GitLab Advanced SAST CWE coverage

  • Tier: Ultimate
  • Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated

GitLab Advanced SAST finds many types of potential security vulnerabilities in code written in supported languages.

GitLab assigns a matching Common Weakness Enumeration (CWE) identifier to each potential vulnerability. CWE identifiers are an industry-standard way to identify security weaknesses, but it’s important to know:

  • CWEs are arranged in a tree structure. For example, CWE-22: Path Traversal is a parent of CWE-23: Relative Path Traversal. A scanner that specifically detects relative path traversal weaknesses (CWE-23) by definition also detects a portion of the more general path traversal category (CWE-22).
  • For clarity, this table identifies the exact CWE identifiers that are assigned to GitLab Advanced SAST rules. It doesn’t report parent identifiers.

To learn more about the rules used in GitLab Advanced SAST, see SAST rules.

CWE coverage by language

GitLab Advanced SAST finds the following types of weaknesses in each programming language:

CWE CWE Description C# Go Java JavaScript, TypeScript Python Ruby
CWE-15 External Control of System or Configuration Setting dotted-circle No dotted-circle No check-circle Yes dotted-circle No dotted-circle No dotted-circle No
CWE-22 Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) check-circle Yes check-circle Yes check-circle Yes check-circle Yes check-circle Yes check-circle Yes
CWE-23 Relative Path Traversal dotted-circle No dotted-circle No dotted-circle No check-circle Yes check-circle Yes dotted-circle No
CWE-73 External Control of File Name or Path dotted-circle No dotted-circle No check-circle Yes dotted-circle No dotted-circle No check-circle Yes
CWE-76 Improper Neutralization of Equivalent Special Elements dotted-circle No dotted-circle No dotted-circle No dotted-circle No dotted-circle No check-circle Yes
CWE-77 Improper Neutralization of Special Elements used in a Command (‘Command Injection’) dotted-circle No dotted-circle No check-circle Yes dotted-circle No dotted-circle No dotted-circle No
CWE-78 Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) check-circle Yes check-circle Yes check-circle Yes check-circle Yes check-circle Yes check-circle Yes
CWE-79 Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) check-circle Yes check-circle Yes check-circle Yes check-circle Yes check-circle Yes check-circle Yes
CWE-80 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) dotted-circle No dotted-circle No dotted-circle No check-circle Yes dotted-circle No dotted-circle No
CWE-88 Improper Neutralization of Argument Delimiters in a Command (‘Argument Injection’) dotted-circle No dotted-circle No check-circle Yes dotted-circle No dotted-circle No dotted-circle No
CWE-89 Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) check-circle Yes check-circle Yes check-circle Yes check-circle Yes check-circle Yes check-circle Yes
CWE-90 Improper Neutralization of Special Elements used in an LDAP Query (‘LDAP Injection’) check-circle Yes dotted-circle No check-circle Yes dotted-circle No dotted-circle No dotted-circle No
CWE-91 XML Injection (aka Blind XPath Injection) dotted-circle No dotted-circle No check-circle Yes dotted-circle No dotted-circle No dotted-circle No
CWE-94 Improper Control of Generation of Code (‘Code Injection’) dotted-circle No check-circle Yes check-circle Yes check-circle Yes check-circle Yes check-circle Yes
CWE-95 Improper Neutralization of Directives in Dynamically Evaluated Code (‘Eval Injection’) dotted-circle No dotted-circle No check-circle Yes check-circle Yes check-circle Yes check-circle Yes
CWE-113 Improper Neutralization of CRLF Sequences in HTTP Headers (‘HTTP Request/Response Splitting’) dotted-circle No dotted-circle No check-circle Yes check-circle Yes dotted-circle No dotted-circle No
CWE-116 Improper Encoding or Escaping of Output dotted-circle No dotted-circle No dotted-circle No check-circle Yes check-circle Yes dotted-circle No
CWE-117 Improper Output Neutralization for Logs dotted-circle No dotted-circle No check-circle Yes dotted-circle No dotted-circle No dotted-circle No
CWE-118 Incorrect Access of Indexable Resource (‘Range Error’) dotted-circle No check-circle Yes dotted-circle No dotted-circle No dotted-circle No dotted-circle No
CWE-125 Out-of-bounds Read dotted-circle No dotted-circle No dotted-circle No check-circle Yes dotted-circle No dotted-circle No
CWE-134 Use of Externally-Controlled Format String dotted-circle No dotted-circle No check-circle Yes dotted-circle No dotted-circle No dotted-circle No
CWE-155 Improper Neutralization of Wildcards or Matching Symbols dotted-circle No dotted-circle No dotted-circle No dotted-circle No check-circle Yes dotted-circle No
CWE-180 Incorrect Behavior Order: Validate Before Canonicalize dotted-circle No dotted-circle No check-circle Yes dotted-circle No dotted-circle No dotted-circle No
CWE-182 Collapse of Data into Unsafe Value dotted-circle No dotted-circle No check-circle Yes dotted-circle No dotted-circle No dotted-circle No
CWE-185 Incorrect Regular Expression dotted-circle No dotted-circle No dotted-circle No check-circle Yes dotted-circle No check-circle Yes
CWE-190 Integer Overflow or Wraparound dotted-circle No check-circle Yes dotted-circle No dotted-circle No dotted-circle No dotted-circle No
CWE-208 Observable Timing Discrepancy dotted-circle No dotted-circle No dotted-circle No check-circle Yes dotted-circle No dotted-circle No
CWE-209 Generation of Error Message Containing Sensitive Information dotted-circle No dotted-circle No dotted-circle No dotted-circle No dotted-circle No check-circle Yes
CWE-242 Use of Inherently Dangerous Function dotted-circle No check-circle Yes dotted-circle No dotted-circle No dotted-circle No dotted-circle No
CWE-272 Least Privilege Violation dotted-circle No dotted-circle No dotted-circle No check-circle Yes dotted-circle No dotted-circle No
CWE-276 Incorrect Default Permissions dotted-circle No check-circle Yes dotted-circle No dotted-circle No dotted-circle No check-circle Yes
CWE-295 Improper Certificate Validation check-circle Yes dotted-circle No check-circle Yes check-circle Yes check-circle Yes check-circle Yes
CWE-297 Improper Validation of Certificate with Host Mismatch dotted-circle No dotted-circle No check-circle Yes dotted-circle No dotted-circle No dotted-circle No
CWE-306 Missing Authentication for Critical Function dotted-circle No dotted-circle No check-circle Yes dotted-circle No dotted-circle No dotted-circle No
CWE-311 Missing Encryption of Sensitive Data dotted-circle No dotted-circle No dotted-circle No dotted-circle No dotted-circle No check-circle Yes
CWE-319 Cleartext Transmission of Sensitive Information dotted-circle No dotted-circle No check-circle Yes check-circle Yes check-circle Yes dotted-circle No
CWE-322 Key Exchange without Entity Authentication dotted-circle No check-circle Yes dotted-circle No dotted-circle No check-circle Yes dotted-circle No
CWE-323 Reusing a Nonce, Key Pair in Encryption dotted-circle No dotted-circle No check-circle Yes dotted-circle No dotted-circle No dotted-circle No
CWE-326 Inadequate Encryption Strength dotted-circle No check-circle Yes check-circle Yes dotted-circle No check-circle Yes check-circle Yes
CWE-327 Use of a Broken or Risky Cryptographic Algorithm check-circle Yes check-circle Yes check-circle Yes check-circle Yes check-circle Yes dotted-circle No
CWE-328 Use of Weak Hash dotted-circle No dotted-circle No dotted-circle No check-circle Yes dotted-circle No check-circle Yes
CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) check-circle Yes check-circle Yes dotted-circle No check-circle Yes check-circle Yes dotted-circle No
CWE-346 Origin Validation Error dotted-circle No dotted-circle No dotted-circle No check-circle Yes dotted-circle No dotted-circle No
CWE-347 Improper Verification of Cryptographic Signature dotted-circle No dotted-circle No check-circle Yes dotted-circle No dotted-circle No dotted-circle No
CWE-348 Use of Less Trusted Source dotted-circle No dotted-circle No dotted-circle No check-circle Yes dotted-circle No dotted-circle No
CWE-352 Cross-Site Request Forgery (CSRF) check-circle Yes dotted-circle No check-circle Yes dotted-circle No check-circle Yes check-circle Yes
CWE-358 Improperly Implemented Security Check for Standard dotted-circle No dotted-circle No dotted-circle No check-circle Yes dotted-circle No dotted-circle No
CWE-369 Divide By Zero dotted-circle No dotted-circle No dotted-circle No dotted-circle No dotted-circle No check-circle Yes
CWE-377 Insecure Temporary File dotted-circle No check-circle Yes dotted-circle No dotted-circle No check-circle Yes dotted-circle No
CWE-409 Improper Handling of Highly Compressed Data (Data Amplification) dotted-circle No check-circle Yes dotted-circle No dotted-circle No dotted-circle No dotted-circle No
CWE-470 Use of Externally-Controlled Input to Select Classes or Code (‘Unsafe Reflection’) dotted-circle No dotted-circle No check-circle Yes dotted-circle No dotted-circle No dotted-circle No
CWE-489 Active Debug Code dotted-circle No check-circle Yes check-circle Yes dotted-circle No check-circle Yes dotted-circle No
CWE-502 Deserialization of Untrusted Data check-circle Yes dotted-circle No check-circle Yes check-circle Yes check-circle Yes check-circle Yes
CWE-521 Weak Password Requirements check-circle Yes dotted-circle No dotted-circle No dotted-circle No dotted-circle No dotted-circle No
CWE-522 Insufficiently Protected Credentials dotted-circle No dotted-circle No dotted-circle No check-circle Yes dotted-circle No dotted-circle No
CWE-552 Files or Directories Accessible to External Parties dotted-circle No check-circle Yes check-circle Yes dotted-circle No dotted-circle No dotted-circle No
CWE-554 ASP.NET Misconfiguration: Not Using Input Validation Framework check-circle Yes dotted-circle No dotted-circle No dotted-circle No dotted-circle No dotted-circle No
CWE-599 Missing Validation of OpenSSL Certificate dotted-circle No dotted-circle No dotted-circle No check-circle Yes dotted-circle No dotted-circle No
CWE-601 URL Redirection to Untrusted Site (‘Open Redirect’) check-circle Yes check-circle Yes check-circle Yes check-circle Yes check-circle Yes check-circle Yes
CWE-606 Unchecked Input for Loop Condition dotted-circle No dotted-circle No dotted-circle No check-circle Yes dotted-circle No dotted-circle No
CWE-611 Improper Restriction of XML External Entity Reference check-circle Yes check-circle Yes check-circle Yes check-circle Yes check-circle Yes dotted-circle No
CWE-613 Insufficient Session Expiration dotted-circle No dotted-circle No dotted-circle No check-circle Yes dotted-circle No dotted-circle No
CWE-614 Sensitive Cookie in HTTPS Session Without ‘Secure’ Attribute check-circle Yes dotted-circle No check-circle Yes check-circle Yes dotted-circle No dotted-circle No
CWE-639 Authorization Bypass Through User-Controlled Key dotted-circle No dotted-circle No dotted-circle No dotted-circle No dotted-circle No check-circle Yes
CWE-643 Improper Neutralization of Data within XPath Expressions (‘XPath Injection’) check-circle Yes dotted-circle No check-circle Yes check-circle Yes dotted-circle No dotted-circle No
CWE-704 Incorrect Type Conversion or Cast dotted-circle No dotted-circle No check-circle Yes dotted-circle No dotted-circle No dotted-circle No
CWE-732 Incorrect Permission Assignment for Critical Resource dotted-circle No check-circle Yes check-circle Yes dotted-circle No check-circle Yes dotted-circle No
CWE-749 Exposed Dangerous Method or Function dotted-circle No dotted-circle No check-circle Yes dotted-circle No dotted-circle No check-circle Yes
CWE-754 Improper Check for Unusual or Exceptional Conditions dotted-circle No dotted-circle No dotted-circle No dotted-circle No check-circle Yes check-circle Yes
CWE-757 Selection of Less-Secure Algorithm During Negotiation (‘Algorithm Downgrade’) dotted-circle No dotted-circle No dotted-circle No check-circle Yes dotted-circle No dotted-circle No
CWE-770 Allocation of Resources Without Limits or Throttling dotted-circle No check-circle Yes dotted-circle No check-circle Yes check-circle Yes dotted-circle No
CWE-776 Improper Restriction of Recursive Entity References in DTDs (‘XML Entity Expansion’) dotted-circle No dotted-circle No dotted-circle No check-circle Yes dotted-circle No dotted-circle No
CWE-780 Use of RSA Algorithm without OAEP dotted-circle No dotted-circle No check-circle Yes dotted-circle No dotted-circle No dotted-circle No
CWE-787 Out-of-bounds Write dotted-circle No dotted-circle No dotted-circle No check-circle Yes dotted-circle No dotted-circle No
CWE-798 Use of Hard-coded Credentials dotted-circle No dotted-circle No dotted-circle No check-circle Yes dotted-circle No dotted-circle No
CWE-913 Improper Control of Dynamically-Managed Code Resources dotted-circle No dotted-circle No dotted-circle No check-circle Yes dotted-circle No dotted-circle No
CWE-915 Improperly Controlled Modification of Dynamically-Determined Object Attributes dotted-circle No dotted-circle No dotted-circle No dotted-circle No dotted-circle No check-circle Yes
CWE-917 Improper Neutralization of Special Elements used in an Expression Language Statement (‘Expression Language Injection’) dotted-circle No dotted-circle No check-circle Yes dotted-circle No dotted-circle No dotted-circle No
CWE-918 Server-Side Request Forgery (SSRF) check-circle Yes check-circle Yes check-circle Yes check-circle Yes check-circle Yes check-circle Yes
CWE-942 Permissive Cross-domain Policy with Untrusted Domains dotted-circle No dotted-circle No check-circle Yes check-circle Yes dotted-circle No dotted-circle No
CWE-943 Improper Neutralization of Special Elements in Data Query Logic dotted-circle No check-circle Yes check-circle Yes check-circle Yes dotted-circle No dotted-circle No
CWE-1004 Sensitive Cookie Without ‘HttpOnly’ Flag check-circle Yes dotted-circle No check-circle Yes check-circle Yes dotted-circle No check-circle Yes
CWE-1104 Use of Unmaintained Third Party Components dotted-circle No dotted-circle No dotted-circle No dotted-circle No check-circle Yes dotted-circle No
CWE-1204 Generation of Weak Initialization Vector (IV) dotted-circle No dotted-circle No dotted-circle No check-circle Yes dotted-circle No dotted-circle No
CWE-1275 Sensitive Cookie with Improper SameSite Attribute dotted-circle No dotted-circle No dotted-circle No check-circle Yes dotted-circle No dotted-circle No
CWE-1321 Improperly Controlled Modification of Object Prototype Attributes (‘Prototype Pollution’) dotted-circle No dotted-circle No dotted-circle No check-circle Yes dotted-circle No dotted-circle No
CWE-1327 Binding to an Unrestricted IP Address dotted-circle No check-circle Yes dotted-circle No dotted-circle No check-circle Yes dotted-circle No
CWE-1390 Weak Authentication dotted-circle No dotted-circle No check-circle Yes dotted-circle No dotted-circle No dotted-circle No

Did this page answer the question you had? If not, please comment on epic 15343 to share your use case.