GitLab Advanced SAST rules: Java
- Tier: Ultimate
- Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated
Rules used by GitLab Advanced SAST to detect vulnerabilities in Java code.
| Rule ID | Rule description | CWE | OWASP Top 10 |
|---|---|---|---|
java-android-crypto-webview-ignore-ssl-certificate-errors-atomic | Improper certificate validation | CWE-295 | A3:2017, A02:2021 |
java-android-misconfiguration-webview-debugging-atomic | Active debug code | CWE-489 | A6:2017, A05:2021 |
java-android-misconfiguration-webview-external-storage-atomic | Exposed dangerous method or function | CWE-749 | A1:2017, A03:2021 |
java-commons-ssrf-httpclient-taint | Server-Side Request Forgery (SSRF) | CWE-918 | A1:2017, A10:2021 |
java-groovy-cmdi-groovyshell-taint | Improper control of generation of code (‘Code Injection’) | CWE-94 | A1:2017, A03:2021 |
java-hibernate-sqli-taint | Improper neutralization of special elements used in an SQL command (‘SQL Injection’) | CWE-89 | A1:2017, A03:2021 |
java-jackson-deserialization-objectmapper-atomic | Java Unsafe Jackson Deserialization | CWE-502 | A8:2017, A08:2021 |
java-jackson-deserialization-objectmapper-taint | Deserialization of untrusted data | CWE-502 | A8:2017, A08:2021 |
java-jdbc-sqli-formatted-string-taint | Improper neutralization of special elements used in an SQL command (‘SQL Injection’) | CWE-89 | A1:2017, A03:2021 |
java-jdbc-sqli-taint | Improper neutralization of special elements used in an SQL command (‘SQL Injection’) | CWE-89 | A1:2017, A03:2021 |
java-jdbi-sqli-handle-taint | Improper neutralization of special elements used in an SQL command (‘SQL Injection’) | CWE-89 | A1:2017, A03:2021 |
java-jdo-sqli-taint | Improper neutralization of special elements used in an SQL command (‘SQL Injection’) | CWE-89 | A1:2017, A03:2021 |
java-jms-deserialization-getobject-taint | Deserialization of untrusted data | CWE-502 | A8:2017, A08:2021 |
java-jpa-sqli-taint | Improper neutralization of special elements used in an SQL command (‘SQL Injection’) | CWE-89 | A1:2017, A03:2021 |
java-lang-accesscontrol-dangerous-permissions-atomic | Incorrect permission assignment for critical resource | CWE-732 | A5:2017, A01:2021 |
java-lang-accesscontrol-overly-permissive-file-permission-atomic | Incorrect permission assignment for critical resource | CWE-732 | A5:2017, A01:2021 |
java-lang-accesscontrol-saml-ignore-comments-atomic | Weak authentication | CWE-1390 | A5:2017, A01:2021 |
java-lang-accesscontrol-webview-allow-file-access-atomic | External control of file name or path | CWE-73 | A5:2017, A01:2021 |
java-lang-cmdi-FileDisclosureRequestDispatcher-taint | Files or directories accessible to external parties | CWE-552 | A5:2017, A01:2021 |
java-lang-cmdi-env-injection-taint | Improper neutralization of special elements used in an OS command (‘OS Command Injection’) | CWE-78 | A1:2017, A03:2021 |
java-lang-cmdi-processbuilder-taint | Improper neutralization of special elements used in an OS command (‘OS Command Injection’) | CWE-78 | A1:2017, A03:2021 |
java-lang-cmdi-runtime-taint | Improper neutralization of special elements used in an OS command (‘OS Command Injection’) | CWE-78 | A1:2017, A03:2021 |
java-lang-cmdi-smtp-client-taint | Improper neutralization of special elements used in a command | CWE-77 | A1:2017, A03:2021 |
java-lang-codei-scriptinjection-taint | Improper control of generation of code (‘Code Injection’) | CWE-94 | A1:2017, A03:2021 |
java-lang-codei-unsafe-reflection-taint | Use of externally-controlled input to select classes or code (‘Unsafe Reflection’) | CWE-470 | A1:2017, A03:2021 |
java-lang-cors-permissive-cors-injection-taint | Permissive cross-domain policy with untrusted domains | CWE-942 | A1:2017, A03:2021 |
java-lang-crlfi-cookie-http-response-splitting-taint | Improper neutralization of CRLF sequences in HTTP headers (‘HTTP Response Splitting’) | CWE-113 | A1:2017, A03:2021 |
java-lang-crlfi-cookie-request-param-to-header-taint | Improper neutralization of CRLF sequences in HTTP headers (‘HTTP Response Splitting’) | CWE-113 | A1:2017, A03:2021 |
java-lang-crlfi-logs-injection-taint | Improper output neutralization for logs | CWE-117 | A1:2017, A03:2021 |
java-lang-crypto-blowfish-keysize-atomic | Inadequate encryption strength | CWE-326 | A3:2017, A02:2021 |
java-lang-crypto-ciperintegrity-atomic | Use of a broken or risky cryptographic algorithm | CWE-327 | A3:2017, A02:2021 |
java-lang-crypto-cipher-atomic | Use of a broken or risky cryptographic algorithm | CWE-327 | A3:2017, A02:2021 |
java-lang-crypto-cipherdesedeinsecure-atomic | Use of a broken or risky cryptographic algorithm | CWE-327 | A3:2017, A02:2021 |
java-lang-crypto-cipherpaddingoracle-atomic | Use of a broken or risky cryptographic algorithm | CWE-327 | A3:2017, A02:2021 |
java-lang-crypto-custom-messagedigest-atomic | Use of a broken or risky cryptographic algorithm | CWE-327 | A3:2017, A02:2021 |
java-lang-crypto-defaulthttpclient-atomic | Improper certificate validation | CWE-295 | A3:2017, A02:2021 |
java-lang-crypto-des-atomic | Use of a broken or risky cryptographic algorithm | CWE-327 | A3:2017, A02:2021 |
java-lang-crypto-disallow-old-tls-versions-atomic | Inadequate encryption strength | CWE-326 | A3:2017, A02:2021 |
java-lang-crypto-ftp-insecure-transport-atomic | Cleartext transmission of sensitive information | CWE-319 | A3:2017, A02:2021 |
java-lang-crypto-gcm-nonce-reuse-atomic | Reusing a nonce, key pair in encryption | CWE-323 | A3:2017, A02:2021 |
java-lang-crypto-hazelcast-symmetric-encryption-atomic | Inadequate encryption strength | CWE-326 | A3:2017, A02:2021 |
java-lang-crypto-hostnameverifier-atomic | Improper certificate validation | CWE-295 | A3:2017, A02:2021 |
java-lang-crypto-http-components-request-atomic | Cleartext transmission of sensitive information | CWE-319 | A3:2017, A02:2021 |
java-lang-crypto-httpget-http-request-taint | Cleartext transmission of sensitive information | CWE-319 | A3:2017, A02:2021 |
java-lang-crypto-insecure-random-taint | Use of cryptographically weak pseudo-random number generator (PRNG) | CWE-338 | A3:2017, A02:2021 |
java-lang-crypto-insufficient-keysize-atomic | Inadequate encryption strength | CWE-326 | A3:2017, A02:2021 |
java-lang-crypto-jwt-none-algorithm-atomic | Use of a broken or risky cryptographic algorithm | CWE-327 | A3:2017, A02:2021 |
java-lang-crypto-null-cipher-atomic | Use of a broken or risky cryptographic algorithm | CWE-327 | A3:2017, A02:2021 |
java-lang-crypto-rc2-atomic | Use of a broken or risky cryptographic algorithm | CWE-327 | A3:2017, A02:2021 |
java-lang-crypto-rc4-atomic | Use of a broken or risky cryptographic algorithm | CWE-327 | A3:2017, A02:2021 |
java-lang-crypto-rsanopadding-atomic | Use of RSA algorithm without OAEP | CWE-780 | A3:2017, A02:2021 |
java-lang-crypto-smtp-insecure-atomic | Improper validation of certificate with host mismatch | CWE-297 | A3:2017, A02:2021 |
java-lang-crypto-socket-request-unsafe-protocols-atomic | Cleartext transmission of sensitive information | CWE-319 | A3:2017, A02:2021 |
java-lang-crypto-telnet-request-atomic | Cleartext transmission of sensitive information | CWE-319 | A3:2017, A02:2021 |
java-lang-crypto-tls-unsafe-renegotiation-atomic | Cleartext transmission of sensitive information | CWE-319 | A3:2017, A02:2021 |
java-lang-crypto-weak-messagedigest-atomic | Use of Weak Hash | CWE-328 | A3:2017, A02:2021 |
java-lang-crypto-weaktls-atomic | Inadequate encryption strength | CWE-326 | A3:2017, A02:2021 |
java-lang-crypto-weaktlsprotocolsslcontext-atomic | Inadequate encryption strength | CWE-326 | A3:2017, A02:2021 |
java-lang-crypto-x509trustmanager-atomic | Improper certificate validation | CWE-295 | A3:2017, A02:2021 |
java-lang-deserialization-objectinputstream-taint | Deserialization of untrusted data | CWE-502 | A8:2017, A08:2021 |
java-lang-deserialization-server-dangerous-object-deserialization-atomic | Deserialization of untrusted data | CWE-502 | A8:2017, A08:2021 |
java-lang-file-disclosure-model-and-view-taint | Files or directories accessible to external parties | CWE-552 | A5:2017, A01:2021 |
java-lang-hpp-taint | Improper neutralization of argument delimiters in a command (‘Argument Injection’) | CWE-88 | A1:2017, A03:2021 |
java-lang-ldapi-anonymous-atomic | Missing authentication for critical function (LDAP) | CWE-306 | A2:2017, A07:2021 |
java-lang-ldapi-taint | Improper neutralization of special elements used in an LDAP query (‘LDAP Injection’) | CWE-90 | A1:2017, A03:2021 |
java-lang-misconfiguration-bad-hex-conversion-atomic | Incorrect type conversion or cast | CWE-704 | A6:2017, A04:2021 |
java-lang-misconfiguration-cookie-http-url-connection-atomic | Cleartext transmission of sensitive information | CWE-319 | A3:2017, A02:2021 |
java-lang-misconfiguration-cookie-httponly-atomic | Sensitive cookie without ‘HttpOnly’ flag | CWE-1004 | A6:2017, A05:2021 |
java-lang-misconfiguration-cookie-insecure-atomic | Sensitive cookie in HTTPS session without ‘Secure’ attribute | CWE-614 | A6:2017, A05:2021 |
java-lang-misconfiguration-cookie-samesite-taint | Sensitive cookie with improper SameSite attribute | CWE-1275 | A05:2017, A01:2021 |
java-lang-misconfiguration-external-general-entities-true-atomic | Improper restriction of XML external entity reference (‘XXE’) | CWE-611 | A4:2017, A05:2021 |
java-lang-misconfiguration-normalizeaftervalidation-atomic | Incorrect behavior order: validate before canonicalize | CWE-180 | A6:2017, A04:2021 |
java-lang-misconfiguration-properties-input-taint | External control of system or configuration setting | CWE-15 | A6:2017, A04:2021 |
java-lang-misconfiguration-session-manipulation-taint | Trust boundary violation | CWE-501 | A04:2021, A6:2017 |
java-lang-misconfiguration-strings-modify-after-validation-taint | Collapse of data into unsafe value | CWE-182 | A6:2017, A04:2021 |
java-lang-overflow-integer-overflow-taint | Integer overflow or wraparound | CWE-190 | A6:2017, A04:2021 |
java-lang-overflow-integer-underflow-taint | Integer underflow or wraparound | CWE-191 | A6:2017, A04:2021 |
java-lang-pathtraversal-file-low-taint | Improper limitation of a pathname to a restricted directory (‘Path Traversal’) | CWE-22 | A5:2017, A01:2021 |
java-lang-pathtraversal-file-special-taint | Improper limitation of a pathname to a restricted directory (‘Path Traversal’) | CWE-22 | A5:2017, A01:2021 |
java-lang-pathtraversal-file-taint | Improper limitation of a pathname to a restricted directory (‘Path Traversal’) | CWE-22 | A5:2017, A01:2021 |
java-lang-sqli-connection-taint | Improper neutralization of special elements used in an SQL command (‘SQL Injection’) | CWE-89 | A1:2017, A03:2021 |
java-lang-sqli-external-config-control-taint | External control of system or configuration setting | CWE-15 | A5:2017, A01:2021 |
java-lang-sqli-second-order-taint | Improper neutralization of special elements used in an SQL command (‘SQL Injection’) | CWE-89 | A1:2017, A03:2021 |
java-lang-ssrf-thirdparty-taint | Server-Side Request Forgery (SSRF) | CWE-918 | A1:2017, A10:2021 |
java-lang-ssrf-url-taint | Server-Side Request Forgery (SSRF) | CWE-918 | A1:2017, A10:2021 |
java-lang-ssti-el-taint | Improper neutralization of special elements used in an expression language statement (‘Expression Language Injection’) | CWE-917 | A1:2017, A03:2021 |
java-lang-ssti-templateinjection-taint | Improper neutralization of special elements used in a template engine | CWE-1336 | A1:2017, A03:2021 |
java-lang-xpathi-taint | Improper neutralization of data within XPath expressions (‘XPath Injection’) | CWE-643 | A1:2017, A03:2021 |
java-lang-xss-reflected-taint | Improper neutralization of input during web page generation (‘Cross-site Scripting’) | CWE-79 | A7:2017, A03:2021 |
java-lang-xss-reqparam-to-servlet-writer-taint | Improper neutralization of input during web page generation (‘Cross-site Scripting’) | CWE-79 | A1:2017, A03:2021 |
java-lang-xss-stored-taint | Improper neutralization of input during web page generation (‘Cross-site Scripting’) | CWE-79 | A7:2017, A03:2021 |
java-lang-xxe-documentbuilderfactory-parse-taint | Improper restriction of XML external entity reference (‘XXE’) | CWE-611 | A4:2017, A05:2021 |
java-lang-xxe-documentbuilderfactory-taint | Improper restriction of XML external entity reference (‘XXE’) | CWE-611 | A4:2017, A05:2021 |
java-lang-xxe-external-parameter-entities-true-atomic | Improper restriction of XML external entity reference (‘XXE’) | CWE-611 | A4:2017, A05:2021 |
java-lang-xxe-saxparserfactory-taint | Improper restriction of XML external entity reference (‘XXE’) | CWE-611 | A4:2017, A05:2021 |
java-lang-xxe-transformerfactory-taint | Improper restriction of XML external entity reference (‘XXE’) | CWE-611 | A4:2017, A05:2021 |
java-lang-xxe-xml-input-factory-atomic | Improper restriction of XML external entity reference (‘XXE’) | CWE-611 | A4:2017, A05:2021 |
java-lang-xxe-xml-streamreader-taint | Improper restriction of XML external entity reference (‘XXE’) | CWE-611 | A4:2017, A05:2021 |
java-lang-xxe-xmldecoder-taint | Improper restriction of XML external entity reference (‘XXE’) | CWE-611 | A4:2017, A05:2021 |
java-lang-xxe-xmlinputfactory-atomic | Improper restriction of XML external entity reference (‘XXE’) | CWE-611 | A4:2017, A05:2021 |
java-lang-xxe-xmlreader-taint | Improper restriction of XML external entity reference (‘XXE’) | CWE-611 | A4:2017, A05:2021 |
java-lang-xxe-xslttransform-taint | XML injection (aka Blind XPath injection) | CWE-91 | A1:2017, A03:2021 |
java-mongodb-nosqli-injection-taint | Improper neutralization of special elements in data query logic | CWE-943 | A1:2017, A03:2021 |
java-opensymphony-ognli-taint | Improper neutralization of special elements used in an expression language statement (‘Expression Language Injection’). | CWE-917 | A1:2017, A03:2021 |
java-pebble-ssti-literaltemplate-taint | Improper neutralization of special elements used in a template engine | CWE-1336 | A1:2017, A03:2021 |
java-seam-cmdi-loginjection-taint | Improper neutralization of directives in dynamically evaluated code (‘Eval Injection’) | CWE-95 | A1:2017, A03:2021 |
java-snakeyaml-deserialization-yaml-taint | Deserialization of untrusted data | CWE-502 | A8:2017, A08:2021 |
java-spring-crypto-ftp-request-taint | Cleartext transmission of sensitive information | CWE-319 | A3:2017, A02:2021 |
java-spring-crypto-http-request-resttemplate-taint | Cleartext transmission of sensitive information | CWE-319 | A3:2017, A02:2021 |
java-spring-crypto-jwt-decode-atomic | Improper verification of cryptographic signature | CWE-347 | A8:2017, A08:2021 |
java-spring-crypto-unirest-http-request-atomic | Cleartext transmission of sensitive information | CWE-319 | A3:2017, A02:2021 |
java-spring-csrf-spring-csrf-disabled-atomic | Cross-site request forgery (CSRF) | CWE-352 | A5:2017, A01:2021 |
java-spring-csrf-unrestricted-requestmapping-atomic | Cross-site request forgery (CSRF) | CWE-352 | A5:2017, A01:2021 |
java-spring-misconfiguration-cookie-httponly-atomic | Sensitive cookie without ‘HttpOnly’ flag | CWE-1004 | A06:2017, A05:2021 |
java-spring-misconfiguration-cookie-samesite-atomic | Sensitive cookie with improper SameSite attribute | CWE-1275 | A05:2017, A01:2021 |
java-spring-misconfiguration-cookie-secure-atomic | Sensitive cookie in HTTPS session without ‘Secure’ attribute | CWE-614 | A06:2017, A05:2021 |
java-spring-misconfiguration-frameoptions-atomic | Improper restriction of rendered UI layers or frames | CWE-1021 | A06:2017, A04:2021 |
java-spring-misconfiguration-nooppasswordencoder-atomic | Plaintext storage of a password | CWE-256 | A2:2017, A04:2021 |
java-spring-openredirect-unvalidatedredirect-taint | URL redirection to untrusted site (‘Open Redirect’) | CWE-601 | A1:2017, A03:2021 |
java-spring-ssti-expressionparser-taint | Improper neutralization of special elements used in an expression language statement (‘Expression Language Injection’) | CWE-917 | A1:2017, A03:2021 |
java-torque-sqli-basepeer-taint | Improper neutralization of special elements used in an SQL command (‘SQL Injection’) | CWE-89 | A1:2017, A03:2021 |
java-turbine-sqli-taint | Improper neutralization of special elements used in an SQL command (‘SQL Injection’) | CWE-89 | A1:2017, A03:2021 |
java-vertex-sqli-taint | Improper neutralization of special elements used in an SQL command (‘SQL Injection’) | CWE-89 | A1:2017, A03:2021 |
java-wicket-xss-escape-false-taint | Improper neutralization of input during web page generation (‘Cross-site Scripting’) | CWE-79 | A1:2017, A03:2021 |