GitLab Advanced SAST CWE coverage

  • Tier: Ultimate
  • Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated

GitLab Advanced SAST finds many types of potential security vulnerabilities in code written in supported languages.

GitLab assigns a matching Common Weakness Enumeration (CWE) identifier to each potential vulnerability. CWE identifiers are an industry-standard way to identify security weaknesses, but it’s important to know:

  • CWEs are arranged in a tree structure. For example, CWE-22: Path Traversal is a parent of CWE-23: Relative Path Traversal. A scanner that specifically detects relative path traversal weaknesses (CWE-23) by definition also detects a portion of the more general path traversal category (CWE-22).
  • For clarity, this table identifies the exact CWE identifiers that are assigned to GitLab Advanced SAST rules. It doesn’t report parent identifiers.

To learn more about the rules used in GitLab Advanced SAST, see SAST rules.

CWE coverage by language

GitLab Advanced SAST finds the following types of weaknesses in each programming language:

| CWE | CWE Description | C# | Go | Java | JavaScript, TypeScript | Python | Ruby |
|---|---|---|---|---|---|---|---|
| CWE-15 | External Control of System or Configuration Setting | No | No | Yes | No | No | No |
| CWE-22 | Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) | Yes | Yes | Yes | Yes | Yes | Yes |
| CWE-23 | Relative Path Traversal | No | No | No | Yes | Yes | No |
| CWE-73 | External Control of File Name or Path | No | No | Yes | No | No | Yes |
| CWE-76 | Improper Neutralization of Equivalent Special Elements | No | No | No | No | No | Yes |
| CWE-77 | Improper Neutralization of Special Elements used in a Command (‘Command Injection’) | No | No | Yes | No | No | No |
| CWE-78 | Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) | Yes | Yes | Yes | Yes | Yes | Yes |
| CWE-79 | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) | Yes | Yes | Yes | Yes | Yes | Yes |
| CWE-80 | Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) | No | No | No | Yes | No | No |
| CWE-88 | Improper Neutralization of Argument Delimiters in a Command (‘Argument Injection’) | No | No | Yes | No | No | No |
| CWE-89 | Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) | Yes | Yes | Yes | Yes | Yes | Yes |
| CWE-90 | Improper Neutralization of Special Elements used in an LDAP Query (‘LDAP Injection’) | Yes | No | Yes | No | No | No |
| CWE-91 | XML Injection (aka Blind XPath Injection) | No | No | Yes | No | No | No |
| CWE-94 | Improper Control of Generation of Code (‘Code Injection’) | No | Yes | Yes | Yes | Yes | Yes |
| CWE-95 | Improper Neutralization of Directives in Dynamically Evaluated Code (‘Eval Injection’) | No | No | Yes | Yes | Yes | Yes |
| CWE-113 | Improper Neutralization of CRLF Sequences in HTTP Headers (‘HTTP Request/Response Splitting’) | No | No | Yes | Yes | No | No |
| CWE-116 | Improper Encoding or Escaping of Output | No | No | No | Yes | Yes | No |
| CWE-117 | Improper Output Neutralization for Logs | No | No | Yes | No | No | No |
| CWE-118 | Incorrect Access of Indexable Resource (‘Range Error’) | No | Yes | No | No | No | No |
| CWE-125 | Out-of-bounds Read | No | No | No | Yes | No | No |
| CWE-134 | Use of Externally-Controlled Format String | No | No | Yes | No | No | No |
| CWE-155 | Improper Neutralization of Wildcards or Matching Symbols | No | No | No | No | Yes | No |
| CWE-180 | Incorrect Behavior Order: Validate Before Canonicalize | No | No | Yes | No | No | No |
| CWE-182 | Collapse of Data into Unsafe Value | No | No | Yes | No | No | No |
| CWE-185 | Incorrect Regular Expression | No | No | No | Yes | No | Yes |
| CWE-190 | Integer Overflow or Wraparound | No | Yes | No | No | No | No |
| CWE-208 | Observable Timing Discrepancy | No | No | No | Yes | No | No |
| CWE-209 | Generation of Error Message Containing Sensitive Information | No | No | No | No | No | Yes |
| CWE-242 | Use of Inherently Dangerous Function | No | Yes | No | No | No | No |
| CWE-272 | Least Privilege Violation | No | No | No | Yes | No | No |
| CWE-276 | Incorrect Default Permissions | No | Yes | No | No | No | Yes |
| CWE-295 | Improper Certificate Validation | Yes | No | Yes | Yes | Yes | Yes |
| CWE-297 | Improper Validation of Certificate with Host Mismatch | No | No | Yes | No | No | No |
| CWE-306 | Missing Authentication for Critical Function | No | No | Yes | No | No | No |
| CWE-311 | Missing Encryption of Sensitive Data | No | No | No | No | No | Yes |
| CWE-319 | Cleartext Transmission of Sensitive Information | No | No | Yes | Yes | Yes | No |
| CWE-322 | Key Exchange without Entity Authentication | No | Yes | No | No | Yes | No |
| CWE-323 | Reusing a Nonce, Key Pair in Encryption | No | No | Yes | No | No | No |
| CWE-326 | Inadequate Encryption Strength | No | Yes | Yes | No | Yes | Yes |
| CWE-327 | Use of a Broken or Risky Cryptographic Algorithm | Yes | Yes | Yes | Yes | Yes | No |
| CWE-328 | Use of Weak Hash | No | No | No | Yes | No | Yes |
| CWE-338 | Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) | Yes | Yes | No | Yes | Yes | No |
| CWE-346 | Origin Validation Error | No | No | No | Yes | No | No |
| CWE-347 | Improper Verification of Cryptographic Signature | No | No | Yes | No | No | No |
| CWE-348 | Use of Less Trusted Source | No | No | No | Yes | No | No |
| CWE-352 | Cross-Site Request Forgery (CSRF) | Yes | No | Yes | No | Yes | Yes |
| CWE-358 | Improperly Implemented Security Check for Standard | No | No | No | Yes | No | No |
| CWE-369 | Divide By Zero | No | No | No | No | No | Yes |
| CWE-377 | Insecure Temporary File | No | Yes | No | No | Yes | No |
| CWE-409 | Improper Handling of Highly Compressed Data (Data Amplification) | No | Yes | No | No | No | No |
| CWE-470 | Use of Externally-Controlled Input to Select Classes or Code (‘Unsafe Reflection’) | No | No | Yes | No | No | No |
| CWE-489 | Active Debug Code | No | Yes | Yes | No | Yes | No |
| CWE-502 | Deserialization of Untrusted Data | Yes | No | Yes | Yes | Yes | Yes |
| CWE-521 | Weak Password Requirements | Yes | No | No | No | No | No |
| CWE-522 | Insufficiently Protected Credentials | No | No | No | Yes | No | No |
| CWE-552 | Files or Directories Accessible to External Parties | No | Yes | Yes | No | No | No |
| CWE-554 | ASP.NET Misconfiguration: Not Using Input Validation Framework | Yes | No | No | No | No | No |
| CWE-599 | Missing Validation of OpenSSL Certificate | No | No | No | Yes | No | No |
| CWE-601 | URL Redirection to Untrusted Site (‘Open Redirect’) | Yes | Yes | Yes | Yes | Yes | Yes |
| CWE-606 | Unchecked Input for Loop Condition | No | No | No | Yes | No | No |
| CWE-611 | Improper Restriction of XML External Entity Reference | Yes | Yes | Yes | Yes | Yes | No |
| CWE-613 | Insufficient Session Expiration | No | No | No | Yes | No | No |
| CWE-614 | Sensitive Cookie in HTTPS Session Without ‘Secure’ Attribute | Yes | No | Yes | Yes | No | No |
| CWE-639 | Authorization Bypass Through User-Controlled Key | No | No | No | No | No | Yes |
| CWE-643 | Improper Neutralization of Data within XPath Expressions (‘XPath Injection’) | Yes | No | Yes | Yes | No | No |
| CWE-704 | Incorrect Type Conversion or Cast | No | No | Yes | No | No | No |
| CWE-732 | Incorrect Permission Assignment for Critical Resource | No | Yes | Yes | No | Yes | No |
| CWE-749 | Exposed Dangerous Method or Function | No | No | Yes | No | No | Yes |
| CWE-754 | Improper Check for Unusual or Exceptional Conditions | No | No | No | No | Yes | Yes |
| CWE-757 | Selection of Less-Secure Algorithm During Negotiation (‘Algorithm Downgrade’) | No | No | No | Yes | No | No |
| CWE-770 | Allocation of Resources Without Limits or Throttling | No | Yes | No | Yes | Yes | No |
| CWE-776 | Improper Restriction of Recursive Entity References in DTDs (‘XML Entity Expansion’) | No | No | No | Yes | No | No |
| CWE-780 | Use of RSA Algorithm without OAEP | No | No | Yes | No | No | No |
| CWE-787 | Out-of-bounds Write | No | No | No | Yes | No | No |
| CWE-798 | Use of Hard-coded Credentials | No | No | No | Yes | No | No |
| CWE-913 | Improper Control of Dynamically-Managed Code Resources | No | No | No | Yes | No | No |
| CWE-915 | Improperly Controlled Modification of Dynamically-Determined Object Attributes | No | No | No | No | No | Yes |
| CWE-917 | Improper Neutralization of Special Elements used in an Expression Language Statement (‘Expression Language Injection’) | No | No | Yes | No | No | No |
| CWE-918 | Server-Side Request Forgery (SSRF) | Yes | Yes | Yes | Yes | Yes | Yes |
| CWE-942 | Permissive Cross-domain Policy with Untrusted Domains | No | No | Yes | Yes | No | No |
| CWE-943 | Improper Neutralization of Special Elements in Data Query Logic | No | Yes | Yes | Yes | No | No |
| CWE-1004 | Sensitive Cookie Without ‘HttpOnly’ Flag | Yes | No | Yes | Yes | No | Yes |
| CWE-1104 | Use of Unmaintained Third Party Components | No | No | No | No | Yes | No |
| CWE-1204 | Generation of Weak Initialization Vector (IV) | No | No | No | Yes | No | No |
| CWE-1275 | Sensitive Cookie with Improper SameSite Attribute | No | No | No | Yes | No | No |
| CWE-1321 | Improperly Controlled Modification of Object Prototype Attributes (‘Prototype Pollution’) | No | No | No | Yes | No | No |
| CWE-1327 | Binding to an Unrestricted IP Address | No | Yes | No | No | Yes | No |
| CWE-1390 | Weak Authentication | No | No | Yes | No | No | No |