DISA STIG version 6 IDs: Java
This article maps DISA Security Technical Implementation Guide version 6 IDs to Klocwork Java checkers. For more information about DISA STIG, see the STIG web site.
| Rule | Checker name and description |
|---|---|
| Executive Orders |
JAVA.SV.EMAIL.HOST Sending e-mails to Host without validation. SV.AUTH.HASH.MIGHT Use of weak cryptographic algorithm SV.AUTH.HASH.MUST Use of weak cryptographic algorithm SV.ECV Empty certificate validation SV.ECV.TRUSTMANAGER Unsafe implementation of the interface X509TrustManager. SV.HASH.NO_SALT Use of a one-way cryptographic hash without a salt SV.SENSITIVE.DATA Unencrypted sensitive data is written SV.SENSITIVE.OBJ Object with unencrypted sensitive data is stored SV.WEAK.CRYPT Use of a Broken or Risky Cryptographic Algorithm SV.WEAK.KEYS.AES Insufficient key length in Cryptographic Algorithm SV.WEAK.KEYS.DH Insufficient key length in Cryptographic Algorithm SV.WEAK.KEYS.DSA Insufficient key length in Cryptographic Algorithm SV.WEAK.KEYS.EC Insufficient key length in Cryptographic Algorithm SV.WEAK.KEYS.RSA Insufficient key length in Cryptographic Algorithm SV.WEAK.TLS Weak SSL/TLS protocols should not be used. SV.XSS.COOKIE Sensitive cookie without setHttpOnly flag SV.XSS.COOKIE.SECURE Sensitive cookie without Secure protocol |
| V-222388 [APSC-DV-000060] (MEDIUM) |
SV.DOS.TMPFILEDEL Leaving temporary file for lifetime of JVM SV.DOS.TMPFILEEXIT Leaving temporary file |
| V-222388 [APSC-DV-000060] (MEDIUM): The application must clear temporary storage and cookies when the session is terminated. |
SV.DOS.TMPFILEDEL Leaving temporary file for lifetime of JVM SV.DOS.TMPFILEEXIT Leaving temporary file |
| V-222396 [APSC-DV-000160] (MEDIUM) |
SV.AUTH.HASH.MUST Use of weak cryptographic algorithm SV.HASH.NO_SALT Use of a one-way cryptographic hash without a salt SV.SENSITIVE.DATA Unencrypted sensitive data is written SV.SENSITIVE.OBJ Object with unencrypted sensitive data is stored SV.WEAK.CRYPT Use of a Broken or Risky Cryptographic Algorithm SV.WEAK.TLS Weak SSL/TLS protocols should not be used. |
| V-222396 [APSC-DV-000160] (MEDIUM): The application must implement DoD-approved encryption to protect the confidentiality of remote access sessions. |
SV.AUTH.HASH.MUST Use of weak cryptographic algorithm SV.HASH.NO_SALT Use of a one-way cryptographic hash without a salt SV.SENSITIVE.DATA Unencrypted sensitive data is written SV.SENSITIVE.OBJ Object with unencrypted sensitive data is stored SV.WEAK.CRYPT Use of a Broken or Risky Cryptographic Algorithm SV.WEAK.TLS Weak SSL/TLS protocols should not be used. |
| V-222397 [APSC-DV-000170] (MEDIUM) |
SV.AUTH.HASH.MUST Use of weak cryptographic algorithm SV.HASH.NO_SALT Use of a one-way cryptographic hash without a salt SV.SENSITIVE.DATA Unencrypted sensitive data is written SV.SENSITIVE.OBJ Object with unencrypted sensitive data is stored SV.WEAK.CRYPT Use of a Broken or Risky Cryptographic Algorithm SV.WEAK.TLS Weak SSL/TLS protocols should not be used. |
| V-222397 [APSC-DV-000170] (MEDIUM): The application must implement cryptographic mechanisms to protect the integrity of remote access sessions. |
SV.AUTH.HASH.MUST Use of weak cryptographic algorithm SV.HASH.NO_SALT Use of a one-way cryptographic hash without a salt SV.SENSITIVE.DATA Unencrypted sensitive data is written SV.SENSITIVE.OBJ Object with unencrypted sensitive data is stored SV.WEAK.CRYPT Use of a Broken or Risky Cryptographic Algorithm SV.WEAK.TLS Weak SSL/TLS protocols should not be used. |
| V-222425 [APSC-DV-000460] (HIGH) |
SPRING.AUTHC.ABSENT No configuration for a critical resource SPRING.AUTHC.MISSING Missing authentication for critical function SPRING.AUTHZ.ABSENT No configuration for protected resource SPRING.AUTHZ.MISSING Missing Authorization SV.AUTH.BYPASS.MIGHT Incorrect Authentication SV.AUTH.BYPASS.MUST Incorrect Authentication |
| V-222425 [APSC-DV-000460] (HIGH): The application must enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies. |
SPRING.AUTHC.ABSENT No configuration for a critical resource SPRING.AUTHC.MISSING Missing authentication for critical function SPRING.AUTHZ.ABSENT No configuration for protected resource SPRING.AUTHZ.MISSING Missing Authorization SV.AUTH.BYPASS.MIGHT Incorrect Authentication SV.AUTH.BYPASS.MUST Incorrect Authentication |
| V-222427 [APSC-DV-000480] (MEDIUM) |
SV.EXPOSE.FIELD Static field may be changed by malicious code SV.EXPOSE.FIN Method finalize() should have protected access modifier, not public SV.EXPOSE.IFIELD Instance field should be made final SV.EXPOSE.MUTABLEFIELD Static mutable field can be accessed by malicious code SV.EXPOSE.RET Internal representation may be exposed SV.EXPOSE.STORE Method stores reference to mutable object |
| V-222427 [APSC-DV-000480] (MEDIUM): The application must enforce approved authorizations for controlling the flow of information within the system based on organization-defined information flow control policies. |
SV.EXPOSE.FIELD Static field may be changed by malicious code SV.EXPOSE.FIN Method finalize() should have protected access modifier, not public SV.EXPOSE.IFIELD Instance field should be made final SV.EXPOSE.MUTABLEFIELD Static mutable field can be accessed by malicious code SV.EXPOSE.RET Internal representation may be exposed SV.EXPOSE.STORE Method stores reference to mutable object |
| V-222430 [APSC-DV-000510] (HIGH) |
SPRING.AUTHC.ABSENT No configuration for a critical resource SPRING.AUTHC.MISSING Missing authentication for critical function SPRING.AUTHZ.ABSENT No configuration for protected resource SPRING.AUTHZ.MISSING Missing Authorization SV.CLEXT.POLICY Class extends 'java.security.Policy' SV.PRIVILEGE.MISSING Method invoked should not be inside doPrivileged block SV.USE.POLICY Direct use methods of Policy |
| V-222430 [APSC-DV-000510] (HIGH): The application must execute without excessive account permissions. |
SPRING.AUTHC.ABSENT No configuration for a critical resource SPRING.AUTHC.MISSING Missing authentication for critical function SPRING.AUTHZ.ABSENT No configuration for protected resource SPRING.AUTHZ.MISSING Missing Authorization SV.CLEXT.POLICY Class extends 'java.security.Policy' SV.PRIVILEGE.MISSING Method invoked should not be inside doPrivileged block SV.USE.POLICY Direct use methods of Policy |
| V-222444 [APSC-DV-000650] (MEDIUM) |
SV.LOG_FORGING Log Forging |
| V-222444 [APSC-DV-000650] (MEDIUM): The application must not write sensitive data into the application logs. |
SV.LOG_FORGING Log Forging |
| V-222501 [APSC-DV-001290] (MEDIUM) |
SV.LOG_FORGING Log Forging |
| V-222501 [APSC-DV-001290] (MEDIUM): The application must protect audit information from unauthorized modification. |
SV.LOG_FORGING Log Forging |
| V-222515 [APSC-DV-001460] (MEDIUM) |
SV.EMAIL Unchecked e-mail SV.SSRF.URI URI based on invalidated user input. UMC.SYSERR Debug print using System.err method calls is unwanted UMC.SYSOUT Debug print using System.out method calls is unwanted |
| V-222515 [APSC-DV-001460] (MEDIUM): An application vulnerability assessment must be conducted. |
SV.EMAIL Unchecked e-mail SV.SSRF.URI URI based on invalidated user input. UMC.SYSERR Debug print using System.err method calls is unwanted UMC.SYSOUT Debug print using System.out method calls is unwanted |
| V-222536 [APSC-DV-001680] (HIGH) |
SV.PASSWD.HC.EMPTY Empty Password SV.PASSWD.HC.MINLEN Minimum 15 character length Hardcoded Password |
| V-222536 [APSC-DV-001680] (HIGH): The application must enforce a minimum 15-character password length. |
SV.PASSWD.HC.EMPTY Empty Password SV.PASSWD.HC.MINLEN Minimum 15 character length Hardcoded Password |
| V-222542 [APSC-DV-001740] (HIGH) |
SV.AUTH.HASH.MUST Use of weak cryptographic algorithm SV.HASH.NO_SALT Use of a one-way cryptographic hash without a salt SV.PASSWD.HC Hardcoded Password SV.PASSWD.HC.EMPTY Empty Password SV.PASSWD.PLAIN Plain-text Password SV.PASSWD.PLAIN.HC Plain-text Password SV.SENSITIVE.DATA Unencrypted sensitive data is written SV.SENSITIVE.OBJ Object with unencrypted sensitive data is stored SV.WEAK.CRYPT Use of a Broken or Risky Cryptographic Algorithm SV.WEAK.TLS Weak SSL/TLS protocols should not be used. |
| V-222542 [APSC-DV-001740] (HIGH): The application must only store cryptographic representations of passwords. |
SV.AUTH.HASH.MUST Use of weak cryptographic algorithm SV.HASH.NO_SALT Use of a one-way cryptographic hash without a salt SV.PASSWD.HC Hardcoded Password SV.PASSWD.HC.EMPTY Empty Password SV.PASSWD.PLAIN Plain-text Password SV.PASSWD.PLAIN.HC Plain-text Password SV.SENSITIVE.DATA Unencrypted sensitive data is written SV.SENSITIVE.OBJ Object with unencrypted sensitive data is stored SV.WEAK.CRYPT Use of a Broken or Risky Cryptographic Algorithm SV.WEAK.TLS Weak SSL/TLS protocols should not be used. |
| V-222543 [APSC-DV-001750] (HIGH) |
SV.AUTH.HASH.MUST Use of weak cryptographic algorithm SV.HASH.NO_SALT Use of a one-way cryptographic hash without a salt SV.PASSWD.HC Hardcoded Password SV.PASSWD.HC.EMPTY Empty Password SV.PASSWD.PLAIN Plain-text Password SV.PASSWD.PLAIN.HC Plain-text Password SV.SENSITIVE.DATA Unencrypted sensitive data is written SV.SENSITIVE.OBJ Object with unencrypted sensitive data is stored SV.WEAK.CRYPT Use of a Broken or Risky Cryptographic Algorithm SV.WEAK.TLS Weak SSL/TLS protocols should not be used. |
| V-222543 [APSC-DV-001750] (HIGH): The application must transmit only cryptographically-protected passwords. |
SV.AUTH.HASH.MUST Use of weak cryptographic algorithm SV.HASH.NO_SALT Use of a one-way cryptographic hash without a salt SV.PASSWD.HC Hardcoded Password SV.PASSWD.HC.EMPTY Empty Password SV.PASSWD.PLAIN Plain-text Password SV.PASSWD.PLAIN.HC Plain-text Password SV.SENSITIVE.DATA Unencrypted sensitive data is written SV.SENSITIVE.OBJ Object with unencrypted sensitive data is stored SV.WEAK.CRYPT Use of a Broken or Risky Cryptographic Algorithm SV.WEAK.TLS Weak SSL/TLS protocols should not be used. |
| V-222550 [APSC-DV-001810] (HIGH) |
SV.CERT.INVALID Certificate must be validated by constructing certification path. SV.ECV.TRUSTMANAGER Unsafe implementation of the interface X509TrustManager. |
| V-222550 [APSC-DV-001810] (HIGH): The application |
SV.CERT.INVALID Certificate must be validated by constructing certification path. SV.ECV.TRUSTMANAGER Unsafe implementation of the interface X509TrustManager. |
| V-222551 [APSC-DV-001820] (HIGH) |
SPRING.AUTHC.ABSENT No configuration for a critical resource SPRING.AUTHC.MISSING Missing authentication for critical function SPRING.AUTHZ.ABSENT No configuration for protected resource SPRING.AUTHZ.MISSING Missing Authorization SV.AUTH.BYPASS.MIGHT Incorrect Authentication SV.AUTH.BYPASS.MUST Incorrect Authentication SV.PERMS.HOME File created in user home directory, without setting permissions SV.PERMS.WIDE Too wide permissions |
| V-222551 [APSC-DV-001820] (HIGH): The application |
SPRING.AUTHC.ABSENT No configuration for a critical resource SPRING.AUTHC.MISSING Missing authentication for critical function SPRING.AUTHZ.ABSENT No configuration for protected resource SPRING.AUTHZ.MISSING Missing Authorization SV.AUTH.BYPASS.MIGHT Incorrect Authentication SV.AUTH.BYPASS.MUST Incorrect Authentication SV.PERMS.HOME File created in user home directory, without setting permissions SV.PERMS.WIDE Too wide permissions |
| V-222554 [APSC-DV-001850] (HIGH) |
SV.PASSWD.PLAIN Plain-text Password |
| V-222554 [APSC-DV-001850] (HIGH): The application must not display passwords/PINs as clear text. |
SV.PASSWD.PLAIN Plain-text Password |
| V-222555 [APSC-DV-001860] (HIGH) |
JAVA.SV.EMAIL.HOST Sending e-mails to Host without validation. SV.AUTH.HASH.MIGHT Use of weak cryptographic algorithm SV.AUTH.HASH.MUST Use of weak cryptographic algorithm SV.ECV Empty certificate validation SV.ECV.TRUSTMANAGER Unsafe implementation of the interface X509TrustManager. SV.HASH.NO_SALT Use of a one-way cryptographic hash without a salt SV.SENSITIVE.DATA Unencrypted sensitive data is written SV.SENSITIVE.OBJ Object with unencrypted sensitive data is stored SV.WEAK.CRYPT Use of a Broken or Risky Cryptographic Algorithm SV.WEAK.KEYS.AES Insufficient key length in Cryptographic Algorithm SV.WEAK.KEYS.DH Insufficient key length in Cryptographic Algorithm SV.WEAK.KEYS.DSA Insufficient key length in Cryptographic Algorithm SV.WEAK.KEYS.EC Insufficient key length in Cryptographic Algorithm SV.WEAK.KEYS.RSA Insufficient key length in Cryptographic Algorithm SV.WEAK.TLS Weak SSL/TLS protocols should not be used. SV.XSS.COOKIE Sensitive cookie without setHttpOnly flag SV.XSS.COOKIE.SECURE Sensitive cookie without Secure protocol |
| V-222555 [APSC-DV-001860] (HIGH): The application must use mechanisms meeting the requirements of applicable federal laws |
JAVA.SV.EMAIL.HOST Sending e-mails to Host without validation. SV.AUTH.HASH.MIGHT Use of weak cryptographic algorithm SV.AUTH.HASH.MUST Use of weak cryptographic algorithm SV.ECV Empty certificate validation SV.ECV.TRUSTMANAGER Unsafe implementation of the interface X509TrustManager. SV.HASH.NO_SALT Use of a one-way cryptographic hash without a salt SV.SENSITIVE.DATA Unencrypted sensitive data is written SV.SENSITIVE.OBJ Object with unencrypted sensitive data is stored SV.WEAK.CRYPT Use of a Broken or Risky Cryptographic Algorithm SV.WEAK.KEYS.AES Insufficient key length in Cryptographic Algorithm SV.WEAK.KEYS.DH Insufficient key length in Cryptographic Algorithm SV.WEAK.KEYS.DSA Insufficient key length in Cryptographic Algorithm SV.WEAK.KEYS.EC Insufficient key length in Cryptographic Algorithm SV.WEAK.KEYS.RSA Insufficient key length in Cryptographic Algorithm SV.WEAK.TLS Weak SSL/TLS protocols should not be used. SV.XSS.COOKIE Sensitive cookie without setHttpOnly flag SV.XSS.COOKIE.SECURE Sensitive cookie without Secure protocol |
| V-222567 [APSC-DV-001995] (MEDIUM) |
JD.NEXT Possible 'NoSuchElementException' JD.SYNC.IN Inconsistent synchronization SV.SHARED.VAR Unsynchronized access to static variable from servlet SV.STRUTS.STATIC Struts Forms: static fields SV.UMC.THREADS Bad practices: use of thread management |
| V-222567 [APSC-DV-001995] (MEDIUM): The application must not be vulnerable to race conditions. |
JD.NEXT Possible 'NoSuchElementException' JD.SYNC.IN Inconsistent synchronization SV.SHARED.VAR Unsynchronized access to static variable from servlet SV.STRUTS.STATIC Struts Forms: static fields SV.UMC.THREADS Bad practices: use of thread management |
| V-222568 [APSC-DV-002000] (MEDIUM) |
RLK.NIO NIO object is not closed on exit RLK.SOCK Socket is not closed on exit |
| V-222568 [APSC-DV-002000] (MEDIUM): The application must terminate all network connections associated with a communications session at the end of the session. |
RLK.NIO NIO object is not closed on exit RLK.SOCK Socket is not closed on exit |
| V-222571 [APSC-DV-002030] (MEDIUM) |
SV.AUTH.HASH.MUST Use of weak cryptographic algorithm SV.HASH.NO_SALT Use of a one-way cryptographic hash without a salt SV.SENSITIVE.DATA Unencrypted sensitive data is written SV.SENSITIVE.OBJ Object with unencrypted sensitive data is stored SV.WEAK.CRYPT Use of a Broken or Risky Cryptographic Algorithm SV.WEAK.TLS Weak SSL/TLS protocols should not be used. |
| V-222571 [APSC-DV-002030] (MEDIUM): The application must utilize FIPS-validated cryptographic modules when generating cryptographic hashes. |
SV.AUTH.HASH.MUST Use of weak cryptographic algorithm SV.HASH.NO_SALT Use of a one-way cryptographic hash without a salt SV.SENSITIVE.DATA Unencrypted sensitive data is written SV.SENSITIVE.OBJ Object with unencrypted sensitive data is stored SV.WEAK.CRYPT Use of a Broken or Risky Cryptographic Algorithm SV.WEAK.TLS Weak SSL/TLS protocols should not be used. |
| V-222572 [APSC-DV-002040] (MEDIUM) |
SV.AUTH.HASH.MUST Use of weak cryptographic algorithm SV.HASH.NO_SALT Use of a one-way cryptographic hash without a salt SV.SENSITIVE.DATA Unencrypted sensitive data is written SV.SENSITIVE.OBJ Object with unencrypted sensitive data is stored SV.WEAK.CRYPT Use of a Broken or Risky Cryptographic Algorithm SV.WEAK.TLS Weak SSL/TLS protocols should not be used. |
| V-222572 [APSC-DV-002040] (MEDIUM): The application must utilize FIPS-validated cryptographic modules when protecting unclassified information that requires cryptographic protection. |
SV.AUTH.HASH.MUST Use of weak cryptographic algorithm SV.HASH.NO_SALT Use of a one-way cryptographic hash without a salt SV.SENSITIVE.DATA Unencrypted sensitive data is written SV.SENSITIVE.OBJ Object with unencrypted sensitive data is stored SV.WEAK.CRYPT Use of a Broken or Risky Cryptographic Algorithm SV.WEAK.TLS Weak SSL/TLS protocols should not be used. |
| V-222577 [APSC-DV-002230] (HIGH) |
SV.IL.SESSION Logging of session id SV.IL.SESSION.CLIENT HttpServletRequest.getRequestedSessionId method should not be used. SV.SESSION.FIXATION.COOKIE Cookies should not be vulnerable to session fixation SV.SPRING.FIXATION Session fixation protection is disabled SV.XSS.COOKIE Sensitive cookie without setHttpOnly flag SV.XSS.COOKIE.SECURE Sensitive cookie without Secure protocol |
| V-222577 [APSC-DV-002230] (HIGH): The application must not expose session IDs. |
SV.IL.SESSION Logging of session id SV.IL.SESSION.CLIENT HttpServletRequest.getRequestedSessionId method should not be used. SV.SESSION.FIXATION.COOKIE Cookies should not be vulnerable to session fixation SV.SPRING.FIXATION Session fixation protection is disabled SV.XSS.COOKIE Sensitive cookie without setHttpOnly flag SV.XSS.COOKIE.SECURE Sensitive cookie without Secure protocol |
| V-222578 [APSC-DV-002240] (HIGH) |
SV.IL.SESSION Logging of session id SV.IL.SESSION.CLIENT HttpServletRequest.getRequestedSessionId method should not be used. SV.SESSION.FIXATION.COOKIE Cookies should not be vulnerable to session fixation SV.SPRING.FIXATION Session fixation protection is disabled SV.XSS.COOKIE Sensitive cookie without setHttpOnly flag SV.XSS.COOKIE.SECURE Sensitive cookie without Secure protocol |
| V-222578 [APSC-DV-002240] (HIGH): The application must destroy the session ID value and/or cookie on logoff or browser close. |
SV.IL.SESSION Logging of session id SV.IL.SESSION.CLIENT HttpServletRequest.getRequestedSessionId method should not be used. SV.SESSION.FIXATION.COOKIE Cookies should not be vulnerable to session fixation SV.SPRING.FIXATION Session fixation protection is disabled SV.XSS.COOKIE Sensitive cookie without setHttpOnly flag SV.XSS.COOKIE.SECURE Sensitive cookie without Secure protocol |
| V-222583 [APSC-DV-002290] (MEDIUM) |
SV.RANDOM Use of insecure Random number generator |
| V-222583 [APSC-DV-002290] (MEDIUM): The application must generate a unique session identifier using a FIPS 140-2/140-3 approved random number generator. |
SV.RANDOM Use of insecure Random number generator |
| V-222585 [APSC-DV-002310] (HIGH) |
ANDROID.RLK.SQLOBJ Sql object is not closed on exit RLK.HIBERNATE Hibernate object is not closed on exit RLK.JNDI JNDI context is not closed on exit RLK.JPA {3} object is not closed on exit. RLK.SQLCON Sql connection is not closed on exit RLK.SQLOBJ Sql object is not closed on exit SV.DOS.TMPFILEDEL Leaving temporary file for lifetime of JVM SV.DOS.TMPFILEEXIT Leaving temporary file |
| V-222585 [APSC-DV-002310] (HIGH): The application must fail to a secure state if system initialization fails |
ANDROID.RLK.SQLOBJ Sql object is not closed on exit RLK.HIBERNATE Hibernate object is not closed on exit RLK.JNDI JNDI context is not closed on exit RLK.JPA {3} object is not closed on exit. RLK.SQLCON Sql connection is not closed on exit RLK.SQLOBJ Sql object is not closed on exit SV.DOS.TMPFILEDEL Leaving temporary file for lifetime of JVM SV.DOS.TMPFILEEXIT Leaving temporary file |
| V-222589 [APSC-DV-002350] (HIGH) |
SV.AUTH.HASH.MUST Use of weak cryptographic algorithm SV.HASH.NO_SALT Use of a one-way cryptographic hash without a salt SV.SENSITIVE.DATA Unencrypted sensitive data is written SV.SENSITIVE.OBJ Object with unencrypted sensitive data is stored SV.WEAK.CRYPT Use of a Broken or Risky Cryptographic Algorithm SV.WEAK.TLS Weak SSL/TLS protocols should not be used. |
| V-222589 [APSC-DV-002350] (HIGH): The application must use appropriate cryptography in order to protect stored DOD information when required by the information owner or DOD policy. |
SV.AUTH.HASH.MUST Use of weak cryptographic algorithm SV.HASH.NO_SALT Use of a one-way cryptographic hash without a salt SV.SENSITIVE.DATA Unencrypted sensitive data is written SV.SENSITIVE.OBJ Object with unencrypted sensitive data is stored SV.WEAK.CRYPT Use of a Broken or Risky Cryptographic Algorithm SV.WEAK.TLS Weak SSL/TLS protocols should not be used. |
| V-222590 [APSC-DV-002360] (MEDIUM) |
SV.CLEXT.POLICY Class extends 'java.security.Policy' SV.USE.POLICY Direct use methods of Policy |
| V-222590 [APSC-DV-002360] (MEDIUM): The application must isolate security functions from non-security functions. |
SV.CLEXT.POLICY Class extends 'java.security.Policy' SV.USE.POLICY Direct use methods of Policy |
| V-222594 [APSC-DV-002400] (MEDIUM) |
SV.DOS.ARRINDEX Tainted index used for array access SV.DOS.ARRSIZE Tainted size used for array allocation SV.TAINT_NATIVE Tainted data goes to native code SV.TMPFILE Temporary file path tampering SV.UMC.EXIT The System.exit() and Runtime.exit() method calls should not be used in servlets code |
| V-222594 [APSC-DV-002400] (MEDIUM): The application must restrict the ability to launch Denial of Service (DoS) attacks against itself or other information systems. |
SV.DOS.ARRINDEX Tainted index used for array access SV.DOS.ARRSIZE Tainted size used for array allocation SV.TAINT_NATIVE Tainted data goes to native code SV.TMPFILE Temporary file path tampering SV.UMC.EXIT The System.exit() and Runtime.exit() method calls should not be used in servlets code |
| V-222596 [APSC-DV-002440] (HIGH) |
SV.AUTH.HASH.MUST Use of weak cryptographic algorithm SV.HASH.NO_SALT Use of a one-way cryptographic hash without a salt SV.PASSWD.HC Hardcoded Password SV.PASSWD.HC.EMPTY Empty Password SV.PASSWD.PLAIN Plain-text Password SV.PASSWD.PLAIN.HC Plain-text Password SV.RANDOM Use of insecure Random number generator SV.SENSITIVE.DATA Unencrypted sensitive data is written SV.SENSITIVE.OBJ Object with unencrypted sensitive data is stored SV.SERIAL.NOFINAL Methods readObject() and writeObject() in serializable classes should be final SV.SERIAL.NOREAD Method readObject() should be defined for a serializable class SV.SERIAL.NOWRITE Method writeObject() should be defined for a serializable class SV.SERIAL.SIG Methods readObject() and writeObject() in serializable classes should have correct signature SV.WEAK.CRYPT Use of a Broken or Risky Cryptographic Algorithm |
| V-222596 [APSC-DV-002440] (HIGH): The application must protect the confidentiality and integrity of transmitted information. |
SV.AUTH.HASH.MUST Use of weak cryptographic algorithm SV.HASH.NO_SALT Use of a one-way cryptographic hash without a salt SV.PASSWD.HC Hardcoded Password SV.PASSWD.HC.EMPTY Empty Password SV.PASSWD.PLAIN Plain-text Password SV.PASSWD.PLAIN.HC Plain-text Password SV.RANDOM Use of insecure Random number generator SV.SENSITIVE.DATA Unencrypted sensitive data is written SV.SENSITIVE.OBJ Object with unencrypted sensitive data is stored SV.SERIAL.NOFINAL Methods readObject() and writeObject() in serializable classes should be final SV.SERIAL.NOREAD Method readObject() should be defined for a serializable class SV.SERIAL.NOWRITE Method writeObject() should be defined for a serializable class SV.SERIAL.SIG Methods readObject() and writeObject() in serializable classes should have correct signature SV.WEAK.CRYPT Use of a Broken or Risky Cryptographic Algorithm |
| V-222600 [APSC-DV-002480] (MEDIUM) |
SV.IL.DEV Design information leakage SV.IL.FILE File Name Leaking SV.STRBUF.CLEAN String buffer not cleaned SV.STRUTS.NOTRESET Struts Forms: inconsistent reset |
| V-222600 [APSC-DV-002480] (MEDIUM): The application must not disclose unnecessary information to users. |
SV.IL.DEV Design information leakage SV.IL.FILE File Name Leaking SV.STRBUF.CLEAN String buffer not cleaned SV.STRUTS.NOTRESET Struts Forms: inconsistent reset |
| V-222602 [APSC-DV-002490] (HIGH) |
ANDROID.LIFECYCLE.SV.GETEXTRA Unvalidated external data SV.HTTP_SPLIT Http Response Splitting SV.XSS.COOKIE Sensitive cookie without setHttpOnly flag SV.XSS.DB Cross Site Scripting (Stored XSS) SV.XSS.REF Cross Site Scripting (Reflected XSS) |
| V-222602 [APSC-DV-002490] (HIGH): The application must protect from Cross-Site Scripting (XSS) vulnerabilities. |
ANDROID.LIFECYCLE.SV.GETEXTRA Unvalidated external data SV.HTTP_SPLIT Http Response Splitting SV.XSS.COOKIE Sensitive cookie without setHttpOnly flag SV.XSS.DB Cross Site Scripting (Stored XSS) SV.XSS.REF Cross Site Scripting (Reflected XSS) |
| V-222603 [APSC-DV-002500] (MEDIUM) |
SV.CSRF.GET CSRF Token in GET request SV.CSRF.ORIGIN Request handler without an origin check SV.CSRF.TOKEN State changing request handler without a CSRF check |
| V-222603 [APSC-DV-002500] (MEDIUM): The application must protect from Cross-Site Request Forgery (CSRF) vulnerabilities. |
SV.CSRF.GET CSRF Token in GET request SV.CSRF.ORIGIN Request handler without an origin check SV.CSRF.TOKEN State changing request handler without a CSRF check |
| V-222604 [APSC-DV-002510] (HIGH) |
SV.CLASSDEF.INJ Runtime Class Definition Injection SV.CLASSLOADER.INJ Class Loader URL Injection SV.CLEXT.CLLOADER Class extends 'java.lang.ClassLoader' SV.EMAIL Unchecked e-mail SV.EXEC Process Injection SV.EXEC.DIR Process Injection. Working Directory SV.EXEC.ENV Process Injection. Environment Variables SV.EXEC.LOCAL Process Injection. Local Arguments SV.PATH Path and file name injection SV.PATH.INJ File injection SV.SCRIPT Script Execution SV.SERIAL.INON Interface extends 'Serializable' SV.SERIAL.NON Class implements 'Serializable' SV.SERIAL.NOREAD Method readObject() should be defined for a serializable class SV.SERIAL.NOWRITE Method writeObject() should be defined for a serializable class SV.SERIAL.SIG Methods readObject() and writeObject() in serializable classes should have correct signature |
| V-222604 [APSC-DV-002510] (HIGH): The application must protect from command injection. |
SV.CLASSDEF.INJ Runtime Class Definition Injection SV.CLASSLOADER.INJ Class Loader URL Injection SV.CLEXT.CLLOADER Class extends 'java.lang.ClassLoader' SV.EMAIL Unchecked e-mail SV.EXEC Process Injection SV.EXEC.DIR Process Injection. Working Directory SV.EXEC.ENV Process Injection. Environment Variables SV.EXEC.LOCAL Process Injection. Local Arguments SV.PATH Path and file name injection SV.PATH.INJ File injection SV.SCRIPT Script Execution SV.SERIAL.INON Interface extends 'Serializable' SV.SERIAL.NON Class implements 'Serializable' SV.SERIAL.NOREAD Method readObject() should be defined for a serializable class SV.SERIAL.NOWRITE Method writeObject() should be defined for a serializable class SV.SERIAL.SIG Methods readObject() and writeObject() in serializable classes should have correct signature |
| V-222606 [APSC-DV-002530] (MEDIUM) |
ANDROID.LIFECYCLE.SV.FRAGMENTINJ Unvalidated fragment class name ANDROID.LIFECYCLE.SV.GETEXTRA Unvalidated external data CMP.CLASS Comparing by classname SV.CLASSDEF.INJ Runtime Class Definition Injection SV.CLASSLOADER.INJ Class Loader URL Injection SV.DATA.BOUND Untrusted Data leaks into trusted storage SV.DATA.DB Data injection SV.DOS.ARRINDEX Tainted index used for array access SV.DOS.ARRSIZE Tainted size used for array allocation SV.EMAIL Unchecked e-mail SV.EXEC Process Injection SV.EXEC.DIR Process Injection. Working Directory SV.EXEC.ENV Process Injection. Environment Variables SV.HTTP_SPLIT Http Response Splitting SV.INT_OVF Tainted data may lead to Integer Overflow SV.LDAP Unvalidated user input is used as LDAP filter SV.PATH Path and file name injection SV.PATH.INJ File injection SV.SCRIPT Script Execution SV.SQL Sql Injection SV.SSRF.URI URI based on invalidated user input. SV.STRUTS.NOTVALID Struts Forms: inconsistent validate SV.STRUTS.VALIDMET Struts Forms: validate method SV.TAINT Tainted data SV.TAINT_NATIVE Tainted data goes to native code SV.TMPFILE Temporary file path tampering SV.XPATH Unvalidated user input is used as an XPath expression SV.XSS.REF Cross Site Scripting (Reflected XSS) |
| V-222606 [APSC-DV-002530] (MEDIUM): The application must validate all input. |
ANDROID.LIFECYCLE.SV.FRAGMENTINJ Unvalidated fragment class name ANDROID.LIFECYCLE.SV.GETEXTRA Unvalidated external data CMP.CLASS Comparing by classname SV.CLASSDEF.INJ Runtime Class Definition Injection SV.CLASSLOADER.INJ Class Loader URL Injection SV.DATA.BOUND Untrusted Data leaks into trusted storage SV.DATA.DB Data injection SV.DOS.ARRINDEX Tainted index used for array access SV.DOS.ARRSIZE Tainted size used for array allocation SV.EMAIL Unchecked e-mail SV.EXEC Process Injection SV.EXEC.DIR Process Injection. Working Directory SV.EXEC.ENV Process Injection. Environment Variables SV.HTTP_SPLIT Http Response Splitting SV.INT_OVF Tainted data may lead to Integer Overflow SV.LDAP Unvalidated user input is used as LDAP filter SV.PATH Path and file name injection SV.PATH.INJ File injection SV.SCRIPT Script Execution SV.SQL Sql Injection SV.SSRF.URI URI based on invalidated user input. SV.STRUTS.NOTVALID Struts Forms: inconsistent validate SV.STRUTS.VALIDMET Struts Forms: validate method SV.TAINT Tainted data SV.TAINT_NATIVE Tainted data goes to native code SV.TMPFILE Temporary file path tampering SV.XPATH Unvalidated user input is used as an XPath expression SV.XSS.REF Cross Site Scripting (Reflected XSS) |
| V-222607 [APSC-DV-002540] (HIGH) |
SV.SQL Sql Injection SV.SQL.DBSOURCE Unchecked information from the database is used in SQL statements |
| V-222607 [APSC-DV-002540] (HIGH): The application must not be vulnerable to SQL Injection. |
SV.SQL Sql Injection SV.SQL.DBSOURCE Unchecked information from the database is used in SQL statements |
| V-222608 [APSC-DV-002550] (HIGH) |
SV.XPATH Unvalidated user input is used as an XPath expression SV.XXE.DBF Possibility for XML External Entity attack SV.XXE.SF Possibility for XML External Entity attack SV.XXE.SPF Possibility for XML External Entity attack SV.XXE.TF Possibility for XML External Entity attack SV.XXE.XIF Possibility for XML External Entity attack SV.XXE.XRF Possibility for XML External Entity attack |
| V-222608 [APSC-DV-002550] (HIGH): The application must not be vulnerable to XML-oriented attacks. |
SV.XPATH Unvalidated user input is used as an XPath expression SV.XXE.DBF Possibility for XML External Entity attack SV.XXE.SF Possibility for XML External Entity attack SV.XXE.SPF Possibility for XML External Entity attack SV.XXE.TF Possibility for XML External Entity attack SV.XXE.XIF Possibility for XML External Entity attack SV.XXE.XRF Possibility for XML External Entity attack |
| V-222609 [APSC-DV-002560] (HIGH): The application must not be subject to input handling vulnerabilities. | `ANDROID.LIFECYCLE.SV.FRAGMENTINJ` Unvalidated fragment class name; `ANDROID.LIFECYCLE.SV.GETEXTRA` Unvalidated external data; `CMP.CLASS` Comparing by classname; `SV.CLASSDEF.INJ` Runtime Class Definition Injection; `SV.CLASSLOADER.INJ` Class Loader URL Injection; `SV.DATA.BOUND` Untrusted Data leaks into trusted storage; `SV.DATA.DB` Data injection; `SV.DOS.ARRINDEX` Tainted index used for array access; `SV.DOS.ARRSIZE` Tainted size used for array allocation; `SV.EMAIL` Unchecked e-mail; `SV.EXEC` Process Injection; `SV.EXEC.DIR` Process Injection. Working Directory; `SV.EXEC.ENV` Process Injection. Environment Variables; `SV.HTTP_SPLIT` Http Response Splitting; `SV.INT_OVF` Tainted data may lead to Integer Overflow; `SV.LDAP` Unvalidated user input is used as LDAP filter; `SV.PATH` Path and file name injection; `SV.PATH.INJ` File injection; `SV.SCRIPT` Script Execution; `SV.SQL` Sql Injection; `SV.SSRF.URI` URI based on invalidated user input; `SV.STRUTS.NOTVALID` Struts Forms: inconsistent validate; `SV.STRUTS.VALIDMET` Struts Forms: validate method; `SV.TAINT` Tainted data; `SV.TAINT_NATIVE` Tainted data goes to native code; `SV.TMPFILE` Temporary file path tampering; `SV.XPATH` Unvalidated user input is used as an XPath expression; `SV.XSS.REF` Cross Site Scripting (Reflected XSS) |
| V-222612 [APSC-DV-002590] (HIGH): The application must not be vulnerable to overflow attacks. | `SV.DOS.ARRINDEX` Tainted index used for array access; `SV.DOS.ARRSIZE` Tainted size used for array allocation; `SV.INT_OVF` Tainted data may lead to Integer Overflow; `SV.TAINT_NATIVE` Tainted data goes to native code |
| V-222625 [APSC-DV-002950] (MEDIUM): Execution flow diagrams and design documents must be created to show how deadlock and recursion issues in web services are being mitigated. | `JD.INF.AREC` Apparent infinite recursion; `JD.LOCK` Lock without unlock; `JD.LOCK.NOTIFY` Method 'notify' called with locks held; `JD.LOCK.SLEEP` Method 'sleep' called with locks held; `JD.LOCK.WAIT` Method 'wait' called with locks held |
| V-222641 [APSC-DV-003100] (MEDIUM): The application must use encryption to implement key exchange and authenticate endpoints prior to establishing a communication channel for key exchange. | `SV.AUTH.HASH.MUST` Use of weak cryptographic algorithm; `SV.HASH.NO_SALT` Use of a one-way cryptographic hash without a salt; `SV.SENSITIVE.DATA` Unencrypted sensitive data is written; `SV.SENSITIVE.OBJ` Object with unencrypted sensitive data is stored; `SV.WEAK.CRYPT` Use of a Broken or Risky Cryptographic Algorithm; `SV.WEAK.TLS` Weak SSL/TLS protocols should not be used |
| V-222642 [APSC-DV-003110] (HIGH): The application must not contain embedded authentication data. | `SV.PASSWD.HC` Hardcoded Password; `SV.PASSWD.HC.EMPTY` Empty Password; `SV.PASSWD.PLAIN` Plain-text Password; `SV.PASSWD.PLAIN.HC` Plain-text Password |
| V-222653 [APSC-DV-003215] (LOW): The application development team must follow a set of coding standards. | `JD.THREAD.RUN` Explicit call to a 'Thread.run' method; `JD.UMC.FINALIZE` Explicit call to method 'Object.finalize'; `JD.UMC.RUNFIN` runFinalizersOnExit() is called; `MNA.CAP` Method name should start with non-capital letter; `MNA.CNS` Method name is same as constructor name but it is not a constructor; `MNA.SUS` Suspicious method name |
| V-222656 [APSC-DV-003235] (MEDIUM): The application must not be subject to error handling vulnerabilities. | `ECC.EMPTY` Empty catch clause; `EXC.BROADTHROWS` Method has an overly broad throws declaration; `JD.CATCH` Catching runtime exception; `JD.UNCAUGHT` Uncaught exception; `RI.IGNOREDCALL` The value returned by a method called on immutable object is ignored; `RI.IGNOREDNEW` Newly created object is ignored; `RR.IGNORED` The returned value is ignored |
| V-222662 [APSC-DV-003280] (HIGH): Default passwords must be changed. | `SV.PASSWD.HC` Hardcoded Password |
| V-222667 [APSC-DV-003320] (MEDIUM): Protections against DoS attacks must be implemented. | `SV.DOS.ARRINDEX` Tainted index used for array access; `SV.DOS.ARRSIZE` Tainted size used for array allocation; `SV.TAINT_NATIVE` Tainted data goes to native code; `SV.TMPFILE` Temporary file path tampering; `SV.UMC.EXIT` The System.exit() and Runtime.exit() method calls should not be used in servlets code |
| V-265634 [APSC-DV-002010] (MEDIUM): The application must implement NSA-approved cryptography to protect classified information in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. | `SV.AUTH.HASH.MUST` Use of weak cryptographic algorithm; `SV.HASH.NO_SALT` Use of a one-way cryptographic hash without a salt; `SV.SENSITIVE.DATA` Unencrypted sensitive data is written; `SV.SENSITIVE.OBJ` Object with unencrypted sensitive data is stored; `SV.WEAK.CRYPT` Use of a Broken or Risky Cryptographic Algorithm; `SV.WEAK.TLS` Weak SSL/TLS protocols should not be used |
Support Summary:
- 38 findings