GitLab Advanced SAST rules: Java

  • Tier: Ultimate
  • Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated

Rules used by GitLab Advanced SAST to detect vulnerabilities in Java code.

| Rule ID | Rule description | CWE | OWASP Top 10 |
|---|---|---|---|
| java-android-crypto-webview-ignore-ssl-certificate-errors-atomic | Improper certificate validation | CWE-295 | A3:2017, A02:2021 |
| java-android-misconfiguration-webview-debugging-atomic | Active debug code | CWE-489 | A6:2017, A05:2021 |
| java-android-misconfiguration-webview-external-storage-atomic | Exposed dangerous method or function | CWE-749 | A1:2017, A03:2021 |
| java-commons-ssrf-httpclient-taint | Server-Side Request Forgery (SSRF) | CWE-918 | A1:2017, A10:2021 |
| java-groovy-cmdi-groovyshell-taint | Improper control of generation of code ('Code Injection') | CWE-94 | A1:2017, A03:2021 |
| java-hibernate-sqli-taint | Improper neutralization of special elements used in an SQL command ('SQL Injection') | CWE-89 | A1:2017, A03:2021 |
| java-jackson-deserialization-objectmapper-atomic | Java Unsafe Jackson Deserialization | CWE-502 | A8:2017, A08:2021 |
| java-jackson-deserialization-objectmapper-taint | Deserialization of untrusted data | CWE-502 | A8:2017, A08:2021 |
| java-jdbc-sqli-formatted-string-taint | Improper neutralization of special elements used in an SQL command ('SQL Injection') | CWE-89 | A1:2017, A03:2021 |
| java-jdbc-sqli-taint | Improper neutralization of special elements used in an SQL command ('SQL Injection') | CWE-89 | A1:2017, A03:2021 |
| java-jdbi-sqli-handle-taint | Improper neutralization of special elements used in an SQL command ('SQL Injection') | CWE-89 | A1:2017, A03:2021 |
| java-jdo-sqli-taint | Improper neutralization of special elements used in an SQL command ('SQL Injection') | CWE-89 | A1:2017, A03:2021 |
| java-jms-deserialization-getobject-taint | Deserialization of untrusted data | CWE-502 | A8:2017, A08:2021 |
| java-jpa-sqli-taint | Improper neutralization of special elements used in an SQL command ('SQL Injection') | CWE-89 | A1:2017, A03:2021 |
| java-lang-accesscontrol-dangerous-permissions-atomic | Incorrect permission assignment for critical resource | CWE-732 | A5:2017, A01:2021 |
| java-lang-accesscontrol-overly-permissive-file-permission-atomic | Incorrect permission assignment for critical resource | CWE-732 | A5:2017, A01:2021 |
| java-lang-accesscontrol-saml-ignore-comments-atomic | Weak authentication | CWE-1390 | A5:2017, A01:2021 |
| java-lang-accesscontrol-webview-allow-file-access-atomic | External control of file name or path | CWE-73 | A5:2017, A01:2021 |
| java-lang-cmdi-FileDisclosureRequestDispatcher-taint | Files or directories accessible to external parties | CWE-552 | A5:2017, A01:2021 |
| java-lang-cmdi-env-injection-taint | Improper neutralization of special elements used in an OS command ('OS Command Injection') | CWE-78 | A1:2017, A03:2021 |
| java-lang-cmdi-processbuilder-taint | Improper neutralization of special elements used in an OS command ('OS Command Injection') | CWE-78 | A1:2017, A03:2021 |
| java-lang-cmdi-runtime-taint | Improper neutralization of special elements used in an OS command ('OS Command Injection') | CWE-78 | A1:2017, A03:2021 |
| java-lang-cmdi-smtp-client-taint | Improper neutralization of special elements used in a command | CWE-77 | A1:2017, A03:2021 |
| java-lang-codei-scriptinjection-taint | Improper control of generation of code ('Code Injection') | CWE-94 | A1:2017, A03:2021 |
| java-lang-codei-unsafe-reflection-taint | Use of externally-controlled input to select classes or code ('Unsafe Reflection') | CWE-470 | A1:2017, A03:2021 |
| java-lang-cors-permissive-cors-injection-taint | Permissive cross-domain policy with untrusted domains | CWE-942 | A1:2017, A03:2021 |
| java-lang-crlfi-cookie-http-response-splitting-taint | Improper neutralization of CRLF sequences in HTTP headers ('HTTP Response Splitting') | CWE-113 | A1:2017, A03:2021 |
| java-lang-crlfi-cookie-request-param-to-header-taint | Improper neutralization of CRLF sequences in HTTP headers ('HTTP Response Splitting') | CWE-113 | A1:2017, A03:2021 |
| java-lang-crlfi-logs-injection-taint | Improper output neutralization for logs | CWE-117 | A1:2017, A03:2021 |
| java-lang-crypto-blowfish-keysize-atomic | Inadequate encryption strength | CWE-326 | A3:2017, A02:2021 |
| java-lang-crypto-ciperintegrity-atomic | Use of a broken or risky cryptographic algorithm | CWE-327 | A3:2017, A02:2021 |
| java-lang-crypto-cipher-atomic | Use of a broken or risky cryptographic algorithm | CWE-327 | A3:2017, A02:2021 |
| java-lang-crypto-cipherdesedeinsecure-atomic | Use of a broken or risky cryptographic algorithm | CWE-327 | A3:2017, A02:2021 |
| java-lang-crypto-cipherpaddingoracle-atomic | Use of a broken or risky cryptographic algorithm | CWE-327 | A3:2017, A02:2021 |
| java-lang-crypto-custom-messagedigest-atomic | Use of a broken or risky cryptographic algorithm | CWE-327 | A3:2017, A02:2021 |
| java-lang-crypto-defaulthttpclient-atomic | Improper certificate validation | CWE-295 | A3:2017, A02:2021 |
| java-lang-crypto-des-atomic | Use of a broken or risky cryptographic algorithm | CWE-327 | A3:2017, A02:2021 |
| java-lang-crypto-disallow-old-tls-versions-atomic | Inadequate encryption strength | CWE-326 | A3:2017, A02:2021 |
| java-lang-crypto-ftp-insecure-transport-atomic | Cleartext transmission of sensitive information | CWE-319 | A3:2017, A02:2021 |
| java-lang-crypto-gcm-nonce-reuse-atomic | Reusing a nonce, key pair in encryption | CWE-323 | A3:2017, A02:2021 |
| java-lang-crypto-hazelcast-symmetric-encryption-atomic | Inadequate encryption strength | CWE-326 | A3:2017, A02:2021 |
| java-lang-crypto-hostnameverifier-atomic | Improper certificate validation | CWE-295 | A3:2017, A02:2021 |
| java-lang-crypto-http-components-request-atomic | Cleartext transmission of sensitive information | CWE-319 | A3:2017, A02:2021 |
| java-lang-crypto-httpget-http-request-taint | Cleartext transmission of sensitive information | CWE-319 | A3:2017, A02:2021 |
| java-lang-crypto-insecure-random-taint | Use of cryptographically weak pseudo-random number generator (PRNG) | CWE-338 | A3:2017, A02:2021 |
| java-lang-crypto-insufficient-keysize-atomic | Inadequate encryption strength | CWE-326 | A3:2017, A02:2021 |
| java-lang-crypto-jwt-none-algorithm-atomic | Use of a broken or risky cryptographic algorithm | CWE-327 | A3:2017, A02:2021 |
| java-lang-crypto-null-cipher-atomic | Use of a broken or risky cryptographic algorithm | CWE-327 | A3:2017, A02:2021 |
| java-lang-crypto-rc2-atomic | Use of a broken or risky cryptographic algorithm | CWE-327 | A3:2017, A02:2021 |
| java-lang-crypto-rc4-atomic | Use of a broken or risky cryptographic algorithm | CWE-327 | A3:2017, A02:2021 |
| java-lang-crypto-rsanopadding-atomic | Use of RSA algorithm without OAEP | CWE-780 | A3:2017, A02:2021 |
| java-lang-crypto-smtp-insecure-atomic | Improper validation of certificate with host mismatch | CWE-297 | A3:2017, A02:2021 |
| java-lang-crypto-socket-request-unsafe-protocols-atomic | Cleartext transmission of sensitive information | CWE-319 | A3:2017, A02:2021 |
| java-lang-crypto-telnet-request-atomic | Cleartext transmission of sensitive information | CWE-319 | A3:2017, A02:2021 |
| java-lang-crypto-tls-unsafe-renegotiation-atomic | Cleartext transmission of sensitive information | CWE-319 | A3:2017, A02:2021 |
| java-lang-crypto-weak-messagedigest-atomic | Use of Weak Hash | CWE-328 | A3:2017, A02:2021 |
| java-lang-crypto-weaktls-atomic | Inadequate encryption strength | CWE-326 | A3:2017, A02:2021 |
| java-lang-crypto-weaktlsprotocolsslcontext-atomic | Inadequate encryption strength | CWE-326 | A3:2017, A02:2021 |
| java-lang-crypto-x509trustmanager-atomic | Improper certificate validation | CWE-295 | A3:2017, A02:2021 |
| java-lang-deserialization-objectinputstream-taint | Deserialization of untrusted data | CWE-502 | A8:2017, A08:2021 |
| java-lang-deserialization-server-dangerous-object-deserialization-atomic | Deserialization of untrusted data | CWE-502 | A8:2017, A08:2021 |
| java-lang-file-disclosure-model-and-view-taint | Files or directories accessible to external parties | CWE-552 | A5:2017, A01:2021 |
| java-lang-hpp-taint | Improper neutralization of argument delimiters in a command ('Argument Injection') | CWE-88 | A1:2017, A03:2021 |
| java-lang-ldapi-anonymous-atomic | Missing authentication for critical function (LDAP) | CWE-306 | A2:2017, A07:2021 |
| java-lang-ldapi-taint | Improper neutralization of special elements used in an LDAP query ('LDAP Injection') | CWE-90 | A1:2017, A03:2021 |
| java-lang-misconfiguration-bad-hex-conversion-atomic | Incorrect type conversion or cast | CWE-704 | A6:2017, A04:2021 |
| java-lang-misconfiguration-cookie-http-url-connection-atomic | Cleartext transmission of sensitive information | CWE-319 | A3:2017, A02:2021 |
| java-lang-misconfiguration-cookie-httponly-atomic | Sensitive cookie without 'HttpOnly' flag | CWE-1004 | A6:2017, A05:2021 |
| java-lang-misconfiguration-cookie-insecure-atomic | Sensitive cookie in HTTPS session without 'Secure' attribute | CWE-614 | A6:2017, A05:2021 |
| java-lang-misconfiguration-cookie-samesite-taint | Sensitive cookie with improper SameSite attribute | CWE-1275 | A5:2017, A01:2021 |
| java-lang-misconfiguration-external-general-entities-true-atomic | Improper restriction of XML external entity reference ('XXE') | CWE-611 | A4:2017, A05:2021 |
| java-lang-misconfiguration-normalizeaftervalidation-atomic | Incorrect behavior order: validate before canonicalize | CWE-180 | A6:2017, A04:2021 |
| java-lang-misconfiguration-properties-input-taint | External control of system or configuration setting | CWE-15 | A6:2017, A04:2021 |
| java-lang-misconfiguration-session-manipulation-taint | Trust boundary violation | CWE-501 | A6:2017, A04:2021 |
| java-lang-misconfiguration-strings-modify-after-validation-taint | Collapse of data into unsafe value | CWE-182 | A6:2017, A04:2021 |
| java-lang-overflow-integer-overflow-taint | Integer overflow or wraparound | CWE-190 | A6:2017, A04:2021 |
| java-lang-overflow-integer-underflow-taint | Integer underflow or wraparound | CWE-191 | A6:2017, A04:2021 |
| java-lang-pathtraversal-file-low-taint | Improper limitation of a pathname to a restricted directory ('Path Traversal') | CWE-22 | A5:2017, A01:2021 |
| java-lang-pathtraversal-file-special-taint | Improper limitation of a pathname to a restricted directory ('Path Traversal') | CWE-22 | A5:2017, A01:2021 |
| java-lang-pathtraversal-file-taint | Improper limitation of a pathname to a restricted directory ('Path Traversal') | CWE-22 | A5:2017, A01:2021 |
| java-lang-sqli-connection-taint | Improper neutralization of special elements used in an SQL command ('SQL Injection') | CWE-89 | A1:2017, A03:2021 |
| java-lang-sqli-external-config-control-taint | External control of system or configuration setting | CWE-15 | A5:2017, A01:2021 |
| java-lang-sqli-second-order-taint | Improper neutralization of special elements used in an SQL command ('SQL Injection') | CWE-89 | A1:2017, A03:2021 |
| java-lang-ssrf-thirdparty-taint | Server-Side Request Forgery (SSRF) | CWE-918 | A1:2017, A10:2021 |
| java-lang-ssrf-url-taint | Server-Side Request Forgery (SSRF) | CWE-918 | A1:2017, A10:2021 |
| java-lang-ssti-el-taint | Improper neutralization of special elements used in an expression language statement ('Expression Language Injection') | CWE-917 | A1:2017, A03:2021 |
| java-lang-ssti-templateinjection-taint | Improper neutralization of special elements used in a template engine | CWE-1336 | A1:2017, A03:2021 |
| java-lang-xpathi-taint | Improper neutralization of data within XPath expressions ('XPath Injection') | CWE-643 | A1:2017, A03:2021 |
| java-lang-xss-reflected-taint | Improper neutralization of input during web page generation ('Cross-site Scripting') | CWE-79 | A7:2017, A03:2021 |
| java-lang-xss-reqparam-to-servlet-writer-taint | Improper neutralization of input during web page generation ('Cross-site Scripting') | CWE-79 | A1:2017, A03:2021 |
| java-lang-xss-stored-taint | Improper neutralization of input during web page generation ('Cross-site Scripting') | CWE-79 | A7:2017, A03:2021 |
| java-lang-xxe-documentbuilderfactory-parse-taint | Improper restriction of XML external entity reference ('XXE') | CWE-611 | A4:2017, A05:2021 |
| java-lang-xxe-documentbuilderfactory-taint | Improper restriction of XML external entity reference ('XXE') | CWE-611 | A4:2017, A05:2021 |
| java-lang-xxe-external-parameter-entities-true-atomic | Improper restriction of XML external entity reference ('XXE') | CWE-611 | A4:2017, A05:2021 |
| java-lang-xxe-saxparserfactory-taint | Improper restriction of XML external entity reference ('XXE') | CWE-611 | A4:2017, A05:2021 |
| java-lang-xxe-transformerfactory-taint | Improper restriction of XML external entity reference ('XXE') | CWE-611 | A4:2017, A05:2021 |
| java-lang-xxe-xml-input-factory-atomic | Improper restriction of XML external entity reference ('XXE') | CWE-611 | A4:2017, A05:2021 |
| java-lang-xxe-xml-streamreader-taint | Improper restriction of XML external entity reference ('XXE') | CWE-611 | A4:2017, A05:2021 |
| java-lang-xxe-xmldecoder-taint | Improper restriction of XML external entity reference ('XXE') | CWE-611 | A4:2017, A05:2021 |
| java-lang-xxe-xmlinputfactory-atomic | Improper restriction of XML external entity reference ('XXE') | CWE-611 | A4:2017, A05:2021 |
| java-lang-xxe-xmlreader-taint | Improper restriction of XML external entity reference ('XXE') | CWE-611 | A4:2017, A05:2021 |
| java-lang-xxe-xslttransform-taint | XML injection (aka Blind XPath injection) | CWE-91 | A1:2017, A03:2021 |
| java-mongodb-nosqli-injection-taint | Improper neutralization of special elements in data query logic | CWE-943 | A1:2017, A03:2021 |
| java-opensymphony-ognli-taint | Improper neutralization of special elements used in an expression language statement ('Expression Language Injection') | CWE-917 | A1:2017, A03:2021 |
| java-pebble-ssti-literaltemplate-taint | Improper neutralization of special elements used in a template engine | CWE-1336 | A1:2017, A03:2021 |
| java-seam-cmdi-loginjection-taint | Improper neutralization of directives in dynamically evaluated code ('Eval Injection') | CWE-95 | A1:2017, A03:2021 |
| java-snakeyaml-deserialization-yaml-taint | Deserialization of untrusted data | CWE-502 | A8:2017, A08:2021 |
| java-spring-crypto-ftp-request-taint | Cleartext transmission of sensitive information | CWE-319 | A3:2017, A02:2021 |
| java-spring-crypto-http-request-resttemplate-taint | Cleartext transmission of sensitive information | CWE-319 | A3:2017, A02:2021 |
| java-spring-crypto-jwt-decode-atomic | Improper verification of cryptographic signature | CWE-347 | A8:2017, A08:2021 |
| java-spring-crypto-unirest-http-request-atomic | Cleartext transmission of sensitive information | CWE-319 | A3:2017, A02:2021 |
| java-spring-csrf-spring-csrf-disabled-atomic | Cross-site request forgery (CSRF) | CWE-352 | A5:2017, A01:2021 |
| java-spring-csrf-unrestricted-requestmapping-atomic | Cross-site request forgery (CSRF) | CWE-352 | A5:2017, A01:2021 |
| java-spring-misconfiguration-cookie-httponly-atomic | Sensitive cookie without 'HttpOnly' flag | CWE-1004 | A6:2017, A05:2021 |
| java-spring-misconfiguration-cookie-samesite-atomic | Sensitive cookie with improper SameSite attribute | CWE-1275 | A5:2017, A01:2021 |
| java-spring-misconfiguration-cookie-secure-atomic | Sensitive cookie in HTTPS session without 'Secure' attribute | CWE-614 | A6:2017, A05:2021 |
| java-spring-misconfiguration-frameoptions-atomic | Improper restriction of rendered UI layers or frames | CWE-1021 | A6:2017, A04:2021 |
| java-spring-misconfiguration-nooppasswordencoder-atomic | Plaintext storage of a password | CWE-256 | A2:2017, A04:2021 |
| java-spring-openredirect-unvalidatedredirect-taint | URL redirection to untrusted site ('Open Redirect') | CWE-601 | A1:2017, A03:2021 |
| java-spring-ssti-expressionparser-taint | Improper neutralization of special elements used in an expression language statement ('Expression Language Injection') | CWE-917 | A1:2017, A03:2021 |
| java-torque-sqli-basepeer-taint | Improper neutralization of special elements used in an SQL command ('SQL Injection') | CWE-89 | A1:2017, A03:2021 |
| java-turbine-sqli-taint | Improper neutralization of special elements used in an SQL command ('SQL Injection') | CWE-89 | A1:2017, A03:2021 |
| java-vertex-sqli-taint | Improper neutralization of special elements used in an SQL command ('SQL Injection') | CWE-89 | A1:2017, A03:2021 |
| java-wicket-xss-escape-false-taint | Improper neutralization of input during web page generation ('Cross-site Scripting') | CWE-79 | A1:2017, A03:2021 |