Broad Mapping: DISA STIG

JavaScript is not currently enabled, but is required for full CodeSonar manual search and browse functionality.

If you are viewing this file in your hub's Web GUI, enable JavaScript in your browser: you will also need it for GUI functionality.

If you opened this file directly from disk, your browser may be directly suppressing JavaScript functionality: certain browsers perform this suppression on local files (but not files delivered by web servers) for security reasons.

If you access the manual through the hub's Web GUI, the functionality will not be suppressed because the hub is a web server.
Alternatively, your browser may allow you to explicitly disable the security setting that suppresses functionality. See the CodeSonar FAQ for more information.

CodeSonar^® 9.0p0 Hot Tips

CONFIDENTIAL

CodeSecure Inc

Broad Mapping: DISA STIG

This table contains broad mappings between DISA STIG identifiers and CodeSonar warning classes.

The close mapping from DISA STIG identifiers to CodeSonar warning classes is shown in DISA STIG Checks.

CSV versions of these tables are provided in DISA-6r1-mapping-broad.csv,DISA-5r3-mapping-broad.csv, DISA-4r3-mapping-broad.csv and DISA-3r10-mapping-broad.csv.

Version 6, release 1 (C/C++, Java, and C# warning classes)
Version 5, release 3 (C/C++, Java, and C# warning classes)
Version 4, release 3 (C/C++, Java, and C# warning classes)
Version 3, release 10(C/C++ warning classes only)

Version 6, release 1

(STIG release date June 5, 2024)

A CSV version of this table is provided in DISA-6r1-mapping-broad.csv.

DISA-6r1

Severity

C/C++ Warning Classes

Java Warning Classes

C# Warning Classes

Kotlin Warning Classes

Python Warning Classes

DISA-6r1:V-222396 The application must implement DoD-approved encryption to protect the confidentiality of remote access sessions.

medium

closely mapped	Encryption without Padding

DISA-6r1:V-222397 The application must implement cryptographic mechanisms to protect the integrity of remote access sessions.

medium

closely mapped	Encryption without Padding Use of crypt Use of rand Use of rand48 Function Use of random Weak Cryptography

DISA-6r1:V-222542 The application must only store cryptographic representations of passwords.

high

closely mapped	Plaintext Storage of Password Plaintext Transmission of Password

DISA-6r1:V-222543 The application must transmit only cryptographically-protected passwords.

high

closely mapped	Plaintext Storage of Password Plaintext Transmission of Password

DISA-6r1:V-222567 The application must not be vulnerable to race conditions.

medium

closely mapped	Data Race File System Race Condition
also related	Multiple Accesses of Atomic

DISA-6r1:V-222570 The application must utilize FIPS-validated cryptographic modules when signing application components.

medium

closely mapped	Use of crypt Use of rand Use of rand48 Function Use of random Weak Cryptography

DISA-6r1:V-222571 The application must utilize FIPS-validated cryptographic modules when generating cryptographic hashes.

medium

closely mapped	Use of crypt Use of rand Use of rand48 Function Use of random Weak Cryptography

DISA-6r1:V-222572 The application must utilize FIPS-validated cryptographic modules when protecting unclassified information that requires cryptographic protection.

medium

closely mapped	Use of crypt Use of rand Use of rand48 Function Use of random Weak Cryptography

DISA-6r1:V-222583 The application must use the Federal Information Processing Standard (FIPS) 140-2-validated cryptographic modules and random number generator if the application implements encryption, key exchange, digital signature, and hash functionality.

medium

closely mapped	Use of crypt Use of rand Use of rand48 Function Use of random Weak Cryptography

DISA-6r1:V-222589 The application must use appropriate cryptography in order to protect stored DoD information when required by the information owner or DoD policy.

medium

closely mapped	Encryption without Padding Use of crypt Weak Cryptography

DISA-6r1:V-222596 The application must protect the confidentiality and integrity of transmitted information.

high

closely mapped	Encryption without Padding

DISA-6r1:V-222602 The application must protect from Cross-Site Scripting (XSS) vulnerabilities.

high

closely mapped	Cross Site Scripting (Java) Cross Site Scripting In Error Message Web Page (Java)

closely mapped	Cross Site Scripting (C#) Cross Site Scripting In Error Message Web Page (C#)

DISA-6r1:V-222604 The application must protect from command injection.

high

closely mapped	Command Injection Library Injection Untrusted Library Load Untrusted Process Creation Use of execlp Use of execvp Use of popen Use of system

closely mapped	Command Injection (Java)

closely mapped	Command Injection (C#)

DISA-6r1:V-222606 The application must validate all input.

medium

closely mapped	Command Injection Format String Injection LDAP Injection Library Injection SQL Injection Tainted Allocation Size Tainted Buffer Access Tainted Configuration Setting Tainted Network Address Tainted Write Untrusted Library Load Untrusted Network Host Untrusted Network Port Untrusted Process Creation

DISA-6r1:V-222607 The application must not be vulnerable to SQL Injection.

high

closely mapped	SQL Injection

closely mapped	SQL Injection (Java)

closely mapped	SQL Injection (C#)

DISA-6r1:V-222608 The application must not be vulnerable to XML-oriented attacks.

high

closely mapped	Insecure XSLT Execution (Java) Possible XML External Entity Reference (Java) Tainted XML (Java)

closely mapped	Insecure XSLT Execution (C#) Possible XML External Entity Reference (C#) Tainted XML (C#)

DISA-6r1:V-222609 The application must not be subject to input handling vulnerabilities.

high

closely mapped	Format String Injection LDAP Injection Library Injection SQL Injection Tainted Allocation Size Tainted Buffer Access Tainted Configuration Setting Tainted Network Address Tainted Write Untrusted Library Load Untrusted Network Host Untrusted Network Port

DISA-6r1:V-222612 The application must not be vulnerable to overflow attacks.

high

closely mapped	Addition Overflow of Allocation Size Addition Overflow of Size Buffer Overrun Buffer Underrun Cast Alters Value Coercion Alters Value File System Race Condition Format String Format String Injection Hardcoded DNS Name Inappropriate Character Arithmetic Integer Overflow of Allocation Size Multiplication Overflow of Allocation Size Multiplication Overflow of Size No Space For Null Terminator Risky Integer Promotion Subtraction Underflow of Allocation Size Subtraction Underflow of Size Tainted Buffer Access Tainted Filename Unreasonable Size Argument Use of OemToAnsi Use of OemToChar Use of StrCatChainW Use of getopt Use of getpass Use of gets Use of getwd Use of realpath Use of recvmsg Use of strcat Use of strchr Use of strcmp Use of strcoll Use of strcpy Use of strcspn Use of strlen Use of strpbrk Use of strrchr Use of strspn Use of strstr Use of strtok Use of strtrns Use of syslog
also related	Division By Zero Expression Value Widened by Assignment Expression Value Widened by Other Operand Float Division By Zero Inappropriate Assignment Type Inappropriate Bit-field Type Inappropriate Cast Type Inappropriate Cast Type: Expression Inappropriate Operand Type Negative Character Value Negative Shift Amount Shift Amount Exceeds Bit Width
hierarchy ancestor	Basic Numerical Type Used

DISA-6r1:V-222642 The application must not contain embedded authentication data.

high

closely mapped	Hardcoded Authentication

DISA-6r1:V-222656 The application must not be subject to error handling vulnerabilities.

medium

closely mapped	Ignored Return Value

DISA-6r1:V-222662 Default passwords must be changed.

high

also related	Password in Property File (Java)
hierarchy ancestor	Hardcoded Password (Java)

also related	Hardcoded Password (C#) Password in Property File (C#)

Version 5, release 3

(STIG release date July 26, 2023)

A CSV version of this table is provided in DISA-5r3-mapping-broad.csv.

DISA-5r3

Severity

C/C++ Warning Classes

Java Warning Classes

C# Warning Classes

Kotlin Warning Classes

Python Warning Classes

DISA-5r3:V-69257 The application must implement DoD-approved encryption to protect the confidentiality of remote access sessions.

medium

closely mapped	Encryption without Padding

DISA-5r3:V-69259 The application must implement cryptographic mechanisms to protect the integrity of remote access sessions.

medium

closely mapped	Encryption without Padding Use of crypt Use of rand Use of rand48 Function Use of random Weak Cryptography

DISA-5r3:V-69567 The application must only store cryptographic representations of passwords.

high

closely mapped	Plaintext Storage of Password Plaintext Transmission of Password

DISA-5r3:V-69569 The application must transmit only cryptographically-protected passwords.

high

closely mapped	Plaintext Storage of Password Plaintext Transmission of Password

DISA-5r3:V-70185 The application must not be vulnerable to race conditions.

medium

closely mapped	Data Race File System Race Condition
also related	Multiple Accesses of Atomic

DISA-5r3:V-70191 The application must utilize FIPS-validated cryptographic modules when signing application components.

medium

closely mapped	Use of crypt Use of rand Use of rand48 Function Use of random Weak Cryptography

DISA-5r3:V-70193 The application must utilize FIPS-validated cryptographic modules when generating cryptographic hashes.

medium

closely mapped	Use of crypt Use of rand Use of rand48 Function Use of random Weak Cryptography

DISA-5r3:V-70195 The application must utilize FIPS-validated cryptographic modules when protecting unclassified information that requires cryptographic protection.

medium

closely mapped	Use of crypt Use of rand Use of rand48 Function Use of random Weak Cryptography

DISA-5r3:V-70217 The application must use the Federal Information Processing Standard (FIPS) 140-2-validated cryptographic modules and random number generator if the application implements encryption, key exchange, digital signature, and hash functionality.

medium

closely mapped	Use of crypt Use of rand Use of rand48 Function Use of random Weak Cryptography

DISA-5r3:V-70229 The application must use appropriate cryptography in order to protect stored DoD information when required by the information owner or DoD policy.

medium

closely mapped	Encryption without Padding Use of crypt Weak Cryptography

DISA-5r3:V-70245 The application must protect the confidentiality and integrity of transmitted information.

high

closely mapped	Encryption without Padding

DISA-5r3:V-70257 The application must protect from Cross-Site Scripting (XSS) vulnerabilities.

high

closely mapped	Cross Site Scripting (Java) Cross Site Scripting In Error Message Web Page (Java)

closely mapped	Cross Site Scripting (C#) Cross Site Scripting In Error Message Web Page (C#)

DISA-5r3:V-70261 The application must protect from command injection.

high

closely mapped	Command Injection Library Injection Untrusted Library Load Untrusted Process Creation Use of execlp Use of execvp Use of popen Use of system

closely mapped	Command Injection (Java)

closely mapped	Command Injection (C#)

DISA-5r3:V-70265 The application must validate all input.

medium

closely mapped	Command Injection Format String Injection LDAP Injection Library Injection SQL Injection Tainted Allocation Size Tainted Buffer Access Tainted Configuration Setting Tainted Network Address Tainted Write Untrusted Library Load Untrusted Network Host Untrusted Network Port Untrusted Process Creation

DISA-5r3:V-70267 The application must not be vulnerable to SQL Injection.

high

closely mapped	SQL Injection

closely mapped	SQL Injection (Java)

closely mapped	SQL Injection (C#)

DISA-5r3:V-70269 The application must not be vulnerable to XML-oriented attacks.

high

closely mapped	Insecure XSLT Execution (Java) Possible XML External Entity Reference (Java) Tainted XML (Java)

closely mapped	Insecure XSLT Execution (C#) Possible XML External Entity Reference (C#) Tainted XML (C#)

DISA-5r3:V-70271 The application must not be subject to input handling vulnerabilities.

high

closely mapped	Format String Injection LDAP Injection Library Injection SQL Injection Tainted Allocation Size Tainted Buffer Access Tainted Configuration Setting Tainted Network Address Tainted Write Untrusted Library Load Untrusted Network Host Untrusted Network Port

DISA-5r3:V-70277 The application must not be vulnerable to overflow attacks.

high

closely mapped

also related

DISA-5r3:V-70363 The application must not contain embedded authentication data.

high

closely mapped	Hardcoded Authentication

DISA-5r3:V-70391 The application must not be subject to error handling vulnerabilities.

medium

closely mapped	Ignored Return Value

DISA-5r3:V-70403 Default passwords must be changed.

high

also related	Hardcoded Password (Java) Password in Property File (Java)

also related	Hardcoded Password (C#) Password in Property File (C#)

Version 4, release 3

(STIG release date April 28, 2017)

A CSV version of this table is provided in DISA-4r3-mapping-broad.csv.

DISA-4r3

C/C++ Warning Classes

Java Warning Classes

C# Warning Classes

Kotlin Warning Classes

Python Warning Classes

DISA-4r3:V-69257 The application must implement DoD-approved encryption to protect the confidentiality of remote access sessions.

closely mapped	Encryption without Padding

DISA-4r3:V-69259 The application must implement cryptographic mechanisms to protect the integrity of remote access sessions.

closely mapped	Encryption without Padding Use of crypt Use of rand Use of rand48 Function Use of random Weak Cryptography

DISA-4r3:V-69567 The application must only store cryptographic representations of passwords.

closely mapped	Plaintext Storage of Password Plaintext Transmission of Password

DISA-4r3:V-69569 The application must transmit only cryptographically-protected passwords.

closely mapped	Plaintext Storage of Password Plaintext Transmission of Password

DISA-4r3:V-70185 The application must not be vulnerable to race conditions.

closely mapped	Data Race File System Race Condition
also related	Multiple Accesses of Atomic

DISA-4r3:V-70191 The application must utilize FIPS-validated cryptographic modules when signing application components.

closely mapped	Use of crypt Use of rand Use of rand48 Function Use of random Weak Cryptography

DISA-4r3:V-70193 The application must utilize FIPS-validated cryptographic modules when generating cryptographic hashes.

closely mapped	Use of crypt Use of rand Use of rand48 Function Use of random Weak Cryptography

DISA-4r3:V-70195 The application must utilize FIPS-validated cryptographic modules when protecting unclassified information that requires cryptographic protection.

closely mapped	Use of crypt Use of rand Use of rand48 Function Use of random Weak Cryptography

DISA-4r3:V-70217 The application must use the Federal Information Processing Standard (FIPS) 140-2-validated cryptographic modules and random number generator if the application implements encryption, key exchange, digital signature, and hash functionality.

closely mapped	Use of crypt Use of rand Use of rand48 Function Use of random Weak Cryptography

DISA-4r3:V-70229 The application must use appropriate cryptography in order to protect stored DoD information when required by the information owner or DoD policy.

closely mapped	Encryption without Padding Use of crypt Weak Cryptography

DISA-4r3:V-70245 The application must protect the confidentiality and integrity of transmitted information.

closely mapped	Encryption without Padding

DISA-4r3:V-70257 The application must protect from Cross-Site Scripting (XSS) vulnerabilities.

closely mapped	Cross Site Scripting (Java) Cross Site Scripting In Error Message Web Page (Java)

closely mapped	Cross Site Scripting (C#) Cross Site Scripting In Error Message Web Page (C#)

DISA-4r3:V-70261 The application must protect from command injection.

closely mapped	Command Injection Library Injection Untrusted Library Load Untrusted Process Creation Use of execlp Use of execvp Use of popen Use of system

closely mapped	Command Injection (Java)

closely mapped	Command Injection (C#)

DISA-4r3:V-70265 The application must validate all input.

closely mapped	Command Injection Format String Injection LDAP Injection Library Injection SQL Injection Tainted Allocation Size Tainted Buffer Access Tainted Configuration Setting Tainted Network Address Tainted Write Untrusted Library Load Untrusted Network Host Untrusted Network Port Untrusted Process Creation

DISA-4r3:V-70267 The application must not be vulnerable to SQL Injection.

closely mapped	SQL Injection

closely mapped	SQL Injection (Java)

closely mapped	SQL Injection (C#)

DISA-4r3:V-70269 The application must not be vulnerable to XML-oriented attacks.

closely mapped	Insecure XSLT Execution (Java) Possible XML External Entity Reference (Java) Tainted XML (Java)

closely mapped	Insecure XSLT Execution (C#) Possible XML External Entity Reference (C#) Tainted XML (C#)

DISA-4r3:V-70271 The application must not be subject to input handling vulnerabilities.

closely mapped	Format String Injection LDAP Injection Library Injection SQL Injection Tainted Allocation Size Tainted Buffer Access Tainted Configuration Setting Tainted Network Address Tainted Write Untrusted Library Load Untrusted Network Host Untrusted Network Port

DISA-4r3:V-70277 The application must not be vulnerable to overflow attacks.

closely mapped

also related

DISA-4r3:V-70363 The application must not contain embedded authentication data.

closely mapped	Hardcoded Authentication

DISA-4r3:V-70391 The application must not be subject to error handling vulnerabilities.

closely mapped	Ignored Return Value

DISA-4r3:V-70403 Default passwords must be changed.

also related	Hardcoded Password (Java) Password in Property File (Java)

also related	Hardcoded Password (C#) Password in Property File (C#)

Version 3, release 10

(STIG release date January 23, 2015)

A CSV version of this table is provided in DISA-3r10-mapping-broad.csv.

Mappings for Version 3, release 10 are available for C and C++ warning classes only.

DISA-3r10

C/C++ Warning Classes

DISA-3r10:V-6135 The designer will ensure the appropriate cryptography is used to protect stored DoD information if required by the information owner.

closely mapped	Encryption without Padding Use of crypt

DISA-3r10:V-6136 The designer will ensure data transmitted through a commercial or wireless network is protected using an appropriate form of cryptography.

closely mapped	Encryption without Padding

DISA-3r10:V-6137 The designer will ensure the application uses the Federal Information Processing Standard (FIPS) 140-2 validated cryptographic modules and random number generator if the application implements encryption, key exchange, digital signature, and hash functionality.

closely mapped	Use of crypt Use of rand Use of rand48 Function Use of random

DISA-3r10:V-6149 The designer will ensure the application does not contain source code that is never invoked during operation, except for software components and libraries from approved third-party products.

closely mapped	Unexercised Call Unexercised Computation Unexercised Conditional Unexercised Control Flow Unexercised Data Flow Unreachable Call Unreachable Computation Unreachable Conditional Unreachable Control Flow Unreachable Data Flow Unused Label Unused Macro Unused Parameter Unused Tag Unused Type Unused Value Unused Variable

DISA-3r10:V-6156 The designer will ensure the application does not contain embedded authentication data.

closely mapped	Hardcoded Authentication

DISA-3r10:V-6157 The designer will ensure the application does not contain invalid URL or path references.

closely mapped	Dangerous Include File Name LDAP Injection Tainted Filename Tainted Network Address Use of AfxLoadLibrary Use of CoLoadLibrary Use of CreateProcess Use of LoadLibrary Use of LoadModule Use of MoveFile Use of SHCreateProcessAsUserW Use of ShellExecute Use of WinExec Use of _exec Use of _spawn Use of execlp Use of execvp Use of popen Use of system Use of t_open

DISA-3r10:V-6164 The designer will ensure the application validates all input.

closely mapped	Command Injection Format String Injection LDAP Injection Library Injection SQL Injection Tainted Allocation Size Tainted Buffer Access Tainted Configuration Setting Tainted Network Address Tainted Write

DISA-3r10:V-6165 The designer will ensure the application does not have buffer overflows, use functions known to be vulnerable to buffer overflows, and does not use signed values for memory allocation where permitted by the programming language.

closely mapped

also related

DISA-3r10:V-6166 The designer will ensure the application is not subject to error handling vulnerabilities.

closely mapped	Ignored Return Value

DISA-3r10:V-16793 The designer will ensure the application properly clears or overwrites all memory blocks used to process sensitive data, if required by the information owner, and clears or overwrites all memory blocks used for classified data.

closely mapped	Use of memset

DISA-3r10:V-16796 The designer will ensure the application transmits account passwords in an approved encrypted format.

closely mapped	Plaintext Storage of Password Plaintext Transmission of Password

DISA-3r10:V-16797 The designer will ensure the application stores account passwords in an approved encrypted format.

closely mapped	Plaintext Storage of Password Plaintext Transmission of Password

DISA-3r10:V-16804 The designer will ensure the application does not rely solely on a resource name to control access to a resource.

closely mapped	File System Race Condition Hardcoded DNS Name Tainted Filename

DISA-3r10:V-16807 The designer will ensure the application is not vulnerable to SQL Injection, uses prepared or parameterized statements, does not use concatenation or replacement to build SQL queries, and does not directly access the tables in a database.

closely mapped	SQL Injection

DISA-3r10:V-16808 The designer will ensure the application is not vulnerable to integer arithmetic issues.

closely mapped	Addition Overflow of Allocation Size Addition Overflow of Size Cast Alters Value Coercion Alters Value Division By Zero Inappropriate Character Arithmetic Integer Overflow of Allocation Size Multiplication Overflow of Allocation Size Multiplication Overflow of Size Negative Shift Amount Risky Integer Promotion Subtraction Underflow of Allocation Size Subtraction Underflow of Size
also related	Basic Numerical Type Used Expression Value Widened by Assignment Expression Value Widened by Other Operand Inappropriate Assignment Type Inappropriate Bit-field Type Inappropriate Cast Type Inappropriate Cast Type: Expression Inappropriate Operand Type Negative Character Value Shift Amount Exceeds Bit Width

DISA-3r10:V-16809 The designer will ensure the application does not contain format string vulnerabilities.

closely mapped	Format String Format String Injection

DISA-3r10:V-16810 The designer will ensure the application does not allow command injection.

closely mapped	Command Injection Library Injection Use of execlp Use of execvp Use of popen Use of system

DISA-3r10:V-16815 The designer will ensure the application is not vulnerable to race conditions.

closely mapped	Data Race File System Race Condition
also related	Multiple Accesses of Atomic