprocessor_IF_Else_In_Same_File - pretty_name: R20 14 Preprocessor IF Else In Same File - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_C_2012_R21_01_to_12_Usage_of_C_Standard_Library: - categories: - - boost-baseline - - ALL - - checkmarx-misrac - - owasp-top-10 - description: Checks for the usage of C Standard Library functions not permissible - under MISRA C:2012 rules 21.1 to 21.12, to guarantee safety, reliability, and - portability. - group: top10-insecure-design - name: CPP_MISRA_C_2012_R21_01_to_12_Usage_of_C_Standard_Library - pretty_name: R21 01 to 12 Usage of C Standard Library - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_C_2012_R21_13_to_20_C_Standard_Library_Types: - categories: - - boost-baseline - - ALL - - checkmarx-misrac - - owasp-top-10 - description: Checks for the use of C standard library types, as dictated by MISRA - C:2012 Rules 21.13 to 21.20, which pose potential code safety and reliability - hazards. 
- group: top10-insecure-design - name: CPP_MISRA_C_2012_R21_13_to_20_C_Standard_Library_Types - pretty_name: R21 13 to 20 C Standard Library Types - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_C_2012_R22_X_Resources: - categories: - - boost-baseline - - ALL - - checkmarx-misrac - - owasp-top-10 - description: 'Violates directive 4.13 of MISRA C 2012 guidelines: do not rely - on undefined or unspecified behavior of any kind, including memory allocation - routines, file handling, signals, and exceptions.' - group: top10-insecure-design - name: CPP_MISRA_C_2012_R22_X_Resources - pretty_name: R22 X Resources - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_C_R02_02_CPP_Comment_Style: - categories: - - boost-baseline - - ALL - - checkmarx-misrac - - owasp-top-10 - description: Enforces the use of "/* ... */" style for multi-line comments in - C++ code instead of using a sequence of single line comments with "//", in accordance - with the MISRA C++:2008 rule set (Rule 2-2-2). - group: top10-insecure-design - name: CPP_MISRA_C_R02_02_CPP_Comment_Style - pretty_name: R02 02 CPP Comment Style - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_C_R02_03_Nested_Comments: - categories: - - boost-baseline - - ALL - - checkmarx-misrac - - owasp-top-10 - description: Detects the presence of nested comments in C++ code, a violation - of MISRA C:2004 Rule 2.3, which may lead to misinterpretation and ambiguity - during code analysis. 
- group: top10-insecure-design - name: CPP_MISRA_C_R02_03_Nested_Comments - pretty_name: R02 03 Nested Comments - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_C_R02_04_Code_Commented_Out: - categories: - - boost-baseline - - ALL - - checkmarx-misrac - - owasp-top-10 - description: Sections of code are commented out, violating Rule 02.04 of the MISRA - C guidelines, which could indicate unfinished work or obsolete logic. - group: top10-insecure-design - name: CPP_MISRA_C_R02_04_Code_Commented_Out - pretty_name: R02 04 Code Commented Out - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_C_R03_04_Not_Explained_Pragma_Usage: - categories: - - boost-baseline - - ALL - - checkmarx-misrac - - owasp-top-10 - description: Code contains '#pragma' directives that are not explained with adjacent - comments, thereby violating MISRA C rule 03.04, which deems it necessary to - provide explanations for each '#pragma' usage. - group: top10-insecure-design - name: CPP_MISRA_C_R03_04_Not_Explained_Pragma_Usage - pretty_name: R03 04 Not Explained Pragma Usage - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_C_R04_01_Non_ISO_Escape_Sequences: - categories: - - boost-baseline - - ALL - - checkmarx-misrac - - owasp-top-10 - description: Non-standard escape sequences are used in the program, violating - rule R04.01 of the MISRA C guidelines, which requires all escape sequences to - comply with the ISO 9899:1999 standard. 
- group: top10-insecure-design - name: CPP_MISRA_C_R04_01_Non_ISO_Escape_Sequences - pretty_name: R04 01 Non ISO Escape Sequences - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_C_R04_02_Trigraphs: - categories: - - boost-baseline - - ALL - - checkmarx-misrac - - owasp-top-10 - description: Trigraph sequences are used in the code, violating the MISRA C Rule - 04.02, which discourages their usage owing to possible confusion and misinterpretation. - group: top10-insecure-design - name: CPP_MISRA_C_R04_02_Trigraphs - pretty_name: R04 02 Trigraphs - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_C_R05_01_Identifiers_Length_Violation: - categories: - - boost-baseline - - ALL - - checkmarx-misrac - - owasp-top-10 - description: Identifier names in a C or C++ file exceed the recommended length - specified by the MISRA-C coding standard, potentially leading to legibility - and maintainability issues. - group: top10-insecure-design - name: CPP_MISRA_C_R05_01_Identifiers_Length_Violation - pretty_name: R05 01 Identifiers Length Violation - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_C_R05_02_Identifiers_Hiding_Outer_Scope_Identifiers: - categories: - - boost-baseline - - ALL - - checkmarx-misrac - - owasp-top-10 - description: Identifiers in an inner scope are used that hide identifiers in an - outer scope, which may lead to confusion and errors, contradicting the MISRA - C rule 05.02. 
- group: top10-insecure-design - name: CPP_MISRA_C_R05_02_Identifiers_Hiding_Outer_Scope_Identifiers - pretty_name: R05 02 Identifiers Hiding Outer Scope Identifiers - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_C_R05_03_Typedef_Name_Reused: - categories: - - boost-baseline - - ALL - - checkmarx-misrac - - owasp-top-10 - description: The same name is used for different 'typedef' entities within the - same codebase, violating MISRA C Rule 5.3, thus leading to potential code ambiguities. - group: top10-insecure-design - name: CPP_MISRA_C_R05_03_Typedef_Name_Reused - pretty_name: R05 03 Typedef Name Reused - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_C_R05_04_Tag_Name_Reused: - categories: - - boost-baseline - - ALL - - checkmarx-misrac - - owasp-top-10 - description: A tag name is being reused for different types within the same scope, - violating the MISRA C Rule 05.04, and potentially leading to type confusion. - group: top10-insecure-design - name: CPP_MISRA_C_R05_04_Tag_Name_Reused - pretty_name: R05 04 Tag Name Reused - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_C_R05_05_Identifier_With_Static_Storage_Reused: - categories: - - boost-baseline - - ALL - - checkmarx-misrac - - owasp-top-10 - description: An identifier with the static storage class specification appears - more than once within the same scope, contravening rule 05.05 of the Motor Industry - Software Reliability Association (MISRA) guidelines for C programming language. 
- group: top10-insecure-design - name: CPP_MISRA_C_R05_05_Identifier_With_Static_Storage_Reused - pretty_name: R05 05 Identifier With Static Storage Reused - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_C_R05_07_Identifier_Name_Reused: - categories: - - boost-baseline - - ALL - - checkmarx-misrac - - owasp-top-10 - description: A single identifier name has been used for more than one entity within - a scope, violating the MISRA C Rule 5.7 and leading to possible confusion and - error. - group: top10-insecure-design - name: CPP_MISRA_C_R05_07_Identifier_Name_Reused - pretty_name: R05 07 Identifier Name Reused - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_C_R06_01_Plain_Char_Type_Usage: - categories: - - boost-baseline - - ALL - - checkmarx-misrac - - owasp-top-10 - description: The use of 'plain char' type, which doesn't specify signedness, is - not compliant with MISRA C Rule 6.1 and may lead to unexpected behavior in C++. - This rule advises using 'signed char' or 'unsigned char' instead. - group: top10-insecure-design - name: CPP_MISRA_C_R06_01_Plain_Char_Type_Usage - pretty_name: R06 01 Plain Char Type Usage - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_C_R06_02_Not_Plain_Char_Type_Usage: - categories: - - boost-baseline - - ALL - - checkmarx-misrac - - owasp-top-10 - description: Identifies instances in C++ code where plain 'char' type is used, - in violation of MISRA C++ Rule 6-2-1 which recommends using 'signed' or 'unsigned' - qualifiers for improved portability and predictability. 
- group: top10-insecure-design - name: CPP_MISRA_C_R06_02_Not_Plain_Char_Type_Usage - pretty_name: R06 02 Not Plain Char Type Usage - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_C_R06_03_Non_Typedefd_Basic_Types: - categories: - - boost-baseline - - ALL - - checkmarx-misrac - - owasp-top-10 - description: Basic types in C++ code like int, char, etc., are used directly instead - of through a typedef declaration, violating MISRA C Rule 6.3. This could lead - to portability issues across different platforms. - group: top10-insecure-design - name: CPP_MISRA_C_R06_03_Non_Typedefd_Basic_Types - pretty_name: R06 03 Non Typedefd Basic Types - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_C_R06_04_Bit_Fields_Type: - categories: - - boost-baseline - - ALL - - checkmarx-misrac - - owasp-top-10 - description: Bit fields should only be defined with `unsigned int` or `signed - int` types, helping to prevent unexpected behavior or data corruption due to - compiler-specific implementations. - group: top10-insecure-design - name: CPP_MISRA_C_R06_04_Bit_Fields_Type - pretty_name: R06 04 Bit Fields Type - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_C_R06_05_Bit_Fields_Length: - categories: - - boost-baseline - - ALL - - checkmarx-misrac - - owasp-top-10 - description: A bit-field declaration with a size greater than the intended bit - width may cause unintended results and violates MISRA C:2004 Rule 6.5. 
- group: top10-insecure-design - name: CPP_MISRA_C_R06_05_Bit_Fields_Length - pretty_name: R06 05 Bit Fields Length - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_C_R07_01_Non_Zero_Octal_Constant: - categories: - - boost-baseline - - ALL - - checkmarx-misrac - - owasp-top-10 - description: An octal constant (other than zero) is being used which could lead - to confusion or errors, violating MISRA C rule 07.01. - group: top10-insecure-design - name: CPP_MISRA_C_R07_01_Non_Zero_Octal_Constant - pretty_name: R07 01 Non Zero Octal Constant - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_C_R08_03_Identical_Function_Decl_Def: - categories: - - boost-baseline - - ALL - - checkmarx-misrac - - owasp-top-10 - description: The type of a standard library function is not identical in a function - declaration and its corresponding definition, violating MISRA-C rule 08.03 and - creating potential consistency issues. - group: top10-insecure-design - name: CPP_MISRA_C_R08_03_Identical_Function_Decl_Def - pretty_name: R08 03 Identical Function Decl Def - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_C_R08_05_Object_Function_In_Header_File: - categories: - - boost-baseline - - ALL - - checkmarx-misrac - - owasp-top-10 - description: Objects or functions are used in a header file (.h file), conflicting - with MISRA C's Rule 08.05, which prohibits declaring such entities in header - files to prevent potential re-declaration errors and namespace pollution. 
- group: top10-insecure-design - name: CPP_MISRA_C_R08_05_Object_Function_In_Header_File - pretty_name: R08 05 Object Function In Header File - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_C_R08_07_Block_Scope_Obj_If_Used_By_Single_Function: - categories: - - boost-baseline - - ALL - - checkmarx-misrac - - owasp-top-10 - description: Objects with block scope should not be declared in the block if they - are only used by a single function, as outlined in MISRA C:2004, Rule 8.7, to - improve code readability and maintainability. - group: top10-insecure-design - name: CPP_MISRA_C_R08_07_Block_Scope_Obj_If_Used_By_Single_Function - pretty_name: R08 07 Block Scope Obj If Used By Single Function - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_C_R08_08_External_Objects_Declared_Once: - categories: - - boost-baseline - - ALL - - checkmarx-misrac - - owasp-top-10 - description: An externally linked object is declared more than once, causing redundancy - and potentially leading to unpredictable behavior, in violation of MISRA C rule - 08.08. - group: top10-insecure-design - name: CPP_MISRA_C_R08_08_External_Objects_Declared_Once - pretty_name: R08 08 External Objects Declared Once - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_C_R09_03_Initializing_Non_First_And_Not_All_Members_In_Enum: - categories: - - boost-baseline - - ALL - - checkmarx-misrac - - owasp-top-10 - description: Enum elements in C++ are not initialized following the first member - and all elements are not consistently initialized, contravening MISRA C rule - 09.03 and potentially leading to invalid enum member values. 
- group: top10-insecure-design - name: CPP_MISRA_C_R09_03_Initializing_Non_First_And_Not_All_Members_In_Enum - pretty_name: R09 03 Initializing Non First And Not All Members In Enum - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_C_R10_06_U_Suffix_Not_Applied_To_Unsigned_Const: - categories: - - boost-baseline - - ALL - - checkmarx-misrac - - owasp-top-10 - description: 'In C or C++ programming, unsigned constants must explicitly carry - the ''U'' suffix, as per MISRA C : Rule 10.6. This rule identifies when the - ''U'' suffix is not applied to an unsigned constant, which may lead to unexpected - behavior or type mismatches.' - group: top10-insecure-design - name: CPP_MISRA_C_R10_06_U_Suffix_Not_Applied_To_Unsigned_Const - pretty_name: R10 06 U Suffix Not Applied To Unsigned Const - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_C_R12_05_AND_OR_Operands_Not_As_Primary_Expressions: - categories: - - boost-baseline - - ALL - - checkmarx-misrac - - owasp-top-10 - description: The rule checks for situations where logical '&&' and '||' operators - don't have primary expressions as operands, which is a violation of MISRA C - Rule 12.05. This could lead to unexpected behaviors due to operator precedence - misunderstandings. - group: top10-insecure-design - name: CPP_MISRA_C_R12_05_AND_OR_Operands_Not_As_Primary_Expressions - pretty_name: R12 05 AND OR Operands Not As Primary Expressions - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_C_R12_07_Bitwise_Operator_On_Signed_Type: - categories: - - boost-baseline - - ALL - - checkmarx-misrac - - owasp-top-10 - description: Bitwise operators are applied to signed data types in C++, violating - MISRA C guideline (Rule 12.07). This could lead to unpredictable behavior due - to sign extension. 
- group: top10-insecure-design - name: CPP_MISRA_C_R12_07_Bitwise_Operator_On_Signed_Type - pretty_name: R12 07 Bitwise Operator On Signed Type - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_C_R12_09_Unary_Minus_Operator_On_Unsigned_Type: - categories: - - boost-baseline - - ALL - - checkmarx-misrac - - owasp-top-10 - description: Applies the unary minus operator to an unsigned type, which, according - to MISRA C Rule 12.9, can result in undefined behavior due to wrapping around - zero. - group: top10-insecure-design - name: CPP_MISRA_C_R12_09_Unary_Minus_Operator_On_Unsigned_Type - pretty_name: R12 09 Unary Minus Operator On Unsigned Type - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_C_R12_10_Comma_Operator_Used: - categories: - - boost-baseline - - ALL - - checkmarx-misrac - - owasp-top-10 - description: The comma operator is being used in an expression. According to the - Motor Industry Software Reliability Association (MISRA) C rule 12.10, this is - not advised due to its potential to impact the order of operations and lead - to unexpected outcomes. - group: top10-insecure-design - name: CPP_MISRA_C_R12_10_Comma_Operator_Used - pretty_name: R12 10 Comma Operator Used - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_C_R12_12_Floating_Point_Bit_Underlying_Representation_Used: - categories: - - boost-baseline - - ALL - - checkmarx-misrac - - owasp-top-10 - description: Floating point values are treated as though they have an underlying - bit representation, violating MISRA C rule 12.12, which can lead to unexpected - results or undefined behavior. 
- group: top10-insecure-design - name: CPP_MISRA_C_R12_12_Floating_Point_Bit_Underlying_Representation_Used - pretty_name: R12 12 Floating Point Bit Underlying Representation Used - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_C_R12_13_Using_Of_Incremental_And_Decrimental_Operators: - categories: - - boost-baseline - - ALL - - checkmarx-misrac - - owasp-top-10 - description: The rule indicates the usage of increment (++) and decrement (--) - operators, which is not compliant with MISRA C guideline 12.13 due to potential - unpredictability of execution order. - group: top10-insecure-design - name: CPP_MISRA_C_R12_13_Using_Of_Incremental_And_Decrimental_Operators - pretty_name: R12 13 Using Of Incremental And Decrimental Operators - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_C_R13_01_Assignment_Operators_In_Boolean_Expressions: - categories: - - boost-baseline - - ALL - - checkmarx-misrac - - owasp-top-10 - description: Assignment operators are used improperly within boolean expressions, - violating MISRA C Rule 13.01. This could lead to unpredictable software behavior. - group: top10-insecure-design - name: CPP_MISRA_C_R13_01_Assignment_Operators_In_Boolean_Expressions - pretty_name: R13 01 Assignment Operators In Boolean Expressions - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_C_R13_03_Floating_Point_Equality_Or_Inequality: - categories: - - boost-baseline - - ALL - - checkmarx-misrac - - owasp-top-10 - description: Compares floating point numbers for equality or inequality, which - contradicts MISRA C R13.03 due to potential inaccuracies in floating point storage - and computation. 
- group: top10-insecure-design - name: CPP_MISRA_C_R13_03_Floating_Point_Equality_Or_Inequality - pretty_name: R13 03 Floating Point Equality Or Inequality - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_C_R13_04_Floating_Points_Objects_In_For_Control: - categories: - - boost-baseline - - ALL - - checkmarx-misrac - - owasp-top-10 - description: Floating point objects are being used in for loop control structures, - which is a violation of MISRA C rule 13.04. This can lead to unpredictable behavior - due to the imprecise nature of floating point numbers. - group: top10-insecure-design - name: CPP_MISRA_C_R13_04_Floating_Points_Objects_In_For_Control - pretty_name: R13 04 Floating Points Objects In For Control - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_C_R13_06_Loop_Iterator_Modified_In_Loop_Body: - categories: - - boost-baseline - - ALL - - checkmarx-misrac - - owasp-top-10 - description: Violates MISRA C Rule 13.06 as the loop iterator is modified in the - body of the loop, which may lead to unpredictable iteration behaviors. - group: top10-insecure-design - name: CPP_MISRA_C_R13_06_Loop_Iterator_Modified_In_Loop_Body - pretty_name: R13 06 Loop Iterator Modified In Loop Body - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_C_R14_04_Use_Of_Goto: - categories: - - boost-baseline - - ALL - - checkmarx-misrac - - owasp-top-10 - description: Refers to the use of 'goto' statement in C++ which violates the MISRA - C 2004 Rule 14.4, deeming it as non-compliant due to potential control flow - disruption. 
- group: top10-insecure-design - name: CPP_MISRA_C_R14_04_Use_Of_Goto - pretty_name: R14 04 Use Of Goto - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_C_R14_05_Use_Of_Continue: - categories: - - boost-baseline - - ALL - - checkmarx-misrac - - owasp-top-10 - description: The 'continue' statement is used in iteration statements, which contradicts - rule 14.05 of the MISRA C guidelines, recommending against its use for better - predictability and understandability of the code. - group: top10-insecure-design - name: CPP_MISRA_C_R14_05_Use_Of_Continue - pretty_name: R14 05 Use Of Continue - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_C_R14_06_Multiple_Breaks_In_Iteration_Statement: - categories: - - boost-baseline - - ALL - - checkmarx-misrac - - owasp-top-10 - description: Indicates the presence of multiple break statements within a loop - or iteration, which violates MISRA C Rule 14.06 and disrupts expected control - flow. - group: top10-insecure-design - name: CPP_MISRA_C_R14_06_Multiple_Breaks_In_Iteration_Statement - pretty_name: R14 06 Multiple Breaks In Iteration Statement - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_C_R14_07_Single_Point_Exit_At_Function_End: - categories: - - boost-baseline - - ALL - - checkmarx-misrac - - owasp-top-10 - description: Functions must have a single point of exit at the end, maintaining - only one return statement, as per the MISRA C:2012 Rule 14.7, to improve readability - and manageability of the code. 
- group: top10-insecure-design - name: CPP_MISRA_C_R14_07_Single_Point_Exit_At_Function_End - pretty_name: R14 07 Single Point Exit At Function End - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_C_R14_08_Not_Compound_Switch_Or_Iteration_Statement: - categories: - - boost-baseline - - ALL - - checkmarx-misrac - - owasp-top-10 - description: The last statement of a switch case or an iteration directive is - not a compound statement, which contradicts the MISRA C rule 14.08 guideline - and can lead to potential logical errors. - group: top10-insecure-design - name: CPP_MISRA_C_R14_08_Not_Compound_Switch_Or_Iteration_Statement - pretty_name: R14 08 Not Compound Switch Or Iteration Statement - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_C_R14_09_Not_Compound_If_Or_Else: - categories: - - boost-baseline - - ALL - - checkmarx-misrac - - owasp-top-10 - description: An 'if' or 'else if' conditional statement, containing a non-compound - statement as its body, must be enclosed in braces {}. Violating this requirement - in the C++ language as stipulated by MISRA C standard can lead to misunderstanding - or error. - group: top10-insecure-design - name: CPP_MISRA_C_R14_09_Not_Compound_If_Or_Else - pretty_name: R14 09 Not Compound If Or Else - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_C_R14_10_If_Else_If_Not_Ending_With_Else: - categories: - - boost-baseline - - ALL - - checkmarx-misrac - - owasp-top-10 - description: 'An ''if'' / ''else if'' construct is not ending with an ''else'' - clause, violating MISRA C''s Rule 14.10 and potentially leading to unanticipated - behavior under certain conditions. 
- - ' - group: top10-insecure-design - name: CPP_MISRA_C_R14_10_If_Else_If_Not_Ending_With_Else - pretty_name: R14 10 If Else If Not Ending With Else - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_C_R15_01_Case_Not_Enclosed_By_Compound_Switch: - categories: - - boost-baseline - - ALL - - checkmarx-misrac - - owasp-top-10 - description: A case in a switch statement is not enclosed by braces, violating - the MISRA C Rule 15.1, thus possibly causing unexpected fall-through behavior. - group: top10-insecure-design - name: CPP_MISRA_C_R15_01_Case_Not_Enclosed_By_Compound_Switch - pretty_name: R15 01 Case Not Enclosed By Compound Switch - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_C_R15_02_Non_Empty_Switch_Clause_Without_Break: - categories: - - boost-baseline - - ALL - - checkmarx-misrac - - owasp-top-10 - description: A non-empty switch clause lacks a 'break' statement. According to - the MISRA C Guidelines (Rule 15.2), this may lead to unintended execution of - adjacent switch clauses. - group: top10-insecure-design - name: CPP_MISRA_C_R15_02_Non_Empty_Switch_Clause_Without_Break - pretty_name: R15 02 Non Empty Switch Clause Without Break - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_C_R15_03_Non_Default_Final_Clause_In_Switch_Statement: - categories: - - boost-baseline - - ALL - - checkmarx-misrac - - owasp-top-10 - description: A 'switch' statement in C++ does not have a 'default' clause as the - last clause, violating the MISRA C Rule 15.03 and potentially leading to unexpected - behavior. 
- group: top10-insecure-design - name: CPP_MISRA_C_R15_03_Non_Default_Final_Clause_In_Switch_Statement - pretty_name: R15 03 Non Default Final Clause In Switch Statement - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_C_R15_05_No_Cases_in_Switch_Statement: - categories: - - boost-baseline - - ALL - - checkmarx-misrac - - owasp-top-10 - description: A switch statement doesn't include any case labels, negating its - purpose; as per MISRA C Rule 15.5, this renders the code non-compliant with - best practice. - group: top10-insecure-design - name: CPP_MISRA_C_R15_05_No_Cases_in_Switch_Statement - pretty_name: R15 05 No Cases in Switch Statement - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_C_R16_01_Function_With_Variable_Number_Of_Arguments: - categories: - - boost-baseline - - ALL - - checkmarx-misrac - - owasp-top-10 - description: Functions with a variable number of arguments are used, in violation - of MISRA C Rule 16.01. This can lead to potential security and stability issues. - group: top10-insecure-design - name: CPP_MISRA_C_R16_01_Function_With_Variable_Number_Of_Arguments - pretty_name: R16 01 Function With Variable Number Of Arguments - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_C_R16_02_Recursion_Exists: - categories: - - boost-baseline - - ALL - - checkmarx-misrac - - owasp-top-10 - description: The rule identifies uses of recursion within C++ code, a practice - prohibited by the MISRA C standard due to the possible risks of stack overflow. 
- group: top10-insecure-design - name: CPP_MISRA_C_R16_02_Recursion_Exists - pretty_name: R16 02 Recursion Exists - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_C_R16_03_Function_Prototype_Without_Identifiers: - categories: - - boost-baseline - - ALL - - checkmarx-misrac - - owasp-top-10 - description: Violation of MISRA C Rule 16.3, indicating a function prototype is - declared without specifying parameter identifiers, which may lead to confusion - or mistakes during code maintenance. - group: top10-insecure-design - name: CPP_MISRA_C_R16_03_Function_Prototype_Without_Identifiers - pretty_name: R16 03 Function Prototype Without Identifiers - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_C_R16_04_Different_Identifiers_In_Function_Definition_And_Prototype: - categories: - - boost-baseline - - ALL - - checkmarx-misrac - - owasp-top-10 - description: The identifiers in a function prototype don't match those in its - function definition, violating rule R16.04 of the Motor Industry Software Reliability - Association (MISRA) C guidelines. - group: top10-insecure-design - name: CPP_MISRA_C_R16_04_Different_Identifiers_In_Function_Definition_And_Prototype - pretty_name: R16 04 Different Identifiers In Function Definition And Prototype - - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_C_R16_05_Function_Prototype_Declaration_Without_Parameters: - categories: - - boost-baseline - - ALL - - checkmarx-misrac - - owasp-top-10 - description: A function prototype declaration without parameters presents ambiguity - and potential misuse opportunities, violating the MISRA C rule (16.05), which - requires clear parameter specification. 
- group: top10-insecure-design - name: CPP_MISRA_C_R16_05_Function_Prototype_Declaration_Without_Parameters - pretty_name: R16 05 Function Prototype Declaration Without Parameters - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_C_R16_06_Function_Invoke_Arg_Number_Not_Match_Function_Def_Number: - categories: - - boost-baseline - - ALL - - checkmarx-misrac - - owasp-top-10 - description: 'A function is invoked with a number of arguments that does not match - the number of parameters in its declaration, violating MISRA C rule R16.06. - This could cause unexpected behavior or program crashes. - - ' - group: top10-insecure-design - name: CPP_MISRA_C_R16_06_Function_Invoke_Arg_Number_Not_Match_Function_Def_Number - pretty_name: R16 06 Function Invoke Arg Number Not Match Function Def Number - - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_C_R16_07_Parameter_Pointer_To_Const_Where_Not_Modified: - categories: - - boost-baseline - - ALL - - checkmarx-misrac - - owasp-top-10 - description: Parameters of a function that are pointers to non-const should be - pointers to const if they are not modified, to maintain data integrity and prevent - unintentional changes. This rule ensures adherence to MISRA C Rule 16.07. - group: top10-insecure-design - name: CPP_MISRA_C_R16_07_Parameter_Pointer_To_Const_Where_Not_Modified - pretty_name: R16 07 Parameter Pointer To Const Where Not Modified - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_C_R16_08_Non_Explicit_Return_Statement_In_Non_Void_Function: - categories: - - boost-baseline - - ALL - - checkmarx-misrac - - owasp-top-10 - description: Non-void functions in C++ lack an explicit return statement, violating - MISRA C Rule 16.08, which may cause unpredictable program behavior due to undefined - return values. 
- group: top10-insecure-design - name: CPP_MISRA_C_R16_08_Non_Explicit_Return_Statement_In_Non_Void_Function - pretty_name: R16 08 Non Explicit Return Statement In Non Void Function - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_C_R16_09_Using_Function_Identifier_Not_Call_Or_Pointer: - categories: - - boost-baseline - - ALL - - checkmarx-misrac - - owasp-top-10 - description: The function identifier is being used inappropriately, i.e., not - as a function call or pointer to function, which violates MISRA C Rule 16.09. - group: top10-insecure-design - name: CPP_MISRA_C_R16_09_Using_Function_Identifier_Not_Call_Or_Pointer - pretty_name: R16 09 Using Function Identifier Not Call Or Pointer - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_C_R18_04_Use_Of_Union: - categories: - - boost-baseline - - ALL - - checkmarx-misrac - - owasp-top-10 - description: The rule identifies the use of 'union' data types in C++. According - to MISRA C guidelines (Rule 18.4), unions should not be used due to potential - issues with data corruption and indeterminate values. - group: top10-insecure-design - name: CPP_MISRA_C_R18_04_Use_Of_Union - pretty_name: R18 04 Use Of Union - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_C_R19_01_Non_Prepocessor_Command_Before_Include_In_File: - categories: - - boost-baseline - - ALL - - checkmarx-misrac - - owasp-top-10 - description: A non-preprocessor command appears before a '#include' directive - in a file, which violates the MISRA C:2004 Rule 19.1, making the code prone - to unexpected behavior or errors. 
- group: top10-insecure-design - name: CPP_MISRA_C_R19_01_Non_Prepocessor_Command_Before_Include_In_File - pretty_name: R19 01 Non Prepocessor Command Before Include In File - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_C_R19_02_Non_Standard_Chars_In_Header_File_Name: - categories: - - boost-baseline - - ALL - - checkmarx-misrac - - owasp-top-10 - description: Header file names include non-standard characters, violating Rule - 19.2 of MISRA C which states that standardized or expanded identifiers should - be used for header file names to avoid potential compatibility issues. - group: top10-insecure-design - name: CPP_MISRA_C_R19_02_Non_Standard_Chars_In_Header_File_Name - pretty_name: R19 02 Non Standard Chars In Header File Name - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_C_R19_03_Include_Directive_In_Wrong_Format: - categories: - - boost-baseline - - ALL - - checkmarx-misrac - - owasp-top-10 - description: The '#include' directive format does not adhere to the MISRA C 2012 - Rule 19.3, advocating that all '#include' directives should be located in either - the file scope or a function scope, and never inside a block scope. - group: top10-insecure-design - name: CPP_MISRA_C_R19_03_Include_Directive_In_Wrong_Format - pretty_name: R19 03 Include Directive In Wrong Format - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_C_R19_05_Using_Define_Or_Undef_Directive_In_Block: - categories: - - boost-baseline - - ALL - - checkmarx-misrac - - owasp-top-10 - description: The code violates MISRA C Rule 19.5 by using '#define' or '#undef' - directive within a function or block scope, which can cause unpredictable behavior - or difficulties in code maintenance. 
- group: top10-insecure-design - name: CPP_MISRA_C_R19_05_Using_Define_Or_Undef_Directive_In_Block - pretty_name: R19 05 Using Define Or Undef Directive In Block - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_C_R19_06_Use_Of_Undef_Derective: - categories: - - boost-baseline - - ALL - - checkmarx-misrac - - owasp-top-10 - description: An '#undef' directive is used within a source file, causing potential - discrepancies and undefined behaviour in the compiled program, a violation of - the MISRA C 2012 Rule 19.6. - group: top10-insecure-design - name: CPP_MISRA_C_R19_06_Use_Of_Undef_Derective - pretty_name: R19 06 Use Of Undef Derective - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_C_R19_12_Multiple_Pound_Or_Double_Pound_In_Same_Macro: - categories: - - boost-baseline - - ALL - - checkmarx-misrac - - owasp-top-10 - description: A C++ macro utilizes multiple '#' or '##' preprocessor operators, - violating MISRA-C rule 19.12 for safe and reliable code in embedded systems. - group: top10-insecure-design - name: CPP_MISRA_C_R19_12_Multiple_Pound_Or_Double_Pound_In_Same_Macro - pretty_name: R19 12 Multiple Pound Or Double Pound In Same Macro - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_C_R19_13_Pound_Preprocessor_Operator_Is_Used: - categories: - - boost-baseline - - ALL - - checkmarx-misrac - - owasp-top-10 - description: The C++ preprocessor operator (#) is in use, contradicting the MISRA - C rule 19.13, which outlaws the utilization of this operator as a measure against - accidental macro undefined behavior. 
- group: top10-insecure-design - name: CPP_MISRA_C_R19_13_Pound_Preprocessor_Operator_Is_Used - pretty_name: R19 13 Pound Preprocessor Operator Is Used - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_C_R19_17_Preprocessor_If_And_Else_Operators_Reside_In_Different_Files: - categories: - - boost-baseline - - ALL - - checkmarx-misrac - - owasp-top-10 - description: In the examined C++ code, a preprocessor '#if' operator and its corresponding - '#else' operator are located in separate files, which is a violation of the - MISRA C Rule 19.17. This situation can lead to control flow confusion and inconsistent - conditional compilation. - group: top10-insecure-design - name: CPP_MISRA_C_R19_17_Preprocessor_If_And_Else_Operators_Reside_In_Different_Files - pretty_name: R19 17 Preprocessor If And Else Operators Reside In Different Files - - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_C_R20_05_Using_Errno_Indicator_From_Errno_H: - categories: - - boost-baseline - - ALL - - checkmarx-misrac - - owasp-top-10 - description: The rule indicates the use of the 'errno' indicator from the 'errno.h' - library in C++, which is a direct violation of the MISRA C:2012 Rule 20.5, stressing - against such usage due to its global accessibility from different threads, potentially - causing unexpected behavior. 
- group: top10-insecure-design - name: CPP_MISRA_C_R20_05_Using_Errno_Indicator_From_Errno_H - pretty_name: R20 05 Using Errno Indicator From Errno H - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_C_R20_06_Using_Offsetof_Macro_From_Stddef_H: - categories: - - boost-baseline - - ALL - - checkmarx-misrac - - owasp-top-10 - description: The use of 'offsetof' macro from 'stddef.h' is not compliant with - the Motor Industry Software Reliability Association's C coding standards (MISRA - C), particularly rule 20.6. The 'offsetof' macro relies on undefined behavior - and hence should be avoided in safety-critical systems. - group: top10-insecure-design - name: CPP_MISRA_C_R20_06_Using_Offsetof_Macro_From_Stddef_H - pretty_name: R20 06 Using Offsetof Macro From Stddef H - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_C_R20_07_Using_Setjmp_Longjmp_Macros_From_Setjmp_H: - categories: - - boost-baseline - - ALL - - checkmarx-misrac - - owasp-top-10 - description: The code uses setjmp/longjmp macros from which is disallowed - by MISRA C Rule 20.7 due to its non-deterministic flow of control. This could - lead to potential bugs and portability issues. - group: top10-insecure-design - name: CPP_MISRA_C_R20_07_Using_Setjmp_Longjmp_Macros_From_Setjmp_H - pretty_name: R20 07 Using Setjmp Longjmp Macros From Setjmp H - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_C_R20_08_Using_Signal_Handling_From_Signal_H: - categories: - - boost-baseline - - ALL - - checkmarx-misrac - - owasp-top-10 - description: The code includes signal handling functionality from 'signal.h', - a violation of the MISRA C Rule 20.08 (The signal handling facilities of - shall not be used), risking unpredictable behavior. 
- group: top10-insecure-design - name: CPP_MISRA_C_R20_08_Using_Signal_Handling_From_Signal_H - pretty_name: R20 08 Using Signal Handling From Signal H - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_C_R20_09_Using_Input_Output_From_Stdio_H: - categories: - - boost-baseline - - ALL - - checkmarx-misrac - - owasp-top-10 - description: Objects from the 'stdio.h' library are used, which is prohibited - by MISRA C guideline (Rule 20.9). This could introduce vulnerabilities associated - with standard Input/Output operations. - group: top10-insecure-design - name: CPP_MISRA_C_R20_09_Using_Input_Output_From_Stdio_H - pretty_name: R20 09 Using Input Output From Stdio H - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_C_R20_10_Using_Atof_Atoi_Atol_Functions_From_Stdlib_H: - categories: - - boost-baseline - - ALL - - checkmarx-misrac - - owasp-top-10 - description: Functions atof, atoi, and atol from stdlib.h are used, which violates - Rule 20.10 from the MISRA C Guidelines encouraging use of application-specific - versions of these functions to handle number conversion errors better. - group: top10-insecure-design - name: CPP_MISRA_C_R20_10_Using_Atof_Atoi_Atol_Functions_From_Stdlib_H - pretty_name: R20 10 Using Atof Atoi Atol Functions From Stdlib H - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_C_R20_11_Using_Abort_Exit_Getenv_System_Functions_From_Stdlib_H: - categories: - - boost-baseline - - ALL - - checkmarx-misrac - - owasp-top-10 - description: Functions 'abort', 'exit', 'getenv', and 'system' from 'stdlib.h' - are used, violating MISRA C Rule 20.11 that discourages their usage due to potential - unpredictability in program behavior. 
- group: top10-insecure-design - name: CPP_MISRA_C_R20_11_Using_Abort_Exit_Getenv_System_Functions_From_Stdlib_H - pretty_name: R20 11 Using Abort Exit Getenv System Functions From Stdlib H - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_MISRA_C_R20_12_Using_Time_Handling_From_Time_H: - categories: - - boost-baseline - - ALL - - checkmarx-misrac - - owasp-top-10 - description: The code employs time handling functions or macros from the 'time.h' - header file, violating MISRA C rule 20.12, which can lead to unpredictable behavior - due to potential inconsistencies in system time settings. - group: top10-insecure-design - name: CPP_MISRA_C_R20_12_Using_Time_Handling_From_Time_H - pretty_name: R20 12 Using Time Handling From Time H - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_Medium_Threat_Cleartext_Transmission_Of_Sensitive_Information: - categories: - - checkmarx-medium-threat - - owasp-top-10 - - cwe-319 - - boost-baseline - - ALL - description: The product transmits sensitive or security-critical data in cleartext - in a communication channel that can be sniffed by unauthorized actors. - group: top10-broken-access-control - name: CPP_Medium_Threat_Cleartext_Transmission_Of_Sensitive_Information - pretty_name: Cleartext Transmission Of Sensitive Information - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_Medium_Threat_DB_Parameter_Tampering: - categories: - - checkmarx-medium-threat - - owasp-top-10 - - cwe-284 - - boost-baseline - - ALL - description: The product does not restrict or incorrectly restricts access to - a resource from an unauthorized actor. 
- group: top10-broken-access-control - name: CPP_Medium_Threat_DB_Parameter_Tampering - pretty_name: DB Parameter Tampering - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_Medium_Threat_Dangerous_Functions: - categories: - - cwe-242 - - checkmarx-medium-threat - - owasp-top-10 - - boost-baseline - - ALL - description: The product calls a function that can never be guaranteed to work - safely. - group: top10-vulnerable-components - name: CPP_Medium_Threat_Dangerous_Functions - pretty_name: Dangerous Functions - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_Medium_Threat_Divide_By_Zero: - categories: - - checkmarx-medium-threat - - owasp-top-10 - - cwe-369 - - boost-baseline - - ALL - description: The product divides a value by zero. - group: top10-insecure-design - name: CPP_Medium_Threat_Divide_By_Zero - pretty_name: Divide By Zero - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_Medium_Threat_DoS_by_Sleep: - categories: - - checkmarx-medium-threat - - owasp-top-10 - - boost-baseline - - ALL - description: The product performs an iteration or loop without sufficiently limiting - the number of times that the loop is executed. - group: top10-insecure-design - name: CPP_Medium_Threat_DoS_by_Sleep - pretty_name: DoS by Sleep - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_Medium_Threat_Double_Free: - categories: - - checkmarx-medium-threat - - cwe-415 - - owasp-top-10 - - boost-baseline - - ALL - description: The product calls free() twice on the same memory address, potentially - leading to modification of unexpected memory locations. 
- group: top10-insecure-design - name: CPP_Medium_Threat_Double_Free - pretty_name: Double Free - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_Medium_Threat_Download_of_Code_Without_Integrity_Check: - categories: - - checkmarx-medium-threat - - cwe-494 - - owasp-top-10 - - boost-baseline - - ALL - description: The product downloads source code or an executable from a remote - location and executes the code without sufficiently verifying the origin and - integrity of the code. - group: top10-software-data-integrity-failures - name: CPP_Medium_Threat_Download_of_Code_Without_Integrity_Check - pretty_name: Download of Code Without Integrity Check - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_Medium_Threat_Environment_Injection: - categories: - - boost-baseline - - ALL - - checkmarx-medium-threat - - cwe-15 - description: One or more system settings or configuration elements can be externally - controlled by a user. - group: top10-security-misconfiguration - name: CPP_Medium_Threat_Environment_Injection - pretty_name: Environment Injection - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_Medium_Threat_Hardcoded_password_in_Connection_String: - categories: - - boost-baseline - - ALL - - cwe-547 - - checkmarx-medium-threat - description: The product uses hard-coded constants instead of symbolic names for - security-critical values, which increases the likelihood of mistakes during - code maintenance or security policy change. 
- group: top10-security-misconfiguration - name: CPP_Medium_Threat_Hardcoded_password_in_Connection_String - pretty_name: Hardcoded password in Connection String - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_Medium_Threat_Improperly_Locked_Memory: - categories: - - checkmarx-medium-threat - - owasp-top-10 - - cwe-591 - - boost-baseline - - ALL - description: The product stores sensitive data in memory that is not locked, or - that has been incorrectly locked, which might cause the memory to be written - to swap files on disk by the virtual memory manager. This can make the data - more accessible to external actors. - group: top10-insecure-design - name: CPP_Medium_Threat_Improperly_Locked_Memory - pretty_name: Improperly Locked Memory - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_Medium_Threat_Inadequate_Encryption_Strength: - categories: - - ALL - - checkmarx-medium-threat - - owasp-top-10 - - boost-baseline - - cwe-326 - description: The product stores or transmits sensitive data using an encryption - scheme that is theoretically sound, but is not strong enough for the level of - protection required. - group: top10-crypto-failures - name: CPP_Medium_Threat_Inadequate_Encryption_Strength - pretty_name: Inadequate Encryption Strength - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_Medium_Threat_Inadequate_Pointer_Validation: - categories: - - cwe-477 - - checkmarx-medium-threat - - owasp-top-10 - - boost-baseline - - ALL - description: The code uses deprecated or obsolete functions, which suggests that - the code has not been actively reviewed or maintained. 
- group: top10-injection - name: CPP_Medium_Threat_Inadequate_Pointer_Validation - pretty_name: Inadequate Pointer Validation - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_Medium_Threat_MemoryFree_on_StackVariable: - categories: - - cwe-590 - - checkmarx-medium-threat - - owasp-top-10 - - boost-baseline - - ALL - description: The product calls free() on a pointer to memory that was not allocated - using associated heap allocation functions such as malloc(), calloc(), or realloc(). - group: top10-insecure-design - name: CPP_Medium_Threat_MemoryFree_on_StackVariable - pretty_name: MemoryFree on StackVariable - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_Medium_Threat_Memory_Leak: - categories: - - checkmarx-medium-threat - - cwe-401 - - owasp-top-10 - - boost-baseline - - ALL - description: The product does not sufficiently track and release allocated memory - after it has been used, which slowly consumes remaining memory. - group: top10-broken-access-control - name: CPP_Medium_Threat_Memory_Leak - pretty_name: Memory Leak - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_Medium_Threat_Parameter_Tampering: - categories: - - checkmarx-medium-threat - - owasp-top-10 - - cwe-472 - - boost-baseline - - ALL - description: The web application does not sufficiently verify inputs that are - assumed to be immutable but are actually externally controllable, such as hidden - form fields. 
- group: top10-insecure-design - name: CPP_Medium_Threat_Parameter_Tampering - pretty_name: Parameter Tampering - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_Medium_Threat_Path_Traversal: - categories: - - ALL - - checkmarx-medium-threat - - owasp-top-10 - - boost-baseline - - cwe-22 - - cwe-top-25 - description: The product uses external input to construct a pathname that is intended - to identify a file or directory that is located underneath a restricted parent - directory, but the product does not properly neutralize special elements within - the pathname that can cause the pathname to resolve to a location that is outside - of the restricted directory. - group: top10-broken-access-control - name: CPP_Medium_Threat_Path_Traversal - pretty_name: Path Traversal - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_Medium_Threat_Plaintext_Storage_Of_A_Password: - categories: - - cwe-256 - - checkmarx-medium-threat - - owasp-top-10 - - boost-baseline - - ALL - description: Storing a password in plaintext may result in a system compromise. - group: top10-insecure-design - name: CPP_Medium_Threat_Plaintext_Storage_Of_A_Password - pretty_name: Plaintext Storage Of A Password - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_Medium_Threat_Pointer_Subtraction_Determines_Size: - categories: - - checkmarx-medium-threat - - owasp-top-10 - - boost-baseline - - ALL - description: The product subtracts one pointer from another in order to determine - size, but this calculation can be incorrect if the pointers do not exist in - the same memory chunk. 
- group: top10-insecure-design - name: CPP_Medium_Threat_Pointer_Subtraction_Determines_Size - pretty_name: Pointer Subtraction Determines Size - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_Medium_Threat_Setting_Manipulation: - categories: - - boost-baseline - - ALL - - checkmarx-medium-threat - - cwe-15 - description: One or more system settings or configuration elements can be externally - controlled by a user. - group: top10-security-misconfiguration - name: CPP_Medium_Threat_Setting_Manipulation - pretty_name: Setting Manipulation - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_Medium_Threat_Uncontrolled_Recursion: - categories: - - checkmarx-medium-threat - - cwe-674 - - owasp-top-10 - - boost-baseline - - ALL - description: The product does not properly control the amount of recursion that - takes place, consuming excessive resources, such as allocated memory or the - program stack. - group: top10-insecure-design - name: CPP_Medium_Threat_Uncontrolled_Recursion - pretty_name: Uncontrolled Recursion - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_Medium_Threat_Use_After_Free: - categories: - - checkmarx-medium-threat - - cwe-top-25 - - owasp-top-10 - - boost-baseline - - ALL - - cwe-416 - description: Referencing memory after it has been freed can cause a program to - crash, use unexpected values, or execute code. 
- group: top10-insecure-design - name: CPP_Medium_Threat_Use_After_Free - pretty_name: Use After Free - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_Medium_Threat_Use_of_Hard_coded_Cryptographic_Key: - categories: - - cwe-321 - - checkmarx-medium-threat - - owasp-top-10 - - boost-baseline - - ALL - description: The use of a hard-coded cryptographic key significantly increases - the possibility that encrypted data may be recovered. - group: top10-crypto-failures - name: CPP_Medium_Threat_Use_of_Hard_coded_Cryptographic_Key - pretty_name: Use of Hard coded Cryptographic Key - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_Medium_Threat_Use_of_Uninitialized_Pointer: - categories: - - checkmarx-medium-threat - - cwe-457 - - owasp-top-10 - - boost-baseline - - ALL - description: The code uses a variable that has not been initialized, leading to - unpredictable or unintended results. - group: top10-insecure-design - name: CPP_Medium_Threat_Use_of_Uninitialized_Pointer - pretty_name: Use of Uninitialized Pointer - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_Medium_Threat_Use_of_Uninitialized_Variable: - categories: - - checkmarx-medium-threat - - cwe-457 - - owasp-top-10 - - boost-baseline - - ALL - description: The code uses a variable that has not been initialized, leading to - unpredictable or unintended results. 
- group: top10-insecure-design - name: CPP_Medium_Threat_Use_of_Uninitialized_Variable - pretty_name: Use of Uninitialized Variable - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_Medium_Threat_Use_of_Zero_Initialized_Pointer: - categories: - - checkmarx-medium-threat - - cwe-457 - - owasp-top-10 - - boost-baseline - - ALL - description: The code uses a variable that has not been initialized, leading to - unpredictable or unintended results. - group: top10-insecure-design - name: CPP_Medium_Threat_Use_of_Zero_Initialized_Pointer - pretty_name: Use of Zero Initialized Pointer - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_Medium_Threat_Use_of_a_One_Way_Hash_without_a_Salt: - categories: - - checkmarx-medium-threat - - cwe-759 - - owasp-top-10 - - boost-baseline - - ALL - description: The product uses a one-way cryptographic hash against an input that - should not be reversible, such as a password, but the product does not also - use a salt as part of the input. - group: top10-crypto-failures - name: CPP_Medium_Threat_Use_of_a_One_Way_Hash_without_a_Salt - pretty_name: Use of a One Way Hash without a Salt - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_Medium_Threat_Wrong_Memory_Allocation: - categories: - - checkmarx-medium-threat - - owasp-top-10 - - boost-baseline - - ALL - - cwe-131 - description: The product does not correctly calculate the size to be used when - allocating a buffer, which could lead to a buffer overflow. 
- group: top10-injection - name: CPP_Medium_Threat_Wrong_Memory_Allocation - pretty_name: Wrong Memory Allocation - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_Stored_Vulnerabilities_Second_Order_SQL_Injection: - categories: - - checkmarx-stored-vulnerabilities - - cwe-89 - - owasp-top-10 - - boost-baseline - - ALL - - cwe-top-25 - description: The product constructs all or part of an SQL command using externally-influenced - input from an upstream component, but it does not neutralize or incorrectly - neutralizes special elements that could modify the intended SQL command when - it is sent to a downstream component. - group: top10-injection - name: CPP_Stored_Vulnerabilities_Second_Order_SQL_Injection - pretty_name: Second Order SQL Injection - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_Stored_Vulnerabilities_Stored_Buffer_Overflow_boundcpy: - categories: - - checkmarx-stored-vulnerabilities - - owasp-top-10 - - cwe-120 - - boost-baseline - - ALL - description: The product copies an input buffer to an output buffer without verifying - that the size of the input buffer is less than the size of the output buffer, - leading to a buffer overflow. - group: top10-injection - name: CPP_Stored_Vulnerabilities_Stored_Buffer_Overflow_boundcpy - pretty_name: Stored Buffer Overflow boundcpy - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_Stored_Vulnerabilities_Stored_Buffer_Overflow_cpycat: - categories: - - checkmarx-stored-vulnerabilities - - owasp-top-10 - - cwe-120 - - boost-baseline - - ALL - description: The product copies an input buffer to an output buffer without verifying - that the size of the input buffer is less than the size of the output buffer, - leading to a buffer overflow. 
- group: top10-injection - name: CPP_Stored_Vulnerabilities_Stored_Buffer_Overflow_cpycat - pretty_name: Stored Buffer Overflow cpycat - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_Stored_Vulnerabilities_Stored_Buffer_Overflow_fgets: - categories: - - checkmarx-stored-vulnerabilities - - owasp-top-10 - - cwe-120 - - boost-baseline - - ALL - description: The product copies an input buffer to an output buffer without verifying - that the size of the input buffer is less than the size of the output buffer, - leading to a buffer overflow. - group: top10-injection - name: CPP_Stored_Vulnerabilities_Stored_Buffer_Overflow_fgets - pretty_name: Stored Buffer Overflow fgets - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_Stored_Vulnerabilities_Stored_Buffer_Overflow_fscanf: - categories: - - checkmarx-stored-vulnerabilities - - owasp-top-10 - - cwe-120 - - boost-baseline - - ALL - description: The product copies an input buffer to an output buffer without verifying - that the size of the input buffer is less than the size of the output buffer, - leading to a buffer overflow. - group: top10-injection - name: CPP_Stored_Vulnerabilities_Stored_Buffer_Overflow_fscanf - pretty_name: Stored Buffer Overflow fscanf - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_Stored_Vulnerabilities_Stored_Command_Injection: - categories: - - cwe-77 - - checkmarx-stored-vulnerabilities - - owasp-top-10 - - boost-baseline - - ALL - - cwe-top-25 - description: The product constructs all or part of a command using externally-influenced - input from an upstream component, but it does not neutralize or incorrectly - neutralizes special elements that could modify the intended command when it - is sent to a downstream component. 
- group: top10-injection - name: CPP_Stored_Vulnerabilities_Stored_Command_Injection - pretty_name: Stored Command Injection - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_Stored_Vulnerabilities_Stored_Connection_String_Injection: - categories: - - checkmarx-stored-vulnerabilities - - owasp-top-10 - - cwe-99 - - boost-baseline - - ALL - description: The product receives input from an upstream component, but it does - not restrict or incorrectly restricts the input before it is used as an identifier - for a resource that may be outside the intended sphere of control. - group: top10-injection - name: CPP_Stored_Vulnerabilities_Stored_Connection_String_Injection - pretty_name: Stored Connection String Injection - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_Stored_Vulnerabilities_Stored_DB_Parameter_Tampering: - categories: - - checkmarx-stored-vulnerabilities - - owasp-top-10 - - cwe-284 - - boost-baseline - - ALL - description: The product does not restrict or incorrectly restricts access to - a resource from an unauthorized actor. - group: top10-broken-access-control - name: CPP_Stored_Vulnerabilities_Stored_DB_Parameter_Tampering - pretty_name: Stored DB Parameter Tampering - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_Stored_Vulnerabilities_Stored_DoS_by_Sleep: - categories: - - checkmarx-stored-vulnerabilities - - owasp-top-10 - - boost-baseline - - ALL - - cwe-730 - description: Relates to avenues that can cause denial of serivce. 
- group: top10-insecure-design - name: CPP_Stored_Vulnerabilities_Stored_DoS_by_Sleep - pretty_name: Stored DoS by Sleep - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_Stored_Vulnerabilities_Stored_Environment_Injection: - categories: - - boost-baseline - - ALL - - checkmarx-stored-vulnerabilities - - cwe-15 - description: One or more system settings or configuration elements can be externally - controlled by a user. - group: top10-security-misconfiguration - name: CPP_Stored_Vulnerabilities_Stored_Environment_Injection - pretty_name: Stored Environment Injection - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_Stored_Vulnerabilities_Stored_Format_String_Attack: - categories: - - cwe-134 - - checkmarx-stored-vulnerabilities - - owasp-top-10 - - boost-baseline - - ALL - description: The product uses a function that accepts a format string as an argument, - but the format string originates from an external source. - group: top10-injection - name: CPP_Stored_Vulnerabilities_Stored_Format_String_Attack - pretty_name: Stored Format String Attack - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_Stored_Vulnerabilities_Stored_LDAP_Injection: - categories: - - cwe-90 - - checkmarx-stored-vulnerabilities - - owasp-top-10 - - boost-baseline - - ALL - description: The product constructs all or part of an LDAP query using externally-influenced - input from an upstream component, but it does not neutralize or incorrectly - neutralizes special elements that could modify the intended LDAP query when - it is sent to a downstream component. 
- group: top10-injection - name: CPP_Stored_Vulnerabilities_Stored_LDAP_Injection - pretty_name: Stored LDAP Injection - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_Stored_Vulnerabilities_Stored_Log_Forging: - categories: - - boost-baseline - - ALL - - cwe-117 - - checkmarx-stored-vulnerabilities - description: The product does not neutralize or incorrectly neutralizes output - that is written to logs. - group: top10-security-logging-monitoring-failures - name: CPP_Stored_Vulnerabilities_Stored_Log_Forging - pretty_name: Stored Log Forging - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_Stored_Vulnerabilities_Stored_Parameter_Tampering: - categories: - - checkmarx-stored-vulnerabilities - - owasp-top-10 - - cwe-472 - - boost-baseline - - ALL - description: The web application does not sufficiently verify inputs that are - assumed to be immutable but are actually externally controllable, such as hidden - form fields. - group: top10-insecure-design - name: CPP_Stored_Vulnerabilities_Stored_Parameter_Tampering - pretty_name: Stored Parameter Tampering - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_Stored_Vulnerabilities_Stored_Path_Traversal: - categories: - - ALL - - checkmarx-stored-vulnerabilities - - owasp-top-10 - - boost-baseline - - cwe-22 - - cwe-top-25 - description: The product uses external input to construct a pathname that is intended - to identify a file or directory that is located underneath a restricted parent - directory, but the product does not properly neutralize special elements within - the pathname that can cause the pathname to resolve to a location that is outside - of the restricted directory. 
- group: top10-broken-access-control - name: CPP_Stored_Vulnerabilities_Stored_Path_Traversal - pretty_name: Stored Path Traversal - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_Stored_Vulnerabilities_Stored_Process_Control: - categories: - - checkmarx-stored-vulnerabilities - - owasp-top-10 - - cwe-114 - - boost-baseline - - ALL - description: Executing commands or loading libraries from an untrusted source - or in an untrusted environment can cause an application to execute malicious - commands (and payloads) on behalf of an attacker. - group: top10-injection - name: CPP_Stored_Vulnerabilities_Stored_Process_Control - pretty_name: Stored Process Control - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_Stored_Vulnerabilities_Stored_Resource_Injection: - categories: - - checkmarx-stored-vulnerabilities - - owasp-top-10 - - cwe-99 - - boost-baseline - - ALL - description: The product receives input from an upstream component, but it does - not restrict or incorrectly restricts the input before it is used as an identifier - for a resource that may be outside the intended sphere of control. - group: top10-injection - name: CPP_Stored_Vulnerabilities_Stored_Resource_Injection - pretty_name: Stored Resource Injection - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_Weak_Cryptography_Asymmetric_Encryption_Improper_Padding: - categories: - - ALL - - checkmarx-weak-cryptography - - owasp-top-10 - - boost-baseline - - cwe-326 - description: The product stores or transmits sensitive data using an encryption - scheme that is theoretically sound, but is not strong enough for the level of - protection required. 
- group: top10-crypto-failures - name: CPP_Weak_Cryptography_Asymmetric_Encryption_Improper_Padding - pretty_name: Asymmetric Encryption Improper Padding - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_Weak_Cryptography_Asymmetric_Encryption_Insufficient_Key_Size: - categories: - - ALL - - checkmarx-weak-cryptography - - owasp-top-10 - - boost-baseline - - cwe-326 - description: The product stores or transmits sensitive data using an encryption - scheme that is theoretically sound, but is not strong enough for the level of - protection required. - group: top10-crypto-failures - name: CPP_Weak_Cryptography_Asymmetric_Encryption_Insufficient_Key_Size - pretty_name: Asymmetric Encryption Insufficient Key Size - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_Weak_Cryptography_Asymmetric_Encryption_RSA_Low_Public_Exponent: - categories: - - ALL - - checkmarx-weak-cryptography - - owasp-top-10 - - boost-baseline - - cwe-326 - description: The product stores or transmits sensitive data using an encryption - scheme that is theoretically sound, but is not strong enough for the level of - protection required. - group: top10-crypto-failures - name: CPP_Weak_Cryptography_Asymmetric_Encryption_RSA_Low_Public_Exponent - pretty_name: Asymmetric Encryption RSA Low Public Exponent - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_Weak_Cryptography_Encoding_Used_Instead_of_Encryption: - categories: - - checkmarx-weak-cryptography - - owasp-top-10 - - cwe-311 - - boost-baseline - - ALL - description: The product does not encrypt sensitive or critical information before - storage or transmission. 
- group: top10-insecure-design - name: CPP_Weak_Cryptography_Encoding_Used_Instead_of_Encryption - pretty_name: Encoding Used Instead of Encryption - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_Weak_Cryptography_Hashing_Length_Extension_Attack: - categories: - - ALL - - checkmarx-weak-cryptography - - owasp-top-10 - - boost-baseline - - cwe-326 - description: The product stores or transmits sensitive data using an encryption - scheme that is theoretically sound, but is not strong enough for the level of - protection required. - group: top10-crypto-failures - name: CPP_Weak_Cryptography_Hashing_Length_Extension_Attack - pretty_name: Hashing Length Extension Attack - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_Weak_Cryptography_Personal_Information_Without_Encryption: - categories: - - checkmarx-weak-cryptography - - owasp-top-10 - - cwe-311 - - boost-baseline - - ALL - description: The product does not encrypt sensitive or critical information before - storage or transmission. - group: top10-insecure-design - name: CPP_Weak_Cryptography_Personal_Information_Without_Encryption - pretty_name: Personal Information Without Encryption - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_Weak_Cryptography_Symmetric_Encryption_Insecure_Cipher_Mode: - categories: - - ALL - - checkmarx-weak-cryptography - - owasp-top-10 - - boost-baseline - - cwe-326 - description: The product stores or transmits sensitive data using an encryption - scheme that is theoretically sound, but is not strong enough for the level of - protection required. 
- group: top10-crypto-failures - name: CPP_Weak_Cryptography_Symmetric_Encryption_Insecure_Cipher_Mode - pretty_name: Symmetric Encryption Insecure Cipher Mode - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_Weak_Cryptography_Symmetric_Encryption_Insecure_Predictable_IV: - categories: - - ALL - - checkmarx-weak-cryptography - - owasp-top-10 - - boost-baseline - - cwe-326 - description: The product stores or transmits sensitive data using an encryption - scheme that is theoretically sound, but is not strong enough for the level of - protection required. - group: top10-crypto-failures - name: CPP_Weak_Cryptography_Symmetric_Encryption_Insecure_Predictable_IV - pretty_name: Symmetric Encryption Insecure Predictable IV - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_Weak_Cryptography_Symmetric_Encryption_Insecure_Predictable_Key: - categories: - - ALL - - checkmarx-weak-cryptography - - owasp-top-10 - - boost-baseline - - cwe-326 - description: The product stores or transmits sensitive data using an encryption - scheme that is theoretically sound, but is not strong enough for the level of - protection required. - group: top10-crypto-failures - name: CPP_Weak_Cryptography_Symmetric_Encryption_Insecure_Predictable_Key - pretty_name: Symmetric Encryption Insecure Predictable Key - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_Weak_Cryptography_Symmetric_Encryption_Insecure_Static_IV: - categories: - - ALL - - checkmarx-weak-cryptography - - owasp-top-10 - - boost-baseline - - cwe-326 - description: The product stores or transmits sensitive data using an encryption - scheme that is theoretically sound, but is not strong enough for the level of - protection required. 
- group: top10-crypto-failures - name: CPP_Weak_Cryptography_Symmetric_Encryption_Insecure_Static_IV - pretty_name: Symmetric Encryption Insecure Static IV - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_Weak_Cryptography_Symmetric_Encryption_Insecure_Static_Key: - categories: - - ALL - - checkmarx-weak-cryptography - - owasp-top-10 - - boost-baseline - - cwe-326 - description: The product stores or transmits sensitive data using an encryption - scheme that is theoretically sound, but is not strong enough for the level of - protection required. - group: top10-crypto-failures - name: CPP_Weak_Cryptography_Symmetric_Encryption_Insecure_Static_Key - pretty_name: Symmetric Encryption Insecure Static Key - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_Weak_Cryptography_Use_Of_Weak_Hashing_Primitive: - categories: - - ALL - - checkmarx-weak-cryptography - - owasp-top-10 - - boost-baseline - - cwe-326 - description: The product stores or transmits sensitive data using an encryption - scheme that is theoretically sound, but is not strong enough for the level of - protection required. - group: top10-crypto-failures - name: CPP_Weak_Cryptography_Use_Of_Weak_Hashing_Primitive - pretty_name: Use Of Weak Hashing Primitive - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CPP_Weak_Cryptography_Weak_Randomness_Biased_Random_Sample: - categories: - - checkmarx-weak-cryptography - - cwe-330 - - owasp-top-10 - - boost-baseline - - ALL - description: The product uses insufficiently random numbers or values in a security - context that depends on unpredictable numbers. 
- group: top10-crypto-failures - name: CPP_Weak_Cryptography_Weak_Randomness_Biased_Random_Sample - pretty_name: Weak Randomness Biased Random Sample - CPP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CSharp_Best_Coding_Practice_Aptca_Methods_Call_Non_Aptca_Methods: - categories: - - boost-baseline - - ALL - - checkmarx-best-coding-practices - - owasp-top-10 - description: The rule signifies an issue where a C# method, adorned with the AllowPartiallyTrustedCallersAttribute - (APTCA), invokes a method that lacks the same attribute, posing a threat to - privileged access security. - group: top10-insecure-design - name: CSharp_Best_Coding_Practice_Aptca_Methods_Call_Non_Aptca_Methods - pretty_name: Aptca Methods Call Non Aptca Methods - CSharp - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CSharp_Best_Coding_Practice_Catch_NullPointerException: - categories: - - cwe-395 - - owasp-top-10 - - checkmarx-best-coding-practices - - boost-baseline - - ALL - description: Catching NullPointerException should not be used as an alternative - to programmatic checks to prevent dereferencing a null pointer. - group: top10-insecure-design - name: CSharp_Best_Coding_Practice_Catch_NullPointerException - pretty_name: Catch NullPointerException - CSharp - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CSharp_Best_Coding_Practice_Declaration_Of_Catch_For_Generic_Exception: - categories: - - cwe-396 - - owasp-top-10 - - checkmarx-best-coding-practices - - boost-baseline - - ALL - description: Catching overly broad exceptions promotes complex error handling - code that is more likely to contain security vulnerabilities. 
- group: top10-insecure-design - name: CSharp_Best_Coding_Practice_Declaration_Of_Catch_For_Generic_Exception - pretty_name: Declaration Of Catch For Generic Exception - CSharp - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CSharp_Best_Coding_Practice_Deprecated_Methods: - categories: - - boost-baseline - - ALL - - checkmarx-best-coding-practices - - owasp-top-10 - description: Identifies the use of deprecated methods in the C# code which could - result in future compatibility issues or unexpected behavior. - group: top10-insecure-design - name: CSharp_Best_Coding_Practice_Deprecated_Methods - pretty_name: Deprecated Methods - CSharp - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CSharp_Best_Coding_Practice_Detection_of_Error_Condition_Without_Action: - categories: - - cwe-390 - - owasp-top-10 - - checkmarx-best-coding-practices - - boost-baseline - - ALL - description: The product detects a specific error, but takes no actions to handle - the error. - group: top10-insecure-design - name: CSharp_Best_Coding_Practice_Detection_of_Error_Condition_Without_Action - pretty_name: Detection of Error Condition Without Action - CSharp - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CSharp_Best_Coding_Practice_Direct_Use_of_Sockets: - categories: - - boost-baseline - - owasp-top-10 - - checkmarx-best-coding-practices - - cwe-246 - - ALL - description: The J2EE application directly uses sockets instead of using framework - method calls. 
- group: top10-insecure-design - name: CSharp_Best_Coding_Practice_Direct_Use_of_Sockets - pretty_name: Direct Use of Sockets - CSharp - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CSharp_Best_Coding_Practice_Dynamic_SQL_Queries: - categories: - - cwe-89 - - owasp-top-10 - - checkmarx-best-coding-practices - - boost-baseline - - ALL - - cwe-top-25 - description: The product constructs all or part of an SQL command using externally-influenced - input from an upstream component, but it does not neutralize or incorrectly - neutralizes special elements that could modify the intended SQL command when - it is sent to a downstream component. - group: top10-injection - name: CSharp_Best_Coding_Practice_Dynamic_SQL_Queries - pretty_name: Dynamic SQL Queries - CSharp - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CSharp_Best_Coding_Practice_Exposure_of_Resource_to_Wrong_Sphere: - categories: - - owasp-top-10 - - cwe-493 - - checkmarx-best-coding-practices - - boost-baseline - - ALL - description: The product has a critical public variable that is not final, which - allows the variable to be modified to contain unexpected values. - group: top10-insecure-design - name: CSharp_Best_Coding_Practice_Exposure_of_Resource_to_Wrong_Sphere - pretty_name: Exposure of Resource to Wrong Sphere - CSharp - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CSharp_Best_Coding_Practice_GetLastWin32Error_Is_Not_Called_After_Pinvoke: - categories: - - owasp-top-10 - - checkmarx-best-coding-practices - - boost-baseline - - ALL - description: Marshal.GetLastWin32Error method is not being called immediately - after a Platform Invocation Services (PInvoke) call. This may result in the - loss of accurate error information due to overwrite by subsequent external interface - calls. 
- group: top10-insecure-design - name: CSharp_Best_Coding_Practice_GetLastWin32Error_Is_Not_Called_After_Pinvoke - pretty_name: GetLastWin32Error Is Not Called After Pinvoke - CSharp - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CSharp_Best_Coding_Practice_Hardcoded_Absolute_Path: - categories: - - cwe-426 - - owasp-top-10 - - checkmarx-best-coding-practices - - boost-baseline - - ALL - description: The product searches for critical resources using an externally-supplied - search path that can point to resources that are not under the product's direct - control. - group: top10-software-data-integrity-failures - name: CSharp_Best_Coding_Practice_Hardcoded_Absolute_Path - pretty_name: Hardcoded Absolute Path - CSharp - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CSharp_Best_Coding_Practice_Hardcoded_Connection_String: - categories: - - owasp-top-10 - - checkmarx-best-coding-practices - - boost-baseline - - ALL - - cwe-top-25 - - cwe-798 - description: The product contains hard-coded credentials, such as a password or - cryptographic key, which it uses for its own inbound authentication, outbound - communication to external components, or encryption of internal data. - group: top10-id-authn-failures - name: CSharp_Best_Coding_Practice_Hardcoded_Connection_String - pretty_name: Hardcoded Connection String - CSharp - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CSharp_Best_Coding_Practice_Insufficient_Logging_of_Database_Actions: - categories: - - boost-baseline - - ALL - - checkmarx-best-coding-practices - - cwe-778 - description: When a security-critical event occurs, the product either does not - record the event or omits important details about the event when logging it. 
- group: top10-security-logging-monitoring-failures - name: CSharp_Best_Coding_Practice_Insufficient_Logging_of_Database_Actions - pretty_name: Insufficient Logging of Database Actions - CSharp - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CSharp_Best_Coding_Practice_Insufficient_Logging_of_Exceptions: - categories: - - boost-baseline - - ALL - - checkmarx-best-coding-practices - - cwe-778 - description: When a security-critical event occurs, the product either does not - record the event or omits important details about the event when logging it. - group: top10-security-logging-monitoring-failures - name: CSharp_Best_Coding_Practice_Insufficient_Logging_of_Exceptions - pretty_name: Insufficient Logging of Exceptions - CSharp - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CSharp_Best_Coding_Practice_Insufficient_Logging_of_Sensitive_Operations: - categories: - - boost-baseline - - ALL - - checkmarx-best-coding-practices - - cwe-778 - description: When a security-critical event occurs, the product either does not - record the event or omits important details about the event when logging it. - group: top10-security-logging-monitoring-failures - name: CSharp_Best_Coding_Practice_Insufficient_Logging_of_Sensitive_Operations - pretty_name: Insufficient Logging of Sensitive Operations - CSharp - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CSharp_Best_Coding_Practice_Just_One_of_Equals_and_Hash_code_Defined: - categories: - - ALL - - owasp-top-10 - - checkmarx-best-coding-practices - - boost-baseline - - cwe-581 - description: The product does not maintain equal hashcodes for equal objects. 
- group: top10-insecure-design - name: CSharp_Best_Coding_Practice_Just_One_of_Equals_and_Hash_code_Defined - pretty_name: Just One of Equals and Hash code Defined - CSharp - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CSharp_Best_Coding_Practice_Leftover_Debug_Code: - categories: - - cwe-489 - - owasp-top-10 - - checkmarx-best-coding-practices - - boost-baseline - - ALL - description: The product is deployed to unauthorized actors with debugging code - still enabled or active, which can create unintended entry points or expose - sensitive information. - group: top10-insecure-design - name: CSharp_Best_Coding_Practice_Leftover_Debug_Code - pretty_name: Leftover Debug Code - CSharp - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CSharp_Best_Coding_Practice_Magic_Numbers: - categories: - - boost-baseline - - ALL - - checkmarx-best-coding-practices - - owasp-top-10 - description: Numerical literals are directly used in the code, instead of being - declared as constants. This makes code less readable and maintainable due to - lack of context or meaning attached to these numbers, known as 'Magic Numbers'. - group: top10-insecure-design - name: CSharp_Best_Coding_Practice_Magic_Numbers - pretty_name: Magic Numbers - CSharp - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CSharp_Best_Coding_Practice_Missing_XML_Validation: - categories: - - cwe-112 - - owasp-top-10 - - checkmarx-best-coding-practices - - boost-baseline - - ALL - description: The product accepts XML from an untrusted source but does not validate - the XML against the proper schema. 
- group: top10-insecure-design - name: CSharp_Best_Coding_Practice_Missing_XML_Validation - pretty_name: Missing XML Validation - CSharp - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CSharp_Best_Coding_Practice_NULL_Argument_to_Equals: - categories: - - boost-baseline - - ALL - - checkmarx-best-coding-practices - - owasp-top-10 - description: Invoking the 'Equals' method with a null argument can lead to a NullReferenceException - if the implementation doesn't handle the null condition correctly, causing a - potential program crash. - group: top10-insecure-design - name: CSharp_Best_Coding_Practice_NULL_Argument_to_Equals - pretty_name: NULL Argument to Equals - CSharp - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CSharp_Best_Coding_Practice_Non_Private_Static_Constructors: - categories: - - boost-baseline - - ALL - - checkmarx-best-coding-practices - - owasp-top-10 - description: Static constructors in C# that aren't marked as private might lead - to uncontrolled instantiation, affecting program predictability and security. - group: top10-insecure-design - name: CSharp_Best_Coding_Practice_Non_Private_Static_Constructors - pretty_name: Non Private Static Constructors - CSharp - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CSharp_Best_Coding_Practice_Pages_Without_Global_Error_Handler: - categories: - - owasp-top-10 - - cwe-544 - - checkmarx-best-coding-practices - - boost-baseline - - ALL - description: The product does not use a standardized method for handling errors - throughout the code, which might introduce inconsistent error handling and resultant - weaknesses. 
- group: top10-insecure-design - name: CSharp_Best_Coding_Practice_Pages_Without_Global_Error_Handler - pretty_name: Pages Without Global Error Handler - CSharp - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CSharp_Best_Coding_Practice_PersistSecurityInfo_is_True: - categories: - - boost-baseline - - ALL - - checkmarx-best-coding-practices - - owasp-top-10 - description: The property PersistSecurityInfo is set to true, revealing sensitive - information such as a password, in a connection string after the connection - to the database is established. - group: top10-insecure-design - name: CSharp_Best_Coding_Practice_PersistSecurityInfo_is_True - pretty_name: PersistSecurityInfo is True - CSharp - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CSharp_Best_Coding_Practice_Routed_Deprecated_Code: - categories: - - cwe-477 - - owasp-top-10 - - checkmarx-best-coding-practices - - boost-baseline - - ALL - description: The code uses deprecated or obsolete functions, which suggests that - the code has not been actively reviewed or maintained. - group: top10-insecure-design - name: CSharp_Best_Coding_Practice_Routed_Deprecated_Code - pretty_name: Routed Deprecated Code - CSharp - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CSharp_Best_Coding_Practice_Suspicious_Endpoints: - categories: - - cwe-923 - - owasp-top-10 - - checkmarx-best-coding-practices - - boost-baseline - - ALL - description: The product establishes a communication channel to (or from) an endpoint - for privileged or protected operations, but it does not properly ensure that - it is communicating with the correct endpoint. 
- group: top10-insecure-design - name: CSharp_Best_Coding_Practice_Suspicious_Endpoints - pretty_name: Suspicious Endpoints - CSharp - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CSharp_Best_Coding_Practice_Threads_in_WebApp: - categories: - - ALL - - owasp-top-10 - - checkmarx-best-coding-practices - - boost-baseline - - cwe-383 - description: Thread management in a Web application is forbidden in some circumstances - and is always highly error prone. - group: top10-insecure-design - name: CSharp_Best_Coding_Practice_Threads_in_WebApp - pretty_name: Threads in WebApp - CSharp - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CSharp_Best_Coding_Practice_Unchecked_Error_Condition: - categories: - - owasp-top-10 - - cwe-391 - - checkmarx-best-coding-practices - - boost-baseline - - ALL - description: '[PLANNED FOR DEPRECATION. SEE MAINTENANCE NOTES AND CONSIDER' - group: top10-insecure-design - name: CSharp_Best_Coding_Practice_Unchecked_Error_Condition - pretty_name: Unchecked Error Condition - CSharp - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CSharp_Best_Coding_Practice_Unchecked_Return_Value: - categories: - - cwe-252 - - owasp-top-10 - - checkmarx-best-coding-practices - - boost-baseline - - ALL - description: The product does not check the return value from a method or function, - which can prevent it from detecting unexpected states and conditions. 
- group: top10-insecure-design - name: CSharp_Best_Coding_Practice_Unchecked_Return_Value - pretty_name: Unchecked Return Value - CSharp - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CSharp_Best_Coding_Practice_Unclosed_Objects: - categories: - - owasp-top-10 - - checkmarx-best-coding-practices - - boost-baseline - - ALL - - cwe-459 - description: The product does not properly "clean up" and remove temporary or - supporting resources after they have been used. - group: top10-insecure-design - name: CSharp_Best_Coding_Practice_Unclosed_Objects - pretty_name: Unclosed Objects - CSharp - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CSharp_Best_Coding_Practice_Undocumented_API: - categories: - - boost-baseline - - ALL - - checkmarx-best-coding-practices - - owasp-top-10 - description: Public methods, classes, or interfaces within the application's API - lack necessary documentation comments, leading to potential misuse or improper - implementation. - group: top10-insecure-design - name: CSharp_Best_Coding_Practice_Undocumented_API - pretty_name: Undocumented API - CSharp - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CSharp_Best_Coding_Practice_Unsafe_Bidi_Unicode_Data: - categories: - - cwe-94 - - owasp-top-10 - - checkmarx-best-coding-practices - - boost-baseline - - ALL - - cwe-top-25 - description: The product constructs all or part of a code segment using externally-influenced - input from an upstream component, but it does not neutralize or incorrectly - neutralizes special elements that could modify the syntax or behavior of the - intended code segment. 
- group: top10-injection - name: CSharp_Best_Coding_Practice_Unsafe_Bidi_Unicode_Data - pretty_name: Unsafe Bidi Unicode Data - CSharp - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CSharp_Best_Coding_Practice_Unsafe_Homoglyphs_Unicode_Data: - categories: - - cwe-94 - - owasp-top-10 - - checkmarx-best-coding-practices - - boost-baseline - - ALL - - cwe-top-25 - description: The product constructs all or part of a code segment using externally-influenced - input from an upstream component, but it does not neutralize or incorrectly - neutralizes special elements that could modify the syntax or behavior of the - intended code segment. - group: top10-injection - name: CSharp_Best_Coding_Practice_Unsafe_Homoglyphs_Unicode_Data - pretty_name: Unsafe Homoglyphs Unicode Data - CSharp - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CSharp_Best_Coding_Practice_Unvalidated_Arguments_Of_Public_Methods: - categories: - - boost-baseline - - ALL - - checkmarx-best-coding-practices - - owasp-top-10 - description: Public methods accept arguments without proper validation, increasing - the potential for harmful or unexpected behavior due to uncontrolled input. - group: top10-insecure-design - name: CSharp_Best_Coding_Practice_Unvalidated_Arguments_Of_Public_Methods - pretty_name: Unvalidated Arguments Of Public Methods - CSharp - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CSharp_Best_Coding_Practice_Use_Of_Uninitialized_Variables: - categories: - - cwe-457 - - owasp-top-10 - - checkmarx-best-coding-practices - - boost-baseline - - ALL - description: The code uses a variable that has not been initialized, leading to - unpredictable or unintended results. 
- group: top10-insecure-design - name: CSharp_Best_Coding_Practice_Use_Of_Uninitialized_Variables - pretty_name: Use Of Uninitialized Variables - CSharp - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CSharp_Best_Coding_Practice_Use_of_System_Output_Stream: - categories: - - owasp-top-10 - - cwe-398 - - checkmarx-best-coding-practices - - boost-baseline - - ALL - description: Indicates that the product has not been carefully developed or maintained. - group: top10-insecure-design - name: CSharp_Best_Coding_Practice_Use_of_System_Output_Stream - pretty_name: Use of System Output Stream - CSharp - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CSharp_Best_Coding_Practice_Using_Of_Index_Instead_Of_Key: - categories: - - owasp-top-10 - - cwe-398 - - checkmarx-best-coding-practices - - boost-baseline - - ALL - description: Indicates that the product has not been carefully developed or maintained. - group: top10-insecure-design - name: CSharp_Best_Coding_Practice_Using_Of_Index_Instead_Of_Key - pretty_name: Using Of Index Instead Of Key - CSharp - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CSharp_Best_Coding_Practice_Visible_Pointers: - categories: - - boost-baseline - - ALL - - checkmarx-best-coding-practices - - owasp-top-10 - description: In the context of C# code, pointers are declared in visible scopes, - leading to potential memory manipulation vulnerabilities. 
- group: top10-insecure-design - name: CSharp_Best_Coding_Practice_Visible_Pointers - pretty_name: Visible Pointers - CSharp - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CSharp_Heuristic_Heuristic_2nd_Order_SQL_Injection: - categories: - - checkmarx-heuristic - - cwe-89 - - owasp-top-10 - - boost-baseline - - ALL - - cwe-top-25 - description: The product constructs all or part of an SQL command using externally-influenced - input from an upstream component, but it does not neutralize or incorrectly - neutralizes special elements that could modify the intended SQL command when - it is sent to a downstream component. - group: top10-injection - name: CSharp_Heuristic_Heuristic_2nd_Order_SQL_Injection - pretty_name: Heuristic 2nd Order SQL Injection - CSharp - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CSharp_Heuristic_Heuristic_CSRF: - categories: - - checkmarx-heuristic - - cwe-352 - - owasp-top-10 - - boost-baseline - - ALL - - cwe-top-25 - description: The web application does not, or can not, sufficiently verify whether - a well-formed, valid, consistent request was intentionally provided by the user - who submitted the request. - group: top10-injection - name: CSharp_Heuristic_Heuristic_CSRF - pretty_name: Heuristic CSRF - CSharp - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CSharp_Heuristic_Heuristic_DB_Parameter_Tampering: - categories: - - checkmarx-heuristic - - owasp-top-10 - - cwe-284 - - boost-baseline - - ALL - description: The product does not restrict or incorrectly restricts access to - a resource from an unauthorized actor. 
- group: top10-broken-access-control - name: CSharp_Heuristic_Heuristic_DB_Parameter_Tampering - pretty_name: Heuristic DB Parameter Tampering - CSharp - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CSharp_Heuristic_Heuristic_Parameter_Tampering: - categories: - - checkmarx-heuristic - - owasp-top-10 - - cwe-472 - - boost-baseline - - ALL - description: The web application does not sufficiently verify inputs that are - assumed to be immutable but are actually externally controllable, such as hidden - form fields. - group: top10-insecure-design - name: CSharp_Heuristic_Heuristic_Parameter_Tampering - pretty_name: Heuristic Parameter Tampering - CSharp - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CSharp_Heuristic_Heuristic_SQL_Injection: - categories: - - checkmarx-heuristic - - cwe-89 - - owasp-top-10 - - boost-baseline - - ALL - - cwe-top-25 - description: The product constructs all or part of an SQL command using externally-influenced - input from an upstream component, but it does not neutralize or incorrectly - neutralizes special elements that could modify the intended SQL command when - it is sent to a downstream component. - group: top10-injection - name: CSharp_Heuristic_Heuristic_SQL_Injection - pretty_name: Heuristic SQL Injection - CSharp - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CSharp_Heuristic_Heuristic_Stored_XSS: - categories: - - checkmarx-heuristic - - cwe-79 - - owasp-top-10 - - boost-baseline - - ALL - - cwe-top-25 - description: The product does not neutralize or incorrectly neutralizes user-controllable - input before it is placed in output that is used as a web page that is served - to other users. 
- group: top10-injection - name: CSharp_Heuristic_Heuristic_Stored_XSS - pretty_name: Heuristic Stored XSS - CSharp - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CSharp_High_Risk_Code_Injection: - categories: - - boost-hardened - - cwe-94 - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-high-risk - - cwe-top-25 - description: The product constructs all or part of a code segment using externally-influenced - input from an upstream component, but it does not neutralize or incorrectly - neutralizes special elements that could modify the syntax or behavior of the - intended code segment. - group: top10-injection - name: CSharp_High_Risk_Code_Injection - pretty_name: Code Injection - CSharp - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CSharp_High_Risk_Command_Injection: - categories: - - boost-hardened - - cwe-77 - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-high-risk - - cwe-top-25 - description: The product constructs all or part of a command using externally-influenced - input from an upstream component, but it does not neutralize or incorrectly - neutralizes special elements that could modify the intended command when it - is sent to a downstream component. - group: top10-injection - name: CSharp_High_Risk_Command_Injection - pretty_name: Command Injection - CSharp - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CSharp_High_Risk_Connection_String_Injection: - categories: - - boost-hardened - - owasp-top-10 - - cwe-99 - - boost-baseline - - ALL - - checkmarx-high-risk - description: The product receives input from an upstream component, but it does - not restrict or incorrectly restricts the input before it is used as an identifier - for a resource that may be outside the intended sphere of control. 
- group: top10-injection - name: CSharp_High_Risk_Connection_String_Injection - pretty_name: Connection String Injection - CSharp - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CSharp_High_Risk_Dangerous_File_Upload: - categories: - - boost-hardened - - cwe-434 - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-high-risk - - cwe-top-25 - description: The product allows the attacker to upload or transfer files of dangerous - types that can be automatically processed within the product's environment. - group: top10-insecure-design - name: CSharp_High_Risk_Dangerous_File_Upload - pretty_name: Dangerous File Upload - CSharp - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CSharp_High_Risk_Deserialization_of_Untrusted_Data: - categories: - - boost-hardened - - boost-baseline - - owasp-top-10 - - cwe-502 - - ALL - - checkmarx-high-risk - - cwe-top-25 - description: The product deserializes untrusted data without sufficiently verifying - that the resulting data will be valid. - group: top10-software-data-integrity-failures - name: CSharp_High_Risk_Deserialization_of_Untrusted_Data - pretty_name: Deserialization of Untrusted Data - CSharp - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CSharp_High_Risk_Deserialization_of_Untrusted_Data_MSMQ: - categories: - - boost-hardened - - boost-baseline - - owasp-top-10 - - cwe-502 - - ALL - - checkmarx-high-risk - - cwe-top-25 - description: The product deserializes untrusted data without sufficiently verifying - that the resulting data will be valid. 
- group: top10-software-data-integrity-failures - name: CSharp_High_Risk_Deserialization_of_Untrusted_Data_MSMQ - pretty_name: Deserialization of Untrusted Data MSMQ - CSharp - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CSharp_High_Risk_JWT_No_Signature_Verification: - categories: - - boost-hardened - - cwe-287 - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-high-risk - - cwe-top-25 - description: When an actor claims to have a given identity, the product does not - prove or insufficiently proves that the claim is correct. - group: top10-id-authn-failures - name: CSharp_High_Risk_JWT_No_Signature_Verification - pretty_name: JWT No Signature Verification - CSharp - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CSharp_High_Risk_LDAP_Injection: - categories: - - boost-hardened - - cwe-90 - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-high-risk - description: The product constructs all or part of an LDAP query using externally-influenced - input from an upstream component, but it does not neutralize or incorrectly - neutralizes special elements that could modify the intended LDAP query when - it is sent to a downstream component. - group: top10-injection - name: CSharp_High_Risk_LDAP_Injection - pretty_name: LDAP Injection - CSharp - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CSharp_High_Risk_Reflected_XSS_All_Clients: - categories: - - boost-hardened - - cwe-79 - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-high-risk - - cwe-top-25 - description: The product does not neutralize or incorrectly neutralizes user-controllable - input before it is placed in output that is used as a web page that is served - to other users. 
- group: top10-injection - name: CSharp_High_Risk_Reflected_XSS_All_Clients - pretty_name: Reflected XSS All Clients - CSharp - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CSharp_High_Risk_Resource_Injection: - categories: - - boost-hardened - - owasp-top-10 - - cwe-99 - - boost-baseline - - ALL - - checkmarx-high-risk - description: The product receives input from an upstream component, but it does - not restrict or incorrectly restricts the input before it is used as an identifier - for a resource that may be outside the intended sphere of control. - group: top10-injection - name: CSharp_High_Risk_Resource_Injection - pretty_name: Resource Injection - CSharp - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CSharp_High_Risk_SQL_Injection: - categories: - - boost-hardened - - cwe-89 - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-high-risk - - cwe-top-25 - description: The product constructs all or part of an SQL command using externally-influenced - input from an upstream component, but it does not neutralize or incorrectly - neutralizes special elements that could modify the intended SQL command when - it is sent to a downstream component. - group: top10-injection - name: CSharp_High_Risk_SQL_Injection - pretty_name: SQL Injection - CSharp - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CSharp_High_Risk_Second_Order_SQL_Injection: - categories: - - boost-hardened - - cwe-89 - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-high-risk - - cwe-top-25 - description: The product constructs all or part of an SQL command using externally-influenced - input from an upstream component, but it does not neutralize or incorrectly - neutralizes special elements that could modify the intended SQL command when - it is sent to a downstream component. 
- group: top10-injection - name: CSharp_High_Risk_Second_Order_SQL_Injection - pretty_name: Second Order SQL Injection - CSharp - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CSharp_High_Risk_Stored_XSS: - categories: - - boost-hardened - - cwe-79 - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-high-risk - - cwe-top-25 - description: The product does not neutralize or incorrectly neutralizes user-controllable - input before it is placed in output that is used as a web page that is served - to other users. - group: top10-injection - name: CSharp_High_Risk_Stored_XSS - pretty_name: Stored XSS - CSharp - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CSharp_High_Risk_UTF7_XSS: - categories: - - boost-hardened - - cwe-79 - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-high-risk - - cwe-top-25 - description: The product does not neutralize or incorrectly neutralizes user-controllable - input before it is placed in output that is used as a web page that is served - to other users. - group: top10-injection - name: CSharp_High_Risk_UTF7_XSS - pretty_name: UTF7 XSS - CSharp - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CSharp_High_Risk_Unsafe_Reflection: - categories: - - boost-hardened - - cwe-470 - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-high-risk - description: The product uses external input with reflection to select which classes - or code to use, but it does not sufficiently prevent the input from selecting - improper classes or code. 
- group: top10-injection - name: CSharp_High_Risk_Unsafe_Reflection - pretty_name: Unsafe Reflection - CSharp - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CSharp_High_Risk_XPath_Injection: - categories: - - boost-hardened - - cwe-643 - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-high-risk - description: The product uses external input to dynamically construct an XPath - expression used to retrieve data from an XML database, but it does not neutralize - or incorrectly neutralizes that input. This allows an attacker to control the - structure of the query. - group: top10-injection - name: CSharp_High_Risk_XPath_Injection - pretty_name: XPath Injection - CSharp - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CSharp_Low_Visibility_Blind_SQL_Injections: - categories: - - checkmarx-low-visibility - - cwe-89 - - owasp-top-10 - - boost-baseline - - ALL - - cwe-top-25 - description: The product constructs all or part of an SQL command using externally-influenced - input from an upstream component, but it does not neutralize or incorrectly - neutralizes special elements that could modify the intended SQL command when - it is sent to a downstream component. - group: top10-injection - name: CSharp_Low_Visibility_Blind_SQL_Injections - pretty_name: Blind SQL Injections - CSharp - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CSharp_Low_Visibility_Cleansing_Canonicalization_and_Comparison_Errors: - categories: - - cwe-171 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: Improper handling of data within protection mechanisms that attempt - to perform neutralization for untrusted data. 
- group: top10-injection - name: CSharp_Low_Visibility_Cleansing_Canonicalization_and_Comparison_Errors - pretty_name: Cleansing Canonicalization and Comparison Errors - CSharp - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CSharp_Low_Visibility_Client_Side_Only_Validation: - categories: - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - - cwe-602 - description: The product is composed of a server that relies on the client to - implement a mechanism that is intended to protect the server. - group: top10-insecure-design - name: CSharp_Low_Visibility_Client_Side_Only_Validation - pretty_name: Client Side Only Validation - CSharp - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CSharp_Low_Visibility_Command_Argument_Injection: - categories: - - cwe-88 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: The product constructs a string for a command to be executed by a - separate component in another control sphere, but it does not properly delimit - the intended arguments, options, or switches within that command string. - group: top10-injection - name: CSharp_Low_Visibility_Command_Argument_Injection - pretty_name: Command Argument Injection - CSharp - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CSharp_Low_Visibility_Cross_Site_History_Manipulation: - categories: - - cwe-203 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: The product behaves differently or sends different responses under - different circumstances in a way that is observable to an unauthorized actor, - which exposes security-relevant information about the state of the product, - such as whether a particular operation was successful or not. 
- group: top10-software-data-integrity-failures - name: CSharp_Low_Visibility_Cross_Site_History_Manipulation - pretty_name: Cross Site History Manipulation - CSharp - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CSharp_Low_Visibility_Heap_Inspection: - categories: - - cwe-244 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: Using realloc() to resize buffers that store sensitive information - can leave the sensitive information exposed to attack, because it is not removed - from memory. - group: top10-broken-access-control - name: CSharp_Low_Visibility_Heap_Inspection - pretty_name: Heap Inspection - CSharp - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CSharp_Low_Visibility_Impersonation_Issue: - categories: - - boost-baseline - - ALL - - checkmarx-low-visibility - - cwe-520 - description: Allowing a .NET application to run at potentially escalated levels - of access to the underlying operating and file systems can be dangerous and - result in various forms of attacks. - group: top10-security-misconfiguration - name: CSharp_Low_Visibility_Impersonation_Issue - pretty_name: Impersonation Issue - CSharp - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CSharp_Low_Visibility_Improper_Encoding_Of_Output: - categories: - - cwe-116 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: The product prepares a structured message for communication with - another component, but encoding or escaping of the data is either missing or - done incorrectly. As a result, the intended structure of the message is not - preserved. 
- group: top10-injection - name: CSharp_Low_Visibility_Improper_Encoding_Of_Output - pretty_name: Improper Encoding Of Output - CSharp - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CSharp_Low_Visibility_Improper_Exception_Handling: - categories: - - cwe-248 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: An exception is thrown from a function, but it is not caught. - group: top10-insecure-design - name: CSharp_Low_Visibility_Improper_Exception_Handling - pretty_name: Improper Exception Handling - CSharp - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CSharp_Low_Visibility_Improper_Resource_Shutdown_or_Release: - categories: - - cwe-404 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: The product does not release or incorrectly releases a resource before - it is made available for re-use. - group: top10-insecure-design - name: CSharp_Low_Visibility_Improper_Resource_Shutdown_or_Release - pretty_name: Improper Resource Shutdown or Release - CSharp - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CSharp_Low_Visibility_Improper_Session_Management: - categories: - - checkmarx-low-visibility - - owasp-top-10 - - cwe-201 - - boost-baseline - - ALL - description: The code transmits data to another actor, but a portion of the data - includes sensitive information that should not be accessible to that actor. 
- group: top10-broken-access-control - name: CSharp_Low_Visibility_Improper_Session_Management - pretty_name: Improper Session Management - CSharp - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CSharp_Low_Visibility_Improper_Transaction_Handling: - categories: - - cwe-460 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: The product does not clean up its state or incorrectly cleans up - its state when an exception is thrown, leading to unexpected state or control - flow. - group: top10-insecure-design - name: CSharp_Low_Visibility_Improper_Transaction_Handling - pretty_name: Improper Transaction Handling - CSharp - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CSharp_Low_Visibility_Inappropriate_Encoding_for_Output_Context: - categories: - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - - cwe-838 - description: The product uses or specifies an encoding when generating output - to a downstream component, but the specified encoding is not the same as the - encoding that is expected by the downstream component. - group: top10-injection - name: CSharp_Low_Visibility_Inappropriate_Encoding_for_Output_Context - pretty_name: Inappropriate Encoding for Output Context - CSharp - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CSharp_Low_Visibility_Information_Exposure_Through_an_Error_Message: - categories: - - cwe-209 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: The product generates an error message that includes sensitive information - about its environment, users, or associated data. 
- group: top10-insecure-design - name: CSharp_Low_Visibility_Information_Exposure_Through_an_Error_Message - pretty_name: Information Exposure Through an Error Message - CSharp - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CSharp_Low_Visibility_Information_Exposure_via_Headers: - categories: - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - - cwe-200 - description: The product exposes sensitive information to an actor that is not - explicitly authorized to have access to that information. - group: top10-broken-access-control - name: CSharp_Low_Visibility_Information_Exposure_via_Headers - pretty_name: Information Exposure via Headers - CSharp - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CSharp_Low_Visibility_Information_Leak_Through_Persistent_Cookies: - categories: - - cwe-539 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: The web application uses persistent cookies, but the cookies contain - sensitive information. - group: top10-insecure-design - name: CSharp_Low_Visibility_Information_Leak_Through_Persistent_Cookies - pretty_name: Information Leak Through Persistent Cookies - CSharp - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CSharp_Low_Visibility_Insufficiently_Protected_Credentials: - categories: - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - - cwe-522 - description: The product transmits or stores authentication credentials, but it - uses an insecure method that is susceptible to unauthorized interception and/or - retrieval. 
- group: top10-insecure-design - name: CSharp_Low_Visibility_Insufficiently_Protected_Credentials - pretty_name: Insufficiently Protected Credentials - CSharp - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CSharp_Low_Visibility_JWT_Excessive_Expiration_Time: - categories: - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - - cwe-613 - description: According to WASC, "Insufficient Session Expiration is when a web - site permits an attacker to reuse old session credentials or session IDs for - authorization." - group: top10-id-authn-failures - name: CSharp_Low_Visibility_JWT_Excessive_Expiration_Time - pretty_name: JWT Excessive Expiration Time - CSharp - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CSharp_Low_Visibility_JWT_Use_Of_Hardcoded_Secret: - categories: - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - - cwe-top-25 - - cwe-798 - description: The product contains hard-coded credentials, such as a password or - cryptographic key, which it uses for its own inbound authentication, outbound - communication to external components, or encryption of internal data. - group: top10-id-authn-failures - name: CSharp_Low_Visibility_JWT_Use_Of_Hardcoded_Secret - pretty_name: JWT Use Of Hardcoded Secret - CSharp - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CSharp_Low_Visibility_JavaScript_Hijacking: - categories: - - cwe-352 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - - cwe-top-25 - description: The web application does not, or can not, sufficiently verify whether - a well-formed, valid, consistent request was intentionally provided by the user - who submitted the request. 
- group: top10-injection - name: CSharp_Low_Visibility_JavaScript_Hijacking - pretty_name: JavaScript Hijacking - CSharp - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CSharp_Low_Visibility_Leaving_Temporary_Files: - categories: - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - - cwe-376 - description: Related to the handling of files within a software system. - group: top10-broken-access-control - name: CSharp_Low_Visibility_Leaving_Temporary_Files - pretty_name: Leaving Temporary Files - CSharp - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CSharp_Low_Visibility_Log_Forging: - categories: - - boost-baseline - - ALL - - cwe-117 - - checkmarx-low-visibility - description: The product does not neutralize or incorrectly neutralizes output - that is written to logs. - group: top10-security-logging-monitoring-failures - name: CSharp_Low_Visibility_Log_Forging - pretty_name: Log Forging - CSharp - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CSharp_Low_Visibility_Missing_Content_Security_Policy: - categories: - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - - cwe-346 - description: The product does not properly verify that the source of data or communication - is valid. - group: top10-id-authn-failures - name: CSharp_Low_Visibility_Missing_Content_Security_Policy - pretty_name: Missing Content Security Policy - CSharp - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CSharp_Low_Visibility_Missing_Function_Level_Authorization: - categories: - - checkmarx-low-visibility - - cwe-862 - - owasp-top-10 - - boost-baseline - - ALL - - cwe-top-25 - description: The product does not perform an authorization check when an actor - attempts to access a resource or perform an action. 
- group: top10-broken-access-control - name: CSharp_Low_Visibility_Missing_Function_Level_Authorization - pretty_name: Missing Function Level Authorization - CSharp - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CSharp_Low_Visibility_Off_By_One_Error: - categories: - - cwe-193 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: A product calculates or uses an incorrect maximum or minimum value - that is 1 more, or 1 less, than the correct value. - group: top10-injection - name: CSharp_Low_Visibility_Off_By_One_Error - pretty_name: Off By One Error - CSharp - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CSharp_Low_Visibility_Open_Redirect: - categories: - - checkmarx-low-visibility - - cwe-601 - - owasp-top-10 - - boost-baseline - - ALL - description: A web application accepts a user-controlled input that specifies - a link to an external site, and uses that link in a Redirect. This simplifies - phishing attacks. - group: top10-broken-access-control - name: CSharp_Low_Visibility_Open_Redirect - pretty_name: Open Redirect - CSharp - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CSharp_Low_Visibility_Overly_Permissive_Cross_Origin_Resource_Sharing_Policy: - categories: - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - - cwe-346 - description: The product does not properly verify that the source of data or communication - is valid. 
- group: top10-id-authn-failures - name: CSharp_Low_Visibility_Overly_Permissive_Cross_Origin_Resource_Sharing_Policy - pretty_name: Overly Permissive Cross Origin Resource Sharing Policy - CSharp - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CSharp_Low_Visibility_Password_In_Comment: - categories: - - cwe-615 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: 'While adding general comments is very useful, some programmers tend - to leave important data, such as: filenames related to the web application, - old links or links which were not meant to be browsed by users, old code fragments, - etc.' - group: top10-id-authn-failures - name: CSharp_Low_Visibility_Password_In_Comment - pretty_name: Password In Comment - CSharp - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CSharp_Low_Visibility_Permissive_Content_Security_Policy: - categories: - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - - cwe-346 - description: The product does not properly verify that the source of data or communication - is valid. - group: top10-id-authn-failures - name: CSharp_Low_Visibility_Permissive_Content_Security_Policy - pretty_name: Permissive Content Security Policy - CSharp - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CSharp_Low_Visibility_Potential_ReDoS: - categories: - - checkmarx-low-visibility - - owasp-top-10 - - cwe-400 - - boost-baseline - - ALL - - cwe-top-25 - description: The product does not properly control the allocation and maintenance - of a limited resource, thereby enabling an actor to influence the amount of - resources consumed, eventually leading to the exhaustion of available resources. 
- group: top10-insecure-design - name: CSharp_Low_Visibility_Potential_ReDoS - pretty_name: Potential ReDoS - CSharp - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CSharp_Low_Visibility_Potential_ReDoS_By_Injection: - categories: - - checkmarx-low-visibility - - owasp-top-10 - - cwe-400 - - boost-baseline - - ALL - - cwe-top-25 - description: The product does not properly control the allocation and maintenance - of a limited resource, thereby enabling an actor to influence the amount of - resources consumed, eventually leading to the exhaustion of available resources. - group: top10-insecure-design - name: CSharp_Low_Visibility_Potential_ReDoS_By_Injection - pretty_name: Potential ReDoS By Injection - CSharp - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CSharp_Low_Visibility_Potential_ReDoS_In_Code: - categories: - - checkmarx-low-visibility - - owasp-top-10 - - cwe-400 - - boost-baseline - - ALL - - cwe-top-25 - description: The product does not properly control the allocation and maintenance - of a limited resource, thereby enabling an actor to influence the amount of - resources consumed, eventually leading to the exhaustion of available resources. - group: top10-insecure-design - name: CSharp_Low_Visibility_Potential_ReDoS_In_Code - pretty_name: Potential ReDoS In Code - CSharp - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CSharp_Low_Visibility_Potential_ReDoS_In_Static_Field: - categories: - - checkmarx-low-visibility - - owasp-top-10 - - cwe-400 - - boost-baseline - - ALL - - cwe-top-25 - description: The product does not properly control the allocation and maintenance - of a limited resource, thereby enabling an actor to influence the amount of - resources consumed, eventually leading to the exhaustion of available resources. 
- group: top10-insecure-design - name: CSharp_Low_Visibility_Potential_ReDoS_In_Static_Field - pretty_name: Potential ReDoS In Static Field - CSharp - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CSharp_Low_Visibility_Reliance_on_DNS_Lookups_in_a_Decision: - categories: - - cwe-350 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: The product performs reverse DNS resolution on an IP address to obtain - the hostname and make a security decision, but it does not properly ensure that - the IP address is truly associated with the hostname. - group: top10-insecure-design - name: CSharp_Low_Visibility_Reliance_on_DNS_Lookups_in_a_Decision - pretty_name: Reliance on DNS Lookups in a Decision - CSharp - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CSharp_Low_Visibility_Session_Clearing_Problems: - categories: - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - - cwe-613 - description: According to WASC, "Insufficient Session Expiration is when a web - site permits an attacker to reuse old session credentials or session IDs for - authorization." - group: top10-id-authn-failures - name: CSharp_Low_Visibility_Session_Clearing_Problems - pretty_name: Session Clearing Problems - CSharp - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CSharp_Low_Visibility_Session_Poisoning: - categories: - - checkmarx-low-visibility - - owasp-top-10 - - cwe-472 - - boost-baseline - - ALL - description: The web application does not sufficiently verify inputs that are - assumed to be immutable but are actually externally controllable, such as hidden - form fields. 
- group: top10-insecure-design - name: CSharp_Low_Visibility_Session_Poisoning - pretty_name: Session Poisoning - CSharp - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CSharp_Low_Visibility_Stored_Code_Injection: - categories: - - cwe-94 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - - cwe-top-25 - description: The product constructs all or part of a code segment using externally-influenced - input from an upstream component, but it does not neutralize or incorrectly - neutralizes special elements that could modify the syntax or behavior of the - intended code segment. - group: top10-injection - name: CSharp_Low_Visibility_Stored_Code_Injection - pretty_name: Stored Code Injection - CSharp - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CSharp_Low_Visibility_Stored_Command_Argument_Injection: - categories: - - cwe-88 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: The product constructs a string for a command to be executed by a - separate component in another control sphere, but it does not properly delimit - the intended arguments, options, or switches within that command string. - group: top10-injection - name: CSharp_Low_Visibility_Stored_Command_Argument_Injection - pretty_name: Stored Command Argument Injection - CSharp - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CSharp_Low_Visibility_Thread_Safety_Issue: - categories: - - cwe-567 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: The product does not properly synchronize shared data, such as static - variables across threads, which can lead to undefined behavior and unpredictable - data changes. 
- group: top10-insecure-design - name: CSharp_Low_Visibility_Thread_Safety_Issue - pretty_name: Thread Safety Issue - CSharp - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CSharp_Low_Visibility_Trust_Boundary_Violation_in_Session_Variables: - categories: - - cwe-501 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: The product mixes trusted and untrusted data in the same data structure - or structured message. - group: top10-insecure-design - name: CSharp_Low_Visibility_Trust_Boundary_Violation_in_Session_Variables - pretty_name: Trust Boundary Violation in Session Variables - CSharp - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CSharp_Low_Visibility_URL_Canonicalization_Issue: - categories: - - cwe-647 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: The product defines policy namespaces and makes authorization decisions - based on the assumption that a URL is canonical. This can allow a non-canonical - URL to bypass the authorization. - group: top10-injection - name: CSharp_Low_Visibility_URL_Canonicalization_Issue - pretty_name: URL Canonicalization Issue - CSharp - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CSharp_Low_Visibility_Unencrypted_Web_Config_File: - categories: - - cwe-312 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: The product stores sensitive information in cleartext within a resource - that might be accessible to another control sphere. 
- group: top10-insecure-design - name: CSharp_Low_Visibility_Unencrypted_Web_Config_File - pretty_name: Unencrypted Web Config File - CSharp - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CSharp_Low_Visibility_Use_Of_Broken_Or_Risky_Cryptographic_Algorithm: - categories: - - cwe-327 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: The product uses a broken or risky cryptographic algorithm or protocol. - group: top10-crypto-failures - name: CSharp_Low_Visibility_Use_Of_Broken_Or_Risky_Cryptographic_Algorithm - pretty_name: Use Of Broken Or Risky Cryptographic Algorithm - CSharp - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CSharp_Low_Visibility_Use_Of_Hardcoded_Password: - categories: - - ALL - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - cwe-259 - description: The product contains a hard-coded password, which it uses for its - own inbound authentication or for outbound communication to external components. - group: top10-id-authn-failures - name: CSharp_Low_Visibility_Use_Of_Hardcoded_Password - pretty_name: Use Of Hardcoded Password - CSharp - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CSharp_Low_Visibility_Use_of_Insufficiently_Random_Values: - categories: - - cwe-330 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: The product uses insufficiently random numbers or values in a security - context that depends on unpredictable numbers. 
- group: top10-crypto-failures - name: CSharp_Low_Visibility_Use_of_Insufficiently_Random_Values - pretty_name: Use of Insufficiently Random Values - CSharp - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CSharp_Low_Visibility_Use_of_RSA_Algorithm_without_OAEP: - categories: - - ALL - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - cwe-780 - description: The product uses the RSA algorithm but does not incorporate Optimal - Asymmetric Encryption Padding (OAEP), which might weaken the encryption. - group: top10-crypto-failures - name: CSharp_Low_Visibility_Use_of_RSA_Algorithm_without_OAEP - pretty_name: Use of RSA Algorithm without OAEP - CSharp - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CSharp_Low_Visibility_XSS_Evasion_Attack: - categories: - - cwe-79 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - - cwe-top-25 - description: The product does not neutralize or incorrectly neutralizes user-controllable - input before it is placed in output that is used as a web page that is served - to other users. - group: top10-injection - name: CSharp_Low_Visibility_XSS_Evasion_Attack - pretty_name: XSS Evasion Attack - CSharp - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CSharp_Medium_Threat_Buffer_Overflow: - categories: - - checkmarx-medium-threat - - owasp-top-10 - - cwe-120 - - boost-baseline - - ALL - description: The product copies an input buffer to an output buffer without verifying - that the size of the input buffer is less than the size of the output buffer, - leading to a buffer overflow. 
- group: top10-injection - name: CSharp_Medium_Threat_Buffer_Overflow - pretty_name: Buffer Overflow - CSharp - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CSharp_Medium_Threat_CGI_XSS: - categories: - - checkmarx-medium-threat - - cwe-79 - - owasp-top-10 - - boost-baseline - - ALL - - cwe-top-25 - description: The product does not neutralize or incorrectly neutralizes user-controllable - input before it is placed in output that is used as a web page that is served - to other users. - group: top10-injection - name: CSharp_Medium_Threat_CGI_XSS - pretty_name: CGI XSS - CSharp - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CSharp_Medium_Threat_CSRF: - categories: - - checkmarx-medium-threat - - cwe-352 - - owasp-top-10 - - boost-baseline - - ALL - - cwe-top-25 - description: The web application does not, or can not, sufficiently verify whether - a well-formed, valid, consistent request was intentionally provided by the user - who submitted the request. - group: top10-injection - name: CSharp_Medium_Threat_CSRF - pretty_name: CSRF - CSharp - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CSharp_Medium_Threat_Cookie_Injection: - categories: - - checkmarx-medium-threat - - owasp-top-10 - - cwe-20 - - boost-baseline - - ALL - - cwe-top-25 - description: The product receives input or data, but it does not validate or incorrectly - validates that the input has the properties that are required to process the - data safely and correctly. 
- group: top10-injection - name: CSharp_Medium_Threat_Cookie_Injection - pretty_name: Cookie Injection - CSharp - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CSharp_Medium_Threat_DB_Parameter_Tampering: - categories: - - checkmarx-medium-threat - - owasp-top-10 - - cwe-284 - - boost-baseline - - ALL - description: The product does not restrict or incorrectly restricts access to - a resource from an unauthorized actor. - group: top10-broken-access-control - name: CSharp_Medium_Threat_DB_Parameter_Tampering - pretty_name: DB Parameter Tampering - CSharp - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CSharp_Medium_Threat_Data_Filter_Injection: - categories: - - checkmarx-medium-threat - - owasp-top-10 - - cwe-943 - - boost-baseline - - ALL - description: The product generates a query intended to access or manipulate data - in a data store such as a database, but it does not neutralize or incorrectly - neutralizes special elements that can modify the intended logic of the query. - group: top10-injection - name: CSharp_Medium_Threat_Data_Filter_Injection - pretty_name: Data Filter Injection - CSharp - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CSharp_Medium_Threat_DoS_by_Sleep: - categories: - - checkmarx-medium-threat - - owasp-top-10 - - boost-baseline - - ALL - description: The product performs an iteration or loop without sufficiently limiting - the number of times that the loop is executed. 
- group: top10-insecure-design - name: CSharp_Medium_Threat_DoS_by_Sleep - pretty_name: DoS by Sleep - CSharp - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CSharp_Medium_Threat_Excessive_Data_Exposure: - categories: - - checkmarx-medium-threat - - owasp-top-10 - - cwe-201 - - boost-baseline - - ALL - description: The code transmits data to another actor, but a portion of the data - includes sensitive information that should not be accessible to that actor. - group: top10-broken-access-control - name: CSharp_Medium_Threat_Excessive_Data_Exposure - pretty_name: Excessive Data Exposure - CSharp - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CSharp_Medium_Threat_HTTP_Response_Splitting: - categories: - - checkmarx-medium-threat - - cwe-113 - - owasp-top-10 - - boost-baseline - - ALL - description: The product receives data from an HTTP agent/component (e.g., web - server, proxy, browser, etc.), but it does not neutralize or incorrectly neutralizes - CR and LF characters before the data is included in outgoing HTTP headers. - group: top10-injection - name: CSharp_Medium_Threat_HTTP_Response_Splitting - pretty_name: HTTP Response Splitting - CSharp - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CSharp_Medium_Threat_Hardcoded_password_in_Connection_String: - categories: - - boost-baseline - - ALL - - cwe-547 - - checkmarx-medium-threat - description: The product uses hard-coded constants instead of symbolic names for - security-critical values, which increases the likelihood of mistakes during - code maintenance or security policy change. 
- group: top10-security-misconfiguration - name: CSharp_Medium_Threat_Hardcoded_password_in_Connection_String - pretty_name: Hardcoded password in Connection String - CSharp - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CSharp_Medium_Threat_HttpOnlyCookies: - categories: - - cwe-1004 - - ALL - - boost-baseline - - checkmarx-medium-threat - description: The product uses a cookie to store sensitive information, but the - cookie is not marked with the HttpOnly flag. - group: top10-security-misconfiguration - name: CSharp_Medium_Threat_HttpOnlyCookies - pretty_name: HttpOnlyCookies - CSharp - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CSharp_Medium_Threat_Improper_Locking: - categories: - - checkmarx-medium-threat - - cwe-667 - - owasp-top-10 - - boost-baseline - - ALL - description: The product does not properly acquire or release a lock on a resource, - leading to unexpected resource state changes and behaviors. - group: top10-insecure-design - name: CSharp_Medium_Threat_Improper_Locking - pretty_name: Improper Locking - CSharp - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CSharp_Medium_Threat_Improper_Restriction_of_XXE_Ref: - categories: - - checkmarx-medium-threat - - cwe-611 - - boost-baseline - - ALL - - cwe-top-25 - description: The product processes an XML document that can contain XML entities - with URIs that resolve to documents outside of the intended sphere of control, - causing the product to embed incorrect documents into its output. 
- group: top10-security-misconfiguration - name: CSharp_Medium_Threat_Improper_Restriction_of_XXE_Ref - pretty_name: Improper Restriction of XXE Ref - CSharp - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CSharp_Medium_Threat_Insecure_Cookie: - categories: - - boost-baseline - - cwe-614 - - checkmarx-medium-threat - - ALL - description: The Secure attribute for sensitive cookies in HTTPS sessions is not - set, which could cause the user agent to send those cookies in plaintext over - an HTTP session. - group: top10-security-misconfiguration - name: CSharp_Medium_Threat_Insecure_Cookie - pretty_name: Insecure Cookie - CSharp - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CSharp_Medium_Threat_Insufficient_Connection_String_Encryption: - categories: - - checkmarx-medium-threat - - owasp-top-10 - - boost-baseline - - ALL - - cwe-522 - description: The product transmits or stores authentication credentials, but it - uses an insecure method that is susceptible to unauthorized interception and/or - retrieval. - group: top10-insecure-design - name: CSharp_Medium_Threat_Insufficient_Connection_String_Encryption - pretty_name: Insufficient Connection String Encryption - CSharp - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CSharp_Medium_Threat_Integer_Overflow: - categories: - - checkmarx-medium-threat - - cwe-190 - - owasp-top-10 - - boost-baseline - - ALL - - cwe-top-25 - description: The product performs a calculation that can produce an integer overflow - or wraparound, when the logic assumes that the resulting value will always be - larger than the original value. This can introduce other weaknesses when the - calculation is used for resource management or execution control. 
- group: top10-injection - name: CSharp_Medium_Threat_Integer_Overflow - pretty_name: Integer Overflow - CSharp - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CSharp_Medium_Threat_JWT_Lack_Of_Expiration_Time: - categories: - - checkmarx-medium-threat - - owasp-top-10 - - boost-baseline - - ALL - - cwe-613 - description: According to WASC, "Insufficient Session Expiration is when a web - site permits an attacker to reuse old session credentials or session IDs for - authorization." - group: top10-id-authn-failures - name: CSharp_Medium_Threat_JWT_Lack_Of_Expiration_Time - pretty_name: JWT Lack Of Expiration Time - CSharp - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CSharp_Medium_Threat_JWT_No_Expiration_Time_Validation: - categories: - - checkmarx-medium-threat - - owasp-top-10 - - boost-baseline - - ALL - - cwe-613 - description: According to WASC, "Insufficient Session Expiration is when a web - site permits an attacker to reuse old session credentials or session IDs for - authorization." - group: top10-id-authn-failures - name: CSharp_Medium_Threat_JWT_No_Expiration_Time_Validation - pretty_name: JWT No Expiration Time Validation - CSharp - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CSharp_Medium_Threat_JWT_Sensitive_Information_Exposure: - categories: - - checkmarx-medium-threat - - owasp-top-10 - - cwe-201 - - boost-baseline - - ALL - description: The code transmits data to another actor, but a portion of the data - includes sensitive information that should not be accessible to that actor. 
- group: top10-broken-access-control - name: CSharp_Medium_Threat_JWT_Sensitive_Information_Exposure - pretty_name: JWT Sensitive Information Exposure - CSharp - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CSharp_Medium_Threat_MVC_View_Injection: - categories: - - checkmarx-medium-threat - - cwe-74 - - owasp-top-10 - - boost-baseline - - ALL - description: The product constructs all or part of a command, data structure, - or record using externally-influenced input from an upstream component, but - it does not neutralize or incorrectly neutralizes special elements that could - modify how it is parsed or interpreted when it is sent to a downstream component. - group: top10-injection - name: CSharp_Medium_Threat_MVC_View_Injection - pretty_name: MVC View Injection - CSharp - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CSharp_Medium_Threat_Missing_Column_Encryption: - categories: - - checkmarx-medium-threat - - owasp-top-10 - - cwe-311 - - boost-baseline - - ALL - description: The product does not encrypt sensitive or critical information before - storage or transmission. - group: top10-insecure-design - name: CSharp_Medium_Threat_Missing_Column_Encryption - pretty_name: Missing Column Encryption - CSharp - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CSharp_Medium_Threat_Missing_HSTS_Header: - categories: - - checkmarx-medium-threat - - owasp-top-10 - - boost-baseline - - ALL - - cwe-346 - description: The product does not properly verify that the source of data or communication - is valid. 
- group: top10-id-authn-failures - name: CSharp_Medium_Threat_Missing_HSTS_Header - pretty_name: Missing HSTS Header - CSharp - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CSharp_Medium_Threat_Missing_Object_Level_Authorization: - categories: - - checkmarx-medium-threat - - cwe-862 - - owasp-top-10 - - boost-baseline - - ALL - - cwe-top-25 - description: The product does not perform an authorization check when an actor - attempts to access a resource or perform an action. - group: top10-broken-access-control - name: CSharp_Medium_Threat_Missing_Object_Level_Authorization - pretty_name: Missing Object Level Authorization - CSharp - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CSharp_Medium_Threat_No_Request_Validation: - categories: - - checkmarx-medium-threat - - owasp-top-10 - - cwe-20 - - boost-baseline - - ALL - - cwe-top-25 - description: The product receives input or data, but it does not validate or incorrectly - validates that the input has the properties that are required to process the - data safely and correctly. - group: top10-injection - name: CSharp_Medium_Threat_No_Request_Validation - pretty_name: No Request Validation - CSharp - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CSharp_Medium_Threat_Parameter_Tampering: - categories: - - checkmarx-medium-threat - - owasp-top-10 - - cwe-472 - - boost-baseline - - ALL - description: The web application does not sufficiently verify inputs that are - assumed to be immutable but are actually externally controllable, such as hidden - form fields. 
- group: top10-insecure-design - name: CSharp_Medium_Threat_Parameter_Tampering - pretty_name: Parameter Tampering - CSharp - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CSharp_Medium_Threat_Path_Traversal: - categories: - - ALL - - checkmarx-medium-threat - - owasp-top-10 - - boost-baseline - - cwe-22 - - cwe-top-25 - description: The product uses external input to construct a pathname that is intended - to identify a file or directory that is located underneath a restricted parent - directory, but the product does not properly neutralize special elements within - the pathname that can cause the pathname to resolve to a location that is outside - of the restricted directory. - group: top10-broken-access-control - name: CSharp_Medium_Threat_Path_Traversal - pretty_name: Path Traversal - CSharp - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CSharp_Medium_Threat_Persistent_Connection_String: - categories: - - checkmarx-medium-threat - - owasp-top-10 - - cwe-257 - - boost-baseline - - ALL - description: The storage of passwords in a recoverable format makes them subject - to password reuse attacks by malicious users. In fact, it should be noted that - recoverable encrypted passwords provide no significant benefit over plaintext - passwords since they are subject not only to reuse by malicious attackers but - also by malicious insiders. If a system administrator can recover a password - directly, or use a brute force search on the available information, the administrator - can use the password on other accounts. 
- group: top10-insecure-design - name: CSharp_Medium_Threat_Persistent_Connection_String - pretty_name: Persistent Connection String - CSharp - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CSharp_Medium_Threat_Privacy_Violation: - categories: - - checkmarx-medium-threat - - owasp-top-10 - - boost-baseline - - ALL - - cwe-359 - description: The product does not properly prevent a person's private, personal - information from being accessed by actors who either (1) are not explicitly - authorized to access the information or (2) do not have the implicit consent - of the person about whom the information is collected. - group: top10-broken-access-control - name: CSharp_Medium_Threat_Privacy_Violation - pretty_name: Privacy Violation - CSharp - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CSharp_Medium_Threat_Race_Condition_within_a_Thread: - categories: - - checkmarx-medium-threat - - cwe-366 - - owasp-top-10 - - boost-baseline - - ALL - description: If two threads of execution use a resource simultaneously, there - exists the possibility that resources may be used while invalid, in turn making - the state of execution undefined. - group: top10-insecure-design - name: CSharp_Medium_Threat_Race_Condition_within_a_Thread - pretty_name: Race Condition within a Thread - CSharp - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CSharp_Medium_Threat_ReDoS_By_Regex_Injection: - categories: - - checkmarx-medium-threat - - owasp-top-10 - - cwe-400 - - boost-baseline - - ALL - - cwe-top-25 - description: The product does not properly control the allocation and maintenance - of a limited resource, thereby enabling an actor to influence the amount of - resources consumed, eventually leading to the exhaustion of available resources. 
- group: top10-insecure-design - name: CSharp_Medium_Threat_ReDoS_By_Regex_Injection - pretty_name: ReDoS By Regex Injection - CSharp - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CSharp_Medium_Threat_ReDoS_In_Code: - categories: - - checkmarx-medium-threat - - owasp-top-10 - - cwe-400 - - boost-baseline - - ALL - - cwe-top-25 - description: The product does not properly control the allocation and maintenance - of a limited resource, thereby enabling an actor to influence the amount of - resources consumed, eventually leading to the exhaustion of available resources. - group: top10-insecure-design - name: CSharp_Medium_Threat_ReDoS_In_Code - pretty_name: ReDoS In Code - CSharp - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CSharp_Medium_Threat_ReDoS_In_Validation: - categories: - - checkmarx-medium-threat - - owasp-top-10 - - cwe-400 - - boost-baseline - - ALL - - cwe-top-25 - description: The product does not properly control the allocation and maintenance - of a limited resource, thereby enabling an actor to influence the amount of - resources consumed, eventually leading to the exhaustion of available resources. - group: top10-insecure-design - name: CSharp_Medium_Threat_ReDoS_In_Validation - pretty_name: ReDoS In Validation - CSharp - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CSharp_Medium_Threat_Reflected_XSS_Specific_Clients: - categories: - - checkmarx-medium-threat - - cwe-79 - - owasp-top-10 - - boost-baseline - - ALL - - cwe-top-25 - description: The product does not neutralize or incorrectly neutralizes user-controllable - input before it is placed in output that is used as a web page that is served - to other users. 
- group: top10-injection - name: CSharp_Medium_Threat_Reflected_XSS_Specific_Clients - pretty_name: Reflected XSS Specific Clients - CSharp - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CSharp_Medium_Threat_SQL_Injection_Evasion_Attack: - categories: - - checkmarx-medium-threat - - cwe-89 - - owasp-top-10 - - boost-baseline - - ALL - - cwe-top-25 - description: The product constructs all or part of an SQL command using externally-influenced - input from an upstream component, but it does not neutralize or incorrectly - neutralizes special elements that could modify the intended SQL command when - it is sent to a downstream component. - group: top10-injection - name: CSharp_Medium_Threat_SQL_Injection_Evasion_Attack - pretty_name: SQL Injection Evasion Attack - CSharp - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CSharp_Medium_Threat_SSL_Verification_Bypass: - categories: - - checkmarx-medium-threat - - cwe-599 - - owasp-top-10 - - boost-baseline - - ALL - description: The product uses OpenSSL and trusts or uses a certificate without - using the SSL_get_verify_result() function to ensure that the certificate satisfies - all necessary security requirements. - group: top10-software-data-integrity-failures - name: CSharp_Medium_Threat_SSL_Verification_Bypass - pretty_name: SSL Verification Bypass - CSharp - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CSharp_Medium_Threat_SSRF: - categories: - - checkmarx-medium-threat - - cwe-74 - - owasp-top-10 - - boost-baseline - - ALL - description: The product constructs all or part of a command, data structure, - or record using externally-influenced input from an upstream component, but - it does not neutralize or incorrectly neutralizes special elements that could - modify how it is parsed or interpreted when it is sent to a downstream component. 
- group: top10-injection - name: CSharp_Medium_Threat_SSRF - pretty_name: SSRF - CSharp - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CSharp_Medium_Threat_Session_Fixation: - categories: - - checkmarx-medium-threat - - owasp-top-10 - - boost-baseline - - ALL - - cwe-384 - description: Authenticating a user, or otherwise establishing a new user session, - without invalidating any existing session identifier gives an attacker the opportunity - to steal authenticated sessions. - group: top10-id-authn-failures - name: CSharp_Medium_Threat_Session_Fixation - pretty_name: Session Fixation - CSharp - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CSharp_Medium_Threat_Stored_Command_Injection: - categories: - - cwe-77 - - checkmarx-medium-threat - - owasp-top-10 - - boost-baseline - - ALL - - cwe-top-25 - description: The product constructs all or part of a command using externally-influenced - input from an upstream component, but it does not neutralize or incorrectly - neutralizes special elements that could modify the intended command when it - is sent to a downstream component. - group: top10-injection - name: CSharp_Medium_Threat_Stored_Command_Injection - pretty_name: Stored Command Injection - CSharp - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CSharp_Medium_Threat_Stored_LDAP_Injection: - categories: - - checkmarx-medium-threat - - cwe-90 - - owasp-top-10 - - boost-baseline - - ALL - description: The product constructs all or part of an LDAP query using externally-influenced - input from an upstream component, but it does not neutralize or incorrectly - neutralizes special elements that could modify the intended LDAP query when - it is sent to a downstream component. 
- group: top10-injection - name: CSharp_Medium_Threat_Stored_LDAP_Injection - pretty_name: Stored LDAP Injection - CSharp - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CSharp_Medium_Threat_Stored_Path_Traversal: - categories: - - ALL - - checkmarx-medium-threat - - owasp-top-10 - - boost-baseline - - cwe-22 - - cwe-top-25 - description: The product uses external input to construct a pathname that is intended - to identify a file or directory that is located underneath a restricted parent - directory, but the product does not properly neutralize special elements within - the pathname that can cause the pathname to resolve to a location that is outside - of the restricted directory. - group: top10-broken-access-control - name: CSharp_Medium_Threat_Stored_Path_Traversal - pretty_name: Stored Path Traversal - CSharp - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CSharp_Medium_Threat_Stored_XPath_Injection: - categories: - - checkmarx-medium-threat - - cwe-643 - - owasp-top-10 - - boost-baseline - - ALL - description: The product uses external input to dynamically construct an XPath - expression used to retrieve data from an XML database, but it does not neutralize - or incorrectly neutralizes that input. This allows an attacker to control the - structure of the query. - group: top10-injection - name: CSharp_Medium_Threat_Stored_XPath_Injection - pretty_name: Stored XPath Injection - CSharp - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CSharp_Medium_Threat_Unclosed_Connection: - categories: - - cwe-404 - - checkmarx-medium-threat - - owasp-top-10 - - boost-baseline - - ALL - description: The product does not release or incorrectly releases a resource before - it is made available for re-use. 
- group: top10-insecure-design - name: CSharp_Medium_Threat_Unclosed_Connection - pretty_name: Unclosed Connection - CSharp - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CSharp_Medium_Threat_Unsafe_Object_Binding: - categories: - - checkmarx-medium-threat - - owasp-top-10 - - cwe-915 - - boost-baseline - - ALL - description: The product receives input from an upstream component that specifies - multiple attributes, properties, or fields that are to be initialized or updated - in an object, but it does not properly control which attributes can be modified. - group: top10-software-data-integrity-failures - name: CSharp_Medium_Threat_Unsafe_Object_Binding - pretty_name: Unsafe Object Binding - CSharp - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CSharp_Medium_Threat_Use_of_Cryptographically_Weak_PRNG: - categories: - - checkmarx-medium-threat - - cwe-338 - - owasp-top-10 - - boost-baseline - - ALL - description: The product uses a Pseudo-Random Number Generator (PRNG) in a security - context, but the PRNG's algorithm is not cryptographically strong. - group: top10-crypto-failures - name: CSharp_Medium_Threat_Use_of_Cryptographically_Weak_PRNG - pretty_name: Use of Cryptographically Weak PRNG - CSharp - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CSharp_Medium_Threat_Use_of_Hard_coded_Cryptographic_Key: - categories: - - cwe-321 - - checkmarx-medium-threat - - owasp-top-10 - - boost-baseline - - ALL - description: The use of a hard-coded cryptographic key significantly increases - the possibility that encrypted data may be recovered. 
- group: top10-crypto-failures - name: CSharp_Medium_Threat_Use_of_Hard_coded_Cryptographic_Key - pretty_name: Use of Hard coded Cryptographic Key - CSharp - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CSharp_Medium_Threat_Value_Shadowing: - categories: - - checkmarx-medium-threat - - owasp-top-10 - - cwe-233 - - boost-baseline - - ALL - description: The product does not properly handle when the expected number of - parameters, fields, or arguments is not provided in input, or if those parameters - are undefined. - group: top10-injection - name: CSharp_Medium_Threat_Value_Shadowing - pretty_name: Value Shadowing - CSharp - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CSharp_WebConfig_CookieLess_Authentication: - categories: - - owasp-top-10 - - checkmarx-web-config - - boost-baseline - - ALL - - cwe-642 - description: The product stores security-critical state information about its - users, or the product itself, in a location that is accessible to unauthorized - actors. - group: top10-insecure-design - name: CSharp_WebConfig_CookieLess_Authentication - pretty_name: CookieLess Authentication - CSharp - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CSharp_WebConfig_CookieLess_Session_State: - categories: - - boost-baseline - - ALL - - checkmarx-web-config - - owasp-top-10 - description: Session state is configured with cookieless enabled in web.config, - leading to possible session hijacking through URL leaks. 
- group: top10-broken-access-control - name: CSharp_WebConfig_CookieLess_Session_State - pretty_name: CookieLess Session State - CSharp - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CSharp_WebConfig_CustomError: - categories: - - cwe-12 - - owasp-top-10 - - checkmarx-web-config - - boost-baseline - - ALL - description: An ASP .NET application must enable custom error pages in order to - prevent attackers from mining information from the framework's built-in responses. - group: top10-security-misconfiguration - name: CSharp_WebConfig_CustomError - pretty_name: CustomError - CSharp - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CSharp_WebConfig_DebugEnabled: - categories: - - boost-baseline - - ALL - - checkmarx-web-config - - cwe-11 - description: Debugging messages help attackers learn about the system and plan - a form of attack. - group: top10-security-misconfiguration - name: CSharp_WebConfig_DebugEnabled - pretty_name: DebugEnabled - CSharp - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CSharp_WebConfig_Directory_Browse: - categories: - - cwe-548 - - owasp-top-10 - - checkmarx-web-config - - boost-baseline - - ALL - description: A directory listing is inappropriately exposed, yielding potentially - sensitive information to attackers. 
- group: top10-broken-access-control - name: CSharp_WebConfig_Directory_Browse - pretty_name: Directory Browse - CSharp - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CSharp_WebConfig_Elmah_Enabled: - categories: - - owasp-top-10 - - checkmarx-web-config - - boost-baseline - - ALL - - cwe-213 - description: The product's intended functionality exposes information to certain - actors in accordance with the developer's security policy, but this information - is regarded as sensitive according to the intended security policies of other - stakeholders such as the product's administrator, users, or others whose information - is being processed. - group: top10-insecure-design - name: CSharp_WebConfig_Elmah_Enabled - pretty_name: Elmah Enabled - CSharp - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CSharp_WebConfig_HardcodedCredentials: - categories: - - cwe-489 - - owasp-top-10 - - checkmarx-web-config - - boost-baseline - - ALL - description: The product is deployed to unauthorized actors with debugging code - still enabled or active, which can create unintended entry points or expose - sensitive information. - group: top10-id-authn-failures - name: CSharp_WebConfig_HardcodedCredentials - pretty_name: HardcodedCredentials - CSharp - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CSharp_WebConfig_HttpOnlyCookies_In_Config: - categories: - - cwe-1004 - - ALL - - boost-baseline - - checkmarx-web-config - description: The product uses a cookie to store sensitive information, but the - cookie is not marked with the HttpOnly flag. 
- group: top10-security-misconfiguration - name: CSharp_WebConfig_HttpOnlyCookies_In_Config - pretty_name: HttpOnlyCookies In Config - CSharp - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CSharp_WebConfig_Missing_X_Frame_Options: - categories: - - owasp-top-10 - - checkmarx-web-config - - cwe-1021 - - boost-baseline - - ALL - description: The web application does not restrict or incorrectly restricts frame - objects or UI layers that belong to another application or domain, which can - lead to user confusion about which interface the user is interacting with. - group: top10-insecure-design - name: CSharp_WebConfig_Missing_X_Frame_Options - pretty_name: Missing X Frame Options - CSharp - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CSharp_WebConfig_NonUniqueFormName: - categories: - - owasp-top-10 - - checkmarx-web-config - - cwe-694 - - boost-baseline - - ALL - description: The product uses multiple resources that can have the same identifier, - in a context in which unique identifiers are required. - group: top10-insecure-design - name: CSharp_WebConfig_NonUniqueFormName - pretty_name: NonUniqueFormName - CSharp - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CSharp_WebConfig_Password_in_Configuration_File: - categories: - - boost-baseline - - ALL - - checkmarx-web-config - - cwe-260 - description: The product stores a password in a configuration file that might - be accessible to actors who do not know the password. 
- group: top10-security-misconfiguration - name: CSharp_WebConfig_Password_in_Configuration_File - pretty_name: Password in Configuration File - CSharp - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CSharp_WebConfig_RequireSSL: - categories: - - boost-baseline - - cwe-614 - - ALL - - checkmarx-web-config - description: The Secure attribute for sensitive cookies in HTTPS sessions is not - set, which could cause the user agent to send those cookies in plaintext over - an HTTP session. - group: top10-security-misconfiguration - name: CSharp_WebConfig_RequireSSL - pretty_name: RequireSSL - CSharp - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CSharp_WebConfig_SlidingExpiration: - categories: - - owasp-top-10 - - checkmarx-web-config - - boost-baseline - - ALL - - cwe-613 - description: According to WASC, "Insufficient Session Expiration is when a web - site permits an attacker to reuse old session credentials or session IDs for - authorization." - group: top10-id-authn-failures - name: CSharp_WebConfig_SlidingExpiration - pretty_name: SlidingExpiration - CSharp - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CSharp_WebConfig_TraceEnabled: - categories: - - boost-baseline - - owasp-top-10 - - checkmarx-web-config - - cwe-749 - - ALL - description: The product provides an Applications Programming Interface (API) - or similar interface for interaction with external actors, but the interface - includes a dangerous method or function that is not properly restricted. 
- group: top10-insecure-design - name: CSharp_WebConfig_TraceEnabled - pretty_name: TraceEnabled - CSharp - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CSharp_Windows_Phone_Client_Side_Injection: - categories: - - boost-hardened - - checkmarx-windows-phone - - cwe-89 - - owasp-top-10 - - boost-baseline - - ALL - - cwe-top-25 - description: The product constructs all or part of an SQL command using externally-influenced - input from an upstream component, but it does not neutralize or incorrectly - neutralizes special elements that could modify the intended SQL command when - it is sent to a downstream component. - group: top10-injection - name: CSharp_Windows_Phone_Client_Side_Injection - pretty_name: Client Side Injection - CSharp - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CSharp_Windows_Phone_Failure_to_Implement_Least_Privilege: - categories: - - ALL - - checkmarx-windows-phone - - owasp-top-10 - - boost-baseline - - cwe-250 - description: The product performs an operation at a privilege level that is higher - than the minimum level required, which creates new weaknesses or amplifies the - consequences of other weaknesses. - group: top10-broken-access-control - name: CSharp_Windows_Phone_Failure_to_Implement_Least_Privilege - pretty_name: Failure to Implement Least Privilege - CSharp - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CSharp_Windows_Phone_Hard_Coded_Cryptography_Key: - categories: - - cwe-321 - - checkmarx-windows-phone - - owasp-top-10 - - boost-baseline - - ALL - description: The use of a hard-coded cryptographic key significantly increases - the possibility that encrypted data may be recovered. 
- group: top10-crypto-failures - name: CSharp_Windows_Phone_Hard_Coded_Cryptography_Key - pretty_name: Hard Coded Cryptography Key - CSharp - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CSharp_Windows_Phone_Insecure_Data_Storage: - categories: - - boost-hardened - - cwe-312 - - checkmarx-windows-phone - - owasp-top-10 - - boost-baseline - - ALL - description: The product stores sensitive information in cleartext within a resource - that might be accessible to another control sphere. - group: top10-insecure-design - name: CSharp_Windows_Phone_Insecure_Data_Storage - pretty_name: Insecure Data Storage - CSharp - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CSharp_Windows_Phone_Insufficient_Application_Layer_Protect: - categories: - - boost-hardened - - checkmarx-windows-phone - - cwe-311 - - owasp-top-10 - - boost-baseline - - ALL - description: The product does not encrypt sensitive or critical information before - storage or transmission. - group: top10-insecure-design - name: CSharp_Windows_Phone_Insufficient_Application_Layer_Protect - pretty_name: Insufficient Application Layer Protect - CSharp - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CSharp_Windows_Phone_Poor_Authorization_and_Authentication: - categories: - - checkmarx-windows-phone - - cwe-287 - - owasp-top-10 - - boost-baseline - - ALL - - cwe-top-25 - description: When an actor claims to have a given identity, the product does not - prove or insufficiently proves that the claim is correct. 
- group: top10-id-authn-failures - name: CSharp_Windows_Phone_Poor_Authorization_and_Authentication - pretty_name: Poor Authorization and Authentication - CSharp - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - CSharp_Windows_Phone_Side_Channel_Data_Leakage: - categories: - - checkmarx-windows-phone - - owasp-top-10 - - boost-baseline - - ALL - - cwe-200 - description: The product exposes sensitive information to an actor that is not - explicitly authorized to have access to that information. - group: top10-broken-access-control - name: CSharp_Windows_Phone_Side_Channel_Data_Leakage - pretty_name: Side Channel Data Leakage - CSharp - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Cobol_Heuristic_Possible_Module_Injection: - categories: - - checkmarx-heuristic - - owasp-top-10 - - cwe-610 - - boost-baseline - - ALL - description: The product uses an externally controlled name or reference that - resolves to a resource that is outside of the intended control sphere. - group: top10-injection - name: Cobol_Heuristic_Possible_Module_Injection - pretty_name: Possible Module Injection - Cobol - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Cobol_High_Risk_Command_Injection: - categories: - - boost-hardened - - cwe-77 - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-high-risk - - cwe-top-25 - description: The product constructs all or part of a command using externally-influenced - input from an upstream component, but it does not neutralize or incorrectly - neutralizes special elements that could modify the intended command when it - is sent to a downstream component. 
- group: top10-injection - name: Cobol_High_Risk_Command_Injection - pretty_name: Command Injection - Cobol - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Cobol_High_Risk_Module_Injection: - categories: - - boost-hardened - - owasp-top-10 - - cwe-610 - - boost-baseline - - ALL - - checkmarx-high-risk - description: The product uses an externally controlled name or reference that - resolves to a resource that is outside of the intended control sphere. - group: top10-injection - name: Cobol_High_Risk_Module_Injection - pretty_name: Module Injection - Cobol - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Cobol_High_Risk_Reflected_XSS_All_Clients: - categories: - - boost-hardened - - cwe-79 - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-high-risk - - cwe-top-25 - description: The product does not neutralize or incorrectly neutralizes user-controllable - input before it is placed in output that is used as a web page that is served - to other users. - group: top10-injection - name: Cobol_High_Risk_Reflected_XSS_All_Clients - pretty_name: Reflected XSS All Clients - Cobol - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Cobol_High_Risk_Resource_Injection: - categories: - - boost-hardened - - owasp-top-10 - - cwe-99 - - boost-baseline - - ALL - - checkmarx-high-risk - description: The product receives input from an upstream component, but it does - not restrict or incorrectly restricts the input before it is used as an identifier - for a resource that may be outside the intended sphere of control. 
- group: top10-injection - name: Cobol_High_Risk_Resource_Injection - pretty_name: Resource Injection - Cobol - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Cobol_High_Risk_Sql_Injection: - categories: - - boost-hardened - - cwe-89 - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-high-risk - - cwe-top-25 - description: The product constructs all or part of an SQL command using externally-influenced - input from an upstream component, but it does not neutralize or incorrectly - neutralizes special elements that could modify the intended SQL command when - it is sent to a downstream component. - group: top10-injection - name: Cobol_High_Risk_Sql_Injection - pretty_name: Sql Injection - Cobol - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Cobol_Low_Visibility_Information_Leak_Through_Comments: - categories: - - cwe-615 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: 'While adding general comments is very useful, some programmers tend - to leave important data, such as: filenames related to the web application, - old links or links which were not meant to be browsed by users, old code fragments, - etc.' - group: top10-broken-access-control - name: Cobol_Low_Visibility_Information_Leak_Through_Comments - pretty_name: Information Leak Through Comments - Cobol - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Cobol_Low_Visibility_Use_Of_Hardcoded_Password: - categories: - - ALL - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - cwe-259 - description: The product contains a hard-coded password, which it uses for its - own inbound authentication or for outbound communication to external components. 
- group: top10-id-authn-failures - name: Cobol_Low_Visibility_Use_Of_Hardcoded_Password - pretty_name: Use Of Hardcoded Password - Cobol - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Cobol_Medium_Threat_Ignored_Error_Conditions: - categories: - - cwe-703 - - checkmarx-medium-threat - - owasp-top-10 - - boost-baseline - - ALL - description: The product does not properly anticipate or handle exceptional conditions - that rarely occur during normal operation of the product. - group: top10-insecure-design - name: Cobol_Medium_Threat_Ignored_Error_Conditions - pretty_name: Ignored Error Conditions - Cobol - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Cobol_Medium_Threat_Path_Traversal: - categories: - - ALL - - checkmarx-medium-threat - - owasp-top-10 - - boost-baseline - - cwe-22 - - cwe-top-25 - description: The product uses external input to construct a pathname that is intended - to identify a file or directory that is located underneath a restricted parent - directory, but the product does not properly neutralize special elements within - the pathname that can cause the pathname to resolve to a location that is outside - of the restricted directory. - group: top10-broken-access-control - name: Cobol_Medium_Threat_Path_Traversal - pretty_name: Path Traversal - Cobol - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Dart_Mobile_Best_Coding_Practice_Encrypted_Sensitive_Information_in_External_Storage: - categories: - - boost-baseline - - ALL - - checkmarx-best-coding-practices - - owasp-top-10 - description: Sensitive information stored in external storage is not encrypted, - leaving it vulnerable to unauthorized access or data breaches. 
- group: top10-insecure-design - name: Dart_Mobile_Best_Coding_Practice_Encrypted_Sensitive_Information_in_External_Storage - pretty_name: Encrypted Sensitive Information in External Storage - Dart - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Dart_Mobile_Best_Coding_Practice_Unused_Permission: - categories: - - ALL - - owasp-top-10 - - checkmarx-best-coding-practices - - boost-baseline - - cwe-250 - description: The product performs an operation at a privilege level that is higher - than the minimum level required, which creates new weaknesses or amplifies the - consequences of other weaknesses. - group: top10-insecure-design - name: Dart_Mobile_Best_Coding_Practice_Unused_Permission - pretty_name: Unused Permission - Dart - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Dart_Mobile_Best_Coding_Practice_Using_Deprecated_Methods: - categories: - - cwe-477 - - owasp-top-10 - - checkmarx-best-coding-practices - - boost-baseline - - ALL - description: The code uses deprecated or obsolete functions, which suggests that - the code has not been actively reviewed or maintained. - group: top10-insecure-design - name: Dart_Mobile_Best_Coding_Practice_Using_Deprecated_Methods - pretty_name: Using Deprecated Methods - Dart - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Dart_Mobile_Best_Coding_Practice_WebView_Cache_Information_Leak: - categories: - - boost-baseline - - ALL - - checkmarx-best-coding-practices - - owasp-top-10 - description: WebView cache data in Dart mobile applications is not properly cleared - or controlled, posing a risk for sensitive information leakage. 
- group: top10-insecure-design - name: Dart_Mobile_Best_Coding_Practice_WebView_Cache_Information_Leak - pretty_name: WebView Cache Information Leak - Dart - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Dart_Mobile_High_Risk_Resource_Updated_By_URL_Data: - categories: - - boost-hardened - - checkmarx-android - - owasp-top-10 - - boost-baseline - - ALL - description: The product uses a handler for a custom URL scheme, but it does not - properly restrict which actors can invoke the handler using the scheme. - group: top10-software-data-integrity-failures - name: Dart_Mobile_High_Risk_Resource_Updated_By_URL_Data - pretty_name: Resource Updated By URL Data - Dart - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Dart_Mobile_High_Risk_Sensitive_Information_Over_HTTP: - categories: - - boost-hardened - - checkmarx-android - - owasp-top-10 - - cwe-319 - - boost-baseline - - ALL - description: The product transmits sensitive or security-critical data in cleartext - in a communication channel that can be sniffed by unauthorized actors. - group: top10-broken-access-control - name: Dart_Mobile_High_Risk_Sensitive_Information_Over_HTTP - pretty_name: Sensitive Information Over HTTP - Dart - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Dart_Mobile_High_Risk_Sensitive_Information_Through_URL_Scheme: - categories: - - boost-hardened - - checkmarx-android - - owasp-top-10 - - cwe-319 - - boost-baseline - - ALL - description: The product transmits sensitive or security-critical data in cleartext - in a communication channel that can be sniffed by unauthorized actors. 
- group: top10-broken-access-control - name: Dart_Mobile_High_Risk_Sensitive_Information_Through_URL_Scheme - pretty_name: Sensitive Information Through URL Scheme - Dart - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Dart_Mobile_High_Risk_Unencrypted_Sensitive_Information_in_Publicly_Accessible_Cloud_Storage: - categories: - - boost-hardened - - cwe-922 - - checkmarx-android - - owasp-top-10 - - boost-baseline - - ALL - description: The product stores sensitive information without properly limiting - read or write access by unauthorized actors. - group: top10-broken-access-control - name: Dart_Mobile_High_Risk_Unencrypted_Sensitive_Information_in_Publicly_Accessible_Cloud_Storage - pretty_name: Unencrypted Sensitive Information in Publicly Accessible Cloud Storage - - Dart - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Dart_Mobile_High_Risk_Unsafe_Reflection: - categories: - - boost-hardened - - checkmarx-android - - cwe-470 - - owasp-top-10 - - boost-baseline - - ALL - description: The product uses external input with reflection to select which classes - or code to use, but it does not sufficiently prevent the input from selecting - improper classes or code. - group: top10-injection - name: Dart_Mobile_High_Risk_Unsafe_Reflection - pretty_name: Unsafe Reflection - Dart - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Dart_Mobile_Low_Visibility_App_Transport_Security_Disabled: - categories: - - owasp-top-10 - - checkmarx-android - - cwe-319 - - boost-baseline - - ALL - description: The product transmits sensitive or security-critical data in cleartext - in a communication channel that can be sniffed by unauthorized actors. 
- group: top10-security-misconfiguration - name: Dart_Mobile_Low_Visibility_App_Transport_Security_Disabled - pretty_name: App Transport Security Disabled - Dart - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Dart_Mobile_Low_Visibility_Autocorrection_Keystroke_Logging: - categories: - - owasp-top-10 - - checkmarx-android - - boost-baseline - - ALL - - cwe-359 - description: The product does not properly prevent a person's private, personal - information from being accessed by actors who either (1) are not explicitly - authorized to access the information or (2) do not have the implicit consent - of the person about whom the information is collected. - group: top10-broken-access-control - name: Dart_Mobile_Low_Visibility_Autocorrection_Keystroke_Logging - pretty_name: Autocorrection Keystroke Logging - Dart - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Dart_Mobile_Low_Visibility_Encrypted_Sensitive_Information_in_Publicly_Accessible_Cloud_Storage: - categories: - - cwe-922 - - owasp-top-10 - - checkmarx-android - - boost-baseline - - ALL - description: The product stores sensitive information without properly limiting - read or write access by unauthorized actors. - group: top10-broken-access-control - name: Dart_Mobile_Low_Visibility_Encrypted_Sensitive_Information_in_Publicly_Accessible_Cloud_Storage - pretty_name: Encrypted Sensitive Information in Publicly Accessible Cloud Storage - - Dart - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Dart_Mobile_Low_Visibility_Hardcoded_Password_In_Gradle: - categories: - - ALL - - owasp-top-10 - - checkmarx-android - - boost-baseline - - cwe-259 - description: The product contains a hard-coded password, which it uses for its - own inbound authentication or for outbound communication to external components. 
- group: top10-id-authn-failures - name: Dart_Mobile_Low_Visibility_Hardcoded_Password_In_Gradle - pretty_name: Hardcoded Password In Gradle - Dart - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Dart_Mobile_Low_Visibility_Implicit_Intent_With_Read_Write_Permissions: - categories: - - owasp-top-10 - - checkmarx-android - - cwe-668 - - boost-baseline - - ALL - description: The product exposes a resource to the wrong control sphere, providing - unintended actors with inappropriate access to the resource. - group: top10-broken-access-control - name: Dart_Mobile_Low_Visibility_Implicit_Intent_With_Read_Write_Permissions - pretty_name: Implicit Intent With Read Write Permissions - Dart - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Dart_Mobile_Low_Visibility_Improper_Resource_Shutdown_or_Release: - categories: - - cwe-404 - - owasp-top-10 - - checkmarx-android - - boost-baseline - - ALL - description: The product does not release or incorrectly releases a resource before - it is made available for re-use. - group: top10-insecure-design - name: Dart_Mobile_Low_Visibility_Improper_Resource_Shutdown_or_Release - pretty_name: Improper Resource Shutdown or Release - Dart - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Dart_Mobile_Low_Visibility_Insecure_Android_SDK_Version: - categories: - - cwe-477 - - owasp-top-10 - - checkmarx-android - - boost-baseline - - ALL - description: The code uses deprecated or obsolete functions, which suggests that - the code has not been actively reviewed or maintained. 
- group: top10-vulnerable-components - name: Dart_Mobile_Low_Visibility_Insecure_Android_SDK_Version - pretty_name: Insecure Android SDK Version - Dart - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Dart_Mobile_Low_Visibility_Insecure_HTTP_Connections_Enabled: - categories: - - owasp-top-10 - - checkmarx-android - - cwe-319 - - boost-baseline - - ALL - description: The product transmits sensitive or security-critical data in cleartext - in a communication channel that can be sniffed by unauthorized actors. - group: top10-crypto-failures - name: Dart_Mobile_Low_Visibility_Insecure_HTTP_Connections_Enabled - pretty_name: Insecure HTTP Connections Enabled - Dart - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Dart_Mobile_Low_Visibility_Missing_Certificate_Pinning: - categories: - - owasp-top-10 - - checkmarx-android - - cwe-295 - - boost-baseline - - ALL - description: The product does not validate, or incorrectly validates, a certificate. - group: top10-id-authn-failures - name: Dart_Mobile_Low_Visibility_Missing_Certificate_Pinning - pretty_name: Missing Certificate Pinning - Dart - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Dart_Mobile_Low_Visibility_Missing_Device_Lock_Verification: - categories: - - owasp-top-10 - - cwe-829 - - checkmarx-android - - boost-baseline - - ALL - description: The product imports, requires, or includes executable functionality - (such as a library) from a source that is outside of the intended control sphere. 
- group: top10-software-data-integrity-failures - name: Dart_Mobile_Low_Visibility_Missing_Device_Lock_Verification - pretty_name: Missing Device Lock Verification - Dart - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Dart_Mobile_Low_Visibility_Missing_Root_Or_Jailbreak_Check: - categories: - - cwe-693 - - owasp-top-10 - - checkmarx-android - - boost-baseline - - ALL - description: The product does not use or incorrectly uses a protection mechanism - that provides sufficient defense against directed attacks against the product. - group: top10-insecure-design - name: Dart_Mobile_Low_Visibility_Missing_Root_Or_Jailbreak_Check - pretty_name: Missing Root Or Jailbreak Check - Dart - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Dart_Mobile_Low_Visibility_No_Installer_Verification_Implemented: - categories: - - cwe-693 - - owasp-top-10 - - checkmarx-android - - boost-baseline - - ALL - description: The product does not use or incorrectly uses a protection mechanism - that provides sufficient defense against directed attacks against the product. - group: top10-software-data-integrity-failures - name: Dart_Mobile_Low_Visibility_No_Installer_Verification_Implemented - pretty_name: No Installer Verification Implemented - Dart - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Dart_Mobile_Low_Visibility_Parameter_Tampering: - categories: - - owasp-top-10 - - cwe-472 - - checkmarx-android - - boost-baseline - - ALL - description: The web application does not sufficiently verify inputs that are - assumed to be immutable but are actually externally controllable, such as hidden - form fields. 
- group: top10-insecure-design - name: Dart_Mobile_Low_Visibility_Parameter_Tampering - pretty_name: Parameter Tampering - Dart - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Dart_Mobile_Low_Visibility_Private_Storage_SQL_Injection: - categories: - - cwe-89 - - owasp-top-10 - - checkmarx-android - - boost-baseline - - ALL - - cwe-top-25 - description: The product constructs all or part of an SQL command using externally-influenced - input from an upstream component, but it does not neutralize or incorrectly - neutralizes special elements that could modify the intended SQL command when - it is sent to a downstream component. - group: top10-injection - name: Dart_Mobile_Low_Visibility_Private_Storage_SQL_Injection - pretty_name: Private Storage SQL Injection - Dart - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Dart_Mobile_Low_Visibility_Private_Storage_WebView_JavaScript_Injection: - categories: - - cwe-79 - - owasp-top-10 - - checkmarx-android - - boost-baseline - - ALL - - cwe-top-25 - description: The product does not neutralize or incorrectly neutralizes user-controllable - input before it is placed in output that is used as a web page that is served - to other users. - group: top10-injection - name: Dart_Mobile_Low_Visibility_Private_Storage_WebView_JavaScript_Injection - pretty_name: Private Storage WebView JavaScript Injection - Dart - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Dart_Mobile_Low_Visibility_Secret_Stored_Outside_of_Keychain: - categories: - - cwe-922 - - owasp-top-10 - - checkmarx-android - - boost-baseline - - ALL - description: The product stores sensitive information without properly limiting - read or write access by unauthorized actors. 
- group: top10-broken-access-control - name: Dart_Mobile_Low_Visibility_Secret_Stored_Outside_of_Keychain - pretty_name: Secret Stored Outside of Keychain - Dart - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Dart_Mobile_Low_Visibility_Self_SQL_Injection: - categories: - - cwe-89 - - owasp-top-10 - - checkmarx-android - - boost-baseline - - ALL - - cwe-top-25 - description: The product constructs all or part of an SQL command using externally-influenced - input from an upstream component, but it does not neutralize or incorrectly - neutralizes special elements that could modify the intended SQL command when - it is sent to a downstream component. - group: top10-injection - name: Dart_Mobile_Low_Visibility_Self_SQL_Injection - pretty_name: Self SQL Injection - Dart - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Dart_Mobile_Low_Visibility_Self_WebView_JavaScript_Injection: - categories: - - cwe-79 - - owasp-top-10 - - checkmarx-android - - boost-baseline - - ALL - - cwe-top-25 - description: The product does not neutralize or incorrectly neutralizes user-controllable - input before it is placed in output that is used as a web page that is served - to other users. - group: top10-injection - name: Dart_Mobile_Low_Visibility_Self_WebView_JavaScript_Injection - pretty_name: Self WebView JavaScript Injection - Dart - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Dart_Mobile_Low_Visibility_Unencrypted_Sensitive_Information_in_Internal_Storage: - categories: - - cwe-922 - - owasp-top-10 - - checkmarx-android - - boost-baseline - - ALL - description: The product stores sensitive information without properly limiting - read or write access by unauthorized actors. 
- group: top10-broken-access-control - name: Dart_Mobile_Low_Visibility_Unencrypted_Sensitive_Information_in_Internal_Storage - pretty_name: Unencrypted Sensitive Information in Internal Storage - Dart - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Dart_Mobile_Low_Visibility_Unencrypted_Sensitive_Information_in_Temporary_File: - categories: - - owasp-top-10 - - cwe-377 - - checkmarx-android - - boost-baseline - - ALL - description: Creating and using insecure temporary files can leave application - and system data vulnerable to attack. - group: top10-broken-access-control - name: Dart_Mobile_Low_Visibility_Unencrypted_Sensitive_Information_in_Temporary_File - pretty_name: Unencrypted Sensitive Information in Temporary File - Dart - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Dart_Mobile_Low_Visibility_Use_Of_Implicit_Intent_For_Sensitive_Communication: - categories: - - cwe-927 - - owasp-top-10 - - checkmarx-android - - boost-baseline - - ALL - description: The Android application uses an implicit intent for transmitting - sensitive data to other applications. - group: top10-insecure-design - name: Dart_Mobile_Low_Visibility_Use_Of_Implicit_Intent_For_Sensitive_Communication - pretty_name: Use Of Implicit Intent For Sensitive Communication - Dart - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Dart_Mobile_Low_Visibility_Use_of_Native_Language: - categories: - - owasp-top-10 - - checkmarx-android - - cwe-695 - - boost-baseline - - ALL - description: The product uses low-level functionality that is explicitly prohibited - by the framework or specification under which the product is supposed to operate. 
- group: top10-injection - name: Dart_Mobile_Low_Visibility_Use_of_Native_Language - pretty_name: Use of Native Language - Dart - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Dart_Mobile_Low_Visibility_Use_of_Non_Cryptographic_Random: - categories: - - cwe-330 - - owasp-top-10 - - checkmarx-android - - boost-baseline - - ALL - description: The product uses insufficiently random numbers or values in a security - context that depends on unpredictable numbers. - group: top10-crypto-failures - name: Dart_Mobile_Low_Visibility_Use_of_Non_Cryptographic_Random - pretty_name: Use of Non Cryptographic Random - Dart - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Dart_Mobile_Low_Visibility_User_Information_in_Publicly_Accessible_Storage: - categories: - - cwe-922 - - owasp-top-10 - - checkmarx-android - - boost-baseline - - ALL - description: The product stores sensitive information without properly limiting - read or write access by unauthorized actors. - group: top10-broken-access-control - name: Dart_Mobile_Low_Visibility_User_Information_in_Publicly_Accessible_Storage - pretty_name: User Information in Publicly Accessible Storage - Dart - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Dart_Mobile_Medium_Threat_Broken_or_Risky_Encryption_Algorithm: - categories: - - cwe-327 - - checkmarx-medium-threat - - owasp-top-10 - - boost-baseline - - ALL - description: The product uses a broken or risky cryptographic algorithm or protocol. 
- group: top10-crypto-failures - name: Dart_Mobile_Medium_Threat_Broken_or_Risky_Encryption_Algorithm - pretty_name: Broken or Risky Encryption Algorithm - Dart - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Dart_Mobile_Medium_Threat_Broken_or_Risky_Hashing_Function: - categories: - - cwe-328 - - checkmarx-medium-threat - - owasp-top-10 - - boost-baseline - - ALL - description: The product uses an algorithm that produces a digest (output value) - that does not meet security expectations for a hash function that allows an - adversary to reasonably determine the original input (preimage attack), find - another input that can produce the same hash (2nd preimage attack), or find - multiple inputs that evaluate to the same hash (birthday attack). - group: top10-crypto-failures - name: Dart_Mobile_Medium_Threat_Broken_or_Risky_Hashing_Function - pretty_name: Broken or Risky Hashing Function - Dart - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Dart_Mobile_Medium_Threat_Communication_Over_HTTP: - categories: - - checkmarx-medium-threat - - owasp-top-10 - - cwe-319 - - boost-baseline - - ALL - description: The product transmits sensitive or security-critical data in cleartext - in a communication channel that can be sniffed by unauthorized actors. - group: top10-crypto-failures - name: Dart_Mobile_Medium_Threat_Communication_Over_HTTP - pretty_name: Communication Over HTTP - Dart - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Dart_Mobile_Medium_Threat_Encoding_Used_Instead_of_Encryption: - categories: - - checkmarx-medium-threat - - owasp-top-10 - - cwe-311 - - boost-baseline - - ALL - description: The product does not encrypt sensitive or critical information before - storage or transmission. 
- group: top10-insecure-design - name: Dart_Mobile_Medium_Threat_Encoding_Used_Instead_of_Encryption - pretty_name: Encoding Used Instead of Encryption - Dart - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Dart_Mobile_Medium_Threat_Improper_Certificate_Validation: - categories: - - checkmarx-medium-threat - - owasp-top-10 - - cwe-295 - - boost-baseline - - ALL - description: The product does not validate, or incorrectly validates, a certificate. - group: top10-id-authn-failures - name: Dart_Mobile_Medium_Threat_Improper_Certificate_Validation - pretty_name: Improper Certificate Validation - Dart - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Dart_Mobile_Medium_Threat_Information_Exposure_Through_Query_String: - categories: - - checkmarx-medium-threat - - owasp-top-10 - - cwe-598 - - boost-baseline - - ALL - description: The web application uses the HTTP GET method to process a request - and includes sensitive information in the query string of that request. - group: top10-insecure-design - name: Dart_Mobile_Medium_Threat_Information_Exposure_Through_Query_String - pretty_name: Information Exposure Through Query String - Dart - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Dart_Mobile_Medium_Threat_Insecure_Asymmetric_Cryptographic_Algorithm_Parameters: - categories: - - ALL - - checkmarx-medium-threat - - owasp-top-10 - - boost-baseline - - cwe-326 - description: The product stores or transmits sensitive data using an encryption - scheme that is theoretically sound, but is not strong enough for the level of - protection required. 
- group: top10-crypto-failures - name: Dart_Mobile_Medium_Threat_Insecure_Asymmetric_Cryptographic_Algorithm_Parameters - pretty_name: Insecure Asymmetric Cryptographic Algorithm Parameters - Dart - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Dart_Mobile_Medium_Threat_Insufficiently_Secure_Password_Storage_Algorithm_Parameters: - categories: - - checkmarx-medium-threat - - owasp-top-10 - - boost-baseline - - ALL - - cwe-522 - description: The product transmits or stores authentication credentials, but it - uses an insecure method that is susceptible to unauthorized interception and/or - retrieval. - group: top10-insecure-design - name: Dart_Mobile_Medium_Threat_Insufficiently_Secure_Password_Storage_Algorithm_Parameters - pretty_name: Insufficiently Secure Password Storage Algorithm Parameters - Dart - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Dart_Mobile_Medium_Threat_Pasteboard_Leakage: - categories: - - checkmarx-medium-threat - - owasp-top-10 - - boost-baseline - - ALL - - cwe-200 - description: The product exposes sensitive information to an actor that is not - explicitly authorized to have access to that information. 
- group: top10-broken-access-control - name: Dart_Mobile_Medium_Threat_Pasteboard_Leakage - pretty_name: Pasteboard Leakage - Dart - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Dart_Mobile_Medium_Threat_Path_Traversal: - categories: - - ALL - - checkmarx-medium-threat - - owasp-top-10 - - boost-baseline - - cwe-22 - - cwe-top-25 - description: The product uses external input to construct a pathname that is intended - to identify a file or directory that is located underneath a restricted parent - directory, but the product does not properly neutralize special elements within - the pathname that can cause the pathname to resolve to a location that is outside - of the restricted directory. - group: top10-broken-access-control - name: Dart_Mobile_Medium_Threat_Path_Traversal - pretty_name: Path Traversal - Dart - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Dart_Mobile_Medium_Threat_Poor_Authorization_and_Authentication: - categories: - - checkmarx-medium-threat - - cwe-287 - - owasp-top-10 - - boost-baseline - - ALL - - cwe-top-25 - description: When an actor claims to have a given identity, the product does not - prove or insufficiently proves that the claim is correct. 
- group: top10-id-authn-failures - name: Dart_Mobile_Medium_Threat_Poor_Authorization_and_Authentication - pretty_name: Poor Authorization and Authentication - Dart - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Dart_Mobile_Medium_Threat_Public_Storage_SQL_Injection: - categories: - - checkmarx-medium-threat - - cwe-89 - - owasp-top-10 - - boost-baseline - - ALL - - cwe-top-25 - description: The product constructs all or part of an SQL command using externally-influenced - input from an upstream component, but it does not neutralize or incorrectly - neutralizes special elements that could modify the intended SQL command when - it is sent to a downstream component. - group: top10-injection - name: Dart_Mobile_Medium_Threat_Public_Storage_SQL_Injection - pretty_name: Public Storage SQL Injection - Dart - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Dart_Mobile_Medium_Threat_Public_Storage_WebView_JavaScript_Injection: - categories: - - checkmarx-medium-threat - - cwe-79 - - owasp-top-10 - - boost-baseline - - ALL - - cwe-top-25 - description: The product does not neutralize or incorrectly neutralizes user-controllable - input before it is placed in output that is used as a web page that is served - to other users. 
- group: top10-injection - name: Dart_Mobile_Medium_Threat_Public_Storage_WebView_JavaScript_Injection - pretty_name: Public Storage WebView JavaScript Injection - Dart - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Dart_Mobile_Medium_Threat_SQL_Injection_from_URL_Scheme_or_Intent: - categories: - - checkmarx-medium-threat - - cwe-89 - - owasp-top-10 - - boost-baseline - - ALL - - cwe-top-25 - description: The product constructs all or part of an SQL command using externally-influenced - input from an upstream component, but it does not neutralize or incorrectly - neutralizes special elements that could modify the intended SQL command when - it is sent to a downstream component. - group: top10-injection - name: Dart_Mobile_Medium_Threat_SQL_Injection_from_URL_Scheme_or_Intent - pretty_name: SQL Injection from URL Scheme or Intent - Dart - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Dart_Mobile_Medium_Threat_Third_Party_Keyboards_On_Sensitive_Field: - categories: - - boost-baseline - - ALL - - checkmarx-medium-threat - - owasp-top-10 - description: Sensitive input fields in Dart mobile applications allow third-party - keyboards, posing a data leakage risk as these keyboards can capture and send - user input to remote servers. - group: top10-broken-access-control - name: Dart_Mobile_Medium_Threat_Third_Party_Keyboards_On_Sensitive_Field - pretty_name: Third Party Keyboards On Sensitive Field - Dart - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Dart_Mobile_Medium_Threat_Unencrypted_Sensitive_Information_in_External_Storage: - categories: - - cwe-922 - - checkmarx-medium-threat - - owasp-top-10 - - boost-baseline - - ALL - description: The product stores sensitive information without properly limiting - read or write access by unauthorized actors. 
- group: top10-broken-access-control - name: Dart_Mobile_Medium_Threat_Unencrypted_Sensitive_Information_in_External_Storage - pretty_name: Unencrypted Sensitive Information in External Storage - Dart - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Dart_Mobile_Medium_Threat_Use_of_Cryptographically_Weak_PRNG: - categories: - - checkmarx-medium-threat - - cwe-338 - - owasp-top-10 - - boost-baseline - - ALL - description: The product uses a Pseudo-Random Number Generator (PRNG) in a security - context, but the PRNG's algorithm is not cryptographically strong. - group: top10-crypto-failures - name: Dart_Mobile_Medium_Threat_Use_of_Cryptographically_Weak_PRNG - pretty_name: Use of Cryptographically Weak PRNG - Dart - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Dart_Mobile_Medium_Threat_Use_of_Hardcoded_Cryptographic_IV: - categories: - - ALL - - checkmarx-medium-threat - - owasp-top-10 - - boost-baseline - - cwe-326 - description: The product stores or transmits sensitive data using an encryption - scheme that is theoretically sound, but is not strong enough for the level of - protection required. - group: top10-crypto-failures - name: Dart_Mobile_Medium_Threat_Use_of_Hardcoded_Cryptographic_IV - pretty_name: Use of Hardcoded Cryptographic IV - Dart - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Dart_Mobile_Medium_Threat_Use_of_Hardcoded_Cryptographic_Key_in_Client: - categories: - - cwe-321 - - checkmarx-medium-threat - - owasp-top-10 - - boost-baseline - - ALL - description: The use of a hard-coded cryptographic key significantly increases - the possibility that encrypted data may be recovered. 
- group: top10-crypto-failures - name: Dart_Mobile_Medium_Threat_Use_of_Hardcoded_Cryptographic_Key_in_Client - pretty_name: Use of Hardcoded Cryptographic Key in Client - Dart - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Dart_Mobile_Medium_Threat_Use_of_Hardcoded_Salt: - categories: - - checkmarx-medium-threat - - owasp-top-10 - - cwe-760 - - boost-baseline - - ALL - description: The product uses a one-way cryptographic hash against an input that - should not be reversible, such as a password, but the product uses a predictable - salt as part of the input. - group: top10-crypto-failures - name: Dart_Mobile_Medium_Threat_Use_of_Hardcoded_Salt - pretty_name: Use of Hardcoded Salt - Dart - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Dart_Mobile_Medium_Threat_WebView_JavaScript_Injection_from_URL_Scheme: - categories: - - checkmarx-medium-threat - - cwe-79 - - owasp-top-10 - - boost-baseline - - ALL - - cwe-top-25 - description: The product does not neutralize or incorrectly neutralizes user-controllable - input before it is placed in output that is used as a web page that is served - to other users. - group: top10-injection - name: Dart_Mobile_Medium_Threat_WebView_JavaScript_Injection_from_URL_Scheme - pretty_name: WebView JavaScript Injection from URL Scheme - Dart - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Go_AWS_Lambda_AWS_Credentials_Leak: - categories: - - boost-hardened - - checkmarx-server-side-vulnerability - - owasp-top-10 - - boost-baseline - - ALL - - cwe-200 - description: The product exposes sensitive information to an actor that is not - explicitly authorized to have access to that information. 
- group: top10-broken-access-control - name: Go_AWS_Lambda_AWS_Credentials_Leak - pretty_name: AWS Credentials Leak - Go - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Go_AWS_Lambda_DynamoDB_NoSQL_Injection: - categories: - - boost-hardened - - checkmarx-server-side-vulnerability - - cwe-74 - - owasp-top-10 - - boost-baseline - - ALL - description: The product constructs all or part of a command, data structure, - or record using externally-influenced input from an upstream component, but - it does not neutralize or incorrectly neutralizes special elements that could - modify how it is parsed or interpreted when it is sent to a downstream component. - group: top10-injection - name: Go_AWS_Lambda_DynamoDB_NoSQL_Injection - pretty_name: DynamoDB NoSQL Injection - Go - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Go_AWS_Lambda_Hardcoded_AWS_Credentials: - categories: - - checkmarx-server-side-vulnerability - - owasp-top-10 - - boost-baseline - - ALL - - cwe-top-25 - - cwe-798 - description: The product contains hard-coded credentials, such as a password or - cryptographic key, which it uses for its own inbound authentication, outbound - communication to external components, or encryption of internal data. - group: top10-id-authn-failures - name: Go_AWS_Lambda_Hardcoded_AWS_Credentials - pretty_name: Hardcoded AWS Credentials - Go - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Go_AWS_Lambda_Permission_Manipulation_In_S3: - categories: - - checkmarx-server-side-vulnerability - - owasp-top-10 - - cwe-285 - - boost-baseline - - ALL - description: The product does not perform or incorrectly performs an authorization - check when an actor attempts to access a resource or perform an action. 
- group: top10-broken-access-control - name: Go_AWS_Lambda_Permission_Manipulation_In_S3 - pretty_name: Permission Manipulation In S3 - Go - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Go_AWS_Lambda_Race_Condition_Global_Scope: - categories: - - checkmarx-server-side-vulnerability - - owasp-top-10 - - boost-baseline - - ALL - description: The code is structured in a way that relies too much on using or - setting global variables throughout various points in the code, instead of preserving - the associated information in a narrower, more local context. - group: top10-insecure-design - name: Go_AWS_Lambda_Race_Condition_Global_Scope - pretty_name: Race Condition Global Scope - Go - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Go_AWS_Lambda_Unrestricted_Read_S3: - categories: - - checkmarx-server-side-vulnerability - - owasp-top-10 - - cwe-639 - - boost-baseline - - ALL - description: The system's authorization functionality does not prevent one user - from gaining access to another user's data or record by modifying the key value - identifying the data. - group: top10-broken-access-control - name: Go_AWS_Lambda_Unrestricted_Read_S3 - pretty_name: Unrestricted Read S3 - Go - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Go_AWS_Lambda_Unrestricted_Write_S3: - categories: - - checkmarx-server-side-vulnerability - - owasp-top-10 - - cwe-639 - - boost-baseline - - ALL - description: The system's authorization functionality does not prevent one user - from gaining access to another user's data or record by modifying the key value - identifying the data. 
- group: top10-broken-access-control - name: Go_AWS_Lambda_Unrestricted_Write_S3 - pretty_name: Unrestricted Write S3 - Go - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Go_AWS_Lambda_Use_of_Hardcoded_Cryptographic_Key_On_Server: - categories: - - cwe-321 - - checkmarx-server-side-vulnerability - - owasp-top-10 - - boost-baseline - - ALL - description: The use of a hard-coded cryptographic key significantly increases - the possibility that encrypted data may be recovered. - group: top10-crypto-failures - name: Go_AWS_Lambda_Use_of_Hardcoded_Cryptographic_Key_On_Server - pretty_name: Use of Hardcoded Cryptographic Key On Server - Go - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Go_AWS_Lambda_User_Based_SDK_Configurations: - categories: - - boost-baseline - - ALL - - cwe-15 - - checkmarx-server-side-vulnerability - description: One or more system settings or configuration elements can be externally - controlled by a user. - group: top10-security-misconfiguration - name: Go_AWS_Lambda_User_Based_SDK_Configurations - pretty_name: User Based SDK Configurations - Go - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Go_High_Risk_CGI_XSS: - categories: - - boost-hardened - - cwe-79 - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-high-risk - - cwe-top-25 - description: The product does not neutralize or incorrectly neutralizes user-controllable - input before it is placed in output that is used as a web page that is served - to other users. 
- group: top10-injection - name: Go_High_Risk_CGI_XSS - pretty_name: CGI XSS - Go - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Go_High_Risk_Command_Injection: - categories: - - boost-hardened - - cwe-77 - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-high-risk - - cwe-top-25 - description: The product constructs all or part of a command using externally-influenced - input from an upstream component, but it does not neutralize or incorrectly - neutralizes special elements that could modify the intended command when it - is sent to a downstream component. - group: top10-injection - name: Go_High_Risk_Command_Injection - pretty_name: Command Injection - Go - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Go_High_Risk_Connection_String_Injection: - categories: - - boost-hardened - - owasp-top-10 - - cwe-99 - - boost-baseline - - ALL - - checkmarx-high-risk - description: The product receives input from an upstream component, but it does - not restrict or incorrectly restricts the input before it is used as an identifier - for a resource that may be outside the intended sphere of control. - group: top10-injection - name: Go_High_Risk_Connection_String_Injection - pretty_name: Connection String Injection - Go - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Go_High_Risk_Deserialization_of_Untrusted_Data: - categories: - - boost-hardened - - boost-baseline - - owasp-top-10 - - cwe-502 - - ALL - - checkmarx-high-risk - - cwe-top-25 - description: The product deserializes untrusted data without sufficiently verifying - that the resulting data will be valid. 
- group: top10-software-data-integrity-failures - name: Go_High_Risk_Deserialization_of_Untrusted_Data - pretty_name: Deserialization of Untrusted Data - Go - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Go_High_Risk_JWT_No_Signature_Verification: - categories: - - boost-hardened - - cwe-287 - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-high-risk - - cwe-top-25 - description: When an actor claims to have a given identity, the product does not - prove or insufficiently proves that the claim is correct. - group: top10-id-authn-failures - name: Go_High_Risk_JWT_No_Signature_Verification - pretty_name: JWT No Signature Verification - Go - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Go_High_Risk_Reflected_XSS_All_Clients: - categories: - - boost-hardened - - cwe-79 - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-high-risk - - cwe-top-25 - description: The product does not neutralize or incorrectly neutralizes user-controllable - input before it is placed in output that is used as a web page that is served - to other users. - group: top10-injection - name: Go_High_Risk_Reflected_XSS_All_Clients - pretty_name: Reflected XSS All Clients - Go - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Go_High_Risk_SQL_Injection: - categories: - - boost-hardened - - cwe-89 - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-high-risk - - cwe-top-25 - description: The product constructs all or part of an SQL command using externally-influenced - input from an upstream component, but it does not neutralize or incorrectly - neutralizes special elements that could modify the intended SQL command when - it is sent to a downstream component. 
- group: top10-injection - name: Go_High_Risk_SQL_Injection - pretty_name: SQL Injection - Go - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Go_High_Risk_Second_Order_SQL_Injection: - categories: - - boost-hardened - - cwe-89 - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-high-risk - - cwe-top-25 - description: The product constructs all or part of an SQL command using externally-influenced - input from an upstream component, but it does not neutralize or incorrectly - neutralizes special elements that could modify the intended SQL command when - it is sent to a downstream component. - group: top10-injection - name: Go_High_Risk_Second_Order_SQL_Injection - pretty_name: Second Order SQL Injection - Go - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Go_High_Risk_Stored_Command_Injection: - categories: - - boost-hardened - - cwe-77 - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-high-risk - - cwe-top-25 - description: The product constructs all or part of a command using externally-influenced - input from an upstream component, but it does not neutralize or incorrectly - neutralizes special elements that could modify the intended command when it - is sent to a downstream component. - group: top10-injection - name: Go_High_Risk_Stored_Command_Injection - pretty_name: Stored Command Injection - Go - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Go_High_Risk_Stored_XSS_All_Clients: - categories: - - boost-hardened - - cwe-79 - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-high-risk - - cwe-top-25 - description: The product does not neutralize or incorrectly neutralizes user-controllable - input before it is placed in output that is used as a web page that is served - to other users. 
- group: top10-injection - name: Go_High_Risk_Stored_XSS_All_Clients - pretty_name: Stored XSS All Clients - Go - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Go_High_Risk_Unsafe_Reflection: - categories: - - boost-hardened - - cwe-470 - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-high-risk - description: The product uses external input with reflection to select which classes - or code to use, but it does not sufficiently prevent the input from selecting - improper classes or code. - group: top10-injection - name: Go_High_Risk_Unsafe_Reflection - pretty_name: Unsafe Reflection - Go - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Go_Insecure_Credential_Storage_Insecure_Credential_Storage_Mechanism: - categories: - - owasp-top-10 - - checkmarx-insecure-credential-storage - - boost-baseline - - ALL - - cwe-522 - description: The product transmits or stores authentication credentials, but it - uses an insecure method that is susceptible to unauthorized interception and/or - retrieval. - group: top10-insecure-design - name: Go_Insecure_Credential_Storage_Insecure_Credential_Storage_Mechanism - pretty_name: Insecure Credential Storage Mechanism - Go - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Go_Insecure_Credential_Storage_Insecure_Scrypt_Parameters: - categories: - - owasp-top-10 - - checkmarx-insecure-credential-storage - - boost-baseline - - ALL - - cwe-522 - description: The product transmits or stores authentication credentials, but it - uses an insecure method that is susceptible to unauthorized interception and/or - retrieval. 
- group: top10-insecure-design - name: Go_Insecure_Credential_Storage_Insecure_Scrypt_Parameters - pretty_name: Insecure Scrypt Parameters - Go - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Go_Insecure_Credential_Storage_Insufficient_Bcrypt_Cost: - categories: - - owasp-top-10 - - checkmarx-insecure-credential-storage - - boost-baseline - - ALL - - cwe-522 - description: The product transmits or stores authentication credentials, but it - uses an insecure method that is susceptible to unauthorized interception and/or - retrieval. - group: top10-insecure-design - name: Go_Insecure_Credential_Storage_Insufficient_Bcrypt_Cost - pretty_name: Insufficient Bcrypt Cost - Go - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Go_Insecure_Credential_Storage_Insufficient_Output_Length: - categories: - - owasp-top-10 - - checkmarx-insecure-credential-storage - - boost-baseline - - ALL - - cwe-522 - description: The product transmits or stores authentication credentials, but it - uses an insecure method that is susceptible to unauthorized interception and/or - retrieval. - group: top10-insecure-design - name: Go_Insecure_Credential_Storage_Insufficient_Output_Length - pretty_name: Insufficient Output Length - Go - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Go_Insecure_Credential_Storage_PBKDF2_Insufficient_Iteration_Count: - categories: - - owasp-top-10 - - checkmarx-insecure-credential-storage - - boost-baseline - - ALL - - cwe-522 - description: The product transmits or stores authentication credentials, but it - uses an insecure method that is susceptible to unauthorized interception and/or - retrieval. 
- group: top10-insecure-design - name: Go_Insecure_Credential_Storage_PBKDF2_Insufficient_Iteration_Count - pretty_name: PBKDF2 Insufficient Iteration Count - Go - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Go_Insecure_Credential_Storage_PBKDF2_Weak_Salt_Value: - categories: - - owasp-top-10 - - checkmarx-insecure-credential-storage - - boost-baseline - - ALL - - cwe-522 - description: The product transmits or stores authentication credentials, but it - uses an insecure method that is susceptible to unauthorized interception and/or - retrieval. - group: top10-insecure-design - name: Go_Insecure_Credential_Storage_PBKDF2_Weak_Salt_Value - pretty_name: PBKDF2 Weak Salt Value - Go - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Go_Insecure_Credential_Storage_Scrypt_Weak_Salt_Value: - categories: - - owasp-top-10 - - checkmarx-insecure-credential-storage - - boost-baseline - - ALL - - cwe-522 - description: The product transmits or stores authentication credentials, but it - uses an insecure method that is susceptible to unauthorized interception and/or - retrieval. - group: top10-insecure-design - name: Go_Insecure_Credential_Storage_Scrypt_Weak_Salt_Value - pretty_name: Scrypt Weak Salt Value - Go - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Go_Low_Visibility_Command_Argument_Injection: - categories: - - cwe-88 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: The product constructs a string for a command to be executed by a - separate component in another control sphere, but it does not properly delimit - the intended arguments, options, or switches within that command string. 
- group: top10-injection - name: Go_Low_Visibility_Command_Argument_Injection - pretty_name: Command Argument Injection - Go - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Go_Low_Visibility_Deprecated_API: - categories: - - cwe-477 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: The code uses deprecated or obsolete functions, which suggests that - the code has not been actively reviewed or maintained. - group: top10-insecure-design - name: Go_Low_Visibility_Deprecated_API - pretty_name: Deprecated API - Go - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Go_Low_Visibility_Empty_Password_In_Connection_String: - categories: - - cwe-521 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: The product does not require that users should have strong passwords, - which makes it easier for attackers to compromise user accounts. - group: top10-id-authn-failures - name: Go_Low_Visibility_Empty_Password_In_Connection_String - pretty_name: Empty Password In Connection String - Go - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Go_Low_Visibility_Improper_Error_Handling: - categories: - - cwe-248 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: An exception is thrown from a function, but it is not caught. 
- group: top10-insecure-design - name: Go_Low_Visibility_Improper_Error_Handling - pretty_name: Improper Error Handling - Go - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Go_Low_Visibility_Incorrect_Reflect_Value_Comparison: - categories: - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: The product compares object references instead of the contents of - the objects themselves, preventing it from detecting equivalent objects. - group: top10-insecure-design - name: Go_Low_Visibility_Incorrect_Reflect_Value_Comparison - pretty_name: Incorrect Reflect Value Comparison - Go - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Go_Low_Visibility_Log_Forging: - categories: - - boost-baseline - - ALL - - cwe-117 - - checkmarx-low-visibility - description: The product does not neutralize or incorrectly neutralizes output - that is written to logs. - group: top10-security-logging-monitoring-failures - name: Go_Low_Visibility_Log_Forging - pretty_name: Log Forging - Go - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Go_Low_Visibility_Missing_Content_Security_Policy: - categories: - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - - cwe-346 - description: The product does not properly verify that the source of data or communication - is valid. 
- group: top10-id-authn-failures - name: Go_Low_Visibility_Missing_Content_Security_Policy - pretty_name: Missing Content Security Policy - Go - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Go_Low_Visibility_Open_Redirect: - categories: - - checkmarx-low-visibility - - cwe-601 - - owasp-top-10 - - boost-baseline - - ALL - description: A web application accepts a user-controlled input that specifies - a link to an external site, and uses that link in a Redirect. This simplifies - phishing attacks. - group: top10-broken-access-control - name: Go_Low_Visibility_Open_Redirect - pretty_name: Open Redirect - Go - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Go_Low_Visibility_Overly_Permissive_Cross_Origin_Resource_Sharing_Policy: - categories: - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - - cwe-346 - description: The product does not properly verify that the source of data or communication - is valid. - group: top10-id-authn-failures - name: Go_Low_Visibility_Overly_Permissive_Cross_Origin_Resource_Sharing_Policy - pretty_name: Overly Permissive Cross Origin Resource Sharing Policy - Go - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Go_Low_Visibility_Permissive_Content_Security_Policy: - categories: - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - - cwe-346 - description: The product does not properly verify that the source of data or communication - is valid. 
- group: top10-id-authn-failures - name: Go_Low_Visibility_Permissive_Content_Security_Policy - pretty_name: Permissive Content Security Policy - Go - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Go_Low_Visibility_Plain_Text_Transport_Layer_in_Server: - categories: - - checkmarx-low-visibility - - owasp-top-10 - - cwe-319 - - boost-baseline - - ALL - description: The product transmits sensitive or security-critical data in cleartext - in a communication channel that can be sniffed by unauthorized actors. - group: top10-security-misconfiguration - name: Go_Low_Visibility_Plain_Text_Transport_Layer_in_Server - pretty_name: Plain Text Transport Layer in Server - Go - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Go_Low_Visibility_Race_Condition_In_Cross_Functionality: - categories: - - checkmarx-low-visibility - - cwe-362 - - owasp-top-10 - - boost-baseline - - ALL - - cwe-top-25 - description: The product contains a code sequence that can run concurrently with - other code, and the code sequence requires temporary, exclusive access to a - shared resource, but a timing window exists in which the shared resource can - be modified by another code sequence that is operating concurrently. - group: top10-insecure-design - name: Go_Low_Visibility_Race_Condition_In_Cross_Functionality - pretty_name: Race Condition In Cross Functionality - Go - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Go_Low_Visibility_Stored_Command_Argument_Injection: - categories: - - cwe-88 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: The product constructs a string for a command to be executed by a - separate component in another control sphere, but it does not properly delimit - the intended arguments, options, or switches within that command string. 
- group: top10-injection - name: Go_Low_Visibility_Stored_Command_Argument_Injection - pretty_name: Stored Command Argument Injection - Go - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Go_Low_Visibility_Use_Of_Broken_Or_Risky_Cryptographic_Algorithm: - categories: - - cwe-327 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: The product uses a broken or risky cryptographic algorithm or protocol. - group: top10-crypto-failures - name: Go_Low_Visibility_Use_Of_Broken_Or_Risky_Cryptographic_Algorithm - pretty_name: Use Of Broken Or Risky Cryptographic Algorithm - Go - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Go_Low_Visibility_Use_Of_Unsafe_Package: - categories: - - cwe-242 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: The product calls a function that can never be guaranteed to work - safely. - group: top10-vulnerable-components - name: Go_Low_Visibility_Use_Of_Unsafe_Package - pretty_name: Use Of Unsafe Package - Go - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Go_Low_Visibility_Use_of_Hardcoded_Password: - categories: - - ALL - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - cwe-259 - description: The product contains a hard-coded password, which it uses for its - own inbound authentication or for outbound communication to external components. 
- group: top10-id-authn-failures - name: Go_Low_Visibility_Use_of_Hardcoded_Password - pretty_name: Use of Hardcoded Password - Go - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Go_Medium_Threat_Cleartext_Transmission_Of_Sensitive_Information: - categories: - - checkmarx-medium-threat - - owasp-top-10 - - cwe-319 - - boost-baseline - - ALL - description: The product transmits sensitive or security-critical data in cleartext - in a communication channel that can be sniffed by unauthorized actors. - group: top10-broken-access-control - name: Go_Medium_Threat_Cleartext_Transmission_Of_Sensitive_Information - pretty_name: Cleartext Transmission Of Sensitive Information - Go - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Go_Medium_Threat_Denial_Of_Service_Resource_Exhaustion: - categories: - - checkmarx-medium-threat - - owasp-top-10 - - cwe-400 - - boost-baseline - - ALL - - cwe-top-25 - description: The product does not properly control the allocation and maintenance - of a limited resource, thereby enabling an actor to influence the amount of - resources consumed, eventually leading to the exhaustion of available resources. - group: top10-insecure-design - name: Go_Medium_Threat_Denial_Of_Service_Resource_Exhaustion - pretty_name: Denial Of Service Resource Exhaustion - Go - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Go_Medium_Threat_Divide_By_Zero: - categories: - - checkmarx-medium-threat - - owasp-top-10 - - cwe-369 - - boost-baseline - - ALL - description: The product divides a value by zero. 
- group: top10-insecure-design - name: Go_Medium_Threat_Divide_By_Zero - pretty_name: Divide By Zero - Go - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Go_Medium_Threat_Email_Content_Forgery: - categories: - - cwe-116 - - checkmarx-medium-threat - - owasp-top-10 - - boost-baseline - - ALL - description: The product prepares a structured message for communication with - another component, but encoding or escaping of the data is either missing or - done incorrectly. As a result, the intended structure of the message is not - preserved. - group: top10-injection - name: Go_Medium_Threat_Email_Content_Forgery - pretty_name: Email Content Forgery - Go - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Go_Medium_Threat_Hardcoded_Password_in_Connection_String: - categories: - - boost-baseline - - ALL - - cwe-547 - - checkmarx-medium-threat - description: The product uses hard-coded constants instead of symbolic names for - security-critical values, which increases the likelihood of mistakes during - code maintenance or security policy change. - group: top10-security-misconfiguration - name: Go_Medium_Threat_Hardcoded_Password_in_Connection_String - pretty_name: Hardcoded Password in Connection String - Go - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Go_Medium_Threat_Integer_Overflow: - categories: - - checkmarx-medium-threat - - cwe-190 - - owasp-top-10 - - boost-baseline - - ALL - - cwe-top-25 - description: The product performs a calculation that can produce an integer overflow - or wraparound, when the logic assumes that the resulting value will always be - larger than the original value. This can introduce other weaknesses when the - calculation is used for resource management or execution control. 
- group: top10-injection - name: Go_Medium_Threat_Integer_Overflow - pretty_name: Integer Overflow - Go - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Go_Medium_Threat_Missing_HSTS_Header: - categories: - - checkmarx-medium-threat - - owasp-top-10 - - boost-baseline - - ALL - - cwe-346 - description: The product does not properly verify that the source of data or communication - is valid. - group: top10-id-authn-failures - name: Go_Medium_Threat_Missing_HSTS_Header - pretty_name: Missing HSTS Header - Go - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Go_Medium_Threat_Missing_HttpOnly_Cookie: - categories: - - cwe-1004 - - ALL - - boost-baseline - - checkmarx-medium-threat - description: The product uses a cookie to store sensitive information, but the - cookie is not marked with the HttpOnly flag. - group: top10-security-misconfiguration - name: Go_Medium_Threat_Missing_HttpOnly_Cookie - pretty_name: Missing HttpOnly Cookie - Go - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Go_Medium_Threat_Missing_Secure_Cookie: - categories: - - boost-baseline - - cwe-614 - - checkmarx-medium-threat - - ALL - description: The Secure attribute for sensitive cookies in HTTPS sessions is not - set, which could cause the user agent to send those cookies in plaintext over - an HTTP session. 
- group: top10-security-misconfiguration - name: Go_Medium_Threat_Missing_Secure_Cookie - pretty_name: Missing Secure Cookie - Go - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Go_Medium_Threat_Parameter_Tampering: - categories: - - checkmarx-medium-threat - - owasp-top-10 - - cwe-472 - - boost-baseline - - ALL - description: The web application does not sufficiently verify inputs that are - assumed to be immutable but are actually externally controllable, such as hidden - form fields. - group: top10-insecure-design - name: Go_Medium_Threat_Parameter_Tampering - pretty_name: Parameter Tampering - Go - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Go_Medium_Threat_Privacy_Violation: - categories: - - checkmarx-medium-threat - - owasp-top-10 - - boost-baseline - - ALL - - cwe-359 - description: The product does not properly prevent a person's private, personal - information from being accessed by actors who either (1) are not explicitly - authorized to access the information or (2) do not have the implicit consent - of the person about whom the information is collected. - group: top10-broken-access-control - name: Go_Medium_Threat_Privacy_Violation - pretty_name: Privacy Violation - Go - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Go_Medium_Threat_Race_Condition_Concurrent_Instances: - categories: - - checkmarx-medium-threat - - cwe-366 - - owasp-top-10 - - boost-baseline - - ALL - description: If two threads of execution use a resource simultaneously, there - exists the possibility that resources may be used while invalid, in turn making - the state of execution undefined. 
- group: top10-insecure-design - name: Go_Medium_Threat_Race_Condition_Concurrent_Instances - pretty_name: Race Condition Concurrent Instances - Go - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Go_Medium_Threat_Reflected_Absolute_Path_Traversal: - categories: - - checkmarx-medium-threat - - owasp-top-10 - - cwe-36 - - boost-baseline - - ALL - description: The product uses external input to construct a pathname that should - be within a restricted directory, but it does not properly neutralize absolute - path sequences such as "/abs/path" that can resolve to a location that is outside - of that directory. - group: top10-broken-access-control - name: Go_Medium_Threat_Reflected_Absolute_Path_Traversal - pretty_name: Reflected Absolute Path Traversal - Go - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Go_Medium_Threat_Reflected_Relative_Path_Traversal: - categories: - - checkmarx-medium-threat - - cwe-23 - - owasp-top-10 - - boost-baseline - - ALL - description: The product uses external input to construct a pathname that should - be within a restricted directory, but it does not properly neutralize sequences - such as ".." that can resolve to a location that is outside of that directory. - group: top10-broken-access-control - name: Go_Medium_Threat_Reflected_Relative_Path_Traversal - pretty_name: Reflected Relative Path Traversal - Go - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Go_Medium_Threat_SSL_Verification_Bypass: - categories: - - checkmarx-medium-threat - - cwe-599 - - owasp-top-10 - - boost-baseline - - ALL - description: The product uses OpenSSL and trusts or uses a certificate without - using the SSL_get_verify_result() function to ensure that the certificate satisfies - all necessary security requirements. 
- group: top10-software-data-integrity-failures - name: Go_Medium_Threat_SSL_Verification_Bypass - pretty_name: SSL Verification Bypass - Go - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Go_Medium_Threat_SSRF: - categories: - - checkmarx-medium-threat - - cwe-918 - - owasp-top-10 - - boost-baseline - - ALL - - cwe-top-25 - description: The web server receives a URL or similar request from an upstream - component and retrieves the contents of this URL, but it does not sufficiently - ensure that the request is being sent to the expected destination. - group: top10-server-side-request-forgery - name: Go_Medium_Threat_SSRF - pretty_name: SSRF - Go - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Go_Medium_Threat_Stored_Absolute_Path_Traversal: - categories: - - checkmarx-medium-threat - - owasp-top-10 - - cwe-36 - - boost-baseline - - ALL - description: The product uses external input to construct a pathname that should - be within a restricted directory, but it does not properly neutralize absolute - path sequences such as "/abs/path" that can resolve to a location that is outside - of that directory. - group: top10-broken-access-control - name: Go_Medium_Threat_Stored_Absolute_Path_Traversal - pretty_name: Stored Absolute Path Traversal - Go - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Go_Medium_Threat_Stored_Relative_Path_Traversal: - categories: - - checkmarx-medium-threat - - cwe-23 - - owasp-top-10 - - boost-baseline - - ALL - description: The product uses external input to construct a pathname that should - be within a restricted directory, but it does not properly neutralize sequences - such as ".." that can resolve to a location that is outside of that directory. 
- group: top10-broken-access-control - name: Go_Medium_Threat_Stored_Relative_Path_Traversal - pretty_name: Stored Relative Path Traversal - Go - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Go_Medium_Threat_Use_of_Cryptographically_Weak_PRNG: - categories: - - checkmarx-medium-threat - - cwe-338 - - owasp-top-10 - - boost-baseline - - ALL - description: The product uses a Pseudo-Random Number Generator (PRNG) in a security - context, but the PRNG's algorithm is not cryptographically strong. - group: top10-crypto-failures - name: Go_Medium_Threat_Use_of_Cryptographically_Weak_PRNG - pretty_name: Use of Cryptographically Weak PRNG - Go - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Go_Medium_Threat_Use_of_Weak_RSA_Keys: - categories: - - ALL - - checkmarx-medium-threat - - owasp-top-10 - - boost-baseline - - cwe-326 - description: The product stores or transmits sensitive data using an encryption - scheme that is theoretically sound, but is not strong enough for the level of - protection required. - group: top10-crypto-failures - name: Go_Medium_Threat_Use_of_Weak_RSA_Keys - pretty_name: Use of Weak RSA Keys - Go - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Groovy_Best_Coding_Practice_Assign_Collection: - categories: - - owasp-top-10 - - cwe-398 - - checkmarx-best-coding-practices - - boost-baseline - - ALL - description: Indicates that the product has not been carefully developed or maintained. 
- group: top10-insecure-design - name: Groovy_Best_Coding_Practice_Assign_Collection - pretty_name: Assign Collection - Groovy - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Groovy_Best_Coding_Practice_Assigning_instead_of_Comparing: - categories: - - cwe-481 - - owasp-top-10 - - checkmarx-best-coding-practices - - boost-baseline - - ALL - description: The code uses an operator for assignment when the intention was to - perform a comparison. - group: top10-insecure-design - name: Groovy_Best_Coding_Practice_Assigning_instead_of_Comparing - pretty_name: Assigning instead of Comparing - Groovy - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Groovy_Best_Coding_Practice_Comparing_instead_of_Assigning: - categories: - - owasp-top-10 - - cwe-482 - - checkmarx-best-coding-practices - - boost-baseline - - ALL - description: The code uses an operator for comparison when the intention was to - perform an assignment. - group: top10-insecure-design - name: Groovy_Best_Coding_Practice_Comparing_instead_of_Assigning - pretty_name: Comparing instead of Assigning - Groovy - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Groovy_Best_Coding_Practice_Declaration_Of_Catch_For_Generic_Exception: - categories: - - cwe-396 - - owasp-top-10 - - checkmarx-best-coding-practices - - boost-baseline - - ALL - description: Catching overly broad exceptions promotes complex error handling - code that is more likely to contain security vulnerabilities. 
- group: top10-insecure-design - name: Groovy_Best_Coding_Practice_Declaration_Of_Catch_For_Generic_Exception - pretty_name: Declaration Of Catch For Generic Exception - Groovy - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Groovy_Best_Coding_Practice_Declaration_of_Throws_for_Generic_Exception: - categories: - - owasp-top-10 - - cwe-397 - - checkmarx-best-coding-practices - - boost-baseline - - ALL - description: Throwing overly broad exceptions promotes complex error handling - code that is more likely to contain security vulnerabilities. - group: top10-insecure-design - name: Groovy_Best_Coding_Practice_Declaration_of_Throws_for_Generic_Exception - pretty_name: Declaration of Throws for Generic Exception - Groovy - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Groovy_Best_Coding_Practice_Deprecated_Groovy_Code: - categories: - - cwe-477 - - owasp-top-10 - - checkmarx-best-coding-practices - - boost-baseline - - ALL - description: The code uses deprecated or obsolete functions, which suggests that - the code has not been actively reviewed or maintained. - group: top10-insecure-design - name: Groovy_Best_Coding_Practice_Deprecated_Groovy_Code - pretty_name: Deprecated Groovy Code - Groovy - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Groovy_Best_Coding_Practice_Dynamic_SQL_Queries: - categories: - - cwe-89 - - owasp-top-10 - - checkmarx-best-coding-practices - - boost-baseline - - ALL - - cwe-top-25 - description: The product constructs all or part of an SQL command using externally-influenced - input from an upstream component, but it does not neutralize or incorrectly - neutralizes special elements that could modify the intended SQL command when - it is sent to a downstream component. 
- group: top10-injection - name: Groovy_Best_Coding_Practice_Dynamic_SQL_Queries - pretty_name: Dynamic SQL Queries - Groovy - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Groovy_Best_Coding_Practice_Empty_Methods: - categories: - - owasp-top-10 - - cwe-398 - - checkmarx-best-coding-practices - - boost-baseline - - ALL - description: Indicates that the product has not been carefully developed or maintained. - group: top10-insecure-design - name: Groovy_Best_Coding_Practice_Empty_Methods - pretty_name: Empty Methods - Groovy - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Groovy_Best_Coding_Practice_Explicit_Calls_To_Methods: - categories: - - owasp-top-10 - - cwe-398 - - checkmarx-best-coding-practices - - boost-baseline - - ALL - description: Indicates that the product has not been carefully developed or maintained. - group: top10-insecure-design - name: Groovy_Best_Coding_Practice_Explicit_Calls_To_Methods - pretty_name: Explicit Calls To Methods - Groovy - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Groovy_Best_Coding_Practice_Explicit_Instantiation: - categories: - - owasp-top-10 - - cwe-398 - - checkmarx-best-coding-practices - - boost-baseline - - ALL - description: Indicates that the product has not been carefully developed or maintained. - group: top10-insecure-design - name: Groovy_Best_Coding_Practice_Explicit_Instantiation - pretty_name: Explicit Instantiation - Groovy - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Groovy_Best_Coding_Practice_Exposure_of_Resource_to_Wrong_Sphere: - categories: - - owasp-top-10 - - cwe-493 - - checkmarx-best-coding-practices - - boost-baseline - - ALL - description: The product has a critical public variable that is not final, which - allows the variable to be modified to contain unexpected values. 
- group: top10-insecure-design - name: Groovy_Best_Coding_Practice_Exposure_of_Resource_to_Wrong_Sphere - pretty_name: Exposure of Resource to Wrong Sphere - Groovy - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Groovy_Best_Coding_Practice_GOTO_Statement: - categories: - - owasp-top-10 - - checkmarx-best-coding-practices - - boost-baseline - - ALL - - cwe-699 - description: Using GOTO statements is considered a poor coding practice as it - makes the code harder to understand and maintain. The flow of the logic is less - clear with GOTO jumps, versus the more structured control flow of if/else statements, - loops, etc. GOTO usage can also lead to spaghetti code that is tangled and difficult - to follow. For cleaner, more maintainable code, GOTO statements should be avoided - in favor of alternate structured programming constructs. - group: top10-insecure-design - name: Groovy_Best_Coding_Practice_GOTO_Statement - pretty_name: GOTO Statement - Groovy - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Groovy_Best_Coding_Practice_Getter_Method_Could_Be_Property: - categories: - - owasp-top-10 - - cwe-398 - - checkmarx-best-coding-practices - - boost-baseline - - ALL - description: Indicates that the product has not been carefully developed or maintained. - group: top10-insecure-design - name: Groovy_Best_Coding_Practice_Getter_Method_Could_Be_Property - pretty_name: Getter Method Could Be Property - Groovy - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Groovy_Best_Coding_Practice_Hardcoded_Absolute_Path: - categories: - - cwe-426 - - owasp-top-10 - - checkmarx-best-coding-practices - - boost-baseline - - ALL - description: The product searches for critical resources using an externally-supplied - search path that can point to resources that are not under the product's direct - control. 
- group: top10-software-data-integrity-failures - name: Groovy_Best_Coding_Practice_Hardcoded_Absolute_Path - pretty_name: Hardcoded Absolute Path - Groovy - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Groovy_Best_Coding_Practice_Hardcoded_Connection_String: - categories: - - owasp-top-10 - - checkmarx-best-coding-practices - - boost-baseline - - ALL - - cwe-top-25 - - cwe-798 - description: The product contains hard-coded credentials, such as a password or - cryptographic key, which it uses for its own inbound authentication, outbound - communication to external components, or encryption of internal data. - group: top10-id-authn-failures - name: Groovy_Best_Coding_Practice_Hardcoded_Connection_String - pretty_name: Hardcoded Connection String - Groovy - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Groovy_Best_Coding_Practice_Incorrect_Block_Delimitation: - categories: - - owasp-top-10 - - checkmarx-best-coding-practices - - boost-baseline - - ALL - - cwe-483 - description: The code does not explicitly delimit a block that is intended to - contain 2 or more statements, creating a logic error. - group: top10-insecure-design - name: Groovy_Best_Coding_Practice_Incorrect_Block_Delimitation - pretty_name: Incorrect Block Delimitation - Groovy - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Groovy_Best_Coding_Practice_Just_One_of_Equals_and_Hash_code_Defined: - categories: - - ALL - - owasp-top-10 - - checkmarx-best-coding-practices - - boost-baseline - - cwe-581 - description: The product does not maintain equal hashcodes for equal objects. 
- group: top10-insecure-design - name: Groovy_Best_Coding_Practice_Just_One_of_Equals_and_Hash_code_Defined - pretty_name: Just One of Equals and Hash code Defined - Groovy - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Groovy_Best_Coding_Practice_Missing_Default_Case_In_Switch_Statement: - categories: - - cwe-478 - - owasp-top-10 - - checkmarx-best-coding-practices - - boost-baseline - - ALL - description: The code does not have a default case in an expression with multiple - conditions, such as a switch statement. - group: top10-insecure-design - name: Groovy_Best_Coding_Practice_Missing_Default_Case_In_Switch_Statement - pretty_name: Missing Default Case In Switch Statement - Groovy - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Groovy_Best_Coding_Practice_Omitted_Break_Statement_In_Switch: - categories: - - cwe-484 - - owasp-top-10 - - checkmarx-best-coding-practices - - boost-baseline - - ALL - description: The product omits a break statement within a switch or similar construct, - causing code associated with multiple conditions to execute. This can cause - problems when the programmer only intended to execute code associated with one - condition. - group: top10-insecure-design - name: Groovy_Best_Coding_Practice_Omitted_Break_Statement_In_Switch - pretty_name: Omitted Break Statement In Switch - Groovy - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Groovy_Best_Coding_Practice_Potential_Usage_of_Vulnerable_Log4J: - categories: - - owasp-top-10 - - cwe-400 - - checkmarx-best-coding-practices - - boost-baseline - - ALL - - cwe-top-25 - description: The product does not properly control the allocation and maintenance - of a limited resource, thereby enabling an actor to influence the amount of - resources consumed, eventually leading to the exhaustion of available resources. 
- group: top10-insecure-design - name: Groovy_Best_Coding_Practice_Potential_Usage_of_Vulnerable_Log4J - pretty_name: Potential Usage of Vulnerable Log4J - Groovy - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Groovy_Best_Coding_Practice_Public_Static_Field_Not_Marked_Final: - categories: - - owasp-top-10 - - checkmarx-best-coding-practices - - cwe-500 - - boost-baseline - - ALL - description: An object contains a public static field that is not marked final, - which might allow it to be modified in unexpected ways. - group: top10-insecure-design - name: Groovy_Best_Coding_Practice_Public_Static_Field_Not_Marked_Final - pretty_name: Public Static Field Not Marked Final - Groovy - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Groovy_Best_Coding_Practice_Return_Inside_Finally_Block: - categories: - - cwe-584 - - owasp-top-10 - - checkmarx-best-coding-practices - - boost-baseline - - ALL - description: The code has a return statement inside a finally block, which will - cause any thrown exception in the try block to be discarded. - group: top10-insecure-design - name: Groovy_Best_Coding_Practice_Return_Inside_Finally_Block - pretty_name: Return Inside Finally Block - Groovy - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Groovy_Best_Coding_Practice_Use_Collect_Many: - categories: - - owasp-top-10 - - cwe-398 - - checkmarx-best-coding-practices - - boost-baseline - - ALL - description: Indicates that the product has not been carefully developed or maintained. 
- group: top10-insecure-design - name: Groovy_Best_Coding_Practice_Use_Collect_Many - pretty_name: Use Collect Many - Groovy - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Groovy_Best_Coding_Practice_Use_Collect_Nested: - categories: - - owasp-top-10 - - cwe-398 - - checkmarx-best-coding-practices - - boost-baseline - - ALL - description: Indicates that the product has not been carefully developed or maintained. - group: top10-insecure-design - name: Groovy_Best_Coding_Practice_Use_Collect_Nested - pretty_name: Use Collect Nested - Groovy - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Groovy_Best_Coding_Practice_Use_of_Wrong_Operator_in_String_Comparison: - categories: - - cwe-597 - - owasp-top-10 - - checkmarx-best-coding-practices - - boost-baseline - - ALL - description: The product uses the wrong operator when comparing a string, such - as using "==" when the .equals() method should be used instead. - group: top10-insecure-design - name: Groovy_Best_Coding_Practice_Use_of_Wrong_Operator_in_String_Comparison - pretty_name: Use of Wrong Operator in String Comparison - Groovy - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Groovy_Heuristic_Heuristic_2nd_Order_SQL_Injection: - categories: - - checkmarx-heuristic - - cwe-89 - - owasp-top-10 - - boost-baseline - - ALL - - cwe-top-25 - description: The product constructs all or part of an SQL command using externally-influenced - input from an upstream component, but it does not neutralize or incorrectly - neutralizes special elements that could modify the intended SQL command when - it is sent to a downstream component. 
- group: top10-injection - name: Groovy_Heuristic_Heuristic_2nd_Order_SQL_Injection - pretty_name: Heuristic 2nd Order SQL Injection - Groovy - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Groovy_Heuristic_Heuristic_CGI_Stored_XSS: - categories: - - checkmarx-heuristic - - cwe-79 - - owasp-top-10 - - boost-baseline - - ALL - - cwe-top-25 - description: The product does not neutralize or incorrectly neutralizes user-controllable - input before it is placed in output that is used as a web page that is served - to other users. - group: top10-injection - name: Groovy_Heuristic_Heuristic_CGI_Stored_XSS - pretty_name: Heuristic CGI Stored XSS - Groovy - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Groovy_Heuristic_Heuristic_CSRF: - categories: - - checkmarx-heuristic - - cwe-352 - - owasp-top-10 - - boost-baseline - - ALL - - cwe-top-25 - description: The web application does not, or can not, sufficiently verify whether - a well-formed, valid, consistent request was intentionally provided by the user - who submitted the request. - group: top10-injection - name: Groovy_Heuristic_Heuristic_CSRF - pretty_name: Heuristic CSRF - Groovy - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Groovy_Heuristic_Heuristic_DB_Parameter_Tampering: - categories: - - checkmarx-heuristic - - owasp-top-10 - - cwe-284 - - boost-baseline - - ALL - description: The product does not restrict or incorrectly restricts access to - a resource from an unauthorized actor. 
- group: top10-broken-access-control - name: Groovy_Heuristic_Heuristic_DB_Parameter_Tampering - pretty_name: Heuristic DB Parameter Tampering - Groovy - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Groovy_Heuristic_Heuristic_Parameter_Tampering: - categories: - - checkmarx-heuristic - - owasp-top-10 - - cwe-472 - - boost-baseline - - ALL - description: The web application does not sufficiently verify inputs that are - assumed to be immutable but are actually externally controllable, such as hidden - form fields. - group: top10-insecure-design - name: Groovy_Heuristic_Heuristic_Parameter_Tampering - pretty_name: Heuristic Parameter Tampering - Groovy - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Groovy_Heuristic_Heuristic_SQL_Injection: - categories: - - checkmarx-heuristic - - cwe-89 - - owasp-top-10 - - boost-baseline - - ALL - - cwe-top-25 - description: The product constructs all or part of an SQL command using externally-influenced - input from an upstream component, but it does not neutralize or incorrectly - neutralizes special elements that could modify the intended SQL command when - it is sent to a downstream component. - group: top10-injection - name: Groovy_Heuristic_Heuristic_SQL_Injection - pretty_name: Heuristic SQL Injection - Groovy - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Groovy_Heuristic_Heuristic_Stored_XSS: - categories: - - checkmarx-heuristic - - cwe-79 - - owasp-top-10 - - boost-baseline - - ALL - - cwe-top-25 - description: The product does not neutralize or incorrectly neutralizes user-controllable - input before it is placed in output that is used as a web page that is served - to other users. 
- group: top10-injection - name: Groovy_Heuristic_Heuristic_Stored_XSS - pretty_name: Heuristic Stored XSS - Groovy - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Groovy_High_Risk_Code_Injection: - categories: - - boost-hardened - - cwe-94 - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-high-risk - - cwe-top-25 - description: The product constructs all or part of a code segment using externally-influenced - input from an upstream component, but it does not neutralize or incorrectly - neutralizes special elements that could modify the syntax or behavior of the - intended code segment. - group: top10-injection - name: Groovy_High_Risk_Code_Injection - pretty_name: Code Injection - Groovy - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Groovy_High_Risk_Command_Injection: - categories: - - boost-hardened - - cwe-77 - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-high-risk - - cwe-top-25 - description: The product constructs all or part of a command using externally-influenced - input from an upstream component, but it does not neutralize or incorrectly - neutralizes special elements that could modify the intended command when it - is sent to a downstream component. - group: top10-injection - name: Groovy_High_Risk_Command_Injection - pretty_name: Command Injection - Groovy - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Groovy_High_Risk_Connection_String_Injection: - categories: - - boost-hardened - - owasp-top-10 - - cwe-99 - - boost-baseline - - ALL - - checkmarx-high-risk - description: The product receives input from an upstream component, but it does - not restrict or incorrectly restricts the input before it is used as an identifier - for a resource that may be outside the intended sphere of control. 
- group: top10-injection - name: Groovy_High_Risk_Connection_String_Injection - pretty_name: Connection String Injection - Groovy - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Groovy_High_Risk_LDAP_Injection: - categories: - - boost-hardened - - cwe-90 - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-high-risk - description: The product constructs all or part of an LDAP query using externally-influenced - input from an upstream component, but it does not neutralize or incorrectly - neutralizes special elements that could modify the intended LDAP query when - it is sent to a downstream component. - group: top10-injection - name: Groovy_High_Risk_LDAP_Injection - pretty_name: LDAP Injection - Groovy - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Groovy_High_Risk_Reflected_XSS_All_Clients: - categories: - - boost-hardened - - cwe-79 - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-high-risk - - cwe-top-25 - description: The product does not neutralize or incorrectly neutralizes user-controllable - input before it is placed in output that is used as a web page that is served - to other users. - group: top10-injection - name: Groovy_High_Risk_Reflected_XSS_All_Clients - pretty_name: Reflected XSS All Clients - Groovy - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Groovy_High_Risk_Resource_Injection: - categories: - - boost-hardened - - owasp-top-10 - - cwe-99 - - boost-baseline - - ALL - - checkmarx-high-risk - description: The product receives input from an upstream component, but it does - not restrict or incorrectly restricts the input before it is used as an identifier - for a resource that may be outside the intended sphere of control. 
- group: top10-injection - name: Groovy_High_Risk_Resource_Injection - pretty_name: Resource Injection - Groovy - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Groovy_High_Risk_SQL_Injection: - categories: - - boost-hardened - - cwe-89 - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-high-risk - - cwe-top-25 - description: The product constructs all or part of an SQL command using externally-influenced - input from an upstream component, but it does not neutralize or incorrectly - neutralizes special elements that could modify the intended SQL command when - it is sent to a downstream component. - group: top10-injection - name: Groovy_High_Risk_SQL_Injection - pretty_name: SQL Injection - Groovy - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Groovy_High_Risk_Second_Order_SQL_Injection: - categories: - - boost-hardened - - cwe-89 - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-high-risk - - cwe-top-25 - description: The product constructs all or part of an SQL command using externally-influenced - input from an upstream component, but it does not neutralize or incorrectly - neutralizes special elements that could modify the intended SQL command when - it is sent to a downstream component. - group: top10-injection - name: Groovy_High_Risk_Second_Order_SQL_Injection - pretty_name: Second Order SQL Injection - Groovy - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Groovy_High_Risk_Stored_XSS: - categories: - - boost-hardened - - cwe-79 - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-high-risk - - cwe-top-25 - description: The product does not neutralize or incorrectly neutralizes user-controllable - input before it is placed in output that is used as a web page that is served - to other users. 
- group: top10-injection - name: Groovy_High_Risk_Stored_XSS - pretty_name: Stored XSS - Groovy - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Groovy_High_Risk_UTF7_XSS: - categories: - - boost-hardened - - cwe-79 - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-high-risk - - cwe-top-25 - description: The product does not neutralize or incorrectly neutralizes user-controllable - input before it is placed in output that is used as a web page that is served - to other users. - group: top10-injection - name: Groovy_High_Risk_UTF7_XSS - pretty_name: UTF7 XSS - Groovy - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Groovy_High_Risk_XPath_Injection: - categories: - - boost-hardened - - cwe-643 - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-high-risk - description: The product uses external input to dynamically construct an XPath - expression used to retrieve data from an XML database, but it does not neutralize - or incorrectly neutralizes that input. This allows an attacker to control the - structure of the query. - group: top10-injection - name: Groovy_High_Risk_XPath_Injection - pretty_name: XPath Injection - Groovy - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Groovy_Low_Visibility_Authorization_Bypass_Through_User_Controlled_SQL_PrimaryKey: - categories: - - checkmarx-low-visibility - - owasp-top-10 - - cwe-566 - - boost-baseline - - ALL - description: The product uses a database table that includes records that should - not be accessible to an actor, but it executes a SQL statement with a primary - key that can be controlled by that actor. 
- group: top10-broken-access-control - name: Groovy_Low_Visibility_Authorization_Bypass_Through_User_Controlled_SQL_PrimaryKey - pretty_name: Authorization Bypass Through User Controlled SQL PrimaryKey - Groovy - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Groovy_Low_Visibility_Blind_SQL_Injections: - categories: - - checkmarx-low-visibility - - cwe-89 - - owasp-top-10 - - boost-baseline - - ALL - - cwe-top-25 - description: The product constructs all or part of an SQL command using externally-influenced - input from an upstream component, but it does not neutralize or incorrectly - neutralizes special elements that could modify the intended SQL command when - it is sent to a downstream component. - group: top10-injection - name: Groovy_Low_Visibility_Blind_SQL_Injections - pretty_name: Blind SQL Injections - Groovy - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Groovy_Low_Visibility_Channel_Accessible_by_NonEndpoint: - categories: - - checkmarx-low-visibility - - owasp-top-10 - - cwe-300 - - boost-baseline - - ALL - description: The product does not adequately verify the identity of actors at - both ends of a communication channel, or does not adequately ensure the integrity - of the channel, in a way that allows the channel to be accessed or influenced - by an actor that is not an endpoint. - group: top10-id-authn-failures - name: Groovy_Low_Visibility_Channel_Accessible_by_NonEndpoint - pretty_name: Channel Accessible by NonEndpoint - Groovy - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Groovy_Low_Visibility_Cleansing_Canonicalization_and_Comparison_Errors: - categories: - - cwe-171 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: Improper handling of data within protection mechanisms that attempt - to perform neutralization for untrusted data. 
- group: top10-injection - name: Groovy_Low_Visibility_Cleansing_Canonicalization_and_Comparison_Errors - pretty_name: Cleansing Canonicalization and Comparison Errors - Groovy - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Groovy_Low_Visibility_Collapse_of_Data_into_Unsafe_Value: - categories: - - checkmarx-low-visibility - - cwe-182 - - owasp-top-10 - - boost-baseline - - ALL - description: The product filters data in a way that causes it to be reduced or - "collapsed" into an unsafe value that violates an expected security property. - group: top10-injection - name: Groovy_Low_Visibility_Collapse_of_Data_into_Unsafe_Value - pretty_name: Collapse of Data into Unsafe Value - Groovy - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Groovy_Low_Visibility_Creation_of_Temp_File_With_Insecure_Permissions: - categories: - - ALL - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - cwe-378 - description: Opening temporary files without appropriate measures or controls - can leave the file, its contents and any function that it impacts vulnerable - to attack. - group: top10-broken-access-control - name: Groovy_Low_Visibility_Creation_of_Temp_File_With_Insecure_Permissions - pretty_name: Creation of Temp File With Insecure Permissions - Groovy - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Groovy_Low_Visibility_Creation_of_Temp_File_in_Dir_with_Incorrect_Permissions: - categories: - - cwe-379 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: The product creates a temporary file in a directory whose permissions - allow unintended actors to determine the file's existence or otherwise access - that file. 
- group: top10-broken-access-control - name: Groovy_Low_Visibility_Creation_of_Temp_File_in_Dir_with_Incorrect_Permissions - pretty_name: Creation of Temp File in Dir with Incorrect Permissions - Groovy - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Groovy_Low_Visibility_Cross_Site_History_Manipulation: - categories: - - cwe-203 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: The product behaves differently or sends different responses under - different circumstances in a way that is observable to an unauthorized actor, - which exposes security-relevant information about the state of the product, - such as whether a particular operation was successful or not. - group: top10-software-data-integrity-failures - name: Groovy_Low_Visibility_Cross_Site_History_Manipulation - pretty_name: Cross Site History Manipulation - Groovy - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Groovy_Low_Visibility_DB_Control_of_System_or_Config_Setting: - categories: - - boost-baseline - - ALL - - checkmarx-low-visibility - - cwe-15 - description: One or more system settings or configuration elements can be externally - controlled by a user. 
- group: top10-security-misconfiguration - name: Groovy_Low_Visibility_DB_Control_of_System_or_Config_Setting - pretty_name: DB Control of System or Config Setting - Groovy - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Groovy_Low_Visibility_Data_Leak_Between_Sessions: - categories: - - checkmarx-low-visibility - - cwe-362 - - owasp-top-10 - - boost-baseline - - ALL - - cwe-top-25 - description: The product contains a code sequence that can run concurrently with - other code, and the code sequence requires temporary, exclusive access to a - shared resource, but a timing window exists in which the shared resource can - be modified by another code sequence that is operating concurrently. - group: top10-broken-access-control - name: Groovy_Low_Visibility_Data_Leak_Between_Sessions - pretty_name: Data Leak Between Sessions - Groovy - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Groovy_Low_Visibility_Divide_By_Zero: - categories: - - checkmarx-low-visibility - - owasp-top-10 - - cwe-369 - - boost-baseline - - ALL - description: The product divides a value by zero. - group: top10-insecure-design - name: Groovy_Low_Visibility_Divide_By_Zero - pretty_name: Divide By Zero - Groovy - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Groovy_Low_Visibility_ESAPI_Same_Password_Repeats_Twice: - categories: - - cwe-521 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: The product does not require that users should have strong passwords, - which makes it easier for attackers to compromise user accounts. 
- group: top10-id-authn-failures - name: Groovy_Low_Visibility_ESAPI_Same_Password_Repeats_Twice - pretty_name: ESAPI Same Password Repeats Twice - Groovy - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Groovy_Low_Visibility_Empty_Password_In_Connection_String: - categories: - - cwe-521 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: The product does not require that users should have strong passwords, - which makes it easier for attackers to compromise user accounts. - group: top10-id-authn-failures - name: Groovy_Low_Visibility_Empty_Password_In_Connection_String - pretty_name: Empty Password In Connection String - Groovy - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Groovy_Low_Visibility_Escape_False: - categories: - - cwe-116 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: The product prepares a structured message for communication with - another component, but encoding or escaping of the data is either missing or - done incorrectly. As a result, the intended structure of the message is not - preserved. - group: top10-injection - name: Groovy_Low_Visibility_Escape_False - pretty_name: Escape False - Groovy - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Groovy_Low_Visibility_Exposure_of_System_Data: - categories: - - checkmarx-low-visibility - - cwe-497 - - owasp-top-10 - - boost-baseline - - ALL - description: The product does not properly prevent sensitive system-level information - from being accessed by unauthorized actors who do not have the same level of - access to the underlying system as the product does. 
- group: top10-broken-access-control
- name: Groovy_Low_Visibility_Exposure_of_System_Data
- pretty_name: Exposure of System Data - Groovy
- recommended: true
- ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
- Groovy_Low_Visibility_Heap_Inspection:
- categories:
- - cwe-244
- - checkmarx-low-visibility
- - owasp-top-10
- - boost-baseline
- - ALL
- description: Using realloc() to resize buffers that store sensitive information
- can leave the sensitive information exposed to attack, because it is not removed
- from memory.
- group: top10-broken-access-control
- name: Groovy_Low_Visibility_Heap_Inspection
- pretty_name: Heap Inspection - Groovy
- recommended: true
- ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
- Groovy_Low_Visibility_Improper_Build_Of_Sql_Mapping:
- categories:
- - checkmarx-low-visibility
- - cwe-89
- - owasp-top-10
- - boost-baseline
- - ALL
- - cwe-top-25
- description: The product constructs all or part of an SQL command using externally-influenced
- input from an upstream component, but it does not neutralize or incorrectly
- neutralizes special elements that could modify the intended SQL command when
- it is sent to a downstream component.
- group: top10-injection
- name: Groovy_Low_Visibility_Improper_Build_Of_Sql_Mapping
- pretty_name: Improper Build Of Sql Mapping - Groovy
- recommended: true
- ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
- Groovy_Low_Visibility_Improper_Exception_Handling:
- categories:
- - cwe-248
- - checkmarx-low-visibility
- - owasp-top-10
- - boost-baseline
- - ALL
- description: An exception is thrown from a function, but it is not caught.
- group: top10-insecure-design
- name: Groovy_Low_Visibility_Improper_Exception_Handling
- pretty_name: Improper Exception Handling - Groovy
- recommended: true
- ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
- Groovy_Low_Visibility_Improper_Resource_Locking:
- categories:
- - cwe-413
- - checkmarx-low-visibility
- - owasp-top-10
- - boost-baseline
- - ALL
- description: The product does not lock or does not correctly lock a resource when
- the product must have exclusive access to the resource.
- group: top10-insecure-design
- name: Groovy_Low_Visibility_Improper_Resource_Locking
- pretty_name: Improper Resource Locking - Groovy
- recommended: true
- ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
- Groovy_Low_Visibility_Improper_Resource_Shutdown_or_Release:
- categories:
- - cwe-404
- - checkmarx-low-visibility
- - owasp-top-10
- - boost-baseline
- - ALL
- description: The product does not release or incorrectly releases a resource before
- it is made available for re-use.
- group: top10-insecure-design
- name: Groovy_Low_Visibility_Improper_Resource_Shutdown_or_Release
- pretty_name: Improper Resource Shutdown or Release - Groovy
- recommended: true
- ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
- Groovy_Low_Visibility_Improper_Session_Management:
- categories:
- - checkmarx-low-visibility
- - owasp-top-10
- - cwe-201
- - boost-baseline
- - ALL
- description: The code transmits data to another actor, but a portion of the data
- includes sensitive information that should not be accessible to that actor.
- group: top10-broken-access-control
- name: Groovy_Low_Visibility_Improper_Session_Management
- pretty_name: Improper Session Management - Groovy
- recommended: true
- ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
- Groovy_Low_Visibility_Improper_Transaction_Handling:
- categories:
- - cwe-460
- - checkmarx-low-visibility
- - owasp-top-10
- - boost-baseline
- - ALL
- description: The product does not clean up its state or incorrectly cleans up
- its state when an exception is thrown, leading to unexpected state or control
- flow.
- group: top10-insecure-design
- name: Groovy_Low_Visibility_Improper_Transaction_Handling
- pretty_name: Improper Transaction Handling - Groovy
- recommended: true
- ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
- Groovy_Low_Visibility_Information_Exposure_Through_Debug_Log:
- categories:
- - checkmarx-low-visibility
- - owasp-top-10
- - cwe-534
- - boost-baseline
- - ALL
- description: This entry has been deprecated because its abstraction was too low-level.
- See
- group: top10-broken-access-control
- name: Groovy_Low_Visibility_Information_Exposure_Through_Debug_Log
- pretty_name: Information Exposure Through Debug Log - Groovy
- recommended: true
- ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
- Groovy_Low_Visibility_Information_Exposure_Through_Server_Log:
- categories:
- - ALL
- - checkmarx-low-visibility
- - owasp-top-10
- - boost-baseline
- - cwe-533
- description: This entry has been deprecated because its abstraction was too low-level.
- See
- group: top10-broken-access-control
- name: Groovy_Low_Visibility_Information_Exposure_Through_Server_Log
- pretty_name: Information Exposure Through Server Log - Groovy
- recommended: true
- ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
- Groovy_Low_Visibility_Information_Exposure_Through_an_Error_Message:
- categories:
- - cwe-209
- - checkmarx-low-visibility
- - owasp-top-10
- - boost-baseline
- - ALL
- description: The product generates an error message that includes sensitive information
- about its environment, users, or associated data.
- group: top10-insecure-design
- name: Groovy_Low_Visibility_Information_Exposure_Through_an_Error_Message
- pretty_name: Information Exposure Through an Error Message - Groovy
- recommended: true
- ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
- Groovy_Low_Visibility_Information_Leak_Through_Comments:
- categories:
- - cwe-615
- - checkmarx-low-visibility
- - owasp-top-10
- - boost-baseline
- - ALL
- description: 'While adding general comments is very useful, some programmers tend
- to leave important data, such as: filenames related to the web application,
- old links or links which were not meant to be browsed by users, old code fragments,
- etc.'
- group: top10-broken-access-control
- name: Groovy_Low_Visibility_Information_Leak_Through_Comments
- pretty_name: Information Leak Through Comments - Groovy
- recommended: true
- ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
- Groovy_Low_Visibility_Information_Leak_Through_Persistent_Cookies:
- categories:
- - cwe-539
- - checkmarx-low-visibility
- - owasp-top-10
- - boost-baseline
- - ALL
- description: The web application uses persistent cookies, but the cookies contain
- sensitive information.
- group: top10-insecure-design
- name: Groovy_Low_Visibility_Information_Leak_Through_Persistent_Cookies
- pretty_name: Information Leak Through Persistent Cookies - Groovy
- recommended: true
- ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
- Groovy_Low_Visibility_Information_Leak_Through_Shell_Error_Message:
- categories:
- - cwe-535
- - checkmarx-low-visibility
- - owasp-top-10
- - boost-baseline
- - ALL
- description: A command shell error message indicates that there exists an unhandled
- exception in the web application code. In many cases, an attacker can leverage
- the conditions that cause these errors in order to gain unauthorized access
- to the system.
- group: top10-broken-access-control
- name: Groovy_Low_Visibility_Information_Leak_Through_Shell_Error_Message
- pretty_name: Information Leak Through Shell Error Message - Groovy
- recommended: true
- ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
- Groovy_Low_Visibility_Insufficient_Session_Expiration:
- categories:
- - checkmarx-low-visibility
- - owasp-top-10
- - boost-baseline
- - ALL
- - cwe-613
- description: According to WASC, "Insufficient Session Expiration is when a web
- site permits an attacker to reuse old session credentials or session IDs for
- authorization."
- group: top10-id-authn-failures
- name: Groovy_Low_Visibility_Insufficient_Session_Expiration
- pretty_name: Insufficient Session Expiration - Groovy
- recommended: true
- ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
- Groovy_Low_Visibility_Insufficiently_Protected_Credentials:
- categories:
- - checkmarx-low-visibility
- - owasp-top-10
- - boost-baseline
- - ALL
- - cwe-522
- description: The product transmits or stores authentication credentials, but it
- uses an insecure method that is susceptible to unauthorized interception and/or
- retrieval.
- group: top10-insecure-design
- name: Groovy_Low_Visibility_Insufficiently_Protected_Credentials
- pretty_name: Insufficiently Protected Credentials - Groovy
- recommended: true
- ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
- Groovy_Low_Visibility_Integer_Overflow:
- categories:
- - cwe-190
- - checkmarx-low-visibility
- - owasp-top-10
- - boost-baseline
- - ALL
- - cwe-top-25
- description: The product performs a calculation that can produce an integer overflow
- or wraparound, when the logic assumes that the resulting value will always be
- larger than the original value. This can introduce other weaknesses when the
- calculation is used for resource management or execution control.
- group: top10-injection
- name: Groovy_Low_Visibility_Integer_Overflow
- pretty_name: Integer Overflow - Groovy
- recommended: true
- ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
- Groovy_Low_Visibility_Integer_Underflow:
- categories:
- - cwe-191
- - checkmarx-low-visibility
- - owasp-top-10
- - boost-baseline
- - ALL
- description: The product subtracts one value from another, such that the result
- is less than the minimum allowable integer value, which produces a value that
- is not equal to the correct result.
- group: top10-injection
- name: Groovy_Low_Visibility_Integer_Underflow
- pretty_name: Integer Underflow - Groovy
- recommended: true
- ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
- Groovy_Low_Visibility_Leaving_Temporary_File:
- categories:
- - checkmarx-low-visibility
- - owasp-top-10
- - boost-baseline
- - ALL
- - cwe-376
- description: Related to the handling of files within a software system.
- group: top10-broken-access-control
- name: Groovy_Low_Visibility_Leaving_Temporary_File
- pretty_name: Leaving Temporary File - Groovy
- recommended: true
- ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
- Groovy_Low_Visibility_Log_Forging:
- categories:
- - boost-baseline
- - ALL
- - cwe-117
- - checkmarx-low-visibility
- description: The product does not neutralize or incorrectly neutralizes output
- that is written to logs.
- group: top10-security-logging-monitoring-failures
- name: Groovy_Low_Visibility_Log_Forging
- pretty_name: Log Forging - Groovy
- recommended: true
- ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
- Groovy_Low_Visibility_Logic_Time_Bomb:
- categories:
- - boost-baseline
- - ALL
- - checkmarx-low-visibility
- - cwe-511
- description: The product contains code that is designed to disrupt the legitimate
- operation of the product (or its environment) when a certain time passes, or
- when a certain logical condition is met.
- group: top10-security-logging-monitoring-failures
- name: Groovy_Low_Visibility_Logic_Time_Bomb
- pretty_name: Logic Time Bomb - Groovy
- recommended: true
- ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
- Groovy_Low_Visibility_Missing_Password_Field_Masking:
- categories:
- - checkmarx-low-visibility
- - cwe-549
- - owasp-top-10
- - boost-baseline
- - ALL
- description: The product does not mask passwords during entry, increasing the
- potential for attackers to observe and capture passwords.
- group: top10-insecure-design
- name: Groovy_Low_Visibility_Missing_Password_Field_Masking
- pretty_name: Missing Password Field Masking - Groovy
- recommended: true
- ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
- Groovy_Low_Visibility_Not_Using_a_Random_IV_with_CBC_Mode:
- categories:
- - checkmarx-low-visibility
- - owasp-top-10
- - cwe-329
- - boost-baseline
- - ALL
- description: The product generates and uses a predictable initialization Vector
- (IV) with Cipher Block Chaining (CBC) Mode, which causes algorithms to be susceptible
- to dictionary attacks when they are encrypted under the same key.
- group: top10-crypto-failures
- name: Groovy_Low_Visibility_Not_Using_a_Random_IV_with_CBC_Mode
- pretty_name: Not Using a Random IV with CBC Mode - Groovy
- recommended: true
- ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
- Groovy_Low_Visibility_Object_Hijack:
- categories:
- - checkmarx-low-visibility
- - cwe-491
- - owasp-top-10
- - boost-baseline
- - ALL
- description: A class has a cloneable() method that is not declared final, which
- allows an object to be created without calling the constructor. This can cause
- the object to be in an unexpected state.
- group: top10-injection
- name: Groovy_Low_Visibility_Object_Hijack
- pretty_name: Object Hijack - Groovy
- recommended: true
- ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
- Groovy_Low_Visibility_Off_by_One_Error:
- categories:
- - cwe-193
- - checkmarx-low-visibility
- - owasp-top-10
- - boost-baseline
- - ALL
- description: A product calculates or uses an incorrect maximum or minimum value
- that is 1 more, or 1 less, than the correct value.
- group: top10-injection
- name: Groovy_Low_Visibility_Off_by_One_Error
- pretty_name: Off by One Error - Groovy
- recommended: true
- ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
- Groovy_Low_Visibility_Open_Redirect:
- categories:
- - checkmarx-low-visibility
- - cwe-601
- - owasp-top-10
- - boost-baseline
- - ALL
- description: A web application accepts a user-controlled input that specifies
- a link to an external site, and uses that link in a Redirect. This simplifies
- phishing attacks.
- group: top10-broken-access-control
- name: Groovy_Low_Visibility_Open_Redirect
- pretty_name: Open Redirect - Groovy
- recommended: true
- ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
- Groovy_Low_Visibility_Parse_Double_DoS:
- categories:
- - checkmarx-low-visibility
- - owasp-top-10
- - boost-baseline
- - ALL
- - cwe-730
- description: Relates to avenues that can cause denial of serivce.
- group: top10-insecure-design
- name: Groovy_Low_Visibility_Parse_Double_DoS
- pretty_name: Parse Double DoS - Groovy
- recommended: true
- ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
- Groovy_Low_Visibility_Plaintext_Storage_in_a_Cookie:
- categories:
- - boost-baseline
- - ALL
- - checkmarx-low-visibility
- - cwe-315
- description: The product stores sensitive information in cleartext in a cookie.
- group: top10-security-misconfiguration
- name: Groovy_Low_Visibility_Plaintext_Storage_in_a_Cookie
- pretty_name: Plaintext Storage in a Cookie - Groovy
- recommended: true
- ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
- Groovy_Low_Visibility_Potenial_UTF7_XSS:
- categories:
- - cwe-79
- - checkmarx-low-visibility
- - owasp-top-10
- - boost-baseline
- - ALL
- - cwe-top-25
- description: The product does not neutralize or incorrectly neutralizes user-controllable
- input before it is placed in output that is used as a web page that is served
- to other users.
- group: top10-injection
- name: Groovy_Low_Visibility_Potenial_UTF7_XSS
- pretty_name: Potenial UTF7 XSS - Groovy
- recommended: true
- ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
- Groovy_Low_Visibility_Potential_ReDoS:
- categories:
- - checkmarx-low-visibility
- - owasp-top-10
- - cwe-400
- - boost-baseline
- - ALL
- - cwe-top-25
- description: The product does not properly control the allocation and maintenance
- of a limited resource, thereby enabling an actor to influence the amount of
- resources consumed, eventually leading to the exhaustion of available resources.
- group: top10-insecure-design
- name: Groovy_Low_Visibility_Potential_ReDoS
- pretty_name: Potential ReDoS - Groovy
- recommended: true
- ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
- Groovy_Low_Visibility_Potential_ReDoS_By_Injection:
- categories:
- - checkmarx-low-visibility
- - owasp-top-10
- - cwe-400
- - boost-baseline
- - ALL
- - cwe-top-25
- description: The product does not properly control the allocation and maintenance
- of a limited resource, thereby enabling an actor to influence the amount of
- resources consumed, eventually leading to the exhaustion of available resources.
- group: top10-insecure-design
- name: Groovy_Low_Visibility_Potential_ReDoS_By_Injection
- pretty_name: Potential ReDoS By Injection - Groovy
- recommended: true
- ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
- Groovy_Low_Visibility_Potential_ReDoS_In_Match:
- categories:
- - checkmarx-low-visibility
- - owasp-top-10
- - cwe-400
- - boost-baseline
- - ALL
- - cwe-top-25
- description: The product does not properly control the allocation and maintenance
- of a limited resource, thereby enabling an actor to influence the amount of
- resources consumed, eventually leading to the exhaustion of available resources.
- group: top10-insecure-design
- name: Groovy_Low_Visibility_Potential_ReDoS_In_Match
- pretty_name: Potential ReDoS In Match - Groovy
- recommended: true
- ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
- Groovy_Low_Visibility_Potential_ReDoS_In_Replace:
- categories:
- - checkmarx-low-visibility
- - owasp-top-10
- - cwe-400
- - boost-baseline
- - ALL
- - cwe-top-25
- description: The product does not properly control the allocation and maintenance
- of a limited resource, thereby enabling an actor to influence the amount of
- resources consumed, eventually leading to the exhaustion of available resources.
- group: top10-insecure-design
- name: Groovy_Low_Visibility_Potential_ReDoS_In_Replace
- pretty_name: Potential ReDoS In Replace - Groovy
- recommended: true
- ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
- Groovy_Low_Visibility_Potential_ReDoS_In_Static_Field:
- categories:
- - checkmarx-low-visibility
- - owasp-top-10
- - cwe-400
- - boost-baseline
- - ALL
- - cwe-top-25
- description: The product does not properly control the allocation and maintenance
- of a limited resource, thereby enabling an actor to influence the amount of
- resources consumed, eventually leading to the exhaustion of available resources.
- group: top10-insecure-design
- name: Groovy_Low_Visibility_Potential_ReDoS_In_Static_Field
- pretty_name: Potential ReDoS In Static Field - Groovy
- recommended: true
- ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
- Groovy_Low_Visibility_Public_Static_Final_References_Mutable_Object:
- categories:
- - cwe-607
- - checkmarx-low-visibility
- - owasp-top-10
- - boost-baseline
- - ALL
- description: A public or protected static final field references a mutable object,
- which allows the object to be changed by malicious code, or accidentally from
- another package.
- group: top10-insecure-design
- name: Groovy_Low_Visibility_Public_Static_Final_References_Mutable_Object
- pretty_name: Public Static Final References Mutable Object - Groovy
- recommended: true
- ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
- Groovy_Low_Visibility_Race_Condition:
- categories:
- - checkmarx-low-visibility
- - cwe-362
- - owasp-top-10
- - boost-baseline
- - ALL
- - cwe-top-25
- description: The product contains a code sequence that can run concurrently with
- other code, and the code sequence requires temporary, exclusive access to a
- shared resource, but a timing window exists in which the shared resource can
- be modified by another code sequence that is operating concurrently.
- group: top10-insecure-design
- name: Groovy_Low_Visibility_Race_Condition
- pretty_name: Race Condition - Groovy
- recommended: true
- ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
- Groovy_Low_Visibility_Race_Condition_Format_Flaw:
- categories:
- - checkmarx-low-visibility
- - cwe-362
- - owasp-top-10
- - boost-baseline
- - ALL
- - cwe-top-25
- description: The product contains a code sequence that can run concurrently with
- other code, and the code sequence requires temporary, exclusive access to a
- shared resource, but a timing window exists in which the shared resource can
- be modified by another code sequence that is operating concurrently.
- group: top10-insecure-design
- name: Groovy_Low_Visibility_Race_Condition_Format_Flaw
- pretty_name: Race Condition Format Flaw - Groovy
- recommended: true
- ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
- Groovy_Low_Visibility_Reliance_on_Cookies_in_a_Decision:
- categories:
- - cwe-784
- - checkmarx-low-visibility
- - owasp-top-10
- - boost-baseline
- - ALL
- description: The product uses a protection mechanism that relies on the existence
- or values of a cookie, but it does not properly ensure that the cookie is valid
- for the associated user.
- group: top10-software-data-integrity-failures
- name: Groovy_Low_Visibility_Reliance_on_Cookies_in_a_Decision
- pretty_name: Reliance on Cookies in a Decision - Groovy
- recommended: true
- ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
- Groovy_Low_Visibility_Reliance_on_DNS_Lookups_in_a_Decision:
- categories:
- - cwe-350
- - checkmarx-low-visibility
- - owasp-top-10
- - boost-baseline
- - ALL
- description: The product performs reverse DNS resolution on an IP address to obtain
- the hostname and make a security decision, but it does not properly ensure that
- the IP address is truly associated with the hostname.
- group: top10-insecure-design
- name: Groovy_Low_Visibility_Reliance_on_DNS_Lookups_in_a_Decision
- pretty_name: Reliance on DNS Lookups in a Decision - Groovy
- recommended: true
- ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
- Groovy_Low_Visibility_Reversible_One_Way_Hash:
- categories:
- - cwe-328
- - checkmarx-low-visibility
- - owasp-top-10
- - boost-baseline
- - ALL
- description: The product uses an algorithm that produces a digest (output value)
- that does not meet security expectations for a hash function that allows an
- adversary to reasonably determine the original input (preimage attack), find
- another input that can produce the same hash (2nd preimage attack), or find
- multiple inputs that evaluate to the same hash (birthday attack).
- group: top10-crypto-failures
- name: Groovy_Low_Visibility_Reversible_One_Way_Hash
- pretty_name: Reversible One Way Hash - Groovy
- recommended: true
- ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
- Groovy_Low_Visibility_Sensitive_Cookie_in_HTTPS_Session_Without_Secure_Attribute:
- categories:
- - boost-baseline
- - cwe-614
- - checkmarx-low-visibility
- - ALL
- description: The Secure attribute for sensitive cookies in HTTPS sessions is not
- set, which could cause the user agent to send those cookies in plaintext over
- an HTTP session.
- group: top10-security-misconfiguration
- name: Groovy_Low_Visibility_Sensitive_Cookie_in_HTTPS_Session_Without_Secure_Attribute
- pretty_name: Sensitive Cookie in HTTPS Session Without Secure Attribute - Groovy
- recommended: true
- ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
- Groovy_Low_Visibility_Serializable_Class_Containing_Sensitive_Data:
- categories:
- - checkmarx-low-visibility
- - owasp-top-10
- - cwe-499
- - boost-baseline
- - ALL
- description: The code contains a class with sensitive data, but the class does
- not explicitly deny serialization. The data can be accessed by serializing the
- class through another class.
- group: top10-broken-access-control
- name: Groovy_Low_Visibility_Serializable_Class_Containing_Sensitive_Data
- pretty_name: Serializable Class Containing Sensitive Data - Groovy
- recommended: true
- ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
- Groovy_Low_Visibility_Spring_defaultHtmlEscape_Not_True:
- categories:
- - checkmarx-low-visibility
- - owasp-top-10
- - boost-baseline
- - ALL
- description: The Spring configuration property 'defaultHtmlEscape', which prevents
- potential cross-site scripting (XSS) vulnerabilities by encoding HTML special
- characters, is not set to 'true'.
- group: top10-insecure-design
- name: Groovy_Low_Visibility_Spring_defaultHtmlEscape_Not_True
- pretty_name: Spring defaultHtmlEscape Not True - Groovy
- recommended: true
- ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
- Groovy_Low_Visibility_Storing_Passwords_in_a_Recoverable_Format:
- categories:
- - checkmarx-low-visibility
- - owasp-top-10
- - cwe-257
- - boost-baseline
- - ALL
- description: The storage of passwords in a recoverable format makes them subject
- to password reuse attacks by malicious users. In fact, it should be noted that
- recoverable encrypted passwords provide no significant benefit over plaintext
- passwords since they are subject not only to reuse by malicious attackers but
- also by malicious insiders. If a system administrator can recover a password
- directly, or use a brute force search on the available information, the administrator
- can use the password on other accounts.
- group: top10-insecure-design
- name: Groovy_Low_Visibility_Storing_Passwords_in_a_Recoverable_Format
- pretty_name: Storing Passwords in a Recoverable Format - Groovy
- recommended: true
- ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
- Groovy_Low_Visibility_TOCTOU:
- categories:
- - checkmarx-low-visibility
- - owasp-top-10
- - boost-baseline
- - ALL
- - cwe-367
- description: The product checks the state of a resource before using that resource,
- but the resource's state can change between the check and the use in a way that
- invalidates the results of the check. This can cause the product to perform
- invalid actions when the resource is in an unexpected state.
- group: top10-insecure-design
- name: Groovy_Low_Visibility_TOCTOU
- pretty_name: TOCTOU - Groovy
- recommended: true
- ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
- Groovy_Low_Visibility_Trust_Boundary_Violation_in_Session_Variables:
- categories:
- - cwe-501
- - checkmarx-low-visibility
- - owasp-top-10
- - boost-baseline
- - ALL
- description: The product mixes trusted and untrusted data in the same data structure
- or structured message.
- group: top10-insecure-design
- name: Groovy_Low_Visibility_Trust_Boundary_Violation_in_Session_Variables
- pretty_name: Trust Boundary Violation in Session Variables - Groovy
- recommended: true
- ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
- Groovy_Low_Visibility_Uncaught_Exception:
- categories:
- - cwe-248
- - checkmarx-low-visibility
- - owasp-top-10
- - boost-baseline
- - ALL
- description: An exception is thrown from a function, but it is not caught.
- group: top10-insecure-design
- name: Groovy_Low_Visibility_Uncaught_Exception
- pretty_name: Uncaught Exception - Groovy
- recommended: true
- ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
- Groovy_Low_Visibility_Unchecked_Return_Value_to_NULL_Pointer_Dereference:
- categories:
- - checkmarx-low-visibility
- - owasp-top-10
- - cwe-690
- - boost-baseline
- - ALL
- description: The product does not check for an error after calling a function
- that can return with a NULL pointer if the function fails, which leads to a
- resultant NULL pointer dereference.
- group: top10-insecure-design
- name: Groovy_Low_Visibility_Unchecked_Return_Value_to_NULL_Pointer_Dereference
- pretty_name: Unchecked Return Value to NULL Pointer Dereference - Groovy
- recommended: true
- ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
- Groovy_Low_Visibility_Uncontrolled_Format_String:
- categories:
- - cwe-134
- - checkmarx-low-visibility
- - owasp-top-10
- - boost-baseline
- - ALL
- description: The product uses a function that accepts a format string as an argument,
- but the format string originates from an external source.
- group: top10-injection
- name: Groovy_Low_Visibility_Uncontrolled_Format_String
- pretty_name: Uncontrolled Format String - Groovy
- recommended: true
- ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
- Groovy_Low_Visibility_Uncontrolled_Memory_Allocation:
- categories:
- - cwe-789
- - checkmarx-low-visibility
- - owasp-top-10
- - boost-baseline
- - ALL
- description: The product allocates memory based on an untrusted, large size value,
- but it does not ensure that the size is within expected limits, allowing arbitrary
- amounts of memory to be allocated.
- group: top10-injection
- name: Groovy_Low_Visibility_Uncontrolled_Memory_Allocation
- pretty_name: Uncontrolled Memory Allocation - Groovy
- recommended: true
- ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
- Groovy_Low_Visibility_Unsynchronized_Access_To_Shared_Data:
- categories:
- - cwe-567
- - checkmarx-low-visibility
- - owasp-top-10
- - boost-baseline
- - ALL
- description: The product does not properly synchronize shared data, such as static
- variables across threads, which can lead to undefined behavior and unpredictable
- data changes.
- group: top10-insecure-design
- name: Groovy_Low_Visibility_Unsynchronized_Access_To_Shared_Data
- pretty_name: Unsynchronized Access To Shared Data - Groovy
- recommended: true
- ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
- Groovy_Low_Visibility_Use_Of_Hardcoded_Password:
- categories:
- - ALL
- - checkmarx-low-visibility
- - owasp-top-10
- - boost-baseline
- - cwe-259
- description: The product contains a hard-coded password, which it uses for its
- own inbound authentication or for outbound communication to external components.
- group: top10-id-authn-failures
- name: Groovy_Low_Visibility_Use_Of_Hardcoded_Password
- pretty_name: Use Of Hardcoded Password - Groovy
- recommended: true
- ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
- Groovy_Low_Visibility_Use_Of_getenv:
- categories:
- - checkmarx-low-visibility
- - owasp-top-10
- - cwe-589
- - boost-baseline
- - ALL
- description: The product uses an API function that does not exist on all versions
- of the target platform. This could cause portability problems or inconsistencies
- that allow denial of service or other consequences.
- group: top10-injection
- name: Groovy_Low_Visibility_Use_Of_getenv
- pretty_name: Use Of getenv - Groovy
- recommended: true
- ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
- Groovy_Low_Visibility_Use_of_Broken_or_Risky_Cryptographic_Algorithm:
- categories:
- - cwe-327
- - checkmarx-low-visibility
- - owasp-top-10
- - boost-baseline
- - ALL
- description: The product uses a broken or risky cryptographic algorithm or protocol.
- group: top10-crypto-failures
- name: Groovy_Low_Visibility_Use_of_Broken_or_Risky_Cryptographic_Algorithm
- pretty_name: Use of Broken or Risky Cryptographic Algorithm - Groovy
- recommended: true
- ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
- Groovy_Low_Visibility_Use_of_Client_Side_Authentication:
- categories:
- - checkmarx-low-visibility
- - owasp-top-10
- - cwe-603
- - boost-baseline
- - ALL
- description: A client/server product performs authentication within client code
- but not in server code, allowing server-side authentication to be bypassed via
- a modified client that omits the authentication check.
- group: top10-id-authn-failures
- name: Groovy_Low_Visibility_Use_of_Client_Side_Authentication
- pretty_name: Use of Client Side Authentication - Groovy
- recommended: true
- ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
- Groovy_Low_Visibility_Use_of_Hard_coded_Security_Constants:
- categories:
- - boost-baseline
- - ALL
- - cwe-547
- - checkmarx-low-visibility
- description: The product uses hard-coded constants instead of symbolic names for
- security-critical values, which increases the likelihood of mistakes during
- code maintenance or security policy change.
- group: top10-security-misconfiguration - name: Groovy_Low_Visibility_Use_of_Hard_coded_Security_Constants - pretty_name: Use of Hard coded Security Constants - Groovy - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Groovy_Low_Visibility_Use_of_RSA_Algorithm_without_OAEP: - categories: - - ALL - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - cwe-780 - description: The product uses the RSA algorithm but does not incorporate Optimal - Asymmetric Encryption Padding (OAEP), which might weaken the encryption. - group: top10-crypto-failures - name: Groovy_Low_Visibility_Use_of_RSA_Algorithm_without_OAEP - pretty_name: Use of RSA Algorithm without OAEP - Groovy - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Groovy_Low_Visibility_Using_Referer_Field_for_Authentication: - categories: - - cwe-293 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: The referer field in HTTP requests can be easily modified and, as - such, is not a valid means of message integrity checking. - group: top10-id-authn-failures - name: Groovy_Low_Visibility_Using_Referer_Field_for_Authentication - pretty_name: Using Referer Field for Authentication - Groovy - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Groovy_Medium_Threat_Absolute_Path_Traversal: - categories: - - checkmarx-medium-threat - - owasp-top-10 - - cwe-36 - - boost-baseline - - ALL - description: The product uses external input to construct a pathname that should - be within a restricted directory, but it does not properly neutralize absolute - path sequences such as "/abs/path" that can resolve to a location that is outside - of that directory. 
- group: top10-broken-access-control - name: Groovy_Medium_Threat_Absolute_Path_Traversal - pretty_name: Absolute Path Traversal - Groovy - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Groovy_Medium_Threat_CGI_Reflected_XSS_All_Clients: - categories: - - checkmarx-medium-threat - - cwe-79 - - owasp-top-10 - - boost-baseline - - ALL - - cwe-top-25 - description: The product does not neutralize or incorrectly neutralizes user-controllable - input before it is placed in output that is used as a web page that is served - to other users. - group: top10-injection - name: Groovy_Medium_Threat_CGI_Reflected_XSS_All_Clients - pretty_name: CGI Reflected XSS All Clients - Groovy - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Groovy_Medium_Threat_CGI_Stored_XSS: - categories: - - checkmarx-medium-threat - - cwe-79 - - owasp-top-10 - - boost-baseline - - ALL - - cwe-top-25 - description: The product does not neutralize or incorrectly neutralizes user-controllable - input before it is placed in output that is used as a web page that is served - to other users. - group: top10-injection - name: Groovy_Medium_Threat_CGI_Stored_XSS - pretty_name: CGI Stored XSS - Groovy - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Groovy_Medium_Threat_CSRF: - categories: - - checkmarx-medium-threat - - cwe-352 - - owasp-top-10 - - boost-baseline - - ALL - - cwe-top-25 - description: The web application does not, or can not, sufficiently verify whether - a well-formed, valid, consistent request was intentionally provided by the user - who submitted the request. 
- group: top10-injection - name: Groovy_Medium_Threat_CSRF - pretty_name: CSRF - Groovy - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Groovy_Medium_Threat_Cleartext_Submission_of_Sensitive_Information: - categories: - - checkmarx-medium-threat - - owasp-top-10 - - cwe-319 - - boost-baseline - - ALL - description: The product transmits sensitive or security-critical data in cleartext - in a communication channel that can be sniffed by unauthorized actors. - group: top10-broken-access-control - name: Groovy_Medium_Threat_Cleartext_Submission_of_Sensitive_Information - pretty_name: Cleartext Submission of Sensitive Information - Groovy - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Groovy_Medium_Threat_DB_Parameter_Tampering: - categories: - - checkmarx-medium-threat - - owasp-top-10 - - cwe-284 - - boost-baseline - - ALL - description: The product does not restrict or incorrectly restricts access to - a resource from an unauthorized actor. - group: top10-broken-access-control - name: Groovy_Medium_Threat_DB_Parameter_Tampering - pretty_name: DB Parameter Tampering - Groovy - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Groovy_Medium_Threat_Dangerous_File_Inclusion: - categories: - - checkmarx-medium-threat - - owasp-top-10 - - cwe-829 - - boost-baseline - - ALL - description: The product imports, requires, or includes executable functionality - (such as a library) from a source that is outside of the intended control sphere. 
- group: top10-software-data-integrity-failures - name: Groovy_Medium_Threat_Dangerous_File_Inclusion - pretty_name: Dangerous File Inclusion - Groovy - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Groovy_Medium_Threat_Direct_Use_of_Unsafe_JNI: - categories: - - checkmarx-medium-threat - - owasp-top-10 - - boost-baseline - - ALL - - cwe-111 - description: When a Java application uses the Java Native Interface (JNI) to call - code written in another programming language, it can expose the application - to weaknesses in that code, even if those weaknesses cannot occur in Java. - group: top10-injection - name: Groovy_Medium_Threat_Direct_Use_of_Unsafe_JNI - pretty_name: Direct Use of Unsafe JNI - Groovy - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Groovy_Medium_Threat_DoS_by_Sleep: - categories: - - checkmarx-medium-threat - - owasp-top-10 - - boost-baseline - - ALL - description: The product performs an iteration or loop without sufficiently limiting - the number of times that the loop is executed. - group: top10-insecure-design - name: Groovy_Medium_Threat_DoS_by_Sleep - pretty_name: DoS by Sleep - Groovy - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Groovy_Medium_Threat_External_Control_of_Critical_State_Data: - categories: - - checkmarx-medium-threat - - owasp-top-10 - - boost-baseline - - ALL - - cwe-642 - description: The product stores security-critical state information about its - users, or the product itself, in a location that is accessible to unauthorized - actors. 
- group: top10-insecure-design - name: Groovy_Medium_Threat_External_Control_of_Critical_State_Data - pretty_name: External Control of Critical State Data - Groovy - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Groovy_Medium_Threat_External_Control_of_System_or_Config_Setting: - categories: - - boost-baseline - - ALL - - checkmarx-medium-threat - - cwe-15 - description: One or more system settings or configuration elements can be externally - controlled by a user. - group: top10-security-misconfiguration - name: Groovy_Medium_Threat_External_Control_of_System_or_Config_Setting - pretty_name: External Control of System or Config Setting - Groovy - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Groovy_Medium_Threat_HTTP_Response_Splitting: - categories: - - checkmarx-medium-threat - - cwe-113 - - owasp-top-10 - - boost-baseline - - ALL - description: The product receives data from an HTTP agent/component (e.g., web - server, proxy, browser, etc.), but it does not neutralize or incorrectly neutralizes - CR and LF characters before the data is included in outgoing HTTP headers. - group: top10-injection - name: Groovy_Medium_Threat_HTTP_Response_Splitting - pretty_name: HTTP Response Splitting - Groovy - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Groovy_Medium_Threat_Hardcoded_password_in_Connection_String: - categories: - - boost-baseline - - ALL - - cwe-547 - - checkmarx-medium-threat - description: The product uses hard-coded constants instead of symbolic names for - security-critical values, which increases the likelihood of mistakes during - code maintenance or security policy change. 
- group: top10-security-misconfiguration - name: Groovy_Medium_Threat_Hardcoded_password_in_Connection_String - pretty_name: Hardcoded password in Connection String - Groovy - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Groovy_Medium_Threat_HttpOnlyCookies: - categories: - - cwe-1004 - - ALL - - boost-baseline - - checkmarx-medium-threat - description: The product uses a cookie to store sensitive information, but the - cookie is not marked with the HttpOnly flag. - group: top10-security-misconfiguration - name: Groovy_Medium_Threat_HttpOnlyCookies - pretty_name: HttpOnlyCookies - Groovy - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Groovy_Medium_Threat_HttpOnlyCookies_In_Config: - categories: - - cwe-1004 - - ALL - - boost-baseline - - checkmarx-medium-threat - description: The product uses a cookie to store sensitive information, but the - cookie is not marked with the HttpOnly flag. - group: top10-security-misconfiguration - name: Groovy_Medium_Threat_HttpOnlyCookies_In_Config - pretty_name: HttpOnlyCookies In Config - Groovy - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Groovy_Medium_Threat_Improper_Locking: - categories: - - checkmarx-medium-threat - - cwe-667 - - owasp-top-10 - - boost-baseline - - ALL - description: The product does not properly acquire or release a lock on a resource, - leading to unexpected resource state changes and behaviors. 
- group: top10-insecure-design - name: Groovy_Medium_Threat_Improper_Locking - pretty_name: Improper Locking - Groovy - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Groovy_Medium_Threat_Input_Path_Not_Canonicalized: - categories: - - checkmarx-medium-threat - - cwe-73 - - owasp-top-10 - - boost-baseline - - ALL - description: The product allows user input to control or influence paths or file - names that are used in filesystem operations. - group: top10-insecure-design - name: Groovy_Medium_Threat_Input_Path_Not_Canonicalized - pretty_name: Input Path Not Canonicalized - Groovy - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Groovy_Medium_Threat_Multiple_Binds_to_the_Same_Port: - categories: - - checkmarx-medium-threat - - owasp-top-10 - - boost-baseline - - ALL - - cwe-605 - description: When multiple sockets are allowed to bind to the same port, other - services on that port may be stolen or spoofed. - group: top10-insecure-design - name: Groovy_Medium_Threat_Multiple_Binds_to_the_Same_Port - pretty_name: Multiple Binds to the Same Port - Groovy - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Groovy_Medium_Threat_Parameter_Tampering: - categories: - - checkmarx-medium-threat - - owasp-top-10 - - cwe-472 - - boost-baseline - - ALL - description: The web application does not sufficiently verify inputs that are - assumed to be immutable but are actually externally controllable, such as hidden - form fields. 
- group: top10-insecure-design - name: Groovy_Medium_Threat_Parameter_Tampering - pretty_name: Parameter Tampering - Groovy - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Groovy_Medium_Threat_Plaintext_Storage_of_a_Password: - categories: - - cwe-256 - - checkmarx-medium-threat - - owasp-top-10 - - boost-baseline - - ALL - description: Storing a password in plaintext may result in a system compromise. - group: top10-insecure-design - name: Groovy_Medium_Threat_Plaintext_Storage_of_a_Password - pretty_name: Plaintext Storage of a Password - Groovy - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Groovy_Medium_Threat_Privacy_Violation: - categories: - - checkmarx-medium-threat - - owasp-top-10 - - boost-baseline - - ALL - - cwe-359 - description: The product does not properly prevent a person's private, personal - information from being accessed by actors who either (1) are not explicitly - authorized to access the information or (2) do not have the implicit consent - of the person about whom the information is collected. - group: top10-broken-access-control - name: Groovy_Medium_Threat_Privacy_Violation - pretty_name: Privacy Violation - Groovy - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Groovy_Medium_Threat_Process_Control: - categories: - - checkmarx-medium-threat - - owasp-top-10 - - cwe-114 - - boost-baseline - - ALL - description: Executing commands or loading libraries from an untrusted source - or in an untrusted environment can cause an application to execute malicious - commands (and payloads) on behalf of an attacker. 
- group: top10-injection - name: Groovy_Medium_Threat_Process_Control - pretty_name: Process Control - Groovy - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Groovy_Medium_Threat_ReDoS_From_Regex_Injection: - categories: - - checkmarx-medium-threat - - owasp-top-10 - - cwe-400 - - boost-baseline - - ALL - - cwe-top-25 - description: The product does not properly control the allocation and maintenance - of a limited resource, thereby enabling an actor to influence the amount of - resources consumed, eventually leading to the exhaustion of available resources. - group: top10-insecure-design - name: Groovy_Medium_Threat_ReDoS_From_Regex_Injection - pretty_name: ReDoS From Regex Injection - Groovy - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Groovy_Medium_Threat_ReDoS_In_Match: - categories: - - checkmarx-medium-threat - - owasp-top-10 - - cwe-400 - - boost-baseline - - ALL - - cwe-top-25 - description: The product does not properly control the allocation and maintenance - of a limited resource, thereby enabling an actor to influence the amount of - resources consumed, eventually leading to the exhaustion of available resources. - group: top10-insecure-design - name: Groovy_Medium_Threat_ReDoS_In_Match - pretty_name: ReDoS In Match - Groovy - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Groovy_Medium_Threat_ReDoS_In_Pattern: - categories: - - checkmarx-medium-threat - - owasp-top-10 - - cwe-400 - - boost-baseline - - ALL - - cwe-top-25 - description: The product does not properly control the allocation and maintenance - of a limited resource, thereby enabling an actor to influence the amount of - resources consumed, eventually leading to the exhaustion of available resources. 
- group: top10-insecure-design - name: Groovy_Medium_Threat_ReDoS_In_Pattern - pretty_name: ReDoS In Pattern - Groovy - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Groovy_Medium_Threat_ReDoS_In_Replace: - categories: - - checkmarx-medium-threat - - owasp-top-10 - - cwe-400 - - boost-baseline - - ALL - - cwe-top-25 - description: The product does not properly control the allocation and maintenance - of a limited resource, thereby enabling an actor to influence the amount of - resources consumed, eventually leading to the exhaustion of available resources. - group: top10-insecure-design - name: Groovy_Medium_Threat_ReDoS_In_Replace - pretty_name: ReDoS In Replace - Groovy - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Groovy_Medium_Threat_Relative_Path_Traversal: - categories: - - checkmarx-medium-threat - - cwe-23 - - owasp-top-10 - - boost-baseline - - ALL - description: The product uses external input to construct a pathname that should - be within a restricted directory, but it does not properly neutralize sequences - such as ".." that can resolve to a location that is outside of that directory. - group: top10-broken-access-control - name: Groovy_Medium_Threat_Relative_Path_Traversal - pretty_name: Relative Path Traversal - Groovy - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Groovy_Medium_Threat_Reliance_on_Cookies_without_Validation: - categories: - - checkmarx-medium-threat - - cwe-565 - - owasp-top-10 - - boost-baseline - - ALL - description: The product relies on the existence or values of cookies when performing - security-critical operations, but it does not properly ensure that the setting - is valid for the associated user. 
- group: top10-software-data-integrity-failures - name: Groovy_Medium_Threat_Reliance_on_Cookies_without_Validation - pretty_name: Reliance on Cookies without Validation - Groovy - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Groovy_Medium_Threat_SQL_Injection_Evasion_Attack: - categories: - - checkmarx-medium-threat - - cwe-89 - - owasp-top-10 - - boost-baseline - - ALL - - cwe-top-25 - description: The product constructs all or part of an SQL command using externally-influenced - input from an upstream component, but it does not neutralize or incorrectly - neutralizes special elements that could modify the intended SQL command when - it is sent to a downstream component. - group: top10-injection - name: Groovy_Medium_Threat_SQL_Injection_Evasion_Attack - pretty_name: SQL Injection Evasion Attack - Groovy - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Groovy_Medium_Threat_Same_Seed_in_PRNG: - categories: - - boost-baseline - - checkmarx-medium-threat - - owasp-top-10 - - cwe-336 - - ALL - description: A Pseudo-Random Number Generator (PRNG) uses the same seed each time - the product is initialized. - group: top10-crypto-failures - name: Groovy_Medium_Threat_Same_Seed_in_PRNG - pretty_name: Same Seed in PRNG - Groovy - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Groovy_Medium_Threat_Session_Fixation: - categories: - - checkmarx-medium-threat - - owasp-top-10 - - boost-baseline - - ALL - - cwe-384 - description: Authenticating a user, or otherwise establishing a new user session, - without invalidating any existing session identifier gives an attacker the opportunity - to steal authenticated sessions. 
- group: top10-id-authn-failures - name: Groovy_Medium_Threat_Session_Fixation - pretty_name: Session Fixation - Groovy - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Groovy_Medium_Threat_Spring_ModelView_Injection: - categories: - - checkmarx-medium-threat - - cwe-74 - - owasp-top-10 - - boost-baseline - - ALL - description: The product constructs all or part of a command, data structure, - or record using externally-influenced input from an upstream component, but - it does not neutralize or incorrectly neutralizes special elements that could - modify how it is parsed or interpreted when it is sent to a downstream component. - group: top10-injection - name: Groovy_Medium_Threat_Spring_ModelView_Injection - pretty_name: Spring ModelView Injection - Groovy - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Groovy_Medium_Threat_Stored_Absolute_Path_Traversal: - categories: - - checkmarx-medium-threat - - owasp-top-10 - - cwe-36 - - boost-baseline - - ALL - description: The product uses external input to construct a pathname that should - be within a restricted directory, but it does not properly neutralize absolute - path sequences such as "/abs/path" that can resolve to a location that is outside - of that directory. 
- group: top10-broken-access-control - name: Groovy_Medium_Threat_Stored_Absolute_Path_Traversal - pretty_name: Stored Absolute Path Traversal - Groovy - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Groovy_Medium_Threat_Stored_Command_Injection: - categories: - - cwe-77 - - checkmarx-medium-threat - - owasp-top-10 - - boost-baseline - - ALL - - cwe-top-25 - description: The product constructs all or part of a command using externally-influenced - input from an upstream component, but it does not neutralize or incorrectly - neutralizes special elements that could modify the intended command when it - is sent to a downstream component. - group: top10-injection - name: Groovy_Medium_Threat_Stored_Command_Injection - pretty_name: Stored Command Injection - Groovy - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Groovy_Medium_Threat_Stored_LDAP_Injection: - categories: - - checkmarx-medium-threat - - cwe-90 - - owasp-top-10 - - boost-baseline - - ALL - description: The product constructs all or part of an LDAP query using externally-influenced - input from an upstream component, but it does not neutralize or incorrectly - neutralizes special elements that could modify the intended LDAP query when - it is sent to a downstream component. - group: top10-injection - name: Groovy_Medium_Threat_Stored_LDAP_Injection - pretty_name: Stored LDAP Injection - Groovy - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Groovy_Medium_Threat_Stored_Relative_Path_Traversal: - categories: - - checkmarx-medium-threat - - cwe-23 - - owasp-top-10 - - boost-baseline - - ALL - description: The product uses external input to construct a pathname that should - be within a restricted directory, but it does not properly neutralize sequences - such as ".." that can resolve to a location that is outside of that directory. 
- group: top10-broken-access-control - name: Groovy_Medium_Threat_Stored_Relative_Path_Traversal - pretty_name: Stored Relative Path Traversal - Groovy - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Groovy_Medium_Threat_Unchecked_Input_for_Loop_Condition: - categories: - - checkmarx-medium-threat - - owasp-top-10 - - cwe-606 - - boost-baseline - - ALL - description: The product does not properly check inputs that are used for loop - conditions, potentially leading to a denial of service or other consequences - because of excessive looping. - group: top10-insecure-design - name: Groovy_Medium_Threat_Unchecked_Input_for_Loop_Condition - pretty_name: Unchecked Input for Loop Condition - Groovy - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Groovy_Medium_Threat_Unnormalize_Input_String: - categories: - - checkmarx-medium-threat - - owasp-top-10 - - cwe-20 - - boost-baseline - - ALL - - cwe-top-25 - description: The product receives input or data, but it does not validate or incorrectly - validates that the input has the properties that are required to process the - data safely and correctly. - group: top10-injection - name: Groovy_Medium_Threat_Unnormalize_Input_String - pretty_name: Unnormalize Input String - Groovy - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Groovy_Medium_Threat_Unvalidated_Forwards: - categories: - - checkmarx-medium-threat - - cwe-819 - - owasp-top-10 - - boost-baseline - - ALL - description: Relates to using redirects and forwards that have not been validated. 
- group: top10-injection - name: Groovy_Medium_Threat_Unvalidated_Forwards - pretty_name: Unvalidated Forwards - Groovy - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Groovy_Medium_Threat_Use_of_Cryptographically_Weak_PRNG: - categories: - - checkmarx-medium-threat - - cwe-338 - - owasp-top-10 - - boost-baseline - - ALL - description: The product uses a Pseudo-Random Number Generator (PRNG) in a security - context, but the PRNG's algorithm is not cryptographically strong. - group: top10-crypto-failures - name: Groovy_Medium_Threat_Use_of_Cryptographically_Weak_PRNG - pretty_name: Use of Cryptographically Weak PRNG - Groovy - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Groovy_Medium_Threat_Use_of_Hard_coded_Cryptographic_Key: - categories: - - cwe-321 - - checkmarx-medium-threat - - owasp-top-10 - - boost-baseline - - ALL - description: The use of a hard-coded cryptographic key significantly increases - the possibility that encrypted data may be recovered. - group: top10-crypto-failures - name: Groovy_Medium_Threat_Use_of_Hard_coded_Cryptographic_Key - pretty_name: Use of Hard coded Cryptographic Key - Groovy - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Groovy_Medium_Threat_Use_of_Insufficiently_Random_Values: - categories: - - checkmarx-medium-threat - - cwe-330 - - owasp-top-10 - - boost-baseline - - ALL - description: The product uses insufficiently random numbers or values in a security - context that depends on unpredictable numbers. 
- group: top10-crypto-failures - name: Groovy_Medium_Threat_Use_of_Insufficiently_Random_Values - pretty_name: Use of Insufficiently Random Values - Groovy - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Groovy_Medium_Threat_Use_of_Native_Language: - categories: - - checkmarx-medium-threat - - owasp-top-10 - - cwe-695 - - boost-baseline - - ALL - description: The product uses low-level functionality that is explicitly prohibited - by the framework or specification under which the product is supposed to operate. - group: top10-injection - name: Groovy_Medium_Threat_Use_of_Native_Language - pretty_name: Use of Native Language - Groovy - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Groovy_Medium_Threat_Use_of_System_exit: - categories: - - checkmarx-medium-threat - - cwe-382 - - owasp-top-10 - - boost-baseline - - ALL - description: A J2EE application uses System.exit(), which also shuts down its - container. - group: top10-insecure-design - name: Groovy_Medium_Threat_Use_of_System_exit - pretty_name: Use of System exit - Groovy - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Groovy_Medium_Threat_Use_of_a_One_Way_Hash_with_a_Predictable_Salt: - categories: - - checkmarx-medium-threat - - owasp-top-10 - - cwe-760 - - boost-baseline - - ALL - description: The product uses a one-way cryptographic hash against an input that - should not be reversible, such as a password, but the product uses a predictable - salt as part of the input. 
- group: top10-crypto-failures - name: Groovy_Medium_Threat_Use_of_a_One_Way_Hash_with_a_Predictable_Salt - pretty_name: Use of a One Way Hash with a Predictable Salt - Groovy - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Groovy_Medium_Threat_Use_of_a_One_Way_Hash_without_a_Salt: - categories: - - checkmarx-medium-threat - - cwe-759 - - owasp-top-10 - - boost-baseline - - ALL - description: The product uses a one-way cryptographic hash against an input that - should not be reversible, such as a password, but the product does not also - use a salt as part of the input. - group: top10-crypto-failures - name: Groovy_Medium_Threat_Use_of_a_One_Way_Hash_without_a_Salt - pretty_name: Use of a One Way Hash without a Salt - Groovy - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Groovy_Stored_Stored_Boundary_Violation: - categories: - - checkmarx-stored - - owasp-top-10 - - cwe-646 - - boost-baseline - - ALL - description: The product allows a file to be uploaded, but it relies on the file - name or extension of the file to determine the appropriate behaviors. This could - be used by attackers to cause the file to be misclassified and processed in - a dangerous fashion. - group: top10-insecure-design - name: Groovy_Stored_Stored_Boundary_Violation - pretty_name: Stored Boundary Violation - Groovy - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Groovy_Stored_Stored_Code_Injection: - categories: - - cwe-94 - - checkmarx-stored - - owasp-top-10 - - boost-baseline - - ALL - - cwe-top-25 - description: The product constructs all or part of a code segment using externally-influenced - input from an upstream component, but it does not neutralize or incorrectly - neutralizes special elements that could modify the syntax or behavior of the - intended code segment. 
- group: top10-injection - name: Groovy_Stored_Stored_Code_Injection - pretty_name: Stored Code Injection - Groovy - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Groovy_Stored_Stored_HTTP_Response_Splitting: - categories: - - cwe-113 - - owasp-top-10 - - checkmarx-stored - - boost-baseline - - ALL - description: The product receives data from an HTTP agent/component (e.g., web - server, proxy, browser, etc.), but it does not neutralize or incorrectly neutralizes - CR and LF characters before the data is included in outgoing HTTP headers. - group: top10-injection - name: Groovy_Stored_Stored_HTTP_Response_Splitting - pretty_name: Stored HTTP Response Splitting - Groovy - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Groovy_Stored_Stored_Open_Redirect: - categories: - - cwe-601 - - owasp-top-10 - - checkmarx-stored - - boost-baseline - - ALL - description: A web application accepts a user-controlled input that specifies - a link to an external site, and uses that link in a Redirect. This simplifies - phishing attacks. - group: top10-broken-access-control - name: Groovy_Stored_Stored_Open_Redirect - pretty_name: Stored Open Redirect - Groovy - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Groovy_Stored_Stored_XPath_Injection: - categories: - - cwe-643 - - owasp-top-10 - - checkmarx-stored - - boost-baseline - - ALL - description: The product uses external input to dynamically construct an XPath - expression used to retrieve data from an XML database, but it does not neutralize - or incorrectly neutralizes that input. This allows an attacker to control the - structure of the query. 
- group: top10-injection - name: Groovy_Stored_Stored_XPath_Injection - pretty_name: Stored XPath Injection - Groovy - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_AWS_Lambda_DynamoDB_NoSQL_Injection: - categories: - - boost-hardened - - checkmarx-server-side-vulnerability - - cwe-74 - - owasp-top-10 - - boost-baseline - - ALL - description: The product constructs all or part of a command, data structure, - or record using externally-influenced input from an upstream component, but - it does not neutralize or incorrectly neutralizes special elements that could - modify how it is parsed or interpreted when it is sent to a downstream component. - group: top10-injection - name: JavaScript_AWS_Lambda_DynamoDB_NoSQL_Injection - pretty_name: DynamoDB NoSQL Injection - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_AWS_Lambda_Permission_Manipulation_in_S3: - categories: - - checkmarx-server-side-vulnerability - - owasp-top-10 - - cwe-285 - - boost-baseline - - ALL - description: The product does not perform or incorrectly performs an authorization - check when an actor attempts to access a resource or perform an action. - group: top10-broken-access-control - name: JavaScript_AWS_Lambda_Permission_Manipulation_in_S3 - pretty_name: Permission Manipulation in S3 - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_AWS_Lambda_Race_Condition_Concurrent_Instances: - categories: - - checkmarx-server-side-vulnerability - - cwe-366 - - owasp-top-10 - - boost-baseline - - ALL - description: If two threads of execution use a resource simultaneously, there - exists the possibility that resources may be used while invalid, in turn making - the state of execution undefined. 
- group: top10-insecure-design - name: JavaScript_AWS_Lambda_Race_Condition_Concurrent_Instances - pretty_name: Race Condition Concurrent Instances - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_AWS_Lambda_Unrestricted_Read_S3: - categories: - - checkmarx-server-side-vulnerability - - owasp-top-10 - - cwe-639 - - boost-baseline - - ALL - description: The system's authorization functionality does not prevent one user - from gaining access to another user's data or record by modifying the key value - identifying the data. - group: top10-broken-access-control - name: JavaScript_AWS_Lambda_Unrestricted_Read_S3 - pretty_name: Unrestricted Read S3 - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_AWS_Lambda_Unrestricted_Write_S3: - categories: - - checkmarx-server-side-vulnerability - - owasp-top-10 - - cwe-639 - - boost-baseline - - ALL - description: The system's authorization functionality does not prevent one user - from gaining access to another user's data or record by modifying the key value - identifying the data. - group: top10-broken-access-control - name: JavaScript_AWS_Lambda_Unrestricted_Write_S3 - pretty_name: Unrestricted Write S3 - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_AWS_Lambda_User_Based_SDK_Configurations: - categories: - - boost-baseline - - ALL - - cwe-15 - - checkmarx-server-side-vulnerability - description: One or more system settings or configuration elements can be externally - controlled by a user. 
- group: top10-security-misconfiguration - name: JavaScript_AWS_Lambda_User_Based_SDK_Configurations - pretty_name: User Based SDK Configurations - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_Angular_Angular_Client_DOM_XSS: - categories: - - boost-hardened - - cwe-79 - - owasp-top-10 - - boost-baseline - - ALL - - cwe-top-25 - description: The product does not neutralize or incorrectly neutralizes user-controllable - input before it is placed in output that is used as a web page that is served - to other users. - group: top10-injection - name: JavaScript_Angular_Angular_Client_DOM_XSS - pretty_name: Angular Client DOM XSS - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_Angular_Angular_Client_Stored_DOM_XSS: - categories: - - boost-hardened - - cwe-79 - - owasp-top-10 - - boost-baseline - - ALL - - cwe-top-25 - description: The product does not neutralize or incorrectly neutralizes user-controllable - input before it is placed in output that is used as a web page that is served - to other users. - group: top10-injection - name: JavaScript_Angular_Angular_Client_Stored_DOM_XSS - pretty_name: Angular Client Stored DOM XSS - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_Angular_Angular_Deprecated_API: - categories: - - cwe-477 - - owasp-top-10 - - boost-baseline - - ALL - description: The code uses deprecated or obsolete functions, which suggests that - the code has not been actively reviewed or maintained. 
- group: top10-insecure-design - name: JavaScript_Angular_Angular_Deprecated_API - pretty_name: Angular Deprecated API - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_Angular_Angular_Improper_Type_Pipe_Usage: - categories: - - cwe-228 - - owasp-top-10 - - boost-baseline - - ALL - description: The product does not handle or incorrectly handles input that is - not syntactically well-formed with respect to the associated specification. - group: top10-insecure-design - name: JavaScript_Angular_Angular_Improper_Type_Pipe_Usage - pretty_name: Angular Improper Type Pipe Usage - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_Angular_Angular_Usage_of_Unsafe_DOM_Sanitizer: - categories: - - cwe-116 - - owasp-top-10 - - boost-baseline - - ALL - description: The product prepares a structured message for communication with - another component, but encoding or escaping of the data is either missing or - done incorrectly. As a result, the intended structure of the message is not - preserved. - group: top10-injection - name: JavaScript_Angular_Angular_Usage_of_Unsafe_DOM_Sanitizer - pretty_name: Angular Usage of Unsafe DOM Sanitizer - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_Best_Coding_Practice_Avoid_the_Use_of_FinalizationRegistry: - categories: - - boost-baseline - - ALL - - checkmarx-best-coding-practices - - owasp-top-10 - description: The use of the FinalizationRegistry object in JavaScript is detected, - which may lead to unexpected behavior or memory leaks, as this object allows - managed interaction with garbage collection. 
- group: top10-insecure-design - name: JavaScript_Best_Coding_Practice_Avoid_the_Use_of_FinalizationRegistry - pretty_name: Avoid the Use of FinalizationRegistry - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_Best_Coding_Practice_Avoid_the_Use_of_WeakRef: - categories: - - boost-baseline - - ALL - - checkmarx-best-coding-practices - - owasp-top-10 - description: Avoid using the WeakRef JavaScript feature, as it poses risks associated - with unintended garbage collection leading to potential memory leaks or unexpected - application behaviors. - group: top10-insecure-design - name: JavaScript_Best_Coding_Practice_Avoid_the_Use_of_WeakRef - pretty_name: Avoid the Use of WeakRef - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_Best_Coding_Practice_Hardcoded_Absolute_Path: - categories: - - cwe-426 - - owasp-top-10 - - checkmarx-best-coding-practices - - boost-baseline - - ALL - description: The product searches for critical resources using an externally-supplied - search path that can point to resources that are not under the product's direct - control. - group: top10-software-data-integrity-failures - name: JavaScript_Best_Coding_Practice_Hardcoded_Absolute_Path - pretty_name: Hardcoded Absolute Path - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_Best_Coding_Practice_React_Multiple_Classes_With_Same_Name: - categories: - - owasp-top-10 - - cwe-694 - - checkmarx-best-coding-practices - - boost-baseline - - ALL - description: The product uses multiple resources that can have the same identifier, - in a context in which unique identifiers are required. 
- group: top10-insecure-design - name: JavaScript_Best_Coding_Practice_React_Multiple_Classes_With_Same_Name - pretty_name: React Multiple Classes With Same Name - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_Best_Coding_Practice_Use_Of_Multiple_Mixins: - categories: - - owasp-top-10 - - cwe-710 - - checkmarx-best-coding-practices - - boost-baseline - - ALL - description: The product does not follow certain coding rules for development, - which can lead to resultant weaknesses or increase the severity of the associated - vulnerabilities. - group: top10-insecure-design - name: JavaScript_Best_Coding_Practice_Use_Of_Multiple_Mixins - pretty_name: Use Of Multiple Mixins - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_Cordova_Cordova_Code_Injection: - categories: - - ALL - - cwe-94 - - owasp-top-10 - - boost-baseline - - checkmarx-cordova - - cwe-top-25 - description: The product constructs all or part of a code segment using externally-influenced - input from an upstream component, but it does not neutralize or incorrectly - neutralizes special elements that could modify the syntax or behavior of the - intended code segment. - group: top10-injection - name: JavaScript_Cordova_Cordova_Code_Injection - pretty_name: Cordova Code Injection - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_Cordova_Cordova_File_Disclosure: - categories: - - cwe-538 - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-cordova - description: The product places sensitive information into files or directories - that are accessible to actors who are allowed to have access to the files, but - not to the sensitive information. 
- group: top10-broken-access-control - name: JavaScript_Cordova_Cordova_File_Disclosure - pretty_name: Cordova File Disclosure - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_Cordova_Cordova_File_Manipulation: - categories: - - owasp-top-10 - - cwe-552 - - boost-baseline - - ALL - - checkmarx-cordova - description: The product makes files or directories accessible to unauthorized - actors, even though they should not be. - group: top10-broken-access-control - name: JavaScript_Cordova_Cordova_File_Manipulation - pretty_name: Cordova File Manipulation - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_Cordova_Cordova_Insufficient_Domain_Whitelist: - categories: - - cwe-942 - - ALL - - boost-baseline - - checkmarx-cordova - description: The product uses a cross-domain policy file that includes domains - that should not be trusted. - group: top10-security-misconfiguration - name: JavaScript_Cordova_Cordova_Insufficient_Domain_Whitelist - pretty_name: Cordova Insufficient Domain Whitelist - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_Cordova_Cordova_Missing_Content_Security_Policy: - categories: - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-cordova - - cwe-346 - description: The product does not properly verify that the source of data or communication - is valid. 
- group: top10-id-authn-failures - name: JavaScript_Cordova_Cordova_Missing_Content_Security_Policy - pretty_name: Cordova Missing Content Security Policy - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_Cordova_Cordova_Open_Redirect: - categories: - - cwe-601 - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-cordova - description: A web application accepts a user-controlled input that specifies - a link to an external site, and uses that link in a Redirect. This simplifies - phishing attacks. - group: top10-broken-access-control - name: JavaScript_Cordova_Cordova_Open_Redirect - pretty_name: Cordova Open Redirect - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_Cordova_Cordova_Permissive_Content_Security_Policy: - categories: - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-cordova - - cwe-346 - description: The product does not properly verify that the source of data or communication - is valid. - group: top10-id-authn-failures - name: JavaScript_Cordova_Cordova_Permissive_Content_Security_Policy - pretty_name: Cordova Permissive Content Security Policy - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_Cordova_Cordova_Privacy_Violation: - categories: - - checkmarx-cordova - - owasp-top-10 - - boost-baseline - - ALL - - cwe-359 - description: The product does not properly prevent a person's private, personal - information from being accessed by actors who either (1) are not explicitly - authorized to access the information or (2) do not have the implicit consent - of the person about whom the information is collected. 
- group: top10-broken-access-control - name: JavaScript_Cordova_Cordova_Privacy_Violation - pretty_name: Cordova Privacy Violation - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_High_Risk_Client_DOM_Code_Injection: - categories: - - boost-hardened - - cwe-94 - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-high-risk - - cwe-top-25 - description: The product constructs all or part of a code segment using externally-influenced - input from an upstream component, but it does not neutralize or incorrectly - neutralizes special elements that could modify the syntax or behavior of the - intended code segment. - group: top10-injection - name: JavaScript_High_Risk_Client_DOM_Code_Injection - pretty_name: Client DOM Code Injection - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_High_Risk_Client_DOM_Stored_Code_Injection: - categories: - - boost-hardened - - cwe-94 - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-high-risk - - cwe-top-25 - description: The product constructs all or part of a code segment using externally-influenced - input from an upstream component, but it does not neutralize or incorrectly - neutralizes special elements that could modify the syntax or behavior of the - intended code segment. 
- group: top10-injection - name: JavaScript_High_Risk_Client_DOM_Stored_Code_Injection - pretty_name: Client DOM Stored Code Injection - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_High_Risk_Client_DOM_Stored_XSS: - categories: - - boost-hardened - - cwe-79 - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-high-risk - - cwe-top-25 - description: The product does not neutralize or incorrectly neutralizes user-controllable - input before it is placed in output that is used as a web page that is served - to other users. - group: top10-injection - name: JavaScript_High_Risk_Client_DOM_Stored_XSS - pretty_name: Client DOM Stored XSS - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_High_Risk_Client_DOM_XSS: - categories: - - boost-hardened - - cwe-79 - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-high-risk - - cwe-top-25 - description: The product does not neutralize or incorrectly neutralizes user-controllable - input before it is placed in output that is used as a web page that is served - to other users. - group: top10-injection - name: JavaScript_High_Risk_Client_DOM_XSS - pretty_name: Client DOM XSS - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_High_Risk_Client_Dynamic_File_Inclusion: - categories: - - boost-hardened - - owasp-top-10 - - cwe-829 - - boost-baseline - - ALL - - checkmarx-high-risk - description: The product imports, requires, or includes executable functionality - (such as a library) from a source that is outside of the intended control sphere. 
- group: top10-software-data-integrity-failures - name: JavaScript_High_Risk_Client_Dynamic_File_Inclusion - pretty_name: Client Dynamic File Inclusion - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_High_Risk_Client_Resource_Injection: - categories: - - boost-hardened - - owasp-top-10 - - cwe-99 - - boost-baseline - - ALL - - checkmarx-high-risk - description: The product receives input from an upstream component, but it does - not restrict or incorrectly restricts the input before it is used as an identifier - for a resource that may be outside the intended sphere of control. - group: top10-injection - name: JavaScript_High_Risk_Client_Resource_Injection - pretty_name: Client Resource Injection - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_High_Risk_Client_SQL_Injection: - categories: - - boost-hardened - - cwe-89 - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-high-risk - - cwe-top-25 - description: The product constructs all or part of an SQL command using externally-influenced - input from an upstream component, but it does not neutralize or incorrectly - neutralizes special elements that could modify the intended SQL command when - it is sent to a downstream component. 
- group: top10-injection - name: JavaScript_High_Risk_Client_SQL_Injection - pretty_name: Client SQL Injection - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_High_Risk_Client_Second_Order_Sql_Injection: - categories: - - boost-hardened - - cwe-89 - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-high-risk - - cwe-top-25 - description: The product constructs all or part of an SQL command using externally-influenced - input from an upstream component, but it does not neutralize or incorrectly - neutralizes special elements that could modify the intended SQL command when - it is sent to a downstream component. - group: top10-injection - name: JavaScript_High_Risk_Client_Second_Order_Sql_Injection - pretty_name: Client Second Order Sql Injection - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_High_Risk_Deserialization_of_Untrusted_Data: - categories: - - boost-hardened - - boost-baseline - - owasp-top-10 - - cwe-502 - - ALL - - checkmarx-high-risk - - cwe-top-25 - description: The product deserializes untrusted data without sufficiently verifying - that the resulting data will be valid. - group: top10-software-data-integrity-failures - name: JavaScript_High_Risk_Deserialization_of_Untrusted_Data - pretty_name: Deserialization of Untrusted Data - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_High_Risk_Prototype_Pollution: - categories: - - boost-hardened - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-high-risk - description: The product receives input from an upstream component that specifies - attributes that are to be initialized or updated in an object, but it does not - properly control modifications of attributes of the object prototype. 
- group: top10-injection - name: JavaScript_High_Risk_Prototype_Pollution - pretty_name: Prototype Pollution - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_Jelly_Jelly_Injection: - categories: - - boost-hardened - - cwe-94 - - owasp-top-10 - - checkmarx-jelly - - boost-baseline - - ALL - - cwe-top-25 - description: The product constructs all or part of a code segment using externally-influenced - input from an upstream component, but it does not neutralize or incorrectly - neutralizes special elements that could modify the syntax or behavior of the - intended code segment. - group: top10-injection - name: JavaScript_Jelly_Jelly_Injection - pretty_name: Jelly Injection - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_Jelly_Jelly_XSS: - categories: - - boost-hardened - - cwe-79 - - owasp-top-10 - - checkmarx-jelly - - boost-baseline - - ALL - - cwe-top-25 - description: The product does not neutralize or incorrectly neutralizes user-controllable - input before it is placed in output that is used as a web page that is served - to other users. - group: top10-injection - name: JavaScript_Jelly_Jelly_XSS - pretty_name: Jelly XSS - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_Low_Visibility_Client_Cookies_Inspection: - categories: - - boost-baseline - - ALL - - checkmarx-low-visibility - - cwe-315 - description: The product stores sensitive information in cleartext in a cookie. 
- group: top10-security-misconfiguration - name: JavaScript_Low_Visibility_Client_Cookies_Inspection - pretty_name: Client Cookies Inspection - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_Low_Visibility_Client_Cross_Session_Contamination: - categories: - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - - cwe-488 - description: The product does not sufficiently enforce boundaries between the - states of different sessions, causing data to be provided to, or used by, the - wrong session. - group: top10-broken-access-control - name: JavaScript_Low_Visibility_Client_Cross_Session_Contamination - pretty_name: Client Cross Session Contamination - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_Low_Visibility_Client_DOM_Open_Redirect: - categories: - - checkmarx-low-visibility - - cwe-601 - - owasp-top-10 - - boost-baseline - - ALL - description: A web application accepts a user-controlled input that specifies - a link to an external site, and uses that link in a Redirect. This simplifies - phishing attacks. - group: top10-broken-access-control - name: JavaScript_Low_Visibility_Client_DOM_Open_Redirect - pretty_name: Client DOM Open Redirect - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_Low_Visibility_Client_Empty_Password: - categories: - - ALL - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - cwe-259 - description: The product contains a hard-coded password, which it uses for its - own inbound authentication or for outbound communication to external components. 
- group: top10-id-authn-failures - name: JavaScript_Low_Visibility_Client_Empty_Password - pretty_name: Client Empty Password - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_Low_Visibility_Client_HTML5_Easy_To_Guess_Database_Name: - categories: - - cwe-330 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: The product uses insufficiently random numbers or values in a security - context that depends on unpredictable numbers. - group: top10-crypto-failures - name: JavaScript_Low_Visibility_Client_HTML5_Easy_To_Guess_Database_Name - pretty_name: Client HTML5 Easy To Guess Database Name - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_Low_Visibility_Client_HTML5_Heuristic_Session_Insecure_Storage: - categories: - - cwe-922 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: The product stores sensitive information without properly limiting - read or write access by unauthorized actors. - group: top10-broken-access-control - name: JavaScript_Low_Visibility_Client_HTML5_Heuristic_Session_Insecure_Storage - pretty_name: Client HTML5 Heuristic Session Insecure Storage - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_Low_Visibility_Client_Hardcoded_Domain: - categories: - - checkmarx-low-visibility - - owasp-top-10 - - cwe-829 - - boost-baseline - - ALL - description: The product imports, requires, or includes executable functionality - (such as a library) from a source that is outside of the intended control sphere. 
- group: top10-software-data-integrity-failures - name: JavaScript_Low_Visibility_Client_Hardcoded_Domain - pretty_name: Client Hardcoded Domain - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_Low_Visibility_Client_Heuristic_Poor_XSS_Validation: - categories: - - cwe-80 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: The product receives input from an upstream component, but it does - not neutralize or incorrectly neutralizes special characters such as "<", ">", - and "&" that could be interpreted as web-scripting elements when they are sent - to a downstream component that processes web pages. - group: top10-injection - name: JavaScript_Low_Visibility_Client_Heuristic_Poor_XSS_Validation - pretty_name: Client Heuristic Poor XSS Validation - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_Low_Visibility_Client_Insecure_Randomness: - categories: - - cwe-330 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: The product uses insufficiently random numbers or values in a security - context that depends on unpredictable numbers. - group: top10-crypto-failures - name: JavaScript_Low_Visibility_Client_Insecure_Randomness - pretty_name: Client Insecure Randomness - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_Low_Visibility_Client_Insufficient_Key_Size: - categories: - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - - cwe-310 - description: Related to the design and implementation of data confidentiality - and integrity. Frequently these deal with the use of encoding techniques, encryption - libraries, and hashing algorithms. The weaknesses in this category could lead - to a degradation of the quality data if they are not addressed. 
- group: top10-crypto-failures - name: JavaScript_Low_Visibility_Client_Insufficient_Key_Size - pretty_name: Client Insufficient Key Size - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_Low_Visibility_Client_JQuery_Deprecated_Symbols: - categories: - - cwe-477 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: The code uses deprecated or obsolete functions, which suggests that - the code has not been actively reviewed or maintained. - group: top10-insecure-design - name: JavaScript_Low_Visibility_Client_JQuery_Deprecated_Symbols - pretty_name: Client JQuery Deprecated Symbols - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_Low_Visibility_Client_Located_JQuery_Outdated_Lib_File: - categories: - - cwe-477 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: The code uses deprecated or obsolete functions, which suggests that - the code has not been actively reviewed or maintained. - group: top10-vulnerable-components - name: JavaScript_Low_Visibility_Client_Located_JQuery_Outdated_Lib_File - pretty_name: Client Located JQuery Outdated Lib File - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_Low_Visibility_Client_Negative_Content_Length: - categories: - - checkmarx-low-visibility - - owasp-top-10 - - cwe-398 - - boost-baseline - - ALL - description: Indicates that the product has not been carefully developed or maintained. 
- group: top10-injection - name: JavaScript_Low_Visibility_Client_Negative_Content_Length - pretty_name: Client Negative Content Length - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_Low_Visibility_Client_Null_Password: - categories: - - ALL - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - cwe-259 - description: The product contains a hard-coded password, which it uses for its - own inbound authentication or for outbound communication to external components. - group: top10-id-authn-failures - name: JavaScript_Low_Visibility_Client_Null_Password - pretty_name: Client Null Password - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_Low_Visibility_Client_Overly_Permissive_Message_Posting: - categories: - - cwe-942 - - ALL - - boost-baseline - - checkmarx-low-visibility - description: The product uses a cross-domain policy file that includes domains - that should not be trusted. - group: top10-security-misconfiguration - name: JavaScript_Low_Visibility_Client_Overly_Permissive_Message_Posting - pretty_name: Client Overly Permissive Message Posting - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_Low_Visibility_Client_Password_In_Comment: - categories: - - cwe-615 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: 'While adding general comments is very useful, some programmers tend - to leave important data, such as: filenames related to the web application, - old links or links which were not meant to be browsed by users, old code fragments, - etc.' 
- group: top10-id-authn-failures - name: JavaScript_Low_Visibility_Client_Password_In_Comment - pretty_name: Client Password In Comment - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_Low_Visibility_Client_Password_Weak_Encryption: - categories: - - cwe-261 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: Obscuring a password with a trivial encoding does not protect the - password. - group: top10-crypto-failures - name: JavaScript_Low_Visibility_Client_Password_Weak_Encryption - pretty_name: Client Password Weak Encryption - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_Low_Visibility_Client_Potential_Ad_Hoc_Ajax: - categories: - - cwe-693 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: The product does not use or incorrectly uses a protection mechanism - that provides sufficient defense against directed attacks against the product. - group: top10-injection - name: JavaScript_Low_Visibility_Client_Potential_Ad_Hoc_Ajax - pretty_name: Client Potential Ad Hoc Ajax - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_Low_Visibility_Client_Potential_DOM_Open_Redirect: - categories: - - checkmarx-low-visibility - - cwe-601 - - owasp-top-10 - - boost-baseline - - ALL - description: A web application accepts a user-controlled input that specifies - a link to an external site, and uses that link in a Redirect. This simplifies - phishing attacks. 
- group: top10-broken-access-control - name: JavaScript_Low_Visibility_Client_Potential_DOM_Open_Redirect - pretty_name: Client Potential DOM Open Redirect - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_Low_Visibility_Client_Potential_ReDoS_In_Match: - categories: - - checkmarx-low-visibility - - owasp-top-10 - - cwe-400 - - boost-baseline - - ALL - - cwe-top-25 - description: The product does not properly control the allocation and maintenance - of a limited resource, thereby enabling an actor to influence the amount of - resources consumed, eventually leading to the exhaustion of available resources. - group: top10-insecure-design - name: JavaScript_Low_Visibility_Client_Potential_ReDoS_In_Match - pretty_name: Client Potential ReDoS In Match - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_Low_Visibility_Client_Potential_ReDoS_In_Replace: - categories: - - checkmarx-low-visibility - - owasp-top-10 - - cwe-400 - - boost-baseline - - ALL - - cwe-top-25 - description: The product does not properly control the allocation and maintenance - of a limited resource, thereby enabling an actor to influence the amount of - resources consumed, eventually leading to the exhaustion of available resources. 
- group: top10-insecure-design - name: JavaScript_Low_Visibility_Client_Potential_ReDoS_In_Replace - pretty_name: Client Potential ReDoS In Replace - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_Low_Visibility_Client_Regex_Injection: - categories: - - checkmarx-low-visibility - - owasp-top-10 - - cwe-400 - - boost-baseline - - ALL - - cwe-top-25 - description: The product does not properly control the allocation and maintenance - of a limited resource, thereby enabling an actor to influence the amount of - resources consumed, eventually leading to the exhaustion of available resources. - group: top10-injection - name: JavaScript_Low_Visibility_Client_Regex_Injection - pretty_name: Client Regex Injection - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_Low_Visibility_Client_Remote_File_Inclusion: - categories: - - checkmarx-low-visibility - - owasp-top-10 - - cwe-829 - - boost-baseline - - ALL - description: The product imports, requires, or includes executable functionality - (such as a library) from a source that is outside of the intended control sphere. - group: top10-software-data-integrity-failures - name: JavaScript_Low_Visibility_Client_Remote_File_Inclusion - pretty_name: Client Remote File Inclusion - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_Low_Visibility_Client_Server_Empty_Password: - categories: - - ALL - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - cwe-259 - description: The product contains a hard-coded password, which it uses for its - own inbound authentication or for outbound communication to external components. 
- group: top10-id-authn-failures - name: JavaScript_Low_Visibility_Client_Server_Empty_Password - pretty_name: Client Server Empty Password - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_Low_Visibility_Client_Use_Of_Deprecated_SQL_Database: - categories: - - cwe-937 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: Relates to using components with known vulnerabilities - group: top10-vulnerable-components - name: JavaScript_Low_Visibility_Client_Use_Of_Deprecated_SQL_Database - pretty_name: Client Use Of Deprecated SQL Database - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_Low_Visibility_Client_Use_Of_Iframe_Without_Sandbox: - categories: - - checkmarx-low-visibility - - owasp-top-10 - - cwe-829 - - boost-baseline - - ALL - description: The product imports, requires, or includes executable functionality - (such as a library) from a source that is outside of the intended control sphere. - group: top10-software-data-integrity-failures - name: JavaScript_Low_Visibility_Client_Use_Of_Iframe_Without_Sandbox - pretty_name: Client Use Of Iframe Without Sandbox - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_Low_Visibility_Client_Weak_Cryptographic_Hash: - categories: - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - - cwe-310 - description: Related to the design and implementation of data confidentiality - and integrity. Frequently these deal with the use of encoding techniques, encryption - libraries, and hashing algorithms. The weaknesses in this category could lead - to a degradation of the quality data if they are not addressed. 
- group: top10-crypto-failures - name: JavaScript_Low_Visibility_Client_Weak_Cryptographic_Hash - pretty_name: Client Weak Cryptographic Hash - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_Low_Visibility_Client_Weak_Encryption: - categories: - - cwe-327 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: The product uses a broken or risky cryptographic algorithm or protocol. - group: top10-crypto-failures - name: JavaScript_Low_Visibility_Client_Weak_Encryption - pretty_name: Client Weak Encryption - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_Low_Visibility_Client_Weak_Password_Authentication: - categories: - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - - cwe-top-25 - - cwe-798 - description: The product contains hard-coded credentials, such as a password or - cryptographic key, which it uses for its own inbound authentication, outbound - communication to external components, or encryption of internal data. - group: top10-id-authn-failures - name: JavaScript_Low_Visibility_Client_Weak_Password_Authentication - pretty_name: Client Weak Password Authentication - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_Low_Visibility_Information_Exposure_Through_Query_Strings: - categories: - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - - cwe-522 - description: The product transmits or stores authentication credentials, but it - uses an insecure method that is susceptible to unauthorized interception and/or - retrieval. 
- group: top10-insecure-design - name: JavaScript_Low_Visibility_Information_Exposure_Through_Query_Strings - pretty_name: Information Exposure Through Query Strings - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_Low_Visibility_Insufficiently_Protected_Credentials: - categories: - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - - cwe-522 - description: The product transmits or stores authentication credentials, but it - uses an insecure method that is susceptible to unauthorized interception and/or - retrieval. - group: top10-insecure-design - name: JavaScript_Low_Visibility_Insufficiently_Protected_Credentials - pretty_name: Insufficiently Protected Credentials - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_Low_Visibility_Not_Using_a_Random_IV: - categories: - - checkmarx-low-visibility - - owasp-top-10 - - cwe-329 - - boost-baseline - - ALL - description: The product generates and uses a predictable initialization Vector - (IV) with Cipher Block Chaining (CBC) Mode, which causes algorithms to be susceptible - to dictionary attacks when they are encrypted under the same key. - group: top10-crypto-failures - name: JavaScript_Low_Visibility_Not_Using_a_Random_IV - pretty_name: Not Using a Random IV - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_Low_Visibility_Overly_Permissive_Cross_Origin_Resource_Sharing_Policy: - categories: - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - - cwe-346 - description: The product does not properly verify that the source of data or communication - is valid. 
- group: top10-id-authn-failures - name: JavaScript_Low_Visibility_Overly_Permissive_Cross_Origin_Resource_Sharing_Policy - pretty_name: Overly Permissive Cross Origin Resource Sharing Policy - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_Low_Visibility_Potential_Clickjacking_on_Legacy_Browsers: - categories: - - cwe-693 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: The product does not use or incorrectly uses a protection mechanism - that provides sufficient defense against directed attacks against the product. - group: top10-injection - name: JavaScript_Low_Visibility_Potential_Clickjacking_on_Legacy_Browsers - pretty_name: Potential Clickjacking on Legacy Browsers - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_Low_Visibility_React_Deprecated: - categories: - - cwe-477 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: The code uses deprecated or obsolete functions, which suggests that - the code has not been actively reviewed or maintained. - group: top10-insecure-design - name: JavaScript_Low_Visibility_React_Deprecated - pretty_name: React Deprecated - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_Low_Visibility_Unsafe_Use_Of_Target_blank: - categories: - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - - cwe-1022 - description: The web application produces links to untrusted external sites outside - of its sphere of control, but it does not properly prevent the external site - from modifying security-critical properties of the window.opener object, such - as the location property. 
- group: top10-insecure-design - name: JavaScript_Low_Visibility_Unsafe_Use_Of_Target_blank - pretty_name: Unsafe Use Of Target blank - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_Low_Visibility_Use_Of_Controlled_Input_On_Sensitive_Field: - categories: - - boost-baseline - - ALL - - checkmarx-low-visibility - - owasp-top-10 - description: Sensitive JavaScript fields are being populated with user-controlled - input without sufficient validation or sanitization, exposing potential security - vulnerabilities such as injection attacks. - group: top10-broken-access-control - name: JavaScript_Low_Visibility_Use_Of_Controlled_Input_On_Sensitive_Field - pretty_name: Use Of Controlled Input On Sensitive Field - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_Medium_Threat_AngularJS_SCE_Disabled: - categories: - - cwe-116 - - checkmarx-medium-threat - - owasp-top-10 - - boost-baseline - - ALL - description: The product prepares a structured message for communication with - another component, but encoding or escaping of the data is either missing or - done incorrectly. As a result, the intended structure of the message is not - preserved. 
- group: top10-injection - name: JavaScript_Medium_Threat_AngularJS_SCE_Disabled - pretty_name: AngularJS SCE Disabled - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_Medium_Threat_CSV_Injection: - categories: - - checkmarx-medium-threat - - cwe-74 - - owasp-top-10 - - boost-baseline - - ALL - description: The product constructs all or part of a command, data structure, - or record using externally-influenced input from an upstream component, but - it does not neutralize or incorrectly neutralizes special elements that could - modify how it is parsed or interpreted when it is sent to a downstream component. - group: top10-injection - name: JavaScript_Medium_Threat_CSV_Injection - pretty_name: CSV Injection - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_Medium_Threat_Client_CSS_Injection: - categories: - - checkmarx-medium-threat - - owasp-top-10 - - boost-baseline - - ALL - - cwe-83 - description: The product does not neutralize or incorrectly neutralizes "javascript:" - or other URIs from dangerous attributes within tags, such as onmouseover, onload, - onerror, or style. - group: top10-injection - name: JavaScript_Medium_Threat_Client_CSS_Injection - pretty_name: Client CSS Injection - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_Medium_Threat_Client_Cross_Frame_Scripting_Attack: - categories: - - checkmarx-medium-threat - - cwe-79 - - owasp-top-10 - - boost-baseline - - ALL - - cwe-top-25 - description: The product does not neutralize or incorrectly neutralizes user-controllable - input before it is placed in output that is used as a web page that is served - to other users. 
- group: top10-injection - name: JavaScript_Medium_Threat_Client_Cross_Frame_Scripting_Attack - pretty_name: Client Cross Frame Scripting Attack - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_Medium_Threat_Client_DB_Parameter_Tampering: - categories: - - checkmarx-medium-threat - - owasp-top-10 - - cwe-284 - - boost-baseline - - ALL - description: The product does not restrict or incorrectly restricts access to - a resource from an unauthorized actor. - group: top10-broken-access-control - name: JavaScript_Medium_Threat_Client_DB_Parameter_Tampering - pretty_name: Client DB Parameter Tampering - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_Medium_Threat_Client_DOM_CSRF: - categories: - - checkmarx-medium-threat - - cwe-352 - - owasp-top-10 - - boost-baseline - - ALL - - cwe-top-25 - description: The web application does not, or can not, sufficiently verify whether - a well-formed, valid, consistent request was intentionally provided by the user - who submitted the request. - group: top10-injection - name: JavaScript_Medium_Threat_Client_DOM_CSRF - pretty_name: Client DOM CSRF - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_Medium_Threat_Client_DOM_Cookie_Poisoning: - categories: - - checkmarx-medium-threat - - owasp-top-10 - - cwe-472 - - boost-baseline - - ALL - description: The web application does not sufficiently verify inputs that are - assumed to be immutable but are actually externally controllable, such as hidden - form fields. 
- group: top10-insecure-design - name: JavaScript_Medium_Threat_Client_DOM_Cookie_Poisoning - pretty_name: Client DOM Cookie Poisoning - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_Medium_Threat_Client_DoS_By_Sleep: - categories: - - checkmarx-medium-threat - - owasp-top-10 - - boost-baseline - - ALL - - cwe-730 - description: Relates to avenues that can cause denial of serivce. - group: top10-insecure-design - name: JavaScript_Medium_Threat_Client_DoS_By_Sleep - pretty_name: Client DoS By Sleep - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_Medium_Threat_Client_HTML5_Information_Exposure: - categories: - - checkmarx-medium-threat - - owasp-top-10 - - boost-baseline - - ALL - - cwe-200 - description: The product exposes sensitive information to an actor that is not - explicitly authorized to have access to that information. - group: top10-broken-access-control - name: JavaScript_Medium_Threat_Client_HTML5_Information_Exposure - pretty_name: Client HTML5 Information Exposure - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_Medium_Threat_Client_HTML5_Insecure_Storage: - categories: - - checkmarx-medium-threat - - cwe-312 - - owasp-top-10 - - boost-baseline - - ALL - description: The product stores sensitive information in cleartext within a resource - that might be accessible to another control sphere. 
- group: top10-insecure-design - name: JavaScript_Medium_Threat_Client_HTML5_Insecure_Storage - pretty_name: Client HTML5 Insecure Storage - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_Medium_Threat_Client_HTML5_Store_Sensitive_data_In_Web_Storage: - categories: - - checkmarx-medium-threat - - cwe-312 - - owasp-top-10 - - boost-baseline - - ALL - description: The product stores sensitive information in cleartext within a resource - that might be accessible to another control sphere. - group: top10-insecure-design - name: JavaScript_Medium_Threat_Client_HTML5_Store_Sensitive_data_In_Web_Storage - pretty_name: Client HTML5 Store Sensitive data In Web Storage - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_Medium_Threat_Client_Header_Manipulation: - categories: - - checkmarx-medium-threat - - cwe-113 - - owasp-top-10 - - boost-baseline - - ALL - description: The product receives data from an HTTP agent/component (e.g., web - server, proxy, browser, etc.), but it does not neutralize or incorrectly neutralizes - CR and LF characters before the data is included in outgoing HTTP headers. - group: top10-injection - name: JavaScript_Medium_Threat_Client_Header_Manipulation - pretty_name: Client Header Manipulation - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_Medium_Threat_Client_Path_Manipulation: - categories: - - checkmarx-medium-threat - - cwe-73 - - owasp-top-10 - - boost-baseline - - ALL - description: The product allows user input to control or influence paths or file - names that are used in filesystem operations. 
- group: top10-insecure-design - name: JavaScript_Medium_Threat_Client_Path_Manipulation - pretty_name: Client Path Manipulation - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_Medium_Threat_Client_Potential_Code_Injection: - categories: - - checkmarx-medium-threat - - cwe-94 - - owasp-top-10 - - boost-baseline - - ALL - - cwe-top-25 - description: The product constructs all or part of a code segment using externally-influenced - input from an upstream component, but it does not neutralize or incorrectly - neutralizes special elements that could modify the syntax or behavior of the - intended code segment. - group: top10-injection - name: JavaScript_Medium_Threat_Client_Potential_Code_Injection - pretty_name: Client Potential Code Injection - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_Medium_Threat_Client_Potential_XSS: - categories: - - checkmarx-medium-threat - - cwe-79 - - owasp-top-10 - - boost-baseline - - ALL - - cwe-top-25 - description: The product does not neutralize or incorrectly neutralizes user-controllable - input before it is placed in output that is used as a web page that is served - to other users. - group: top10-injection - name: JavaScript_Medium_Threat_Client_Potential_XSS - pretty_name: Client Potential XSS - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_Medium_Threat_Client_Privacy_Violation: - categories: - - checkmarx-medium-threat - - owasp-top-10 - - boost-baseline - - ALL - - cwe-359 - description: The product does not properly prevent a person's private, personal - information from being accessed by actors who either (1) are not explicitly - authorized to access the information or (2) do not have the implicit consent - of the person about whom the information is collected. 
- group: top10-broken-access-control - name: JavaScript_Medium_Threat_Client_Privacy_Violation - pretty_name: Client Privacy Violation - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_Medium_Threat_Client_ReDoS_From_Regex_Injection: - categories: - - checkmarx-medium-threat - - owasp-top-10 - - cwe-400 - - boost-baseline - - ALL - - cwe-top-25 - description: The product does not properly control the allocation and maintenance - of a limited resource, thereby enabling an actor to influence the amount of - resources consumed, eventually leading to the exhaustion of available resources. - group: top10-insecure-design - name: JavaScript_Medium_Threat_Client_ReDoS_From_Regex_Injection - pretty_name: Client ReDoS From Regex Injection - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_Medium_Threat_Client_ReDoS_In_Match: - categories: - - checkmarx-medium-threat - - owasp-top-10 - - cwe-400 - - boost-baseline - - ALL - - cwe-top-25 - description: The product does not properly control the allocation and maintenance - of a limited resource, thereby enabling an actor to influence the amount of - resources consumed, eventually leading to the exhaustion of available resources. - group: top10-insecure-design - name: JavaScript_Medium_Threat_Client_ReDoS_In_Match - pretty_name: Client ReDoS In Match - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_Medium_Threat_Client_ReDoS_In_Replace: - categories: - - checkmarx-medium-threat - - owasp-top-10 - - cwe-400 - - boost-baseline - - ALL - - cwe-top-25 - description: The product does not properly control the allocation and maintenance - of a limited resource, thereby enabling an actor to influence the amount of - resources consumed, eventually leading to the exhaustion of available resources. 
- group: top10-insecure-design - name: JavaScript_Medium_Threat_Client_ReDoS_In_Replace - pretty_name: Client ReDoS In Replace - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_Medium_Threat_Client_ReDos_In_RegExp: - categories: - - checkmarx-medium-threat - - owasp-top-10 - - cwe-400 - - boost-baseline - - ALL - - cwe-top-25 - description: The product does not properly control the allocation and maintenance - of a limited resource, thereby enabling an actor to influence the amount of - resources consumed, eventually leading to the exhaustion of available resources. - group: top10-insecure-design - name: JavaScript_Medium_Threat_Client_ReDos_In_RegExp - pretty_name: Client ReDos In RegExp - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_Medium_Threat_Client_Reflected_File_Download: - categories: - - checkmarx-medium-threat - - cwe-425 - - owasp-top-10 - - boost-baseline - - ALL - description: The web application does not adequately enforce appropriate authorization - on all restricted URLs, scripts, or files. - group: top10-broken-access-control - name: JavaScript_Medium_Threat_Client_Reflected_File_Download - pretty_name: Client Reflected File Download - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_Medium_Threat_Client_Sandbox_Allows_Scripts_With_Same_Origin: - categories: - - checkmarx-medium-threat - - owasp-top-10 - - cwe-829 - - boost-baseline - - ALL - description: The product imports, requires, or includes executable functionality - (such as a library) from a source that is outside of the intended control sphere. 
- group: top10-software-data-integrity-failures - name: JavaScript_Medium_Threat_Client_Sandbox_Allows_Scripts_With_Same_Origin - pretty_name: Client Sandbox Allows Scripts With Same Origin - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_Medium_Threat_Client_Untrusted_Activex: - categories: - - checkmarx-medium-threat - - cwe-618 - - owasp-top-10 - - boost-baseline - - ALL - description: An ActiveX control is intended for use in a web browser, but it exposes - dangerous methods that perform actions that are outside of the browser's security - model (e.g. the zone or domain). - group: top10-vulnerable-components - name: JavaScript_Medium_Threat_Client_Untrusted_Activex - pretty_name: Client Untrusted Activex - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_Medium_Threat_Client_Use_Of_JQuery_Deprecated_Version: - categories: - - cwe-477 - - checkmarx-medium-threat - - owasp-top-10 - - boost-baseline - - ALL - description: The code uses deprecated or obsolete functions, which suggests that - the code has not been actively reviewed or maintained. - group: top10-insecure-design - name: JavaScript_Medium_Threat_Client_Use_Of_JQuery_Deprecated_Version - pretty_name: Client Use Of JQuery Deprecated Version - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_Medium_Threat_Client_XPATH_Injection: - categories: - - checkmarx-medium-threat - - cwe-643 - - owasp-top-10 - - boost-baseline - - ALL - description: The product uses external input to dynamically construct an XPath - expression used to retrieve data from an XML database, but it does not neutralize - or incorrectly neutralizes that input. This allows an attacker to control the - structure of the query. 
- group: top10-injection - name: JavaScript_Medium_Threat_Client_XPATH_Injection - pretty_name: Client XPATH Injection - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_Medium_Threat_Frameable_Login_Page: - categories: - - checkmarx-medium-threat - - owasp-top-10 - - cwe-829 - - boost-baseline - - ALL - description: The product imports, requires, or includes executable functionality - (such as a library) from a source that is outside of the intended control sphere. - group: top10-software-data-integrity-failures - name: JavaScript_Medium_Threat_Frameable_Login_Page - pretty_name: Frameable Login Page - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_Medium_Threat_Insecure_Value_of_the_SameSite_Cookie_Attribute_in_Code: - categories: - - checkmarx-medium-threat - - cwe-1275 - - owasp-top-10 - - boost-baseline - - ALL - description: The SameSite attribute for sensitive cookies is not set, or an insecure - value is used. - group: top10-broken-access-control - name: JavaScript_Medium_Threat_Insecure_Value_of_the_SameSite_Cookie_Attribute_in_Code - pretty_name: Insecure Value of the SameSite Cookie Attribute in Code - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_Medium_Threat_JWT_Sensitive_Information_Exposure: - categories: - - checkmarx-medium-threat - - owasp-top-10 - - cwe-201 - - boost-baseline - - ALL - description: The code transmits data to another actor, but a portion of the data - includes sensitive information that should not be accessible to that actor. 
- group: top10-broken-access-control - name: JavaScript_Medium_Threat_JWT_Sensitive_Information_Exposure - pretty_name: JWT Sensitive Information Exposure - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_Medium_Threat_JWT_Use_Of_Hardcoded_Secret: - categories: - - checkmarx-medium-threat - - owasp-top-10 - - boost-baseline - - ALL - - cwe-top-25 - - cwe-798 - description: The product contains hard-coded credentials, such as a password or - cryptographic key, which it uses for its own inbound authentication, outbound - communication to external components, or encryption of internal data. - group: top10-id-authn-failures - name: JavaScript_Medium_Threat_JWT_Use_Of_Hardcoded_Secret - pretty_name: JWT Use Of Hardcoded Secret - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_Medium_Threat_Missing_HSTS_Header: - categories: - - checkmarx-medium-threat - - owasp-top-10 - - boost-baseline - - ALL - - cwe-346 - description: The product does not properly verify that the source of data or communication - is valid. - group: top10-id-authn-failures - name: JavaScript_Medium_Threat_Missing_HSTS_Header - pretty_name: Missing HSTS Header - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_Medium_Threat_Unchecked_Input_For_Loop_Condition: - categories: - - checkmarx-medium-threat - - owasp-top-10 - - cwe-606 - - boost-baseline - - ALL - description: The product does not properly check inputs that are used for loop - conditions, potentially leading to a denial of service or other consequences - because of excessive looping. 
- group: top10-insecure-design - name: JavaScript_Medium_Threat_Unchecked_Input_For_Loop_Condition - pretty_name: Unchecked Input For Loop Condition - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_Medium_Threat_XML_External_Entities_XXE: - categories: - - checkmarx-medium-threat - - cwe-611 - - boost-baseline - - ALL - - cwe-top-25 - description: The product processes an XML document that can contain XML entities - with URIs that resolve to documents outside of the intended sphere of control, - causing the product to embed incorrect documents into its output. - group: top10-security-misconfiguration - name: JavaScript_Medium_Threat_XML_External_Entities_XXE - pretty_name: XML External Entities XXE - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_ReactNative_Clipboard_Information_Leakage: - categories: - - owasp-top-10 - - boost-baseline - - ALL - - cwe-200 - description: The product exposes sensitive information to an actor that is not - explicitly authorized to have access to that information. - group: top10-broken-access-control - name: JavaScript_ReactNative_Clipboard_Information_Leakage - pretty_name: Clipboard Information Leakage - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_ReactNative_Insecure_Text_Entry: - categories: - - cwe-549 - - owasp-top-10 - - boost-baseline - - ALL - description: The product does not mask passwords during entry, increasing the - potential for attackers to observe and capture passwords. 
- group: top10-insecure-design - name: JavaScript_ReactNative_Insecure_Text_Entry - pretty_name: Insecure Text Entry - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_ReactNative_Insufficient_Transport_Layer_Security: - categories: - - owasp-top-10 - - cwe-319 - - boost-baseline - - ALL - description: The product transmits sensitive or security-critical data in cleartext - in a communication channel that can be sniffed by unauthorized actors. - group: top10-security-misconfiguration - name: JavaScript_ReactNative_Insufficient_Transport_Layer_Security - pretty_name: Insufficient Transport Layer Security - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_ReactNative_Missing_Root_Or_Jailbreak_Check: - categories: - - cwe-693 - - owasp-top-10 - - boost-baseline - - ALL - description: The product does not use or incorrectly uses a protection mechanism - that provides sufficient defense against directed attacks against the product. - group: top10-insecure-design - name: JavaScript_ReactNative_Missing_Root_Or_Jailbreak_Check - pretty_name: Missing Root Or Jailbreak Check - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_ReactNative_Unencrypted_Sensitive_Data_Storage: - categories: - - cwe-922 - - owasp-top-10 - - boost-baseline - - ALL - description: The product stores sensitive information without properly limiting - read or write access by unauthorized actors. 
- group: top10-broken-access-control - name: JavaScript_ReactNative_Unencrypted_Sensitive_Data_Storage - pretty_name: Unencrypted Sensitive Data Storage - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_SAPUI5_Client_Manual_CSRF_Token_Handling: - categories: - - cwe-352 - - checkmarx-sapui5 - - owasp-top-10 - - boost-baseline - - ALL - - cwe-top-25 - description: The web application does not, or can not, sufficiently verify whether - a well-formed, valid, consistent request was intentionally provided by the user - who submitted the request. - group: top10-injection - name: JavaScript_SAPUI5_Client_Manual_CSRF_Token_Handling - pretty_name: Client Manual CSRF Token Handling - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_SAPUI5_Client_Manual_XHR_Handling: - categories: - - cwe-474 - - checkmarx-sapui5 - - owasp-top-10 - - boost-baseline - - ALL - description: The code uses a function that has inconsistent implementations across - operating systems and versions. - group: top10-security-misconfiguration - name: JavaScript_SAPUI5_Client_Manual_XHR_Handling - pretty_name: Client Manual XHR Handling - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_SAPUI5_SAPUI5_Custom_OData_Model: - categories: - - cwe-474 - - checkmarx-sapui5 - - owasp-top-10 - - boost-baseline - - ALL - description: The code uses a function that has inconsistent implementations across - operating systems and versions. 
- group: top10-software-data-integrity-failures - name: JavaScript_SAPUI5_SAPUI5_Custom_OData_Model - pretty_name: SAPUI5 Custom OData Model - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_SAPUI5_SAPUI5_Deprecated_Symbols: - categories: - - cwe-477 - - checkmarx-sapui5 - - owasp-top-10 - - boost-baseline - - ALL - description: The code uses deprecated or obsolete functions, which suggests that - the code has not been actively reviewed or maintained. - group: top10-insecure-design - name: JavaScript_SAPUI5_SAPUI5_Deprecated_Symbols - pretty_name: SAPUI5 Deprecated Symbols - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_SAPUI5_SAPUI5_Hardcoded_UserId_In_Comments: - categories: - - checkmarx-sapui5 - - owasp-top-10 - - boost-baseline - - ALL - - cwe-200 - description: The product exposes sensitive information to an actor that is not - explicitly authorized to have access to that information. - group: top10-broken-access-control - name: JavaScript_SAPUI5_SAPUI5_Hardcoded_UserId_In_Comments - pretty_name: SAPUI5 Hardcoded UserId In Comments - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_SAPUI5_SAPUI5_OData_Call_Without_Batch_Mode: - categories: - - cwe-474 - - checkmarx-sapui5 - - owasp-top-10 - - boost-baseline - - ALL - description: The code uses a function that has inconsistent implementations across - operating systems and versions. 
- group: top10-software-data-integrity-failures - name: JavaScript_SAPUI5_SAPUI5_OData_Call_Without_Batch_Mode - pretty_name: SAPUI5 OData Call Without Batch Mode - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_SAPUI5_SAPUI5_Potential_Malicious_File_Upload: - categories: - - cwe-434 - - checkmarx-sapui5 - - owasp-top-10 - - boost-baseline - - ALL - - cwe-top-25 - description: The product allows the attacker to upload or transfer files of dangerous - types that can be automatically processed within the product's environment. - group: top10-insecure-design - name: JavaScript_SAPUI5_SAPUI5_Potential_Malicious_File_Upload - pretty_name: SAPUI5 Potential Malicious File Upload - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_SAPUI5_SAPUI5_Use_Of_Hardcoded_URL: - categories: - - checkmarx-sapui5 - - owasp-top-10 - - boost-baseline - - ALL - - cwe-200 - description: The product exposes sensitive information to an actor that is not - explicitly authorized to have access to that information. - group: top10-broken-access-control - name: JavaScript_SAPUI5_SAPUI5_Use_Of_Hardcoded_URL - pretty_name: SAPUI5 Use Of Hardcoded URL - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_Server_Side_Vulnerabilities_Absolute_Path_Traversal: - categories: - - owasp-top-10 - - cwe-36 - - boost-baseline - - ALL - - checkmarx-server-side-vulnerability - description: The product uses external input to construct a pathname that should - be within a restricted directory, but it does not properly neutralize absolute - path sequences such as "/abs/path" that can resolve to a location that is outside - of that directory. 
- group: top10-broken-access-control - name: JavaScript_Server_Side_Vulnerabilities_Absolute_Path_Traversal - pretty_name: Absolute Path Traversal - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_Server_Side_Vulnerabilities_CSRF: - categories: - - cwe-352 - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-server-side-vulnerability - - cwe-top-25 - description: The web application does not, or can not, sufficiently verify whether - a well-formed, valid, consistent request was intentionally provided by the user - who submitted the request. - group: top10-injection - name: JavaScript_Server_Side_Vulnerabilities_CSRF - pretty_name: CSRF - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_Server_Side_Vulnerabilities_Cleartext_Storage_Of_Sensitive_Information: - categories: - - cwe-312 - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-server-side-vulnerability - description: The product stores sensitive information in cleartext within a resource - that might be accessible to another control sphere. - group: top10-insecure-design - name: JavaScript_Server_Side_Vulnerabilities_Cleartext_Storage_Of_Sensitive_Information - pretty_name: Cleartext Storage Of Sensitive Information - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_Server_Side_Vulnerabilities_Code_Injection: - categories: - - boost-hardened - - cwe-94 - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-server-side-vulnerability - - cwe-top-25 - description: The product constructs all or part of a code segment using externally-influenced - input from an upstream component, but it does not neutralize or incorrectly - neutralizes special elements that could modify the syntax or behavior of the - intended code segment. 
- group: top10-injection - name: JavaScript_Server_Side_Vulnerabilities_Code_Injection - pretty_name: Code Injection - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_Server_Side_Vulnerabilities_Command_Injection: - categories: - - boost-hardened - - cwe-77 - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-server-side-vulnerability - - cwe-top-25 - description: The product constructs all or part of a command using externally-influenced - input from an upstream component, but it does not neutralize or incorrectly - neutralizes special elements that could modify the intended command when it - is sent to a downstream component. - group: top10-injection - name: JavaScript_Server_Side_Vulnerabilities_Command_Injection - pretty_name: Command Injection - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_Server_Side_Vulnerabilities_Comparing_instead_of_Assigning: - categories: - - owasp-top-10 - - cwe-482 - - boost-baseline - - ALL - - checkmarx-server-side-vulnerability - description: The code uses an operator for comparison when the intention was to - perform an assignment. - group: top10-insecure-design - name: JavaScript_Server_Side_Vulnerabilities_Comparing_instead_of_Assigning - pretty_name: Comparing instead of Assigning - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_Server_Side_Vulnerabilities_Cookie_Poisoning: - categories: - - owasp-top-10 - - cwe-472 - - boost-baseline - - ALL - - checkmarx-server-side-vulnerability - description: The web application does not sufficiently verify inputs that are - assumed to be immutable but are actually externally controllable, such as hidden - form fields. 
- group: top10-insecure-design - name: JavaScript_Server_Side_Vulnerabilities_Cookie_Poisoning - pretty_name: Cookie Poisoning - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_Server_Side_Vulnerabilities_Divide_By_Zero: - categories: - - owasp-top-10 - - cwe-369 - - boost-baseline - - ALL - - checkmarx-server-side-vulnerability - description: The product divides a value by zero. - group: top10-insecure-design - name: JavaScript_Server_Side_Vulnerabilities_Divide_By_Zero - pretty_name: Divide By Zero - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_Server_Side_Vulnerabilities_Dynamic_File_Inclusion: - categories: - - owasp-top-10 - - cwe-829 - - boost-baseline - - ALL - - checkmarx-server-side-vulnerability - description: The product imports, requires, or includes executable functionality - (such as a library) from a source that is outside of the intended control sphere. - group: top10-software-data-integrity-failures - name: JavaScript_Server_Side_Vulnerabilities_Dynamic_File_Inclusion - pretty_name: Dynamic File Inclusion - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_Server_Side_Vulnerabilities_Excessive_Data_Exposure: - categories: - - owasp-top-10 - - cwe-201 - - boost-baseline - - ALL - - checkmarx-server-side-vulnerability - description: The code transmits data to another actor, but a portion of the data - includes sensitive information that should not be accessible to that actor. 
- group: top10-broken-access-control - name: JavaScript_Server_Side_Vulnerabilities_Excessive_Data_Exposure - pretty_name: Excessive Data Exposure - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_Server_Side_Vulnerabilities_Expression_is_Always_False: - categories: - - cwe-570 - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-server-side-vulnerability - description: The product contains an expression that will always evaluate to false. - group: top10-insecure-design - name: JavaScript_Server_Side_Vulnerabilities_Expression_is_Always_False - pretty_name: Expression is Always False - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_Server_Side_Vulnerabilities_Expression_is_Always_True: - categories: - - owasp-top-10 - - cwe-571 - - boost-baseline - - ALL - - checkmarx-server-side-vulnerability - description: The product contains an expression that will always evaluate to true. - group: top10-insecure-design - name: JavaScript_Server_Side_Vulnerabilities_Expression_is_Always_True - pretty_name: Expression is Always True - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_Server_Side_Vulnerabilities_HTTP_Response_Splitting: - categories: - - cwe-113 - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-server-side-vulnerability - description: The product receives data from an HTTP agent/component (e.g., web - server, proxy, browser, etc.), but it does not neutralize or incorrectly neutralizes - CR and LF characters before the data is included in outgoing HTTP headers. 
- group: top10-injection - name: JavaScript_Server_Side_Vulnerabilities_HTTP_Response_Splitting - pretty_name: HTTP Response Splitting - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_Server_Side_Vulnerabilities_Hardcoded_password_in_Connection_String: - categories: - - boost-baseline - - ALL - - cwe-547 - - checkmarx-server-side-vulnerability - description: The product uses hard-coded constants instead of symbolic names for - security-critical values, which increases the likelihood of mistakes during - code maintenance or security policy change. - group: top10-security-misconfiguration - name: JavaScript_Server_Side_Vulnerabilities_Hardcoded_password_in_Connection_String - pretty_name: Hardcoded password in Connection String - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_Server_Side_Vulnerabilities_Information_Exposure_Through_Directory_Listing: - categories: - - cwe-548 - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-server-side-vulnerability - description: A directory listing is inappropriately exposed, yielding potentially - sensitive information to attackers. - group: top10-broken-access-control - name: JavaScript_Server_Side_Vulnerabilities_Information_Exposure_Through_Directory_Listing - pretty_name: Information Exposure Through Directory Listing - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_Server_Side_Vulnerabilities_Information_Exposure_Through_Log_Files: - categories: - - boost-baseline - - ALL - - checkmarx-server-side-vulnerability - - cwe-532 - description: Information written to log files can be of a sensitive nature and - give valuable guidance to an attacker or expose sensitive user information. 
- group: top10-security-logging-monitoring-failures - name: JavaScript_Server_Side_Vulnerabilities_Information_Exposure_Through_Log_Files - pretty_name: Information Exposure Through Log Files - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_Server_Side_Vulnerabilities_Information_Exposure_Through_an_Error_Message: - categories: - - cwe-209 - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-server-side-vulnerability - description: The product generates an error message that includes sensitive information - about its environment, users, or associated data. - group: top10-insecure-design - name: JavaScript_Server_Side_Vulnerabilities_Information_Exposure_Through_an_Error_Message - pretty_name: Information Exposure Through an Error Message - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_Server_Side_Vulnerabilities_Insecure_Direct_Object_References: - categories: - - boost-hardened - - cwe-813 - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-server-side-vulnerability - description: Relates to the usage of insecure direct object references. - group: top10-broken-access-control - name: JavaScript_Server_Side_Vulnerabilities_Insecure_Direct_Object_References - pretty_name: Insecure Direct Object References - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_Server_Side_Vulnerabilities_Insecure_Storage_of_Sensitive_Data: - categories: - - cwe-933 - - boost-hardened - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-server-side-vulnerability - description: Relates to generic security misconfigurations. 
- group: top10-broken-access-control - name: JavaScript_Server_Side_Vulnerabilities_Insecure_Storage_of_Sensitive_Data - pretty_name: Insecure Storage of Sensitive Data - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_Server_Side_Vulnerabilities_JSON_Hijacking: - categories: - - cwe-352 - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-server-side-vulnerability - - cwe-top-25 - description: The web application does not, or can not, sufficiently verify whether - a well-formed, valid, consistent request was intentionally provided by the user - who submitted the request. - group: top10-injection - name: JavaScript_Server_Side_Vulnerabilities_JSON_Hijacking - pretty_name: JSON Hijacking - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_Server_Side_Vulnerabilities_JWT_Excessive_Expiration_Time: - categories: - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-server-side-vulnerability - - cwe-613 - description: According to WASC, "Insufficient Session Expiration is when a web - site permits an attacker to reuse old session credentials or session IDs for - authorization." - group: top10-id-authn-failures - name: JavaScript_Server_Side_Vulnerabilities_JWT_Excessive_Expiration_Time - pretty_name: JWT Excessive Expiration Time - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_Server_Side_Vulnerabilities_JWT_Lack_Of_Expiration_Time: - categories: - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-server-side-vulnerability - - cwe-613 - description: According to WASC, "Insufficient Session Expiration is when a web - site permits an attacker to reuse old session credentials or session IDs for - authorization." 
- group: top10-id-authn-failures - name: JavaScript_Server_Side_Vulnerabilities_JWT_Lack_Of_Expiration_Time - pretty_name: JWT Lack Of Expiration Time - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_Server_Side_Vulnerabilities_JWT_No_Expiration_Time_Validation: - categories: - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-server-side-vulnerability - - cwe-613 - description: According to WASC, "Insufficient Session Expiration is when a web - site permits an attacker to reuse old session credentials or session IDs for - authorization." - group: top10-id-authn-failures - name: JavaScript_Server_Side_Vulnerabilities_JWT_No_Expiration_Time_Validation - pretty_name: JWT No Expiration Time Validation - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_Server_Side_Vulnerabilities_JWT_No_NotBefore_Validation: - categories: - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-server-side-vulnerability - description: The product implements an authentication technique, but it skips - a step that weakens the technique. - group: top10-id-authn-failures - name: JavaScript_Server_Side_Vulnerabilities_JWT_No_NotBefore_Validation - pretty_name: JWT No NotBefore Validation - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_Server_Side_Vulnerabilities_JWT_No_Signature_Verification: - categories: - - boost-hardened - - cwe-287 - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-server-side-vulnerability - - cwe-top-25 - description: When an actor claims to have a given identity, the product does not - prove or insufficiently proves that the claim is correct. 
- group: top10-id-authn-failures - name: JavaScript_Server_Side_Vulnerabilities_JWT_No_Signature_Verification - pretty_name: JWT No Signature Verification - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_Server_Side_Vulnerabilities_JWT_Use_Of_None_Algorithm: - categories: - - cwe-287 - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-server-side-vulnerability - - cwe-top-25 - description: When an actor claims to have a given identity, the product does not - prove or insufficiently proves that the claim is correct. - group: top10-id-authn-failures - name: JavaScript_Server_Side_Vulnerabilities_JWT_Use_Of_None_Algorithm - pretty_name: JWT Use Of None Algorithm - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_Server_Side_Vulnerabilities_Log_Forging: - categories: - - boost-baseline - - ALL - - cwe-117 - - checkmarx-server-side-vulnerability - description: The product does not neutralize or incorrectly neutralizes output - that is written to logs. - group: top10-security-logging-monitoring-failures - name: JavaScript_Server_Side_Vulnerabilities_Log_Forging - pretty_name: Log Forging - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_Server_Side_Vulnerabilities_Missing_CSP_Header: - categories: - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-server-side-vulnerability - - cwe-346 - description: The product does not properly verify that the source of data or communication - is valid. 
- group: top10-id-authn-failures - name: JavaScript_Server_Side_Vulnerabilities_Missing_CSP_Header - pretty_name: Missing CSP Header - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_Server_Side_Vulnerabilities_Missing_Default_Case_In_Switch_Statement: - categories: - - cwe-478 - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-server-side-vulnerability - description: The code does not have a default case in an expression with multiple - conditions, such as a switch statement. - group: top10-insecure-design - name: JavaScript_Server_Side_Vulnerabilities_Missing_Default_Case_In_Switch_Statement - pretty_name: Missing Default Case In Switch Statement - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_Server_Side_Vulnerabilities_Missing_Encryption_of_Sensitive_Data: - categories: - - owasp-top-10 - - cwe-311 - - boost-baseline - - ALL - - checkmarx-server-side-vulnerability - description: The product does not encrypt sensitive or critical information before - storage or transmission. - group: top10-insecure-design - name: JavaScript_Server_Side_Vulnerabilities_Missing_Encryption_of_Sensitive_Data - pretty_name: Missing Encryption of Sensitive Data - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_Server_Side_Vulnerabilities_MongoDB_NoSQL_Injection: - categories: - - boost-hardened - - cwe-89 - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-server-side-vulnerability - - cwe-top-25 - description: The product constructs all or part of an SQL command using externally-influenced - input from an upstream component, but it does not neutralize or incorrectly - neutralizes special elements that could modify the intended SQL command when - it is sent to a downstream component. 
- group: top10-injection - name: JavaScript_Server_Side_Vulnerabilities_MongoDB_NoSQL_Injection - pretty_name: MongoDB NoSQL Injection - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_Server_Side_Vulnerabilities_Null_Password: - categories: - - cwe-252 - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-server-side-vulnerability - description: The product does not check the return value from a method or function, - which can prevent it from detecting unexpected states and conditions. - group: top10-insecure-design - name: JavaScript_Server_Side_Vulnerabilities_Null_Password - pretty_name: Null Password - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_Server_Side_Vulnerabilities_Omitted_Break_Statement_In_Switch: - categories: - - cwe-484 - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-server-side-vulnerability - description: The product omits a break statement within a switch or similar construct, - causing code associated with multiple conditions to execute. This can cause - problems when the programmer only intended to execute code associated with one - condition. - group: top10-insecure-design - name: JavaScript_Server_Side_Vulnerabilities_Omitted_Break_Statement_In_Switch - pretty_name: Omitted Break Statement In Switch - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_Server_Side_Vulnerabilities_Open_Redirect: - categories: - - cwe-601 - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-server-side-vulnerability - description: A web application accepts a user-controlled input that specifies - a link to an external site, and uses that link in a Redirect. This simplifies - phishing attacks. 
- group: top10-broken-access-control - name: JavaScript_Server_Side_Vulnerabilities_Open_Redirect - pretty_name: Open Redirect - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_Server_Side_Vulnerabilities_Parameter_Tampering: - categories: - - owasp-top-10 - - cwe-472 - - boost-baseline - - ALL - - checkmarx-server-side-vulnerability - description: The web application does not sufficiently verify inputs that are - assumed to be immutable but are actually externally controllable, such as hidden - form fields. - group: top10-insecure-design - name: JavaScript_Server_Side_Vulnerabilities_Parameter_Tampering - pretty_name: Parameter Tampering - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_Server_Side_Vulnerabilities_Password_Weak_Encryption: - categories: - - cwe-261 - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-server-side-vulnerability - description: Obscuring a password with a trivial encoding does not protect the - password. - group: top10-crypto-failures - name: JavaScript_Server_Side_Vulnerabilities_Password_Weak_Encryption - pretty_name: Password Weak Encryption - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_Server_Side_Vulnerabilities_Plaintext_Storage_of_a_Password: - categories: - - cwe-256 - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-server-side-vulnerability - description: Storing a password in plaintext may result in a system compromise. 
- group: top10-insecure-design - name: JavaScript_Server_Side_Vulnerabilities_Plaintext_Storage_of_a_Password - pretty_name: Plaintext Storage of a Password - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_Server_Side_Vulnerabilities_Poor_Database_Access_Control: - categories: - - owasp-top-10 - - cwe-285 - - boost-baseline - - ALL - - checkmarx-server-side-vulnerability - description: The product does not perform or incorrectly performs an authorization - check when an actor attempts to access a resource or perform an action. - group: top10-broken-access-control - name: JavaScript_Server_Side_Vulnerabilities_Poor_Database_Access_Control - pretty_name: Poor Database Access Control - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_Server_Side_Vulnerabilities_Potentially_Vulnerable_To_CSRF: - categories: - - cwe-352 - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-server-side-vulnerability - - cwe-top-25 - description: The web application does not, or can not, sufficiently verify whether - a well-formed, valid, consistent request was intentionally provided by the user - who submitted the request. 
- group: top10-injection - name: JavaScript_Server_Side_Vulnerabilities_Potentially_Vulnerable_To_CSRF - pretty_name: Potentially Vulnerable To CSRF - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_Server_Side_Vulnerabilities_Privacy_Violation: - categories: - - owasp-top-10 - - boost-baseline - - ALL - - cwe-359 - - checkmarx-server-side-vulnerability - description: The product does not properly prevent a person's private, personal - information from being accessed by actors who either (1) are not explicitly - authorized to access the information or (2) do not have the implicit consent - of the person about whom the information is collected. - group: top10-broken-access-control - name: JavaScript_Server_Side_Vulnerabilities_Privacy_Violation - pretty_name: Privacy Violation - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_Server_Side_Vulnerabilities_ReDoS_in_RegExp: - categories: - - owasp-top-10 - - cwe-400 - - boost-baseline - - ALL - - checkmarx-server-side-vulnerability - - cwe-top-25 - description: The product does not properly control the allocation and maintenance - of a limited resource, thereby enabling an actor to influence the amount of - resources consumed, eventually leading to the exhaustion of available resources. 
- group: top10-insecure-design - name: JavaScript_Server_Side_Vulnerabilities_ReDoS_in_RegExp - pretty_name: ReDoS in RegExp - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_Server_Side_Vulnerabilities_Reflected_XSS: - categories: - - boost-hardened - - cwe-79 - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-server-side-vulnerability - - cwe-top-25 - description: The product does not neutralize or incorrectly neutralizes user-controllable - input before it is placed in output that is used as a web page that is served - to other users. - group: top10-injection - name: JavaScript_Server_Side_Vulnerabilities_Reflected_XSS - pretty_name: Reflected XSS - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_Server_Side_Vulnerabilities_Relative_Path_Traversal: - categories: - - cwe-23 - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-server-side-vulnerability - description: The product uses external input to construct a pathname that should - be within a restricted directory, but it does not properly neutralize sequences - such as ".." that can resolve to a location that is outside of that directory. 
- group: top10-broken-access-control - name: JavaScript_Server_Side_Vulnerabilities_Relative_Path_Traversal - pretty_name: Relative Path Traversal - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_Server_Side_Vulnerabilities_SQL_Injection: - categories: - - boost-hardened - - cwe-89 - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-server-side-vulnerability - - cwe-top-25 - description: The product constructs all or part of an SQL command using externally-influenced - input from an upstream component, but it does not neutralize or incorrectly - neutralizes special elements that could modify the intended SQL command when - it is sent to a downstream component. - group: top10-injection - name: JavaScript_Server_Side_Vulnerabilities_SQL_Injection - pretty_name: SQL Injection - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_Server_Side_Vulnerabilities_SSL_Verification_Bypass: - categories: - - cwe-599 - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-server-side-vulnerability - description: The product uses OpenSSL and trusts or uses a certificate without - using the SSL_get_verify_result() function to ensure that the certificate satisfies - all necessary security requirements. 
- group: top10-software-data-integrity-failures - name: JavaScript_Server_Side_Vulnerabilities_SSL_Verification_Bypass - pretty_name: SSL Verification Bypass - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_Server_Side_Vulnerabilities_SSRF: - categories: - - cwe-918 - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-server-side-vulnerability - - cwe-top-25 - description: The web server receives a URL or similar request from an upstream - component and retrieves the contents of this URL, but it does not sufficiently - ensure that the request is being sent to the expected destination. - group: top10-server-side-request-forgery - name: JavaScript_Server_Side_Vulnerabilities_SSRF - pretty_name: SSRF - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_Server_Side_Vulnerabilities_Second_Order_SQL_Injection: - categories: - - boost-hardened - - cwe-89 - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-server-side-vulnerability - - cwe-top-25 - description: The product constructs all or part of an SQL command using externally-influenced - input from an upstream component, but it does not neutralize or incorrectly - neutralizes special elements that could modify the intended SQL command when - it is sent to a downstream component. - group: top10-injection - name: JavaScript_Server_Side_Vulnerabilities_Second_Order_SQL_Injection - pretty_name: Second Order SQL Injection - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_Server_Side_Vulnerabilities_Security_Misconfiguration: - categories: - - cwe-933 - - boost-hardened - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-server-side-vulnerability - description: Relates to generic security misconfigurations. 
- group: top10-security-misconfiguration - name: JavaScript_Server_Side_Vulnerabilities_Security_Misconfiguration - pretty_name: Security Misconfiguration - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_Server_Side_Vulnerabilities_Sensitive_Information_Over_HTTP: - categories: - - owasp-top-10 - - cwe-319 - - boost-baseline - - ALL - - checkmarx-server-side-vulnerability - description: The product transmits sensitive or security-critical data in cleartext - in a communication channel that can be sniffed by unauthorized actors. - group: top10-broken-access-control - name: JavaScript_Server_Side_Vulnerabilities_Sensitive_Information_Over_HTTP - pretty_name: Sensitive Information Over HTTP - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_Server_Side_Vulnerabilities_Server_DoS_by_Loop: - categories: - - owasp-top-10 - - boost-baseline - - ALL - - cwe-730 - - checkmarx-server-side-vulnerability - description: Relates to avenues that can cause denial of serivce. - group: top10-insecure-design - name: JavaScript_Server_Side_Vulnerabilities_Server_DoS_by_Loop - pretty_name: Server DoS by Loop - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_Server_Side_Vulnerabilities_Server_DoS_by_Sleep: - categories: - - owasp-top-10 - - boost-baseline - - ALL - - cwe-730 - - checkmarx-server-side-vulnerability - description: Relates to avenues that can cause denial of serivce. 
- group: top10-insecure-design - name: JavaScript_Server_Side_Vulnerabilities_Server_DoS_by_Sleep - pretty_name: Server DoS by Sleep - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_Server_Side_Vulnerabilities_Stored_Code_Injection: - categories: - - cwe-94 - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-server-side-vulnerability - - cwe-top-25 - description: The product constructs all or part of a code segment using externally-influenced - input from an upstream component, but it does not neutralize or incorrectly - neutralizes special elements that could modify the syntax or behavior of the - intended code segment. - group: top10-injection - name: JavaScript_Server_Side_Vulnerabilities_Stored_Code_Injection - pretty_name: Stored Code Injection - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_Server_Side_Vulnerabilities_Stored_Path_Traversal: - categories: - - ALL - - owasp-top-10 - - boost-baseline - - cwe-22 - - checkmarx-server-side-vulnerability - - cwe-top-25 - description: The product uses external input to construct a pathname that is intended - to identify a file or directory that is located underneath a restricted parent - directory, but the product does not properly neutralize special elements within - the pathname that can cause the pathname to resolve to a location that is outside - of the restricted directory. 
- group: top10-broken-access-control - name: JavaScript_Server_Side_Vulnerabilities_Stored_Path_Traversal - pretty_name: Stored Path Traversal - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_Server_Side_Vulnerabilities_Stored_XSS: - categories: - - boost-hardened - - cwe-79 - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-server-side-vulnerability - - cwe-top-25 - description: The product does not neutralize or incorrectly neutralizes user-controllable - input before it is placed in output that is used as a web page that is served - to other users. - group: top10-injection - name: JavaScript_Server_Side_Vulnerabilities_Stored_XSS - pretty_name: Stored XSS - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_Server_Side_Vulnerabilities_Uncontrolled_Format_String: - categories: - - cwe-134 - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-server-side-vulnerability - description: The product uses a function that accepts a format string as an argument, - but the format string originates from an external source. - group: top10-injection - name: JavaScript_Server_Side_Vulnerabilities_Uncontrolled_Format_String - pretty_name: Uncontrolled Format String - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_Server_Side_Vulnerabilities_Unprotected_Cookie: - categories: - - boost-baseline - - cwe-614 - - checkmarx-server-side-vulnerability - - ALL - description: The Secure attribute for sensitive cookies in HTTPS sessions is not - set, which could cause the user agent to send those cookies in plaintext over - an HTTP session. 
- group: top10-security-misconfiguration - name: JavaScript_Server_Side_Vulnerabilities_Unprotected_Cookie - pretty_name: Unprotected Cookie - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_Server_Side_Vulnerabilities_Unrestricted_File_Upload: - categories: - - cwe-434 - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-server-side-vulnerability - - cwe-top-25 - description: The product allows the attacker to upload or transfer files of dangerous - types that can be automatically processed within the product's environment. - group: top10-insecure-design - name: JavaScript_Server_Side_Vulnerabilities_Unrestricted_File_Upload - pretty_name: Unrestricted File Upload - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_Server_Side_Vulnerabilities_Unsafe_Object_Binding: - categories: - - owasp-top-10 - - cwe-915 - - boost-baseline - - ALL - - checkmarx-server-side-vulnerability - description: The product receives input from an upstream component that specifies - multiple attributes, properties, or fields that are to be initialized or updated - in an object, but it does not properly control which attributes can be modified. - group: top10-software-data-integrity-failures - name: JavaScript_Server_Side_Vulnerabilities_Unsafe_Object_Binding - pretty_name: Unsafe Object Binding - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_Server_Side_Vulnerabilities_Use_Of_HTTP_Sensitive_Data_Exposure: - categories: - - owasp-top-10 - - cwe-319 - - boost-baseline - - ALL - - checkmarx-server-side-vulnerability - description: The product transmits sensitive or security-critical data in cleartext - in a communication channel that can be sniffed by unauthorized actors. 
- group: top10-broken-access-control - name: JavaScript_Server_Side_Vulnerabilities_Use_Of_HTTP_Sensitive_Data_Exposure - pretty_name: Use Of HTTP Sensitive Data Exposure - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_Server_Side_Vulnerabilities_Use_Of_Hardcoded_Password: - categories: - - ALL - - owasp-top-10 - - boost-baseline - - cwe-259 - - checkmarx-server-side-vulnerability - description: The product contains a hard-coded password, which it uses for its - own inbound authentication or for outbound communication to external components. - group: top10-id-authn-failures - name: JavaScript_Server_Side_Vulnerabilities_Use_Of_Hardcoded_Password - pretty_name: Use Of Hardcoded Password - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_Server_Side_Vulnerabilities_Use_of_Broken_or_Risky_Cryptographic_Algorithm: - categories: - - cwe-327 - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-server-side-vulnerability - description: The product uses a broken or risky cryptographic algorithm or protocol. - group: top10-crypto-failures - name: JavaScript_Server_Side_Vulnerabilities_Use_of_Broken_or_Risky_Cryptographic_Algorithm - pretty_name: Use of Broken or Risky Cryptographic Algorithm - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_Server_Side_Vulnerabilities_Use_of_Deprecated_or_Obsolete_Functions: - categories: - - cwe-477 - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-server-side-vulnerability - description: The code uses deprecated or obsolete functions, which suggests that - the code has not been actively reviewed or maintained. 
- group: top10-insecure-design - name: JavaScript_Server_Side_Vulnerabilities_Use_of_Deprecated_or_Obsolete_Functions - pretty_name: Use of Deprecated or Obsolete Functions - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_Server_Side_Vulnerabilities_Use_of_Insufficiently_Random_Values: - categories: - - cwe-330 - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-server-side-vulnerability - description: The product uses insufficiently random numbers or values in a security - context that depends on unpredictable numbers. - group: top10-crypto-failures - name: JavaScript_Server_Side_Vulnerabilities_Use_of_Insufficiently_Random_Values - pretty_name: Use of Insufficiently Random Values - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_Vue_Declaration_of_Multiple_Vue_Components_per_File: - categories: - - owasp-top-10 - - cwe-710 - - boost-baseline - - ALL - description: The product does not follow certain coding rules for development, - which can lead to resultant weaknesses or increase the severity of the associated - vulnerabilities. - group: top10-insecure-design - name: JavaScript_Vue_Declaration_of_Multiple_Vue_Components_per_File - pretty_name: Declaration of Multiple Vue Components per File - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_Vue_Declaration_of_Vue_Component_Data_as_Property: - categories: - - owasp-top-10 - - cwe-710 - - boost-baseline - - ALL - description: The product does not follow certain coding rules for development, - which can lead to resultant weaknesses or increase the severity of the associated - vulnerabilities. 
- group: top10-insecure-design - name: JavaScript_Vue_Declaration_of_Vue_Component_Data_as_Property - pretty_name: Declaration of Vue Component Data as Property - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_Vue_Inconsistent_Component_Top_Level_Elements_Ordering: - categories: - - owasp-top-10 - - cwe-710 - - boost-baseline - - ALL - description: The product does not follow certain coding rules for development, - which can lead to resultant weaknesses or increase the severity of the associated - vulnerabilities. - group: top10-insecure-design - name: JavaScript_Vue_Inconsistent_Component_Top_Level_Elements_Ordering - pretty_name: Inconsistent Component Top Level Elements Ordering - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_Vue_Inconsistent_use_of_Directive_Shorthands: - categories: - - owasp-top-10 - - cwe-710 - - boost-baseline - - ALL - description: The product does not follow certain coding rules for development, - which can lead to resultant weaknesses or increase the severity of the associated - vulnerabilities. - group: top10-insecure-design - name: JavaScript_Vue_Inconsistent_use_of_Directive_Shorthands - pretty_name: Inconsistent use of Directive Shorthands - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_Vue_Use_of_Implicit_Types_on_Vue_Component_Props: - categories: - - owasp-top-10 - - cwe-710 - - boost-baseline - - ALL - description: The product does not follow certain coding rules for development, - which can lead to resultant weaknesses or increase the severity of the associated - vulnerabilities. 
- group: top10-insecure-design - name: JavaScript_Vue_Use_of_Implicit_Types_on_Vue_Component_Props - pretty_name: Use of Implicit Types on Vue Component Props - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_Vue_Use_of_Single_Word_Named_Vue_Components: - categories: - - owasp-top-10 - - cwe-710 - - boost-baseline - - ALL - description: The product does not follow certain coding rules for development, - which can lead to resultant weaknesses or increase the severity of the associated - vulnerabilities. - group: top10-insecure-design - name: JavaScript_Vue_Use_of_Single_Word_Named_Vue_Components - pretty_name: Use of Single Word Named Vue Components - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_Vue_Use_of_vif_and_vfor_On_Same_Element: - categories: - - owasp-top-10 - - cwe-710 - - boost-baseline - - ALL - description: The product does not follow certain coding rules for development, - which can lead to resultant weaknesses or increase the severity of the associated - vulnerabilities. - group: top10-insecure-design - name: JavaScript_Vue_Use_of_vif_and_vfor_On_Same_Element - pretty_name: Use of vif and vfor On Same Element - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_Vue_Vue_DOM_XSS: - categories: - - boost-hardened - - cwe-79 - - owasp-top-10 - - boost-baseline - - ALL - - cwe-top-25 - description: The product does not neutralize or incorrectly neutralizes user-controllable - input before it is placed in output that is used as a web page that is served - to other users. 
- group: top10-injection - name: JavaScript_Vue_Vue_DOM_XSS - pretty_name: Vue DOM XSS - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_XS_XS_CSRF: - categories: - - checkmarx-xs - - cwe-352 - - owasp-top-10 - - boost-baseline - - ALL - - cwe-top-25 - description: The web application does not, or can not, sufficiently verify whether - a well-formed, valid, consistent request was intentionally provided by the user - who submitted the request. - group: top10-injection - name: JavaScript_XS_XS_CSRF - pretty_name: XS CSRF - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_XS_XS_Code_Injection: - categories: - - boost-hardened - - checkmarx-xs - - cwe-94 - - owasp-top-10 - - boost-baseline - - ALL - - cwe-top-25 - description: The product constructs all or part of a code segment using externally-influenced - input from an upstream component, but it does not neutralize or incorrectly - neutralizes special elements that could modify the syntax or behavior of the - intended code segment. - group: top10-injection - name: JavaScript_XS_XS_Code_Injection - pretty_name: XS Code Injection - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_XS_XS_Log_Injection: - categories: - - boost-baseline - - ALL - - cwe-117 - - checkmarx-xs - description: The product does not neutralize or incorrectly neutralizes output - that is written to logs. 
- group: top10-security-logging-monitoring-failures - name: JavaScript_XS_XS_Log_Injection - pretty_name: XS Log Injection - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_XS_XS_Open_Redirect: - categories: - - checkmarx-xs - - cwe-601 - - owasp-top-10 - - boost-baseline - - ALL - description: A web application accepts a user-controlled input that specifies - a link to an external site, and uses that link in a Redirect. This simplifies - phishing attacks. - group: top10-broken-access-control - name: JavaScript_XS_XS_Open_Redirect - pretty_name: XS Open Redirect - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_XS_XS_Overly_Permissive_CORS: - categories: - - boost-baseline - - checkmarx-xs - - owasp-top-10 - - cwe-749 - - ALL - description: The product provides an Applications Programming Interface (API) - or similar interface for interaction with external actors, but the interface - includes a dangerous method or function that is not properly restricted. - group: top10-broken-access-control - name: JavaScript_XS_XS_Overly_Permissive_CORS - pretty_name: XS Overly Permissive CORS - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_XS_XS_Parameter_Tampering: - categories: - - checkmarx-xs - - owasp-top-10 - - cwe-472 - - boost-baseline - - ALL - description: The web application does not sufficiently verify inputs that are - assumed to be immutable but are actually externally controllable, such as hidden - form fields. 
- group: top10-insecure-design - name: JavaScript_XS_XS_Parameter_Tampering - pretty_name: XS Parameter Tampering - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_XS_XS_Potentially_Vulnerable_To_Clickjacking: - categories: - - cwe-693 - - checkmarx-xs - - owasp-top-10 - - boost-baseline - - ALL - description: The product does not use or incorrectly uses a protection mechanism - that provides sufficient defense against directed attacks against the product. - group: top10-injection - name: JavaScript_XS_XS_Potentially_Vulnerable_To_Clickjacking - pretty_name: XS Potentially Vulnerable To Clickjacking - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_XS_XS_Reflected_XSS: - categories: - - boost-hardened - - checkmarx-xs - - cwe-79 - - owasp-top-10 - - boost-baseline - - ALL - - cwe-top-25 - description: The product does not neutralize or incorrectly neutralizes user-controllable - input before it is placed in output that is used as a web page that is served - to other users. - group: top10-injection - name: JavaScript_XS_XS_Reflected_XSS - pretty_name: XS Reflected XSS - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_XS_XS_Response_Splitting: - categories: - - checkmarx-xs - - cwe-113 - - owasp-top-10 - - boost-baseline - - ALL - description: The product receives data from an HTTP agent/component (e.g., web - server, proxy, browser, etc.), but it does not neutralize or incorrectly neutralizes - CR and LF characters before the data is included in outgoing HTTP headers. 
- group: top10-injection - name: JavaScript_XS_XS_Response_Splitting - pretty_name: XS Response Splitting - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_XS_XS_SQL_Injection: - categories: - - boost-hardened - - checkmarx-xs - - cwe-89 - - owasp-top-10 - - boost-baseline - - ALL - - cwe-top-25 - description: The product constructs all or part of an SQL command using externally-influenced - input from an upstream component, but it does not neutralize or incorrectly - neutralizes special elements that could modify the intended SQL command when - it is sent to a downstream component. - group: top10-injection - name: JavaScript_XS_XS_SQL_Injection - pretty_name: XS SQL Injection - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_XS_XS_Second_Order_SQL_Injection: - categories: - - boost-hardened - - checkmarx-xs - - cwe-89 - - owasp-top-10 - - boost-baseline - - ALL - - cwe-top-25 - description: The product constructs all or part of an SQL command using externally-influenced - input from an upstream component, but it does not neutralize or incorrectly - neutralizes special elements that could modify the intended SQL command when - it is sent to a downstream component. 
- group: top10-injection - name: JavaScript_XS_XS_Second_Order_SQL_Injection - pretty_name: XS Second Order SQL Injection - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_XS_XS_Stored_Code_Injection: - categories: - - boost-hardened - - checkmarx-xs - - cwe-94 - - owasp-top-10 - - boost-baseline - - ALL - - cwe-top-25 - description: The product constructs all or part of a code segment using externally-influenced - input from an upstream component, but it does not neutralize or incorrectly - neutralizes special elements that could modify the syntax or behavior of the - intended code segment. - group: top10-injection - name: JavaScript_XS_XS_Stored_Code_Injection - pretty_name: XS Stored Code Injection - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_XS_XS_Stored_XSS: - categories: - - boost-hardened - - checkmarx-xs - - cwe-79 - - owasp-top-10 - - boost-baseline - - ALL - - cwe-top-25 - description: The product does not neutralize or incorrectly neutralizes user-controllable - input before it is placed in output that is used as a web page that is served - to other users. - group: top10-injection - name: JavaScript_XS_XS_Stored_XSS - pretty_name: XS Stored XSS - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_XS_XS_Unencrypted_Data_Transfer: - categories: - - checkmarx-xs - - owasp-top-10 - - cwe-319 - - boost-baseline - - ALL - description: The product transmits sensitive or security-critical data in cleartext - in a communication channel that can be sniffed by unauthorized actors. 
- group: top10-crypto-failures - name: JavaScript_XS_XS_Unencrypted_Data_Transfer - pretty_name: XS Unencrypted Data Transfer - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavaScript_XS_XS_Use_Of_Hardcoded_URL: - categories: - - checkmarx-xs - - owasp-top-10 - - boost-baseline - - ALL - - cwe-top-25 - - cwe-798 - description: The product contains hard-coded credentials, such as a password or - cryptographic key, which it uses for its own inbound authentication, outbound - communication to external components, or encryption of internal data. - group: top10-id-authn-failures - name: JavaScript_XS_XS_Use_Of_Hardcoded_URL - pretty_name: XS Use Of Hardcoded URL - JavaScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_AWS_Lambda_AWS_Credentials_Leak: - categories: - - boost-hardened - - checkmarx-server-side-vulnerability - - owasp-top-10 - - boost-baseline - - ALL - - cwe-200 - description: The product exposes sensitive information to an actor that is not - explicitly authorized to have access to that information. - group: top10-broken-access-control - name: Java_AWS_Lambda_AWS_Credentials_Leak - pretty_name: AWS Credentials Leak - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_AWS_Lambda_DynamoDB_NoSQL_Injection: - categories: - - boost-hardened - - checkmarx-server-side-vulnerability - - cwe-74 - - owasp-top-10 - - boost-baseline - - ALL - description: The product constructs all or part of a command, data structure, - or record using externally-influenced input from an upstream component, but - it does not neutralize or incorrectly neutralizes special elements that could - modify how it is parsed or interpreted when it is sent to a downstream component. 
- group: top10-injection - name: Java_AWS_Lambda_DynamoDB_NoSQL_Injection - pretty_name: DynamoDB NoSQL Injection - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_AWS_Lambda_Hardcoded_AWS_Credentials: - categories: - - checkmarx-server-side-vulnerability - - owasp-top-10 - - boost-baseline - - ALL - - cwe-top-25 - - cwe-798 - description: The product contains hard-coded credentials, such as a password or - cryptographic key, which it uses for its own inbound authentication, outbound - communication to external components, or encryption of internal data. - group: top10-id-authn-failures - name: Java_AWS_Lambda_Hardcoded_AWS_Credentials - pretty_name: Hardcoded AWS Credentials - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_AWS_Lambda_Permission_Manipulation_in_S3: - categories: - - checkmarx-server-side-vulnerability - - owasp-top-10 - - cwe-285 - - boost-baseline - - ALL - description: The product does not perform or incorrectly performs an authorization - check when an actor attempts to access a resource or perform an action. - group: top10-broken-access-control - name: Java_AWS_Lambda_Permission_Manipulation_in_S3 - pretty_name: Permission Manipulation in S3 - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_AWS_Lambda_Race_Condition_Global_Scope: - categories: - - checkmarx-server-side-vulnerability - - owasp-top-10 - - boost-baseline - - ALL - description: The code is structured in a way that relies too much on using or - setting global variables throughout various points in the code, instead of preserving - the associated information in a narrower, more local context. 
- group: top10-insecure-design - name: Java_AWS_Lambda_Race_Condition_Global_Scope - pretty_name: Race Condition Global Scope - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_AWS_Lambda_Unrestricted_Delete_S3: - categories: - - checkmarx-server-side-vulnerability - - owasp-top-10 - - cwe-639 - - boost-baseline - - ALL - description: The system's authorization functionality does not prevent one user - from gaining access to another user's data or record by modifying the key value - identifying the data. - group: top10-broken-access-control - name: Java_AWS_Lambda_Unrestricted_Delete_S3 - pretty_name: Unrestricted Delete S3 - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_AWS_Lambda_Unrestricted_Read_S3: - categories: - - checkmarx-server-side-vulnerability - - owasp-top-10 - - cwe-639 - - boost-baseline - - ALL - description: The system's authorization functionality does not prevent one user - from gaining access to another user's data or record by modifying the key value - identifying the data. - group: top10-broken-access-control - name: Java_AWS_Lambda_Unrestricted_Read_S3 - pretty_name: Unrestricted Read S3 - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_AWS_Lambda_Unrestricted_Write_S3: - categories: - - checkmarx-server-side-vulnerability - - owasp-top-10 - - cwe-639 - - boost-baseline - - ALL - description: The system's authorization functionality does not prevent one user - from gaining access to another user's data or record by modifying the key value - identifying the data. 
- group: top10-broken-access-control - name: Java_AWS_Lambda_Unrestricted_Write_S3 - pretty_name: Unrestricted Write S3 - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_AWS_Lambda_Use_of_Hardcoded_Cryptographic_Key_On_Server: - categories: - - cwe-321 - - checkmarx-server-side-vulnerability - - owasp-top-10 - - boost-baseline - - ALL - description: The use of a hard-coded cryptographic key significantly increases - the possibility that encrypted data may be recovered. - group: top10-crypto-failures - name: Java_AWS_Lambda_Use_of_Hardcoded_Cryptographic_Key_On_Server - pretty_name: Use of Hardcoded Cryptographic Key On Server - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_AWS_Lambda_User_Based_SDK_Configurations: - categories: - - boost-baseline - - ALL - - cwe-15 - - checkmarx-server-side-vulnerability - description: One or more system settings or configuration elements can be externally - controlled by a user. - group: top10-security-misconfiguration - name: Java_AWS_Lambda_User_Based_SDK_Configurations - pretty_name: User Based SDK Configurations - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Android_Accessible_Content_Provider: - categories: - - owasp-top-10 - - checkmarx-android - - cwe-668 - - boost-baseline - - ALL - description: The product exposes a resource to the wrong control sphere, providing - unintended actors with inappropriate access to the resource. 
- group: top10-broken-access-control - name: Java_Android_Accessible_Content_Provider - pretty_name: Accessible Content Provider - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Android_Allowed_Backup: - categories: - - cwe-530 - - owasp-top-10 - - checkmarx-android - - boost-baseline - - ALL - description: A backup file is stored in a directory or archive that is made accessible - to unauthorized actors. - group: top10-broken-access-control - name: Java_Android_Allowed_Backup - pretty_name: Allowed Backup - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Android_Android_Improper_Resource_Shutdown_or_Release: - categories: - - cwe-404 - - owasp-top-10 - - checkmarx-android - - boost-baseline - - ALL - description: The product does not release or incorrectly releases a resource before - it is made available for re-use. - group: top10-insecure-design - name: Java_Android_Android_Improper_Resource_Shutdown_or_Release - pretty_name: Android Improper Resource Shutdown or Release - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Android_Client_Side_Injection: - categories: - - cwe-89 - - owasp-top-10 - - checkmarx-android - - boost-baseline - - ALL - - cwe-top-25 - description: The product constructs all or part of an SQL command using externally-influenced - input from an upstream component, but it does not neutralize or incorrectly - neutralizes special elements that could modify the intended SQL command when - it is sent to a downstream component. 
- group: top10-injection - name: Java_Android_Client_Side_Injection - pretty_name: Client Side Injection - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Android_Client_Side_ReDoS: - categories: - - owasp-top-10 - - checkmarx-android - - cwe-400 - - boost-baseline - - ALL - - cwe-top-25 - description: The product does not properly control the allocation and maintenance - of a limited resource, thereby enabling an actor to influence the amount of - resources consumed, eventually leading to the exhaustion of available resources. - group: top10-insecure-design - name: Java_Android_Client_Side_ReDoS - pretty_name: Client Side ReDoS - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Android_Copy_Paste_Buffer_Caching: - categories: - - cwe-922 - - owasp-top-10 - - checkmarx-android - - boost-baseline - - ALL - description: The product stores sensitive information without properly limiting - read or write access by unauthorized actors. - group: top10-broken-access-control - name: Java_Android_Copy_Paste_Buffer_Caching - pretty_name: Copy Paste Buffer Caching - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Android_Debuggable_App: - categories: - - owasp-top-10 - - checkmarx-android - - cwe-668 - - boost-baseline - - ALL - description: The product exposes a resource to the wrong control sphere, providing - unintended actors with inappropriate access to the resource. 
- group: top10-broken-access-control - name: Java_Android_Debuggable_App - pretty_name: Debuggable App - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Android_Exported_Content_Provider_Without_Protective_Permissions: - categories: - - owasp-top-10 - - checkmarx-android - - cwe-668 - - boost-baseline - - ALL - description: The product exposes a resource to the wrong control sphere, providing - unintended actors with inappropriate access to the resource. - group: top10-broken-access-control - name: Java_Android_Exported_Content_Provider_Without_Protective_Permissions - pretty_name: Exported Content Provider Without Protective Permissions - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Android_Exported_Service_Without_Permissions: - categories: - - owasp-top-10 - - checkmarx-android - - cwe-668 - - boost-baseline - - ALL - description: The product exposes a resource to the wrong control sphere, providing - unintended actors with inappropriate access to the resource. - group: top10-broken-access-control - name: Java_Android_Exported_Service_Without_Permissions - pretty_name: Exported Service Without Permissions - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Android_Exported_Service_Without_Protective_Permissions: - categories: - - owasp-top-10 - - checkmarx-android - - cwe-668 - - boost-baseline - - ALL - description: The product exposes a resource to the wrong control sphere, providing - unintended actors with inappropriate access to the resource. 
- group: top10-broken-access-control - name: Java_Android_Exported_Service_Without_Protective_Permissions - pretty_name: Exported Service Without Protective Permissions - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Android_Exposure_Of_Resource_To_Other_Applications: - categories: - - owasp-top-10 - - checkmarx-android - - cwe-668 - - boost-baseline - - ALL - description: The product exposes a resource to the wrong control sphere, providing - unintended actors with inappropriate access to the resource. - group: top10-broken-access-control - name: Java_Android_Exposure_Of_Resource_To_Other_Applications - pretty_name: Exposure Of Resource To Other Applications - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Android_Failure_To_Implement_Least_Privilege: - categories: - - ALL - - owasp-top-10 - - checkmarx-android - - boost-baseline - - cwe-250 - description: The product performs an operation at a privilege level that is higher - than the minimum level required, which creates new weaknesses or amplifies the - consequences of other weaknesses. - group: top10-broken-access-control - name: Java_Android_Failure_To_Implement_Least_Privilege - pretty_name: Failure To Implement Least Privilege - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Android_General_Android_Find_Request_Permissions: - categories: - - boost-baseline - - ALL - - checkmarx-android - - owasp-top-10 - description: Verifies if an Android application is properly requesting permissions. - The absence or misuse of permission requests can lead to unauthorized access - or functionality misuse. 
- group: top10-broken-access-control - name: Java_Android_General_Android_Find_Request_Permissions - pretty_name: General Android Find Request Permissions - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Android_Hardcoded_Password_In_Gradle: - categories: - - ALL - - owasp-top-10 - - checkmarx-android - - boost-baseline - - cwe-259 - description: The product contains a hard-coded password, which it uses for its - own inbound authentication or for outbound communication to external components. - group: top10-id-authn-failures - name: Java_Android_Hardcoded_Password_In_Gradle - pretty_name: Hardcoded Password In Gradle - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Android_Implicit_Intent_With_Read_Write_Permissions: - categories: - - owasp-top-10 - - checkmarx-android - - cwe-668 - - boost-baseline - - ALL - description: The product exposes a resource to the wrong control sphere, providing - unintended actors with inappropriate access to the resource. - group: top10-broken-access-control - name: Java_Android_Implicit_Intent_With_Read_Write_Permissions - pretty_name: Implicit Intent With Read Write Permissions - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Android_Improper_Verification_Of_Intent_By_Broadcast_Receiver: - categories: - - cwe-925 - - owasp-top-10 - - checkmarx-android - - boost-baseline - - ALL - description: The Android application uses a Broadcast Receiver that receives an - Intent but does not properly verify that the Intent came from an authorized - source. 
- group: top10-software-data-integrity-failures - name: Java_Android_Improper_Verification_Of_Intent_By_Broadcast_Receiver - pretty_name: Improper Verification Of Intent By Broadcast Receiver - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Android_Information_Leak_Through_Response_Caching: - categories: - - owasp-top-10 - - checkmarx-android - - cwe-524 - - boost-baseline - - ALL - description: The code uses a cache that contains sensitive information, but the - cache can be read by an actor outside of the intended control sphere. - group: top10-broken-access-control - name: Java_Android_Information_Leak_Through_Response_Caching - pretty_name: Information Leak Through Response Caching - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Android_Insecure_Android_SDK_Version: - categories: - - cwe-477 - - owasp-top-10 - - checkmarx-android - - boost-baseline - - ALL - description: The code uses deprecated or obsolete functions, which suggests that - the code has not been actively reviewed or maintained. - group: top10-vulnerable-components - name: Java_Android_Insecure_Android_SDK_Version - pretty_name: Insecure Android SDK Version - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Android_Insecure_Data_Storage: - categories: - - cwe-312 - - owasp-top-10 - - checkmarx-android - - boost-baseline - - ALL - description: The product stores sensitive information in cleartext within a resource - that might be accessible to another control sphere. 
- group: top10-insecure-design - name: Java_Android_Insecure_Data_Storage - pretty_name: Insecure Data Storage - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Android_Insecure_Data_Storage_Usage: - categories: - - cwe-312 - - owasp-top-10 - - checkmarx-android - - boost-baseline - - ALL - description: The product stores sensitive information in cleartext within a resource - that might be accessible to another control sphere. - group: top10-insecure-design - name: Java_Android_Insecure_Data_Storage_Usage - pretty_name: Insecure Data Storage Usage - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Android_Insecure_HTTP_Connections_Enabled: - categories: - - owasp-top-10 - - checkmarx-android - - cwe-319 - - boost-baseline - - ALL - description: The product transmits sensitive or security-critical data in cleartext - in a communication channel that can be sniffed by unauthorized actors. - group: top10-crypto-failures - name: Java_Android_Insecure_HTTP_Connections_Enabled - pretty_name: Insecure HTTP Connections Enabled - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Android_Insecure_WebView_Usage: - categories: - - boost-hardened - - owasp-top-10 - - cwe-829 - - checkmarx-android - - boost-baseline - - ALL - description: The product imports, requires, or includes executable functionality - (such as a library) from a source that is outside of the intended control sphere. 
- group: top10-software-data-integrity-failures - name: Java_Android_Insecure_WebView_Usage - pretty_name: Insecure WebView Usage - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Android_Insufficient_Application_Layer_Protect: - categories: - - owasp-top-10 - - checkmarx-android - - cwe-311 - - boost-baseline - - ALL - description: The product does not encrypt sensitive or critical information before - storage or transmission. - group: top10-insecure-design - name: Java_Android_Insufficient_Application_Layer_Protect - pretty_name: Insufficient Application Layer Protect - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Android_Insufficient_Sensitive_Application_Layer: - categories: - - boost-hardened - - owasp-top-10 - - checkmarx-android - - cwe-319 - - boost-baseline - - ALL - description: The product transmits sensitive or security-critical data in cleartext - in a communication channel that can be sniffed by unauthorized actors. - group: top10-broken-access-control - name: Java_Android_Insufficient_Sensitive_Application_Layer - pretty_name: Insufficient Sensitive Application Layer - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Android_Keyboard_Cache_Information_Leak: - categories: - - owasp-top-10 - - checkmarx-android - - cwe-524 - - boost-baseline - - ALL - description: The code uses a cache that contains sensitive information, but the - cache can be read by an actor outside of the intended control sphere. 
- group: top10-broken-access-control - name: Java_Android_Keyboard_Cache_Information_Leak - pretty_name: Keyboard Cache Information Leak - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Android_Malicious_Program: - categories: - - boost-hardened - - checkmarx-android - - cwe-265 - - boost-baseline - - ALL - description: Improper handling, assignment, or management of privileges. A privilege - is a property of an agent, such as a user. It lets the agent do things that - are not ordinarily allowed. - group: supply-chain-malicious-dependency - name: Java_Android_Malicious_Program - pretty_name: Malicious Program - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Android_Missing_Certificate_Pinning: - categories: - - owasp-top-10 - - checkmarx-android - - cwe-295 - - boost-baseline - - ALL - description: The product does not validate, or incorrectly validates, a certificate. - group: top10-id-authn-failures - name: Java_Android_Missing_Certificate_Pinning - pretty_name: Missing Certificate Pinning - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Android_Missing_Device_Lock_Verification: - categories: - - owasp-top-10 - - cwe-829 - - checkmarx-android - - boost-baseline - - ALL - description: The product imports, requires, or includes executable functionality - (such as a library) from a source that is outside of the intended control sphere. 
- group: top10-software-data-integrity-failures - name: Java_Android_Missing_Device_Lock_Verification - pretty_name: Missing Device Lock Verification - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Android_Missing_Rooted_Device_Check: - categories: - - cwe-693 - - owasp-top-10 - - checkmarx-android - - boost-baseline - - ALL - description: The product does not use or incorrectly uses a protection mechanism - that provides sufficient defense against directed attacks against the product. - group: top10-insecure-design - name: Java_Android_Missing_Rooted_Device_Check - pretty_name: Missing Rooted Device Check - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Android_No_Installer_Verification_Implemented: - categories: - - owasp-top-10 - - cwe-829 - - checkmarx-android - - boost-baseline - - ALL - description: The product imports, requires, or includes executable functionality - (such as a library) from a source that is outside of the intended control sphere. - group: top10-software-data-integrity-failures - name: Java_Android_No_Installer_Verification_Implemented - pretty_name: No Installer Verification Implemented - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Android_Non_Encrypted_Data_Storage: - categories: - - owasp-top-10 - - checkmarx-android - - cwe-311 - - boost-baseline - - ALL - description: The product does not encrypt sensitive or critical information before - storage or transmission. 
- group: top10-insecure-design - name: Java_Android_Non_Encrypted_Data_Storage - pretty_name: Non Encrypted Data Storage - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Android_Passing_Non_Encrypted_Data_Between_Activities: - categories: - - owasp-top-10 - - checkmarx-android - - cwe-319 - - boost-baseline - - ALL - description: The product transmits sensitive or security-critical data in cleartext - in a communication channel that can be sniffed by unauthorized actors. - group: top10-crypto-failures - name: Java_Android_Passing_Non_Encrypted_Data_Between_Activities - pretty_name: Passing Non Encrypted Data Between Activities - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Android_Poor_Authorization_and_Authentication: - categories: - - cwe-287 - - owasp-top-10 - - checkmarx-android - - boost-baseline - - ALL - - cwe-top-25 - description: When an actor claims to have a given identity, the product does not - prove or insufficiently proves that the claim is correct. - group: top10-id-authn-failures - name: Java_Android_Poor_Authorization_and_Authentication - pretty_name: Poor Authorization and Authentication - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Android_ProGuard_Obfuscation_Not_In_Use: - categories: - - cwe-693 - - owasp-top-10 - - checkmarx-android - - boost-baseline - - ALL - description: The product does not use or incorrectly uses a protection mechanism - that provides sufficient defense against directed attacks against the product. 
- group: top10-insecure-design - name: Java_Android_ProGuard_Obfuscation_Not_In_Use - pretty_name: ProGuard Obfuscation Not In Use - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Android_Reuse_Of_Cryptographic_Key: - categories: - - cwe-521 - - owasp-top-10 - - checkmarx-android - - boost-baseline - - ALL - description: The product does not require that users should have strong passwords, - which makes it easier for attackers to compromise user accounts. - group: top10-id-authn-failures - name: Java_Android_Reuse_Of_Cryptographic_Key - pretty_name: Reuse Of Cryptographic Key - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Android_Screen_Caching: - categories: - - owasp-top-10 - - checkmarx-android - - cwe-524 - - boost-baseline - - ALL - description: The code uses a cache that contains sensitive information, but the - cache can be read by an actor outside of the intended control sphere. - group: top10-broken-access-control - name: Java_Android_Screen_Caching - pretty_name: Screen Caching - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Android_Side_Channel_Data_Leakage: - categories: - - boost-hardened - - owasp-top-10 - - checkmarx-android - - boost-baseline - - ALL - - cwe-200 - description: The product exposes sensitive information to an actor that is not - explicitly authorized to have access to that information. 
- group: top10-broken-access-control - name: Java_Android_Side_Channel_Data_Leakage - pretty_name: Side Channel Data Leakage - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Android_Unsafe_Permission_Check: - categories: - - owasp-top-10 - - checkmarx-android - - cwe-284 - - boost-baseline - - ALL - description: The product does not restrict or incorrectly restricts access to - a resource from an unauthorized actor. - group: top10-broken-access-control - name: Java_Android_Unsafe_Permission_Check - pretty_name: Unsafe Permission Check - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Android_Unvalidated_Self_Signed_Certificate: - categories: - - owasp-top-10 - - checkmarx-android - - cwe-295 - - boost-baseline - - ALL - description: The product does not validate, or incorrectly validates, a certificate. - group: top10-id-authn-failures - name: Java_Android_Unvalidated_Self_Signed_Certificate - pretty_name: Unvalidated Self Signed Certificate - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Android_Use_Of_Implicit_Intent_For_Sensitive_Communication: - categories: - - cwe-927 - - owasp-top-10 - - checkmarx-android - - boost-baseline - - ALL - description: The Android application uses an implicit intent for transmitting - sensitive data to other applications. 
- group: top10-insecure-design - name: Java_Android_Use_Of_Implicit_Intent_For_Sensitive_Communication - pretty_name: Use Of Implicit Intent For Sensitive Communication - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Android_Use_of_Native_Language: - categories: - - owasp-top-10 - - checkmarx-android - - cwe-695 - - boost-baseline - - ALL - description: The product uses low-level functionality that is explicitly prohibited - by the framework or specification under which the product is supposed to operate. - group: top10-injection - name: Java_Android_Use_of_Native_Language - pretty_name: Use of Native Language - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Android_Use_of_WebView_AddJavascriptInterface: - categories: - - boost-hardened - - boost-baseline - - owasp-top-10 - - checkmarx-android - - cwe-749 - - ALL - description: The product provides an Applications Programming Interface (API) - or similar interface for interaction with external actors, but the interface - includes a dangerous method or function that is not properly restricted. - group: top10-vulnerable-components - name: Java_Android_Use_of_WebView_AddJavascriptInterface - pretty_name: Use of WebView AddJavascriptInterface - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Android_Weak_Encryption: - categories: - - ALL - - owasp-top-10 - - checkmarx-android - - boost-baseline - - cwe-326 - description: The product stores or transmits sensitive data using an encryption - scheme that is theoretically sound, but is not strong enough for the level of - protection required. 
- group: top10-crypto-failures - name: Java_Android_Weak_Encryption - pretty_name: Weak Encryption - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Android_WebView_Cache_Information_Leak: - categories: - - owasp-top-10 - - checkmarx-android - - cwe-524 - - boost-baseline - - ALL - description: The code uses a cache that contains sensitive information, but the - cache can be read by an actor outside of the intended control sphere. - group: top10-broken-access-control - name: Java_Android_WebView_Cache_Information_Leak - pretty_name: WebView Cache Information Leak - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Best_Coding_Practice_Access_Specifier_Manipulation: - categories: - - owasp-top-10 - - checkmarx-best-coding-practices - - cwe-284 - - boost-baseline - - ALL - description: The product does not restrict or incorrectly restricts access to - a resource from an unauthorized actor. - group: top10-broken-access-control - name: Java_Best_Coding_Practice_Access_Specifier_Manipulation - pretty_name: Access Specifier Manipulation - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Best_Coding_Practice_Array_Declared_Public_Final_and_Static: - categories: - - cwe-582 - - owasp-top-10 - - checkmarx-best-coding-practices - - boost-baseline - - ALL - description: The product declares an array public, final, and static, which is - not sufficient to prevent the array's contents from being modified. 
- group: top10-insecure-design - name: Java_Best_Coding_Practice_Array_Declared_Public_Final_and_Static - pretty_name: Array Declared Public Final and Static - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Best_Coding_Practice_Assigning_instead_of_Comparing: - categories: - - cwe-481 - - owasp-top-10 - - checkmarx-best-coding-practices - - boost-baseline - - ALL - description: The code uses an operator for assignment when the intention was to - perform a comparison. - group: top10-insecure-design - name: Java_Best_Coding_Practice_Assigning_instead_of_Comparing - pretty_name: Assigning instead of Comparing - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Best_Coding_Practice_Call_to_Thread_run: - categories: - - cwe-572 - - owasp-top-10 - - checkmarx-best-coding-practices - - boost-baseline - - ALL - description: The product calls a thread's run() method instead of calling start(), - which causes the code to run in the thread of the caller instead of the callee. - group: top10-insecure-design - name: Java_Best_Coding_Practice_Call_to_Thread_run - pretty_name: Call to Thread run - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Best_Coding_Practice_Catch_NullPointerException: - categories: - - cwe-395 - - owasp-top-10 - - checkmarx-best-coding-practices - - boost-baseline - - ALL - description: Catching NullPointerException should not be used as an alternative - to programmatic checks to prevent dereferencing a null pointer. 
- group: top10-insecure-design - name: Java_Best_Coding_Practice_Catch_NullPointerException - pretty_name: Catch NullPointerException - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Best_Coding_Practice_Comparing_instead_of_Assigning: - categories: - - owasp-top-10 - - cwe-482 - - checkmarx-best-coding-practices - - boost-baseline - - ALL - description: The code uses an operator for comparison when the intention was to - perform an assignment. - group: top10-insecure-design - name: Java_Best_Coding_Practice_Comparing_instead_of_Assigning - pretty_name: Comparing instead of Assigning - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Best_Coding_Practice_Comparison_of_Classes_By_Name: - categories: - - cwe-486 - - owasp-top-10 - - checkmarx-best-coding-practices - - boost-baseline - - ALL - description: The product compares classes by name, which can cause it to use the - wrong class when multiple classes can have the same name. - group: top10-insecure-design - name: Java_Best_Coding_Practice_Comparison_of_Classes_By_Name - pretty_name: Comparison of Classes By Name - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Best_Coding_Practice_Confusing_Naming: - categories: - - owasp-top-10 - - cwe-710 - - checkmarx-best-coding-practices - - boost-baseline - - ALL - description: The product does not follow certain coding rules for development, - which can lead to resultant weaknesses or increase the severity of the associated - vulnerabilities. 
- group: top10-insecure-design - name: Java_Best_Coding_Practice_Confusing_Naming - pretty_name: Confusing Naming - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Best_Coding_Practice_Critical_Public_Variable_Without_Final_Modifier: - categories: - - owasp-top-10 - - cwe-493 - - checkmarx-best-coding-practices - - boost-baseline - - ALL - description: The product has a critical public variable that is not final, which - allows the variable to be modified to contain unexpected values. - group: top10-insecure-design - name: Java_Best_Coding_Practice_Critical_Public_Variable_Without_Final_Modifier - pretty_name: Critical Public Variable Without Final Modifier - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Best_Coding_Practice_Dead_Code: - categories: - - cwe-561 - - owasp-top-10 - - checkmarx-best-coding-practices - - boost-baseline - - ALL - description: The product contains dead code, which can never be executed. - group: top10-insecure-design - name: Java_Best_Coding_Practice_Dead_Code - pretty_name: Dead Code - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Best_Coding_Practice_Declaration_Of_Catch_For_Generic_Exception: - categories: - - cwe-396 - - owasp-top-10 - - checkmarx-best-coding-practices - - boost-baseline - - ALL - description: Catching overly broad exceptions promotes complex error handling - code that is more likely to contain security vulnerabilities. 
- group: top10-insecure-design - name: Java_Best_Coding_Practice_Declaration_Of_Catch_For_Generic_Exception - pretty_name: Declaration Of Catch For Generic Exception - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Best_Coding_Practice_Declaration_of_Throws_for_Generic_Exception: - categories: - - owasp-top-10 - - cwe-397 - - checkmarx-best-coding-practices - - boost-baseline - - ALL - description: Throwing overly broad exceptions promotes complex error handling - code that is more likely to contain security vulnerabilities. - group: top10-insecure-design - name: Java_Best_Coding_Practice_Declaration_of_Throws_for_Generic_Exception - pretty_name: Declaration of Throws for Generic Exception - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Best_Coding_Practice_Detection_of_Error_Condition_Without_Action: - categories: - - cwe-390 - - owasp-top-10 - - checkmarx-best-coding-practices - - boost-baseline - - ALL - description: The product detects a specific error, but takes no actions to handle - the error. - group: top10-insecure-design - name: Java_Best_Coding_Practice_Detection_of_Error_Condition_Without_Action - pretty_name: Detection of Error Condition Without Action - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Best_Coding_Practice_Direct_Use_of_Sockets: - categories: - - boost-baseline - - owasp-top-10 - - checkmarx-best-coding-practices - - cwe-246 - - ALL - description: The J2EE application directly uses sockets instead of using framework - method calls. 
- group: top10-insecure-design - name: Java_Best_Coding_Practice_Direct_Use_of_Sockets - pretty_name: Direct Use of Sockets - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Best_Coding_Practice_Direct_Use_of_Threads: - categories: - - ALL - - owasp-top-10 - - checkmarx-best-coding-practices - - boost-baseline - - cwe-383 - description: Thread management in a Web application is forbidden in some circumstances - and is always highly error prone. - group: top10-insecure-design - name: Java_Best_Coding_Practice_Direct_Use_of_Threads - pretty_name: Direct Use of Threads - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Best_Coding_Practice_Dynamic_File_Inclusion: - categories: - - owasp-top-10 - - cwe-829 - - checkmarx-best-coding-practices - - boost-baseline - - ALL - description: The product imports, requires, or includes executable functionality - (such as a library) from a source that is outside of the intended control sphere. - group: top10-software-data-integrity-failures - name: Java_Best_Coding_Practice_Dynamic_File_Inclusion - pretty_name: Dynamic File Inclusion - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Best_Coding_Practice_Dynamic_SQL_Queries: - categories: - - cwe-89 - - owasp-top-10 - - checkmarx-best-coding-practices - - boost-baseline - - ALL - - cwe-top-25 - description: The product constructs all or part of an SQL command using externally-influenced - input from an upstream component, but it does not neutralize or incorrectly - neutralizes special elements that could modify the intended SQL command when - it is sent to a downstream component. 
- group: top10-injection - name: Java_Best_Coding_Practice_Dynamic_SQL_Queries - pretty_name: Dynamic SQL Queries - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Best_Coding_Practice_Dynamic_Set_Of_Null_SecurityManager: - categories: - - cwe-274 - - owasp-top-10 - - checkmarx-best-coding-practices - - boost-baseline - - ALL - description: The product does not handle or incorrectly handles when it has insufficient - privileges to perform an operation, leading to resultant weaknesses. - group: top10-insecure-design - name: Java_Best_Coding_Practice_Dynamic_Set_Of_Null_SecurityManager - pretty_name: Dynamic Set Of Null SecurityManager - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Best_Coding_Practice_ESAPI_Banned_API: - categories: - - owasp-top-10 - - checkmarx-best-coding-practices - - cwe-676 - - boost-baseline - - ALL - description: The product invokes a potentially dangerous function that could introduce - a vulnerability if it is used incorrectly, but the function can also be used - safely. - group: top10-insecure-design - name: Java_Best_Coding_Practice_ESAPI_Banned_API - pretty_name: ESAPI Banned API - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Best_Coding_Practice_Empty_Methods: - categories: - - owasp-top-10 - - cwe-398 - - checkmarx-best-coding-practices - - boost-baseline - - ALL - description: Indicates that the product has not been carefully developed or maintained. 
- group: top10-insecure-design - name: Java_Best_Coding_Practice_Empty_Methods - pretty_name: Empty Methods - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Best_Coding_Practice_Empty_Synchronized_Block: - categories: - - cwe-585 - - owasp-top-10 - - checkmarx-best-coding-practices - - boost-baseline - - ALL - description: The product contains an empty synchronized block. - group: top10-insecure-design - name: Java_Best_Coding_Practice_Empty_Synchronized_Block - pretty_name: Empty Synchronized Block - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Best_Coding_Practice_Empty_TryBlocks: - categories: - - cwe-390 - - owasp-top-10 - - checkmarx-best-coding-practices - - boost-baseline - - ALL - description: The product detects a specific error, but takes no actions to handle - the error. - group: top10-insecure-design - name: Java_Best_Coding_Practice_Empty_TryBlocks - pretty_name: Empty TryBlocks - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Best_Coding_Practice_Explicit_Call_to_Finalize: - categories: - - owasp-top-10 - - checkmarx-best-coding-practices - - boost-baseline - - ALL - - cwe-586 - description: The product makes an explicit call to the finalize() method from - outside the finalizer. - group: top10-insecure-design - name: Java_Best_Coding_Practice_Explicit_Call_to_Finalize - pretty_name: Explicit Call to Finalize - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Best_Coding_Practice_Exposure_of_Resource_to_Wrong_Sphere: - categories: - - owasp-top-10 - - cwe-493 - - checkmarx-best-coding-practices - - boost-baseline - - ALL - description: The product has a critical public variable that is not final, which - allows the variable to be modified to contain unexpected values. 
- group: top10-insecure-design - name: Java_Best_Coding_Practice_Exposure_of_Resource_to_Wrong_Sphere - pretty_name: Exposure of Resource to Wrong Sphere - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Best_Coding_Practice_Expression_is_Always_False: - categories: - - cwe-570 - - owasp-top-10 - - checkmarx-best-coding-practices - - boost-baseline - - ALL - description: The product contains an expression that will always evaluate to false. - group: top10-insecure-design - name: Java_Best_Coding_Practice_Expression_is_Always_False - pretty_name: Expression is Always False - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Best_Coding_Practice_Expression_is_Always_True: - categories: - - owasp-top-10 - - cwe-571 - - checkmarx-best-coding-practices - - boost-baseline - - ALL - description: The product contains an expression that will always evaluate to true. - group: top10-insecure-design - name: Java_Best_Coding_Practice_Expression_is_Always_True - pretty_name: Expression is Always True - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Best_Coding_Practice_Failure_to_Catch_All_Exceptions_in_Servlet: - categories: - - owasp-top-10 - - checkmarx-best-coding-practices - - cwe-600 - - boost-baseline - - ALL - description: The Servlet does not catch all exceptions, which may reveal sensitive - debugging information. 
- group: top10-insecure-design - name: Java_Best_Coding_Practice_Failure_to_Catch_All_Exceptions_in_Servlet - pretty_name: Failure to Catch All Exceptions in Servlet - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Best_Coding_Practice_GOTO_Statement: - categories: - - owasp-top-10 - - checkmarx-best-coding-practices - - boost-baseline - - ALL - - cwe-699 - description: Using GOTO statements is considered a poor coding practice as it - makes the code harder to understand and maintain. The flow of the logic is less - clear with GOTO jumps, versus the more structured control flow of if/else statements, - loops, etc. GOTO usage can also lead to spaghetti code that is tangled and difficult - to follow. For cleaner, more maintainable code, GOTO statements should be avoided - in favor of alternate structured programming constructs. - group: top10-insecure-design - name: Java_Best_Coding_Practice_GOTO_Statement - pretty_name: GOTO Statement - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Best_Coding_Practice_Hardcoded_Absolute_Path: - categories: - - cwe-426 - - owasp-top-10 - - checkmarx-best-coding-practices - - boost-baseline - - ALL - description: The product searches for critical resources using an externally-supplied - search path that can point to resources that are not under the product's direct - control. 
- group: top10-software-data-integrity-failures - name: Java_Best_Coding_Practice_Hardcoded_Absolute_Path - pretty_name: Hardcoded Absolute Path - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Best_Coding_Practice_Hardcoded_Connection_String: - categories: - - owasp-top-10 - - checkmarx-best-coding-practices - - boost-baseline - - ALL - - cwe-top-25 - - cwe-798 - description: The product contains hard-coded credentials, such as a password or - cryptographic key, which it uses for its own inbound authentication, outbound - communication to external components, or encryption of internal data. - group: top10-id-authn-failures - name: Java_Best_Coding_Practice_Hardcoded_Connection_String - pretty_name: Hardcoded Connection String - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Best_Coding_Practice_Improper_Initialization: - categories: - - owasp-top-10 - - checkmarx-best-coding-practices - - cwe-665 - - boost-baseline - - ALL - description: The product does not initialize or incorrectly initializes a resource, - which might leave the resource in an unexpected state when it is accessed or - used. - group: top10-insecure-design - name: Java_Best_Coding_Practice_Improper_Initialization - pretty_name: Improper Initialization - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Best_Coding_Practice_Incorrect_Block_Delimitation: - categories: - - owasp-top-10 - - checkmarx-best-coding-practices - - boost-baseline - - ALL - - cwe-483 - description: The code does not explicitly delimit a block that is intended to - contain 2 or more statements, creating a logic error. 
- group: top10-insecure-design - name: Java_Best_Coding_Practice_Incorrect_Block_Delimitation - pretty_name: Incorrect Block Delimitation - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Best_Coding_Practice_Incorrect_Conversion_between_Numeric_Types: - categories: - - cwe-681 - - owasp-top-10 - - checkmarx-best-coding-practices - - boost-baseline - - ALL - description: When converting from one data type to another, such as long to integer, - data can be omitted or translated in a way that produces unexpected values. - If the resulting values are used in a sensitive context, then dangerous behaviors - may occur. - group: top10-insecure-design - name: Java_Best_Coding_Practice_Incorrect_Conversion_between_Numeric_Types - pretty_name: Incorrect Conversion between Numeric Types - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Best_Coding_Practice_Input_Not_Normalized: - categories: - - boost-baseline - - ALL - - checkmarx-best-coding-practices - - owasp-top-10 - description: Input data in a Java application is not being normalized, increasing - the risk of data processing errors, security vulnerabilities, and malformed - input exploitation. - group: top10-insecure-design - name: Java_Best_Coding_Practice_Input_Not_Normalized - pretty_name: Input Not Normalized - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Best_Coding_Practice_Insufficient_Logging_of_Database_Actions: - categories: - - boost-baseline - - ALL - - checkmarx-best-coding-practices - - cwe-778 - description: When a security-critical event occurs, the product either does not - record the event or omits important details about the event when logging it. 
- group: top10-security-logging-monitoring-failures - name: Java_Best_Coding_Practice_Insufficient_Logging_of_Database_Actions - pretty_name: Insufficient Logging of Database Actions - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Best_Coding_Practice_Insufficient_Logging_of_Exceptions: - categories: - - boost-baseline - - ALL - - checkmarx-best-coding-practices - - cwe-778 - description: When a security-critical event occurs, the product either does not - record the event or omits important details about the event when logging it. - group: top10-security-logging-monitoring-failures - name: Java_Best_Coding_Practice_Insufficient_Logging_of_Exceptions - pretty_name: Insufficient Logging of Exceptions - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Best_Coding_Practice_Just_One_of_Equals_and_Hash_code_Defined: - categories: - - ALL - - owasp-top-10 - - checkmarx-best-coding-practices - - boost-baseline - - cwe-581 - description: The product does not maintain equal hashcodes for equal objects. - group: top10-insecure-design - name: Java_Best_Coding_Practice_Just_One_of_Equals_and_Hash_code_Defined - pretty_name: Just One of Equals and Hash code Defined - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Best_Coding_Practice_Leftover_Debug_Code: - categories: - - cwe-489 - - owasp-top-10 - - checkmarx-best-coding-practices - - boost-baseline - - ALL - description: The product is deployed to unauthorized actors with debugging code - still enabled or active, which can create unintended entry points or expose - sensitive information. 
- group: top10-insecure-design - name: Java_Best_Coding_Practice_Leftover_Debug_Code - pretty_name: Leftover Debug Code - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Best_Coding_Practice_Missing_Default_Case_In_Switch_Statement: - categories: - - cwe-478 - - owasp-top-10 - - checkmarx-best-coding-practices - - boost-baseline - - ALL - description: The code does not have a default case in an expression with multiple - conditions, such as a switch statement. - group: top10-insecure-design - name: Java_Best_Coding_Practice_Missing_Default_Case_In_Switch_Statement - pretty_name: Missing Default Case In Switch Statement - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Best_Coding_Practice_Missing_XML_Validation: - categories: - - cwe-112 - - owasp-top-10 - - checkmarx-best-coding-practices - - boost-baseline - - ALL - description: The product accepts XML from an untrusted source but does not validate - the XML against the proper schema. - group: top10-insecure-design - name: Java_Best_Coding_Practice_Missing_XML_Validation - pretty_name: Missing XML Validation - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Best_Coding_Practice_Non_serializable_Object_Stored_in_Session: - categories: - - owasp-top-10 - - cwe-579 - - checkmarx-best-coding-practices - - boost-baseline - - ALL - description: The product stores a non-serializable object as an HttpSession attribute, - which can hurt reliability. 
- group: top10-insecure-design - name: Java_Best_Coding_Practice_Non_serializable_Object_Stored_in_Session - pretty_name: Non serializable Object Stored in Session - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Best_Coding_Practice_Not_Static_Final_Logger: - categories: - - owasp-top-10 - - cwe-398 - - checkmarx-best-coding-practices - - boost-baseline - - ALL - description: Indicates that the product has not been carefully developed or maintained. - group: top10-insecure-design - name: Java_Best_Coding_Practice_Not_Static_Final_Logger - pretty_name: Not Static Final Logger - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Best_Coding_Practice_Null_Pointer_Dereference: - categories: - - owasp-top-10 - - checkmarx-best-coding-practices - - cwe-476 - - boost-baseline - - ALL - - cwe-top-25 - description: A NULL pointer dereference occurs when the application dereferences - a pointer that it expects to be valid, but is NULL, typically causing a crash - or exit. - group: top10-insecure-design - name: Java_Best_Coding_Practice_Null_Pointer_Dereference - pretty_name: Null Pointer Dereference - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Best_Coding_Practice_Omitted_Break_Statement_In_Switch: - categories: - - cwe-484 - - owasp-top-10 - - checkmarx-best-coding-practices - - boost-baseline - - ALL - description: The product omits a break statement within a switch or similar construct, - causing code associated with multiple conditions to execute. This can cause - problems when the programmer only intended to execute code associated with one - condition. 
- group: top10-insecure-design - name: Java_Best_Coding_Practice_Omitted_Break_Statement_In_Switch - pretty_name: Omitted Break Statement In Switch - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Best_Coding_Practice_Pages_Without_Global_Error_Handler: - categories: - - owasp-top-10 - - cwe-544 - - checkmarx-best-coding-practices - - boost-baseline - - ALL - description: The product does not use a standardized method for handling errors - throughout the code, which might introduce inconsistent error handling and resultant - weaknesses. - group: top10-insecure-design - name: Java_Best_Coding_Practice_Pages_Without_Global_Error_Handler - pretty_name: Pages Without Global Error Handler - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Best_Coding_Practice_Portability_Flaw_In_File_Separator: - categories: - - cwe-474 - - owasp-top-10 - - checkmarx-best-coding-practices - - boost-baseline - - ALL - description: The code uses a function that has inconsistent implementations across - operating systems and versions. - group: top10-insecure-design - name: Java_Best_Coding_Practice_Portability_Flaw_In_File_Separator - pretty_name: Portability Flaw In File Separator - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Best_Coding_Practice_Potential_SpringShell: - categories: - - boost-baseline - - ALL - - checkmarx-best-coding-practices - - owasp-top-10 - description: Indicates the potential usage of Spring Shell libraries, posing a - risk of code execution vulnerability if unattended commands are exposed to the - user. 
- group: top10-insecure-design - name: Java_Best_Coding_Practice_Potential_SpringShell - pretty_name: Potential SpringShell - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Best_Coding_Practice_Potential_Usage_of_Vulnerable_Log4J: - categories: - - owasp-top-10 - - cwe-400 - - checkmarx-best-coding-practices - - boost-baseline - - ALL - - cwe-top-25 - description: The product does not properly control the allocation and maintenance - of a limited resource, thereby enabling an actor to influence the amount of - resources consumed, eventually leading to the exhaustion of available resources. - group: top10-insecure-design - name: Java_Best_Coding_Practice_Potential_Usage_of_Vulnerable_Log4J - pretty_name: Potential Usage of Vulnerable Log4J - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Best_Coding_Practice_Potentially_Serializable_Class_With_Sensitive_Data: - categories: - - owasp-top-10 - - checkmarx-best-coding-practices - - cwe-499 - - boost-baseline - - ALL - description: The code contains a class with sensitive data, but the class does - not explicitly deny serialization. The data can be accessed by serializing the - class through another class. - group: top10-insecure-design - name: Java_Best_Coding_Practice_Potentially_Serializable_Class_With_Sensitive_Data - pretty_name: Potentially Serializable Class With Sensitive Data - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Best_Coding_Practice_Public_Static_Field_Not_Marked_Final: - categories: - - owasp-top-10 - - checkmarx-best-coding-practices - - cwe-500 - - boost-baseline - - ALL - description: An object contains a public static field that is not marked final, - which might allow it to be modified in unexpected ways. 
- group: top10-insecure-design - name: Java_Best_Coding_Practice_Public_Static_Field_Not_Marked_Final - pretty_name: Public Static Field Not Marked Final - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Best_Coding_Practice_Reachable_Assertion: - categories: - - owasp-top-10 - - cwe-617 - - checkmarx-best-coding-practices - - boost-baseline - - ALL - description: The product contains an assert() or similar statement that can be - triggered by an attacker, which leads to an application exit or other behavior - that is more severe than necessary. - group: top10-insecure-design - name: Java_Best_Coding_Practice_Reachable_Assertion - pretty_name: Reachable Assertion - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Best_Coding_Practice_Redirect_Without_Exit: - categories: - - cwe-698 - - owasp-top-10 - - checkmarx-best-coding-practices - - boost-baseline - - ALL - description: The web application sends a redirect to another location, but instead - of exiting, it executes additional code. - group: top10-insecure-design - name: Java_Best_Coding_Practice_Redirect_Without_Exit - pretty_name: Redirect Without Exit - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Best_Coding_Practice_Reliance_On_Untrusted_Inputs_In_Security_Decision: - categories: - - owasp-top-10 - - checkmarx-best-coding-practices - - boost-baseline - - ALL - - cwe-807 - description: The product uses a protection mechanism that relies on the existence - or values of an input, but the input can be modified by an untrusted actor in - a way that bypasses the protection mechanism. 
- group: top10-insecure-design - name: Java_Best_Coding_Practice_Reliance_On_Untrusted_Inputs_In_Security_Decision - pretty_name: Reliance On Untrusted Inputs In Security Decision - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Best_Coding_Practice_Return_Inside_Finally_Block: - categories: - - cwe-584 - - owasp-top-10 - - checkmarx-best-coding-practices - - boost-baseline - - ALL - description: The code has a return statement inside a finally block, which will - cause any thrown exception in the try block to be discarded. - group: top10-insecure-design - name: Java_Best_Coding_Practice_Return_Inside_Finally_Block - pretty_name: Return Inside Finally Block - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Best_Coding_Practice_Suspicious_Endpoints: - categories: - - cwe-923 - - owasp-top-10 - - checkmarx-best-coding-practices - - boost-baseline - - ALL - description: The product establishes a communication channel to (or from) an endpoint - for privileged or protected operations, but it does not properly ensure that - it is communicating with the correct endpoint. - group: top10-insecure-design - name: Java_Best_Coding_Practice_Suspicious_Endpoints - pretty_name: Suspicious Endpoints - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Best_Coding_Practice_Unchecked_Error_Condition: - categories: - - owasp-top-10 - - cwe-391 - - checkmarx-best-coding-practices - - boost-baseline - - ALL - description: '[PLANNED FOR DEPRECATION. 
SEE MAINTENANCE NOTES AND CONSIDER' - group: top10-insecure-design - name: Java_Best_Coding_Practice_Unchecked_Error_Condition - pretty_name: Unchecked Error Condition - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Best_Coding_Practice_Unchecked_Return_Value: - categories: - - cwe-252 - - owasp-top-10 - - checkmarx-best-coding-practices - - boost-baseline - - ALL - description: The product does not check the return value from a method or function, - which can prevent it from detecting unexpected states and conditions. - group: top10-insecure-design - name: Java_Best_Coding_Practice_Unchecked_Return_Value - pretty_name: Unchecked Return Value - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Best_Coding_Practice_Unclosed_Objects: - categories: - - owasp-top-10 - - checkmarx-best-coding-practices - - boost-baseline - - ALL - - cwe-459 - description: The product does not properly "clean up" and remove temporary or - supporting resources after they have been used. - group: top10-insecure-design - name: Java_Best_Coding_Practice_Unclosed_Objects - pretty_name: Unclosed Objects - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Best_Coding_Practice_Uncontrolled_Recursion: - categories: - - cwe-674 - - owasp-top-10 - - checkmarx-best-coding-practices - - boost-baseline - - ALL - description: The product does not properly control the amount of recursion that - takes place, consuming excessive resources, such as allocated memory or the - program stack. 
- group: top10-insecure-design - name: Java_Best_Coding_Practice_Uncontrolled_Recursion - pretty_name: Uncontrolled Recursion - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Best_Coding_Practice_Undocumented_API: - categories: - - cwe-1059 - - owasp-top-10 - - checkmarx-best-coding-practices - - boost-baseline - - ALL - description: The product does not contain sufficient technical or engineering - documentation (whether on paper or in electronic form) that contains descriptions - of all the relevant software/hardware elements of the product, such as its usage, - structure, architectural components, interfaces, design, implementation, configuration, - operation, etc. - group: top10-insecure-design - name: Java_Best_Coding_Practice_Undocumented_API - pretty_name: Undocumented API - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Best_Coding_Practice_Unsafe_BiDi_Unicode_Data: - categories: - - cwe-94 - - owasp-top-10 - - checkmarx-best-coding-practices - - boost-baseline - - ALL - - cwe-top-25 - description: The product constructs all or part of a code segment using externally-influenced - input from an upstream component, but it does not neutralize or incorrectly - neutralizes special elements that could modify the syntax or behavior of the - intended code segment. 
- group: top10-injection - name: Java_Best_Coding_Practice_Unsafe_BiDi_Unicode_Data - pretty_name: Unsafe BiDi Unicode Data - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Best_Coding_Practice_Unsafe_Homoglyphs_Unicode_Data: - categories: - - cwe-94 - - owasp-top-10 - - checkmarx-best-coding-practices - - boost-baseline - - ALL - - cwe-top-25 - description: The product constructs all or part of a code segment using externally-influenced - input from an upstream component, but it does not neutralize or incorrectly - neutralizes special elements that could modify the syntax or behavior of the - intended code segment. - group: top10-injection - name: Java_Best_Coding_Practice_Unsafe_Homoglyphs_Unicode_Data - pretty_name: Unsafe Homoglyphs Unicode Data - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Best_Coding_Practice_Unused_Variable: - categories: - - owasp-top-10 - - cwe-563 - - checkmarx-best-coding-practices - - boost-baseline - - ALL - description: The variable's value is assigned but never used, making it a dead - store. - group: top10-insecure-design - name: Java_Best_Coding_Practice_Unused_Variable - pretty_name: Unused Variable - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Best_Coding_Practice_Use_Of_Uninitialized_Variables: - categories: - - cwe-457 - - owasp-top-10 - - checkmarx-best-coding-practices - - boost-baseline - - ALL - description: The code uses a variable that has not been initialized, leading to - unpredictable or unintended results. 
- group: top10-insecure-design - name: Java_Best_Coding_Practice_Use_Of_Uninitialized_Variables - pretty_name: Use Of Uninitialized Variables - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Best_Coding_Practice_Use_of_Inner_Class_Containing_Sensitive_Data: - categories: - - cwe-492 - - owasp-top-10 - - checkmarx-best-coding-practices - - boost-baseline - - ALL - description: Inner classes are translated into classes that are accessible at - package scope and may expose code that the programmer intended to keep private - to attackers. - group: top10-insecure-design - name: Java_Best_Coding_Practice_Use_of_Inner_Class_Containing_Sensitive_Data - pretty_name: Use of Inner Class Containing Sensitive Data - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Best_Coding_Practice_Use_of_Obsolete_Functions: - categories: - - cwe-477 - - owasp-top-10 - - checkmarx-best-coding-practices - - boost-baseline - - ALL - description: The code uses deprecated or obsolete functions, which suggests that - the code has not been actively reviewed or maintained. - group: top10-insecure-design - name: Java_Best_Coding_Practice_Use_of_Obsolete_Functions - pretty_name: Use of Obsolete Functions - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Best_Coding_Practice_Use_of_System_Output_Stream: - categories: - - owasp-top-10 - - cwe-398 - - checkmarx-best-coding-practices - - boost-baseline - - ALL - description: Indicates that the product has not been carefully developed or maintained. 
- group: top10-insecure-design - name: Java_Best_Coding_Practice_Use_of_System_Output_Stream - pretty_name: Use of System Output Stream - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Best_Coding_Practice_Use_of_System_exit: - categories: - - cwe-382 - - owasp-top-10 - - checkmarx-best-coding-practices - - boost-baseline - - ALL - description: A J2EE application uses System.exit(), which also shuts down its - container. - group: top10-insecure-design - name: Java_Best_Coding_Practice_Use_of_System_exit - pretty_name: Use of System exit - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Best_Coding_Practice_Use_of_Wrong_Operator_in_String_Comparison: - categories: - - cwe-597 - - owasp-top-10 - - checkmarx-best-coding-practices - - boost-baseline - - ALL - description: The product uses the wrong operator when comparing a string, such - as using "==" when the .equals() method should be used instead. - group: top10-insecure-design - name: Java_Best_Coding_Practice_Use_of_Wrong_Operator_in_String_Comparison - pretty_name: Use of Wrong Operator in String Comparison - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Best_Coding_Practice_clone_Method_Without_super_clone: - categories: - - cwe-580 - - owasp-top-10 - - checkmarx-best-coding-practices - - boost-baseline - - ALL - description: The product contains a clone() method that does not call super.clone() - to obtain the new object. 
- group: top10-insecure-design - name: Java_Best_Coding_Practice_clone_Method_Without_super_clone - pretty_name: clone Method Without super clone - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Best_Coding_Practice_finalize_Method_Declared_Public: - categories: - - owasp-top-10 - - checkmarx-best-coding-practices - - boost-baseline - - ALL - - cwe-583 - description: The product violates secure coding principles for mobile code by - declaring a finalize() method public. - group: top10-insecure-design - name: Java_Best_Coding_Practice_finalize_Method_Declared_Public - pretty_name: finalize Method Declared Public - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Best_Coding_Practice_finalize_Method_Without_super_finalize: - categories: - - cwe-568 - - owasp-top-10 - - checkmarx-best-coding-practices - - boost-baseline - - ALL - description: The product contains a finalize() method that does not call super.finalize(). - group: top10-insecure-design - name: Java_Best_Coding_Practice_finalize_Method_Without_super_finalize - pretty_name: finalize Method Without super finalize - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Exploitable_Path_Java_Find_Imports: - categories: - - boost-baseline - - ALL - - owasp-top-10 - description: Identifies instances in Java code where unsafe, potentially exploitable - packages or classes are imported, risking security vulnerabilities. 
- group: top10-injection - name: Java_Exploitable_Path_Java_Find_Imports - pretty_name: Java Find Imports - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Exploitable_Path_Java_Find_Methods: - categories: - - boost-baseline - - ALL - - owasp-top-10 - description: Java code where '.find()' methods are employed could introduce potential - Regular Expression Denial of Service (ReDoS) vulnerabilities if user-supplied - input is not properly sanitized. - group: top10-injection - name: Java_Exploitable_Path_Java_Find_Methods - pretty_name: Java Find Methods - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_GWT_GWT_DOM_XSS: - categories: - - cwe-79 - - owasp-top-10 - - checkmarx-gwt - - boost-baseline - - ALL - - cwe-top-25 - description: The product does not neutralize or incorrectly neutralizes user-controllable - input before it is placed in output that is used as a web page that is served - to other users. - group: top10-injection - name: Java_GWT_GWT_DOM_XSS - pretty_name: GWT DOM XSS - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_GWT_GWT_Reflected_XSS: - categories: - - boost-hardened - - cwe-79 - - owasp-top-10 - - checkmarx-gwt - - boost-baseline - - ALL - - cwe-top-25 - description: The product does not neutralize or incorrectly neutralizes user-controllable - input before it is placed in output that is used as a web page that is served - to other users. 
- group: top10-injection - name: Java_GWT_GWT_Reflected_XSS - pretty_name: GWT Reflected XSS - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_GWT_JSON_Hijacking: - categories: - - cwe-352 - - owasp-top-10 - - checkmarx-gwt - - boost-baseline - - ALL - - cwe-top-25 - description: The web application does not, or can not, sufficiently verify whether - a well-formed, valid, consistent request was intentionally provided by the user - who submitted the request. - group: top10-injection - name: Java_GWT_JSON_Hijacking - pretty_name: JSON Hijacking - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Heuristic_Heuristic_2nd_Order_SQL_Injection: - categories: - - checkmarx-heuristic - - cwe-89 - - owasp-top-10 - - boost-baseline - - ALL - - cwe-top-25 - description: The product constructs all or part of an SQL command using externally-influenced - input from an upstream component, but it does not neutralize or incorrectly - neutralizes special elements that could modify the intended SQL command when - it is sent to a downstream component. - group: top10-injection - name: Java_Heuristic_Heuristic_2nd_Order_SQL_Injection - pretty_name: Heuristic 2nd Order SQL Injection - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Heuristic_Heuristic_CGI_Stored_XSS: - categories: - - checkmarx-heuristic - - cwe-79 - - owasp-top-10 - - boost-baseline - - ALL - - cwe-top-25 - description: The product does not neutralize or incorrectly neutralizes user-controllable - input before it is placed in output that is used as a web page that is served - to other users. 
- group: top10-injection - name: Java_Heuristic_Heuristic_CGI_Stored_XSS - pretty_name: Heuristic CGI Stored XSS - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Heuristic_Heuristic_CSRF: - categories: - - checkmarx-heuristic - - cwe-352 - - owasp-top-10 - - boost-baseline - - ALL - - cwe-top-25 - description: The web application does not, or can not, sufficiently verify whether - a well-formed, valid, consistent request was intentionally provided by the user - who submitted the request. - group: top10-injection - name: Java_Heuristic_Heuristic_CSRF - pretty_name: Heuristic CSRF - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Heuristic_Heuristic_DB_Parameter_Tampering: - categories: - - checkmarx-heuristic - - owasp-top-10 - - cwe-284 - - boost-baseline - - ALL - description: The product does not restrict or incorrectly restricts access to - a resource from an unauthorized actor. - group: top10-broken-access-control - name: Java_Heuristic_Heuristic_DB_Parameter_Tampering - pretty_name: Heuristic DB Parameter Tampering - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Heuristic_Heuristic_Parameter_Tampering: - categories: - - checkmarx-heuristic - - owasp-top-10 - - cwe-472 - - boost-baseline - - ALL - description: The web application does not sufficiently verify inputs that are - assumed to be immutable but are actually externally controllable, such as hidden - form fields. 
- group: top10-insecure-design - name: Java_Heuristic_Heuristic_Parameter_Tampering - pretty_name: Heuristic Parameter Tampering - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Heuristic_Heuristic_SQL_Injection: - categories: - - checkmarx-heuristic - - cwe-89 - - owasp-top-10 - - boost-baseline - - ALL - - cwe-top-25 - description: The product constructs all or part of an SQL command using externally-influenced - input from an upstream component, but it does not neutralize or incorrectly - neutralizes special elements that could modify the intended SQL command when - it is sent to a downstream component. - group: top10-injection - name: Java_Heuristic_Heuristic_SQL_Injection - pretty_name: Heuristic SQL Injection - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Heuristic_Heuristic_Stored_XSS: - categories: - - checkmarx-heuristic - - cwe-79 - - owasp-top-10 - - boost-baseline - - ALL - - cwe-top-25 - description: The product does not neutralize or incorrectly neutralizes user-controllable - input before it is placed in output that is used as a web page that is served - to other users. - group: top10-injection - name: Java_Heuristic_Heuristic_Stored_XSS - pretty_name: Heuristic Stored XSS - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_High_Risk_Code_Injection: - categories: - - boost-hardened - - cwe-94 - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-high-risk - - cwe-top-25 - description: The product constructs all or part of a code segment using externally-influenced - input from an upstream component, but it does not neutralize or incorrectly - neutralizes special elements that could modify the syntax or behavior of the - intended code segment. 
- group: top10-injection - name: Java_High_Risk_Code_Injection - pretty_name: Code Injection - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_High_Risk_Command_Injection: - categories: - - boost-hardened - - cwe-77 - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-high-risk - - cwe-top-25 - description: The product constructs all or part of a command using externally-influenced - input from an upstream component, but it does not neutralize or incorrectly - neutralizes special elements that could modify the intended command when it - is sent to a downstream component. - group: top10-injection - name: Java_High_Risk_Command_Injection - pretty_name: Command Injection - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_High_Risk_Connection_String_Injection: - categories: - - boost-hardened - - owasp-top-10 - - cwe-99 - - boost-baseline - - ALL - - checkmarx-high-risk - description: The product receives input from an upstream component, but it does - not restrict or incorrectly restricts the input before it is used as an identifier - for a resource that may be outside the intended sphere of control. - group: top10-injection - name: Java_High_Risk_Connection_String_Injection - pretty_name: Connection String Injection - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_High_Risk_Deserialization_of_Untrusted_Data: - categories: - - boost-hardened - - boost-baseline - - owasp-top-10 - - cwe-502 - - ALL - - checkmarx-high-risk - - cwe-top-25 - description: The product deserializes untrusted data without sufficiently verifying - that the resulting data will be valid. 
- group: top10-software-data-integrity-failures - name: Java_High_Risk_Deserialization_of_Untrusted_Data - pretty_name: Deserialization of Untrusted Data - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_High_Risk_Deserialization_of_Untrusted_Data_in_JMS: - categories: - - boost-hardened - - boost-baseline - - owasp-top-10 - - cwe-502 - - ALL - - checkmarx-high-risk - - cwe-top-25 - description: The product deserializes untrusted data without sufficiently verifying - that the resulting data will be valid. - group: top10-software-data-integrity-failures - name: Java_High_Risk_Deserialization_of_Untrusted_Data_in_JMS - pretty_name: Deserialization of Untrusted Data in JMS - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_High_Risk_Expression_Language_Injection_EL: - categories: - - boost-hardened - - owasp-top-10 - - cwe-917 - - boost-baseline - - ALL - - checkmarx-high-risk - description: The product constructs all or part of an expression language (EL) - statement in a framework such as a Java Server Page (JSP) using externally-influenced - input from an upstream component, but it does not neutralize or incorrectly - neutralizes special elements that could modify the intended EL statement before - it is executed. 
- group: top10-injection - name: Java_High_Risk_Expression_Language_Injection_EL - pretty_name: Expression Language Injection EL - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_High_Risk_Expression_Language_Injection_MVEL: - categories: - - boost-hardened - - owasp-top-10 - - cwe-917 - - boost-baseline - - ALL - - checkmarx-high-risk - description: The product constructs all or part of an expression language (EL) - statement in a framework such as a Java Server Page (JSP) using externally-influenced - input from an upstream component, but it does not neutralize or incorrectly - neutralizes special elements that could modify the intended EL statement before - it is executed. - group: top10-injection - name: Java_High_Risk_Expression_Language_Injection_MVEL - pretty_name: Expression Language Injection MVEL - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_High_Risk_Expression_Language_Injection_OGNL: - categories: - - boost-hardened - - owasp-top-10 - - cwe-917 - - boost-baseline - - ALL - - checkmarx-high-risk - description: The product constructs all or part of an expression language (EL) - statement in a framework such as a Java Server Page (JSP) using externally-influenced - input from an upstream component, but it does not neutralize or incorrectly - neutralizes special elements that could modify the intended EL statement before - it is executed. 
- group: top10-injection - name: Java_High_Risk_Expression_Language_Injection_OGNL - pretty_name: Expression Language Injection OGNL - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_High_Risk_Expression_Language_Injection_SPEL: - categories: - - boost-hardened - - owasp-top-10 - - cwe-917 - - boost-baseline - - ALL - - checkmarx-high-risk - description: The product constructs all or part of an expression language (EL) - statement in a framework such as a Java Server Page (JSP) using externally-influenced - input from an upstream component, but it does not neutralize or incorrectly - neutralizes special elements that could modify the intended EL statement before - it is executed. - group: top10-injection - name: Java_High_Risk_Expression_Language_Injection_SPEL - pretty_name: Expression Language Injection SPEL - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_High_Risk_JSF_Local_File_Inclusion: - categories: - - boost-hardened - - cwe-98 - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-high-risk - description: The PHP application receives input from an upstream component, but - it does not restrict or incorrectly restricts the input before its usage in - "require," "include," or similar functions. 
- group: top10-injection - name: Java_High_Risk_JSF_Local_File_Inclusion - pretty_name: JSF Local File Inclusion - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_High_Risk_LDAP_Injection: - categories: - - boost-hardened - - cwe-90 - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-high-risk - description: The product constructs all or part of an LDAP query using externally-influenced - input from an upstream component, but it does not neutralize or incorrectly - neutralizes special elements that could modify the intended LDAP query when - it is sent to a downstream component. - group: top10-injection - name: Java_High_Risk_LDAP_Injection - pretty_name: LDAP Injection - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_High_Risk_Mongo_NoSQL_Injection: - categories: - - boost-hardened - - owasp-top-10 - - cwe-943 - - boost-baseline - - ALL - - checkmarx-high-risk - description: The product generates a query intended to access or manipulate data - in a data store such as a database, but it does not neutralize or incorrectly - neutralizes special elements that can modify the intended logic of the query. - group: top10-injection - name: Java_High_Risk_Mongo_NoSQL_Injection - pretty_name: Mongo NoSQL Injection - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_High_Risk_Reflected_XSS_All_Clients: - categories: - - boost-hardened - - cwe-79 - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-high-risk - - cwe-top-25 - description: The product does not neutralize or incorrectly neutralizes user-controllable - input before it is placed in output that is used as a web page that is served - to other users. 
- group: top10-injection - name: Java_High_Risk_Reflected_XSS_All_Clients - pretty_name: Reflected XSS All Clients - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_High_Risk_Resource_Injection: - categories: - - boost-hardened - - owasp-top-10 - - cwe-99 - - boost-baseline - - ALL - - checkmarx-high-risk - description: The product receives input from an upstream component, but it does - not restrict or incorrectly restricts the input before it is used as an identifier - for a resource that may be outside the intended sphere of control. - group: top10-injection - name: Java_High_Risk_Resource_Injection - pretty_name: Resource Injection - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_High_Risk_SQL_Injection: - categories: - - boost-hardened - - cwe-89 - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-high-risk - - cwe-top-25 - description: The product constructs all or part of an SQL command using externally-influenced - input from an upstream component, but it does not neutralize or incorrectly - neutralizes special elements that could modify the intended SQL command when - it is sent to a downstream component. - group: top10-injection - name: Java_High_Risk_SQL_Injection - pretty_name: SQL Injection - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_High_Risk_Second_Order_SQL_Injection: - categories: - - boost-hardened - - cwe-89 - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-high-risk - - cwe-top-25 - description: The product constructs all or part of an SQL command using externally-influenced - input from an upstream component, but it does not neutralize or incorrectly - neutralizes special elements that could modify the intended SQL command when - it is sent to a downstream component. 
- group: top10-injection - name: Java_High_Risk_Second_Order_SQL_Injection - pretty_name: Second Order SQL Injection - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_High_Risk_Stored_XSS: - categories: - - boost-hardened - - cwe-79 - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-high-risk - - cwe-top-25 - description: The product does not neutralize or incorrectly neutralizes user-controllable - input before it is placed in output that is used as a web page that is served - to other users. - group: top10-injection - name: Java_High_Risk_Stored_XSS - pretty_name: Stored XSS - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_High_Risk_Unsafe_JNDI_Lookup: - categories: - - boost-hardened - - owasp-top-10 - - cwe-20 - - boost-baseline - - ALL - - checkmarx-high-risk - - cwe-top-25 - description: The product receives input or data, but it does not validate or incorrectly - validates that the input has the properties that are required to process the - data safely and correctly. - group: top10-injection - name: Java_High_Risk_Unsafe_JNDI_Lookup - pretty_name: Unsafe JNDI Lookup - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_High_Risk_Unsafe_Reflection: - categories: - - boost-hardened - - cwe-470 - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-high-risk - description: The product uses external input with reflection to select which classes - or code to use, but it does not sufficiently prevent the input from selecting - improper classes or code. 
- group: top10-injection - name: Java_High_Risk_Unsafe_Reflection - pretty_name: Unsafe Reflection - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_High_Risk_XPath_Injection: - categories: - - boost-hardened - - cwe-643 - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-high-risk - description: The product uses external input to dynamically construct an XPath - expression used to retrieve data from an XML database, but it does not neutralize - or incorrectly neutralizes that input. This allows an attacker to control the - structure of the query. - group: top10-injection - name: Java_High_Risk_XPath_Injection - pretty_name: XPath Injection - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Low_Visibility_Authorization_Bypass_Through_User_Controlled_SQL_PrimaryKey: - categories: - - checkmarx-low-visibility - - owasp-top-10 - - cwe-566 - - boost-baseline - - ALL - description: The product uses a database table that includes records that should - not be accessible to an actor, but it executes a SQL statement with a primary - key that can be controlled by that actor. - group: top10-broken-access-control - name: Java_Low_Visibility_Authorization_Bypass_Through_User_Controlled_SQL_PrimaryKey - pretty_name: Authorization Bypass Through User Controlled SQL PrimaryKey - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Low_Visibility_Blind_SQL_Injections: - categories: - - checkmarx-low-visibility - - cwe-89 - - owasp-top-10 - - boost-baseline - - ALL - - cwe-top-25 - description: The product constructs all or part of an SQL command using externally-influenced - input from an upstream component, but it does not neutralize or incorrectly - neutralizes special elements that could modify the intended SQL command when - it is sent to a downstream component. 
- group: top10-injection - name: Java_Low_Visibility_Blind_SQL_Injections - pretty_name: Blind SQL Injections - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Low_Visibility_Channel_Accessible_by_NonEndpoint: - categories: - - checkmarx-low-visibility - - owasp-top-10 - - cwe-300 - - boost-baseline - - ALL - description: The product does not adequately verify the identity of actors at - both ends of a communication channel, or does not adequately ensure the integrity - of the channel, in a way that allows the channel to be accessed or influenced - by an actor that is not an endpoint. - group: top10-id-authn-failures - name: Java_Low_Visibility_Channel_Accessible_by_NonEndpoint - pretty_name: Channel Accessible by NonEndpoint - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Low_Visibility_Citrus_Developer_Mode_Enabled: - categories: - - boost-baseline - - ALL - - checkmarx-low-visibility - - owasp-top-10 - description: The Citrus Developer Mode, a testing tool for Java, has been enabled - in a production setting. This exposes sensitive information and debug data that - could be exploited. - group: top10-vulnerable-components - name: Java_Low_Visibility_Citrus_Developer_Mode_Enabled - pretty_name: Citrus Developer Mode Enabled - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Low_Visibility_Cleansing_Canonicalization_and_Comparison_Errors: - categories: - - cwe-171 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: Improper handling of data within protection mechanisms that attempt - to perform neutralization for untrusted data. 
- group: top10-injection - name: Java_Low_Visibility_Cleansing_Canonicalization_and_Comparison_Errors - pretty_name: Cleansing Canonicalization and Comparison Errors - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Low_Visibility_Collapse_of_Data_into_Unsafe_Value: - categories: - - checkmarx-low-visibility - - cwe-182 - - owasp-top-10 - - boost-baseline - - ALL - description: The product filters data in a way that causes it to be reduced or - "collapsed" into an unsafe value that violates an expected security property. - group: top10-injection - name: Java_Low_Visibility_Collapse_of_Data_into_Unsafe_Value - pretty_name: Collapse of Data into Unsafe Value - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Low_Visibility_Command_Argument_Injection: - categories: - - cwe-88 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: The product constructs a string for a command to be executed by a - separate component in another control sphere, but it does not properly delimit - the intended arguments, options, or switches within that command string. - group: top10-injection - name: Java_Low_Visibility_Command_Argument_Injection - pretty_name: Command Argument Injection - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Low_Visibility_Cookie_Overly_Broad_Path: - categories: - - cwe-539 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: The web application uses persistent cookies, but the cookies contain - sensitive information. 
- group: top10-insecure-design - name: Java_Low_Visibility_Cookie_Overly_Broad_Path - pretty_name: Cookie Overly Broad Path - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Low_Visibility_Creation_of_Temp_File_With_Insecure_Permissions: - categories: - - ALL - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - cwe-378 - description: Opening temporary files without appropriate measures or controls - can leave the file, its contents and any function that it impacts vulnerable - to attack. - group: top10-broken-access-control - name: Java_Low_Visibility_Creation_of_Temp_File_With_Insecure_Permissions - pretty_name: Creation of Temp File With Insecure Permissions - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Low_Visibility_Creation_of_Temp_File_in_Dir_with_Incorrect_Permissions: - categories: - - cwe-379 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: The product creates a temporary file in a directory whose permissions - allow unintended actors to determine the file's existence or otherwise access - that file. - group: top10-broken-access-control - name: Java_Low_Visibility_Creation_of_Temp_File_in_Dir_with_Incorrect_Permissions - pretty_name: Creation of Temp File in Dir with Incorrect Permissions - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Low_Visibility_Cross_Site_History_Manipulation: - categories: - - cwe-203 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: The product behaves differently or sends different responses under - different circumstances in a way that is observable to an unauthorized actor, - which exposes security-relevant information about the state of the product, - such as whether a particular operation was successful or not. 
- group: top10-software-data-integrity-failures - name: Java_Low_Visibility_Cross_Site_History_Manipulation - pretty_name: Cross Site History Manipulation - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Low_Visibility_DB_Control_of_System_or_Config_Setting: - categories: - - boost-baseline - - ALL - - checkmarx-low-visibility - - cwe-15 - description: One or more system settings or configuration elements can be externally - controlled by a user. - group: top10-security-misconfiguration - name: Java_Low_Visibility_DB_Control_of_System_or_Config_Setting - pretty_name: DB Control of System or Config Setting - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Low_Visibility_Data_Leak_Between_Sessions: - categories: - - checkmarx-low-visibility - - cwe-362 - - owasp-top-10 - - boost-baseline - - ALL - - cwe-top-25 - description: The product contains a code sequence that can run concurrently with - other code, and the code sequence requires temporary, exclusive access to a - shared resource, but a timing window exists in which the shared resource can - be modified by another code sequence that is operating concurrently. - group: top10-broken-access-control - name: Java_Low_Visibility_Data_Leak_Between_Sessions - pretty_name: Data Leak Between Sessions - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Low_Visibility_Divide_By_Zero: - categories: - - checkmarx-low-visibility - - owasp-top-10 - - cwe-369 - - boost-baseline - - ALL - description: The product divides a value by zero. 
- group: top10-insecure-design - name: Java_Low_Visibility_Divide_By_Zero - pretty_name: Divide By Zero - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Low_Visibility_ESAPI_Same_Password_Repeats_Twice: - categories: - - cwe-521 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: The product does not require that users should have strong passwords, - which makes it easier for attackers to compromise user accounts. - group: top10-id-authn-failures - name: Java_Low_Visibility_ESAPI_Same_Password_Repeats_Twice - pretty_name: ESAPI Same Password Repeats Twice - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Low_Visibility_Empty_Password_In_Connection_String: - categories: - - cwe-521 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: The product does not require that users should have strong passwords, - which makes it easier for attackers to compromise user accounts. - group: top10-id-authn-failures - name: Java_Low_Visibility_Empty_Password_In_Connection_String - pretty_name: Empty Password In Connection String - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Low_Visibility_Escape_False: - categories: - - cwe-116 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: The product prepares a structured message for communication with - another component, but encoding or escaping of the data is either missing or - done incorrectly. As a result, the intended structure of the message is not - preserved. 
- group: top10-injection - name: Java_Low_Visibility_Escape_False - pretty_name: Escape False - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Low_Visibility_Exposure_of_System_Data: - categories: - - checkmarx-low-visibility - - cwe-497 - - owasp-top-10 - - boost-baseline - - ALL - description: The product does not properly prevent sensitive system-level information - from being accessed by unauthorized actors who do not have the same level of - access to the underlying system as the product does. - group: top10-broken-access-control - name: Java_Low_Visibility_Exposure_of_System_Data - pretty_name: Exposure of System Data - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Low_Visibility_File_Permissions_World_Readable: - categories: - - cwe-732 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: The product specifies permissions for a security-critical resource - in a way that allows that resource to be read or modified by unintended actors. - group: top10-broken-access-control - name: Java_Low_Visibility_File_Permissions_World_Readable - pretty_name: File Permissions World Readable - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Low_Visibility_Heap_Inspection: - categories: - - cwe-244 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: Using realloc() to resize buffers that store sensitive information - can leave the sensitive information exposed to attack, because it is not removed - from memory. 
- group: top10-broken-access-control - name: Java_Low_Visibility_Heap_Inspection - pretty_name: Heap Inspection - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Low_Visibility_Improper_Build_Of_Sql_Mapping: - categories: - - checkmarx-low-visibility - - cwe-89 - - owasp-top-10 - - boost-baseline - - ALL - - cwe-top-25 - description: The product constructs all or part of an SQL command using externally-influenced - input from an upstream component, but it does not neutralize or incorrectly - neutralizes special elements that could modify the intended SQL command when - it is sent to a downstream component. - group: top10-injection - name: Java_Low_Visibility_Improper_Build_Of_Sql_Mapping - pretty_name: Improper Build Of Sql Mapping - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Low_Visibility_Improper_Exception_Handling: - categories: - - cwe-248 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: An exception is thrown from a function, but it is not caught. - group: top10-insecure-design - name: Java_Low_Visibility_Improper_Exception_Handling - pretty_name: Improper Exception Handling - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Low_Visibility_Improper_Resource_Access_Authorization: - categories: - - checkmarx-low-visibility - - owasp-top-10 - - cwe-285 - - boost-baseline - - ALL - description: The product does not perform or incorrectly performs an authorization - check when an actor attempts to access a resource or perform an action. 
- group: top10-broken-access-control - name: Java_Low_Visibility_Improper_Resource_Access_Authorization - pretty_name: Improper Resource Access Authorization - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Low_Visibility_Improper_Resource_Locking: - categories: - - cwe-413 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: The product does not lock or does not correctly lock a resource when - the product must have exclusive access to the resource. - group: top10-insecure-design - name: Java_Low_Visibility_Improper_Resource_Locking - pretty_name: Improper Resource Locking - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Low_Visibility_Improper_Resource_Shutdown_or_Release: - categories: - - cwe-404 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: The product does not release or incorrectly releases a resource before - it is made available for re-use. - group: top10-insecure-design - name: Java_Low_Visibility_Improper_Resource_Shutdown_or_Release - pretty_name: Improper Resource Shutdown or Release - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Low_Visibility_Improper_Session_Management: - categories: - - checkmarx-low-visibility - - owasp-top-10 - - cwe-201 - - boost-baseline - - ALL - description: The code transmits data to another actor, but a portion of the data - includes sensitive information that should not be accessible to that actor. 
- group: top10-broken-access-control - name: Java_Low_Visibility_Improper_Session_Management - pretty_name: Improper Session Management - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Low_Visibility_Improper_Transaction_Handling: - categories: - - cwe-460 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: The product does not clean up its state or incorrectly cleans up - its state when an exception is thrown, leading to unexpected state or control - flow. - group: top10-insecure-design - name: Java_Low_Visibility_Improper_Transaction_Handling - pretty_name: Improper Transaction Handling - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Low_Visibility_Incorrect_Permission_Assignment_For_Critical_Resources: - categories: - - cwe-732 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: The product specifies permissions for a security-critical resource - in a way that allows that resource to be read or modified by unintended actors. - group: top10-broken-access-control - name: Java_Low_Visibility_Incorrect_Permission_Assignment_For_Critical_Resources - pretty_name: Incorrect Permission Assignment For Critical Resources - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Low_Visibility_Information_Exposure_Through_Debug_Log: - categories: - - checkmarx-low-visibility - - owasp-top-10 - - cwe-534 - - boost-baseline - - ALL - description: This entry has been deprecated because its abstraction was too low-level. 
- See - group: top10-broken-access-control - name: Java_Low_Visibility_Information_Exposure_Through_Debug_Log - pretty_name: Information Exposure Through Debug Log - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Low_Visibility_Information_Exposure_Through_Query_String: - categories: - - checkmarx-low-visibility - - owasp-top-10 - - cwe-598 - - boost-baseline - - ALL - description: The web application uses the HTTP GET method to process a request - and includes sensitive information in the query string of that request. - group: top10-insecure-design - name: Java_Low_Visibility_Information_Exposure_Through_Query_String - pretty_name: Information Exposure Through Query String - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Low_Visibility_Information_Exposure_Through_Server_Log: - categories: - - ALL - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - cwe-533 - description: This entry has been deprecated because its abstraction was too low-level. - See - group: top10-broken-access-control - name: Java_Low_Visibility_Information_Exposure_Through_Server_Log - pretty_name: Information Exposure Through Server Log - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Low_Visibility_Information_Exposure_Through_an_Error_Message: - categories: - - cwe-209 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: The product generates an error message that includes sensitive information - about its environment, users, or associated data. 
- group: top10-insecure-design - name: Java_Low_Visibility_Information_Exposure_Through_an_Error_Message - pretty_name: Information Exposure Through an Error Message - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Low_Visibility_Information_Leak_Through_Comments: - categories: - - cwe-615 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: 'While adding general comments is very useful, some programmers tend - to leave important data, such as: filenames related to the web application, - old links or links which were not meant to be browsed by users, old code fragments, - etc.' - group: top10-broken-access-control - name: Java_Low_Visibility_Information_Leak_Through_Comments - pretty_name: Information Leak Through Comments - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Low_Visibility_Information_Leak_Through_Persistent_Cookies: - categories: - - cwe-539 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: The web application uses persistent cookies, but the cookies contain - sensitive information. - group: top10-insecure-design - name: Java_Low_Visibility_Information_Leak_Through_Persistent_Cookies - pretty_name: Information Leak Through Persistent Cookies - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Low_Visibility_Information_Leak_Through_Shell_Error_Message: - categories: - - cwe-535 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: A command shell error message indicates that there exists an unhandled - exception in the web application code. In many cases, an attacker can leverage - the conditions that cause these errors in order to gain unauthorized access - to the system. 
- group: top10-broken-access-control - name: Java_Low_Visibility_Information_Leak_Through_Shell_Error_Message - pretty_name: Information Leak Through Shell Error Message - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Low_Visibility_Insufficient_Session_Expiration: - categories: - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - - cwe-613 - description: According to WASC, "Insufficient Session Expiration is when a web - site permits an attacker to reuse old session credentials or session IDs for - authorization." - group: top10-id-authn-failures - name: Java_Low_Visibility_Insufficient_Session_Expiration - pretty_name: Insufficient Session Expiration - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Low_Visibility_Insufficiently_Protected_Credentials: - categories: - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - - cwe-522 - description: The product transmits or stores authentication credentials, but it - uses an insecure method that is susceptible to unauthorized interception and/or - retrieval. - group: top10-insecure-design - name: Java_Low_Visibility_Insufficiently_Protected_Credentials - pretty_name: Insufficiently Protected Credentials - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Low_Visibility_Integer_Overflow: - categories: - - cwe-190 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - - cwe-top-25 - description: The product performs a calculation that can produce an integer overflow - or wraparound, when the logic assumes that the resulting value will always be - larger than the original value. This can introduce other weaknesses when the - calculation is used for resource management or execution control. 
- group: top10-injection - name: Java_Low_Visibility_Integer_Overflow - pretty_name: Integer Overflow - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Low_Visibility_Integer_Underflow: - categories: - - cwe-191 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: The product subtracts one value from another, such that the result - is less than the minimum allowable integer value, which produces a value that - is not equal to the correct result. - group: top10-injection - name: Java_Low_Visibility_Integer_Underflow - pretty_name: Integer Underflow - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Low_Visibility_JWT_Excessive_Expiration_Time: - categories: - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - - cwe-613 - description: According to WASC, "Insufficient Session Expiration is when a web - site permits an attacker to reuse old session credentials or session IDs for - authorization." - group: top10-id-authn-failures - name: Java_Low_Visibility_JWT_Excessive_Expiration_Time - pretty_name: JWT Excessive Expiration Time - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Low_Visibility_JWT_Use_Of_None_Algorithm: - categories: - - cwe-287 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - - cwe-top-25 - description: When an actor claims to have a given identity, the product does not - prove or insufficiently proves that the claim is correct. 
- group: top10-id-authn-failures - name: Java_Low_Visibility_JWT_Use_Of_None_Algorithm - pretty_name: JWT Use Of None Algorithm - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Low_Visibility_Leaving_Temporary_File: - categories: - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - - cwe-376 - description: Related to the handling of files within a software system. - group: top10-broken-access-control - name: Java_Low_Visibility_Leaving_Temporary_File - pretty_name: Leaving Temporary File - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Low_Visibility_Log_Forging: - categories: - - boost-baseline - - ALL - - cwe-117 - - checkmarx-low-visibility - description: The product does not neutralize or incorrectly neutralizes output - that is written to logs. - group: top10-security-logging-monitoring-failures - name: Java_Low_Visibility_Log_Forging - pretty_name: Log Forging - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Low_Visibility_Logic_Time_Bomb: - categories: - - boost-baseline - - ALL - - checkmarx-low-visibility - - cwe-511 - description: The product contains code that is designed to disrupt the legitimate - operation of the product (or its environment) when a certain time passes, or - when a certain logical condition is met. - group: top10-security-logging-monitoring-failures - name: Java_Low_Visibility_Logic_Time_Bomb - pretty_name: Logic Time Bomb - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Low_Visibility_Missing_Content_Security_Policy: - categories: - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - - cwe-346 - description: The product does not properly verify that the source of data or communication - is valid. 
- group: top10-id-authn-failures - name: Java_Low_Visibility_Missing_Content_Security_Policy - pretty_name: Missing Content Security Policy - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Low_Visibility_Missing_Password_Field_Masking: - categories: - - checkmarx-low-visibility - - cwe-549 - - owasp-top-10 - - boost-baseline - - ALL - description: The product does not mask passwords during entry, increasing the - potential for attackers to observe and capture passwords. - group: top10-insecure-design - name: Java_Low_Visibility_Missing_Password_Field_Masking - pretty_name: Missing Password Field Masking - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Low_Visibility_Missing_X_Frame_Options: - categories: - - checkmarx-low-visibility - - owasp-top-10 - - cwe-1021 - - boost-baseline - - ALL - description: The web application does not restrict or incorrectly restricts frame - objects or UI layers that belong to another application or domain, which can - lead to user confusion about which interface the user is interacting with. - group: top10-insecure-design - name: Java_Low_Visibility_Missing_X_Frame_Options - pretty_name: Missing X Frame Options - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Low_Visibility_Not_Using_a_Random_IV_with_CBC_Mode: - categories: - - checkmarx-low-visibility - - owasp-top-10 - - cwe-329 - - boost-baseline - - ALL - description: The product generates and uses a predictable initialization Vector - (IV) with Cipher Block Chaining (CBC) Mode, which causes algorithms to be susceptible - to dictionary attacks when they are encrypted under the same key. 
- group: top10-crypto-failures - name: Java_Low_Visibility_Not_Using_a_Random_IV_with_CBC_Mode - pretty_name: Not Using a Random IV with CBC Mode - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Low_Visibility_Object_Hijack: - categories: - - checkmarx-low-visibility - - cwe-491 - - owasp-top-10 - - boost-baseline - - ALL - description: A class has a cloneable() method that is not declared final, which - allows an object to be created without calling the constructor. This can cause - the object to be in an unexpected state. - group: top10-injection - name: Java_Low_Visibility_Object_Hijack - pretty_name: Object Hijack - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Low_Visibility_Off_by_One_Error: - categories: - - cwe-193 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: A product calculates or uses an incorrect maximum or minimum value - that is 1 more, or 1 less, than the correct value. - group: top10-injection - name: Java_Low_Visibility_Off_by_One_Error - pretty_name: Off by One Error - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Low_Visibility_Open_Redirect: - categories: - - checkmarx-low-visibility - - cwe-601 - - owasp-top-10 - - boost-baseline - - ALL - description: A web application accepts a user-controlled input that specifies - a link to an external site, and uses that link in a Redirect. This simplifies - phishing attacks. 
- group: top10-broken-access-control - name: Java_Low_Visibility_Open_Redirect - pretty_name: Open Redirect - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Low_Visibility_Overly_Permissive_Cross_Origin_Resource_Sharing_Policy: - categories: - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - - cwe-346 - description: The product does not properly verify that the source of data or communication - is valid. - group: top10-id-authn-failures - name: Java_Low_Visibility_Overly_Permissive_Cross_Origin_Resource_Sharing_Policy - pretty_name: Overly Permissive Cross Origin Resource Sharing Policy - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Low_Visibility_Parse_Double_DoS: - categories: - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - - cwe-730 - description: Relates to avenues that can cause denial of serivce. - group: top10-insecure-design - name: Java_Low_Visibility_Parse_Double_DoS - pretty_name: Parse Double DoS - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Low_Visibility_Password_In_Comment: - categories: - - cwe-615 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: 'While adding general comments is very useful, some programmers tend - to leave important data, such as: filenames related to the web application, - old links or links which were not meant to be browsed by users, old code fragments, - etc.' 
- group: top10-id-authn-failures - name: Java_Low_Visibility_Password_In_Comment - pretty_name: Password In Comment - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Low_Visibility_Permissive_Content_Security_Policy: - categories: - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - - cwe-346 - description: The product does not properly verify that the source of data or communication - is valid. - group: top10-id-authn-failures - name: Java_Low_Visibility_Permissive_Content_Security_Policy - pretty_name: Permissive Content Security Policy - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Low_Visibility_Plaintext_Storage_in_a_Cookie: - categories: - - boost-baseline - - ALL - - checkmarx-low-visibility - - cwe-315 - description: The product stores sensitive information in cleartext in a cookie. - group: top10-security-misconfiguration - name: Java_Low_Visibility_Plaintext_Storage_in_a_Cookie - pretty_name: Plaintext Storage in a Cookie - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Low_Visibility_Portability_Flaw_Locale_Dependent_Comparison: - categories: - - cwe-474 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: The code uses a function that has inconsistent implementations across - operating systems and versions. 
- group: top10-insecure-design - name: Java_Low_Visibility_Portability_Flaw_Locale_Dependent_Comparison - pretty_name: Portability Flaw Locale Dependent Comparison - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Low_Visibility_Potential_ReDoS: - categories: - - checkmarx-low-visibility - - owasp-top-10 - - cwe-400 - - boost-baseline - - ALL - - cwe-top-25 - description: The product does not properly control the allocation and maintenance - of a limited resource, thereby enabling an actor to influence the amount of - resources consumed, eventually leading to the exhaustion of available resources. - group: top10-insecure-design - name: Java_Low_Visibility_Potential_ReDoS - pretty_name: Potential ReDoS - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Low_Visibility_Potential_ReDoS_By_Injection: - categories: - - checkmarx-low-visibility - - owasp-top-10 - - cwe-400 - - boost-baseline - - ALL - - cwe-top-25 - description: The product does not properly control the allocation and maintenance - of a limited resource, thereby enabling an actor to influence the amount of - resources consumed, eventually leading to the exhaustion of available resources. - group: top10-insecure-design - name: Java_Low_Visibility_Potential_ReDoS_By_Injection - pretty_name: Potential ReDoS By Injection - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Low_Visibility_Potential_ReDoS_In_Match: - categories: - - checkmarx-low-visibility - - owasp-top-10 - - cwe-400 - - boost-baseline - - ALL - - cwe-top-25 - description: The product does not properly control the allocation and maintenance - of a limited resource, thereby enabling an actor to influence the amount of - resources consumed, eventually leading to the exhaustion of available resources. 
- group: top10-insecure-design - name: Java_Low_Visibility_Potential_ReDoS_In_Match - pretty_name: Potential ReDoS In Match - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Low_Visibility_Potential_ReDoS_In_Replace: - categories: - - checkmarx-low-visibility - - owasp-top-10 - - cwe-400 - - boost-baseline - - ALL - - cwe-top-25 - description: The product does not properly control the allocation and maintenance - of a limited resource, thereby enabling an actor to influence the amount of - resources consumed, eventually leading to the exhaustion of available resources. - group: top10-insecure-design - name: Java_Low_Visibility_Potential_ReDoS_In_Replace - pretty_name: Potential ReDoS In Replace - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Low_Visibility_Potential_ReDoS_In_Static_Field: - categories: - - checkmarx-low-visibility - - owasp-top-10 - - cwe-400 - - boost-baseline - - ALL - - cwe-top-25 - description: The product does not properly control the allocation and maintenance - of a limited resource, thereby enabling an actor to influence the amount of - resources consumed, eventually leading to the exhaustion of available resources. - group: top10-insecure-design - name: Java_Low_Visibility_Potential_ReDoS_In_Static_Field - pretty_name: Potential ReDoS In Static Field - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Low_Visibility_Private_Array_Returned_From_A_Public_Method: - categories: - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - - cwe-495 - description: The product has a method that is declared public, but returns a reference - to a private data structure, which could then be modified in unexpected ways. 
- group: top10-insecure-design - name: Java_Low_Visibility_Private_Array_Returned_From_A_Public_Method - pretty_name: Private Array Returned From A Public Method - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Low_Visibility_Public_Data_Assigned_to_Private_Array: - categories: - - boost-baseline - - checkmarx-low-visibility - - owasp-top-10 - - cwe-496 - - ALL - description: Assigning public data to a private array is equivalent to giving - public access to the array. - group: top10-insecure-design - name: Java_Low_Visibility_Public_Data_Assigned_to_Private_Array - pretty_name: Public Data Assigned to Private Array - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Low_Visibility_Public_Static_Final_References_Mutable_Object: - categories: - - cwe-607 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: A public or protected static final field references a mutable object, - which allows the object to be changed by malicious code, or accidentally from - another package. - group: top10-insecure-design - name: Java_Low_Visibility_Public_Static_Final_References_Mutable_Object - pretty_name: Public Static Final References Mutable Object - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Low_Visibility_Race_Condition: - categories: - - checkmarx-low-visibility - - cwe-362 - - owasp-top-10 - - boost-baseline - - ALL - - cwe-top-25 - description: The product contains a code sequence that can run concurrently with - other code, and the code sequence requires temporary, exclusive access to a - shared resource, but a timing window exists in which the shared resource can - be modified by another code sequence that is operating concurrently. 
- group: top10-insecure-design - name: Java_Low_Visibility_Race_Condition - pretty_name: Race Condition - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Low_Visibility_Race_Condition_Format_Flaw: - categories: - - checkmarx-low-visibility - - cwe-362 - - owasp-top-10 - - boost-baseline - - ALL - - cwe-top-25 - description: The product contains a code sequence that can run concurrently with - other code, and the code sequence requires temporary, exclusive access to a - shared resource, but a timing window exists in which the shared resource can - be modified by another code sequence that is operating concurrently. - group: top10-insecure-design - name: Java_Low_Visibility_Race_Condition_Format_Flaw - pretty_name: Race Condition Format Flaw - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Low_Visibility_Reflected_Environment_Injection: - categories: - - boost-baseline - - ALL - - checkmarx-low-visibility - - cwe-15 - description: One or more system settings or configuration elements can be externally - controlled by a user. - group: top10-security-misconfiguration - name: Java_Low_Visibility_Reflected_Environment_Injection - pretty_name: Reflected Environment Injection - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Low_Visibility_Reliance_on_Cookies_in_a_Decision: - categories: - - cwe-784 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: The product uses a protection mechanism that relies on the existence - or values of a cookie, but it does not properly ensure that the cookie is valid - for the associated user. 
- group: top10-software-data-integrity-failures - name: Java_Low_Visibility_Reliance_on_Cookies_in_a_Decision - pretty_name: Reliance on Cookies in a Decision - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Low_Visibility_Reliance_on_DNS_Lookups_in_a_Decision: - categories: - - cwe-350 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: The product performs reverse DNS resolution on an IP address to obtain - the hostname and make a security decision, but it does not properly ensure that - the IP address is truly associated with the hostname. - group: top10-insecure-design - name: Java_Low_Visibility_Reliance_on_DNS_Lookups_in_a_Decision - pretty_name: Reliance on DNS Lookups in a Decision - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Low_Visibility_Reversible_One_Way_Hash: - categories: - - cwe-328 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: The product uses an algorithm that produces a digest (output value) - that does not meet security expectations for a hash function that allows an - adversary to reasonably determine the original input (preimage attack), find - another input that can produce the same hash (2nd preimage attack), or find - multiple inputs that evaluate to the same hash (birthday attack). 
- group: top10-crypto-failures - name: Java_Low_Visibility_Reversible_One_Way_Hash - pretty_name: Reversible One Way Hash - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Low_Visibility_Sensitive_Cookie_in_HTTPS_Session_Without_Secure_Attribute: - categories: - - boost-baseline - - cwe-614 - - checkmarx-low-visibility - - ALL - description: The Secure attribute for sensitive cookies in HTTPS sessions is not - set, which could cause the user agent to send those cookies in plaintext over - an HTTP session. - group: top10-security-misconfiguration - name: Java_Low_Visibility_Sensitive_Cookie_in_HTTPS_Session_Without_Secure_Attribute - pretty_name: Sensitive Cookie in HTTPS Session Without Secure Attribute - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Low_Visibility_Serializable_Class_Containing_Sensitive_Data: - categories: - - checkmarx-low-visibility - - owasp-top-10 - - cwe-499 - - boost-baseline - - ALL - description: The code contains a class with sensitive data, but the class does - not explicitly deny serialization. The data can be accessed by serializing the - class through another class. - group: top10-broken-access-control - name: Java_Low_Visibility_Serializable_Class_Containing_Sensitive_Data - pretty_name: Serializable Class Containing Sensitive Data - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Low_Visibility_Stored_Command_Argument_Injection: - categories: - - cwe-88 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: The product constructs a string for a command to be executed by a - separate component in another control sphere, but it does not properly delimit - the intended arguments, options, or switches within that command string. 
- group: top10-injection - name: Java_Low_Visibility_Stored_Command_Argument_Injection - pretty_name: Stored Command Argument Injection - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Low_Visibility_Stored_Environment_Injection: - categories: - - boost-baseline - - ALL - - checkmarx-low-visibility - - cwe-15 - description: One or more system settings or configuration elements can be externally - controlled by a user. - group: top10-security-misconfiguration - name: Java_Low_Visibility_Stored_Environment_Injection - pretty_name: Stored Environment Injection - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Low_Visibility_Stored_Log_Forging: - categories: - - boost-baseline - - ALL - - cwe-117 - - checkmarx-low-visibility - description: The product does not neutralize or incorrectly neutralizes output - that is written to logs. - group: top10-security-logging-monitoring-failures - name: Java_Low_Visibility_Stored_Log_Forging - pretty_name: Stored Log Forging - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Low_Visibility_Storing_Passwords_in_a_Recoverable_Format: - categories: - - checkmarx-low-visibility - - owasp-top-10 - - cwe-257 - - boost-baseline - - ALL - description: The storage of passwords in a recoverable format makes them subject - to password reuse attacks by malicious users. In fact, it should be noted that - recoverable encrypted passwords provide no significant benefit over plaintext - passwords since they are subject not only to reuse by malicious attackers but - also by malicious insiders. If a system administrator can recover a password - directly, or use a brute force search on the available information, the administrator - can use the password on other accounts. 
- group: top10-insecure-design - name: Java_Low_Visibility_Storing_Passwords_in_a_Recoverable_Format - pretty_name: Storing Passwords in a Recoverable Format - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Low_Visibility_Suspected_XSS: - categories: - - cwe-79 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - - cwe-top-25 - description: The product does not neutralize or incorrectly neutralizes user-controllable - input before it is placed in output that is used as a web page that is served - to other users. - group: top10-injection - name: Java_Low_Visibility_Suspected_XSS - pretty_name: Suspected XSS - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Low_Visibility_TOCTOU: - categories: - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - - cwe-367 - description: The product checks the state of a resource before using that resource, - but the resource's state can change between the check and the use in a way that - invalidates the results of the check. This can cause the product to perform - invalid actions when the resource is in an unexpected state. - group: top10-insecure-design - name: Java_Low_Visibility_TOCTOU - pretty_name: TOCTOU - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Low_Visibility_TruffleHog_HighEntropy_Strings: - categories: - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - - cwe-top-25 - - cwe-798 - description: The product contains hard-coded credentials, such as a password or - cryptographic key, which it uses for its own inbound authentication, outbound - communication to external components, or encryption of internal data. 
- group: top10-id-authn-failures - name: Java_Low_Visibility_TruffleHog_HighEntropy_Strings - pretty_name: TruffleHog HighEntropy Strings - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Low_Visibility_TruffleHog_Regex_Matches: - categories: - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - - cwe-top-25 - - cwe-798 - description: The product contains hard-coded credentials, such as a password or - cryptographic key, which it uses for its own inbound authentication, outbound - communication to external components, or encryption of internal data. - group: top10-id-authn-failures - name: Java_Low_Visibility_TruffleHog_Regex_Matches - pretty_name: TruffleHog Regex Matches - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Low_Visibility_Trust_Boundary_Violation_in_Session_Variables: - categories: - - cwe-501 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: The product mixes trusted and untrusted data in the same data structure - or structured message. - group: top10-insecure-design - name: Java_Low_Visibility_Trust_Boundary_Violation_in_Session_Variables - pretty_name: Trust Boundary Violation in Session Variables - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Low_Visibility_UTF7_XSS: - categories: - - cwe-79 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - - cwe-top-25 - description: The product does not neutralize or incorrectly neutralizes user-controllable - input before it is placed in output that is used as a web page that is served - to other users. 
- group: top10-injection - name: Java_Low_Visibility_UTF7_XSS - pretty_name: UTF7 XSS - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Low_Visibility_Uncaught_Exception: - categories: - - cwe-248 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: An exception is thrown from a function, but it is not caught. - group: top10-insecure-design - name: Java_Low_Visibility_Uncaught_Exception - pretty_name: Uncaught Exception - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Low_Visibility_Unchecked_Return_Value_to_NULL_Pointer_Dereference: - categories: - - checkmarx-low-visibility - - owasp-top-10 - - cwe-690 - - boost-baseline - - ALL - description: The product does not check for an error after calling a function - that can return with a NULL pointer if the function fails, which leads to a - resultant NULL pointer dereference. - group: top10-insecure-design - name: Java_Low_Visibility_Unchecked_Return_Value_to_NULL_Pointer_Dereference - pretty_name: Unchecked Return Value to NULL Pointer Dereference - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Low_Visibility_Uncontrolled_Format_String: - categories: - - cwe-134 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: The product uses a function that accepts a format string as an argument, - but the format string originates from an external source. 
- group: top10-injection - name: Java_Low_Visibility_Uncontrolled_Format_String - pretty_name: Uncontrolled Format String - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Low_Visibility_Uncontrolled_Memory_Allocation: - categories: - - cwe-789 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: The product allocates memory based on an untrusted, large size value, - but it does not ensure that the size is within expected limits, allowing arbitrary - amounts of memory to be allocated. - group: top10-injection - name: Java_Low_Visibility_Uncontrolled_Memory_Allocation - pretty_name: Uncontrolled Memory Allocation - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Low_Visibility_Unrestricted_File_Upload: - categories: - - cwe-434 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - - cwe-top-25 - description: The product allows the attacker to upload or transfer files of dangerous - types that can be automatically processed within the product's environment. - group: top10-insecure-design - name: Java_Low_Visibility_Unrestricted_File_Upload - pretty_name: Unrestricted File Upload - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Low_Visibility_Unsynchronized_Access_To_Shared_Data: - categories: - - cwe-567 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: The product does not properly synchronize shared data, such as static - variables across threads, which can lead to undefined behavior and unpredictable - data changes. 
- group: top10-insecure-design - name: Java_Low_Visibility_Unsynchronized_Access_To_Shared_Data - pretty_name: Unsynchronized Access To Shared Data - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Low_Visibility_Use_Of_Hardcoded_Password: - categories: - - ALL - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - cwe-259 - description: The product contains a hard-coded password, which it uses for its - own inbound authentication or for outbound communication to external components. - group: top10-id-authn-failures - name: Java_Low_Visibility_Use_Of_Hardcoded_Password - pretty_name: Use Of Hardcoded Password - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Low_Visibility_Use_Of_Hardcoded_Password_In_Config: - categories: - - boost-baseline - - ALL - - checkmarx-low-visibility - - cwe-260 - description: The product stores a password in a configuration file that might - be accessible to actors who do not know the password. - group: top10-security-misconfiguration - name: Java_Low_Visibility_Use_Of_Hardcoded_Password_In_Config - pretty_name: Use Of Hardcoded Password In Config - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Low_Visibility_Use_Of_getenv: - categories: - - checkmarx-low-visibility - - owasp-top-10 - - cwe-589 - - boost-baseline - - ALL - description: The product uses an API function that does not exist on all versions - of the target platform. This could cause portability problems or inconsistencies - that allow denial of service or other consequences. 
- group: top10-injection - name: Java_Low_Visibility_Use_Of_getenv - pretty_name: Use Of getenv - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Low_Visibility_Use_of_Broken_or_Risky_Cryptographic_Algorithm: - categories: - - cwe-327 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: The product uses a broken or risky cryptographic algorithm or protocol. - group: top10-crypto-failures - name: Java_Low_Visibility_Use_of_Broken_or_Risky_Cryptographic_Algorithm - pretty_name: Use of Broken or Risky Cryptographic Algorithm - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Low_Visibility_Use_of_Client_Side_Authentication: - categories: - - checkmarx-low-visibility - - owasp-top-10 - - cwe-603 - - boost-baseline - - ALL - description: A client/server product performs authentication within client code - but not in server code, allowing server-side authentication to be bypassed via - a modified client that omits the authentication check. - group: top10-id-authn-failures - name: Java_Low_Visibility_Use_of_Client_Side_Authentication - pretty_name: Use of Client Side Authentication - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Low_Visibility_Use_of_Hard_coded_Security_Constants: - categories: - - boost-baseline - - ALL - - cwe-547 - - checkmarx-low-visibility - description: The product uses hard-coded constants instead of symbolic names for - security-critical values, which increases the likelihood of mistakes during - code maintenance or security policy change. 
- group: top10-security-misconfiguration - name: Java_Low_Visibility_Use_of_Hard_coded_Security_Constants - pretty_name: Use of Hard coded Security Constants - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Low_Visibility_Use_of_Non_Cryptographic_Random: - categories: - - cwe-330 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: The product uses insufficiently random numbers or values in a security - context that depends on unpredictable numbers. - group: top10-crypto-failures - name: Java_Low_Visibility_Use_of_Non_Cryptographic_Random - pretty_name: Use of Non Cryptographic Random - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Low_Visibility_Use_of_RSA_Algorithm_without_OAEP: - categories: - - ALL - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - cwe-780 - description: The product uses the RSA algorithm but does not incorporate Optimal - Asymmetric Encryption Padding (OAEP), which might weaken the encryption. - group: top10-crypto-failures - name: Java_Low_Visibility_Use_of_RSA_Algorithm_without_OAEP - pretty_name: Use of RSA Algorithm without OAEP - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Low_Visibility_Using_Referer_Field_for_Authentication: - categories: - - cwe-293 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: The referer field in HTTP requests can be easily modified and, as - such, is not a valid means of message integrity checking. 
- group: top10-id-authn-failures - name: Java_Low_Visibility_Using_Referer_Field_for_Authentication - pretty_name: Using Referer Field for Authentication - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Medium_Threat_Absolute_Path_Traversal: - categories: - - checkmarx-medium-threat - - owasp-top-10 - - cwe-36 - - boost-baseline - - ALL - description: The product uses external input to construct a pathname that should - be within a restricted directory, but it does not properly neutralize absolute - path sequences such as "/abs/path" that can resolve to a location that is outside - of that directory. - group: top10-broken-access-control - name: Java_Medium_Threat_Absolute_Path_Traversal - pretty_name: Absolute Path Traversal - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Medium_Threat_CGI_Reflected_XSS_All_Clients: - categories: - - checkmarx-medium-threat - - cwe-79 - - owasp-top-10 - - boost-baseline - - ALL - - cwe-top-25 - description: The product does not neutralize or incorrectly neutralizes user-controllable - input before it is placed in output that is used as a web page that is served - to other users. - group: top10-injection - name: Java_Medium_Threat_CGI_Reflected_XSS_All_Clients - pretty_name: CGI Reflected XSS All Clients - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Medium_Threat_CGI_Stored_XSS: - categories: - - checkmarx-medium-threat - - cwe-79 - - owasp-top-10 - - boost-baseline - - ALL - - cwe-top-25 - description: The product does not neutralize or incorrectly neutralizes user-controllable - input before it is placed in output that is used as a web page that is served - to other users. 
- group: top10-injection - name: Java_Medium_Threat_CGI_Stored_XSS - pretty_name: CGI Stored XSS - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Medium_Threat_CSRF: - categories: - - checkmarx-medium-threat - - cwe-352 - - owasp-top-10 - - boost-baseline - - ALL - - cwe-top-25 - description: The web application does not, or can not, sufficiently verify whether - a well-formed, valid, consistent request was intentionally provided by the user - who submitted the request. - group: top10-injection - name: Java_Medium_Threat_CSRF - pretty_name: CSRF - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Medium_Threat_Cleartext_Submission_of_Sensitive_Information: - categories: - - checkmarx-medium-threat - - owasp-top-10 - - cwe-319 - - boost-baseline - - ALL - description: The product transmits sensitive or security-critical data in cleartext - in a communication channel that can be sniffed by unauthorized actors. - group: top10-broken-access-control - name: Java_Medium_Threat_Cleartext_Submission_of_Sensitive_Information - pretty_name: Cleartext Submission of Sensitive Information - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Medium_Threat_Client_State_Saving_Method_JSF: - categories: - - checkmarx-medium-threat - - cwe-254 - - owasp-top-10 - - boost-baseline - - ALL - description: The product is saving client state in JavaServer Faces (JSF), potentially - exposing sensitive data that can be tampered with or extracted by an attacker - through the client. 
- group: top10-insecure-design - name: Java_Medium_Threat_Client_State_Saving_Method_JSF - pretty_name: Client State Saving Method JSF - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Medium_Threat_DB_Parameter_Tampering: - categories: - - checkmarx-medium-threat - - owasp-top-10 - - cwe-284 - - boost-baseline - - ALL - description: The product does not restrict or incorrectly restricts access to - a resource from an unauthorized actor. - group: top10-broken-access-control - name: Java_Medium_Threat_DB_Parameter_Tampering - pretty_name: DB Parameter Tampering - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Medium_Threat_Dangerous_File_Inclusion: - categories: - - checkmarx-medium-threat - - owasp-top-10 - - cwe-829 - - boost-baseline - - ALL - description: The product imports, requires, or includes executable functionality - (such as a library) from a source that is outside of the intended control sphere. - group: top10-software-data-integrity-failures - name: Java_Medium_Threat_Dangerous_File_Inclusion - pretty_name: Dangerous File Inclusion - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Medium_Threat_Direct_Use_of_Unsafe_JNI: - categories: - - checkmarx-medium-threat - - owasp-top-10 - - boost-baseline - - ALL - - cwe-111 - description: When a Java application uses the Java Native Interface (JNI) to call - code written in another programming language, it can expose the application - to weaknesses in that code, even if those weaknesses cannot occur in Java. 
- group: top10-injection - name: Java_Medium_Threat_Direct_Use_of_Unsafe_JNI - pretty_name: Direct Use of Unsafe JNI - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Medium_Threat_DoS_by_Sleep: - categories: - - checkmarx-medium-threat - - owasp-top-10 - - boost-baseline - - ALL - description: The product performs an iteration or loop without sufficiently limiting - the number of times that the loop is executed. - group: top10-insecure-design - name: Java_Medium_Threat_DoS_by_Sleep - pretty_name: DoS by Sleep - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Medium_Threat_Download_of_Code_Without_Integrity_Check: - categories: - - checkmarx-medium-threat - - cwe-494 - - owasp-top-10 - - boost-baseline - - ALL - description: The product downloads source code or an executable from a remote - location and executes the code without sufficiently verifying the origin and - integrity of the code. - group: top10-software-data-integrity-failures - name: Java_Medium_Threat_Download_of_Code_Without_Integrity_Check - pretty_name: Download of Code Without Integrity Check - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Medium_Threat_Excessive_Data_Exposure: - categories: - - checkmarx-medium-threat - - owasp-top-10 - - cwe-201 - - boost-baseline - - ALL - description: The code transmits data to another actor, but a portion of the data - includes sensitive information that should not be accessible to that actor. 
- group: top10-broken-access-control - name: Java_Medium_Threat_Excessive_Data_Exposure - pretty_name: Excessive Data Exposure - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Medium_Threat_External_Control_of_Critical_State_Data: - categories: - - checkmarx-medium-threat - - owasp-top-10 - - boost-baseline - - ALL - - cwe-642 - description: The product stores security-critical state information about its - users, or the product itself, in a location that is accessible to unauthorized - actors. - group: top10-insecure-design - name: Java_Medium_Threat_External_Control_of_Critical_State_Data - pretty_name: External Control of Critical State Data - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Medium_Threat_External_Control_of_System_or_Config_Setting: - categories: - - boost-baseline - - ALL - - checkmarx-medium-threat - - cwe-15 - description: One or more system settings or configuration elements can be externally - controlled by a user. - group: top10-security-misconfiguration - name: Java_Medium_Threat_External_Control_of_System_or_Config_Setting - pretty_name: External Control of System or Config Setting - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Medium_Threat_Frameable_Login_Page: - categories: - - checkmarx-medium-threat - - owasp-top-10 - - cwe-829 - - boost-baseline - - ALL - description: The product imports, requires, or includes executable functionality - (such as a library) from a source that is outside of the intended control sphere. 
- group: top10-software-data-integrity-failures - name: Java_Medium_Threat_Frameable_Login_Page - pretty_name: Frameable Login Page - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Medium_Threat_HTTP_Response_Splitting: - categories: - - checkmarx-medium-threat - - cwe-113 - - owasp-top-10 - - boost-baseline - - ALL - description: The product receives data from an HTTP agent/component (e.g., web - server, proxy, browser, etc.), but it does not neutralize or incorrectly neutralizes - CR and LF characters before the data is included in outgoing HTTP headers. - group: top10-injection - name: Java_Medium_Threat_HTTP_Response_Splitting - pretty_name: HTTP Response Splitting - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Medium_Threat_Hardcoded_password_in_Connection_String: - categories: - - boost-baseline - - ALL - - cwe-547 - - checkmarx-medium-threat - description: The product uses hard-coded constants instead of symbolic names for - security-critical values, which increases the likelihood of mistakes during - code maintenance or security policy change. - group: top10-security-misconfiguration - name: Java_Medium_Threat_Hardcoded_password_in_Connection_String - pretty_name: Hardcoded password in Connection String - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Medium_Threat_HttpOnlyCookies: - categories: - - cwe-1004 - - ALL - - boost-baseline - - checkmarx-medium-threat - description: The product uses a cookie to store sensitive information, but the - cookie is not marked with the HttpOnly flag. 
- group: top10-security-misconfiguration - name: Java_Medium_Threat_HttpOnlyCookies - pretty_name: HttpOnlyCookies - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Medium_Threat_HttpOnlyCookies_In_Config: - categories: - - cwe-1004 - - ALL - - boost-baseline - - checkmarx-medium-threat - description: The product uses a cookie to store sensitive information, but the - cookie is not marked with the HttpOnly flag. - group: top10-security-misconfiguration - name: Java_Medium_Threat_HttpOnlyCookies_In_Config - pretty_name: HttpOnlyCookies In Config - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Medium_Threat_Improper_Locking: - categories: - - checkmarx-medium-threat - - cwe-667 - - owasp-top-10 - - boost-baseline - - ALL - description: The product does not properly acquire or release a lock on a resource, - leading to unexpected resource state changes and behaviors. - group: top10-insecure-design - name: Java_Medium_Threat_Improper_Locking - pretty_name: Improper Locking - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Medium_Threat_Improper_Restriction_of_Stored_XXE_Ref: - categories: - - checkmarx-medium-threat - - cwe-611 - - boost-baseline - - ALL - - cwe-top-25 - description: The product processes an XML document that can contain XML entities - with URIs that resolve to documents outside of the intended sphere of control, - causing the product to embed incorrect documents into its output. 
- group: top10-security-misconfiguration - name: Java_Medium_Threat_Improper_Restriction_of_Stored_XXE_Ref - pretty_name: Improper Restriction of Stored XXE Ref - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Medium_Threat_Improper_Restriction_of_XXE_Ref: - categories: - - checkmarx-medium-threat - - cwe-611 - - boost-baseline - - ALL - - cwe-top-25 - description: The product processes an XML document that can contain XML entities - with URIs that resolve to documents outside of the intended sphere of control, - causing the product to embed incorrect documents into its output. - group: top10-security-misconfiguration - name: Java_Medium_Threat_Improper_Restriction_of_XXE_Ref - pretty_name: Improper Restriction of XXE Ref - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Medium_Threat_Inadequate_Encryption_Strength: - categories: - - ALL - - checkmarx-medium-threat - - owasp-top-10 - - boost-baseline - - cwe-326 - description: The product stores or transmits sensitive data using an encryption - scheme that is theoretically sound, but is not strong enough for the level of - protection required. - group: top10-crypto-failures - name: Java_Medium_Threat_Inadequate_Encryption_Strength - pretty_name: Inadequate Encryption Strength - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Medium_Threat_Input_Path_Not_Canonicalized: - categories: - - checkmarx-medium-threat - - cwe-73 - - owasp-top-10 - - boost-baseline - - ALL - description: The product allows user input to control or influence paths or file - names that are used in filesystem operations. 
- group: top10-insecure-design - name: Java_Medium_Threat_Input_Path_Not_Canonicalized - pretty_name: Input Path Not Canonicalized - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Medium_Threat_JSF_CSRF: - categories: - - checkmarx-medium-threat - - cwe-352 - - owasp-top-10 - - boost-baseline - - ALL - - cwe-top-25 - description: The web application does not, or can not, sufficiently verify whether - a well-formed, valid, consistent request was intentionally provided by the user - who submitted the request. - group: top10-injection - name: Java_Medium_Threat_JSF_CSRF - pretty_name: JSF CSRF - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Medium_Threat_JSF_Managed_Bean_PII_Leak: - categories: - - checkmarx-medium-threat - - owasp-top-10 - - boost-baseline - - ALL - - cwe-359 - description: The product does not properly prevent a person's private, personal - information from being accessed by actors who either (1) are not explicitly - authorized to access the information or (2) do not have the implicit consent - of the person about whom the information is collected. - group: top10-broken-access-control - name: Java_Medium_Threat_JSF_Managed_Bean_PII_Leak - pretty_name: JSF Managed Bean PII Leak - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Medium_Threat_JWT_Lack_Of_Expiration_Time: - categories: - - checkmarx-medium-threat - - owasp-top-10 - - boost-baseline - - ALL - - cwe-613 - description: According to WASC, "Insufficient Session Expiration is when a web - site permits an attacker to reuse old session credentials or session IDs for - authorization." 
- group: top10-id-authn-failures - name: Java_Medium_Threat_JWT_Lack_Of_Expiration_Time - pretty_name: JWT Lack Of Expiration Time - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Medium_Threat_JWT_No_Signature_Verification: - categories: - - checkmarx-medium-threat - - cwe-287 - - owasp-top-10 - - boost-baseline - - ALL - - cwe-top-25 - description: When an actor claims to have a given identity, the product does not - prove or insufficiently proves that the claim is correct. - group: top10-id-authn-failures - name: Java_Medium_Threat_JWT_No_Signature_Verification - pretty_name: JWT No Signature Verification - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Medium_Threat_JWT_Sensitive_Information_Exposure: - categories: - - checkmarx-medium-threat - - owasp-top-10 - - cwe-201 - - boost-baseline - - ALL - description: The code transmits data to another actor, but a portion of the data - includes sensitive information that should not be accessible to that actor. - group: top10-broken-access-control - name: Java_Medium_Threat_JWT_Sensitive_Information_Exposure - pretty_name: JWT Sensitive Information Exposure - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Medium_Threat_JWT_Use_Of_Hardcoded_Secret: - categories: - - checkmarx-medium-threat - - owasp-top-10 - - boost-baseline - - ALL - - cwe-top-25 - - cwe-798 - description: The product contains hard-coded credentials, such as a password or - cryptographic key, which it uses for its own inbound authentication, outbound - communication to external components, or encryption of internal data. 
- group: top10-id-authn-failures - name: Java_Medium_Threat_JWT_Use_Of_Hardcoded_Secret - pretty_name: JWT Use Of Hardcoded Secret - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Medium_Threat_Misconfigured_Deserialization_Filter: - categories: - - boost-baseline - - ALL - - checkmarx-medium-threat - - owasp-top-10 - description: A Java deserialization filter is misconfigured, thereby increasing - the risk of untrusted input being deserialized, which can potentially lead to - arbitrary code execution. - group: top10-security-misconfiguration - name: Java_Medium_Threat_Misconfigured_Deserialization_Filter - pretty_name: Misconfigured Deserialization Filter - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Medium_Threat_Missing_HSTS_Header: - categories: - - checkmarx-medium-threat - - owasp-top-10 - - boost-baseline - - ALL - - cwe-346 - description: The product does not properly verify that the source of data or communication - is valid. - group: top10-id-authn-failures - name: Java_Medium_Threat_Missing_HSTS_Header - pretty_name: Missing HSTS Header - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Medium_Threat_Multiple_Binds_to_the_Same_Port: - categories: - - checkmarx-medium-threat - - owasp-top-10 - - boost-baseline - - ALL - - cwe-605 - description: When multiple sockets are allowed to bind to the same port, other - services on that port may be stolen or spoofed. 
- group: top10-insecure-design - name: Java_Medium_Threat_Multiple_Binds_to_the_Same_Port - pretty_name: Multiple Binds to the Same Port - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Medium_Threat_Parameter_Tampering: - categories: - - checkmarx-medium-threat - - owasp-top-10 - - cwe-472 - - boost-baseline - - ALL - description: The web application does not sufficiently verify inputs that are - assumed to be immutable but are actually externally controllable, such as hidden - form fields. - group: top10-insecure-design - name: Java_Medium_Threat_Parameter_Tampering - pretty_name: Parameter Tampering - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Medium_Threat_Plaintext_Storage_of_a_Password: - categories: - - cwe-256 - - checkmarx-medium-threat - - owasp-top-10 - - boost-baseline - - ALL - description: Storing a password in plaintext may result in a system compromise. - group: top10-insecure-design - name: Java_Medium_Threat_Plaintext_Storage_of_a_Password - pretty_name: Plaintext Storage of a Password - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Medium_Threat_Privacy_Violation: - categories: - - checkmarx-medium-threat - - owasp-top-10 - - boost-baseline - - ALL - - cwe-359 - description: The product does not properly prevent a person's private, personal - information from being accessed by actors who either (1) are not explicitly - authorized to access the information or (2) do not have the implicit consent - of the person about whom the information is collected. 
- group: top10-broken-access-control - name: Java_Medium_Threat_Privacy_Violation - pretty_name: Privacy Violation - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Medium_Threat_Process_Control: - categories: - - checkmarx-medium-threat - - owasp-top-10 - - cwe-114 - - boost-baseline - - ALL - description: Executing commands or loading libraries from an untrusted source - or in an untrusted environment can cause an application to execute malicious - commands (and payloads) on behalf of an attacker. - group: top10-injection - name: Java_Medium_Threat_Process_Control - pretty_name: Process Control - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Medium_Threat_ReDoS_From_Regex_Injection: - categories: - - checkmarx-medium-threat - - owasp-top-10 - - cwe-400 - - boost-baseline - - ALL - - cwe-top-25 - description: The product does not properly control the allocation and maintenance - of a limited resource, thereby enabling an actor to influence the amount of - resources consumed, eventually leading to the exhaustion of available resources. - group: top10-insecure-design - name: Java_Medium_Threat_ReDoS_From_Regex_Injection - pretty_name: ReDoS From Regex Injection - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Medium_Threat_ReDoS_In_Match: - categories: - - checkmarx-medium-threat - - owasp-top-10 - - cwe-400 - - boost-baseline - - ALL - - cwe-top-25 - description: The product does not properly control the allocation and maintenance - of a limited resource, thereby enabling an actor to influence the amount of - resources consumed, eventually leading to the exhaustion of available resources. 
- group: top10-insecure-design - name: Java_Medium_Threat_ReDoS_In_Match - pretty_name: ReDoS In Match - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Medium_Threat_ReDoS_In_Pattern: - categories: - - checkmarx-medium-threat - - owasp-top-10 - - cwe-400 - - boost-baseline - - ALL - - cwe-top-25 - description: The product does not properly control the allocation and maintenance - of a limited resource, thereby enabling an actor to influence the amount of - resources consumed, eventually leading to the exhaustion of available resources. - group: top10-insecure-design - name: Java_Medium_Threat_ReDoS_In_Pattern - pretty_name: ReDoS In Pattern - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Medium_Threat_ReDoS_In_Replace: - categories: - - checkmarx-medium-threat - - owasp-top-10 - - cwe-400 - - boost-baseline - - ALL - - cwe-top-25 - description: The product does not properly control the allocation and maintenance - of a limited resource, thereby enabling an actor to influence the amount of - resources consumed, eventually leading to the exhaustion of available resources. - group: top10-insecure-design - name: Java_Medium_Threat_ReDoS_In_Replace - pretty_name: ReDoS In Replace - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Medium_Threat_Relative_Path_Traversal: - categories: - - checkmarx-medium-threat - - cwe-23 - - owasp-top-10 - - boost-baseline - - ALL - description: The product uses external input to construct a pathname that should - be within a restricted directory, but it does not properly neutralize sequences - such as ".." that can resolve to a location that is outside of that directory. 
- group: top10-broken-access-control - name: Java_Medium_Threat_Relative_Path_Traversal - pretty_name: Relative Path Traversal - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Medium_Threat_Reliance_on_Cookies_without_Validation: - categories: - - checkmarx-medium-threat - - cwe-565 - - owasp-top-10 - - boost-baseline - - ALL - description: The product relies on the existence or values of cookies when performing - security-critical operations, but it does not properly ensure that the setting - is valid for the associated user. - group: top10-software-data-integrity-failures - name: Java_Medium_Threat_Reliance_on_Cookies_without_Validation - pretty_name: Reliance on Cookies without Validation - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Medium_Threat_SQL_Injection_Evasion_Attack: - categories: - - checkmarx-medium-threat - - cwe-89 - - owasp-top-10 - - boost-baseline - - ALL - - cwe-top-25 - description: The product constructs all or part of an SQL command using externally-influenced - input from an upstream component, but it does not neutralize or incorrectly - neutralizes special elements that could modify the intended SQL command when - it is sent to a downstream component. - group: top10-injection - name: Java_Medium_Threat_SQL_Injection_Evasion_Attack - pretty_name: SQL Injection Evasion Attack - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Medium_Threat_SSL_Verification_Bypass: - categories: - - checkmarx-medium-threat - - cwe-599 - - owasp-top-10 - - boost-baseline - - ALL - description: The product uses OpenSSL and trusts or uses a certificate without - using the SSL_get_verify_result() function to ensure that the certificate satisfies - all necessary security requirements. 
- group: top10-software-data-integrity-failures - name: Java_Medium_Threat_SSL_Verification_Bypass - pretty_name: SSL Verification Bypass - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Medium_Threat_SSRF: - categories: - - checkmarx-medium-threat - - cwe-918 - - owasp-top-10 - - boost-baseline - - ALL - - cwe-top-25 - description: The web server receives a URL or similar request from an upstream - component and retrieves the contents of this URL, but it does not sufficiently - ensure that the request is being sent to the expected destination. - group: top10-server-side-request-forgery - name: Java_Medium_Threat_SSRF - pretty_name: SSRF - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Medium_Threat_Same_Seed_in_PRNG: - categories: - - boost-baseline - - checkmarx-medium-threat - - owasp-top-10 - - cwe-336 - - ALL - description: A Pseudo-Random Number Generator (PRNG) uses the same seed each time - the product is initialized. - group: top10-crypto-failures - name: Java_Medium_Threat_Same_Seed_in_PRNG - pretty_name: Same Seed in PRNG - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Medium_Threat_Session_Fixation: - categories: - - checkmarx-medium-threat - - owasp-top-10 - - boost-baseline - - ALL - - cwe-384 - description: Authenticating a user, or otherwise establishing a new user session, - without invalidating any existing session identifier gives an attacker the opportunity - to steal authenticated sessions. 
- group: top10-id-authn-failures - name: Java_Medium_Threat_Session_Fixation - pretty_name: Session Fixation - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Medium_Threat_Stored_Absolute_Path_Traversal: - categories: - - checkmarx-medium-threat - - owasp-top-10 - - cwe-36 - - boost-baseline - - ALL - description: The product uses external input to construct a pathname that should - be within a restricted directory, but it does not properly neutralize absolute - path sequences such as "/abs/path" that can resolve to a location that is outside - of that directory. - group: top10-broken-access-control - name: Java_Medium_Threat_Stored_Absolute_Path_Traversal - pretty_name: Stored Absolute Path Traversal - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Medium_Threat_Stored_Command_Injection: - categories: - - cwe-77 - - checkmarx-medium-threat - - owasp-top-10 - - boost-baseline - - ALL - - cwe-top-25 - description: The product constructs all or part of a command using externally-influenced - input from an upstream component, but it does not neutralize or incorrectly - neutralizes special elements that could modify the intended command when it - is sent to a downstream component. - group: top10-injection - name: Java_Medium_Threat_Stored_Command_Injection - pretty_name: Stored Command Injection - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Medium_Threat_Stored_LDAP_Injection: - categories: - - checkmarx-medium-threat - - cwe-90 - - owasp-top-10 - - boost-baseline - - ALL - description: The product constructs all or part of an LDAP query using externally-influenced - input from an upstream component, but it does not neutralize or incorrectly - neutralizes special elements that could modify the intended LDAP query when - it is sent to a downstream component. 
- group: top10-injection - name: Java_Medium_Threat_Stored_LDAP_Injection - pretty_name: Stored LDAP Injection - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Medium_Threat_Stored_Relative_Path_Traversal: - categories: - - checkmarx-medium-threat - - cwe-23 - - owasp-top-10 - - boost-baseline - - ALL - description: The product uses external input to construct a pathname that should - be within a restricted directory, but it does not properly neutralize sequences - such as ".." that can resolve to a location that is outside of that directory. - group: top10-broken-access-control - name: Java_Medium_Threat_Stored_Relative_Path_Traversal - pretty_name: Stored Relative Path Traversal - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Medium_Threat_Unchecked_Input_for_Loop_Condition: - categories: - - checkmarx-medium-threat - - owasp-top-10 - - cwe-606 - - boost-baseline - - ALL - description: The product does not properly check inputs that are used for loop - conditions, potentially leading to a denial of service or other consequences - because of excessive looping. - group: top10-insecure-design - name: Java_Medium_Threat_Unchecked_Input_for_Loop_Condition - pretty_name: Unchecked Input for Loop Condition - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Medium_Threat_Unnormalize_Input_String: - categories: - - checkmarx-medium-threat - - owasp-top-10 - - cwe-20 - - boost-baseline - - ALL - - cwe-top-25 - description: The product receives input or data, but it does not validate or incorrectly - validates that the input has the properties that are required to process the - data safely and correctly. 
- group: top10-injection - name: Java_Medium_Threat_Unnormalize_Input_String - pretty_name: Unnormalize Input String - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Medium_Threat_Unsafe_Object_Binding: - categories: - - checkmarx-medium-threat - - owasp-top-10 - - cwe-915 - - boost-baseline - - ALL - description: The product receives input from an upstream component that specifies - multiple attributes, properties, or fields that are to be initialized or updated - in an object, but it does not properly control which attributes can be modified. - group: top10-software-data-integrity-failures - name: Java_Medium_Threat_Unsafe_Object_Binding - pretty_name: Unsafe Object Binding - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Medium_Threat_Unvalidated_Forwards: - categories: - - checkmarx-medium-threat - - cwe-819 - - owasp-top-10 - - boost-baseline - - ALL - description: Relates to using redirects and forwards that have not been validated. - group: top10-injection - name: Java_Medium_Threat_Unvalidated_Forwards - pretty_name: Unvalidated Forwards - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Medium_Threat_Unvalidated_SSL_Certificate_Hostname: - categories: - - cwe-297 - - checkmarx-medium-threat - - owasp-top-10 - - boost-baseline - - ALL - description: The product communicates with a host that provides a certificate, - but the product does not properly ensure that the certificate is actually associated - with that host. 
- group: top10-id-authn-failures - name: Java_Medium_Threat_Unvalidated_SSL_Certificate_Hostname - pretty_name: Unvalidated SSL Certificate Hostname - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Medium_Threat_Use_of_Cryptographically_Weak_PRNG: - categories: - - checkmarx-medium-threat - - cwe-338 - - owasp-top-10 - - boost-baseline - - ALL - description: The product uses a Pseudo-Random Number Generator (PRNG) in a security - context, but the PRNG's algorithm is not cryptographically strong. - group: top10-crypto-failures - name: Java_Medium_Threat_Use_of_Cryptographically_Weak_PRNG - pretty_name: Use of Cryptographically Weak PRNG - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Medium_Threat_Use_of_Hard_coded_Cryptographic_Key: - categories: - - cwe-321 - - checkmarx-medium-threat - - owasp-top-10 - - boost-baseline - - ALL - description: The use of a hard-coded cryptographic key significantly increases - the possibility that encrypted data may be recovered. - group: top10-crypto-failures - name: Java_Medium_Threat_Use_of_Hard_coded_Cryptographic_Key - pretty_name: Use of Hard coded Cryptographic Key - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Medium_Threat_Use_of_Insufficiently_Random_Values: - categories: - - checkmarx-medium-threat - - cwe-330 - - owasp-top-10 - - boost-baseline - - ALL - description: The product uses insufficiently random numbers or values in a security - context that depends on unpredictable numbers. 
- group: top10-crypto-failures - name: Java_Medium_Threat_Use_of_Insufficiently_Random_Values - pretty_name: Use of Insufficiently Random Values - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Medium_Threat_Use_of_Native_Language: - categories: - - checkmarx-medium-threat - - owasp-top-10 - - cwe-695 - - boost-baseline - - ALL - description: The product uses low-level functionality that is explicitly prohibited - by the framework or specification under which the product is supposed to operate. - group: top10-injection - name: Java_Medium_Threat_Use_of_Native_Language - pretty_name: Use of Native Language - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Medium_Threat_Use_of_a_One_Way_Hash_with_a_Predictable_Salt: - categories: - - checkmarx-medium-threat - - owasp-top-10 - - cwe-760 - - boost-baseline - - ALL - description: The product uses a one-way cryptographic hash against an input that - should not be reversible, such as a password, but the product uses a predictable - salt as part of the input. - group: top10-crypto-failures - name: Java_Medium_Threat_Use_of_a_One_Way_Hash_with_a_Predictable_Salt - pretty_name: Use of a One Way Hash with a Predictable Salt - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Medium_Threat_Use_of_a_One_Way_Hash_without_a_Salt: - categories: - - checkmarx-medium-threat - - cwe-759 - - owasp-top-10 - - boost-baseline - - ALL - description: The product uses a one-way cryptographic hash against an input that - should not be reversible, such as a password, but the product does not also - use a salt as part of the input. 
- group: top10-crypto-failures - name: Java_Medium_Threat_Use_of_a_One_Way_Hash_without_a_Salt - pretty_name: Use of a One Way Hash without a Salt - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Medium_Threat_XQuery_Injection: - categories: - - boost-baseline - - checkmarx-medium-threat - - owasp-top-10 - - cwe-652 - - ALL - description: The product uses external input to dynamically construct an XQuery - expression used to retrieve data from an XML database, but it does not neutralize - or incorrectly neutralizes that input. This allows an attacker to control the - structure of the query. - group: top10-injection - name: Java_Medium_Threat_XQuery_Injection - pretty_name: XQuery Injection - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Potential_Potential_Code_Injection: - categories: - - cwe-94 - - checkmarx-potential - - owasp-top-10 - - boost-baseline - - ALL - - cwe-top-25 - description: The product constructs all or part of a code segment using externally-influenced - input from an upstream component, but it does not neutralize or incorrectly - neutralizes special elements that could modify the syntax or behavior of the - intended code segment. - group: top10-injection - name: Java_Potential_Potential_Code_Injection - pretty_name: Potential Code Injection - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Potential_Potential_Command_Injection: - categories: - - cwe-77 - - checkmarx-potential - - owasp-top-10 - - boost-baseline - - ALL - - cwe-top-25 - description: The product constructs all or part of a command using externally-influenced - input from an upstream component, but it does not neutralize or incorrectly - neutralizes special elements that could modify the intended command when it - is sent to a downstream component. 
- group: top10-injection - name: Java_Potential_Potential_Command_Injection - pretty_name: Potential Command Injection - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Potential_Potential_Connection_String_Injection: - categories: - - owasp-top-10 - - checkmarx-potential - - cwe-99 - - boost-baseline - - ALL - description: The product receives input from an upstream component, but it does - not restrict or incorrectly restricts the input before it is used as an identifier - for a resource that may be outside the intended sphere of control. - group: top10-injection - name: Java_Potential_Potential_Connection_String_Injection - pretty_name: Potential Connection String Injection - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Potential_Potential_GWT_Reflected_XSS: - categories: - - cwe-79 - - checkmarx-potential - - owasp-top-10 - - boost-baseline - - ALL - - cwe-top-25 - description: The product does not neutralize or incorrectly neutralizes user-controllable - input before it is placed in output that is used as a web page that is served - to other users. - group: top10-injection - name: Java_Potential_Potential_GWT_Reflected_XSS - pretty_name: Potential GWT Reflected XSS - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Potential_Potential_Hardcoded_password_in_Connection_String: - categories: - - boost-baseline - - ALL - - cwe-547 - - checkmarx-potential - description: The product uses hard-coded constants instead of symbolic names for - security-critical values, which increases the likelihood of mistakes during - code maintenance or security policy change. 
- group: top10-security-misconfiguration - name: Java_Potential_Potential_Hardcoded_password_in_Connection_String - pretty_name: Potential Hardcoded password in Connection String - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Potential_Potential_IO_Reflected_XSS_All_Clients: - categories: - - cwe-79 - - checkmarx-potential - - owasp-top-10 - - boost-baseline - - ALL - - cwe-top-25 - description: The product does not neutralize or incorrectly neutralizes user-controllable - input before it is placed in output that is used as a web page that is served - to other users. - group: top10-injection - name: Java_Potential_Potential_IO_Reflected_XSS_All_Clients - pretty_name: Potential IO Reflected XSS All Clients - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Potential_Potential_I_Reflected_XSS_All_Clients: - categories: - - cwe-79 - - checkmarx-potential - - owasp-top-10 - - boost-baseline - - ALL - - cwe-top-25 - description: The product does not neutralize or incorrectly neutralizes user-controllable - input before it is placed in output that is used as a web page that is served - to other users. - group: top10-injection - name: Java_Potential_Potential_I_Reflected_XSS_All_Clients - pretty_name: Potential I Reflected XSS All Clients - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Potential_Potential_LDAP_Injection: - categories: - - cwe-90 - - owasp-top-10 - - checkmarx-potential - - boost-baseline - - ALL - description: The product constructs all or part of an LDAP query using externally-influenced - input from an upstream component, but it does not neutralize or incorrectly - neutralizes special elements that could modify the intended LDAP query when - it is sent to a downstream component. 
- group: top10-injection - name: Java_Potential_Potential_LDAP_Injection - pretty_name: Potential LDAP Injection - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Potential_Potential_O_Reflected_XSS_All_Clients: - categories: - - cwe-79 - - checkmarx-potential - - owasp-top-10 - - boost-baseline - - ALL - - cwe-top-25 - description: The product does not neutralize or incorrectly neutralizes user-controllable - input before it is placed in output that is used as a web page that is served - to other users. - group: top10-injection - name: Java_Potential_Potential_O_Reflected_XSS_All_Clients - pretty_name: Potential O Reflected XSS All Clients - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Potential_Potential_Parameter_Tampering: - categories: - - owasp-top-10 - - checkmarx-potential - - cwe-472 - - boost-baseline - - ALL - description: The web application does not sufficiently verify inputs that are - assumed to be immutable but are actually externally controllable, such as hidden - form fields. - group: top10-insecure-design - name: Java_Potential_Potential_Parameter_Tampering - pretty_name: Potential Parameter Tampering - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Potential_Potential_Resource_Injection: - categories: - - owasp-top-10 - - checkmarx-potential - - cwe-99 - - boost-baseline - - ALL - description: The product receives input from an upstream component, but it does - not restrict or incorrectly restricts the input before it is used as an identifier - for a resource that may be outside the intended sphere of control. 
- group: top10-injection - name: Java_Potential_Potential_Resource_Injection - pretty_name: Potential Resource Injection - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Potential_Potential_SQL_Injection: - categories: - - cwe-89 - - checkmarx-potential - - owasp-top-10 - - boost-baseline - - ALL - - cwe-top-25 - description: The product constructs all or part of an SQL command using externally-influenced - input from an upstream component, but it does not neutralize or incorrectly - neutralizes special elements that could modify the intended SQL command when - it is sent to a downstream component. - group: top10-injection - name: Java_Potential_Potential_SQL_Injection - pretty_name: Potential SQL Injection - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Potential_Potential_Stored_XSS: - categories: - - cwe-79 - - checkmarx-potential - - owasp-top-10 - - boost-baseline - - ALL - - cwe-top-25 - description: The product does not neutralize or incorrectly neutralizes user-controllable - input before it is placed in output that is used as a web page that is served - to other users. - group: top10-injection - name: Java_Potential_Potential_Stored_XSS - pretty_name: Potential Stored XSS - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Potential_Potential_UTF7_XSS: - categories: - - cwe-79 - - checkmarx-potential - - owasp-top-10 - - boost-baseline - - ALL - - cwe-top-25 - description: The product does not neutralize or incorrectly neutralizes user-controllable - input before it is placed in output that is used as a web page that is served - to other users. 
- group: top10-injection - name: Java_Potential_Potential_UTF7_XSS - pretty_name: Potential UTF7 XSS - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Potential_Potential_Use_of_Hard_coded_Cryptographic_Key: - categories: - - cwe-321 - - owasp-top-10 - - checkmarx-potential - - boost-baseline - - ALL - description: The use of a hard-coded cryptographic key significantly increases - the possibility that encrypted data may be recovered. - group: top10-crypto-failures - name: Java_Potential_Potential_Use_of_Hard_coded_Cryptographic_Key - pretty_name: Potential Use of Hard coded Cryptographic Key - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Potential_Potential_XPath_Injection: - categories: - - cwe-643 - - owasp-top-10 - - checkmarx-potential - - boost-baseline - - ALL - description: The product uses external input to dynamically construct an XPath - expression used to retrieve data from an XML database, but it does not neutralize - or incorrectly neutralizes that input. This allows an attacker to control the - structure of the query. - group: top10-injection - name: Java_Potential_Potential_XPath_Injection - pretty_name: Potential XPath Injection - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Potential_Potential_XXE_Injection: - categories: - - boost-baseline - - cwe-776 - - ALL - - checkmarx-potential - description: The product uses XML documents and allows their structure to be defined - with a Document Type Definition (DTD), but it does not properly control the - number of recursive definitions of entities. 
- group: top10-security-misconfiguration - name: Java_Potential_Potential_XXE_Injection - pretty_name: Potential XXE Injection - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Spring_Spring_Argon2_Insecure_Parameters: - categories: - - owasp-top-10 - - boost-baseline - - ALL - - cwe-522 - description: The product transmits or stores authentication credentials, but it - uses an insecure method that is susceptible to unauthorized interception and/or - retrieval. - group: top10-insecure-design - name: Java_Spring_Spring_Argon2_Insecure_Parameters - pretty_name: Spring Argon2 Insecure Parameters - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Spring_Spring_BCrypt_Insecure_Parameters: - categories: - - owasp-top-10 - - boost-baseline - - ALL - - cwe-522 - description: The product transmits or stores authentication credentials, but it - uses an insecure method that is susceptible to unauthorized interception and/or - retrieval. - group: top10-insecure-design - name: Java_Spring_Spring_BCrypt_Insecure_Parameters - pretty_name: Spring BCrypt Insecure Parameters - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Spring_Spring_CSRF: - categories: - - cwe-352 - - owasp-top-10 - - boost-baseline - - ALL - - cwe-top-25 - description: The web application does not, or can not, sufficiently verify whether - a well-formed, valid, consistent request was intentionally provided by the user - who submitted the request. 
- group: top10-injection - name: Java_Spring_Spring_CSRF - pretty_name: Spring CSRF - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Spring_Spring_Comparison_Timing_Attack: - categories: - - owasp-top-10 - - boost-baseline - - ALL - - cwe-208 - description: Two separate operations in a product require different amounts of - time to complete, in a way that is observable to an actor and reveals security-relevant - information about the state of the product, such as whether a particular operation - was successful or not. - group: top10-insecure-design - name: Java_Spring_Spring_Comparison_Timing_Attack - pretty_name: Spring Comparison Timing Attack - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Spring_Spring_Missing_Content_Security_Policy: - categories: - - owasp-top-10 - - boost-baseline - - ALL - - cwe-346 - description: The product does not properly verify that the source of data or communication - is valid. - group: top10-id-authn-failures - name: Java_Spring_Spring_Missing_Content_Security_Policy - pretty_name: Spring Missing Content Security Policy - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Spring_Spring_Missing_Expect_CT_Header: - categories: - - cwe-693 - - owasp-top-10 - - boost-baseline - - ALL - description: The product does not use or incorrectly uses a protection mechanism - that provides sufficient defense against directed attacks against the product. 
- group: top10-insecure-design - name: Java_Spring_Spring_Missing_Expect_CT_Header - pretty_name: Spring Missing Expect CT Header - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Spring_Spring_Missing_Function_Level_Authorization: - categories: - - cwe-862 - - owasp-top-10 - - boost-baseline - - ALL - - cwe-top-25 - description: The product does not perform an authorization check when an actor - attempts to access a resource or perform an action. - group: top10-broken-access-control - name: Java_Spring_Spring_Missing_Function_Level_Authorization - pretty_name: Spring Missing Function Level Authorization - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Spring_Spring_Missing_HSTS_Header: - categories: - - owasp-top-10 - - boost-baseline - - ALL - - cwe-346 - description: The product does not properly verify that the source of data or communication - is valid. - group: top10-id-authn-failures - name: Java_Spring_Spring_Missing_HSTS_Header - pretty_name: Spring Missing HSTS Header - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Spring_Spring_Missing_Object_Level_Authorization: - categories: - - cwe-862 - - owasp-top-10 - - boost-baseline - - ALL - - cwe-top-25 - description: The product does not perform an authorization check when an actor - attempts to access a resource or perform an action. 
- group: top10-broken-access-control - name: Java_Spring_Spring_Missing_Object_Level_Authorization - pretty_name: Spring Missing Object Level Authorization - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Spring_Spring_Missing_XSS_Protection_Header: - categories: - - cwe-693 - - owasp-top-10 - - boost-baseline - - ALL - description: The product does not use or incorrectly uses a protection mechanism - that provides sufficient defense against directed attacks against the product. - group: top10-insecure-design - name: Java_Spring_Spring_Missing_XSS_Protection_Header - pretty_name: Spring Missing XSS Protection Header - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Spring_Spring_Missing_X_Content_Type_Options: - categories: - - cwe-693 - - owasp-top-10 - - boost-baseline - - ALL - description: The product does not use or incorrectly uses a protection mechanism - that provides sufficient defense against directed attacks against the product. - group: top10-insecure-design - name: Java_Spring_Spring_Missing_X_Content_Type_Options - pretty_name: Spring Missing X Content Type Options - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Spring_Spring_Missing_X_Frame_Options: - categories: - - owasp-top-10 - - cwe-1021 - - boost-baseline - - ALL - description: The web application does not restrict or incorrectly restricts frame - objects or UI layers that belong to another application or domain, which can - lead to user confusion about which interface the user is interacting with. 
- group: top10-insecure-design - name: Java_Spring_Spring_Missing_X_Frame_Options - pretty_name: Spring Missing X Frame Options - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Spring_Spring_ModelView_Injection: - categories: - - cwe-74 - - owasp-top-10 - - boost-baseline - - ALL - description: The product constructs all or part of a command, data structure, - or record using externally-influenced input from an upstream component, but - it does not neutralize or incorrectly neutralizes special elements that could - modify how it is parsed or interpreted when it is sent to a downstream component. - group: top10-injection - name: Java_Spring_Spring_ModelView_Injection - pretty_name: Spring ModelView Injection - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Spring_Spring_Overly_Permissive_Cross_Origin_Resource_Sharing_Policy: - categories: - - owasp-top-10 - - boost-baseline - - ALL - - cwe-346 - description: The product does not properly verify that the source of data or communication - is valid. - group: top10-id-authn-failures - name: Java_Spring_Spring_Overly_Permissive_Cross_Origin_Resource_Sharing_Policy - pretty_name: Spring Overly Permissive Cross Origin Resource Sharing Policy - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Spring_Spring_PBKDF2_Insecure_Parameters: - categories: - - owasp-top-10 - - boost-baseline - - ALL - - cwe-522 - description: The product transmits or stores authentication credentials, but it - uses an insecure method that is susceptible to unauthorized interception and/or - retrieval. 
- group: top10-insecure-design - name: Java_Spring_Spring_PBKDF2_Insecure_Parameters - pretty_name: Spring PBKDF2 Insecure Parameters - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Spring_Spring_Permissive_Content_Security_Policy: - categories: - - owasp-top-10 - - boost-baseline - - ALL - - cwe-346 - description: The product does not properly verify that the source of data or communication - is valid. - group: top10-id-authn-failures - name: Java_Spring_Spring_Permissive_Content_Security_Policy - pretty_name: Spring Permissive Content Security Policy - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Spring_Spring_SCrypt_Insecure_Parameters: - categories: - - owasp-top-10 - - boost-baseline - - ALL - - cwe-522 - description: The product transmits or stores authentication credentials, but it - uses an insecure method that is susceptible to unauthorized interception and/or - retrieval. - group: top10-insecure-design - name: Java_Spring_Spring_SCrypt_Insecure_Parameters - pretty_name: Spring SCrypt Insecure Parameters - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Spring_Spring_Use_Of_Hardcoded_Password: - categories: - - ALL - - owasp-top-10 - - boost-baseline - - cwe-259 - description: The product contains a hard-coded password, which it uses for its - own inbound authentication or for outbound communication to external components. 
- group: top10-id-authn-failures - name: Java_Spring_Spring_Use_Of_Hardcoded_Password - pretty_name: Spring Use Of Hardcoded Password - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Spring_Spring_Use_of_Broken_or_Risky_Cryptographic_Primitive: - categories: - - cwe-327 - - owasp-top-10 - - boost-baseline - - ALL - description: The product uses a broken or risky cryptographic algorithm or protocol. - group: top10-crypto-failures - name: Java_Spring_Spring_Use_of_Broken_or_Risky_Cryptographic_Primitive - pretty_name: Spring Use of Broken or Risky Cryptographic Primitive - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Spring_Spring_View_SPEL_Injection: - categories: - - boost-hardened - - owasp-top-10 - - cwe-917 - - boost-baseline - - ALL - description: The product constructs all or part of an expression language (EL) - statement in a framework such as a Java Server Page (JSP) using externally-influenced - input from an upstream component, but it does not neutralize or incorrectly - neutralizes special elements that could modify the intended EL statement before - it is executed. - group: top10-injection - name: Java_Spring_Spring_View_SPEL_Injection - pretty_name: Spring View SPEL Injection - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Spring_Spring_XSRF: - categories: - - cwe-352 - - owasp-top-10 - - boost-baseline - - ALL - - cwe-top-25 - description: The web application does not, or can not, sufficiently verify whether - a well-formed, valid, consistent request was intentionally provided by the user - who submitted the request. 
- group: top10-server-side-request-forgery - name: Java_Spring_Spring_XSRF - pretty_name: Spring XSRF - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Spring_Spring_defaultHtmlEscape_Not_True: - categories: - - owasp-top-10 - - boost-baseline - - ALL - description: The setting for defaultHtmlEscape in the Spring configuration is - not set to "true", presenting a potential cross-site scripting (XSS) vulnerability. - group: top10-insecure-design - name: Java_Spring_Spring_defaultHtmlEscape_Not_True - pretty_name: Spring defaultHtmlEscape Not True - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Stored_Stored_Boundary_Violation: - categories: - - checkmarx-stored - - owasp-top-10 - - cwe-646 - - boost-baseline - - ALL - description: The product allows a file to be uploaded, but it relies on the file - name or extension of the file to determine the appropriate behaviors. This could - be used by attackers to cause the file to be misclassified and processed in - a dangerous fashion. - group: top10-insecure-design - name: Java_Stored_Stored_Boundary_Violation - pretty_name: Stored Boundary Violation - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Stored_Stored_Code_Injection: - categories: - - cwe-94 - - checkmarx-stored - - owasp-top-10 - - boost-baseline - - ALL - - cwe-top-25 - description: The product constructs all or part of a code segment using externally-influenced - input from an upstream component, but it does not neutralize or incorrectly - neutralizes special elements that could modify the syntax or behavior of the - intended code segment. 
- group: top10-injection - name: Java_Stored_Stored_Code_Injection - pretty_name: Stored Code Injection - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Stored_Stored_HTTP_Response_Splitting: - categories: - - cwe-113 - - owasp-top-10 - - checkmarx-stored - - boost-baseline - - ALL - description: The product receives data from an HTTP agent/component (e.g., web - server, proxy, browser, etc.), but it does not neutralize or incorrectly neutralizes - CR and LF characters before the data is included in outgoing HTTP headers. - group: top10-injection - name: Java_Stored_Stored_HTTP_Response_Splitting - pretty_name: Stored HTTP Response Splitting - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Stored_Stored_Mongo_NoSQL_Injection: - categories: - - owasp-top-10 - - checkmarx-stored - - cwe-943 - - boost-baseline - - ALL - description: The product generates a query intended to access or manipulate data - in a data store such as a database, but it does not neutralize or incorrectly - neutralizes special elements that can modify the intended logic of the query. - group: top10-injection - name: Java_Stored_Stored_Mongo_NoSQL_Injection - pretty_name: Stored Mongo NoSQL Injection - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Stored_Stored_Open_Redirect: - categories: - - cwe-601 - - owasp-top-10 - - checkmarx-stored - - boost-baseline - - ALL - description: A web application accepts a user-controlled input that specifies - a link to an external site, and uses that link in a Redirect. This simplifies - phishing attacks. 
- group: top10-broken-access-control - name: Java_Stored_Stored_Open_Redirect - pretty_name: Stored Open Redirect - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Stored_Stored_XPath_Injection: - categories: - - cwe-643 - - owasp-top-10 - - checkmarx-stored - - boost-baseline - - ALL - description: The product uses external input to dynamically construct an XPath - expression used to retrieve data from an XML database, but it does not neutralize - or incorrectly neutralizes that input. This allows an attacker to control the - structure of the query. - group: top10-injection - name: Java_Stored_Stored_XPath_Injection - pretty_name: Stored XPath Injection - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Struts_Struts2_Action_Field_Without_Validator: - categories: - - cwe-108 - - checkmarx-structs - - owasp-top-10 - - boost-baseline - - ALL - description: Every Action Form must have a corresponding validation form. - group: top10-injection - name: Java_Struts_Struts2_Action_Field_Without_Validator - pretty_name: Struts2 Action Field Without Validator - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Struts_Struts2_Duplicate_Action_Field_Validators: - categories: - - checkmarx-structs - - owasp-top-10 - - cwe-102 - - boost-baseline - - ALL - description: The product uses multiple validation forms with the same name, which - might cause the Struts Validator to validate a form that the programmer does - not expect. 
- group: top10-insecure-design - name: Java_Struts_Struts2_Duplicate_Action_Field_Validators - pretty_name: Struts2 Duplicate Action Field Validators - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Struts_Struts2_Duplicate_Validators: - categories: - - checkmarx-structs - - owasp-top-10 - - cwe-102 - - boost-baseline - - ALL - description: The product uses multiple validation forms with the same name, which - might cause the Struts Validator to validate a form that the programmer does - not expect. - group: top10-insecure-design - name: Java_Struts_Struts2_Duplicate_Validators - pretty_name: Struts2 Duplicate Validators - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Struts_Struts2_Undeclared_Validator: - categories: - - checkmarx-structs - - owasp-top-10 - - cwe-105 - - boost-baseline - - ALL - description: The product has a form field that is not validated by a corresponding - validation form, which can introduce other weaknesses related to insufficient - input validation. - group: top10-insecure-design - name: Java_Struts_Struts2_Undeclared_Validator - pretty_name: Struts2 Undeclared Validator - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Struts_Struts2_Validation_File_Without_Action: - categories: - - checkmarx-structs - - owasp-top-10 - - cwe-107 - - boost-baseline - - ALL - description: An unused validation form indicates that validation logic is not - up-to-date. 
- group: top10-injection - name: Java_Struts_Struts2_Validation_File_Without_Action - pretty_name: Struts2 Validation File Without Action - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Struts_Struts2_Validator_Without_Action_Field: - categories: - - cwe-110 - - checkmarx-structs - - owasp-top-10 - - boost-baseline - - ALL - description: Validation fields that do not appear in forms they are associated - with indicate that the validation logic is out of date. - group: top10-injection - name: Java_Struts_Struts2_Validator_Without_Action_Field - pretty_name: Struts2 Validator Without Action Field - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Struts_Struts_Duplicate_Config_Files: - categories: - - checkmarx-structs - - owasp-top-10 - - cwe-694 - - boost-baseline - - ALL - description: The product uses multiple resources that can have the same identifier, - in a context in which unique identifiers are required. - group: top10-insecure-design - name: Java_Struts_Struts_Duplicate_Config_Files - pretty_name: Struts Duplicate Config Files - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Struts_Struts_Duplicate_Form_Bean: - categories: - - checkmarx-structs - - owasp-top-10 - - cwe-694 - - boost-baseline - - ALL - description: The product uses multiple resources that can have the same identifier, - in a context in which unique identifiers are required. 
- group: top10-insecure-design - name: Java_Struts_Struts_Duplicate_Form_Bean - pretty_name: Struts Duplicate Form Bean - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Struts_Struts_Duplicate_Validation_Files: - categories: - - checkmarx-structs - - owasp-top-10 - - cwe-694 - - boost-baseline - - ALL - description: The product uses multiple resources that can have the same identifier, - in a context in which unique identifiers are required. - group: top10-insecure-design - name: Java_Struts_Struts_Duplicate_Validation_Files - pretty_name: Struts Duplicate Validation Files - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Struts_Struts_Duplicate_Validation_Forms: - categories: - - checkmarx-structs - - owasp-top-10 - - cwe-102 - - boost-baseline - - ALL - description: The product uses multiple validation forms with the same name, which - might cause the Struts Validator to validate a form that the programmer does - not expect. - group: top10-insecure-design - name: Java_Struts_Struts_Duplicate_Validation_Forms - pretty_name: Struts Duplicate Validation Forms - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Struts_Struts_Form_Does_Not_Extend_Validation_Class: - categories: - - checkmarx-structs - - cwe-104 - - owasp-top-10 - - boost-baseline - - ALL - description: If a form bean does not extend an ActionForm subclass of the Validator - framework, it can expose the application to other weaknesses related to insufficient - input validation. 
- group: top10-injection - name: Java_Struts_Struts_Form_Does_Not_Extend_Validation_Class - pretty_name: Struts Form Does Not Extend Validation Class - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Struts_Struts_Form_Field_Without_Validator: - categories: - - checkmarx-structs - - owasp-top-10 - - cwe-105 - - boost-baseline - - ALL - description: The product has a form field that is not validated by a corresponding - validation form, which can introduce other weaknesses related to insufficient - input validation. - group: top10-injection - name: Java_Struts_Struts_Form_Field_Without_Validator - pretty_name: Struts Form Field Without Validator - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Struts_Struts_Incomplete_Validate_Method_Definition: - categories: - - checkmarx-structs - - owasp-top-10 - - boost-baseline - - ALL - - cwe-103 - description: The product has a validator form that either does not define a validate() - method, or defines a validate() method but does not call super.validate(). - group: top10-injection - name: Java_Struts_Struts_Incomplete_Validate_Method_Definition - pretty_name: Struts Incomplete Validate Method Definition - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Struts_Struts_Mapping_to_Missing_Form_Bean: - categories: - - cwe-457 - - checkmarx-structs - - owasp-top-10 - - boost-baseline - - ALL - description: The code uses a variable that has not been initialized, leading to - unpredictable or unintended results. 
- group: top10-insecure-design - name: Java_Struts_Struts_Mapping_to_Missing_Form_Bean - pretty_name: Struts Mapping to Missing Form Bean - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Struts_Struts_Missing_Form_Bean_Name: - categories: - - checkmarx-structs - - owasp-top-10 - - cwe-563 - - boost-baseline - - ALL - description: The variable's value is assigned but never used, making it a dead - store. - group: top10-insecure-design - name: Java_Struts_Struts_Missing_Form_Bean_Name - pretty_name: Struts Missing Form Bean Name - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Struts_Struts_Missing_Form_Bean_Type: - categories: - - checkmarx-structs - - owasp-top-10 - - cwe-563 - - boost-baseline - - ALL - description: The variable's value is assigned but never used, making it a dead - store. - group: top10-insecure-design - name: Java_Struts_Struts_Missing_Form_Bean_Type - pretty_name: Struts Missing Form Bean Type - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Struts_Struts_Missing_Forward_Name: - categories: - - cwe-489 - - checkmarx-structs - - owasp-top-10 - - boost-baseline - - ALL - description: The product is deployed to unauthorized actors with debugging code - still enabled or active, which can create unintended entry points or expose - sensitive information. 
- group: top10-insecure-design - name: Java_Struts_Struts_Missing_Forward_Name - pretty_name: Struts Missing Forward Name - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Struts_Struts_Non_Private_Field_In_ActionForm_Class: - categories: - - checkmarx-structs - - owasp-top-10 - - boost-baseline - - ALL - - cwe-608 - description: An ActionForm class contains a field that has not been declared private, - which can be accessed without using a setter or getter. - group: top10-insecure-design - name: Java_Struts_Struts_Non_Private_Field_In_ActionForm_Class - pretty_name: Struts Non Private Field In ActionForm Class - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Struts_Struts_Thread_Safety_Violation_In_Action_Class: - categories: - - checkmarx-structs - - cwe-362 - - owasp-top-10 - - boost-baseline - - ALL - - cwe-top-25 - description: The product contains a code sequence that can run concurrently with - other code, and the code sequence requires temporary, exclusive access to a - shared resource, but a timing window exists in which the shared resource can - be modified by another code sequence that is operating concurrently. - group: top10-insecure-design - name: Java_Struts_Struts_Thread_Safety_Violation_In_Action_Class - pretty_name: Struts Thread Safety Violation In Action Class - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Struts_Struts_Unused_Action_Form: - categories: - - cwe-489 - - checkmarx-structs - - owasp-top-10 - - boost-baseline - - ALL - description: The product is deployed to unauthorized actors with debugging code - still enabled or active, which can create unintended entry points or expose - sensitive information. 
- group: top10-insecure-design - name: Java_Struts_Struts_Unused_Action_Form - pretty_name: Struts Unused Action Form - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Struts_Struts_Unused_Validation_Form: - categories: - - checkmarx-structs - - owasp-top-10 - - cwe-107 - - boost-baseline - - ALL - description: An unused validation form indicates that validation logic is not - up-to-date. - group: top10-insecure-design - name: Java_Struts_Struts_Unused_Validation_Form - pretty_name: Struts Unused Validation Form - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Struts_Struts_Unvalidated_Action_Form: - categories: - - cwe-108 - - checkmarx-structs - - owasp-top-10 - - boost-baseline - - ALL - description: Every Action Form must have a corresponding validation form. - group: top10-injection - name: Java_Struts_Struts_Unvalidated_Action_Form - pretty_name: Struts Unvalidated Action Form - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Struts_Struts_Use_of_Relative_Path_in_Config: - categories: - - cwe-21 - - checkmarx-structs - - owasp-top-10 - - boost-baseline - - ALL - description: The product uses external input to construct a pathname that should - be within a restricted directory, but it does not properly neutralize sequences - such as ".." that can resolve to a location that is outside of that directory. 
- group: top10-security-misconfiguration - name: Java_Struts_Struts_Use_of_Relative_Path_in_Config - pretty_name: Struts Use of Relative Path in Config - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Struts_Struts_Validation_Turned_Off: - categories: - - checkmarx-structs - - owasp-top-10 - - boost-baseline - - ALL - - cwe-109 - description: Automatic filtering via a Struts bean has been turned off, which - disables the Struts Validator and custom validation logic. This exposes the - application to other weaknesses related to insufficient input validation. - group: top10-injection - name: Java_Struts_Struts_Validation_Turned_Off - pretty_name: Struts Validation Turned Off - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Java_Struts_Struts_Validator_Without_Form_Field: - categories: - - cwe-110 - - checkmarx-structs - - owasp-top-10 - - boost-baseline - - ALL - description: Validation fields that do not appear in forms they are associated - with indicate that the validation logic is out of date. - group: top10-injection - name: Java_Struts_Struts_Validator_Without_Form_Field - pretty_name: Struts Validator Without Form Field - Java - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavasScript_Visualforce_Remoting_VF_Remoting_Client_Potential_CSRF: - categories: - - cwe-352 - - checkmarx-visualforce-remoting - - owasp-top-10 - - boost-baseline - - ALL - - cwe-top-25 - description: The web application does not, or can not, sufficiently verify whether - a well-formed, valid, consistent request was intentionally provided by the user - who submitted the request. 
- group: top10-injection - name: JavasScript_Visualforce_Remoting_VF_Remoting_Client_Potential_CSRF - pretty_name: VF Remoting Client Potential CSRF - JavasScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavasScript_Visualforce_Remoting_VF_Remoting_Client_Potential_Code_Injection: - categories: - - cwe-94 - - checkmarx-visualforce-remoting - - owasp-top-10 - - boost-baseline - - ALL - - cwe-top-25 - description: The product constructs all or part of a code segment using externally-influenced - input from an upstream component, but it does not neutralize or incorrectly - neutralizes special elements that could modify the syntax or behavior of the - intended code segment. - group: top10-injection - name: JavasScript_Visualforce_Remoting_VF_Remoting_Client_Potential_Code_Injection - pretty_name: VF Remoting Client Potential Code Injection - JavasScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - JavasScript_Visualforce_Remoting_VF_Remoting_Client_Potential_XSS: - categories: - - cwe-79 - - checkmarx-visualforce-remoting - - owasp-top-10 - - boost-baseline - - ALL - - cwe-top-25 - description: The product does not neutralize or incorrectly neutralizes user-controllable - input before it is placed in output that is used as a web page that is served - to other users. 
- group: top10-injection - name: JavasScript_Visualforce_Remoting_VF_Remoting_Client_Potential_XSS - pretty_name: VF Remoting Client Potential XSS - JavasScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Javascript_Kony_Kony_Code_Injection: - categories: - - boost-hardened - - cwe-94 - - owasp-top-10 - - checkmarx-kony - - boost-baseline - - ALL - - cwe-top-25 - description: The product constructs all or part of a code segment using externally-influenced - input from an upstream component, but it does not neutralize or incorrectly - neutralizes special elements that could modify the syntax or behavior of the - intended code segment. - group: top10-injection - name: Javascript_Kony_Kony_Code_Injection - pretty_name: Kony Code Injection - Javascript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Javascript_Kony_Kony_Deprecated_Functions: - categories: - - cwe-477 - - owasp-top-10 - - checkmarx-kony - - boost-baseline - - ALL - description: The code uses deprecated or obsolete functions, which suggests that - the code has not been actively reviewed or maintained. - group: top10-insecure-design - name: Javascript_Kony_Kony_Deprecated_Functions - pretty_name: Kony Deprecated Functions - Javascript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Javascript_Kony_Kony_Hardcoded_EncryptionKey: - categories: - - cwe-321 - - owasp-top-10 - - checkmarx-kony - - boost-baseline - - ALL - description: The use of a hard-coded cryptographic key significantly increases - the possibility that encrypted data may be recovered. 
- group: top10-crypto-failures - name: Javascript_Kony_Kony_Hardcoded_EncryptionKey - pretty_name: Kony Hardcoded EncryptionKey - Javascript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Javascript_Kony_Kony_Information_Leakage: - categories: - - boost-hardened - - owasp-top-10 - - checkmarx-kony - - cwe-319 - - boost-baseline - - ALL - description: The product transmits sensitive or security-critical data in cleartext - in a communication channel that can be sniffed by unauthorized actors. - group: top10-broken-access-control - name: Javascript_Kony_Kony_Information_Leakage - pretty_name: Kony Information Leakage - Javascript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Javascript_Kony_Kony_Path_Injection: - categories: - - boost-hardened - - cwe-73 - - owasp-top-10 - - checkmarx-kony - - boost-baseline - - ALL - description: The product allows user input to control or influence paths or file - names that are used in filesystem operations. - group: top10-insecure-design - name: Javascript_Kony_Kony_Path_Injection - pretty_name: Kony Path Injection - Javascript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Javascript_Kony_Kony_Reflected_XSS: - categories: - - boost-hardened - - cwe-79 - - owasp-top-10 - - checkmarx-kony - - boost-baseline - - ALL - - cwe-top-25 - description: The product does not neutralize or incorrectly neutralizes user-controllable - input before it is placed in output that is used as a web page that is served - to other users. 
- group: top10-injection - name: Javascript_Kony_Kony_Reflected_XSS - pretty_name: Kony Reflected XSS - Javascript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Javascript_Kony_Kony_SQL_Injection: - categories: - - boost-hardened - - cwe-89 - - owasp-top-10 - - checkmarx-kony - - boost-baseline - - ALL - - cwe-top-25 - description: The product constructs all or part of an SQL command using externally-influenced - input from an upstream component, but it does not neutralize or incorrectly - neutralizes special elements that could modify the intended SQL command when - it is sent to a downstream component. - group: top10-injection - name: Javascript_Kony_Kony_SQL_Injection - pretty_name: Kony SQL Injection - Javascript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Javascript_Kony_Kony_Second_Order_SQL_Injection: - categories: - - boost-hardened - - cwe-89 - - owasp-top-10 - - checkmarx-kony - - boost-baseline - - ALL - - cwe-top-25 - description: The product constructs all or part of an SQL command using externally-influenced - input from an upstream component, but it does not neutralize or incorrectly - neutralizes special elements that could modify the intended SQL command when - it is sent to a downstream component. 
- group: top10-injection - name: Javascript_Kony_Kony_Second_Order_SQL_Injection - pretty_name: Kony Second Order SQL Injection - Javascript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Javascript_Kony_Kony_Stored_Code_Injection: - categories: - - boost-hardened - - cwe-94 - - owasp-top-10 - - checkmarx-kony - - boost-baseline - - ALL - - cwe-top-25 - description: The product constructs all or part of a code segment using externally-influenced - input from an upstream component, but it does not neutralize or incorrectly - neutralizes special elements that could modify the syntax or behavior of the - intended code segment. - group: top10-injection - name: Javascript_Kony_Kony_Stored_Code_Injection - pretty_name: Kony Stored Code Injection - Javascript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Javascript_Kony_Kony_Stored_XSS: - categories: - - boost-hardened - - cwe-79 - - owasp-top-10 - - checkmarx-kony - - boost-baseline - - ALL - - cwe-top-25 - description: The product does not neutralize or incorrectly neutralizes user-controllable - input before it is placed in output that is used as a web page that is served - to other users. - group: top10-injection - name: Javascript_Kony_Kony_Stored_XSS - pretty_name: Kony Stored XSS - Javascript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Javascript_Kony_Kony_URL_Injection: - categories: - - cwe-601 - - owasp-top-10 - - checkmarx-kony - - boost-baseline - - ALL - description: A web application accepts a user-controlled input that specifies - a link to an external site, and uses that link in a Redirect. This simplifies - phishing attacks. 
- group: top10-broken-access-control - name: Javascript_Kony_Kony_URL_Injection - pretty_name: Kony URL Injection - Javascript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Javascript_Kony_Kony_Unsecure_Browser_Configuration: - categories: - - boost-hardened - - checkmarx-kony - - boost-baseline - - ALL - - cwe-15 - description: One or more system settings or configuration elements can be externally - controlled by a user. - group: top10-security-misconfiguration - name: Javascript_Kony_Kony_Unsecure_Browser_Configuration - pretty_name: Kony Unsecure Browser Configuration - Javascript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Javascript_Kony_Kony_Unsecure_iOSBrowser_Configuration: - categories: - - boost-hardened - - checkmarx-kony - - boost-baseline - - ALL - - cwe-15 - description: One or more system settings or configuration elements can be externally - controlled by a user. - group: top10-security-misconfiguration - name: Javascript_Kony_Kony_Unsecure_iOSBrowser_Configuration - pretty_name: Kony Unsecure iOSBrowser Configuration - Javascript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Javascript_Kony_Kony_Use_WeakEncryption: - categories: - - ALL - - owasp-top-10 - - checkmarx-kony - - boost-baseline - - cwe-326 - description: The product stores or transmits sensitive data using an encryption - scheme that is theoretically sound, but is not strong enough for the level of - protection required. 
- group: top10-crypto-failures - name: Javascript_Kony_Kony_Use_WeakEncryption - pretty_name: Kony Use WeakEncryption - Javascript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Javascript_Kony_Kony_Use_WeakHash: - categories: - - cwe-328 - - owasp-top-10 - - checkmarx-kony - - boost-baseline - - ALL - description: The product uses an algorithm that produces a digest (output value) - that does not meet security expectations for a hash function that allows an - adversary to reasonably determine the original input (preimage attack), find - another input that can produce the same hash (2nd preimage attack), or find - multiple inputs that evaluate to the same hash (birthday attack). - group: top10-crypto-failures - name: Javascript_Kony_Kony_Use_WeakHash - pretty_name: Kony Use WeakHash - Javascript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Javascript_Lightning_Lightning_Aura_Attribute_With_Object_Type: - categories: - - boost-baseline - - ALL - - owasp-top-10 - - checkmarx-lightning - description: The Aura component's attribute is defined with an 'Object' type, - which can lead to potential type conflicts and unexpected behaviors due to lack - of strong typing in Salesforce Lightning. - group: top10-insecure-design - name: Javascript_Lightning_Lightning_Aura_Attribute_With_Object_Type - pretty_name: Lightning Aura Attribute With Object Type - Javascript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Javascript_Lightning_Lightning_Component_Bad_Naming: - categories: - - boost-baseline - - ALL - - owasp-top-10 - - checkmarx-lightning - description: Names for Lightning components in JavaScript must start with a lowercase - letter and can contain alphabets, numbers, or underscores, ensuring readability - and compliance with naming conventions. Invalid names complicate future code - maintenance. 
- group: top10-insecure-design - name: Javascript_Lightning_Lightning_Component_Bad_Naming - pretty_name: Lightning Component Bad Naming - Javascript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Javascript_Lightning_Lightning_DOM_XSS: - categories: - - boost-hardened - - checkmarx-lightning - - cwe-79 - - owasp-top-10 - - boost-baseline - - ALL - - cwe-top-25 - description: The product does not neutralize or incorrectly neutralizes user-controllable - input before it is placed in output that is used as a web page that is served - to other users. - group: top10-injection - name: Javascript_Lightning_Lightning_DOM_XSS - pretty_name: Lightning DOM XSS - Javascript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Javascript_Lightning_Lightning_Data_Retrieval_Without_Wire_Decorator: - categories: - - boost-baseline - - ALL - - owasp-top-10 - - checkmarx-lightning - description: Lightning data retrieval in a JavaScript file does not use the '@wire' - decorator, leading to potential issues in data synchronization. - group: top10-injection - name: Javascript_Lightning_Lightning_Data_Retrieval_Without_Wire_Decorator - pretty_name: Lightning Data Retrieval Without Wire Decorator - Javascript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Javascript_Lightning_Lightning_Dynamic_Href_In_Anchor_Tag: - categories: - - boost-baseline - - ALL - - owasp-top-10 - - checkmarx-lightning - description: Dynamic href values in anchor tags within Salesforce's Lightning - components are identified, which might result in unsafe redirects or content - injection if not properly validated or sanitzed. 
- group: top10-injection - name: Javascript_Lightning_Lightning_Dynamic_Href_In_Anchor_Tag - pretty_name: Lightning Dynamic Href In Anchor Tag - Javascript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Javascript_Lightning_Lightning_Stored_XSS: - categories: - - boost-hardened - - checkmarx-lightning - - cwe-79 - - owasp-top-10 - - boost-baseline - - ALL - - cwe-top-25 - description: The product does not neutralize or incorrectly neutralizes user-controllable - input before it is placed in output that is used as a web page that is served - to other users. - group: top10-injection - name: Javascript_Lightning_Lightning_Stored_XSS - pretty_name: Lightning Stored XSS - Javascript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Javascript_Lightning_Lightning_Use_of_Aura_Component: - categories: - - boost-baseline - - ALL - - owasp-top-10 - - checkmarx-lightning - description: Refers to the occurrence of using Aura components in Lightning Web - Components (LWC), which is discouraged due to potential performance degradation - and maintenance challenges. - group: top10-vulnerable-components - name: Javascript_Lightning_Lightning_Use_of_Aura_Component - pretty_name: Lightning Use of Aura Component - Javascript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Javascript_Lightning_Lightning_Use_of_LWC_Event_Bubbling: - categories: - - boost-baseline - - ALL - - owasp-top-10 - - checkmarx-lightning - description: Event bubbling is improperly used in JavaScript Lightning Web Components - (LWC), which can lead to unintended propagation of events and cause incorrect - or undesired behavior in the application. 
- group: top10-vulnerable-components - name: Javascript_Lightning_Lightning_Use_of_LWC_Event_Bubbling - pretty_name: Lightning Use of LWC Event Bubbling - Javascript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Javascript_Lightning_Lightning_Use_of_Same_Controller_Method_In_Different_Components: - categories: - - boost-baseline - - ALL - - owasp-top-10 - - checkmarx-lightning - description: Duplicate use of a single Apex controller method in multiple Lightning - components is present. This might lead to unintended functionality coupling, - impacting maintainability and future code modifications. - group: top10-insecure-design - name: Javascript_Lightning_Lightning_Use_of_Same_Controller_Method_In_Different_Components - pretty_name: Lightning Use of Same Controller Method In Different Components - - Javascript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Kotlin_Android_Accessible_Content_Provider: - categories: - - owasp-top-10 - - checkmarx-android - - cwe-668 - - boost-baseline - - ALL - description: The product exposes a resource to the wrong control sphere, providing - unintended actors with inappropriate access to the resource. - group: top10-broken-access-control - name: Kotlin_Android_Accessible_Content_Provider - pretty_name: Accessible Content Provider - Kotlin - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Kotlin_Android_Allowed_Backup: - categories: - - cwe-530 - - owasp-top-10 - - checkmarx-android - - boost-baseline - - ALL - description: A backup file is stored in a directory or archive that is made accessible - to unauthorized actors. 
- group: top10-broken-access-control - name: Kotlin_Android_Allowed_Backup - pretty_name: Allowed Backup - Kotlin - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Kotlin_Android_Client_Side_Injection: - categories: - - cwe-89 - - owasp-top-10 - - checkmarx-android - - boost-baseline - - ALL - - cwe-top-25 - description: The product constructs all or part of an SQL command using externally-influenced - input from an upstream component, but it does not neutralize or incorrectly - neutralizes special elements that could modify the intended SQL command when - it is sent to a downstream component. - group: top10-injection - name: Kotlin_Android_Client_Side_Injection - pretty_name: Client Side Injection - Kotlin - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Kotlin_Android_Client_Side_ReDoS: - categories: - - owasp-top-10 - - checkmarx-android - - cwe-400 - - boost-baseline - - ALL - - cwe-top-25 - description: The product does not properly control the allocation and maintenance - of a limited resource, thereby enabling an actor to influence the amount of - resources consumed, eventually leading to the exhaustion of available resources. - group: top10-insecure-design - name: Kotlin_Android_Client_Side_ReDoS - pretty_name: Client Side ReDoS - Kotlin - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Kotlin_Android_Communication_Over_HTTP: - categories: - - owasp-top-10 - - checkmarx-android - - cwe-319 - - boost-baseline - - ALL - description: The product transmits sensitive or security-critical data in cleartext - in a communication channel that can be sniffed by unauthorized actors. 
- group: top10-crypto-failures - name: Kotlin_Android_Communication_Over_HTTP - pretty_name: Communication Over HTTP - Kotlin - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Kotlin_Android_Copy_Paste_Buffer_Caching: - categories: - - cwe-922 - - owasp-top-10 - - checkmarx-android - - boost-baseline - - ALL - description: The product stores sensitive information without properly limiting - read or write access by unauthorized actors. - group: top10-broken-access-control - name: Kotlin_Android_Copy_Paste_Buffer_Caching - pretty_name: Copy Paste Buffer Caching - Kotlin - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Kotlin_Android_Debuggable_App: - categories: - - owasp-top-10 - - checkmarx-android - - cwe-668 - - boost-baseline - - ALL - description: The product exposes a resource to the wrong control sphere, providing - unintended actors with inappropriate access to the resource. - group: top10-broken-access-control - name: Kotlin_Android_Debuggable_App - pretty_name: Debuggable App - Kotlin - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Kotlin_Android_DeviceId_Authentication: - categories: - - ALL - - owasp-top-10 - - checkmarx-android - - boost-baseline - - cwe-259 - description: The product contains a hard-coded password, which it uses for its - own inbound authentication or for outbound communication to external components. 
- group: top10-id-authn-failures - name: Kotlin_Android_DeviceId_Authentication - pretty_name: DeviceId Authentication - Kotlin - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Kotlin_Android_Exported_Content_Provider_Without_Protective_Permissions: - categories: - - owasp-top-10 - - checkmarx-android - - cwe-668 - - boost-baseline - - ALL - description: The product exposes a resource to the wrong control sphere, providing - unintended actors with inappropriate access to the resource. - group: top10-broken-access-control - name: Kotlin_Android_Exported_Content_Provider_Without_Protective_Permissions - pretty_name: Exported Content Provider Without Protective Permissions - Kotlin - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Kotlin_Android_Exported_Service_Without_Permissions: - categories: - - owasp-top-10 - - checkmarx-android - - cwe-668 - - boost-baseline - - ALL - description: The product exposes a resource to the wrong control sphere, providing - unintended actors with inappropriate access to the resource. - group: top10-broken-access-control - name: Kotlin_Android_Exported_Service_Without_Permissions - pretty_name: Exported Service Without Permissions - Kotlin - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Kotlin_Android_Exported_Service_Without_Protective_Permissions: - categories: - - owasp-top-10 - - checkmarx-android - - cwe-668 - - boost-baseline - - ALL - description: The product exposes a resource to the wrong control sphere, providing - unintended actors with inappropriate access to the resource. 
- group: top10-broken-access-control - name: Kotlin_Android_Exported_Service_Without_Protective_Permissions - pretty_name: Exported Service Without Protective Permissions - Kotlin - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Kotlin_Android_Failure_to_Implement_Least_Privilege: - categories: - - ALL - - owasp-top-10 - - checkmarx-android - - boost-baseline - - cwe-250 - description: The product performs an operation at a privilege level that is higher - than the minimum level required, which creates new weaknesses or amplifies the - consequences of other weaknesses. - group: top10-broken-access-control - name: Kotlin_Android_Failure_to_Implement_Least_Privilege - pretty_name: Failure to Implement Least Privilege - Kotlin - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Kotlin_Android_Hardcoded_Password_In_Gradle: - categories: - - ALL - - owasp-top-10 - - checkmarx-android - - boost-baseline - - cwe-259 - description: The product contains a hard-coded password, which it uses for its - own inbound authentication or for outbound communication to external components. - group: top10-id-authn-failures - name: Kotlin_Android_Hardcoded_Password_In_Gradle - pretty_name: Hardcoded Password In Gradle - Kotlin - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Kotlin_Android_Implicit_Intent_With_Read_Write_Permissions: - categories: - - owasp-top-10 - - checkmarx-android - - cwe-668 - - boost-baseline - - ALL - description: The product exposes a resource to the wrong control sphere, providing - unintended actors with inappropriate access to the resource. 
- group: top10-broken-access-control - name: Kotlin_Android_Implicit_Intent_With_Read_Write_Permissions - pretty_name: Implicit Intent With Read Write Permissions - Kotlin - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Kotlin_Android_Improper_Certificate_Validation: - categories: - - owasp-top-10 - - checkmarx-android - - cwe-295 - - boost-baseline - - ALL - description: The product does not validate, or incorrectly validates, a certificate. - group: top10-id-authn-failures - name: Kotlin_Android_Improper_Certificate_Validation - pretty_name: Improper Certificate Validation - Kotlin - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Kotlin_Android_Improper_Verification_Of_Intent_By_Broadcast_Receiver: - categories: - - cwe-925 - - owasp-top-10 - - checkmarx-android - - boost-baseline - - ALL - description: The Android application uses a Broadcast Receiver that receives an - Intent but does not properly verify that the Intent came from an authorized - source. - group: top10-software-data-integrity-failures - name: Kotlin_Android_Improper_Verification_Of_Intent_By_Broadcast_Receiver - pretty_name: Improper Verification Of Intent By Broadcast Receiver - Kotlin - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Kotlin_Android_Insecure_Android_SDK_Version: - categories: - - cwe-477 - - owasp-top-10 - - checkmarx-android - - boost-baseline - - ALL - description: The code uses deprecated or obsolete functions, which suggests that - the code has not been actively reviewed or maintained. 
- group: top10-vulnerable-components - name: Kotlin_Android_Insecure_Android_SDK_Version - pretty_name: Insecure Android SDK Version - Kotlin - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Kotlin_Android_Insecure_Cipher_Mode: - categories: - - ALL - - owasp-top-10 - - checkmarx-android - - boost-baseline - - cwe-326 - description: The product stores or transmits sensitive data using an encryption - scheme that is theoretically sound, but is not strong enough for the level of - protection required. - group: top10-crypto-failures - name: Kotlin_Android_Insecure_Cipher_Mode - pretty_name: Insecure Cipher Mode - Kotlin - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Kotlin_Android_Insecure_Data_Storage_Usage: - categories: - - cwe-312 - - owasp-top-10 - - checkmarx-android - - boost-baseline - - ALL - description: The product stores sensitive information in cleartext within a resource - that might be accessible to another control sphere. - group: top10-insecure-design - name: Kotlin_Android_Insecure_Data_Storage_Usage - pretty_name: Insecure Data Storage Usage - Kotlin - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Kotlin_Android_Insecure_HTTP_Connections_Enabled: - categories: - - owasp-top-10 - - checkmarx-android - - cwe-319 - - boost-baseline - - ALL - description: The product transmits sensitive or security-critical data in cleartext - in a communication channel that can be sniffed by unauthorized actors. 
- group: top10-crypto-failures - name: Kotlin_Android_Insecure_HTTP_Connections_Enabled - pretty_name: Insecure HTTP Connections Enabled - Kotlin - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Kotlin_Android_Insecure_Sensitive_Data_Storage: - categories: - - owasp-top-10 - - checkmarx-android - - cwe-295 - - boost-baseline - - ALL - description: The product does not validate, or incorrectly validates, a certificate. - group: top10-id-authn-failures - name: Kotlin_Android_Insecure_Sensitive_Data_Storage - pretty_name: Insecure Sensitive Data Storage - Kotlin - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Kotlin_Android_Insecure_WebView_Usage: - categories: - - boost-hardened - - owasp-top-10 - - cwe-829 - - checkmarx-android - - boost-baseline - - ALL - description: The product imports, requires, or includes executable functionality - (such as a library) from a source that is outside of the intended control sphere. - group: top10-software-data-integrity-failures - name: Kotlin_Android_Insecure_WebView_Usage - pretty_name: Insecure WebView Usage - Kotlin - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Kotlin_Android_Missing_Rooted_Device_Check: - categories: - - cwe-693 - - owasp-top-10 - - checkmarx-android - - boost-baseline - - ALL - description: The product does not use or incorrectly uses a protection mechanism - that provides sufficient defense against directed attacks against the product. 
- group: top10-insecure-design - name: Kotlin_Android_Missing_Rooted_Device_Check - pretty_name: Missing Rooted Device Check - Kotlin - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Kotlin_Android_Non_Encrypted_Data_Storage: - categories: - - owasp-top-10 - - checkmarx-android - - cwe-311 - - boost-baseline - - ALL - description: The product does not encrypt sensitive or critical information before - storage or transmission. - group: top10-insecure-design - name: Kotlin_Android_Non_Encrypted_Data_Storage - pretty_name: Non Encrypted Data Storage - Kotlin - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Kotlin_Android_Passing_Non_Encrypted_Data_Between_Activities: - categories: - - owasp-top-10 - - checkmarx-android - - cwe-319 - - boost-baseline - - ALL - description: The product transmits sensitive or security-critical data in cleartext - in a communication channel that can be sniffed by unauthorized actors. - group: top10-crypto-failures - name: Kotlin_Android_Passing_Non_Encrypted_Data_Between_Activities - pretty_name: Passing Non Encrypted Data Between Activities - Kotlin - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Kotlin_Android_Privacy_Violation: - categories: - - owasp-top-10 - - checkmarx-android - - boost-baseline - - ALL - - cwe-359 - description: The product does not properly prevent a person's private, personal - information from being accessed by actors who either (1) are not explicitly - authorized to access the information or (2) do not have the implicit consent - of the person about whom the information is collected. 
- group: top10-broken-access-control - name: Kotlin_Android_Privacy_Violation - pretty_name: Privacy Violation - Kotlin - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Kotlin_Android_ProGuard_Obfuscation_Not_In_Use: - categories: - - cwe-693 - - owasp-top-10 - - checkmarx-android - - boost-baseline - - ALL - description: The product does not use or incorrectly uses a protection mechanism - that provides sufficient defense against directed attacks against the product. - group: top10-insecure-design - name: Kotlin_Android_ProGuard_Obfuscation_Not_In_Use - pretty_name: ProGuard Obfuscation Not In Use - Kotlin - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Kotlin_Android_Reuse_of_Cryptographic_Key: - categories: - - cwe-521 - - owasp-top-10 - - checkmarx-android - - boost-baseline - - ALL - description: The product does not require that users should have strong passwords, - which makes it easier for attackers to compromise user accounts. - group: top10-id-authn-failures - name: Kotlin_Android_Reuse_of_Cryptographic_Key - pretty_name: Reuse of Cryptographic Key - Kotlin - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Kotlin_Android_Screen_Caching: - categories: - - owasp-top-10 - - checkmarx-android - - cwe-524 - - boost-baseline - - ALL - description: The code uses a cache that contains sensitive information, but the - cache can be read by an actor outside of the intended control sphere. 
- group: top10-broken-access-control - name: Kotlin_Android_Screen_Caching - pretty_name: Screen Caching - Kotlin - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Kotlin_Android_Sensitive_Information_Over_HTTP: - categories: - - boost-hardened - - owasp-top-10 - - checkmarx-android - - cwe-319 - - boost-baseline - - ALL - description: The product transmits sensitive or security-critical data in cleartext - in a communication channel that can be sniffed by unauthorized actors. - group: top10-broken-access-control - name: Kotlin_Android_Sensitive_Information_Over_HTTP - pretty_name: Sensitive Information Over HTTP - Kotlin - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Kotlin_Android_Unsafe_Permission_Check: - categories: - - owasp-top-10 - - checkmarx-android - - cwe-284 - - boost-baseline - - ALL - description: The product does not restrict or incorrectly restricts access to - a resource from an unauthorized actor. - group: top10-broken-access-control - name: Kotlin_Android_Unsafe_Permission_Check - pretty_name: Unsafe Permission Check - Kotlin - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Kotlin_Android_Use_Of_Implicit_Intent_For_Sensitive_Communication: - categories: - - cwe-927 - - owasp-top-10 - - checkmarx-android - - boost-baseline - - ALL - description: The Android application uses an implicit intent for transmitting - sensitive data to other applications. 
- group: top10-insecure-design - name: Kotlin_Android_Use_Of_Implicit_Intent_For_Sensitive_Communication - pretty_name: Use Of Implicit Intent For Sensitive Communication - Kotlin - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Kotlin_Android_Use_of_WebView_AddJavascriptInterface: - categories: - - boost-hardened - - boost-baseline - - owasp-top-10 - - checkmarx-android - - cwe-749 - - ALL - description: The product provides an Applications Programming Interface (API) - or similar interface for interaction with external actors, but the interface - includes a dangerous method or function that is not properly restricted. - group: top10-vulnerable-components - name: Kotlin_Android_Use_of_WebView_AddJavascriptInterface - pretty_name: Use of WebView AddJavascriptInterface - Kotlin - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Kotlin_Android_WebView_Cache_Information_Leak: - categories: - - owasp-top-10 - - checkmarx-android - - cwe-524 - - boost-baseline - - ALL - description: The code uses a cache that contains sensitive information, but the - cache can be read by an actor outside of the intended control sphere. - group: top10-broken-access-control - name: Kotlin_Android_WebView_Cache_Information_Leak - pretty_name: WebView Cache Information Leak - Kotlin - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Kotlin_Android_Webview_DOM_XSS: - categories: - - cwe-79 - - owasp-top-10 - - checkmarx-android - - boost-baseline - - ALL - - cwe-top-25 - description: The product does not neutralize or incorrectly neutralizes user-controllable - input before it is placed in output that is used as a web page that is served - to other users. 
- group: top10-injection - name: Kotlin_Android_Webview_DOM_XSS - pretty_name: Webview DOM XSS - Kotlin - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Kotlin_Best_Coding_Practice_Potential_Usage_of_Vulnerable_Log4J: - categories: - - owasp-top-10 - - cwe-400 - - checkmarx-best-coding-practices - - boost-baseline - - ALL - - cwe-top-25 - description: The product does not properly control the allocation and maintenance - of a limited resource, thereby enabling an actor to influence the amount of - resources consumed, eventually leading to the exhaustion of available resources. - group: top10-insecure-design - name: Kotlin_Best_Coding_Practice_Potential_Usage_of_Vulnerable_Log4J - pretty_name: Potential Usage of Vulnerable Log4J - Kotlin - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Kotlin_High_Risk_Code_Injection: - categories: - - boost-hardened - - cwe-94 - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-high-risk - - cwe-top-25 - description: The product constructs all or part of a code segment using externally-influenced - input from an upstream component, but it does not neutralize or incorrectly - neutralizes special elements that could modify the syntax or behavior of the - intended code segment. - group: top10-injection - name: Kotlin_High_Risk_Code_Injection - pretty_name: Code Injection - Kotlin - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Kotlin_High_Risk_Command_Injection: - categories: - - boost-hardened - - cwe-77 - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-high-risk - - cwe-top-25 - description: The product constructs all or part of a command using externally-influenced - input from an upstream component, but it does not neutralize or incorrectly - neutralizes special elements that could modify the intended command when it - is sent to a downstream component. 
- group: top10-injection - name: Kotlin_High_Risk_Command_Injection - pretty_name: Command Injection - Kotlin - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Kotlin_High_Risk_Connection_String_Injection: - categories: - - boost-hardened - - owasp-top-10 - - cwe-99 - - boost-baseline - - ALL - - checkmarx-high-risk - description: The product receives input from an upstream component, but it does - not restrict or incorrectly restricts the input before it is used as an identifier - for a resource that may be outside the intended sphere of control. - group: top10-injection - name: Kotlin_High_Risk_Connection_String_Injection - pretty_name: Connection String Injection - Kotlin - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Kotlin_High_Risk_Deserialization_of_Untrusted_Data: - categories: - - boost-hardened - - boost-baseline - - owasp-top-10 - - cwe-502 - - ALL - - checkmarx-high-risk - - cwe-top-25 - description: The product deserializes untrusted data without sufficiently verifying - that the resulting data will be valid. - group: top10-software-data-integrity-failures - name: Kotlin_High_Risk_Deserialization_of_Untrusted_Data - pretty_name: Deserialization of Untrusted Data - Kotlin - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Kotlin_High_Risk_Expression_Language_Injection_MVEL: - categories: - - boost-hardened - - owasp-top-10 - - cwe-917 - - boost-baseline - - ALL - - checkmarx-high-risk - description: The product constructs all or part of an expression language (EL) - statement in a framework such as a Java Server Page (JSP) using externally-influenced - input from an upstream component, but it does not neutralize or incorrectly - neutralizes special elements that could modify the intended EL statement before - it is executed. 
- group: top10-injection - name: Kotlin_High_Risk_Expression_Language_Injection_MVEL - pretty_name: Expression Language Injection MVEL - Kotlin - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Kotlin_High_Risk_Expression_Language_Injection_SPEL: - categories: - - boost-hardened - - owasp-top-10 - - cwe-917 - - boost-baseline - - ALL - - checkmarx-high-risk - description: The product constructs all or part of an expression language (EL) - statement in a framework such as a Java Server Page (JSP) using externally-influenced - input from an upstream component, but it does not neutralize or incorrectly - neutralizes special elements that could modify the intended EL statement before - it is executed. - group: top10-injection - name: Kotlin_High_Risk_Expression_Language_Injection_SPEL - pretty_name: Expression Language Injection SPEL - Kotlin - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Kotlin_High_Risk_LDAP_Injection: - categories: - - boost-hardened - - cwe-90 - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-high-risk - description: The product constructs all or part of an LDAP query using externally-influenced - input from an upstream component, but it does not neutralize or incorrectly - neutralizes special elements that could modify the intended LDAP query when - it is sent to a downstream component. 
- group: top10-injection - name: Kotlin_High_Risk_LDAP_Injection - pretty_name: LDAP Injection - Kotlin - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Kotlin_High_Risk_Reflected_XSS: - categories: - - boost-hardened - - cwe-79 - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-high-risk - - cwe-top-25 - description: The product does not neutralize or incorrectly neutralizes user-controllable - input before it is placed in output that is used as a web page that is served - to other users. - group: top10-injection - name: Kotlin_High_Risk_Reflected_XSS - pretty_name: Reflected XSS - Kotlin - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Kotlin_High_Risk_Resource_Injection: - categories: - - boost-hardened - - owasp-top-10 - - cwe-99 - - boost-baseline - - ALL - - checkmarx-high-risk - description: The product receives input from an upstream component, but it does - not restrict or incorrectly restricts the input before it is used as an identifier - for a resource that may be outside the intended sphere of control. - group: top10-injection - name: Kotlin_High_Risk_Resource_Injection - pretty_name: Resource Injection - Kotlin - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Kotlin_High_Risk_SQL_Injection: - categories: - - boost-hardened - - cwe-89 - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-high-risk - - cwe-top-25 - description: The product constructs all or part of an SQL command using externally-influenced - input from an upstream component, but it does not neutralize or incorrectly - neutralizes special elements that could modify the intended SQL command when - it is sent to a downstream component. 
- group: top10-injection - name: Kotlin_High_Risk_SQL_Injection - pretty_name: SQL Injection - Kotlin - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Kotlin_High_Risk_Second_Order_SQL_Injection: - categories: - - boost-hardened - - cwe-89 - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-high-risk - - cwe-top-25 - description: The product constructs all or part of an SQL command using externally-influenced - input from an upstream component, but it does not neutralize or incorrectly - neutralizes special elements that could modify the intended SQL command when - it is sent to a downstream component. - group: top10-injection - name: Kotlin_High_Risk_Second_Order_SQL_Injection - pretty_name: Second Order SQL Injection - Kotlin - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Kotlin_High_Risk_Stored_XSS: - categories: - - boost-hardened - - cwe-79 - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-high-risk - - cwe-top-25 - description: The product does not neutralize or incorrectly neutralizes user-controllable - input before it is placed in output that is used as a web page that is served - to other users. - group: top10-injection - name: Kotlin_High_Risk_Stored_XSS - pretty_name: Stored XSS - Kotlin - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Kotlin_High_Risk_Unsafe_Reflection: - categories: - - boost-hardened - - cwe-470 - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-high-risk - description: The product uses external input with reflection to select which classes - or code to use, but it does not sufficiently prevent the input from selecting - improper classes or code. 
- group: top10-injection - name: Kotlin_High_Risk_Unsafe_Reflection - pretty_name: Unsafe Reflection - Kotlin - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Kotlin_High_Risk_XPath_Injection: - categories: - - boost-hardened - - cwe-643 - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-high-risk - description: The product uses external input to dynamically construct an XPath - expression used to retrieve data from an XML database, but it does not neutralize - or incorrectly neutralizes that input. This allows an attacker to control the - structure of the query. - group: top10-injection - name: Kotlin_High_Risk_XPath_Injection - pretty_name: XPath Injection - Kotlin - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Kotlin_Low_Visibility_Command_Argument_Injection: - categories: - - cwe-88 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: The product constructs a string for a command to be executed by a - separate component in another control sphere, but it does not properly delimit - the intended arguments, options, or switches within that command string. - group: top10-injection - name: Kotlin_Low_Visibility_Command_Argument_Injection - pretty_name: Command Argument Injection - Kotlin - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Kotlin_Low_Visibility_Deprecated_API: - categories: - - cwe-477 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: The code uses deprecated or obsolete functions, which suggests that - the code has not been actively reviewed or maintained. 
- group: top10-insecure-design - name: Kotlin_Low_Visibility_Deprecated_API - pretty_name: Deprecated API - Kotlin - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Kotlin_Low_Visibility_JWT_Excessive_Expiration_Time: - categories: - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - - cwe-613 - description: According to WASC, "Insufficient Session Expiration is when a web - site permits an attacker to reuse old session credentials or session IDs for - authorization." - group: top10-id-authn-failures - name: Kotlin_Low_Visibility_JWT_Excessive_Expiration_Time - pretty_name: JWT Excessive Expiration Time - Kotlin - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Kotlin_Low_Visibility_JWT_Use_Of_None_Algorithm: - categories: - - cwe-287 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - - cwe-top-25 - description: When an actor claims to have a given identity, the product does not - prove or insufficiently proves that the claim is correct. - group: top10-id-authn-failures - name: Kotlin_Low_Visibility_JWT_Use_Of_None_Algorithm - pretty_name: JWT Use Of None Algorithm - Kotlin - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Kotlin_Low_Visibility_Password_In_Comment: - categories: - - cwe-615 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: 'While adding general comments is very useful, some programmers tend - to leave important data, such as: filenames related to the web application, - old links or links which were not meant to be browsed by users, old code fragments, - etc.' 
- group: top10-id-authn-failures - name: Kotlin_Low_Visibility_Password_In_Comment - pretty_name: Password In Comment - Kotlin - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Kotlin_Low_Visibility_Stored_Command_Argument_Injection: - categories: - - cwe-88 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: The product constructs a string for a command to be executed by a - separate component in another control sphere, but it does not properly delimit - the intended arguments, options, or switches within that command string. - group: top10-injection - name: Kotlin_Low_Visibility_Stored_Command_Argument_Injection - pretty_name: Stored Command Argument Injection - Kotlin - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Kotlin_Low_Visibility_Use_of_Broken_or_Risky_Cryptographic_Algorithm: - categories: - - cwe-327 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: The product uses a broken or risky cryptographic algorithm or protocol. - group: top10-crypto-failures - name: Kotlin_Low_Visibility_Use_of_Broken_or_Risky_Cryptographic_Algorithm - pretty_name: Use of Broken or Risky Cryptographic Algorithm - Kotlin - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Kotlin_Low_Visibility_Use_of_Hardcoded_Password: - categories: - - ALL - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - cwe-259 - description: The product contains a hard-coded password, which it uses for its - own inbound authentication or for outbound communication to external components. 
- group: top10-id-authn-failures - name: Kotlin_Low_Visibility_Use_of_Hardcoded_Password - pretty_name: Use of Hardcoded Password - Kotlin - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Kotlin_Low_Visibility_Use_of_Non_Cryptographic_Random: - categories: - - cwe-330 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: The product uses insufficiently random numbers or values in a security - context that depends on unpredictable numbers. - group: top10-crypto-failures - name: Kotlin_Low_Visibility_Use_of_Non_Cryptographic_Random - pretty_name: Use of Non Cryptographic Random - Kotlin - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Kotlin_Low_Visibility_Use_of_RSA_Algorithm_without_OAEP: - categories: - - ALL - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - cwe-780 - description: The product uses the RSA algorithm but does not incorporate Optimal - Asymmetric Encryption Padding (OAEP), which might weaken the encryption. - group: top10-crypto-failures - name: Kotlin_Low_Visibility_Use_of_RSA_Algorithm_without_OAEP - pretty_name: Use of RSA Algorithm without OAEP - Kotlin - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Kotlin_Medium_Threat_HttpOnlyCookies: - categories: - - cwe-1004 - - ALL - - boost-baseline - - checkmarx-medium-threat - description: The product uses a cookie to store sensitive information, but the - cookie is not marked with the HttpOnly flag. 
- group: top10-security-misconfiguration - name: Kotlin_Medium_Threat_HttpOnlyCookies - pretty_name: HttpOnlyCookies - Kotlin - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Kotlin_Medium_Threat_JWT_Lack_Of_Expiration_Time: - categories: - - checkmarx-medium-threat - - owasp-top-10 - - boost-baseline - - ALL - - cwe-613 - description: According to WASC, "Insufficient Session Expiration is when a web - site permits an attacker to reuse old session credentials or session IDs for - authorization." - group: top10-id-authn-failures - name: Kotlin_Medium_Threat_JWT_Lack_Of_Expiration_Time - pretty_name: JWT Lack Of Expiration Time - Kotlin - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Kotlin_Medium_Threat_JWT_No_Signature_Verification: - categories: - - checkmarx-medium-threat - - cwe-287 - - owasp-top-10 - - boost-baseline - - ALL - - cwe-top-25 - description: When an actor claims to have a given identity, the product does not - prove or insufficiently proves that the claim is correct. - group: top10-id-authn-failures - name: Kotlin_Medium_Threat_JWT_No_Signature_Verification - pretty_name: JWT No Signature Verification - Kotlin - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Kotlin_Medium_Threat_JWT_Sensitive_Information_Exposure: - categories: - - checkmarx-medium-threat - - owasp-top-10 - - cwe-201 - - boost-baseline - - ALL - description: The code transmits data to another actor, but a portion of the data - includes sensitive information that should not be accessible to that actor. 
- group: top10-broken-access-control - name: Kotlin_Medium_Threat_JWT_Sensitive_Information_Exposure - pretty_name: JWT Sensitive Information Exposure - Kotlin - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Kotlin_Medium_Threat_JWT_Use_Of_Hardcoded_Secret: - categories: - - checkmarx-medium-threat - - owasp-top-10 - - boost-baseline - - ALL - - cwe-top-25 - - cwe-798 - description: The product contains hard-coded credentials, such as a password or - cryptographic key, which it uses for its own inbound authentication, outbound - communication to external components, or encryption of internal data. - group: top10-id-authn-failures - name: Kotlin_Medium_Threat_JWT_Use_Of_Hardcoded_Secret - pretty_name: JWT Use Of Hardcoded Secret - Kotlin - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Kotlin_Medium_Threat_Plaintext_Storage_of_a_Password: - categories: - - cwe-256 - - checkmarx-medium-threat - - owasp-top-10 - - boost-baseline - - ALL - description: Storing a password in plaintext may result in a system compromise. - group: top10-insecure-design - name: Kotlin_Medium_Threat_Plaintext_Storage_of_a_Password - pretty_name: Plaintext Storage of a Password - Kotlin - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Kotlin_Medium_Threat_Same_Seed_in_PRNG: - categories: - - boost-baseline - - checkmarx-medium-threat - - owasp-top-10 - - cwe-336 - - ALL - description: A Pseudo-Random Number Generator (PRNG) uses the same seed each time - the product is initialized. 
- group: top10-crypto-failures - name: Kotlin_Medium_Threat_Same_Seed_in_PRNG - pretty_name: Same Seed in PRNG - Kotlin - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Kotlin_Medium_Threat_Stored_Command_Injection: - categories: - - cwe-77 - - checkmarx-medium-threat - - owasp-top-10 - - boost-baseline - - ALL - - cwe-top-25 - description: The product constructs all or part of a command using externally-influenced - input from an upstream component, but it does not neutralize or incorrectly - neutralizes special elements that could modify the intended command when it - is sent to a downstream component. - group: top10-injection - name: Kotlin_Medium_Threat_Stored_Command_Injection - pretty_name: Stored Command Injection - Kotlin - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Kotlin_Medium_Threat_Stored_LDAP_Injection: - categories: - - checkmarx-medium-threat - - cwe-90 - - owasp-top-10 - - boost-baseline - - ALL - description: The product constructs all or part of an LDAP query using externally-influenced - input from an upstream component, but it does not neutralize or incorrectly - neutralizes special elements that could modify the intended LDAP query when - it is sent to a downstream component. - group: top10-injection - name: Kotlin_Medium_Threat_Stored_LDAP_Injection - pretty_name: Stored LDAP Injection - Kotlin - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Kotlin_Medium_Threat_Unchecked_Input_for_Loop_Condition: - categories: - - checkmarx-medium-threat - - owasp-top-10 - - cwe-606 - - boost-baseline - - ALL - description: The product does not properly check inputs that are used for loop - conditions, potentially leading to a denial of service or other consequences - because of excessive looping. 
- group: top10-insecure-design - name: Kotlin_Medium_Threat_Unchecked_Input_for_Loop_Condition - pretty_name: Unchecked Input for Loop Condition - Kotlin - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Kotlin_Medium_Threat_Use_of_Cryptographically_Weak_PRNG: - categories: - - checkmarx-medium-threat - - cwe-338 - - owasp-top-10 - - boost-baseline - - ALL - description: The product uses a Pseudo-Random Number Generator (PRNG) in a security - context, but the PRNG's algorithm is not cryptographically strong. - group: top10-crypto-failures - name: Kotlin_Medium_Threat_Use_of_Cryptographically_Weak_PRNG - pretty_name: Use of Cryptographically Weak PRNG - Kotlin - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Kotlin_Medium_Threat_Use_of_Hardcoded_Cryptographic_Key: - categories: - - cwe-321 - - checkmarx-medium-threat - - owasp-top-10 - - boost-baseline - - ALL - description: The use of a hard-coded cryptographic key significantly increases - the possibility that encrypted data may be recovered. - group: top10-crypto-failures - name: Kotlin_Medium_Threat_Use_of_Hardcoded_Cryptographic_Key - pretty_name: Use of Hardcoded Cryptographic Key - Kotlin - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Kotlin_Medium_Threat_Use_of_a_One_Way_Hash_with_a_Predictable_Salt: - categories: - - checkmarx-medium-threat - - owasp-top-10 - - cwe-760 - - boost-baseline - - ALL - description: The product uses a one-way cryptographic hash against an input that - should not be reversible, such as a password, but the product uses a predictable - salt as part of the input. 
- group: top10-crypto-failures - name: Kotlin_Medium_Threat_Use_of_a_One_Way_Hash_with_a_Predictable_Salt - pretty_name: Use of a One Way Hash with a Predictable Salt - Kotlin - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Kotlin_Medium_Threat_Use_of_a_One_Way_Hash_without_a_Salt: - categories: - - checkmarx-medium-threat - - cwe-759 - - owasp-top-10 - - boost-baseline - - ALL - description: The product uses a one-way cryptographic hash against an input that - should not be reversible, such as a password, but the product does not also - use a salt as part of the input. - group: top10-crypto-failures - name: Kotlin_Medium_Threat_Use_of_a_One_Way_Hash_without_a_Salt - pretty_name: Use of a One Way Hash without a Salt - Kotlin - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Kotlin_Spring_Spring_View_Manipulation: - categories: - - boost-hardened - - owasp-top-10 - - cwe-917 - - boost-baseline - - ALL - description: The product constructs all or part of an expression language (EL) - statement in a framework such as a Java Server Page (JSP) using externally-influenced - input from an upstream component, but it does not neutralize or incorrectly - neutralizes special elements that could modify the intended EL statement before - it is executed. - group: top10-injection - name: Kotlin_Spring_Spring_View_Manipulation - pretty_name: Spring View Manipulation - Kotlin - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Lua_Best_Coding_Practice_Empty_Methods: - categories: - - owasp-top-10 - - cwe-398 - - checkmarx-best-coding-practices - - boost-baseline - - ALL - description: Indicates that the product has not been carefully developed or maintained. 
- group: top10-insecure-design - name: Lua_Best_Coding_Practice_Empty_Methods - pretty_name: Empty Methods - Lua - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - ObjectiveC_Best_Coding_Practice_Dead_Code: - categories: - - cwe-561 - - owasp-top-10 - - checkmarx-best-coding-practices - - boost-baseline - - ALL - description: The product contains dead code, which can never be executed. - group: top10-insecure-design - name: ObjectiveC_Best_Coding_Practice_Dead_Code - pretty_name: Dead Code - ObjectiveC - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - ObjectiveC_Best_Coding_Practice_Dynamic_SQL_Queries: - categories: - - cwe-89 - - owasp-top-10 - - checkmarx-best-coding-practices - - boost-baseline - - ALL - - cwe-top-25 - description: The product constructs all or part of an SQL command using externally-influenced - input from an upstream component, but it does not neutralize or incorrectly - neutralizes special elements that could modify the intended SQL command when - it is sent to a downstream component. - group: top10-injection - name: ObjectiveC_Best_Coding_Practice_Dynamic_SQL_Queries - pretty_name: Dynamic SQL Queries - ObjectiveC - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - ObjectiveC_Best_Coding_Practice_Empty_Methods: - categories: - - owasp-top-10 - - cwe-398 - - checkmarx-best-coding-practices - - boost-baseline - - ALL - description: Indicates that the product has not been carefully developed or maintained. 
- group: top10-insecure-design - name: ObjectiveC_Best_Coding_Practice_Empty_Methods - pretty_name: Empty Methods - ObjectiveC - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - ObjectiveC_Best_Coding_Practice_Expression_is_Always_False: - categories: - - cwe-570 - - owasp-top-10 - - checkmarx-best-coding-practices - - boost-baseline - - ALL - description: The product contains an expression that will always evaluate to false. - group: top10-insecure-design - name: ObjectiveC_Best_Coding_Practice_Expression_is_Always_False - pretty_name: Expression is Always False - ObjectiveC - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - ObjectiveC_Best_Coding_Practice_Expression_is_Always_True: - categories: - - owasp-top-10 - - cwe-571 - - checkmarx-best-coding-practices - - boost-baseline - - ALL - description: The product contains an expression that will always evaluate to true. - group: top10-insecure-design - name: ObjectiveC_Best_Coding_Practice_Expression_is_Always_True - pretty_name: Expression is Always True - ObjectiveC - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - ObjectiveC_Best_Coding_Practice_Missing_Colon_In_Selector: - categories: - - owasp-top-10 - - checkmarx-best-coding-practices - - boost-baseline - - ALL - - cwe-483 - description: The code does not explicitly delimit a block that is intended to - contain 2 or more statements, creating a logic error. 
- group: top10-insecure-design - name: ObjectiveC_Best_Coding_Practice_Missing_Colon_In_Selector - pretty_name: Missing Colon In Selector - ObjectiveC - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - ObjectiveC_High_Risk_App_Transport_Security_Bypass: - categories: - - boost-hardened - - owasp-top-10 - - cwe-319 - - boost-baseline - - ALL - - checkmarx-high-risk - description: The product transmits sensitive or security-critical data in cleartext - in a communication channel that can be sniffed by unauthorized actors. - group: top10-security-misconfiguration - name: ObjectiveC_High_Risk_App_Transport_Security_Bypass - pretty_name: App Transport Security Bypass - ObjectiveC - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - ObjectiveC_High_Risk_Deserialization_of_Untrusted_Data: - categories: - - boost-hardened - - boost-baseline - - owasp-top-10 - - cwe-502 - - ALL - - checkmarx-high-risk - - cwe-top-25 - description: The product deserializes untrusted data without sufficiently verifying - that the resulting data will be valid. - group: top10-software-data-integrity-failures - name: ObjectiveC_High_Risk_Deserialization_of_Untrusted_Data - pretty_name: Deserialization of Untrusted Data - ObjectiveC - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - ObjectiveC_High_Risk_Information_Exposure_Through_Extension: - categories: - - boost-hardened - - owasp-top-10 - - boost-baseline - - ALL - - cwe-200 - - checkmarx-high-risk - description: The product exposes sensitive information to an actor that is not - explicitly authorized to have access to that information. 
- group: top10-broken-access-control - name: ObjectiveC_High_Risk_Information_Exposure_Through_Extension - pretty_name: Information Exposure Through Extension - ObjectiveC - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - ObjectiveC_High_Risk_Reflected_XSS_All_Clients: - categories: - - boost-hardened - - cwe-79 - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-high-risk - - cwe-top-25 - description: The product does not neutralize or incorrectly neutralizes user-controllable - input before it is placed in output that is used as a web page that is served - to other users. - group: top10-injection - name: ObjectiveC_High_Risk_Reflected_XSS_All_Clients - pretty_name: Reflected XSS All Clients - ObjectiveC - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - ObjectiveC_High_Risk_SQL_Injection: - categories: - - boost-hardened - - cwe-89 - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-high-risk - - cwe-top-25 - description: The product constructs all or part of an SQL command using externally-influenced - input from an upstream component, but it does not neutralize or incorrectly - neutralizes special elements that could modify the intended SQL command when - it is sent to a downstream component. 
- group: top10-injection - name: ObjectiveC_High_Risk_SQL_Injection - pretty_name: SQL Injection - ObjectiveC - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - ObjectiveC_High_Risk_Second_Order_SQL_Injection: - categories: - - boost-hardened - - cwe-89 - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-high-risk - - cwe-top-25 - description: The product constructs all or part of an SQL command using externally-influenced - input from an upstream component, but it does not neutralize or incorrectly - neutralizes special elements that could modify the intended SQL command when - it is sent to a downstream component. - group: top10-injection - name: ObjectiveC_High_Risk_Second_Order_SQL_Injection - pretty_name: Second Order SQL Injection - ObjectiveC - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - ObjectiveC_High_Risk_Stored_XSS: - categories: - - boost-hardened - - cwe-79 - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-high-risk - - cwe-top-25 - description: The product does not neutralize or incorrectly neutralizes user-controllable - input before it is placed in output that is used as a web page that is served - to other users. - group: top10-injection - name: ObjectiveC_High_Risk_Stored_XSS - pretty_name: Stored XSS - ObjectiveC - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - ObjectiveC_High_Risk_Third_Party_Keyboards_On_Sensitive_Field: - categories: - - boost-hardened - - owasp-top-10 - - cwe-829 - - boost-baseline - - ALL - - checkmarx-high-risk - description: The product imports, requires, or includes executable functionality - (such as a library) from a source that is outside of the intended control sphere. 
- group: top10-software-data-integrity-failures - name: ObjectiveC_High_Risk_Third_Party_Keyboards_On_Sensitive_Field - pretty_name: Third Party Keyboards On Sensitive Field - ObjectiveC - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - ObjectiveC_High_Risk_Universal_XSS: - categories: - - boost-hardened - - cwe-79 - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-high-risk - - cwe-top-25 - description: The product does not neutralize or incorrectly neutralizes user-controllable - input before it is placed in output that is used as a web page that is served - to other users. - group: top10-injection - name: ObjectiveC_High_Risk_Universal_XSS - pretty_name: Universal XSS - ObjectiveC - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - ObjectiveC_High_Risk_Unsafe_Reflection: - categories: - - boost-hardened - - cwe-470 - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-high-risk - description: The product uses external input with reflection to select which classes - or code to use, but it does not sufficiently prevent the input from selecting - improper classes or code. - group: top10-injection - name: ObjectiveC_High_Risk_Unsafe_Reflection - pretty_name: Unsafe Reflection - ObjectiveC - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - ObjectiveC_Low_Visibility_Allowed_Backup: - categories: - - cwe-530 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: A backup file is stored in a directory or archive that is made accessible - to unauthorized actors. 
- group: top10-broken-access-control - name: ObjectiveC_Low_Visibility_Allowed_Backup - pretty_name: Allowed Backup - ObjectiveC - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - ObjectiveC_Low_Visibility_Empty_Password: - categories: - - cwe-521 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: The product does not require that users should have strong passwords, - which makes it easier for attackers to compromise user accounts. - group: top10-id-authn-failures - name: ObjectiveC_Low_Visibility_Empty_Password - pretty_name: Empty Password - ObjectiveC - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - ObjectiveC_Low_Visibility_Functions_Apple_Recommends_To_Avoid: - categories: - - cwe-477 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: The code uses deprecated or obsolete functions, which suggests that - the code has not been actively reviewed or maintained. - group: top10-vulnerable-components - name: ObjectiveC_Low_Visibility_Functions_Apple_Recommends_To_Avoid - pretty_name: Functions Apple Recommends To Avoid - ObjectiveC - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - ObjectiveC_Low_Visibility_Heap_Inspection: - categories: - - cwe-244 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: Using realloc() to resize buffers that store sensitive information - can leave the sensitive information exposed to attack, because it is not removed - from memory. 
- group: top10-broken-access-control - name: ObjectiveC_Low_Visibility_Heap_Inspection - pretty_name: Heap Inspection - ObjectiveC - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - ObjectiveC_Low_Visibility_Improper_Resource_Shutdown_or_Release: - categories: - - cwe-404 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: The product does not release or incorrectly releases a resource before - it is made available for re-use. - group: top10-insecure-design - name: ObjectiveC_Low_Visibility_Improper_Resource_Shutdown_or_Release - pretty_name: Improper Resource Shutdown or Release - ObjectiveC - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - ObjectiveC_Low_Visibility_Incorrect_Initialization: - categories: - - cwe-456 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: The product does not initialize critical variables, which causes - the execution environment to use unexpected values. - group: top10-insecure-design - name: ObjectiveC_Low_Visibility_Incorrect_Initialization - pretty_name: Incorrect Initialization - ObjectiveC - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - ObjectiveC_Low_Visibility_Information_Exposure_Through_an_Error_Message: - categories: - - cwe-209 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: The product generates an error message that includes sensitive information - about its environment, users, or associated data. 
- group: top10-insecure-design - name: ObjectiveC_Low_Visibility_Information_Exposure_Through_an_Error_Message - pretty_name: Information Exposure Through an Error Message - ObjectiveC - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - ObjectiveC_Low_Visibility_Information_Leak_Through_Response_Caching: - categories: - - checkmarx-low-visibility - - owasp-top-10 - - cwe-524 - - boost-baseline - - ALL - description: The code uses a cache that contains sensitive information, but the - cache can be read by an actor outside of the intended control sphere. - group: top10-broken-access-control - name: ObjectiveC_Low_Visibility_Information_Leak_Through_Response_Caching - pretty_name: Information Leak Through Response Caching - ObjectiveC - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - ObjectiveC_Low_Visibility_Insufficient_Encryption_Key_Size: - categories: - - ALL - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - cwe-326 - description: The product stores or transmits sensitive data using an encryption - scheme that is theoretically sound, but is not strong enough for the level of - protection required. - group: top10-crypto-failures - name: ObjectiveC_Low_Visibility_Insufficient_Encryption_Key_Size - pretty_name: Insufficient Encryption Key Size - ObjectiveC - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - ObjectiveC_Low_Visibility_Log_Forging: - categories: - - boost-baseline - - ALL - - cwe-117 - - checkmarx-low-visibility - description: The product does not neutralize or incorrectly neutralizes output - that is written to logs. 
- group: top10-security-logging-monitoring-failures - name: ObjectiveC_Low_Visibility_Log_Forging - pretty_name: Log Forging - ObjectiveC - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - ObjectiveC_Low_Visibility_Memory_Leak: - categories: - - cwe-401 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: The product does not sufficiently track and release allocated memory - after it has been used, which slowly consumes remaining memory. - group: top10-broken-access-control - name: ObjectiveC_Low_Visibility_Memory_Leak - pretty_name: Memory Leak - ObjectiveC - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - ObjectiveC_Low_Visibility_Missing_Certificate_Pinning: - categories: - - checkmarx-low-visibility - - owasp-top-10 - - cwe-295 - - boost-baseline - - ALL - description: The product does not validate, or incorrectly validates, a certificate. - group: top10-id-authn-failures - name: ObjectiveC_Low_Visibility_Missing_Certificate_Pinning - pretty_name: Missing Certificate Pinning - ObjectiveC - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - ObjectiveC_Low_Visibility_Missing_Device_Lock_Verification: - categories: - - checkmarx-low-visibility - - owasp-top-10 - - cwe-829 - - boost-baseline - - ALL - description: The product imports, requires, or includes executable functionality - (such as a library) from a source that is outside of the intended control sphere. 
- group: top10-software-data-integrity-failures - name: ObjectiveC_Low_Visibility_Missing_Device_Lock_Verification - pretty_name: Missing Device Lock Verification - ObjectiveC - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - ObjectiveC_Low_Visibility_Missing_Jailbreak_Check: - categories: - - cwe-693 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: The product does not use or incorrectly uses a protection mechanism - that provides sufficient defense against directed attacks against the product. - group: top10-insecure-design - name: ObjectiveC_Low_Visibility_Missing_Jailbreak_Check - pretty_name: Missing Jailbreak Check - ObjectiveC - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - ObjectiveC_Low_Visibility_Null_Password: - categories: - - cwe-252 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: The product does not check the return value from a method or function, - which can prevent it from detecting unexpected states and conditions. - group: top10-insecure-design - name: ObjectiveC_Low_Visibility_Null_Password - pretty_name: Null Password - ObjectiveC - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - ObjectiveC_Low_Visibility_Password_In_Comment: - categories: - - cwe-615 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: 'While adding general comments is very useful, some programmers tend - to leave important data, such as: filenames related to the web application, - old links or links which were not meant to be browsed by users, old code fragments, - etc.' 
- group: top10-id-authn-failures - name: ObjectiveC_Low_Visibility_Password_In_Comment - pretty_name: Password In Comment - ObjectiveC - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - ObjectiveC_Low_Visibility_Plain_Text_Transport_Layer: - categories: - - checkmarx-low-visibility - - owasp-top-10 - - cwe-311 - - boost-baseline - - ALL - description: The product does not encrypt sensitive or critical information before - storage or transmission. - group: top10-insecure-design - name: ObjectiveC_Low_Visibility_Plain_Text_Transport_Layer - pretty_name: Plain Text Transport Layer - ObjectiveC - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - ObjectiveC_Low_Visibility_Poor_Authorization_and_Authentication: - categories: - - cwe-287 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - - cwe-top-25 - description: When an actor claims to have a given identity, the product does not - prove or insufficiently proves that the claim is correct. - group: top10-id-authn-failures - name: ObjectiveC_Low_Visibility_Poor_Authorization_and_Authentication - pretty_name: Poor Authorization and Authentication - ObjectiveC - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - ObjectiveC_Low_Visibility_Potential_ReDoS: - categories: - - checkmarx-low-visibility - - owasp-top-10 - - cwe-400 - - boost-baseline - - ALL - - cwe-top-25 - description: The product does not properly control the allocation and maintenance - of a limited resource, thereby enabling an actor to influence the amount of - resources consumed, eventually leading to the exhaustion of available resources. 
- group: top10-insecure-design - name: ObjectiveC_Low_Visibility_Potential_ReDoS - pretty_name: Potential ReDoS - ObjectiveC - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - ObjectiveC_Low_Visibility_Sensitive_Data_In_Temp_Folders: - categories: - - checkmarx-low-visibility - - owasp-top-10 - - cwe-377 - - boost-baseline - - ALL - description: Creating and using insecure temporary files can leave application - and system data vulnerable to attack. - group: top10-broken-access-control - name: ObjectiveC_Low_Visibility_Sensitive_Data_In_Temp_Folders - pretty_name: Sensitive Data In Temp Folders - ObjectiveC - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - ObjectiveC_Low_Visibility_Third_Party_Keyboard_Enabled: - categories: - - checkmarx-low-visibility - - owasp-top-10 - - cwe-829 - - boost-baseline - - ALL - description: The product imports, requires, or includes executable functionality - (such as a library) from a source that is outside of the intended control sphere. - group: top10-software-data-integrity-failures - name: ObjectiveC_Low_Visibility_Third_Party_Keyboard_Enabled - pretty_name: Third Party Keyboard Enabled - ObjectiveC - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - ObjectiveC_Low_Visibility_Unchecked_Return_Value: - categories: - - cwe-252 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: The product does not check the return value from a method or function, - which can prevent it from detecting unexpected states and conditions. 
- group: top10-insecure-design - name: ObjectiveC_Low_Visibility_Unchecked_Return_Value - pretty_name: Unchecked Return Value - ObjectiveC - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - ObjectiveC_Low_Visibility_Use_of_Broken_or_Risky_Cryptographic_Algorithm: - categories: - - cwe-327 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: The product uses a broken or risky cryptographic algorithm or protocol. - group: top10-crypto-failures - name: ObjectiveC_Low_Visibility_Use_of_Broken_or_Risky_Cryptographic_Algorithm - pretty_name: Use of Broken or Risky Cryptographic Algorithm - ObjectiveC - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - ObjectiveC_Low_Visibility_Use_of_Hardcoded_Cryptographic_Key: - categories: - - cwe-321 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: The use of a hard-coded cryptographic key significantly increases - the possibility that encrypted data may be recovered. - group: top10-crypto-failures - name: ObjectiveC_Low_Visibility_Use_of_Hardcoded_Cryptographic_Key - pretty_name: Use of Hardcoded Cryptographic Key - ObjectiveC - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - ObjectiveC_Low_Visibility_Use_of_Hardcoded_Password: - categories: - - ALL - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - cwe-259 - description: The product contains a hard-coded password, which it uses for its - own inbound authentication or for outbound communication to external components. 
- group: top10-id-authn-failures - name: ObjectiveC_Low_Visibility_Use_of_Hardcoded_Password - pretty_name: Use of Hardcoded Password - ObjectiveC - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - ObjectiveC_Low_Visibility_Use_of_Insufficiently_Random_Values: - categories: - - cwe-330 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: The product uses insufficiently random numbers or values in a security - context that depends on unpredictable numbers. - group: top10-crypto-failures - name: ObjectiveC_Low_Visibility_Use_of_Insufficiently_Random_Values - pretty_name: Use of Insufficiently Random Values - ObjectiveC - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - ObjectiveC_Low_Visibility_Use_of_Obsolete_Functions: - categories: - - cwe-477 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: The code uses deprecated or obsolete functions, which suggests that - the code has not been actively reviewed or maintained. - group: top10-insecure-design - name: ObjectiveC_Low_Visibility_Use_of_Obsolete_Functions - pretty_name: Use of Obsolete Functions - ObjectiveC - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - ObjectiveC_Low_Visibility_iOS_Improper_Resource_Release_Shutdown: - categories: - - cwe-404 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: The product does not release or incorrectly releases a resource before - it is made available for re-use. 
- group: top10-insecure-design - name: ObjectiveC_Low_Visibility_iOS_Improper_Resource_Release_Shutdown - pretty_name: iOS Improper Resource Release Shutdown - ObjectiveC - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - ObjectiveC_Medium_Threat_Autocorrection_Keystroke_Logging: - categories: - - checkmarx-medium-threat - - owasp-top-10 - - boost-baseline - - ALL - - cwe-359 - description: The product does not properly prevent a person's private, personal - information from being accessed by actors who either (1) are not explicitly - authorized to access the information or (2) do not have the implicit consent - of the person about whom the information is collected. - group: top10-broken-access-control - name: ObjectiveC_Medium_Threat_Autocorrection_Keystroke_Logging - pretty_name: Autocorrection Keystroke Logging - ObjectiveC - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - ObjectiveC_Medium_Threat_Cut_And_Paste_Leakage: - categories: - - checkmarx-medium-threat - - owasp-top-10 - - boost-baseline - - ALL - - cwe-200 - description: The product exposes sensitive information to an actor that is not - explicitly authorized to have access to that information. - group: top10-broken-access-control - name: ObjectiveC_Medium_Threat_Cut_And_Paste_Leakage - pretty_name: Cut And Paste Leakage - ObjectiveC - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - ObjectiveC_Medium_Threat_Format_String_Attack: - categories: - - checkmarx-medium-threat - - cwe-134 - - owasp-top-10 - - boost-baseline - - ALL - description: The product uses a function that accepts a format string as an argument, - but the format string originates from an external source. 
- group: top10-injection - name: ObjectiveC_Medium_Threat_Format_String_Attack - pretty_name: Format String Attack - ObjectiveC - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - ObjectiveC_Medium_Threat_Improper_Certificate_Validation: - categories: - - checkmarx-medium-threat - - owasp-top-10 - - cwe-295 - - boost-baseline - - ALL - description: The product does not validate, or incorrectly validates, a certificate. - group: top10-id-authn-failures - name: ObjectiveC_Medium_Threat_Improper_Certificate_Validation - pretty_name: Improper Certificate Validation - ObjectiveC - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - ObjectiveC_Medium_Threat_Information_Exposure_Through_Query_String: - categories: - - checkmarx-medium-threat - - owasp-top-10 - - cwe-598 - - boost-baseline - - ALL - description: The web application uses the HTTP GET method to process a request - and includes sensitive information in the query string of that request. - group: top10-insecure-design - name: ObjectiveC_Medium_Threat_Information_Exposure_Through_Query_String - pretty_name: Information Exposure Through Query String - ObjectiveC - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - ObjectiveC_Medium_Threat_Insecure_Data_Storage: - categories: - - checkmarx-medium-threat - - cwe-312 - - owasp-top-10 - - boost-baseline - - ALL - description: The product stores sensitive information in cleartext within a resource - that might be accessible to another control sphere. 
- group: top10-insecure-design - name: ObjectiveC_Medium_Threat_Insecure_Data_Storage - pretty_name: Insecure Data Storage - ObjectiveC - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - ObjectiveC_Medium_Threat_Insufficient_Transport_Layer_Input: - categories: - - checkmarx-medium-threat - - owasp-top-10 - - cwe-319 - - boost-baseline - - ALL - description: The product transmits sensitive or security-critical data in cleartext - in a communication channel that can be sniffed by unauthorized actors. - group: top10-security-misconfiguration - name: ObjectiveC_Medium_Threat_Insufficient_Transport_Layer_Input - pretty_name: Insufficient Transport Layer Input - ObjectiveC - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - ObjectiveC_Medium_Threat_Insufficient_Transport_Layer_Output: - categories: - - checkmarx-medium-threat - - owasp-top-10 - - cwe-319 - - boost-baseline - - ALL - description: The product transmits sensitive or security-critical data in cleartext - in a communication channel that can be sniffed by unauthorized actors. - group: top10-security-misconfiguration - name: ObjectiveC_Medium_Threat_Insufficient_Transport_Layer_Output - pretty_name: Insufficient Transport Layer Output - ObjectiveC - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - ObjectiveC_Medium_Threat_Missing_Encryption_of_Sensitive_Data: - categories: - - checkmarx-medium-threat - - owasp-top-10 - - cwe-311 - - boost-baseline - - ALL - description: The product does not encrypt sensitive or critical information before - storage or transmission. 
- group: top10-insecure-design - name: ObjectiveC_Medium_Threat_Missing_Encryption_of_Sensitive_Data - pretty_name: Missing Encryption of Sensitive Data - ObjectiveC - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - ObjectiveC_Medium_Threat_Parameter_Tampering: - categories: - - checkmarx-medium-threat - - owasp-top-10 - - cwe-472 - - boost-baseline - - ALL - description: The web application does not sufficiently verify inputs that are - assumed to be immutable but are actually externally controllable, such as hidden - form fields. - group: top10-insecure-design - name: ObjectiveC_Medium_Threat_Parameter_Tampering - pretty_name: Parameter Tampering - ObjectiveC - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - ObjectiveC_Medium_Threat_Path_Traversal: - categories: - - ALL - - checkmarx-medium-threat - - owasp-top-10 - - boost-baseline - - cwe-22 - - cwe-top-25 - description: The product uses external input to construct a pathname that is intended - to identify a file or directory that is located underneath a restricted parent - directory, but the product does not properly neutralize special elements within - the pathname that can cause the pathname to resolve to a location that is outside - of the restricted directory. - group: top10-broken-access-control - name: ObjectiveC_Medium_Threat_Path_Traversal - pretty_name: Path Traversal - ObjectiveC - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - ObjectiveC_Medium_Threat_ReDoS: - categories: - - checkmarx-medium-threat - - owasp-top-10 - - boost-baseline - - ALL - - cwe-1333 - description: The product uses a regular expression with an inefficient, possibly - exponential worst-case computational complexity that consumes excessive CPU - cycles. 
- group: top10-insecure-design - name: ObjectiveC_Medium_Threat_ReDoS - pretty_name: ReDoS - ObjectiveC - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - ObjectiveC_Medium_Threat_Screen_Caching: - categories: - - checkmarx-medium-threat - - owasp-top-10 - - cwe-524 - - boost-baseline - - ALL - description: The code uses a cache that contains sensitive information, but the - cache can be read by an actor outside of the intended control sphere. - group: top10-broken-access-control - name: ObjectiveC_Medium_Threat_Screen_Caching - pretty_name: Screen Caching - ObjectiveC - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - ObjectiveC_Medium_Threat_Side_Channel_Data_Leakage: - categories: - - checkmarx-medium-threat - - owasp-top-10 - - boost-baseline - - ALL - - cwe-200 - description: The product exposes sensitive information to an actor that is not - explicitly authorized to have access to that information. - group: top10-broken-access-control - name: ObjectiveC_Medium_Threat_Side_Channel_Data_Leakage - pretty_name: Side Channel Data Leakage - ObjectiveC - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - ObjectiveC_Medium_Threat_XML_External_Entity: - categories: - - checkmarx-medium-threat - - cwe-611 - - boost-baseline - - ALL - - cwe-top-25 - description: The product processes an XML document that can contain XML entities - with URIs that resolve to documents outside of the intended sphere of control, - causing the product to embed incorrect documents into its output. 
- group: top10-security-misconfiguration - name: ObjectiveC_Medium_Threat_XML_External_Entity - pretty_name: XML External Entity - ObjectiveC - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - PHP_High_Risk_Code_Injection: - categories: - - boost-hardened - - cwe-94 - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-high-risk - - cwe-top-25 - description: The product constructs all or part of a code segment using externally-influenced - input from an upstream component, but it does not neutralize or incorrectly - neutralizes special elements that could modify the syntax or behavior of the - intended code segment. - group: top10-injection - name: PHP_High_Risk_Code_Injection - pretty_name: Code Injection - PHP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - PHP_High_Risk_Command_Injection: - categories: - - boost-hardened - - cwe-77 - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-high-risk - - cwe-top-25 - description: The product constructs all or part of a command using externally-influenced - input from an upstream component, but it does not neutralize or incorrectly - neutralizes special elements that could modify the intended command when it - is sent to a downstream component. - group: top10-injection - name: PHP_High_Risk_Command_Injection - pretty_name: Command Injection - PHP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - PHP_High_Risk_File_Disclosure: - categories: - - boost-hardened - - cwe-538 - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-high-risk - description: The product places sensitive information into files or directories - that are accessible to actors who are allowed to have access to the files, but - not to the sensitive information. 
- group: top10-broken-access-control - name: PHP_High_Risk_File_Disclosure - pretty_name: File Disclosure - PHP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - PHP_High_Risk_File_Inclusion: - categories: - - boost-hardened - - cwe-98 - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-high-risk - description: The PHP application receives input from an upstream component, but - it does not restrict or incorrectly restricts the input before its usage in - "require," "include," or similar functions. - group: top10-injection - name: PHP_High_Risk_File_Inclusion - pretty_name: File Inclusion - PHP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - PHP_High_Risk_File_Manipulation: - categories: - - boost-hardened - - owasp-top-10 - - cwe-552 - - boost-baseline - - ALL - - checkmarx-high-risk - description: The product makes files or directories accessible to unauthorized - actors, even though they should not be. - group: top10-broken-access-control - name: PHP_High_Risk_File_Manipulation - pretty_name: File Manipulation - PHP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - PHP_High_Risk_LDAP_Injection: - categories: - - boost-hardened - - cwe-90 - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-high-risk - description: The product constructs all or part of an LDAP query using externally-influenced - input from an upstream component, but it does not neutralize or incorrectly - neutralizes special elements that could modify the intended LDAP query when - it is sent to a downstream component. 
- group: top10-injection - name: PHP_High_Risk_LDAP_Injection - pretty_name: LDAP Injection - PHP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - PHP_High_Risk_Reflected_XSS_All_Clients: - categories: - - boost-hardened - - cwe-79 - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-high-risk - - cwe-top-25 - description: The product does not neutralize or incorrectly neutralizes user-controllable - input before it is placed in output that is used as a web page that is served - to other users. - group: top10-injection - name: PHP_High_Risk_Reflected_XSS_All_Clients - pretty_name: Reflected XSS All Clients - PHP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - PHP_High_Risk_Reflection_Injection: - categories: - - boost-hardened - - cwe-470 - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-high-risk - description: The product uses external input with reflection to select which classes - or code to use, but it does not sufficiently prevent the input from selecting - improper classes or code. - group: top10-injection - name: PHP_High_Risk_Reflection_Injection - pretty_name: Reflection Injection - PHP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - PHP_High_Risk_Remote_File_Inclusion: - categories: - - boost-hardened - - owasp-top-10 - - cwe-829 - - boost-baseline - - ALL - - checkmarx-high-risk - description: The product imports, requires, or includes executable functionality - (such as a library) from a source that is outside of the intended control sphere. 
- group: top10-software-data-integrity-failures - name: PHP_High_Risk_Remote_File_Inclusion - pretty_name: Remote File Inclusion - PHP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - PHP_High_Risk_SQL_Injection: - categories: - - boost-hardened - - cwe-89 - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-high-risk - - cwe-top-25 - description: The product constructs all or part of an SQL command using externally-influenced - input from an upstream component, but it does not neutralize or incorrectly - neutralizes special elements that could modify the intended SQL command when - it is sent to a downstream component. - group: top10-injection - name: PHP_High_Risk_SQL_Injection - pretty_name: SQL Injection - PHP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - PHP_High_Risk_Second_Order_SQL_Injection: - categories: - - boost-hardened - - cwe-89 - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-high-risk - - cwe-top-25 - description: The product constructs all or part of an SQL command using externally-influenced - input from an upstream component, but it does not neutralize or incorrectly - neutralizes special elements that could modify the intended SQL command when - it is sent to a downstream component. - group: top10-injection - name: PHP_High_Risk_Second_Order_SQL_Injection - pretty_name: Second Order SQL Injection - PHP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - PHP_High_Risk_Stored_XSS: - categories: - - boost-hardened - - cwe-79 - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-high-risk - - cwe-top-25 - description: The product does not neutralize or incorrectly neutralizes user-controllable - input before it is placed in output that is used as a web page that is served - to other users. 
- group: top10-injection - name: PHP_High_Risk_Stored_XSS - pretty_name: Stored XSS - PHP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - PHP_High_Risk_XPath_Injection: - categories: - - boost-hardened - - cwe-643 - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-high-risk - description: The product uses external input to dynamically construct an XPath - expression used to retrieve data from an XML database, but it does not neutralize - or incorrectly neutralizes that input. This allows an attacker to control the - structure of the query. - group: top10-injection - name: PHP_High_Risk_XPath_Injection - pretty_name: XPath Injection - PHP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - PHP_Medium_Threat_CSRF: - categories: - - checkmarx-medium-threat - - cwe-352 - - owasp-top-10 - - boost-baseline - - ALL - - cwe-top-25 - description: The web application does not, or can not, sufficiently verify whether - a well-formed, valid, consistent request was intentionally provided by the user - who submitted the request. - group: top10-injection - name: PHP_Medium_Threat_CSRF - pretty_name: CSRF - PHP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - PHP_Medium_Threat_DB_Parameter_Tampering: - categories: - - checkmarx-medium-threat - - owasp-top-10 - - cwe-284 - - boost-baseline - - ALL - description: The product does not restrict or incorrectly restricts access to - a resource from an unauthorized actor. 
- group: top10-broken-access-control - name: PHP_Medium_Threat_DB_Parameter_Tampering - pretty_name: DB Parameter Tampering - PHP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - PHP_Medium_Threat_Deserialization_of_Untrusted_Data: - categories: - - boost-baseline - - checkmarx-medium-threat - - owasp-top-10 - - cwe-502 - - ALL - - cwe-top-25 - description: The product deserializes untrusted data without sufficiently verifying - that the resulting data will be valid. - group: top10-software-data-integrity-failures - name: PHP_Medium_Threat_Deserialization_of_Untrusted_Data - pretty_name: Deserialization of Untrusted Data - PHP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - PHP_Medium_Threat_DoS_by_Sleep: - categories: - - checkmarx-medium-threat - - owasp-top-10 - - boost-baseline - - ALL - description: The product performs an iteration or loop without sufficiently limiting - the number of times that the loop is executed. - group: top10-insecure-design - name: PHP_Medium_Threat_DoS_by_Sleep - pretty_name: DoS by Sleep - PHP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - PHP_Medium_Threat_HTTP_Response_Splitting: - categories: - - checkmarx-medium-threat - - cwe-113 - - owasp-top-10 - - boost-baseline - - ALL - description: The product receives data from an HTTP agent/component (e.g., web - server, proxy, browser, etc.), but it does not neutralize or incorrectly neutralizes - CR and LF characters before the data is included in outgoing HTTP headers. 
- group: top10-injection - name: PHP_Medium_Threat_HTTP_Response_Splitting - pretty_name: HTTP Response Splitting - PHP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - PHP_Medium_Threat_Header_Injection: - categories: - - checkmarx-medium-threat - - cwe-113 - - owasp-top-10 - - boost-baseline - - ALL - description: The product receives data from an HTTP agent/component (e.g., web - server, proxy, browser, etc.), but it does not neutralize or incorrectly neutralizes - CR and LF characters before the data is included in outgoing HTTP headers. - group: top10-injection - name: PHP_Medium_Threat_Header_Injection - pretty_name: Header Injection - PHP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - PHP_Medium_Threat_HttpOnlyCookies: - categories: - - cwe-1004 - - ALL - - boost-baseline - - checkmarx-medium-threat - description: The product uses a cookie to store sensitive information, but the - cookie is not marked with the HttpOnly flag. - group: top10-security-misconfiguration - name: PHP_Medium_Threat_HttpOnlyCookies - pretty_name: HttpOnlyCookies - PHP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - PHP_Medium_Threat_Improper_Control_of_Dynamically_Identified_Variables: - categories: - - checkmarx-medium-threat - - cwe-914 - - owasp-top-10 - - boost-baseline - - ALL - description: The product does not properly restrict reading from or writing to - dynamically-identified variables. 
- group: top10-insecure-design - name: PHP_Medium_Threat_Improper_Control_of_Dynamically_Identified_Variables - pretty_name: Improper Control of Dynamically Identified Variables - PHP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - PHP_Medium_Threat_Improper_Neutralization_of_SQL_Command: - categories: - - checkmarx-medium-threat - - cwe-89 - - owasp-top-10 - - boost-baseline - - ALL - - cwe-top-25 - description: The product constructs all or part of an SQL command using externally-influenced - input from an upstream component, but it does not neutralize or incorrectly - neutralizes special elements that could modify the intended SQL command when - it is sent to a downstream component. - group: top10-injection - name: PHP_Medium_Threat_Improper_Neutralization_of_SQL_Command - pretty_name: Improper Neutralization of SQL Command - PHP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - PHP_Medium_Threat_Improper_Restriction_of_Stored_XXE_Ref: - categories: - - checkmarx-medium-threat - - cwe-611 - - boost-baseline - - ALL - - cwe-top-25 - description: The product processes an XML document that can contain XML entities - with URIs that resolve to documents outside of the intended sphere of control, - causing the product to embed incorrect documents into its output. 
- group: top10-security-misconfiguration - name: PHP_Medium_Threat_Improper_Restriction_of_Stored_XXE_Ref - pretty_name: Improper Restriction of Stored XXE Ref - PHP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - PHP_Medium_Threat_Improper_Restriction_of_XXE_Ref: - categories: - - checkmarx-medium-threat - - cwe-611 - - boost-baseline - - ALL - - cwe-top-25 - description: The product processes an XML document that can contain XML entities - with URIs that resolve to documents outside of the intended sphere of control, - causing the product to embed incorrect documents into its output. - group: top10-security-misconfiguration - name: PHP_Medium_Threat_Improper_Restriction_of_XXE_Ref - pretty_name: Improper Restriction of XXE Ref - PHP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - PHP_Medium_Threat_Inappropriate_Encoding_for_Output_Context: - categories: - - checkmarx-medium-threat - - owasp-top-10 - - boost-baseline - - ALL - - cwe-838 - description: The product uses or specifies an encoding when generating output - to a downstream component, but the specified encoding is not the same as the - encoding that is expected by the downstream component. - group: top10-injection - name: PHP_Medium_Threat_Inappropriate_Encoding_for_Output_Context - pretty_name: Inappropriate Encoding for Output Context - PHP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - PHP_Medium_Threat_Insecure_Randomness: - categories: - - checkmarx-medium-threat - - cwe-330 - - owasp-top-10 - - boost-baseline - - ALL - description: The product uses insufficiently random numbers or values in a security - context that depends on unpredictable numbers. 
- group: top10-crypto-failures - name: PHP_Medium_Threat_Insecure_Randomness - pretty_name: Insecure Randomness - PHP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - PHP_Medium_Threat_Missing_HSTS_Header: - categories: - - checkmarx-medium-threat - - owasp-top-10 - - boost-baseline - - ALL - - cwe-346 - description: The product does not properly verify that the source of data or communication - is valid. - group: top10-id-authn-failures - name: PHP_Medium_Threat_Missing_HSTS_Header - pretty_name: Missing HSTS Header - PHP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - PHP_Medium_Threat_Object_Injection: - categories: - - boost-baseline - - checkmarx-medium-threat - - owasp-top-10 - - cwe-502 - - ALL - - cwe-top-25 - description: The product deserializes untrusted data without sufficiently verifying - that the resulting data will be valid. - group: top10-software-data-integrity-failures - name: PHP_Medium_Threat_Object_Injection - pretty_name: Object Injection - PHP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - PHP_Medium_Threat_Open_Redirect: - categories: - - checkmarx-medium-threat - - cwe-601 - - owasp-top-10 - - boost-baseline - - ALL - description: A web application accepts a user-controlled input that specifies - a link to an external site, and uses that link in a Redirect. This simplifies - phishing attacks. 
- group: top10-broken-access-control - name: PHP_Medium_Threat_Open_Redirect - pretty_name: Open Redirect - PHP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - PHP_Medium_Threat_Parameter_Tampering: - categories: - - checkmarx-medium-threat - - owasp-top-10 - - cwe-472 - - boost-baseline - - ALL - description: The web application does not sufficiently verify inputs that are - assumed to be immutable but are actually externally controllable, such as hidden - form fields. - group: top10-insecure-design - name: PHP_Medium_Threat_Parameter_Tampering - pretty_name: Parameter Tampering - PHP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - PHP_Medium_Threat_Path_Traversal: - categories: - - ALL - - checkmarx-medium-threat - - owasp-top-10 - - boost-baseline - - cwe-22 - - cwe-top-25 - description: The product uses external input to construct a pathname that is intended - to identify a file or directory that is located underneath a restricted parent - directory, but the product does not properly neutralize special elements within - the pathname that can cause the pathname to resolve to a location that is outside - of the restricted directory. - group: top10-broken-access-control - name: PHP_Medium_Threat_Path_Traversal - pretty_name: Path Traversal - PHP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - PHP_Medium_Threat_Privacy_Violation: - categories: - - checkmarx-medium-threat - - owasp-top-10 - - boost-baseline - - ALL - - cwe-359 - description: The product does not properly prevent a person's private, personal - information from being accessed by actors who either (1) are not explicitly - authorized to access the information or (2) do not have the implicit consent - of the person about whom the information is collected. 
- group: top10-broken-access-control - name: PHP_Medium_Threat_Privacy_Violation - pretty_name: Privacy Violation - PHP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - PHP_Medium_Threat_Reflected_File_Download: - categories: - - checkmarx-medium-threat - - cwe-425 - - owasp-top-10 - - boost-baseline - - ALL - description: The web application does not adequately enforce appropriate authorization - on all restricted URLs, scripts, or files. - group: top10-broken-access-control - name: PHP_Medium_Threat_Reflected_File_Download - pretty_name: Reflected File Download - PHP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - PHP_Medium_Threat_SSL_Verification_Bypass: - categories: - - checkmarx-medium-threat - - cwe-599 - - owasp-top-10 - - boost-baseline - - ALL - description: The product uses OpenSSL and trusts or uses a certificate without - using the SSL_get_verify_result() function to ensure that the certificate satisfies - all necessary security requirements. - group: top10-software-data-integrity-failures - name: PHP_Medium_Threat_SSL_Verification_Bypass - pretty_name: SSL Verification Bypass - PHP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - PHP_Medium_Threat_Session_Fixation: - categories: - - checkmarx-medium-threat - - owasp-top-10 - - boost-baseline - - ALL - - cwe-384 - description: Authenticating a user, or otherwise establishing a new user session, - without invalidating any existing session identifier gives an attacker the opportunity - to steal authenticated sessions. 
- group: top10-id-authn-failures - name: PHP_Medium_Threat_Session_Fixation - pretty_name: Session Fixation - PHP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - PHP_Medium_Threat_Stored_Code_Injection: - categories: - - checkmarx-medium-threat - - cwe-94 - - owasp-top-10 - - boost-baseline - - ALL - - cwe-top-25 - description: The product constructs all or part of a code segment using externally-influenced - input from an upstream component, but it does not neutralize or incorrectly - neutralizes special elements that could modify the syntax or behavior of the - intended code segment. - group: top10-injection - name: PHP_Medium_Threat_Stored_Code_Injection - pretty_name: Stored Code Injection - PHP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - PHP_Medium_Threat_Stored_Command_Injection: - categories: - - cwe-77 - - checkmarx-medium-threat - - owasp-top-10 - - boost-baseline - - ALL - - cwe-top-25 - description: The product constructs all or part of a command using externally-influenced - input from an upstream component, but it does not neutralize or incorrectly - neutralizes special elements that could modify the intended command when it - is sent to a downstream component. - group: top10-injection - name: PHP_Medium_Threat_Stored_Command_Injection - pretty_name: Stored Command Injection - PHP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - PHP_Medium_Threat_Stored_File_Inclusion: - categories: - - checkmarx-medium-threat - - cwe-98 - - owasp-top-10 - - boost-baseline - - ALL - description: The PHP application receives input from an upstream component, but - it does not restrict or incorrectly restricts the input before its usage in - "require," "include," or similar functions. 
- group: top10-injection - name: PHP_Medium_Threat_Stored_File_Inclusion - pretty_name: Stored File Inclusion - PHP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - PHP_Medium_Threat_Stored_File_Manipulation: - categories: - - checkmarx-medium-threat - - owasp-top-10 - - cwe-552 - - boost-baseline - - ALL - description: The product makes files or directories accessible to unauthorized - actors, even though they should not be. - group: top10-broken-access-control - name: PHP_Medium_Threat_Stored_File_Manipulation - pretty_name: Stored File Manipulation - PHP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - PHP_Medium_Threat_Stored_LDAP_Injection: - categories: - - checkmarx-medium-threat - - cwe-90 - - owasp-top-10 - - boost-baseline - - ALL - description: The product constructs all or part of an LDAP query using externally-influenced - input from an upstream component, but it does not neutralize or incorrectly - neutralizes special elements that could modify the intended LDAP query when - it is sent to a downstream component. - group: top10-injection - name: PHP_Medium_Threat_Stored_LDAP_Injection - pretty_name: Stored LDAP Injection - PHP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - PHP_Medium_Threat_Stored_Reflection_Injection: - categories: - - checkmarx-medium-threat - - cwe-470 - - owasp-top-10 - - boost-baseline - - ALL - description: The product uses external input with reflection to select which classes - or code to use, but it does not sufficiently prevent the input from selecting - improper classes or code. 
- group: top10-injection - name: PHP_Medium_Threat_Stored_Reflection_Injection - pretty_name: Stored Reflection Injection - PHP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - PHP_Medium_Threat_Stored_Remote_File_Inclusion: - categories: - - checkmarx-medium-threat - - cwe-98 - - owasp-top-10 - - boost-baseline - - ALL - description: The PHP application receives input from an upstream component, but - it does not restrict or incorrectly restricts the input before its usage in - "require," "include," or similar functions. - group: top10-injection - name: PHP_Medium_Threat_Stored_Remote_File_Inclusion - pretty_name: Stored Remote File Inclusion - PHP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - PHP_Medium_Threat_Stored_XPath_Injection: - categories: - - checkmarx-medium-threat - - cwe-643 - - owasp-top-10 - - boost-baseline - - ALL - description: The product uses external input to dynamically construct an XPath - expression used to retrieve data from an XML database, but it does not neutralize - or incorrectly neutralizes that input. This allows an attacker to control the - structure of the query. - group: top10-injection - name: PHP_Medium_Threat_Stored_XPath_Injection - pretty_name: Stored XPath Injection - PHP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - PHP_Medium_Threat_Use_of_Hard_coded_Cryptographic_Key: - categories: - - cwe-321 - - checkmarx-medium-threat - - owasp-top-10 - - boost-baseline - - ALL - description: The use of a hard-coded cryptographic key significantly increases - the possibility that encrypted data may be recovered. 
- group: top10-crypto-failures - name: PHP_Medium_Threat_Use_of_Hard_coded_Cryptographic_Key - pretty_name: Use of Hard coded Cryptographic Key - PHP - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - PLSQL_Best_Coding_Practice_Unchecked_Error_Condition: - categories: - - owasp-top-10 - - cwe-391 - - checkmarx-best-coding-practices - - boost-baseline - - ALL - description: '[PLANNED FOR DEPRECATION. SEE MAINTENANCE NOTES AND CONSIDER' - group: top10-insecure-design - name: PLSQL_Best_Coding_Practice_Unchecked_Error_Condition - pretty_name: Unchecked Error Condition - PLSQL - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - PLSQL_Best_Coding_Practice_Use_of_Potentially_Dangerous_Function: - categories: - - owasp-top-10 - - checkmarx-best-coding-practices - - cwe-676 - - boost-baseline - - ALL - description: The product invokes a potentially dangerous function that could introduce - a vulnerability if it is used incorrectly, but the function can also be used - safely. - group: top10-insecure-design - name: PLSQL_Best_Coding_Practice_Use_of_Potentially_Dangerous_Function - pretty_name: Use of Potentially Dangerous Function - PLSQL - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - PLSQL_High_Risk_Reflected_XSS_All_Clients: - categories: - - boost-hardened - - cwe-79 - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-high-risk - - cwe-top-25 - description: The product does not neutralize or incorrectly neutralizes user-controllable - input before it is placed in output that is used as a web page that is served - to other users. 
- group: top10-injection - name: PLSQL_High_Risk_Reflected_XSS_All_Clients - pretty_name: Reflected XSS All Clients - PLSQL - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - PLSQL_High_Risk_Resource_Injection: - categories: - - boost-hardened - - owasp-top-10 - - cwe-99 - - boost-baseline - - ALL - - checkmarx-high-risk - description: The product receives input from an upstream component, but it does - not restrict or incorrectly restricts the input before it is used as an identifier - for a resource that may be outside the intended sphere of control. - group: top10-injection - name: PLSQL_High_Risk_Resource_Injection - pretty_name: Resource Injection - PLSQL - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - PLSQL_High_Risk_SQL_Injection: - categories: - - boost-hardened - - cwe-89 - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-high-risk - - cwe-top-25 - description: The product constructs all or part of an SQL command using externally-influenced - input from an upstream component, but it does not neutralize or incorrectly - neutralizes special elements that could modify the intended SQL command when - it is sent to a downstream component. - group: top10-injection - name: PLSQL_High_Risk_SQL_Injection - pretty_name: SQL Injection - PLSQL - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - PLSQL_High_Risk_Second_Order_SQL_Injection: - categories: - - boost-hardened - - cwe-89 - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-high-risk - - cwe-top-25 - description: The product constructs all or part of an SQL command using externally-influenced - input from an upstream component, but it does not neutralize or incorrectly - neutralizes special elements that could modify the intended SQL command when - it is sent to a downstream component. 
- group: top10-injection - name: PLSQL_High_Risk_Second_Order_SQL_Injection - pretty_name: Second Order SQL Injection - PLSQL - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - PLSQL_High_Risk_Stored_XSS: - categories: - - boost-hardened - - cwe-79 - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-high-risk - - cwe-top-25 - description: The product does not neutralize or incorrectly neutralizes user-controllable - input before it is placed in output that is used as a web page that is served - to other users. - group: top10-injection - name: PLSQL_High_Risk_Stored_XSS - pretty_name: Stored XSS - PLSQL - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - PLSQL_Low_Visibility_Authorization_Bypass_Through_User_Controlled_SQL_PrimaryKey: - categories: - - checkmarx-low-visibility - - owasp-top-10 - - cwe-566 - - boost-baseline - - ALL - description: The product uses a database table that includes records that should - not be accessible to an actor, but it executes a SQL statement with a primary - key that can be controlled by that actor. - group: top10-broken-access-control - name: PLSQL_Low_Visibility_Authorization_Bypass_Through_User_Controlled_SQL_PrimaryKey - pretty_name: Authorization Bypass Through User Controlled SQL PrimaryKey - PLSQL - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - PLSQL_Low_Visibility_Default_Definer_Rights_in_Method_Definition: - categories: - - checkmarx-low-visibility - - owasp-top-10 - - cwe-265 - - boost-baseline - - ALL - description: Improper handling, assignment, or management of privileges. A privilege - is a property of an agent, such as a user. It lets the agent do things that - are not ordinarily allowed. 
- group: top10-insecure-design - name: PLSQL_Low_Visibility_Default_Definer_Rights_in_Method_Definition - pretty_name: Default Definer Rights in Method Definition - PLSQL - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - PLSQL_Low_Visibility_Exposure_of_System_Data: - categories: - - checkmarx-low-visibility - - cwe-497 - - owasp-top-10 - - boost-baseline - - ALL - description: The product does not properly prevent sensitive system-level information - from being accessed by unauthorized actors who do not have the same level of - access to the underlying system as the product does. - group: top10-broken-access-control - name: PLSQL_Low_Visibility_Exposure_of_System_Data - pretty_name: Exposure of System Data - PLSQL - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - PLSQL_Low_Visibility_Improper_Resource_Shutdown_or_Release: - categories: - - cwe-404 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: The product does not release or incorrectly releases a resource before - it is made available for re-use. - group: top10-insecure-design - name: PLSQL_Low_Visibility_Improper_Resource_Shutdown_or_Release - pretty_name: Improper Resource Shutdown or Release - PLSQL - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - PLSQL_Low_Visibility_Reversible_One_Way_Hash: - categories: - - cwe-328 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: The product uses an algorithm that produces a digest (output value) - that does not meet security expectations for a hash function that allows an - adversary to reasonably determine the original input (preimage attack), find - another input that can produce the same hash (2nd preimage attack), or find - multiple inputs that evaluate to the same hash (birthday attack). 
- group: top10-crypto-failures - name: PLSQL_Low_Visibility_Reversible_One_Way_Hash - pretty_name: Reversible One Way Hash - PLSQL - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - PLSQL_Low_Visibility_Trust_Boundary_Violation_in_Session_Variables: - categories: - - cwe-501 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: The product mixes trusted and untrusted data in the same data structure - or structured message. - group: top10-insecure-design - name: PLSQL_Low_Visibility_Trust_Boundary_Violation_in_Session_Variables - pretty_name: Trust Boundary Violation in Session Variables - PLSQL - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - PLSQL_Low_Visibility_Use_Of_Broken_Or_Risky_Cryptographic_Algorithm: - categories: - - cwe-327 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: The product uses a broken or risky cryptographic algorithm or protocol. - group: top10-crypto-failures - name: PLSQL_Low_Visibility_Use_Of_Broken_Or_Risky_Cryptographic_Algorithm - pretty_name: Use Of Broken Or Risky Cryptographic Algorithm - PLSQL - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - PLSQL_Low_Visibility_Use_Of_Hardcoded_Password: - categories: - - ALL - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - cwe-259 - description: The product contains a hard-coded password, which it uses for its - own inbound authentication or for outbound communication to external components. 
- group: top10-id-authn-failures - name: PLSQL_Low_Visibility_Use_Of_Hardcoded_Password - pretty_name: Use Of Hardcoded Password - PLSQL - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - PLSQL_Medium_Threat_Dangling_Database_Cursor: - categories: - - checkmarx-medium-threat - - owasp-top-10 - - boost-baseline - - ALL - - cwe-619 - description: If a database cursor is not closed properly, then it could become - accessible to other users while retaining the same privileges that were originally - assigned, leaving the cursor "dangling." - group: top10-injection - name: PLSQL_Medium_Threat_Dangling_Database_Cursor - pretty_name: Dangling Database Cursor - PLSQL - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - PLSQL_Medium_Threat_Default_Definer_Rights_in_Package_or_Object_Definition: - categories: - - checkmarx-medium-threat - - owasp-top-10 - - cwe-265 - - boost-baseline - - ALL - description: Improper handling, assignment, or management of privileges. A privilege - is a property of an agent, such as a user. It lets the agent do things that - are not ordinarily allowed. - group: top10-insecure-design - name: PLSQL_Medium_Threat_Default_Definer_Rights_in_Package_or_Object_Definition - pretty_name: Default Definer Rights in Package or Object Definition - PLSQL - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - PLSQL_Medium_Threat_DoS_By_Sleep: - categories: - - checkmarx-medium-threat - - owasp-top-10 - - boost-baseline - - ALL - description: The product performs an iteration or loop without sufficiently limiting - the number of times that the loop is executed. 
- group: top10-insecure-design - name: PLSQL_Medium_Threat_DoS_By_Sleep - pretty_name: DoS By Sleep - PLSQL - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - PLSQL_Medium_Threat_HTTP_Response_Splitting: - categories: - - checkmarx-medium-threat - - cwe-113 - - owasp-top-10 - - boost-baseline - - ALL - description: The product receives data from an HTTP agent/component (e.g., web - server, proxy, browser, etc.), but it does not neutralize or incorrectly neutralizes - CR and LF characters before the data is included in outgoing HTTP headers. - group: top10-injection - name: PLSQL_Medium_Threat_HTTP_Response_Splitting - pretty_name: HTTP Response Splitting - PLSQL - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - PLSQL_Medium_Threat_Improper_Privilege_Management: - categories: - - checkmarx-medium-threat - - cwe-269 - - owasp-top-10 - - boost-baseline - - ALL - description: The product does not properly assign, modify, track, or check privileges - for an actor, creating an unintended sphere of control for that actor. - group: top10-insecure-design - name: PLSQL_Medium_Threat_Improper_Privilege_Management - pretty_name: Improper Privilege Management - PLSQL - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - PLSQL_Medium_Threat_Open_Redirect: - categories: - - checkmarx-medium-threat - - cwe-601 - - owasp-top-10 - - boost-baseline - - ALL - description: A web application accepts a user-controlled input that specifies - a link to an external site, and uses that link in a Redirect. This simplifies - phishing attacks. 
- group: top10-broken-access-control - name: PLSQL_Medium_Threat_Open_Redirect - pretty_name: Open Redirect - PLSQL - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - PLSQL_Medium_Threat_Parameter_Tampering: - categories: - - checkmarx-medium-threat - - owasp-top-10 - - cwe-472 - - boost-baseline - - ALL - description: The web application does not sufficiently verify inputs that are - assumed to be immutable but are actually externally controllable, such as hidden - form fields. - group: top10-insecure-design - name: PLSQL_Medium_Threat_Parameter_Tampering - pretty_name: Parameter Tampering - PLSQL - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - PLSQL_Medium_Threat_Plaintext_Storage_of_a_Password: - categories: - - cwe-256 - - checkmarx-medium-threat - - owasp-top-10 - - boost-baseline - - ALL - description: Storing a password in plaintext may result in a system compromise. - group: top10-insecure-design - name: PLSQL_Medium_Threat_Plaintext_Storage_of_a_Password - pretty_name: Plaintext Storage of a Password - PLSQL - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - PLSQL_Medium_Threat_Privacy_Violation: - categories: - - checkmarx-medium-threat - - owasp-top-10 - - boost-baseline - - ALL - - cwe-359 - description: The product does not properly prevent a person's private, personal - information from being accessed by actors who either (1) are not explicitly - authorized to access the information or (2) do not have the implicit consent - of the person about whom the information is collected. 
- group: top10-broken-access-control - name: PLSQL_Medium_Threat_Privacy_Violation - pretty_name: Privacy Violation - PLSQL - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - PLSQL_Medium_Threat_Use_of_Insufficiently_Random_Values: - categories: - - checkmarx-medium-threat - - cwe-330 - - owasp-top-10 - - boost-baseline - - ALL - description: The product uses insufficiently random numbers or values in a security - context that depends on unpredictable numbers. - group: top10-crypto-failures - name: PLSQL_Medium_Threat_Use_of_Insufficiently_Random_Values - pretty_name: Use of Insufficiently Random Values - PLSQL - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Perl_Best_Coding_Practice_Empty_Methods: - categories: - - owasp-top-10 - - cwe-398 - - checkmarx-best-coding-practices - - boost-baseline - - ALL - description: Indicates that the product has not been carefully developed or maintained. - group: top10-insecure-design - name: Perl_Best_Coding_Practice_Empty_Methods - pretty_name: Empty Methods - Perl - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Perl_Best_Coding_Practice_Hardcoded_Absolute_Path: - categories: - - cwe-426 - - owasp-top-10 - - checkmarx-best-coding-practices - - boost-baseline - - ALL - description: The product searches for critical resources using an externally-supplied - search path that can point to resources that are not under the product's direct - control. 
- group: top10-software-data-integrity-failures - name: Perl_Best_Coding_Practice_Hardcoded_Absolute_Path - pretty_name: Hardcoded Absolute Path - Perl - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Perl_Best_Coding_Practice_Prepending_Leading_Zeroes_To_Integer_Literals: - categories: - - owasp-top-10 - - checkmarx-best-coding-practices - - cwe-665 - - boost-baseline - - ALL - description: The product does not initialize or incorrectly initializes a resource, - which might leave the resource in an unexpected state when it is accessed or - used. - group: top10-insecure-design - name: Perl_Best_Coding_Practice_Prepending_Leading_Zeroes_To_Integer_Literals - pretty_name: Prepending Leading Zeroes To Integer Literals - Perl - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Perl_Best_Coding_Practice_Reusing_Variable_Names_In_Subscopes: - categories: - - owasp-top-10 - - cwe-398 - - checkmarx-best-coding-practices - - boost-baseline - - ALL - description: Indicates that the product has not been carefully developed or maintained. - group: top10-insecure-design - name: Perl_Best_Coding_Practice_Reusing_Variable_Names_In_Subscopes - pretty_name: Reusing Variable Names In Subscopes - Perl - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Perl_Best_Coding_Practice_Using_Perl4_Package_Names: - categories: - - cwe-477 - - owasp-top-10 - - checkmarx-best-coding-practices - - boost-baseline - - ALL - description: The code uses deprecated or obsolete functions, which suggests that - the code has not been actively reviewed or maintained. 
- group: top10-insecure-design - name: Perl_Best_Coding_Practice_Using_Perl4_Package_Names - pretty_name: Using Perl4 Package Names - Perl - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Perl_Best_Coding_Practice_Using_Subroutine_Prototypes: - categories: - - owasp-top-10 - - cwe-628 - - checkmarx-best-coding-practices - - boost-baseline - - ALL - description: The product calls a function, procedure, or routine with arguments - that are not correctly specified, leading to always-incorrect behavior and resultant - weaknesses. - group: top10-insecure-design - name: Perl_Best_Coding_Practice_Using_Subroutine_Prototypes - pretty_name: Using Subroutine Prototypes - Perl - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Perl_High_Risk_Code_Injection: - categories: - - boost-hardened - - cwe-94 - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-high-risk - - cwe-top-25 - description: The product constructs all or part of a code segment using externally-influenced - input from an upstream component, but it does not neutralize or incorrectly - neutralizes special elements that could modify the syntax or behavior of the - intended code segment. - group: top10-injection - name: Perl_High_Risk_Code_Injection - pretty_name: Code Injection - Perl - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Perl_High_Risk_Command_Injection: - categories: - - boost-hardened - - cwe-77 - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-high-risk - - cwe-top-25 - description: The product constructs all or part of a command using externally-influenced - input from an upstream component, but it does not neutralize or incorrectly - neutralizes special elements that could modify the intended command when it - is sent to a downstream component. 
- group: top10-injection - name: Perl_High_Risk_Command_Injection - pretty_name: Command Injection - Perl - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Perl_High_Risk_Connection_String_Injection: - categories: - - boost-hardened - - owasp-top-10 - - cwe-99 - - boost-baseline - - ALL - - checkmarx-high-risk - description: The product receives input from an upstream component, but it does - not restrict or incorrectly restricts the input before it is used as an identifier - for a resource that may be outside the intended sphere of control. - group: top10-injection - name: Perl_High_Risk_Connection_String_Injection - pretty_name: Connection String Injection - Perl - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Perl_High_Risk_LDAP_Injection: - categories: - - boost-hardened - - cwe-90 - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-high-risk - description: The product constructs all or part of an LDAP query using externally-influenced - input from an upstream component, but it does not neutralize or incorrectly - neutralizes special elements that could modify the intended LDAP query when - it is sent to a downstream component. - group: top10-injection - name: Perl_High_Risk_LDAP_Injection - pretty_name: LDAP Injection - Perl - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Perl_High_Risk_Reflected_XSS_All_Clients: - categories: - - boost-hardened - - cwe-79 - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-high-risk - - cwe-top-25 - description: The product does not neutralize or incorrectly neutralizes user-controllable - input before it is placed in output that is used as a web page that is served - to other users. 
- group: top10-injection - name: Perl_High_Risk_Reflected_XSS_All_Clients - pretty_name: Reflected XSS All Clients - Perl - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Perl_High_Risk_Remote_File_Inclusion: - categories: - - boost-hardened - - owasp-top-10 - - cwe-829 - - boost-baseline - - ALL - - checkmarx-high-risk - description: The product imports, requires, or includes executable functionality - (such as a library) from a source that is outside of the intended control sphere. - group: top10-software-data-integrity-failures - name: Perl_High_Risk_Remote_File_Inclusion - pretty_name: Remote File Inclusion - Perl - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Perl_High_Risk_Resource_Injection: - categories: - - boost-hardened - - owasp-top-10 - - cwe-99 - - boost-baseline - - ALL - - checkmarx-high-risk - description: The product receives input from an upstream component, but it does - not restrict or incorrectly restricts the input before it is used as an identifier - for a resource that may be outside the intended sphere of control. - group: top10-injection - name: Perl_High_Risk_Resource_Injection - pretty_name: Resource Injection - Perl - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Perl_High_Risk_SQL_Injection: - categories: - - boost-hardened - - cwe-89 - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-high-risk - - cwe-top-25 - description: The product constructs all or part of an SQL command using externally-influenced - input from an upstream component, but it does not neutralize or incorrectly - neutralizes special elements that could modify the intended SQL command when - it is sent to a downstream component. 
- group: top10-injection - name: Perl_High_Risk_SQL_Injection - pretty_name: SQL Injection - Perl - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Perl_High_Risk_Second_Order_SQL_Injection: - categories: - - boost-hardened - - cwe-89 - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-high-risk - - cwe-top-25 - description: The product constructs all or part of an SQL command using externally-influenced - input from an upstream component, but it does not neutralize or incorrectly - neutralizes special elements that could modify the intended SQL command when - it is sent to a downstream component. - group: top10-injection - name: Perl_High_Risk_Second_Order_SQL_Injection - pretty_name: Second Order SQL Injection - Perl - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Perl_High_Risk_Stored_XSS: - categories: - - boost-hardened - - cwe-79 - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-high-risk - - cwe-top-25 - description: The product does not neutralize or incorrectly neutralizes user-controllable - input before it is placed in output that is used as a web page that is served - to other users. - group: top10-injection - name: Perl_High_Risk_Stored_XSS - pretty_name: Stored XSS - Perl - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Perl_Low_Visibility_Import_of_Deprecated_Modules: - categories: - - cwe-477 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: The code uses deprecated or obsolete functions, which suggests that - the code has not been actively reviewed or maintained. 
- group: top10-insecure-design - name: Perl_Low_Visibility_Import_of_Deprecated_Modules - pretty_name: Import of Deprecated Modules - Perl - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Perl_Low_Visibility_Improper_Filtering_of_Special_Elements: - categories: - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - - cwe-790 - description: The product receives data from an upstream component, but does not - filter or incorrectly filters special elements before sending it to a downstream - component. - group: top10-insecure-design - name: Perl_Low_Visibility_Improper_Filtering_of_Special_Elements - pretty_name: Improper Filtering of Special Elements - Perl - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Perl_Low_Visibility_Information_Exposure_Through_an_Error_Message: - categories: - - cwe-209 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: The product generates an error message that includes sensitive information - about its environment, users, or associated data. - group: top10-insecure-design - name: Perl_Low_Visibility_Information_Exposure_Through_an_Error_Message - pretty_name: Information Exposure Through an Error Message - Perl - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Perl_Low_Visibility_Log_Forging: - categories: - - boost-baseline - - ALL - - cwe-117 - - checkmarx-low-visibility - description: The product does not neutralize or incorrectly neutralizes output - that is written to logs. 
- group: top10-security-logging-monitoring-failures - name: Perl_Low_Visibility_Log_Forging - pretty_name: Log Forging - Perl - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Perl_Low_Visibility_Not_Checking_Regular_Expressions_Results: - categories: - - cwe-252 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: The product does not check the return value from a method or function, - which can prevent it from detecting unexpected states and conditions. - group: top10-insecure-design - name: Perl_Low_Visibility_Not_Checking_Regular_Expressions_Results - pretty_name: Not Checking Regular Expressions Results - Perl - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Perl_Low_Visibility_Overloading_Reserved_Keywords_or_Subroutines: - categories: - - checkmarx-low-visibility - - owasp-top-10 - - cwe-398 - - boost-baseline - - ALL - description: Indicates that the product has not been carefully developed or maintained. - group: top10-insecure-design - name: Perl_Low_Visibility_Overloading_Reserved_Keywords_or_Subroutines - pretty_name: Overloading Reserved Keywords or Subroutines - Perl - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Perl_Low_Visibility_Permissive_Regular_Expression: - categories: - - cwe-625 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: The product uses a regular expression that does not sufficiently - restrict the set of allowed values. 
- group: top10-insecure-design - name: Perl_Low_Visibility_Permissive_Regular_Expression - pretty_name: Permissive Regular Expression - Perl - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Perl_Low_Visibility_Prohibit_Indirect_Object_Call_Syntax: - categories: - - checkmarx-low-visibility - - owasp-top-10 - - cwe-665 - - boost-baseline - - ALL - description: The product does not initialize or incorrectly initializes a resource, - which might leave the resource in an unexpected state when it is accessed or - used. - group: top10-insecure-design - name: Perl_Low_Visibility_Prohibit_Indirect_Object_Call_Syntax - pretty_name: Prohibit Indirect Object Call Syntax - Perl - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Perl_Low_Visibility_Signifying_Inheritence_At_Runtime: - categories: - - checkmarx-low-visibility - - owasp-top-10 - - cwe-398 - - boost-baseline - - ALL - description: Indicates that the product has not been carefully developed or maintained. - group: top10-insecure-design - name: Perl_Low_Visibility_Signifying_Inheritence_At_Runtime - pretty_name: Signifying Inheritence At Runtime - Perl - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Perl_Low_Visibility_Unchecked_Return_Value: - categories: - - cwe-252 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: The product does not check the return value from a method or function, - which can prevent it from detecting unexpected states and conditions. 
- group: top10-insecure-design - name: Perl_Low_Visibility_Unchecked_Return_Value - pretty_name: Unchecked Return Value - Perl - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Perl_Low_Visibility_Use_of_Broken_or_Risky_Cryptographic_Algorithm: - categories: - - cwe-327 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: The product uses a broken or risky cryptographic algorithm or protocol. - group: top10-crypto-failures - name: Perl_Low_Visibility_Use_of_Broken_or_Risky_Cryptographic_Algorithm - pretty_name: Use of Broken or Risky Cryptographic Algorithm - Perl - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Perl_Low_Visibility_Use_of_Deprecated_or_Obsolete_Functions: - categories: - - cwe-477 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: The code uses deprecated or obsolete functions, which suggests that - the code has not been actively reviewed or maintained. - group: top10-insecure-design - name: Perl_Low_Visibility_Use_of_Deprecated_or_Obsolete_Functions - pretty_name: Use of Deprecated or Obsolete Functions - Perl - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Perl_Low_Visibility_Variables_Outside_The_Scope_of_a_Regex: - categories: - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - - cwe-824 - description: The product accesses or uses a pointer that has not been initialized. 
- group: top10-insecure-design - name: Perl_Low_Visibility_Variables_Outside_The_Scope_of_a_Regex - pretty_name: Variables Outside The Scope of a Regex - Perl - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Perl_Medium_Threat_CSRF: - categories: - - checkmarx-medium-threat - - cwe-352 - - owasp-top-10 - - boost-baseline - - ALL - - cwe-top-25 - description: The web application does not, or can not, sufficiently verify whether - a well-formed, valid, consistent request was intentionally provided by the user - who submitted the request. - group: top10-injection - name: Perl_Medium_Threat_CSRF - pretty_name: CSRF - Perl - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Perl_Medium_Threat_DoS_by_Sleep: - categories: - - checkmarx-medium-threat - - owasp-top-10 - - boost-baseline - - ALL - description: The product performs an iteration or loop without sufficiently limiting - the number of times that the loop is executed. - group: top10-insecure-design - name: Perl_Medium_Threat_DoS_by_Sleep - pretty_name: DoS by Sleep - Perl - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Perl_Medium_Threat_Improper_Restriction_of_XXE_Ref: - categories: - - checkmarx-medium-threat - - cwe-611 - - boost-baseline - - ALL - - cwe-top-25 - description: The product processes an XML document that can contain XML entities - with URIs that resolve to documents outside of the intended sphere of control, - causing the product to embed incorrect documents into its output. 
- group: top10-security-misconfiguration - name: Perl_Medium_Threat_Improper_Restriction_of_XXE_Ref - pretty_name: Improper Restriction of XXE Ref - Perl - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Perl_Medium_Threat_Missing_Encryption_of_Sensitive_Data: - categories: - - checkmarx-medium-threat - - owasp-top-10 - - cwe-311 - - boost-baseline - - ALL - description: The product does not encrypt sensitive or critical information before - storage or transmission. - group: top10-insecure-design - name: Perl_Medium_Threat_Missing_Encryption_of_Sensitive_Data - pretty_name: Missing Encryption of Sensitive Data - Perl - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Perl_Medium_Threat_Parameter_Tampering: - categories: - - checkmarx-medium-threat - - owasp-top-10 - - cwe-472 - - boost-baseline - - ALL - description: The web application does not sufficiently verify inputs that are - assumed to be immutable but are actually externally controllable, such as hidden - form fields. - group: top10-insecure-design - name: Perl_Medium_Threat_Parameter_Tampering - pretty_name: Parameter Tampering - Perl - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Perl_Medium_Threat_Path_Traversal: - categories: - - ALL - - checkmarx-medium-threat - - owasp-top-10 - - boost-baseline - - cwe-22 - - cwe-top-25 - description: The product uses external input to construct a pathname that is intended - to identify a file or directory that is located underneath a restricted parent - directory, but the product does not properly neutralize special elements within - the pathname that can cause the pathname to resolve to a location that is outside - of the restricted directory. 
- group: top10-broken-access-control - name: Perl_Medium_Threat_Path_Traversal - pretty_name: Path Traversal - Perl - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Perl_Medium_Threat_Privacy_Violation: - categories: - - checkmarx-medium-threat - - owasp-top-10 - - boost-baseline - - ALL - - cwe-359 - description: The product does not properly prevent a person's private, personal - information from being accessed by actors who either (1) are not explicitly - authorized to access the information or (2) do not have the implicit consent - of the person about whom the information is collected. - group: top10-broken-access-control - name: Perl_Medium_Threat_Privacy_Violation - pretty_name: Privacy Violation - Perl - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Perl_Medium_Threat_Stored_Code_Injection: - categories: - - checkmarx-medium-threat - - cwe-94 - - owasp-top-10 - - boost-baseline - - ALL - - cwe-top-25 - description: The product constructs all or part of a code segment using externally-influenced - input from an upstream component, but it does not neutralize or incorrectly - neutralizes special elements that could modify the syntax or behavior of the - intended code segment. - group: top10-injection - name: Perl_Medium_Threat_Stored_Code_Injection - pretty_name: Stored Code Injection - Perl - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Perl_Medium_Threat_Stored_Command_Injection: - categories: - - cwe-77 - - checkmarx-medium-threat - - owasp-top-10 - - boost-baseline - - ALL - - cwe-top-25 - description: The product constructs all or part of a command using externally-influenced - input from an upstream component, but it does not neutralize or incorrectly - neutralizes special elements that could modify the intended command when it - is sent to a downstream component. 
- group: top10-injection - name: Perl_Medium_Threat_Stored_Command_Injection - pretty_name: Stored Command Injection - Perl - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Perl_Medium_Threat_Stored_LDAP_Injection: - categories: - - checkmarx-medium-threat - - cwe-90 - - owasp-top-10 - - boost-baseline - - ALL - description: The product constructs all or part of an LDAP query using externally-influenced - input from an upstream component, but it does not neutralize or incorrectly - neutralizes special elements that could modify the intended LDAP query when - it is sent to a downstream component. - group: top10-injection - name: Perl_Medium_Threat_Stored_LDAP_Injection - pretty_name: Stored LDAP Injection - Perl - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Perl_Medium_Threat_Stored_Path_Traversal: - categories: - - ALL - - checkmarx-medium-threat - - owasp-top-10 - - boost-baseline - - cwe-22 - - cwe-top-25 - description: The product uses external input to construct a pathname that is intended - to identify a file or directory that is located underneath a restricted parent - directory, but the product does not properly neutralize special elements within - the pathname that can cause the pathname to resolve to a location that is outside - of the restricted directory. - group: top10-broken-access-control - name: Perl_Medium_Threat_Stored_Path_Traversal - pretty_name: Stored Path Traversal - Perl - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Perl_Medium_Threat_Uncontrolled_Format_String: - categories: - - checkmarx-medium-threat - - cwe-134 - - owasp-top-10 - - boost-baseline - - ALL - description: The product uses a function that accepts a format string as an argument, - but the format string originates from an external source. 
- group: top10-injection - name: Perl_Medium_Threat_Uncontrolled_Format_String - pretty_name: Uncontrolled Format String - Perl - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Perl_Medium_Threat_Uncontrolled_Memory_Allocation: - categories: - - checkmarx-medium-threat - - cwe-789 - - owasp-top-10 - - boost-baseline - - ALL - description: The product allocates memory based on an untrusted, large size value, - but it does not ensure that the size is within expected limits, allowing arbitrary - amounts of memory to be allocated. - group: top10-injection - name: Perl_Medium_Threat_Uncontrolled_Memory_Allocation - pretty_name: Uncontrolled Memory Allocation - Perl - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Perl_Medium_Threat_Unprotected_Transport_of_Credentials: - categories: - - checkmarx-medium-threat - - cwe-523 - - owasp-top-10 - - boost-baseline - - ALL - description: Login pages do not use adequate measures to protect the user name - and password while they are in transit from the client to the server. - group: top10-crypto-failures - name: Perl_Medium_Threat_Unprotected_Transport_of_Credentials - pretty_name: Unprotected Transport of Credentials - Perl - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Perl_Medium_Threat_Use_Of_Hardcoded_Password: - categories: - - ALL - - checkmarx-medium-threat - - owasp-top-10 - - boost-baseline - - cwe-259 - description: The product contains a hard-coded password, which it uses for its - own inbound authentication or for outbound communication to external components. 
- group: top10-id-authn-failures - name: Perl_Medium_Threat_Use_Of_Hardcoded_Password - pretty_name: Use Of Hardcoded Password - Perl - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Perl_Medium_Threat_Use_of_Two_Argument_Form_of_Open: - categories: - - cwe-77 - - checkmarx-medium-threat - - owasp-top-10 - - boost-baseline - - ALL - - cwe-top-25 - description: The product constructs all or part of a command using externally-influenced - input from an upstream component, but it does not neutralize or incorrectly - neutralizes special elements that could modify the intended command when it - is sent to a downstream component. - group: top10-injection - name: Perl_Medium_Threat_Use_of_Two_Argument_Form_of_Open - pretty_name: Use of Two Argument Form of Open - Perl - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Php_Best_Coding_Practice_Declaration_Of_Catch_For_Generic_Exception: - categories: - - cwe-396 - - owasp-top-10 - - checkmarx-best-coding-practices - - boost-baseline - - ALL - description: Catching overly broad exceptions promotes complex error handling - code that is more likely to contain security vulnerabilities. - group: top10-insecure-design - name: Php_Best_Coding_Practice_Declaration_Of_Catch_For_Generic_Exception - pretty_name: Declaration Of Catch For Generic Exception - Php - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Php_Best_Coding_Practice_Detection_of_Error_Condition_Without_Action: - categories: - - cwe-390 - - owasp-top-10 - - checkmarx-best-coding-practices - - boost-baseline - - ALL - description: The product detects a specific error, but takes no actions to handle - the error. 
- group: top10-insecure-design - name: Php_Best_Coding_Practice_Detection_of_Error_Condition_Without_Action - pretty_name: Detection of Error Condition Without Action - Php - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Php_Best_Coding_Practice_Dynamic_SQL_Queries: - categories: - - cwe-89 - - owasp-top-10 - - checkmarx-best-coding-practices - - boost-baseline - - ALL - - cwe-top-25 - description: The product constructs all or part of an SQL command using externally-influenced - input from an upstream component, but it does not neutralize or incorrectly - neutralizes special elements that could modify the intended SQL command when - it is sent to a downstream component. - group: top10-injection - name: Php_Best_Coding_Practice_Dynamic_SQL_Queries - pretty_name: Dynamic SQL Queries - Php - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Php_Best_Coding_Practice_Exposure_of_Resource_to_Wrong_Sphere: - categories: - - owasp-top-10 - - cwe-493 - - checkmarx-best-coding-practices - - boost-baseline - - ALL - description: The product has a critical public variable that is not final, which - allows the variable to be modified to contain unexpected values. - group: top10-insecure-design - name: Php_Best_Coding_Practice_Exposure_of_Resource_to_Wrong_Sphere - pretty_name: Exposure of Resource to Wrong Sphere - Php - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Php_Best_Coding_Practice_Hardcoded_Absolute_Path: - categories: - - cwe-426 - - owasp-top-10 - - checkmarx-best-coding-practices - - boost-baseline - - ALL - description: The product searches for critical resources using an externally-supplied - search path that can point to resources that are not under the product's direct - control. 
- group: top10-software-data-integrity-failures - name: Php_Best_Coding_Practice_Hardcoded_Absolute_Path - pretty_name: Hardcoded Absolute Path - Php - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Php_Best_Coding_Practice_Possible_Global_Variable_Overwrite: - categories: - - boost-baseline - - ALL - - checkmarx-best-coding-practices - - owasp-top-10 - description: A local PHP variable, with the same name as a global variable, is - being written to, thus posing a risk of unintentional global variable overwrite. - group: top10-insecure-design - name: Php_Best_Coding_Practice_Possible_Global_Variable_Overwrite - pretty_name: Possible Global Variable Overwrite - Php - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Php_Best_Coding_Practice_Unchecked_Error_Condition: - categories: - - owasp-top-10 - - cwe-391 - - checkmarx-best-coding-practices - - boost-baseline - - ALL - description: '[PLANNED FOR DEPRECATION. SEE MAINTENANCE NOTES AND CONSIDER' - group: top10-insecure-design - name: Php_Best_Coding_Practice_Unchecked_Error_Condition - pretty_name: Unchecked Error Condition - Php - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Php_Best_Coding_Practice_Unclosed_Objects: - categories: - - owasp-top-10 - - checkmarx-best-coding-practices - - boost-baseline - - ALL - - cwe-459 - description: The product does not properly "clean up" and remove temporary or - supporting resources after they have been used. 
- group: top10-insecure-design - name: Php_Best_Coding_Practice_Unclosed_Objects - pretty_name: Unclosed Objects - Php - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Php_Best_Coding_Practice_Use_Of_Namespace: - categories: - - owasp-top-10 - - cwe-398 - - checkmarx-best-coding-practices - - boost-baseline - - ALL - description: Indicates that the product has not been carefully developed or maintained. - group: top10-insecure-design - name: Php_Best_Coding_Practice_Use_Of_Namespace - pretty_name: Use Of Namespace - Php - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Php_Best_Coding_Practice_Use_Of_Private_Static_Variable: - categories: - - owasp-top-10 - - cwe-398 - - checkmarx-best-coding-practices - - boost-baseline - - ALL - description: Indicates that the product has not been carefully developed or maintained. - group: top10-insecure-design - name: Php_Best_Coding_Practice_Use_Of_Private_Static_Variable - pretty_name: Use Of Private Static Variable - Php - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Php_Best_Coding_Practice_Use_Of_Super_GLOBALS: - categories: - - owasp-top-10 - - cwe-766 - - checkmarx-best-coding-practices - - boost-baseline - - ALL - description: The product declares a critical variable, field, or member to be - public when intended security policy requires it to be private. 
- group: top10-insecure-design - name: Php_Best_Coding_Practice_Use_Of_Super_GLOBALS - pretty_name: Use Of Super GLOBALS - Php - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Php_Low_Visibility_Blind_SQL_Injections: - categories: - - checkmarx-low-visibility - - cwe-89 - - owasp-top-10 - - boost-baseline - - ALL - - cwe-top-25 - description: The product constructs all or part of an SQL command using externally-influenced - input from an upstream component, but it does not neutralize or incorrectly - neutralizes special elements that could modify the intended SQL command when - it is sent to a downstream component. - group: top10-injection - name: Php_Low_Visibility_Blind_SQL_Injections - pretty_name: Blind SQL Injections - Php - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Php_Low_Visibility_Cross_Site_History_Manipulation: - categories: - - cwe-203 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: The product behaves differently or sends different responses under - different circumstances in a way that is observable to an unauthorized actor, - which exposes security-relevant information about the state of the product, - such as whether a particular operation was successful or not. - group: top10-software-data-integrity-failures - name: Php_Low_Visibility_Cross_Site_History_Manipulation - pretty_name: Cross Site History Manipulation - Php - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Php_Low_Visibility_Deprecated_Functions: - categories: - - cwe-477 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: The code uses deprecated or obsolete functions, which suggests that - the code has not been actively reviewed or maintained. 
- group: top10-insecure-design - name: Php_Low_Visibility_Deprecated_Functions - pretty_name: Deprecated Functions - Php - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Php_Low_Visibility_ESAPI_Same_Password_Repeats_Twice: - categories: - - cwe-521 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: The product does not require that users should have strong passwords, - which makes it easier for attackers to compromise user accounts. - group: top10-id-authn-failures - name: Php_Low_Visibility_ESAPI_Same_Password_Repeats_Twice - pretty_name: ESAPI Same Password Repeats Twice - Php - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Php_Low_Visibility_Improper_Exception_Handling: - categories: - - cwe-248 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: An exception is thrown from a function, but it is not caught. - group: top10-insecure-design - name: Php_Low_Visibility_Improper_Exception_Handling - pretty_name: Improper Exception Handling - Php - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Php_Low_Visibility_Improper_Transaction_Handling: - categories: - - cwe-460 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: The product does not clean up its state or incorrectly cleans up - its state when an exception is thrown, leading to unexpected state or control - flow. 
- group: top10-insecure-design - name: Php_Low_Visibility_Improper_Transaction_Handling - pretty_name: Improper Transaction Handling - Php - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Php_Low_Visibility_Incorrect_Implementation_of_Authentication_Algorithm: - categories: - - checkmarx-low-visibility - - owasp-top-10 - - cwe-303 - - boost-baseline - - ALL - description: The requirements for the product dictate the use of an established - authentication algorithm, but the implementation of the algorithm is incorrect. - group: top10-id-authn-failures - name: Php_Low_Visibility_Incorrect_Implementation_of_Authentication_Algorithm - pretty_name: Incorrect Implementation of Authentication Algorithm - Php - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Php_Low_Visibility_Information_Exposure_Through_an_Error_Message: - categories: - - cwe-209 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: The product generates an error message that includes sensitive information - about its environment, users, or associated data. - group: top10-insecure-design - name: Php_Low_Visibility_Information_Exposure_Through_an_Error_Message - pretty_name: Information Exposure Through an Error Message - Php - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Php_Low_Visibility_Information_Leak_Through_Persistent_Cookies: - categories: - - cwe-539 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: The web application uses persistent cookies, but the cookies contain - sensitive information. 
- group: top10-insecure-design - name: Php_Low_Visibility_Information_Leak_Through_Persistent_Cookies - pretty_name: Information Leak Through Persistent Cookies - Php - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Php_Low_Visibility_Insufficiently_Protected_Credentials: - categories: - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - - cwe-522 - description: The product transmits or stores authentication credentials, but it - uses an insecure method that is susceptible to unauthorized interception and/or - retrieval. - group: top10-insecure-design - name: Php_Low_Visibility_Insufficiently_Protected_Credentials - pretty_name: Insufficiently Protected Credentials - Php - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Php_Low_Visibility_Log_Forging: - categories: - - boost-baseline - - ALL - - cwe-117 - - checkmarx-low-visibility - description: The product does not neutralize or incorrectly neutralizes output - that is written to logs. - group: top10-security-logging-monitoring-failures - name: Php_Low_Visibility_Log_Forging - pretty_name: Log Forging - Php - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Php_Low_Visibility_Possible_Flow_Control: - categories: - - cwe-691 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: The code does not sufficiently manage its control flow during execution, - creating conditions in which the control flow can be modified in unexpected - ways. 
- group: top10-injection - name: Php_Low_Visibility_Possible_Flow_Control - pretty_name: Possible Flow Control - Php - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Php_Low_Visibility_Reliance_on_Cookies_in_a_Decision: - categories: - - cwe-784 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: The product uses a protection mechanism that relies on the existence - or values of a cookie, but it does not properly ensure that the cookie is valid - for the associated user. - group: top10-software-data-integrity-failures - name: Php_Low_Visibility_Reliance_on_Cookies_in_a_Decision - pretty_name: Reliance on Cookies in a Decision - Php - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Php_Low_Visibility_Reliance_on_DNS_Lookups_in_a_Decision: - categories: - - cwe-350 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: The product performs reverse DNS resolution on an IP address to obtain - the hostname and make a security decision, but it does not properly ensure that - the IP address is truly associated with the hostname. - group: top10-insecure-design - name: Php_Low_Visibility_Reliance_on_DNS_Lookups_in_a_Decision - pretty_name: Reliance on DNS Lookups in a Decision - Php - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Php_Low_Visibility_Trust_Boundary_Violation_in_Session_Variables: - categories: - - cwe-501 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: The product mixes trusted and untrusted data in the same data structure - or structured message. 
- group: top10-insecure-design - name: Php_Low_Visibility_Trust_Boundary_Violation_in_Session_Variables - pretty_name: Trust Boundary Violation in Session Variables - Php - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Php_Low_Visibility_Unsafe_Use_Of_Target_Blank: - categories: - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - - cwe-1022 - description: The web application produces links to untrusted external sites outside - of its sphere of control, but it does not properly prevent the external site - from modifying security-critical properties of the window.opener object, such - as the location property. - group: top10-insecure-design - name: Php_Low_Visibility_Unsafe_Use_Of_Target_Blank - pretty_name: Unsafe Use Of Target Blank - Php - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Php_Low_Visibility_Use_Of_Hardcoded_Password: - categories: - - ALL - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - cwe-259 - description: The product contains a hard-coded password, which it uses for its - own inbound authentication or for outbound communication to external components. - group: top10-id-authn-failures - name: Php_Low_Visibility_Use_Of_Hardcoded_Password - pretty_name: Use Of Hardcoded Password - Php - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Php_Low_Visibility_Use_of_Broken_or_Risky_Cryptographic_Algorithm: - categories: - - cwe-327 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: The product uses a broken or risky cryptographic algorithm or protocol. 
- group: top10-crypto-failures - name: Php_Low_Visibility_Use_of_Broken_or_Risky_Cryptographic_Algorithm - pretty_name: Use of Broken or Risky Cryptographic Algorithm - Php - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Php_Low_Visibility_XSS_Evasion_Attack: - categories: - - cwe-79 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - - cwe-top-25 - description: The product does not neutralize or incorrectly neutralizes user-controllable - input before it is placed in output that is used as a web page that is served - to other users. - group: top10-injection - name: Php_Low_Visibility_XSS_Evasion_Attack - pretty_name: XSS Evasion Attack - Php - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Python_AWS_Lambda_AWS_Credentials_Leak: - categories: - - boost-hardened - - checkmarx-server-side-vulnerability - - owasp-top-10 - - boost-baseline - - ALL - description: AWS credentials are exposed within Python AWS Lambda function code, - making them vulnerable to unauthorized access or potential compromise. - group: top10-broken-access-control - name: Python_AWS_Lambda_AWS_Credentials_Leak - pretty_name: AWS Credentials Leak - Python - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Python_AWS_Lambda_DynamoDB_NoSQL_Injection: - categories: - - boost-hardened - - checkmarx-server-side-vulnerability - - cwe-74 - - owasp-top-10 - - boost-baseline - - ALL - description: The product constructs all or part of a command, data structure, - or record using externally-influenced input from an upstream component, but - it does not neutralize or incorrectly neutralizes special elements that could - modify how it is parsed or interpreted when it is sent to a downstream component. 
- group: top10-injection
- name: Python_AWS_Lambda_DynamoDB_NoSQL_Injection
- pretty_name: DynamoDB NoSQL Injection - Python
- recommended: true
- ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
- Python_AWS_Lambda_Hardcoded_AWS_Credentials:
- categories:
- - checkmarx-server-side-vulnerability
- - owasp-top-10
- - boost-baseline
- - ALL
- - cwe-top-25
- - cwe-798
- description: The product contains hard-coded credentials, such as a password or
- cryptographic key, which it uses for its own inbound authentication, outbound
- communication to external components, or encryption of internal data.
- group: top10-id-authn-failures
- name: Python_AWS_Lambda_Hardcoded_AWS_Credentials
- pretty_name: Hardcoded AWS Credentials - Python
- recommended: true
- ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
- Python_AWS_Lambda_Permission_Manipulation_in_S3:
- categories:
- - checkmarx-server-side-vulnerability
- - owasp-top-10
- - cwe-285
- - boost-baseline
- - ALL
- description: The product does not perform or incorrectly performs an authorization
- check when an actor attempts to access a resource or perform an action.
- group: top10-broken-access-control
- name: Python_AWS_Lambda_Permission_Manipulation_in_S3
- pretty_name: Permission Manipulation in S3 - Python
- recommended: true
- ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
- Python_AWS_Lambda_Race_Condition_Concurrent_Instances:
- categories:
- - checkmarx-server-side-vulnerability
- - cwe-366
- - owasp-top-10
- - boost-baseline
- - ALL
- description: If two threads of execution use a resource simultaneously, there
- exists the possibility that resources may be used while invalid, in turn making
- the state of execution undefined.
- group: top10-insecure-design
- name: Python_AWS_Lambda_Race_Condition_Concurrent_Instances
- pretty_name: Race Condition Concurrent Instances - Python
- recommended: true
- ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
- Python_AWS_Lambda_Unrestricted_Read_S3:
- categories:
- - checkmarx-server-side-vulnerability
- - owasp-top-10
- - cwe-639
- - boost-baseline
- - ALL
- description: The system's authorization functionality does not prevent one user
- from gaining access to another user's data or record by modifying the key value
- identifying the data.
- group: top10-broken-access-control
- name: Python_AWS_Lambda_Unrestricted_Read_S3
- pretty_name: Unrestricted Read S3 - Python
- recommended: true
- ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
- Python_AWS_Lambda_Unrestricted_Write_S3:
- categories:
- - checkmarx-server-side-vulnerability
- - owasp-top-10
- - cwe-639
- - boost-baseline
- - ALL
- description: The system's authorization functionality does not prevent one user
- from gaining access to another user's data or record by modifying the key value
- identifying the data.
- group: top10-broken-access-control
- name: Python_AWS_Lambda_Unrestricted_Write_S3
- pretty_name: Unrestricted Write S3 - Python
- recommended: true
- ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
- Python_AWS_Lambda_Use_of_Hardcoded_Cryptographic_Key_On_Server:
- categories:
- - cwe-321
- - checkmarx-server-side-vulnerability
- - owasp-top-10
- - boost-baseline
- - ALL
- description: The use of a hard-coded cryptographic key significantly increases
- the possibility that encrypted data may be recovered.
- group: top10-crypto-failures
- name: Python_AWS_Lambda_Use_of_Hardcoded_Cryptographic_Key_On_Server
- pretty_name: Use of Hardcoded Cryptographic Key On Server - Python
- recommended: true
- ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
- Python_AWS_Lambda_User_Based_SDK_Configurations:
- categories:
- - boost-baseline
- - ALL
- - cwe-15
- - checkmarx-server-side-vulnerability
- description: One or more system settings or configuration elements can be externally
- controlled by a user.
- group: top10-security-misconfiguration
- name: Python_AWS_Lambda_User_Based_SDK_Configurations
- pretty_name: User Based SDK Configurations - Python
- recommended: true
- ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
- Python_Best_Coding_Practice_Hardcoded_Absolute_Path:
- categories:
- - cwe-426
- - owasp-top-10
- - checkmarx-best-coding-practices
- - boost-baseline
- - ALL
- description: The product searches for critical resources using an externally-supplied
- search path that can point to resources that are not under the product's direct
- control.
- group: top10-software-data-integrity-failures
- name: Python_Best_Coding_Practice_Hardcoded_Absolute_Path
- pretty_name: Hardcoded Absolute Path - Python
- recommended: true
- ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
- Python_Exploitable_Path_Python_Find_Imports:
- categories:
- - boost-baseline
- - ALL
- - owasp-top-10
- description: The code searches for Python imports using an insecure method, such
- as os.system or subprocess.Popen, making it susceptible to arbitrary code execution
- through shell injection.
- group: top10-injection
- name: Python_Exploitable_Path_Python_Find_Imports
- pretty_name: Python Find Imports - Python
- recommended: true
- ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
- Python_Exploitable_Path_Python_Find_Methods:
- categories:
- - boost-baseline
- - ALL
- - owasp-top-10
- description: The Python 'find' method is used in a way that can potentially lead
- to exploitable path inconsistencies or traversal vulnerabilities, creating a
- security risk for the application.
- group: top10-injection
- name: Python_Exploitable_Path_Python_Find_Methods
- pretty_name: Python Find Methods - Python
- recommended: true
- ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
- Python_High_Risk_Code_Injection:
- categories:
- - boost-hardened
- - cwe-94
- - owasp-top-10
- - boost-baseline
- - ALL
- - checkmarx-high-risk
- - cwe-top-25
- description: The product constructs all or part of a code segment using externally-influenced
- input from an upstream component, but it does not neutralize or incorrectly
- neutralizes special elements that could modify the syntax or behavior of the
- intended code segment.
- group: top10-injection
- name: Python_High_Risk_Code_Injection
- pretty_name: Code Injection - Python
- recommended: true
- ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
- Python_High_Risk_Command_Injection:
- categories:
- - boost-hardened
- - cwe-77
- - owasp-top-10
- - boost-baseline
- - ALL
- - checkmarx-high-risk
- - cwe-top-25
- description: The product constructs all or part of a command using externally-influenced
- input from an upstream component, but it does not neutralize or incorrectly
- neutralizes special elements that could modify the intended command when it
- is sent to a downstream component.
- group: top10-injection
- name: Python_High_Risk_Command_Injection
- pretty_name: Command Injection - Python
- recommended: true
- ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
- Python_High_Risk_Connection_String_Injection:
- categories:
- - boost-hardened
- - owasp-top-10
- - cwe-99
- - boost-baseline
- - ALL
- - checkmarx-high-risk
- description: The product receives input from an upstream component, but it does
- not restrict or incorrectly restricts the input before it is used as an identifier
- for a resource that may be outside the intended sphere of control.
- group: top10-injection
- name: Python_High_Risk_Connection_String_Injection
- pretty_name: Connection String Injection - Python
- recommended: true
- ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
- Python_High_Risk_LDAP_Injection:
- categories:
- - boost-hardened
- - cwe-90
- - owasp-top-10
- - boost-baseline
- - ALL
- - checkmarx-high-risk
- description: The product constructs all or part of an LDAP query using externally-influenced
- input from an upstream component, but it does not neutralize or incorrectly
- neutralizes special elements that could modify the intended LDAP query when
- it is sent to a downstream component.
- group: top10-injection
- name: Python_High_Risk_LDAP_Injection
- pretty_name: LDAP Injection - Python
- recommended: true
- ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
- Python_High_Risk_Local_File_Inclusion:
- categories:
- - boost-hardened
- - owasp-top-10
- - cwe-829
- - boost-baseline
- - ALL
- - checkmarx-high-risk
- description: The product imports, requires, or includes executable functionality
- (such as a library) from a source that is outside of the intended control sphere.
- group: top10-software-data-integrity-failures
- name: Python_High_Risk_Local_File_Inclusion
- pretty_name: Local File Inclusion - Python
- recommended: true
- ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
- Python_High_Risk_OS_Access_Violation:
- categories:
- - boost-hardened
- - cwe-77
- - owasp-top-10
- - boost-baseline
- - ALL
- - checkmarx-high-risk
- - cwe-top-25
- description: The product constructs all or part of a command using externally-influenced
- input from an upstream component, but it does not neutralize or incorrectly
- neutralizes special elements that could modify the intended command when it
- is sent to a downstream component.
- group: top10-injection
- name: Python_High_Risk_OS_Access_Violation
- pretty_name: OS Access Violation - Python
- recommended: true
- ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
- Python_High_Risk_Reflected_XSS_All_Clients:
- categories:
- - boost-hardened
- - cwe-79
- - owasp-top-10
- - boost-baseline
- - ALL
- - checkmarx-high-risk
- - cwe-top-25
- description: The product does not neutralize or incorrectly neutralizes user-controllable
- input before it is placed in output that is used as a web page that is served
- to other users.
- group: top10-injection
- name: Python_High_Risk_Reflected_XSS_All_Clients
- pretty_name: Reflected XSS All Clients - Python
- recommended: true
- ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
- Python_High_Risk_Resource_Injection:
- categories:
- - boost-hardened
- - owasp-top-10
- - cwe-99
- - boost-baseline
- - ALL
- - checkmarx-high-risk
- description: The product receives input from an upstream component, but it does
- not restrict or incorrectly restricts the input before it is used as an identifier
- for a resource that may be outside the intended sphere of control.
- group: top10-injection
- name: Python_High_Risk_Resource_Injection
- pretty_name: Resource Injection - Python
- recommended: true
- ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
- Python_High_Risk_SQL_Injection:
- categories:
- - boost-hardened
- - cwe-89
- - owasp-top-10
- - boost-baseline
- - ALL
- - checkmarx-high-risk
- - cwe-top-25
- description: The product constructs all or part of an SQL command using externally-influenced
- input from an upstream component, but it does not neutralize or incorrectly
- neutralizes special elements that could modify the intended SQL command when
- it is sent to a downstream component.
- group: top10-injection
- name: Python_High_Risk_SQL_Injection
- pretty_name: SQL Injection - Python
- recommended: true
- ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
- Python_High_Risk_Second_Order_SQL_Injection:
- categories:
- - boost-hardened
- - cwe-89
- - owasp-top-10
- - boost-baseline
- - ALL
- - checkmarx-high-risk
- - cwe-top-25
- description: The product constructs all or part of an SQL command using externally-influenced
- input from an upstream component, but it does not neutralize or incorrectly
- neutralizes special elements that could modify the intended SQL command when
- it is sent to a downstream component.
- group: top10-injection
- name: Python_High_Risk_Second_Order_SQL_Injection
- pretty_name: Second Order SQL Injection - Python
- recommended: true
- ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
- Python_High_Risk_Stored_XSS:
- categories:
- - boost-hardened
- - cwe-79
- - owasp-top-10
- - boost-baseline
- - ALL
- - checkmarx-high-risk
- - cwe-top-25
- description: The product does not neutralize or incorrectly neutralizes user-controllable
- input before it is placed in output that is used as a web page that is served
- to other users.
- group: top10-injection
- name: Python_High_Risk_Stored_XSS
- pretty_name: Stored XSS - Python
- recommended: true
- ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
- Python_High_Risk_Unsafe_Deserialization:
- categories:
- - boost-hardened
- - boost-baseline
- - owasp-top-10
- - cwe-502
- - ALL
- - checkmarx-high-risk
- - cwe-top-25
- description: The product deserializes untrusted data without sufficiently verifying
- that the resulting data will be valid.
- group: top10-software-data-integrity-failures
- name: Python_High_Risk_Unsafe_Deserialization
- pretty_name: Unsafe Deserialization - Python
- recommended: true
- ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
- Python_High_Risk_XPath_Injection:
- categories:
- - boost-hardened
- - cwe-643
- - owasp-top-10
- - boost-baseline
- - ALL
- - checkmarx-high-risk
- description: The product uses external input to dynamically construct an XPath
- expression used to retrieve data from an XML database, but it does not neutralize
- or incorrectly neutralizes that input. This allows an attacker to control the
- structure of the query.
- group: top10-injection
- name: Python_High_Risk_XPath_Injection
- pretty_name: XPath Injection - Python
- recommended: true
- ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
- Python_Low_Visibility_Command_Argument_Injection:
- categories:
- - cwe-88
- - checkmarx-low-visibility
- - owasp-top-10
- - boost-baseline
- - ALL
- description: The product constructs a string for a command to be executed by a
- separate component in another control sphere, but it does not properly delimit
- the intended arguments, options, or switches within that command string.
- group: top10-injection
- name: Python_Low_Visibility_Command_Argument_Injection
- pretty_name: Command Argument Injection - Python
- recommended: true
- ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
- Python_Low_Visibility_Cross_Site_History_Manipulation:
- categories:
- - cwe-203
- - checkmarx-low-visibility
- - owasp-top-10
- - boost-baseline
- - ALL
- description: The product behaves differently or sends different responses under
- different circumstances in a way that is observable to an unauthorized actor,
- which exposes security-relevant information about the state of the product,
- such as whether a particular operation was successful or not.
- group: top10-software-data-integrity-failures
- name: Python_Low_Visibility_Cross_Site_History_Manipulation
- pretty_name: Cross Site History Manipulation - Python
- recommended: true
- ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
- Python_Low_Visibility_Debug_Enabled:
- categories:
- - boost-baseline
- - ALL
- - checkmarx-low-visibility
- - cwe-11
- description: Debugging messages help attackers learn about the system and plan
- a form of attack.
- group: top10-security-misconfiguration
- name: Python_Low_Visibility_Debug_Enabled
- pretty_name: Debug Enabled - Python
- recommended: true
- ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
- Python_Low_Visibility_Django_Improper_Resource_Access_Authorization:
- categories:
- - checkmarx-low-visibility
- - owasp-top-10
- - cwe-285
- - boost-baseline
- - ALL
- description: The product does not perform or incorrectly performs an authorization
- check when an actor attempts to access a resource or perform an action.
- group: top10-broken-access-control
- name: Python_Low_Visibility_Django_Improper_Resource_Access_Authorization
- pretty_name: Django Improper Resource Access Authorization - Python
- recommended: true
- ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
- Python_Low_Visibility_Django_Information_Exposure_Through_an_Error_Message:
- categories:
- - cwe-209
- - checkmarx-low-visibility
- - owasp-top-10
- - boost-baseline
- - ALL
- description: The product generates an error message that includes sensitive information
- about its environment, users, or associated data.
- group: top10-insecure-design
- name: Python_Low_Visibility_Django_Information_Exposure_Through_an_Error_Message
- pretty_name: Django Information Exposure Through an Error Message - Python
- recommended: true
- ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
- Python_Low_Visibility_Django_Missing_Function_Level_Authorization:
- categories:
- - checkmarx-low-visibility
- - cwe-862
- - owasp-top-10
- - boost-baseline
- - ALL
- - cwe-top-25
- description: The product does not perform an authorization check when an actor
- attempts to access a resource or perform an action.
- group: top10-broken-access-control
- name: Python_Low_Visibility_Django_Missing_Function_Level_Authorization
- pretty_name: Django Missing Function Level Authorization - Python
- recommended: true
- ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
- Python_Low_Visibility_Improper_Resource_Shutdown_or_Release:
- categories:
- - cwe-404
- - checkmarx-low-visibility
- - owasp-top-10
- - boost-baseline
- - ALL
- description: The product does not release or incorrectly releases a resource before
- it is made available for re-use.
- group: top10-insecure-design
- name: Python_Low_Visibility_Improper_Resource_Shutdown_or_Release
- pretty_name: Improper Resource Shutdown or Release - Python
- recommended: true
- ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
- Python_Low_Visibility_Information_Exposure_Through_an_Error_Message:
- categories:
- - cwe-209
- - checkmarx-low-visibility
- - owasp-top-10
- - boost-baseline
- - ALL
- description: The product generates an error message that includes sensitive information
- about its environment, users, or associated data.
- group: top10-insecure-design
- name: Python_Low_Visibility_Information_Exposure_Through_an_Error_Message
- pretty_name: Information Exposure Through an Error Message - Python
- recommended: true
- ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
- Python_Low_Visibility_Insufficiently_Protected_Credentials:
- categories:
- - checkmarx-low-visibility
- - owasp-top-10
- - boost-baseline
- - ALL
- - cwe-522
- description: The product transmits or stores authentication credentials, but it
- uses an insecure method that is susceptible to unauthorized interception and/or
- retrieval.
- group: top10-insecure-design
- name: Python_Low_Visibility_Insufficiently_Protected_Credentials
- pretty_name: Insufficiently Protected Credentials - Python
- recommended: true
- ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
- Python_Low_Visibility_Log_Forging:
- categories:
- - boost-baseline
- - ALL
- - cwe-117
- - checkmarx-low-visibility
- description: The product does not neutralize or incorrectly neutralizes output
- that is written to logs.
- group: top10-security-logging-monitoring-failures
- name: Python_Low_Visibility_Log_Forging
- pretty_name: Log Forging - Python
- recommended: true
- ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
- Python_Low_Visibility_Missing_Content_Security_Policy:
- categories:
- - checkmarx-low-visibility
- - owasp-top-10
- - boost-baseline
- - ALL
- - cwe-346
- description: The product does not properly verify that the source of data or communication
- is valid.
- group: top10-id-authn-failures
- name: Python_Low_Visibility_Missing_Content_Security_Policy
- pretty_name: Missing Content Security Policy - Python
- recommended: true
- ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
- Python_Low_Visibility_Overly_Permissive_Cross_Origin_Resource_Sharing_Policy:
- categories:
- - checkmarx-low-visibility
- - owasp-top-10
- - boost-baseline
- - ALL
- - cwe-346
- description: The product does not properly verify that the source of data or communication
- is valid.
- group: top10-id-authn-failures
- name: Python_Low_Visibility_Overly_Permissive_Cross_Origin_Resource_Sharing_Policy
- pretty_name: Overly Permissive Cross Origin Resource Sharing Policy - Python
- recommended: true
- ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
- Python_Low_Visibility_Password_In_Comment:
- categories:
- - cwe-615
- - checkmarx-low-visibility
- - owasp-top-10
- - boost-baseline
- - ALL
- description: 'While adding general comments is very useful, some programmers tend
- to leave important data, such as: filenames related to the web application,
- old links or links which were not meant to be browsed by users, old code fragments,
- etc.'
- group: top10-id-authn-failures
- name: Python_Low_Visibility_Password_In_Comment
- pretty_name: Password In Comment - Python
- recommended: true
- ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
- Python_Low_Visibility_Permissive_Content_Security_Policy:
- categories:
- - checkmarx-low-visibility
- - owasp-top-10
- - boost-baseline
- - ALL
- - cwe-346
- description: The product does not properly verify that the source of data or communication
- is valid.
- group: top10-id-authn-failures
- name: Python_Low_Visibility_Permissive_Content_Security_Policy
- pretty_name: Permissive Content Security Policy - Python
- recommended: true
- ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
- Python_Low_Visibility_ReDoS_Injection:
- categories:
- - checkmarx-low-visibility
- - owasp-top-10
- - cwe-400
- - boost-baseline
- - ALL
- - cwe-top-25
- description: The product does not properly control the allocation and maintenance
- of a limited resource, thereby enabling an actor to influence the amount of
- resources consumed, eventually leading to the exhaustion of available resources.
- group: top10-insecure-design
- name: Python_Low_Visibility_ReDoS_Injection
- pretty_name: ReDoS Injection - Python
- recommended: true
- ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
- Python_Low_Visibility_Stored_Code_Injection:
- categories:
- - cwe-94
- - checkmarx-low-visibility
- - owasp-top-10
- - boost-baseline
- - ALL
- - cwe-top-25
- description: The product constructs all or part of a code segment using externally-influenced
- input from an upstream component, but it does not neutralize or incorrectly
- neutralizes special elements that could modify the syntax or behavior of the
- intended code segment.
- group: top10-injection
- name: Python_Low_Visibility_Stored_Code_Injection
- pretty_name: Stored Code Injection - Python
- recommended: true
- ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
- Python_Low_Visibility_Stored_Command_Argument_Injection:
- categories:
- - cwe-88
- - checkmarx-low-visibility
- - owasp-top-10
- - boost-baseline
- - ALL
- description: The product constructs a string for a command to be executed by a
- separate component in another control sphere, but it does not properly delimit
- the intended arguments, options, or switches within that command string.
- group: top10-injection
- name: Python_Low_Visibility_Stored_Command_Argument_Injection
- pretty_name: Stored Command Argument Injection - Python
- recommended: true
- ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
- Python_Low_Visibility_Trust_Boundary_Violation_in_Session_Variables:
- categories:
- - cwe-501
- - checkmarx-low-visibility
- - owasp-top-10
- - boost-baseline
- - ALL
- description: The product mixes trusted and untrusted data in the same data structure
- or structured message.
- group: top10-insecure-design
- name: Python_Low_Visibility_Trust_Boundary_Violation_in_Session_Variables
- pretty_name: Trust Boundary Violation in Session Variables - Python
- recommended: true
- ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
- Python_Low_Visibility_Use_Of_Hardcoded_Password:
- categories:
- - ALL
- - checkmarx-low-visibility
- - owasp-top-10
- - boost-baseline
- - cwe-259
- description: The product contains a hard-coded password, which it uses for its
- own inbound authentication or for outbound communication to external components.
- group: top10-id-authn-failures
- name: Python_Low_Visibility_Use_Of_Hardcoded_Password
- pretty_name: Use Of Hardcoded Password - Python
- recommended: true
- ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
- Python_Low_Visibility_Use_of_Broken_or_Risky_Cryptographic_Algorithm:
- categories:
- - cwe-327
- - checkmarx-low-visibility
- - owasp-top-10
- - boost-baseline
- - ALL
- description: The product uses a broken or risky cryptographic algorithm or protocol.
- group: top10-crypto-failures
- name: Python_Low_Visibility_Use_of_Broken_or_Risky_Cryptographic_Algorithm
- pretty_name: Use of Broken or Risky Cryptographic Algorithm - Python
- recommended: true
- ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
- Python_Medium_Threat_CSRF:
- categories:
- - checkmarx-medium-threat
- - cwe-352
- - owasp-top-10
- - boost-baseline
- - ALL
- - cwe-top-25
- description: The web application does not, or can not, sufficiently verify whether
- a well-formed, valid, consistent request was intentionally provided by the user
- who submitted the request.
- group: top10-injection
- name: Python_Medium_Threat_CSRF
- pretty_name: CSRF - Python
- recommended: true
- ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
- Python_Medium_Threat_Communication_Over_HTTP:
- categories:
- - checkmarx-medium-threat
- - owasp-top-10
- - cwe-319
- - boost-baseline
- - ALL
- description: The product transmits sensitive or security-critical data in cleartext
- in a communication channel that can be sniffed by unauthorized actors.
- group: top10-crypto-failures
- name: Python_Medium_Threat_Communication_Over_HTTP
- pretty_name: Communication Over HTTP - Python
- recommended: true
- ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
- Python_Medium_Threat_Cookie_Poisoning:
- categories:
- - checkmarx-medium-threat
- - owasp-top-10
- - cwe-472
- - boost-baseline
- - ALL
- description: The web application does not sufficiently verify inputs that are
- assumed to be immutable but are actually externally controllable, such as hidden
- form fields.
- group: top10-insecure-design
- name: Python_Medium_Threat_Cookie_Poisoning
- pretty_name: Cookie Poisoning - Python
- recommended: true
- ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
- Python_Medium_Threat_DB_Parameter_Tampering:
- categories:
- - checkmarx-medium-threat
- - owasp-top-10
- - cwe-284
- - boost-baseline
- - ALL
- description: The product does not restrict or incorrectly restricts access to
- a resource from an unauthorized actor.
- group: top10-broken-access-control
- name: Python_Medium_Threat_DB_Parameter_Tampering
- pretty_name: DB Parameter Tampering - Python
- recommended: true
- ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
- Python_Medium_Threat_Django_Missing_Object_Level_Authorization:
- categories:
- - checkmarx-medium-threat
- - cwe-862
- - owasp-top-10
- - boost-baseline
- - ALL
- - cwe-top-25
- description: The product does not perform an authorization check when an actor
- attempts to access a resource or perform an action.
- group: top10-broken-access-control
- name: Python_Medium_Threat_Django_Missing_Object_Level_Authorization
- pretty_name: Django Missing Object Level Authorization - Python
- recommended: true
- ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
- Python_Medium_Threat_DoS_by_Sleep:
- categories:
- - checkmarx-medium-threat
- - owasp-top-10
- - boost-baseline
- - ALL
- description: The product performs an iteration or loop without sufficiently limiting
- the number of times that the loop is executed.
- group: top10-insecure-design
- name: Python_Medium_Threat_DoS_by_Sleep
- pretty_name: DoS by Sleep - Python
- recommended: true
- ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
- Python_Medium_Threat_Filtering_Sensitive_Logs:
- categories:
- - boost-baseline
- - ALL
- - checkmarx-medium-threat
- - cwe-532
- description: Information written to log files can be of a sensitive nature and
- give valuable guidance to an attacker or expose sensitive user information.
- group: top10-security-logging-monitoring-failures
- name: Python_Medium_Threat_Filtering_Sensitive_Logs
- pretty_name: Filtering Sensitive Logs - Python
- recommended: true
- ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
- Python_Medium_Threat_Hardcoded_Password_in_Connection_String:
- categories:
- - boost-baseline
- - ALL
- - cwe-547
- - checkmarx-medium-threat
- description: The product uses hard-coded constants instead of symbolic names for
- security-critical values, which increases the likelihood of mistakes during
- code maintenance or security policy change.
- group: top10-security-misconfiguration
- name: Python_Medium_Threat_Hardcoded_Password_in_Connection_String
- pretty_name: Hardcoded Password in Connection String - Python
- recommended: true
- ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
- Python_Medium_Threat_Header_Injection:
- categories:
- - checkmarx-medium-threat
- - cwe-113
- - owasp-top-10
- - boost-baseline
- - ALL
- description: The product receives data from an HTTP agent/component (e.g., web
- server, proxy, browser, etc.), but it does not neutralize or incorrectly neutralizes
- CR and LF characters before the data is included in outgoing HTTP headers.
- group: top10-injection
- name: Python_Medium_Threat_Header_Injection
- pretty_name: Header Injection - Python
- recommended: true
- ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
- Python_Medium_Threat_HttpOnlyCookies_In_Config:
- categories:
- - cwe-1004
- - ALL
- - boost-baseline
- - checkmarx-medium-threat
- description: The product uses a cookie to store sensitive information, but the
- cookie is not marked with the HttpOnly flag.
- group: top10-security-misconfiguration
- name: Python_Medium_Threat_HttpOnlyCookies_In_Config
- pretty_name: HttpOnlyCookies In Config - Python
- recommended: true
- ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
- Python_Medium_Threat_Improper_Restriction_of_XXE_Ref:
- categories:
- - checkmarx-medium-threat
- - cwe-611
- - boost-baseline
- - ALL
- - cwe-top-25
- description: The product processes an XML document that can contain XML entities
- with URIs that resolve to documents outside of the intended sphere of control,
- causing the product to embed incorrect documents into its output.
- group: top10-security-misconfiguration
- name: Python_Medium_Threat_Improper_Restriction_of_XXE_Ref
- pretty_name: Improper Restriction of XXE Ref - Python
- recommended: true
- ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
- Python_Medium_Threat_Insecure_Randomness:
- categories:
- - checkmarx-medium-threat
- - cwe-330
- - owasp-top-10
- - boost-baseline
- - ALL
- description: The product uses insufficiently random numbers or values in a security
- context that depends on unpredictable numbers.
- group: top10-crypto-failures
- name: Python_Medium_Threat_Insecure_Randomness
- pretty_name: Insecure Randomness - Python
- recommended: true
- ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
- Python_Medium_Threat_Missing_HSTS_Header:
- categories:
- - checkmarx-medium-threat
- - owasp-top-10
- - boost-baseline
- - ALL
- - cwe-346
- description: The product does not properly verify that the source of data or communication
- is valid.
- group: top10-id-authn-failures
- name: Python_Medium_Threat_Missing_HSTS_Header
- pretty_name: Missing HSTS Header - Python
- recommended: true
- ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
- Python_Medium_Threat_Missing_Secure_In_Config:
- categories:
- - boost-baseline
- - cwe-614
- - checkmarx-medium-threat
- - ALL
- description: The Secure attribute for sensitive cookies in HTTPS sessions is not
- set, which could cause the user agent to send those cookies in plaintext over
- an HTTP session.
- group: top10-security-misconfiguration
- name: Python_Medium_Threat_Missing_Secure_In_Config
- pretty_name: Missing Secure In Config - Python
- recommended: true
- ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
- Python_Medium_Threat_Object_Access_Violation:
- categories:
- - checkmarx-medium-threat
- - owasp-top-10
- - cwe-610
- - boost-baseline
- - ALL
- description: The product uses an externally controlled name or reference that
- resolves to a resource that is outside of the intended control sphere.
- group: top10-injection
- name: Python_Medium_Threat_Object_Access_Violation
- pretty_name: Object Access Violation - Python
- recommended: true
- ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
- Python_Medium_Threat_Open_Redirect:
- categories:
- - checkmarx-medium-threat
- - cwe-601
- - owasp-top-10
- - boost-baseline
- - ALL
- description: A web application accepts a user-controlled input that specifies
- a link to an external site, and uses that link in a Redirect. This simplifies
- phishing attacks.
- group: top10-broken-access-control
- name: Python_Medium_Threat_Open_Redirect
- pretty_name: Open Redirect - Python
- recommended: true
- ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
- Python_Medium_Threat_Parameter_Tampering:
- categories:
- - checkmarx-medium-threat
- - owasp-top-10
- - cwe-472
- - boost-baseline
- - ALL
- description: The web application does not sufficiently verify inputs that are
- assumed to be immutable but are actually externally controllable, such as hidden
- form fields.
- group: top10-insecure-design
- name: Python_Medium_Threat_Parameter_Tampering
- pretty_name: Parameter Tampering - Python
- recommended: true
- ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
- Python_Medium_Threat_Path_Traversal:
- categories:
- - ALL
- - checkmarx-medium-threat
- - owasp-top-10
- - boost-baseline
- - cwe-22
- - cwe-top-25
- description: The product uses external input to construct a pathname that is intended
- to identify a file or directory that is located underneath a restricted parent
- directory, but the product does not properly neutralize special elements within
- the pathname that can cause the pathname to resolve to a location that is outside
- of the restricted directory.
- group: top10-broken-access-control
- name: Python_Medium_Threat_Path_Traversal
- pretty_name: Path Traversal - Python
- recommended: true
- ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
- Python_Medium_Threat_Privacy_Violation:
- categories:
- - checkmarx-medium-threat
- - owasp-top-10
- - boost-baseline
- - ALL
- - cwe-359
- description: The product does not properly prevent a person's private, personal
- information from being accessed by actors who either (1) are not explicitly
- authorized to access the information or (2) do not have the implicit consent
- of the person about whom the information is collected.
- group: top10-broken-access-control
- name: Python_Medium_Threat_Privacy_Violation
- pretty_name: Privacy Violation - Python
- recommended: true
- ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
- Python_Medium_Threat_ReDoS_In_Replace:
- categories:
- - checkmarx-medium-threat
- - owasp-top-10
- - cwe-400
- - boost-baseline
- - ALL
- - cwe-top-25
- description: The product does not properly control the allocation and maintenance
- of a limited resource, thereby enabling an actor to influence the amount of
- resources consumed, eventually leading to the exhaustion of available resources.
- group: top10-insecure-design
- name: Python_Medium_Threat_ReDoS_In_Replace
- pretty_name: ReDoS In Replace - Python
- recommended: true
- ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
- Python_Medium_Threat_SSL_Verification_Bypass:
- categories:
- - checkmarx-medium-threat
- - cwe-599
- - owasp-top-10
- - boost-baseline
- - ALL
- description: The product uses OpenSSL and trusts or uses a certificate without
- using the SSL_get_verify_result() function to ensure that the certificate satisfies
- all necessary security requirements.
- group: top10-software-data-integrity-failures
- name: Python_Medium_Threat_SSL_Verification_Bypass
- pretty_name: SSL Verification Bypass - Python
- recommended: true
- ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
- Python_Medium_Threat_SSRF:
- categories:
- - checkmarx-medium-threat
- - cwe-918
- - owasp-top-10
- - boost-baseline
- - ALL
- - cwe-top-25
- description: The web server receives a URL or similar request from an upstream
- component and retrieves the contents of this URL, but it does not sufficiently
- ensure that the request is being sent to the expected destination.
- group: top10-server-side-request-forgery
- name: Python_Medium_Threat_SSRF
- pretty_name: SSRF - Python
- recommended: true
- ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
- Python_Medium_Threat_Stored_Command_Injection:
- categories:
- - cwe-77
- - checkmarx-medium-threat
- - owasp-top-10
- - boost-baseline
- - ALL
- - cwe-top-25
- description: The product constructs all or part of a command using externally-influenced
- input from an upstream component, but it does not neutralize or incorrectly
- neutralizes special elements that could modify the intended command when it
- is sent to a downstream component.
- group: top10-injection
- name: Python_Medium_Threat_Stored_Command_Injection
- pretty_name: Stored Command Injection - Python
- recommended: true
- ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
- Python_Medium_Threat_Stored_LDAP_Injection:
- categories:
- - checkmarx-medium-threat
- - cwe-90
- - owasp-top-10
- - boost-baseline
- - ALL
- description: The product constructs all or part of an LDAP query using externally-influenced
- input from an upstream component, but it does not neutralize or incorrectly
- neutralizes special elements that could modify the intended LDAP query when
- it is sent to a downstream component.
- group: top10-injection
- name: Python_Medium_Threat_Stored_LDAP_Injection
- pretty_name: Stored LDAP Injection - Python
- recommended: true
- ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html
- Python_Medium_Threat_Unchecked_Input_for_Loop_Condition:
- categories:
- - checkmarx-medium-threat
- - owasp-top-10
- - cwe-606
- - boost-baseline
- - ALL
- description: The product does not properly check inputs that are used for loop
- conditions, potentially leading to a denial of service or other consequences
- because of excessive looping.
- group: top10-insecure-design - name: Python_Medium_Threat_Unchecked_Input_for_Loop_Condition - pretty_name: Unchecked Input for Loop Condition - Python - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Python_Medium_Threat_Uncontrolled_Format_String: - categories: - - checkmarx-medium-threat - - cwe-134 - - owasp-top-10 - - boost-baseline - - ALL - description: The product uses a function that accepts a format string as an argument, - but the format string originates from an external source. - group: top10-injection - name: Python_Medium_Threat_Uncontrolled_Format_String - pretty_name: Uncontrolled Format String - Python - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Python_Medium_Threat_Use_of_Hardcoded_Cryptographic_Key: - categories: - - cwe-321 - - checkmarx-medium-threat - - owasp-top-10 - - boost-baseline - - ALL - description: The use of a hard-coded cryptographic key significantly increases - the possibility that encrypted data may be recovered. - group: top10-crypto-failures - name: Python_Medium_Threat_Use_of_Hardcoded_Cryptographic_Key - pretty_name: Use of Hardcoded Cryptographic Key - Python - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - RPG_High_Risk_Buffer_Overrun: - categories: - - boost-hardened - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-high-risk - description: The product reads from a buffer using buffer access mechanisms such - as indexes or pointers that reference memory locations after the targeted buffer. 
- group: top10-injection - name: RPG_High_Risk_Buffer_Overrun - pretty_name: Buffer Overrun - RPG - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - RPG_High_Risk_Control_Language_Injection: - categories: - - boost-hardened - - cwe-77 - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-high-risk - - cwe-top-25 - description: The product constructs all or part of a command using externally-influenced - input from an upstream component, but it does not neutralize or incorrectly - neutralizes special elements that could modify the intended command when it - is sent to a downstream component. - group: top10-injection - name: RPG_High_Risk_Control_Language_Injection - pretty_name: Control Language Injection - RPG - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - RPG_High_Risk_SQL_Injection: - categories: - - boost-hardened - - cwe-89 - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-high-risk - - cwe-top-25 - description: The product constructs all or part of an SQL command using externally-influenced - input from an upstream component, but it does not neutralize or incorrectly - neutralizes special elements that could modify the intended SQL command when - it is sent to a downstream component. - group: top10-injection - name: RPG_High_Risk_SQL_Injection - pretty_name: SQL Injection - RPG - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - RPG_Low_Visibility_Ignored_Error_Conditions: - categories: - - cwe-703 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: The product does not properly anticipate or handle exceptional conditions - that rarely occur during normal operation of the product. 
- group: top10-insecure-design - name: RPG_Low_Visibility_Ignored_Error_Conditions - pretty_name: Ignored Error Conditions - RPG - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - RPG_Low_Visibility_Improper_Resource_Shutdown_or_Release: - categories: - - cwe-404 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: The product does not release or incorrectly releases a resource before - it is made available for re-use. - group: top10-insecure-design - name: RPG_Low_Visibility_Improper_Resource_Shutdown_or_Release - pretty_name: Improper Resource Shutdown or Release - RPG - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - RPG_Low_Visibility_Information_Exposure_Through_Dump: - categories: - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: The product generates a core dump file in a directory, archive, or - other resource that is stored, transferred, or otherwise made accessible to - unauthorized actors. - group: top10-broken-access-control - name: RPG_Low_Visibility_Information_Exposure_Through_Dump - pretty_name: Information Exposure Through Dump - RPG - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - RPG_Low_Visibility_Integer_Overflow: - categories: - - cwe-190 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - - cwe-top-25 - description: The product performs a calculation that can produce an integer overflow - or wraparound, when the logic assumes that the resulting value will always be - larger than the original value. This can introduce other weaknesses when the - calculation is used for resource management or execution control. 
- group: top10-injection - name: RPG_Low_Visibility_Integer_Overflow - pretty_name: Integer Overflow - RPG - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - RPG_Low_Visibility_Library_Search_Order_Hijacking: - categories: - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: The product uses a fixed or controlled search path to find resources, - but one or more locations in that path can be under the control of unintended - actors. - group: top10-injection - name: RPG_Low_Visibility_Library_Search_Order_Hijacking - pretty_name: Library Search Order Hijacking - RPG - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - RPG_Low_Visibility_Use_Of_Hardcoded_Password: - categories: - - ALL - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - cwe-259 - description: The product contains a hard-coded password, which it uses for its - own inbound authentication or for outbound communication to external components. - group: top10-id-authn-failures - name: RPG_Low_Visibility_Use_Of_Hardcoded_Password - pretty_name: Use Of Hardcoded Password - RPG - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - RPG_Low_Visibility_Use_of_Broken_or_Risky_Cryptographic_Algorithm: - categories: - - cwe-327 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: The product uses a broken or risky cryptographic algorithm or protocol. 
- group: top10-crypto-failures - name: RPG_Low_Visibility_Use_of_Broken_or_Risky_Cryptographic_Algorithm - pretty_name: Use of Broken or Risky Cryptographic Algorithm - RPG - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - RPG_Medium_Threat_DoS_by_Sleep: - categories: - - checkmarx-medium-threat - - owasp-top-10 - - boost-baseline - - ALL - description: The product performs an iteration or loop without sufficiently limiting - the number of times that the loop is executed. - group: top10-insecure-design - name: RPG_Medium_Threat_DoS_by_Sleep - pretty_name: DoS by Sleep - RPG - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - RPG_Medium_Threat_ReDoS: - categories: - - checkmarx-medium-threat - - owasp-top-10 - - boost-baseline - - ALL - - cwe-1333 - description: The product uses a regular expression with an inefficient, possibly - exponential worst-case computational complexity that consumes excessive CPU - cycles. - group: top10-insecure-design - name: RPG_Medium_Threat_ReDoS - pretty_name: ReDoS - RPG - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - RPG_Medium_Threat_Reflected_Path_Traversal: - categories: - - checkmarx-medium-threat - - owasp-top-10 - - cwe-36 - - boost-baseline - - ALL - description: The product uses external input to construct a pathname that should - be within a restricted directory, but it does not properly neutralize absolute - path sequences such as "/abs/path" that can resolve to a location that is outside - of that directory. 
- group: top10-broken-access-control - name: RPG_Medium_Threat_Reflected_Path_Traversal - pretty_name: Reflected Path Traversal - RPG - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Ruby_Best_Coding_Practice_Caching_False_In_Production: - categories: - - ALL - - owasp-top-10 - - checkmarx-best-coding-practices - - boost-baseline - description: Setting caching to false in a production environment in a Ruby application, - potentially leading to performance degradation. - group: top10-insecure-design - name: Ruby_Best_Coding_Practice_Caching_False_In_Production - pretty_name: Caching False In Production - Ruby - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Ruby_Best_Coding_Practice_Declaration_Of_Catch_For_Generic_Exception: - categories: - - cwe-396 - - owasp-top-10 - - checkmarx-best-coding-practices - - boost-baseline - - ALL - description: Catching overly broad exceptions promotes complex error handling - code that is more likely to contain security vulnerabilities. - group: top10-insecure-design - name: Ruby_Best_Coding_Practice_Declaration_Of_Catch_For_Generic_Exception - pretty_name: Declaration Of Catch For Generic Exception - Ruby - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Ruby_Best_Coding_Practice_Dynamic_Render_Path: - categories: - - ALL - - owasp-top-10 - - checkmarx-best-coding-practices - - boost-baseline - description: Render paths are determined at runtime in Rails views. This practice - opens the door for potential unauthorized access to files when user-controlled - input is involved, leading to security vulnerabilities. 
- group: top10-insecure-design - name: Ruby_Best_Coding_Practice_Dynamic_Render_Path - pretty_name: Dynamic Render Path - Ruby - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Ruby_Best_Coding_Practice_Dynamic_SQL_Queries: - categories: - - cwe-89 - - owasp-top-10 - - checkmarx-best-coding-practices - - boost-baseline - - ALL - - cwe-top-25 - description: The product constructs all or part of an SQL command using externally-influenced - input from an upstream component, but it does not neutralize or incorrectly - neutralizes special elements that could modify the intended SQL command when - it is sent to a downstream component. - group: top10-injection - name: Ruby_Best_Coding_Practice_Dynamic_SQL_Queries - pretty_name: Dynamic SQL Queries - Ruby - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Ruby_Best_Coding_Practice_Global_Variables_Without_Meaningful_Name: - categories: - - owasp-top-10 - - checkmarx-best-coding-practices - - boost-baseline - - ALL - description: Global variables are assigned names that lack specificity or context. - This makes the code difficult to understand and maintain, increasing the risk - of bugs. - group: top10-insecure-design - name: Ruby_Best_Coding_Practice_Global_Variables_Without_Meaningful_Name - pretty_name: Global Variables Without Meaningful Name - Ruby - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Ruby_Best_Coding_Practice_Hardcoded_Absolute_Path: - categories: - - cwe-426 - - owasp-top-10 - - checkmarx-best-coding-practices - - boost-baseline - - ALL - description: The product searches for critical resources using an externally-supplied - search path that can point to resources that are not under the product's direct - control. 
- group: top10-software-data-integrity-failures - name: Ruby_Best_Coding_Practice_Hardcoded_Absolute_Path - pretty_name: Hardcoded Absolute Path - Ruby - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Ruby_Best_Coding_Practice_Import_Relative_To_File: - categories: - - owasp-top-10 - - checkmarx-best-coding-practices - - boost-baseline - - ALL - description: Files are being imported using relative paths, which may lead to - unexpected behavior if the file structure changes. Use absolute paths for stability - and compatibility - group: top10-insecure-design - name: Ruby_Best_Coding_Practice_Import_Relative_To_File - pretty_name: Import Relative To File - Ruby - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Ruby_Best_Coding_Practice_Unchecked_Error_Condition: - categories: - - owasp-top-10 - - cwe-391 - - checkmarx-best-coding-practices - - boost-baseline - - ALL - description: '[PLANNED FOR DEPRECATION. SEE MAINTENANCE NOTES AND CONSIDER' - group: top10-insecure-design - name: Ruby_Best_Coding_Practice_Unchecked_Error_Condition - pretty_name: Unchecked Error Condition - Ruby - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Ruby_Best_Coding_Practice_Unclosed_Objects: - categories: - - owasp-top-10 - - checkmarx-best-coding-practices - - boost-baseline - - ALL - - cwe-459 - description: The product does not properly "clean up" and remove temporary or - supporting resources after they have been used. 
- group: top10-insecure-design - name: Ruby_Best_Coding_Practice_Unclosed_Objects - pretty_name: Unclosed Objects - Ruby - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Ruby_Best_Coding_Practice_Use_Of_Global_Variables: - categories: - - owasp-top-10 - - cwe-766 - - checkmarx-best-coding-practices - - boost-baseline - - ALL - description: The product declares a critical variable, field, or member to be - public when intended security policy requires it to be private. - group: top10-insecure-design - name: Ruby_Best_Coding_Practice_Use_Of_Global_Variables - pretty_name: Use Of Global Variables - Ruby - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Ruby_High_Risk_Code_Injection: - categories: - - boost-hardened - - cwe-94 - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-high-risk - - cwe-top-25 - description: The product constructs all or part of a code segment using externally-influenced - input from an upstream component, but it does not neutralize or incorrectly - neutralizes special elements that could modify the syntax or behavior of the - intended code segment. - group: top10-injection - name: Ruby_High_Risk_Code_Injection - pretty_name: Code Injection - Ruby - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Ruby_High_Risk_Command_Injection: - categories: - - boost-hardened - - cwe-77 - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-high-risk - - cwe-top-25 - description: The product constructs all or part of a command using externally-influenced - input from an upstream component, but it does not neutralize or incorrectly - neutralizes special elements that could modify the intended command when it - is sent to a downstream component. 
- group: top10-injection - name: Ruby_High_Risk_Command_Injection - pretty_name: Command Injection - Ruby - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Ruby_High_Risk_Reflected_XSS_All_Clients: - categories: - - boost-hardened - - cwe-79 - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-high-risk - - cwe-top-25 - description: The product does not neutralize or incorrectly neutralizes user-controllable - input before it is placed in output that is used as a web page that is served - to other users. - group: top10-injection - name: Ruby_High_Risk_Reflected_XSS_All_Clients - pretty_name: Reflected XSS All Clients - Ruby - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Ruby_High_Risk_Remote_File_Inclusion: - categories: - - boost-hardened - - owasp-top-10 - - cwe-829 - - boost-baseline - - ALL - - checkmarx-high-risk - description: The product imports, requires, or includes executable functionality - (such as a library) from a source that is outside of the intended control sphere. - group: top10-software-data-integrity-failures - name: Ruby_High_Risk_Remote_File_Inclusion - pretty_name: Remote File Inclusion - Ruby - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Ruby_High_Risk_SQL_Injection: - categories: - - boost-hardened - - cwe-89 - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-high-risk - - cwe-top-25 - description: The product constructs all or part of an SQL command using externally-influenced - input from an upstream component, but it does not neutralize or incorrectly - neutralizes special elements that could modify the intended SQL command when - it is sent to a downstream component. 
- group: top10-injection - name: Ruby_High_Risk_SQL_Injection - pretty_name: SQL Injection - Ruby - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Ruby_High_Risk_Second_Order_SQL_Injection: - categories: - - boost-hardened - - cwe-89 - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-high-risk - - cwe-top-25 - description: The product constructs all or part of an SQL command using externally-influenced - input from an upstream component, but it does not neutralize or incorrectly - neutralizes special elements that could modify the intended SQL command when - it is sent to a downstream component. - group: top10-injection - name: Ruby_High_Risk_Second_Order_SQL_Injection - pretty_name: Second Order SQL Injection - Ruby - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Ruby_High_Risk_Stored_XSS: - categories: - - boost-hardened - - cwe-79 - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-high-risk - - cwe-top-25 - description: The product does not neutralize or incorrectly neutralizes user-controllable - input before it is placed in output that is used as a web page that is served - to other users. - group: top10-injection - name: Ruby_High_Risk_Stored_XSS - pretty_name: Stored XSS - Ruby - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Ruby_Low_Visibility_Attr_accessible_Not_Set: - categories: - - boost-baseline - - ALL - - checkmarx-low-visibility - - owasp-top-10 - description: The attribute of an Active Record model is not declared as accessible - using 'attr_accessible', allowing potential mass assignment vulnerabilities - in Ruby on Rails applications. 
- group: top10-security-misconfiguration - name: Ruby_Low_Visibility_Attr_accessible_Not_Set - pretty_name: Attr accessible Not Set - Ruby - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Ruby_Low_Visibility_Blind_SQL_Injections: - categories: - - checkmarx-low-visibility - - cwe-89 - - owasp-top-10 - - boost-baseline - - ALL - - cwe-top-25 - description: The product constructs all or part of an SQL command using externally-influenced - input from an upstream component, but it does not neutralize or incorrectly - neutralizes special elements that could modify the intended SQL command when - it is sent to a downstream component. - group: top10-injection - name: Ruby_Low_Visibility_Blind_SQL_Injections - pretty_name: Blind SQL Injections - Ruby - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Ruby_Low_Visibility_Connection_String_Injection: - categories: - - checkmarx-low-visibility - - owasp-top-10 - - cwe-99 - - boost-baseline - - ALL - description: The product receives input from an upstream component, but it does - not restrict or incorrectly restricts the input before it is used as an identifier - for a resource that may be outside the intended sphere of control. - group: top10-injection - name: Ruby_Low_Visibility_Connection_String_Injection - pretty_name: Connection String Injection - Ruby - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Ruby_Low_Visibility_Cross_Site_History_Manipulation: - categories: - - cwe-203 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: The product behaves differently or sends different responses under - different circumstances in a way that is observable to an unauthorized actor, - which exposes security-relevant information about the state of the product, - such as whether a particular operation was successful or not. 
- group: top10-software-data-integrity-failures - name: Ruby_Low_Visibility_Cross_Site_History_Manipulation - pretty_name: Cross Site History Manipulation - Ruby - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Ruby_Low_Visibility_DB_Information_Leak: - categories: - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - - cwe-200 - description: The product exposes sensitive information to an actor that is not - explicitly authorized to have access to that information. - group: top10-broken-access-control - name: Ruby_Low_Visibility_DB_Information_Leak - pretty_name: DB Information Leak - Ruby - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Ruby_Low_Visibility_Disabling_SAFE_Mode: - categories: - - ALL - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - cwe-250 - description: The product performs an operation at a privilege level that is higher - than the minimum level required, which creates new weaknesses or amplifies the - consequences of other weaknesses. - group: top10-injection - name: Ruby_Low_Visibility_Disabling_SAFE_Mode - pretty_name: Disabling SAFE Mode - Ruby - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Ruby_Low_Visibility_Full_Error_Reports_In_Production: - categories: - - cwe-209 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: The product generates an error message that includes sensitive information - about its environment, users, or associated data. 
- group: top10-insecure-design - name: Ruby_Low_Visibility_Full_Error_Reports_In_Production - pretty_name: Full Error Reports In Production - Ruby - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Ruby_Low_Visibility_Improper_Exception_Handling: - categories: - - cwe-248 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: An exception is thrown from a function, but it is not caught. - group: top10-insecure-design - name: Ruby_Low_Visibility_Improper_Exception_Handling - pretty_name: Improper Exception Handling - Ruby - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Ruby_Low_Visibility_Improper_Transaction_Handling: - categories: - - cwe-460 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: The product does not clean up its state or incorrectly cleans up - its state when an exception is thrown, leading to unexpected state or control - flow. - group: top10-insecure-design - name: Ruby_Low_Visibility_Improper_Transaction_Handling - pretty_name: Improper Transaction Handling - Ruby - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Ruby_Low_Visibility_Information_Exposure_Through_an_Error_Message: - categories: - - cwe-209 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: The product generates an error message that includes sensitive information - about its environment, users, or associated data. 
- group: top10-insecure-design - name: Ruby_Low_Visibility_Information_Exposure_Through_an_Error_Message - pretty_name: Information Exposure Through an Error Message - Ruby - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Ruby_Low_Visibility_Information_Leak_Through_Persistent_Cookies: - categories: - - cwe-539 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: The web application uses persistent cookies, but the cookies contain - sensitive information. - group: top10-insecure-design - name: Ruby_Low_Visibility_Information_Leak_Through_Persistent_Cookies - pretty_name: Information Leak Through Persistent Cookies - Ruby - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Ruby_Low_Visibility_Insufficiently_Protected_Credentials: - categories: - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - - cwe-522 - description: The product transmits or stores authentication credentials, but it - uses an insecure method that is susceptible to unauthorized interception and/or - retrieval. - group: top10-insecure-design - name: Ruby_Low_Visibility_Insufficiently_Protected_Credentials - pretty_name: Insufficiently Protected Credentials - Ruby - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Ruby_Low_Visibility_Interactive_Render_Path: - categories: - - checkmarx-low-visibility - - cwe-73 - - owasp-top-10 - - boost-baseline - - ALL - description: The product allows user input to control or influence paths or file - names that are used in filesystem operations. 
- group: top10-insecure-design - name: Ruby_Low_Visibility_Interactive_Render_Path - pretty_name: Interactive Render Path - Ruby - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Ruby_Low_Visibility_Leftover_Debug_Code: - categories: - - cwe-489 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: The product is deployed to unauthorized actors with debugging code - still enabled or active, which can create unintended entry points or expose - sensitive information. - group: top10-insecure-design - name: Ruby_Low_Visibility_Leftover_Debug_Code - pretty_name: Leftover Debug Code - Ruby - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Ruby_Low_Visibility_Local_File_Inclusion: - categories: - - checkmarx-low-visibility - - owasp-top-10 - - cwe-829 - - boost-baseline - - ALL - description: The product imports, requires, or includes executable functionality - (such as a library) from a source that is outside of the intended control sphere. - group: top10-software-data-integrity-failures - name: Ruby_Low_Visibility_Local_File_Inclusion - pretty_name: Local File Inclusion - Ruby - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Ruby_Low_Visibility_Log_Forging: - categories: - - boost-baseline - - ALL - - cwe-117 - - checkmarx-low-visibility - description: The product does not neutralize or incorrectly neutralizes output - that is written to logs. 
- group: top10-security-logging-monitoring-failures - name: Ruby_Low_Visibility_Log_Forging - pretty_name: Log Forging - Ruby - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Ruby_Low_Visibility_No_Protection_From_Forgery: - categories: - - cwe-352 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - - cwe-top-25 - description: The web application does not, or can not, sufficiently verify whether - a well-formed, valid, consistent request was intentionally provided by the user - who submitted the request. - group: top10-injection - name: Ruby_Low_Visibility_No_Protection_From_Forgery - pretty_name: No Protection From Forgery - Ruby - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Ruby_Low_Visibility_No_Session_Expiration: - categories: - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - - cwe-613 - description: According to WASC, "Insufficient Session Expiration is when a web - site permits an attacker to reuse old session credentials or session IDs for - authorization." - group: top10-id-authn-failures - name: Ruby_Low_Visibility_No_Session_Expiration - pretty_name: No Session Expiration - Ruby - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Ruby_Low_Visibility_Open_Redirect: - categories: - - checkmarx-low-visibility - - cwe-601 - - owasp-top-10 - - boost-baseline - - ALL - description: A web application accepts a user-controlled input that specifies - a link to an external site, and uses that link in a Redirect. This simplifies - phishing attacks. 
- group: top10-broken-access-control - name: Ruby_Low_Visibility_Open_Redirect - pretty_name: Open Redirect - Ruby - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Ruby_Low_Visibility_Personal_Info_In_Session: - categories: - - cwe-539 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: The web application uses persistent cookies, but the cookies contain - sensitive information. - group: top10-insecure-design - name: Ruby_Low_Visibility_Personal_Info_In_Session - pretty_name: Personal Info In Session - Ruby - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Ruby_Low_Visibility_Trust_Boundary_Violation_in_Session_Variables: - categories: - - cwe-501 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: The product mixes trusted and untrusted data in the same data structure - or structured message. - group: top10-insecure-design - name: Ruby_Low_Visibility_Trust_Boundary_Violation_in_Session_Variables - pretty_name: Trust Boundary Violation in Session Variables - Ruby - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Ruby_Low_Visibility_Use_Of_Hardcoded_Password: - categories: - - ALL - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - cwe-259 - description: The product contains a hard-coded password, which it uses for its - own inbound authentication or for outbound communication to external components. 
- group: top10-id-authn-failures - name: Ruby_Low_Visibility_Use_Of_Hardcoded_Password - pretty_name: Use Of Hardcoded Password - Ruby - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Ruby_Low_Visibility_Use_Of_Sanitize_Instead_Of_h: - categories: - - cwe-116 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: The product prepares a structured message for communication with - another component, but encoding or escaping of the data is either missing or - done incorrectly. As a result, the intended structure of the message is not - preserved. - group: top10-injection - name: Ruby_Low_Visibility_Use_Of_Sanitize_Instead_Of_h - pretty_name: Use Of Sanitize Instead Of h - Ruby - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Ruby_Low_Visibility_Use_Of_raw: - categories: - - cwe-116 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: The product prepares a structured message for communication with - another component, but encoding or escaping of the data is either missing or - done incorrectly. As a result, the intended structure of the message is not - preserved. - group: top10-injection - name: Ruby_Low_Visibility_Use_Of_raw - pretty_name: Use Of raw - Ruby - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Ruby_Low_Visibility_Use_of_Broken_or_Risky_Cryptographic_Algorithm: - categories: - - cwe-327 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: The product uses a broken or risky cryptographic algorithm or protocol. 
- group: top10-crypto-failures - name: Ruby_Low_Visibility_Use_of_Broken_or_Risky_Cryptographic_Algorithm - pretty_name: Use of Broken or Risky Cryptographic Algorithm - Ruby - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Ruby_Low_Visibility_Use_of_Dangerous_Functions: - categories: - - cwe-242 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: The product calls a function that can never be guaranteed to work - safely. - group: top10-vulnerable-components - name: Ruby_Low_Visibility_Use_of_Dangerous_Functions - pretty_name: Use of Dangerous Functions - Ruby - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Ruby_Low_Visibility_XSS_Evasion_Attack: - categories: - - cwe-79 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - - cwe-top-25 - description: The product does not neutralize or incorrectly neutralizes user-controllable - input before it is placed in output that is used as a web page that is served - to other users. - group: top10-injection - name: Ruby_Low_Visibility_XSS_Evasion_Attack - pretty_name: XSS Evasion Attack - Ruby - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Ruby_Medium_Threat_CSRF: - categories: - - checkmarx-medium-threat - - cwe-352 - - owasp-top-10 - - boost-baseline - - ALL - - cwe-top-25 - description: The web application does not, or can not, sufficiently verify whether - a well-formed, valid, consistent request was intentionally provided by the user - who submitted the request. 
- group: top10-injection - name: Ruby_Medium_Threat_CSRF - pretty_name: CSRF - Ruby - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Ruby_Medium_Threat_DB_Parameter_Tampering: - categories: - - checkmarx-medium-threat - - owasp-top-10 - - cwe-284 - - boost-baseline - - ALL - description: The product does not restrict or incorrectly restricts access to - a resource from an unauthorized actor. - group: top10-broken-access-control - name: Ruby_Medium_Threat_DB_Parameter_Tampering - pretty_name: DB Parameter Tampering - Ruby - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Ruby_Medium_Threat_DB_Tampering: - categories: - - checkmarx-medium-threat - - owasp-top-10 - - cwe-20 - - boost-baseline - - ALL - - cwe-top-25 - description: The product receives input or data, but it does not validate or incorrectly - validates that the input has the properties that are required to process the - data safely and correctly. - group: top10-injection - name: Ruby_Medium_Threat_DB_Tampering - pretty_name: DB Tampering - Ruby - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Ruby_Medium_Threat_DOS_To_Symbol: - categories: - - checkmarx-medium-threat - - owasp-top-10 - - boost-baseline - - ALL - - cwe-730 - description: Relates to avenues that can cause denial of serivce. 
- group: top10-insecure-design - name: Ruby_Medium_Threat_DOS_To_Symbol - pretty_name: DOS To Symbol - Ruby - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Ruby_Medium_Threat_Dangerous_Send: - categories: - - cwe-77 - - checkmarx-medium-threat - - owasp-top-10 - - boost-baseline - - ALL - - cwe-top-25 - description: The product constructs all or part of a command using externally-influenced - input from an upstream component, but it does not neutralize or incorrectly - neutralizes special elements that could modify the intended command when it - is sent to a downstream component. - group: top10-injection - name: Ruby_Medium_Threat_Dangerous_Send - pretty_name: Dangerous Send - Ruby - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Ruby_Medium_Threat_Default_Routes: - categories: - - boost-baseline - - ALL - - checkmarx-medium-threat - - owasp-top-10 - description: The application is utilizing default routes in Ruby, which may expose - it to unwanted routes and increase the surface for potential attacks. - group: top10-insecure-design - name: Ruby_Medium_Threat_Default_Routes - pretty_name: Default Routes - Ruby - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Ruby_Medium_Threat_DoS_by_Sleep: - categories: - - checkmarx-medium-threat - - owasp-top-10 - - boost-baseline - - ALL - description: The product performs an iteration or loop without sufficiently limiting - the number of times that the loop is executed. 
- group: top10-insecure-design - name: Ruby_Medium_Threat_DoS_by_Sleep - pretty_name: DoS by Sleep - Ruby - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Ruby_Medium_Threat_Download_Arbitrary_File: - categories: - - boost-baseline - - ALL - - checkmarx-medium-threat - - owasp-top-10 - description: Involves downloading files from user-controlled sources without validating - or sanitizing their content or origin beforehand, presenting significant security - risks like malicious code execution or unauthorized data access. - group: top10-broken-access-control - name: Ruby_Medium_Threat_Download_Arbitrary_File - pretty_name: Download Arbitrary File - Ruby - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Ruby_Medium_Threat_Filtering_Sensitive_Logs: - categories: - - boost-baseline - - ALL - - checkmarx-medium-threat - - cwe-532 - description: Information written to log files can be of a sensitive nature and - give valuable guidance to an attacker or expose sensitive user information. - group: top10-security-logging-monitoring-failures - name: Ruby_Medium_Threat_Filtering_Sensitive_Logs - pretty_name: Filtering Sensitive Logs - Ruby - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Ruby_Medium_Threat_Hardcoded_Session_Secret_Token: - categories: - - checkmarx-medium-threat - - owasp-top-10 - - boost-baseline - - ALL - - cwe-top-25 - - cwe-798 - description: The product contains hard-coded credentials, such as a password or - cryptographic key, which it uses for its own inbound authentication, outbound - communication to external components, or encryption of internal data. 
- group: top10-id-authn-failures - name: Ruby_Medium_Threat_Hardcoded_Session_Secret_Token - pretty_name: Hardcoded Session Secret Token - Ruby - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Ruby_Medium_Threat_Http_Only_Set_To_False: - categories: - - checkmarx-medium-threat - - cwe-79 - - owasp-top-10 - - boost-baseline - - ALL - - cwe-top-25 - description: The product does not neutralize or incorrectly neutralizes user-controllable - input before it is placed in output that is used as a web page that is served - to other users. - group: top10-injection - name: Ruby_Medium_Threat_Http_Only_Set_To_False - pretty_name: Http Only Set To False - Ruby - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Ruby_Medium_Threat_Insecure_Randomness: - categories: - - checkmarx-medium-threat - - cwe-330 - - owasp-top-10 - - boost-baseline - - ALL - description: The product uses insufficiently random numbers or values in a security - context that depends on unpredictable numbers. - group: top10-crypto-failures - name: Ruby_Medium_Threat_Insecure_Randomness - pretty_name: Insecure Randomness - Ruby - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Ruby_Medium_Threat_Insufficient_Format_Validation: - categories: - - checkmarx-medium-threat - - cwe-625 - - owasp-top-10 - - boost-baseline - - ALL - description: The product uses a regular expression that does not sufficiently - restrict the set of allowed values. 
- group: top10-injection - name: Ruby_Medium_Threat_Insufficient_Format_Validation - pretty_name: Insufficient Format Validation - Ruby - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Ruby_Medium_Threat_Nonvalidated_File_Upload: - categories: - - checkmarx-medium-threat - - cwe-434 - - owasp-top-10 - - boost-baseline - - ALL - - cwe-top-25 - description: The product allows the attacker to upload or transfer files of dangerous - types that can be automatically processed within the product's environment. - group: top10-insecure-design - name: Ruby_Medium_Threat_Nonvalidated_File_Upload - pretty_name: Nonvalidated File Upload - Ruby - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Ruby_Medium_Threat_Parameter_Tampering: - categories: - - checkmarx-medium-threat - - owasp-top-10 - - cwe-472 - - boost-baseline - - ALL - description: The web application does not sufficiently verify inputs that are - assumed to be immutable but are actually externally controllable, such as hidden - form fields. - group: top10-insecure-design - name: Ruby_Medium_Threat_Parameter_Tampering - pretty_name: Parameter Tampering - Ruby - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Ruby_Medium_Threat_Path_Traversal: - categories: - - ALL - - checkmarx-medium-threat - - owasp-top-10 - - boost-baseline - - cwe-22 - - cwe-top-25 - description: The product uses external input to construct a pathname that is intended - to identify a file or directory that is located underneath a restricted parent - directory, but the product does not properly neutralize special elements within - the pathname that can cause the pathname to resolve to a location that is outside - of the restricted directory. 
- group: top10-broken-access-control - name: Ruby_Medium_Threat_Path_Traversal - pretty_name: Path Traversal - Ruby - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Ruby_Medium_Threat_Privacy_Violation: - categories: - - checkmarx-medium-threat - - owasp-top-10 - - boost-baseline - - ALL - - cwe-359 - description: The product does not properly prevent a person's private, personal - information from being accessed by actors who either (1) are not explicitly - authorized to access the information or (2) do not have the implicit consent - of the person about whom the information is collected. - group: top10-broken-access-control - name: Ruby_Medium_Threat_Privacy_Violation - pretty_name: Privacy Violation - Ruby - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Ruby_Medium_Threat_Privilege_Escalation: - categories: - - checkmarx-medium-threat - - owasp-top-10 - - cwe-285 - - boost-baseline - - ALL - description: The product does not perform or incorrectly performs an authorization - check when an actor attempts to access a resource or perform an action. - group: top10-broken-access-control - name: Ruby_Medium_Threat_Privilege_Escalation - pretty_name: Privilege Escalation - Ruby - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Ruby_Medium_Threat_Remote_Code_Execution: - categories: - - checkmarx-medium-threat - - cwe-94 - - owasp-top-10 - - boost-baseline - - ALL - - cwe-top-25 - description: The product constructs all or part of a code segment using externally-influenced - input from an upstream component, but it does not neutralize or incorrectly - neutralizes special elements that could modify the syntax or behavior of the - intended code segment. 
- group: top10-injection - name: Ruby_Medium_Threat_Remote_Code_Execution - pretty_name: Remote Code Execution - Ruby - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Ruby_Medium_Threat_SSL_Verification_Bypass: - categories: - - checkmarx-medium-threat - - cwe-599 - - owasp-top-10 - - boost-baseline - - ALL - description: The product uses OpenSSL and trusts or uses a certificate without - using the SSL_get_verify_result() function to ensure that the certificate satisfies - all necessary security requirements. - group: top10-software-data-integrity-failures - name: Ruby_Medium_Threat_SSL_Verification_Bypass - pretty_name: SSL Verification Bypass - Ruby - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Ruby_Medium_Threat_Short_Session_Key: - categories: - - ALL - - checkmarx-medium-threat - - owasp-top-10 - - boost-baseline - - cwe-326 - description: The product stores or transmits sensitive data using an encryption - scheme that is theoretically sound, but is not strong enough for the level of - protection required. - group: top10-crypto-failures - name: Ruby_Medium_Threat_Short_Session_Key - pretty_name: Short Session Key - Ruby - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Ruby_Medium_Threat_Stored_Code_Injection: - categories: - - checkmarx-medium-threat - - cwe-94 - - owasp-top-10 - - boost-baseline - - ALL - - cwe-top-25 - description: The product constructs all or part of a code segment using externally-influenced - input from an upstream component, but it does not neutralize or incorrectly - neutralizes special elements that could modify the syntax or behavior of the - intended code segment. 
- group: top10-injection - name: Ruby_Medium_Threat_Stored_Code_Injection - pretty_name: Stored Code Injection - Ruby - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Ruby_Medium_Threat_Unsafe_Mass_Assignment: - categories: - - checkmarx-medium-threat - - owasp-top-10 - - cwe-915 - - boost-baseline - - ALL - description: The product receives input from an upstream component that specifies - multiple attributes, properties, or fields that are to be initialized or updated - in an object, but it does not properly control which attributes can be modified. - group: top10-software-data-integrity-failures - name: Ruby_Medium_Threat_Unsafe_Mass_Assignment - pretty_name: Unsafe Mass Assignment - Ruby - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Ruby_Medium_Threat_Use_of_Hard_coded_Cryptographic_Key: - categories: - - cwe-321 - - checkmarx-medium-threat - - owasp-top-10 - - boost-baseline - - ALL - description: The use of a hard-coded cryptographic key significantly increases - the possibility that encrypted data may be recovered. - group: top10-crypto-failures - name: Ruby_Medium_Threat_Use_of_Hard_coded_Cryptographic_Key - pretty_name: Use of Hard coded Cryptographic Key - Ruby - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Ruby_Vulnerable_Outdated_Versions_Outdated_JSON_GEM_Remote_Code: - categories: - - vulnerable-and-outdated-components - - owasp-top-10 - - cwe-20 - - boost-baseline - - ALL - - cwe-top-25 - description: The product receives input or data, but it does not validate or incorrectly - validates that the input has the properties that are required to process the - data safely and correctly. 
- group: top10-injection - name: Ruby_Vulnerable_Outdated_Versions_Outdated_JSON_GEM_Remote_Code - pretty_name: Outdated JSON GEM Remote Code - Ruby - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Ruby_Vulnerable_Outdated_Versions_Outdated_JSON_Remote_Code_Execution: - categories: - - cwe-94 - - vulnerable-and-outdated-components - - owasp-top-10 - - boost-baseline - - ALL - - cwe-top-25 - description: The product constructs all or part of a code segment using externally-influenced - input from an upstream component, but it does not neutralize or incorrectly - neutralizes special elements that could modify the syntax or behavior of the - intended code segment. - group: top10-injection - name: Ruby_Vulnerable_Outdated_Versions_Outdated_JSON_Remote_Code_Execution - pretty_name: Outdated JSON Remote Code Execution - Ruby - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Ruby_Vulnerable_Outdated_Versions_Outdated_Rails_Allows_Bypass_Access_Control: - categories: - - cwe-477 - - vulnerable-and-outdated-components - - owasp-top-10 - - boost-baseline - - ALL - description: The code uses deprecated or obsolete functions, which suggests that - the code has not been actively reviewed or maintained. 
- group: top10-vulnerable-components - name: Ruby_Vulnerable_Outdated_Versions_Outdated_Rails_Allows_Bypass_Access_Control - pretty_name: Outdated Rails Allows Bypass Access Control - Ruby - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Ruby_Vulnerable_Outdated_Versions_Outdated_Rails_Allows_Cross_Site_Request_Forgery: - categories: - - cwe-352 - - vulnerable-and-outdated-components - - owasp-top-10 - - boost-baseline - - ALL - - cwe-top-25 - description: The web application does not, or can not, sufficiently verify whether - a well-formed, valid, consistent request was intentionally provided by the user - who submitted the request. - group: top10-vulnerable-components - name: Ruby_Vulnerable_Outdated_Versions_Outdated_Rails_Allows_Cross_Site_Request_Forgery - pretty_name: Outdated Rails Allows Cross Site Request Forgery - Ruby - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Ruby_Vulnerable_Outdated_Versions_Outdated_Rails_Allows_DOS_via_ActiveRecord: - categories: - - vulnerable-and-outdated-components - - owasp-top-10 - - cwe-400 - - boost-baseline - - ALL - - cwe-top-25 - description: The product does not properly control the allocation and maintenance - of a limited resource, thereby enabling an actor to influence the amount of - resources consumed, eventually leading to the exhaustion of available resources. 
- group: top10-insecure-design - name: Ruby_Vulnerable_Outdated_Versions_Outdated_Rails_Allows_DOS_via_ActiveRecord - pretty_name: Outdated Rails Allows DOS via ActiveRecord - Ruby - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Ruby_Vulnerable_Outdated_Versions_Outdated_Rails_Allows_SQL_Injection: - categories: - - vulnerable-and-outdated-components - - cwe-89 - - owasp-top-10 - - boost-baseline - - ALL - - cwe-top-25 - description: The product constructs all or part of an SQL command using externally-influenced - input from an upstream component, but it does not neutralize or incorrectly - neutralizes special elements that could modify the intended SQL command when - it is sent to a downstream component. - group: top10-injection - name: Ruby_Vulnerable_Outdated_Versions_Outdated_Rails_Allows_SQL_Injection - pretty_name: Outdated Rails Allows SQL Injection - Ruby - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Ruby_Vulnerable_Outdated_Versions_Outdated_Rails_Allows_XSS: - categories: - - vulnerable-and-outdated-components - - cwe-79 - - owasp-top-10 - - boost-baseline - - ALL - - cwe-top-25 - description: The product does not neutralize or incorrectly neutralizes user-controllable - input before it is placed in output that is used as a web page that is served - to other users. 
- group: top10-injection - name: Ruby_Vulnerable_Outdated_Versions_Outdated_Rails_Allows_XSS - pretty_name: Outdated Rails Allows XSS - Ruby - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Scala_Best_Coding_Practice_Potential_Usage_of_Vulnerable_Log4J: - categories: - - owasp-top-10 - - cwe-400 - - checkmarx-best-coding-practices - - boost-baseline - - ALL - - cwe-top-25 - description: The product does not properly control the allocation and maintenance - of a limited resource, thereby enabling an actor to influence the amount of - resources consumed, eventually leading to the exhaustion of available resources. - group: top10-insecure-design - name: Scala_Best_Coding_Practice_Potential_Usage_of_Vulnerable_Log4J - pretty_name: Potential Usage of Vulnerable Log4J - Scala - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Scala_High_Risk_Code_Injection: - categories: - - boost-hardened - - cwe-94 - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-high-risk - - cwe-top-25 - description: The product constructs all or part of a code segment using externally-influenced - input from an upstream component, but it does not neutralize or incorrectly - neutralizes special elements that could modify the syntax or behavior of the - intended code segment. 
- group: top10-injection - name: Scala_High_Risk_Code_Injection - pretty_name: Code Injection - Scala - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Scala_High_Risk_Command_Injection: - categories: - - boost-hardened - - cwe-77 - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-high-risk - - cwe-top-25 - description: The product constructs all or part of a command using externally-influenced - input from an upstream component, but it does not neutralize or incorrectly - neutralizes special elements that could modify the intended command when it - is sent to a downstream component. - group: top10-injection - name: Scala_High_Risk_Command_Injection - pretty_name: Command Injection - Scala - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Scala_High_Risk_Connection_String_Injection: - categories: - - boost-hardened - - owasp-top-10 - - cwe-99 - - boost-baseline - - ALL - - checkmarx-high-risk - description: The product receives input from an upstream component, but it does - not restrict or incorrectly restricts the input before it is used as an identifier - for a resource that may be outside the intended sphere of control. - group: top10-injection - name: Scala_High_Risk_Connection_String_Injection - pretty_name: Connection String Injection - Scala - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Scala_High_Risk_Deserialization_of_Untrusted_Data: - categories: - - boost-hardened - - boost-baseline - - owasp-top-10 - - cwe-502 - - ALL - - checkmarx-high-risk - - cwe-top-25 - description: The product deserializes untrusted data without sufficiently verifying - that the resulting data will be valid. 
- group: top10-software-data-integrity-failures - name: Scala_High_Risk_Deserialization_of_Untrusted_Data - pretty_name: Deserialization of Untrusted Data - Scala - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Scala_High_Risk_LDAP_Injection: - categories: - - boost-hardened - - cwe-90 - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-high-risk - description: The product constructs all or part of an LDAP query using externally-influenced - input from an upstream component, but it does not neutralize or incorrectly - neutralizes special elements that could modify the intended LDAP query when - it is sent to a downstream component. - group: top10-injection - name: Scala_High_Risk_LDAP_Injection - pretty_name: LDAP Injection - Scala - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Scala_High_Risk_Reflected_XSS_All_Clients: - categories: - - boost-hardened - - cwe-79 - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-high-risk - - cwe-top-25 - description: The product does not neutralize or incorrectly neutralizes user-controllable - input before it is placed in output that is used as a web page that is served - to other users. - group: top10-injection - name: Scala_High_Risk_Reflected_XSS_All_Clients - pretty_name: Reflected XSS All Clients - Scala - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Scala_High_Risk_Resource_Injection: - categories: - - boost-hardened - - owasp-top-10 - - cwe-99 - - boost-baseline - - ALL - - checkmarx-high-risk - description: The product receives input from an upstream component, but it does - not restrict or incorrectly restricts the input before it is used as an identifier - for a resource that may be outside the intended sphere of control. 
- group: top10-injection - name: Scala_High_Risk_Resource_Injection - pretty_name: Resource Injection - Scala - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Scala_High_Risk_SQL_Injection: - categories: - - boost-hardened - - cwe-89 - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-high-risk - - cwe-top-25 - description: The product constructs all or part of an SQL command using externally-influenced - input from an upstream component, but it does not neutralize or incorrectly - neutralizes special elements that could modify the intended SQL command when - it is sent to a downstream component. - group: top10-injection - name: Scala_High_Risk_SQL_Injection - pretty_name: SQL Injection - Scala - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Scala_High_Risk_Second_Order_SQL_Injection: - categories: - - boost-hardened - - cwe-89 - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-high-risk - - cwe-top-25 - description: The product constructs all or part of an SQL command using externally-influenced - input from an upstream component, but it does not neutralize or incorrectly - neutralizes special elements that could modify the intended SQL command when - it is sent to a downstream component. - group: top10-injection - name: Scala_High_Risk_Second_Order_SQL_Injection - pretty_name: Second Order SQL Injection - Scala - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Scala_High_Risk_Stored_XSS: - categories: - - boost-hardened - - cwe-79 - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-high-risk - - cwe-top-25 - description: The product does not neutralize or incorrectly neutralizes user-controllable - input before it is placed in output that is used as a web page that is served - to other users. 
- group: top10-injection - name: Scala_High_Risk_Stored_XSS - pretty_name: Stored XSS - Scala - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Scala_High_Risk_Unsafe_Reflection: - categories: - - boost-hardened - - cwe-470 - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-high-risk - description: The product uses external input with reflection to select which classes - or code to use, but it does not sufficiently prevent the input from selecting - improper classes or code. - group: top10-injection - name: Scala_High_Risk_Unsafe_Reflection - pretty_name: Unsafe Reflection - Scala - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Scala_High_Risk_XPath_Injection: - categories: - - boost-hardened - - cwe-643 - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-high-risk - description: The product uses external input to dynamically construct an XPath - expression used to retrieve data from an XML database, but it does not neutralize - or incorrectly neutralizes that input. This allows an attacker to control the - structure of the query. - group: top10-injection - name: Scala_High_Risk_XPath_Injection - pretty_name: XPath Injection - Scala - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Scala_Low_Visibility_Akka_Debug_Loglevel_Enabled: - categories: - - boost-baseline - - ALL - - checkmarx-low-visibility - - cwe-15 - description: One or more system settings or configuration elements can be externally - controlled by a user. 
- group: top10-security-misconfiguration - name: Scala_Low_Visibility_Akka_Debug_Loglevel_Enabled - pretty_name: Akka Debug Loglevel Enabled - Scala - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Scala_Low_Visibility_Akka_Disabling_Hostname_Verification: - categories: - - boost-baseline - - ALL - - checkmarx-low-visibility - - owasp-top-10 - description: Akka's host name verification is disabled, likely by setting the - 'akka.ssl-config.loose.disableHostnameVerification' configuration to true, which - makes it vulnerable to Man-In-The-Middle (MITM) attacks. - group: top10-software-data-integrity-failures - name: Scala_Low_Visibility_Akka_Disabling_Hostname_Verification - pretty_name: Akka Disabling Hostname Verification - Scala - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Scala_Low_Visibility_Akka_Encrypt_Data_Disabled: - categories: - - boost-baseline - - ALL - - checkmarx-low-visibility - - cwe-15 - description: One or more system settings or configuration elements can be externally - controlled by a user. - group: top10-security-misconfiguration - name: Scala_Low_Visibility_Akka_Encrypt_Data_Disabled - pretty_name: Akka Encrypt Data Disabled - Scala - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Scala_Low_Visibility_Akka_Missing_Max_Age: - categories: - - boost-baseline - - ALL - - checkmarx-low-visibility - - cwe-15 - description: One or more system settings or configuration elements can be externally - controlled by a user. 
- group: top10-security-misconfiguration - name: Scala_Low_Visibility_Akka_Missing_Max_Age - pretty_name: Akka Missing Max Age - Scala - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Scala_Low_Visibility_Akka_Serialize_Enabled: - categories: - - boost-baseline - - ALL - - checkmarx-low-visibility - - cwe-15 - description: One or more system settings or configuration elements can be externally - controlled by a user. - group: top10-security-misconfiguration - name: Scala_Low_Visibility_Akka_Serialize_Enabled - pretty_name: Akka Serialize Enabled - Scala - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Scala_Low_Visibility_Akka_Untrusted_Mode_Enabled: - categories: - - boost-baseline - - ALL - - checkmarx-low-visibility - - cwe-15 - description: One or more system settings or configuration elements can be externally - controlled by a user. - group: top10-security-misconfiguration - name: Scala_Low_Visibility_Akka_Untrusted_Mode_Enabled - pretty_name: Akka Untrusted Mode Enabled - Scala - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Scala_Low_Visibility_Akka_Verbose_Mode_Enabled: - categories: - - cwe-209 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: The product generates an error message that includes sensitive information - about its environment, users, or associated data. 
- group: top10-insecure-design - name: Scala_Low_Visibility_Akka_Verbose_Mode_Enabled - pretty_name: Akka Verbose Mode Enabled - Scala - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Scala_Low_Visibility_Command_Argument_Injection: - categories: - - cwe-88 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: The product constructs a string for a command to be executed by a - separate component in another control sphere, but it does not properly delimit - the intended arguments, options, or switches within that command string. - group: top10-injection - name: Scala_Low_Visibility_Command_Argument_Injection - pretty_name: Command Argument Injection - Scala - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Scala_Low_Visibility_Cross_Site_History_Manipulation: - categories: - - cwe-203 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: The product behaves differently or sends different responses under - different circumstances in a way that is observable to an unauthorized actor, - which exposes security-relevant information about the state of the product, - such as whether a particular operation was successful or not. - group: top10-software-data-integrity-failures - name: Scala_Low_Visibility_Cross_Site_History_Manipulation - pretty_name: Cross Site History Manipulation - Scala - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Scala_Low_Visibility_Deprecated_API: - categories: - - boost-baseline - - ALL - - checkmarx-low-visibility - - owasp-top-10 - description: Code in Scala utilizes deprecated API elements, indicating potential - breaking changes in future updates due to obsolete functions or methods. 
- group: top10-insecure-design - name: Scala_Low_Visibility_Deprecated_API - pretty_name: Deprecated API - Scala - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Scala_Low_Visibility_Heap_Inspection: - categories: - - cwe-244 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: Using realloc() to resize buffers that store sensitive information - can leave the sensitive information exposed to attack, because it is not removed - from memory. - group: top10-broken-access-control - name: Scala_Low_Visibility_Heap_Inspection - pretty_name: Heap Inspection - Scala - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Scala_Low_Visibility_Integer_Overflow: - categories: - - cwe-190 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - - cwe-top-25 - description: The product performs a calculation that can produce an integer overflow - or wraparound, when the logic assumes that the resulting value will always be - larger than the original value. This can introduce other weaknesses when the - calculation is used for resource management or execution control. - group: top10-injection - name: Scala_Low_Visibility_Integer_Overflow - pretty_name: Integer Overflow - Scala - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Scala_Low_Visibility_Not_Using_a_Random_IV_with_CBC_Mode: - categories: - - checkmarx-low-visibility - - owasp-top-10 - - cwe-329 - - boost-baseline - - ALL - description: The product generates and uses a predictable initialization Vector - (IV) with Cipher Block Chaining (CBC) Mode, which causes algorithms to be susceptible - to dictionary attacks when they are encrypted under the same key. 
- group: top10-crypto-failures - name: Scala_Low_Visibility_Not_Using_a_Random_IV_with_CBC_Mode - pretty_name: Not Using a Random IV with CBC Mode - Scala - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Scala_Low_Visibility_Open_Redirect: - categories: - - checkmarx-low-visibility - - cwe-601 - - owasp-top-10 - - boost-baseline - - ALL - description: A web application accepts a user-controlled input that specifies - a link to an external site, and uses that link in a Redirect. This simplifies - phishing attacks. - group: top10-broken-access-control - name: Scala_Low_Visibility_Open_Redirect - pretty_name: Open Redirect - Scala - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Scala_Low_Visibility_Overly_Permissive_Cross_Origin_Resource_Sharing_Policy: - categories: - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - - cwe-346 - description: The product does not properly verify that the source of data or communication - is valid. - group: top10-id-authn-failures - name: Scala_Low_Visibility_Overly_Permissive_Cross_Origin_Resource_Sharing_Policy - pretty_name: Overly Permissive Cross Origin Resource Sharing Policy - Scala - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Scala_Low_Visibility_Potential_Stored_XSS: - categories: - - cwe-79 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - - cwe-top-25 - description: The product does not neutralize or incorrectly neutralizes user-controllable - input before it is placed in output that is used as a web page that is served - to other users. 
- group: top10-injection - name: Scala_Low_Visibility_Potential_Stored_XSS - pretty_name: Potential Stored XSS - Scala - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Scala_Low_Visibility_Use_of_Broken_or_Risky_Cryptographic_Algorithm: - categories: - - cwe-327 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: The product uses a broken or risky cryptographic algorithm or protocol. - group: top10-crypto-failures - name: Scala_Low_Visibility_Use_of_Broken_or_Risky_Cryptographic_Algorithm - pretty_name: Use of Broken or Risky Cryptographic Algorithm - Scala - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Scala_Low_Visibility_Use_of_Hard_coded_Security_Constants: - categories: - - boost-baseline - - ALL - - cwe-547 - - checkmarx-low-visibility - description: The product uses hard-coded constants instead of symbolic names for - security-critical values, which increases the likelihood of mistakes during - code maintenance or security policy change. - group: top10-security-misconfiguration - name: Scala_Low_Visibility_Use_of_Hard_coded_Security_Constants - pretty_name: Use of Hard coded Security Constants - Scala - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Scala_Low_Visibility_Use_of_Non_Cryptographic_Random: - categories: - - cwe-330 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: The product uses insufficiently random numbers or values in a security - context that depends on unpredictable numbers. 
- group: top10-crypto-failures - name: Scala_Low_Visibility_Use_of_Non_Cryptographic_Random - pretty_name: Use of Non Cryptographic Random - Scala - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Scala_Low_Visibility_Use_of_RSA_Algorithm_without_OAEP: - categories: - - ALL - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - cwe-780 - description: The product uses the RSA algorithm but does not incorporate Optimal - Asymmetric Encryption Padding (OAEP), which might weaken the encryption. - group: top10-crypto-failures - name: Scala_Low_Visibility_Use_of_RSA_Algorithm_without_OAEP - pretty_name: Use of RSA Algorithm without OAEP - Scala - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Scala_Medium_Threat_Absolute_Path_Traversal: - categories: - - checkmarx-medium-threat - - owasp-top-10 - - cwe-36 - - boost-baseline - - ALL - description: The product uses external input to construct a pathname that should - be within a restricted directory, but it does not properly neutralize absolute - path sequences such as "/abs/path" that can resolve to a location that is outside - of that directory. - group: top10-broken-access-control - name: Scala_Medium_Threat_Absolute_Path_Traversal - pretty_name: Absolute Path Traversal - Scala - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Scala_Medium_Threat_CSRF: - categories: - - checkmarx-medium-threat - - cwe-352 - - owasp-top-10 - - boost-baseline - - ALL - - cwe-top-25 - description: The web application does not, or can not, sufficiently verify whether - a well-formed, valid, consistent request was intentionally provided by the user - who submitted the request. 
- group: top10-injection - name: Scala_Medium_Threat_CSRF - pretty_name: CSRF - Scala - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Scala_Medium_Threat_Cleartext_Submission_of_Sensitive_Information: - categories: - - checkmarx-medium-threat - - owasp-top-10 - - cwe-319 - - boost-baseline - - ALL - description: The product transmits sensitive or security-critical data in cleartext - in a communication channel that can be sniffed by unauthorized actors. - group: top10-broken-access-control - name: Scala_Medium_Threat_Cleartext_Submission_of_Sensitive_Information - pretty_name: Cleartext Submission of Sensitive Information - Scala - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Scala_Medium_Threat_DB_Parameter_Tampering: - categories: - - checkmarx-medium-threat - - owasp-top-10 - - cwe-284 - - boost-baseline - - ALL - description: The product does not restrict or incorrectly restricts access to - a resource from an unauthorized actor. - group: top10-broken-access-control - name: Scala_Medium_Threat_DB_Parameter_Tampering - pretty_name: DB Parameter Tampering - Scala - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Scala_Medium_Threat_Dangerous_File_Inclusion: - categories: - - checkmarx-medium-threat - - owasp-top-10 - - cwe-829 - - boost-baseline - - ALL - description: The product imports, requires, or includes executable functionality - (such as a library) from a source that is outside of the intended control sphere. 
- group: top10-software-data-integrity-failures - name: Scala_Medium_Threat_Dangerous_File_Inclusion - pretty_name: Dangerous File Inclusion - Scala - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Scala_Medium_Threat_DoS_by_Sleep: - categories: - - checkmarx-medium-threat - - owasp-top-10 - - boost-baseline - - ALL - description: The product performs an iteration or loop without sufficiently limiting - the number of times that the loop is executed. - group: top10-insecure-design - name: Scala_Medium_Threat_DoS_by_Sleep - pretty_name: DoS by Sleep - Scala - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Scala_Medium_Threat_External_XML_Entities_XXE: - categories: - - checkmarx-medium-threat - - cwe-611 - - boost-baseline - - ALL - - cwe-top-25 - description: The product processes an XML document that can contain XML entities - with URIs that resolve to documents outside of the intended sphere of control, - causing the product to embed incorrect documents into its output. - group: top10-security-misconfiguration - name: Scala_Medium_Threat_External_XML_Entities_XXE - pretty_name: External XML Entities XXE - Scala - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Scala_Medium_Threat_HTTP_Response_Splitting: - categories: - - checkmarx-medium-threat - - cwe-113 - - owasp-top-10 - - boost-baseline - - ALL - description: The product receives data from an HTTP agent/component (e.g., web - server, proxy, browser, etc.), but it does not neutralize or incorrectly neutralizes - CR and LF characters before the data is included in outgoing HTTP headers. 
- group: top10-injection - name: Scala_Medium_Threat_HTTP_Response_Splitting - pretty_name: HTTP Response Splitting - Scala - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Scala_Medium_Threat_Hardcoded_password_in_Connection_String: - categories: - - boost-baseline - - ALL - - cwe-547 - - checkmarx-medium-threat - description: The product uses hard-coded constants instead of symbolic names for - security-critical values, which increases the likelihood of mistakes during - code maintenance or security policy change. - group: top10-security-misconfiguration - name: Scala_Medium_Threat_Hardcoded_password_in_Connection_String - pretty_name: Hardcoded password in Connection String - Scala - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Scala_Medium_Threat_HttpOnlyCookies: - categories: - - cwe-1004 - - ALL - - boost-baseline - - checkmarx-medium-threat - description: The product uses a cookie to store sensitive information, but the - cookie is not marked with the HttpOnly flag. - group: top10-security-misconfiguration - name: Scala_Medium_Threat_HttpOnlyCookies - pretty_name: HttpOnlyCookies - Scala - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Scala_Medium_Threat_Improper_Locking: - categories: - - checkmarx-medium-threat - - cwe-667 - - owasp-top-10 - - boost-baseline - - ALL - description: The product does not properly acquire or release a lock on a resource, - leading to unexpected resource state changes and behaviors. 
- group: top10-insecure-design - name: Scala_Medium_Threat_Improper_Locking - pretty_name: Improper Locking - Scala - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Scala_Medium_Threat_Inadequate_Encryption_Strength: - categories: - - ALL - - checkmarx-medium-threat - - owasp-top-10 - - boost-baseline - - cwe-326 - description: The product stores or transmits sensitive data using an encryption - scheme that is theoretically sound, but is not strong enough for the level of - protection required. - group: top10-crypto-failures - name: Scala_Medium_Threat_Inadequate_Encryption_Strength - pretty_name: Inadequate Encryption Strength - Scala - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Scala_Medium_Threat_Missing_Secure_Flag: - categories: - - boost-baseline - - cwe-614 - - checkmarx-medium-threat - - ALL - description: The Secure attribute for sensitive cookies in HTTPS sessions is not - set, which could cause the user agent to send those cookies in plaintext over - an HTTP session. - group: top10-security-misconfiguration - name: Scala_Medium_Threat_Missing_Secure_Flag - pretty_name: Missing Secure Flag - Scala - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Scala_Medium_Threat_Multiple_Binds_to_the_Same_Port: - categories: - - checkmarx-medium-threat - - owasp-top-10 - - boost-baseline - - ALL - - cwe-605 - description: When multiple sockets are allowed to bind to the same port, other - services on that port may be stolen or spoofed. 
- group: top10-insecure-design - name: Scala_Medium_Threat_Multiple_Binds_to_the_Same_Port - pretty_name: Multiple Binds to the Same Port - Scala - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Scala_Medium_Threat_Parameter_Tampering: - categories: - - checkmarx-medium-threat - - owasp-top-10 - - cwe-472 - - boost-baseline - - ALL - description: The web application does not sufficiently verify inputs that are - assumed to be immutable but are actually externally controllable, such as hidden - form fields. - group: top10-insecure-design - name: Scala_Medium_Threat_Parameter_Tampering - pretty_name: Parameter Tampering - Scala - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Scala_Medium_Threat_Plaintext_Storage_of_a_Password: - categories: - - cwe-256 - - checkmarx-medium-threat - - owasp-top-10 - - boost-baseline - - ALL - description: Storing a password in plaintext may result in a system compromise. - group: top10-insecure-design - name: Scala_Medium_Threat_Plaintext_Storage_of_a_Password - pretty_name: Plaintext Storage of a Password - Scala - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Scala_Medium_Threat_Privacy_Violation: - categories: - - checkmarx-medium-threat - - owasp-top-10 - - boost-baseline - - ALL - - cwe-359 - description: The product does not properly prevent a person's private, personal - information from being accessed by actors who either (1) are not explicitly - authorized to access the information or (2) do not have the implicit consent - of the person about whom the information is collected. 
- group: top10-broken-access-control - name: Scala_Medium_Threat_Privacy_Violation - pretty_name: Privacy Violation - Scala - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Scala_Medium_Threat_ReDoS_From_Regex_Injection: - categories: - - checkmarx-medium-threat - - owasp-top-10 - - cwe-400 - - boost-baseline - - ALL - - cwe-top-25 - description: The product does not properly control the allocation and maintenance - of a limited resource, thereby enabling an actor to influence the amount of - resources consumed, eventually leading to the exhaustion of available resources. - group: top10-insecure-design - name: Scala_Medium_Threat_ReDoS_From_Regex_Injection - pretty_name: ReDoS From Regex Injection - Scala - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Scala_Medium_Threat_ReDoS_In_Match: - categories: - - checkmarx-medium-threat - - owasp-top-10 - - cwe-400 - - boost-baseline - - ALL - - cwe-top-25 - description: The product does not properly control the allocation and maintenance - of a limited resource, thereby enabling an actor to influence the amount of - resources consumed, eventually leading to the exhaustion of available resources. - group: top10-insecure-design - name: Scala_Medium_Threat_ReDoS_In_Match - pretty_name: ReDoS In Match - Scala - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Scala_Medium_Threat_ReDoS_In_Pattern: - categories: - - checkmarx-medium-threat - - owasp-top-10 - - cwe-400 - - boost-baseline - - ALL - - cwe-top-25 - description: The product does not properly control the allocation and maintenance - of a limited resource, thereby enabling an actor to influence the amount of - resources consumed, eventually leading to the exhaustion of available resources. 
- group: top10-insecure-design - name: Scala_Medium_Threat_ReDoS_In_Pattern - pretty_name: ReDoS In Pattern - Scala - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Scala_Medium_Threat_ReDoS_In_Replace: - categories: - - checkmarx-medium-threat - - owasp-top-10 - - cwe-400 - - boost-baseline - - ALL - - cwe-top-25 - description: The product does not properly control the allocation and maintenance - of a limited resource, thereby enabling an actor to influence the amount of - resources consumed, eventually leading to the exhaustion of available resources. - group: top10-insecure-design - name: Scala_Medium_Threat_ReDoS_In_Replace - pretty_name: ReDoS In Replace - Scala - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Scala_Medium_Threat_Relative_Path_Traversal: - categories: - - checkmarx-medium-threat - - owasp-top-10 - - cwe-36 - - boost-baseline - - ALL - description: The product uses external input to construct a pathname that should - be within a restricted directory, but it does not properly neutralize absolute - path sequences such as "/abs/path" that can resolve to a location that is outside - of that directory. - group: top10-broken-access-control - name: Scala_Medium_Threat_Relative_Path_Traversal - pretty_name: Relative Path Traversal - Scala - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Scala_Medium_Threat_SQL_Injection_Evasion_Attack: - categories: - - checkmarx-medium-threat - - cwe-89 - - owasp-top-10 - - boost-baseline - - ALL - - cwe-top-25 - description: The product constructs all or part of an SQL command using externally-influenced - input from an upstream component, but it does not neutralize or incorrectly - neutralizes special elements that could modify the intended SQL command when - it is sent to a downstream component. 
- group: top10-injection - name: Scala_Medium_Threat_SQL_Injection_Evasion_Attack - pretty_name: SQL Injection Evasion Attack - Scala - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Scala_Medium_Threat_SSL_Verification_Bypass: - categories: - - checkmarx-medium-threat - - cwe-599 - - owasp-top-10 - - boost-baseline - - ALL - description: The product uses OpenSSL and trusts or uses a certificate without - using the SSL_get_verify_result() function to ensure that the certificate satisfies - all necessary security requirements. - group: top10-software-data-integrity-failures - name: Scala_Medium_Threat_SSL_Verification_Bypass - pretty_name: SSL Verification Bypass - Scala - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Scala_Medium_Threat_SSRF: - categories: - - checkmarx-medium-threat - - cwe-918 - - owasp-top-10 - - boost-baseline - - ALL - - cwe-top-25 - description: The web server receives a URL or similar request from an upstream - component and retrieves the contents of this URL, but it does not sufficiently - ensure that the request is being sent to the expected destination. - group: top10-server-side-request-forgery - name: Scala_Medium_Threat_SSRF - pretty_name: SSRF - Scala - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Scala_Medium_Threat_Same_Seed_in_PRNG: - categories: - - boost-baseline - - checkmarx-medium-threat - - owasp-top-10 - - cwe-336 - - ALL - description: A Pseudo-Random Number Generator (PRNG) uses the same seed each time - the product is initialized. 
- group: top10-crypto-failures - name: Scala_Medium_Threat_Same_Seed_in_PRNG - pretty_name: Same Seed in PRNG - Scala - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Scala_Medium_Threat_Session_Fixation: - categories: - - checkmarx-medium-threat - - owasp-top-10 - - boost-baseline - - ALL - - cwe-384 - description: Authenticating a user, or otherwise establishing a new user session, - without invalidating any existing session identifier gives an attacker the opportunity - to steal authenticated sessions. - group: top10-id-authn-failures - name: Scala_Medium_Threat_Session_Fixation - pretty_name: Session Fixation - Scala - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Scala_Medium_Threat_Stored_External_XML_Entities_XXE: - categories: - - checkmarx-medium-threat - - cwe-611 - - boost-baseline - - ALL - - cwe-top-25 - description: The product processes an XML document that can contain XML entities - with URIs that resolve to documents outside of the intended sphere of control, - causing the product to embed incorrect documents into its output. - group: top10-security-misconfiguration - name: Scala_Medium_Threat_Stored_External_XML_Entities_XXE - pretty_name: Stored External XML Entities XXE - Scala - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Scala_Medium_Threat_Stored_LDAP_Injection: - categories: - - checkmarx-medium-threat - - cwe-90 - - owasp-top-10 - - boost-baseline - - ALL - description: The product constructs all or part of an LDAP query using externally-influenced - input from an upstream component, but it does not neutralize or incorrectly - neutralizes special elements that could modify the intended LDAP query when - it is sent to a downstream component. 
- group: top10-injection - name: Scala_Medium_Threat_Stored_LDAP_Injection - pretty_name: Stored LDAP Injection - Scala - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Scala_Medium_Threat_Use_of_Cryptographically_Weak_PRNG: - categories: - - checkmarx-medium-threat - - cwe-338 - - owasp-top-10 - - boost-baseline - - ALL - description: The product uses a Pseudo-Random Number Generator (PRNG) in a security - context, but the PRNG's algorithm is not cryptographically strong. - group: top10-crypto-failures - name: Scala_Medium_Threat_Use_of_Cryptographically_Weak_PRNG - pretty_name: Use of Cryptographically Weak PRNG - Scala - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Scala_Medium_Threat_Use_of_Hard_coded_Cryptographic_Key: - categories: - - cwe-321 - - checkmarx-medium-threat - - owasp-top-10 - - boost-baseline - - ALL - description: The use of a hard-coded cryptographic key significantly increases - the possibility that encrypted data may be recovered. - group: top10-crypto-failures - name: Scala_Medium_Threat_Use_of_Hard_coded_Cryptographic_Key - pretty_name: Use of Hard coded Cryptographic Key - Scala - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Scala_Medium_Threat_Use_of_a_One_Way_Hash_with_a_Predictable_Salt: - categories: - - checkmarx-medium-threat - - owasp-top-10 - - cwe-760 - - boost-baseline - - ALL - description: The product uses a one-way cryptographic hash against an input that - should not be reversible, such as a password, but the product uses a predictable - salt as part of the input. 
- group: top10-crypto-failures - name: Scala_Medium_Threat_Use_of_a_One_Way_Hash_with_a_Predictable_Salt - pretty_name: Use of a One Way Hash with a Predictable Salt - Scala - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Scala_Medium_Threat_Use_of_a_One_Way_Hash_without_a_Salt: - categories: - - checkmarx-medium-threat - - cwe-759 - - owasp-top-10 - - boost-baseline - - ALL - description: The product uses a one-way cryptographic hash against an input that - should not be reversible, such as a password, but the product does not also - use a salt as part of the input. - group: top10-crypto-failures - name: Scala_Medium_Threat_Use_of_a_One_Way_Hash_without_a_Salt - pretty_name: Use of a One Way Hash without a Salt - Scala - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Scala_Medium_Threat_XQuery_Injection: - categories: - - boost-baseline - - checkmarx-medium-threat - - owasp-top-10 - - cwe-652 - - ALL - description: The product uses external input to dynamically construct an XQuery - expression used to retrieve data from an XML database, but it does not neutralize - or incorrectly neutralizes that input. This allows an attacker to control the - structure of the query. - group: top10-injection - name: Scala_Medium_Threat_XQuery_Injection - pretty_name: XQuery Injection - Scala - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Scala_Stored_Stored_Code_Injection: - categories: - - cwe-94 - - checkmarx-stored - - owasp-top-10 - - boost-baseline - - ALL - - cwe-top-25 - description: The product constructs all or part of a code segment using externally-influenced - input from an upstream component, but it does not neutralize or incorrectly - neutralizes special elements that could modify the syntax or behavior of the - intended code segment. 
- group: top10-injection - name: Scala_Stored_Stored_Code_Injection - pretty_name: Stored Code Injection - Scala - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Scala_Stored_Stored_HTTP_Response_Splitting: - categories: - - cwe-113 - - owasp-top-10 - - checkmarx-stored - - boost-baseline - - ALL - description: The product receives data from an HTTP agent/component (e.g., web - server, proxy, browser, etc.), but it does not neutralize or incorrectly neutralizes - CR and LF characters before the data is included in outgoing HTTP headers. - group: top10-injection - name: Scala_Stored_Stored_HTTP_Response_Splitting - pretty_name: Stored HTTP Response Splitting - Scala - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Scala_Stored_Stored_Open_Redirect: - categories: - - cwe-601 - - owasp-top-10 - - checkmarx-stored - - boost-baseline - - ALL - description: A web application accepts a user-controlled input that specifies - a link to an external site, and uses that link in a Redirect. This simplifies - phishing attacks. - group: top10-broken-access-control - name: Scala_Stored_Stored_Open_Redirect - pretty_name: Stored Open Redirect - Scala - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Scala_Stored_Stored_XPath_Injection: - categories: - - cwe-643 - - owasp-top-10 - - checkmarx-stored - - boost-baseline - - ALL - description: The product uses external input to dynamically construct an XPath - expression used to retrieve data from an XML database, but it does not neutralize - or incorrectly neutralizes that input. This allows an attacker to control the - structure of the query. 
- group: top10-injection - name: Scala_Stored_Stored_XPath_Injection - pretty_name: Stored XPath Injection - Scala - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Swift_Best_Coding_Practices_Dynamic_SQL_Queries: - categories: - - cwe-89 - - owasp-top-10 - - checkmarx-best-coding-practices - - boost-baseline - - ALL - - cwe-top-25 - description: The product constructs all or part of an SQL command using externally-influenced - input from an upstream component, but it does not neutralize or incorrectly - neutralizes special elements that could modify the intended SQL command when - it is sent to a downstream component. - group: top10-injection - name: Swift_Best_Coding_Practices_Dynamic_SQL_Queries - pretty_name: Dynamic SQL Queries - Swift - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Swift_Best_Coding_Practices_Empty_Methods: - categories: - - boost-baseline - - ALL - - checkmarx-best-coding-practices - - owasp-top-10 - description: Identifies and flags methods in Swift code that are empty, which - may indicate overlooked or incomplete implementation. - group: top10-insecure-design - name: Swift_Best_Coding_Practices_Empty_Methods - pretty_name: Empty Methods - Swift - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Swift_Best_Coding_Practices_Third_Party_Keyboard_Enabled: - categories: - - owasp-top-10 - - cwe-829 - - checkmarx-best-coding-practices - - boost-baseline - - ALL - description: The product imports, requires, or includes executable functionality - (such as a library) from a source that is outside of the intended control sphere. 
- group: top10-software-data-integrity-failures - name: Swift_Best_Coding_Practices_Third_Party_Keyboard_Enabled - pretty_name: Third Party Keyboard Enabled - Swift - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Swift_High_Risk_Information_Exposure_Through_Extension: - categories: - - boost-hardened - - owasp-top-10 - - boost-baseline - - ALL - - cwe-200 - - checkmarx-high-risk - description: The product exposes sensitive information to an actor that is not - explicitly authorized to have access to that information. - group: top10-broken-access-control - name: Swift_High_Risk_Information_Exposure_Through_Extension - pretty_name: Information Exposure Through Extension - Swift - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Swift_High_Risk_Resource_Updated_By_URL_Data: - categories: - - boost-hardened - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-high-risk - description: The product uses a handler for a custom URL scheme, but it does not - properly restrict which actors can invoke the handler using the scheme. - group: top10-software-data-integrity-failures - name: Swift_High_Risk_Resource_Updated_By_URL_Data - pretty_name: Resource Updated By URL Data - Swift - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Swift_High_Risk_Sensitive_Information_over_HTTP: - categories: - - boost-hardened - - owasp-top-10 - - cwe-319 - - boost-baseline - - ALL - - checkmarx-high-risk - description: The product transmits sensitive or security-critical data in cleartext - in a communication channel that can be sniffed by unauthorized actors. 
- group: top10-broken-access-control - name: Swift_High_Risk_Sensitive_Information_over_HTTP - pretty_name: Sensitive Information over HTTP - Swift - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Swift_High_Risk_Third_Party_Keyboards_On_Sensitive_Field: - categories: - - boost-hardened - - owasp-top-10 - - cwe-829 - - boost-baseline - - ALL - - checkmarx-high-risk - description: The product imports, requires, or includes executable functionality - (such as a library) from a source that is outside of the intended control sphere. - group: top10-software-data-integrity-failures - name: Swift_High_Risk_Third_Party_Keyboards_On_Sensitive_Field - pretty_name: Third Party Keyboards On Sensitive Field - Swift - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Swift_High_Risk_URL_Scheme_Hijacking: - categories: - - boost-hardened - - owasp-top-10 - - cwe-319 - - boost-baseline - - ALL - - checkmarx-high-risk - description: The product transmits sensitive or security-critical data in cleartext - in a communication channel that can be sniffed by unauthorized actors. - group: top10-injection - name: Swift_High_Risk_URL_Scheme_Hijacking - pretty_name: URL Scheme Hijacking - Swift - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Swift_High_Risk_Unencrypted_Sensitive_Information_in_Publicly_Accessible_iCloud_Storage: - categories: - - boost-hardened - - cwe-312 - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-high-risk - description: The product stores sensitive information in cleartext within a resource - that might be accessible to another control sphere. 
- group: top10-insecure-design - name: Swift_High_Risk_Unencrypted_Sensitive_Information_in_Publicly_Accessible_iCloud_Storage - pretty_name: Unencrypted Sensitive Information in Publicly Accessible iCloud Storage - - Swift - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Swift_High_Risk_Unsafe_Reflection: - categories: - - boost-hardened - - cwe-470 - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-high-risk - description: The product uses external input with reflection to select which classes - or code to use, but it does not sufficiently prevent the input from selecting - improper classes or code. - group: top10-injection - name: Swift_High_Risk_Unsafe_Reflection - pretty_name: Unsafe Reflection - Swift - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Swift_Low_Visibility_Allowed_Backup: - categories: - - cwe-530 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: A backup file is stored in a directory or archive that is made accessible - to unauthorized actors. - group: top10-broken-access-control - name: Swift_Low_Visibility_Allowed_Backup - pretty_name: Allowed Backup - Swift - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Swift_Low_Visibility_App_Transport_Security_Bypass: - categories: - - checkmarx-low-visibility - - owasp-top-10 - - cwe-319 - - boost-baseline - - ALL - description: The product transmits sensitive or security-critical data in cleartext - in a communication channel that can be sniffed by unauthorized actors. 
- group: top10-security-misconfiguration - name: Swift_Low_Visibility_App_Transport_Security_Bypass - pretty_name: App Transport Security Bypass - Swift - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Swift_Low_Visibility_Encrypted_Sensitive_Information_in_Publicly_Accessible_iCloud_Storage: - categories: - - cwe-922 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: The product stores sensitive information without properly limiting - read or write access by unauthorized actors. - group: top10-broken-access-control - name: Swift_Low_Visibility_Encrypted_Sensitive_Information_in_Publicly_Accessible_iCloud_Storage - pretty_name: Encrypted Sensitive Information in Publicly Accessible iCloud Storage - - Swift - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Swift_Low_Visibility_Functions_Apple_Recommends_To_Avoid: - categories: - - cwe-477 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: The code uses deprecated or obsolete functions, which suggests that - the code has not been actively reviewed or maintained. - group: top10-vulnerable-components - name: Swift_Low_Visibility_Functions_Apple_Recommends_To_Avoid - pretty_name: Functions Apple Recommends To Avoid - Swift - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Swift_Low_Visibility_Heap_Inspection: - categories: - - cwe-244 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: Using realloc() to resize buffers that store sensitive information - can leave the sensitive information exposed to attack, because it is not removed - from memory. 
- group: top10-broken-access-control - name: Swift_Low_Visibility_Heap_Inspection - pretty_name: Heap Inspection - Swift - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Swift_Low_Visibility_Information_Leak_Through_Response_Caching: - categories: - - checkmarx-low-visibility - - owasp-top-10 - - cwe-524 - - boost-baseline - - ALL - description: The code uses a cache that contains sensitive information, but the - cache can be read by an actor outside of the intended control sphere. - group: top10-broken-access-control - name: Swift_Low_Visibility_Information_Leak_Through_Response_Caching - pretty_name: Information Leak Through Response Caching - Swift - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Swift_Low_Visibility_Insufficient_Encryption_Key_Size: - categories: - - ALL - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - cwe-326 - description: The product stores or transmits sensitive data using an encryption - scheme that is theoretically sound, but is not strong enough for the level of - protection required. - group: top10-crypto-failures - name: Swift_Low_Visibility_Insufficient_Encryption_Key_Size - pretty_name: Insufficient Encryption Key Size - Swift - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Swift_Low_Visibility_Missing_Certificate_Pinning: - categories: - - checkmarx-low-visibility - - owasp-top-10 - - cwe-295 - - boost-baseline - - ALL - description: The product does not validate, or incorrectly validates, a certificate. 
- group: top10-id-authn-failures - name: Swift_Low_Visibility_Missing_Certificate_Pinning - pretty_name: Missing Certificate Pinning - Swift - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Swift_Low_Visibility_Missing_Device_Lock_Verification: - categories: - - checkmarx-low-visibility - - owasp-top-10 - - cwe-829 - - boost-baseline - - ALL - description: The product imports, requires, or includes executable functionality - (such as a library) from a source that is outside of the intended control sphere. - group: top10-software-data-integrity-failures - name: Swift_Low_Visibility_Missing_Device_Lock_Verification - pretty_name: Missing Device Lock Verification - Swift - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Swift_Low_Visibility_Missing_Jailbreak_Check: - categories: - - cwe-693 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: The product does not use or incorrectly uses a protection mechanism - that provides sufficient defense against directed attacks against the product. - group: top10-insecure-design - name: Swift_Low_Visibility_Missing_Jailbreak_Check - pretty_name: Missing Jailbreak Check - Swift - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Swift_Low_Visibility_Null_Password: - categories: - - cwe-252 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: The product does not check the return value from a method or function, - which can prevent it from detecting unexpected states and conditions. 
- group: top10-insecure-design - name: Swift_Low_Visibility_Null_Password - pretty_name: Null Password - Swift - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Swift_Low_Visibility_Parameter_Tampering: - categories: - - checkmarx-low-visibility - - owasp-top-10 - - cwe-472 - - boost-baseline - - ALL - description: The web application does not sufficiently verify inputs that are - assumed to be immutable but are actually externally controllable, such as hidden - form fields. - group: top10-insecure-design - name: Swift_Low_Visibility_Parameter_Tampering - pretty_name: Parameter Tampering - Swift - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Swift_Low_Visibility_Password_In_Comment: - categories: - - cwe-615 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: 'While adding general comments is very useful, some programmers tend - to leave important data, such as: filenames related to the web application, - old links or links which were not meant to be browsed by users, old code fragments, - etc.' - group: top10-id-authn-failures - name: Swift_Low_Visibility_Password_In_Comment - pretty_name: Password In Comment - Swift - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Swift_Low_Visibility_Private_Storage_SQL_Injection: - categories: - - checkmarx-low-visibility - - cwe-89 - - owasp-top-10 - - boost-baseline - - ALL - - cwe-top-25 - description: The product constructs all or part of an SQL command using externally-influenced - input from an upstream component, but it does not neutralize or incorrectly - neutralizes special elements that could modify the intended SQL command when - it is sent to a downstream component. 
- group: top10-injection - name: Swift_Low_Visibility_Private_Storage_SQL_Injection - pretty_name: Private Storage SQL Injection - Swift - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Swift_Low_Visibility_Private_Storage_WebView_JavaScript_Injection: - categories: - - cwe-79 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - - cwe-top-25 - description: The product does not neutralize or incorrectly neutralizes user-controllable - input before it is placed in output that is used as a web page that is served - to other users. - group: top10-injection - name: Swift_Low_Visibility_Private_Storage_WebView_JavaScript_Injection - pretty_name: Private Storage WebView JavaScript Injection - Swift - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Swift_Low_Visibility_Secret_Stored_Outside_of_Keychain: - categories: - - cwe-312 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: The product stores sensitive information in cleartext within a resource - that might be accessible to another control sphere. - group: top10-insecure-design - name: Swift_Low_Visibility_Secret_Stored_Outside_of_Keychain - pretty_name: Secret Stored Outside of Keychain - Swift - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Swift_Low_Visibility_Self_SQL_Injection: - categories: - - checkmarx-low-visibility - - cwe-89 - - owasp-top-10 - - boost-baseline - - ALL - - cwe-top-25 - description: The product constructs all or part of an SQL command using externally-influenced - input from an upstream component, but it does not neutralize or incorrectly - neutralizes special elements that could modify the intended SQL command when - it is sent to a downstream component. 
- group: top10-injection - name: Swift_Low_Visibility_Self_SQL_Injection - pretty_name: Self SQL Injection - Swift - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Swift_Low_Visibility_Self_WebView_JavaScript_Injection: - categories: - - cwe-79 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - - cwe-top-25 - description: The product does not neutralize or incorrectly neutralizes user-controllable - input before it is placed in output that is used as a web page that is served - to other users. - group: top10-injection - name: Swift_Low_Visibility_Self_WebView_JavaScript_Injection - pretty_name: Self WebView JavaScript Injection - Swift - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Swift_Low_Visibility_Unencrypted_Sensitive_Information_in_Internal_Storage: - categories: - - cwe-312 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: The product stores sensitive information in cleartext within a resource - that might be accessible to another control sphere. - group: top10-insecure-design - name: Swift_Low_Visibility_Unencrypted_Sensitive_Information_in_Internal_Storage - pretty_name: Unencrypted Sensitive Information in Internal Storage - Swift - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Swift_Low_Visibility_Use_of_Broken_or_Risky_Cryptographic_Algorithm: - categories: - - cwe-327 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: The product uses a broken or risky cryptographic algorithm or protocol. 
- group: top10-crypto-failures - name: Swift_Low_Visibility_Use_of_Broken_or_Risky_Cryptographic_Algorithm - pretty_name: Use of Broken or Risky Cryptographic Algorithm - Swift - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Swift_Low_Visibility_Use_of_Hardcoded_Cryptographic_Key: - categories: - - cwe-321 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: The use of a hard-coded cryptographic key significantly increases - the possibility that encrypted data may be recovered. - group: top10-crypto-failures - name: Swift_Low_Visibility_Use_of_Hardcoded_Cryptographic_Key - pretty_name: Use of Hardcoded Cryptographic Key - Swift - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Swift_Low_Visibility_Use_of_Hardcoded_Password: - categories: - - ALL - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - cwe-259 - description: The product contains a hard-coded password, which it uses for its - own inbound authentication or for outbound communication to external components. - group: top10-id-authn-failures - name: Swift_Low_Visibility_Use_of_Hardcoded_Password - pretty_name: Use of Hardcoded Password - Swift - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Swift_Low_Visibility_Use_of_Insufficiently_Random_Values: - categories: - - cwe-330 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: The product uses insufficiently random numbers or values in a security - context that depends on unpredictable numbers. 
- group: top10-crypto-failures - name: Swift_Low_Visibility_Use_of_Insufficiently_Random_Values - pretty_name: Use of Insufficiently Random Values - Swift - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Swift_Low_Visibility_User_Information_in_Publicly_Accessible_iCloud_Storage: - categories: - - cwe-312 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: The product stores sensitive information in cleartext within a resource - that might be accessible to another control sphere. - group: top10-insecure-design - name: Swift_Low_Visibility_User_Information_in_Publicly_Accessible_iCloud_Storage - pretty_name: User Information in Publicly Accessible iCloud Storage - Swift - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Swift_Medium_Threat_Autocorrection_Keystroke_Logging: - categories: - - checkmarx-medium-threat - - owasp-top-10 - - boost-baseline - - ALL - - cwe-359 - description: The product does not properly prevent a person's private, personal - information from being accessed by actors who either (1) are not explicitly - authorized to access the information or (2) do not have the implicit consent - of the person about whom the information is collected. - group: top10-broken-access-control - name: Swift_Medium_Threat_Autocorrection_Keystroke_Logging - pretty_name: Autocorrection Keystroke Logging - Swift - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Swift_Medium_Threat_Communication_over_HTTP: - categories: - - checkmarx-medium-threat - - owasp-top-10 - - cwe-319 - - boost-baseline - - ALL - description: The product transmits sensitive or security-critical data in cleartext - in a communication channel that can be sniffed by unauthorized actors. 
- group: top10-crypto-failures - name: Swift_Medium_Threat_Communication_over_HTTP - pretty_name: Communication over HTTP - Swift - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Swift_Medium_Threat_Format_String_Attack: - categories: - - checkmarx-medium-threat - - cwe-134 - - owasp-top-10 - - boost-baseline - - ALL - description: The product uses a function that accepts a format string as an argument, - but the format string originates from an external source. - group: top10-injection - name: Swift_Medium_Threat_Format_String_Attack - pretty_name: Format String Attack - Swift - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Swift_Medium_Threat_Improper_Certificate_Validation: - categories: - - checkmarx-medium-threat - - owasp-top-10 - - cwe-295 - - boost-baseline - - ALL - description: The product does not validate, or incorrectly validates, a certificate. - group: top10-id-authn-failures - name: Swift_Medium_Threat_Improper_Certificate_Validation - pretty_name: Improper Certificate Validation - Swift - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Swift_Medium_Threat_Information_Exposure_Through_Query_String: - categories: - - checkmarx-medium-threat - - owasp-top-10 - - cwe-598 - - boost-baseline - - ALL - description: The web application uses the HTTP GET method to process a request - and includes sensitive information in the query string of that request. 
- group: top10-insecure-design - name: Swift_Medium_Threat_Information_Exposure_Through_Query_String - pretty_name: Information Exposure Through Query String - Swift - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Swift_Medium_Threat_Pasteboard_Leakage: - categories: - - checkmarx-medium-threat - - owasp-top-10 - - boost-baseline - - ALL - - cwe-200 - description: The product exposes sensitive information to an actor that is not - explicitly authorized to have access to that information. - group: top10-broken-access-control - name: Swift_Medium_Threat_Pasteboard_Leakage - pretty_name: Pasteboard Leakage - Swift - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Swift_Medium_Threat_Path_Traversal: - categories: - - ALL - - checkmarx-medium-threat - - owasp-top-10 - - boost-baseline - - cwe-22 - - cwe-top-25 - description: The product uses external input to construct a pathname that is intended - to identify a file or directory that is located underneath a restricted parent - directory, but the product does not properly neutralize special elements within - the pathname that can cause the pathname to resolve to a location that is outside - of the restricted directory. - group: top10-broken-access-control - name: Swift_Medium_Threat_Path_Traversal - pretty_name: Path Traversal - Swift - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Swift_Medium_Threat_Public_Storage_SQL_Injection: - categories: - - checkmarx-medium-threat - - cwe-89 - - owasp-top-10 - - boost-baseline - - ALL - - cwe-top-25 - description: The product constructs all or part of an SQL command using externally-influenced - input from an upstream component, but it does not neutralize or incorrectly - neutralizes special elements that could modify the intended SQL command when - it is sent to a downstream component. 
- group: top10-injection - name: Swift_Medium_Threat_Public_Storage_SQL_Injection - pretty_name: Public Storage SQL Injection - Swift - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Swift_Medium_Threat_Public_Storage_WebView_JavaScript_Injection: - categories: - - checkmarx-medium-threat - - cwe-79 - - owasp-top-10 - - boost-baseline - - ALL - - cwe-top-25 - description: The product does not neutralize or incorrectly neutralizes user-controllable - input before it is placed in output that is used as a web page that is served - to other users. - group: top10-injection - name: Swift_Medium_Threat_Public_Storage_WebView_JavaScript_Injection - pretty_name: Public Storage WebView JavaScript Injection - Swift - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Swift_Medium_Threat_ReDoS: - categories: - - checkmarx-medium-threat - - owasp-top-10 - - boost-baseline - - ALL - - cwe-1333 - description: The product uses a regular expression with an inefficient, possibly - exponential worst-case computational complexity that consumes excessive CPU - cycles. - group: top10-insecure-design - name: Swift_Medium_Threat_ReDoS - pretty_name: ReDoS - Swift - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Swift_Medium_Threat_SQL_Injection_From_URL_Scheme: - categories: - - checkmarx-medium-threat - - cwe-89 - - owasp-top-10 - - boost-baseline - - ALL - - cwe-top-25 - description: The product constructs all or part of an SQL command using externally-influenced - input from an upstream component, but it does not neutralize or incorrectly - neutralizes special elements that could modify the intended SQL command when - it is sent to a downstream component. 
- group: top10-injection - name: Swift_Medium_Threat_SQL_Injection_From_URL_Scheme - pretty_name: SQL Injection From URL Scheme - Swift - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Swift_Medium_Threat_Screen_Caching: - categories: - - checkmarx-medium-threat - - owasp-top-10 - - cwe-524 - - boost-baseline - - ALL - description: The code uses a cache that contains sensitive information, but the - cache can be read by an actor outside of the intended control sphere. - group: top10-broken-access-control - name: Swift_Medium_Threat_Screen_Caching - pretty_name: Screen Caching - Swift - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Swift_Medium_Threat_Unencrypted_Sensitive_Information_in_External_Storage: - categories: - - checkmarx-medium-threat - - cwe-312 - - owasp-top-10 - - boost-baseline - - ALL - description: The product stores sensitive information in cleartext within a resource - that might be accessible to another control sphere. - group: top10-insecure-design - name: Swift_Medium_Threat_Unencrypted_Sensitive_Information_in_External_Storage - pretty_name: Unencrypted Sensitive Information in External Storage - Swift - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Swift_Medium_Threat_WebView_JavaScript_Injection_From_URL_Scheme: - categories: - - checkmarx-medium-threat - - cwe-79 - - owasp-top-10 - - boost-baseline - - ALL - - cwe-top-25 - description: The product does not neutralize or incorrectly neutralizes user-controllable - input before it is placed in output that is used as a web page that is served - to other users. 
- group: top10-injection - name: Swift_Medium_Threat_WebView_JavaScript_Injection_From_URL_Scheme - pretty_name: WebView JavaScript Injection From URL Scheme - Swift - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - Swift_Medium_Threat_XML_External_Entity: - categories: - - checkmarx-medium-threat - - cwe-611 - - boost-baseline - - ALL - - cwe-top-25 - description: The product processes an XML document that can contain XML entities - with URIs that resolve to documents outside of the intended sphere of control, - causing the product to embed incorrect documents into its output. - group: top10-security-misconfiguration - name: Swift_Medium_Threat_XML_External_Entity - pretty_name: XML External Entity - Swift - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - VB6_Heuristic_Heuristic_Parameter_Tampering: - categories: - - checkmarx-heuristic - - owasp-top-10 - - cwe-472 - - boost-baseline - - ALL - description: The web application does not sufficiently verify inputs that are - assumed to be immutable but are actually externally controllable, such as hidden - form fields. - group: top10-insecure-design - name: VB6_Heuristic_Heuristic_Parameter_Tampering - pretty_name: Heuristic Parameter Tampering - VB6 - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - VB6_Heuristic_Heuristic_SQL_Injection: - categories: - - checkmarx-heuristic - - cwe-89 - - owasp-top-10 - - boost-baseline - - ALL - - cwe-top-25 - description: The product constructs all or part of an SQL command using externally-influenced - input from an upstream component, but it does not neutralize or incorrectly - neutralizes special elements that could modify the intended SQL command when - it is sent to a downstream component. 
- group: top10-injection - name: VB6_Heuristic_Heuristic_SQL_Injection - pretty_name: Heuristic SQL Injection - VB6 - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - VB6_High_Risk_Code_Injection: - categories: - - boost-hardened - - cwe-94 - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-high-risk - - cwe-top-25 - description: The product constructs all or part of a code segment using externally-influenced - input from an upstream component, but it does not neutralize or incorrectly - neutralizes special elements that could modify the syntax or behavior of the - intended code segment. - group: top10-injection - name: VB6_High_Risk_Code_Injection - pretty_name: Code Injection - VB6 - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - VB6_High_Risk_Command_Injection: - categories: - - boost-hardened - - cwe-77 - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-high-risk - - cwe-top-25 - description: The product constructs all or part of a command using externally-influenced - input from an upstream component, but it does not neutralize or incorrectly - neutralizes special elements that could modify the intended command when it - is sent to a downstream component. - group: top10-injection - name: VB6_High_Risk_Command_Injection - pretty_name: Command Injection - VB6 - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - VB6_High_Risk_Connection_String_Injection: - categories: - - boost-hardened - - owasp-top-10 - - cwe-99 - - boost-baseline - - ALL - - checkmarx-high-risk - description: The product receives input from an upstream component, but it does - not restrict or incorrectly restricts the input before it is used as an identifier - for a resource that may be outside the intended sphere of control. 
- group: top10-injection - name: VB6_High_Risk_Connection_String_Injection - pretty_name: Connection String Injection - VB6 - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - VB6_High_Risk_SQL_Injection: - categories: - - boost-hardened - - cwe-89 - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-high-risk - - cwe-top-25 - description: The product constructs all or part of an SQL command using externally-influenced - input from an upstream component, but it does not neutralize or incorrectly - neutralizes special elements that could modify the intended SQL command when - it is sent to a downstream component. - group: top10-injection - name: VB6_High_Risk_SQL_Injection - pretty_name: SQL Injection - VB6 - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - VB6_High_Risk_Second_Order_SQL_Injection: - categories: - - boost-hardened - - cwe-89 - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-high-risk - - cwe-top-25 - description: The product constructs all or part of an SQL command using externally-influenced - input from an upstream component, but it does not neutralize or incorrectly - neutralizes special elements that could modify the intended SQL command when - it is sent to a downstream component. - group: top10-injection - name: VB6_High_Risk_Second_Order_SQL_Injection - pretty_name: Second Order SQL Injection - VB6 - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - VB6_Low_Visibility_Bounds_Check_Disabled: - categories: - - cwe-118 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: The product does not restrict or incorrectly restricts operations - within the boundaries of a resource that is accessed using an index or pointer, - such as memory or files. 
- group: top10-injection - name: VB6_Low_Visibility_Bounds_Check_Disabled - pretty_name: Bounds Check Disabled - VB6 - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - VB6_Low_Visibility_Hardcoded_Absolute_Path: - categories: - - cwe-426 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: The product searches for critical resources using an externally-supplied - search path that can point to resources that are not under the product's direct - control. - group: top10-software-data-integrity-failures - name: VB6_Low_Visibility_Hardcoded_Absolute_Path - pretty_name: Hardcoded Absolute Path - VB6 - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - VB6_Low_Visibility_Improper_Error_Handling: - categories: - - cwe-248 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: An exception is thrown from a function, but it is not caught. - group: top10-insecure-design - name: VB6_Low_Visibility_Improper_Error_Handling - pretty_name: Improper Error Handling - VB6 - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - VB6_Low_Visibility_Information_Exposure_Through_an_Error_Message: - categories: - - cwe-209 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: The product generates an error message that includes sensitive information - about its environment, users, or associated data. 
- group: top10-insecure-design - name: VB6_Low_Visibility_Information_Exposure_Through_an_Error_Message - pretty_name: Information Exposure Through an Error Message - VB6 - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - VB6_Low_Visibility_Insecure_Randomness: - categories: - - cwe-330 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: The product uses insufficiently random numbers or values in a security - context that depends on unpredictable numbers. - group: top10-crypto-failures - name: VB6_Low_Visibility_Insecure_Randomness - pretty_name: Insecure Randomness - VB6 - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - VB6_Low_Visibility_Insufficiently_Protected_Credentials: - categories: - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - - cwe-522 - description: The product transmits or stores authentication credentials, but it - uses an insecure method that is susceptible to unauthorized interception and/or - retrieval. - group: top10-insecure-design - name: VB6_Low_Visibility_Insufficiently_Protected_Credentials - pretty_name: Insufficiently Protected Credentials - VB6 - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - VB6_Low_Visibility_Log_Forging: - categories: - - boost-baseline - - ALL - - cwe-117 - - checkmarx-low-visibility - description: The product does not neutralize or incorrectly neutralizes output - that is written to logs. 
- group: top10-security-logging-monitoring-failures - name: VB6_Low_Visibility_Log_Forging - pretty_name: Log Forging - VB6 - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - VB6_Low_Visibility_Stored_Code_Injection: - categories: - - cwe-94 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - - cwe-top-25 - description: The product constructs all or part of a code segment using externally-influenced - input from an upstream component, but it does not neutralize or incorrectly - neutralizes special elements that could modify the syntax or behavior of the - intended code segment. - group: top10-injection - name: VB6_Low_Visibility_Stored_Code_Injection - pretty_name: Stored Code Injection - VB6 - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - VB6_Low_Visibility_Use_Of_Hardcoded_Password: - categories: - - ALL - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - cwe-259 - description: The product contains a hard-coded password, which it uses for its - own inbound authentication or for outbound communication to external components. - group: top10-id-authn-failures - name: VB6_Low_Visibility_Use_Of_Hardcoded_Password - pretty_name: Use Of Hardcoded Password - VB6 - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - VB6_Medium_Threat_DoS_by_Sleep: - categories: - - checkmarx-medium-threat - - owasp-top-10 - - boost-baseline - - ALL - description: The product performs an iteration or loop without sufficiently limiting - the number of times that the loop is executed. 
- group: top10-insecure-design - name: VB6_Medium_Threat_DoS_by_Sleep - pretty_name: DoS by Sleep - VB6 - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - VB6_Medium_Threat_Hardcoded_password_in_Connection_String: - categories: - - boost-baseline - - ALL - - cwe-547 - - checkmarx-medium-threat - description: The product uses hard-coded constants instead of symbolic names for - security-critical values, which increases the likelihood of mistakes during - code maintenance or security policy change. - group: top10-security-misconfiguration - name: VB6_Medium_Threat_Hardcoded_password_in_Connection_String - pretty_name: Hardcoded password in Connection String - VB6 - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - VB6_Medium_Threat_Parameter_Tampering: - categories: - - checkmarx-medium-threat - - owasp-top-10 - - cwe-472 - - boost-baseline - - ALL - description: The web application does not sufficiently verify inputs that are - assumed to be immutable but are actually externally controllable, such as hidden - form fields. - group: top10-insecure-design - name: VB6_Medium_Threat_Parameter_Tampering - pretty_name: Parameter Tampering - VB6 - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - VB6_Medium_Threat_Path_Traversal: - categories: - - ALL - - checkmarx-medium-threat - - owasp-top-10 - - boost-baseline - - cwe-22 - - cwe-top-25 - description: The product uses external input to construct a pathname that is intended - to identify a file or directory that is located underneath a restricted parent - directory, but the product does not properly neutralize special elements within - the pathname that can cause the pathname to resolve to a location that is outside - of the restricted directory. 
- group: top10-broken-access-control - name: VB6_Medium_Threat_Path_Traversal - pretty_name: Path Traversal - VB6 - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - VB6_Medium_Threat_Privacy_Violation: - categories: - - checkmarx-medium-threat - - owasp-top-10 - - boost-baseline - - ALL - - cwe-359 - description: The product does not properly prevent a person's private, personal - information from being accessed by actors who either (1) are not explicitly - authorized to access the information or (2) do not have the implicit consent - of the person about whom the information is collected. - group: top10-broken-access-control - name: VB6_Medium_Threat_Privacy_Violation - pretty_name: Privacy Violation - VB6 - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - VbNet_Best_Coding_Practice_Aptca_Methods_Call_Non_Aptca_Methods: - categories: - - boost-baseline - - ALL - - checkmarx-best-coding-practices - - owasp-top-10 - description: A method in Visual Basic .NET designated with AllowPartiallyTrustedCallersAttribute - (APTCA) invokes a method not marked with APTCA, opening up vulnerabilities for - privilege escalation. - group: top10-insecure-design - name: VbNet_Best_Coding_Practice_Aptca_Methods_Call_Non_Aptca_Methods - pretty_name: Aptca Methods Call Non Aptca Methods - VbNet - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - VbNet_Best_Coding_Practice_Catch_NullPointerException: - categories: - - cwe-395 - - owasp-top-10 - - checkmarx-best-coding-practices - - boost-baseline - - ALL - description: Catching NullPointerException should not be used as an alternative - to programmatic checks to prevent dereferencing a null pointer. 
- group: top10-insecure-design - name: VbNet_Best_Coding_Practice_Catch_NullPointerException - pretty_name: Catch NullPointerException - VbNet - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - VbNet_Best_Coding_Practice_Declaration_Of_Catch_For_Generic_Exception: - categories: - - cwe-396 - - owasp-top-10 - - checkmarx-best-coding-practices - - boost-baseline - - ALL - description: Catching overly broad exceptions promotes complex error handling - code that is more likely to contain security vulnerabilities. - group: top10-insecure-design - name: VbNet_Best_Coding_Practice_Declaration_Of_Catch_For_Generic_Exception - pretty_name: Declaration Of Catch For Generic Exception - VbNet - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - VbNet_Best_Coding_Practice_Deprecated_Methods: - categories: - - boost-baseline - - ALL - - checkmarx-best-coding-practices - - owasp-top-10 - description: Code is using methods which have been marked as deprecated, indicating - they might not be supported in future versions and should be replaced with newer - alternatives. - group: top10-insecure-design - name: VbNet_Best_Coding_Practice_Deprecated_Methods - pretty_name: Deprecated Methods - VbNet - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - VbNet_Best_Coding_Practice_Detection_of_Error_Condition_Without_Action: - categories: - - cwe-390 - - owasp-top-10 - - checkmarx-best-coding-practices - - boost-baseline - - ALL - description: The product detects a specific error, but takes no actions to handle - the error. 
- group: top10-insecure-design - name: VbNet_Best_Coding_Practice_Detection_of_Error_Condition_Without_Action - pretty_name: Detection of Error Condition Without Action - VbNet - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - VbNet_Best_Coding_Practice_Direct_Use_of_Sockets: - categories: - - boost-baseline - - owasp-top-10 - - checkmarx-best-coding-practices - - cwe-246 - - ALL - description: The J2EE application directly uses sockets instead of using framework - method calls. - group: top10-insecure-design - name: VbNet_Best_Coding_Practice_Direct_Use_of_Sockets - pretty_name: Direct Use of Sockets - VbNet - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - VbNet_Best_Coding_Practice_Dynamic_SQL_Queries: - categories: - - cwe-89 - - owasp-top-10 - - checkmarx-best-coding-practices - - boost-baseline - - ALL - - cwe-top-25 - description: The product constructs all or part of an SQL command using externally-influenced - input from an upstream component, but it does not neutralize or incorrectly - neutralizes special elements that could modify the intended SQL command when - it is sent to a downstream component. - group: top10-injection - name: VbNet_Best_Coding_Practice_Dynamic_SQL_Queries - pretty_name: Dynamic SQL Queries - VbNet - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - VbNet_Best_Coding_Practice_Exposure_of_Resource_to_Wrong_Sphere: - categories: - - owasp-top-10 - - cwe-493 - - checkmarx-best-coding-practices - - boost-baseline - - ALL - description: The product has a critical public variable that is not final, which - allows the variable to be modified to contain unexpected values. 
- group: top10-insecure-design - name: VbNet_Best_Coding_Practice_Exposure_of_Resource_to_Wrong_Sphere - pretty_name: Exposure of Resource to Wrong Sphere - VbNet - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - VbNet_Best_Coding_Practice_GetLastWin32Error_Is_Not_Called_After_Pinvoke: - categories: - - owasp-top-10 - - checkmarx-best-coding-practices - - boost-baseline - - ALL - description: Marshaled calls to unmanaged code using Platform Invocation Services - (PInvoke) are not followed by a call to the GetLastError function. This could - lead to overlooked or undetected runtime errors. - group: top10-insecure-design - name: VbNet_Best_Coding_Practice_GetLastWin32Error_Is_Not_Called_After_Pinvoke - pretty_name: GetLastWin32Error Is Not Called After Pinvoke - VbNet - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - VbNet_Best_Coding_Practice_Hardcoded_Absolute_Path: - categories: - - cwe-426 - - owasp-top-10 - - checkmarx-best-coding-practices - - boost-baseline - - ALL - description: The product searches for critical resources using an externally-supplied - search path that can point to resources that are not under the product's direct - control. - group: top10-software-data-integrity-failures - name: VbNet_Best_Coding_Practice_Hardcoded_Absolute_Path - pretty_name: Hardcoded Absolute Path - VbNet - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - VbNet_Best_Coding_Practice_Hardcoded_Connection_String: - categories: - - owasp-top-10 - - checkmarx-best-coding-practices - - boost-baseline - - ALL - - cwe-top-25 - - cwe-798 - description: The product contains hard-coded credentials, such as a password or - cryptographic key, which it uses for its own inbound authentication, outbound - communication to external components, or encryption of internal data. 
- group: top10-id-authn-failures - name: VbNet_Best_Coding_Practice_Hardcoded_Connection_String - pretty_name: Hardcoded Connection String - VbNet - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - VbNet_Best_Coding_Practice_Just_One_of_Equals_and_Hash_code_Defined: - categories: - - ALL - - owasp-top-10 - - checkmarx-best-coding-practices - - boost-baseline - - cwe-581 - description: The product does not maintain equal hashcodes for equal objects. - group: top10-insecure-design - name: VbNet_Best_Coding_Practice_Just_One_of_Equals_and_Hash_code_Defined - pretty_name: Just One of Equals and Hash code Defined - VbNet - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - VbNet_Best_Coding_Practice_Leftover_Debug_Code: - categories: - - cwe-489 - - owasp-top-10 - - checkmarx-best-coding-practices - - boost-baseline - - ALL - description: The product is deployed to unauthorized actors with debugging code - still enabled or active, which can create unintended entry points or expose - sensitive information. - group: top10-insecure-design - name: VbNet_Best_Coding_Practice_Leftover_Debug_Code - pretty_name: Leftover Debug Code - VbNet - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - VbNet_Best_Coding_Practice_Magic_Numbers: - categories: - - boost-baseline - - ALL - - checkmarx-best-coding-practices - - owasp-top-10 - description: Identifies the hard coding of numbers, referred to as "magic numbers," - in Visual Basic .NET code, which can decrease maintainability and readability. 
- group: top10-insecure-design - name: VbNet_Best_Coding_Practice_Magic_Numbers - pretty_name: Magic Numbers - VbNet - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - VbNet_Best_Coding_Practice_Missing_XML_Validation: - categories: - - cwe-112 - - owasp-top-10 - - checkmarx-best-coding-practices - - boost-baseline - - ALL - description: The product accepts XML from an untrusted source but does not validate - the XML against the proper schema. - group: top10-insecure-design - name: VbNet_Best_Coding_Practice_Missing_XML_Validation - pretty_name: Missing XML Validation - VbNet - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - VbNet_Best_Coding_Practice_NULL_Argument_to_Equals: - categories: - - boost-baseline - - ALL - - checkmarx-best-coding-practices - - owasp-top-10 - description: Passing a null argument to the 'Equals' method in Visual Basic .Net - might result in a NullReferenceException, causing an application crash. - group: top10-insecure-design - name: VbNet_Best_Coding_Practice_NULL_Argument_to_Equals - pretty_name: NULL Argument to Equals - VbNet - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - VbNet_Best_Coding_Practice_Non_Private_Static_Constructors: - categories: - - boost-baseline - - ALL - - checkmarx-best-coding-practices - - owasp-top-10 - description: Non-private static constructors in VB.NET are accessible outside - the class, presenting an opportunity for unintended use or manipulation and - potential security risks. 
- group: top10-insecure-design - name: VbNet_Best_Coding_Practice_Non_Private_Static_Constructors - pretty_name: Non Private Static Constructors - VbNet - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - VbNet_Best_Coding_Practice_Pages_Without_Global_Error_Handler: - categories: - - owasp-top-10 - - cwe-544 - - checkmarx-best-coding-practices - - boost-baseline - - ALL - description: The product does not use a standardized method for handling errors - throughout the code, which might introduce inconsistent error handling and resultant - weaknesses. - group: top10-insecure-design - name: VbNet_Best_Coding_Practice_Pages_Without_Global_Error_Handler - pretty_name: Pages Without Global Error Handler - VbNet - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - VbNet_Best_Coding_Practice_PersistSecurityInfo_is_True: - categories: - - boost-baseline - - ALL - - checkmarx-best-coding-practices - - owasp-top-10 - description: The 'PersistSecurityInfo' property is set to 'True' risking the exposure - of sensitive data such as connection string with passwords in log files or other - external sources. - group: top10-insecure-design - name: VbNet_Best_Coding_Practice_PersistSecurityInfo_is_True - pretty_name: PersistSecurityInfo is True - VbNet - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - VbNet_Best_Coding_Practice_Threads_in_WebApp: - categories: - - ALL - - owasp-top-10 - - checkmarx-best-coding-practices - - boost-baseline - - cwe-383 - description: Thread management in a Web application is forbidden in some circumstances - and is always highly error prone. 
- group: top10-insecure-design - name: VbNet_Best_Coding_Practice_Threads_in_WebApp - pretty_name: Threads in WebApp - VbNet - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - VbNet_Best_Coding_Practice_Unchecked_Error_Condition: - categories: - - owasp-top-10 - - cwe-391 - - checkmarx-best-coding-practices - - boost-baseline - - ALL - description: '[PLANNED FOR DEPRECATION. SEE MAINTENANCE NOTES AND CONSIDER' - group: top10-insecure-design - name: VbNet_Best_Coding_Practice_Unchecked_Error_Condition - pretty_name: Unchecked Error Condition - VbNet - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - VbNet_Best_Coding_Practice_Unchecked_Return_Value: - categories: - - cwe-252 - - owasp-top-10 - - checkmarx-best-coding-practices - - boost-baseline - - ALL - description: The product does not check the return value from a method or function, - which can prevent it from detecting unexpected states and conditions. - group: top10-insecure-design - name: VbNet_Best_Coding_Practice_Unchecked_Return_Value - pretty_name: Unchecked Return Value - VbNet - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - VbNet_Best_Coding_Practice_Unclosed_Objects: - categories: - - owasp-top-10 - - checkmarx-best-coding-practices - - boost-baseline - - ALL - - cwe-459 - description: The product does not properly "clean up" and remove temporary or - supporting resources after they have been used. 
- group: top10-insecure-design - name: VbNet_Best_Coding_Practice_Unclosed_Objects - pretty_name: Unclosed Objects - VbNet - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - VbNet_Best_Coding_Practice_Unvalidated_Arguments_Of_Public_Methods: - categories: - - boost-baseline - - ALL - - checkmarx-best-coding-practices - - owasp-top-10 - description: Public methods in VB.NET code accept arguments without conducting - appropriate validation, increasing susceptibility to malicious input exploitation. - group: top10-insecure-design - name: VbNet_Best_Coding_Practice_Unvalidated_Arguments_Of_Public_Methods - pretty_name: Unvalidated Arguments Of Public Methods - VbNet - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - VbNet_Best_Coding_Practice_Use_Of_Uninitialized_Variables: - categories: - - cwe-457 - - owasp-top-10 - - checkmarx-best-coding-practices - - boost-baseline - - ALL - description: The code uses a variable that has not been initialized, leading to - unpredictable or unintended results. - group: top10-insecure-design - name: VbNet_Best_Coding_Practice_Use_Of_Uninitialized_Variables - pretty_name: Use Of Uninitialized Variables - VbNet - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - VbNet_Best_Coding_Practice_Use_of_System_Output_Stream: - categories: - - owasp-top-10 - - cwe-398 - - checkmarx-best-coding-practices - - boost-baseline - - ALL - description: Indicates that the product has not been carefully developed or maintained. 
- group: top10-insecure-design - name: VbNet_Best_Coding_Practice_Use_of_System_Output_Stream - pretty_name: Use of System Output Stream - VbNet - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - VbNet_Best_Coding_Practice_Visible_Pointers: - categories: - - boost-baseline - - ALL - - checkmarx-best-coding-practices - - owasp-top-10 - description: Pointers in Visual Basic .NET are visible, posing a risk for unsafe - code execution due to direct memory manipulation. - group: top10-insecure-design - name: VbNet_Best_Coding_Practice_Visible_Pointers - pretty_name: Visible Pointers - VbNet - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - VbNet_Heuristic_Heuristic_2nd_Order_SQL_Injection: - categories: - - checkmarx-heuristic - - cwe-89 - - owasp-top-10 - - boost-baseline - - ALL - - cwe-top-25 - description: The product constructs all or part of an SQL command using externally-influenced - input from an upstream component, but it does not neutralize or incorrectly - neutralizes special elements that could modify the intended SQL command when - it is sent to a downstream component. - group: top10-injection - name: VbNet_Heuristic_Heuristic_2nd_Order_SQL_Injection - pretty_name: Heuristic 2nd Order SQL Injection - VbNet - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - VbNet_Heuristic_Heuristic_CSRF: - categories: - - checkmarx-heuristic - - cwe-352 - - owasp-top-10 - - boost-baseline - - ALL - - cwe-top-25 - description: The web application does not, or can not, sufficiently verify whether - a well-formed, valid, consistent request was intentionally provided by the user - who submitted the request. 
- group: top10-injection - name: VbNet_Heuristic_Heuristic_CSRF - pretty_name: Heuristic CSRF - VbNet - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - VbNet_Heuristic_Heuristic_DB_Parameter_Tampering: - categories: - - checkmarx-heuristic - - owasp-top-10 - - cwe-284 - - boost-baseline - - ALL - description: The product does not restrict or incorrectly restricts access to - a resource from an unauthorized actor. - group: top10-broken-access-control - name: VbNet_Heuristic_Heuristic_DB_Parameter_Tampering - pretty_name: Heuristic DB Parameter Tampering - VbNet - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - VbNet_Heuristic_Heuristic_Parameter_Tampering: - categories: - - checkmarx-heuristic - - owasp-top-10 - - cwe-472 - - boost-baseline - - ALL - description: The web application does not sufficiently verify inputs that are - assumed to be immutable but are actually externally controllable, such as hidden - form fields. - group: top10-insecure-design - name: VbNet_Heuristic_Heuristic_Parameter_Tampering - pretty_name: Heuristic Parameter Tampering - VbNet - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - VbNet_Heuristic_Heuristic_SQL_Injection: - categories: - - checkmarx-heuristic - - cwe-89 - - owasp-top-10 - - boost-baseline - - ALL - - cwe-top-25 - description: The product constructs all or part of an SQL command using externally-influenced - input from an upstream component, but it does not neutralize or incorrectly - neutralizes special elements that could modify the intended SQL command when - it is sent to a downstream component. 
- group: top10-injection - name: VbNet_Heuristic_Heuristic_SQL_Injection - pretty_name: Heuristic SQL Injection - VbNet - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - VbNet_Heuristic_Heuristic_Stored_XSS: - categories: - - checkmarx-heuristic - - cwe-79 - - owasp-top-10 - - boost-baseline - - ALL - - cwe-top-25 - description: The product does not neutralize or incorrectly neutralizes user-controllable - input before it is placed in output that is used as a web page that is served - to other users. - group: top10-injection - name: VbNet_Heuristic_Heuristic_Stored_XSS - pretty_name: Heuristic Stored XSS - VbNet - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - VbNet_High_Risk_Code_Injection: - categories: - - boost-hardened - - cwe-94 - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-high-risk - - cwe-top-25 - description: The product constructs all or part of a code segment using externally-influenced - input from an upstream component, but it does not neutralize or incorrectly - neutralizes special elements that could modify the syntax or behavior of the - intended code segment. - group: top10-injection - name: VbNet_High_Risk_Code_Injection - pretty_name: Code Injection - VbNet - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - VbNet_High_Risk_Command_Injection: - categories: - - boost-hardened - - cwe-77 - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-high-risk - - cwe-top-25 - description: The product constructs all or part of a command using externally-influenced - input from an upstream component, but it does not neutralize or incorrectly - neutralizes special elements that could modify the intended command when it - is sent to a downstream component. 
- group: top10-injection - name: VbNet_High_Risk_Command_Injection - pretty_name: Command Injection - VbNet - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - VbNet_High_Risk_Connection_String_Injection: - categories: - - boost-hardened - - owasp-top-10 - - cwe-99 - - boost-baseline - - ALL - - checkmarx-high-risk - description: The product receives input from an upstream component, but it does - not restrict or incorrectly restricts the input before it is used as an identifier - for a resource that may be outside the intended sphere of control. - group: top10-injection - name: VbNet_High_Risk_Connection_String_Injection - pretty_name: Connection String Injection - VbNet - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - VbNet_High_Risk_Dangerous_File_Upload: - categories: - - boost-hardened - - cwe-434 - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-high-risk - - cwe-top-25 - description: The product allows the attacker to upload or transfer files of dangerous - types that can be automatically processed within the product's environment. - group: top10-insecure-design - name: VbNet_High_Risk_Dangerous_File_Upload - pretty_name: Dangerous File Upload - VbNet - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - VbNet_High_Risk_LDAP_Injection: - categories: - - boost-hardened - - cwe-90 - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-high-risk - description: The product constructs all or part of an LDAP query using externally-influenced - input from an upstream component, but it does not neutralize or incorrectly - neutralizes special elements that could modify the intended LDAP query when - it is sent to a downstream component. 
- group: top10-injection - name: VbNet_High_Risk_LDAP_Injection - pretty_name: LDAP Injection - VbNet - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - VbNet_High_Risk_Reflected_XSS_All_Clients: - categories: - - boost-hardened - - cwe-79 - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-high-risk - - cwe-top-25 - description: The product does not neutralize or incorrectly neutralizes user-controllable - input before it is placed in output that is used as a web page that is served - to other users. - group: top10-injection - name: VbNet_High_Risk_Reflected_XSS_All_Clients - pretty_name: Reflected XSS All Clients - VbNet - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - VbNet_High_Risk_Resource_Injection: - categories: - - boost-hardened - - owasp-top-10 - - cwe-99 - - boost-baseline - - ALL - - checkmarx-high-risk - description: The product receives input from an upstream component, but it does - not restrict or incorrectly restricts the input before it is used as an identifier - for a resource that may be outside the intended sphere of control. - group: top10-injection - name: VbNet_High_Risk_Resource_Injection - pretty_name: Resource Injection - VbNet - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - VbNet_High_Risk_SQL_Injection: - categories: - - boost-hardened - - cwe-89 - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-high-risk - - cwe-top-25 - description: The product constructs all or part of an SQL command using externally-influenced - input from an upstream component, but it does not neutralize or incorrectly - neutralizes special elements that could modify the intended SQL command when - it is sent to a downstream component. 
- group: top10-injection - name: VbNet_High_Risk_SQL_Injection - pretty_name: SQL Injection - VbNet - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - VbNet_High_Risk_Second_Order_SQL_Injection: - categories: - - boost-hardened - - cwe-89 - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-high-risk - - cwe-top-25 - description: The product constructs all or part of an SQL command using externally-influenced - input from an upstream component, but it does not neutralize or incorrectly - neutralizes special elements that could modify the intended SQL command when - it is sent to a downstream component. - group: top10-injection - name: VbNet_High_Risk_Second_Order_SQL_Injection - pretty_name: Second Order SQL Injection - VbNet - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - VbNet_High_Risk_Stored_XSS: - categories: - - boost-hardened - - cwe-79 - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-high-risk - - cwe-top-25 - description: The product does not neutralize or incorrectly neutralizes user-controllable - input before it is placed in output that is used as a web page that is served - to other users. - group: top10-injection - name: VbNet_High_Risk_Stored_XSS - pretty_name: Stored XSS - VbNet - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - VbNet_High_Risk_UTF7_XSS: - categories: - - boost-hardened - - cwe-79 - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-high-risk - - cwe-top-25 - description: The product does not neutralize or incorrectly neutralizes user-controllable - input before it is placed in output that is used as a web page that is served - to other users. 
- group: top10-injection - name: VbNet_High_Risk_UTF7_XSS - pretty_name: UTF7 XSS - VbNet - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - VbNet_High_Risk_XPath_Injection: - categories: - - boost-hardened - - cwe-643 - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-high-risk - description: The product uses external input to dynamically construct an XPath - expression used to retrieve data from an XML database, but it does not neutralize - or incorrectly neutralizes that input. This allows an attacker to control the - structure of the query. - group: top10-injection - name: VbNet_High_Risk_XPath_Injection - pretty_name: XPath Injection - VbNet - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - VbNet_Low_Visibility_Blind_SQL_Injections: - categories: - - checkmarx-low-visibility - - cwe-89 - - owasp-top-10 - - boost-baseline - - ALL - - cwe-top-25 - description: The product constructs all or part of an SQL command using externally-influenced - input from an upstream component, but it does not neutralize or incorrectly - neutralizes special elements that could modify the intended SQL command when - it is sent to a downstream component. - group: top10-injection - name: VbNet_Low_Visibility_Blind_SQL_Injections - pretty_name: Blind SQL Injections - VbNet - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - VbNet_Low_Visibility_Cleansing_Canonicalization_and_Comparison_Errors: - categories: - - cwe-171 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: Improper handling of data within protection mechanisms that attempt - to perform neutralization for untrusted data. 
- group: top10-injection - name: VbNet_Low_Visibility_Cleansing_Canonicalization_and_Comparison_Errors - pretty_name: Cleansing Canonicalization and Comparison Errors - VbNet - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - VbNet_Low_Visibility_Client_Side_Only_Validation: - categories: - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - - cwe-602 - description: The product is composed of a server that relies on the client to - implement a mechanism that is intended to protect the server. - group: top10-insecure-design - name: VbNet_Low_Visibility_Client_Side_Only_Validation - pretty_name: Client Side Only Validation - VbNet - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - VbNet_Low_Visibility_Cross_Site_History_Manipulation: - categories: - - cwe-203 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: The product behaves differently or sends different responses under - different circumstances in a way that is observable to an unauthorized actor, - which exposes security-relevant information about the state of the product, - such as whether a particular operation was successful or not. - group: top10-software-data-integrity-failures - name: VbNet_Low_Visibility_Cross_Site_History_Manipulation - pretty_name: Cross Site History Manipulation - VbNet - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - VbNet_Low_Visibility_Heap_Inspection: - categories: - - cwe-244 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: Using realloc() to resize buffers that store sensitive information - can leave the sensitive information exposed to attack, because it is not removed - from memory. 
- group: top10-broken-access-control - name: VbNet_Low_Visibility_Heap_Inspection - pretty_name: Heap Inspection - VbNet - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - VbNet_Low_Visibility_Impersonation_Issue: - categories: - - boost-baseline - - ALL - - checkmarx-low-visibility - - cwe-520 - description: Allowing a .NET application to run at potentially escalated levels - of access to the underlying operating and file systems can be dangerous and - result in various forms of attacks. - group: top10-security-misconfiguration - name: VbNet_Low_Visibility_Impersonation_Issue - pretty_name: Impersonation Issue - VbNet - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - VbNet_Low_Visibility_Improper_Encoding_Of_Output: - categories: - - cwe-116 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: The product prepares a structured message for communication with - another component, but encoding or escaping of the data is either missing or - done incorrectly. As a result, the intended structure of the message is not - preserved. - group: top10-injection - name: VbNet_Low_Visibility_Improper_Encoding_Of_Output - pretty_name: Improper Encoding Of Output - VbNet - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - VbNet_Low_Visibility_Improper_Exception_Handling: - categories: - - cwe-248 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: An exception is thrown from a function, but it is not caught. 
- group: top10-insecure-design - name: VbNet_Low_Visibility_Improper_Exception_Handling - pretty_name: Improper Exception Handling - VbNet - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - VbNet_Low_Visibility_Improper_Resource_Shutdown_or_Release: - categories: - - cwe-404 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: The product does not release or incorrectly releases a resource before - it is made available for re-use. - group: top10-insecure-design - name: VbNet_Low_Visibility_Improper_Resource_Shutdown_or_Release - pretty_name: Improper Resource Shutdown or Release - VbNet - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - VbNet_Low_Visibility_Improper_Session_Management: - categories: - - checkmarx-low-visibility - - owasp-top-10 - - cwe-201 - - boost-baseline - - ALL - description: The code transmits data to another actor, but a portion of the data - includes sensitive information that should not be accessible to that actor. - group: top10-broken-access-control - name: VbNet_Low_Visibility_Improper_Session_Management - pretty_name: Improper Session Management - VbNet - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - VbNet_Low_Visibility_Improper_Transaction_Handling: - categories: - - cwe-460 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: The product does not clean up its state or incorrectly cleans up - its state when an exception is thrown, leading to unexpected state or control - flow. 
- group: top10-insecure-design - name: VbNet_Low_Visibility_Improper_Transaction_Handling - pretty_name: Improper Transaction Handling - VbNet - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - VbNet_Low_Visibility_Information_Exposure_Through_an_Error_Message: - categories: - - cwe-209 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: The product generates an error message that includes sensitive information - about its environment, users, or associated data. - group: top10-insecure-design - name: VbNet_Low_Visibility_Information_Exposure_Through_an_Error_Message - pretty_name: Information Exposure Through an Error Message - VbNet - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - VbNet_Low_Visibility_Information_Leak_Through_Persistent_Cookies: - categories: - - cwe-539 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: The web application uses persistent cookies, but the cookies contain - sensitive information. - group: top10-insecure-design - name: VbNet_Low_Visibility_Information_Leak_Through_Persistent_Cookies - pretty_name: Information Leak Through Persistent Cookies - VbNet - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - VbNet_Low_Visibility_Insufficiently_Protected_Credentials: - categories: - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - - cwe-522 - description: The product transmits or stores authentication credentials, but it - uses an insecure method that is susceptible to unauthorized interception and/or - retrieval. 
- group: top10-insecure-design - name: VbNet_Low_Visibility_Insufficiently_Protected_Credentials - pretty_name: Insufficiently Protected Credentials - VbNet - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - VbNet_Low_Visibility_JavaScript_Hijacking: - categories: - - cwe-352 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - - cwe-top-25 - description: The web application does not, or can not, sufficiently verify whether - a well-formed, valid, consistent request was intentionally provided by the user - who submitted the request. - group: top10-injection - name: VbNet_Low_Visibility_JavaScript_Hijacking - pretty_name: JavaScript Hijacking - VbNet - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - VbNet_Low_Visibility_Leaving_Temporary_Files: - categories: - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - - cwe-376 - description: Related to the handling of files within a software system. - group: top10-broken-access-control - name: VbNet_Low_Visibility_Leaving_Temporary_Files - pretty_name: Leaving Temporary Files - VbNet - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - VbNet_Low_Visibility_Log_Forging: - categories: - - boost-baseline - - ALL - - cwe-117 - - checkmarx-low-visibility - description: The product does not neutralize or incorrectly neutralizes output - that is written to logs. 
- group: top10-security-logging-monitoring-failures - name: VbNet_Low_Visibility_Log_Forging - pretty_name: Log Forging - VbNet - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - VbNet_Low_Visibility_Open_Redirect: - categories: - - checkmarx-low-visibility - - cwe-601 - - owasp-top-10 - - boost-baseline - - ALL - description: A web application accepts a user-controlled input that specifies - a link to an external site, and uses that link in a Redirect. This simplifies - phishing attacks. - group: top10-broken-access-control - name: VbNet_Low_Visibility_Open_Redirect - pretty_name: Open Redirect - VbNet - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - VbNet_Low_Visibility_Overly_Permissive_Cross_Origin_Resource_Sharing_Policy: - categories: - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - - cwe-346 - description: The product does not properly verify that the source of data or communication - is valid. - group: top10-id-authn-failures - name: VbNet_Low_Visibility_Overly_Permissive_Cross_Origin_Resource_Sharing_Policy - pretty_name: Overly Permissive Cross Origin Resource Sharing Policy - VbNet - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - VbNet_Low_Visibility_Session_Clearing_Problems: - categories: - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - - cwe-613 - description: According to WASC, "Insufficient Session Expiration is when a web - site permits an attacker to reuse old session credentials or session IDs for - authorization." 
- group: top10-id-authn-failures - name: VbNet_Low_Visibility_Session_Clearing_Problems - pretty_name: Session Clearing Problems - VbNet - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - VbNet_Low_Visibility_Session_Poisoning: - categories: - - checkmarx-low-visibility - - owasp-top-10 - - cwe-472 - - boost-baseline - - ALL - description: The web application does not sufficiently verify inputs that are - assumed to be immutable but are actually externally controllable, such as hidden - form fields. - group: top10-insecure-design - name: VbNet_Low_Visibility_Session_Poisoning - pretty_name: Session Poisoning - VbNet - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - VbNet_Low_Visibility_Stored_Code_Injection: - categories: - - cwe-94 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - - cwe-top-25 - description: The product constructs all or part of a code segment using externally-influenced - input from an upstream component, but it does not neutralize or incorrectly - neutralizes special elements that could modify the syntax or behavior of the - intended code segment. - group: top10-injection - name: VbNet_Low_Visibility_Stored_Code_Injection - pretty_name: Stored Code Injection - VbNet - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - VbNet_Low_Visibility_Thread_Safety_Issue: - categories: - - cwe-567 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: The product does not properly synchronize shared data, such as static - variables across threads, which can lead to undefined behavior and unpredictable - data changes. 
- group: top10-insecure-design - name: VbNet_Low_Visibility_Thread_Safety_Issue - pretty_name: Thread Safety Issue - VbNet - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - VbNet_Low_Visibility_Trust_Boundary_Violation_in_Session_Variables: - categories: - - cwe-501 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: The product mixes trusted and untrusted data in the same data structure - or structured message. - group: top10-insecure-design - name: VbNet_Low_Visibility_Trust_Boundary_Violation_in_Session_Variables - pretty_name: Trust Boundary Violation in Session Variables - VbNet - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - VbNet_Low_Visibility_URL_Canonicalization_Issue: - categories: - - cwe-647 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: The product defines policy namespaces and makes authorization decisions - based on the assumption that a URL is canonical. This can allow a non-canonical - URL to bypass the authorization. - group: top10-injection - name: VbNet_Low_Visibility_URL_Canonicalization_Issue - pretty_name: URL Canonicalization Issue - VbNet - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - VbNet_Low_Visibility_Use_Of_Hardcoded_Password: - categories: - - ALL - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - cwe-259 - description: The product contains a hard-coded password, which it uses for its - own inbound authentication or for outbound communication to external components. 
- group: top10-id-authn-failures - name: VbNet_Low_Visibility_Use_Of_Hardcoded_Password - pretty_name: Use Of Hardcoded Password - VbNet - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - VbNet_Low_Visibility_Use_of_Broken_or_Risky_Cryptographic_Algorithm: - categories: - - cwe-327 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: The product uses a broken or risky cryptographic algorithm or protocol. - group: top10-crypto-failures - name: VbNet_Low_Visibility_Use_of_Broken_or_Risky_Cryptographic_Algorithm - pretty_name: Use of Broken or Risky Cryptographic Algorithm - VbNet - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - VbNet_Low_Visibility_XSS_Evasion_Attack: - categories: - - cwe-79 - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - - cwe-top-25 - description: The product does not neutralize or incorrectly neutralizes user-controllable - input before it is placed in output that is used as a web page that is served - to other users. - group: top10-injection - name: VbNet_Low_Visibility_XSS_Evasion_Attack - pretty_name: XSS Evasion Attack - VbNet - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - VbNet_Medium_Threat_Buffer_Overflow: - categories: - - checkmarx-medium-threat - - owasp-top-10 - - cwe-120 - - boost-baseline - - ALL - description: The product copies an input buffer to an output buffer without verifying - that the size of the input buffer is less than the size of the output buffer, - leading to a buffer overflow. 
- group: top10-injection - name: VbNet_Medium_Threat_Buffer_Overflow - pretty_name: Buffer Overflow - VbNet - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - VbNet_Medium_Threat_CGI_XSS: - categories: - - checkmarx-medium-threat - - cwe-79 - - owasp-top-10 - - boost-baseline - - ALL - - cwe-top-25 - description: The product does not neutralize or incorrectly neutralizes user-controllable - input before it is placed in output that is used as a web page that is served - to other users. - group: top10-injection - name: VbNet_Medium_Threat_CGI_XSS - pretty_name: CGI XSS - VbNet - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - VbNet_Medium_Threat_CSRF: - categories: - - checkmarx-medium-threat - - cwe-352 - - owasp-top-10 - - boost-baseline - - ALL - - cwe-top-25 - description: The web application does not, or can not, sufficiently verify whether - a well-formed, valid, consistent request was intentionally provided by the user - who submitted the request. - group: top10-injection - name: VbNet_Medium_Threat_CSRF - pretty_name: CSRF - VbNet - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - VbNet_Medium_Threat_DB_Parameter_Tampering: - categories: - - checkmarx-medium-threat - - owasp-top-10 - - cwe-284 - - boost-baseline - - ALL - description: The product does not restrict or incorrectly restricts access to - a resource from an unauthorized actor. 
- group: top10-broken-access-control - name: VbNet_Medium_Threat_DB_Parameter_Tampering - pretty_name: DB Parameter Tampering - VbNet - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - VbNet_Medium_Threat_Data_Filter_Injection: - categories: - - checkmarx-medium-threat - - owasp-top-10 - - boost-baseline - - ALL - - cwe-200 - description: The product exposes sensitive information to an actor that is not - explicitly authorized to have access to that information. - group: top10-broken-access-control - name: VbNet_Medium_Threat_Data_Filter_Injection - pretty_name: Data Filter Injection - VbNet - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - VbNet_Medium_Threat_DoS_by_Sleep: - categories: - - checkmarx-medium-threat - - owasp-top-10 - - boost-baseline - - ALL - description: The product performs an iteration or loop without sufficiently limiting - the number of times that the loop is executed. - group: top10-insecure-design - name: VbNet_Medium_Threat_DoS_by_Sleep - pretty_name: DoS by Sleep - VbNet - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - VbNet_Medium_Threat_HTTP_Response_Splitting: - categories: - - checkmarx-medium-threat - - cwe-113 - - owasp-top-10 - - boost-baseline - - ALL - description: The product receives data from an HTTP agent/component (e.g., web - server, proxy, browser, etc.), but it does not neutralize or incorrectly neutralizes - CR and LF characters before the data is included in outgoing HTTP headers. 
- group: top10-injection - name: VbNet_Medium_Threat_HTTP_Response_Splitting - pretty_name: HTTP Response Splitting - VbNet - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - VbNet_Medium_Threat_Hardcoded_password_in_Connection_String: - categories: - - boost-baseline - - ALL - - cwe-547 - - checkmarx-medium-threat - description: The product uses hard-coded constants instead of symbolic names for - security-critical values, which increases the likelihood of mistakes during - code maintenance or security policy change. - group: top10-security-misconfiguration - name: VbNet_Medium_Threat_Hardcoded_password_in_Connection_String - pretty_name: Hardcoded password in Connection String - VbNet - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - VbNet_Medium_Threat_Improper_Locking: - categories: - - checkmarx-medium-threat - - cwe-667 - - owasp-top-10 - - boost-baseline - - ALL - description: The product does not properly acquire or release a lock on a resource, - leading to unexpected resource state changes and behaviors. - group: top10-insecure-design - name: VbNet_Medium_Threat_Improper_Locking - pretty_name: Improper Locking - VbNet - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - VbNet_Medium_Threat_Integer_Overflow: - categories: - - checkmarx-medium-threat - - cwe-190 - - owasp-top-10 - - boost-baseline - - ALL - - cwe-top-25 - description: The product performs a calculation that can produce an integer overflow - or wraparound, when the logic assumes that the resulting value will always be - larger than the original value. This can introduce other weaknesses when the - calculation is used for resource management or execution control. 
- group: top10-injection - name: VbNet_Medium_Threat_Integer_Overflow - pretty_name: Integer Overflow - VbNet - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - VbNet_Medium_Threat_No_Request_Validation: - categories: - - checkmarx-medium-threat - - owasp-top-10 - - cwe-20 - - boost-baseline - - ALL - - cwe-top-25 - description: The product receives input or data, but it does not validate or incorrectly - validates that the input has the properties that are required to process the - data safely and correctly. - group: top10-injection - name: VbNet_Medium_Threat_No_Request_Validation - pretty_name: No Request Validation - VbNet - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - VbNet_Medium_Threat_Parameter_Tampering: - categories: - - checkmarx-medium-threat - - owasp-top-10 - - cwe-472 - - boost-baseline - - ALL - description: The web application does not sufficiently verify inputs that are - assumed to be immutable but are actually externally controllable, such as hidden - form fields. - group: top10-insecure-design - name: VbNet_Medium_Threat_Parameter_Tampering - pretty_name: Parameter Tampering - VbNet - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - VbNet_Medium_Threat_Path_Traversal: - categories: - - ALL - - checkmarx-medium-threat - - owasp-top-10 - - boost-baseline - - cwe-22 - - cwe-top-25 - description: The product uses external input to construct a pathname that is intended - to identify a file or directory that is located underneath a restricted parent - directory, but the product does not properly neutralize special elements within - the pathname that can cause the pathname to resolve to a location that is outside - of the restricted directory. 
- group: top10-broken-access-control - name: VbNet_Medium_Threat_Path_Traversal - pretty_name: Path Traversal - VbNet - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - VbNet_Medium_Threat_Privacy_Violation: - categories: - - checkmarx-medium-threat - - owasp-top-10 - - boost-baseline - - ALL - - cwe-359 - description: The product does not properly prevent a person's private, personal - information from being accessed by actors who either (1) are not explicitly - authorized to access the information or (2) do not have the implicit consent - of the person about whom the information is collected. - group: top10-broken-access-control - name: VbNet_Medium_Threat_Privacy_Violation - pretty_name: Privacy Violation - VbNet - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - VbNet_Medium_Threat_Reflected_XSS_Specific_Clients: - categories: - - checkmarx-medium-threat - - cwe-79 - - owasp-top-10 - - boost-baseline - - ALL - - cwe-top-25 - description: The product does not neutralize or incorrectly neutralizes user-controllable - input before it is placed in output that is used as a web page that is served - to other users. - group: top10-injection - name: VbNet_Medium_Threat_Reflected_XSS_Specific_Clients - pretty_name: Reflected XSS Specific Clients - VbNet - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - VbNet_Medium_Threat_SQL_Injection_Evasion_Attack: - categories: - - checkmarx-medium-threat - - cwe-89 - - owasp-top-10 - - boost-baseline - - ALL - - cwe-top-25 - description: The product constructs all or part of an SQL command using externally-influenced - input from an upstream component, but it does not neutralize or incorrectly - neutralizes special elements that could modify the intended SQL command when - it is sent to a downstream component. 
- group: top10-injection - name: VbNet_Medium_Threat_SQL_Injection_Evasion_Attack - pretty_name: SQL Injection Evasion Attack - VbNet - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - VbNet_Medium_Threat_Stored_Command_Injection: - categories: - - cwe-77 - - checkmarx-medium-threat - - owasp-top-10 - - boost-baseline - - ALL - - cwe-top-25 - description: The product constructs all or part of a command using externally-influenced - input from an upstream component, but it does not neutralize or incorrectly - neutralizes special elements that could modify the intended command when it - is sent to a downstream component. - group: top10-injection - name: VbNet_Medium_Threat_Stored_Command_Injection - pretty_name: Stored Command Injection - VbNet - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - VbNet_Medium_Threat_Stored_LDAP_Injection: - categories: - - checkmarx-medium-threat - - cwe-90 - - owasp-top-10 - - boost-baseline - - ALL - description: The product constructs all or part of an LDAP query using externally-influenced - input from an upstream component, but it does not neutralize or incorrectly - neutralizes special elements that could modify the intended LDAP query when - it is sent to a downstream component. - group: top10-injection - name: VbNet_Medium_Threat_Stored_LDAP_Injection - pretty_name: Stored LDAP Injection - VbNet - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - VbNet_Medium_Threat_Stored_XPath_Injection: - categories: - - checkmarx-medium-threat - - cwe-643 - - owasp-top-10 - - boost-baseline - - ALL - description: The product uses external input to dynamically construct an XPath - expression used to retrieve data from an XML database, but it does not neutralize - or incorrectly neutralizes that input. This allows an attacker to control the - structure of the query. 
- group: top10-injection - name: VbNet_Medium_Threat_Stored_XPath_Injection - pretty_name: Stored XPath Injection - VbNet - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - VbNet_Medium_Threat_Unclosed_Connection: - categories: - - cwe-404 - - checkmarx-medium-threat - - owasp-top-10 - - boost-baseline - - ALL - description: The product does not release or incorrectly releases a resource before - it is made available for re-use. - group: top10-insecure-design - name: VbNet_Medium_Threat_Unclosed_Connection - pretty_name: Unclosed Connection - VbNet - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - VbNet_Medium_Threat_Unsafe_Object_Binding: - categories: - - checkmarx-medium-threat - - owasp-top-10 - - cwe-915 - - boost-baseline - - ALL - description: The product receives input from an upstream component that specifies - multiple attributes, properties, or fields that are to be initialized or updated - in an object, but it does not properly control which attributes can be modified. - group: top10-software-data-integrity-failures - name: VbNet_Medium_Threat_Unsafe_Object_Binding - pretty_name: Unsafe Object Binding - VbNet - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - VbNet_Medium_Threat_Use_of_Hard_coded_Cryptographic_Key: - categories: - - cwe-321 - - checkmarx-medium-threat - - owasp-top-10 - - boost-baseline - - ALL - description: The use of a hard-coded cryptographic key significantly increases - the possibility that encrypted data may be recovered. 
- group: top10-crypto-failures - name: VbNet_Medium_Threat_Use_of_Hard_coded_Cryptographic_Key - pretty_name: Use of Hard coded Cryptographic Key - VbNet - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - VbNet_Medium_Threat_Value_Shadowing: - categories: - - checkmarx-medium-threat - - owasp-top-10 - - cwe-233 - - boost-baseline - - ALL - description: The product does not properly handle when the expected number of - parameters, fields, or arguments is not provided in input, or if those parameters - are undefined. - group: top10-injection - name: VbNet_Medium_Threat_Value_Shadowing - pretty_name: Value Shadowing - VbNet - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - VbNet_WebConfig_CookieLess_Authentication: - categories: - - owasp-top-10 - - checkmarx-web-config - - boost-baseline - - ALL - - cwe-642 - description: The product stores security-critical state information about its - users, or the product itself, in a location that is accessible to unauthorized - actors. - group: top10-insecure-design - name: VbNet_WebConfig_CookieLess_Authentication - pretty_name: CookieLess Authentication - VbNet - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - VbNet_WebConfig_CookieLess_Session: - categories: - - boost-baseline - - ALL - - checkmarx-web-config - - owasp-top-10 - description: The session state in the web.config file of a VB.NET application - is configured to be cookieless, which may expose Session IDs in the URL, increasing - the risk of session hijacking. 
- group: top10-broken-access-control - name: VbNet_WebConfig_CookieLess_Session - pretty_name: CookieLess Session - VbNet - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - VbNet_WebConfig_CustomError: - categories: - - cwe-12 - - owasp-top-10 - - checkmarx-web-config - - boost-baseline - - ALL - description: An ASP .NET application must enable custom error pages in order to - prevent attackers from mining information from the framework's built-in responses. - group: top10-security-misconfiguration - name: VbNet_WebConfig_CustomError - pretty_name: CustomError - VbNet - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - VbNet_WebConfig_DebugEnabled: - categories: - - boost-baseline - - ALL - - checkmarx-web-config - - cwe-11 - description: Debugging messages help attackers learn about the system and plan - a form of attack. - group: top10-security-misconfiguration - name: VbNet_WebConfig_DebugEnabled - pretty_name: DebugEnabled - VbNet - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - VbNet_WebConfig_Elmah_Enabled: - categories: - - owasp-top-10 - - checkmarx-web-config - - boost-baseline - - ALL - - cwe-213 - description: The product's intended functionality exposes information to certain - actors in accordance with the developer's security policy, but this information - is regarded as sensitive according to the intended security policies of other - stakeholders such as the product's administrator, users, or others whose information - is being processed. 
- group: top10-insecure-design - name: VbNet_WebConfig_Elmah_Enabled - pretty_name: Elmah Enabled - VbNet - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - VbNet_WebConfig_HardcodedCredentials: - categories: - - cwe-489 - - owasp-top-10 - - checkmarx-web-config - - boost-baseline - - ALL - description: The product is deployed to unauthorized actors with debugging code - still enabled or active, which can create unintended entry points or expose - sensitive information. - group: top10-id-authn-failures - name: VbNet_WebConfig_HardcodedCredentials - pretty_name: HardcodedCredentials - VbNet - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - VbNet_WebConfig_HttpOnlyCookies_XSS: - categories: - - cwe-1004 - - boost-hardened - - checkmarx-web-config - - boost-baseline - - ALL - description: The product uses a cookie to store sensitive information, but the - cookie is not marked with the HttpOnly flag. - group: top10-security-misconfiguration - name: VbNet_WebConfig_HttpOnlyCookies_XSS - pretty_name: HttpOnlyCookies XSS - VbNet - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - VbNet_WebConfig_Missing_X_Frame_Options: - categories: - - owasp-top-10 - - checkmarx-web-config - - cwe-1021 - - boost-baseline - - ALL - description: The web application does not restrict or incorrectly restricts frame - objects or UI layers that belong to another application or domain, which can - lead to user confusion about which interface the user is interacting with. 
- group: top10-insecure-design - name: VbNet_WebConfig_Missing_X_Frame_Options - pretty_name: Missing X Frame Options - VbNet - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - VbNet_WebConfig_NonUniqueFormName: - categories: - - owasp-top-10 - - checkmarx-web-config - - cwe-694 - - boost-baseline - - ALL - description: The product uses multiple resources that can have the same identifier, - in a context in which unique identifiers are required. - group: top10-insecure-design - name: VbNet_WebConfig_NonUniqueFormName - pretty_name: NonUniqueFormName - VbNet - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - VbNet_WebConfig_Password_In_Configuration_File: - categories: - - boost-baseline - - ALL - - checkmarx-web-config - - cwe-260 - description: The product stores a password in a configuration file that might - be accessible to actors who do not know the password. - group: top10-security-misconfiguration - name: VbNet_WebConfig_Password_In_Configuration_File - pretty_name: Password In Configuration File - VbNet - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - VbNet_WebConfig_RequireSSL: - categories: - - boost-baseline - - cwe-614 - - ALL - - checkmarx-web-config - description: The Secure attribute for sensitive cookies in HTTPS sessions is not - set, which could cause the user agent to send those cookies in plaintext over - an HTTP session. 
- group: top10-security-misconfiguration - name: VbNet_WebConfig_RequireSSL - pretty_name: RequireSSL - VbNet - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - VbNet_WebConfig_SlidingExpiration: - categories: - - owasp-top-10 - - checkmarx-web-config - - boost-baseline - - ALL - - cwe-613 - description: According to WASC, "Insufficient Session Expiration is when a web - site permits an attacker to reuse old session credentials or session IDs for - authorization." - group: top10-id-authn-failures - name: VbNet_WebConfig_SlidingExpiration - pretty_name: SlidingExpiration - VbNet - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - VbNet_WebConfig_TraceEnabled: - categories: - - boost-baseline - - owasp-top-10 - - checkmarx-web-config - - cwe-749 - - ALL - description: The product provides an Applications Programming Interface (API) - or similar interface for interaction with external actors, but the interface - includes a dangerous method or function that is not properly restricted. - group: top10-insecure-design - name: VbNet_WebConfig_TraceEnabled - pretty_name: TraceEnabled - VbNet - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - VbScript_High_Risk_DOM_Code_Injection: - categories: - - boost-hardened - - cwe-94 - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-high-risk - - cwe-top-25 - description: The product constructs all or part of a code segment using externally-influenced - input from an upstream component, but it does not neutralize or incorrectly - neutralizes special elements that could modify the syntax or behavior of the - intended code segment. 
- group: top10-injection - name: VbScript_High_Risk_DOM_Code_Injection - pretty_name: DOM Code Injection - VbScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - VbScript_High_Risk_DOM_XSS: - categories: - - boost-hardened - - cwe-79 - - owasp-top-10 - - boost-baseline - - ALL - - checkmarx-high-risk - - cwe-top-25 - description: The product does not neutralize or incorrectly neutralizes user-controllable - input before it is placed in output that is used as a web page that is served - to other users. - group: top10-injection - name: VbScript_High_Risk_DOM_XSS - pretty_name: DOM XSS - VbScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - VbScript_Low_Visibility_Cookies_Inspection: - categories: - - boost-baseline - - ALL - - checkmarx-low-visibility - - cwe-315 - description: The product stores sensitive information in cleartext in a cookie. - group: top10-security-misconfiguration - name: VbScript_Low_Visibility_Cookies_Inspection - pretty_name: Cookies Inspection - VbScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - VbScript_Low_Visibility_DOM_Open_Redirect: - categories: - - checkmarx-low-visibility - - cwe-601 - - owasp-top-10 - - boost-baseline - - ALL - description: A web application accepts a user-controlled input that specifies - a link to an external site, and uses that link in a Redirect. This simplifies - phishing attacks. 
- group: top10-broken-access-control - name: VbScript_Low_Visibility_DOM_Open_Redirect - pretty_name: DOM Open Redirect - VbScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - VbScript_Low_Visibility_Weak_Password_Authentication: - categories: - - checkmarx-low-visibility - - owasp-top-10 - - boost-baseline - - ALL - description: The VBScript code uses a weak password authentication mechanism, - thus exposing it to security vulnerabilities like brute force attacks or credential - leaks. - group: top10-id-authn-failures - name: VbScript_Low_Visibility_Weak_Password_Authentication - pretty_name: Weak Password Authentication - VbScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - VbScript_Medium_Threat_Client_DoS_By_Sleep: - categories: - - checkmarx-medium-threat - - owasp-top-10 - - boost-baseline - - ALL - - cwe-730 - description: Relates to avenues that can cause denial of serivce. - group: top10-insecure-design - name: VbScript_Medium_Threat_Client_DoS_By_Sleep - pretty_name: Client DoS By Sleep - VbScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - VbScript_Medium_Threat_Client_Untrusted_Activex: - categories: - - checkmarx-medium-threat - - cwe-618 - - owasp-top-10 - - boost-baseline - - ALL - description: An ActiveX control is intended for use in a web browser, but it exposes - dangerous methods that perform actions that are outside of the browser's security - model (e.g. the zone or domain). 
- group: top10-vulnerable-components - name: VbScript_Medium_Threat_Client_Untrusted_Activex - pretty_name: Client Untrusted Activex - VbScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - VbScript_Medium_Threat_DOM_CSRF: - categories: - - checkmarx-medium-threat - - cwe-352 - - owasp-top-10 - - boost-baseline - - ALL - - cwe-top-25 - description: The web application does not, or can not, sufficiently verify whether - a well-formed, valid, consistent request was intentionally provided by the user - who submitted the request. - group: top10-injection - name: VbScript_Medium_Threat_DOM_CSRF - pretty_name: DOM CSRF - VbScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - VbScript_Medium_Threat_DOM_Cookie_Poisoning: - categories: - - checkmarx-medium-threat - - owasp-top-10 - - cwe-472 - - boost-baseline - - ALL - description: The web application does not sufficiently verify inputs that are - assumed to be immutable but are actually externally controllable, such as hidden - form fields. 
- group: top10-insecure-design - name: VbScript_Medium_Threat_DOM_Cookie_Poisoning - pretty_name: DOM Cookie Poisoning - VbScript - recommended: true - ref: https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html - a05331ee-1653-45cb-91e6-13637a76e4f0: - categories: - - ALL - - boost-baseline - description: 'Deployments should be assigned with a PodDisruptionBudget to ensure - high availability ' - group: top10-insecure-design - name: a05331ee-1653-45cb-91e6-13637a76e4f0 - pretty_name: Deployment Without PodDisruptionBudget - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/deployment#selector - a0ab985d-660b-41f7-ac81-70957ee8e627: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Storage Blob Service Container should not publicly accessible ' - group: cloud-resources-public-access - name: a0ab985d-660b-41f7-ac81-70957ee8e627 - pretty_name: Storage Blob Service Container With Public Access - recommended: true - ref: https://docs.microsoft.com/en-us/azure/templates/microsoft.storage/storageaccounts/blobservices/containers?tabs=json#containerproperties-object - a0ae0a4e-712b-4115-8112-51b9eeed9d69: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'AWS Lambda Functions should not have roles with policies granting - full administrative privileges. 
' - group: cloud-insecure-iam - name: a0ae0a4e-712b-4115-8112-51b9eeed9d69 - pretty_name: Lambda Functions With Full Privileges - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-lambda-function.html - a0bf7382-5d5a-4224-924c-3db8466026c9: - categories: - - ALL - - boost-baseline - description: 'The Server URL should be an absolute URL ' - group: top10-insecure-design - name: a0bf7382-5d5a-4224-924c-3db8466026c9 - pretty_name: Server URL Not Absolute - recommended: true - ref: https://swagger.io/specification/#server-object - a0f1bfe0-741e-473f-b3b2-13e66f856fab: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'S3 Buckets must not allow Put Action From All Principals, as to - prevent leaking private information to the entire internet or allow unauthorized - data tampering / deletion. This means the ''Effect'' must not be ''Allow'' when - the ''Action'' is Put, for all Principals. ' - group: cloud-insecure-iam - name: a0f1bfe0-741e-473f-b3b2-13e66f856fab - pretty_name: S3 Bucket Allows Put Action From All Principals - recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/amazon/aws/s3_bucket_module.html - a1120ee4-a712-42d9-8fb5-22595fed643b: - categories: - - ALL - - boost-baseline - description: 'AWS Elasticsearch should have logs enabled ' - group: top10-security-logging-monitoring-failures - name: a1120ee4-a712-42d9-8fb5-22595fed643b - pretty_name: Elasticsearch Logs Disabled - recommended: true - ref: https://www.pulumi.com/registry/packages/aws/api-docs/elasticsearch/domain/#logpublishingoptions_yaml - a1423864-2fbc-4f46-bfe1-fbbf125c71c9: - categories: - - ALL - - boost-baseline - description: 'CodeBuild Project should be encrypted ' - group: top10-crypto-failures - name: a1423864-2fbc-4f46-bfe1-fbbf125c71c9 - pretty_name: CodeBuild Not Encrypted - recommended: true - ref: 
https://docs.ansible.com/ansible/latest/collections/community/aws/aws_codebuild_module.html - a14ad534-acbe-4a8e-9404-2f7e1045646e: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'The HTTP port is open to the internet in a Security Group ' - group: cloud-resources-public-access - name: a14ad534-acbe-4a8e-9404-2f7e1045646e - pretty_name: HTTP Port Open To Internet - recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/amazon/aws/ec2_group_module.html#ansible-collections-amazon-aws-ec2-group-module - a186e82c-1078-4a7b-85d8-579561fde884: - categories: - - ALL - - boost-baseline - description: 'API Gateway should have WAF (Web Application Firewall) enabled ' - group: cloud-resources-public-access - name: a186e82c-1078-4a7b-85d8-579561fde884 - pretty_name: API Gateway without WAF - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafregional_web_acl_association#resource_arn - a187ac47-8163-42ce-8a63-c115236be6fb: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Azurerm Container Registry should contain associated locks, which - means ''azurerm_management_lock.scope'' should be associated with ''azurerm_container_registry'' ' - group: cloud-weak-configuration - name: a187ac47-8163-42ce-8a63-c115236be6fb - pretty_name: Azure Container Registry With No Locks - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/container_registry - a19b2942-142e-4e2b-93b7-6cf6a6c8d90f: - categories: - - ALL - - boost-baseline - description: 'Limits access to AWS AMIs by checking if more than one account is - using the same image ' - group: cloud-insecure-iam - name: a19b2942-142e-4e2b-93b7-6cf6a6c8d90f - pretty_name: AMI Shared With Multiple Accounts - recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/amazon/aws/ec2_ami_module.html - a19c3bbd-c056-40d7-9e1c-eeb0634e320d: - 
categories: - - ALL - - boost-baseline - description: 'Objects should accept ''additionalProperties'' if it is allOf or - an object with anyOf or oneOf ' - group: cloud-weak-configuration - name: a19c3bbd-c056-40d7-9e1c-eeb0634e320d - pretty_name: Additional Properties Too Restrictive - recommended: true - ref: https://swagger.io/specification/#schema-object - a1bc27c6-7115-48d8-bf9d-5a7e836845ba: - categories: - - ALL - - boost-baseline - description: 'apt is discouraged by the linux distributions as an unattended tool - as its interface may suffer changes between versions. Better use the more stable - apt-get and apt-cache ' - group: supply-chain-scm-weak-configuration - name: a1bc27c6-7115-48d8-bf9d-5a7e836845ba - pretty_name: Run Using apt - recommended: true - ref: https://github.com/containers/buildah/blob/main/docs/buildah-run.1.md - a1ee6ebe-3877-42ec-b9a6-e524e7d06aa2: - categories: - - ALL - - boost-baseline - description: Operation Object should have at least one successful HTTP status - code defined - group: top10-insecure-design - name: a1ee6ebe-3877-42ec-b9a6-e524e7d06aa2 - pretty_name: Operation Without Successful HTTP Status Code (v2) - recommended: true - ref: https://swagger.io/specification/v2/#operationObject - a1ef9d2e-4163-40cb-bd92-04f0d602a15d: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'S3 Buckets should not be readable to all users ' - group: cloud-insecure-iam - name: a1ef9d2e-4163-40cb-bd92-04f0d602a15d - pretty_name: S3 Bucket ACL Allows Read to All Users - recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/amazon/aws/aws_s3_module.html#parameter-permission - a20be318-cac7-457b-911d-04cc6e812c25: - categories: - - ALL - - boost-baseline - - boost-hardened - description: '''RDP'' (TCP:3389) should not be public in AWS Network ACL ' - group: cloud-resources-public-access - name: a20be318-cac7-457b-911d-04cc6e812c25 - pretty_name: Network ACL With Unrestricted Access To RDP - 
recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/network_acl - a21b8df3-c840-4b3d-a41a-10fb2afda171: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Gmail accounts are being used instead of corporate credentials ' - group: cloud-weak-configuration - name: a21b8df3-c840-4b3d-a41a-10fb2afda171 - pretty_name: Not Proper Email Account In Use - recommended: true - ref: https://cloud.google.com/deployment-manager/docs/configuration/set-access-control-resources - a21c8da9-41bf-40cf-941d-330cf0d11fc7: - categories: - - ALL - - boost-baseline - description: 'Azure Active Directory must be used for authentication for Service - Fabric ' - group: cloud-insecure-iam - name: a21c8da9-41bf-40cf-941d-330cf0d11fc7 - pretty_name: Azure Active Directory Authentication - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/service_fabric_cluster#tenant_id - a227ec01-f97a-4084-91a4-47b350c1db54: - categories: - - ALL - - boost-baseline - description: 'S3 bucket should have versioning enabled ' - group: top10-security-logging-monitoring-failures - name: a227ec01-f97a-4084-91a4-47b350c1db54 - pretty_name: S3 Bucket Without Versioning - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket.html - a25cd877-375c-4121-a640-730929936fac: - categories: - - ALL - - boost-baseline - description: 'Make sure that Amazon GuardDuty is Enabled ' - group: top10-security-logging-monitoring-failures - name: a25cd877-375c-4121-a640-730929936fac - pretty_name: GuardDuty Detector Disabled - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-guardduty-detector.html - a2f2800e-614b-4bc8-89e6-fec8afd24800: - categories: - - ALL - - boost-baseline - description: 'AWS Serverless API should enable Content Encoding through the attribute - ''MinimumCompressionSize''. 
This value should be greater than -1 and smaller - than 10485760 ' - group: top10-crypto-failures - name: a2f2800e-614b-4bc8-89e6-fec8afd24800 - pretty_name: Serverless API Without Content Encoding - recommended: true - ref: https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-resource-api.html#sam-api-minimumcompressionsize - a2f548f2-188c-4fff-b172-e9a6acb216bd: - categories: - - ALL - - boost-baseline - description: 'AWS Secretmanager should use AWS KMS customer master key (CMK) to - encrypt the secret values in the versions stored in the secret ' - group: top10-crypto-failures - name: a2f548f2-188c-4fff-b172-e9a6acb216bd - pretty_name: Secretsmanager Secret Without KMS - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret#kms_key_id - a2fdf451-89dd-451e-af92-bf6c0f4bab96: - categories: - - ALL - - boost-baseline - description: 'AWS Config Configuration Aggregator All Regions must be set to True ' - group: top10-security-logging-monitoring-failures - name: a2fdf451-89dd-451e-af92-bf6c0f4bab96 - pretty_name: Configuration Aggregator to All Regions Disabled - recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/community/aws/aws_config_aggregator_module.html#parameter-organization_source - a31a5a29-718a-4ff4-8001-a69e5e4d029e: - categories: - - ALL - - boost-baseline - description: 'EC2 Instances should be configured under a VPC network. AWS VPCs - provide the controls to facilitate a formal process for approving and testing - all network connections and changes to the firewall and router configurations. 
' - group: cloud-weak-configuration - name: a31a5a29-718a-4ff4-8001-a69e5e4d029e - pretty_name: Instance With No VPC - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/instance - a31b7b82-d994-48c4-bd21-3bab6c31827a: - categories: - - ALL - - boost-baseline - description: 'Check if Deployment resources don''t have a podAntiAffinity policy, - which prevents multiple pods from being scheduled on the same node. ' - group: cloud-insecure-iam - name: a31b7b82-d994-48c4-bd21-3bab6c31827a - pretty_name: Deployment Has No PodAntiAffinity - recommended: true - ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ - a33e9173-b674-4dfb-9d82-cf3754816e4b: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Check if Pod Security Policies allow containers to share the host - network namespace. ' - group: cloud-weak-configuration - name: a33e9173-b674-4dfb-9d82-cf3754816e4b - pretty_name: PSP Allows Containers To Share The Host Network Namespace - recommended: true - ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/ - a3a055d2-9a2e-4cc9-b9fb-12850a1a3a4b: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'The Active Directory Administrator is not configured for a SQL server ' - group: cloud-weak-configuration - name: a3a055d2-9a2e-4cc9-b9fb-12850a1a3a4b - pretty_name: AD Admin Not Configured For SQL Server - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/sql_active_directory_administrator - a3aa0087-8228-4e7e-b202-dc9036972d02: - categories: - - ALL - - boost-baseline - description: 'Neptune Cluster should have IAM Database Authentication enabled ' - group: cloud-insecure-iam - name: a3aa0087-8228-4e7e-b202-dc9036972d02 - pretty_name: Neptune Cluster With IAM Database Authentication Disabled - recommended: true - ref: 
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-neptune-dbcluster.html#cfn-neptune-dbcluster-iamauthenabled - a3e4e39a-e5fc-4ee9-8cf5-700febfa86dd: - categories: - - ALL - - boost-baseline - description: 'AWS Security Group Ingress CIDR should not be /32 in case of IPV4 - or /128 in case of IPV6 ' - group: top10-insecure-design - name: a3e4e39a-e5fc-4ee9-8cf5-700febfa86dd - pretty_name: Security Group Ingress Has CIDR Not Recommended - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-security-group-ingress.html - a4247b11-890b-45df-bf42-350a7a3af9be: - categories: - - ALL - - boost-baseline - description: 'Security Scheme HTTP should not be using digest authentication ' - group: cloud-insecure-iam - name: a4247b11-890b-45df-bf42-350a7a3af9be - pretty_name: Security Scheme Using HTTP Digest - recommended: true - ref: https://swagger.io/specification/#security-scheme-object - a46928f1-43d7-4671-94e0-2dd99746f389: - categories: - - ALL - - boost-baseline - description: 'Schemes should use ''https'' protocol instead of ''http''. 
Scheme - using ''http'' allows for clear text credentials ' - group: top10-crypto-failures - name: a46928f1-43d7-4671-94e0-2dd99746f389 - pretty_name: Schemes Uses HTTP - recommended: true - ref: https://swagger.io/specification/v2/#swaggerObject - a478af30-8c3a-404d-aa64-0b673cee509a: - categories: - - ALL - - boost-baseline - description: 'Redshift should not use the default port (5439) because an attacker - can easily guess the port ' - group: cloud-resources-public-access - name: a478af30-8c3a-404d-aa64-0b673cee509a - pretty_name: Redshift Using Default Port - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-redshift-cluster.html#cfn-redshift-cluster-port - a4966c4f-9141-48b8-a564-ffe9959945bc: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'S3 Buckets should not have all permissions, as to prevent leaking - private information to the entire internet or allow unauthorized data tampering - / deletion. This means the ''Effect'' must not be ''Allow'' when the ''Action'' - is ''*'', for all Principals. 
' - group: cloud-insecure-iam - name: a4966c4f-9141-48b8-a564-ffe9959945bc - pretty_name: S3 Bucket With All Permissions - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket - a4d32883-aac7-42e1-b403-9415af0f3846: - categories: - - ALL - - boost-baseline - description: 'Serverless FW API should have HTTP Access Logging enabled ' - group: top10-security-logging-monitoring-failures - name: a4d32883-aac7-42e1-b403-9415af0f3846 - pretty_name: Serverless API Access Logging Setting Undefined - recommended: true - ref: https://www.serverless.com/framework/docs/providers/aws/guide/serverless.yml#logs - a4dd69b8-49fa-45d2-a060-c76655405b05: - categories: - - ALL - - boost-baseline - description: 'Property ''explode'' of the encoding object should be defined when - the media type of the request body is ''application/x-www-form-urlencoded''. - If not, it will be ignored. ' - group: top10-insecure-design - name: a4dd69b8-49fa-45d2-a060-c76655405b05 - pretty_name: Property 'explode' of Encoding Object Ignored - recommended: true - ref: https://swagger.io/specification/#encoding-object - a507daa5-0795-4380-960b-dd7bb7c56661: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'ELB Predefined or Custom Security Policies must not use weak ciphers, - to reduce the risk of the SSL connection between the client and the load balancer - being exploited. That means the ''sslPolicy'' of ''Listener'' must not coincide - with any of a predefined list of weak ciphers. 
' - group: top10-crypto-failures - name: a507daa5-0795-4380-960b-dd7bb7c56661 - pretty_name: ELB Using Weak Ciphers - recommended: true - ref: https://doc.crds.dev/github.com/crossplane/provider-aws/elbv2.aws.crossplane.io/Listener/v1alpha1@v0.29.0#spec-forProvider-sslPolicy - a5366a50-932f-4085-896b-41402714a388: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Checks if the connection between the CloudFront and the origin server - is encrypted ' - group: top10-crypto-failures - name: a5366a50-932f-4085-896b-41402714a388 - pretty_name: Connection Between CloudFront Origin Not Encrypted - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cloudfront-distribution.html - a5375be3-521c-43bb-9eab-e2432e368ee4: - categories: - - ALL - - boost-baseline - description: 'The media type prefix should be set as ''application'', ''audio'', - ''font'', ''example'', ''image'', ''message'', ''model'', ''multipart'', ''text'' - or ''video'' ' - group: top10-insecure-design - name: a5375be3-521c-43bb-9eab-e2432e368ee4 - pretty_name: Unknown Prefix (v3) - recommended: true - ref: https://swagger.io/specification/#media-type-object - a5530bd7-225a-48f9-91bb-f40b04200165: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'When using kube-apiserver command, the ''--service-account-lookup'' - flag should be set to true ' - group: cloud-insecure-iam - name: a5530bd7-225a-48f9-91bb-f40b04200165 - pretty_name: Service Account Lookup Set To False - recommended: true - ref: https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/ - a5613650-32ec-4975-a305-31af783153ea: - categories: - - ALL - - boost-baseline - description: 'Default Azure Storage Account network access should be set to Deny ' - group: cloud-weak-configuration - name: a5613650-32ec-4975-a305-31af783153ea - pretty_name: Default Azure Storage Account Network Access Is Too Permissive - recommended: true 
- ref: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account_network_rules#default_action - a58d1a2d-4078-4b80-855b-84cc3f7f4540: - categories: - - ALL - - boost-baseline - description: 'IAM Groups should not use inline policies and instead use managed - policies. If a group is deleted, the inline policy is also deleted ' - group: top10-crypto-failures - name: a58d1a2d-4078-4b80-855b-84cc3f7f4540 - pretty_name: IAM Group Inline Policies - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-group.html - a597e05a-c065-44e7-9cc8-742f572a504a: - categories: - - ALL - - boost-baseline - description: 'log_duration parameter should be set to ON for RDS instances ' - group: top10-security-logging-monitoring-failures - name: a597e05a-c065-44e7-9cc8-742f572a504a - pretty_name: RDS Instance Log Duration Disabled - recommended: true - ref: https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/db_instance#parameters - a599b0d1-ff89-4cb8-9ece-9951854c06f6: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'All security requirement objects must be defined in ''securityDefinitions'' ' - group: top10-insecure-design - name: a599b0d1-ff89-4cb8-9ece-9951854c06f6 - pretty_name: Security Requirement Not Defined In Security Definition - recommended: true - ref: https://swagger.io/specification/v2/#securityRequirementObject - a5bf1a1c-92c7-401c-b4c6-ebdc8b686c01: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Checks if backup configuration is enabled for all Cloud SQL Database - instances ' - group: top10-software-data-integrity-failures - name: a5bf1a1c-92c7-401c-b4c6-ebdc8b686c01 - pretty_name: SQL DB Instance Backup Disabled - recommended: true - ref: https://cloud.google.com/sql/docs/mysql/admin-api/rest/v1beta4/instances - a62a99d1-8196-432f-8f80-3c100b05d62a: - categories: - - ALL - - boost-baseline - 
description: 'Containers can mount sensitive folders from the hosts, giving them - potentially dangerous access to critical host configurations and binaries. ' - group: cloud-insecure-iam - name: a62a99d1-8196-432f-8f80-3c100b05d62a - pretty_name: Volume Mount With OS Directory Write Permissions - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#volume_mount - a659f3b5-9bf0-438a-bd9a-7d3a6427f1e3: - categories: - - ALL - - boost-baseline - description: 'Check if Readiness Probe is not configured. ' - group: top10-insecure-design - name: a659f3b5-9bf0-438a-bd9a-7d3a6427f1e3 - pretty_name: Readiness Probe Is Not Configured - recommended: true - ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#define-readiness-probes - a6847dc6-f4ea-45ac-a81f-93291ae6c573: - categories: - - ALL - - boost-baseline - description: 'The Scheme list of Operation Object should only allow ''HTTPS'' - protocol to ensure an encrypted connection ' - group: top10-crypto-failures - name: a6847dc6-f4ea-45ac-a81f-93291ae6c573 - pretty_name: Path Scheme Accepts HTTP (v2) - recommended: true - ref: https://swagger.io/specification/v2/#operationObject - a68da022-e95a-4bc2-97d3-481e0bd6d446: - categories: - - ALL - - boost-baseline - description: 'Components headers definitions should be referenced or removed from - Open API definition ' - group: top10-insecure-design - name: a68da022-e95a-4bc2-97d3-481e0bd6d446 - pretty_name: Components Header Definition Is Unused - recommended: true - ref: https://swagger.io/specification/#components-object - a6a4d4fc-4e8f-47d1-969f-e9d4a084f3b9: - categories: - - ALL - - boost-baseline - description: 'Do not allow pod to request execution as privileged. 
' - group: cloud-weak-configuration - name: a6a4d4fc-4e8f-47d1-969f-e9d4a084f3b9 - pretty_name: PSP Set To Privileged - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#privileged - a6cd52a1-3056-4910-96a5-894de9f3f3b3: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Cloud Storage Buckets must not be anonymously or publicly accessible, - which means the attribute ''members'' must not possess ''allUsers'' or ''allAuthenticatedUsers'' ' - group: cloud-insecure-iam - name: a6cd52a1-3056-4910-96a5-894de9f3f3b3 - pretty_name: Cloud Storage Anonymous or Publicly Accessible - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/storage_bucket_iam#google_storage_bucket_iam_binding - a6d27cf7-61dc-4bde-ae08-3b353b609f76: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Checks if the connection between CloudFront and the viewer is encrypted ' - group: top10-crypto-failures - name: a6d27cf7-61dc-4bde-ae08-3b353b609f76 - pretty_name: Cloudfront Viewer Protocol Policy Allows HTTP - recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/community/aws/cloudfront_distribution_module.html - a6d774b6-d9ea-4bf4-8433-217bf15d2fb8: - categories: - - ALL - - boost-baseline - description: 'Microsoft.DBforPostgreSQL/servers/configurations should have ''connection_throttling'' - property set to ''on'' ' - group: cloud-resources-public-access - name: a6d774b6-d9ea-4bf4-8433-217bf15d2fb8 - pretty_name: PostgresSQL Database Server Connection Throttling Disabled - recommended: true - ref: https://docs.microsoft.com/en-us/azure/templates/microsoft.dbforpostgresql/servers/configurations?tabs=json - a6f34658-fdfb-4154-9536-56d516f65828: - categories: - - ALL - - boost-baseline - description: 'Sees if Docker Daemon Socket is not exposed to Containers ' - group: cloud-insecure-iam - name: 
a6f34658-fdfb-4154-9536-56d516f65828 - pretty_name: Docker Daemon Socket is Exposed to Containers - recommended: true - ref: https://kubernetes.io/docs/concepts/storage/volumes/ - a71ecabe-03b6-456a-b3bc-d1a39aa20c98: - categories: - - ALL - - boost-baseline - description: 'AWS Serverless Function should have associated tags ' - group: cloud-weak-configuration - name: a71ecabe-03b6-456a-b3bc-d1a39aa20c98 - pretty_name: Serverless Function Without Tags - recommended: true - ref: https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-resource-function.html#sam-function-tags - a737be28-37d8-4bff-aa6d-1be8aa0a0015: - categories: - - ALL - - boost-baseline - description: 'Workload is mounting a volume with sensitive OS Directory ' - group: cloud-weak-configuration - name: a737be28-37d8-4bff-aa6d-1be8aa0a0015 - pretty_name: Workload Mounting With Sensitive OS Directory - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#host_path - a77f4d07-c6e0-4a48-8b35-0eeb51576f4f: - categories: - - ALL - - boost-baseline - description: 'When using kube-apiserver command, the ''--enable-admission-plugins'' - flag should have ''AlwaysPullImages'' plugin and the plugin should be correctly - configured in AdmissionControl Config file ' - group: supply-chain-cicd-weak-configuration - name: a77f4d07-c6e0-4a48-8b35-0eeb51576f4f - pretty_name: Always Pull Images Admission Control Plugin Not Set - recommended: true - ref: https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/ - a7b520bb-2509-4fb0-be05-bc38f54c7a4c: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'MySQL Instance should not have Local Infile On ' - group: cloud-weak-configuration - name: a7b520bb-2509-4fb0-be05-bc38f54c7a4c - pretty_name: MySQL Instance With Local Infile On - recommended: true - ref: 
https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_sql_instance_module.html#parameter-settings/database_flags - a7f8ac28-eed1-483d-87c8-4c325f022572: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'AWS Serverless Function should encrypt environment variables ' - group: top10-crypto-failures - name: a7f8ac28-eed1-483d-87c8-4c325f022572 - pretty_name: Serverless Function Environment Variables Not Encrypted - recommended: true - ref: https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-resource-function.html#sam-function-kmskeyarn - a8128dd2-89b0-464b-98e9-5d629041dfe0: - categories: - - ALL - - boost-baseline - description: 'RAM Account Password Policy ''password_reuse_prevention'' should - be defined and set to 24 or less ' - group: cloud-weak-secrets-management - name: a8128dd2-89b0-464b-98e9-5d629041dfe0 - pretty_name: RAM Account Password Policy without Reuse Prevention - recommended: true - ref: https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/ram_account_password_policy#password_reuse_prevention - a81573f9-3691-4d83-88a0-7d4af63e17a3: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Azure App Service client certificate should be enabled ' - group: cloud-weak-configuration - name: a81573f9-3691-4d83-88a0-7d4af63e17a3 - pretty_name: Azure App Service Client Certificate Disabled - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/app_service#client_cert_enabled - a829b715-cf75-4e92-b645-54c9b739edfb: - categories: - - ALL - - boost-baseline - description: 'Check if any firewall rule allows too many hosts to access Redis - Cache ' - group: cloud-resources-public-access - name: a829b715-cf75-4e92-b645-54c9b739edfb - pretty_name: Firewall Rule Allows Too Many Hosts To Access Redis Cache - recommended: true - ref: 
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/redis_firewall_rule - a8852cc0-fd4b-4fc7-9372-1e43fad0732e: - categories: - - ALL - - boost-baseline - description: 'Account admins should be notified by email in the event of security - alerts ' - group: top10-insecure-design - name: a8852cc0-fd4b-4fc7-9372-1e43fad0732e - pretty_name: Account Admins Not Notified By Email - recommended: true - ref: https://docs.microsoft.com/en-us/azure/templates/microsoft.sql/2017-03-01-preview/servers/securityalertpolicies?tabs=json - a88baa34-e2ad-44ea-ad6f-8cac87bc7c71: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Query to find passwords and secrets in infrastructure code. ' - group: cloud-weak-secrets-management - name: a88baa34-e2ad-44ea-ad6f-8cac87bc7c71 - pretty_name: Passwords And Secrets - recommended: true - ref: https://docs.kics.io/latest/secrets/ - a8b0c58b-cd25-4b53-9ad0-55bca0be0bc1: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'EC2 Instance should not have a public IP address. ' - group: cloud-resources-public-access - name: a8b0c58b-cd25-4b53-9ad0-55bca0be0bc1 - pretty_name: EC2 Instance Has Public IP - recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/amazon/aws/ec2_module.html#parameter-assign_public_ip - a8e859da-4a43-4e7f-94b8-25d6e3bf8e90: - categories: - - ALL - - boost-baseline - description: 'Schema/Parameter items should be defined when the schema/parameter - is set to an array. 
' - group: top10-insecure-design - name: a8e859da-4a43-4e7f-94b8-25d6e3bf8e90 - pretty_name: Items Undefined (v3) - recommended: true - ref: https://swagger.io/specification/#schema-object - a8fc2180-b3ac-4c93-bd0d-a55b974e4b07: - categories: - - ALL - - boost-baseline - description: 'S3 Bucket object-level CloudTrail logging should be enabled for - read and write events ' - group: top10-security-logging-monitoring-failures - name: a8fc2180-b3ac-4c93-bd0d-a55b974e4b07 - pretty_name: S3 Bucket Object Level CloudTrail Logging Disabled - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudtrail#event_selector - a9174d31-d526-4ad9-ace4-ce7ddbf52e03: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'A Kubernetes Cluster must not allow unsafe sysctls, to prevent a - pod from having any influence on any other pod on the node, harming the node''s - health or gaining CPU or memory resources outside of the resource limits of - a pod. This means the ''spec.security_context.sysctl'' must not have an unsafe - sysctls and that the attribute ''allowed_unsafe_sysctls'' must be undefined. 
' - group: cloud-weak-configuration - name: a9174d31-d526-4ad9-ace4-ce7ddbf52e03 - pretty_name: Cluster Allows Unsafe Sysctls - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod_security_policy#allowed_unsafe_sysctls - a9228976-10cf-4b5f-b902-9e962aad037a: - categories: - - ALL - - boost-baseline - description: 'Schema Object define type should not use a keyword of another type ' - group: top10-insecure-design - name: a9228976-10cf-4b5f-b902-9e962aad037a - pretty_name: Type Has Invalid Keyword (v3) - recommended: true - ref: https://swagger.io/specification/#schema-object - a92be1d5-d762-484a-86d6-8cd0907ba100: - categories: - - ALL - - boost-baseline - description: 'If a response is not head or its code is not 204 or 304, it should - have a schema defined ' - group: cloud-resources-public-access - name: a92be1d5-d762-484a-86d6-8cd0907ba100 - pretty_name: Response on operations that should have a body has undefined schema - (v3) - recommended: true - ref: https://swagger.io/docs/specification/describing-responses/ - a964d6e3-8e1e-4d93-8120-61fa640dd55a: - categories: - - ALL - - boost-baseline - description: 'IAM User Login Profile should exist and have PasswordResetRequired - property set to true ' - group: top10-insecure-design - name: a964d6e3-8e1e-4d93-8120-61fa640dd55a - pretty_name: IAM User Without Password Reset - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-user-loginprofile.html - a96bbc06-8cde-4295-ad3c-ee343a7f658e: - categories: - - ALL - - boost-baseline - description: 'The field ''default'' of Schema Object should be consistent with - the schema''s type ' - group: top10-insecure-design - name: a96bbc06-8cde-4295-ad3c-ee343a7f658e - pretty_name: Default Invalid (v3) - recommended: true - ref: https://swagger.io/specification/#schema-object - a976d63f-af0e-46e8-b714-8c1a9c4bf768: - categories: - - ALL - - boost-baseline - - 
boost-hardened - description: 'Ensure MSK Cluster encryption in rest and transit is enabled ' - group: top10-crypto-failures - name: a976d63f-af0e-46e8-b714-8c1a9c4bf768 - pretty_name: MSK Cluster Encryption Disabled - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-msk-cluster.html - a97a340a-0063-418e-b3a1-3028941d0995: - categories: - - ALL - - boost-baseline - description: 'A security context defines privilege and access control settings - for a Pod or Container ' - group: cloud-weak-configuration - name: a97a340a-0063-418e-b3a1-3028941d0995 - pretty_name: Pod or Container Without Security Context - recommended: true - ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ - a99130ab-4c0e-43aa-97f8-78d4fcb30024: - categories: - - ALL - - boost-baseline - description: 'Ensure that the encryption is active on the disk ' - group: top10-crypto-failures - name: a99130ab-4c0e-43aa-97f8-78d4fcb30024 - pretty_name: Encryption On Managed Disk Disabled - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/managed_disk#encryption_settings - a9a13d4f-f17a-491b-b074-f54bffffcb4a: - categories: - - ALL - - boost-baseline - description: 'Service Account Tokens are automatically mounted even if not necessary ' - group: cloud-weak-configuration - name: a9a13d4f-f17a-491b-b074-f54bffffcb4a - pretty_name: Service Account Token Automount Not Disabled - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#automount_service_account_token - a9becca7-892a-4af7-b9e1-44bf20a4cd9a: - categories: - - ALL - - boost-baseline - description: 'Ensure that Connection Throttling is set for the PostgreSQL server ' - group: top10-security-logging-monitoring-failures - name: a9becca7-892a-4af7-b9e1-44bf20a4cd9a - pretty_name: PostgreSQL Server Without Connection Throttling - recommended: true - ref: 
https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_postgresqlconfiguration_module.html - a9c2f49d-0671-4fc9-9ece-f4e261e128d0: - categories: - - ALL - - boost-baseline - description: 'Check if the root container filesystem is not being mounted read-only. ' - group: supply-chain-cicd-weak-configuration - name: a9c2f49d-0671-4fc9-9ece-f4e261e128d0 - pretty_name: Root Container Not Mounted Read-only - recommended: true - ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ - a9dfec39-a740-4105-bbd6-721ba163c053: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Ram Account Password Policy should have ''minimum_password_length'' - defined and set to 14 or above ' - group: cloud-weak-secrets-management - name: a9dfec39-a740-4105-bbd6-721ba163c053 - pretty_name: Ram Account Password Policy Not Required Minimum Length - recommended: true - ref: https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/ram_account_password_policy#minimum_password_length - aa737abf-6b1d-4aba-95aa-5c160bd7f96e: - categories: - - ALL - - boost-baseline - description: 'Image Pull Policy of the container must be defined and set to Always ' - group: cloud-weak-configuration - name: aa737abf-6b1d-4aba-95aa-5c160bd7f96e - pretty_name: Image Pull Policy Of The Container Is Not Set To Always - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#image_pull_policy - aa8f7a35-9923-4cad-bd61-a19b7f6aac91: - categories: - - ALL - - boost-baseline - description: 'A non kube-system workload should not have hostPath mounted ' - group: cloud-insecure-iam - name: aa8f7a35-9923-4cad-bd61-a19b7f6aac91 - pretty_name: Non Kube System Pod With Host Mount - recommended: true - ref: https://kubernetes.io/docs/concepts/storage/volumes/ - aa93e17f-b6db-4162-9334-c70334e7ac28: - categories: - - ALL - - boost-baseline - description: 'It is considered a best 
practice for every executable in a container - to be owned by the root user even if it is executed by a non-root user, only - execution permissions are required on the file, not ownership ' - group: top10-insecure-design - name: aa93e17f-b6db-4162-9334-c70334e7ac28 - pretty_name: Chown Flag Exists - recommended: true - ref: https://docs.docker.com/develop/develop-images/dockerfile_best-practices/ - aafa7d94-62de-4fbf-8838-b69ee217b0e6: - categories: - - ALL - - boost-baseline - description: 'A Pod''s Containers must have the same Memory requests as limits - set, which is recommended to avoid resource DDOS of the node during spikes. - This means the ''requests.memory'' must equal ''limits.memory'', and both be - defined. ' - group: cloud-insecure-iam - name: aafa7d94-62de-4fbf-8838-b69ee217b0e6 - pretty_name: Container Memory Requests Not Equal To It's Limits - recommended: true - ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - ab1263c2-81df-46f0-9f2c-0b62fdb68419: - categories: - - ALL - - boost-baseline - description: 'Security field should be defined in ''#/components/securitySchemes'' ' - group: top10-insecure-design - name: ab1263c2-81df-46f0-9f2c-0b62fdb68419 - pretty_name: Security Field Undefined - recommended: true - ref: https://swagger.io/specification/#security-requirement-object - ab2af219-cd08-4233-b5a1-a788aac88b51: - categories: - - ALL - - boost-baseline - description: 'Property defining minimum has greater value than maximum defined ' - group: top10-insecure-design - name: ab2af219-cd08-4233-b5a1-a788aac88b51 - pretty_name: Property Defining Minimum Greater Than Maximum (v3) - recommended: true - ref: https://swagger.io/specification/#schema-object - ab871897-ec02-4835-9818-702536ee1dda: - categories: - - ALL - - boost-baseline - description: Parameters properties 'name' and 'in' should have unique combinations - group: top10-insecure-design - name: ab871897-ec02-4835-9818-702536ee1dda - pretty_name: Parameters 
Name In Combination Not Unique (v2) - recommended: true - ref: https://swagger.io/specification/v2/#parameterObject - abb06e5f-ef9a-4a99-98c6-376d396bfcdf: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Checks if the SQS Queue is exposed ' - group: cloud-insecure-iam - name: abb06e5f-ef9a-4a99-98c6-376d396bfcdf - pretty_name: SQS Queue Exposed - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue#policy - abcb818b-5af7-4d72-aba9-6dd84956b451: - categories: - - ALL - - boost-baseline - description: 'The default namespace should not be used ' - group: cloud-weak-configuration - name: abcb818b-5af7-4d72-aba9-6dd84956b451 - pretty_name: Using Default Namespace - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#namespace - abdb29d4-5ca1-4e91-800b-b3569bbd788c: - categories: - - ALL - - boost-baseline - description: 'Check if AWS config rules do not identify Encrypted Volumes as a - source. 
' - group: top10-crypto-failures - name: abdb29d4-5ca1-4e91-800b-b3569bbd788c - pretty_name: Config Rule For Encrypted Volumes Disabled - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/config_config_rule - ac1564a3-c324-4747-9fa1-9dfc234dace0: - categories: - - ALL - - boost-baseline - description: 'Container should not share the host network namespace ' - group: cloud-insecure-iam - name: ac1564a3-c324-4747-9fa1-9dfc234dace0 - pretty_name: Shared Host Network Namespace - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#host_network - ac5a0bc0-a54c-45aa-90c3-15f7703b9132: - categories: - - ALL - - boost-baseline - description: 'AWS Config Configuration Aggregator All Regions must be set to True ' - group: top10-security-logging-monitoring-failures - name: ac5a0bc0-a54c-45aa-90c3-15f7703b9132 - pretty_name: Configuration Aggregator to All Regions Disabled - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/config_configuration_aggregator#all_regions - acb6b4e2-a086-4f35-aefd-4db6ea51ada2: - categories: - - ALL - - boost-baseline - description: 'AWS Elasticsearch should have logs enabled ' - group: top10-security-logging-monitoring-failures - name: acb6b4e2-a086-4f35-aefd-4db6ea51ada2 - pretty_name: Elasticsearch Log Disabled - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/elasticsearch_domain#log_publishing_options - acc78859-765e-4011-a229-a65ea57db252: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'S3 Buckets must not allow Delete Action From All Principals, as - to prevent leaking private information to the entire internet or allow unauthorized - data tampering / deletion. This means the ''Effect'' must not be ''Allow'' when - the ''Action'' is Delete, for all Principals. 
' - group: cloud-insecure-iam - name: acc78859-765e-4011-a229-a65ea57db252 - pretty_name: S3 Bucket Allows Delete Action From All Principals - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket.html - ace823d1-4432-4dee-945b-cdf11a5a6bd0: - categories: - - ALL - - boost-baseline - description: 'Function App should have ''http2_enabled'' enabled ' - group: cloud-weak-configuration - name: ace823d1-4432-4dee-945b-cdf11a5a6bd0 - pretty_name: Function App HTTP2 Disabled - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/function_app#http2_enabled - acfdbec6-4a17-471f-b412-169d77553332: - categories: - - ALL - - boost-baseline - description: 'Google Container Node Pool Auto Repair should be enabled. This service - periodically checks for failing nodes and repairs them to ensure a smooth running - state. ' - group: cloud-weak-configuration - name: acfdbec6-4a17-471f-b412-169d77553332 - pretty_name: Google Container Node Pool Auto Repair Disabled - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_node_pool - ad0875c1-0b39-4890-9149-173158ba3bba: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Cloud Storage Bucket should have versioning enabled ' - group: top10-security-logging-monitoring-failures - name: ad0875c1-0b39-4890-9149-173158ba3bba - pretty_name: Cloud Storage Bucket Versioning Disabled - recommended: true - ref: https://cloud.google.com/storage/docs/json_api/v1/buckets - ad21e616-5026-4b9d-990d-5b007bfe679c: - categories: - - ALL - - boost-baseline - description: 'AWS Auto Scaling Groups must have associated ELBs to ensure high - availability and improve application performance. This means the attribute ''LoadBalancerNames'' - must be defined and not empty. 
' - group: top10-insecure-design - name: ad21e616-5026-4b9d-990d-5b007bfe679c - pretty_name: Auto Scaling Group With No Associated ELB - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-as-group.html - ad296c0d-8131-4d6b-b030-1b0e73a99ad3: - categories: - - ALL - - boost-baseline - description: 'Group with privilege escalation by actions ''iam:UpdateLoginProfile'' - and Resource set to ''*''. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. ' - group: cloud-insecure-iam - name: ad296c0d-8131-4d6b-b030-1b0e73a99ad3 - pretty_name: Group With Privilege Escalation By Actions 'iam:UpdateLoginProfile' - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_policy#policy - ad432855-b7fb-4429-92a3-93b5ce34f0b1: - categories: - - ALL - - boost-baseline - description: Delete should define at least one success response (200, 201, 202 - or 204) - group: cloud-resources-public-access - name: ad432855-b7fb-4429-92a3-93b5ce34f0b1 - pretty_name: Success Response Code Undefined for Delete Operation (v2) - recommended: true - ref: https://swagger.io/specification/v2/#operation-object - ad5b4e97-2850-4adf-be17-1d293e0b85ee: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Glue Security Configuration Encryption should have ''cloudwatch_encryption'', - ''job_bookmarks_encryption'' and ''s3_encryption'' enabled ' - group: top10-crypto-failures - name: ad5b4e97-2850-4adf-be17-1d293e0b85ee - pretty_name: Glue Security Configuration Encryption Disabled - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/glue_security_configuration#encryption_configuration - ad69e38a-d92e-4357-a8da-f2f29d545883: - categories: - - ALL - - boost-baseline - description: 'A security context defines privilege and access control settings - for a Pod or Container ' - group: 
cloud-weak-configuration - name: ad69e38a-d92e-4357-a8da-f2f29d545883 - pretty_name: Pod or Container Without Security Context - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#security_context - ad7444cf-817a-4765-a79e-2145f7981faf: - categories: - - ALL - - boost-baseline - description: 'AWS Shield Advanced should be used for Amazon Route 53 hosted zone, - AWS Global Accelerator accelerator, Elastic IP Address, Elastic Load Balancing, - and Amazon CloudFront Distribution to protect these resources against robust - DDoS attacks ' - group: cloud-resources-public-access - name: ad7444cf-817a-4765-a79e-2145f7981faf - pretty_name: Shield Advanced Not In Use - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-fms-policy.html - ad9dabc7-7839-4bae-a957-aa9120013f39: - categories: - - ALL - - boost-baseline - description: 'The attribute ''action'' should not have wildcard ' - group: cloud-insecure-iam - name: ad9dabc7-7839-4bae-a957-aa9120013f39 - pretty_name: Lambda With Vulnerable Policy - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission#action - adcd0082-e90b-4b63-862b-21899f6e6a48: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Security Groups allows 0.0.0.0/0 for all ports and protocols. ' - group: cloud-resources-public-access - name: adcd0082-e90b-4b63-862b-21899f6e6a48 - pretty_name: Security Groups With Meta IP - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-security-group.html - addc0eab-27f6-4c26-8526-d2ccd3732662: - categories: - - ALL - - boost-baseline - description: Schema discriminator values should match defined properties. 
- group: top10-insecure-design - name: addc0eab-27f6-4c26-8526-d2ccd3732662 - pretty_name: Schema Discriminator Mismatch Defined Properties (v2) - recommended: true - ref: https://swagger.io/specification/v2/#schema-object - ade36cf4-329f-4830-a83d-9db72c800507: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'MSSQL Server public network access should be disabled ' - group: cloud-resources-public-access - name: ade36cf4-329f-4830-a83d-9db72c800507 - pretty_name: MSSQL Server Public Network Access Enabled - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/mssql_server#public_network_access_enabled - ade74944-a674-4e00-859e-c6eab5bde441: - categories: - - ALL - - boost-baseline - description: 'In case of an unresponsive container, a Liveness Probe can help - your application become more available since it restarts the container. However, - it can lead to cascading failures. Define one if you really need it ' - group: top10-insecure-design - name: ade74944-a674-4e00-859e-c6eab5bde441 - pretty_name: Liveness Probe Is Not Defined - recommended: true - ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#when-should-you-use-a-liveness-probe - ae03f542-1423-402f-9cef-c834e7ee9583: - categories: - - ALL - - boost-baseline - description: 'AWS Lambda Functions should not share IAM roles to ensure they will - have the minimum privileges needed to perform the required tasks ' - group: cloud-weak-configuration - name: ae03f542-1423-402f-9cef-c834e7ee9583 - pretty_name: Lambda Functions Without Unique IAM Roles - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-lambda-function.html - ae13a37d-943b-47a7-a970-83c8598bcca3: - categories: - - ALL - - boost-baseline - description: 'All path templates should not be empty ' - group: top10-insecure-design - name: ae13a37d-943b-47a7-a970-83c8598bcca3 - pretty_name: Path Template is Empty 
(v3) - recommended: true - ref: https://swagger.io/specification/#paths-object - ae53ce91-42b5-46bf-a84f-9a13366a4f13: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'SNS Topic Policy should not allow any principal to access ' - group: cloud-insecure-iam - name: ae53ce91-42b5-46bf-a84f-9a13366a4f13 - pretty_name: SNS Topic is Publicly Accessible - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-sns-policy.html - ae5b6871-7f45-42e0-bb4c-ab300c4d2026: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Privileged containers should be used with extreme caution, they - have all of the capabilities that the linux kernel offers for docker. ' - group: cloud-insecure-iam - name: ae5b6871-7f45-42e0-bb4c-ab300c4d2026 - pretty_name: Privileged Containers Enabled - recommended: true - ref: https://docs.docker.com/compose/compose-file/#privileged - ae8827e2-4af9-4baa-9998-87539ae0d6f0: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'When using etcd commands, the ''--peer-auto-tls'' should be set - to false ' - group: cloud-weak-secrets-management - name: ae8827e2-4af9-4baa-9998-87539ae0d6f0 - pretty_name: Peer Auto TLS Set To True - recommended: true - ref: https://etcd.io/docs/v3.4/op-guide/security/ - ae9c56a6-3ed1-4ac0-9b54-31267f51151d: - categories: - - ALL - - boost-baseline - description: 'When installing packages, use the ''--no-cache'' switch to avoid - the need to use ''--update'' and remove ''/var/cache/apk/*'' ' - group: supply-chain-scm-weak-configuration - name: ae9c56a6-3ed1-4ac0-9b54-31267f51151d - pretty_name: Apk Add Using Local Cache Path - recommended: true - ref: https://docs.docker.com/engine/reference/builder/#run - aecee30b-8ea1-4776-a99c-d6d600f0862f: - categories: - - ALL - - boost-baseline - description: 'API Keys should not be transported over network ' - group: cloud-insecure-iam - name: 
aecee30b-8ea1-4776-a99c-d6d600f0862f - pretty_name: API Key Exposed In Global Security (v3) - recommended: true - ref: https://swagger.io/specification/#security-scheme-object - aed98a2a-e680-497a-8886-277cea0f4514: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'PostgreSQL database ''log_min_duration_statement'' flag isn''t set - to ''-1'' ' - group: cloud-weak-configuration - name: aed98a2a-e680-497a-8886-277cea0f4514 - pretty_name: PostgreSQL Misconfigured Logging Duration Flag - recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_sql_instance_module.html#parameter-settings/database_flags - aee3c7d2-a811-4201-90c7-11c028be9a46: - categories: - - ALL - - boost-baseline - description: 'Containers must have the same resource requests set as limits. This - is recommended to avoid resource DDoS of the node during spikes and means that - ''requests.memory'' and ''requests.cpu'' must equal ''limits.memory'' and ''limits.cpu'', - respectively ' - group: cloud-insecure-iam - name: aee3c7d2-a811-4201-90c7-11c028be9a46 - pretty_name: Container Requests Not Equal To It's Limits - recommended: true - ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - af167837-9636-4086-b815-c239186b9dda: - categories: - - ALL - - boost-baseline - description: 'Cross-Account IAM Assume Role Policy should require external ID - or MFA to protect cross-account access ' - group: cloud-insecure-iam - name: af167837-9636-4086-b815-c239186b9dda - pretty_name: Cross-Account IAM Assume Role Policy Without ExternalId or MFA - recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/community/aws/iam_role_module.html#parameter-assume_role_policy_document - af173fde-95ea-4584-b904-bb3923ac4bda: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'AWS Redshift Clusters must not be publicly accessible. 
Check if - ''publicly_accessible'' field is true or undefined (default is true) ' - group: cloud-weak-configuration - name: af173fde-95ea-4584-b904-bb3923ac4bda - pretty_name: Redshift Publicly Accessible - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/redshift_cluster - af96d737-0818-4162-8c41-40d969bd65d1: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Customer Master Keys (CMK) must have rotation enabled, which means - the attribute ''enable_key_rotation'' must be set to ''true'' when the key is - enabled. ' - group: top10-security-logging-monitoring-failures - name: af96d737-0818-4162-8c41-40d969bd65d1 - pretty_name: CMK Rotation Disabled - recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/community/aws/aws_kms_module.html#parameter-enable_key_rotation - afa36afb-39fe-4d94-b9b6-afb236f7a03d: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'When using kube-apiserver command, the ''--enable-admission-plugins'' - flag should have ''PodSecurityPolicy'' plugin and the plugin should be correctly - configured in AdmissionControl Config file ' - group: supply-chain-cicd-weak-configuration - name: afa36afb-39fe-4d94-b9b6-afb236f7a03d - pretty_name: Pod Security Policy Admission Control Plugin Not Set - recommended: true - ref: https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/ - afde15cf-9444-4126-8c62-41cd79db1d1d: - categories: - - ALL - - boost-baseline - description: String schema/parameter/header should have 'pattern' defined. 
- group: cloud-weak-configuration - name: afde15cf-9444-4126-8c62-41cd79db1d1d - pretty_name: Pattern Undefined (v2) - recommended: true - ref: https://swagger.io/specification/v2/#schemaObject - afecd1f1-6378-4f7e-bb3b-60c35801fdd4: - categories: - - ALL - - boost-baseline - description: 'Application Load Balancer should have deletion protection enabled ' - group: cloud-weak-configuration - name: afecd1f1-6378-4f7e-bb3b-60c35801fdd4 - pretty_name: ALB Deletion Protection Disabled - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb#enable_deletion_protection - b03a748a-542d-44f4-bb86-9199ab4fd2d5: - categories: - - ALL - - boost-baseline - description: 'Ensure that HEALTHCHECK is being used. The HEALTHCHECK instruction - tells Docker how to test a container to check that it is still working ' - group: cloud-weak-configuration - name: b03a748a-542d-44f4-bb86-9199ab4fd2d5 - pretty_name: Healthcheck Instruction Missing - recommended: true - ref: https://docs.docker.com/engine/reference/builder/#healthcheck - b05bb927-2df5-43cc-8d7b-6825c0e71625: - categories: - - ALL - - boost-baseline - description: 'Components examples definitions should be referenced or removed - from Open API definition ' - group: top10-insecure-design - name: b05bb927-2df5-43cc-8d7b-6825c0e71625 - pretty_name: Components Example Definition Is Unused - recommended: true - ref: https://swagger.io/specification/#components-object - b0d3ef3f-845d-4b1b-83d6-63a5a380375f: - categories: - - ALL - - boost-baseline - description: 'Secrets Manager secret should be encrypted with customer-managed - KMS keys instead of AWS managed keys ' - group: top10-crypto-failures - name: b0d3ef3f-845d-4b1b-83d6-63a5a380375f - pretty_name: Secretsmanager Secret Encrypted With AWS Managed Key - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret#kms_key_id - b139213e-7d24-49c2-8025-c18faa21ecaa: - 
categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Kubernetes nodes must have auto upgrades set to true, which means - Node ''auto_upgrade'' should be enabled for Kubernetes Clusters ' - group: cloud-insecure-iam - name: b139213e-7d24-49c2-8025-c18faa21ecaa - pretty_name: Node Auto Upgrade Disabled - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_node_pool#auto_upgrade - b14d1bc4-a208-45db-92f0-e21f8e2588e9: - categories: - - ALL - - boost-baseline - description: 'Memory limits should be defined for each container. This prevents - potential resource exhaustion by ensuring that containers consume not more than - the designated amount of memory ' - group: cloud-insecure-iam - name: b14d1bc4-a208-45db-92f0-e21f8e2588e9 - pretty_name: Memory Limits Not Defined - recommended: true - ref: https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource/ - b161c11b-a59b-4431-9a29-4e19f63e6b27: - categories: - - ALL - - boost-baseline - description: 'REST API policy should avoid wildcard in ''Action'' and ''Principal'' ' - group: cloud-insecure-iam - name: b161c11b-a59b-4431-9a29-4e19f63e6b27 - pretty_name: REST API With Vulnerable Policy - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_rest_api_policy#policy - b16cdb37-ce15-4ab2-8401-d42b05d123fc: - categories: - - ALL - - boost-baseline - description: 'API Gateway REST API should have an API Gateway Authorizer ' - group: cloud-insecure-iam - name: b16cdb37-ce15-4ab2-8401-d42b05d123fc - pretty_name: API Gateway Without Configured Authorizer - recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/community/aws/aws_api_gateway_module.html - b16e8501-ef3c-44e1-a543-a093238099c9: - categories: - - ALL - - boost-baseline - description: 'Don''t use ''--platform'' flag with FROM ' - group: supply-chain-scm-weak-configuration - name: 
b16e8501-ef3c-44e1-a543-a093238099c9 - pretty_name: Using Platform Flag with FROM Command - recommended: true - ref: https://docs.docker.com/engine/reference/builder/#from - b176e927-bbe2-44a6-a9c3-041417137e5f: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'The Active Directory Administrator is not configured for a SQL server ' - group: cloud-weak-configuration - name: b176e927-bbe2-44a6-a9c3-041417137e5f - pretty_name: AD Admin Not Configured For SQL Server - recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_sqlserver_module.html#parameter-ad_user - b17d8bb8-4c08-4785-867e-cb9e62a622aa: - categories: - - ALL - - boost-baseline - description: 'Azure Container Service (AKS) should use Disk Encryption Set ID - in supported types of disk ' - group: top10-crypto-failures - name: b17d8bb8-4c08-4785-867e-cb9e62a622aa - pretty_name: AKS Disk Encryption Set ID Undefined - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/kubernetes_cluster#disk_encryption_set_id - b187edca-b81e-4fdc-aff4-aab57db45edb: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Cloud SQL instances should not be publicly accessible. 
' - group: cloud-weak-configuration - name: b187edca-b81e-4fdc-aff4-aab57db45edb - pretty_name: SQL DB Instance Publicly Accessible - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/sql_database_instance - b1a72f66-2236-4f3b-87ba-0da1b366956f: - categories: - - ALL - - boost-baseline - description: 'SNS (Simple Notification Service) Topic should be encrypted with - customer-managed KMS keys instead of AWS managed keys ' - group: top10-crypto-failures - name: b1a72f66-2236-4f3b-87ba-0da1b366956f - pretty_name: SNS Topic Encrypted With AWS Managed Key - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic#kms_master_key_id - b1a7fcb0-2afe-4d5c-a6a1-4e6311fc29e7: - categories: - - ALL - - boost-baseline - description: 'Contact Object Email should be a valid email ' - group: top10-insecure-design - name: b1a7fcb0-2afe-4d5c-a6a1-4e6311fc29e7 - pretty_name: Invalid Contact Email (v3) - recommended: true - ref: https://swagger.io/specification/#contact-object - b1b20ae3-8fa7-4af5-a74d-a2145920fcb1: - categories: - - ALL - - boost-baseline - description: 'IAM password should have the required minimum length ' - group: top10-insecure-design - name: b1b20ae3-8fa7-4af5-a74d-a2145920fcb1 - pretty_name: IAM Password Without Minimum Length - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/quickref-iam.html#scenario-iam-user - b1d51728-7270-4991-ac2f-fc26e2695b38: - categories: - - ALL - - boost-baseline - description: 'VM disks for critical VMs must be encrypted with Customer Supplied - Encryption Keys (CSEK) or with Customer-managed encryption keys (CMEK), which - means the attribute ''disk_encryption_key'' must be defined and its sub attributes - ''raw_key'' or ''kms_key_self_link'' must also be defined ' - group: top10-crypto-failures - name: b1d51728-7270-4991-ac2f-fc26e2695b38 - pretty_name: Disk Encryption Disabled - 
recommended: true - ref: https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_disk - b1ffa705-19a3-4b73-b9d0-0c97d0663842: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'IAM role policy that allow full administrative privileges (for all - resources) ' - group: cloud-insecure-iam - name: b1ffa705-19a3-4b73-b9d0-0c97d0663842 - pretty_name: IAM Role With Full Privileges - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role - b2315cae-b110-4426-81e0-80bb8640cdd3: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'AWS Athena Database data in S3 should be encrypted ' - group: top10-crypto-failures - name: b2315cae-b110-4426-81e0-80bb8640cdd3 - pretty_name: Athena Database Not Encrypted - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/athena_database#encryption_configuration - b23e9b98-0cb6-4fc9-b257-1f3270442678: - categories: - - ALL - - boost-baseline - description: 'Deployments should be assigned with a PodDisruptionBudget to ensure - high availability ' - group: top10-insecure-design - name: b23e9b98-0cb6-4fc9-b257-1f3270442678 - pretty_name: Deployment Without PodDisruptionBudget - recommended: true - ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/ - b2418936-cd47-4ea2-8346-623c0bdb87bd: - categories: - - ALL - - boost-baseline - description: 'Azure Container Service (AKS) instance should have role-based access - control (RBAC) enabled ' - group: cloud-insecure-iam - name: b2418936-cd47-4ea2-8346-623c0bdb87bd - pretty_name: AKS RBAC Disabled - recommended: true - ref: https://doc.crds.dev/github.com/crossplane/provider-azure/compute.azure.crossplane.io/AKSCluster/v1alpha3@v0.19.0#spec-disableRBAC - b2468463-3ac4-4930-890c-f35b2bf4485d: - categories: - - ALL - - boost-baseline - description: All path should be unique, if has more than one operation, 
all operations - should be part of same Path Object - group: top10-insecure-design - name: b2468463-3ac4-4930-890c-f35b2bf4485d - pretty_name: Path Is Ambiguous (v2) - recommended: true - ref: https://swagger.io/specification/v2/#pathItemObject - b25398a2-0625-4e61-8e4d-a1bb23905bf6: - categories: - - ALL - - boost-baseline - description: 'Content Delivery Network (CDN) service is used within an AWS account - to secure and accelerate the delivery of websites. The use of a CDN can provide - a layer of security between your origin content and the destination. ' - group: top10-insecure-design - name: b25398a2-0625-4e61-8e4d-a1bb23905bf6 - pretty_name: CDN Configuration Is Missing - recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/community/aws/cloudfront_distribution_module.html - b26d2b7e-60f6-413d-a3a1-a57db24aa2b3: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'SNS Topic Policy should not allow any principal to access ' - group: cloud-insecure-iam - name: b26d2b7e-60f6-413d-a3a1-a57db24aa2b3 - pretty_name: SNS Topic is Publicly Accessible - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic - b28bcd2f-c309-490e-ab7c-35fc4023eb26: - categories: - - ALL - - boost-baseline - description: 'This query confirms if Google Compute SSL Policy Weak Chyper Suits - is Enabled, to do so we need to check if TLS is TLS_1_2, because other version - have Weak Chypers ' - group: top10-crypto-failures - name: b28bcd2f-c309-490e-ab7c-35fc4023eb26 - pretty_name: Google Compute SSL Policy Weak Cipher In Use - recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_compute_ssl_policy_module.html - b2d9dbf6-539c-4374-a1fd-210ddf5563a8: - categories: - - ALL - - boost-baseline - description: 'Global External Documentation URL should be a valid URL ' - group: top10-insecure-design - name: b2d9dbf6-539c-4374-a1fd-210ddf5563a8 - 
pretty_name: Invalid Global External Documentation URL (v3) - recommended: true - ref: https://swagger.io/specification/#external-documentation-object - b2e8752c-3497-4255-98d2-e4ae5b46bbf5: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'S3 Buckets should have server-side encryption at rest enabled to - protect sensitive data ' - group: top10-crypto-failures - name: b2e8752c-3497-4255-98d2-e4ae5b46bbf5 - pretty_name: S3 Bucket Without Server-side-encryption - recommended: true - ref: https://docs.aws.amazon.com/AmazonS3/latest/user-guide/default-bucket-encryption.html - b2f275be-7d64-4064-b418-be6b431363a7: - categories: - - ALL - - boost-baseline - description: 'Get should define at least one success response (200 or 202) ' - group: cloud-resources-public-access - name: b2f275be-7d64-4064-b418-be6b431363a7 - pretty_name: Success Response Code Undefined for Get Operation (v3) - recommended: true - ref: https://swagger.io/specification/#operation-object - b2fbf1df-76dd-4d78-a6c0-e538f4a9b016: - categories: - - ALL - - boost-baseline - description: 'Google Firewall should not allow SSH access (port 22) from the Internet - (public CIDR block) to ensure the principle of least privileges ' - group: cloud-resources-public-access - name: b2fbf1df-76dd-4d78-a6c0-e538f4a9b016 - pretty_name: SSH Access Is Not Restricted - recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_compute_firewall_module.html - b30981fa-a12e-49c7-a5bb-eeafb61d0f0f: - categories: - - ALL - - boost-baseline - description: 'All global parameters definitions should be in use ' - group: top10-insecure-design - name: b30981fa-a12e-49c7-a5bb-eeafb61d0f0f - pretty_name: Global Parameter Definition Not Being Used - recommended: true - ref: https://swagger.io/specification/v2/#parametersDefinitionsObject - b3871dd8-9333-4d6c-bd52-67eb898b71ab: - categories: - - ALL - - boost-baseline - description: 'Response Object reference must always 
point to ''#/components/responses'' ' - group: top10-insecure-design - name: b3871dd8-9333-4d6c-bd52-67eb898b71ab - pretty_name: Response Object With Incorrect Ref (v3) - recommended: true - ref: https://swagger.io/specification/#responses-object - b3a41501-f712-4c4f-81e5-db9a7dc0e34e: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'VPC Peering Route Table should restrict CIDR ' - group: cloud-resources-public-access - name: b3a41501-f712-4c4f-81e5-db9a7dc0e34e - pretty_name: VPC Peering Route Table with Unrestricted CIDR - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route - b3a59b8e-94a3-403e-b6e2-527abaf12034: - categories: - - ALL - - boost-baseline - description: 'API Gateway Deployment should have API Gateway UsagePlan defined - and associated. ' - group: top10-security-logging-monitoring-failures - name: b3a59b8e-94a3-403e-b6e2-527abaf12034 - pretty_name: API Gateway Deployment Without API Gateway UsagePlan Associated - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_deployment - b3de4e4c-14be-4159-b99d-9ad194365e4c: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'EC2 Instance Subnet should not have MapPublicIpOnLaunch set to true ' - group: cloud-resources-public-access - name: b3de4e4c-14be-4159-b99d-9ad194365e4c - pretty_name: EC2 Instance Subnet Has Public IP Mapping On Launch - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-subnet.html#cfn-ec2-subnet-mappubliciponlaunch - b4378389-a9aa-44ee-91e7-ef183f11079e: - categories: - - ALL - - boost-baseline - description: 'IAM policies should be attached only to groups or roles ' - group: cloud-insecure-iam - name: b4378389-a9aa-44ee-91e7-ef183f11079e - pretty_name: IAM Policies Attached To User - recommended: true - ref: 
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy_attachment - b47b98ab-e481-4a82-8bb1-1ab39fd36e33: - categories: - - ALL - - boost-baseline - description: 'SSL Client Certificate should be enabled ' - group: cloud-weak-configuration - name: b47b98ab-e481-4a82-8bb1-1ab39fd36e33 - pretty_name: API Gateway Without SSL Certificate - recommended: true - ref: https://docs.ansible.com/ansible/2.8/modules/aws_api_gateway_module.html - b4803607-ed72-4d60-99e2-3fa6edf471c6: - categories: - - ALL - - boost-baseline - description: 'The ''basePath'' value format must match the pattern ''^/'' ' - group: top10-insecure-design - name: b4803607-ed72-4d60-99e2-3fa6edf471c6 - pretty_name: BasePath With Wrong Format - recommended: true - ref: https://swagger.io/specification/v2/#schema - b481d46c-9c61-480f-86d9-af07146dc4a4: - categories: - - ALL - - boost-baseline - description: 'The discriminator property in the Schema Object should be a required - property ' - group: top10-insecure-design - name: b481d46c-9c61-480f-86d9-af07146dc4a4 - pretty_name: Schema Discriminator Not Required (v3) - recommended: true - ref: https://swagger.io/specification/#schema-object - b4a7d925-738b-4219-99d9-87d6ee262a03: - categories: - - ALL - - boost-baseline - description: Tag External Documentation URL should be a valid URL - group: top10-insecure-design - name: b4a7d925-738b-4219-99d9-87d6ee262a03 - pretty_name: Invalid Tag External Documentation URL (v2) - recommended: true - ref: https://swagger.io/specification/v2/#externalDocumentationObject - b4cc2c52-34a6-4b43-b57c-4bdeb4514a5a: - categories: - - ALL - - boost-baseline - description: 'Virtual Network should have DDoS Protection Plan enabled ' - group: top10-insecure-design - name: b4cc2c52-34a6-4b43-b57c-4bdeb4514a5a - pretty_name: Virtual Network with DDoS Protection Plan disabled - recommended: true - ref: 
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/virtual_network#ddos_protection_plan - b4d9c12b-bfba-4aeb-9cb8-2358546d8041: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'CloudFront web distributions should use custom (and not default) - SSL certificates. Custom SSL certificates allow only defined users to access - content by using an alternate domain name instead of the default one. ' - group: cloud-weak-configuration - name: b4d9c12b-bfba-4aeb-9cb8-2358546d8041 - pretty_name: Vulnerable Default SSL Certificate - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cloudfront-distribution.html - b4f65d13-a609-4dc1-af7c-63d2e08bffe9: - categories: - - ALL - - boost-baseline - description: 'Google Container Node Pool Auto Repair should be enabled. This service - periodically checks for failing nodes and repairs them to ensure a smooth running - state. ' - group: cloud-weak-configuration - name: b4f65d13-a609-4dc1-af7c-63d2e08bffe9 - pretty_name: Google Container Node Pool Auto Repair Disabled - recommended: true - ref: https://doc.crds.dev/github.com/crossplane/provider-gcp/container.gcp.crossplane.io/NodePool/v1beta1@v0.21.0#spec-forProvider-management-autoRepair - b5102ea9-6527-4bb7-94fc-9b4076150e55: - categories: - - ALL - - boost-baseline - description: Property defining minimum has greater value than maximum defined - group: top10-insecure-design - name: b5102ea9-6527-4bb7-94fc-9b4076150e55 - pretty_name: Property Defining Minimum Greater Than Maximum (v2) - recommended: true - ref: https://swagger.io/specification/v2/#schemaObject - b5681959-6c09-4f55-b42b-c40fa12d03ec: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Check if the root user is authenticated with MFA ' - group: cloud-weak-configuration - name: b5681959-6c09-4f55-b42b-c40fa12d03ec - pretty_name: IAM User Policy Without MFA - recommended: true - ref: 
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_configure-api-require.html - b592ffd4-0577-44b6-bd35-8c5ee81b5918: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'IAM password policies should be set through the password minimum - length and reset password attributes ' - group: cloud-weak-configuration - name: b592ffd4-0577-44b6-bd35-8c5ee81b5918 - pretty_name: No Password Policy Enabled - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_login_profile - b5c851d5-00f1-43dc-a8de-3218fd6f71be: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Resources of type ''Microsoft.Web/sites'' should define ''properties.siteConfig.minTlsVersion'' - with ''1.2'' ' - group: top10-crypto-failures - name: b5c851d5-00f1-43dc-a8de-3218fd6f71be - pretty_name: Web App Not Using TLS Last Version - recommended: true - ref: https://docs.microsoft.com/en-us/azure/templates/microsoft.web/sites?tabs=json#siteconfig-object - b5d6a2e0-8f15-4664-bd5b-68ec5c9bab83: - categories: - - ALL - description: 'A list of S3 resources found. Amazon Simple Storage Service (Amazon - S3) is an object storage service that offers industry-leading scalability, data - availability, security, and performance. ' - group: supply-chain-missing-artifact-integrity-verification - name: b5d6a2e0-8f15-4664-bd5b-68ec5c9bab83 - pretty_name: BOM - AWS S3 Buckets - ref: https://kics.io/ - b5ed026d-a772-4f07-97f9-664ba0b116f8: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'IAM policy should not grant full permissions to resources from the - get-go, instead of granting permissions gradually as necessary. 
' - group: cloud-insecure-iam - name: b5ed026d-a772-4f07-97f9-664ba0b116f8 - pretty_name: IAM Policy Grants Full Permissions - recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/community/aws/iam_managed_policy_module.html - b61cce4b-0cc4-472b-8096-15617a6d769b: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Azure App Service should have managed identity enabled ' - group: cloud-insecure-iam - name: b61cce4b-0cc4-472b-8096-15617a6d769b - pretty_name: App Service Managed Identity Disabled - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/app_service#identity - b69247e5-7e73-464e-ba74-ec9b715c6e12: - categories: - - ALL - - boost-baseline - description: 'User with privilege escalation by actions ''lambda:UpdateFunctionCode'' - and Resource set to ''*''. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. ' - group: cloud-insecure-iam - name: b69247e5-7e73-464e-ba74-ec9b715c6e12 - pretty_name: User With Privilege Escalation By Actions 'lambda:UpdateFunctionCode' - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy#policy - b6a7e0ae-aed8-4a19-a993-a95760bf8836: - categories: - - ALL - - boost-baseline - description: 'AWS DynamoDB Tables should have serverSideEncryption enabled ' - group: top10-crypto-failures - name: b6a7e0ae-aed8-4a19-a993-a95760bf8836 - pretty_name: DynamoDB Table Not Encrypted - recommended: true - ref: https://www.pulumi.com/registry/packages/aws/api-docs/dynamodb/table/#serversideencryption_yaml - b7063015-6c31-4658-a8e7-14f98f37fd42: - categories: - - ALL - - boost-baseline - description: 'EBS Volume should specify a KmsKeyId value ' - group: cloud-weak-secrets-management - name: b7063015-6c31-4658-a8e7-14f98f37fd42 - pretty_name: EBS Volume Without KmsKeyId - recommended: true - ref: 
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-ebs-volume.html - b72d0026-f649-4c91-a9ea-15d8f681ac09: - categories: - - ALL - - boost-baseline - description: 'AWS CloudFormation should have stack notifications enabled to be - notified when an event occurs ' - group: top10-security-logging-monitoring-failures - name: b72d0026-f649-4c91-a9ea-15d8f681ac09 - pretty_name: Stack Notifications Disabled - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudformation_stack - b7652612-de4e-4466-a0bf-1cd81f0c6063: - categories: - - ALL - - boost-baseline - description: 'Containers can mount sensitive folders from the hosts, giving them - potentially dangerous access to critical host configurations and binaries. ' - group: cloud-insecure-iam - name: b7652612-de4e-4466-a0bf-1cd81f0c6063 - pretty_name: Volume Mount With OS Directory Write Permissions - recommended: true - ref: https://kubernetes.io/docs/concepts/storage/volumes/ - b7b9d1c7-2d3b-49b4-b867-ebbe68d0b643: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Ensure App Service is using the latest version of TLS encryption ' - group: top10-crypto-failures - name: b7b9d1c7-2d3b-49b4-b867-ebbe68d0b643 - pretty_name: App Service Not Using Latest TLS Encryption Version - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/app_service#min_tls_version - b7bca5c4-1dab-4c2c-8cbe-3050b9d59b14: - categories: - - ALL - - boost-baseline - description: 'Roles and ClusterRoles with get/watch/list RBAC permissions on Kubernetes - secrets are dangerous and should be avoided. 
In case of compromise, attackers - could abuse these roles to access sensitive data, such as passwords, tokens - and keys ' - group: cloud-insecure-iam - name: b7bca5c4-1dab-4c2c-8cbe-3050b9d59b14 - pretty_name: RBAC Roles with Read Secrets Permissions - recommended: true - ref: https://kubernetes.io/docs/reference/access-authn-authz/rbac/ - b7c9a40c-23e4-4a2d-8d39-a3352f10f288: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'API Gateway Method Settings Cache should be encrypted ' - group: top10-crypto-failures - name: b7c9a40c-23e4-4a2d-8d39-a3352f10f288 - pretty_name: API Gateway Method Settings Cache Not Encrypted - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_method_settings#cache_data_encrypted - b7d0181d-0a9b-4611-9d1c-1ad4f0b620ff: - categories: - - ALL - - boost-baseline - description: 'When using etcd commands, the ''--peer-client-cert-auth'' flag should - be set to true ' - group: cloud-weak-secrets-management - name: b7d0181d-0a9b-4611-9d1c-1ad4f0b620ff - pretty_name: Etcd Peer Client Certificate Authentication Set To False - recommended: true - ref: https://etcd.io/docs/v3.4/op-guide/security/ - b80b14c6-aaa2-4876-b651-8a48b6c32fbf: - categories: - - ALL - - boost-baseline - description: 'Check if any network policy is not targeting any pod. ' - group: cloud-resources-public-access - name: b80b14c6-aaa2-4876-b651-8a48b6c32fbf - pretty_name: Network Policy Is Not Targeting Any Pod - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy#match_labels - b84a0b47-2e99-4c9f-8933-98bcabe2b94d: - categories: - - ALL - - boost-baseline - description: 'apt is discouraged by the linux distributions as an unattended tool - as its interface may suffer changes between versions. 
Better use the more stable - apt-get and apt-cache ' - group: supply-chain-scm-weak-configuration - name: b84a0b47-2e99-4c9f-8933-98bcabe2b94d - pretty_name: Run Using apt - recommended: true - ref: https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#run - b86987e1-6397-4619-81d5-8807f2387c79: - categories: - - ALL - - boost-baseline - description: 'Ensure that we are using JSON in the CMD and ENTRYPOINT Arguments ' - group: supply-chain-cicd-weak-configuration - name: b86987e1-6397-4619-81d5-8807f2387c79 - pretty_name: Not Using JSON In CMD And ENTRYPOINT Arguments - recommended: true - ref: https://docs.docker.com/engine/reference/builder/#entrypoint - b897dfbf-322c-45a8-b67c-1e698beeaa51: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Admin user is enabled for Container Registry ' - group: cloud-insecure-iam - name: b897dfbf-322c-45a8-b67c-1e698beeaa51 - pretty_name: Admin User Enabled For Container Registry - recommended: true - ref: https://www.terraform.io/docs/providers/azurerm/r/container_registry.html - b8a31292-509d-4b61-bc40-13b167db7e9c: - categories: - - ALL - - boost-baseline - description: 'Role with privilege escalation by actions ''iam:AddUserToGroup'' - and Resource set to ''*''. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. 
' - group: cloud-insecure-iam - name: b8a31292-509d-4b61-bc40-13b167db7e9c - pretty_name: Role With Privilege Escalation By Actions 'iam:AddUserToGroup' - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy#policy - b8a9852c-9943-4973-b8d5-77dae9352851: - categories: - - ALL - - boost-baseline - description: 'Amazon Elastic Filesystem should have filesystem tags associated ' - group: supply-chain-cicd-weak-configuration - name: b8a9852c-9943-4973-b8d5-77dae9352851 - pretty_name: EFS Without Tags - recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/community/aws/efs_module.html - b90033cf-ad9f-4fb9-acd1-1b9d6d278c87: - categories: - - ALL - - boost-baseline - description: 'Only one body parameter is allowed on operation''s parameters type - field ' - group: top10-insecure-design - name: b90033cf-ad9f-4fb9-acd1-1b9d6d278c87 - pretty_name: Multiple Body Parameters In The Same Operation - recommended: true - ref: https://swagger.io/specification/v2/#parameterObject - b9033580-6886-401a-8631-5f19f5bb24c7: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'AWS Workspaces Workspace data stored in volumes should be encrypted ' - group: top10-crypto-failures - name: b9033580-6886-401a-8631-5f19f5bb24c7 - pretty_name: Workspaces Workspace Volume Not Encrypted - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/workspaces_workspace#root_volume_encryption_enabled - b90842e5-6779-44d4-9760-972f4c03ba1c: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Check if enable field in the resource azurerm_network_watcher_flow_log - is false. 
' - group: cloud-weak-configuration - name: b90842e5-6779-44d4-9760-972f4c03ba1c - pretty_name: Network Watcher Flow Disabled - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_watcher_flow_log - b9380fd3-5ffe-4d10-9290-13e18e71eee1: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'When using kube-apiserver command, the ''--insecure-bind-address'' - flag should not be set ' - group: cloud-resources-public-access - name: b9380fd3-5ffe-4d10-9290-13e18e71eee1 - pretty_name: Insecure Bind Address Set - recommended: true - ref: https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/ - b947809d-dd2f-4de9-b724-04d101c515aa: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Redis Cache is not configured to be updated regularly with security - and operational updates ' - group: cloud-weak-configuration - name: b947809d-dd2f-4de9-b724-04d101c515aa - pretty_name: Redis Not Updated Regularly - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/redis_cache#patch_schedule - b9b7ada8-3868-4a35-854e-6100a2bb863d: - categories: - - ALL - - boost-baseline - description: 'Kubernetes Cluster should have Terway as CNI Network Plugin to configure - network policies ' - group: cloud-resources-public-access - name: b9b7ada8-3868-4a35-854e-6100a2bb863d - pretty_name: Kubernetes Cluster Without Terway as CNI Network Plugin - recommended: true - ref: https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/cs_kubernetes#cluster_network_type - b9c524a4-fe76-4021-a6a2-cb978fb4fde1: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'All RDS Instance events trackers should be ''true'' ' - group: top10-security-logging-monitoring-failures - name: b9c524a4-fe76-4021-a6a2-cb978fb4fde1 - pretty_name: RDS Instance Events Not Logged - recommended: true - ref: 
https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/log_audit - b9c83569-459b-4110-8f79-6305aa33cb37: - categories: - - ALL - - boost-baseline - description: 'Kubernetes External Secret Storage and Management System usage should - be considered if you have more complex secret management needs, rather than - using Kubernetes Secrets directly. Additionally, ensure that access to secrets - is carefully limited ' - group: cloud-weak-secrets-management - name: b9c83569-459b-4110-8f79-6305aa33cb37 - pretty_name: Using Kubernetes Native Secret Management - recommended: true - ref: https://kubernetes.io/docs/concepts/configuration/secret/ - b9db8a10-020c-49ca-88c6-780e5fdb4328: - categories: - - ALL - - boost-baseline - description: 'Link object reference must always point to ''#/components/links'' ' - group: top10-insecure-design - name: b9db8a10-020c-49ca-88c6-780e5fdb4328 - pretty_name: Link Object Incorrect Ref - recommended: true - ref: https://swagger.io/specification/#link-object - ba066cda-e808-450d-92b6-f29109754d45: - categories: - - ALL - - boost-baseline - description: 'Callback Object reference must always point to ''#/components/callbacks'' ' - group: top10-insecure-design - name: ba066cda-e808-450d-92b6-f29109754d45 - pretty_name: Callback Object With Incorrect Ref - recommended: true - ref: https://swagger.io/specification/#callback-object - ba239cb9-f342-4c20-812d-7b5a2aa6969e: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'If the security scheme is not of type ''oauth2'', the array value - must be empty ' - group: top10-insecure-design - name: ba239cb9-f342-4c20-812d-7b5a2aa6969e - pretty_name: Non OAuth2 Security Requirement Defining OAuth2 Scopes - recommended: true - ref: https://swagger.io/specification/v2/#securityRequirementObject - ba40ace1-a047-483c-8a8d-bc2d3a67a82d: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'EKS node group remote access is disabled when 
''SourceSecurityGroups'' - is missing ' - group: cloud-resources-public-access - name: ba40ace1-a047-483c-8a8d-bc2d3a67a82d - pretty_name: EKS node group remote access disabled - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_node_group#remote_access - ba48df05-eaa1-4d64-905e-4a4b051e7587: - categories: - - ALL - - boost-baseline - description: 'Autoscaling groups should supply tags to configurate ' - group: top10-insecure-design - name: ba48df05-eaa1-4d64-905e-4a4b051e7587 - pretty_name: Autoscaling Groups Supply Tags - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/autoscaling_group#tag-and-tags - ba4e0031-3e9d-4d7d-b0d6-bd8f003f8698: - categories: - - ALL - - boost-baseline - description: 'Limits access to AWS AMIs by checking if more than one account is - using the same image ' - group: cloud-insecure-iam - name: ba4e0031-3e9d-4d7d-b0d6-bd8f003f8698 - pretty_name: AMI Shared With Multiple Accounts - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ami_launch_permission - ba766c53-fe71-4bbb-be35-b6803f2ef13e: - categories: - - ALL - - boost-baseline - description: 'ElastiCache should be launched in a Virtual Private Cloud (VPC) ' - group: cloud-resources-public-access - name: ba766c53-fe71-4bbb-be35-b6803f2ef13e - pretty_name: ElastiCache Without VPC - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-elasticache-cache-cluster.html#cfn-elasticache-cachecluster-cachesubnetgroupname - baa3890f-bed7-46f5-ab8f-1da8fc91c729: - categories: - - ALL - - boost-baseline - description: 'Container should not share the host IPC namespace ' - group: cloud-insecure-iam - name: baa3890f-bed7-46f5-ab8f-1da8fc91c729 - pretty_name: Shared Host IPC Namespace - recommended: true - ref: 
https://docs.docker.com/compose/compose-file/compose-file-v3/#domainname-hostname-ipc-mac_address-privileged-read_only-shm_size-stdin_open-tty-user-working_dir - baa452f0-1f21-4a25-ace5-844e7a5f410d: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Volume mounts should not be shared, which means that ''propagation'' - should not be set to ''shared'', ''rshared'', ''slave'', or ''rslave'' ' - group: supply-chain-cicd-weak-configuration - name: baa452f0-1f21-4a25-ace5-844e7a5f410d - pretty_name: Volume Mounted In Multiple Containers - recommended: true - ref: https://docs.docker.com/compose/compose-file/compose-file-v3/#volumes - baade968-7467-41e4-bf22-83ca222f5800: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Security object for operations should not be empty object or has - any empty object definition ' - group: cloud-insecure-iam - name: baade968-7467-41e4-bf22-83ca222f5800 - pretty_name: Security Field On Operations Has An Empty Object Definition (v3) - recommended: true - ref: https://swagger.io/specification/#operation-object - babdedcf-d859-43da-9a7b-6d72e661a8fd: - categories: - - ALL - - boost-baseline - description: 'IAM role allows all services or principals to assume it ' - group: cloud-insecure-iam - name: babdedcf-d859-43da-9a7b-6d72e661a8fd - pretty_name: IAM Role Allows All Principals To Assume - recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/community/aws/iam_managed_policy_module.html - bac56e3c-1f71-4a74-8ae6-2fba07efcddb: - categories: - - ALL - - boost-baseline - description: 'Reference to examples should point to #/components/examples ' - group: top10-insecure-design - name: bac56e3c-1f71-4a74-8ae6-2fba07efcddb - pretty_name: Example JSON Reference Outside Components Examples - recommended: true - ref: https://swagger.io/specification/#reference-object - baecd2da-492a-4d59-b9dc-29540a1398e0: - categories: - - ALL - description: 'A list of SQS resources 
specified. Amazon Simple Queue Service (SQS) - is a fully managed message queuing service that enables you to decouple and - scale microservices, distributed systems, and serverless applications. ' - group: supply-chain-missing-artifact-integrity-verification - name: baecd2da-492a-4d59-b9dc-29540a1398e0 - pretty_name: BOM - AWS SQS - ref: https://kics.io/ - bb0db090-5509-4853-a827-75ced0b3caa0: - categories: - - ALL - - boost-baseline - description: 'Google Storage Bucket Level Access should be enabled ' - group: cloud-weak-configuration - name: bb0db090-5509-4853-a827-75ced0b3caa0 - pretty_name: Google Storage Bucket Level Access Disabled - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/storage_bucket - bb241e61-77c3-4b97-9575-c0f8a1e008d0: - categories: - - ALL - - boost-baseline - description: 'StatefulSets should have an existing headless ''serviceName''. The - headless service labels should also be implemented on StatefulSets labels. ' - group: top10-insecure-design - name: bb241e61-77c3-4b97-9575-c0f8a1e008d0 - pretty_name: StatefulSet Without Service Name - recommended: true - ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/ - bb9ac4f7-e13b-423d-a010-c74a1bfbe492: - categories: - - ALL - - boost-baseline - description: 'Memory limits should be defined for each container. 
This prevents - potential resource exhaustion by ensuring that containers consume not more than - the designated amount of memory ' - group: cloud-insecure-iam - name: bb9ac4f7-e13b-423d-a010-c74a1bfbe492 - pretty_name: Memory Not Limited - recommended: true - ref: https://docs.docker.com/compose/compose-file/compose-file-v3/#resources - bbc7c137-6c7b-4fc4-984a-0c88e91fcaf9: - categories: - - ALL - - boost-baseline - description: 'IAM Password should have at least one lowercase letter ' - group: top10-insecure-design - name: bbc7c137-6c7b-4fc4-984a-0c88e91fcaf9 - pretty_name: IAM Password Without Lowercase Letter - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_account_password_policy - bbe3dd3d-fea9-4b68-a785-cfabe2bbbc54: - categories: - - ALL - - boost-baseline - description: 'All policies, except IAM identity-based policies, should have the - ''Principal'' element defined ' - group: cloud-insecure-iam - name: bbe3dd3d-fea9-4b68-a785-cfabe2bbbc54 - pretty_name: Policy Without Principal - recommended: true - ref: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html - bbf6b3df-4b65-4f87-82cc-da9f30f8c033: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'No Network Security Group is attached to the Virtual Machine ' - group: cloud-weak-configuration - name: bbf6b3df-4b65-4f87-82cc-da9f30f8c033 - pretty_name: VM Not Attached To Network - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/virtual_machine#network_interface_ids - bbfc97ab-e92a-4a7b-954c-e88cec815011: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Kubernetes Engine Clusters must have Stackdriver Monitoring enabled, - which means the attribute ''monitoringService'' must be defined and different - than ''none'' ' - group: top10-security-logging-monitoring-failures - name: 
bbfc97ab-e92a-4a7b-954c-e88cec815011 - pretty_name: Stackdriver Monitoring Disabled - recommended: true - ref: https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1/projects.zones.clusters - bc1f9009-84a0-490f-ae09-3e0ea6d74ad6: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'AWS DOCDB Cluster storage should be encrypted ' - group: top10-crypto-failures - name: bc1f9009-84a0-490f-ae09-3e0ea6d74ad6 - pretty_name: DOCDB Cluster Not Encrypted - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/docdb_cluster#storage_encrypted - bc20bbc6-0697-4568-9a73-85af1dd97bdd: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'A VM instance is configured to use the default service account with - full access to all Cloud APIs ' - group: cloud-insecure-iam - name: bc20bbc6-0697-4568-9a73-85af1dd97bdd - pretty_name: VM With Full Cloud Access - recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_compute_instance_module.html#parameter-service_accounts/scopes - bc280331-27b9-4acb-a010-018e8098aa5d: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'A VM instance is configured to use the default service account with - full access to all Cloud APIs ' - group: cloud-insecure-iam - name: bc280331-27b9-4acb-a010-018e8098aa5d - pretty_name: VM With Full Cloud Access - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_instance#scopes - bc2908f3-f73c-40a9-8793-c1b7d5544f79: - categories: - - ALL - - boost-baseline - description: 'Privileged ports (1 to 1023) should not be mapped. Also you should - drop net_bind_service linux capability from the container unless you absolutely - need to use priviledged ports. 
' - group: cloud-resources-public-access - name: bc2908f3-f73c-40a9-8793-c1b7d5544f79 - pretty_name: Privileged Ports Mapped In Container - recommended: true - ref: https://docs.docker.com/compose/compose-file/compose-file-v3/#cap_add-cap_drop - bc3dabb6-fd50-40f8-b9ba-7429c9f1fb0e: - categories: - - ALL - - boost-baseline - description: 'Check if any label in the metadata is invalid. ' - group: top10-insecure-design - name: bc3dabb6-fd50-40f8-b9ba-7429c9f1fb0e - pretty_name: Metadata Label Is Invalid - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#labels - bc75ce52-a60a-4660-b533-bce837a5019b: - categories: - - ALL - description: 'A list of Redis Instance resources found. Memorystore for Redis - is a fully managed Redis service for Google Cloud. Applications running on Google - Cloud can achieve extreme performance by leveraging the highly scalable, available, - secure Redis service without the burden of managing complex Redis deployments. ' - group: supply-chain-missing-artifact-integrity-verification - name: bc75ce52-a60a-4660-b533-bce837a5019b - pretty_name: BOM - GCP Redis - ref: https://kics.io/ - bca7cc4d-b3a4-4345-9461-eb69c68fcd26: - categories: - - ALL - - boost-baseline - description: 'RDS should not use the default port (an attacker can easily guess - the port). For engines related to Aurora, MariaDB or MySQL, the default port - is 3306. PostgreSQL default port is 5432, Oracle default port is 1521 and SQL - Server default port is 1433 ' - group: cloud-resources-public-access - name: bca7cc4d-b3a4-4345-9461-eb69c68fcd26 - pretty_name: RDS Using Default Port - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance#port - bccb296f-362c-4b05-9221-86d1437a1016: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Amazon DMS is publicly accessible, therefore exposing possible sensitive - information. 
To prevent such a scenario, update the attribute ''PubliclyAccessible'' - to false. ' - group: cloud-insecure-iam - name: bccb296f-362c-4b05-9221-86d1437a1016 - pretty_name: Amazon DMS Replication Instance Is Publicly Accessible - recommended: true - ref: https://www.pulumi.com/registry/packages/aws/api-docs/dms/replicationinstance/ - bccfa089-89e4-47e0-a0e5-185fe6902220: - categories: - - ALL - - boost-baseline - description: 'Response Object reference must always point to ''#/responses'' ' - group: top10-insecure-design - name: bccfa089-89e4-47e0-a0e5-185fe6902220 - pretty_name: Response Object With Incorrect Ref (v2) - recommended: true - ref: https://swagger.io/specification/v2/#responses-object - bcd3fc01-5902-4f2a-b05a-227f9bbf5450: - categories: - - ALL - - boost-baseline - description: 'Azure SQL Server must avoid using predictable Active Directory Administrator - Account names, like ''Admin'', which means the attribute ''login'' must be set - to a name that is not easy to predict ' - group: top10-insecure-design - name: bcd3fc01-5902-4f2a-b05a-227f9bbf5450 - pretty_name: SQL Server Predictable Active Directory Account Name - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/sql_active_directory_administrator - bcdcbdc6-a350-4855-ae7c-d1e6436f7c97: - categories: - - ALL - - boost-baseline - description: 'IAM Policy should not grant ''AssumeRole'' permission across all - services. 
' - group: cloud-insecure-iam - name: bcdcbdc6-a350-4855-ae7c-d1e6436f7c97 - pretty_name: IAM Policy Grants 'AssumeRole' Permission Across All Services - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role - bd0088a5-c133-4b20-b129-ec9968b16ef3: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'CloudTrail Log Files S3 Bucket should not be publicly accessible ' - group: top10-security-logging-monitoring-failures - name: bd0088a5-c133-4b20-b129-ec9968b16ef3 - pretty_name: CloudTrail Log Files S3 Bucket is Publicly Accessible - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudtrail#s3_bucket_name - bd2cbef5-62c4-40f1-af07-4b7f9ced6616: - categories: - - ALL - - boost-baseline - description: Parameter Objects should not have duplicate names for 'header' location, - since HTTP headers are not case sensitive. - group: top10-insecure-design - name: bd2cbef5-62c4-40f1-af07-4b7f9ced6616 - pretty_name: Parameter Objects Headers With Duplicated Name (v2) - recommended: true - ref: https://swagger.io/specification/v2/#parameterObject - bd6bd46c-57db-4887-956d-d372f21291b6: - categories: - - ALL - - boost-baseline - description: 'Containers should be configured with AppArmor for any application - to reduce its potential attack ' - group: cloud-insecure-iam - name: bd6bd46c-57db-4887-956d-d372f21291b6 - pretty_name: Missing App Armor Config - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#annotations - bd77554e-f138-40c5-91b2-2a09f878608e: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Amazon Elastic Filesystem should have filesystem encryption enabled - using KMS CMK customer-managed keys instead of AWS managed-keys ' - group: top10-crypto-failures - name: bd77554e-f138-40c5-91b2-2a09f878608e - pretty_name: EFS Without KMS - recommended: true - 
ref: https://docs.ansible.com/ansible/latest/collections/community/aws/efs_module.html#parameter-kms_key_id - bdecd6db-2600-47dd-a10c-72c97cf17ae9: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Amazon Elastic Filesystem should have filesystem encryption enabled - using KMS CMK customer-managed keys instead of AWS managed-keys ' - group: top10-crypto-failures - name: bdecd6db-2600-47dd-a10c-72c97cf17ae9 - pretty_name: EFS Without KMS - recommended: true - ref: https://doc.crds.dev/github.com/crossplane/provider-aws/efs.aws.crossplane.io/FileSystem/v1alpha1@v0.29.0#spec-forProvider-kmsKeyID - bdf8dcb4-75df-4370-92c4-606e4ae6c4d3: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'AWS Redshift Clusters must not be publicly accessible, which means - the attribute ''PubliclyAccessible'' must be set to false ' - group: cloud-weak-configuration - name: bdf8dcb4-75df-4370-92c4-606e4ae6c4d3 - pretty_name: Redshift Publicly Accessible - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-redshift-cluster.html - be0e0df7-f3d9-42a1-9b6f-d425f94872c4: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Schema array items type should be defined ' - group: cloud-weak-configuration - name: be0e0df7-f3d9-42a1-9b6f-d425f94872c4 - pretty_name: Array Items Has No Type (v3) - recommended: true - ref: https://swagger.io/docs/specification/data-models/data-types/#string - be1d8733-3731-40c7-a845-734741c6871d: - categories: - - ALL - - boost-baseline - description: 'There is a constraining keyword in a property which is already restricted - by enum values ' - group: top10-insecure-design - name: be1d8733-3731-40c7-a845-734741c6871d - pretty_name: Constraining Enum Property - recommended: true - ref: https://swagger.io/specification/v2/#schemaObject - be2aa235-bd93-4b68-978a-1cc65d49082f: - categories: - - ALL - - boost-baseline - description: 'Role with privilege 
escalation by actions ''cloudformation:CreateStack'' - and ''iam:PassRole'' and Resource set to ''*''. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. ' - group: cloud-insecure-iam - name: be2aa235-bd93-4b68-978a-1cc65d49082f - pretty_name: Role With Privilege Escalation By Actions 'cloudformation:CreateStack' - And 'iam:PassRole' - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy#policy - be3e170e-1572-461e-a8b6-d963def581ec: - categories: - - ALL - - boost-baseline - description: 'Operation Object should have ''produces'' feild defined for ''GET''operation ' - group: cloud-weak-configuration - name: be3e170e-1572-461e-a8b6-d963def581ec - pretty_name: Operation Object Without 'produces' - recommended: true - ref: https://swagger.io/specification/v2/#operation-object - be41f891-96b1-4b9d-b74f-b922a918c778: - categories: - - ALL - - boost-baseline - description: 'The node image should be Container-Optimized OS(COS) ' - group: cloud-weak-configuration - name: be41f891-96b1-4b9d-b74f-b922a918c778 - pretty_name: COS Node Image Not Used - recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_container_node_pool_module.html#parameter-config/image_type - be5b230d-4371-4a28-a441-85dc760e2aa3: - categories: - - ALL - - boost-baseline - description: 'IoT Policy should not allow Resource to be set as * ' - group: cloud-insecure-iam - name: be5b230d-4371-4a28-a441-85dc760e2aa3 - pretty_name: IoT Policy Allows Wildcard Resource - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iot-policy.html - be6a3722-af60-438c-b1b9-2a03e2958ab7: - categories: - - ALL - - boost-baseline - description: The discriminator property in the Schema Object should be a required - property - group: top10-insecure-design - name: be6a3722-af60-438c-b1b9-2a03e2958ab7 - pretty_name: Schema 
Discriminator Not Required (v2) - recommended: true - ref: https://swagger.io/specification/v2/#schema-object - be96849c-3df6-49c2-bc16-778a7be2519c: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Check if secure ciphers aren''t used in CloudFront ' - group: top10-crypto-failures - name: be96849c-3df6-49c2-bc16-778a7be2519c - pretty_name: Secure Ciphers Disabled - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cloudfront-distribution-viewercertificate.html - bf36b900-b5ef-4828-adb7-70eb543b7cfb: - categories: - - ALL - - boost-baseline - description: 'Hostnames should not be overrided ' - group: cloud-weak-configuration - name: bf36b900-b5ef-4828-adb7-70eb543b7cfb - pretty_name: Kubelet Hostname Override Is Set - recommended: true - ref: https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/ - bf4473f1-c8a2-4b1b-8134-bd32efabab93: - categories: - - ALL - - boost-baseline - description: 'Neptune database cluster storage should have encryption enabled ' - group: top10-crypto-failures - name: bf4473f1-c8a2-4b1b-8134-bd32efabab93 - pretty_name: Neptune Database Cluster Encryption Disabled - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-neptune-dbcluster.html - bf4b48b9-fc1f-4552-984a-4becdb5bf503: - categories: - - ALL - - boost-baseline - description: 'API Gateway should have Access Log Settings defined ' - group: top10-security-logging-monitoring-failures - name: bf4b48b9-fc1f-4552-984a-4becdb5bf503 - pretty_name: API Gateway Access Logging Disabled - recommended: true - ref: https://www.pulumi.com/registry/packages/aws/api-docs/apigatewayv2/stage/#accesslogsettings_yaml - bf500309-da53-4dd3-bcf7-95f7974545a5: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Microsoft.DBforPostgreSQL/servers sslEnforcement property should - be set to ''Enabled'' ' - group: 
cloud-resources-public-access - name: bf500309-da53-4dd3-bcf7-95f7974545a5 - pretty_name: PostgreSQL Database Server SSL Disabled - recommended: true - ref: https://docs.microsoft.com/en-us/azure/templates/microsoft.dbforpostgresql/2017-12-01/servers?tabs=json - bf878b1a-7418-4de3-b13c-3a86cf894920: - categories: - - ALL - - boost-baseline - description: 'S3 bucket public access is overridden by S3 bucket Public Access - Block when the following attributes are set to true - ''block_public_acls'', - ''block_public_policy'', ''ignore_public_acls'', and ''restrict_public_buckets'' ' - group: cloud-insecure-iam - name: bf878b1a-7418-4de3-b13c-3a86cf894920 - pretty_name: S3 Bucket Public ACL Overridden By Public Access Block - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block#bucket - bf89373a-be40-4c04-99f5-746742dfd7f3: - categories: - - ALL - - boost-baseline - description: 'Elastic MapReduce Cluster (EMR) should be launched in a Virtual - Private Cloud (VPC) ' - group: cloud-resources-public-access - name: bf89373a-be40-4c04-99f5-746742dfd7f3 - pretty_name: EMR Without VPC - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-elasticmapreduce-cluster-jobflowinstancesconfig.html#cfn-elasticmapreduce-cluster-jobflowinstancesconfig-ec2subnetid - bf9d42c7-c2f9-4dfe-942c-c8cc8249a081: - categories: - - ALL - - boost-baseline - description: 'User with privilege escalation by actions ''iam:AddUserToGroup'' - and Resource set to ''*''. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. 
' - group: cloud-insecure-iam - name: bf9d42c7-c2f9-4dfe-942c-c8cc8249a081 - pretty_name: User With Privilege Escalation By Actions 'iam:AddUserToGroup' - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy#policy - c010082c-76e0-4b91-91d9-6e8439e455dd: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Cloud Storage Bucket is anonymously or publicly accessible ' - group: cloud-insecure-iam - name: c010082c-76e0-4b91-91d9-6e8439e455dd - pretty_name: Cloud Storage Bucket Is Publicly Accessible - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/storage_bucket_iam#member/members - c01d10de-c468-4790-b3a0-fc887a56f289: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'OSS Buckets should have secure transport enabled ' - group: cloud-resources-public-access - name: c01d10de-c468-4790-b3a0-fc887a56f289 - pretty_name: OSS Buckets Secure Transport Disabled - recommended: true - ref: https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/oss_bucket#policy - c065b98e-1515-4991-9dca-b602bd6a2fbb: - categories: - - ALL - - boost-baseline - description: 'Action Trail Logging for all regions should be enabled ' - group: top10-security-logging-monitoring-failures - name: c065b98e-1515-4991-9dca-b602bd6a2fbb - pretty_name: Action Trail Logging For All Regions Disabled - recommended: true - ref: https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/actiontrail_trail#trail_region - c09cdac2-7670-458a-bf6c-efad6880973a: - categories: - - ALL - - boost-baseline - description: 'SQL Server Database Auditing Settings should keep the audit logs - in the storage account for at least 90 days ' - group: top10-security-logging-monitoring-failures - name: c09cdac2-7670-458a-bf6c-efad6880973a - pretty_name: SQL Server Database With Unrecommended Retention Days - recommended: true 
- ref: https://docs.microsoft.com/en-us/azure/templates/microsoft.sql/servers/databases/auditingsettings?tabs=json - c09e3ca5-f08a-4717-9c87-3919c5e6d209: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'RDS must not be defined with public interface, which means the field - ''publicly_accessible'' should not be set to ''true'' (default is ''false''). ' - group: cloud-weak-configuration - name: c09e3ca5-f08a-4717-9c87-3919c5e6d209 - pretty_name: RDS DB Instance Publicly Accessible - recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/community/aws/rds_instance_module.html#parameter-auto_minor_version_upgrade - c09f4d3e-27d2-4d46-9453-abbe9687a64e: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'User Data should not contain a base64 encoded private key. If so, - anyone can decode the private key easily ' - group: top10-crypto-failures - name: c09f4d3e-27d2-4d46-9453-abbe9687a64e - pretty_name: User Data Contains Encoded Private Key - recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/community/aws/ec2_lc_module.html - c0c1e744-0f37-445e-924a-1846f0839f69: - categories: - - ALL - - boost-baseline - description: 'Group with privilege escalation by actions ''iam:PutRolePolicy'' - and Resource set to ''*''. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. 
' - group: cloud-insecure-iam - name: c0c1e744-0f37-445e-924a-1846f0839f69 - pretty_name: Group With Privilege Escalation By Actions 'iam:PutRolePolicy' - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_policy#policy - c1032cf7-3628-44e2-bd53-38c17cf31b6b: - categories: - - ALL - - boost-baseline - description: 'A Service Account token is shared between workloads ' - group: cloud-weak-secrets-management - name: c1032cf7-3628-44e2-bd53-38c17cf31b6b - pretty_name: Shared Service Account - recommended: true - ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/ - c1282e03-b285-4637-aee7-eefe3a7bb658: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Amazon EFS volume does not have encryption for data at transit enabled. - To prevent such a scenario, enable the attribute ''TransitEncryption'' ' - group: top10-crypto-failures - name: c1282e03-b285-4637-aee7-eefe3a7bb658 - pretty_name: EFS Volume With Disabled Transit Encryption - recommended: true - ref: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/efs-volumes.html - c1573577-e494-4417-8854-7e119368dc8b: - categories: - - ALL - - boost-baseline - description: 'Network Interfaces should not be exposed with a public IP address. 
- If configured, additional security baselines should be followed (https://docs.microsoft.com/en-us/security/benchmark/azure/baselines/virtual-network-security-baseline, - https://docs.microsoft.com/en-us/security/benchmark/azure/baselines/public-ip-security-baseline) ' - group: cloud-resources-public-access - name: c1573577-e494-4417-8854-7e119368dc8b - pretty_name: Network Interfaces With Public IP - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_interface#public_ip_address_id - c19779a9-5774-4d2f-a3a1-a99831730375: - categories: - - ALL - - boost-baseline - description: 'Components links definitions should be referenced or removed from - Open API definition ' - group: top10-insecure-design - name: c19779a9-5774-4d2f-a3a1-a99831730375 - pretty_name: Components Link Definition Is Unused - recommended: true - ref: https://swagger.io/specification/#components-object - c201b7ad-6173-4598-a407-5edb04a1bcd7: - categories: - - ALL - - boost-baseline - description: All path templates should not be empty - group: top10-insecure-design - name: c201b7ad-6173-4598-a407-5edb04a1bcd7 - pretty_name: Path Template is Empty (v2) - recommended: true - ref: https://swagger.io/specification/v2/#pathsObject - c254adc4-ef25-46e1-8270-b7944adb4198: - categories: - - ALL - - boost-baseline - description: 'OperationId should be unique when defined ' - group: top10-insecure-design - name: c254adc4-ef25-46e1-8270-b7944adb4198 - pretty_name: OperationId Not Unique (v3) - recommended: true - ref: https://swagger.io/specification/#operation-object - c2a3efb6-8a58-481c-82f2-bfddf34bb4b7: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'The IP range filter should be defined to secure the data stored ' - group: cloud-resources-public-access - name: c2a3efb6-8a58-481c-82f2-bfddf34bb4b7 - pretty_name: CosmosDB Account IP Range Filter Not Set - recommended: true - ref: 
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/cosmosdb_account#ip_range_filter - c2eae442-d3ba-4cb1-84ca-1db4f80eae3d: - categories: - - ALL - - boost-baseline - description: 'AWS Lambda Function should be configured for a Dead Letter Queue(DLQ) ' - group: cloud-weak-configuration - name: c2eae442-d3ba-4cb1-84ca-1db4f80eae3d - pretty_name: Lambda Function Without Dead Letter Queue - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-lambda-function.html#cfn-lambda-function-deadletterconfig - c2f15af3-66a0-4176-a56e-e4711e502e5c: - categories: - - ALL - - boost-baseline - description: 'AWS Access Key should not be hardcoded ' - group: cloud-weak-secrets-management - name: c2f15af3-66a0-4176-a56e-e4711e502e5c - pretty_name: Hardcoded AWS Access Key - recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/community/aws/ec2_instance_module.html - c333e906-8d8b-4275-b999-78b6318f8dc6: - categories: - - ALL - - boost-baseline - description: 'Checks if DynamoDB Table Billing Mode is set to either PAY_PER_REQUEST - or PROVISIONED ' - group: supply-chain-cicd-weak-configuration - name: c333e906-8d8b-4275-b999-78b6318f8dc6 - pretty_name: DynamoDB With Not Recommented Table Billing Mode - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-dynamodb-table.html#cfn-dynamodb-table-attributedef - c3831315-5ae6-4fa8-b458-3d4d5ab7a3f6: - categories: - - ALL - - boost-baseline - description: 'Expired SSL/TLS certificates should be removed ' - group: cloud-insecure-iam - name: c3831315-5ae6-4fa8-b458-3d4d5ab7a3f6 - pretty_name: Certificate Has Expired - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_rest_api - c38d630d-a415-4e3e-bac2-65475979ba88: - categories: - - ALL - - boost-baseline - description: 'The Body Parameter Object should only have the following 
properties - defined - ''name'', ''in'', ''description'', ''required'', and ''schema'' ' - group: top10-insecure-design - name: c38d630d-a415-4e3e-bac2-65475979ba88 - pretty_name: Body Parameter With Wrong Property - recommended: true - ref: https://swagger.io/specification/v2/#parameterObject - c3b9f7b0-f5a0-49ec-9cbc-f1e346b7274d: - categories: - - ALL - - boost-baseline - description: 'Server Access Logging should be enabled on S3 Buckets so that all - changes are logged and trackable ' - group: top10-security-logging-monitoring-failures - name: c3b9f7b0-f5a0-49ec-9cbc-f1e346b7274d - pretty_name: S3 Bucket Logging Disabled - recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/amazon/aws/s3_bucket_module.html#parameter-debug_botocore_endpoint_logs - c3cab8c4-6c52-47a9-942b-c27f26fbd7d2: - categories: - - ALL - - boost-baseline - description: 'The In field of Parameter Object must be ''formData'' when type - is ''file'' ' - group: top10-insecure-design - name: c3cab8c4-6c52-47a9-942b-c27f26fbd7d2 - pretty_name: Parameter File Type Not In 'formData' - recommended: true - ref: https://swagger.io/specification/v2/#parameterObject - c3ce69fd-e3df-49c6-be78-1db3f802261c: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Server Access Logging should be enabled on S3 Buckets so that all - changes are logged and trackable when the Service used is CloudTrail ' - group: top10-security-logging-monitoring-failures - name: c3ce69fd-e3df-49c6-be78-1db3f802261c - pretty_name: S3 Bucket CloudTrail Logging Disabled - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket.html#cfn-s3-bucket-loggingconfig - c3e073c1-f65e-4d18-bd67-4a8f20ad1ab9: - categories: - - ALL - - boost-baseline - description: 'S3 Bucket allows public access ' - group: cloud-insecure-iam - name: c3e073c1-f65e-4d18-bd67-4a8f20ad1ab9 - pretty_name: S3 Bucket With Public Access - recommended: true - ref: 
https://docs.ansible.com/ansible/latest/collections/amazon/aws/aws_s3_module.html#parameter-permission - c407c3cf-c409-4b29-b590-db5f4138d332: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'PostgreSQL Server Threat Detection Policy should be enabled ' - group: cloud-insecure-iam - name: c407c3cf-c409-4b29-b590-db5f4138d332 - pretty_name: PostgreSQL Server Threat Detection Policy Disabled - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/postgresql_server#threat_detection_policy - c44c95fc-ae92-4bb8-bdf8-bb9bc412004a: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'EC2 instances with public IP addresses shouldn''t allow for unrestricted - traffic to their subnets ' - group: cloud-resources-public-access - name: c44c95fc-ae92-4bb8-bdf8-bb9bc412004a - pretty_name: EC2 Public Instance Exposed Through Subnet - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-route.html - c47f90e8-4a19-43f0-8413-cc434d286c4e: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Kubernetes Engine Clusters must have Network Policy enabled, meaning - that the attribute ''networkPolicy.enabled'' must be true and the attribute - ''addonsConfig.networkPolicyConfig.disabled'' must be false ' - group: cloud-weak-configuration - name: c47f90e8-4a19-43f0-8413-cc434d286c4e - pretty_name: Network Policy Disabled - recommended: true - ref: https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1/projects.zones.clusters - c48e57d3-d642-4e0b-90db-37f807b41b91: - categories: - - ALL - - boost-baseline - description: 'Do not allow pod to request execution as privileged. 
' - group: cloud-weak-configuration - name: c48e57d3-d642-4e0b-90db-37f807b41b91 - pretty_name: PSP Set To Privileged - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod_security_policy#privileged - c4dcdcdf-10dd-4bf4-b4a0-8f6239e6aaa0: - categories: - - ALL - - boost-baseline - description: 'Google Firewall should not allow SSH access (port 22) from the Internet - (public CIDR block) to ensure the principle of least privileges ' - group: cloud-resources-public-access - name: c4dcdcdf-10dd-4bf4-b4a0-8f6239e6aaa0 - pretty_name: SSH Access Is Not Restricted - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_firewall - c53c7a89-f9d7-4c7b-8b66-8a555be99593: - categories: - - ALL - - boost-baseline - description: 'Public and private EC2 istances should not share the same role. ' - group: cloud-insecure-iam - name: c53c7a89-f9d7-4c7b-8b66-8a555be99593 - pretty_name: Public and Private EC2 Share Role - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/instance#iam_instance_profile - c583f0f9-7dfd-476b-a056-f47c62b47b46: - categories: - - ALL - - boost-baseline - description: 'Role with privilege escalation by actions ''lambda:UpdateFunctionCode'' - and Resource set to ''*''. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. 
' - group: cloud-insecure-iam - name: c583f0f9-7dfd-476b-a056-f47c62b47b46 - pretty_name: Role With Privilege Escalation By Actions 'lambda:UpdateFunctionCode' - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy#policy - c589f42c-7924-4871-aee2-1cede9bc7cbc: - categories: - - ALL - - boost-baseline - description: 'Roles or ClusterRoles with RBAC permissions to run commands in containers - via ''kubectl exec'' could be abused by attackers to execute malicious code - in case of compromise. To prevent this, the ''pods/exec'' verb should not be - used in production environments ' - group: cloud-insecure-iam - name: c589f42c-7924-4871-aee2-1cede9bc7cbc - pretty_name: RBAC Roles with Exec Permission - recommended: true - ref: https://kubernetes.io/docs/reference/access-authn-authz/rbac/ - c5b31ab9-0f26-4a49-b8aa-4cc064392f4d: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'S3 bucket without MFA Delete Enabled. MFA delete cannot be enabled - through Terraform, it can be done by adding a MFA device (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable.html) - and enabling versioning and MFA delete by using AWS CLI: ''aws s3api put-bucket-versioning - --versioning-configuration=Status=Enabled,MFADelete=Enabled --bucket= --mfa=''. 
- Please, also notice that MFA delete can not be used with lifecycle configurations ' - group: cloud-weak-configuration - name: c5b31ab9-0f26-4a49-b8aa-4cc064392f4d - pretty_name: S3 Bucket Without Enabled MFA Delete - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#mfa_delete - c5bb7461-aa57-470b-a714-3bc3d74f4669: - categories: - - ALL - - boost-baseline - description: 'Link object ''OperationId'' should target an existing operation - object in the OpenAPI definition ' - group: top10-insecure-design - name: c5bb7461-aa57-470b-a714-3bc3d74f4669 - pretty_name: Link Object OperationId Does Not Target Operation Object - recommended: true - ref: https://swagger.io/specification/#link-object - c5ff7bc9-d8ea-46dd-81cb-8286f3222249: - categories: - - ALL - - boost-baseline - description: 'IAM password should have at least one uppercase letter ' - group: top10-insecure-design - name: c5ff7bc9-d8ea-46dd-81cb-8286f3222249 - pretty_name: IAM Password Without Uppercase Letter - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_account_password_policy - c606ba1d-d736-43eb-ac24-e16108f3a9e0: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Kubernetes Clusters must be created with Alias IP ranges enabled, - which means the attribut ''ip_allocation_policy'' must be defined and, if defined, - the attribute ''networking_mode'' must be VPC_NATIVE ' - group: cloud-weak-configuration - name: c606ba1d-d736-43eb-ac24-e16108f3a9e0 - pretty_name: IP Aliasing Disabled - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_cluster - c62746cf-92d5-4649-9acf-7d48d086f2ee: - categories: - - ALL - - boost-baseline - description: 'Ensure Storage Account is using the latest version of TLS encryption ' - group: top10-crypto-failures - name: c62746cf-92d5-4649-9acf-7d48d086f2ee - pretty_name: 
Storage Account Not Using Latest TLS Encryption Version - recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_storageaccount_module.html#parameter-minimum_tls_version - c62d3b92-9a11-4ffd-b7b7-6faaae83faed: - categories: - - ALL - - boost-baseline - description: 'Azure Kubernetes Service should have the Kubernetes dashboard disabled. ' - group: cloud-weak-configuration - name: c62d3b92-9a11-4ffd-b7b7-6faaae83faed - pretty_name: AKS Dashboard Is Enabled - recommended: true - ref: https://docs.microsoft.com/en-us/azure/templates/microsoft.containerservice/managedclusters?tabs=json#managedclusteraddonprofile - c62e8b7d-1fdf-4050-ac4c-76ba9e1d9621: - categories: - - ALL - - boost-baseline - description: 'ELBv2 ALBs should have access log enabled to capture detailed information - about requests sent to your load balancer. ' - group: top10-security-logging-monitoring-failures - name: c62e8b7d-1fdf-4050-ac4c-76ba9e1d9621 - pretty_name: ELBv2 ALB Access Log Disabled - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-elasticloadbalancingv2-loadbalancer-loadbalancerattributes.html#cfn-elasticloadbalancingv2-loadbalancer-loadbalancerattributes-key - c640d783-10c5-4071-b6c1-23507300d333: - categories: - - ALL - - boost-baseline - description: 'Make sure that for PostgreSQL Database, server parameter ''log_connections'' - is set to ''ON'' ' - group: top10-security-logging-monitoring-failures - name: c640d783-10c5-4071-b6c1-23507300d333 - pretty_name: PostgreSQL Log Connections Not Set - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/postgresql_configuration - c66ebeaa-676c-40dc-a3ff-3e49395dcd5e: - categories: - - ALL - - boost-baseline - description: 'The Servers array should have at least one server defined. If not, - the default value would be a Server Object with a URL value of ''/''. 
' - group: top10-insecure-design - name: c66ebeaa-676c-40dc-a3ff-3e49395dcd5e - pretty_name: Servers Array Undefined - recommended: true - ref: https://swagger.io/specification/#server-object - c689f51b-9203-43b3-9d8b-caed123f706c: - categories: - - ALL - description: 'A list of Elasticache resources found. Amazon ElastiCache is a fully - managed, in-memory caching service supporting flexible, real-time use cases. - You can use ElastiCache for caching, which accelerates application and database - performance, or as a primary data store for use cases that don''t require durability - like session stores, gaming leaderboards, streaming, and analytics. ElastiCache - is compatible with Redis and Memcached. ' - group: supply-chain-missing-artifact-integrity-verification - name: c689f51b-9203-43b3-9d8b-caed123f706c - pretty_name: BOM - AWS Elasticache - ref: https://kics.io/ - c68b4e6d-4e01-4ca1-b256-1e18e875785c: - categories: - - ALL - - boost-baseline - description: 'Verifies if Google Poject IAM Member Service Account doesn''t have - a Account User or Token Creator associated ' - group: cloud-insecure-iam - name: c68b4e6d-4e01-4ca1-b256-1e18e875785c - pretty_name: Google Project IAM Member Service Account has Token Creator or Account - User Role - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_project_iam#google_project_iam_member - c6c7b33d-d7f6-4ab8-8c82-ca0431ecdb7e: - categories: - - ALL - - boost-baseline - description: 'A sensitive port, such as port 23 or port 110, is open for wide - private network in either TCP or UDP protocol ' - group: cloud-resources-public-access - name: c6c7b33d-d7f6-4ab8-8c82-ca0431ecdb7e - pretty_name: Sensitive Port Is Exposed To Wide Private Network - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_security_rule - c6fc6f29-dc04-46b6-99ba-683c01aff350: - categories: - - ALL - - boost-baseline - description: 
'Google Compute Engine VM instances should not enable serial ports. - When enabled, anyone can access your VM, if they know the username, project - ID, SSH key, instance name and zone ' - group: cloud-resources-public-access - name: c6fc6f29-dc04-46b6-99ba-683c01aff350 - pretty_name: Serial Ports Are Enabled For VM Instances - recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_compute_instance_module.html - c7000383-16d0-4509-8cd3-585e5ea2e2f2: - categories: - - ALL - - boost-baseline - description: Contact Object URL should be a valid URL - group: top10-insecure-design - name: c7000383-16d0-4509-8cd3-585e5ea2e2f2 - pretty_name: Invalid Contact URL (v2) - recommended: true - ref: https://swagger.io/specification/v2/#contactObject - c757c6a3-ac87-4b9d-b28d-e5a5add6a315: - categories: - - ALL - - boost-baseline - description: 'AWS Serverless API should have X-Ray Tracing enabled ' - group: top10-security-logging-monitoring-failures - name: c757c6a3-ac87-4b9d-b28d-e5a5add6a315 - pretty_name: Serverless API X-Ray Tracing Disabled - recommended: true - ref: https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-resource-api.html#sam-api-tracingenabled - c759d6f2-4dd3-4160-82d3-89202ef10d87: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'MySQL Instance should not have Local Infile On ' - group: cloud-weak-configuration - name: c759d6f2-4dd3-4160-82d3-89202ef10d87 - pretty_name: MySQL Instance With Local Infile On - recommended: true - ref: https://cloud.google.com/sql/docs/mysql/admin-api/rest/v1beta4/instances - c7781feb-a955-4f9f-b9cf-0d7c6f54bb59: - categories: - - ALL - description: 'A list of Storage Bucket resources found. Buckets are the basic - containers that hold your data. Everything that you store in Cloud Storage must - be contained in a bucket. 
' - group: supply-chain-missing-artifact-integrity-verification - name: c7781feb-a955-4f9f-b9cf-0d7c6f54bb59 - pretty_name: BOM - GCP SB - ref: https://kics.io/ - c7fc1481-2899-4490-bbd8-544a3a61a2f3: - categories: - - ALL - - boost-baseline - description: 'Azure App Service authentication settings should be enabled ' - group: cloud-insecure-iam - name: c7fc1481-2899-4490-bbd8-544a3a61a2f3 - pretty_name: App Service Authentication Disabled - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/app_service#enabled - c87749b3-ff10-41f5-9df2-c421e8151759: - categories: - - ALL - - boost-baseline - description: 'Azure Function App should have managed identity enabled ' - group: cloud-weak-configuration - name: c87749b3-ff10-41f5-9df2-c421e8151759 - pretty_name: Function App Managed Identity Disabled - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/function_app#identity - c878abb4-cca5-4724-92b9-289be68bd47c: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Containers should not run with allowPrivilegeEscalation in order - to prevent them from gaining more privileges than their parent process ' - group: cloud-weak-configuration - name: c878abb4-cca5-4724-92b9-289be68bd47c - pretty_name: Privilege Escalation Allowed - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#allow_privilege_escalation - c8ae9ba9-c2f7-4e5c-b32e-a4b7712d4d22: - categories: - - ALL - - boost-baseline - description: 'Secrets Manager Secret should explicitly specify KmsKeyId, this - will allow the secret to be shared cross-account ' - group: cloud-weak-secrets-management - name: c8ae9ba9-c2f7-4e5c-b32e-a4b7712d4d22 - pretty_name: Secrets Manager Should Specify KmsKeyId - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-secretsmanager-secret.html - 
c8dee387-a2e6-4a73-a942-183c975549ac: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'AWS DynamoDb should be encrypted using AWS Managed CMK, instead - of AWS-owned CMK. To verify this, SSEEnabled must be verified if false for AWS-owned - CMK or true for AWS-Managed CMK. Default value is false. ' - group: top10-crypto-failures - name: c8dee387-a2e6-4a73-a942-183c975549ac - pretty_name: DynamoDB With Aws Owned CMK - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-dynamodb-table-ssespecification.html - c91d7ea0-d4d1-403b-8fe1-c9961ac082c5: - categories: - - ALL - - boost-baseline - description: 'Neptune Cluster should have IAM Database Authentication enabled ' - group: cloud-insecure-iam - name: c91d7ea0-d4d1-403b-8fe1-c9961ac082c5 - pretty_name: Neptune Cluster With IAM Database Authentication Disabled - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/neptune_cluster#storage_encrypted - c9846969-d066-431f-9b34-8c4abafe422a: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'The Remote Desktop port is open to the internet in a Security Group ' - group: cloud-resources-public-access - name: c9846969-d066-431f-9b34-8c4abafe422a - pretty_name: Remote Desktop Port Open To Internet - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-security-group.html - c999cf62-0920-40f8-8dda-0caccd66ed7e: - categories: - - ALL - - boost-baseline - description: 'API Gateway Stage should have API Gateway UsagePlan defined and - associated. 
' - group: cloud-insecure-iam - name: c999cf62-0920-40f8-8dda-0caccd66ed7e - pretty_name: API Gateway Stage Without API Gateway UsagePlan Associated - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_stage - c9d81239-c818-4869-9917-1570c62b81fd: - categories: - - ALL - description: 'A list of Filestore Instance resources found. Filestore instances - are fully managed file servers on Google Cloud that can be connected to Compute - Engine VMs, GKE clusters, and your on-premises machines. Once provisioned, you - can scale the capacity of your instances according to need without any downtime. ' - group: supply-chain-missing-artifact-integrity-verification - name: c9d81239-c818-4869-9917-1570c62b81fd - pretty_name: BOM - GCP FI - ref: https://kics.io/ - ca02f4e8-d3ae-4832-b7db-bb037516d9e7: - categories: - - ALL - - boost-baseline - description: 'Request Body reference should exists on components field ' - group: top10-insecure-design - name: ca02f4e8-d3ae-4832-b7db-bb037516d9e7 - pretty_name: Request Body JSON Reference Does Not Exists - recommended: true - ref: https://swagger.io/specification/#components-object - ca2fba76-c1a7-4afd-be67-5249f861cb0e: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Check if Tiller is deployed. 
' - group: cloud-weak-configuration - name: ca2fba76-c1a7-4afd-be67-5249f861cb0e - pretty_name: Tiller (Helm v2) Is Deployed - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#image - ca469dd4-c736-448f-8ac1-30a642705e0a: - categories: - - ALL - - boost-baseline - description: 'CPU requests should be set to ensure the sum of the resource requests - of the scheduled Containers is less than the capacity of the node ' - group: cloud-insecure-iam - name: ca469dd4-c736-448f-8ac1-30a642705e0a - pretty_name: CPU Requests Not Set - recommended: true - ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/# - ca4df748-613a-4fbf-9c76-f02cbd580307: - categories: - - ALL - - boost-baseline - description: 'Make sure that your Azure Storage Account access is limited to those - who require it. ' - group: cloud-insecure-iam - name: ca4df748-613a-4fbf-9c76-f02cbd580307 - pretty_name: Default Azure Storage Account Network Access Is Too Permissive - recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_storageaccount_module.html#parameter-public_network_access - caa3479d-885d-4882-9aac-95e5e78ef5c2: - categories: - - ALL - - boost-baseline - description: 'Image Pull Policy of the container must be defined and set to Always ' - group: cloud-weak-configuration - name: caa3479d-885d-4882-9aac-95e5e78ef5c2 - pretty_name: Image Pull Policy Of The Container Is Not Set To Always - recommended: true - ref: https://kubernetes.io/docs/concepts/containers/images/#updating-images - caa93370-791f-4fc6-814b-ba6ce0cb4032: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Limit capabilities for a Pod Security Policy ' - group: cloud-weak-configuration - name: caa93370-791f-4fc6-814b-ba6ce0cb4032 - pretty_name: Not Limited Capabilities For Pod Security Policy - recommended: true - ref: 
https://kubernetes.io/docs/concepts/policy/pod-security-policy/ - caf1793e-95dd-4b18-8d90-8f3c0ab5bddf: - categories: - - ALL - - boost-baseline - description: The format should be valid for the type defined. For integer type - must be int32 or int64 and number type must be float or double - group: cloud-weak-configuration - name: caf1793e-95dd-4b18-8d90-8f3c0ab5bddf - pretty_name: Invalid Format (v2) - recommended: true - ref: https://swagger.io/specification/v2/ - cb2f612b-ed42-4ff5-9fb9-255c73d39a18: - categories: - - ALL - - boost-baseline - description: 'AWS Serverless Function should be configured for a Dead Letter Queue(DLQ) ' - group: cloud-weak-configuration - name: cb2f612b-ed42-4ff5-9fb9-255c73d39a18 - pretty_name: Serverless Function Without Dead Letter Queue - recommended: true - ref: https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-resource-function.html#sam-function-deadletterqueue - cb319d87-b90f-485e-a7e7-f2408380f309: - categories: - - ALL - - boost-baseline - description: 'KMS Key should have automatic rotation enabled and the rotation - period should not be higher than a year ' - group: cloud-weak-secrets-management - name: cb319d87-b90f-485e-a7e7-f2408380f309 - pretty_name: High KMS Key Rotation Period - recommended: true - ref: https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/kms_key - cb3f5ed6-0d18-40de-a93d-b3538db31e8c: - categories: - - ALL - - boost-baseline - description: 'It''s considered a best practice for AWS Security Group to have - a description ' - group: top10-insecure-design - name: cb3f5ed6-0d18-40de-a93d-b3538db31e8c - pretty_name: Security Group Rule Without Description - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group#description - cb7e695d-6a85-495c-b15f-23aed2519303: - categories: - - ALL - - boost-baseline - description: 'Certificate Authority should be unique for etcd ' - group: 
cloud-weak-secrets-management - name: cb7e695d-6a85-495c-b15f-23aed2519303 - pretty_name: Not Unique Certificate Authority - recommended: true - ref: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/ - cb8e4bf0-903d-45c6-a278-9a947d82a27b: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Storage Accounts should enforce the use of HTTPS ' - group: top10-crypto-failures - name: cb8e4bf0-903d-45c6-a278-9a947d82a27b - pretty_name: Storage Account Not Forcing HTTPS - recommended: true - ref: https://www.pulumi.com/registry/packages/azure-native/api-docs/storage/storageaccount/#enablehttpstrafficonly_yaml - cbd2db69-0b21-4c14-8a40-7710a50571a9: - categories: - - ALL - - boost-baseline - description: 'When using kube-apiserver commands, the ''--encryption-provider-config'' - flag should be defined and the encryption should be correctly configured in - Encryption Configuration file ' - group: top10-crypto-failures - name: cbd2db69-0b21-4c14-8a40-7710a50571a9 - pretty_name: Encryption Provider Config Is Not Defined - recommended: true - ref: https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/ - cbff2508-85c9-4448-a8b3-770070edf5ca: - categories: - - ALL - - boost-baseline - description: Schema Object should not reference it self in 'allOf', 'oneOf', 'anyOf' - and 'not' properties - group: top10-insecure-design - name: cbff2508-85c9-4448-a8b3-770070edf5ca - pretty_name: Schema Object With Circular Ref (v2) - recommended: true - ref: https://swagger.io/specification/v2/#definitionsObject - cc4aaa9d-1070-461a-b519-04e00f42db8a: - categories: - - ALL - - boost-baseline - description: 'Periodically, newer versions are released for Python software either - due to security flaws or to include additional functionality. 
Using the latest - full Python version for web apps is recommended in order to take advantage of - security fixes, if any, and/or additional functionalities of the newer version. ' - group: top10-insecure-design - name: cc4aaa9d-1070-461a-b519-04e00f42db8a - pretty_name: App Service Without Latest Python Version - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/app_service#python_version - cc8b294f-006f-4f8f-b5bb-0a9140c33131: - categories: - - ALL - - boost-baseline - description: 'ACM Certificate should not use wildcards (*) in the domain name ' - group: cloud-weak-configuration - name: cc8b294f-006f-4f8f-b5bb-0a9140c33131 - pretty_name: Wildcard In ACM Certificate Domain Name - recommended: true - ref: https://docs.aws.amazon.com/acm/latest/userguide/acm-overview.html - cc997676-481b-4e93-aa81-d19f8c5e9b12: - categories: - - ALL - - boost-baseline - description: 'EBS volumes should be encrypted ' - group: top10-crypto-failures - name: cc997676-481b-4e93-aa81-d19f8c5e9b12 - pretty_name: EBS Volume Encryption Disabled - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ebs_volume#encrypted - ccc3100c-0fdd-4a5e-9908-c10107291860: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'DNSSEC should not use the RSASHA1 algorithm, which means if, within - the ''dnssec_config'' block, the ''default_key_specs'' block exists with the - ''algorithm'' field is ''rsasha1'' which is bad. 
' - group: top10-crypto-failures - name: ccc3100c-0fdd-4a5e-9908-c10107291860 - pretty_name: DNSSEC Using RSASHA1 - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/dns_managed_zone#algorithm - ccc98ff7-68a7-436e-9218-185cb0b0b780: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'When using kube-controller-manager commands, the ''--service-account-private-key-file'' - should be defined ' - group: top10-crypto-failures - name: ccc98ff7-68a7-436e-9218-185cb0b0b780 - pretty_name: Service Account Private Key File Not Defined - recommended: true - ref: https://kubernetes.io/docs/reference/command-line-tools-reference/kube-controller-manager/ - ccd0613f-cb77-4684-a892-183bd2674d12: - categories: - - ALL - - boost-baseline - description: The property 'required' determines whether the parameter is mandatory. - If the parameter location is 'path', this property is required and its value - must be true. - group: top10-insecure-design - name: ccd0613f-cb77-4684-a892-183bd2674d12 - pretty_name: Path Parameter Not Required (v2) - recommended: true - ref: https://swagger.io/specification/v2/#parameterObject - cd290efd-6c82-4e9d-a698-be12ae31d536: - categories: - - ALL - - boost-baseline - description: 'Container should not share the host IPC namespace ' - group: cloud-insecure-iam - name: cd290efd-6c82-4e9d-a698-be12ae31d536 - pretty_name: Shared Host IPC Namespace - recommended: true - ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/ - cd7a52cf-8d7f-4cfe-bbeb-6306d23f576b: - categories: - - ALL - - boost-baseline - description: 'Encoding Map Key should be set in schema defined properties ' - group: top10-insecure-design - name: cd7a52cf-8d7f-4cfe-bbeb-6306d23f576b - pretty_name: Encoding Map Key Mismatch Schema Defined Properties - recommended: true - ref: https://swagger.io/specification/#media-type-object - cdbb0467-2957-4a77-9992-7b55b29df7b7: - categories: - - ALL - - 
boost-baseline - - boost-hardened - description: 'Security Groups should not have ports open in (20, 21, 22, 23, 115, - 137, 138, 139, 2049, 3389) ' - group: cloud-resources-public-access - name: cdbb0467-2957-4a77-9992-7b55b29df7b7 - pretty_name: Security Groups With Exposed Admin Ports - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-security-group.html - cdc8b54e-6b16-4538-a1b0-35849dbe29cf: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'When using kube-apiserver command, the ''--kubelet-https'' flag - should not be set to false ' - group: cloud-resources-public-access - name: cdc8b54e-6b16-4538-a1b0-35849dbe29cf - pretty_name: Kubelet HTTPS Set To False - recommended: true - ref: https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/ - cdddb86f-95f6-4fc4-b5a1-483d9afceb2b: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'COPY ''--from'' should not mention the current FROM alias, since - it is impossible to copy from itself ' - group: supply-chain-cicd-weak-configuration - name: cdddb86f-95f6-4fc4-b5a1-483d9afceb2b - pretty_name: COPY '--from' References Current FROM Alias - recommended: true - ref: https://docs.docker.com/develop/develop-images/multistage-build/ - ce089fd4-1406-47bd-8aad-c259772bb294: - categories: - - ALL - - boost-baseline - description: 'AWS DynamoDB Tables should have server-side encryption ' - group: top10-crypto-failures - name: ce089fd4-1406-47bd-8aad-c259772bb294 - pretty_name: DynamoDB Table Not Encrypted - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/dynamodb_table#server_side_encryption - ce14a68b-1668-41a0-ab7d-facd9f784742: - categories: - - ALL - - boost-baseline - description: 'Setting networks in services ensures you are not using dockers default - bridge (docker0), which shares traffic bewteen all containers. 
' - group: cloud-resources-public-access - name: ce14a68b-1668-41a0-ab7d-facd9f784742 - pretty_name: Networks Not Set - recommended: true - ref: https://docs.docker.com/compose/compose-file/compose-file-v3/#networks - ce30e584-b33f-4c7d-b418-a3d7027f8f60: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'When using kube-apiserver command, the ''--enable-admission-plugins'' - flag should not have ''AlwaysAdmit'' plugin ' - group: cloud-insecure-iam - name: ce30e584-b33f-4c7d-b418-a3d7027f8f60 - pretty_name: Always Admit Admission Control Plugin Set - recommended: true - ref: https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/ - ce60cc6b-6831-4bd7-84a2-cc7f8ee71433: - categories: - - ALL - - boost-baseline - description: 'SSM Session should be encrypted in transit ' - group: top10-crypto-failures - name: ce60cc6b-6831-4bd7-84a2-cc7f8ee71433 - pretty_name: SSM Session Transit Encryption Disabled - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssm_document#content - ce60d060-efb8-4bfd-9cf7-ff8945d00d90: - categories: - - ALL - - boost-baseline - description: 'No password expiration policy ' - group: top10-insecure-design - name: ce60d060-efb8-4bfd-9cf7-ff8945d00d90 - pretty_name: Misconfigured Password Policy Expiration - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_account_password_policy - ce76b7d0-9e77-464d-b86f-c5c48e03e22d: - categories: - - ALL - - boost-baseline - description: 'Some capabilities are not needed in certain (or any) containers. - Make sure that you only add capabilities that your container needs. Drop unnecessary - capabilities as well. 
' - group: cloud-insecure-iam - name: ce76b7d0-9e77-464d-b86f-c5c48e03e22d - pretty_name: Container Capabilities Unrestricted - recommended: true - ref: https://docs.docker.com/compose/compose-file/compose-file-v3/#cap_add-cap_drop - ce7c874e-1b88-450b-a5e4-cb76ada3c8a9: - categories: - - ALL - - boost-baseline - description: 'Check if insecure SSL is being used in the GitHub organization webhooks ' - group: top10-crypto-failures - name: ce7c874e-1b88-450b-a5e4-cb76ada3c8a9 - pretty_name: Github Organization Webhook With SSL Disabled - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/github/latest/docs/resources/organization_webhook - ce9dfce0-5fc8-433b-944a-3b16153111a8: - categories: - - ALL - - boost-baseline - description: 'SSO permissions should be configured to limit user sessions to no - longer than 1 hour. Allowing longer sessions can increase the risk of unauthorized - access or session hijacking. This is a best practice for security and should - be implemented in SSO permission settings. 
' - group: cloud-insecure-iam - name: ce9dfce0-5fc8-433b-944a-3b16153111a8 - pretty_name: SSO Permission With Inadequate User Session Duration - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssoadmin_permission_set - ceefb058-8065-418f-9c4c-584a78c7e104: - categories: - - ALL - - boost-baseline - description: 'Operation Object should not use basic authentication ' - group: cloud-insecure-iam - name: ceefb058-8065-418f-9c4c-584a78c7e104 - pretty_name: Operation Using Basic Auth - recommended: true - ref: https://swagger.io/specification/v2/#operation-object - cefdad16-0dd5-4ac5-8ed2-a37502c78672: - categories: - - ALL - - boost-baseline - description: 'Service account should not have improper privileges like admin, - editor, owner, or write roles ' - group: cloud-insecure-iam - name: cefdad16-0dd5-4ac5-8ed2-a37502c78672 - pretty_name: Service Account with Improper Privileges - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/iam_policy#role - cf34805e-3872-4c08-bf92-6ff7bb0cfadb: - categories: - - ALL - - boost-baseline - description: 'Containers should only run as non-root user. 
This limits the exploitability - of security misconfigurations and restricts an attacker''s possibilities in - case of compromise ' - group: top10-insecure-design - name: cf34805e-3872-4c08-bf92-6ff7bb0cfadb - pretty_name: Container Running As Root - recommended: true - ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ - cf3c7631-cd1e-42f3-8801-a561214a6e79: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Checks if backup configuration is enabled for all Cloud SQL Database - instances ' - group: top10-software-data-integrity-failures - name: cf3c7631-cd1e-42f3-8801-a561214a6e79 - pretty_name: SQL DB Instance Backup Disabled - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/sql_database_instance - cf4a5f45-a27b-49df-843a-9911dbfe71d4: - categories: - - ALL - - boost-baseline - description: 'The Media Type value should match the following format: /[+suffix][;parameters] ' - group: top10-insecure-design - name: cf4a5f45-a27b-49df-843a-9911dbfe71d4 - pretty_name: Invalid Media Type Value (v3) - recommended: true - ref: https://swagger.io/specification/#media-type-object - cfdcabb0-fc06-427c-865b-c59f13e898ce: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'AWS Redshift Cluster should be encrypted. 
Check if ''encrypted'' - field is false or undefined (default is false) ' - group: top10-crypto-failures - name: cfdcabb0-fc06-427c-865b-c59f13e898ce - pretty_name: Redshift Not Encrypted - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/redshift_cluster#encrypted - cfdef2e5-1fe4-4ef4-bea8-c56e08963150: - categories: - - ALL - - boost-baseline - description: 'ElastiCache Nodes should be created across multi az, which means - ''AZMode'' should be set to ''cross-az'' in multi nodes cluster ' - group: top10-insecure-design - name: cfdef2e5-1fe4-4ef4-bea8-c56e08963150 - pretty_name: ElastiCache Nodes Not Created Across Multi AZ - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-elasticache-cache-cluster.html - cff9c3f7-e8f0-455f-9fb4-5f72326da96e: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'All Secrets must have an expiration date defined ' - group: top10-insecure-design - name: cff9c3f7-e8f0-455f-9fb4-5f72326da96e - pretty_name: Secret Without Expiration Date - recommended: true - ref: https://docs.microsoft.com/en-us/azure/templates/microsoft.keyvault/vaults/secrets?tabs=json#SecretAttributes - d0b4d550-c001-46c3-bbdb-d5d75d33f05f: - categories: - - ALL - - boost-baseline - description: 'Check if any VM instance disables OSLogin ' - group: cloud-weak-configuration - name: d0b4d550-c001-46c3-bbdb-d5d75d33f05f - pretty_name: OSLogin Is Disabled For VM Instance - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_instance - d0c13053-d2c8-44a6-95da-d592996e9e67: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'CloudFront Minimum Protocol version should be at least TLS 1.2 ' - group: cloud-weak-configuration - name: d0c13053-d2c8-44a6-95da-d592996e9e67 - pretty_name: CloudFront Without Minimum Protocol TLS 1.2 - recommended: true - ref: 
https://docs.ansible.com/ansible/latest/collections/community/aws/cloudfront_distribution_module.html#parameter-viewer_certificate/minimum_protocol_version - d0cc8694-fcad-43ff-ac86-32331d7e867f: - categories: - - ALL - - boost-baseline - description: 'S3 bucket allows public ACL ' - group: cloud-insecure-iam - name: d0cc8694-fcad-43ff-ac86-32331d7e867f - pretty_name: S3 Bucket Allows Public ACL - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block - d0f7da39-a2d5-4c78-bb85-4b7f338b3cbb: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Cloud SQL Database Instance should have SLL enabled ' - group: top10-crypto-failures - name: d0f7da39-a2d5-4c78-bb85-4b7f338b3cbb - pretty_name: SQL DB Instance With SSL Disabled - recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_sql_instance_module.html#parameter-settings/ip_configuration/require_ssl - d15db953-a553-4b8a-9a14-a3d62ea3d79d: - categories: - - ALL - - boost-baseline - description: 'Components callbacks definitions should be referenced or removed - from Open API definition ' - group: top10-insecure-design - name: d15db953-a553-4b8a-9a14-a3d62ea3d79d - pretty_name: Components Callback Definition Is Unused - recommended: true - ref: https://swagger.io/specification/#components-object - d172a060-8569-4412-8045-3560ebd477e8: - categories: - - ALL - - boost-baseline - description: 'OpenAPI Object should contain all of its required fields ' - group: top10-insecure-design - name: d172a060-8569-4412-8045-3560ebd477e8 - pretty_name: Object Without Required Property (v3) - recommended: true - ref: https://swagger.io/specification/ - d1846b12-20c5-4d45-8798-fc35b79268eb: - categories: - - ALL - - boost-baseline - description: 'ECR should have an image tag be immutable. This prevents image tags - from being overwritten. 
' - group: cloud-weak-configuration - name: d1846b12-20c5-4d45-8798-fc35b79268eb - pretty_name: ECR Image Tag Not Immutable - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_repository - d2361d58-361c-49f0-9e50-b957fd608b29: - categories: - - ALL - - boost-baseline - description: 'Schema should not have both ''writeOnly'' and ''readOnly'' set to - true ' - group: top10-insecure-design - name: d2361d58-361c-49f0-9e50-b957fd608b29 - pretty_name: Schema With Both ReadOnly And WriteOnly - recommended: true - ref: https://swagger.io/specification/#schema-object - d24389b4-b209-4ff0-8345-dc7a4569dcdd: - categories: - - ALL - - boost-baseline - description: 'Amazon ECS must have the HealthCheck property defined to give more - control over monitoring the health of tasks ' - group: top10-security-logging-monitoring-failures - name: d24389b4-b209-4ff0-8345-dc7a4569dcdd - pretty_name: ECS Task Definition HealthCheck Missing - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ecs-taskdefinition-healthcheck.html - d24c0755-c028-44b1-b503-8e719c898832: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'S3 Buckets must not allow Put Action From All Principals, as to - prevent leaking private information to the entire internet or allow unauthorized - data tampering / deletion. This means the ''Effect'' must not be ''Allow'' when - the ''Action'' is Put, for all Principals. 
' - group: cloud-insecure-iam - name: d24c0755-c028-44b1-b503-8e719c898832 - pretty_name: S3 Bucket Allows Put Action From All Principals - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy - d25edb51-07fb-4a73-97d4-41cecdc53a22: - categories: - - ALL - - boost-baseline - description: 'Glue policy should avoid wildcard in ''principals'' and ''actions'' ' - group: cloud-insecure-iam - name: d25edb51-07fb-4a73-97d4-41cecdc53a22 - pretty_name: Glue With Vulnerable Policy - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/glue_resource_policy#policy - d2731f3d-a992-44ed-812e-f4f1c2747d71: - categories: - - ALL - - boost-baseline - description: 'Every VPC resource should have an associated Flow Log ' - group: top10-security-logging-monitoring-failures - name: d2731f3d-a992-44ed-812e-f4f1c2747d71 - pretty_name: VPC Flow Logs Disabled - recommended: true - ref: https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/vpc_flow_log - d2ad057f-0928-41ef-a83c-f59203bb855b: - categories: - - ALL - - boost-baseline - description: 'If not needed, disabling the dashboard can prevent from being used - as an attack vector ' - group: cloud-weak-configuration - name: d2ad057f-0928-41ef-a83c-f59203bb855b - pretty_name: Dashboard Is Enabled - recommended: true - ref: https://kubernetes.io/docs/tasks/access-application-cluster/web-ui-dashboard/ - d31cb911-bf5b-4eb6-9fc3-16780c77c7bd: - categories: - - ALL - - boost-baseline - description: 'AWS CloudFront distributions should have logging enabled to collect - all viewer requests, which means the attribute ''logging'' should be defined - with ''enabled'' set to true ' - group: top10-security-logging-monitoring-failures - name: d31cb911-bf5b-4eb6-9fc3-16780c77c7bd - pretty_name: CloudFront Logging Disabled - recommended: true - ref: 
https://docs.ansible.com/ansible/latest/collections/community/aws/cloudfront_distribution_module.html - d3499f6d-1651-41bb-a9a7-de925fea487b: - categories: - - ALL - - boost-baseline - description: 'Package version pinning reduces the range of versions that can be - installed, reducing the chances of failure due to unanticipated changes ' - group: supply-chain-scm-weak-configuration - name: d3499f6d-1651-41bb-a9a7-de925fea487b - pretty_name: Unpinned Package Version in Apk Add - recommended: true - ref: https://docs.docker.com/develop/develop-images/dockerfile_best-practices/ - d364984a-a222-4b5f-a8b0-e23ab19ebff3: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Athena Workgroup query results should be encrypted, for all queries - that run in the workgroup ' - group: top10-crypto-failures - name: d364984a-a222-4b5f-a8b0-e23ab19ebff3 - pretty_name: Athena Workgroup Not Encrypted - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/athena_workgroup#encryption_configuration - d395a950-12ce-4314-a742-ac5a785ab44e: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'S3 Buckets must not allow List Action From All Principals, as to - prevent leaking private information to the entire internet or allow unauthorized - data tampering / deletion. This means the ''Effect'' must not be ''Allow'' when - the ''Action'' is List, for all Principals. 
' - group: cloud-insecure-iam - name: d395a950-12ce-4314-a742-ac5a785ab44e - pretty_name: S3 Bucket Allows List Action From All Principals - recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/amazon/aws/s3_bucket_module.html - d39761d7-94ab-45b0-ab5e-27c44e381d58: - categories: - - ALL - - boost-baseline - description: 'AWS CloudFormation should have stack notifications enabled to be - notified when an event occurs ' - group: top10-security-logging-monitoring-failures - name: d39761d7-94ab-45b0-ab5e-27c44e381d58 - pretty_name: Stack Notifications Disabled - recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/amazon/aws/cloudformation_module.html#parameter-notification_arns - d3ea644a-9a5c-4fee-941f-f8a6786c0470: - categories: - - ALL - - boost-baseline - description: 'Property ''style'' of the encoding object should be defined when - the media type of the request body is ''application/x-www-form-urlencoded''. - If not, it will be ignored. ' - group: top10-insecure-design - name: d3ea644a-9a5c-4fee-941f-f8a6786c0470 - pretty_name: Property 'style' of Encoding Object Ignored - recommended: true - ref: https://swagger.io/specification/#encoding-object - d40210ea-64b9-4cce-a4fb-e8604f3c062c: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'It''s not recommended to use plaintext environment variables for - sensitive information, such as credential data. 
' - group: top10-crypto-failures - name: d40210ea-64b9-4cce-a4fb-e8604f3c062c - pretty_name: ECS Task Definition Container With Plaintext Password - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecs_task_definition - d40f27e6-15fb-4b56-90f8-fc0ff0291c51: - categories: - - ALL - - boost-baseline - description: 'Parameter Object reference must always point to ''#/components/parameters'' ' - group: top10-insecure-design - name: d40f27e6-15fb-4b56-90f8-fc0ff0291c51 - pretty_name: Parameter Object With Incorrect Ref (v3) - recommended: true - ref: https://swagger.io/specification/#parameter-object - d43366c5-80b0-45de-bbe8-2338f4ab0a83: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Master authorized networks must be enabled in GKE clusters ' - group: cloud-resources-public-access - name: d43366c5-80b0-45de-bbe8-2338f4ab0a83 - pretty_name: GKE Master Authorized Networks Disabled - recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_container_cluster_module.html#parameter-master_authorized_networks_config/enabled - d45330fd-f58d-45fb-a682-6481477a0f84: - categories: - - ALL - - boost-baseline - description: 'Roles or ClusterRoles with RBAC permissions to attach to containers - via ''kubectl attach'' could be abused by attackers to read log output (stdout, - stderr) and send input data (stdin) to running processes. Additionally, it would - allow a malicious user to attach to a privileged container resulting in a privilege - escalation attack. 
To prevent this, the ''pods/attach'' verb should not be used - in production environments ' - group: cloud-insecure-iam - name: d45330fd-f58d-45fb-a682-6481477a0f84 - pretty_name: RBAC Roles with Attach Permission - recommended: true - ref: https://kubernetes.io/docs/reference/access-authn-authz/rbac/ - d47940ca-5970-45cc-bdd1-4d81398cee1f: - categories: - - ALL - - boost-baseline - description: 'Operation summary should be short (less than 120 characters) ' - group: top10-insecure-design - name: d47940ca-5970-45cc-bdd1-4d81398cee1f - pretty_name: Operation Summary Too Long - recommended: true - ref: https://swagger.io/specification/v2/#operation-object - d4a73c49-cbaa-4c6f-80ee-d6ef5a3a26f5: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Checks if logging is enabled for CloudTrail. ' - group: top10-security-logging-monitoring-failures - name: d4a73c49-cbaa-4c6f-80ee-d6ef5a3a26f5 - pretty_name: CloudTrail Logging Disabled - recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/community/aws/cloudtrail_module.html#parameter-enable_logging - d4e43db5-54d8-4dda-b3c2-0dc6f31a46bd: - categories: - - ALL - - boost-baseline - description: 'The Header Response should not be named as ''Content-Type'', ''Authorization'' - or ''Accept''. If so, it will be ignored. ' - group: top10-insecure-design - name: d4e43db5-54d8-4dda-b3c2-0dc6f31a46bd - pretty_name: Header Response Name Is Invalid (v3) - recommended: true - ref: https://swagger.io/specification/#response-object - d532566b-8d9d-4f3b-80bd-361fe802f9c2: - categories: - - ALL - - boost-baseline - description: 'Check if the root container filesystem is not being mounted as read-only. 
' - group: supply-chain-cicd-weak-configuration - name: d532566b-8d9d-4f3b-80bd-361fe802f9c2 - pretty_name: Root Container Not Mounted As Read-only - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#read_only_root_filesystem - d53323be-dde6-4457-9a43-42df737e71d2: - categories: - - ALL - description: 'A list of Kinesis resources found. Amazon Kinesis is a real-time - streaming service that provides collection, processing, and analysis of video - and data streams in real-time ' - group: supply-chain-missing-artifact-integrity-verification - name: d53323be-dde6-4457-9a43-42df737e71d2 - pretty_name: BOM - AWS Kinesis - ref: https://kics.io/ - d53f4123-f8d8-4224-8cb3-f920b151cc98: - categories: - - ALL - - boost-baseline - description: 'log_disconnections parameter should be set to ON for RDS instances ' - group: top10-security-logging-monitoring-failures - name: d53f4123-f8d8-4224-8cb3-f920b151cc98 - pretty_name: RDS Instance Log Disconnections Disabled - recommended: true - ref: https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/db_instance#parameters - d58c6f24-3763-4269-9f5b-86b2569a003b: - categories: - - ALL - - boost-baseline - description: 'Google Container Node Pool Auto Repair should be enabled. This service - periodically checks for failing nodes and repairs them to ensure a smooth running - state. ' - group: cloud-weak-configuration - name: d58c6f24-3763-4269-9f5b-86b2569a003b - pretty_name: Google Container Node Pool Auto Repair Disabled - recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_container_node_pool_module.html - d5d1fe08-89db-440c-8725-b93223387309: - categories: - - ALL - - boost-baseline - description: 'Serverless should have API Gateway with Content Encoding enabled - through the attribute ''minimumCompressionSize''. 
This value should be greater - than -1 and smaller than 10485760 ' - group: top10-crypto-failures - name: d5d1fe08-89db-440c-8725-b93223387309 - pretty_name: Serverless API Without Content Encoding - recommended: true - ref: https://www.serverless.com/framework/docs/providers/aws/events/apigateway#compression - d5e83b32-56dd-4247-8c2e-074f43b38a5e: - categories: - - ALL - - boost-baseline - description: 'Azure Container Service (AKS) instance should have logging enabled - to Azure Monitoring ' - group: top10-security-logging-monitoring-failures - name: d5e83b32-56dd-4247-8c2e-074f43b38a5e - pretty_name: AKS Monitoring Logging Disabled - recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_aks_module.html - d5ec2080-340a-4259-b885-f833c4ea6a31: - categories: - - ALL - - boost-baseline - description: 'The certificate should use a RSA key with a length equal to or higher - than 256 bytes ' - group: cloud-weak-configuration - name: d5ec2080-340a-4259-b885-f833c4ea6a31 - pretty_name: Certificate RSA Key Bytes Lower Than 256 - recommended: true - ref: https://docs.ansible.com/ansible/2.10/collections/community/aws/aws_acm_module.html - d6047119-a0b2-4b59-a4f2-127a36fb685b: - categories: - - ALL - - boost-baseline - description: 'Role with privilege escalation by actions ''iam:PutGroupPolicy'' - and Resource set to ''*''. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. ' - group: cloud-insecure-iam - name: d6047119-a0b2-4b59-a4f2-127a36fb685b - pretty_name: Role With Privilege Escalation By Actions 'iam:PutGroupPolicy' - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy#policy - d6355c88-1e8d-49e9-b2f2-f8a1ca12c75b: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Docker socket docker.sock should not be mounted on host. 
If the - docker socket is mounted, it can allow its processes to execute docker commands. ' - group: supply-chain-cicd-weak-configuration - name: d6355c88-1e8d-49e9-b2f2-f8a1ca12c75b - pretty_name: Docker Socket Mounted In Container - recommended: true - ref: https://docs.docker.com/compose/compose-file/#volumes - d6653eee-2d4d-4e6a-976f-6794a497999a: - categories: - - ALL - - boost-baseline - description: 'API Gateway should have valid compression, which means attribute - ''MinimumCompressionSize'' should be set and its value should be greater than - -1 and smaller than 10485760. ' - group: top10-crypto-failures - name: d6653eee-2d4d-4e6a-976f-6794a497999a - pretty_name: API Gateway With Invalid Compression - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigateway-restapi.html - d674aea4-ba8b-454b-bb97-88a772ea33f0: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Security object need to have defined rules in its array and rules - should be defined on securityScheme ' - group: cloud-insecure-iam - name: d674aea4-ba8b-454b-bb97-88a772ea33f0 - pretty_name: Global Security Field Has An Empty Array (v3) - recommended: true - ref: https://swagger.io/specification/#security-requirement-object - d6c2d06f-43c1-488a-9ba1-8d75b40fc62d: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Amazon Elasticsearch does not have encryption for its domains enabled. - To prevent such a scenario, update the attribute ''EnforceHTTPS'' to true. 
' - group: cloud-resources-public-access - name: d6c2d06f-43c1-488a-9ba1-8d75b40fc62d - pretty_name: Elasticsearch with HTTPS disabled - recommended: true - ref: https://docs.ansible.com/ansible/devel/collections/community/aws/opensearch_module.html - d6cabc3a-d57e-48c2-b341-bf3dd4f4a120: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Cloud storage bucket should have logging enabled ' - group: top10-security-logging-monitoring-failures - name: d6cabc3a-d57e-48c2-b341-bf3dd4f4a120 - pretty_name: Cloud Storage Bucket Logging Not Enabled - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/storage_bucket#log_bucket - d6e10477-2e19-4bcd-b8a8-19c65b89ccdf: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Kubernetes nodes must have auto upgrades set to true, which means - Node ''auto_upgrade'' should be enabled for Kubernetes Clusters ' - group: cloud-insecure-iam - name: d6e10477-2e19-4bcd-b8a8-19c65b89ccdf - pretty_name: Node Auto Upgrade Disabled - recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_container_node_pool_module.html#parameter-management/auto_upgrade - d6fae5b6-ada9-46c0-8b36-3108a2a2f77b: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'PostgreSQL database ''log_temp_files'' flag isn''t set to ''0'' ' - group: top10-security-logging-monitoring-failures - name: d6fae5b6-ada9-46c0-8b36-3108a2a2f77b - pretty_name: PostgreSQL Logging Of Temporary Files Disabled - recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_sql_instance_module.html#parameter-settings/database_flags - d71b5fd7-9020-4b2d-9ec8-b3839faa2744: - categories: - - ALL - - boost-baseline - description: 'Check if any AWS Support policy does not have any role and users - and group associated, which means that is not being managed. 
' - group: cloud-insecure-iam - name: d71b5fd7-9020-4b2d-9ec8-b3839faa2744 - pretty_name: Support Has No Role Associated - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-policy.html - d72a7869-e8b9-4e12-bcd2-e8be10b39fa7: - categories: - - ALL - - boost-baseline - description: 'IAM password should have the required symbols ' - group: top10-insecure-design - name: d72a7869-e8b9-4e12-bcd2-e8be10b39fa7 - pretty_name: IAM Password Without Symbol - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/quickref-iam.html#scenario-iam-user - d740d048-8ed3-49d3-b77b-6f072f3b669e: - categories: - - ALL - - boost-baseline - description: 'Check if StatefulSet resources don''t have a podAntiAffinity policy, - which prevents multiple pods from being scheduled on the same node. ' - group: cloud-insecure-iam - name: d740d048-8ed3-49d3-b77b-6f072f3b669e - pretty_name: StatefulSet Has No PodAntiAffinity - recommended: true - ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ - d7467bb6-3ed1-4c82-8095-5e7a818d0aad: - categories: - - ALL - - boost-baseline - description: 'CodeBuild Project should be encrypted, which means ''EncryptionKey'' - should be defined ' - group: top10-crypto-failures - name: d7467bb6-3ed1-4c82-8095-5e7a818d0aad - pretty_name: CodeBuild Not Encrypted - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-codebuild-project.html - d7a5616f-0a3f-4d43-bc2b-29d1a183e317: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'PostgreSQL database instance should have a ''log_connections'' flag - with its value set to ''on'' ' - group: top10-security-logging-monitoring-failures - name: d7a5616f-0a3f-4d43-bc2b-29d1a183e317 - pretty_name: PostgreSQL Log Connections Disabled - recommended: true - ref: 
https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_sql_instance_module.html#parameter-settings/database_flags - d7b9d850-3e06-4a75-852f-c46c2e92240b: - categories: - - ALL - - boost-baseline - description: 'AWS Access Key should not be hardcoded ' - group: cloud-weak-secrets-management - name: d7b9d850-3e06-4a75-852f-c46c2e92240b - pretty_name: Hardcoded AWS Access Key - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/instance - d7ba74da-2da0-4d4b-83c8-2fd72a3f6c28: - categories: - - ALL - - boost-baseline - description: 'Azure SQL Server Accessibility should be set to a minimal address - range to grant the principle of least privileges, which means the difference - between the values of the ''end_ip_address'' and ''start_ip_address'' must be - less than 256. Additionally, both ips must be different from ''0.0.0.0''. ' - group: cloud-resources-public-access - name: d7ba74da-2da0-4d4b-83c8-2fd72a3f6c28 - pretty_name: Unrestricted SQL Server Access - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/sql_firewall_rule - d83bebc8-4e5e-4241-b783-cba9fb5a1c9a: - categories: - - ALL - - boost-baseline - description: Contact Object Email should be a valid email - group: top10-insecure-design - name: d83bebc8-4e5e-4241-b783-cba9fb5a1c9a - pretty_name: Invalid Contact Email (v2) - recommended: true - ref: https://swagger.io/specification/v2/#contactObject - d855ced8-6157-448f-9f1d-f05a41d046f7: - categories: - - ALL - - boost-baseline - description: 'Make sure that your Azure Storage Account access is limited to those - who require it. 
' - group: cloud-insecure-iam - name: d855ced8-6157-448f-9f1d-f05a41d046f7 - pretty_name: Default Azure Storage Account Network Access Is Too Permissive - recommended: true - ref: https://learn.microsoft.com/en-us/azure/templates/microsoft.storage/storageaccounts - d86655c0-92f6-4ffc-b4d5-5b5775804c27: - categories: - - ALL - - boost-baseline - description: 'HTTP Responses status code should be in range of [200-599] ' - group: top10-insecure-design - name: d86655c0-92f6-4ffc-b4d5-5b5775804c27 - pretty_name: Responses With Wrong HTTP Status Code (v3) - recommended: true - ref: https://swagger.io/specification/#responses-object - d89a15bb-8dba-4c71-9529-bef6729b9c09: - categories: - - ALL - - boost-baseline - description: 'When using kube-apiserver command, the ''--request-timeout'' flag - value should not be too long ' - group: top10-insecure-design - name: d89a15bb-8dba-4c71-9529-bef6729b9c09 - pretty_name: Request Timeout Not Properly Set - recommended: true - ref: https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/ - d8c57c4e-bf6f-4e32-a2bf-8643532de77b: - categories: - - ALL - - boost-baseline - description: 'KMS encryption keys should be rotated every 90 days or less. A short - lifetime of encryption keys reduces the potential blast radius in case of compromise. 
' - group: cloud-weak-secrets-management - name: d8c57c4e-bf6f-4e32-a2bf-8643532de77b - pretty_name: High Google KMS Crypto Key Rotation Period - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/kms_crypto_key - d90d4e40-44c1-4125-87a0-e072c3e195b5: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'API Keys should not be sent as cleartext over an unencrypted channel ' - group: cloud-insecure-iam - name: d90d4e40-44c1-4125-87a0-e072c3e195b5 - pretty_name: Cleartext API Key In Operation Security (v3) - recommended: true - ref: https://swagger.io/specification/#security-scheme-object - d926aa95-0a04-4abc-b20c-acf54afe38a1: - categories: - - ALL - - boost-baseline - description: 'Check if any ElasticSearch domain isn''t encrypted with KMS. ' - group: top10-crypto-failures - name: d926aa95-0a04-4abc-b20c-acf54afe38a1 - pretty_name: ElasticSearch Encryption With KMS Disabled - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-elasticsearch-domain.html#cfn-elasticsearch-domain-encryptionatrestoptions - d929c031-078f-4241-b802-e224656ad890: - categories: - - ALL - - boost-baseline - description: 'The format should be valid for the type defined. For integer type - must be int32 or int64 and number type must be float or double ' - group: cloud-weak-configuration - name: d929c031-078f-4241-b802-e224656ad890 - pretty_name: Invalid Format (v3) - recommended: true - ref: https://swagger.io/docs/specification/data-models/data-types/ - d991e4ae-42ab-429b-ab43-d5e5fa9ca633: - categories: - - ALL - - boost-baseline - description: 'It''s considered a best practice for an EC2 instance to use an EBS - optimized instance. 
This provides the best performance for your EBS volumes - by minimizing contention between Amazon EBS I/O and other traffic from your - instance ' - group: top10-insecure-design - name: d991e4ae-42ab-429b-ab43-d5e5fa9ca633 - pretty_name: EC2 Not EBS Optimized - recommended: true - ref: https://www.pulumi.com/registry/packages/aws/api-docs/ec2/instance/#ebsoptimized_yaml - d994585f-defb-4b51-b6d2-c70f020ceb10: - categories: - - ALL - - boost-baseline - description: 'Checks for dangerous permissions in Action statements in an SQS - Queue Policy. This is deemed a potential security risk as it would allow various - attacks to the queue ' - group: cloud-insecure-iam - name: d994585f-defb-4b51-b6d2-c70f020ceb10 - pretty_name: SQS Policy With Public Access - recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/community/aws/sqs_queue_module.html - d9dc6429-5140-498a-8f55-a10daac5f000: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'RDS must not be defined with public interface, which means the attribute - ''PubliclyAccessible'' must be set to false and neither dbSubnetGroupName'' - subnets being part of a VPC that has an Internet gateway attached to it ' - group: cloud-weak-configuration - name: d9dc6429-5140-498a-8f55-a10daac5f000 - pretty_name: RDS DB Instance Publicly Accessible - recommended: true - ref: https://doc.crds.dev/github.com/crossplane/provider-aws/database.aws.crossplane.io/RDSInstance/v1beta1@v0.17.0 - da31d54b-ad54-41dc-95eb-8b3828629213: - categories: - - ALL - - boost-baseline - - boost-hardened - description: Security object need to have defined rules in its array and rules - should be defined on securityScheme - group: cloud-insecure-iam - name: da31d54b-ad54-41dc-95eb-8b3828629213 - pretty_name: Global Security Field Has An Empty Array (v2) - recommended: true - ref: https://swagger.io/specification/v2/#security-requirement-object - da4f2739-174f-4cdd-b9ef-dc3f14b5931f: - categories: - - ALL - - 
boost-baseline - description: 'Azure Virtual Network subnet must be configured with a Network Security - Group, which means the attribute ''security_group'' must be defined and not - empty ' - group: cloud-weak-configuration - name: da4f2739-174f-4cdd-b9ef-dc3f14b5931f - pretty_name: Security Group is Not Configured - recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_subnet_module.html - da905474-7454-43c0-b8d2-5756ab951aba: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'The KMS key has a policy that is too permissive, as it provides - the AWS account owner with access to all AWS KMS operations, therefore violating - the principle of least privilege. ' - group: cloud-weak-configuration - name: da905474-7454-43c0-b8d2-5756ab951aba - pretty_name: KMS Key With Full Permissions - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-kms-key.html#cfn-kms-key-keypolicy - da9f3aa8-fbfb-472f-b5a1-576127944218: - categories: - - ALL - - boost-baseline - description: 'When using kube-apiserver command, the ''--audit-log-maxage'' flag - should be defined and set to 30 or more days ' - group: top10-security-logging-monitoring-failures - name: da9f3aa8-fbfb-472f-b5a1-576127944218 - pretty_name: Audit Log Maxage Not Properly Set - recommended: true - ref: https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/ - daa581ef-731c-4121-832d-cf078f67759d: - categories: - - ALL - - boost-baseline - description: 'EC2 Instance should have detailed monitoring enabled. 
With detailed - monitoring enabled data is available in 1-minute periods ' - group: top10-security-logging-monitoring-failures - name: daa581ef-731c-4121-832d-cf078f67759d - pretty_name: EC2 Instance Monitoring Disabled - recommended: true - ref: https://www.pulumi.com/registry/packages/aws/api-docs/ec2/instance/#monitoring_yaml - daaace5f-c0dc-4835-b526-7a116b7f4b4e: - categories: - - ALL - - boost-baseline - description: 'All Enum Names should follow CamelCase and start with Capital Letter ' - group: top10-insecure-design - name: daaace5f-c0dc-4835-b526-7a116b7f4b4e - pretty_name: Enum Name Not CamelCase - recommended: true - ref: https://developers.google.com/protocol-buffers/docs/reference/proto3-spec#enum_definition - dab4ec72-ce2e-4732-b7c3-1757dcce01a1: - categories: - - ALL - - boost-baseline - description: 'When using kube-apiserver command, the ''--service-account-key-file'' - flag should be defined ' - group: cloud-weak-secrets-management - name: dab4ec72-ce2e-4732-b7c3-1757dcce01a1 - pretty_name: Service Account Key File Not Properly Set - recommended: true - ref: https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/ - dadc2f36-1f5a-46c0-8289-75e626583123: - categories: - - ALL - - boost-baseline - description: 'Schema discriminator property should be a string ' - group: top10-insecure-design - name: dadc2f36-1f5a-46c0-8289-75e626583123 - pretty_name: Schema Discriminator Property Not String (v3) - recommended: true - ref: https://swagger.io/specification/#discriminator-object - dae9c373-8287-462f-8746-6f93dad93610: - categories: - - ALL - - boost-baseline - description: 'AWS Security Group Egress should have a single port ' - group: cloud-resources-public-access - name: dae9c373-8287-462f-8746-6f93dad93610 - pretty_name: Security Group Egress With Port Range - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-security-group-egress.html - 
dafe30ec-325d-4516-85d1-e8e6776f012c: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Azure Instances should use SSH Key instead of basic authentication ' - group: top10-insecure-design - name: dafe30ec-325d-4516-85d1-e8e6776f012c - pretty_name: Azure Instance Using Basic Authentication - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/linux_virtual_machine#admin_ssh_key - db0ec4c4-852c-46a2-b4f3-7ec13cdb12a8: - categories: - - ALL - - boost-baseline - description: 'CloudWatch Logs destination policy should avoid wildcard in ''principals'' - and ''actions'' ' - group: cloud-insecure-iam - name: db0ec4c4-852c-46a2-b4f3-7ec13cdb12a8 - pretty_name: CloudWatch Logs Destination With Vulnerable Policy - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_destination_policy#access_policy - db78d14b-10e5-4e6e-84b1-dace6327b1ec: - categories: - - ALL - - boost-baseline - description: 'Group with privilege escalation by actions ''iam:AttachUserPolicy'' - and Resource set to ''*''. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. 
' - group: cloud-insecure-iam - name: db78d14b-10e5-4e6e-84b1-dace6327b1ec - pretty_name: Group With Privilege Escalation By Actions 'iam:AttachUserPolicy' - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_policy#policy - dbbc6705-d541-43b0-b166-dd4be8208b54: - categories: - - ALL - - boost-baseline - description: 'Containers should drop ''ALL'' or at least ''NET_RAW'' capabilities ' - group: cloud-weak-configuration - name: dbbc6705-d541-43b0-b166-dd4be8208b54 - pretty_name: NET_RAW Capabilities Not Being Dropped - recommended: true - ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ - dbe058d7-b82e-430b-8426-992b2e4677e7: - categories: - - ALL - - boost-baseline - description: 'The node image should be Container-Optimized OS(COS) ' - group: cloud-weak-configuration - name: dbe058d7-b82e-430b-8426-992b2e4677e7 - pretty_name: COS Node Image Not Used - recommended: true - ref: https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1/projects.zones.clusters.nodePools - dbfc834a-56e5-4750-b5da-73fda8e73f70: - categories: - - ALL - - boost-baseline - description: 'SLB Policy should not support insecure versions of TLS protocol ' - group: top10-crypto-failures - name: dbfc834a-56e5-4750-b5da-73fda8e73f70 - pretty_name: SLB Policy With Insecure TLS Version In Use - recommended: true - ref: https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/slb_tls_cipher_policy - dc126833-125a-40fb-905a-ce5f2afde240: - categories: - - ALL - - boost-baseline - description: 'Kubernetes Engine Clusters should not be configured to use the default - service account ' - group: cloud-weak-configuration - name: dc126833-125a-40fb-905a-ce5f2afde240 - pretty_name: GKE Using Default Service Account - recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_container_cluster_module.html#parameter-node_config/service_account - 
dc158941-28ce-481d-a7fa-dc80761edf46: - categories: - - ALL - - boost-baseline - description: 'RDS Instance SQL Retention Period should be greater than 180 ' - group: top10-security-logging-monitoring-failures - name: dc158941-28ce-481d-a7fa-dc80761edf46 - pretty_name: RDS Instance Retention Period Not Recommended - recommended: true - ref: https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/db_instance#sql_collector_config_value - dc17ee4b-ddf2-4e23-96e8-7a36abad1303: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'CloudFront Minimum Protocol version should be at least TLS 1.2 ' - group: cloud-weak-configuration - name: dc17ee4b-ddf2-4e23-96e8-7a36abad1303 - pretty_name: CloudFront Without Minimum Protocol TLS 1.2 - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cloudfront-distribution.html - dc1ab429-1481-4540-9b1d-280e3f15f1f8: - categories: - - ALL - - boost-baseline - description: 'AWS Serverless Function should have Tracing enabled. 
For this, property - ''Tracing'' should have the value ''Active'' ' - group: top10-security-logging-monitoring-failures - name: dc1ab429-1481-4540-9b1d-280e3f15f1f8 - pretty_name: Serverless Function Without X-Ray Tracing - recommended: true - ref: https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-resource-function.html#sam-function-tracing - dc5c5fee-6c53-43b0-ab11-4c660e064aaf: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Kubernetes nodes must have auto upgrades set to true, which means - the attribute ''nodePools'' must be defined and the subattribute ''managment'' - must be defined and have the attribute ''autoUpgrade'' set to true ' - group: cloud-insecure-iam - name: dc5c5fee-6c53-43b0-ab11-4c660e064aaf - pretty_name: Node Auto Upgrade Disabled - recommended: true - ref: https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1/projects.zones.clusters - dcda2d32-e482-43ee-a926-75eaabeaa4e0: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'RAM Security preferences should enforce MFA login for RAM users ' - group: cloud-insecure-iam - name: dcda2d32-e482-43ee-a926-75eaabeaa4e0 - pretty_name: RAM Security Preference Not Enforce MFA Login - recommended: true - ref: https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/ram_security_preference#enforce_mfa_for_login - dd0971a6-09c3-4168-8474-a7ef8fbfd99d: - categories: - - ALL - - boost-baseline - description: 'Check if the Memcached is disabled on the ElastiCache ' - group: top10-crypto-failures - name: dd0971a6-09c3-4168-8474-a7ef8fbfd99d - pretty_name: Memcached Disabled - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-elasticache-cache-cluster.html#cfn-elasticache-cachecluster-engine - dd29336b-fe57-445b-a26e-e6aa867ae609: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Privileged containers lack essential 
security restrictions and should - be avoided by removing the ''privileged'' flag or by changing its value to false ' - group: cloud-weak-configuration - name: dd29336b-fe57-445b-a26e-e6aa867ae609 - pretty_name: Container Is Privileged - recommended: true - ref: https://kubernetes.io/docs/concepts/workloads/pods/#privileged-mode-for-containers - dd5230f8-a577-4bbb-b7ac-f2c2fe7d5299: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Anonymous, public read access to a container and its blobs are enabled - in Azure Blob Storage ' - group: cloud-insecure-iam - name: dd5230f8-a577-4bbb-b7ac-f2c2fe7d5299 - pretty_name: Storage Container Is Publicly Accessible - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_container#container_access_type - dd667399-8d9d-4a8d-bbb4-e49ab53b2f52: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'The CIDR IP should not be a public interface ' - group: cloud-weak-configuration - name: dd667399-8d9d-4a8d-bbb4-e49ab53b2f52 - pretty_name: DB Security Group Has Public Interface - recommended: true - ref: https://doc.crds.dev/github.com/crossplane/provider-aws/ec2.aws.crossplane.io/SecurityGroup/v1beta1@v0.29.0#spec-forProvider-ingress-ipRanges-cidrIp - dd690686-2bf9-4012-a821-f61912dd77be: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Kubernetes Clusters must be created with Client Certificate enabled, - which means ''masterAuth'' must have ''clientCertificateConfig'' with the attribute - ''issueClientCertificate'' equal to true ' - group: cloud-weak-configuration - name: dd690686-2bf9-4012-a821-f61912dd77be - pretty_name: Client Certificate Disabled - recommended: true - ref: https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1/projects.zones.clusters - dd706080-b7a8-47dc-81fb-3e8184430ec0: - categories: - - ALL - - boost-baseline - description: 'A unknown port, such as port 24 or port 
111, is open to the public - in either TCP or UDP or ALL protocol/protocols mentioned ' - group: cloud-resources-public-access - name: dd706080-b7a8-47dc-81fb-3e8184430ec0 - pretty_name: Public Security Group Rule Unknown Port - recommended: true - ref: https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/security_group_rule#port_range - dd7d70aa-a6ec-460d-b5d2-38b40253b16f: - categories: - - ALL - description: 'A list of Persistent Disk resources found. Persistent Disk is Google''s - local durable storage service, fully integrated with Google Cloud products, - Compute Engine and Google Kubernetes Engine. ' - group: supply-chain-missing-artifact-integrity-verification - name: dd7d70aa-a6ec-460d-b5d2-38b40253b16f - pretty_name: BOM - GCP PD - ref: https://kics.io/ - ddfc4eaa-af23-409f-b96c-bf5c45dc4daa: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'The HTTP port is open to the internet in a Security Group ' - group: cloud-resources-public-access - name: ddfc4eaa-af23-409f-b96c-bf5c45dc4daa - pretty_name: HTTP Port Open To Internet - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-security-group.html - de2b4910-8484-46d6-a055-dc1e793ee3ff: - categories: - - ALL - - boost-baseline - description: License Object URL should be a valid URL - group: top10-insecure-design - name: de2b4910-8484-46d6-a055-dc1e793ee3ff - pretty_name: Invalid License URL (v2) - recommended: true - ref: https://swagger.io/specification/v2/#licenseObject - de38e1d5-54cb-4111-a868-6f7722695007: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'RDS must not be defined with public interface, which means the attribute - ''PubliclyAccessible'' must be set to false. 
' - group: cloud-weak-configuration - name: de38e1d5-54cb-4111-a868-6f7722695007 - pretty_name: RDS DB Instance Publicly Accessible - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-rds-database-instance.html - de4421f1-4e35-43b4-9783-737dd4e4a47e: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'PodSecurityPolicy should set ''readOnly'' to true in every host - path allowed ' - group: cloud-insecure-iam - name: de4421f1-4e35-43b4-9783-737dd4e4a47e - pretty_name: PSP With Unrestricted Access to Host Path - recommended: true - ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems - de76a0d6-66d5-45c9-9022-f05545b85c78: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'AWS Redshift Cluster should have KMS CMK defined ' - group: top10-crypto-failures - name: de76a0d6-66d5-45c9-9022-f05545b85c78 - pretty_name: Redshift Cluster Without KMS CMK - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-redshift-cluster.html - de77cd9f-0e8b-46cc-b4a4-b6b436838642: - categories: - - ALL - - boost-baseline - description: 'AWS CloudFront distributions should have logging enabled to collect - all viewer requests, which means the attribute ''DistributionConfig.Logging'' - should be defined ' - group: top10-security-logging-monitoring-failures - name: de77cd9f-0e8b-46cc-b4a4-b6b436838642 - pretty_name: CloudFront Logging Disabled - recommended: true - ref: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/logging-and-monitoring.html - de7f5e83-da88-4046-871f-ea18504b1d43: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'AWS Application Load Balancer (alb) should not listen on HTTP ' - group: cloud-resources-public-access - name: de7f5e83-da88-4046-871f-ea18504b1d43 - pretty_name: ALB Listening on HTTP - recommended: true - ref: 
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_listener - de92dd34-1b88-43e8-b825-6e02d73c4549: - categories: - - ALL - - boost-baseline - description: 'IAM Password should have at least one lowercase letter ' - group: top10-insecure-design - name: de92dd34-1b88-43e8-b825-6e02d73c4549 - pretty_name: IAM Password Without Lowercase Letter - recommended: true - ref: https://www.pulumi.com/registry/packages/aws/api-docs/iam/accountpasswordpolicy/#requirelowercasecharacters_yaml - dec7bc85-d156-4f64-9a33-96ed3d9f3fed: - categories: - - ALL - - boost-baseline - description: 'Serverless Function should be configured for a Dead Letter Queue(DLQ). - A Dead Letter Queue(DLQ) can be set up in ''onError'' config parameter ' - group: cloud-weak-configuration - name: dec7bc85-d156-4f64-9a33-96ed3d9f3fed - pretty_name: Serverless Function Without Dead Letter Queue - recommended: true - ref: https://www.serverless.com/framework/docs/providers/aws/guide/functions#dead-letter-queue-dlq - ded017bf-fb13-4f8d-868b-84aebcc572ad: - categories: - - ALL - - boost-baseline - description: Schema Object Property key should be unique through out the fields - 'properties', 'allOf', 'additionalProperties' - group: top10-insecure-design - name: ded017bf-fb13-4f8d-868b-84aebcc572ad - pretty_name: Schema Object Properties With Duplicated Keys (v2) - recommended: true - ref: https://swagger.io/specification/v2/#schemaObject - dee21308-2a7a-49de-8ff7-c9b87e188575: - categories: - - ALL - - boost-baseline - description: 'Google Firewall should not allow SSH access (port 22) from the Internet - (public CIDR block) to ensure the principle of least privileges ' - group: cloud-resources-public-access - name: dee21308-2a7a-49de-8ff7-c9b87e188575 - pretty_name: SSH Access Is Not Restricted - recommended: true - ref: https://cloud.google.com/compute/docs/reference/rest/v1/firewalls - defe5b18-978d-4722-9325-4d1975d3699f: - categories: - - ALL - - boost-baseline - - 
boost-hardened - description: 'Batch Job Definition should not have Privileged Container Properties ' - group: cloud-weak-configuration - name: defe5b18-978d-4722-9325-4d1975d3699f - pretty_name: Batch Job Definition With Privileged Container Properties - recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/community/aws/aws_batch_job_definition_module.html - df58d46c-783b-43e0-bdd0-d99164f712ee: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Kubernetes Engine Clusters must have Legacy Authorization set to - disabled, which means the attribute ''legacyAbac.enabled'' must be false. ' - group: cloud-weak-configuration - name: df58d46c-783b-43e0-bdd0-d99164f712ee - pretty_name: GKE Legacy Authorization Enabled - recommended: true - ref: https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1/projects.locations.clusters#Cluster.LegacyAbac - df746b39-6564-4fed-bf85-e9c44382303c: - categories: - - ALL - - boost-baseline - description: 'After using apt-get install, it is needed to delete apt-get lists ' - group: supply-chain-scm-weak-configuration - name: df746b39-6564-4fed-bf85-e9c44382303c - pretty_name: Apt Get Install Lists Were Not Deleted - recommended: true - ref: https://docs.docker.com/develop/develop-images/dockerfile_best-practices/ - dfa20ffa-f476-428f-a490-424b41e91c7f: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Make sure that for all secrets the expiration date is set ' - group: cloud-weak-secrets-management - name: dfa20ffa-f476-428f-a490-424b41e91c7f - pretty_name: Secret Expiration Not Set - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_secret - dfb56e5d-ee68-446e-b32a-657b62befe69: - categories: - - ALL - - boost-baseline - description: 'Amplify Branch BasicAuthConfig Password must not be a plaintext - string or a Ref to a Parameter with a Default value. 
' - group: cloud-weak-secrets-management - name: dfb56e5d-ee68-446e-b32a-657b62befe69 - pretty_name: Amplify Branch Basic Auth Config Password Exposed - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-amplify-branch.html#cfn-amplify-branch-basicauthconfig - e0099af2-fe17-411f-9991-0de28fe15f3c: - categories: - - ALL - - boost-baseline - description: 'When using kube-apiserver command, the --enable-admission-plugins - flag should have ''EventRateLimit'' plugin and the plugin should be correctly - configured in AdmissionControl Config file ' - group: top10-insecure-design - name: e0099af2-fe17-411f-9991-0de28fe15f3c - pretty_name: Event Rate Limit Admission Control Plugin Not Set - recommended: true - ref: https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/ - e01de151-a7bd-4db4-b49b-3c4775a5e881: - categories: - - ALL - - boost-baseline - description: 'Redshift should not use the default port (5439) because an attacker - can easily guess the port ' - group: cloud-resources-public-access - name: e01de151-a7bd-4db4-b49b-3c4775a5e881 - pretty_name: Redshift Using Default Port - recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/community/aws/redshift_module.html#parameter-port - e055285c-bc01-48b4-8aa5-8a54acdd29df: - categories: - - ALL - - boost-baseline - description: 'Every ''Microsoft.Sql/servers/databases'' resource should have Auditing - Enabled ' - group: top10-security-logging-monitoring-failures - name: e055285c-bc01-48b4-8aa5-8a54acdd29df - pretty_name: SQL Server Database Without Auditing - recommended: true - ref: https://docs.microsoft.com/en-us/azure/templates/microsoft.sql/servers/databases/auditingsettings - e08ed7eb-f3ef-494d-9d22-2e3db756a347: - categories: - - ALL - - boost-baseline - description: 'Lambda Permission Principal should not contain a wildcard. 
' - group: cloud-insecure-iam - name: e08ed7eb-f3ef-494d-9d22-2e3db756a347 - pretty_name: Lambda Permission Principal Is Wildcard - recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/community/aws/lambda_policy_module.html - e0e00aba-5f1c-4981-a542-9a9563c0ee20: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Client Certificate Authentication should be Setup with a .pem or - .crt file ' - group: cloud-insecure-iam - name: e0e00aba-5f1c-4981-a542-9a9563c0ee20 - pretty_name: Client Certificate Authentication Not Setup Properly - recommended: true - ref: https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/ - e17fa86a-6222-4584-a914-56e8f6c87e06: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Check if any Tiller Deployment container allows access from within - the cluster. ' - group: cloud-resources-public-access - name: e17fa86a-6222-4584-a914-56e8f6c87e06 - pretty_name: Tiller Deployment Is Accessible From Within The Cluster - recommended: true - ref: https://kubernetes.io/docs/concepts/containers/images/ - e1e7b278-2a8b-49bd-a26e-66a7f70b17eb: - categories: - - ALL - - boost-baseline - description: 'Amazon Simple Queue Service (SQS) queue should protect the contents - of their messages using Server-Side Encryption (SSE) ' - group: top10-crypto-failures - name: e1e7b278-2a8b-49bd-a26e-66a7f70b17eb - pretty_name: SQS With SSE Disabled - recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/community/aws/sqs_queue_module.html#ansible-collections-community-aws-sqs-queue-module - e200a6f3-c589-49ec-9143-7421d4a2c845: - categories: - - ALL - - boost-baseline - description: "An AWS Elastic Load Balancer (ELB) shouldn\xB4t have security groups\ - \ without outbound rules " - group: cloud-resources-public-access - name: e200a6f3-c589-49ec-9143-7421d4a2c845 - pretty_name: ELB With Security Group Without Inbound Rules - recommended: true - ref: 
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-security-group.html#cfn-ec2-securitygroup-securitygroupingress - e227091e-2228-4b40-b046-fc13650d8e88: - categories: - - ALL - - boost-baseline - description: 'User with privilege escalation by actions ''iam:AttachRolePolicy'' - and Resource set to ''*''. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. ' - group: cloud-insecure-iam - name: e227091e-2228-4b40-b046-fc13650d8e88 - pretty_name: User With Privilege Escalation By Actions 'iam:AttachRolePolicy' - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy#policy - e24e18d9-4c2b-4649-b3d0-18c088145e24: - categories: - - ALL - - boost-baseline - description: 'AWS CloudWatch should have CloudWatch Logs enabled in order to monitor, - store, and access log events ' - group: top10-security-logging-monitoring-failures - name: e24e18d9-4c2b-4649-b3d0-18c088145e24 - pretty_name: CloudWatch Without Retention Period Specified - recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/community/aws/cloudwatchlogs_log_group_module.html - e25b56cd-a4d6-498f-ab92-e6296a082097: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Trusted Microsoft Services should be enabled for Storage Account - access ' - group: cloud-resources-public-access - name: e25b56cd-a4d6-498f-ab92-e6296a082097 - pretty_name: Trusted Microsoft Services Not Enabled - recommended: true - ref: https://docs.microsoft.com/en-us/azure/templates/microsoft.storage/storageaccounts?tabs=json#networkruleset - e28ceb92-d588-4166-aac5-766c8f5b7472: - categories: - - ALL - - boost-baseline - description: 'Unchangeable passwords in AWS password policy ' - group: cloud-weak-configuration - name: e28ceb92-d588-4166-aac5-766c8f5b7472 - pretty_name: AWS Password Policy With Unchangeable Passwords - recommended: true - ref: 
https://docs.ansible.com/ansible/latest/collections/community/aws/iam_password_policy_module.html - e29a75e6-aba3-4896-b42d-b87818c16b58: - categories: - - ALL - - boost-baseline - description: 'Redis Cache resources should not allow non-SSL connections ' - group: cloud-weak-configuration - name: e29a75e6-aba3-4896-b42d-b87818c16b58 - pretty_name: Redis Cache Allows Non SSL Connections - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/redis_cache - e2c83c1f-84d7-4467-966c-ed41fd015bb9: - categories: - - ALL - - boost-baseline - description: 'Ingress Controllers should not expose workload in order to avoid - vulnerabilities and DoS attacks ' - group: cloud-weak-configuration - name: e2c83c1f-84d7-4467-966c-ed41fd015bb9 - pretty_name: Ingress Controller Exposes Workload - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/ingress#http - e2d834b7-8b25-4935-af53-4a60668dcbe0: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Azure Instances should use SSH Key instead of basic authentication ' - group: top10-insecure-design - name: e2d834b7-8b25-4935-af53-4a60668dcbe0 - pretty_name: Azure Instance Using Basic Authentication - recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_virtualmachine_module.html#parameter-linux_config/disable_password_authentication - e2e00c97-7171-4fb4-b461-d631df9a711c: - categories: - - ALL - - boost-baseline - description: The header Parameter should not be named as 'Authorization'. If so, - it will be ignored. 
- group: top10-insecure-design - name: e2e00c97-7171-4fb4-b461-d631df9a711c - pretty_name: Header Parameter Named as 'Authorization' (v2) - recommended: true - ref: https://swagger.io/specification/v2/#parameterObject - e2ffa504-d22a-4c94-b6c5-f661849d2db7: - categories: - - ALL - - boost-baseline - description: 'Schema of the JSON object should have ''type'' defined. ' - group: cloud-weak-configuration - name: e2ffa504-d22a-4c94-b6c5-f661849d2db7 - pretty_name: JSON Object Schema Without Type (v3) - recommended: true - ref: https://swagger.io/specification/#schema-object - e35c16a2-d54e-419d-8546-a804d8e024d0: - categories: - - ALL - - boost-baseline - description: 'A sensitive port, such as port 23 or port 110, is open for a small - public network in either TCP or UDP protocol ' - group: cloud-resources-public-access - name: e35c16a2-d54e-419d-8546-a804d8e024d0 - pretty_name: Sensitive Port Is Exposed To Small Public Network - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group - e36d8880-3f78-4546-b9a1-12f0745ca0d5: - categories: - - ALL - - boost-baseline - description: 'Check if packages installed by npm are pinning a specific version. ' - group: supply-chain-scm-weak-configuration - name: e36d8880-3f78-4546-b9a1-12f0745ca0d5 - pretty_name: NPM Install Command Without Pinned Version - recommended: true - ref: https://docs.docker.com/engine/reference/builder/#run - e38a8e0a-b88b-4902-b3fe-b0fcb17d5c10: - categories: - - ALL - - boost-baseline - description: 'AWS services resource tags are an essential part of managing components. 
- As a best practice, the field ''tags'' should have additional tags defined other - than ''Name'' ' - group: top10-insecure-design - name: e38a8e0a-b88b-4902-b3fe-b0fcb17d5c10 - pretty_name: Resource Not Using Tags - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/guides/resource-tagging - e39bee8c-fe54-4a3f-824d-e5e2d1cca40a: - categories: - - ALL - - boost-baseline - description: 'Using the iam:passrole action with wildcards (*) in the resource - can be overly permissive because it allows iam:passrole permissions on multiple - resources ' - group: cloud-insecure-iam - name: e39bee8c-fe54-4a3f-824d-e5e2d1cca40a - pretty_name: IAM Role Policy passRole Allows All - recommended: true - ref: https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html#access-analyzer-reference-policy-checks-security-warning-pass-role-with-star-in-resource - e3aa0612-4351-4a0d-983f-aefea25cf203: - categories: - - ALL - - boost-baseline - description: 'Containers must not be allowed to run with root privileges, which - means the attributes ''privileged'',''allowPrivilegeEscalation'' and ''readOnlyRootFilesystem'' - must be set to false, ''runAsUser.rule'' must be set to ''MustRunAsNonRoot'', - and adding the root group must be forbidden ' - group: top10-insecure-design - name: e3aa0612-4351-4a0d-983f-aefea25cf203 - pretty_name: Root Containers Admitted - recommended: true - ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/ - e3f026e8-fdb4-4d5a-bcfd-bd94452073fe: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Security Definitions Object should be set and not empty ' - group: cloud-insecure-iam - name: e3f026e8-fdb4-4d5a-bcfd-bd94452073fe - pretty_name: Security Definitions Undefined or Empty - recommended: true - ref: https://swagger.io/specification/v2/#securityDefinitionsObject - e401d614-8026-4f4b-9af9-75d1197461ba: - categories: - - ALL - - boost-baseline - - 
boost-hardened - description: 'IAM policies shouldn''t allow full administrative privileges (for - all resources) ' - group: cloud-insecure-iam - name: e401d614-8026-4f4b-9af9-75d1197461ba - pretty_name: IAM Policies With Full Privileges - recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/community/aws/iam_managed_policy_module.html - e415f8d3-fc2b-4f52-88ab-1129e8c8d3f5: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'ECS Service''s security group should not allow unrestricted access - to all ports from all IPv4 addresses ' - group: cloud-resources-public-access - name: e415f8d3-fc2b-4f52-88ab-1129e8c8d3f5 - pretty_name: Fully Open Ingress - recommended: true - ref: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/get-set-up-for-amazon-ecs.html#create-a-base-security-group - e4239438-e639-44aa-adb8-866e400e3ade: - categories: - - ALL - - boost-baseline - description: 'IAM policies should be applied to groups and not to users ' - group: cloud-insecure-iam - name: e4239438-e639-44aa-adb8-866e400e3ade - pretty_name: IAM Policy On User - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-policy.html - e42a3ef0-5325-4667-84bf-075ba1c9d58e: - categories: - - ALL - - boost-baseline - description: 'EC2 Instances should not be configured under a default VPC network ' - group: cloud-resources-public-access - name: e42a3ef0-5325-4667-84bf-075ba1c9d58e - pretty_name: EC2 Instance Using Default VPC - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-instance.html#cfn-ec2-instance-subnetid - e4a019f0-9af3-49c8-bf68-1939a6ff240d: - categories: - - ALL - - boost-baseline - description: String schema should restrict the pattern - group: cloud-weak-configuration - name: e4a019f0-9af3-49c8-bf68-1939a6ff240d - pretty_name: String Schema with Broad Pattern (v2) - recommended: true - ref: 
https://swagger.io/specification/v2/#schema-object - e4ee3903-9225-4b6a-bdfb-e62dbadef821: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Ensure AWS ElastiCache Redis clusters have encryption for data at - rest enabled ' - group: top10-crypto-failures - name: e4ee3903-9225-4b6a-bdfb-e62dbadef821 - pretty_name: ElastiCache With Disabled at Rest Encryption - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-elasticache-replicationgroup.html#cfn-elasticache-replicationgroup-atrestencryptionenabled - e4f54ff4-d352-40e8-a096-5141073c37a2: - categories: - - ALL - - boost-baseline - description: 'Content Delivery Network (CDN) service is used within an AWS account - to secure and accelerate the delivery of websites. The use of a CDN can provide - a layer of security between your origin content and the destination. ' - group: top10-insecure-design - name: e4f54ff4-d352-40e8-a096-5141073c37a2 - pretty_name: CDN Configuration Is Missing - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cloudfront-distribution-distributionconfig.html - e50eb68a-a4af-4048-8bbe-8ec324421469: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'RDS Instance should have its storage encrypted by setting the parameter - to ''true''. The storageEncrypted default value is ''false''. ' - group: top10-crypto-failures - name: e50eb68a-a4af-4048-8bbe-8ec324421469 - pretty_name: DB Instance Storage Not Encrypted - recommended: true - ref: https://doc.crds.dev/github.com/crossplane/provider-aws/database.aws.crossplane.io/RDSInstance/v1beta1@v0.29.0#spec-forProvider-storageEncrypted - e519ed6a-8328-4b69-8eb7-8fa549ac3050: - categories: - - ALL - - boost-baseline - description: 'Check if MQ Brokers don''t have logging enabled in any of the two - options possible (audit and general). 
' - group: top10-security-logging-monitoring-failures - name: e519ed6a-8328-4b69-8eb7-8fa549ac3050 - pretty_name: MQ Broker Logging Disabled - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-amazonmq-broker.html#cfn-amazonmq-broker-logs - e52395b4-250b-4c60-81d5-2e58c1d37abc: - categories: - - ALL - - boost-baseline - description: 'When StorageEncrypted is set to true, KmsKeyId should be defined, - to avoid the use of the default KMS Key ' - group: top10-crypto-failures - name: e52395b4-250b-4c60-81d5-2e58c1d37abc - pretty_name: Default KMS Key Usage - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-rds-database-instance.html - e542bd46-58c4-4e0f-a52a-1fb4f9548e02: - categories: - - ALL - - boost-baseline - description: 'RDS Cluster backup retention period should be specifically defined ' - group: top10-insecure-design - name: e542bd46-58c4-4e0f-a52a-1fb4f9548e02 - pretty_name: RDS Cluster With Backup Disabled - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/rds_cluster#backup_retention_period - e5587d53-a673-4a6b-b3f2-ba07ec274def: - categories: - - ALL - - boost-baseline - description: 'Containers should drop ''ALL'' or at least ''NET_RAW'' capabilities ' - group: cloud-weak-configuration - name: e5587d53-a673-4a6b-b3f2-ba07ec274def - pretty_name: NET_RAW Capabilities Not Being Dropped - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#drop - e576ce44-dd03-4022-a8c0-3906acca2ab4: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'BigQuery dataset is anonymously or publicly accessible ' - group: cloud-insecure-iam - name: e576ce44-dd03-4022-a8c0-3906acca2ab4 - pretty_name: BigQuery Dataset Is Public - recommended: true - ref: https://www.terraform.io/docs/providers/google/r/bigquery_dataset.html - 
e592a0c5-5bdb-414c-9066-5dba7cdea370: - categories: - - ALL - - boost-baseline - description: 'IAM Access Analyzer should be enabled and configured to continuously - monitor resource permissions ' - group: top10-insecure-design - name: e592a0c5-5bdb-414c-9066-5dba7cdea370 - pretty_name: IAM Access Analyzer Not Enabled - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/accessanalyzer_analyzer - e649a218-d099-4550-86a4-1231e1fcb60d: - categories: - - ALL - - boost-baseline - description: 'AWS RDS backup retention policy should be at least 7 days ' - group: top10-software-data-integrity-failures - name: e649a218-d099-4550-86a4-1231e1fcb60d - pretty_name: Low RDS Backup Retention Period - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-rds-dbcluster.html - e65a0733-94a0-4826-82f4-df529f4c593f: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Azure Function App authentication settings should be enabled ' - group: cloud-insecure-iam - name: e65a0733-94a0-4826-82f4-df529f4c593f - pretty_name: Function App Authentication Disabled - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/function_app#auth_settings - e66e1b71-c810-4b4e-a737-0ab59e7f5e41: - categories: - - ALL - - boost-baseline - description: 'VM instance should have OSLogin enabled ' - group: cloud-weak-configuration - name: e66e1b71-c810-4b4e-a737-0ab59e7f5e41 - pretty_name: OSLogin Is Disabled In VM Instance - recommended: true - ref: https://cloud.google.com/compute/docs/reference/rest/v1/instances - e69890e6-fce5-461d-98ad-cb98318dfc96: - categories: - - ALL - - boost-baseline - description: 'Make sure the AWS RDS configuration has automatic backup configured. 
- If the retention period is equal to 0 there is no backup ' - group: top10-software-data-integrity-failures - name: e69890e6-fce5-461d-98ad-cb98318dfc96 - pretty_name: RDS With Backup Disabled - recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/community/aws/rds_instance_module.html#parameter-backup_retention_period - e69bda39-e1e2-47ca-b9ee-b6531b23aedd: - categories: - - ALL - - boost-baseline - description: 'Microsoft.DBforPostgreSQL/servers/configurations should have ''log_connections'' - property set to ''on'' ' - group: cloud-resources-public-access - name: e69bda39-e1e2-47ca-b9ee-b6531b23aedd - pretty_name: PostgreSQL Database Server Log Connections Disabled - recommended: true - ref: https://docs.microsoft.com/en-us/azure/templates/microsoft.dbforpostgresql/servers/configurations?tabs=json#configurationproperties-object - e6b4b943-6883-47a9-9739-7ada9568f8ca: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'The value on AWS EBS Volume Snapshot Encryptation must be true ' - group: top10-crypto-failures - name: e6b4b943-6883-47a9-9739-7ada9568f8ca - pretty_name: EBS Volume Snapshot Not Encrypted - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ebs_snapshot#encrypted - e6cd49ba-77ed-417f-9bca-4f5303554308: - categories: - - ALL - - boost-baseline - description: 'DocDB logging should be enabled ' - group: top10-security-logging-monitoring-failures - name: e6cd49ba-77ed-417f-9bca-4f5303554308 - pretty_name: DocDB Logging Is Disabled - recommended: true - ref: https://doc.crds.dev/github.com/crossplane/provider-aws/docdb.aws.crossplane.io/DBCluster/v1alpha1@v0.21.1#status-atProvider-enabledCloudwatchLogsExports - e6f61c37-106b-449f-a5bb-81bfcaceb8b4: - categories: - - ALL - - boost-baseline - description: 'Google Compute Network should not use a firewall rule that allows - port range ' - group: cloud-resources-public-access - name: 
e6f61c37-106b-449f-a5bb-81bfcaceb8b4 - pretty_name: Google Compute Network Using Firewall Rule that Allows Port Range - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_firewall#allow - e71d0bc7-d9e8-4e6e-ae90-0a4206db6f40: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'The AWS Root Account must not have active access keys associated, - which means if there are access keys associated to the Root Account, they must - be inactive. ' - group: cloud-weak-configuration - name: e71d0bc7-d9e8-4e6e-ae90-0a4206db6f40 - pretty_name: Root Account Has Active Access Keys - recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/community/aws/iam_module.html - e7530c3c-b7cf-4149-8db9-d037a0b5268e: - categories: - - ALL - - boost-baseline - description: 'AWS Elasticsearch should ensure IAM Authentication ' - group: cloud-insecure-iam - name: e7530c3c-b7cf-4149-8db9-d037a0b5268e - pretty_name: Elasticsearch Without IAM Authentication - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/elasticsearch_domain - e7656d8d-7288-4bbe-b07b-22b389be75ce: - categories: - - ALL - - boost-baseline - description: The template path must have a corresponding path parameter for a - given operation - group: top10-insecure-design - name: e7656d8d-7288-4bbe-b07b-22b389be75ce - pretty_name: Template Path With No Corresponding Path Parameter (v2) - recommended: true - ref: https://github.com/OAI/OpenAPI-Specification/blob/main/versions/2.0.md#path-templating - e76cca7c-c3f9-4fc9-884c-b2831168ebd8: - categories: - - ALL - - boost-baseline - description: 'Image must be defined and not be empty or equal to latest. 
' - group: supply-chain-scm-weak-configuration - name: e76cca7c-c3f9-4fc9-884c-b2831168ebd8 - pretty_name: Invalid Image - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#image - e76fd7ab-7333-40c6-a2d8-ea28af4a319e: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Ram Account Password Policy should have ''max_login_attempts'' to - a maximum of 5 incorrect login attempts ' - group: cloud-weak-secrets-management - name: e76fd7ab-7333-40c6-a2d8-ea28af4a319e - pretty_name: Ram Account Password Policy Max Login Attempts Unrecommended - recommended: true - ref: https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/ram_account_password_policy#max_login_attempts - e77c89f6-9c85-49ea-b95b-5f960fe5be92: - categories: - - ALL - - boost-baseline - description: 'Group with privilege escalation by actions ''iam:PutGroupPolicy'' - and Resource set to ''*''. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. ' - group: cloud-insecure-iam - name: e77c89f6-9c85-49ea-b95b-5f960fe5be92 - pretty_name: Group With Privilege Escalation By Actions 'iam:PutGroupPolicy' - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_policy#policy - e7e961ac-d17e-4413-84bc-8a1fbe242944: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Cloud Storage Bucket should have versioning enabled ' - group: top10-security-logging-monitoring-failures - name: e7e961ac-d17e-4413-84bc-8a1fbe242944 - pretty_name: Cloud Storage Bucket Versioning Disabled - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/storage_bucket#enabled - e835bd0d-65da-49f7-b6d1-b646da8727e6: - categories: - - ALL - - boost-baseline - description: 'IAM Policy should not grant ''AssumeRole'' permission across all - services. 
' - group: cloud-insecure-iam - name: e835bd0d-65da-49f7-b6d1-b646da8727e6 - pretty_name: IAM Policy Grants 'AssumeRole' Permission Across All Services - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-policy.html - e84eaf4d-2f45-47b2-abe8-e581b06deb66: - categories: - - ALL - - boost-baseline - description: 'As a best practice, ensure that is made the correct use of namespaces - to adequately administer your resources. Kubernetes Authorization plugins can - also be used to create policies that segregate user access to namespaces. ' - group: cloud-insecure-iam - name: e84eaf4d-2f45-47b2-abe8-e581b06deb66 - pretty_name: Ensure Administrative Boundaries Between Resources - recommended: true - ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ - e86e26fc-489e-44f0-9bcd-97305e4ba69a: - categories: - - ALL - - boost-baseline - description: 'Amazon ECR image repositories shouldn''t have public access ' - group: cloud-insecure-iam - name: e86e26fc-489e-44f0-9bcd-97305e4ba69a - pretty_name: ECR Repository Is Publicly Accessible - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_repository_policy - e8bb41e4-2f24-4e84-8bea-8c7c070cf93d: - categories: - - ALL - - boost-baseline - description: 'Serving Revision Spec should have Timeout Seconds defined to avoid - Denial of Service ' - group: cloud-weak-configuration - name: e8bb41e4-2f24-4e84-8bea-8c7c070cf93d - pretty_name: Serving Revision Spec Without Timeout Seconds - recommended: true - ref: https://knative.dev/docs/reference/api/serving-api/#serving.knative.dev/v1.RevisionSpec - e8c80448-31d8-4755-85fc-6dbab69c2717: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'The IP range filter should be defined to secure the data stored ' - group: cloud-resources-public-access - name: e8c80448-31d8-4755-85fc-6dbab69c2717 - pretty_name: CosmosDB Account IP Range 
Filter Not Set - recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_cosmosdbaccount_module.html#parameter-ip_range_filter - e8e62026-da63-4904-b402-65adfe3ca975: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Ram policies with admin access should not be associated to users, - groups or roles ' - group: cloud-insecure-iam - name: e8e62026-da63-4904-b402-65adfe3ca975 - pretty_name: Ram Policy Admin Access Not Attached to Users Groups Roles - recommended: true - ref: https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/ram_policy - e93bbe63-a631-4c0f-b6ef-700d48441ff2: - categories: - - ALL - - boost-baseline - description: 'ElastiCache Redis cluster should have ''snapshotRetentionLimit'' - higher than 0 ' - group: top10-software-data-integrity-failures - name: e93bbe63-a631-4c0f-b6ef-700d48441ff2 - pretty_name: ElastiCache Redis Cluster Without Backup - recommended: true - ref: https://www.pulumi.com/registry/packages/aws/api-docs/elasticache/cluster/#snapshotretentionlimit_yaml - e94d3121-c2d1-4e34-a295-139bfeb73ea3: - categories: - - ALL - - boost-baseline - description: 'Container should not share the host IPC namespace ' - group: cloud-insecure-iam - name: e94d3121-c2d1-4e34-a295-139bfeb73ea3 - pretty_name: Shared Host IPC Namespace - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#host_ipc - e979fcbc-df6c-422d-9458-c33d65e71c45: - categories: - - ALL - - boost-baseline - description: 'Ensure that AWS Elasticsearch enables support for slow logs ' - group: top10-security-logging-monitoring-failures - name: e979fcbc-df6c-422d-9458-c33d65e71c45 - pretty_name: ElasticSearch Without Slow Logs - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/elasticsearch_domain#log_publishing_options - e9817ad8-a8c9-4038-8a2f-db0e6e7b284b: - categories: - - ALL - 
- boost-baseline - description: 'There is a ''securityDefinition'' using implicit flow on OAuth2, - which is deprecated ' - group: cloud-insecure-iam - name: e9817ad8-a8c9-4038-8a2f-db0e6e7b284b - pretty_name: Implicit Flow in OAuth2 (v2) - recommended: true - ref: https://swagger.io/specification/v2/#securitySchemeObject - e9b7acf9-9ba0-4837-a744-31e7df1e434d: - categories: - - ALL - - boost-baseline - description: 'SQS VPC Endpoint should have DNS resolution enabled ' - group: cloud-resources-public-access - name: e9b7acf9-9ba0-4837-a744-31e7df1e434d - pretty_name: SQS VPC Endpoint Without DNS Resolution - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc#enable_dns_support - e9c133e5-c2dd-4b7b-8fff-40f2de367b56: - categories: - - ALL - - boost-baseline - description: 'WebApp should have Azure Active Directory enabled with ''identity.type'' - set to ''SystemAssigned'' or ''userAssignedIdentities'' set to ''true'' ' - group: cloud-insecure-iam - name: e9c133e5-c2dd-4b7b-8fff-40f2de367b56 - pretty_name: Website Azure Active Directory Disabled - recommended: true - ref: https://docs.microsoft.com/en-us/azure/templates/microsoft.web/2019-08-01/sites?tabs=json#ManagedServiceIdentity - e9db5fb4-6a84-4abb-b4af-3b94fbdace6d: - categories: - - ALL - - boost-baseline - description: 'Responses reference should exist on responses definition field ' - group: top10-insecure-design - name: e9db5fb4-6a84-4abb-b4af-3b94fbdace6d - pretty_name: Responses JSON Reference Does Not Exists (v2) - recommended: true - ref: https://swagger.io/specification/v2/#responsesDefinitionsObject - e9dee01f-2505-4df2-b9bf-7804d1fd9082: - categories: - - ALL - - boost-baseline - description: 'A sensitive port, such as port 23 or port 110, is open for small - public network in either TCP or UDP protocol ' - group: cloud-resources-public-access - name: e9dee01f-2505-4df2-b9bf-7804d1fd9082 - pretty_name: Sensitive Port Is Exposed To Small Public 
Network - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_security_rule - ea0ed1c7-9aef-4464-b7c7-94c762da3640: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'The IP address in a DB Security Group must not have more than 256 - hosts. ' - group: cloud-resources-public-access - name: ea0ed1c7-9aef-4464-b7c7-94c762da3640 - pretty_name: DB Security Group Open To Large Scope - recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/amazon/aws/ec2_group_module.html#ansible-collections-amazon-aws-ec2-group-module - ea33fcf7-394b-4d11-a228-985c5d08f205: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Check if default security group does not restrict all inbound and - outbound traffic. ' - group: cloud-resources-public-access - name: ea33fcf7-394b-4d11-a228-985c5d08f205 - pretty_name: Default Security Groups With Unrestricted Traffic - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-security-group.html - ea6bc7a6-d696-4dcf-a788-17fa03c17c81: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'AWS Security Group should restrict ingress access ' - group: cloud-resources-public-access - name: ea6bc7a6-d696-4dcf-a788-17fa03c17c81 - pretty_name: Security Group Ingress Not Restricted - recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/amazon/aws/ec2_group_module.html - eaaba502-2f94-411a-a3c2-83d63cc1776d: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Ensure a log metric filter and alarm exist for IAM policy changes ' - group: top10-security-logging-monitoring-failures - name: eaaba502-2f94-411a-a3c2-83d63cc1776d - pretty_name: CloudWatch IAM Policy Changes Alarm Missing - recommended: true - ref: 
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_metric_filter#pattern - eafe4bc3-1042-4f88-b988-1939e64bf060: - categories: - - ALL - - boost-baseline - description: 'IAM policies should be attached only to groups or roles ' - group: cloud-insecure-iam - name: eafe4bc3-1042-4f88-b988-1939e64bf060 - pretty_name: IAM Policies Attached To User - recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/community/aws/iam_policy_module.html - eb3f9744-d24e-4614-b1ff-2a9514eca21c: - categories: - - ALL - - boost-baseline - description: 'Operation object parameters should not have both ''body'' and ''formatData'' - locations ' - group: top10-insecure-design - name: eb3f9744-d24e-4614-b1ff-2a9514eca21c - pretty_name: Operation Object Parameters With 'body' And 'formatData' locations - recommended: true - ref: https://swagger.io/specification/v2/#parameterObject - eb64f1e9-f67d-4e35-8a3c-3d6a2f9efea7: - categories: - - ALL - - boost-baseline - description: 'Role with privilege escalation by actions ''iam:PutRolePolicy'' - and Resource set to ''*''. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. ' - group: cloud-insecure-iam - name: eb64f1e9-f67d-4e35-8a3c-3d6a2f9efea7 - pretty_name: Role With Privilege Escalation By Actions 'iam:PutRolePolicy' - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy#policy - eb8c2560-8bee-4248-9d0d-e80c8641dd91: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Web app should only accept HTTPS traffic in Azure Web App Service. 
' - group: cloud-weak-configuration - name: eb8c2560-8bee-4248-9d0d-e80c8641dd91 - pretty_name: Web App Accepting Traffic Other Than HTTPS - recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_webapp_module.html#parameter-https_only - ebb2118a-03bc-4d53-ab43-d8750f5cb8d3: - categories: - - ALL - - boost-baseline - description: 'CloudTrail should be integrated with CloudWatch ' - group: top10-security-logging-monitoring-failures - name: ebb2118a-03bc-4d53-ab43-d8750f5cb8d3 - pretty_name: CloudTrail Not Integrated With CloudWatch - recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/community/aws/cloudtrail_module.html - ec18a0d3-0069-4a58-a7fb-fbfe0b4bbbe0: - categories: - - ALL - - boost-baseline - description: 'When using kube-apiserver command, the ''kubelet-certificate-authority'' - flag should be set ' - group: cloud-weak-secrets-management - name: ec18a0d3-0069-4a58-a7fb-fbfe0b4bbbe0 - pretty_name: Kubelet Certificate Authority Not Set - recommended: true - ref: https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/ - ec28bf61-a474-4dbe-b414-6dd3a067d6f0: - categories: - - ALL - - boost-baseline - description: 'AWS Cognito UserPool should have MFA (Multi-Factor Authentication) - defined to users ' - group: top10-insecure-design - name: ec28bf61-a474-4dbe-b414-6dd3a067d6f0 - pretty_name: Cognito UserPool Without MFA - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cognito_user_pool - ec49cbfd-fae4-45f3-81b1-860526d66e3f: - categories: - - ALL - - boost-baseline - description: 'Group with privilege escalation by actions ''iam:CreatePolicyVersion'' - and Resource set to ''*''. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. 
' - group: cloud-insecure-iam - name: ec49cbfd-fae4-45f3-81b1-860526d66e3f - pretty_name: Group With Privilege Escalation By Actions 'iam:CreatePolicyVersion' - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_policy#policy - ec62a32c-a297-41ca-a850-cab40b42094a: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'OSS Buckets should not allow all actions (wildcard) from all principals, - as to prevent leaking private information to the entire internet or allow unauthorized - data tampering/deletion. This means the ''Effect'' must not be ''Allow'' when - the ''Action'' is *, for all Principals. ' - group: cloud-insecure-iam - name: ec62a32c-a297-41ca-a850-cab40b42094a - pretty_name: OSS Bucket Allows All Actions From All Principals - recommended: true - ref: https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/oss_bucket#policy - eccc4d59-74b9-4974-86f1-74386e0c7f33: - categories: - - ALL - description: 'A list of SNS resources specified. Amazon Simple Notification Service - (Amazon SNS) is a fully managed messaging service for both application-to-application - (A2A) and application-to-person (A2P) communication. ' - group: supply-chain-missing-artifact-integrity-verification - name: eccc4d59-74b9-4974-86f1-74386e0c7f33 - pretty_name: BOM - AWS SNS - ref: https://kics.io/ - ed35928e-195c-4405-a252-98ccb664ab7b: - categories: - - ALL - - boost-baseline - description: 'API Gateway should have valid compression, which means attribute - ''minimum_compression_size'' should be set and its value should be greater than - -1 and smaller than 10485760. 
' - group: top10-crypto-failures - name: ed35928e-195c-4405-a252-98ccb664ab7b - pretty_name: API Gateway With Invalid Compression - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_rest_api - ed48229d-d43e-4da7-b453-5f98d964a57a: - categories: - - ALL - - boost-baseline - description: 'The Body Parameter Object should have the attribute ''schema'' defined ' - group: top10-insecure-design - name: ed48229d-d43e-4da7-b453-5f98d964a57a - pretty_name: Body Parameter Without Schema - recommended: true - ref: https://swagger.io/specification/v2/#parameterObject - ed4c48b8-eccc-4881-95c1-09fdae23db25: - categories: - - ALL - - boost-baseline - description: 'SSL Client Certificate should be enabled ' - group: cloud-weak-configuration - name: ed4c48b8-eccc-4881-95c1-09fdae23db25 - pretty_name: API Gateway Without SSL Certificate - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigateway-stage.html - ed672a9f-fbf0-44d8-a47d-779501b0db05: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Kubernetes Clusters must be created with Alias IP ranges enabled, - which means the attribute ''ip_allocation_policy'' must be defined and the subattribute - ''use_ip_aliases'' must be set to ''yes''. ' - group: cloud-weak-configuration - name: ed672a9f-fbf0-44d8-a47d-779501b0db05 - pretty_name: IP Aliasing Disabled - recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_container_cluster_module.html - ed6cf6ff-9a1f-491c-9f88-e03c0807f390: - categories: - - ALL - - boost-baseline - description: 'OSS Log Store should have logging enabled for longer than 90 days, - for better visibility of resources and objects. 
' - group: top10-security-logging-monitoring-failures - name: ed6cf6ff-9a1f-491c-9f88-e03c0807f390 - pretty_name: Log Retention Is Not Greater Than 90 Days - recommended: true - ref: https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/log_store#retention_period - ed6e3ba0-278f-47b6-a1f5-173576b40b7e: - categories: - - ALL - - boost-baseline - description: 'Alicloud KMS must only possess usable Customer Master Keys (CMK), - which means the CMKs must have the attribute ''is_enabled'' set to true ' - group: top10-insecure-design - name: ed6e3ba0-278f-47b6-a1f5-173576b40b7e - pretty_name: CMK Is Unusable - recommended: true - ref: https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/kms_key#is_enabled - ed89b97d-04e9-4fd4-919f-ee5b27e555e9: - categories: - - ALL - - boost-baseline - description: 'The flag --streaming-connection-idle-timeout should not be set to - 0 ' - group: cloud-resources-public-access - name: ed89b97d-04e9-4fd4-919f-ee5b27e555e9 - pretty_name: Kubelet Streaming Connection Timeout Disabled - recommended: true - ref: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/ - ed9b3beb-92cf-44d9-a9d2-171eeba569d4: - categories: - - ALL - - boost-baseline - description: 'SQS policy allows ALL (*) actions ' - group: cloud-insecure-iam - name: ed9b3beb-92cf-44d9-a9d2-171eeba569d4 - pretty_name: SQS Policy Allows All Actions - recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/community/aws/sqs_queue_module.html - eda48c88-2b7d-4e34-b6ca-04c0194aee17: - categories: - - ALL - - boost-baseline - description: 'Role with privilege escalation by actions ''glue:UpdateDevEndpoint'' - and Resource set to ''*''. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. 
' - group: cloud-insecure-iam - name: eda48c88-2b7d-4e34-b6ca-04c0194aee17 - pretty_name: Role With Privilege Escalation By Actions 'glue:UpdateDevEndpoint' - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy#policy - eda7301d-1f3e-47cf-8d4e-976debc64341: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'The Remote Desktop port is open to the internet in a Security Group ' - group: cloud-resources-public-access - name: eda7301d-1f3e-47cf-8d4e-976debc64341 - pretty_name: Remote Desktop Port Open To Internet - recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/amazon/aws/ec2_group_module.html#ansible-collections-amazon-aws-ec2-group-module - edbd62d4-8700-41de-b000-b3cfebb5e996: - categories: - - ALL - - boost-baseline - description: 'AWS Elasticsearch should have logs enabled ' - group: top10-security-logging-monitoring-failures - name: edbd62d4-8700-41de-b000-b3cfebb5e996 - pretty_name: Elasticsearch Logs Disabled - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-elasticsearch-domain.html#cfn-elasticsearch-domain-logpublishingoptions - edc95c10-7366-4f30-9b4b-f995c84eceb5: - categories: - - ALL - - boost-baseline - description: 'IAM policies should be attached only to groups or roles ' - group: cloud-insecure-iam - name: edc95c10-7366-4f30-9b4b-f995c84eceb5 - pretty_name: IAM Policies Attached To User - recommended: true - ref: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html - ee12ad32-2863-4c0f-b13f-28272d115028: - categories: - - ALL - - boost-baseline - description: 'ELB should have access log enabled ' - group: top10-security-logging-monitoring-failures - name: ee12ad32-2863-4c0f-b13f-28272d115028 - pretty_name: ELB Access Log Disabled - recommended: true - ref: 
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-elb-accessloggingpolicy.html - ee305555-6b1d-4055-94cf-e22131143c34: - categories: - - ALL - - boost-baseline - description: 'Do not allow pod to request execution as privileged. ' - group: cloud-weak-configuration - name: ee305555-6b1d-4055-94cf-e22131143c34 - pretty_name: PSP Set To Privileged - recommended: true - ref: https://www.pulumi.com/registry/packages/kubernetes/api-docs/policy/v1beta1/podsecuritypolicy/#privileged_yaml - ee3b1557-9fb5-4685-a95d-93f1edf2a0d7: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Application Load Balancer (alb) Listener should not listen on HTTP ' - group: cloud-resources-public-access - name: ee3b1557-9fb5-4685-a95d-93f1edf2a0d7 - pretty_name: ALB Listening on HTTP - recommended: true - ref: https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/alb_listener - ee464fc2-54a6-4e22-b10a-c6dcd2474d0c: - categories: - - ALL - - boost-baseline - description: 'AWS Security Group Egress should not specify all protocols to prevent - allow traffic on all ports ' - group: cloud-resources-public-access - name: ee464fc2-54a6-4e22-b10a-c6dcd2474d0c - pretty_name: Security Group Egress With All Protocols - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-security-group-egress.html - ee49557d-750c-4cc1-aa95-94ab36cbefde: - categories: - - ALL - - boost-baseline - description: 'Role with privilege escalation by actions ''iam:CreatePolicyVersion'' - and Resource set to ''*''. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. 
' - group: cloud-insecure-iam - name: ee49557d-750c-4cc1-aa95-94ab36cbefde - pretty_name: Role With Privilege Escalation By Actions 'iam:CreatePolicyVersion' - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy#policy - ee7b93c1-b3f8-4a3b-9588-146d481814f5: - categories: - - ALL - - boost-baseline - description: 'Google Compute Subnetwork should have Private Google Access enabled, - which means ''private_ip_google_access'' should be set to true ' - group: cloud-resources-public-access - name: ee7b93c1-b3f8-4a3b-9588-146d481814f5 - pretty_name: Google Compute Subnetwork with Private Google Access Disabled - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_subnetwork#private_ip_google_access - ee9e50e8-b2ed-4176-ad42-8fc0cf7593f4: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'CloudTrail Log Files S3 Bucket should have ''logging'' enabled ' - group: top10-security-logging-monitoring-failures - name: ee9e50e8-b2ed-4176-ad42-8fc0cf7593f4 - pretty_name: CloudTrail Log Files S3 Bucket with Logging Disabled - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudtrail#s3_bucket_name - eeb4d37a-3c59-4789-a00c-1509bc3af1e5: - categories: - - ALL - - boost-baseline - description: 'User with privilege escalation by actions ''iam:PutRolePolicy'' - and Resource set to ''*''. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. 
' - group: cloud-insecure-iam - name: eeb4d37a-3c59-4789-a00c-1509bc3af1e5 - pretty_name: User With Privilege Escalation By Actions 'iam:PutRolePolicy' - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy#policy - eee107f9-b3d8-45d3-b9c6-43b5a7263ce1: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Users should authenticate with MFA (Multi-factor Authentication) - to ensure an extra layer of protection when authenticating ' - group: cloud-insecure-iam - name: eee107f9-b3d8-45d3-b9c6-43b5a7263ce1 - pretty_name: Authentication Without MFA - recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/community/aws/iam_mfa_device_info_module.html - ef05a925-8568-4054-8ff1-f5ba82631c16: - categories: - - ALL - description: 'A list of EFS resources found. Amazon Elastic File System (Amazon - EFS) automatically grows and shrinks as you add and remove files with no need - for management or provisioning. ' - group: supply-chain-missing-artifact-integrity-verification - name: ef05a925-8568-4054-8ff1-f5ba82631c16 - pretty_name: BOM - AWS EFS - ref: https://kics.io/ - ef0b316a-211e-42f1-888e-64efe172b755: - categories: - - ALL - - boost-baseline - description: 'AWS CloudWatch Log groups should have retention days specified ' - group: top10-security-logging-monitoring-failures - name: ef0b316a-211e-42f1-888e-64efe172b755 - pretty_name: CloudWatch Without Retention Period Specified - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group - efbf148a-67e9-42d2-ac47-02fa1c0d0b22: - categories: - - ALL - - boost-baseline - description: 'Check if shell commands with pipes (except Powershell) have the - pipefail flag set (-o). 
' - group: cloud-weak-configuration - name: efbf148a-67e9-42d2-ac47-02fa1c0d0b22 - pretty_name: Shell Running A Pipe Without Pipefail Flag - recommended: true - ref: https://docs.docker.com/engine/reference/builder/#run - efbf6449-5ec5-4cfe-8f15-acc51e0d787c: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Port 3389 (Remote Desktop) is exposed to the internet ' - group: cloud-resources-public-access - name: efbf6449-5ec5-4cfe-8f15-acc51e0d787c - pretty_name: RDP Is Exposed To The Internet - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_security_rule - efd1dfc8-da91-4909-a3f3-c23abc5ec799: - categories: - - ALL - - boost-baseline - description: Numeric schema (type set to 'integer' or 'number') should have 'minimum' - defined. - group: cloud-weak-configuration - name: efd1dfc8-da91-4909-a3f3-c23abc5ec799 - pretty_name: Numeric Schema Without Minimum (v2) - recommended: true - ref: https://swagger.io/specification/v2/#schemaObject - f0104061-8bfc-4b45-8a7d-630eb502f281: - categories: - - ALL - - boost-baseline - description: 'RDS instance should have automatic minor upgrades enabled, which - means the attribute ''AutoMinorVersionUpgrade'' must be set to true. 
' - group: top10-insecure-design - name: f0104061-8bfc-4b45-8a7d-630eb502f281 - pretty_name: Automatic Minor Upgrades Disabled - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-rds-database-instance.html - f0d8781f-99bf-4958-9917-d39283b168a0: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'The CIDR IP should not be a public interface ' - group: cloud-weak-configuration - name: f0d8781f-99bf-4958-9917-d39283b168a0 - pretty_name: DB Security Group Has Public Interface - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_security_group - f1173d8c-3264-4148-9fdb-61181e031b51: - categories: - - ALL - - boost-baseline - description: 'Role with privilege escalation by actions ''iam:UpdateAssumeRolePolicy'' - and ''sts:AssumeRole'' and Resource set to ''*''. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. 
' - group: cloud-insecure-iam - name: f1173d8c-3264-4148-9fdb-61181e031b51 - pretty_name: Role With Privilege Escalation By Actions 'iam:UpdateAssumeRolePolicy' - And 'sts:AssumeRole' - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy#policy - f118890b-2468-42b1-9ce9-af35146b425b: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'MySQL Server public access should be disabled ' - group: cloud-resources-public-access - name: f118890b-2468-42b1-9ce9-af35146b425b - pretty_name: MySQL Server Public Access Enabled - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/mysql_server#public_network_access_enabled - f11aec39-858f-4b6f-b946-0a1bf46c0c87: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'AWS DAX Cluster should have server-side encryption at rest ' - group: top10-crypto-failures - name: f11aec39-858f-4b6f-b946-0a1bf46c0c87 - pretty_name: DAX Cluster Not Encrypted - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/dax_cluster#enabled - f1adc521-f79a-4d71-b55b-a68294687432: - categories: - - ALL - - boost-baseline - description: 'EC2 instances should not use default security group(s) ' - group: cloud-insecure-iam - name: f1adc521-f79a-4d71-b55b-a68294687432 - pretty_name: EC2 Instance Using Default Security Group - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/instance#security_groups - f1f4d8da-1ac4-47d0-b1aa-91e69d33f7d5: - categories: - - ALL - - boost-baseline - description: 'When using the kubelet command, the authorization-mode flag should - not have ''AlwaysAllow'' mode ' - group: cloud-insecure-iam - name: f1f4d8da-1ac4-47d0-b1aa-91e69d33f7d5 - pretty_name: Authorization Mode Set To Always Allow - recommended: true - ref: 
https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/ - f20e97f9-4919-43f1-9be9-f203cd339cdd: - categories: - - ALL - - boost-baseline - description: 'OSS Bucket should have encryption enabled using Customer Master - Key ' - group: top10-crypto-failures - name: f20e97f9-4919-43f1-9be9-f203cd339cdd - pretty_name: OSS Bucket Encryption Using CMK Disabled - recommended: true - ref: https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/oss_bucket#server_side_encryption_rule - f262118c-1ac6-4bb3-8495-cc48f1775b85: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Ecs Data Disk Kms Key Id should be set ' - group: top10-crypto-failures - name: f262118c-1ac6-4bb3-8495-cc48f1775b85 - pretty_name: Ecs Data Disk Kms Key Id Undefined - recommended: true - ref: https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/disk#kms_key_id - f2702af5-6016-46cb-bbc8-84c766032095: - categories: - - ALL - - boost-baseline - description: 'The header Parameter should not be named as ''Accept''. If so, it - will be ignored. 
' - group: top10-insecure-design - name: f2702af5-6016-46cb-bbc8-84c766032095 - pretty_name: Header Parameter Named as 'Accept' (v3) - recommended: true - ref: https://swagger.io/specification/#parameter-object - f27791a5-e2ae-4905-8910-6f995c576d09: - categories: - - ALL - - boost-baseline - description: 'SSL Client Certificate should be defined ' - group: cloud-weak-configuration - name: f27791a5-e2ae-4905-8910-6f995c576d09 - pretty_name: API Gateway Without SSL Certificate - recommended: true - ref: https://www.pulumi.com/registry/packages/aws/api-docs/apigatewayv2/stage/#clientcertificateid_yaml - f29904c8-6041-4bca-b043-dfa0546b8079: - categories: - - ALL - - boost-baseline - description: 'Callback reference should exists on components field ' - group: top10-insecure-design - name: f29904c8-6041-4bca-b043-dfa0546b8079 - pretty_name: Callback JSON Reference Does Not Exists - recommended: true - ref: https://swagger.io/specification/#components-object - f2daed12-c802-49cd-afed-fe41d0b82fed: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Different FROMS cant have the same alias defined ' - group: supply-chain-cicd-weak-configuration - name: f2daed12-c802-49cd-afed-fe41d0b82fed - pretty_name: Same Alias In Different Froms - recommended: true - ref: https://docs.docker.com/develop/develop-images/multistage-build/ - f2ea6481-1d31-4d40-946a-520dc6321dd7: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'AWS Kinesis Streams and metadata should be protected with KMS ' - group: top10-crypto-failures - name: f2ea6481-1d31-4d40-946a-520dc6321dd7 - pretty_name: Kinesis Not Encrypted With KMS - recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/community/aws/kinesis_stream_module.html - f2f903fb-b977-461e-98d7-b3e2185c6118: - categories: - - ALL - - boost-baseline - description: 'When installing packages with pip, the ''--no-cache-dir'' flag should - be set to make Docker images smaller ' - 
group: supply-chain-scm-weak-configuration - name: f2f903fb-b977-461e-98d7-b3e2185c6118 - pretty_name: Pip install Keeping Cached Packages - recommended: true - ref: https://docs.docker.com/develop/develop-images/dockerfile_best-practices/ - f30ee711-0082-4480-85ab-31d922d9a2b2: - categories: - - ALL - - boost-baseline - description: 'Global Schemes should use ''https'' protocol instead of ''http'' ' - group: top10-crypto-failures - name: f30ee711-0082-4480-85ab-31d922d9a2b2 - pretty_name: Global Schemes Uses HTTP - recommended: true - ref: https://swagger.io/specification/v2/#swaggerObject - f34508b9-f574-4330-b42d-88c44cced645: - categories: - - ALL - - boost-baseline - description: 'Lambda access/secret keys should not be hardcoded ' - group: cloud-weak-secrets-management - name: f34508b9-f574-4330-b42d-88c44cced645 - pretty_name: Hardcoded AWS Access Key In Lambda - recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/community/aws/lambda_module.html - f34c0c25-47b4-41eb-9c79-249b4dd47b89: - categories: - - ALL - - boost-baseline - description: 'Instances must not have IP forwarding enabled, which means the attribute - ''can_ip_forward'' must not be true ' - group: cloud-resources-public-access - name: f34c0c25-47b4-41eb-9c79-249b4dd47b89 - pretty_name: IP Forwarding Enabled - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/compute_instance - f34c1c68-4773-4df0-a103-6e2ca32e585f: - categories: - - ALL - - boost-baseline - description: Each field on Open API specification which accepts '$ref', infers - that field is using a reference object, which has only '$ref' key - group: top10-insecure-design - name: f34c1c68-4773-4df0-a103-6e2ca32e585f - pretty_name: JSON '$ref' alongside other properties (v2) - recommended: true - ref: https://swagger.io/specification/v2/#referenceObject - f3674e0c-f6be-43fa-b71c-bf346d1aed99: - categories: - - ALL - - boost-baseline - - boost-hardened - 
description: 'AWS SageMaker should encrypt model artifacts at rest using Amazon - S3 server-side encryption with an AWS KMS ' - group: top10-crypto-failures - name: f3674e0c-f6be-43fa-b71c-bf346d1aed99 - pretty_name: Sagemaker Notebook Instance Without KMS - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sagemaker_notebook_instance#kms_key_id - f368dd2d-9344-4146-a05b-7c6faa1269ad: - categories: - - ALL - - boost-baseline - description: 'Post should define at least one success response (200, 201, 202 - or 204) ' - group: cloud-resources-public-access - name: f368dd2d-9344-4146-a05b-7c6faa1269ad - pretty_name: Success Response Code Undefined for Post Operation (v3) - recommended: true - ref: https://swagger.io/specification/#operation-object - f36e87cc-a209-4f37-8571-66833e4aead7: - categories: - - ALL - - boost-baseline - description: Patch should define at least one success response (200, 201, 202 - or 204) - group: cloud-resources-public-access - name: f36e87cc-a209-4f37-8571-66833e4aead7 - pretty_name: Success Response Code Undefined for Patch Operation (v2) - recommended: true - ref: https://swagger.io/specification/v2/#operation-object - f377b83e-bd07-4f48-a591-60c82b14a78b: - categories: - - ALL - - boost-baseline - description: 'Containers should be configured with a secure Seccomp profile to - restrict potentially dangerous syscalls ' - group: cloud-weak-configuration - name: f377b83e-bd07-4f48-a591-60c82b14a78b - pretty_name: Seccomp Profile Is Not Configured - recommended: true - ref: https://kubernetes.io/docs/tutorials/security/seccomp/#create-pod-that-uses-the-container-runtime-default-seccomp-profile - f42dfe7e-787d-4478-a75e-a5f3d8a2269e: - categories: - - ALL - - boost-baseline - description: 'Operation Object should not use implicit flow ' - group: cloud-insecure-iam - name: f42dfe7e-787d-4478-a75e-a5f3d8a2269e - pretty_name: Operation Using Implicit Flow - recommended: true - ref: 
https://swagger.io/specification/v2/#operation-object - f45ea400-6bbe-4501-9fc7-1c3d75c32067: - categories: - - ALL - - boost-baseline - description: 'When building images, always tag them with useful tags which codify - version information, intended destination (prod or test, for instance), stability, - or other information that is useful when deploying the application in different - environments. Do not rely on the automatically-created latest tag ' - group: supply-chain-scm-weak-configuration - name: f45ea400-6bbe-4501-9fc7-1c3d75c32067 - pretty_name: Image Version Using 'latest' - recommended: true - ref: https://docs.docker.com/develop/dev-best-practices/ - f465fff1-0a0f-457d-aa4d-1bddb6f204ff: - categories: - - ALL - - boost-baseline - description: 'Role with privilege escalation by actions ''iam:AttachRolePolicy'' - and Resource set to ''*''. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. ' - group: cloud-insecure-iam - name: f465fff1-0a0f-457d-aa4d-1bddb6f204ff - pretty_name: Role With Privilege Escalation By Actions 'iam:AttachRolePolicy' - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy#policy - f4a6bcd3-e231-4acf-993c-aa027be50d2e: - categories: - - ALL - - boost-baseline - description: 'When using RUN command ''cd'' should only be used for full path. - For relative path make use of WORKDIR command instead. 
' - group: supply-chain-cicd-weak-configuration - name: f4a6bcd3-e231-4acf-993c-aa027be50d2e - pretty_name: RUN Instruction Using 'cd' Instead of WORKDIR - recommended: true - ref: https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#workdir - f4c9b5f5-68b8-491f-9e48-4f96644a1d51: - categories: - - ALL - - boost-baseline - description: 'In ECS Task Definition of FARGATE launch type if you specify an - invalid CPU or Memory value, you will receive an error ' - group: cloud-insecure-iam - name: f4c9b5f5-68b8-491f-9e48-4f96644a1d51 - pretty_name: ECS Task Definition Invalid CPU or Memory - recommended: true - ref: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-cpu-memory-error.html - f4cf35d6-da92-48de-ab70-57be2b2e6497: - categories: - - ALL - - boost-baseline - description: 'IAM Password should have at least one lowercase letter ' - group: top10-insecure-design - name: f4cf35d6-da92-48de-ab70-57be2b2e6497 - pretty_name: IAM Password Without Lowercase Letter - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/quickref-iam.html#scenario-iam-user - f4e9ff70-0f3b-4c50-a713-26cbe7ec4039: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Check if all IPs are allowed, check from start 0.0.0.0 to end 255.255.255.255. 
' - group: cloud-resources-public-access - name: f4e9ff70-0f3b-4c50-a713-26cbe7ec4039 - pretty_name: SQLServer Ingress From Any IP - recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_sqlfirewallrule_module.html - f509931b-bbb0-443c-bd9b-10e92ecf2193: - categories: - - ALL - - boost-baseline - description: 'IAM Group should have at least one user associated ' - group: cloud-insecure-iam - name: f509931b-bbb0-443c-bd9b-10e92ecf2193 - pretty_name: IAM Group Without Users - recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/community/aws/iam_group_module.html - f525cc92-9050-4c41-a75c-890dc6f64449: - categories: - - ALL - - boost-baseline - description: 'Security Scheme HTTP should not be using negotiate authentication ' - group: cloud-insecure-iam - name: f525cc92-9050-4c41-a75c-890dc6f64449 - pretty_name: Security Scheme Using HTTP Negotiate - recommended: true - ref: https://swagger.io/specification/#security-scheme-object - f5342045-b935-402d-adf1-8dbbd09c0eef: - categories: - - ALL - - boost-baseline - description: 'Azure Kubernetes Service should have the proper network policy configuration - to ensure the principle of least privileges, which means that ''network_profile.network_policy'' - should be defined ' - group: cloud-weak-configuration - name: f5342045-b935-402d-adf1-8dbbd09c0eef - pretty_name: AKS Network Policy Misconfigured - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/kubernetes_cluster - f53f16d6-46a9-4277-9fbe-617b1e24cdca: - categories: - - ALL - description: 'A list of EFS resources found. Amazon Elastic File System (Amazon - EFS) automatically grows and shrinks as you add and remove files with no need - for management or provisioning. 
' - group: supply-chain-missing-artifact-integrity-verification - name: f53f16d6-46a9-4277-9fbe-617b1e24cdca - pretty_name: BOM - AWS EFS - ref: https://kics.io/ - f5587077-3f57-4370-9b4e-4eb5b1bac85b: - categories: - - ALL - - boost-baseline - description: 'Logs delivered by CloudTrail should be encrypted using KMS to increase - security of your CloudTrail ' - group: top10-crypto-failures - name: f5587077-3f57-4370-9b4e-4eb5b1bac85b - pretty_name: CloudTrail Log Files Not Encrypted With KMS - recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/community/aws/cloudtrail_module.html - f57f849c-883b-4cb7-85e7-f7b199dff163: - categories: - - ALL - - boost-baseline - description: 'TCP/UDP protocol AWS Network ACL Entry should not allow all ports ' - group: cloud-resources-public-access - name: f57f849c-883b-4cb7-85e7-f7b199dff163 - pretty_name: TCP/UDP Protocol Network ACL Entry Allows All Ports - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-network-acl-entry.html#cfn-ec2-networkaclentry-portrange - f5b2e6af-76f5-496d-8482-8f898c5fdb4a: - categories: - - ALL - - boost-baseline - description: 'Parameters properties ''name'' and ''in'' should have unique combinations ' - group: top10-insecure-design - name: f5b2e6af-76f5-496d-8482-8f898c5fdb4a - pretty_name: Parameters Name In Combination Not Unique (v3) - recommended: true - ref: https://swagger.io/specification/#parameters-object - f5c45127-1d28-4b49-a692-0b97da1c3a84: - categories: - - ALL - - boost-baseline - description: 'ECS Service should have at least 1 task running ' - group: top10-insecure-design - name: f5c45127-1d28-4b49-a692-0b97da1c3a84 - pretty_name: ECS Service Without Running Tasks - recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/community/aws/ecs_service_module.html#ansible-collections-community-aws-ecs-service-module - f5f38943-664b-4acc-ab11-f292fa10ed0b: - categories: - - ALL - - 
boost-baseline - description: 'API Gateway should have WAF (Web Application Firewall) enabled ' - group: cloud-resources-public-access - name: f5f38943-664b-4acc-ab11-f292fa10ed0b - pretty_name: API Gateway without WAF - recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/community/aws/wafv2_resources_module.html#parameter-arn - f6049677-ec4a-43af-8779-5190b6d03cba: - categories: - - ALL - - boost-baseline - description: 'KMS Should not allow Principal parameter to be set as * ' - group: cloud-insecure-iam - name: f6049677-ec4a-43af-8779-5190b6d03cba - pretty_name: KMS Allows Wildcard Principal - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-kms-key.html - f62aa827-4ade-4dc4-89e4-1433d384a368: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'IAM policy should not grant full permissions to resources from the - get-go, instead of granting permissions gradually as necessary. ' - group: cloud-insecure-iam - name: f62aa827-4ade-4dc4-89e4-1433d384a368 - pretty_name: IAM Policy Grants Full Permissions - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-policy.html - f6397a20-4cf1-4540-a997-1d363c25ef58: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'S3 Buckets must not allow Put Action From All Principals, as to - prevent leaking private information to the entire internet or allow unauthorized - data tampering / deletion. This means the ''Effect'' must not be ''Allow'' when - the ''Action'' is Put, for all Principals. 
' - group: cloud-insecure-iam - name: f6397a20-4cf1-4540-a997-1d363c25ef58 - pretty_name: S3 Bucket Allows Put Action From All Principals - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket.html - f6d299d2-21eb-41cc-b1e1-fe12d857500b: - categories: - - ALL - - boost-baseline - description: 'Every VPC resource should have an associated Flow Log ' - group: top10-security-logging-monitoring-failures - name: f6d299d2-21eb-41cc-b1e1-fe12d857500b - pretty_name: VPC FlowLogs Disabled - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-flowlog.html - f74b9c43-161a-4799-bc95-0b0ec81801b9: - categories: - - ALL - - boost-baseline - description: 'A Service Account token is shared between workloads ' - group: cloud-weak-secrets-management - name: f74b9c43-161a-4799-bc95-0b0ec81801b9 - pretty_name: Shared Service Account - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#service_account_name - f79b9d26-e945-44e7-98a1-b93f0f7a68a0: - categories: - - ALL - - boost-baseline - description: 'The Media Type Object should have the attribute ''schema'' defined ' - group: cloud-weak-configuration - name: f79b9d26-e945-44e7-98a1-b93f0f7a68a0 - pretty_name: Media Type Object Without Schema - recommended: true - ref: https://swagger.io/specification/#media-type-object - f7ab6c83-ef89-40e1-8a99-32e2599fb665: - categories: - - ALL - - boost-baseline - description: Required properties receive value from requests, which makes unnecessary - declare a default value - group: top10-insecure-design - name: f7ab6c83-ef89-40e1-8a99-32e2599fb665 - pretty_name: Required Property With Default Value (v2) - recommended: true - ref: https://swagger.io/specification/v2/#schemaObject - f7e296b0-6660-4bc5-8f87-22ac4a815edf: - categories: - - ALL - - boost-baseline - description: 'Make sure that for SQL Servers, ''Auditing'' is set 
to ''On'' ' - group: top10-security-logging-monitoring-failures - name: f7e296b0-6660-4bc5-8f87-22ac4a815edf - pretty_name: SQL Server Auditing Disabled - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/sql_server - f7fa95b7-d819-484c-9a2b-665dd1bba25e: - categories: - - ALL - - boost-baseline - description: Schema External Documentation URL should be a valid URL - group: top10-insecure-design - name: f7fa95b7-d819-484c-9a2b-665dd1bba25e - pretty_name: Invalid Schema External Documentation URL (v2) - recommended: true - ref: https://swagger.io/specification/v2/#externalDocumentationObject - f80e3aa7-7b34-4185-954e-440a6894dde6: - categories: - - ALL - - boost-baseline - description: 'IAM role allows all services or principals to assume it ' - group: cloud-insecure-iam - name: f80e3aa7-7b34-4185-954e-440a6894dde6 - pretty_name: IAM Role Allows All Principals To Assume - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-role.html#cfn-iam-role-assumerolepolicydocument - f81d63d2-c5d7-43a4-a5b5-66717a41c895: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'AWS Application Load Balancer (alb) should not listen on HTTP ' - group: cloud-resources-public-access - name: f81d63d2-c5d7-43a4-a5b5-66717a41c895 - pretty_name: ALB Listening on HTTP - recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/community/aws/elb_application_lb_module.html - f83121ea-03da-434f-9277-9cd247ab3047: - categories: - - ALL - - boost-baseline - description: 'Every VPC resource should have an associated Flow Log ' - group: top10-security-logging-monitoring-failures - name: f83121ea-03da-434f-9277-9cd247ab3047 - pretty_name: VPC FlowLogs Disabled - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc - f861041c-8c9f-4156-acfc-5e6e524f5884: - categories: - - ALL - - boost-baseline - 
description: 'Server Access Logging should be enabled on S3 Buckets so that all - changes are logged and trackable ' - group: top10-security-logging-monitoring-failures - name: f861041c-8c9f-4156-acfc-5e6e524f5884 - pretty_name: S3 Bucket Logging Disabled - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket - f8e08a38-fc6e-4915-abbe-a7aadf1d59ef: - categories: - - ALL - - boost-baseline - description: 'Key Vault Secrets should have set Content Type ' - group: top10-insecure-design - name: f8e08a38-fc6e-4915-abbe-a7aadf1d59ef - pretty_name: Key Vault Secrets Content Type Undefined - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_secret#content_type - f906113d-cdc0-415a-ba60-609cc6daaf4d: - categories: - - ALL - - boost-baseline - description: 'Role with privilege escalation by actions ''iam:AttachGroupPolicy'' - and Resource set to ''*''. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. 
' - group: cloud-insecure-iam - name: f906113d-cdc0-415a-ba60-609cc6daaf4d - pretty_name: Role With Privilege Escalation By Actions 'iam:AttachGroupPolicy' - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy#policy - f9112910-c7bb-4864-9f5e-2059ba413bb7: - categories: - - ALL - - boost-baseline - description: 'Microsoft.DBforPostgreSQL/servers/configurations should have ''log_checkpoint'' - property set to ''on'' ' - group: cloud-resources-public-access - name: f9112910-c7bb-4864-9f5e-2059ba413bb7 - pretty_name: PostgreSQL Database Server Log Checkpoints Disabled - recommended: true - ref: https://docs.microsoft.com/en-us/azure/templates/microsoft.dbforpostgresql/2017-12-01/servers/configurations?tabs=json - f914357d-8386-4d56-9ba6-456e5723f9a6: - categories: - - ALL - - boost-baseline - description: 'Check if an EC2 instance refers to an IAM profile, which represents - an IAM Role. ' - group: cloud-insecure-iam - name: f914357d-8386-4d56-9ba6-456e5723f9a6 - pretty_name: EC2 Instance Has No IAM Role - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-instance.html - f922827f-aab6-447c-832a-e1ff63312bd3: - categories: - - ALL - - boost-baseline - description: "Check if a container has full access (unmasked) to the host\u2019\ - s /proc command, which would allow to retrieve sensitive information and possibly\ - \ change the kernel parameters in runtime. 
" - group: cloud-weak-configuration - name: f922827f-aab6-447c-832a-e1ff63312bd3 - pretty_name: Container Runs Unmasked - recommended: true - ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#allowedprocmounttypes - f97b7d23-568f-4bcc-9ac9-02df0d57fbba: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'S3 Buckets must not allow Get Action From All Principals, as to - prevent leaking private information to the entire internet or allow unauthorized - data tampering / deletion. This means the ''Effect'' must not be ''Allow'' when - the ''Action'' is Get, for all Principals. ' - group: cloud-insecure-iam - name: f97b7d23-568f-4bcc-9ac9-02df0d57fbba - pretty_name: S3 Bucket Allows Get Action From All Principals - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket.html - f985a7d2-d404-4a7f-9814-f645f791e46e: - categories: - - ALL - - boost-baseline - description: 'The Media Type value should match the following format: /[+suffix][;parameters] ' - group: top10-insecure-design - name: f985a7d2-d404-4a7f-9814-f645f791e46e - pretty_name: Invalid Media Type Value (v2) - recommended: true - ref: https://swagger.io/specification/#media-type-object - f988a17f-1139-46a3-8928-f27eafd8b024: - categories: - - ALL - - boost-baseline - description: 'DMS Endpoint MongoDbSettings Password must not be a plaintext string - or a Ref to a Parameter with a Default value. 
' - group: cloud-weak-secrets-management - name: f988a17f-1139-46a3-8928-f27eafd8b024 - pretty_name: DMS Endpoint MongoDB Settings Password Exposed - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-dms-endpoint-mongodbsettings.html - f99d3482-fa8c-4f79-bad9-35212dded164: - categories: - - ALL - - boost-baseline - description: 'Serverless Function should be have associated tags ' - group: cloud-weak-configuration - name: f99d3482-fa8c-4f79-bad9-35212dded164 - pretty_name: Serverless Function Without Tags - recommended: true - ref: https://www.serverless.com/framework/docs/providers/aws/guide/functions#tags - f9b10cdb-eaab-4e39-9793-e12b94a582ad: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'It''s not recommended to use plaintext environment variables for - sensitive information, such as credential data. ' - group: top10-crypto-failures - name: f9b10cdb-eaab-4e39-9793-e12b94a582ad - pretty_name: ECS Task Definition Container With Plaintext Password - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ecs-taskdefinition-containerdefinitions.html#cfn-ecs-taskdefinition-containerdefinition-environment - f9b7086b-deb8-4034-9330-d7fd38f1b8de: - categories: - - ALL - - boost-baseline - description: 'KMS encryption keys should be rotated every 90 days or less. A short - lifetime of encryption keys reduces the potential blast radius in case of compromise. 
' - group: cloud-weak-secrets-management - name: f9b7086b-deb8-4034-9330-d7fd38f1b8de - pretty_name: High Google KMS Crypto Key Rotation Period - recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_kms_crypto_key_module.html - fa00ce45-386d-4718-8392-fb485e1f3c5b: - categories: - - ALL - - boost-baseline - description: 'Secrets Manager policy should avoid wildcard in ''Principal'' and - ''Action'' ' - group: cloud-insecure-iam - name: fa00ce45-386d-4718-8392-fb485e1f3c5b - pretty_name: Secrets Manager With Vulnerable Policy - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret_policy#policy - fa4def8c-1898-4a35-a139-7b76b1acdef0: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'When using kube-apiserver command, the ''--insecure-port'' flag - should be defined and set to 0 ' - group: cloud-resources-public-access - name: fa4def8c-1898-4a35-a139-7b76b1acdef0 - pretty_name: Insecure Port Not Properly Set - recommended: true - ref: https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/ - fa62ac4f-f5b9-45b9-97c1-625c8b6253ca: - categories: - - ALL - - boost-baseline - description: 'Role with privilege escalation by actions ''lambda:CreateFunction'' - and ''iam:PassRole'' and ''lambda:InvokeFunction'' and Resource set to ''*''. - For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. 
' - group: cloud-insecure-iam - name: fa62ac4f-f5b9-45b9-97c1-625c8b6253ca - pretty_name: Role With Privilege Escalation By Actions 'lambda:CreateFunction' - And 'iam:PassRole' And 'lambda:InvokeFunction' - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy#policy - fa750c81-93c2-4fab-9c6d-d3fd3ce3b89f: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'TSL Connection Certificate files should be Setup ' - group: cloud-resources-public-access - name: fa750c81-93c2-4fab-9c6d-d3fd3ce3b89f - pretty_name: TSL Connection Certificate Not Setup - recommended: true - ref: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/ - faa8fddf-c0aa-4b2d-84ff-e993e233ebe9: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'S3 Buckets must not allow List Action From All Principals, as to - prevent leaking private information to the entire internet or allow unauthorized - data tampering / deletion. This means the ''Effect'' must not be ''Allow'' when - the ''Action'' is List, for all Principals. 
' - group: cloud-insecure-iam - name: faa8fddf-c0aa-4b2d-84ff-e993e233ebe9 - pretty_name: S3 Bucket Allows List Action From All Principals - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket.html - faaefc15-51a5-419e-bb5e-51a4b5ab3485: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'The field ''address'' should not be set to ''0.0.0.0/0'' ' - group: cloud-weak-configuration - name: faaefc15-51a5-419e-bb5e-51a4b5ab3485 - pretty_name: RDS DB Instance Publicly Accessible - recommended: true - ref: https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/db_instance#address - fae52418-bb8b-4ac2-b287-0b9082d6a3fd: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'EFS (Elastic File System) policy should avoid wildcard in ''Action'' - and ''Principal''. ' - group: cloud-insecure-iam - name: fae52418-bb8b-4ac2-b287-0b9082d6a3fd - pretty_name: EFS With Vulnerable Policy - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/efs_file_system_policy#policy - fb2b0ecf-1492-491a-a70d-ba1df579175d: - categories: - - ALL - - boost-baseline - description: 'Amazon ECS service should be configured to use Load Balancing to - distribute traffic evenly across the tasks, which means there must exist at - least one LoadBalancer. 
' - group: top10-insecure-design - name: fb2b0ecf-1492-491a-a70d-ba1df579175d - pretty_name: ECS No Load Balancer Attached - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ecs-service.html - fb5a5df7-6d74-4243-ab82-ff779a958bfd: - categories: - - ALL - - boost-baseline - description: 'Amazon ECR image repositories shouldn''t have public access ' - group: cloud-insecure-iam - name: fb5a5df7-6d74-4243-ab82-ff779a958bfd - pretty_name: ECR Repository Is Publicly Accessible - recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/community/aws/ecs_ecr_module.html#parameter-policy - fb7d81e7-4150-48c4-b914-92fc05da6a2f: - categories: - - ALL - - boost-baseline - description: 'All properties defined in OpenAPI objects should be known ' - group: top10-insecure-design - name: fb7d81e7-4150-48c4-b914-92fc05da6a2f - pretty_name: Unknown Property (v3) - recommended: true - ref: https://swagger.io/specification/ - fb889ae9-2d16-40b5-b41f-9da716c5abc1: - categories: - - ALL - - boost-baseline - description: 'Parameter reference should exist on parameters definition field ' - group: top10-insecure-design - name: fb889ae9-2d16-40b5-b41f-9da716c5abc1 - pretty_name: Parameter JSON Reference Does Not Exists (v2) - recommended: true - ref: https://swagger.io/specification/v2/#parameterObject - fb8f8929-afeb-4c46-99f0-a6cf410f7df4: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'CloudFront web distributions should use custom (and not default) - SSL certificates. Custom SSL certificates allow only defined users to access - content by using an alternate domain name instead of the default one. 
' - group: cloud-weak-configuration - name: fb8f8929-afeb-4c46-99f0-a6cf410f7df4 - pretty_name: Vulnerable Default SSL Certificate - recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/community/aws/cloudfront_distribution_module.html - fbe9b2d0-a2b7-47a1-a534-03775f3013f7: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Kubernetes Clusters must be configured with labels, which means - the attribute ''resource_labels'' must be defined ' - group: cloud-weak-configuration - name: fbe9b2d0-a2b7-47a1-a534-03775f3013f7 - pretty_name: Cluster Labels Disabled - recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_container_cluster_module.html - fbf699b5-ef74-4542-9cf1-f6eeac379373: - categories: - - ALL - - boost-baseline - description: 'Numeric schema (type set to ''integer'' or ''number'') should have - ''format'' defined. ' - group: cloud-weak-configuration - name: fbf699b5-ef74-4542-9cf1-f6eeac379373 - pretty_name: Numeric Schema Without Format (v3) - recommended: true - ref: https://swagger.io/specification/#schema-object - fc040fb6-4c23-4c0d-b12a-39edac35debb: - categories: - - ALL - - boost-baseline - description: 'VM disks for critical VMs must be encrypted with Customer Supplied - Encryption Keys (CSEK) or with Customer-managed encryption keys (CMEK), which - means the attribute ''diskEncryptionKey'' must be defined and its sub attributes - ''rawKey'' or ''kmsKeyName'' must also be defined ' - group: top10-crypto-failures - name: fc040fb6-4c23-4c0d-b12a-39edac35debb - pretty_name: Disk Encryption Disabled - recommended: true - ref: https://cloud.google.com/compute/docs/reference/rest/v1/instances - fc101ca7-c9dd-4198-a1eb-0fbe92e80044: - categories: - - ALL - - boost-baseline - description: 'IAM Group should have at least one user associated ' - group: cloud-insecure-iam - name: fc101ca7-c9dd-4198-a1eb-0fbe92e80044 - pretty_name: IAM Group Without Users - recommended: 
true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_membership#users - fc5109bf-01fd-49fb-8bde-4492b543c34a: - categories: - - ALL - - boost-baseline - description: 'All variables should contain a valid type. ' - group: top10-insecure-design - name: fc5109bf-01fd-49fb-8bde-4492b543c34a - pretty_name: Variable Without Type - recommended: true - ref: https://www.terraform.io/docs/language/values/variables.html#input-variable-documentation - fc775e75-fcfb-4c98-b2f2-910c5858b359: - categories: - - ALL - - boost-baseline - description: 'Shouldn''t use both ''wget'' and ''curl'' since they are two tools - that have the same effect ' - group: supply-chain-scm-weak-configuration - name: fc775e75-fcfb-4c98-b2f2-910c5858b359 - pretty_name: Run Using 'wget' and 'curl' - recommended: true - ref: https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#run - fc7c2c15-f5d0-4b80-adb2-c89019f8f62b: - categories: - - ALL - - boost-baseline - description: 'Ensure MSK Cluster Logging is enabled ' - group: top10-security-logging-monitoring-failures - name: fc7c2c15-f5d0-4b80-adb2-c89019f8f62b - pretty_name: MSK Cluster Logging Disabled - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-msk-cluster.html - fcb1b388-f558-4b7f-9b6e-f4e98abb7380: - categories: - - ALL - description: 'A list of MQ resources found. Amazon MQ is a managed message broker - service for Apache ActiveMQ and RabbitMQ that makes it easy to set up and operate - message brokers on AWS. 
' - group: supply-chain-missing-artifact-integrity-verification - name: fcb1b388-f558-4b7f-9b6e-f4e98abb7380 - pretty_name: BOM - AWS MQ - ref: https://kics.io/ - fcbf9019-566c-4832-a65c-af00d8137d2b: - categories: - - ALL - - boost-baseline - description: 'API Gateway should have WAF (Web Application Firewall) enabled ' - group: cloud-resources-public-access - name: fcbf9019-566c-4832-a65c-af00d8137d2b - pretty_name: API Gateway without WAF - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-wafv2-webaclassociation.html#cfn-wafv2-webaclassociation-resourcearn - fcc2612a-1dfe-46e4-8ce6-0320959f0040: - categories: - - ALL - - boost-baseline - description: 'A StatefulSet requests volume storage. ' - group: supply-chain-cicd-weak-configuration - name: fcc2612a-1dfe-46e4-8ce6-0320959f0040 - pretty_name: StatefulSet Requests Storage - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/stateful_set#volume_claim_template - fd097ed0-7fe6-4f58-8b71-fef9f0820a21: - categories: - - ALL - - boost-baseline - description: 'Memory limits should be defined for each container. 
This prevents - potential resource exhaustion by ensuring that containers consume not more than - the designated amount of memory ' - group: cloud-insecure-iam - name: fd097ed0-7fe6-4f58-8b71-fef9f0820a21 - pretty_name: Memory Limits Not Defined - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#limits - fd54f200-402c-4333-a5a4-36ef6709af2f: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'A user should be specified in the dockerfile, otherwise the image - will run as root ' - group: supply-chain-cicd-weak-configuration - name: fd54f200-402c-4333-a5a4-36ef6709af2f - pretty_name: Missing User Instruction - recommended: true - ref: https://docs.docker.com/engine/reference/builder/#user - fd632aaf-b8a1-424d-a4d1-0de22fd3247a: - categories: - - ALL - - boost-baseline - description: 'VPC should have a Network Firewall associated ' - group: cloud-resources-public-access - name: fd632aaf-b8a1-424d-a4d1-0de22fd3247a - pretty_name: VPC Without Network Firewall - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/networkfirewall_firewall#vpc_id - fd8da341-6760-4450-b26c-9f6d8850575e: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Firewall rule allowing unrestricted access to Redis from the Internet ' - group: cloud-resources-public-access - name: fd8da341-6760-4450-b26c-9f6d8850575e - pretty_name: Redis Entirely Accessible - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/redis_firewall_rule - fe286195-e75c-4359-bd58-00847c4f855a: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'OSS Bucket should not allow put action from all principals, as to - prevent leaking private information to the entire internet or allow unauthorized - data tampering/deletion. 
This means the ''Effect'' must not be ''Allow'' when - the ''Action'' contains ''Put'', for all Principals. ' - group: cloud-insecure-iam - name: fe286195-e75c-4359-bd58-00847c4f855a - pretty_name: OSS Bucket Allows Put Action From All Principals - recommended: true - ref: https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/oss_bucket#policy - fe771ff7-ba15-4f8f-ad7a-8aa232b49a28: - categories: - - ALL - - boost-baseline - description: 'Containers should not have extra capabilities allowed ' - group: cloud-weak-configuration - name: fe771ff7-ba15-4f8f-ad7a-8aa232b49a28 - pretty_name: Containers With Added Capabilities - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#capabilities-1 - fe974ae9-858e-4991-bbd5-e040a834679f: - categories: - - ALL - - boost-baseline - description: 'Make sure that retain_stack is enabled to keep the Stack and it''s - associated resources during resource destruction ' - group: top10-software-data-integrity-failures - name: fe974ae9-858e-4991-bbd5-e040a834679f - pretty_name: Stack Retention Disabled - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cloudformation-stackset-autodeployment.html#cfn-cloudformation-stackset-autodeployment-retainstacksonaccountremoval - ffac8a12-322e-42c1-b9b9-81ff85c39ef7: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'The HTTP port is open to the internet in a Security Group ' - group: cloud-resources-public-access - name: ffac8a12-322e-42c1-b9b9-81ff85c39ef7 - pretty_name: HTTP Port Open To Internet - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group - ffb02aca-0d12-475e-b77c-a726f7aeff4b: - categories: - - ALL - - boost-baseline - description: 'Make sure that for PostgreSQL Database, server parameter ''log_retention'' - is set to ''ON'' ' - group: 
top10-security-logging-monitoring-failures - name: ffb02aca-0d12-475e-b77c-a726f7aeff4b - pretty_name: Log Retention Is Not Set - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/postgresql_configuration - ffdf4b37-7703-4dfe-a682-9d2e99bc6c09: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'S3 Buckets must not allow Delete Action From All Principals, as - to prevent leaking private information to the entire internet or allow unauthorized - data tampering / deletion. This means the ''Effect'' must not be ''Allow'' when - the ''Action'' is Delete, for all Principals. ' - group: cloud-insecure-iam - name: ffdf4b37-7703-4dfe-a682-9d2e99bc6c09 - pretty_name: S3 Bucket Allows Delete Action From All Principals - recommended: true - ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy - ffe0fd52-7a8b-4a5c-8fc7-49844418e6c9: - categories: - - ALL - - boost-baseline - description: 'AWS CloudFormation Stack should have a stack policy in order to - protect stack resources from update actions ' - group: cloud-insecure-iam - name: ffe0fd52-7a8b-4a5c-8fc7-49844418e6c9 - pretty_name: No Stack Policy - recommended: true - ref: https://docs.ansible.com/ansible/latest/collections/amazon/aws/cloudformation_module.html - ffee2785-c347-451e-89f3-11aeb08e5c84: - categories: - - ALL - - boost-baseline - - boost-hardened - description: 'Ensure that storage is encrypted. ' - group: top10-crypto-failures - name: ffee2785-c347-451e-89f3-11aeb08e5c84 - pretty_name: CMK Unencrypted Storage - recommended: true - ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-rds-database-instance.html