...
Built-in Test Configuration | Description |
---|---|
CWE 4.15 | Includes rules that find issues identified in the CWE standard v4.15. This test configuration is part of Parasoft Compliance Pack solution that allows you to monitor compliance with industry standards using the "Compliance" extensions on DTP. |
CWE Top 25 20242023 | Includes rules that find issues classified as Top 25 Most Dangerous Programming Errors of the CWE standard v.20242023. This test configuration is part of Parasoft Compliance Pack solution that allows you to monitor compliance with industry standards using the "Compliance" extensions on DTP. |
CWE Top 25 20232022 | Includes rules that find issues classified as Top 25 Most Dangerous Programming Errors of the CWE standard v.20232022. This test configuration is part of Parasoft Compliance Pack solution that allows you to monitor compliance with industry standards using the "Compliance" extensions on DTP. |
CWE Top 25 + On the Cusp 20242023 | Includes rules that find issues classified as Top 25 Most Dangerous Programming Errors of the CWE standard or included on the CWE Weaknesses On the Cusp list v.20242023. This test configuration is part of Parasoft Compliance Pack solution that allows you to monitor compliance with industry standards using the "Compliance" extensions on DTP. |
CWE Top 25 + On the Cusp 20232022 | Includes rules that find issues classified as Top 25 Most Dangerous Programming Errors of the CWE standard or included on the CWE Weaknesses On the Cusp list v.20232022. This test configuration is part of Parasoft Compliance Pack solution that allows you to monitor compliance with industry standards using the "Compliance" extensions on DTP. |
DISA-ASD-STIG | Includes rules that find issues identified in Application Security and Development STIG (Security Technical Implementation Guide) v.5 provided by Defense Information Systems Agency. |
HIPAA | Includes rules that find issues identified by the HIPAA (Health Insurance Portability and Accountability Act) regulations. |
OWASP API Security Top 10-2023 | Includes rules that find issues identified in OWASP’s API Security Top 10 - 2023. This test configuration is part of Parasoft Compliance Pack solution that allows you to monitor compliance with industry standards using the "Compliance" extensions on DTP. |
OWASP API Security Top 10-2019 | Includes rules that find issues identified in OWASP’s API Security Top 10 - 2019. This test configuration is part of Parasoft Compliance Pack solution that allows you to monitor compliance with industry standards using the "Compliance" extensions on DTP. |
OWASP ASVS 4.0.3 | Includes rules that enforce the requirements defined in the ASVS (Application Security Verification Standard). |
OWASP Top 10-2021 | Includes rules that find web application security risks identified in the OWASP Top 10 - 2021. This test configuration is part of Parasoft Compliance Pack solution that allows you to monitor compliance with industry standards using the "Compliance" extensions on DTP. |
OWASP Top 10-2017 | Includes rules that find web application security risks identified in the OWASP Top 10 - 2017. This test configuration is part of Parasoft Compliance Pack solution that allows you to monitor compliance with industry standards using the "Compliance" extensions on DTP. |
PCI DSS 4.0 | Includes rules that find issues identified in PCI Data Security Standard version 4.0. |
PCI DSS 3.2 | Includes rules that find issues identified in PCI Data Security Standard version 3.2. |
Security Assessment | General test configuration that finds security issues. |
UL 2900 | Includes rules that find issues identified in the UL-2900 standard. |
Microsoft Secure Coding Guidelines | Includes rules that enforce Microsoft Secure Coding Guidelines. |
VVSG 2.0 | Includes rules that enforce the specifications and requirements defined in Voluntary Voting System Guidelines 2.0. |
...
CWE Weaknesses On the Cusp 2023 Mapping
CWE ID | CWE name/description | Parasoft rule ID(s) |
---|---|---|
CWE-787 | Out-of-bounds Write |
|
CWE-79 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
|
CWE-89 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') |
|
CWE-416 | Use After Free |
|
CWE-78 | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') |
|
CWE-20 | Improper Input Validation |
|
CWE-125 | Out-of-bounds Read |
|
CWE-22 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') |
|
CWE-352 | Cross-Site Request Forgery (CSRF) |
|
CWE-434 | Unrestricted Upload of File with Dangerous Type |
|
CWE-862 | Missing Authorization |
|
CWE-476 | NULL Pointer Dereference |
|
CWE-287 | Improper Authentication |
|
CWE-190 | Integer Overflow or Wraparound |
|
CWE-502 | Deserialization of Untrusted Data |
|
CWE-77 | Improper Neutralization of Special Elements used in a Command ('Command Injection') |
|
CWE-119 | Improper Restriction of Operations within the Bounds of a Memory Buffer |
|
CWE-798 | Use of Hard-coded Credentials |
|
CWE-918 | Server-Side Request Forgery (SSRF) |
|
CWE-306 | Missing Authentication for Critical Function |
|
CWE-362 | Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') |
|
CWE-269 | Improper Privilege Management |
|
CWE-94 | Improper Control of Generation of Code ('Code Injection') |
|
CWE-863 | Incorrect Authorization |
|
CWE-276 | Incorrect Default Permissions |
|
CWE-617 | Reachable Assertion |
|
CWE-427 | Uncontrolled Search Path Element |
|
CWE-611 | Improper Restriction of XML External Entity Reference |
|
CWE-770 | Allocation of Resources Without Limits or Throttling |
|
CWE-200 | Exposure of Sensitive Information to an Unauthorized Actor |
|
CWE-732 | Incorrect Permission Assignment for Critical Resource |
|
CWE-601 | URL Redirection to Untrusted Site ('Open Redirect') |
|
CWE-1321 | Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') |
|
CWE-295 | Improper Certificate Validation |
|
CWE-522 | Insufficiently Protected Credentials |
|
CWE-401 | Missing Release of Memory after Effective Lifetime |
|
CWE-400 | Uncontrolled Resource Consumption |
|
CWE-639 | Authorization Bypass Through User-Controlled Key |
|
CWE-59 | Improper Link Resolution Before File Access ('Link Following') |
|
CWE-668 | Exposure of Resource to Wrong Sphere |
|
CWE Top 25 2022 Mapping
CWE ID | CWE name/description | Parasoft rule ID(s) |
---|---|---|
CWE-787 | Out-of-bounds Write |
|
CWE-79 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
|
CWE-89 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') |
|
CWE-20 | Improper Input Validation |
|
CWE-125 | Out-of-bounds Read |
|
CWE-78 | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') |
|
CWE-416 | Use After Free |
|
CWE-22 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') |
|
CWE-352 | Cross-Site Request Forgery (CSRF) |
|
CWE-434 | Unrestricted Upload of File with Dangerous Type |
|
CWE-476 | NULL Pointer Dereference |
|
CWE-502 | Deserialization of Untrusted Data |
|
CWE-190 | Integer Overflow or Wraparound |
|
CWE-287 | Improper Authentication |
|
CWE-798 | Use of Hard-coded Credentials |
|
CWE-862 | Missing Authorization |
|
CWE-77 | Improper Neutralization of Special Elements used in a Command ('Command Injection') |
|
CWE-306 | Missing Authentication for Critical Function |
|
CWE-119 | Improper Restriction of Operations within the Bounds of a Memory Buffer |
|
CWE-276 | Incorrect Default Permissions |
|
CWE-918 | Server-Side Request Forgery (SSRF) |
|
CWE-362 | Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') |
|
CWE-400 | Uncontrolled Resource Consumption |
|
CWE-611 | Improper Restriction of XML External Entity Reference |
|
CWE-94 | Improper Control of Generation of Code ('Code Injection') |
|
CWE Weaknesses On the Cusp 2022 Mapping
CWE ID | CWE name/description | Parasoft rule ID(s) |
---|---|---|
CWE-295 | Improper Certificate Validation |
|
CWE-427 | Uncontrolled Search Path Element |
|
CWE-863 | Incorrect Authorization |
|
CWE-269 | Improper Privilege Management |
|
CWE-732 | Incorrect Permission Assignment for Critical Resource |
|
CWE-843 | Access of Resource Using Incompatible Type ('Type Confusion') |
|
CWE-668 | Exposure of Resource to Wrong Sphere |
|
CWE-200 | Exposure of Sensitive Information to an Unauthorized Actor |
|
CWE-1321 | Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') |
|
CWE-601 | URL Redirection to Untrusted Site ('Open Redirect') |
|
CWE-401 | Missing Release of Memory after Effective Lifetime |
|
CWE-59 | Improper Link Resolution Before File Access ('Link Following') |
|
CWE-522 | Insufficiently Protected Credentials |
|
CWE-319 | Cleartext Transmission of Sensitive Information |
|
CWE-312 | Cleartext Storage of Sensitive Information |
|
CWE 4.15 Mapping
CWE ID | CWE name/description | Parasoft rule ID(s) |
---|---|---|
CWE-20 | Improper Input Validation |
|
CWE-22 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') |
|
CWE-64 | Windows Shortcut Following (.LNK) |
|
CWE-78 | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') |
|
CWE-79 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
|
CWE-80 | Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) |
|
CWE-88 | Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') |
|
CWE-89 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') |
|
CWE-90 | Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection') |
|
CWE-95 | Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') |
|
CWE-99 | Improper Control of Resource Identifiers ('Resource Injection') |
|
CWE-120 | Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') |
|
CWE-125 | Out-of-bounds Read |
|
CWE-129 | Improper Validation of Array Index |
|
CWE-131 | Incorrect Calculation of Buffer Size |
|
CWE-134 | Use of Externally-Controlled Format String |
|
CWE-190 | Integer Overflow or Wraparound |
|
CWE-191 | Integer Underflow (Wrap or Wraparound) |
|
CWE-197 | Numeric Truncation Error |
|
CWE-200 | Exposure of Sensitive Information to an Unauthorized Actor |
|
CWE-201 | Insertion of Sensitive Information Into Sent Data |
|
CWE-209 | Generation of Error Message Containing Sensitive Information |
|
CWE-212 | Improper Removal of Sensitive Information Before Storage or Transfer |
|
CWE-250 | Execution with Unnecessary Privileges |
|
CWE-252 | Unchecked Return Value |
|
CWE-256 | Plaintext Storage of a Password |
|
CWE-259 | Use of Hard-coded Password |
|
CWE-260 | Password in Configuration File |
|
CWE-269 | Improper Privilege Management |
|
CWE-287 | Improper Authentication |
|
CWE-294 | Authentication Bypass by Capture-replay |
|
CWE-295 | Improper Certificate Validation |
|
CWE-299 | Improper Check for Certificate Revocation |
|
CWE-307 | Improper Restriction of Excessive Authentication Attempts |
|
CWE-311 | Missing Encryption of Sensitive Data |
|
CWE-316 | Cleartext Storage of Sensitive Information in Memory |
|
CWE-319 | Cleartext Transmission of Sensitive Information |
|
CWE-321 | Use of Hard-coded Cryptographic Key |
|
CWE-326 | Inadequate Encryption Strength |
|
CWE-327 | Use of a Broken or Risky Cryptographic Algorithm |
|
CWE-328 | Use of Weak Hash |
|
CWE-329 | Generation of Predictable IV with CBC Mode |
|
CWE-338 | Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) |
|
CWE-350 | Reliance on Reverse DNS Resolution for a Security-Critical Action |
|
CWE-352 | Cross-Site Request Forgery (CSRF) |
|
CWE-362 | Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') |
|
CWE-369 | Divide By Zero |
|
CWE-391 | Unchecked Error Condition |
|
CWE-395 | Use of NullPointerException Catch to Detect NULL Pointer Dereference |
|
CWE-396 | Declaration of Catch for Generic Exception |
|
CWE-397 | Declaration of Throws for Generic Exception |
|
CWE-400 | Uncontrolled Resource Consumption |
|
CWE-402 | Transmission of Private Resources into a New Sphere ('Resource Leak') |
|
CWE-412 | Unrestricted Externally Accessible Lock |
|
CWE-416 | Use After Free |
|
CWE-426 | Untrusted Search Path |
|
CWE-427 | Uncontrolled Search Path Element |
|
CWE-434 | Unrestricted Upload of File with Dangerous Type |
|
CWE-456 | Missing Initialization of a Variable |
|
CWE-457 | Use of Uninitialized Variable |
|
CWE-470 | Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') |
|
CWE-472 | External Control of Assumed-Immutable Web Parameter |
|
CWE-476 | NULL Pointer Dereference |
|
CWE-480 | Use of Incorrect Operator |
|
CWE-481 | Assigning instead of Comparing |
|
CWE-494 | Download of Code Without Integrity Check |
|
CWE-499 | Serializable Class Containing Sensitive Data |
|
CWE-502 | Deserialization of Untrusted Data |
|
CWE-521 | Weak Password Requirements |
|
CWE-532 | Insertion of Sensitive Information into Log File |
|
CWE-546 | Suspicious Comment |
|
CWE-554 | ASP.NET Misconfiguration: Not Using Input Validation Framework |
|
CWE-561 | Dead Code |
|
CWE-563 | Assignment to Variable without Use |
|
CWE-570 | Expression is Always False |
|
CWE-571 | Expression is Always True |
|
CWE-595 | Comparison of Object References Instead of Object Contents |
|
CWE-601 | URL Redirection to Untrusted Site ('Open Redirect') |
|
CWE-611 | Improper Restriction of XML External Entity Reference |
|
CWE-613 | Insufficient Session Expiration |
|
CWE-614 | Sensitive Cookie in HTTPS Session Without 'Secure' Attribute |
|
CWE-617 | Reachable Assertion |
|
CWE-624 | Executable Regular Expression Error |
|
CWE-638 | Not Using Complete Mediation |
|
CWE-643 | Improper Neutralization of Data within XPath Expressions ('XPath Injection') |
|
CWE-662 | Improper Synchronization |
|
CWE-676 | Use of Potentially Dangerous Function |
|
CWE-681 | Incorrect Conversion between Numeric Types |
|
CWE-732 | Incorrect Permission Assignment for Critical Resource |
|
CWE-759 | Use of a One-Way Hash without a Salt |
|
CWE-760 | Use of a One-Way Hash with a Predictable Salt |
|
CWE-770 | Allocation of Resources Without Limits or Throttling |
|
CWE-771 | Missing Reference to Active Allocated Resource |
|
CWE-772 | Missing Release of Resource after Effective Lifetime |
|
CWE-778 | Insufficient Logging |
|
CWE-779 | Logging of Excessive Data |
|
CWE-780 | Use of RSA Algorithm without OAEP |
|
CWE-787 | Out-of-bounds Write |
|
CWE-789 | Memory Allocation with Excessive Size Value |
|
CWE-798 | Use of Hard-coded Credentials |
|
CWE-807 | Reliance on Untrusted Inputs in a Security Decision |
|
CWE-827 | Improper Control of Document Type Definition |
|
CWE-829 | Inclusion of Functionality from Untrusted Control Sphere |
|
CWE-833 | Deadlock |
|
CWE-835 | Loop with Unreachable Exit Condition ('Infinite Loop') |
|
CWE-838 | Inappropriate Encoding for Output Context |
|
CWE-862 | Missing Authorization |
|
CWE-863 | Incorrect Authorization |
|
CWE-918 | Server-Side Request Forgery (SSRF) |
|
CWE-1004 | Sensitive Cookie Without 'HttpOnly' Flag |
|
CWE-1386 | Insecure Operation on Windows Junction / Mount Point |
|