Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Veracode OWASP Mobile CWEs to Veracode Categories mapping from https://community.veracode.com/s/question/0D53n00008B34MBCAZ/cwe-mapping-to-owasp-mobile
package main
import (
"encoding/json"
"fmt"
"io/ioutil"
"log"
"os"
)
func main() {
categories := readCategories()
fmt.Println("CWE ID;CWE Name;Static Support;Dynamic Support;Veracode Severity")
for i := 0; i < len(categories); i++ {
category := categories[i]
for k := 0; k < len(category.CWEs); k++ {
categoryCWE := category.CWEs[k]
staticSupport := ""
if categoryCWE.Static {
staticSupport = "X"
}
dynamicSupport := ""
if categoryCWE.Dynamic {
dynamicSupport = "X"
}
severity := "UNKNOWN"
if categoryCWE.Severity == "0" {
severity = "0 - Informational"
}
if categoryCWE.Severity == "1" {
severity = "1 - Very Low"
}
if categoryCWE.Severity == "2" {
severity = "2 - Low"
}
if categoryCWE.Severity == "3" {
severity = "3 - Medium"
}
if categoryCWE.Severity == "4" {
severity = "4 - High"
}
if categoryCWE.Severity == "5" {
severity = "5 - Very High"
}
fmt.Printf("%s;%s;%s;%s;%s\r\n", categoryCWE.ID, categoryCWE.Name, staticSupport, dynamicSupport, severity)
}
}
}
func readCategories() []FlawCategory {
categoriesJson, err := os.Open("categories.json")
if err != nil {
log.Panicln(err)
}
defer categoriesJson.Close()
byteValue, _ := ioutil.ReadAll(categoriesJson)
var categories []FlawCategory
json.Unmarshal(byteValue, &categories)
return categories
}
type FlawCategory struct {
Name string `json:"Flaw Category"`
CWEs []CategoryCWE `json:"CWEs"`
}
type CWE struct {
ID string `json:"CWE ID"`
Name string `json:"CWE Name"`
Static bool `json:"Static"`
VeracodeSeverity string `json:"Veracode Severity"`
CategoryName string `json:"Category Name"`
}
type CategoryCWE struct {
ID string `json:"CWE ID"`
Name string `json:"CWE Name"`
Static bool `json:"Static"`
Dynamic bool `json:"Dynamic"`
VeracodeSeverity string `json:"Veracode Severity"`
Severity string `json:"Flaw Severity"`
CategoryName string `json:"Category Name"`
}
We can make this file beautiful and searchable if this error is corrected: It looks like row 86 should actually have 1 column, instead of 2. in line 85.
CWE ID;CWE Name;Static Support;Dynamic Support;Veracode Severity
234;Failure to Handle Missing Parameter;X;;3 - Medium
243;Creation of Chroot Jail Without Changing Working Directory;X;;4 - High
245;J2EE Bad Practices: Direct Management of Connections;X;;2 - Low
560;Use of Umask() with Chmod-Style Argument;X;;3 - Medium
628;Function Call with Incorrectly Specified Arguments;X;;2 - Low
675;Duplicate Operations on Resource;X;;2 - Low
287;Improper Authentication;X;X;4 - High
352;Cross-Site Request Forgery (CSRF);X;X;3 - Medium
693;Protection Mechanism Failure;X;X;3 - Medium
99;Improper Control of Resource Identifiers;X;;3 - Medium
272;Least Privilege Violation;X;;3 - Medium
273;Improper Check for Dropped Privileges;X;;3 - Medium
274;Improper Handling of Insufficient Privileges;X;;0 - Informational
282;Improper Ownership Management;X;;3 - Medium
285;Improper Authorization;X;X;3 - Medium
346;Origin Validation Error;X;;3 - Medium
350;Reliance on Reverse DNS Resolution for a Security-Critical Action;X;;3 - Medium
639;Authorization Bypass Through User-Controlled Key;X;;4 - High
566;Authorization Bypass Through User-Controlled SQL Primary Key;X;;3 - Medium
708;Incorrect Ownership Assignment;X;;4 - High
732;Incorrect Permission Assignment for Critical Resource;X;;3 - Medium
942;Permissive Cross-domain Policy with Untrusted Domains;X;X;3 - Medium
118;Improper Access of Indexable Resource (Range Error);X;;3 - Medium
125;Out-of-Bounds Read;X;;3 - Medium
129;Improper Validation of Array Index;X;;3 - Medium
135;Incorrect Calculation of Multi-Byte String Length;X;;5 - Very High
170;Improper Null Termination;X;;3 - Medium
193;Off-by-One Error;X;;3 - Medium
787;Out-of-Bounds Write;X;;3 - Medium
823;Use of Out-of-Range Pointer Offset;X;;3 - Medium
824;Access of Uninitialized Pointer;X;;3 - Medium
121;Stack-Based Buffer Overflow;X;;5 - Very High
74;Improper Neutralization of Special Elements in Output Used by a Downstream Component (Injection);;X;4 - High
91;XML Injection (Blind XPath Injection);X;X;3 - Medium
94;Improper Control of Generation of Code;X;;3 - Medium
95;Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection');X;X;5 - Very High
98;Improper Control of Filename for Include/Require Statement in PHP Program (PHP File Inclusion);X;X;4 - High
185;Incorrect Regular Expression;X;;2 - Low
830;Inclusion of Web Functionality from an Untrusted Source;;X;2 - Low
111;Direct Use of Unsafe JNI;X;;4 - High
159;Failure to Sanitize Special Element;X;;0 - Informational
401;Improper Release of Memory Before Removing Last Reference (Memory Leak);X;;2 - Low
404;Improper Resource Shutdown or Release;X;;0 - Informational
415;Double Free;X;;3 - Medium
416;Use After Free;X;;2 - Low
477;Use of Obsolete Functions;X;X;0 - Informational
479;Signal Handler Use of a Non-Reentrant Function;X;;3 - Medium
489;Leftover Debug Code;X;;3 - Medium
597;Use of Wrong Operator in String Comparison;X;;2 - Low
77;Improper Neutralization of Special Elements used in a Command (Command Injection);X;;5 - Very High
78;Improper Neutralization of Special Elements used in an OS Command (OS Command Injection);X;X;5 - Very High
88;Argument Injection or Modification;X;;3 - Medium
256;Plaintext Storage of a Password;X;;3 - Medium
259;Use of Hard-coded Password;X;;3 - Medium
522;Insufficiently Protected Credentials;X;X;3 - Medium
798;Use of Hard-code Credentials;X;;3 - Medium
93;Improper Neutralization of CRLF Sequences (CRLF Injection);X;;3 - Medium
113;Improper Neutralization of CRLF Sequences in HTTP Headers (HTTP Response Splitting);X;X;3 - Medium
117;Improper Output Neutralization for Logs;X;;3 - Medium
79;Improper Neutralization of Input During Web Page Generation (Cross-site Scripting);X;X;3 - Medium
80;Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS);X;X;3 - Medium
83;Improper Neutralization of Script in Attributes in a Web Page;X;X;3 - Medium
86;Improper Neutralization of Invalid Characters in Identifiers in Web Pages;X;;3 - Medium
261;Weak Cryptography for Passwords;X;;3 - Medium
295;Improper Certificate Validation;X;;3 - Medium
296;Improper Following of Chain of Trust for Certificate Validation;;X;3 - Medium
297;Improper Validation of Host-specific Certificate Data;X;X;3 - Medium
298;Improper Validation of Certificate Expiration;;X;3 - Medium
299;Improper Check for Certificate Revocation;;X;3 - Medium
311;Missing Encryption of Sensitive Data;X;;3 - Medium
312;Cleartext Storage of Sensitive Information;X;;3 - Medium
313;Plaintext Storage in a File or on Disk;X;;3 - Medium
316;Plaintext Storage in Memory;X;;3 - Medium
319;Cleartext Transmission of Sensitive Information;X;;3 - Medium
321;Use of Hard-coded Cryptographic Key;X;X;3 - Medium
326;Inadequate Encryption Strength;X;X;3 - Medium
327;Use of a Broken or Risky Cryptographic Algorithm;X;X;3 - Medium
328;Reversible One-Way Hash;X;;3 - Medium
329;Not Using a Random IV with CBC Mode;X;;2 - Low
330;Use of Insufficiently Random Values;X;;3 - Medium
331;Insufficient Entropy;X;;3 - Medium
338;Use of Cryptographically Weak Pseudo-Random Number Generator;X;;3 - Medium
347;Improper Verification of Cryptographic Signature;X;;2 - Low
354;Improper Validation of Integrity Check Value;X;;3 - Medium
547;Use of Hard-coded, Security-relevant Constants;X;;3 - Medium
614;Sensitive Cookie in HTTPS Session Without Secure Attribute;X;X;2 - Low
760;Use of a One-Way Hash with a Predictable Salt;X;;3 - Medium
780;Use of RSA with Optimal Asymmetric Encryption Padding;X;;3 - Medium
916;Use of Password Hash With Insufficient Computational Effort;X;;3 - Medium
242;Use of Inherently Dangerous Function;X;;5 - Very High
676;Use of Potentially Dangerous Function;X;;3 - Medium
402;Transmission of Private Resources into a New Sphere (Resource Leak);;X;3 - Medium
668;Exposure of Resource to Wrong Sphere;X;X;3 - Medium
926;Improper Export of Android Application Components;X;;3 - Medium
22;Improper Limitation of a Pathname to a Restricted Directory (Path Traversal);X;X;3 - Medium
35;Path Traversal;X;;2 - Low
73;External Control of File Name or Path;X;;3 - Medium
494;Download of Code Without Integrity Check;X;;5 - Very High
501;Trust Boundary Violation;X;;3 - Medium
502;Deserialization of Untrusted Data;X;;3 - Medium
749;Exposed Dangerous Method or Function;X;;4 - High
248;Uncaught Exception;X;;2 - Low
252;Unchecked Return Value;X;;2 - Low
134;Use of Externally-Controlled Format String;X;;5 - Very High
200;Information Exposure;X;X;2 - Low
201;Insertion of Sensitive Information Into Sent Data;X;;2 - Low
209;Information Exposure Through an Error Message;X;X;2 - Low
215;Information Exposure Through Debug Information;X;X;2 - Low
359;Exposure of Private Information (Privacy Violation);X;;2 - Low
497;Exposure of System Data to an Unauthorized Control Sphere;X;;2 - Low
526;Information Exposure Through Environmental Variables;;X;2 - Low
530;Exposure of Backup File to an Unauthorized Control Sphere;;X;2 - Low
532;Insertion of Sensitive Information into Log File;X;;2 - Low
538;File and Directory Information Exposure;;X;0 - Informational
548;Information Exposure Through Directory Listing;;X;2 - Low
611;Information Exposure Through XML External Entity Reference;X;X;3 - Medium
615;Information Exposure Through Comments;X;X;0 - Informational
665;Improper Initialization;X;;2 - Low
918;Server-side Request Forgery;X;X;3 - Medium
829;Inclusion of Functionality from Untrusted Control Sphere;X;X;3 - Medium
20;Improper Input Validation;X;;0 - Informational
90;Improper Neutralization of Special Elements Used in an LDAP Query (LDAP Injection);X;;3 - Medium
103;Struts: Incomplete validate() Method Definition;X;;3 - Medium
104;Struts: Form Bean Does Not Extend Validation Class;X;;3 - Medium
112;Missing XML Validation;X;;3 - Medium
183;Permissive List of Allowed Inputs;X;;3 - Medium
345;Insufficient Verification of Data Authenticity;X;;4 - High
434;Unrestricted Upload of File with Dangerous Type;;X;4 - High
470;Use of Externally-Controlled Input to Select Classes or Code (Unsafe Reflection);X;;3 - Medium
472;External Control of Assumed-Immutable Web Parameter;X;;3 - Medium
601;URL Redirection to Untrusted Site (Open Redirect);X;X;3 - Medium
618;Exposed Unsafe ActiveX Method;X;;5 - Very High
915;Improperly Controlled Modification of Dynamically-Determined Object Attributes;X;;3 - Medium
1174;ASP.NET Misconfiguration: Improper Model Validation;X;;2 - Low
1236;Improper Neutralization of Formula Elements in a CSV File;X;;3 - Medium
223;Omission of Security-relevant Information;X;X;2 - Low
190;Integer Overflow or Wraparound;X;;5 - Very High
191;Integer Underflow (Wrap or Wraparound);X;;3 - Medium
192;Integer Coercion Error;X;;3 - Medium
195;Signed to Unsigned Conversion Error;X;;3 - Medium
196;Unsigned to Signed Conversion Error;X;;3 - Medium
197;Numeric Truncation Error;X;;3 - Medium
398;Indicator of Poor Code Quality;X;;0 - Informational
506;Embedded Malicious Code;X;;4 - High
511;Logic/Time Bomb;X;;5 - Very High
514;Covert Channel;X;;2 - Low
656;Reliance on Security Through Obscurity;X;;0 - Informational
366;Race Condition within a Thread;X;;3 - Medium
367;Time-of-check Time-of-use (TOCTOU) Race Condition;X;;3 - Medium
421;Race Condition During Access to Alternate Channel;X;;3 - Medium
16;Configuration;;X;0 - Informational
441;Unintended Proxy or Intermediary (Confused Deputy);X;;3 - Medium
642;External Control of Critical State Data;;X;2 - Low
757;Selection of Less-Secure Algorithm During Negotiation (Algorithm Downgrade);X;X;3 - Medium
384;Session Fixation;X;X;3 - Medium
89;Improper Neutralization of Special Elements used in an SQL Command (SQL Injection);X;X;4 - High
564;SQL Injection: Hibernate;X;;4 - High
943;Improper Neutralization of Special Elements in Data Query Logic;X;;4 - High
377;Insecure Temporary File;X;;3 - Medium
382;J2EE Bad Practices: Use of System.exit();X;;2 - Low
557;Concurrency Issues;X;;2 - Low
691;Insufficient Control Flow Management;X;;0 - Informational
15;External Control of System or Configuration Setting;X;;4 - High
454;External Initialization of Trusted Variables or Data Stores;X;;0 - Informational
114;Process Control;X;;5 - Very High
426;Untrusted Search Path;X;;3 - Medium
427;Uncontrolled Search Path Element;X;;3 - Medium
[
{
"Flaw Category":"API Abuse",
"CWEs":[
{
"CWE ID":"234",
"CWE Name":"Failure to Handle Missing Parameter",
"Flaw Severity":"3",
"Static":true,
"Dynamic":false
},
{
"CWE ID":"243",
"CWE Name":"Creation of Chroot Jail Without Changing Working Directory",
"Flaw Severity":"4",
"Static":true,
"Dynamic":false
},
{
"CWE ID":"245",
"CWE Name":"J2EE Bad Practices: Direct Management of Connections",
"Flaw Severity":"2",
"Static":true,
"Dynamic":false
},
{
"CWE ID":"560",
"CWE Name":"Use of Umask() with Chmod-Style Argument",
"Flaw Severity":"3",
"Static":true,
"Dynamic":false
},
{
"CWE ID":"628",
"CWE Name":"Function Call with Incorrectly Specified Arguments",
"Flaw Severity":"2",
"Static":true,
"Dynamic":false
},
{
"CWE ID":"675",
"CWE Name":"Duplicate Operations on Resource",
"Flaw Severity":"2",
"Static":true,
"Dynamic":false
}
]
},
{
"Flaw Category":"Authentication Issues",
"CWEs":[
{
"CWE ID":"287",
"CWE Name":"Improper Authentication",
"Flaw Severity":"4",
"Static":true,
"Dynamic":true
},
{
"CWE ID":"352",
"CWE Name":"Cross-Site Request Forgery (CSRF)",
"Flaw Severity":"3",
"Static":true,
"Dynamic":true
},
{
"CWE ID":"693",
"CWE Name":"Protection Mechanism Failure",
"Flaw Severity":"3",
"Static":true,
"Dynamic":true
}
]
},
{
"Flaw Category":"Authorization Issues",
"CWEs":[
{
"CWE ID":"99",
"CWE Name":"Improper Control of Resource Identifiers",
"Flaw Severity":"3",
"Static":true,
"Dynamic":false
},
{
"CWE ID":"272",
"CWE Name":"Least Privilege Violation",
"Flaw Severity":"3",
"Static":true,
"Dynamic":false
},
{
"CWE ID":"273",
"CWE Name":"Improper Check for Dropped Privileges",
"Flaw Severity":"3",
"Static":true,
"Dynamic":false
},
{
"CWE ID":"274",
"CWE Name":"Improper Handling of Insufficient Privileges",
"Flaw Severity":"0",
"Static":true,
"Dynamic":false
},
{
"CWE ID":"282",
"CWE Name":"Improper Ownership Management",
"Flaw Severity":"3",
"Static":true,
"Dynamic":false
},
{
"CWE ID":"285",
"CWE Name":"Improper Authorization",
"Flaw Severity":"3",
"Static":true,
"Dynamic":true
},
{
"CWE ID":"346",
"CWE Name":"Origin Validation Error",
"Flaw Severity":"3",
"Static":true,
"Dynamic":false
},
{
"CWE ID":"350",
"CWE Name":"Reliance on Reverse DNS Resolution for a Security-Critical Action",
"Flaw Severity":"3",
"Static":true,
"Dynamic":false
},
{
"CWE ID":"639",
"CWE Name":"Authorization Bypass Through User-Controlled Key",
"Flaw Severity":"4",
"Static":true,
"Dynamic":false
},
{
"CWE ID":"566",
"CWE Name":"Authorization Bypass Through User-Controlled SQL Primary Key",
"Flaw Severity":"3",
"Static":true,
"Dynamic":false
},
{
"CWE ID":"708",
"CWE Name":"Incorrect Ownership Assignment",
"Flaw Severity":"4",
"Static":true,
"Dynamic":false
},
{
"CWE ID":"732",
"CWE Name":"Incorrect Permission Assignment for Critical Resource",
"Flaw Severity":"3",
"Static":true,
"Dynamic":false
},
{
"CWE ID":"942",
"CWE Name":"Permissive Cross-domain Policy with Untrusted Domains",
"Flaw Severity":"3",
"Static":true,
"Dynamic":true
}
]
},
{
"Flaw Category":"Buffer Management Errors",
"CWEs":[
{
"CWE ID":"118",
"CWE Name":"Improper Access of Indexable Resource (Range Error)",
"Flaw Severity":"3",
"Static":true,
"Dynamic":false
},
{
"CWE ID":"125",
"CWE Name":"Out-of-Bounds Read",
"Flaw Severity":"3",
"Static":true,
"Dynamic":false
},
{
"CWE ID":"129",
"CWE Name":"Improper Validation of Array Index",
"Flaw Severity":"3",
"Static":true,
"Dynamic":false
},
{
"CWE ID":"135",
"CWE Name":"Incorrect Calculation of Multi-Byte String Length",
"Flaw Severity":"5",
"Static":true,
"Dynamic":false
},
{
"CWE ID":"170",
"CWE Name":"Improper Null Termination",
"Flaw Severity":"3",
"Static":true,
"Dynamic":false
},
{
"CWE ID":"193",
"CWE Name":"Off-by-One Error",
"Flaw Severity":"3",
"Static":true,
"Dynamic":false
},
{
"CWE ID":"787",
"CWE Name":"Out-of-Bounds Write",
"Flaw Severity":"3",
"Static":true,
"Dynamic":false
},
{
"CWE ID":"823",
"CWE Name":"Use of Out-of-Range Pointer Offset",
"Flaw Severity":"3",
"Static":true,
"Dynamic":false
},
{
"CWE ID":"824",
"CWE Name":"Access of Uninitialized Pointer",
"Flaw Severity":"3",
"Static":true,
"Dynamic":false
}
]
},
{
"Flaw Category":"Buffer Overflow",
"CWEs":[
{
"CWE ID":"121",
"CWE Name":"Stack-Based Buffer Overflow",
"Flaw Severity":"5",
"Static":true,
"Dynamic":false
}
]
},
{
"Flaw Category":"Code Injection",
"CWEs":[
{
"CWE ID":"74",
"CWE Name":"Improper Neutralization of Special Elements in Output Used by a Downstream Component (Injection)",
"Flaw Severity":"4",
"Static":false,
"Dynamic":true
},
{
"CWE ID":"91",
"CWE Name":"XML Injection (Blind XPath Injection)",
"Flaw Severity":"3",
"Static":true,
"Dynamic":true
},
{
"CWE ID":"94",
"CWE Name":"Improper Control of Generation of Code",
"Flaw Severity":"3",
"Static":true,
"Dynamic":false
},
{
"CWE ID":"95",
"CWE Name":"Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')",
"Flaw Severity":"5",
"Static":true,
"Dynamic":true
},
{
"CWE ID":"98",
"CWE Name":"Improper Control of Filename for Include/Require Statement in PHP Program (PHP File Inclusion)",
"Flaw Severity":"4",
"Static":true,
"Dynamic":true
},
{
"CWE ID":"185",
"CWE Name":"Incorrect Regular Expression",
"Flaw Severity":"2",
"Static":true,
"Dynamic":false
},
{
"CWE ID":"830",
"CWE Name":"Inclusion of Web Functionality from an Untrusted Source",
"Flaw Severity":"2",
"Static":false,
"Dynamic":true
}
]
},
{
"Flaw Category":"Code Quality",
"CWEs":[
{
"CWE ID":"111",
"CWE Name":"Direct Use of Unsafe JNI",
"Flaw Severity":"4",
"Static":true,
"Dynamic":false
},
{
"CWE ID":"159",
"CWE Name":"Failure to Sanitize Special Element",
"Flaw Severity":"0",
"Static":true,
"Dynamic":false
},
{
"CWE ID":"401",
"CWE Name":"Improper Release of Memory Before Removing Last Reference (Memory Leak)",
"Flaw Severity":"2",
"Static":true,
"Dynamic":false
},
{
"CWE ID":"404",
"CWE Name":"Improper Resource Shutdown or Release",
"Flaw Severity":"0",
"Static":true,
"Dynamic":false
},
{
"CWE ID":"415",
"CWE Name":"Double Free",
"Flaw Severity":"3",
"Static":true,
"Dynamic":false
},
{
"CWE ID":"416",
"CWE Name":"Use After Free",
"Flaw Severity":"2",
"Static":true,
"Dynamic":false
},
{
"CWE ID":"477",
"CWE Name":"Use of Obsolete Functions",
"Flaw Severity":"0",
"Static":true,
"Dynamic":true
},
{
"CWE ID":"479",
"CWE Name":"Signal Handler Use of a Non-Reentrant Function",
"Flaw Severity":"3",
"Static":true,
"Dynamic":false
},
{
"CWE ID":"489",
"CWE Name":"Leftover Debug Code",
"Flaw Severity":"3",
"Static":true,
"Dynamic":false
},
{
"CWE ID":"597",
"CWE Name":"Use of Wrong Operator in String Comparison",
"Flaw Severity":"2",
"Static":true,
"Dynamic":false
}
]
},
{
"Flaw Category":"Command or Argument Injection",
"CWEs":[
{
"CWE ID":"77",
"CWE Name":"Improper Neutralization of Special Elements used in a Command (Command Injection)",
"Flaw Severity":"5",
"Static":true,
"Dynamic":false
},
{
"CWE ID":"78",
"CWE Name":"Improper Neutralization of Special Elements used in an OS Command (OS Command Injection)",
"Flaw Severity":"5",
"Static":true,
"Dynamic":true
},
{
"CWE ID":"88",
"CWE Name":"Argument Injection or Modification",
"Flaw Severity":"3",
"Static":true,
"Dynamic":false
}
]
},
{
"Flaw Category":"Credentials Management",
"CWEs":[
{
"CWE ID":"256",
"CWE Name":"Plaintext Storage of a Password",
"Flaw Severity":"3",
"Static":true,
"Dynamic":false
},
{
"CWE ID":"259",
"CWE Name":"Use of Hard-coded Password",
"Flaw Severity":"3",
"Static":true,
"Dynamic":false
},
{
"CWE ID":"522",
"CWE Name":"Insufficiently Protected Credentials",
"Flaw Severity":"3",
"Static":true,
"Dynamic":true
},
{
"CWE ID":"798",
"CWE Name":"Use of Hard-code Credentials",
"Flaw Severity":"3",
"Static":true,
"Dynamic":false
}
]
},
{
"Flaw Category":"CRLF Injection",
"CWEs":[
{
"CWE ID":"93",
"CWE Name":"Improper Neutralization of CRLF Sequences (CRLF Injection)",
"Flaw Severity":"3",
"Static":true,
"Dynamic":false
},
{
"CWE ID":"113",
"CWE Name":"Improper Neutralization of CRLF Sequences in HTTP Headers (HTTP Response Splitting)",
"Flaw Severity":"3",
"Static":true,
"Dynamic":true
},
{
"CWE ID":"117",
"CWE Name":"Improper Output Neutralization for Logs",
"Flaw Severity":"3",
"Static":true,
"Dynamic":false
}
]
},
{
"Flaw Category":"Cross-Site Scripting (XSS)",
"CWEs":[
{
"CWE ID":"79",
"CWE Name":"Improper Neutralization of Input During Web Page Generation (Cross-site Scripting)",
"Flaw Severity":"3",
"Static":true,
"Dynamic":true
},
{
"CWE ID":"80",
"CWE Name":"Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)",
"Flaw Severity":"3",
"Static":true,
"Dynamic":true
},
{
"CWE ID":"83",
"CWE Name":"Improper Neutralization of Script in Attributes in a Web Page",
"Flaw Severity":"3",
"Static":true,
"Dynamic":true
},
{
"CWE ID":"86",
"CWE Name":"Improper Neutralization of Invalid Characters in Identifiers in Web Pages",
"Flaw Severity":"3",
"Static":true,
"Dynamic":false
}
]
},
{
"Flaw Category":"Cryptographic Issues",
"CWEs":[
{
"CWE ID":"261",
"CWE Name":"Weak Cryptography for Passwords",
"Flaw Severity":"3",
"Static":true,
"Dynamic":false
},
{
"CWE ID":"295",
"CWE Name":"Improper Certificate Validation",
"Flaw Severity":"3",
"Static":true,
"Dynamic":false
},
{
"CWE ID":"296",
"CWE Name":"Improper Following of Chain of Trust for Certificate Validation",
"Flaw Severity":"3",
"Static":false,
"Dynamic":true
},
{
"CWE ID":"297",
"CWE Name":"Improper Validation of Host-specific Certificate Data",
"Flaw Severity":"3",
"Static":true,
"Dynamic":true
},
{
"CWE ID":"298",
"CWE Name":"Improper Validation of Certificate Expiration",
"Flaw Severity":"3",
"Static":false,
"Dynamic":true
},
{
"CWE ID":"299",
"CWE Name":"Improper Check for Certificate Revocation",
"Flaw Severity":"3",
"Static":false,
"Dynamic":true
},
{
"CWE ID":"311",
"CWE Name":"Missing Encryption of Sensitive Data",
"Flaw Severity":"3",
"Static":true,
"Dynamic":false
},
{
"CWE ID":"312",
"CWE Name":"Cleartext Storage of Sensitive Information",
"Flaw Severity":"3",
"Static":true,
"Dynamic":false
},
{
"CWE ID":"313",
"CWE Name":"Plaintext Storage in a File or on Disk",
"Flaw Severity":"3",
"Static":true,
"Dynamic":false
},
{
"CWE ID":"316",
"CWE Name":"Plaintext Storage in Memory",
"Flaw Severity":"3",
"Static":true,
"Dynamic":false
},
{
"CWE ID":"319",
"CWE Name":"Cleartext Transmission of Sensitive Information",
"Flaw Severity":"3",
"Static":true,
"Dynamic":false
},
{
"CWE ID":"321",
"CWE Name":"Use of Hard-coded Cryptographic Key",
"Flaw Severity":"3",
"Static":true,
"Dynamic":true
},
{
"CWE ID":"326",
"CWE Name":"Inadequate Encryption Strength",
"Flaw Severity":"3",
"Static":true,
"Dynamic":true
},
{
"CWE ID":"327",
"CWE Name":"Use of a Broken or Risky Cryptographic Algorithm",
"Flaw Severity":"3",
"Static":true,
"Dynamic":true
},
{
"CWE ID":"328",
"CWE Name":"Reversible One-Way Hash",
"Flaw Severity":"3",
"Static":true,
"Dynamic":false
},
{
"CWE ID":"329",
"CWE Name":"Not Using a Random IV with CBC Mode",
"Flaw Severity":"2",
"Static":true,
"Dynamic":false
},
{
"CWE ID":"330",
"CWE Name":"Use of Insufficiently Random Values",
"Flaw Severity":"3",
"Static":true,
"Dynamic":false
},
{
"CWE ID":"331",
"CWE Name":"Insufficient Entropy",
"Flaw Severity":"3",
"Static":true,
"Dynamic":false
},
{
"CWE ID":"338",
"CWE Name":"Use of Cryptographically Weak Pseudo-Random Number Generator",
"Flaw Severity":"3",
"Static":true,
"Dynamic":false
},
{
"CWE ID":"347",
"CWE Name":"Improper Verification of Cryptographic Signature",
"Flaw Severity":"2",
"Static":true,
"Dynamic":false
},
{
"CWE ID":"354",
"CWE Name":"Improper Validation of Integrity Check Value",
"Flaw Severity":"3",
"Static":true,
"Dynamic":false
},
{
"CWE ID":"547",
"CWE Name":"Use of Hard-coded, Security-relevant Constants",
"Flaw Severity":"3",
"Static":true,
"Dynamic":false
},
{
"CWE ID":"614",
"CWE Name":"Sensitive Cookie in HTTPS Session Without Secure Attribute",
"Flaw Severity":"2",
"Static":true,
"Dynamic":true
},
{
"CWE ID":"760",
"CWE Name":"Use of a One-Way Hash with a Predictable Salt",
"Flaw Severity":"3",
"Static":true,
"Dynamic":false
},
{
"CWE ID":"780",
"CWE Name":"Use of RSA with Optimal Asymmetric Encryption Padding",
"Flaw Severity":"3",
"Static":true,
"Dynamic":false
},
{
"CWE ID":"916",
"CWE Name":"Use of Password Hash With Insufficient Computational Effort",
"Flaw Severity":"3",
"Static":true,
"Dynamic":false
}
]
},
{
"Flaw Category":"Dangerous Functions",
"CWEs":[
{
"CWE ID":"242",
"CWE Name":"Use of Inherently Dangerous Function",
"Flaw Severity":"5",
"Static":true,
"Dynamic":false
},
{
"CWE ID":"676",
"CWE Name":"Use of Potentially Dangerous Function",
"Flaw Severity":"3",
"Static":true,
"Dynamic":false
}
]
},
{
"Flaw Category":"Deployment Configuration",
"CWEs":[
{
"CWE ID":"402",
"CWE Name":"Transmission of Private Resources into a New Sphere (Resource Leak)",
"Flaw Severity":"3",
"Static":false,
"Dynamic":true
},
{
"CWE ID":"668",
"CWE Name":"Exposure of Resource to Wrong Sphere",
"Flaw Severity":"3",
"Static":true,
"Dynamic":true
},
{
"CWE ID":"926",
"CWE Name":"Improper Export of Android Application Components",
"Flaw Severity":"3",
"Static":true,
"Dynamic":false
}
]
},
{
"Flaw Category":"Directory Traversal",
"CWEs":[
{
"CWE ID":"22",
"CWE Name":"Improper Limitation of a Pathname to a Restricted Directory (Path Traversal)",
"Flaw Severity":"3",
"Static":true,
"Dynamic":true
},
{
"CWE ID":"35",
"CWE Name":"Path Traversal",
"Flaw Severity":"2",
"Static":true,
"Dynamic":false
},
{
"CWE ID":"73",
"CWE Name":"External Control of File Name or Path",
"Flaw Severity":"3",
"Static":true,
"Dynamic":false
}
]
},
{
"Flaw Category":"Encapsulation",
"CWEs":[
{
"CWE ID":"494",
"CWE Name":"Download of Code Without Integrity Check",
"Flaw Severity":"5",
"Static":true,
"Dynamic":false
},
{
"CWE ID":"501",
"CWE Name":"Trust Boundary Violation",
"Flaw Severity":"3",
"Static":true,
"Dynamic":false
},
{
"CWE ID":"502",
"CWE Name":"Deserialization of Untrusted Data",
"Flaw Severity":"3",
"Static":true,
"Dynamic":false
},
{
"CWE ID":"749",
"CWE Name":"Exposed Dangerous Method or Function",
"Flaw Severity":"4",
"Static":true,
"Dynamic":false
}
]
},
{
"Flaw Category":"Error Handling",
"CWEs":[
{
"CWE ID":"248",
"CWE Name":"Uncaught Exception",
"Flaw Severity":"2",
"Static":true,
"Dynamic":false
},
{
"CWE ID":"252",
"CWE Name":"Unchecked Return Value",
"Flaw Severity":"2",
"Static":true,
"Dynamic":false
}
]
},
{
"Flaw Category":"Format String",
"CWEs":[
{
"CWE ID":"134",
"CWE Name":"Use of Externally-Controlled Format String",
"Flaw Severity":"5",
"Static":true,
"Dynamic":false
}
]
},
{
"Flaw Category":"Information Leakage",
"CWEs":[
{
"CWE ID":"200",
"CWE Name":"Information Exposure",
"Flaw Severity":"2",
"Static":true,
"Dynamic":true
},
{
"CWE ID":"201",
"CWE Name":"Insertion of Sensitive Information Into Sent Data",
"Flaw Severity":"2",
"Static":true,
"Dynamic":false
},
{
"CWE ID":"209",
"CWE Name":"Information Exposure Through an Error Message",
"Flaw Severity":"2",
"Static":true,
"Dynamic":true
},
{
"CWE ID":"215",
"CWE Name":"Information Exposure Through Debug Information",
"Flaw Severity":"2",
"Static":true,
"Dynamic":true
},
{
"CWE ID":"359",
"CWE Name":"Exposure of Private Information (Privacy Violation)",
"Flaw Severity":"2",
"Static":true,
"Dynamic":false
},
{
"CWE ID":"497",
"CWE Name":"Exposure of System Data to an Unauthorized Control Sphere",
"Flaw Severity":"2",
"Static":true,
"Dynamic":false
},
{
"CWE ID":"526",
"CWE Name":"Information Exposure Through Environmental Variables",
"Flaw Severity":"2",
"Static":false,
"Dynamic":true
},
{
"CWE ID":"530",
"CWE Name":"Exposure of Backup File to an Unauthorized Control Sphere",
"Flaw Severity":"2",
"Static":false,
"Dynamic":true
},
{
"CWE ID":"532",
"CWE Name":"Insertion of Sensitive Information into Log File",
"Flaw Severity":"2",
"Static":true,
"Dynamic":false
},
{
"CWE ID":"538",
"CWE Name":"File and Directory Information Exposure",
"Flaw Severity":"0",
"Static":false,
"Dynamic":true
},
{
"CWE ID":"548",
"CWE Name":"Information Exposure Through Directory Listing",
"Flaw Severity":"2",
"Static":false,
"Dynamic":true
},
{
"CWE ID":"611",
"CWE Name":"Information Exposure Through XML External Entity Reference",
"Flaw Severity":"3",
"Static":true,
"Dynamic":true
},
{
"CWE ID":"615",
"CWE Name":"Information Exposure Through Comments",
"Flaw Severity":"0",
"Static":true,
"Dynamic":true
},
{
"CWE ID":"665",
"CWE Name":"Improper Initialization",
"Flaw Severity":"2",
"Static":true,
"Dynamic":false
},
{
"CWE ID":"918",
"CWE Name":"Server-side Request Forgery",
"Flaw Severity":"3",
"Static":true,
"Dynamic":true
}
]
},
{
"Flaw Category":"Insecure Dependencies",
"CWEs":[
{
"CWE ID":"829",
"CWE Name":"Inclusion of Functionality from Untrusted Control Sphere",
"Flaw Severity":"3",
"Static":true,
"Dynamic":true
}
]
},
{
"Flaw Category":"Insufficient Input Validation",
"CWEs":[
{
"CWE ID":"20",
"CWE Name":"Improper Input Validation",
"Flaw Severity":"0",
"Static":true,
"Dynamic":false
},
{
"CWE ID":"90",
"CWE Name":"Improper Neutralization of Special Elements Used in an LDAP Query (LDAP Injection)",
"Flaw Severity":"3",
"Static":true,
"Dynamic":false
},
{
"CWE ID":"103",
"CWE Name":"Struts: Incomplete validate() Method Definition",
"Flaw Severity":"3",
"Static":true,
"Dynamic":false
},
{
"CWE ID":"104",
"CWE Name":"Struts: Form Bean Does Not Extend Validation Class",
"Flaw Severity":"3",
"Static":true,
"Dynamic":false
},
{
"CWE ID":"112",
"CWE Name":"Missing XML Validation",
"Flaw Severity":"3",
"Static":true,
"Dynamic":false
},
{
"CWE ID":"183",
"CWE Name":"Permissive List of Allowed Inputs",
"Flaw Severity":"3",
"Static":true,
"Dynamic":false
},
{
"CWE ID":"345",
"CWE Name":"Insufficient Verification of Data Authenticity",
"Flaw Severity":"4",
"Static":true,
"Dynamic":false
},
{
"CWE ID":"434",
"CWE Name":"Unrestricted Upload of File with Dangerous Type",
"Flaw Severity":"4",
"Static":false,
"Dynamic":true
},
{
"CWE ID":"470",
"CWE Name":"Use of Externally-Controlled Input to Select Classes or Code (Unsafe Reflection)",
"Flaw Severity":"3",
"Static":true,
"Dynamic":false
},
{
"CWE ID":"472",
"CWE Name":"External Control of Assumed-Immutable Web Parameter",
"Flaw Severity":"3",
"Static":true,
"Dynamic":false
},
{
"CWE ID":"601",
"CWE Name":"URL Redirection to Untrusted Site (Open Redirect)",
"Flaw Severity":"3",
"Static":true,
"Dynamic":true
},
{
"CWE ID":"618",
"CWE Name":"Exposed Unsafe ActiveX Method",
"Flaw Severity":"5",
"Static":true,
"Dynamic":false
},
{
"CWE ID":"915",
"CWE Name":"Improperly Controlled Modification of Dynamically-Determined Object Attributes",
"Flaw Severity":"3",
"Static":true,
"Dynamic":false
},
{
"CWE ID":"1174",
"CWE Name":"ASP.NET Misconfiguration: Improper Model Validation",
"Flaw Severity":"2",
"Static":true,
"Dynamic":false
},
{
"CWE ID":"1236",
"CWE Name":"Improper Neutralization of Formula Elements in a CSV File",
"Flaw Severity":"3",
"Static":true,
"Dynamic":false
}
]
},
{
"Flaw Category":"Insufficient Logging & Monitoring",
"CWEs":[
{
"CWE ID":"223",
"CWE Name":"Omission of Security-relevant Information",
"Flaw Severity":"2",
"Static":true,
"Dynamic":true
}
]
},
{
"Flaw Category":"Numeric Errors",
"CWEs":[
{
"CWE ID":"190",
"CWE Name":"Integer Overflow or Wraparound",
"Flaw Severity":"5",
"Static":true,
"Dynamic":false
},
{
"CWE ID":"191",
"CWE Name":"Integer Underflow (Wrap or Wraparound)",
"Flaw Severity":"3",
"Static":true,
"Dynamic":false
},
{
"CWE ID":"192",
"CWE Name":"Integer Coercion Error",
"Flaw Severity":"3",
"Static":true,
"Dynamic":false
},
{
"CWE ID":"195",
"CWE Name":"Signed to Unsigned Conversion Error",
"Flaw Severity":"3",
"Static":true,
"Dynamic":false
},
{
"CWE ID":"196",
"CWE Name":"Unsigned to Signed Conversion Error",
"Flaw Severity":"3",
"Static":true,
"Dynamic":false
},
{
"CWE ID":"197",
"CWE Name":"Numeric Truncation Error",
"Flaw Severity":"3",
"Static":true,
"Dynamic":false
}
]
},
{
"Flaw Category":"Potential Backdoor",
"CWEs":[
{
"CWE ID":"398",
"CWE Name":"Indicator of Poor Code Quality",
"Flaw Severity":"0",
"Static":true,
"Dynamic":false
},
{
"CWE ID":"506",
"CWE Name":"Embedded Malicious Code",
"Flaw Severity":"4",
"Static":true,
"Dynamic":false
},
{
"CWE ID":"511",
"CWE Name":"Logic/Time Bomb",
"Flaw Severity":"5",
"Static":true,
"Dynamic":false
},
{
"CWE ID":"514",
"CWE Name":"Covert Channel",
"Flaw Severity":"2",
"Static":true,
"Dynamic":false
},
{
"CWE ID":"656",
"CWE Name":"Reliance on Security Through Obscurity",
"Flaw Severity":"0",
"Static":true,
"Dynamic":false
}
]
},
{
"Flaw Category":"Race Conditions",
"CWEs":[
{
"CWE ID":"366",
"CWE Name":"Race Condition within a Thread",
"Flaw Severity":"3",
"Static":true,
"Dynamic":false
},
{
"CWE ID":"367",
"CWE Name":"Time-of-check Time-of-use (TOCTOU) Race Condition",
"Flaw Severity":"3",
"Static":true,
"Dynamic":false
},
{
"CWE ID":"421",
"CWE Name":"Race Condition During Access to Alternate Channel",
"Flaw Severity":"3",
"Static":true,
"Dynamic":false
}
]
},
{
"Flaw Category":"Server Configuration",
"CWEs":[
{
"CWE ID":"16",
"CWE Name":"Configuration",
"Flaw Severity":"0",
"Static":false,
"Dynamic":true
},
{
"CWE ID":"441",
"CWE Name":"Unintended Proxy or Intermediary (Confused Deputy)",
"Flaw Severity":"3",
"Static":true,
"Dynamic":false
},
{
"CWE ID":"642",
"CWE Name":"External Control of Critical State Data",
"Flaw Severity":"2",
"Static":false,
"Dynamic":true
},
{
"CWE ID":"757",
"CWE Name":"Selection of Less-Secure Algorithm During Negotiation (Algorithm Downgrade)",
"Flaw Severity":"3",
"Static":true,
"Dynamic":true
}
]
},
{
"Flaw Category":"Session Fixation",
"CWEs":[
{
"CWE ID":"384",
"CWE Name":"Session Fixation",
"Flaw Severity":"3",
"Static":true,
"Dynamic":true
}
]
},
{
"Flaw Category":"SQL Injection",
"CWEs":[
{
"CWE ID":"89",
"CWE Name":"Improper Neutralization of Special Elements used in an SQL Command (SQL Injection)",
"Flaw Severity":"4",
"Static":true,
"Dynamic":true
},
{
"CWE ID":"564",
"CWE Name":"SQL Injection: Hibernate",
"Flaw Severity":"4",
"Static":true,
"Dynamic":false
},
{
"CWE ID":"943",
"CWE Name":"Improper Neutralization of Special Elements in Data Query Logic",
"Flaw Severity":"4",
"Static":true,
"Dynamic":false
}
]
},
{
"Flaw Category":"Time and State",
"CWEs":[
{
"CWE ID":"377",
"CWE Name":"Insecure Temporary File",
"Flaw Severity":"3",
"Static":true,
"Dynamic":false
},
{
"CWE ID":"382",
"CWE Name":"J2EE Bad Practices: Use of System.exit()",
"Flaw Severity":"2",
"Static":true,
"Dynamic":false
},
{
"CWE ID":"557",
"CWE Name":"Concurrency Issues",
"Flaw Severity":"2",
"Static":true,
"Dynamic":false
},
{
"CWE ID":"691",
"CWE Name":"Insufficient Control Flow Management",
"Flaw Severity":"0",
"Static":true,
"Dynamic":false
}
]
},
{
"Flaw Category":"Untrusted Initialization",
"CWEs":[
{
"CWE ID":"15",
"CWE Name":"External Control of System or Configuration Setting",
"Flaw Severity":"4",
"Static":true,
"Dynamic":false
},
{
"CWE ID":"454",
"CWE Name":"External Initialization of Trusted Variables or Data Stores",
"Flaw Severity":"0",
"Static":true,
"Dynamic":false
}
]
},
{
"Flaw Category":"Untrusted Search Path",
"CWEs":[
{
"CWE ID":"114",
"CWE Name":"Process Control",
"Flaw Severity":"5",
"Static":true,
"Dynamic":false
},
{
"CWE ID":"426",
"CWE Name":"Untrusted Search Path",
"Flaw Severity":"3",
"Static":true,
"Dynamic":false
},
{
"CWE ID":"427",
"CWE Name":"Uncontrolled Search Path Element",
"Flaw Severity":"3",
"Static":true,
"Dynamic":false
}
]
}
]
[
{
"CWE ID":"15",
"CWE Name":"External Control of System or Configuration Setting",
"Static":true,
"Veracode Severity":"4 - High"
},
{
"CWE ID":"73",
"CWE Name":"External Control of File Name or Path",
"Static":true,
"Veracode Severity":"3 - Medium"
},
{
"CWE ID":"77",
"CWE Name":"Improper Neutralization of Special Elements in a Command",
"Static":true,
"Veracode Severity":"5 - Very High"
},
{
"CWE ID":"78",
"CWE Name":"Improper Neutralization of Special Elements in an OS Command",
"Static":true,
"Veracode Severity":"5 - Very High"
},
{
"CWE ID":"80",
"CWE Name":"Improper Neutralization of Script Related HTML Tags",
"Static":true,
"Veracode Severity":"3 - Medium"
},
{
"CWE ID":"88",
"CWE Name":"Improper Neutralization of Argument Delimeters",
"Static":true,
"Veracode Severity":"3 - Medium"
},
{
"CWE ID":"89",
"CWE Name":"Improper Neutralization of Special Elements used in an SQL Command (SQL Injection)",
"Static":true,
"Veracode Severity":"4 - High"
},
{
"CWE ID":"114",
"CWE Name":"Process Control",
"Static":true,
"Veracode Severity":"5 - Very High"
},
{
"CWE ID":"183",
"CWE Name":"Permissive List of Allowed Inputs",
"Static":true,
"Veracode Severity":"3 - Medium"
},
{
"CWE ID":"201",
"CWE Name":"Information Exposure Through Sent Data",
"Static":true,
"Veracode Severity":"2 - Low"
},
{
"CWE ID":"209",
"CWE Name":"Information Exposure Through an Error Message",
"Static":true,
"Veracode Severity":"2 - Low"
},
{
"CWE ID":"215",
"CWE Name":"Information Exposure Through Debug Information",
"Static":true,
"Veracode Severity":"2 - Low"
},
{
"CWE ID":"242",
"CWE Name":"Use of Inherently Dangerous Function",
"Static":true,
"Veracode Severity":"5 - Very High"
},
{
"CWE ID":"252",
"CWE Name":"Unchecked Return Value",
"Static":true,
"Veracode Severity":"2 - Low"
},
{
"CWE ID":"256",
"CWE Name":"Unprotected Storage of Credentials",
"Static":true,
"Veracode Severity":"3 - Medium"
},
{
"CWE ID":"259",
"CWE Name":"Use of Hard-coded Password",
"Static":true,
"Veracode Severity":"3 - Medium"
},
{
"CWE ID":"287",
"CWE Name":"Improper Authentication",
"Static":true,
"Veracode Severity":"4 - High"
},
{
"CWE ID":"296",
"CWE Name":"Improper Following of a Certificate's Chain of Trust",
"Static":false,
"Veracode Severity":"3 - Medium"
},
{
"CWE ID":"297",
"CWE Name":"Improper Validation of Certificate with Host Mismatch",
"Static":true,
"Veracode Severity":"3 - Medium"
},
{
"CWE ID":"311",
"CWE Name":"Missing Encryption of Sensitive Data",
"Static":true,
"Veracode Severity":"3 - Medium"
},
{
"CWE ID":"312",
"CWE Name":"Cleartext Storage of Sensitive Information",
"Static":true,
"Veracode Severity":"3 - Medium"
},
{
"CWE ID":"313",
"CWE Name":"Cleartext Storage in a File or on Disk",
"Static":true,
"Veracode Severity":"3 - Medium"
},
{
"CWE ID":"316",
"CWE Name":"Cleartext Storage of Sensitive Information in Memory",
"Static":true,
"Veracode Severity":"3 - Medium"
},
{
"CWE ID":"319",
"CWE Name":"Cleartext Transmission of Sensitive Information",
"Static":true,
"Veracode Severity":"3 - Medium"
},
{
"CWE ID":"321",
"CWE Name":"Use of Hard-coded Cryptographic Key",
"Static":true,
"Veracode Severity":"3 - Medium"
},
{
"CWE ID":"326",
"CWE Name":"Inadequate Encryption Strength",
"Static":true,
"Veracode Severity":"3 - Medium"
},
{
"CWE ID":"327",
"CWE Name":"Use of a Broken or Risky Cryptographic Algorithm",
"Static":true,
"Veracode Severity":"3 - Medium"
},
{
"CWE ID":"329",
"CWE Name":"Not Using a Random IV with CBC Mode",
"Static":true,
"Veracode Severity":"2 - Low"
},
{
"CWE ID":"331",
"CWE Name":"Insufficient Entropy",
"Static":true,
"Veracode Severity":"3 - Medium"
},
{
"CWE ID":"345",
"CWE Name":"Insufficient Verification of Data Authenticity",
"Static":true,
"Veracode Severity":"4 - High"
},
{
"CWE ID":"347",
"CWE Name":"Improper Verification of Cryptographic Signature",
"Static":true,
"Veracode Severity":"2 - Low"
},
{
"CWE ID":"354",
"CWE Name":"Improper Validation of Integrity Check Value",
"Static":true,
"Veracode Severity":"3 - Medium"
},
{
"CWE ID":"377",
"CWE Name":"Insecure Temporary File",
"Static":true,
"Veracode Severity":"3 - Medium"
},
{
"CWE ID":"378",
"CWE Name":"Creation of Temporary File With Insecure Permissions",
"Static":false,
"Veracode Severity":"3 - Medium"
},
{
"CWE ID":"404",
"CWE Name":"Improper Resource Shutdown",
"Static":true,
"Veracode Severity":"0 - Informational"
},
{
"CWE ID":"415",
"CWE Name":"Double Free",
"Static":true,
"Veracode Severity":"3 - Medium"
},
{
"CWE ID":"416",
"CWE Name":"Use After Free",
"Static":true,
"Veracode Severity":"2 - Low"
},
{
"CWE ID":"470",
"CWE Name":"Use of Externally-Controlled Input to Select Classes or Code (Unsafe Reflection)",
"Static":true,
"Veracode Severity":"3 - Medium"
},
{
"CWE ID":"489",
"CWE Name":"Leftover Debug Code",
"Static":true,
"Veracode Severity":"3 - Medium"
},
{
"CWE ID":"497",
"CWE Name":"Exposure of System Data to an Unauthorized Control Sphere",
"Static":true,
"Veracode Severity":"2 - Low"
},
{
"CWE ID":"501",
"CWE Name":"Trust Boundary Violation",
"Static":true,
"Veracode Severity":"3 - Medium"
},
{
"CWE ID":"506",
"CWE Name":"Embedded Malicious Code",
"Static":true,
"Veracode Severity":"4 - High"
},
{
"CWE ID":"511",
"CWE Name":"Logic/Time Bomb",
"Static":true,
"Veracode Severity":"5 - Very High"
},
{
"CWE ID":"514",
"CWE Name":"Covert Channel",
"Static":true,
"Veracode Severity":"2 - Low"
},
{
"CWE ID":"522",
"CWE Name":"Insufficiently Protected Credentials",
"Static":true,
"Veracode Severity":"3 - Medium"
},
{
"CWE ID":"601",
"CWE Name":"URL Redirection to Untrusted Site",
"Static":true,
"Veracode Severity":"3 - Medium"
},
{
"CWE ID":"614",
"CWE Name":"Sensitive Cookie without Secure Attribute",
"Static":true,
"Veracode Severity":"2 - Low"
},
{
"CWE ID":"676",
"CWE Name":"Use of Potentially Dangerous Function",
"Static":true,
"Veracode Severity":"3 - Medium"
},
{
"CWE ID":"693",
"CWE Name":"Protection Mechanism Failure",
"Static":true,
"Veracode Severity":"3 - Medium"
},
{
"CWE ID":"732",
"CWE Name":"Incorrect Permission Assignment for Critical Resource",
"Static":true,
"Veracode Severity":"3 - Medium"
},
{
"CWE ID":"757",
"CWE Name":"Selection of Less Secure Algorithm During Negotiation",
"Static":true,
"Veracode Severity":"3 - Medium"
},
{
"CWE ID":"798",
"CWE Name":"Use of Hard-coded Credentials",
"Static":true,
"Veracode Severity":"3 - Medium"
}
]
package main
import (
"encoding/json"
"fmt"
"io/ioutil"
"log"
"os"
)
func main() {
categories := readCategories()
mobileCWEs := readMobileCWEs()
updatedMobileCWEs := augmentWithCategories(mobileCWEs, categories)
//outputNewJson(updatedMobileCWEs)
outputNewExcelCsv(updatedMobileCWEs)
}
func readCategories() []FlawCategory {
categoriesJson, err := os.Open("categories.json")
if err != nil {
log.Panicln(err)
}
defer categoriesJson.Close()
byteValue, _ := ioutil.ReadAll(categoriesJson)
var categories []FlawCategory
json.Unmarshal(byteValue, &categories)
return categories
}
func readMobileCWEs() []CWE {
mobileCwesJson, err := os.Open("cwes-mobile.json")
if err != nil {
log.Panicln(err)
}
defer mobileCwesJson.Close()
byteValue, _ := ioutil.ReadAll(mobileCwesJson)
var mobileCwes []CWE
json.Unmarshal(byteValue, &mobileCwes)
return mobileCwes
}
func augmentWithCategories(mobileCWEs []CWE, categories []FlawCategory) []CWE {
var newMobileCwes []CWE
// O^3, don't run this on large inputs
for i := 0; i < len(mobileCWEs); i++ {
mobileCWE := mobileCWEs[i]
if !mobileCWE.Static {
//log.Printf("DEBUG: Skipping unsupported CWE %s", mobileCWE.ID)
newMobileCwes = append(newMobileCwes, mobileCWE)
continue
}
//log.Printf("DEBUG: Looking for a category for CWE %s", mobileCWE.ID)
for j := 0; j < len(categories) && mobileCWE.CategoryName == ""; j++ {
category := categories[j]
//log.Printf("DEBUG: Inspecting category %s", category.Name)
for k := 0; k < len(category.CWEs) && mobileCWE.CategoryName == ""; k++ {
categoryCWE := category.CWEs[k]
//log.Printf("DEBUG: Inspecting category CWE %s", categoryCWE.ID)
if mobileCWE.ID == categoryCWE.ID {
// log.Printf(
// "DEBUG: %s==%s MATCH, setting CategoryName to %s",
// mobileCWE.ID,
// categoryCWE.ID,
// category.Name,
// )
mobileCWE.CategoryName = category.Name
}
}
}
if mobileCWE.CategoryName == "" {
log.Printf("WARN no category found for CWE %s", mobileCWE.ID)
}
newMobileCwes = append(newMobileCwes, mobileCWE)
}
return newMobileCwes
}
func outputNewJson(mobileCwes []CWE) {
bytes, _ := json.MarshalIndent(mobileCwes, "", "\t")
fmt.Print(string(bytes))
}
func outputNewExcelCsv(mobileCWEs []CWE) {
fmt.Println("\"Category Name\";\"ID\";\"Name\";\"Static\";\"Veracode Severity\"")
for i := 0; i < len(mobileCWEs); i++ {
mobileCWE := mobileCWEs[i]
static := ""
if mobileCWE.Static {
static = "X"
}
fmt.Printf(
"\"%s\";\"%s\";\"%s\";\"%s\";\"%s\"\n",
mobileCWE.CategoryName,
mobileCWE.ID,
mobileCWE.Name,
static,
mobileCWE.VeracodeSeverity,
)
}
}
type FlawCategory struct {
Name string `json:"Flaw Category"`
CWEs []CategoryCWE `json:"CWEs"`
}
type CWE struct {
ID string `json:"CWE ID"`
Name string `json:"CWE Name"`
Static bool `json:"Static"`
VeracodeSeverity string `json:"Veracode Severity"`
CategoryName string `json:"Category Name"`
}
type CategoryCWE struct {
ID string `json:"CWE ID"`
Name string `json:"CWE Name"`
Static bool `json:"Static"`
Dynamic bool `json:"Dynamic"`
VeracodeSeverity string `json:"Veracode Severity"`
Severity string `json:"Flaw Severity"`
CategoryName string `json:"Category Name"`
}
We can make this file beautiful and searchable if this error is corrected: No commas found in this CSV file in line 0.
"Category Name";"ID";"Name";"Static";"Veracode Severity"
"Untrusted Initialization";"15";"External Control of System or Configuration Setting";"X";"4 - High"
"Directory Traversal";"73";"External Control of File Name or Path";"X";"3 - Medium"
"Command or Argument Injection";"77";"Improper Neutralization of Special Elements in a Command";"X";"5 - Very High"
"Command or Argument Injection";"78";"Improper Neutralization of Special Elements in an OS Command";"X";"5 - Very High"
"Cross-Site Scripting (XSS)";"80";"Improper Neutralization of Script Related HTML Tags";"X";"3 - Medium"
"Command or Argument Injection";"88";"Improper Neutralization of Argument Delimeters";"X";"3 - Medium"
"SQL Injection";"89";"Improper Neutralization of Special Elements used in an SQL Command (SQL Injection)";"X";"4 - High"
"Untrusted Search Path";"114";"Process Control";"X";"5 - Very High"
"Insufficient Input Validation";"183";"Permissive List of Allowed Inputs";"X";"3 - Medium"
"Information Leakage";"201";"Information Exposure Through Sent Data";"X";"2 - Low"
"Information Leakage";"209";"Information Exposure Through an Error Message";"X";"2 - Low"
"Information Leakage";"215";"Information Exposure Through Debug Information";"X";"2 - Low"
"Dangerous Functions";"242";"Use of Inherently Dangerous Function";"X";"5 - Very High"
"Error Handling";"252";"Unchecked Return Value";"X";"2 - Low"
"Credentials Management";"256";"Unprotected Storage of Credentials";"X";"3 - Medium"
"Credentials Management";"259";"Use of Hard-coded Password";"X";"3 - Medium"
"Authentication Issues";"287";"Improper Authentication";"X";"4 - High"
"";"296";"Improper Following of a Certificate's Chain of Trust";"";"3 - Medium"
"Cryptographic Issues";"297";"Improper Validation of Certificate with Host Mismatch";"X";"3 - Medium"
"Cryptographic Issues";"311";"Missing Encryption of Sensitive Data";"X";"3 - Medium"
"Cryptographic Issues";"312";"Cleartext Storage of Sensitive Information";"X";"3 - Medium"
"Cryptographic Issues";"313";"Cleartext Storage in a File or on Disk";"X";"3 - Medium"
"Cryptographic Issues";"316";"Cleartext Storage of Sensitive Information in Memory";"X";"3 - Medium"
"Cryptographic Issues";"319";"Cleartext Transmission of Sensitive Information";"X";"3 - Medium"
"Cryptographic Issues";"321";"Use of Hard-coded Cryptographic Key";"X";"3 - Medium"
"Cryptographic Issues";"326";"Inadequate Encryption Strength";"X";"3 - Medium"
"Cryptographic Issues";"327";"Use of a Broken or Risky Cryptographic Algorithm";"X";"3 - Medium"
"Cryptographic Issues";"329";"Not Using a Random IV with CBC Mode";"X";"2 - Low"
"Cryptographic Issues";"331";"Insufficient Entropy";"X";"3 - Medium"
"Insufficient Input Validation";"345";"Insufficient Verification of Data Authenticity";"X";"4 - High"
"Cryptographic Issues";"347";"Improper Verification of Cryptographic Signature";"X";"2 - Low"
"Cryptographic Issues";"354";"Improper Validation of Integrity Check Value";"X";"3 - Medium"
"Time and State";"377";"Insecure Temporary File";"X";"3 - Medium"
"";"378";"Creation of Temporary File With Insecure Permissions";"";"3 - Medium"
"Code Quality";"404";"Improper Resource Shutdown";"X";"0 - Informational"
"Code Quality";"415";"Double Free";"X";"3 - Medium"
"Code Quality";"416";"Use After Free";"X";"2 - Low"
"Insufficient Input Validation";"470";"Use of Externally-Controlled Input to Select Classes or Code (Unsafe Reflection)";"X";"3 - Medium"
"Code Quality";"489";"Leftover Debug Code";"X";"3 - Medium"
"Information Leakage";"497";"Exposure of System Data to an Unauthorized Control Sphere";"X";"2 - Low"
"Encapsulation";"501";"Trust Boundary Violation";"X";"3 - Medium"
"Potential Backdoor";"506";"Embedded Malicious Code";"X";"4 - High"
"Potential Backdoor";"511";"Logic/Time Bomb";"X";"5 - Very High"
"Potential Backdoor";"514";"Covert Channel";"X";"2 - Low"
"Credentials Management";"522";"Insufficiently Protected Credentials";"X";"3 - Medium"
"Insufficient Input Validation";"601";"URL Redirection to Untrusted Site";"X";"3 - Medium"
"Cryptographic Issues";"614";"Sensitive Cookie without Secure Attribute";"X";"2 - Low"
"Dangerous Functions";"676";"Use of Potentially Dangerous Function";"X";"3 - Medium"
"Authentication Issues";"693";"Protection Mechanism Failure";"X";"3 - Medium"
"Authorization Issues";"732";"Incorrect Permission Assignment for Critical Resource";"X";"3 - Medium"
"Server Configuration";"757";"Selection of Less Secure Algorithm During Negotiation";"X";"3 - Medium"
"Credentials Management";"798";"Use of Hard-coded Credentials";"X";"3 - Medium"
[
{
"CWE ID": "15",
"CWE Name": "External Control of System or Configuration Setting",
"Static": true,
"Veracode Severity": "4 - High",
"Category Name": "Untrusted Initialization"
},
{
"CWE ID": "73",
"CWE Name": "External Control of File Name or Path",
"Static": true,
"Veracode Severity": "3 - Medium",
"Category Name": "Directory Traversal"
},
{
"CWE ID": "77",
"CWE Name": "Improper Neutralization of Special Elements in a Command",
"Static": true,
"Veracode Severity": "5 - Very High",
"Category Name": "Command or Argument Injection"
},
{
"CWE ID": "78",
"CWE Name": "Improper Neutralization of Special Elements in an OS Command",
"Static": true,
"Veracode Severity": "5 - Very High",
"Category Name": "Command or Argument Injection"
},
{
"CWE ID": "80",
"CWE Name": "Improper Neutralization of Script Related HTML Tags",
"Static": true,
"Veracode Severity": "3 - Medium",
"Category Name": "Cross-Site Scripting (XSS)"
},
{
"CWE ID": "88",
"CWE Name": "Improper Neutralization of Argument Delimeters",
"Static": true,
"Veracode Severity": "3 - Medium",
"Category Name": "Command or Argument Injection"
},
{
"CWE ID": "89",
"CWE Name": "Improper Neutralization of Special Elements used in an SQL Command (SQL Injection)",
"Static": true,
"Veracode Severity": "4 - High",
"Category Name": "SQL Injection"
},
{
"CWE ID": "114",
"CWE Name": "Process Control",
"Static": true,
"Veracode Severity": "5 - Very High",
"Category Name": "Untrusted Search Path"
},
{
"CWE ID": "183",
"CWE Name": "Permissive List of Allowed Inputs",
"Static": true,
"Veracode Severity": "3 - Medium",
"Category Name": "Insufficient Input Validation"
},
{
"CWE ID": "201",
"CWE Name": "Information Exposure Through Sent Data",
"Static": true,
"Veracode Severity": "2 - Low",
"Category Name": "Information Leakage"
},
{
"CWE ID": "209",
"CWE Name": "Information Exposure Through an Error Message",
"Static": true,
"Veracode Severity": "2 - Low",
"Category Name": "Information Leakage"
},
{
"CWE ID": "215",
"CWE Name": "Information Exposure Through Debug Information",
"Static": true,
"Veracode Severity": "2 - Low",
"Category Name": "Information Leakage"
},
{
"CWE ID": "242",
"CWE Name": "Use of Inherently Dangerous Function",
"Static": true,
"Veracode Severity": "5 - Very High",
"Category Name": "Dangerous Functions"
},
{
"CWE ID": "252",
"CWE Name": "Unchecked Return Value",
"Static": true,
"Veracode Severity": "2 - Low",
"Category Name": "Error Handling"
},
{
"CWE ID": "256",
"CWE Name": "Unprotected Storage of Credentials",
"Static": true,
"Veracode Severity": "3 - Medium",
"Category Name": "Credentials Management"
},
{
"CWE ID": "259",
"CWE Name": "Use of Hard-coded Password",
"Static": true,
"Veracode Severity": "3 - Medium",
"Category Name": "Credentials Management"
},
{
"CWE ID": "287",
"CWE Name": "Improper Authentication",
"Static": true,
"Veracode Severity": "4 - High",
"Category Name": "Authentication Issues"
},
{
"CWE ID": "296",
"CWE Name": "Improper Following of a Certificate's Chain of Trust",
"Static": false,
"Veracode Severity": "3 - Medium",
"Category Name": ""
},
{
"CWE ID": "297",
"CWE Name": "Improper Validation of Certificate with Host Mismatch",
"Static": true,
"Veracode Severity": "3 - Medium",
"Category Name": "Cryptographic Issues"
},
{
"CWE ID": "311",
"CWE Name": "Missing Encryption of Sensitive Data",
"Static": true,
"Veracode Severity": "3 - Medium",
"Category Name": "Cryptographic Issues"
},
{
"CWE ID": "312",
"CWE Name": "Cleartext Storage of Sensitive Information",
"Static": true,
"Veracode Severity": "3 - Medium",
"Category Name": "Cryptographic Issues"
},
{
"CWE ID": "313",
"CWE Name": "Cleartext Storage in a File or on Disk",
"Static": true,
"Veracode Severity": "3 - Medium",
"Category Name": "Cryptographic Issues"
},
{
"CWE ID": "316",
"CWE Name": "Cleartext Storage of Sensitive Information in Memory",
"Static": true,
"Veracode Severity": "3 - Medium",
"Category Name": "Cryptographic Issues"
},
{
"CWE ID": "319",
"CWE Name": "Cleartext Transmission of Sensitive Information",
"Static": true,
"Veracode Severity": "3 - Medium",
"Category Name": "Cryptographic Issues"
},
{
"CWE ID": "321",
"CWE Name": "Use of Hard-coded Cryptographic Key",
"Static": true,
"Veracode Severity": "3 - Medium",
"Category Name": "Cryptographic Issues"
},
{
"CWE ID": "326",
"CWE Name": "Inadequate Encryption Strength",
"Static": true,
"Veracode Severity": "3 - Medium",
"Category Name": "Cryptographic Issues"
},
{
"CWE ID": "327",
"CWE Name": "Use of a Broken or Risky Cryptographic Algorithm",
"Static": true,
"Veracode Severity": "3 - Medium",
"Category Name": "Cryptographic Issues"
},
{
"CWE ID": "329",
"CWE Name": "Not Using a Random IV with CBC Mode",
"Static": true,
"Veracode Severity": "2 - Low",
"Category Name": "Cryptographic Issues"
},
{
"CWE ID": "331",
"CWE Name": "Insufficient Entropy",
"Static": true,
"Veracode Severity": "3 - Medium",
"Category Name": "Cryptographic Issues"
},
{
"CWE ID": "345",
"CWE Name": "Insufficient Verification of Data Authenticity",
"Static": true,
"Veracode Severity": "4 - High",
"Category Name": "Insufficient Input Validation"
},
{
"CWE ID": "347",
"CWE Name": "Improper Verification of Cryptographic Signature",
"Static": true,
"Veracode Severity": "2 - Low",
"Category Name": "Cryptographic Issues"
},
{
"CWE ID": "354",
"CWE Name": "Improper Validation of Integrity Check Value",
"Static": true,
"Veracode Severity": "3 - Medium",
"Category Name": "Cryptographic Issues"
},
{
"CWE ID": "377",
"CWE Name": "Insecure Temporary File",
"Static": true,
"Veracode Severity": "3 - Medium",
"Category Name": "Time and State"
},
{
"CWE ID": "378",
"CWE Name": "Creation of Temporary File With Insecure Permissions",
"Static": false,
"Veracode Severity": "3 - Medium",
"Category Name": ""
},
{
"CWE ID": "404",
"CWE Name": "Improper Resource Shutdown",
"Static": true,
"Veracode Severity": "0 - Informational",
"Category Name": "Code Quality"
},
{
"CWE ID": "415",
"CWE Name": "Double Free",
"Static": true,
"Veracode Severity": "3 - Medium",
"Category Name": "Code Quality"
},
{
"CWE ID": "416",
"CWE Name": "Use After Free",
"Static": true,
"Veracode Severity": "2 - Low",
"Category Name": "Code Quality"
},
{
"CWE ID": "470",
"CWE Name": "Use of Externally-Controlled Input to Select Classes or Code (Unsafe Reflection)",
"Static": true,
"Veracode Severity": "3 - Medium",
"Category Name": "Insufficient Input Validation"
},
{
"CWE ID": "489",
"CWE Name": "Leftover Debug Code",
"Static": true,
"Veracode Severity": "3 - Medium",
"Category Name": "Code Quality"
},
{
"CWE ID": "497",
"CWE Name": "Exposure of System Data to an Unauthorized Control Sphere",
"Static": true,
"Veracode Severity": "2 - Low",
"Category Name": "Information Leakage"
},
{
"CWE ID": "501",
"CWE Name": "Trust Boundary Violation",
"Static": true,
"Veracode Severity": "3 - Medium",
"Category Name": "Encapsulation"
},
{
"CWE ID": "506",
"CWE Name": "Embedded Malicious Code",
"Static": true,
"Veracode Severity": "4 - High",
"Category Name": "Potential Backdoor"
},
{
"CWE ID": "511",
"CWE Name": "Logic/Time Bomb",
"Static": true,
"Veracode Severity": "5 - Very High",
"Category Name": "Potential Backdoor"
},
{
"CWE ID": "514",
"CWE Name": "Covert Channel",
"Static": true,
"Veracode Severity": "2 - Low",
"Category Name": "Potential Backdoor"
},
{
"CWE ID": "522",
"CWE Name": "Insufficiently Protected Credentials",
"Static": true,
"Veracode Severity": "3 - Medium",
"Category Name": "Credentials Management"
},
{
"CWE ID": "601",
"CWE Name": "URL Redirection to Untrusted Site",
"Static": true,
"Veracode Severity": "3 - Medium",
"Category Name": "Insufficient Input Validation"
},
{
"CWE ID": "614",
"CWE Name": "Sensitive Cookie without Secure Attribute",
"Static": true,
"Veracode Severity": "2 - Low",
"Category Name": "Cryptographic Issues"
},
{
"CWE ID": "676",
"CWE Name": "Use of Potentially Dangerous Function",
"Static": true,
"Veracode Severity": "3 - Medium",
"Category Name": "Dangerous Functions"
},
{
"CWE ID": "693",
"CWE Name": "Protection Mechanism Failure",
"Static": true,
"Veracode Severity": "3 - Medium",
"Category Name": "Authentication Issues"
},
{
"CWE ID": "732",
"CWE Name": "Incorrect Permission Assignment for Critical Resource",
"Static": true,
"Veracode Severity": "3 - Medium",
"Category Name": "Authorization Issues"
},
{
"CWE ID": "757",
"CWE Name": "Selection of Less Secure Algorithm During Negotiation",
"Static": true,
"Veracode Severity": "3 - Medium",
"Category Name": "Server Configuration"
},
{
"CWE ID": "798",
"CWE Name": "Use of Hard-coded Credentials",
"Static": true,
"Veracode Severity": "3 - Medium",
"Category Name": "Credentials Management"
}
]
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment