OWASP Top 10 Security Risks for 2017 mapped to Klocwork Java checkers
See also Java checker reference.
| OWASP Risk ID | Klocwork Checker Code |
|---|---|
| A1 |
ANDROID.LIFECYCLE.SV.GETEXTRA Unvalidated external data SV.DATA.BOUND Untrusted Data leaks into trusted storage SV.DATA.DB Data injection SV.EXEC Process Injection SV.EXEC.DIR Process Injection. Working Directory SV.EXEC.ENV Process Injection. Environment Variables SV.PATH.INJ File injection SV.SQL Sql Injection SV.SQL.DBSOURCE Unchecked information from the database is used in SQL statements SV.TAINT Tainted data SV.TAINT_NATIVE Tainted data goes to native code SV.TMPFILE Temporary file path tampering SV.XPATH Unvalidated user input is used as an XPath expression |
| A2 |
SV.HASH.NO_SALT Use of a one-way cryptographic hash without a salt SV.LDAP Unvalidated user input is used as LDAP filter |
| A3 |
SV.PASSWD.HC Hardcoded Password SV.PASSWD.HC.EMPTY Empty Password SV.PASSWD.PLAIN Plain-text Password SV.RANDOM Use of insecure Random number generator SV.SENSITIVE.DATA Unencrypted sensitive data is written SV.SENSITIVE.OBJ Object with unencrypted sensitive data is stored SV.WEAK.CRYPT Use of a Broken or Risky Cryptographic Algorithm |
| A5 |
SV.PATH Path and file name injection |
| A6 |
ECC.EMPTY Empty catch clause EXC.BROADTHROWS Method has an overly broad throws declaration JD.CATCH Catching runtime exception JD.FINRET Return inside finally JD.UNCAUGHT Uncaught exception SV.IL.DEV Design information leakage SV.IL.FILE File Name Leaking UMC.SYSERR Debug print using System.err method calls is unwanted UMC.SYSOUT Debug print using System.out method calls is unwanted |
| A7 |
SV.EMAIL Unchecked e-mail SV.HTTP_SPLIT Http Response Splitting SV.XSS.DB Cross Site Scripting (Stored XSS) SV.XSS.REF Cross Site Scripting (Reflected XSS) |
| A8 |
SV.SERIAL.INON Interface extends 'Serializable' SV.SERIAL.NON Class implements 'Serializable' SV.SERIAL.NOREAD Method readObject() should be defined for a serializable class SV.SERIAL.NOWRITE Method writeObject() should be defined for a serializable class SV.SERIAL.SIG Methods readObject() and writeObject() in serializable classes should have correct signature |
| A9 |
SV.STRUTS.VER Usage of vulnerable Apache Struts version |
| A10 |
SV.LOG_FORGING Log Forging |
Support Summary:
- 8 rules