GitLab Advanced SAST CWE coverage
- Tier: Ultimate
- Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated
GitLab Advanced SAST finds many types of potential security vulnerabilities in code written in supported languages.
GitLab assigns a matching Common Weakness Enumeration (CWE) identifier to each potential vulnerability. CWE identifiers are an industry-standard way to identify security weaknesses, but it's important to know:
- CWEs are arranged in a tree structure. For example, CWE-22: Path Traversal is a parent of CWE-23: Relative Path Traversal. A scanner that specifically detects relative path traversal weaknesses (CWE-23) by definition also detects a portion of the more general path traversal category (CWE-22).
- For clarity, this table identifies the exact CWE identifiers that are assigned to GitLab Advanced SAST rules. It doesn't report parent identifiers.
To learn more about the rules used in GitLab Advanced SAST, see SAST rules.
CWE coverage by language
GitLab Advanced SAST finds the following types of weaknesses in each programming language:
| CWE | CWE Description | C | C++ | C# | Go | Java | JavaScript, TypeScript | PHP | Python | Ruby |
|---|---|---|---|---|---|---|---|---|---|---|
| CWE-15 | External Control of System or Configuration Setting | No | No | No | No | Yes | No | No | No | No |
| CWE-22 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') | No | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| CWE-23 | Relative Path Traversal | No | No | No | No | No | Yes | No | Yes | No |
| CWE-73 | External Control of File Name or Path | No | No | No | No | Yes | No | No | No | Yes |
| CWE-76 | Improper Neutralization of Equivalent Special Elements | No | No | No | No | No | No | No | No | Yes |
| CWE-77 | Improper Neutralization of Special Elements used in a Command ('Command Injection') | No | No | No | No | Yes | No | No | No | No |
| CWE-78 | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') | Yes | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| CWE-79 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | No | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| CWE-80 | Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) | No | No | No | No | No | Yes | No | No | No |
| CWE-88 | Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') | No | No | No | No | Yes | No | No | No | No |
| CWE-89 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | No | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| CWE-90 | Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection') | No | No | Yes | No | Yes | No | No | Yes | No |
| CWE-91 | XML Injection (aka Blind XPath Injection) | No | No | No | No | Yes | No | No | No | No |
| CWE-94 | Improper Control of Generation of Code ('Code Injection') | No | No | No | Yes | Yes | Yes | Yes | Yes | Yes |
| CWE-95 | Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') | No | No | No | No | Yes | Yes | No | Yes | Yes |
| CWE-113 | Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') | No | No | No | No | Yes | Yes | No | Yes | No |
| CWE-116 | Improper Encoding or Escaping of Output | No | No | No | No | No | Yes | No | Yes | No |
| CWE-117 | Improper Output Neutralization for Logs | No | No | No | No | Yes | No | No | No | No |
| CWE-118 | Incorrect Access of Indexable Resource ('Range Error') | No | No | No | Yes | No | No | No | No | No |
| CWE-125 | Out-of-bounds Read | Yes | Yes | No | No | No | Yes | No | No | No |
| CWE-131 | Incorrect Calculation of Buffer Size | Yes | Yes | No | No | No | No | No | No | No |
| CWE-155 | Improper Neutralization of Wildcards or Matching Symbols | No | No | No | No | No | No | No | Yes | No |
| CWE-180 | Incorrect Behavior Order: Validate Before Canonicalize | No | No | No | No | Yes | No | No | No | No |
| CWE-182 | Collapse of Data into Unsafe Value | No | No | No | No | Yes | No | No | No | No |
| CWE-185 | Incorrect Regular Expression | No | No | No | No | No | Yes | No | No | Yes |
| CWE-190 | Integer Overflow or Wraparound | Yes | Yes | No | Yes | Yes | No | No | No | No |
| CWE-191 | Integer Underflow (Wrap or Wraparound) | No | No | No | No | Yes | No | No | No | No |
| CWE-208 | Observable Timing Discrepancy | No | No | No | No | No | Yes | No | No | No |
| CWE-209 | Generation of Error Message Containing Sensitive Information | No | No | No | No | No | No | No | No | Yes |
| CWE-242 | Use of Inherently Dangerous Function | Yes | Yes | No | Yes | No | No | No | No | No |
| CWE-243 | Creation of chroot Jail Without Changing Working Directory | Yes | Yes | No | No | No | No | No | No | No |
| CWE-252 | Unchecked Return Value | Yes | Yes | No | No | No | No | No | No | No |
| CWE-253 | Incorrect Check of Function Return Value | Yes | Yes | No | No | No | No | No | No | No |
| CWE-256 | Plaintext Storage of a Password | No | No | No | No | Yes | No | No | No | No |
| CWE-271 | Privilege Dropping / Lowering Errors | Yes | Yes | No | No | No | No | No | No | No |
| CWE-272 | Least Privilege Violation | No | No | No | No | No | Yes | No | No | No |
| CWE-276 | Incorrect Default Permissions | No | No | No | Yes | No | No | No | No | Yes |
| CWE-295 | Improper Certificate Validation | No | No | Yes | No | Yes | Yes | Yes | Yes | Yes |
| CWE-297 | Improper Validation of Certificate with Host Mismatch | No | No | No | No | Yes | No | No | No | No |
| CWE-306 | Missing Authentication for Critical Function | No | No | No | No | Yes | No | No | No | No |
| CWE-311 | Missing Encryption of Sensitive Data | No | No | No | No | No | No | No | No | Yes |
| CWE-319 | Cleartext Transmission of Sensitive Information | No | No | No | No | Yes | Yes | Yes | Yes | No |
| CWE-322 | Key Exchange without Entity Authentication | No | No | No | Yes | No | No | No | Yes | No |
| CWE-323 | Reusing a Nonce, Key Pair in Encryption | No | No | No | No | Yes | No | No | No | No |
| CWE-326 | Inadequate Encryption Strength | No | No | No | Yes | Yes | No | No | Yes | Yes |
| CWE-327 | Use of a Broken or Risky Cryptographic Algorithm | No | No | Yes | Yes | Yes | Yes | Yes | Yes | No |
| CWE-328 | Use of Weak Hash | No | No | No | No | No | Yes | Yes | No | Yes |
| CWE-338 | Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | No |
| CWE-346 | Origin Validation Error | No | No | No | No | No | Yes | No | No | No |
| CWE-347 | Improper Verification of Cryptographic Signature | No | No | No | No | Yes | No | No | Yes | No |
| CWE-348 | Use of Less Trusted Source | No | No | No | No | No | Yes | No | No | No |
| CWE-352 | Cross-Site Request Forgery (CSRF) | No | No | Yes | No | Yes | No | No | Yes | Yes |
| CWE-358 | Improperly Implemented Security Check for Standard | No | No | No | No | No | Yes | No | No | No |
| CWE-362 | Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') | Yes | Yes | No | No | No | No | No | No | No |
| CWE-369 | Divide By Zero | Yes | Yes | No | No | No | No | No | No | Yes |
| CWE-377 | Insecure Temporary File | Yes | Yes | No | Yes | No | No | No | Yes | No |
| CWE-398 | Code Quality | Yes | Yes | No | No | No | No | No | No | No |
| CWE-400 | Uncontrolled Resource Consumption | Yes | Yes | No | No | No | No | No | No | No |
| CWE-401 | Missing Release of Memory after Effective Lifetime | Yes | Yes | No | No | No | No | No | No | No |
| CWE-404 | Improper Resource Shutdown or Release | Yes | Yes | No | No | No | No | No | No | No |
| CWE-409 | Improper Handling of Highly Compressed Data (Data Amplification) | No | No | No | Yes | No | No | No | No | No |
| CWE-413 | Improper Resource Locking | Yes | Yes | No | No | No | No | No | No | No |
| CWE-415 | Double Free | Yes | Yes | No | No | No | No | No | No | No |
| CWE-416 | Use After Free | Yes | Yes | No | No | No | No | No | No | No |
| CWE-448 | Excessive Use of Hard-Coded Literals in Initialization | Yes | Yes | No | No | No | No | No | No | No |
| CWE-457 | Use of Uninitialized Variable | Yes | Yes | No | No | No | No | No | No | No |
| CWE-459 | Incomplete Cleanup | Yes | Yes | No | No | No | No | No | No | No |
| CWE-466 | Return of Pointer Value Outside of Expected Range | Yes | Yes | No | No | No | No | No | No | No |
| CWE-467 | Use of sizeof() on a Pointer Type | Yes | Yes | No | No | No | No | No | No | No |
| CWE-469 | Use of Pointer Subtraction to Determine Size | Yes | Yes | No | No | No | No | No | No | No |
| CWE-470 | Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') | No | No | No | No | Yes | No | No | No | No |
| CWE-476 | NULL Pointer Dereference | Yes | Yes | No | No | No | No | No | No | No |
| CWE-477 | Use of Obsolete Function | Yes | Yes | No | No | No | No | No | No | No |
| CWE-489 | Active Debug Code | No | No | No | Yes | Yes | No | No | Yes | No |
| CWE-497 | Exposure of Sensitive System Information to an Unauthorized Control Sphere | No | No | No | No | No | No | Yes | Yes | No |
| CWE-501 | Trust Boundary Violation | No | No | No | No | Yes | No | No | No | No |
| CWE-502 | Deserialization of Untrusted Data | No | No | Yes | No | Yes | Yes | Yes | Yes | Yes |
| CWE-521 | Weak Password Requirements | No | No | Yes | No | No | No | No | No | No |
| CWE-522 | Insufficiently Protected Credentials | No | No | No | No | No | Yes | No | No | No |
| CWE-552 | Files or Directories Accessible to External Parties | No | No | No | Yes | Yes | No | No | No | No |
| CWE-554 | ASP.NET Misconfiguration: Not Using Input Validation Framework | No | No | Yes | No | No | No | No | No | No |
| CWE-561 | Dead Code | Yes | Yes | No | No | No | No | No | No | No |
| CWE-562 | Return of Stack Variable Address | Yes | Yes | No | No | No | No | No | No | No |
| CWE-563 | Assignment to Variable without Use | Yes | Yes | No | No | No | No | No | No | No |
| CWE-573 | Improper Following of Specification by Caller | Yes | Yes | No | No | No | No | No | No | No |
| CWE-587 | Assignment of a Fixed Address to a Pointer | Yes | Yes | No | No | No | No | No | No | No |
| CWE-588 | Attempt to Access Child of a Non-structure Pointer | Yes | Yes | No | No | No | No | No | No | No |
| CWE-598 | Use of GET Request Method With Sensitive Query Strings | No | No | No | No | No | No | Yes | No | No |
| CWE-599 | Missing Validation of OpenSSL Certificate | No | No | No | No | No | Yes | No | No | No |
| CWE-601 | URL Redirection to Untrusted Site ('Open Redirect') | No | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| CWE-606 | Unchecked Input for Loop Condition | No | No | No | No | No | Yes | No | Yes | No |
| CWE-611 | Improper Restriction of XML External Entity Reference | No | No | Yes | Yes | Yes | Yes | Yes | Yes | No |
| CWE-613 | Insufficient Session Expiration | No | No | No | No | No | Yes | No | No | No |
| CWE-614 | Sensitive Cookie in HTTPS Session Without 'Secure' Attribute | No | No | Yes | Yes | Yes | Yes | Yes | No | No |
| CWE-639 | Authorization Bypass Through User-Controlled Key | No | No | No | No | No | No | No | No | Yes |
| CWE-643 | Improper Neutralization of Data within XPath Expressions ('XPath Injection') | No | No | Yes | No | Yes | Yes | No | Yes | No |
| CWE-667 | Improper Locking | Yes | Yes | No | No | No | No | No | No | No |
| CWE-670 | Always-Incorrect Control Flow Implementation | Yes | Yes | No | No | No | No | No | No | No |
| CWE-672 | Operation on a Resource after Expiration or Release | Yes | Yes | No | No | No | No | No | No | No |
| CWE-676 | Use of Potentially Dangerous Function | Yes | Yes | No | No | No | No | No | No | No |
| CWE-684 | Incorrect Provision of Specified Functionality | Yes | Yes | No | No | No | No | No | No | No |
| CWE-685 | Function Call with Incorrect Number of Arguments | Yes | Yes | No | No | No | No | No | No | No |
| CWE-686 | Function Call With Incorrect Argument Type | Yes | Yes | No | No | No | No | No | No | No |
| CWE-687 | Function Call With Incorrectly Specified Argument Value | Yes | Yes | No | No | No | No | No | No | No |
| CWE-704 | Incorrect Type Conversion or Cast | Yes | Yes | No | No | Yes | No | No | No | No |
| CWE-732 | Incorrect Permission Assignment for Critical Resource | Yes | Yes | No | Yes | Yes | No | No | Yes | No |
| CWE-749 | Exposed Dangerous Method or Function | No | No | No | No | Yes | No | No | No | Yes |
| CWE-754 | Improper Check for Unusual or Exceptional Conditions | Yes | Yes | No | No | No | No | No | No | Yes |
| CWE-757 | Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade') | No | No | No | No | No | Yes | No | No | No |
| CWE-758 | Reliance on Undefined, Unspecified, or Implementation-Defined Behavior | Yes | Yes | No | No | No | No | No | No | No |
| CWE-762 | Mismatched Memory Management Routines | Yes | Yes | No | No | No | No | No | No | No |
| CWE-764 | Multiple Locks of a Critical Resource | Yes | Yes | No | No | No | No | No | No | No |
| CWE-770 | Allocation of Resources Without Limits or Throttling | Yes | Yes | No | Yes | No | Yes | No | Yes | No |
| CWE-772 | Missing Release of Resource after Effective Lifetime | Yes | Yes | No | No | No | No | No | No | No |
| CWE-775 | Missing Release of File Descriptor or Handle after Effective Lifetime | Yes | Yes | No | No | No | No | No | No | No |
| CWE-776 | Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion') | No | No | No | No | No | Yes | No | No | No |
| CWE-780 | Use of RSA Algorithm without OAEP | No | No | No | No | Yes | No | No | No | No |
| CWE-787 | Out-of-bounds Write | Yes | Yes | No | No | No | Yes | No | No | No |
| CWE-789 | Memory Allocation with Excessive Size Value | Yes | Yes | No | No | No | No | No | No | No |
| CWE-798 | Use of Hard-coded Credentials | No | No | No | No | No | Yes | No | No | No |
| CWE-805 | Buffer Access with Incorrect Length Value | Yes | Yes | No | No | No | No | No | No | No |
| CWE-821 | Incorrect Synchronization | Yes | Yes | No | No | No | No | No | No | No |
| CWE-823 | Use of Out-of-range Pointer Offset | Yes | Yes | No | No | No | No | No | No | No |
| CWE-824 | Access of Uninitialized Pointer | Yes | Yes | No | No | No | No | No | No | No |
| CWE-825 | Expired Pointer Dereference | Yes | Yes | No | No | No | No | No | No | No |
| CWE-833 | Deadlock | Yes | Yes | No | No | No | No | No | No | No |
| CWE-843 | Access of Resource Using Incompatible Type ('Type Confusion') | Yes | Yes | No | No | No | No | No | No | No |
| CWE-908 | Use of Uninitialized Resource | Yes | Yes | No | No | No | No | No | No | No |
| CWE-913 | Improper Control of Dynamically-Managed Code Resources | No | No | No | No | No | Yes | No | No | No |
| CWE-915 | Improperly Controlled Modification of Dynamically-Determined Object Attributes | No | No | No | No | No | No | No | No | Yes |
| CWE-917 | Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection') | No | No | No | No | Yes | No | No | No | No |
| CWE-918 | Server-Side Request Forgery (SSRF) | No | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| CWE-942 | Permissive Cross-domain Policy with Untrusted Domains | No | No | No | Yes | Yes | Yes | No | Yes | No |
| CWE-943 | Improper Neutralization of Special Elements in Data Query Logic | {dotted-circle} No | {dotted-circle} No | {dotted-circle} No | {check-circle} Yes | {check-circle} Yes | {check-circle} Yes | {dotted-circle} No | {dotted-circle} No | {dotted-circle} No |
| CWE-1004 | Sensitive Cookie Without 'HttpOnly' Flag | {dotted-circle} No | {dotted-circle} No | {check-circle} Yes | {check-circle} Yes | {check-circle} Yes | {check-circle} Yes | {check-circle} Yes | {check-circle} Yes | {check-circle} Yes |
| CWE-1021 | Improper Restriction of Rendered UI Layers or Frames | {dotted-circle} No | {dotted-circle} No | {dotted-circle} No | {dotted-circle} No | {check-circle} Yes | {dotted-circle} No | {dotted-circle} No | {dotted-circle} No | {dotted-circle} No |
| CWE-1024 | Comparison of Incompatible Types | {check-circle} Yes | {check-circle} Yes | {dotted-circle} No | {dotted-circle} No | {dotted-circle} No | {dotted-circle} No | {dotted-circle} No | {dotted-circle} No | {dotted-circle} No |
| CWE-1061 | Insufficient Encapsulation | {check-circle} Yes | {check-circle} Yes | {dotted-circle} No | {dotted-circle} No | {dotted-circle} No | {dotted-circle} No | {dotted-circle} No | {dotted-circle} No | {dotted-circle} No |
| CWE-1077 | Floating Point Comparison with Incorrect Operator | {check-circle} Yes | {check-circle} Yes | {dotted-circle} No | {dotted-circle} No | {dotted-circle} No | {dotted-circle} No | {dotted-circle} No | {dotted-circle} No | {dotted-circle} No |
| CWE-1079 | Parent Class without Virtual Destructor Method | {check-circle} Yes | {check-circle} Yes | {dotted-circle} No | {dotted-circle} No | {dotted-circle} No | {dotted-circle} No | {dotted-circle} No | {dotted-circle} No | {dotted-circle} No |
| CWE-1098 | Data Element containing Pointer Item without Proper Copy Control Element | {check-circle} Yes | {check-circle} Yes | {dotted-circle} No | {dotted-circle} No | {dotted-circle} No | {dotted-circle} No | {dotted-circle} No | {dotted-circle} No | {dotted-circle} No |
| CWE-1104 | Use of Unmaintained Third Party Components | {dotted-circle} No | {dotted-circle} No | {dotted-circle} No | {dotted-circle} No | {dotted-circle} No | {dotted-circle} No | {dotted-circle} No | {check-circle} Yes | {dotted-circle} No |
| CWE-1116 | Inaccurate Comments | {check-circle} Yes | {check-circle} Yes | {dotted-circle} No | {dotted-circle} No | {dotted-circle} No | {dotted-circle} No | {dotted-circle} No | {dotted-circle} No | {dotted-circle} No |
| CWE-1164 | Irrelevant Code | {check-circle} Yes | {check-circle} Yes | {dotted-circle} No | {dotted-circle} No | {dotted-circle} No | {dotted-circle} No | {dotted-circle} No | {dotted-circle} No | {dotted-circle} No |
| CWE-1204 | Generation of Weak Initialization Vector (IV) | {dotted-circle} No | {dotted-circle} No | {dotted-circle} No | {dotted-circle} No | {dotted-circle} No | {check-circle} Yes | {dotted-circle} No | {dotted-circle} No | {dotted-circle} No |
| CWE-1260 | Improper Handling of Overlap Between Protected Memory Ranges | {check-circle} Yes | {check-circle} Yes | {dotted-circle} No | {dotted-circle} No | {dotted-circle} No | {dotted-circle} No | {dotted-circle} No | {dotted-circle} No | {dotted-circle} No |
| CWE-1275 | Sensitive Cookie with Improper SameSite Attribute | {dotted-circle} No | {dotted-circle} No | {dotted-circle} No | {dotted-circle} No | {dotted-circle} No | {check-circle} Yes | {check-circle} Yes | {check-circle} Yes | {dotted-circle} No |
| CWE-1321 | Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') | {dotted-circle} No | {dotted-circle} No | {dotted-circle} No | {dotted-circle} No | {dotted-circle} No | {check-circle} Yes | {dotted-circle} No | {dotted-circle} No | {dotted-circle} No |
| CWE-1327 | Binding to an Unrestricted IP Address | {dotted-circle} No | {dotted-circle} No | {dotted-circle} No | {check-circle} Yes | {dotted-circle} No | {dotted-circle} No | {dotted-circle} No | {check-circle} Yes | {dotted-circle} No |
| CWE-1333 | Inefficient Regular Expression Complexity | {dotted-circle} No | {dotted-circle} No | {dotted-circle} No | {dotted-circle} No | {dotted-circle} No | {dotted-circle} No | {dotted-circle} No | {check-circle} Yes | {check-circle} Yes |
| CWE-1335 | Incorrect Bitwise Shift of Integer | {check-circle} Yes | {check-circle} Yes | {dotted-circle} No | {dotted-circle} No | {dotted-circle} No | {dotted-circle} No | {dotted-circle} No | {dotted-circle} No | {dotted-circle} No |
| CWE-1336 | Improper Neutralization of Special Elements Used in a Template Engine | {dotted-circle} No | {dotted-circle} No | {dotted-circle} No | {dotted-circle} No | {dotted-circle} No | {dotted-circle} No | {check-circle} Yes | {dotted-circle} No | {dotted-circle} No |
| CWE-1341 | Multiple Releases of Same Resource or Handle | {check-circle} Yes | {check-circle} Yes | {dotted-circle} No | {dotted-circle} No | {dotted-circle} No | {dotted-circle} No | {dotted-circle} No | {dotted-circle} No | {dotted-circle} No |
| CWE-1390 | Weak Authentication | {dotted-circle} No | {dotted-circle} No | {dotted-circle} No | {dotted-circle} No | {check-circle} Yes | {dotted-circle} No | {dotted-circle} No | {check-circle} Yes | {dotted-circle} No |
| CWE-1419 | Incorrect Initialization of Resource | {check-circle} Yes | {check-circle} Yes | {dotted-circle} No | {dotted-circle} No | {dotted-circle} No | {dotted-circle} No | {dotted-circle} No | {dotted-circle} No | {dotted-circle} No |