PCI DSS IDs mapped to Klocwork Java checkers
The Payment Card Industry Data Security Standard (PCI DSS) provides a baseline of technical and operational requirements designed to protect account data. The PCI DSS was developed to encourage and enhance cardholder data security, and facilitate the broad adoption of consistent data security measures globally.
The table below maps the PCI DSS Version 3.2.1 requirement IDs to the Klocwork Java checkers that cover them.
| ID | Checker | Description |
|---|---|---|
| 6.5.1 | SV.CLASSDEF.INJ | Runtime Class Definition Injection |
| 6.5.1 | SV.CLASSLOADER.INJ | Class Loader URL Injection |
| 6.5.1 | SV.DATA.BOUND | Untrusted Data leaks into trusted storage |
| 6.5.1 | SV.DATA.DB | Data injection |
| 6.5.1 | SV.EXEC | Process Injection |
| 6.5.1 | SV.EXEC.DIR | Process Injection. Working Directory |
| 6.5.1 | SV.EXEC.ENV | Process Injection. Environment Variables |
| 6.5.1 | SV.EXEC.LOCAL | Process Injection. Local Arguments |
| 6.5.1 | SV.PATH | Path and file name injection |
| 6.5.1 | SV.PATH.INJ | File injection |
| 6.5.1 | SV.SQL | Sql Injection |
| 6.5.1 | SV.SQL.DBSOURCE | Unchecked information from the database is used in SQL statements |
| 6.5.2 | SV.DOS.ARRINDEX | Tainted index used for array access |
| 6.5.2 | SV.DOS.ARRSIZE | Tainted size used for array allocation |
| 6.5.3 | SV.HASH.NO_SALT | Use of a one-way cryptographic hash without a salt |
| 6.5.3 | SV.PASSWD.HC | Hardcoded Password |
| 6.5.3 | SV.PASSWD.HC.EMPTY | Empty Password |
| 6.5.3 | SV.PASSWD.PLAIN | Plain-text Password |
| 6.5.3 | SV.RANDOM | Use of insecure Random number generator |
| 6.5.3 | SV.SENSITIVE.DATA | Unencrypted sensitive data is written |
| 6.5.3 | SV.SENSITIVE.OBJ | Object with unencrypted sensitive data is stored |
| 6.5.3 | SV.WEAK.CRYPT | Use of a Broken or Risky Cryptographic Algorithm |
| 6.5.4 | SV.EMAIL | Unchecked e-mail |
| 6.5.4 | SV.HTTP_SPLIT | Http Response Splitting |
| 6.5.4 | SV.SERIAL.NOREAD | Method readObject() should be defined for a serializable class |
| 6.5.4 | SV.SERIAL.NOWRITE | Method writeObject() should be defined for a serializable class |
| 6.5.4 | SV.SERIAL.SIG | Methods readObject() and writeObject() in serializable classes should have correct signature |
| 6.5.4 | SV.TAINT | Tainted data |
| 6.5.4 | SV.TAINT_NATIVE | Tainted data goes to native code |
| 6.5.5 | ECC.EMPTY | Empty catch clause |
| 6.5.5 | EXC.BROADTHROWS | Method has an overly broad throws declaration |
| 6.5.5 | JD.CATCH | Catching runtime exception |
| 6.5.5 | JD.FINRET | Return inside finally |
| 6.5.5 | JD.UNCAUGHT | Uncaught exception |
| 6.5.5 | SV.IL.DEV | Design information leakage |
| 6.5.5 | SV.IL.FILE | File Name Leaking |
| 6.5.5 | UMC.SYSERR | Debug print using System.err method calls is unwanted |
| 6.5.5 | UMC.SYSOUT | Debug print using System.out method calls is unwanted |
| 6.5.7 | SV.XSS.DB | Cross Site Scripting (Stored XSS) |
| 6.5.7 | SV.XSS.REF | Cross Site Scripting (Reflected XSS) |
| 6.5.8 | ANDROID.LIFECYCLE.SV.FRAGMENTINJ | Unvalidated fragment class name |
| 6.5.8 | ANDROID.LIFECYCLE.SV.GETEXTRA | Unvalidated external data |
| 6.5.8 | SV.DOS.TMPFILEDEL | Leaving temporary file for lifetime of JVM |
| 6.5.8 | SV.DOS.TMPFILEEXIT | Leaving temporary file |
| 6.5.9 | SV.CSRF.GET | CSRF Token in GET request |
| 6.5.9 | SV.CSRF.ORIGIN | Request handler without an origin check |
| 6.5.9 | SV.CSRF.TOKEN | State changing request handler without a CSRF check |
| 6.5.10 | SV.ECV | Empty certificate validation |
| 6.5.10 | SV.LDAP | Unvalidated user input is used as LDAP filter |