OWASP Top Ten Application Security Risks

JavaScript is not currently enabled, but is required for full CodeSonar manual search and browse functionality.

If you are viewing this file in your hub's Web GUI, enable JavaScript in your browser: you will also need it for GUI functionality.

If you opened this file directly from disk, your browser may be directly suppressing JavaScript functionality: certain browsers perform this suppression on local files (but not files delivered by web servers) for security reasons.

If you access the manual through the hub's Web GUI, the functionality will not be suppressed because the hub is a web server.
Alternatively, your browser may allow you to explicitly disable the security setting that suppresses functionality. See the CodeSonar FAQ for more information.

CodeSonar^® 9.2p0

CONFIDENTIAL

CodeSecure Inc

OWASP Top Ten Application Security Risks - 2017

The categories list for each CodeSonar warning includes any relevant members of the OWASP® Top Ten Application Security Risks - 2017.

A broader set of correspondences is shown in Broad Mapping: OWASP Top Ten Application Security Risks - 2017.

CSV tables of warning classes by OWASP-2017 rule are provided in OWASP-2017-mapping.csv.

The OWASP Top Ten 2017
Relevant Warning Classes
Management Reports
Enabling OWASP-2017 Checks

The OWASP Top Ten 2017

"OWASP-2017" is shorthand for the OWASP Top Ten Web Application Security Risks - 2017.

See the OWASP Top Ten 2017 website for more information.

Relevant Warning Classes

The following table shows the CodeSonar warning classes that are associated with OWASP-2017 top ten security risks.

OWASP-2017	C/C++ Warning Classes	Ada Warning Classes	Java Warning Classes	C# Warning Classes	Kotlin Warning Classes	Python Warning Classes
OWASP-2017:A1 Injection	Command Injection Format String Injection LDAP Injection Library Injection SQL Injection Tainted Allocation Size Tainted Buffer Access Tainted Configuration Setting Tainted Environment Variable Tainted Filename Tainted Network Address Tainted Write Untrusted Library Load Untrusted Network Host Untrusted Network Port Untrusted Process Creation Use of system	Code Injection (Ada) Command Injection (Ada) Cross Site Scripting (Ada) OS Command Injection (Ada) SQL Injection (Ada) Tainted Filename (Ada)	Android Message Injection (Java) Android URL Injection (Java) Code Injection (Java) Command Injection (Java) Cross Site Scripting (Java) Cross Site Scripting In Error Message Web Page (Java) DLL Injection (Java) DOS Injection (Java) Format String Injection (Java) Fragment Injection (Java) Method Should be final (Java) Missing Call to super (Java) Open Redirect (Java) Reflection Injection (Java) SQL Injection (Java) Static Field Too Visible (Java) Tainted @Trusted Value (Java) Tainted Allocation Size (Java) Tainted Bundle (Java) Tainted Control (Java) Tainted Data in Vulnerable Method (Java) Tainted Expression Evaluation (Java) Tainted HTTP Response (Java) Tainted Hardware Device Property (Java) Tainted LDAP Attribute (Java) Tainted LDAP Filter (Java) Tainted Log (Java) Tainted Message (Java) Tainted Network Address (Java) Tainted Path (Java) Tainted Regular Expression (Java) Tainted Resource (Java) Tainted Session (Java) Tainted URL (Java) Tainted XAML (Java) Tainted XML (Java) Tainted Xpath (Java)	Code Injection (C#) Command Injection (C#) Cross Site Scripting (C#) Cross Site Scripting In Error Message Web Page (C#) DLL Injection (C#) DOS Injection (C#) Format String Injection (C#) Method Should be final (C#) Open Redirect (C#) Reflection Injection (C#) SQL Injection (C#) Tainted @Trusted Value (C#) Tainted Allocation Size (C#) Tainted Bundle (C#) Tainted Control (C#) Tainted Expression Evaluation (C#) Tainted HTTP Response (C#) Tainted Hardware Device Property (C#) Tainted LDAP Attribute (C#) Tainted LDAP Filter (C#) Tainted Log (C#) Tainted Message (C#) Tainted Network Address (C#) Tainted Path (C#) Tainted Regular Expression (C#) Tainted Resource (C#) Tainted Session (C#) Tainted URL (C#) Tainted XAML (C#) Tainted XML (C#) Tainted Xpath (C#)	Code Injection (Java) Command Injection (Java) Reflection Injection (Java) SQL Injection (Java) Tainted @Trusted Value (Java) Tainted Allocation Size (Java) Tainted Bundle (Java) Tainted Control (Java) Tainted Data in Vulnerable Method (Java) Tainted Expression Evaluation (Java) Tainted HTTP Response (Java) Tainted LDAP Attribute (Java) Tainted LDAP Filter (Java) Tainted Log (Java) Tainted Message (Java) Tainted Network Address (Java) Tainted Path (Java) Tainted Regular Expression (Java) Tainted Resource (Java) Tainted Session (Java) Tainted URL (Java) Tainted XAML (Java) Tainted XML (Java) Tainted Xpath (Java)	Eval Used (Pylint) Exec Used (Pylint)
OWASP-2017:A2 Broken authentication	Hardcoded Authentication Plaintext Storage of Password Use of crypt Weak Cryptography	-	Anonymous LDAP Authentication (Java) Certificate Added to Root Store (Java) Cryptographic Algorithm with Risky Default Cipher (Java) Cryptographic Algorithm with Weak Cipher (Java) Cryptographic Algorithm with Weak Hash (Java) Hardcoded Password (Java) Hostname in Condition (Java) Inadequate Salt (Java) Insecure Key Derivation (Java) Insecure verifier Override for Hostname (Java) Insecure verify Override for Certificate (Java) LDAP Authentication Disabled (Java) Missing Authentication Annotation (Java) Password in Property File (Java) Risky Cipher Algorithm (Java) Risky Cipher Field (Java) Risky Cryptographic Algorithm (Java) Risky Cryptographic Field (Java) Security Annotation Conflict (Java) Unsafe Base64 Encoding (Java) Unsafe Session Expiration Time (Java) Use of Insecure verify for Certificate (Java) Use of Insecure verify for Hostname (Java) Weak Cryptographic Value (Java) Weak Hash Algorithm (Java) Weak Hash Algorithm Field (Java) Weak Initialization Vector Field (Java) Weak Initialization Vector Value (Java)	Anonymous LDAP Authentication (C#) Certificate Added to Root Store (C#) Cryptographic Algorithm with Risky Default Cipher (C#) Cryptographic Algorithm with Weak Cipher (C#) Cryptographic Algorithm with Weak Hash (C#) Hardcoded Password (C#) Hostname in Condition (C#) Inadequate Salt (C#) Insecure Key Derivation (C#) Missing Authentication Annotation (C#) Password in Property File (C#) Risky Cipher Algorithm (C#) Risky Cipher Field (C#) Risky Cryptographic Algorithm (C#) Risky Cryptographic Field (C#) Security Annotation Conflict (C#) Unsafe Base64 Encoding (C#) Unsafe Session Expiration Time (C#) Weak Cryptographic Value (C#) Weak Hash Algorithm (C#) Weak Hash Algorithm Field (C#) Weak Initialization Vector Field (C#) Weak Initialization Vector Value (C#)	Cryptographic Algorithm with Risky Default Cipher (Java) Cryptographic Algorithm with Weak Cipher (Java) Cryptographic Algorithm with Weak Hash (Java) Hardcoded Password (Java) Insecure Key Derivation (Java) Risky Cipher Algorithm (Java) Risky Cipher Field (Java) Risky Cryptographic Algorithm (Java) Risky Cryptographic Field (Java) Weak Cryptographic Value (Java) Weak Hash Algorithm (Java) Weak Hash Algorithm Field (Java) Weak Initialization Vector Field (Java) Weak Initialization Vector Value (Java)	-
OWASP-2017:A3 Sensitive data exposure	Encryption without Padding Plaintext Storage of Password Redundant Condition Tainted Write Use of crypt Weak Cryptography	-	Android Message Injection (Java) Android URL Injection (Java) Sensitive Data Cached (Java) Sensitive Data Written to External Storage (Java) Sensitive Data Written to Local File (Java)	-	-	-
OWASP-2017:A4 XML external entities	Use of XML_ExternalEntityParserCreate	-	Possible XML External Entity Reference (Java)	Possible XML External Entity Reference (C#)	Possible XML External Entity Reference (Java)	-
OWASP-2017:A5 Broken access control	Commented-out Code Hardcoded Authentication Hardcoded Crypto Key Hardcoded Crypto Salt Null Security Descriptor Plaintext Storage of Password Tainted Filename Tainted Write Use of AddAccessAllowedAce Use of AddAccessDeniedAce Use of GetTempFileName Use of crypt Use of cuserid Use of getlogin Use of mkstemp Use of mktemp Use of tmpfile Use of tmpfile_s Use of tmpnam Use of tmpnam_s Weak Cryptography	Tainted Filename (Ada)	Accessing File in Permissive Mode (Java) Certificate Added to Root Store (Java) Fragment Injection (Java) JavaScript Enabled (Java) JavaScript File Access from File URLs (Java) Method Disables Security Setting (Java) Missing Authentication Annotation (Java) Missing JavaScript Entry Point (Java) Missing JavaScript Execution (Java) Missing isValidFragment Override (Java) Open Redirect (Java) Permissive File Mode (Java) Risky JavaScript Interface (Java) Security Annotation Conflict (Java) Sensitive Data Written to External Storage (Java) Sensitive Data Written to Local File (Java) Tainted Data in Vulnerable Method (Java) Tainted Path (Java) Tainted URL (Java) Universal JavaScript Access to File URLs (Java) Use of Hardware ID (Java)	Certificate Added to Root Store (C#) Disabled Input Validation (C#) Method Disables Security Setting (C#) Missing Authentication Annotation (C#) Open Redirect (C#) Security Annotation Conflict (C#) Tainted Path (C#) Tainted URL (C#)	KDoc References Non Public Property (detekt) Tainted Data in Vulnerable Method (Java) Tainted Path (Java) Tainted URL (Java)	Bad Open Mode (Pylint)
OWASP-2017:A6 Security misconfiguration	Encryption without Padding Hardcoded Authentication Hardcoded Crypto Key Hardcoded Crypto Salt Hardcoded DNS Name Hardcoded Seed in PRNG Memory Protection Removal Tainted Configuration Setting	-	Class Enables Debug Features (Java) Debug Call (Java) Deprecated Transfer Protocol (Java) Hardcoded Filename (Java) Hardcoded IP Address (Java) Insecure Cookie (Java) Insecure XSLT Execution (Java) Method Enables Debug Features (Java) Possible XML External Entity Reference (Java)	Class Enables Debug Features (C#) Debug Call (C#) Hardcoded Filename (C#) Hardcoded IP Address (C#) Insecure Cookie (C#) Insecure XSLT Execution (C#) Method Enables Debug Features (C#) Possible XML External Entity Reference (C#)	Not Implemented Declaration (detekt) Possible XML External Entity Reference (Java)	Forgotten Debug Statement (Pylint)
OWASP-2017:A7 Cross site scripting (XSS)	Tainted Write	-	Cross Site Scripting (Java) Cross Site Scripting In Error Message Web Page (Java)	Cross Site Scripting (C#) Cross Site Scripting In Error Message Web Page (C#)	-	-
OWASP-2017:A8 Insecure deserialization	Addition Overflow of Allocation Size Addition Overflow of Size Buffer Overrun Buffer Underrun Integer Overflow of Allocation Size Multiplication Overflow of Allocation Size Multiplication Overflow of Size Pointer Arithmetic Pointer Before Beginning of Object Pointer Past End of Object Subtraction Underflow of Allocation Size Subtraction Underflow of Size Tainted Buffer Access Type Overrun Type Underrun	-	Deserializable Class (Java) Deserializing Non-Serializable Class (Java)	Deserializable Class (C#)	-	-
OWASP-2017:A9 Using components with known vulnerabilities	Use of AddAccessAllowedAce Use of AddAccessDeniedAce Use of AfxLoadLibrary Use of CoLoadLibrary Use of CreateFile Use of CreateProcess Use of CreateThread Use of FormatMessage Use of GetTempFileName Use of LoadLibrary Use of LoadModule Use of MoveFile Use of OemToAnsi Use of OemToChar Use of crypt Use of drem Use of gamma Use of gets Use of mkstemp Use of mktemp Use of rand Use of rand48 Function Use of random Use of tmpfile Use of tmpfile_s Use of tmpnam Use of tmpnam_s Weak Cryptography	-	Deprecated Cryptography Provider (Java) Deprecated Transfer Protocol (Java)	Deprecated Cryptography Provider (C#) Deprecated Transfer Protocol (C#)	Deprecated Cryptography Provider (Java)	Deprecated Method (Pylint) Deprecated Module (Pylint)
OWASP-2017:A10 Insufficient logging and monitoring	Not Enough Assertions	-	Debug Warning (Java) Tainted Log (Java)	Debug Warning (C#) Tainted Log (C#)	Tainted Log (Java)	-

Management Reports

The predefined OWASP Top Ten 2017 Report management report template allows you to automatically generate a report summarizing all the warnings from a particular analysis that are closely mapped to one or more of the OWASP Top Ten Web Application Security Risks.

You can generate this report from the GUI Analysis page for the analysis of interest. For general instructions, see Task: Generate a Management Report.

Enabling OWASP-2017 Rules

Because the rules are strongly tied to web application development, many of the associated checks are disabled by default.

CodeSonar ships with a taxonomy preset for OWASP-2017 checks:

owasp2017

Enables warning classes such that a given class C is enabled if all of the following are true.

C is closely mapped to one or more OWASP-2017 members (that is, it appears in the table above), and
no other classes enabled by the preset are more closely related to the same rules, and
C is not diagnostic-only (that is, it does not have a DIAG.* mnemonic).

You can apply the owasp2017 preset to the CodeSonar build/analysis as shown in the following table.

@PRESET_TABLE[owasp2017]@

Enabling checks for specific security risks

To enable checks for all the warning classes associated with a specific OWASP-2017 security risk, include the following in the project configuration file:

WARNING_FILTER += allow categories:"OWASP-2017:Anum"

Anum is the OWASP-2017 item number.
To enable checks for several rule numbers, include several WARNING_FILTER lines of this form.

Enabling individual classes

To enable a single warning class check, follow the instructions in the documentation for the corresponding warning class. Warning class documentation links are provided above.

To report problems with this documentation, please visit https://support.codesecure.com/.