OWASP Top 10 2021

JavaScript is not currently enabled, but is required for full CodeSonar manual search and browse functionality.

If you are viewing this file in your hub's Web GUI, enable JavaScript in your browser: you will also need it for GUI functionality.

If you opened this file directly from disk, your browser may be directly suppressing JavaScript functionality: certain browsers perform this suppression on local files (but not files delivered by web servers) for security reasons.

If you access the manual through the hub's Web GUI, the functionality will not be suppressed because the hub is a web server.
Alternatively, your browser may allow you to explicitly disable the security setting that suppresses functionality. See the CodeSonar FAQ for more information.

CodeSonar^® 9.2p0

CONFIDENTIAL

CodeSecure Inc

OWASP Top 10 2021

The categories list for each CodeSonar warning includes any relevant members of the OWASP® Top Ten Application Security Risks - 2021.

A broader set of correspondences is shown in Broad Mapping: OWASP Top Ten 2021.

CSV tables of warning classes by OWASP-2021 rule are provided in OWASP-2021-mapping.csv.

The OWASP Top Ten 2021
Relevant Warning Classes
Management Reports
Enabling OWASP-2021 Checks

The OWASP Top 10 2021

"OWASP-2021" is shorthand for the OWASP Top 10 2021.

See the OWASP Top 10 2021 website for more information.

Relevant Warning Classes

The following table shows the CodeSonar warning classes that are associated with OWASP-2021 top ten security risks.

OWASP-2021	C/C++ Warning Classes	Ada Warning Classes	Java Warning Classes	C# Warning Classes	Kotlin Warning Classes	Python Warning Classes
OWASP-2021:A1 Broken access control	Commented-out Code Hardcoded Authentication Hardcoded Crypto Key Hardcoded Crypto Salt Null Security Descriptor Plaintext Storage of Password Tainted Filename Tainted Write Use of AddAccessAllowedAce Use of AddAccessDeniedAce Use of GetTempFileName Use of crypt Use of cuserid Use of getlogin Use of mkstemp Use of mktemp Use of tmpfile Use of tmpfile_s Use of tmpnam Use of tmpnam_s Weak Cryptography	Tainted Filename (Ada)	Accessing File in Permissive Mode (Java) Certificate Added to Root Store (Java) Fragment Injection (Java) JavaScript Enabled (Java) JavaScript File Access from File URLs (Java) Method Disables Security Setting (Java) Missing Authentication Annotation (Java) Missing JavaScript Entry Point (Java) Missing JavaScript Execution (Java) Missing isValidFragment Override (Java) Open Redirect (Java) Permissive File Mode (Java) Risky JavaScript Interface (Java) Security Annotation Conflict (Java) Sensitive Data Cached (Java) Sensitive Data Written to External Storage (Java) Sensitive Data Written to Local File (Java) Tainted Data in Vulnerable Method (Java) Tainted Path (Java) Tainted URL (Java) Universal JavaScript Access to File URLs (Java) Use of Hardware ID (Java)	Certificate Added to Root Store (C#) Disabled Input Validation (C#) Method Disables Security Setting (C#) Missing Authentication Annotation (C#) Open Redirect (C#) Security Annotation Conflict (C#) Tainted Path (C#) Tainted URL (C#)	KDoc References Non Public Property (detekt) Tainted Data in Vulnerable Method (Java) Tainted Path (Java) Tainted URL (Java)	Bad Open Mode (Pylint)
OWASP-2021:A2 Cryptographic failures	Default Initialization of Random Number Generator Encryption without Padding Hardcoded Crypto Key Hardcoded Crypto Salt Hardcoded Seed in PRNG Plaintext Storage of Password Plaintext Transmission of Password Predictable Seed in PRNG Redundant Condition Tainted Write Use of Weak Cryptographic Algorithm Use of crypt Use of rand Use of rand48 Function Use of random Weak Cryptography	-	Android Message Injection (Java) Android URL Injection (Java) Cryptographic Algorithm with Risky Default Cipher (Java) Cryptographic Algorithm with Weak Cipher (Java) Cryptographic Algorithm with Weak Hash (Java) Deprecated Cryptography Provider (Java) Deprecated Transfer Protocol (Java) Hardcoded Cryptographic Key (Java) Hardcoded Random Seed (Java) Inadequate Salt (Java) Insecure Key Derivation (Java) Insecure Random Number Generator (Java) Legacy Random Generator (Java) Missing Required Cryptographic Step (Java) Risky Cipher Algorithm (Java) Risky Cipher Field (Java) Risky Cryptographic Algorithm (Java) Risky Cryptographic Field (Java) Sensitive Data Written to External Storage (Java) Sensitive Data Written to Local File (Java) Tainted Message (Java) Unsafe Base64 Encoding (Java) Use of Hash without a Salt (Java) Use of Same Seed (Java) Weak Cryptographic Value (Java) Weak Hash Algorithm (Java) Weak Hash Algorithm Field (Java) Weak Initialization Vector Field (Java) Weak Initialization Vector Value (Java)	Cryptographic Algorithm with Risky Default Cipher (C#) Cryptographic Algorithm with Weak Cipher (C#) Cryptographic Algorithm with Weak Hash (C#) Deprecated Cryptography Provider (C#) Deprecated Transfer Protocol (C#) Hardcoded Cryptographic Key (C#) Hardcoded Random Seed (C#) Inadequate Salt (C#) Insecure Key Derivation (C#) Insecure Random Number Generator (C#) Legacy Random Generator (C#) Missing Required Cryptographic Step (C#) Risky Cipher Algorithm (C#) Risky Cipher Field (C#) Risky Cryptographic Algorithm (C#) Risky Cryptographic Field (C#) Tainted Message (C#) Unsafe Base64 Encoding (C#) Use of Hash without a Salt (C#) Use of Same Seed (C#) Weak Cryptographic Value (C#) Weak Hash Algorithm (C#) Weak Hash Algorithm Field (C#) Weak Initialization Vector Field (C#) Weak Initialization Vector Value (C#)	Cryptographic Algorithm with Risky Default Cipher (Java) Cryptographic Algorithm with Weak Cipher (Java) Cryptographic Algorithm with Weak Hash (Java) Deprecated Cryptography Provider (Java) Hardcoded Cryptographic Key (Java) Insecure Key Derivation (Java) Missing Required Cryptographic Step (Java) Risky Cipher Algorithm (Java) Risky Cipher Field (Java) Risky Cryptographic Algorithm (Java) Risky Cryptographic Field (Java) Tainted Message (Java) Use of Hash without a Salt (Java) Weak Cryptographic Value (Java) Weak Hash Algorithm (Java) Weak Hash Algorithm Field (Java) Weak Initialization Vector Field (Java) Weak Initialization Vector Value (Java)	-
OWASP-2021:A3 Injection	Command Injection Format String Injection LDAP Injection Library Injection SQL Injection Tainted Allocation Size Tainted Buffer Access Tainted Configuration Setting Tainted Environment Variable Tainted Filename Tainted Network Address Tainted Write Untrusted Library Load Untrusted Network Host Untrusted Network Port Untrusted Process Creation Use of system	Code Injection (Ada) Command Injection (Ada) Cross Site Scripting (Ada) OS Command Injection (Ada) SQL Injection (Ada) Tainted Filename (Ada)	Android Message Injection (Java) Android URL Injection (Java) Code Injection (Java) Command Injection (Java) Cross Site Scripting (Java) Cross Site Scripting In Error Message Web Page (Java) DLL Injection (Java) DOS Injection (Java) Format String Injection (Java) Fragment Injection (Java) Method Should be final (Java) Missing Call to super (Java) Open Redirect (Java) Reflection Injection (Java) SQL Injection (Java) Static Field Too Visible (Java) Tainted @Trusted Value (Java) Tainted Allocation Size (Java) Tainted Bundle (Java) Tainted Control (Java) Tainted Data in Vulnerable Method (Java) Tainted Expression Evaluation (Java) Tainted HTTP Response (Java) Tainted Hardware Device Property (Java) Tainted LDAP Attribute (Java) Tainted LDAP Filter (Java) Tainted Log (Java) Tainted Message (Java) Tainted Network Address (Java) Tainted Path (Java) Tainted Regular Expression (Java) Tainted Resource (Java) Tainted Session (Java) Tainted URL (Java) Tainted XAML (Java) Tainted XML (Java) Tainted Xpath (Java)	Code Injection (C#) Command Injection (C#) Cross Site Scripting (C#) Cross Site Scripting In Error Message Web Page (C#) DLL Injection (C#) DOS Injection (C#) Disabled Input Validation (C#) Format String Injection (C#) Method Should be final (C#) Open Redirect (C#) Reflection Injection (C#) SQL Injection (C#) Tainted @Trusted Value (C#) Tainted Allocation Size (C#) Tainted Bundle (C#) Tainted Control (C#) Tainted Expression Evaluation (C#) Tainted HTTP Response (C#) Tainted Hardware Device Property (C#) Tainted LDAP Attribute (C#) Tainted LDAP Filter (C#) Tainted Log (C#) Tainted Message (C#) Tainted Network Address (C#) Tainted Path (C#) Tainted Regular Expression (C#) Tainted Resource (C#) Tainted Session (C#) Tainted URL (C#) Tainted XAML (C#) Tainted XML (C#) Tainted Xpath (C#)	Code Injection (Java) Command Injection (Java) Reflection Injection (Java) SQL Injection (Java) Tainted @Trusted Value (Java) Tainted Allocation Size (Java) Tainted Bundle (Java) Tainted Control (Java) Tainted Data in Vulnerable Method (Java) Tainted Expression Evaluation (Java) Tainted HTTP Response (Java) Tainted LDAP Attribute (Java) Tainted LDAP Filter (Java) Tainted Log (Java) Tainted Message (Java) Tainted Network Address (Java) Tainted Path (Java) Tainted Regular Expression (Java) Tainted Resource (Java) Tainted Session (Java) Tainted URL (Java) Tainted XAML (Java) Tainted XML (Java) Tainted Xpath (Java)	Eval Used (Pylint) Exec Used (Pylint)
OWASP-2021:A4 Insecure design	Arctangent Domain Error Argument Too High Argument Too Low Array Parameter Mismatch Data Race File System Race Condition Floating Point Domain Error Floating Point Range Error Format String Type Error Function Call Has No Effect Gamma on Zero GlobalHandle on GMEM_FIXED Memory GlobalLock on GMEM_FIXED Memory GlobalUnlock on GMEM_FIXED Memory Hardcoded Crypto Key Incorrect Privilege Assignment LDAP Injection Library Function Override Library Injection LocalHandle on LMEM_FIXED Memory LocalLock on LMEM_FIXED Memory LocalUnlock on LMEM_FIXED Memory Logarithm on Negative Value Logarithm on Zero MAX_PATH Exceeded Negative Character Value Negative file descriptor Null Security Descriptor Plaintext Storage of Password Plaintext Transmission of Password Raises FE_INVALID Tainted Filename Type Mismatch Undefined Power of Zero Unreasonable Size Argument Use of <cctype> Function Use of <cwctype> Function Use of <fenv.h> Exception Handling Function Use of <signal.h> Use of <stdio.h> Input/Output Macro Use of <stdlib.h> Allocator/Deallocator Use of <tgmath.h> Use of <time.h> Time/Date Function Use of <wchar.h> Input/Output Use of <wchar.h> Input/Output Macro Use of AddAccessAllowedAce Use of AddAccessDeniedAce Use of AfxLoadLibrary Use of AfxParseURL Use of CoLoadLibrary Use of Condition Variable Signal Use of CreateFile Use of CreateProcess Use of CreateThread Use of FormatMessage Use of GetTempFileName Use of LoadLibrary Use of LoadModule Use of MoveFile Use of OemToAnsi Use of OemToChar Use of SHCreateProcessAsUserW Use of ShellExecute Use of StrCatChainW Use of Weak Cryptographic Algorithm Use of WinExec Use of _exec Use of _spawn Use of abort Use of atof Use of atoi Use of atol Use of atoll Use of bsearch Use of catopen Use of chroot Use of crypt Use of cuserid Use of drem Use of execlp Use of execvp Use of exit Use of gamma Use of getenv Use of getlogin Use of getopt Use of getpass Use of gets Use of getwd Use of longjmp Use of memset Use of mkstemp Use of mktemp Use of popen Use of pthread_kill Use of putenv Use of qsort Use of rand Use of rand48 Function Use of random Use of realloc Use of realpath Use of recvmsg Use of setjmp Use of setuid Use of signal Use of strcat Use of strchr Use of strcmp Use of strcoll Use of strcpy Use of strcspn Use of strlen Use of strpbrk Use of strrchr Use of strspn Use of strstr Use of strtok Use of strtrns Use of syslog Use of system Use of t_open Use of tmpfile Use of tmpfile_s Use of tmpnam Use of tmpnam_s Use of ttyname Use of vfork Weak Cryptography chroot without chdir cosh on High Number cosh on Low Number sqrt on Negative Value	Tainted Filename (Ada)	Array Parameter Empty (Java) Debug Call (Java) Hardcoded Cryptographic Key (Java) Hardcoded Password (Java) Insecure Key Derivation (Java) Insecure Random Number Generator (Java) Method Disables Security Setting (Java) Method Names Differ Only in Case (Java) Missing synchronized Statement (Java) Non-overriding Method Signature (Java) Password in Property File (Java) Synchronization on Interned String (Java) Synchronization on static (Java) Tainted Bundle (Java) Tainted Message (Java) Tainted Path (Java) Tainted Session (Java) Unguarded Field (Java) Unguarded Method (Java) Unguarded Parameter (Java)	Hardcoded Cryptographic Key (C#) Hardcoded Password (C#) Insecure Key Derivation (C#) Insecure Random Number Generator (C#) Method Disables Security Setting (C#) Method Names Differ Only in Case (C#) Non-overriding Method Signature (C#) Password in Property File (C#) Tainted Bundle (C#) Tainted Message (C#) Tainted Path (C#) Tainted Session (C#) Unsafe Base64 Encoding (C#)	Hardcoded Cryptographic Key (Java) Hardcoded Password (Java) Insecure Key Derivation (Java) Nullable to String Call (detekt) Tainted Bundle (Java) Tainted Message (Java) Tainted Path (Java) Tainted Session (Java)	Arguments Out of Order (Pylint) Bad Open Mode (Pylint) Bad Thread Instantiation (Pylint) Format Needs Mapping (Pylint) Invalid Envvar Value (Pylint) Invalid Unary Operand Type (Pylint) Isinstance Second Argument Not Valid Type (Pylint) Keyword Arg Before Vararg (Pylint) Kwarg Superseded By Positional Arg (Pylint) Logging Format Truncated (Pylint) Logging Too Few Args (Pylint) Logging Too Many Args (Pylint) Logging Unsupported Format (Pylint) Misplaced Format Function (Pylint) Missing Format Argument Key (Pylint) Missing Format Attribute (Pylint) Missing Format String Key (Pylint) Missing Kwoa (Pylint) No Value for Parameter (Pylint) Not a Mapping (Pylint) Not an Iterable (Pylint) Positional Only Arguments Expected (Pylint) Raising Format Tuple (Pylint) Redundant Keyword Arg (Pylint) Repeated Keyword (Pylint) Super Without Brackets (Pylint) Too Few Format Args (Pylint) Too Many Format Args (Pylint) Too Many Function Args (Pylint) Truncated Format String (Pylint) Unexpected Keyword Arg (Pylint)
OWASP-2021:A5 Security misconfiguration	Encryption without Padding Hardcoded Authentication Hardcoded Crypto Key Hardcoded Crypto Salt Hardcoded DNS Name Hardcoded Seed in PRNG Memory Protection Removal Tainted Configuration Setting Use of XML_ExternalEntityParserCreate	-	Android URL Injection (Java) Class Enables Debug Features (Java) Debug Call (Java) Deprecated Transfer Protocol (Java) Hardcoded Filename (Java) Hardcoded IP Address (Java) Insecure Cookie (Java) Insecure XSLT Execution (Java) Legacy Random Generator (Java) Method Enables Debug Features (Java) Possible XML External Entity Reference (Java)	Class Enables Debug Features (C#) Debug Call (C#) Hardcoded Filename (C#) Hardcoded IP Address (C#) Insecure Cookie (C#) Insecure XSLT Execution (C#) Legacy Random Generator (C#) Method Enables Debug Features (C#) Possible XML External Entity Reference (C#)	Not Implemented Declaration (detekt) Possible XML External Entity Reference (Java)	Forgotten Debug Statement (Pylint)
OWASP-2021:A6 Vulnerable and outdated components	Use of AddAccessAllowedAce Use of AddAccessDeniedAce Use of AfxLoadLibrary Use of CoLoadLibrary Use of CreateFile Use of CreateProcess Use of CreateThread Use of FormatMessage Use of GetTempFileName Use of LoadLibrary Use of LoadModule Use of MoveFile Use of OemToAnsi Use of OemToChar Use of crypt Use of drem Use of gamma Use of gets Use of mkstemp Use of mktemp Use of rand Use of rand48 Function Use of random Use of tmpfile Use of tmpfile_s Use of tmpnam Use of tmpnam_s Weak Cryptography	-	Deprecated Cryptography Provider (Java) Deprecated Transfer Protocol (Java) Sensitive Data Written to External Storage (Java) Unsafe Base64 Encoding (Java)	Deprecated Cryptography Provider (C#) Deprecated Transfer Protocol (C#)	Deprecated Cryptography Provider (Java)	Deprecated Method (Pylint) Deprecated Module (Pylint)
OWASP-2021:A7 Identification and authorization failures	Hardcoded Authentication Hardcoded Crypto Key Hardcoded Crypto Salt Plaintext Storage of Password Use of crypt Weak Cryptography	-	Anonymous LDAP Authentication (Java) Certificate Added to Root Store (Java) Cryptographic Algorithm with Risky Default Cipher (Java) Cryptographic Algorithm with Weak Cipher (Java) Cryptographic Algorithm with Weak Hash (Java) Hardcoded Password (Java) Hostname in Condition (Java) Inadequate Salt (Java) Insecure Key Derivation (Java) Insecure verifier Override for Hostname (Java) Insecure verify Override for Certificate (Java) LDAP Authentication Disabled (Java) Missing Authentication Annotation (Java) Password in Property File (Java) Risky Cipher Algorithm (Java) Risky Cipher Field (Java) Risky Cryptographic Algorithm (Java) Risky Cryptographic Field (Java) Security Annotation Conflict (Java) Unsafe Base64 Encoding (Java) Unsafe Session Expiration Time (Java) Use of Insecure verify for Certificate (Java) Use of Insecure verify for Hostname (Java) Weak Cryptographic Value (Java) Weak Hash Algorithm (Java) Weak Hash Algorithm Field (Java) Weak Initialization Vector Field (Java) Weak Initialization Vector Value (Java)	Anonymous LDAP Authentication (C#) Certificate Added to Root Store (C#) Cryptographic Algorithm with Risky Default Cipher (C#) Cryptographic Algorithm with Weak Cipher (C#) Cryptographic Algorithm with Weak Hash (C#) Hardcoded Password (C#) Hostname in Condition (C#) Inadequate Salt (C#) Insecure Key Derivation (C#) Missing Authentication Annotation (C#) Password in Property File (C#) Risky Cipher Algorithm (C#) Risky Cipher Field (C#) Risky Cryptographic Algorithm (C#) Risky Cryptographic Field (C#) Security Annotation Conflict (C#) Unsafe Session Expiration Time (C#) Weak Cryptographic Value (C#) Weak Hash Algorithm (C#) Weak Hash Algorithm Field (C#) Weak Initialization Vector Field (C#) Weak Initialization Vector Value (C#)	Cryptographic Algorithm with Risky Default Cipher (Java) Cryptographic Algorithm with Weak Cipher (Java) Cryptographic Algorithm with Weak Hash (Java) Hardcoded Password (Java) Insecure Key Derivation (Java) Risky Cipher Algorithm (Java) Risky Cipher Field (Java) Risky Cryptographic Algorithm (Java) Risky Cryptographic Field (Java) Weak Cryptographic Value (Java) Weak Hash Algorithm (Java) Weak Hash Algorithm Field (Java) Weak Initialization Vector Field (Java) Weak Initialization Vector Value (Java)	-
OWASP-2021:A8 Software and data integrity failures	Addition Overflow of Allocation Size Addition Overflow of Size Buffer Overrun Buffer Underrun Hardcoded DNS Name Integer Overflow of Allocation Size Multiplication Overflow of Allocation Size Multiplication Overflow of Size Pointer Arithmetic Pointer Before Beginning of Object Pointer Past End of Object Potential Timebomb Subtraction Underflow of Allocation Size Subtraction Underflow of Size Tainted Buffer Access Tainted Environment Variable Type Overrun Type Underrun Untrusted Network Host Untrusted Network Port	-	Deserializable Class (Java) Deserializing Non-Serializable Class (Java) Potential LDAP Poisoning (Java) Reflection Bypasses Member Accessibility (Java) Reflection Modifies Member Accessibility (Java) Serialization Not Disabled (Java) Tainted Data in Vulnerable Method (Java)	Deserializable Class (C#) Reflection Bypasses Member Accessibility (C#) Reflection Modifies Member Accessibility (C#)	Tainted Data in Vulnerable Method (Java)	Bidirectional Unicode (Pylint) Invalid Character Backspace (Pylint) Invalid Character Carriage Return (Pylint) Invalid Character Esc (Pylint) Invalid Character Nul (Pylint) Invalid Character Sub (Pylint) Invalid Character Zero Width Space (Pylint)
OWASP-2021:A9 Security logging and monitoring failures	Not Enough Assertions	-	Debug Warning (Java) Tainted Log (Java)	Debug Warning (C#) Tainted Log (C#)	Tainted Log (Java)	-
OWASP-2021:A10 Server-side request forgery	-	-	-	-	-	-

Management Reports

The predefined OWASP Top Ten 2021 Report management report template allows you to automatically generate a report summarizing all the warnings from a particular analysis that are closely mapped to one or more of the OWASP Top 10 2021.

You can generate this report from the GUI Analysis page for the analysis of interest. For general instructions, see Task: Generate a Management Report

Enabling OWASP-2021 Rules

Because the rules are strongly tied to web application development, many of the associated checks are disabled by default.

CodeSonar ships with a taxonomy preset for OWASP-2021 checks:

owasp2021

Enables warning classes such that a given class C is enabled if all of the following are true.

C is closely mapped to one or more OWASP-2021 members (that is, it appears in the table above), and
no other classes enabled by the preset are more closely related to the same rules, and
C is not diagnostic-only (that is, it does not have a DIAG.* mnemonic).

You can apply the owasp2021 preset to the CodeSonar build/analysis as shown in the following table.

Command Line	Specify -preset owasp2021 as part of your build/analysis command. For example: codesonar analyze MyProj -preset owasp2021 localhost:7340 make
Define as a default preset	Copy owasp2021.conf from $CSONAR/codesonar/presets/ to $CSONAR/codesonar/default_presets/. OR Use the CodeSonar Configuration Tool Modify Analysis Settings option.
Windows Build Wizard	Select owasp2021 from the Preset list on screen 2.
Eclipse Plug-In	Select owasp2021 from the Presets list in the Properties dialog.
Visual Studio Plug-In	Select owasp2021 from the Presets list in the Project Properties dialog.

Enabling checks for specific security risks

To enable checks for all the warning classes associated with a specific OWASP-2021 security risk, include the following in the project configuration file:

WARNING_FILTER += allow categories:"OWASP-2021:Anum"

Anum is the OWASP-2021 item number.
To enable checks for several rule numbers, include several WARNING_FILTER lines of this form.

Enabling individual warning classes

To enable a single warning class check, follow the instructions in the documentation for the corresponding warning class. Warning class documentation links are provided above.

To report problems with this documentation, please visit https://support.codesecure.com/.