43 Rules
| ID | Name | Severity |
|---|---|---|
| 1039002 | Avoid using deprecated SSL protocols to secure connection | high |
| 1039004 | Avoid using HttpServletRequest.getRequestedSessionId() | critical |
| 1039006 | Avoid using predictable SecureRandom Seeds | high |
| 1039008 | Avoid thrown Exceptions in servlet methods | high |
| 1039010 | Avoid using risky cryptographic hash (JEE) | critical |
| 1039012 | Avoid using referer header field in HTTP request | critical |
| 1039014 | Avoid using Cipher with no HMAC to ensure data integrity | high |
| 1039018 | Avoid using cryptography hash with hard-coded salt | high |
| 1039020 | Avoid using javax.crypto.NullCipher | high |
| 1039022 | Avoid using Insecure PBE Iteration Count | high |
| 1039024 | Avoid using unsecured cookie (JEE) | high |
| 1039026 | Avoid creating cookie without setting httpOnly option (JEE) | high |
| 1039028 | Avoid weak encryption providing not sufficient key size (JEE) | high |
| 1039030 | Avoid using DefaultHttpClient constructor | high |
| 1039032 | Avoid using DocumentBuilder without restriction of XML External Entity Reference (XXE) | high |
| 1039034 | Avoid using SAXParserFactory without restriction of XML External Entity Reference (XXE) | high |
| 1039036 | Avoid using XMLReader without restriction of XML External Entity Reference (XXE) | high |
| 1039038 | Avoid using XPathFactory without restriction of XML External Entity Reference (XXE) | high |
| 1039040 | Avoid using XMLInputFactory without restriction of XML External Entity Reference (XXE) | high |
| 1039044 | Avoid usage of BannedAPI when using ESAPI library | medium |
| 1039046 | Always use {@code} to wrap code statements or values such as null | medium |
| 1039050 | Add @Override on methods overriding or implementing a method declared in a super type | medium |
| 1039052 | Avoid Http Session without expiration | critical |
| 1039056 | Avoid insecure use of YAML deserialization when using SnakeYaml (JEE) | high |
| 1039062 | Always implement readObject() to prevent untrusted deserialization when loading from ObjectInputStream | high |
| 1039064 | Avoid having cookie with an overly broad domain (JEE) | high |
| 1039066 | Avoid creating cookie with an overly broad path (JEE) | high |
| 1039068 | Avoid using the Non-Serializable Object Stored in Session | high |
| 1039070 | Avoid using URL.equals(Object obj) or URL.hashCode() | medium |
| 1039072 | Avoid using jYAML to deserialize YAML (JEE) | high |
| 1039074 | Avoid using Apache ActiveMQ 5.x before 5.13.0 | critical |
| 1039076 | Avoid using HttpURLConnection with HTTP protocol | high |
| 1039078 | Avoid using SchemaFactory without restriction of XML External Entity Reference (XXE) | high |
| 1039080 | Avoid using TransformerFactory without restriction of XML External Entity Reference (XXE) | high |
| 1039082 | Avoid using SAXTransformerFactory without restriction of XML External Entity Reference (XXE) | high |
| 1039084 | Avoid using SAXBuilder without restriction of XML External Entity Reference (XXE) | high |
| 1039086 | Avoid using DOMParser without restriction of XML External Entity Reference (XXE) | high |
| 1039088 | Avoid using Validator without restriction of XML External Entity Reference (XXE) | high |
| 1039090 | Avoid using java.beans.XMLDecoder (XXE) | high |
| 1039092 | Avoid using JAXB Unmarshaller without a configurable secure parser (XXE) | high |
| 1039094 | Avoid using XPathExpression without a configurable secure parser (XXE) | high |
| 1039096 | Ensure httpOnly option is enabled when creating session (JEE) | high |
| 1039098 | Ensure secure option is enabled when creating session (JEE) | high |