mirror of
https://github.com/securego/gosec.git
synced 2024-12-24 03:25:53 +00:00
Map the G115 rule to an CWE ID
Signed-off-by: Cosmin Cojocar <cosmin@cojocar.ch>
This commit is contained in:
parent
45fbb27d87
commit
c3209fcaac
2 changed files with 31 additions and 30 deletions
60
cwe/data.go
60
cwe/data.go
|
@ -18,6 +18,31 @@ const (
|
|||
)
|
||||
|
||||
var idWeaknesses = map[string]*Weakness{
|
||||
"22": {
|
||||
ID: "22",
|
||||
Description: "The software uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the software does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.",
|
||||
Name: "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')",
|
||||
},
|
||||
"78": {
|
||||
ID: "78",
|
||||
Description: "The software constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.",
|
||||
Name: "Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')",
|
||||
},
|
||||
"79": {
|
||||
ID: "79",
|
||||
Description: "The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.",
|
||||
Name: "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')",
|
||||
},
|
||||
"88": {
|
||||
ID: "88",
|
||||
Description: "The software constructs a string for a command to executed by a separate component\nin another control sphere, but it does not properly delimit the\nintended arguments, options, or switches within that command string.",
|
||||
Name: "Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')",
|
||||
},
|
||||
"89": {
|
||||
ID: "89",
|
||||
Description: "The software constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component.",
|
||||
Name: "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')",
|
||||
},
|
||||
"118": {
|
||||
ID: "118",
|
||||
Description: "The software does not restrict or incorrectly restricts operations within the boundaries of a resource that is accessed using an index or pointer, such as memory or files.",
|
||||
|
@ -33,11 +58,6 @@ var idWeaknesses = map[string]*Weakness{
|
|||
Description: "The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.",
|
||||
Name: "Exposure of Sensitive Information to an Unauthorized Actor",
|
||||
},
|
||||
"22": {
|
||||
ID: "22",
|
||||
Description: "The software uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the software does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.",
|
||||
Name: "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')",
|
||||
},
|
||||
"242": {
|
||||
ID: "242",
|
||||
Description: "The program calls a function that can never be guaranteed to work safely.",
|
||||
|
@ -93,41 +113,21 @@ var idWeaknesses = map[string]*Weakness{
|
|||
Description: "The software does not handle or incorrectly handles a compressed input with a very high compression ratio that produces a large output.",
|
||||
Name: "Improper Handling of Highly Compressed Data (Data Amplification)",
|
||||
},
|
||||
"676": {
|
||||
ID: "676",
|
||||
Description: "The program invokes a potentially dangerous function that could introduce a vulnerability if it is used incorrectly, but the function can also be used safely.",
|
||||
Name: "Use of Potentially Dangerous Function",
|
||||
},
|
||||
"703": {
|
||||
ID: "703",
|
||||
Description: "The software does not properly anticipate or handle exceptional conditions that rarely occur during normal operation of the software.",
|
||||
Name: "Improper Check or Handling of Exceptional Conditions",
|
||||
},
|
||||
"78": {
|
||||
ID: "78",
|
||||
Description: "The software constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.",
|
||||
Name: "Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')",
|
||||
},
|
||||
"79": {
|
||||
ID: "79",
|
||||
Description: "The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.",
|
||||
Name: "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')",
|
||||
},
|
||||
"798": {
|
||||
ID: "798",
|
||||
Description: "The software contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data.",
|
||||
Name: "Use of Hard-coded Credentials",
|
||||
},
|
||||
"88": {
|
||||
ID: "88",
|
||||
Description: "The software constructs a string for a command to executed by a separate component\nin another control sphere, but it does not properly delimit the\nintended arguments, options, or switches within that command string.",
|
||||
Name: "Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')",
|
||||
},
|
||||
"89": {
|
||||
ID: "89",
|
||||
Description: "The software constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component.",
|
||||
Name: "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')",
|
||||
},
|
||||
"676": {
|
||||
ID: "676",
|
||||
Description: "The program invokes a potentially dangerous function that could introduce a vulnerability if it is used incorrectly, but the function can also be used safely.",
|
||||
Name: "Use of Potentially Dangerous Function",
|
||||
},
|
||||
}
|
||||
|
||||
// Get Retrieves a CWE weakness by it's id
|
||||
|
|
|
@ -67,6 +67,7 @@ var ruleToCWE = map[string]string{
|
|||
"G112": "400",
|
||||
"G113": "190",
|
||||
"G114": "676",
|
||||
"G115": "190",
|
||||
"G201": "89",
|
||||
"G202": "89",
|
||||
"G203": "79",
|
||||
|
|
Loading…
Reference in a new issue