--- template7.3p0.conf 2023-06-16 15:54:18.900059500 -0400
+++ template7.4p0.conf 2023-06-16 15:54:52.605030100 -0400
@@ -1,7 +1,7 @@
 # For emacs: -*- Shell-script -*-
 #
 ######################################################################
-# CodeSonar 7.3p0 Configuration File
+# CodeSonar 7.4p0 Configuration File
 ######################################################################
 #
 # CodeSonar will use preferences defined in this file when running
@@ -272,6 +272,7 @@
 # COMPILER_MODELS += icc78k.exe -> icc78k
 # COMPILER_MODELS += iccarm.exe -> iccarm
 # COMPILER_MODELS += iccavr.exe -> iccavr
+# COMPILER_MODELS += iccm16c.exe -> iccm16c
 # COMPILER_MODELS += iccm32c.exe -> iccm32c
 # COMPILER_MODELS += iccrx.exe -> iccrx
 # COMPILER_MODELS += iccstm8.exe -> iccstm8
@@ -295,6 +296,7 @@
 # COMPILER_MODELS += armcpp -> armcc
 # COMPILER_MODELS += c++ -> gpp
 # COMPILER_MODELS += cc -> cc
+# COMPILER_MODELS += ccblkfn -> visualdsp
 # COMPILER_MODELS += ch38 -> ch38
 # COMPILER_MODELS += clang -> clang
 # COMPILER_MODELS += clang++ -> clangpp
@@ -564,6 +566,7 @@
 # DISABLED_COMPILERS += icc78k.exe
 # DISABLED_COMPILERS += iccarm.exe
 # DISABLED_COMPILERS += iccavr.exe
+# DISABLED_COMPILERS += iccm16c.exe
 # DISABLED_COMPILERS += iccm32c.exe
 # DISABLED_COMPILERS += iccrx.exe
 # DISABLED_COMPILERS += iccstm8.exe
@@ -589,6 +592,7 @@
 # DISABLED_COMPILERS += armcpp
 # DISABLED_COMPILERS += c++
 # DISABLED_COMPILERS += cc
+# DISABLED_COMPILERS += ccblkfn
 # DISABLED_COMPILERS += ch38
 # DISABLED_COMPILERS += clang
 # DISABLED_COMPILERS += clang++
@@ -1012,7 +1016,8 @@
 # systems).
 #
 # Behavior
-# Ignore compilation command lines matching the specified string.
+# Ignore compilation command lines containing the specified
+# substring.
 #
 # Notes
 # This can be significantly faster than using IGNORED_COMPILATIONS,
@@ -3755,6 +3760,7 @@
 # WARNING_FILTER += discard class="Empty switch Statement"
 # WARNING_FILTER += discard class="Empty while Statement"
 # WARNING_FILTER += discard class="Encryption without Padding"
+# WARNING_FILTER += discard class="File Open for Both Read and Write"
 # WARNING_FILTER += discard class="File System Race Condition"
 # WARNING_FILTER += discard class="Float Division By Zero"
 # WARNING_FILTER += discard class="Floating Point Domain Error"
@@ -3773,6 +3779,7 @@
 # WARNING_FILTER += discard class="Hardcoded Crypto Salt"
 # WARNING_FILTER += discard class="Hardcoded Seed in PRNG"
 # WARNING_FILTER += discard class="Ignored Return Value"
+# WARNING_FILTER += discard class="Inappropriate C Atomic Initialization"
 # WARNING_FILTER += discard class="Inappropriate Call Outside Loop"
 # WARNING_FILTER += discard class="Input After Output Without Positioning"
 # WARNING_FILTER += discard class="Integer Overflow of Allocation Size"
@@ -3872,12 +3879,15 @@
 # WARNING_FILTER += discard class="Cast: Integer to Floating Point (Java)"
 # WARNING_FILTER += discard class="Cast: int Computation to long (Java)"
 # WARNING_FILTER += discard class="Class Enables Debug Features (Java)"
+# WARNING_FILTER += discard class="Clone Call to Super is Missing (Java)"
 # WARNING_FILTER += discard class="Closeable Not Closed (Java)"
 # WARNING_FILTER += discard class="Closeable Not Stored (Java)"
 # WARNING_FILTER += discard class="Code Injection (Java)"
 # WARNING_FILTER += discard class="Command Injection (Java)"
+# WARNING_FILTER += discard class="Comparison to Class Names (Java)"
 # WARNING_FILTER += discard class="Comparison to Empty String (Java)"
 # WARNING_FILTER += discard class="Cross Site Scripting (Java)"
+# WARNING_FILTER += discard class="Cross Site Scripting In Error Message Web Page (Java)"
 # WARNING_FILTER += discard class="Cryptographic Algorithm with Risky Default Cipher (Java)"
 # WARNING_FILTER += discard class="Cryptographic Algorithm with Weak Cipher (Java)"
 # WARNING_FILTER += discard class="Cryptographic Algorithm with Weak Hash (Java)"
@@ -3888,17 +3898,22 @@
 # WARNING_FILTER += discard class="Defines equals but not hashCode (Java)"
 # WARNING_FILTER += discard class="Defines hashCode but not equals (Java)"
 # WARNING_FILTER += discard class="Deprecated Cryptography Provider (Java)"
+# WARNING_FILTER += discard class="Direct Thread Usage in Http Servlet (Java)"
 # WARNING_FILTER += discard class="Double-Checked Locking (Java)"
 # WARNING_FILTER += discard class="Empty Branch Statement (Java)"
 # WARNING_FILTER += discard class="Empty Exception Handler (Java)"
 # WARNING_FILTER += discard class="Empty jar File Archived (Java)"
 # WARNING_FILTER += discard class="Empty zip File Archived (Java)"
 # WARNING_FILTER += discard class="Exception Information Disclosure (Java)"
+# WARNING_FILTER += discard class="Execution After Redirect (Java)"
+# WARNING_FILTER += discard class="Explicit Finalize (Java)"
 # WARNING_FILTER += discard class="Field Never Read (Java)"
 # WARNING_FILTER += discard class="Field Never Written (Java)"
 # WARNING_FILTER += discard class="Floating Point Equality (Java)"
+# WARNING_FILTER += discard class="Format String Injection (Java)"
 # WARNING_FILTER += discard class="Fragment Injection (Java)"
 # WARNING_FILTER += discard class="Generic Exception Handler (Java)"
+# WARNING_FILTER += discard class="Hardcoded Cryptographic Key (Java)"
 # WARNING_FILTER += discard class="Hardcoded Filename (Java)"
 # WARNING_FILTER += discard class="Hardcoded Password (Java)"
 # WARNING_FILTER += discard class="Hardcoded Random Seed (Java)"
@@ -3937,9 +3952,11 @@
 # WARNING_FILTER += discard class="Missing Equals Override (Java)"
 # WARNING_FILTER += discard class="Missing JavaScript Entry Point (Java)"
 # WARNING_FILTER += discard class="Missing JavaScript Execution (Java)"
+# WARNING_FILTER += discard class="Missing Required Cryptographic Step (Java)"
 # WARNING_FILTER += discard class="Missing Serial Version Field (Java)"
 # WARNING_FILTER += discard class="Missing isValidFragment Override (Java)"
 # WARNING_FILTER += discard class="Mutable Enumeration (Java)"
+# WARNING_FILTER += discard class="Mutable Public Static Final Array (Java)"
 # WARNING_FILTER += discard class="Non-Object compareTo Parameter (Java)"
 # WARNING_FILTER += discard class="Non-overriding Method Signature (Java)"
 # WARNING_FILTER += discard class="Nonserializable Field (Java)"
@@ -3947,6 +3964,7 @@
 # WARNING_FILTER += discard class="Nonserializable Outer Class (Java)"
 # WARNING_FILTER += discard class="Null Parameter Dereference (Java)"
 # WARNING_FILTER += discard class="Null Pointer Dereference (Java)"
+# WARNING_FILTER += discard class="Open Redirect (Java)"
 # WARNING_FILTER += discard class="Password in Property File (Java)"
 # WARNING_FILTER += discard class="Permissive File Mode (Java)"
 # WARNING_FILTER += discard class="Possible XML External Entity Reference (Java)"
@@ -3979,6 +3997,7 @@
 # WARNING_FILTER += discard class="Synchronization on static (Java)"
 # WARNING_FILTER += discard class="Synchronous Call to Thread Body (Java)"
 # WARNING_FILTER += discard class="Tainted @Trusted Value (Java)"
+# WARNING_FILTER += discard class="Tainted Allocation Size (Java)"
 # WARNING_FILTER += discard class="Tainted Bundle (Java)"
 # WARNING_FILTER += discard class="Tainted Control (Java)"
 # WARNING_FILTER += discard class="Tainted Data in Vulnerable Method (Java)"
@@ -4004,6 +4023,7 @@
 # WARNING_FILTER += discard class="Unnecessary Field (Java)"
 # WARNING_FILTER += discard class="Unnecessary Instantiation for GetClass (Java)"
 # WARNING_FILTER += discard class="Unreachable Instruction (Java)"
+# WARNING_FILTER += discard class="Unsafe Session Expiration Time (Java)"
 # WARNING_FILTER += discard class="Untrusted Network Host (Java)"
 # WARNING_FILTER += discard class="Unused Class (Java)"
 # WARNING_FILTER += discard class="Unused Field (Java)"
@@ -4015,6 +4035,7 @@
 # WARNING_FILTER += discard class="Use of Hardware ID (Java)"
 # WARNING_FILTER += discard class="Use of Insecure verify for Certificate (Java)"
 # WARNING_FILTER += discard class="Use of Insecure verify for Hostname (Java)"
+# WARNING_FILTER += discard class="Use of Same Seed (Java)"
 # WARNING_FILTER += discard class="Useless Assignment (Java)"
 # WARNING_FILTER += discard class="Useless Assignment to Default (Java)"
 # WARNING_FILTER += discard class="Useless Class Cast (Java)"
@@ -4068,10 +4089,12 @@
 # WARNING_FILTER += discard class="Closeable Not Stored (C#)"
 # WARNING_FILTER += discard class="Code Injection (C#)"
 # WARNING_FILTER += discard class="Command Injection (C#)"
+# WARNING_FILTER += discard class="Comparison to Class Names (C#)"
 # WARNING_FILTER += discard class="Comparison to Empty String (C#)"
 # WARNING_FILTER += discard class="Consider using 'StringBuilder.Append(char)' when applicable (C#)"
 # WARNING_FILTER += discard class="Consider using 'string.Contains' instead of 'string.IndexOf' (C#)"
 # WARNING_FILTER += discard class="Cross Site Scripting (C#)"
+# WARNING_FILTER += discard class="Cross Site Scripting In Error Message Web Page (C#)"
 # WARNING_FILTER += discard class="Cryptographic Algorithm with Risky Default Cipher (C#)"
 # WARNING_FILTER += discard class="Cryptographic Algorithm with Weak Cipher (C#)"
 # WARNING_FILTER += discard class="Cryptographic Algorithm with Weak Hash (C#)"
@@ -4126,12 +4149,15 @@
 # WARNING_FILTER += discard class="Ensure Key Derivation Function algorithm is sufficiently strong (C#)"
 # WARNING_FILTER += discard class="Enums values should not be duplicated (C#)"
 # WARNING_FILTER += discard class="Exception Information Disclosure (C#)"
+# WARNING_FILTER += discard class="Execution After Redirect (C#)"
 # WARNING_FILTER += discard class="Field Never Read (C#)"
 # WARNING_FILTER += discard class="Field Never Written (C#)"
 # WARNING_FILTER += discard class="Floating Point Equality (C#)"
+# WARNING_FILTER += discard class="Format String Injection (C#)"
 # WARNING_FILTER += discard class="Forward the 'CancellationToken' parameter to methods (C#)"
 # WARNING_FILTER += discard class="Generic Exception Handler (C#)"
 # WARNING_FILTER += discard class="Generic interface should also be implemented (C#)"
+# WARNING_FILTER += discard class="Hardcoded Cryptographic Key (C#)"
 # WARNING_FILTER += discard class="Hardcoded Filename (C#)"
 # WARNING_FILTER += discard class="Hardcoded Password (C#)"
 # WARNING_FILTER += discard class="Hardcoded Random Seed (C#)"
@@ -4176,7 +4202,9 @@
 # WARNING_FILTER += discard class="Missing Authentication Annotation (C#)"
 # WARNING_FILTER += discard class="Missing Call to super (C#)"
 # WARNING_FILTER += discard class="Missing Equals Override (C#)"
+# WARNING_FILTER += discard class="Missing Required Cryptographic Step (C#)"
 # WARNING_FILTER += discard class="Mutable Enumeration (C#)"
+# WARNING_FILTER += discard class="Mutable Public Static Final Array (C#)"
 # WARNING_FILTER += discard class="Named placeholders should not be numeric values (C#)"
 # WARNING_FILTER += discard class="Non-Object compareTo Parameter (C#)"
 # WARNING_FILTER += discard class="Non-constant fields should not be visible (C#)"
@@ -4186,6 +4214,7 @@
 # WARNING_FILTER += discard class="Nonserializable Outer Class (C#)"
 # WARNING_FILTER += discard class="Null Parameter Dereference (C#)"
 # WARNING_FILTER += discard class="Null Pointer Dereference (C#)"
+# WARNING_FILTER += discard class="Open Redirect (C#)"
 # WARNING_FILTER += discard class="Overload operator equals on overriding value type Equals (C#)"
 # WARNING_FILTER += discard class="Override Object.Equals(object) when implementing IEquatable (C#)"
 # WARNING_FILTER += discard class="Override methods on comparable types (C#)"
@@ -4243,6 +4272,7 @@
 # WARNING_FILTER += discard class="Synchronization on static (C#)"
 # WARNING_FILTER += discard class="Synchronous Call to Thread Body (C#)"
 # WARNING_FILTER += discard class="Tainted @Trusted Value (C#)"
+# WARNING_FILTER += discard class="Tainted Allocation Size (C#)"
 # WARNING_FILTER += discard class="Tainted Bundle (C#)"
 # WARNING_FILTER += discard class="Tainted Control (C#)"
 # WARNING_FILTER += discard class="Tainted Expression Evaluation (C#)"
@@ -4271,6 +4301,7 @@
 # WARNING_FILTER += discard class="Unnecessary Field (C#)"
 # WARNING_FILTER += discard class="Unnecessary call to 'Dictionary.ContainsKey(key)' (C#)"
 # WARNING_FILTER += discard class="Unreachable Instruction (C#)"
+# WARNING_FILTER += discard class="Unsafe Session Expiration Time (C#)"
 # WARNING_FILTER += discard class="Unused Class (C#)"
 # WARNING_FILTER += discard class="Unused Field (C#)"
 # WARNING_FILTER += discard class="Unused Method (C#)"
@@ -4298,6 +4329,7 @@
 # WARNING_FILTER += discard class="Use char literal for a single character lookup (C#)"
 # WARNING_FILTER += discard class="Use correct type parameter (C#)"
 # WARNING_FILTER += discard class="Use nameof to express symbol names (C#)"
+# WARNING_FILTER += discard class="Use of Same Seed (C#)"
 # WARNING_FILTER += discard class="Use ordinal string comparison (C#)"
 # WARNING_FILTER += discard class="Use span-based 'string.Concat' (C#)"
 # WARNING_FILTER += discard class="Use the LoggerMessage delegates (C#)"
@@ -4398,6 +4430,7 @@
 # WARNING_FILTER += allow class="Global Variable Declared with Different Types"
 # WARNING_FILTER += allow class="Goto Statement"
 # WARNING_FILTER += allow class="Hardcoded DNS Name"
+# WARNING_FILTER += allow class="High Cyclomatic Complexity (Procedure)"
 # WARNING_FILTER += allow class="High Risk Loop"
 # WARNING_FILTER += allow class="Implicit Address of Function"
 # WARNING_FILTER += allow class="Implicit Function Declaration"
@@ -13478,16 +13511,8 @@
 # METRIC_WARNING_CATEGORIES or METRIC_WARNING_BASE_RANK specified
 # in the set will not be used.
 #
-# Examples:
-#
-# Instruct CodeSonar to issue a warning of class "High Cyclomatic
-# Complexity" for any function with a cyclomatic complexity of 20
-# or more.
-# METRIC_WARNING_CONDITION = vG[PROCEDURE] >= 20
-# METRIC_WARNING_CLASS_NAME = High Cyclomatic Complexity
-# METRIC_WARNING_CATEGORIES = METRIC.VG
-# METRIC_WARNING_BASE_RANK = 5.0
-# METRIC_WARNING_SIGNIFICANCE = STYLE
+# Examples (note that the categories in these examples are
+# arbitrary text):
 #
 # Instruct CodeSonar to issue a warning of class "Large procedure"
 # for any function containing more than 100 lines with code:
@@ -13505,9 +13530,10 @@
 # METRIC_WARNING_CATEGORIES = METRIC.LCOM
 # METRIC_WARNING_BASE_RANK = 2.0
 # METRIC_WARNING_SIGNIFICANCE = STYLE
-#
-# Note that the categories in these examples are arbitrary text.
-#
+
+METRIC_WARNING_CONDITION = vG[PROCEDURE] > 20
+METRIC_WARNING_CLASS_NAME = High Cyclomatic Complexity (Procedure)
+## categories, rank, and significance are derived from warning class manifest
 
 
 # Parameter WEB_CONSOLE
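Review bot: `METRIC_WARNING_CONDITION = vG[PROCEDURE] > 20` and `METRIC_WARNING_CLASS_NAME = High Cyclomatic Complexity (Procedure)` are the only uncommented assignments in a section the surrounding text introduces as "Examples", so a reader of the template cannot tell that these two lines are a live default that 7.4p0 switches on for every project built from it rather than one more example. I would put a comment directly above them, e.g. `# Active default (not an example): report procedures whose cyclomatic complexity exceeds 20.` The boundary is also worth stating: with `>` a procedure with vG exactly 20 is not reported, and the 7.3 example this replaces used `>= 20`, so without a comment the next editor is likely to "fix" one into the other. The `##` trailer says categories, rank and significance come from the warning class manifest but gives no pointer to where that manifest is documented; if it is covered elsewhere in this file or the docs, a reference in the same `[doc/html/...]` style used throughout would help.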
@@ -14058,6 +14084,48 @@
 SYSTEM_INCLUDE_PATHS += /qnx650/host/
 
 
+# Parameter SRCROOT_PATHS
+#
+# Purpose
+# Specifies base directories for the CodeSonar SARIF generator to
+# use when relativizing file paths.
+#
+# Type
+# string
+#
+# Behavior
+# When analysis warning information is exported in SARIF format,
+# file paths are expressed relative to the specified absolute
+# directory.
+#
+# If multiple directories are specified, each file path F is
+# expressed relative to the one that matches the longest path
+# prefix of F.
+#
+# If the analysis command specifies -srcroot
+# [doc/html/Building/BuildingCommandLine.html#srcroot], the
+# specified is appended to the list of file paths
+# accumulated with SRCROOT_PATH rules.
+#
+# Notes
+# For example, suppose we have the following settings
+# SRCROOT_PATHS += /user/alex/ProjectX/ComponentY/
+# SRCROOT_PATHS += /user/alex/ProjectX/ComponentY/GU
+# SRCROOT_PATHS += /user/alex/database/
+#
+# and the analysis includes files with paths
+# /user/alex/ProjectX/ComponentY/GUI/gui.cpp and
+# /user/alex/database/db.c. If warning information from the
+# analysis is exported in SARIF format, the file paths will be
+# expressed as GUI/gui.cpp and db.c, respectively. Note in
+# particular that the /user/alex/ProjectX/ComponentY/GUI/gui.cpp
+# file path does NOT match /user/alex/ProjectX/ComponentY/GU.
+#
+# The --src-root option to codesonar dump_warnings.py
+# [doc/html/Workings/DumpWarnings.html] takes precedence over this
+# setting.
+
+
 # Parameter ASSUME_UNDEFINED_PARAMETERS_MAYBE_FREED
 # Parameter ASSUME_UNDEFINED_PARAMETERS_MAYBE_INITIALIZED
 # Parameter ASSUME_UNDEFINED_PARAMETERS_MAYBE_MODIFIED
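Review bot: In the Behavior section of the new SRCROOT_PATHS documentation the sentence `the specified is appended to the list of file paths accumulated with SRCROOT_PATH rules` is missing its noun and spells the parameter without its trailing S; I would make it `the specified directory is appended to the list of directories accumulated with SRCROOT_PATHS rules.` The Notes example shows that `/user/alex/ProjectX/ComponentY/GU` does NOT match `/user/alex/ProjectX/ComponentY/GUI/gui.cpp`, which means "longest path prefix" in the Behavior paragraph is matched on whole path components rather than characters, but that paragraph never says so — state the component-wise rule there instead of leaving it to be inferred from the example. The text is also silent on what is emitted when no SRCROOT_PATHS entry matches a file; presumably the absolute path is kept, and since SARIF output is commonly handed to other teams or uploaded to external dashboards that would expose the build host's directory layout and user names (as the `/user/alex/...` example illustrates), so documenting the fallback and advising that every source tree be covered would be worthwhile.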
@@ -17460,12 +17528,17 @@
 # - WC_JAVA.IO.INJ.CODE: Used by Code Injection (Java)
 # - WC_JAVA.IO.INJ.COMMAND: Used by Command Injection (Java)
 # - WC_JAVA.IO.INJ.XSS: Used by Cross Site Scripting (Java)
+# - WC_JAVA.IO.INJ.XSS.EMWP: Used by Cross Site Scripting In Error
+# Message Web Page (Java)
 # - WC_JAVA.IO.INJ.DLL: Used by DLL Injection (Java)
 # - WC_JAVA.IO.INJ.DENIAL: Used by DOS Injection (Java)
+# - WC_JAVA.IO.INJ.FMT: Used by Format String Injection (Java)
+# - WC_JAVA.IO.TAINT.HTTP.OR: Used by Open Redirect (Java)
 # - WC_JAVA.IO.TAINT.REFLECTION: Used by Reflection Injection
 # (Java)
 # - WC_JAVA.IO.INJ.SQL: Used by SQL Injection (Java)
 # - WC_JAVA.IO.TAINT.TRUSTED: Used by Tainted @Trusted Value (Java)
+# - WC_JAVA.IO.TAINT.SIZE: Used by Tainted Allocation Size (Java)
 # - WC_JAVA.IO.TAINT.BUNDLE: Used by Tainted Bundle (Java)
 # - WC_JAVA.IO.TAINT.CONTROL: Used by Tainted Control (Java)
 # - WC_JAVA.IO.TAINT.EVAL: Used by Tainted Expression Evaluation
@@ -17710,10 +17783,13 @@
 # - WC_JAVA.IO.INJ.COMMAND: Used by Command Injection (Java)
 # - WC_JAVA.IO.INJ.DLL: Used by DLL Injection (Java)
 # - WC_JAVA.IO.INJ.DENIAL: Used by DOS Injection (Java)
+# - WC_JAVA.IO.INJ.FMT: Used by Format String Injection (Java)
+# - WC_JAVA.IO.TAINT.HTTP.OR: Used by Open Redirect (Java)
 # - WC_JAVA.IO.TAINT.REFLECTION: Used by Reflection Injection
 # (Java)
 # - WC_JAVA.IO.INJ.SQL: Used by SQL Injection (Java)
 # - WC_JAVA.IO.TAINT.TRUSTED: Used by Tainted @Trusted Value (Java)
+# - WC_JAVA.IO.TAINT.SIZE: Used by Tainted Allocation Size (Java)
 # - WC_JAVA.IO.TAINT.BUNDLE: Used by Tainted Bundle (Java)
 # - WC_JAVA.IO.TAINT.CONTROL: Used by Tainted Control (Java)
 # - WC_JAVA.IO.TAINT.EVAL: Used by Tainted Expression Evaluation
@@ -17785,10 +17861,13 @@
 # - WC_JAVA.IO.INJ.COMMAND: Used by Command Injection (Java)
 # - WC_JAVA.IO.INJ.DLL: Used by DLL Injection (Java)
 # - WC_JAVA.IO.INJ.DENIAL: Used by DOS Injection (Java)
+# - WC_JAVA.IO.INJ.FMT: Used by Format String Injection (Java)
+# - WC_JAVA.IO.TAINT.HTTP.OR: Used by Open Redirect (Java)
 # - WC_JAVA.IO.TAINT.REFLECTION: Used by Reflection Injection
 # (Java)
 # - WC_JAVA.IO.INJ.SQL: Used by SQL Injection (Java)
 # - WC_JAVA.IO.TAINT.TRUSTED: Used by Tainted @Trusted Value (Java)
+# - WC_JAVA.IO.TAINT.SIZE: Used by Tainted Allocation Size (Java)
 # - WC_JAVA.IO.TAINT.BUNDLE: Used by Tainted Bundle (Java)
 # - WC_JAVA.IO.TAINT.CONTROL: Used by Tainted Control (Java)
 # - WC_JAVA.IO.TAINT.EVAL: Used by Tainted Expression Evaluation
@@ -17861,10 +17940,13 @@
 # - WC_JAVA.IO.INJ.COMMAND: Used by Command Injection (Java)
 # - WC_JAVA.IO.INJ.DLL: Used by DLL Injection (Java)
 # - WC_JAVA.IO.INJ.DENIAL: Used by DOS Injection (Java)
+# - WC_JAVA.IO.INJ.FMT: Used by Format String Injection (Java)
+# - WC_JAVA.IO.TAINT.HTTP.OR: Used by Open Redirect (Java)
 # - WC_JAVA.IO.TAINT.REFLECTION: Used by Reflection Injection
 # (Java)
 # - WC_JAVA.IO.INJ.SQL: Used by SQL Injection (Java)
 # - WC_JAVA.IO.TAINT.TRUSTED: Used by Tainted @Trusted Value (Java)
+# - WC_JAVA.IO.TAINT.SIZE: Used by Tainted Allocation Size (Java)
 # - WC_JAVA.IO.TAINT.BUNDLE: Used by Tainted Bundle (Java)
 # - WC_JAVA.IO.TAINT.CONTROL: Used by Tainted Control (Java)
 # - WC_JAVA.IO.TAINT.EVAL: Used by Tainted Expression Evaluation
@@ -17938,10 +18020,13 @@
 # - WC_JAVA.IO.INJ.COMMAND: Used by Command Injection (Java)
 # - WC_JAVA.IO.INJ.DLL: Used by DLL Injection (Java)
 # - WC_JAVA.IO.INJ.DENIAL: Used by DOS Injection (Java)
+# - WC_JAVA.IO.INJ.FMT: Used by Format String Injection (Java)
+# - WC_JAVA.IO.TAINT.HTTP.OR: Used by Open Redirect (Java)
 # - WC_JAVA.IO.TAINT.REFLECTION: Used by Reflection Injection
 # (Java)
 # - WC_JAVA.IO.INJ.SQL: Used by SQL Injection (Java)
 # - WC_JAVA.IO.TAINT.TRUSTED: Used by Tainted @Trusted Value (Java)
+# - WC_JAVA.IO.TAINT.SIZE: Used by Tainted Allocation Size (Java)
 # - WC_JAVA.IO.TAINT.BUNDLE: Used by Tainted Bundle (Java)
 # - WC_JAVA.IO.TAINT.CONTROL: Used by Tainted Control (Java)
 # - WC_JAVA.IO.TAINT.EVAL: Used by Tainted Expression Evaluation
@@ -18013,10 +18098,13 @@
 # - WC_JAVA.IO.INJ.COMMAND: Used by Command Injection (Java)
 # - WC_JAVA.IO.INJ.DLL: Used by DLL Injection (Java)
 # - WC_JAVA.IO.INJ.DENIAL: Used by DOS Injection (Java)
+# - WC_JAVA.IO.INJ.FMT: Used by Format String Injection (Java)
+# - WC_JAVA.IO.TAINT.HTTP.OR: Used by Open Redirect (Java)
 # - WC_JAVA.IO.TAINT.REFLECTION: Used by Reflection Injection
 # (Java)
 # - WC_JAVA.IO.INJ.SQL: Used by SQL Injection (Java)
 # - WC_JAVA.IO.TAINT.TRUSTED: Used by Tainted @Trusted Value (Java)
+# - WC_JAVA.IO.TAINT.SIZE: Used by Tainted Allocation Size (Java)
 # - WC_JAVA.IO.TAINT.BUNDLE: Used by Tainted Bundle (Java)
 # - WC_JAVA.IO.TAINT.CONTROL: Used by Tainted Control (Java)
 # - WC_JAVA.IO.TAINT.EVAL: Used by Tainted Expression Evaluation
@@ -18103,6 +18191,7 @@
 # Statement (Java)
 # - WC_JAVA.DEEPNULL.DEREF: Used by Null Pointer Dereference (deep)
 # (Java)
+# - WC_JAVA.IO.TAINT.HTTP.OR: Used by Open Redirect (Java)
 # - WC_JAVA.IO.TAINT.REFLECTION: Used by Reflection Injection
 # (Java)
 # - WC_JAVA.IO.INJ.SQL: Used by SQL Injection (Java)
@@ -18193,6 +18282,7 @@
 # Statement (Java)
 # - WC_JAVA.DEEPNULL.DEREF: Used by Null Pointer Dereference (deep)
 # (Java)
+# - WC_JAVA.IO.TAINT.HTTP.OR: Used by Open Redirect (Java)
 # - WC_JAVA.IO.TAINT.REFLECTION: Used by Reflection Injection
 # (Java)
 # - WC_JAVA.IO.INJ.SQL: Used by SQL Injection (Java)
@@ -18591,8 +18681,11 @@
 # - WC_JAVA.DEBUG.CALL: Used by Debug Call (Java)
 # - WC_JAVA.DEBUG.LOG: Used by Debug Warning (Java)
 # - WC_JAVA.INSEC.DTP: Used by Deprecated Transfer Protocol (Java)
+# - WC_JAVA.INSEC.HTTP.DTU: Used by Direct Thread Usage in Http
+# Servlet (Java)
 # - WC_JAVA.DEBUG.ID: Used by Exception Information Disclosure
 # (Java)
+# - WC_JAVA.FUNCS.EF: Used by Explicit Finalize (Java)
 # - WC_JAVA.DEEPNULL.EFIELD: Used by Field Element may be null
 # (deep) (Java)
 # - WC_JAVA.STRUCT.URFIELD: Used by Field Never Read (Java)
@@ -18851,12 +18944,17 @@
 # - WC_CSHARP.IO.INJ.CODE: Used by Code Injection (C#)
 # - WC_CSHARP.IO.INJ.COMMAND: Used by Command Injection (C#)
 # - WC_CSHARP.IO.INJ.XSS: Used by Cross Site Scripting (C#)
+# - WC_CSHARP.IO.INJ.XSS.EMWP: Used by Cross Site Scripting In
+# Error Message Web Page (C#)
 # - WC_CSHARP.IO.INJ.DLL: Used by DLL Injection (C#)
 # - WC_CSHARP.IO.INJ.DENIAL: Used by DOS Injection (C#)
+# - WC_CSHARP.IO.INJ.FMT: Used by Format String Injection (C#)
+# - WC_CSHARP.IO.TAINT.HTTP.OR: Used by Open Redirect (C#)
 # - WC_CSHARP.IO.TAINT.REFLECTION: Used by Reflection Injection
 # (C#)
 # - WC_CSHARP.IO.INJ.SQL: Used by SQL Injection (C#)
 # - WC_CSHARP.IO.TAINT.TRUSTED: Used by Tainted @Trusted Value (C#)
+# - WC_CSHARP.IO.TAINT.SIZE: Used by Tainted Allocation Size (C#)
 # - WC_CSHARP.IO.TAINT.BUNDLE: Used by Tainted Bundle (C#)
 # - WC_CSHARP.IO.TAINT.CONTROL: Used by Tainted Control (C#)
 # - WC_CSHARP.IO.TAINT.EVAL: Used by Tainted Expression Evaluation
@@ -19097,10 +19195,13 @@
 # - WC_CSHARP.IO.INJ.COMMAND: Used by Command Injection (C#)
 # - WC_CSHARP.IO.INJ.DLL: Used by DLL Injection (C#)
 # - WC_CSHARP.IO.INJ.DENIAL: Used by DOS Injection (C#)
+# - WC_CSHARP.IO.INJ.FMT: Used by Format String Injection (C#)
+# - WC_CSHARP.IO.TAINT.HTTP.OR: Used by Open Redirect (C#)
 # - WC_CSHARP.IO.TAINT.REFLECTION: Used by Reflection Injection
 # (C#)
 # - WC_CSHARP.IO.INJ.SQL: Used by SQL Injection (C#)
 # - WC_CSHARP.IO.TAINT.TRUSTED: Used by Tainted @Trusted Value (C#)
+# - WC_CSHARP.IO.TAINT.SIZE: Used by Tainted Allocation Size (C#)
 # - WC_CSHARP.IO.TAINT.BUNDLE: Used by Tainted Bundle (C#)
 # - WC_CSHARP.IO.TAINT.CONTROL: Used by Tainted Control (C#)
 # - WC_CSHARP.IO.TAINT.EVAL: Used by Tainted Expression Evaluation
@@ -19168,10 +19269,13 @@
 # - WC_CSHARP.IO.INJ.COMMAND: Used by Command Injection (C#)
 # - WC_CSHARP.IO.INJ.DLL: Used by DLL Injection (C#)
 # - WC_CSHARP.IO.INJ.DENIAL: Used by DOS Injection (C#)
+# - WC_CSHARP.IO.INJ.FMT: Used by Format String Injection (C#)
+# - WC_CSHARP.IO.TAINT.HTTP.OR: Used by Open Redirect (C#)
 # - WC_CSHARP.IO.TAINT.REFLECTION: Used by Reflection Injection
 # (C#)
 # - WC_CSHARP.IO.INJ.SQL: Used by SQL Injection (C#)
 # - WC_CSHARP.IO.TAINT.TRUSTED: Used by Tainted @Trusted Value (C#)
+# - WC_CSHARP.IO.TAINT.SIZE: Used by Tainted Allocation Size (C#)
 # - WC_CSHARP.IO.TAINT.BUNDLE: Used by Tainted Bundle (C#)
 # - WC_CSHARP.IO.TAINT.CONTROL: Used by Tainted Control (C#)
 # - WC_CSHARP.IO.TAINT.EVAL: Used by Tainted Expression Evaluation
@@ -19239,10 +19343,13 @@
 # - WC_CSHARP.IO.INJ.COMMAND: Used by Command Injection (C#)
 # - WC_CSHARP.IO.INJ.DLL: Used by DLL Injection (C#)
 # - WC_CSHARP.IO.INJ.DENIAL: Used by DOS Injection (C#)
+# - WC_CSHARP.IO.INJ.FMT: Used by Format String Injection (C#)
+# - WC_CSHARP.IO.TAINT.HTTP.OR: Used by Open Redirect (C#)
 # - WC_CSHARP.IO.TAINT.REFLECTION: Used by Reflection Injection
 # (C#)
 # - WC_CSHARP.IO.INJ.SQL: Used by SQL Injection (C#)
 # - WC_CSHARP.IO.TAINT.TRUSTED: Used by Tainted @Trusted Value (C#)
+# - WC_CSHARP.IO.TAINT.SIZE: Used by Tainted Allocation Size (C#)
 # - WC_CSHARP.IO.TAINT.BUNDLE: Used by Tainted Bundle (C#)
 # - WC_CSHARP.IO.TAINT.CONTROL: Used by Tainted Control (C#)
 # - WC_CSHARP.IO.TAINT.EVAL: Used by Tainted Expression Evaluation
@@ -19312,10 +19419,13 @@
 # - WC_CSHARP.IO.INJ.COMMAND: Used by Command Injection (C#)
 # - WC_CSHARP.IO.INJ.DLL: Used by DLL Injection (C#)
 # - WC_CSHARP.IO.INJ.DENIAL: Used by DOS Injection (C#)
+# - WC_CSHARP.IO.INJ.FMT: Used by Format String Injection (C#)
+# - WC_CSHARP.IO.TAINT.HTTP.OR: Used by Open Redirect (C#)
 # - WC_CSHARP.IO.TAINT.REFLECTION: Used by Reflection Injection
 # (C#)
 # - WC_CSHARP.IO.INJ.SQL: Used by SQL Injection (C#)
 # - WC_CSHARP.IO.TAINT.TRUSTED: Used by Tainted @Trusted Value (C#)
+# - WC_CSHARP.IO.TAINT.SIZE: Used by Tainted Allocation Size (C#)
 # - WC_CSHARP.IO.TAINT.BUNDLE: Used by Tainted Bundle (C#)
 # - WC_CSHARP.IO.TAINT.CONTROL: Used by Tainted Control (C#)
 # - WC_CSHARP.IO.TAINT.EVAL: Used by Tainted Expression Evaluation
@@ -19383,10 +19493,13 @@
 # - WC_CSHARP.IO.INJ.COMMAND: Used by Command Injection (C#)
 # - WC_CSHARP.IO.INJ.DLL: Used by DLL Injection (C#)
 # - WC_CSHARP.IO.INJ.DENIAL: Used by DOS Injection (C#)
+# - WC_CSHARP.IO.INJ.FMT: Used by Format String Injection (C#)
+# - WC_CSHARP.IO.TAINT.HTTP.OR: Used by Open Redirect (C#)
 # - WC_CSHARP.IO.TAINT.REFLECTION: Used by Reflection Injection
 # (C#)
 # - WC_CSHARP.IO.INJ.SQL: Used by SQL Injection (C#)
 # - WC_CSHARP.IO.TAINT.TRUSTED: Used by Tainted @Trusted Value (C#)
+# - WC_CSHARP.IO.TAINT.SIZE: Used by Tainted Allocation Size (C#)
 # - WC_CSHARP.IO.TAINT.BUNDLE: Used by Tainted Bundle (C#)
 # - WC_CSHARP.IO.TAINT.CONTROL: Used by Tainted Control (C#)
 # - WC_CSHARP.IO.TAINT.EVAL: Used by Tainted Expression Evaluation
@@ -19468,6 +19581,7 @@
 # Statement (C#)
 # - WC_CSHARP.DEEPNULL.DEREF: Used by Null Pointer Dereference
 # (deep) (C#)
+# - WC_CSHARP.IO.TAINT.HTTP.OR: Used by Open Redirect (C#)
 # - WC_CSHARP.IO.TAINT.REFLECTION: Used by Reflection Injection
 # (C#)
 # - WC_CSHARP.IO.INJ.SQL: Used by SQL Injection (C#)
@@ -19552,6 +19666,7 @@
 # Statement (C#)
 # - WC_CSHARP.DEEPNULL.DEREF: Used by Null Pointer Dereference
 # (deep) (C#)
+# - WC_CSHARP.IO.TAINT.HTTP.OR: Used by Open Redirect (C#)
 # - WC_CSHARP.IO.TAINT.REFLECTION: Used by Reflection Injection
 # (C#)
 # - WC_CSHARP.IO.INJ.SQL: Used by SQL Injection (C#)