DISA STIG version 5 IDs: C#
This article maps DISA Security Technical Implementation Guide version 5 IDs to Klocwork C# checkers. For more information about DISA STIG, see the STIG web site.
| Rule | Checker name and description |
|---|---|
| Executive Orders | CS.HCC Use of hardcoded credentials<br>CS.HCC.PWD Use of a hardcoded password<br>CS.HCC.USER Use of a hardcoded user name<br>CS.RCA Risky cryptographic algorithm used |
| V-222396 [APSC-DV-000160] (CAT 2) | CS.XSS.PERSIST Cross-site Scripting Persisting Vulnerability<br>CS.XSS.REFLECT Cross-site Scripting Reflecting Vulnerability |
| V-222396 [APSC-DV-000160] (CAT 2): The application must implement DoD-approved encryption to protect the confidentiality of remote access sessions. | CS.RCA Risky cryptographic algorithm used<br>CS.XSS.PERSIST Cross-site Scripting Persisting Vulnerability<br>CS.XSS.REFLECT Cross-site Scripting Reflecting Vulnerability |
| V-222396 [APSC-DV-000160] (CAT 2) | CS.RCA Risky cryptographic algorithm used |
| V-222397 [APSC-DV-000170] (CAT 2): The application must implement cryptographic mechanisms to protect the integrity of remote access sessions. | CS.RCA Risky cryptographic algorithm used |
| V-222397 [APSC-DV-000170] (CAT 2) | CS.RCA Risky cryptographic algorithm used |
| V-222542 [APSC-DV-001740] (CAT 1) | CS.HCC Use of hardcoded credentials<br>CS.HCC.PWD Use of a hardcoded password<br>CS.HCC.USER Use of a hardcoded user name<br>CS.RCA Risky cryptographic algorithm used |
| V-222542 [APSC-DV-001740] (CAT 1): The application must only store cryptographic representations of passwords. | CS.HCC Use of hardcoded credentials<br>CS.HCC.PWD Use of a hardcoded password<br>CS.HCC.USER Use of a hardcoded user name<br>CS.RCA Risky cryptographic algorithm used |
| V-222543 [APSC-DV-001750] (CAT 1) | CS.HCC Use of hardcoded credentials<br>CS.HCC.PWD Use of a hardcoded password<br>CS.HCC.USER Use of a hardcoded user name<br>CS.RCA Risky cryptographic algorithm used |
| V-222543 [APSC-DV-001750] (CAT 1): The application must transmit only cryptographically-protected passwords. | CS.HCC Use of hardcoded credentials<br>CS.HCC.PWD Use of a hardcoded password<br>CS.HCC.USER Use of a hardcoded user name<br>CS.RCA Risky cryptographic algorithm used |
| V-222555 [APSC-DV-001860] (CAT 1) | CS.HCC Use of hardcoded credentials<br>CS.HCC.PWD Use of a hardcoded password<br>CS.HCC.USER Use of a hardcoded user name |
| V-222555 [APSC-DV-001860] (CAT 1): The application must use mechanisms meeting the requirements of applicable federal laws | CS.HCC Use of hardcoded credentials<br>CS.HCC.PWD Use of a hardcoded password<br>CS.HCC.USER Use of a hardcoded user name |
| V-222568 [APSC-DV-002000] (CAT 2): The application must terminate all network connections associated with a communications session at the end of the session. | CS.RLK Resource leak |
| V-222568 [APSC-DV-002000] (CAT 2) | CS.RLK Resource leak |
| V-222571 [APSC-DV-002030] (CAT 2): The application must utilize FIPS-validated cryptographic modules when generating cryptographic hashes. | CS.RCA Risky cryptographic algorithm used |
| V-222571 [APSC-DV-002030] (CAT 2) | CS.RCA Risky cryptographic algorithm used |
| V-222572 [APSC-DV-002040] (CAT 2): The application must utilize FIPS-validated cryptographic modules when protecting unclassified information that requires cryptographic protection. | CS.RCA Risky cryptographic algorithm used |
| V-222572 [APSC-DV-002040] (CAT 2) | CS.RCA Risky cryptographic algorithm used |
| V-222583 [APSC-DV-002290] (CAT 2): The application must use the Federal Information Processing Standard (FIPS) 140-2-validated cryptographic modules and random number generator if the application implements encryption | CS.RCA Risky cryptographic algorithm used |
| V-222583 [APSC-DV-002290] (CAT 2) | CS.RCA Risky cryptographic algorithm used |
| V-222589 [APSC-DV-002350] (CAT 2): The application must use appropriate cryptography in order to protect stored DoD information when required by the information owner or DoD policy. | CS.RCA Risky cryptographic algorithm used |
| V-222589 [APSC-DV-002350] (CAT 2) | CS.RCA Risky cryptographic algorithm used |
| V-222594 [APSC-DV-002400] (CAT 2): The application must restrict the ability to launch Denial of Service (DoS) attacks against itself or other information systems. | CS.SV.TAINTED.ALLOC_SIZE Use of unvalidated integer in memory allocation |
| V-222594 [APSC-DV-002400] (CAT 2) | CS.SV.TAINTED.ALLOC_SIZE Use of unvalidated integer in memory allocation |
| V-222603 [APSC-DV-002500] (CAT 2): The application must protect from Cross-Site Request Forgery (CSRF) vulnerabilities. | CS.CSRF.ATTR.NOATTR AntiForgery attribute should be added to class or method.<br>CS.CSRF.ATTR.POST AntiForgery attribute should be added to class or method.<br>CS.CSRF.VALIDATE Validation of 'POST request data access' is not done.<br>CS.CSRF.VSUK.CONSTASSIGN A const string is assigned to property 'ViewStateUserKey'.<br>CS.CSRF.VSUK.NOASSIGN Property 'ViewStateUserKey' is not set. |
| V-222603 [APSC-DV-002500] (CAT 2) | CS.CSRF.ATTR.NOATTR AntiForgery attribute should be added to class or method.<br>CS.CSRF.ATTR.POST AntiForgery attribute should be added to class or method.<br>CS.CSRF.VALIDATE Validation of 'POST request data access' is not done.<br>CS.CSRF.VSUK.CONSTASSIGN A const string is assigned to property 'ViewStateUserKey'.<br>CS.CSRF.VSUK.NOASSIGN Property 'ViewStateUserKey' is not set. |
| V-222604 [APSC-DV-002510] (CAT 1) | CS.SV.TAINTED.INJECTION C# command injection |
| V-222604 [APSC-DV-002510] (CAT 1): The application must protect from command injection. | CS.SV.TAINTED.INJECTION C# command injection |
| V-222606 [APSC-DV-002530] (CAT 2): The application must validate all input. | CS.SV.TAINTED.ALLOC_SIZE Use of unvalidated integer in memory allocation<br>CS.SV.TAINTED.BINOP Use of unvalidated integer in binary operation<br>CS.SV.TAINTED.CALL.BINOP Use of unvalidated integer in binary operation<br>CS.SV.TAINTED.CALL.INDEX_ACCESS Use of unvalidated integer as array index by function call<br>CS.SV.TAINTED.CALL.LOOP_BOUND Use of unvalidated integer in loop condition through a function call<br>CS.SV.TAINTED.DESERIALIZATION Use of unvalidated integer during deserialization in object creation<br>CS.SV.TAINTED.FMTSTR Use of unvalidated data in a format string<br>CS.SV.TAINTED.INDEX_ACCESS Use of unvalidated integer as array index<br>CS.SV.TAINTED.LOOP_BOUND Use of unvalidated integer in loop condition<br>CS.SV.TAINTED.PATH_TRAVERSAL Use of unvalidated data in a path traversal |
| V-222606 [APSC-DV-002530] (CAT 2) | CS.SV.TAINTED.ALLOC_SIZE Use of unvalidated integer in memory allocation<br>CS.SV.TAINTED.BINOP Use of unvalidated integer in binary operation<br>CS.SV.TAINTED.CALL.BINOP Use of unvalidated integer in binary operation<br>CS.SV.TAINTED.CALL.INDEX_ACCESS Use of unvalidated integer as array index by function call<br>CS.SV.TAINTED.CALL.LOOP_BOUND Use of unvalidated integer in loop condition through a function call<br>CS.SV.TAINTED.DESERIALIZATION Use of unvalidated integer during deserialization in object creation<br>CS.SV.TAINTED.FMTSTR Use of unvalidated data in a format string<br>CS.SV.TAINTED.INDEX_ACCESS Use of unvalidated integer as array index<br>CS.SV.TAINTED.LOOP_BOUND Use of unvalidated integer in loop condition<br>CS.SV.TAINTED.PATH_TRAVERSAL Use of unvalidated data in a path traversal |
| V-222607 [APSC-DV-002540] (CAT 1) | CS.SV.USAGERULES.PERMISSIONS Use of Privilege Elevation |
| V-222607 [APSC-DV-002540] (CAT 1): The application must not be vulnerable to SQL Injection. | CS.SV.USAGERULES.PERMISSIONS Use of Privilege Elevation |
| V-222609 [APSC-DV-002560] (CAT 1) | CS.SV.TAINTED.ALLOC_SIZE Use of unvalidated integer in memory allocation<br>CS.SV.TAINTED.BINOP Use of unvalidated integer in binary operation<br>CS.SV.TAINTED.CALL.BINOP Use of unvalidated integer in binary operation<br>CS.SV.TAINTED.CALL.INDEX_ACCESS Use of unvalidated integer as array index by function call<br>CS.SV.TAINTED.CALL.LOOP_BOUND Use of unvalidated integer in loop condition through a function call<br>CS.SV.TAINTED.DESERIALIZATION Use of unvalidated integer during deserialization in object creation<br>CS.SV.TAINTED.FMTSTR Use of unvalidated data in a format string<br>CS.SV.TAINTED.INDEX_ACCESS Use of unvalidated integer as array index<br>CS.SV.TAINTED.LOOP_BOUND Use of unvalidated integer in loop condition<br>CS.SV.TAINTED.PATH_TRAVERSAL Use of unvalidated data in a path traversal |
| V-222609 [APSC-DV-002560] (CAT 1): The application must not be subject to input handling vulnerabilities. | CS.SV.TAINTED.ALLOC_SIZE Use of unvalidated integer in memory allocation<br>CS.SV.TAINTED.BINOP Use of unvalidated integer in binary operation<br>CS.SV.TAINTED.CALL.BINOP Use of unvalidated integer in binary operation<br>CS.SV.TAINTED.CALL.INDEX_ACCESS Use of unvalidated integer as array index by function call<br>CS.SV.TAINTED.CALL.LOOP_BOUND Use of unvalidated integer in loop condition through a function call<br>CS.SV.TAINTED.DESERIALIZATION Use of unvalidated integer during deserialization in object creation<br>CS.SV.TAINTED.FMTSTR Use of unvalidated data in a format string<br>CS.SV.TAINTED.INDEX_ACCESS Use of unvalidated integer as array index<br>CS.SV.TAINTED.LOOP_BOUND Use of unvalidated integer in loop condition<br>CS.SV.TAINTED.PATH_TRAVERSAL Use of unvalidated data in a path traversal |
| V-222612 [APSC-DV-002590] (CAT 1) | CS.SV.TAINTED.CALL.BINOP Use of unvalidated integer in binary operation<br>CS.SV.TAINTED.CALL.INDEX_ACCESS Use of unvalidated integer as array index by function call<br>CS.SV.TAINTED.CALL.LOOP_BOUND Use of unvalidated integer in loop condition through a function call<br>CS.SV.TAINTED.DESERIALIZATION Use of unvalidated integer during deserialization in object creation<br>CS.SV.TAINTED.INDEX_ACCESS Use of unvalidated integer as array index<br>CS.SV.TAINTED.LOOP_BOUND Use of unvalidated integer in loop condition |
| V-222612 [APSC-DV-002590] (CAT 1): The application must not be vulnerable to overflow attacks. | CS.SV.TAINTED.BINOP Use of unvalidated integer in binary operation<br>CS.SV.TAINTED.CALL.BINOP Use of unvalidated integer in binary operation<br>CS.SV.TAINTED.CALL.INDEX_ACCESS Use of unvalidated integer as array index by function call<br>CS.SV.TAINTED.CALL.LOOP_BOUND Use of unvalidated integer in loop condition through a function call<br>CS.SV.TAINTED.DESERIALIZATION Use of unvalidated integer during deserialization in object creation<br>CS.SV.TAINTED.INDEX_ACCESS Use of unvalidated integer as array index<br>CS.SV.TAINTED.LOOP_BOUND Use of unvalidated integer in loop condition |
| V-222625 [APSC-DV-002950] (CAT 2) | CS.BANNED.INVOKE Prefer asynchronous calls to synchronized calls |
| V-222625 [APSC-DV-002950] (CAT 2): Execution flow diagrams and design documents must be created to show how deadlock and recursion issues in web services are being mitigated. | CS.BANNED.INVOKE Prefer asynchronous calls to synchronized calls |
| V-222641 [APSC-DV-003100] (CAT 2): The application must use encryption to implement key exchange and authenticate endpoints prior to establishing a communication channel for key exchange. | CS.RCA Risky cryptographic algorithm used |
| V-222641 [APSC-DV-003100] (CAT 2) | CS.RCA Risky cryptographic algorithm used |
| V-254803 [APSC-DV-002010] (CAT 2): The application must implement NSA-approved cryptography to protect classified information in accordance with applicable federal laws | CS.RCA Risky cryptographic algorithm used |
| V-254803 [APSC-DV-002010] (CAT 2) | CS.RCA Risky cryptographic algorithm used |
| VV-222612 [APSC-DV-002590] (CAT 1) | CS.SV.TAINTED.BINOP Use of unvalidated integer in binary operation |
| and guidance for authentication to a cryptographic module. | CS.HCC Use of hardcoded credentials<br>CS.HCC.PWD Use of a hardcoded password<br>CS.HCC.USER Use of a hardcoded user name |
| and hash functionality. | CS.RCA Risky cryptographic algorithm used |
| and standards. | CS.RCA Risky cryptographic algorithm used |
| digital signature | CS.RCA Risky cryptographic algorithm used |
| directives | CS.HCC Use of hardcoded credentials<br>CS.HCC.PWD Use of a hardcoded password<br>CS.HCC.USER Use of a hardcoded user name<br>CS.RCA Risky cryptographic algorithm used |
| key exchange | CS.RCA Risky cryptographic algorithm used |
| policies | CS.HCC Use of hardcoded credentials<br>CS.HCC.PWD Use of a hardcoded password<br>CS.HCC.USER Use of a hardcoded user name<br>CS.RCA Risky cryptographic algorithm used |
| regulations | CS.HCC Use of hardcoded credentials<br>CS.HCC.PWD Use of a hardcoded password<br>CS.HCC.USER Use of a hardcoded user name<br>CS.RCA Risky cryptographic algorithm used |
| standards | CS.HCC Use of hardcoded credentials<br>CS.HCC.PWD Use of a hardcoded password<br>CS.HCC.USER Use of a hardcoded user name |