Unverified commit a434c35e, authored by Russell Dickenson, committed by GitLab

Merge branch 'connorgilbert/docs-adv-sast-coverage' into 'master'

Docs: Add page listing Advanced SAST CWE coverage

See merge request https://gitlab.com/gitlab-org/gitlab/-/merge_requests/167346



Merged-by: Russell Dickenson <rdickenson@gitlab.com>
Approved-by: Russell Dickenson <rdickenson@gitlab.com>
Co-authored-by: Connor Gilbert <cgilbert@gitlab.com>
---
stage: Secure
group: Static Analysis
info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://handbook.gitlab.com/handbook/product/ux/technical-writing/#assignments
---
# GitLab Advanced SAST CWE coverage
DETAILS:
**Tier:** Ultimate
**Offering:** GitLab.com, Self-managed, GitLab Dedicated
[GitLab Advanced SAST](gitlab_advanced_sast.md) finds many types of potential security vulnerabilities in code written in [supported languages](gitlab_advanced_sast.md#supported-languages).
GitLab assigns a matching [Common Weakness Enumeration (CWE)](https://cwe.mitre.org) identifier to each potential vulnerability.
CWE identifiers are an industry-standard way to identify security weaknesses, but it's important to know:
- CWEs are arranged in a tree structure.
For example, [CWE-22: Path Traversal](https://cwe.mitre.org/data/definitions/22.html) is a parent of [CWE-23: Relative Path Traversal](https://cwe.mitre.org/data/definitions/23.html).
A scanner that specifically detects _relative_ path traversal weaknesses (CWE-23) by definition also detects a portion of the more general path traversal category (CWE-22).
- For clarity, this table identifies the exact CWE identifiers that are assigned to Advanced SAST rules.
It doesn't report parent identifiers.
To learn more about the rules used in GitLab Advanced SAST, see [SAST rules](rules.md#advanced-sast).
## CWE coverage by language
GitLab Advanced SAST finds the following types of weaknesses in each programming language:
<!-- Table contents are automatically produced by a job in https://gitlab.com/gitlab-org/security-products/oxeye/product/oxeye-rulez. -->
| CWE | CWE Description | C# | Go | Java | JavaScript, TypeScript | Python | Ruby |
|:-------------------------------------------------------------|:-----------------------------------------------------------------------------------------------------------------------|:-----------------------|:-----------------------|:-----------------------|:-------------------------|:-----------------------|:-----------------------|
| [CWE-15](https://cwe.mitre.org/data/definitions/15.html) | External Control of System or Configuration Setting | **{dotted-circle}** No | **{dotted-circle}** No | **{check-circle}** Yes | **{dotted-circle}** No | **{dotted-circle}** No | **{dotted-circle}** No |
| [CWE-22](https://cwe.mitre.org/data/definitions/22.html) | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') | **{check-circle}** Yes | **{check-circle}** Yes | **{check-circle}** Yes | **{check-circle}** Yes | **{check-circle}** Yes | **{check-circle}** Yes |
| [CWE-23](https://cwe.mitre.org/data/definitions/23.html) | Relative Path Traversal | **{dotted-circle}** No | **{dotted-circle}** No | **{dotted-circle}** No | **{check-circle}** Yes | **{dotted-circle}** No | **{dotted-circle}** No |
| [CWE-73](https://cwe.mitre.org/data/definitions/73.html) | External Control of File Name or Path | **{dotted-circle}** No | **{dotted-circle}** No | **{check-circle}** Yes | **{dotted-circle}** No | **{dotted-circle}** No | **{check-circle}** Yes |
| [CWE-76](https://cwe.mitre.org/data/definitions/76.html) | Improper Neutralization of Equivalent Special Elements | **{dotted-circle}** No | **{dotted-circle}** No | **{dotted-circle}** No | **{dotted-circle}** No | **{dotted-circle}** No | **{check-circle}** Yes |
| [CWE-77](https://cwe.mitre.org/data/definitions/77.html) | Improper Neutralization of Special Elements used in a Command ('Command Injection') | **{dotted-circle}** No | **{dotted-circle}** No | **{check-circle}** Yes | **{dotted-circle}** No | **{dotted-circle}** No | **{dotted-circle}** No |
| [CWE-78](https://cwe.mitre.org/data/definitions/78.html) | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') | **{check-circle}** Yes | **{check-circle}** Yes | **{check-circle}** Yes | **{check-circle}** Yes | **{check-circle}** Yes | **{check-circle}** Yes |
| [CWE-79](https://cwe.mitre.org/data/definitions/79.html) | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | **{check-circle}** Yes | **{check-circle}** Yes | **{check-circle}** Yes | **{check-circle}** Yes | **{check-circle}** Yes | **{check-circle}** Yes |
| [CWE-80](https://cwe.mitre.org/data/definitions/80.html) | Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) | **{dotted-circle}** No | **{dotted-circle}** No | **{dotted-circle}** No | **{check-circle}** Yes | **{dotted-circle}** No | **{dotted-circle}** No |
| [CWE-88](https://cwe.mitre.org/data/definitions/88.html) | Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') | **{dotted-circle}** No | **{dotted-circle}** No | **{check-circle}** Yes | **{dotted-circle}** No | **{dotted-circle}** No | **{dotted-circle}** No |
| [CWE-89](https://cwe.mitre.org/data/definitions/89.html) | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | **{check-circle}** Yes | **{check-circle}** Yes | **{check-circle}** Yes | **{check-circle}** Yes | **{check-circle}** Yes | **{check-circle}** Yes |
| [CWE-90](https://cwe.mitre.org/data/definitions/90.html) | Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection') | **{check-circle}** Yes | **{dotted-circle}** No | **{check-circle}** Yes | **{dotted-circle}** No | **{dotted-circle}** No | **{dotted-circle}** No |
| [CWE-91](https://cwe.mitre.org/data/definitions/91.html) | XML Injection (aka Blind XPath Injection) | **{dotted-circle}** No | **{dotted-circle}** No | **{check-circle}** Yes | **{dotted-circle}** No | **{dotted-circle}** No | **{dotted-circle}** No |
| [CWE-94](https://cwe.mitre.org/data/definitions/94.html) | Improper Control of Generation of Code ('Code Injection') | **{dotted-circle}** No | **{check-circle}** Yes | **{check-circle}** Yes | **{check-circle}** Yes | **{check-circle}** Yes | **{check-circle}** Yes |
| [CWE-95](https://cwe.mitre.org/data/definitions/95.html) | Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') | **{dotted-circle}** No | **{dotted-circle}** No | **{check-circle}** Yes | **{check-circle}** Yes | **{check-circle}** Yes | **{check-circle}** Yes |
| [CWE-113](https://cwe.mitre.org/data/definitions/113.html) | Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') | **{dotted-circle}** No | **{dotted-circle}** No | **{check-circle}** Yes | **{dotted-circle}** No | **{dotted-circle}** No | **{dotted-circle}** No |
| [CWE-116](https://cwe.mitre.org/data/definitions/116.html) | Improper Encoding or Escaping of Output | **{dotted-circle}** No | **{dotted-circle}** No | **{dotted-circle}** No | **{check-circle}** Yes | **{check-circle}** Yes | **{dotted-circle}** No |
| [CWE-118](https://cwe.mitre.org/data/definitions/118.html) | Incorrect Access of Indexable Resource ('Range Error') | **{dotted-circle}** No | **{check-circle}** Yes | **{dotted-circle}** No | **{dotted-circle}** No | **{dotted-circle}** No | **{dotted-circle}** No |
| [CWE-125](https://cwe.mitre.org/data/definitions/125.html) | Out-of-bounds Read | **{dotted-circle}** No | **{dotted-circle}** No | **{dotted-circle}** No | **{check-circle}** Yes | **{dotted-circle}** No | **{dotted-circle}** No |
| [CWE-134](https://cwe.mitre.org/data/definitions/134.html) | Use of Externally-Controlled Format String | **{dotted-circle}** No | **{dotted-circle}** No | **{check-circle}** Yes | **{dotted-circle}** No | **{dotted-circle}** No | **{dotted-circle}** No |
| [CWE-155](https://cwe.mitre.org/data/definitions/155.html) | Improper Neutralization of Wildcards or Matching Symbols | **{dotted-circle}** No | **{dotted-circle}** No | **{dotted-circle}** No | **{dotted-circle}** No | **{check-circle}** Yes | **{dotted-circle}** No |
| [CWE-180](https://cwe.mitre.org/data/definitions/180.html) | Incorrect Behavior Order: Validate Before Canonicalize | **{dotted-circle}** No | **{dotted-circle}** No | **{check-circle}** Yes | **{dotted-circle}** No | **{dotted-circle}** No | **{dotted-circle}** No |
| [CWE-182](https://cwe.mitre.org/data/definitions/182.html) | Collapse of Data into Unsafe Value | **{dotted-circle}** No | **{dotted-circle}** No | **{check-circle}** Yes | **{dotted-circle}** No | **{dotted-circle}** No | **{dotted-circle}** No |
| [CWE-185](https://cwe.mitre.org/data/definitions/185.html) | Incorrect Regular Expression | **{dotted-circle}** No | **{dotted-circle}** No | **{dotted-circle}** No | **{check-circle}** Yes | **{dotted-circle}** No | **{check-circle}** Yes |
| [CWE-190](https://cwe.mitre.org/data/definitions/190.html) | Integer Overflow or Wraparound | **{dotted-circle}** No | **{check-circle}** Yes | **{dotted-circle}** No | **{dotted-circle}** No | **{dotted-circle}** No | **{dotted-circle}** No |
| [CWE-208](https://cwe.mitre.org/data/definitions/208.html) | Observable Timing Discrepancy | **{dotted-circle}** No | **{dotted-circle}** No | **{dotted-circle}** No | **{check-circle}** Yes | **{dotted-circle}** No | **{dotted-circle}** No |
| [CWE-209](https://cwe.mitre.org/data/definitions/209.html) | Generation of Error Message Containing Sensitive Information | **{dotted-circle}** No | **{dotted-circle}** No | **{dotted-circle}** No | **{dotted-circle}** No | **{dotted-circle}** No | **{check-circle}** Yes |
| [CWE-242](https://cwe.mitre.org/data/definitions/242.html) | Use of Inherently Dangerous Function | **{dotted-circle}** No | **{check-circle}** Yes | **{dotted-circle}** No | **{dotted-circle}** No | **{dotted-circle}** No | **{dotted-circle}** No |
| [CWE-272](https://cwe.mitre.org/data/definitions/272.html) | Least Privilege Violation | **{dotted-circle}** No | **{dotted-circle}** No | **{dotted-circle}** No | **{check-circle}** Yes | **{dotted-circle}** No | **{dotted-circle}** No |
| [CWE-276](https://cwe.mitre.org/data/definitions/276.html) | Incorrect Default Permissions | **{dotted-circle}** No | **{check-circle}** Yes | **{dotted-circle}** No | **{dotted-circle}** No | **{dotted-circle}** No | **{check-circle}** Yes |
| [CWE-277](https://cwe.mitre.org/data/definitions/277.html) | Insecure Inherited Permissions | **{dotted-circle}** No | **{dotted-circle}** No | **{check-circle}** Yes | **{dotted-circle}** No | **{dotted-circle}** No | **{dotted-circle}** No |
| [CWE-295](https://cwe.mitre.org/data/definitions/295.html) | Improper Certificate Validation | **{check-circle}** Yes | **{dotted-circle}** No | **{check-circle}** Yes | **{check-circle}** Yes | **{check-circle}** Yes | **{check-circle}** Yes |
| [CWE-297](https://cwe.mitre.org/data/definitions/297.html) | Improper Validation of Certificate with Host Mismatch | **{dotted-circle}** No | **{dotted-circle}** No | **{check-circle}** Yes | **{dotted-circle}** No | **{dotted-circle}** No | **{dotted-circle}** No |
| [CWE-306](https://cwe.mitre.org/data/definitions/306.html) | Missing Authentication for Critical Function | **{dotted-circle}** No | **{dotted-circle}** No | **{check-circle}** Yes | **{dotted-circle}** No | **{dotted-circle}** No | **{dotted-circle}** No |
| [CWE-310](https://cwe.mitre.org/data/definitions/310.html) | Cryptographic Issues | **{dotted-circle}** No | **{check-circle}** Yes | **{dotted-circle}** No | **{dotted-circle}** No | **{dotted-circle}** No | **{dotted-circle}** No |
| [CWE-311](https://cwe.mitre.org/data/definitions/311.html) | Missing Encryption of Sensitive Data | **{dotted-circle}** No | **{dotted-circle}** No | **{dotted-circle}** No | **{dotted-circle}** No | **{dotted-circle}** No | **{check-circle}** Yes |
| [CWE-319](https://cwe.mitre.org/data/definitions/319.html) | Cleartext Transmission of Sensitive Information | **{dotted-circle}** No | **{dotted-circle}** No | **{check-circle}** Yes | **{check-circle}** Yes | **{check-circle}** Yes | **{dotted-circle}** No |
| [CWE-322](https://cwe.mitre.org/data/definitions/322.html) | Key Exchange without Entity Authentication | **{dotted-circle}** No | **{check-circle}** Yes | **{dotted-circle}** No | **{dotted-circle}** No | **{check-circle}** Yes | **{dotted-circle}** No |
| [CWE-323](https://cwe.mitre.org/data/definitions/323.html) | Reusing a Nonce, Key Pair in Encryption | **{dotted-circle}** No | **{dotted-circle}** No | **{check-circle}** Yes | **{dotted-circle}** No | **{dotted-circle}** No | **{dotted-circle}** No |
| [CWE-326](https://cwe.mitre.org/data/definitions/326.html) | Inadequate Encryption Strength | **{dotted-circle}** No | **{check-circle}** Yes | **{check-circle}** Yes | **{dotted-circle}** No | **{check-circle}** Yes | **{check-circle}** Yes |
| [CWE-327](https://cwe.mitre.org/data/definitions/327.html) | Use of a Broken or Risky Cryptographic Algorithm | **{check-circle}** Yes | **{check-circle}** Yes | **{check-circle}** Yes | **{check-circle}** Yes | **{check-circle}** Yes | **{dotted-circle}** No |
| [CWE-328](https://cwe.mitre.org/data/definitions/328.html) | Use of Weak Hash | **{dotted-circle}** No | **{dotted-circle}** No | **{dotted-circle}** No | **{check-circle}** Yes | **{dotted-circle}** No | **{check-circle}** Yes |
| [CWE-338](https://cwe.mitre.org/data/definitions/338.html) | Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) | **{check-circle}** Yes | **{check-circle}** Yes | **{dotted-circle}** No | **{check-circle}** Yes | **{check-circle}** Yes | **{dotted-circle}** No |
| [CWE-346](https://cwe.mitre.org/data/definitions/346.html) | Origin Validation Error | **{dotted-circle}** No | **{dotted-circle}** No | **{dotted-circle}** No | **{check-circle}** Yes | **{dotted-circle}** No | **{dotted-circle}** No |
| [CWE-347](https://cwe.mitre.org/data/definitions/347.html) | Improper Verification of Cryptographic Signature | **{dotted-circle}** No | **{dotted-circle}** No | **{check-circle}** Yes | **{dotted-circle}** No | **{dotted-circle}** No | **{dotted-circle}** No |
| [CWE-348](https://cwe.mitre.org/data/definitions/348.html) | Use of Less Trusted Source | **{dotted-circle}** No | **{dotted-circle}** No | **{dotted-circle}** No | **{check-circle}** Yes | **{dotted-circle}** No | **{dotted-circle}** No |
| [CWE-352](https://cwe.mitre.org/data/definitions/352.html) | Cross-Site Request Forgery (CSRF) | **{check-circle}** Yes | **{dotted-circle}** No | **{check-circle}** Yes | **{dotted-circle}** No | **{check-circle}** Yes | **{check-circle}** Yes |
| [CWE-358](https://cwe.mitre.org/data/definitions/358.html) | Improperly Implemented Security Check for Standard | **{dotted-circle}** No | **{dotted-circle}** No | **{dotted-circle}** No | **{check-circle}** Yes | **{dotted-circle}** No | **{dotted-circle}** No |
| [CWE-369](https://cwe.mitre.org/data/definitions/369.html) | Divide By Zero | **{dotted-circle}** No | **{dotted-circle}** No | **{dotted-circle}** No | **{dotted-circle}** No | **{dotted-circle}** No | **{check-circle}** Yes |
| [CWE-377](https://cwe.mitre.org/data/definitions/377.html) | Insecure Temporary File | **{dotted-circle}** No | **{dotted-circle}** No | **{dotted-circle}** No | **{dotted-circle}** No | **{check-circle}** Yes | **{dotted-circle}** No |
| [CWE-378](https://cwe.mitre.org/data/definitions/378.html) | Creation of Temporary File With Insecure Permissions | **{dotted-circle}** No | **{check-circle}** Yes | **{dotted-circle}** No | **{dotted-circle}** No | **{dotted-circle}** No | **{dotted-circle}** No |
| [CWE-409](https://cwe.mitre.org/data/definitions/409.html) | Improper Handling of Highly Compressed Data (Data Amplification) | **{dotted-circle}** No | **{check-circle}** Yes | **{dotted-circle}** No | **{dotted-circle}** No | **{dotted-circle}** No | **{dotted-circle}** No |
| [CWE-489](https://cwe.mitre.org/data/definitions/489.html) | Active Debug Code | **{dotted-circle}** No | **{check-circle}** Yes | **{check-circle}** Yes | **{dotted-circle}** No | **{check-circle}** Yes | **{dotted-circle}** No |
| [CWE-502](https://cwe.mitre.org/data/definitions/502.html) | Deserialization of Untrusted Data | **{check-circle}** Yes | **{dotted-circle}** No | **{check-circle}** Yes | **{check-circle}** Yes | **{check-circle}** Yes | **{check-circle}** Yes |
| [CWE-521](https://cwe.mitre.org/data/definitions/521.html) | Weak Password Requirements | **{check-circle}** Yes | **{dotted-circle}** No | **{dotted-circle}** No | **{dotted-circle}** No | **{dotted-circle}** No | **{dotted-circle}** No |
| [CWE-522](https://cwe.mitre.org/data/definitions/522.html) | Insufficiently Protected Credentials | **{dotted-circle}** No | **{dotted-circle}** No | **{dotted-circle}** No | **{check-circle}** Yes | **{dotted-circle}** No | **{dotted-circle}** No |
| [CWE-552](https://cwe.mitre.org/data/definitions/552.html) | Files or Directories Accessible to External Parties | **{dotted-circle}** No | **{check-circle}** Yes | **{check-circle}** Yes | **{dotted-circle}** No | **{dotted-circle}** No | **{dotted-circle}** No |
| [CWE-554](https://cwe.mitre.org/data/definitions/554.html) | ASP.NET Misconfiguration: Not Using Input Validation Framework | **{check-circle}** Yes | **{dotted-circle}** No | **{dotted-circle}** No | **{dotted-circle}** No | **{dotted-circle}** No | **{dotted-circle}** No |
| [CWE-599](https://cwe.mitre.org/data/definitions/599.html) | Missing Validation of OpenSSL Certificate | **{dotted-circle}** No | **{dotted-circle}** No | **{dotted-circle}** No | **{check-circle}** Yes | **{dotted-circle}** No | **{dotted-circle}** No |
| [CWE-601](https://cwe.mitre.org/data/definitions/601.html) | URL Redirection to Untrusted Site ('Open Redirect') | **{check-circle}** Yes | **{check-circle}** Yes | **{check-circle}** Yes | **{check-circle}** Yes | **{check-circle}** Yes | **{check-circle}** Yes |
| [CWE-606](https://cwe.mitre.org/data/definitions/606.html) | Unchecked Input for Loop Condition | **{dotted-circle}** No | **{dotted-circle}** No | **{dotted-circle}** No | **{check-circle}** Yes | **{dotted-circle}** No | **{dotted-circle}** No |
| [CWE-611](https://cwe.mitre.org/data/definitions/611.html) | Improper Restriction of XML External Entity Reference | **{check-circle}** Yes | **{check-circle}** Yes | **{check-circle}** Yes | **{check-circle}** Yes | **{check-circle}** Yes | **{dotted-circle}** No |
| [CWE-613](https://cwe.mitre.org/data/definitions/613.html) | Insufficient Session Expiration | **{dotted-circle}** No | **{dotted-circle}** No | **{dotted-circle}** No | **{check-circle}** Yes | **{dotted-circle}** No | **{dotted-circle}** No |
| [CWE-614](https://cwe.mitre.org/data/definitions/614.html) | Sensitive Cookie in HTTPS Session Without 'Secure' Attribute | **{check-circle}** Yes | **{dotted-circle}** No | **{check-circle}** Yes | **{check-circle}** Yes | **{dotted-circle}** No | **{dotted-circle}** No |
| [CWE-639](https://cwe.mitre.org/data/definitions/639.html) | Authorization Bypass Through User-Controlled Key | **{dotted-circle}** No | **{dotted-circle}** No | **{dotted-circle}** No | **{dotted-circle}** No | **{dotted-circle}** No | **{check-circle}** Yes |
| [CWE-643](https://cwe.mitre.org/data/definitions/643.html) | Improper Neutralization of Data within XPath Expressions ('XPath Injection') | **{check-circle}** Yes | **{dotted-circle}** No | **{check-circle}** Yes | **{check-circle}** Yes | **{dotted-circle}** No | **{dotted-circle}** No |
| [CWE-644](https://cwe.mitre.org/data/definitions/644.html) | Improper Neutralization of HTTP Headers for Scripting Syntax | **{dotted-circle}** No | **{dotted-circle}** No | **{dotted-circle}** No | **{check-circle}** Yes | **{dotted-circle}** No | **{dotted-circle}** No |
| [CWE-704](https://cwe.mitre.org/data/definitions/704.html) | Incorrect Type Conversion or Cast | **{dotted-circle}** No | **{dotted-circle}** No | **{check-circle}** Yes | **{dotted-circle}** No | **{dotted-circle}** No | **{dotted-circle}** No |
| [CWE-732](https://cwe.mitre.org/data/definitions/732.html) | Incorrect Permission Assignment for Critical Resource | **{dotted-circle}** No | **{check-circle}** Yes | **{check-circle}** Yes | **{dotted-circle}** No | **{check-circle}** Yes | **{dotted-circle}** No |
| [CWE-749](https://cwe.mitre.org/data/definitions/749.html) | Exposed Dangerous Method or Function | **{dotted-circle}** No | **{dotted-circle}** No | **{check-circle}** Yes | **{dotted-circle}** No | **{dotted-circle}** No | **{check-circle}** Yes |
| [CWE-754](https://cwe.mitre.org/data/definitions/754.html) | Improper Check for Unusual or Exceptional Conditions | **{dotted-circle}** No | **{dotted-circle}** No | **{dotted-circle}** No | **{dotted-circle}** No | **{check-circle}** Yes | **{check-circle}** Yes |
| [CWE-757](https://cwe.mitre.org/data/definitions/757.html) | Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade') | **{dotted-circle}** No | **{dotted-circle}** No | **{dotted-circle}** No | **{check-circle}** Yes | **{dotted-circle}** No | **{dotted-circle}** No |
| [CWE-770](https://cwe.mitre.org/data/definitions/770.html) | Allocation of Resources Without Limits or Throttling | **{dotted-circle}** No | **{check-circle}** Yes | **{dotted-circle}** No | **{check-circle}** Yes | **{check-circle}** Yes | **{dotted-circle}** No |
| [CWE-776](https://cwe.mitre.org/data/definitions/776.html) | Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion') | **{dotted-circle}** No | **{dotted-circle}** No | **{dotted-circle}** No | **{check-circle}** Yes | **{dotted-circle}** No | **{dotted-circle}** No |
| [CWE-780](https://cwe.mitre.org/data/definitions/780.html) | Use of RSA Algorithm without OAEP | **{dotted-circle}** No | **{dotted-circle}** No | **{check-circle}** Yes | **{dotted-circle}** No | **{dotted-circle}** No | **{dotted-circle}** No |
| [CWE-787](https://cwe.mitre.org/data/definitions/787.html) | Out-of-bounds Write | **{dotted-circle}** No | **{dotted-circle}** No | **{dotted-circle}** No | **{check-circle}** Yes | **{dotted-circle}** No | **{dotted-circle}** No |
| [CWE-798](https://cwe.mitre.org/data/definitions/798.html) | Use of Hard-coded Credentials | **{dotted-circle}** No | **{dotted-circle}** No | **{dotted-circle}** No | **{check-circle}** Yes | **{dotted-circle}** No | **{dotted-circle}** No |
| [CWE-913](https://cwe.mitre.org/data/definitions/913.html) | Improper Control of Dynamically-Managed Code Resources | **{dotted-circle}** No | **{dotted-circle}** No | **{dotted-circle}** No | **{check-circle}** Yes | **{dotted-circle}** No | **{dotted-circle}** No |
| [CWE-915](https://cwe.mitre.org/data/definitions/915.html) | Improperly Controlled Modification of Dynamically-Determined Object Attributes | **{dotted-circle}** No | **{dotted-circle}** No | **{dotted-circle}** No | **{dotted-circle}** No | **{dotted-circle}** No | **{check-circle}** Yes |
| [CWE-917](https://cwe.mitre.org/data/definitions/917.html) | Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection') | **{dotted-circle}** No | **{dotted-circle}** No | **{check-circle}** Yes | **{dotted-circle}** No | **{dotted-circle}** No | **{dotted-circle}** No |
| [CWE-918](https://cwe.mitre.org/data/definitions/918.html) | Server-Side Request Forgery (SSRF) | **{check-circle}** Yes | **{check-circle}** Yes | **{check-circle}** Yes | **{check-circle}** Yes | **{check-circle}** Yes | **{check-circle}** Yes |
| [CWE-942](https://cwe.mitre.org/data/definitions/942.html) | Permissive Cross-domain Policy with Untrusted Domains | **{dotted-circle}** No | **{dotted-circle}** No | **{check-circle}** Yes | **{dotted-circle}** No | **{dotted-circle}** No | **{dotted-circle}** No |
| [CWE-943](https://cwe.mitre.org/data/definitions/943.html) | Improper Neutralization of Special Elements in Data Query Logic | **{dotted-circle}** No | **{check-circle}** Yes | **{check-circle}** Yes | **{check-circle}** Yes | **{dotted-circle}** No | **{dotted-circle}** No |
| [CWE-1004](https://cwe.mitre.org/data/definitions/1004.html) | Sensitive Cookie Without 'HttpOnly' Flag | **{check-circle}** Yes | **{dotted-circle}** No | **{check-circle}** Yes | **{check-circle}** Yes | **{dotted-circle}** No | **{check-circle}** Yes |
| [CWE-1104](https://cwe.mitre.org/data/definitions/1104.html) | Use of Unmaintained Third Party Components | **{dotted-circle}** No | **{dotted-circle}** No | **{dotted-circle}** No | **{dotted-circle}** No | **{check-circle}** Yes | **{dotted-circle}** No |
| [CWE-1275](https://cwe.mitre.org/data/definitions/1275.html) | Sensitive Cookie with Improper SameSite Attribute | **{dotted-circle}** No | **{dotted-circle}** No | **{dotted-circle}** No | **{check-circle}** Yes | **{dotted-circle}** No | **{dotted-circle}** No |
| [CWE-1321](https://cwe.mitre.org/data/definitions/1321.html) | Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') | **{dotted-circle}** No | **{dotted-circle}** No | **{dotted-circle}** No | **{check-circle}** Yes | **{dotted-circle}** No | **{dotted-circle}** No |
| [CWE-1327](https://cwe.mitre.org/data/definitions/1327.html) | Binding to an Unrestricted IP Address | **{dotted-circle}** No | **{check-circle}** Yes | **{dotted-circle}** No | **{dotted-circle}** No | **{check-circle}** Yes | **{dotted-circle}** No |
| [CWE-1390](https://cwe.mitre.org/data/definitions/1390.html) | Weak Authentication | **{dotted-circle}** No | **{dotted-circle}** No | **{check-circle}** Yes | **{dotted-circle}** No | **{dotted-circle}** No | **{dotted-circle}** No |
NOTE:
Did this page answer the question you had? If not, please comment on [epic 15343](https://gitlab.com/groups/gitlab-org/-/epics/15343) to share your use case.