myteron changed the title from "pySCG: Missing ruels on CWE Top 25" to "pySCG: Missing rules on CWE Top 25" on Oct 29, 2024.
Most Dangerous Software Weaknesses CWE Top 25 2023 can be interpreted as mandatory for a learning resource on secure coding.
Will need to debate the list of rules to add to the Python Secure Coding One Stop Shop.

Missing rules:
1: CWE-787 Out-of-bounds Write
4: CWE-416 Use After Free
14: CWE-190 Integer Overflow or Wraparound
17: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
23: CWE-94 Improper Control of Generation of Code ('Code Injection')

Not Python? (JavaScript/Web/HTML/Architecture):
2: CWE-79 Improper Neutralization of Input During Web Generation ('Cross-site Scripting')
7: CWE-125 Out-of-bounds Read
9: CWE-352 Cross-Site Request Forgery (CSRF)
11: CWE-434 Missing Authorization
13: CWE-287 Missing Authentication
19: CWE-918 Server-Side Request Forgery (SSRF)
20: CWE-306 Missing Authentication for Critical Function
22: CWE-269 Improper Privilege Management
24: CWE-863 Incorrect Authorization
25: CWE-276 Incorrect Default Permissions

Similar existing rule, need to check:
6: CWE-20 Improper Input Validation
8: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
10: CWE-434 Unrestricted Upload of File with Dangerous Type
16: CWE-77 Improper Neutralization of Special Elements used in a Command

Existing rule, either online or pending publication as part of #531:
3: CWE-89 SQL Injection
5: CWE-78 OS Command Injection
12: CWE-476 NULL Pointer Dereference
15: CWE-502 Deserialization of Untrusted Data
18: CWE-798 Hard-coded Credentials
21: CWE-362 Concurrent Execution Using Shared Resource with Improper Synchronization ("Race Condition")

Rg, Helge