GitLab Advanced SAST CWE coverage

Tier: Ultimate
Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated

GitLab Advanced SAST finds many types of potential security vulnerabilities in code written in supported languages.

GitLab assigns a matching Common Weakness Enumeration (CWE) identifier to each potential vulnerability. CWE identifiers are an industry-standard way to identify security weaknesses, but it’s important to know:

CWEs are arranged in a tree structure. For example, CWE-22: Path Traversal is a parent of CWE-23: Relative Path Traversal. A scanner that specifically detects relative path traversal weaknesses (CWE-23) by definition also detects a portion of the more general path traversal category (CWE-22).
For clarity, this table identifies the exact CWE identifiers that are assigned to GitLab Advanced SAST rules. It doesn’t report parent identifiers.

To learn more about the rules used in GitLab Advanced SAST, see SAST rules.

CWE coverage by language

GitLab Advanced SAST finds the following types of weaknesses in each programming language:

CWE	CWE Description	C	C++	C#	Go	Java	JavaScript, TypeScript	PHP	Python	Ruby
CWE-15	External Control of System or Configuration Setting	No	No	No	No	Yes	No	No	No	No
CWE-22	Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)	No	No	Yes	Yes	Yes	Yes	Yes	Yes	Yes
CWE-23	Relative Path Traversal	No	No	No	No	No	Yes	No	Yes	No
CWE-73	External Control of File Name or Path	No	No	No	No	Yes	No	No	No	Yes
CWE-76	Improper Neutralization of Equivalent Special Elements	No	No	No	No	No	No	No	No	Yes
CWE-77	Improper Neutralization of Special Elements used in a Command (‘Command Injection’)	No	No	No	No	Yes	No	No	No	No
CWE-78	Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)	Yes	No	Yes	Yes	Yes	Yes	Yes	Yes	Yes
CWE-79	Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)	No	No	Yes	Yes	Yes	Yes	Yes	Yes	Yes
CWE-80	Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)	No	No	No	No	No	Yes	No	No	No
CWE-88	Improper Neutralization of Argument Delimiters in a Command (‘Argument Injection’)	No	No	No	No	Yes	No	No	No	No
CWE-89	Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)	No	No	Yes	Yes	Yes	Yes	Yes	Yes	Yes
CWE-90	Improper Neutralization of Special Elements used in an LDAP Query (‘LDAP Injection’)	No	No	Yes	No	Yes	No	No	Yes	No
CWE-91	XML Injection (aka Blind XPath Injection)	No	No	No	No	Yes	No	No	No	No
CWE-94	Improper Control of Generation of Code (‘Code Injection’)	No	No	No	Yes	Yes	Yes	Yes	Yes	Yes
CWE-95	Improper Neutralization of Directives in Dynamically Evaluated Code (‘Eval Injection’)	No	No	No	No	Yes	Yes	No	Yes	Yes
CWE-113	Improper Neutralization of CRLF Sequences in HTTP Headers (‘HTTP Request/Response Splitting’)	No	No	No	No	Yes	Yes	No	Yes	No
CWE-116	Improper Encoding or Escaping of Output	No	No	No	No	No	Yes	No	Yes	No
CWE-117	Improper Output Neutralization for Logs	No	No	No	No	Yes	No	No	No	No
CWE-118	Incorrect Access of Indexable Resource (‘Range Error’)	No	No	No	Yes	No	No	No	No	No
CWE-125	Out-of-bounds Read	Yes	Yes	No	No	No	Yes	No	No	No
CWE-131	Incorrect Calculation of Buffer Size	Yes	Yes	No	No	No	No	No	No	No
CWE-155	Improper Neutralization of Wildcards or Matching Symbols	No	No	No	No	No	No	No	Yes	No
CWE-180	Incorrect Behavior Order: Validate Before Canonicalize	No	No	No	No	Yes	No	No	No	No
CWE-182	Collapse of Data into Unsafe Value	No	No	No	No	Yes	No	No	No	No
CWE-185	Incorrect Regular Expression	No	No	No	No	No	Yes	No	No	Yes
CWE-190	Integer Overflow or Wraparound	Yes	Yes	No	Yes	Yes	No	No	No	No
CWE-191	Integer Underflow (Wrap or Wraparound)	No	No	No	No	Yes	No	No	No	No
CWE-208	Observable Timing Discrepancy	No	No	No	No	No	Yes	No	No	No
CWE-209	Generation of Error Message Containing Sensitive Information	No	No	No	No	No	No	No	No	Yes
CWE-242	Use of Inherently Dangerous Function	Yes	Yes	No	Yes	No	No	No	No	No
CWE-243	Creation of chroot Jail Without Changing Working Directory	Yes	Yes	No	No	No	No	No	No	No
CWE-252	Unchecked Return Value	Yes	Yes	No	No	No	No	No	No	No
CWE-253	Incorrect Check of Function Return Value	Yes	Yes	No	No	No	No	No	No	No
CWE-256	Plaintext Storage of a Password	No	No	No	No	Yes	No	No	No	No
CWE-271	Privilege Dropping / Lowering Errors	Yes	Yes	No	No	No	No	No	No	No
CWE-272	Least Privilege Violation	No	No	No	No	No	Yes	No	No	No
CWE-276	Incorrect Default Permissions	No	No	No	Yes	No	No	No	No	Yes
CWE-295	Improper Certificate Validation	No	No	Yes	No	Yes	Yes	Yes	Yes	Yes
CWE-297	Improper Validation of Certificate with Host Mismatch	No	No	No	No	Yes	No	No	No	No
CWE-306	Missing Authentication for Critical Function	No	No	No	No	Yes	No	No	No	No
CWE-311	Missing Encryption of Sensitive Data	No	No	No	No	No	No	No	No	Yes
CWE-319	Cleartext Transmission of Sensitive Information	No	No	No	No	Yes	Yes	Yes	Yes	No
CWE-322	Key Exchange without Entity Authentication	No	No	No	Yes	No	No	No	Yes	No
CWE-323	Reusing a Nonce, Key Pair in Encryption	No	No	No	No	Yes	No	No	No	No
CWE-326	Inadequate Encryption Strength	No	No	No	Yes	Yes	No	No	Yes	Yes
CWE-327	Use of a Broken or Risky Cryptographic Algorithm	No	No	Yes	Yes	Yes	Yes	Yes	Yes	No
CWE-328	Use of Weak Hash	No	No	No	No	No	Yes	Yes	No	Yes
CWE-338	Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes	No
CWE-346	Origin Validation Error	No	No	No	No	No	Yes	No	No	No
CWE-347	Improper Verification of Cryptographic Signature	No	No	No	No	Yes	No	No	Yes	No
CWE-348	Use of Less Trusted Source	No	No	No	No	No	Yes	No	No	No
CWE-352	Cross-Site Request Forgery (CSRF)	No	No	Yes	No	Yes	No	No	Yes	Yes
CWE-358	Improperly Implemented Security Check for Standard	No	No	No	No	No	Yes	No	No	No
CWE-362	Concurrent Execution using Shared Resource with Improper Synchronization (‘Race Condition’)	Yes	Yes	No	No	No	No	No	No	No
CWE-369	Divide By Zero	Yes	Yes	No	No	No	No	No	No	Yes
CWE-377	Insecure Temporary File	Yes	Yes	No	Yes	No	No	No	Yes	No
CWE-398	Code Quality	Yes	Yes	No	No	No	No	No	No	No
CWE-400	Uncontrolled Resource Consumption	Yes	Yes	No	No	No	No	No	No	No
CWE-401	Missing Release of Memory after Effective Lifetime	Yes	Yes	No	No	No	No	No	No	No
CWE-404	Improper Resource Shutdown or Release	Yes	Yes	No	No	No	No	No	No	No
CWE-409	Improper Handling of Highly Compressed Data (Data Amplification)	No	No	No	Yes	No	No	No	No	No
CWE-413	Improper Resource Locking	Yes	Yes	No	No	No	No	No	No	No
CWE-415	Double Free	Yes	Yes	No	No	No	No	No	No	No
CWE-416	Use After Free	Yes	Yes	No	No	No	No	No	No	No
CWE-448	Excessive Use of Hard-Coded Literals in Initialization	Yes	Yes	No	No	No	No	No	No	No
CWE-457	Use of Uninitialized Variable	Yes	Yes	No	No	No	No	No	No	No
CWE-459	Incomplete Cleanup	Yes	Yes	No	No	No	No	No	No	No
CWE-466	Return of Pointer Value Outside of Expected Range	Yes	Yes	No	No	No	No	No	No	No
CWE-467	Use of sizeof() on a Pointer Type	Yes	Yes	No	No	No	No	No	No	No
CWE-469	Use of Pointer Subtraction to Determine Size	Yes	Yes	No	No	No	No	No	No	No
CWE-470	Use of Externally-Controlled Input to Select Classes or Code (‘Unsafe Reflection’)	No	No	No	No	Yes	No	No	No	No
CWE-476	NULL Pointer Dereference	Yes	Yes	No	No	No	No	No	No	No
CWE-477	Use of Obsolete Function	Yes	Yes	No	No	No	No	No	No	No
CWE-489	Active Debug Code	No	No	No	Yes	Yes	No	No	Yes	No
CWE-497	Exposure of Sensitive System Information to an Unauthorized Control Sphere	No	No	No	No	No	No	Yes	Yes	No
CWE-501	Trust Boundary Violation	No	No	No	No	Yes	No	No	No	No
CWE-502	Deserialization of Untrusted Data	No	No	Yes	No	Yes	Yes	Yes	Yes	Yes
CWE-521	Weak Password Requirements	No	No	Yes	No	No	No	No	No	No
CWE-522	Insufficiently Protected Credentials	No	No	No	No	No	Yes	No	No	No
CWE-552	Files or Directories Accessible to External Parties	No	No	No	Yes	Yes	No	No	No	No
CWE-554	ASP.NET Misconfiguration: Not Using Input Validation Framework	No	No	Yes	No	No	No	No	No	No
CWE-561	Dead Code	Yes	Yes	No	No	No	No	No	No	No
CWE-562	Return of Stack Variable Address	Yes	Yes	No	No	No	No	No	No	No
CWE-563	Assignment to Variable without Use	Yes	Yes	No	No	No	No	No	No	No
CWE-573	Improper Following of Specification by Caller	Yes	Yes	No	No	No	No	No	No	No
CWE-587	Assignment of a Fixed Address to a Pointer	Yes	Yes	No	No	No	No	No	No	No
CWE-588	Attempt to Access Child of a Non-structure Pointer	Yes	Yes	No	No	No	No	No	No	No
CWE-598	Use of GET Request Method With Sensitive Query Strings	No	No	No	No	No	No	Yes	No	No
CWE-599	Missing Validation of OpenSSL Certificate	No	No	No	No	No	Yes	No	No	No
CWE-601	URL Redirection to Untrusted Site (‘Open Redirect’)	No	No	Yes	Yes	Yes	Yes	Yes	Yes	Yes
CWE-606	Unchecked Input for Loop Condition	No	No	No	No	No	Yes	No	Yes	No
CWE-611	Improper Restriction of XML External Entity Reference	No	No	Yes	Yes	Yes	Yes	Yes	Yes	No
CWE-613	Insufficient Session Expiration	No	No	No	No	No	Yes	No	No	No
CWE-614	Sensitive Cookie in HTTPS Session Without ‘Secure’ Attribute	No	No	Yes	Yes	Yes	Yes	Yes	No	No
CWE-639	Authorization Bypass Through User-Controlled Key	No	No	No	No	No	No	No	No	Yes
CWE-643	Improper Neutralization of Data within XPath Expressions (‘XPath Injection’)	No	No	Yes	No	Yes	Yes	No	Yes	No
CWE-667	Improper Locking	Yes	Yes	No	No	No	No	No	No	No
CWE-670	Always-Incorrect Control Flow Implementation	Yes	Yes	No	No	No	No	No	No	No
CWE-672	Operation on a Resource after Expiration or Release	Yes	Yes	No	No	No	No	No	No	No
CWE-676	Use of Potentially Dangerous Function	Yes	Yes	No	No	No	No	No	No	No
CWE-684	Incorrect Provision of Specified Functionality	Yes	Yes	No	No	No	No	No	No	No
CWE-685	Function Call with Incorrect Number of Arguments	Yes	Yes	No	No	No	No	No	No	No
CWE-686	Function Call With Incorrect Argument Type	Yes	Yes	No	No	No	No	No	No	No
CWE-687	Function Call With Incorrectly Specified Argument Value	Yes	Yes	No	No	No	No	No	No	No
CWE-704	Incorrect Type Conversion or Cast	Yes	Yes	No	No	Yes	No	No	No	No
CWE-732	Incorrect Permission Assignment for Critical Resource	Yes	Yes	No	Yes	Yes	No	No	Yes	No
CWE-749	Exposed Dangerous Method or Function	No	No	No	No	Yes	No	No	No	Yes
CWE-754	Improper Check for Unusual or Exceptional Conditions	Yes	Yes	No	No	No	No	No	No	Yes
CWE-757	Selection of Less-Secure Algorithm During Negotiation (‘Algorithm Downgrade’)	No	No	No	No	No	Yes	No	No	No
CWE-758	Reliance on Undefined, Unspecified, or Implementation-Defined Behavior	Yes	Yes	No	No	No	No	No	No	No
CWE-762	Mismatched Memory Management Routines	Yes	Yes	No	No	No	No	No	No	No
CWE-764	Multiple Locks of a Critical Resource	Yes	Yes	No	No	No	No	No	No	No
CWE-770	Allocation of Resources Without Limits or Throttling	Yes	Yes	No	Yes	No	Yes	No	Yes	No
CWE-772	Missing Release of Resource after Effective Lifetime	Yes	Yes	No	No	No	No	No	No	No
CWE-775	Missing Release of File Descriptor or Handle after Effective Lifetime	Yes	Yes	No	No	No	No	No	No	No
CWE-776	Improper Restriction of Recursive Entity References in DTDs (‘XML Entity Expansion’)	No	No	No	No	No	Yes	No	No	No
CWE-780	Use of RSA Algorithm without OAEP	No	No	No	No	Yes	No	No	No	No
CWE-787	Out-of-bounds Write	Yes	Yes	No	No	No	Yes	No	No	No
CWE-789	Memory Allocation with Excessive Size Value	Yes	Yes	No	No	No	No	No	No	No
CWE-798	Use of Hard-coded Credentials	No	No	No	No	No	Yes	No	No	No
CWE-805	Buffer Access with Incorrect Length Value	Yes	Yes	No	No	No	No	No	No	No
CWE-821	Incorrect Synchronization	Yes	Yes	No	No	No	No	No	No	No
CWE-823	Use of Out-of-range Pointer Offset	Yes	Yes	No	No	No	No	No	No	No
CWE-824	Access of Uninitialized Pointer	Yes	Yes	No	No	No	No	No	No	No
CWE-825	Expired Pointer Dereference	Yes	Yes	No	No	No	No	No	No	No
CWE-833	Deadlock	Yes	Yes	No	No	No	No	No	No	No
CWE-843	Access of Resource Using Incompatible Type (‘Type Confusion’)	Yes	Yes	No	No	No	No	No	No	No
CWE-908	Use of Uninitialized Resource	Yes	Yes	No	No	No	No	No	No	No
CWE-913	Improper Control of Dynamically-Managed Code Resources	No	No	No	No	No	Yes	No	No	No
CWE-915	Improperly Controlled Modification of Dynamically-Determined Object Attributes	No	No	No	No	No	No	No	No	Yes
CWE-917	Improper Neutralization of Special Elements used in an Expression Language Statement (‘Expression Language Injection’)	No	No	No	No	Yes	No	No	No	No
CWE-918	Server-Side Request Forgery (SSRF)	No	No	Yes	Yes	Yes	Yes	Yes	Yes	Yes
CWE-942	Permissive Cross-domain Policy with Untrusted Domains	No	No	No	Yes	Yes	Yes	No	Yes	No
CWE-943	Improper Neutralization of Special Elements in Data Query Logic	No	No	No	Yes	Yes	Yes	No	No	No
CWE-1004	Sensitive Cookie Without ‘HttpOnly’ Flag	No	No	Yes	Yes	Yes	Yes	Yes	Yes	Yes
CWE-1021	Improper Restriction of Rendered UI Layers or Frames	No	No	No	No	Yes	No	No	No	No
CWE-1024	Comparison of Incompatible Types	Yes	Yes	No	No	No	No	No	No	No
CWE-1061	Insufficient Encapsulation	Yes	Yes	No	No	No	No	No	No	No
CWE-1077	Floating Point Comparison with Incorrect Operator	Yes	Yes	No	No	No	No	No	No	No
CWE-1079	Parent Class without Virtual Destructor Method	Yes	Yes	No	No	No	No	No	No	No
CWE-1098	Data Element containing Pointer Item without Proper Copy Control Element	Yes	Yes	No	No	No	No	No	No	No
CWE-1104	Use of Unmaintained Third Party Components	No	No	No	No	No	No	No	Yes	No
CWE-1116	Inaccurate Comments	Yes	Yes	No	No	No	No	No	No	No
CWE-1164	Irrelevant Code	Yes	Yes	No	No	No	No	No	No	No
CWE-1204	Generation of Weak Initialization Vector (IV)	No	No	No	No	No	Yes	No	No	No
CWE-1260	Improper Handling of Overlap Between Protected Memory Ranges	Yes	Yes	No	No	No	No	No	No	No
CWE-1275	Sensitive Cookie with Improper SameSite Attribute	No	No	No	No	No	Yes	Yes	Yes	No
CWE-1321	Improperly Controlled Modification of Object Prototype Attributes (‘Prototype Pollution’)	No	No	No	No	No	Yes	No	No	No
CWE-1327	Binding to an Unrestricted IP Address	No	No	No	Yes	No	No	No	Yes	No
CWE-1333	Inefficient Regular Expression Complexity	No	No	No	No	No	No	No	Yes	Yes
CWE-1335	Incorrect Bitwise Shift of Integer	Yes	Yes	No	No	No	No	No	No	No
CWE-1336	Improper Neutralization of Special Elements Used in a Template Engine	No	No	No	No	No	No	Yes	No	No
CWE-1390	Weak Authentication	No	No	No	No	Yes	No	No	Yes	No
CWE-1341	Multiple Releases of Same Resource or Handle	Yes	Yes	No	No	No	No	No	No	No
CWE-1419	Incorrect Initialization of Resource	Yes	Yes	No	No	No	No	No	No	No

Did this page answer the question you had? If not, comment on epic 15343 to share your use case.