Broad Mapping: OWASP Top Ten Application Security Risks -

JavaScript is not currently enabled, but is required for full CodeSonar manual search and browse functionality.

If you are viewing this file in your hub's Web GUI, enable JavaScript in your browser: you will also need it for GUI functionality.

If you opened this file directly from disk, your browser may be directly suppressing JavaScript functionality: certain browsers perform this suppression on local files (but not files delivered by web servers) for security reasons.

If you access the manual through the hub's Web GUI, the functionality will not be suppressed because the hub is a web server.
Alternatively, your browser may allow you to explicitly disable the security setting that suppresses functionality. See the CodeSonar FAQ for more information.

CodeSonar^® 9.0p0 Hot Tips

CONFIDENTIAL

CodeSecure Inc

Broad Mapping: OWASP Top Ten Application Security Risks - 2017

This table contains broad mappings between the OWASP Top Ten Application Security Risks - 2017 and CodeSonar warning classes.

The close mapping from OWASP Top Ten 2017 members to CodeSonar warning classes is shown in OWASP Top Ten 2017 Checks.

A CSV version of this table is provided in OWASP-2017-mapping-broad.csv

OWASP-2017

C/C++ Warning Classes

Java Warning Classes

C# Warning Classes

Kotlin Warning Classes

Python Warning Classes

OWASP-2017:A1 Injection

closely mapped	Command Injection LDAP Injection SQL Injection Untrusted Process Creation Use of system

closely mapped

hierarchy ancestor

Tainted LDAP Filter (Java)

closely mapped

hierarchy ancestor

Tainted LDAP Filter (C#)

OWASP-2017:A2 Broken authentication

closely mapped	Plaintext Storage of Password Use of crypt Weak Cryptography
hierarchy ancestor	Hardcoded Authentication Hardcoded Crypto Key Hardcoded Crypto Salt Hardcoded DNS Name Null Security Descriptor

closely mapped

hierarchy ancestor

closely mapped

hierarchy ancestor

OWASP-2017:A3 Sensitive data exposure

closely mapped	Encryption without Padding Plaintext Storage of Password Redundant Condition Tainted Write Use of crypt Weak Cryptography
hierarchy ancestor	Hardcoded Authentication Hardcoded Crypto Key Hardcoded Crypto Salt Hardcoded Seed in PRNG Plaintext Transmission of Password Predictable Seed in PRNG Use of Weak Cryptographic Algorithm Use of rand Use of rand48 Function Use of random

closely mapped

hierarchy ancestor

OWASP-2017:A4 XML external entities

closely mapped	Use of XML_ExternalEntityParserCreate

closely mapped	Possible XML External Entity Reference (Java)
hierarchy ancestor	Insecure XSLT Execution (Java)

closely mapped	Possible XML External Entity Reference (C#)
hierarchy ancestor	Insecure XSLT Execution (C#)

OWASP-2017:A5 Broken access control

closely mapped	Hardcoded Authentication Hardcoded Crypto Key Hardcoded Crypto Salt Null Security Descriptor Plaintext Storage of Password Tainted Filename Tainted Write Use of AddAccessAllowedAce Use of AddAccessDeniedAce Use of crypt Use of cuserid Use of getlogin Weak Cryptography
hierarchy ancestor	Hardcoded DNS Name Ignored Return Value

closely mapped

hierarchy ancestor

closely mapped	Disabled Input Validation (C#) Method Disables Security Setting (C#) Missing Authentication Annotation (C#) Security Annotation Conflict (C#)
hierarchy ancestor	Anonymous LDAP Authentication (C#) Hardcoded Cryptographic Key (C#) Hardcoded Password (C#) Hostname in Condition (C#) Password in Property File (C#) Tainted Path (C#)

hierarchy ancestor	Ignored Return Value (detekt)

hierarchy ancestor	Bad Open Mode (Pylint)

OWASP-2017:A6 Security misconfiguration

closely mapped	Encryption without Padding Hardcoded Authentication Hardcoded Crypto Key Hardcoded Crypto Salt Hardcoded DNS Name Hardcoded Seed in PRNG Memory Protection Removal
hierarchy ancestor	Ignored Return Value Unused Value Use of catch Use of memset Use of throw

hierarchy ancestor

hierarchy ancestor	Exception Information Disclosure (C#) Generic Exception Handler (C#) Inappropriate Exception Handler (C#)

hierarchy ancestor	Ignored Return Value (detekt) Too Generic Exception Caught (detekt)

hierarchy ancestor	Bare Except (Pylint) Broad Exception Caught (Pylint)

OWASP-2017:A7 Cross site scripting (XSS)

closely mapped	Tainted Write

closely mapped	Cross Site Scripting (Java) Cross Site Scripting In Error Message Web Page (Java)

closely mapped	Cross Site Scripting (C#) Cross Site Scripting In Error Message Web Page (C#)

OWASP-2017:A8 Insecure deserialization

closely mapped

closely mapped	Deserializable Class (Java) Deserializing Non-Serializable Class (Java)
hierarchy ancestor	Serialization Not Disabled (Java)

closely mapped	Deserializable Class (C#)

OWASP-2017:A9 Using components with known vulnerabilities

closely mapped

closely mapped	Deprecated Cryptography Provider (Java) Deprecated Transfer Protocol (Java)

closely mapped	Deprecated Cryptography Provider (C#) Deprecated Transfer Protocol (C#)

OWASP-2017:A10 Insufficient logging and monitoring

closely mapped	Not Enough Assertions