GitLab Advanced SAST CWE coverage

Tier: Ultimate Offering: GitLab.com, Self-managed, GitLab Dedicated

GitLab Advanced SAST finds many types of potential security vulnerabilities in code written in supported languages.

GitLab assigns a matching Common Weakness Enumeration (CWE) identifier to each potential vulnerability. CWE identifiers are an industry-standard way to identify security weaknesses, but it’s important to know:

  • CWEs are arranged in a tree structure. For example, CWE-22: Path Traversal is a parent of CWE-23: Relative Path Traversal. A scanner that specifically detects relative path traversal weaknesses (CWE-23) by definition also detects a portion of the more general path traversal category (CWE-22).
  • For clarity, this table identifies the exact CWE identifiers that are assigned to Advanced SAST rules. It doesn’t report parent identifiers.

To learn more about the rules used in GitLab Advanced SAST, see SAST rules.

CWE coverage by language

GitLab Advanced SAST finds the following types of weaknesses in each programming language:

CWE CWE Description C# Go Java JavaScript, TypeScript Python Ruby
CWE-15 External Control of System or Configuration Setting No No Yes No No No
CWE-22 Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) Yes Yes Yes Yes Yes Yes
CWE-23 Relative Path Traversal No No No Yes Yes No
CWE-73 External Control of File Name or Path No No Yes No No Yes
CWE-76 Improper Neutralization of Equivalent Special Elements No No No No No Yes
CWE-77 Improper Neutralization of Special Elements used in a Command (‘Command Injection’) No No Yes No No No
CWE-78 Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) Yes Yes Yes Yes Yes Yes
CWE-79 Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) Yes Yes Yes Yes Yes Yes
CWE-80 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) No No No Yes No No
CWE-88 Improper Neutralization of Argument Delimiters in a Command (‘Argument Injection’) No No Yes No No No
CWE-89 Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) Yes Yes Yes Yes Yes Yes
CWE-90 Improper Neutralization of Special Elements used in an LDAP Query (‘LDAP Injection’) Yes No Yes No No No
CWE-91 XML Injection (aka Blind XPath Injection) No No Yes No No No
CWE-94 Improper Control of Generation of Code (‘Code Injection’) No Yes Yes Yes Yes Yes
CWE-95 Improper Neutralization of Directives in Dynamically Evaluated Code (‘Eval Injection’) No No Yes Yes Yes Yes
CWE-113 Improper Neutralization of CRLF Sequences in HTTP Headers (‘HTTP Request/Response Splitting’) No No Yes Yes No No
CWE-116 Improper Encoding or Escaping of Output No No No Yes Yes No
CWE-118 Incorrect Access of Indexable Resource (‘Range Error’) No Yes No No No No
CWE-125 Out-of-bounds Read No No No Yes No No
CWE-134 Use of Externally-Controlled Format String No No Yes No No No
CWE-155 Improper Neutralization of Wildcards or Matching Symbols No No No No Yes No
CWE-180 Incorrect Behavior Order: Validate Before Canonicalize No No Yes No No No
CWE-182 Collapse of Data into Unsafe Value No No Yes No No No
CWE-185 Incorrect Regular Expression No No No Yes No Yes
CWE-190 Integer Overflow or Wraparound No Yes No No No No
CWE-208 Observable Timing Discrepancy No No No Yes No No
CWE-209 Generation of Error Message Containing Sensitive Information No No No No No Yes
CWE-242 Use of Inherently Dangerous Function No Yes No No No No
CWE-272 Least Privilege Violation No No No Yes No No
CWE-276 Incorrect Default Permissions No Yes No No No Yes
CWE-295 Improper Certificate Validation Yes No Yes Yes Yes Yes
CWE-297 Improper Validation of Certificate with Host Mismatch No No Yes No No No
CWE-306 Missing Authentication for Critical Function No No Yes No No No
CWE-311 Missing Encryption of Sensitive Data No No No No No Yes
CWE-319 Cleartext Transmission of Sensitive Information No No Yes Yes Yes No
CWE-322 Key Exchange without Entity Authentication No Yes No No Yes No
CWE-323 Reusing a Nonce, Key Pair in Encryption No No Yes No No No
CWE-326 Inadequate Encryption Strength No Yes Yes No Yes Yes
CWE-327 Use of a Broken or Risky Cryptographic Algorithm Yes Yes Yes Yes Yes No
CWE-328 Use of Weak Hash No No No Yes No Yes
CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) Yes Yes No Yes Yes No
CWE-346 Origin Validation Error No No No Yes No No
CWE-347 Improper Verification of Cryptographic Signature No No Yes No No No
CWE-348 Use of Less Trusted Source No No No Yes No No
CWE-352 Cross-Site Request Forgery (CSRF) Yes No Yes No Yes Yes
CWE-358 Improperly Implemented Security Check for Standard No No No Yes No No
CWE-369 Divide By Zero No No No No No Yes
CWE-377 Insecure Temporary File No Yes No No Yes No
CWE-409 Improper Handling of Highly Compressed Data (Data Amplification) No Yes No No No No
CWE-489 Active Debug Code No Yes Yes No Yes No
CWE-502 Deserialization of Untrusted Data Yes No Yes Yes Yes Yes
CWE-521 Weak Password Requirements Yes No No No No No
CWE-522 Insufficiently Protected Credentials No No No Yes No No
CWE-552 Files or Directories Accessible to External Parties No Yes Yes No No No
CWE-554 ASP.NET Misconfiguration: Not Using Input Validation Framework Yes No No No No No
CWE-599 Missing Validation of OpenSSL Certificate No No No Yes No No
CWE-601 URL Redirection to Untrusted Site (‘Open Redirect’) Yes Yes Yes Yes Yes Yes
CWE-606 Unchecked Input for Loop Condition No No No Yes No No
CWE-611 Improper Restriction of XML External Entity Reference Yes Yes Yes Yes Yes No
CWE-613 Insufficient Session Expiration No No No Yes No No
CWE-614 Sensitive Cookie in HTTPS Session Without ‘Secure’ Attribute Yes No Yes Yes No No
CWE-639 Authorization Bypass Through User-Controlled Key No No No No No Yes
CWE-643 Improper Neutralization of Data within XPath Expressions (‘XPath Injection’) Yes No Yes Yes No No
CWE-704 Incorrect Type Conversion or Cast No No Yes No No No
CWE-732 Incorrect Permission Assignment for Critical Resource No Yes Yes No Yes No
CWE-749 Exposed Dangerous Method or Function No No Yes No No Yes
CWE-754 Improper Check for Unusual or Exceptional Conditions No No No No Yes Yes
CWE-757 Selection of Less-Secure Algorithm During Negotiation (‘Algorithm Downgrade’) No No No Yes No No
CWE-770 Allocation of Resources Without Limits or Throttling No Yes No Yes Yes No
CWE-776 Improper Restriction of Recursive Entity References in DTDs (‘XML Entity Expansion’) No No No Yes No No
CWE-780 Use of RSA Algorithm without OAEP No No Yes No No No
CWE-787 Out-of-bounds Write No No No Yes No No
CWE-798 Use of Hard-coded Credentials No No No Yes No No
CWE-913 Improper Control of Dynamically-Managed Code Resources No No No Yes No No
CWE-915 Improperly Controlled Modification of Dynamically-Determined Object Attributes No No No No No Yes
CWE-917 Improper Neutralization of Special Elements used in an Expression Language Statement (‘Expression Language Injection’) No No Yes No No No
CWE-918 Server-Side Request Forgery (SSRF) Yes Yes Yes Yes Yes Yes
CWE-942 Permissive Cross-domain Policy with Untrusted Domains No No Yes Yes No No
CWE-943 Improper Neutralization of Special Elements in Data Query Logic No Yes Yes Yes No No
CWE-1004 Sensitive Cookie Without ‘HttpOnly’ Flag Yes No Yes Yes No Yes
CWE-1104 Use of Unmaintained Third Party Components No No No No Yes No
CWE-1204 Generation of Weak Initialization Vector (IV) No No No Yes No No
CWE-1275 Sensitive Cookie with Improper SameSite Attribute No No No Yes No No
CWE-1321 Improperly Controlled Modification of Object Prototype Attributes (‘Prototype Pollution’) No No No Yes No No
CWE-1327 Binding to an Unrestricted IP Address No Yes No No Yes No
CWE-1390 Weak Authentication No No Yes No No No
note
Did this page answer the question you had? If not, please comment on epic 15343 to share your use case.