OWASP Top 10 2025

JavaScript is not currently enabled, but is required for full CodeSonar manual search and browse functionality.

If you are viewing this file in your hub's Web GUI, enable JavaScript in your browser: you will also need it for GUI functionality.

If you opened this file directly from disk, your browser may be directly suppressing JavaScript functionality: certain browsers perform this suppression on local files (but not files delivered by web servers) for security reasons.

If you access the manual through the hub's Web GUI, the functionality will not be suppressed because the hub is a web server.
Alternatively, your browser may allow you to explicitly disable the security setting that suppresses functionality. See the CodeSonar FAQ for more information.

CodeSonar^® 9.2p0

CONFIDENTIAL

CodeSecure Inc

OWASP Top 10 2025

The categories list for each CodeSonar warning includes any relevant members of the OWASP® Top Ten Application Security Risks - 2025.

A broader set of correspondences is shown in Broad Mapping: OWASP Top Ten 2025.

CSV tables of warning classes by OWASP-2025 rule are provided in OWASP-2025-mapping.csv.

The OWASP Top Ten 2025
Relevant Warning Classes
Management Reports
Enabling OWASP-2025 Checks

The OWASP Top 10 2025

"OWASP-2025" is shorthand for the OWASP Top 10 2025.

See the OWASP Top 10 2025 website for more information.

Relevant Warning Classes

The following table shows the CodeSonar warning classes that are associated with OWASP-2025 top ten security risks.

OWASP-2025	C/C++ Warning Classes	Ada Warning Classes	Java Warning Classes	C# Warning Classes	Kotlin Warning Classes	Python Warning Classes
OWASP-2025:A01 Broken Access Control	Commented-out Code Hardcoded Authentication Hardcoded Crypto Key Hardcoded Crypto Salt Null Security Descriptor Plaintext Storage of Password Tainted Filename Tainted Write Use of AddAccessAllowedAce Use of AddAccessDeniedAce Use of GetTempFileName Use of crypt Use of cuserid Use of getlogin Use of mkstemp Use of mktemp Use of tmpfile Use of tmpfile_s Use of tmpnam Use of tmpnam_s Weak Cryptography	Tainted Filename (Ada)	Accessing File in Permissive Mode (Java) Android URL Injection (Java) Certificate Added to Root Store (Java) JavaScript Enabled (Java) JavaScript File Access from File URLs (Java) Missing JavaScript Entry Point (Java) Missing JavaScript Execution (Java) Open Redirect (Java) Permissive File Mode (Java) Risky JavaScript Interface (Java) Security Annotation Conflict (Java) Sensitive Data Cached (Java) Sensitive Data Written to External Storage (Java) Sensitive Data Written to Local File (Java) Tainted Path (Java) Tainted URL (Java) Universal JavaScript Access to File URLs (Java) Use of Hardware ID (Java)	Certificate Added to Root Store (C#) Open Redirect (C#) Security Annotation Conflict (C#) Tainted Path (C#) Tainted URL (C#)	KDoc References Non Public Property (detekt) Tainted Path (Java) Tainted URL (Java)	Bad Open Mode (Pylint)
OWASP-2025:A02 Security Misconfiguration	Hardcoded Authentication Hardcoded Crypto Key Hardcoded Crypto Salt Hardcoded DNS Name Hardcoded Seed in PRNG Tainted Configuration Setting	-	Class Enables Debug Features (Java) Debug Call (Java) Deprecated Transfer Protocol (Java) Hardcoded Filename (Java) Hardcoded IP Address (Java) Insecure Cookie (Java) Insecure XSLT Execution (Java) Method Enables Debug Features (Java) Possible XML External Entity Reference (Java)	Class Enables Debug Features (C#) Debug Call (C#) Hardcoded Filename (C#) Hardcoded IP Address (C#) Insecure Cookie (C#) Insecure XSLT Execution (C#) Method Enables Debug Features (C#) Possible XML External Entity Reference (C#)	Not Implemented Declaration (detekt) Possible XML External Entity Reference (Java)	Forgotten Debug Statement (Pylint)
OWASP-2025:A03 Software Supply Chain Failures	Use of AddAccessAllowedAce Use of AddAccessDeniedAce Use of AfxLoadLibrary Use of CoLoadLibrary Use of CreateFile Use of CreateProcess Use of CreateThread Use of FormatMessage Use of GetTempFileName Use of LoadLibrary Use of LoadModule Use of MoveFile Use of OemToAnsi Use of OemToChar Use of crypt Use of drem Use of gamma Use of gets Use of mkstemp Use of mktemp Use of rand Use of rand48 Function Use of random Use of tmpfile Use of tmpfile_s Use of tmpnam Use of tmpnam_s Weak Cryptography	-	Debug Warning (Java) Deprecated Cryptography Provider (Java) Deprecated Transfer Protocol (Java)	Debug Warning (C#) Deprecated Cryptography Provider (C#) Deprecated Transfer Protocol (C#)	Deprecated Cryptography Provider (Java) Forbidden Import (detekt) Forbidden Method Call (detekt)	Deprecated Method (Pylint) Deprecated Module (Pylint) Preferred Module (Pylint)
OWASP-2025:A04 Cryptographic Failures	Default Initialization of Random Number Generator Encryption without Padding Hardcoded Crypto Key Hardcoded Crypto Salt Hardcoded Seed in PRNG Plaintext Storage of Password Plaintext Transmission of Password Predictable Seed in PRNG Use of Weak Cryptographic Algorithm Use of crypt Use of rand Use of rand48 Function Use of random Weak Cryptography	-	Android Message Injection (Java) Android URL Injection (Java) Cryptographic Algorithm with Risky Default Cipher (Java) Cryptographic Algorithm with Weak Cipher (Java) Cryptographic Algorithm with Weak Hash (Java) Deprecated Cryptography Provider (Java) Deprecated Transfer Protocol (Java) Hardcoded Cryptographic Key (Java) Hardcoded Random Seed (Java) Inadequate Salt (Java) Insecure Key Derivation (Java) Insecure Random Number Generator (Java) Legacy Random Generator (Java) Missing Required Cryptographic Step (Java) Risky Cipher Algorithm (Java) Risky Cipher Field (Java) Risky Cryptographic Algorithm (Java) Risky Cryptographic Field (Java) Tainted Message (Java) Unsafe Base64 Encoding (Java) Use of Hash without a Salt (Java) Use of Same Seed (Java) Weak Cryptographic Value (Java) Weak Hash Algorithm (Java) Weak Hash Algorithm Field (Java) Weak Initialization Vector Field (Java) Weak Initialization Vector Value (Java)	Cryptographic Algorithm with Risky Default Cipher (C#) Cryptographic Algorithm with Weak Cipher (C#) Cryptographic Algorithm with Weak Hash (C#) Deprecated Cryptography Provider (C#) Deprecated Transfer Protocol (C#) Hardcoded Cryptographic Key (C#) Hardcoded Random Seed (C#) Inadequate Salt (C#) Insecure Key Derivation (C#) Insecure Random Number Generator (C#) Legacy Random Generator (C#) Missing Required Cryptographic Step (C#) Risky Cipher Algorithm (C#) Risky Cipher Field (C#) Risky Cryptographic Algorithm (C#) Risky Cryptographic Field (C#) Tainted Message (C#) Unsafe Base64 Encoding (C#) Use of Hash without a Salt (C#) Use of Same Seed (C#) Weak Cryptographic Value (C#) Weak Hash Algorithm (C#) Weak Hash Algorithm Field (C#) Weak Initialization Vector Field (C#) Weak Initialization Vector Value (C#)	Cryptographic Algorithm with Risky Default Cipher (Java) Cryptographic Algorithm with Weak Cipher (Java) Cryptographic Algorithm with Weak Hash (Java) Deprecated Cryptography Provider (Java) Hardcoded Cryptographic Key (Java) Insecure Key Derivation (Java) Missing Required Cryptographic Step (Java) Risky Cipher Algorithm (Java) Risky Cipher Field (Java) Risky Cryptographic Algorithm (Java) Risky Cryptographic Field (Java) Tainted Message (Java) Use of Hash without a Salt (Java) Weak Cryptographic Value (Java) Weak Hash Algorithm (Java) Weak Hash Algorithm Field (Java) Weak Initialization Vector Field (Java) Weak Initialization Vector Value (Java)	-
OWASP-2025:A05 Injection	Command Injection Format String Injection LDAP Injection Library Injection SQL Injection Tainted Allocation Size Tainted Buffer Access Tainted Configuration Setting Tainted Environment Variable Tainted Filename Tainted Network Address Tainted Write Untrusted Library Load Untrusted Network Host Untrusted Network Port Untrusted Process Creation Use of system	Code Injection (Ada) Command Injection (Ada) Cross Site Scripting (Ada) OS Command Injection (Ada) SQL Injection (Ada) Tainted Filename (Ada)	Android Message Injection (Java) Android URL Injection (Java) Code Injection (Java) Command Injection (Java) Cross Site Scripting (Java) Cross Site Scripting In Error Message Web Page (Java) DLL Injection (Java) DOS Injection (Java) Format String Injection (Java) Fragment Injection (Java) Method Should be final (Java) Missing Call to super (Java) Open Redirect (Java) Reflection Injection (Java) SQL Injection (Java) Static Field Too Visible (Java) Tainted @Trusted Value (Java) Tainted Allocation Size (Java) Tainted Bundle (Java) Tainted Control (Java) Tainted Data in Vulnerable Method (Java) Tainted Expression Evaluation (Java) Tainted HTTP Response (Java) Tainted Hardware Device Property (Java) Tainted LDAP Attribute (Java) Tainted LDAP Filter (Java) Tainted Log (Java) Tainted Message (Java) Tainted Network Address (Java) Tainted Path (Java) Tainted Regular Expression (Java) Tainted Resource (Java) Tainted Session (Java) Tainted URL (Java) Tainted XAML (Java) Tainted XML (Java) Tainted Xpath (Java)	Code Injection (C#) Command Injection (C#) Cross Site Scripting (C#) Cross Site Scripting In Error Message Web Page (C#) DLL Injection (C#) DOS Injection (C#) Disabled Input Validation (C#) Format String Injection (C#) Method Should be final (C#) Open Redirect (C#) Reflection Injection (C#) SQL Injection (C#) Tainted @Trusted Value (C#) Tainted Allocation Size (C#) Tainted Bundle (C#) Tainted Control (C#) Tainted Expression Evaluation (C#) Tainted HTTP Response (C#) Tainted Hardware Device Property (C#) Tainted LDAP Attribute (C#) Tainted LDAP Filter (C#) Tainted Log (C#) Tainted Message (C#) Tainted Network Address (C#) Tainted Path (C#) Tainted Regular Expression (C#) Tainted Resource (C#) Tainted Session (C#) Tainted URL (C#) Tainted XAML (C#) Tainted XML (C#) Tainted Xpath (C#)	Code Injection (Java) Command Injection (Java) Reflection Injection (Java) SQL Injection (Java) Tainted @Trusted Value (Java) Tainted Allocation Size (Java) Tainted Bundle (Java) Tainted Control (Java) Tainted Data in Vulnerable Method (Java) Tainted Expression Evaluation (Java) Tainted HTTP Response (Java) Tainted LDAP Attribute (Java) Tainted LDAP Filter (Java) Tainted Log (Java) Tainted Message (Java) Tainted Network Address (Java) Tainted Path (Java) Tainted Regular Expression (Java) Tainted Resource (Java) Tainted Session (Java) Tainted URL (Java) Tainted XAML (Java) Tainted XML (Java) Tainted Xpath (Java)	Eval Used (Pylint) Exec Used (Pylint)
OWASP-2025:A06 Insecure Design	Arctangent Domain Error Argument Too High Argument Too Low Array Parameter Mismatch Data Race File System Race Condition Floating Point Domain Error Floating Point Range Error Format String Type Error Function Call Has No Effect Gamma on Zero GlobalHandle on GMEM_FIXED Memory GlobalLock on GMEM_FIXED Memory GlobalUnlock on GMEM_FIXED Memory Hardcoded Crypto Key Incorrect Privilege Assignment LDAP Injection Library Function Override Library Injection LocalHandle on LMEM_FIXED Memory LocalLock on LMEM_FIXED Memory LocalUnlock on LMEM_FIXED Memory Logarithm on Negative Value Logarithm on Zero MAX_PATH Exceeded Negative Character Value Negative file descriptor Null Security Descriptor Plaintext Storage of Password Plaintext Transmission of Password Raises FE_INVALID Tainted Filename Type Mismatch Undefined Power of Zero Unreasonable Size Argument Use of <cctype> Function Use of <cwctype> Function Use of <fenv.h> Exception Handling Function Use of <signal.h> Use of <stdio.h> Input/Output Macro Use of <stdlib.h> Allocator/Deallocator Use of <tgmath.h> Use of <time.h> Time/Date Function Use of <wchar.h> Input/Output Use of <wchar.h> Input/Output Macro Use of AddAccessAllowedAce Use of AddAccessDeniedAce Use of AfxLoadLibrary Use of AfxParseURL Use of CoLoadLibrary Use of Condition Variable Signal Use of CreateFile Use of CreateProcess Use of CreateThread Use of FormatMessage Use of GetTempFileName Use of LoadLibrary Use of LoadModule Use of MoveFile Use of OemToAnsi Use of OemToChar Use of SHCreateProcessAsUserW Use of ShellExecute Use of StrCatChainW Use of Weak Cryptographic Algorithm Use of WinExec Use of _exec Use of _spawn Use of abort Use of atof Use of atoi Use of atol Use of atoll Use of bsearch Use of catopen Use of chroot Use of crypt Use of cuserid Use of drem Use of execlp Use of execvp Use of exit Use of gamma Use of getenv Use of getlogin Use of getopt Use of getpass Use of gets Use of getwd Use of longjmp Use of memset Use of mkstemp Use of mktemp Use of popen Use of pthread_kill Use of putenv Use of qsort Use of rand Use of rand48 Function Use of random Use of realloc Use of realpath Use of recvmsg Use of setjmp Use of setuid Use of signal Use of strcat Use of strchr Use of strcmp Use of strcoll Use of strcpy Use of strcspn Use of strlen Use of strpbrk Use of strrchr Use of strspn Use of strstr Use of strtok Use of strtrns Use of syslog Use of system Use of t_open Use of tmpfile Use of tmpfile_s Use of tmpnam Use of tmpnam_s Use of ttyname Use of vfork Weak Cryptography chroot without chdir cosh on High Number cosh on Low Number sqrt on Negative Value	Tainted Filename (Ada)	Array Parameter Empty (Java) Debug Call (Java) Hardcoded Cryptographic Key (Java) Hardcoded Password (Java) Insecure Key Derivation (Java) Insecure Random Number Generator (Java) Legacy Random Generator (Java) Method Disables Security Setting (Java) Method Names Differ Only in Case (Java) Missing synchronized Statement (Java) Non-overriding Method Signature (Java) Password in Property File (Java) Sensitive Data Written to External Storage (Java) Synchronization on Interned String (Java) Synchronization on static (Java) Tainted Bundle (Java) Tainted Message (Java) Tainted Path (Java) Tainted Session (Java) Unguarded Field (Java) Unguarded Method (Java) Unguarded Parameter (Java) Unsafe Base64 Encoding (Java)	Hardcoded Cryptographic Key (C#) Hardcoded Password (C#) Insecure Key Derivation (C#) Insecure Random Number Generator (C#) Legacy Random Generator (C#) Method Disables Security Setting (C#) Method Names Differ Only in Case (C#) Non-overriding Method Signature (C#) Password in Property File (C#) Tainted Bundle (C#) Tainted Message (C#) Tainted Path (C#) Tainted Session (C#) Unsafe Base64 Encoding (C#)	Hardcoded Cryptographic Key (Java) Hardcoded Password (Java) Insecure Key Derivation (Java) Nullable to String Call (detekt) Tainted Bundle (Java) Tainted Message (Java) Tainted Path (Java) Tainted Session (Java)	Arguments Out of Order (Pylint) Bad Open Mode (Pylint) Bad Thread Instantiation (Pylint) Format Needs Mapping (Pylint) Invalid Envvar Value (Pylint) Invalid Unary Operand Type (Pylint) Isinstance Second Argument Not Valid Type (Pylint) Keyword Arg Before Vararg (Pylint) Kwarg Superseded By Positional Arg (Pylint) Logging Format Truncated (Pylint) Logging Too Few Args (Pylint) Logging Too Many Args (Pylint) Logging Unsupported Format (Pylint) Misplaced Format Function (Pylint) Missing Format Argument Key (Pylint) Missing Format Attribute (Pylint) Missing Format String Key (Pylint) Missing Kwoa (Pylint) No Value for Parameter (Pylint) Not a Mapping (Pylint) Not an Iterable (Pylint) Positional Only Arguments Expected (Pylint) Raising Format Tuple (Pylint) Redundant Keyword Arg (Pylint) Repeated Keyword (Pylint) Super Without Brackets (Pylint) Too Few Format Args (Pylint) Too Many Format Args (Pylint) Too Many Function Args (Pylint) Truncated Format String (Pylint) Unexpected Keyword Arg (Pylint)
OWASP-2025:A07 Authentication Failures	Hardcoded Authentication Plaintext Storage of Password	-	Anonymous LDAP Authentication (Java) Hardcoded Password (Java) Hostname in Condition (Java) Insecure verifier Override for Hostname (Java) Insecure verify Override for Certificate (Java) LDAP Authentication Disabled (Java) Missing Authentication Annotation (Java) Password in Property File (Java) Unsafe Session Expiration Time (Java) Use of Insecure verify for Certificate (Java) Use of Insecure verify for Hostname (Java)	Anonymous LDAP Authentication (C#) Hardcoded Password (C#) Hostname in Condition (C#) Missing Authentication Annotation (C#) Password in Property File (C#) Unsafe Session Expiration Time (C#)	Hardcoded Password (Java)	-
OWASP-2025:A08 Software or Data Integrity Failures	Hardcoded DNS Name Potential Timebomb Tainted Environment Variable Untrusted Network Host Untrusted Network Port	-	Deserializable Class (Java) Deserializing Non-Serializable Class (Java) Potential LDAP Poisoning (Java) Reflection Bypasses Member Accessibility (Java) Reflection Modifies Member Accessibility (Java) Serialization Not Disabled (Java) Tainted Data in Vulnerable Method (Java)	Reflection Bypasses Member Accessibility (C#) Reflection Modifies Member Accessibility (C#)	Tainted Data in Vulnerable Method (Java)	Bidirectional Unicode (Pylint) Invalid Character Backspace (Pylint) Invalid Character Carriage Return (Pylint) Invalid Character Esc (Pylint) Invalid Character Nul (Pylint) Invalid Character Sub (Pylint) Invalid Character Zero Width Space (Pylint)
OWASP-2025:A09 Security Logging and Alerting Failures	Not Enough Assertions	-	Debug Warning (Java) Tainted Log (Java)	Debug Warning (C#) Tainted Log (C#)	Tainted Log (Java)	-
OWASP-2025:A10 Mishandling of Exceptional Conditions	Branch Into Handler Branch Into try Block Division By Zero Float Division By Zero Ignored Return Value Malformed switch Statement Masked by Default Handler Masked by Handler Missing break Missing default Null Pointer Dereference Unchecked Parameter Dereference	Division By Zero (Ada) Exception Always Raised (Ada) Float Division By Zero (Ada) Null Pointer Dereference (Ada)	Actual Parameter Element may be null (Java) Broad Throws Clause (Java) Call Might Return Null (Java) Empty Exception Handler (Java) Exception Information Disclosure (Java) Field Element may be null (deep) (Java) Field may be null (deep) (Java) Generic Exception Handler (Java) Ignored Return Value (Java) Ignored Return Value for Pure Function (Java) Inappropriate Exception Handler (Java) Method Should Not Return null (Java) Null Parameter Dereference (Java) Null Pointer Dereference (Java) Null Pointer Dereference (deep) (Java) Return Value may Contain null Element (Java) Return Value may be null (Java) Return null Array (Java) Return null Boolean (Java) Return null Optional (Java) Unchecked Parameter Dereference (Java) Unchecked Parameter Dereference (deep) (Java) Unchecked Parameter Element Dereference (deep) (Java) Useless null Test of Return Value (Java) null Passed to Method (deep) (Java)	Actual Parameter Element may be null (C#) Call Might Return Null (C#) Empty Exception Handler (C#) Exception Information Disclosure (C#) Field Element may be null (deep) (C#) Field may be null (deep) (C#) Generic Exception Handler (C#) Ignored Return Value (C#) Ignored Return Value for Pure Function (C#) Inappropriate Exception Handler (C#) Method Should Not Return null (C#) Null Parameter Dereference (C#) Null Pointer Dereference (C#) Null Pointer Dereference (deep) (C#) Return Value may Contain null Element (C#) Return Value may be null (C#) Return null Array (C#) Unchecked Parameter Dereference (C#) Unchecked Parameter Dereference (deep) (C#) Unchecked Parameter Element Dereference (deep) (C#) Useless null Test of Return Value (C#) null Passed to Method (deep) (C#)	Empty Catch Block (detekt) Exception Raised in Unexpected Location (detekt) Ignored Return Value (detekt) Instance of Check for Exception (detekt) Null Check on Mutable Property (detekt) Suspend Fun Swallowed Cancellation (detekt) Swallowed Exception (detekt) Throwing Exception From Finally (detekt) Throwing Exception in Main (detekt) Throwing New Instance of Same Exception (detekt) Throws Count (detekt) Too Generic Exception Caught (detekt) Too Generic Exception Thrown (detekt) Unsafe Call on Nullable Type (detekt)	Bad Except Order (Pylint) Bad Exception Cause (Pylint) Bare Except (Pylint) Binary Op Exception (Pylint) Broad Exception Caught (Pylint) Broad Exception Raised (Pylint) Catching Non Exception (Pylint) Confusing With Statement (Pylint) Continue in Finally (Pylint) Dict Iter Missing Items (Pylint) Duplicate Except (Pylint) Lost Exception (Pylint) Notimplemented Raised (Pylint) Raising Bad Type (Pylint) Raising Format Tuple (Pylint) Raising Non Exception (Pylint) Try Except Raise (Pylint) Wrong Exception Operation (Pylint)

Management Reports

The predefined OWASP Top Ten 2025 Report management report template allows you to automatically generate a report summarizing all the warnings from a particular analysis that are closely mapped to one or more of the OWASP Top 10 2025.

You can generate this report from the GUI Analysis page for the analysis of interest. For general instructions, see Task: Generate a Management Report

Enabling OWASP-2025 Rules

Because the rules are strongly tied to web application development, many of the associated checks are disabled by default.

CodeSonar ships with a taxonomy preset for OWASP-2025 checks:

owasp2025

Enables warning classes such that a given class C is enabled if all of the following are true.

C is closely mapped to one or more OWASP-2025 members (that is, it appears in the table above), and
no other classes enabled by the preset are more closely related to the same rules, and
C is not diagnostic-only (that is, it does not have a DIAG.* mnemonic).

You can apply the owasp2025 preset to the CodeSonar build/analysis as shown in the following table.

Command Line	Specify -preset owasp2025 as part of your build/analysis command. For example: codesonar analyze MyProj -preset owasp2025 localhost:7340 make
Define as a default preset	Copy owasp2025.conf from $CSONAR/codesonar/presets/ to $CSONAR/codesonar/default_presets/. OR Use the CodeSonar Configuration Tool Modify Analysis Settings option.
Windows Build Wizard	Select owasp2025 from the Preset list on screen 2.
Eclipse Plug-In	Select owasp2025 from the Presets list in the Properties dialog.
Visual Studio Plug-In	Select owasp2025 from the Presets list in the Project Properties dialog.

Enabling checks for specific security risks

To enable checks for all the warning classes associated with a specific OWASP-2025 security risk, include the following in the project configuration file:

WARNING_FILTER += allow categories:"OWASP-2025:Anum"

Anum is the OWASP-2025 item number.
To enable checks for several rule numbers, include several WARNING_FILTER lines of this form.

Enabling individual warning classes

To enable a single warning class check, follow the instructions in the documentation for the corresponding warning class. Warning class documentation links are provided above.

To report problems with this documentation, please visit https://support.codesecure.com/.