OWASP Top Ten Application Security Risks

JavaScript is not currently enabled, but is required for full CodeSonar manual search and browse functionality.

If you are viewing this file in your hub's Web GUI, enable JavaScript in your browser: you will also need it for GUI functionality.

If you opened this file directly from disk, your browser may be directly suppressing JavaScript functionality: certain browsers perform this suppression on local files (but not files delivered by web servers) for security reasons.

If you access the manual through the hub's Web GUI, the functionality will not be suppressed because the hub is a web server.
Alternatively, your browser may allow you to explicitly disable the security setting that suppresses functionality. See the CodeSonar FAQ for more information.

CodeSonar^® 9.0p0 Hot Tips

CONFIDENTIAL

CodeSecure Inc

OWASP Top Ten Application Security Risks - 2017

The categories list for each CodeSonar warning includes any relevant members of the OWASP® Top Ten Application Security Risks - 2017.

CSV tables of warning classes by OWASP-2017 rule are provided in OWASP-2017-mapping.csv.

The OWASP Top Ten 2017
Relevant Warning Classes
Management Reports
Enabling OWASP-2017 Checks

The OWASP Top Ten 2017

"OWASP-2017" is shorthand for the OWASP Top Ten Web Application Security Risks - 2017.

See the OWASP Top Ten 2017 website for more information.

Relevant Warning Classes

The following table shows the CodeSonar warning classes that are associated with OWASP-2017 top ten security risks.

OWASP-2017	C/C++ Warning Classes	Java Warning Classes	C# Warning Classes	Kotlin Warning Classes	Python Warning Classes
OWASP-2017:A1 Injection	Command Injection LDAP Injection SQL Injection Untrusted Process Creation Use of system	Code Injection (Java) Command Injection (Java) DLL Injection (Java) DOS Injection (Java) Fragment Injection (Java) Reflection Injection (Java) SQL Injection (Java) Tainted @Trusted Value (Java) Tainted Bundle (Java) Tainted Control (Java) Tainted Data in Vulnerable Method (Java) Tainted Expression Evaluation (Java) Tainted HTTP Response (Java) Tainted Hardware Device Property (Java) Tainted LDAP Attribute (Java) Tainted Log (Java) Tainted Message (Java) Tainted Network Address (Java) Tainted Path (Java) Tainted Regular Expression (Java) Tainted Resource (Java) Tainted Session (Java) Tainted URL (Java) Tainted XAML (Java) Tainted XML (Java) Tainted Xpath (Java)	Code Injection (C#) Command Injection (C#) DLL Injection (C#) DOS Injection (C#) Reflection Injection (C#) SQL Injection (C#) Tainted @Trusted Value (C#) Tainted Bundle (C#) Tainted Control (C#) Tainted Expression Evaluation (C#) Tainted HTTP Response (C#) Tainted Hardware Device Property (C#) Tainted LDAP Attribute (C#) Tainted Log (C#) Tainted Message (C#) Tainted Network Address (C#) Tainted Path (C#) Tainted Regular Expression (C#) Tainted Resource (C#) Tainted Session (C#) Tainted URL (C#) Tainted XAML (C#) Tainted XML (C#) Tainted Xpath (C#)	-	-
OWASP-2017:A2 Broken authentication	Plaintext Storage of Password Use of crypt Weak Cryptography	Anonymous LDAP Authentication (Java) Certificate Added to Root Store (Java) Cryptographic Algorithm with Risky Default Cipher (Java) Cryptographic Algorithm with Weak Cipher (Java) Cryptographic Algorithm with Weak Hash (Java) Hardcoded Password (Java) Hostname in Condition (Java) Inadequate Salt (Java) Insecure Key Derivation (Java) Missing Authentication Annotation (Java) Password in Property File (Java) Risky Cipher Algorithm (Java) Risky Cipher Field (Java) Risky Cryptographic Algorithm (Java) Risky Cryptographic Field (Java) Security Annotation Conflict (Java) Unsafe Base64 Encoding (Java) Weak Cryptographic Value (Java) Weak Hash Algorithm (Java) Weak Hash Algorithm Field (Java) Weak Initialization Vector Field (Java) Weak Initialization Vector Value (Java)	Anonymous LDAP Authentication (C#) Certificate Added to Root Store (C#) Cryptographic Algorithm with Risky Default Cipher (C#) Cryptographic Algorithm with Weak Cipher (C#) Cryptographic Algorithm with Weak Hash (C#) Hardcoded Password (C#) Hostname in Condition (C#) Inadequate Salt (C#) Insecure Key Derivation (C#) Missing Authentication Annotation (C#) Password in Property File (C#) Risky Cipher Algorithm (C#) Risky Cipher Field (C#) Risky Cryptographic Algorithm (C#) Risky Cryptographic Field (C#) Security Annotation Conflict (C#) Unsafe Base64 Encoding (C#) Weak Cryptographic Value (C#) Weak Hash Algorithm (C#) Weak Hash Algorithm Field (C#) Weak Initialization Vector Field (C#) Weak Initialization Vector Value (C#)	-	-
OWASP-2017:A3 Sensitive data exposure	Encryption without Padding Plaintext Storage of Password Redundant Condition Tainted Write Use of crypt Weak Cryptography	Android Message Injection (Java) Android URL Injection (Java) Sensitive Data Cached (Java) Sensitive Data Written to External Storage (Java) Sensitive Data Written to Local File (Java)	-	-	-
OWASP-2017:A4 XML external entities	Use of XML_ExternalEntityParserCreate	Possible XML External Entity Reference (Java)	Possible XML External Entity Reference (C#)	-	-
OWASP-2017:A5 Broken access control	Hardcoded Authentication Hardcoded Crypto Key Hardcoded Crypto Salt Null Security Descriptor Plaintext Storage of Password Tainted Filename Tainted Write Use of AddAccessAllowedAce Use of AddAccessDeniedAce Use of crypt Use of cuserid Use of getlogin Weak Cryptography	Fragment Injection (Java) Method Disables Security Setting (Java) Missing Authentication Annotation (Java) Missing isValidFragment Override (Java) Security Annotation Conflict (Java) Tainted Data in Vulnerable Method (Java)	Disabled Input Validation (C#) Method Disables Security Setting (C#) Missing Authentication Annotation (C#) Security Annotation Conflict (C#)	-	-
OWASP-2017:A6 Security misconfiguration	Encryption without Padding Hardcoded Authentication Hardcoded Crypto Key Hardcoded Crypto Salt Hardcoded DNS Name Hardcoded Seed in PRNG Memory Protection Removal	-	-	-	-
OWASP-2017:A7 Cross site scripting (XSS)	Tainted Write	Cross Site Scripting (Java) Cross Site Scripting In Error Message Web Page (Java)	Cross Site Scripting (C#) Cross Site Scripting In Error Message Web Page (C#)	-	-
OWASP-2017:A8 Insecure deserialization	Addition Overflow of Allocation Size Addition Overflow of Size Buffer Overrun Buffer Underrun Integer Overflow of Allocation Size Multiplication Overflow of Allocation Size Multiplication Overflow of Size Pointer Arithmetic Pointer Before Beginning of Object Pointer Past End of Object Subtraction Underflow of Allocation Size Subtraction Underflow of Size Tainted Buffer Access Type Overrun Type Underrun	Deserializable Class (Java) Deserializing Non-Serializable Class (Java)	Deserializable Class (C#)	-	-
OWASP-2017:A9 Using components with known vulnerabilities	Use of AddAccessAllowedAce Use of AddAccessDeniedAce Use of AfxLoadLibrary Use of CoLoadLibrary Use of CreateFile Use of CreateProcess Use of CreateThread Use of FormatMessage Use of GetTempFileName Use of LoadLibrary Use of LoadModule Use of MoveFile Use of OemToAnsi Use of OemToChar Use of crypt Use of gets Use of mkstemp Use of mktemp Use of rand Use of rand48 Function Use of random Use of tmpfile Use of tmpfile_s Use of tmpnam Use of tmpnam_s Weak Cryptography	Deprecated Cryptography Provider (Java) Deprecated Transfer Protocol (Java)	Deprecated Cryptography Provider (C#) Deprecated Transfer Protocol (C#)	-	-
OWASP-2017:A10 Insufficient logging and monitoring	Not Enough Assertions	-	-	-	-

Management Reports

The predefined OWASP Top Ten 2017 Report management report template allows you to automatically generate a report summarizing all the warnings from a particular analysis that are closely mapped to one or more of the OWASP Top Ten Web Application Security Risks.

You can generate this report from the GUI Analysis page for the analysis of interest. For general instructions, see Task: Generate a Management Report.

Enabling OWASP-2017 Rules

Because the rules are strongly tied to web application development, many of the associated checks are disabled by default.

CodeSonar ships with a taxonomy preset for OWASP-2017 checks:

owasp2017

Enables warning classes such that a given class C is enabled if all of the following are true.

C is closely mapped to one or more OWASP-2017 members (that is, it appears in the table above), and
no other classes enabled by the preset are more closely related to the same rules, and
C is not diagnostic-only (that is, it does not have a DIAG.* mnemonic).

You can apply the owasp2017 preset to the CodeSonar build/analysis as shown in the following table.

@PRESET_TABLE[owasp2017]@

Enabling checks for specific security risks

To enable checks for all the warning classes associated with a specific OWASP-2017 security risk, include the following in the project configuration file:

WARNING_FILTER += allow categories:"OWASP-2017:Anum"

Anum is the OWASP-2017 item number.
To enable checks for several rule numbers, include several WARNING_FILTER lines of this form.

Enabling individual classes

To enable a single warning class check, follow the instructions in the documentation for the corresponding warning class. Warning class documentation links are provided above.