OWASP Top 10 2021

JavaScript is not currently enabled, but is required for full CodeSonar manual search and browse functionality.

If you are viewing this file in your hub's Web GUI, enable JavaScript in your browser: you will also need it for GUI functionality.

If you opened this file directly from disk, your browser may be directly suppressing JavaScript functionality: certain browsers perform this suppression on local files (but not files delivered by web servers) for security reasons.

If you access the manual through the hub's Web GUI, the functionality will not be suppressed because the hub is a web server.
Alternatively, your browser may allow you to explicitly disable the security setting that suppresses functionality. See the CodeSonar FAQ for more information.

CodeSonar^® 9.0p0 Hot Tips

CONFIDENTIAL

CodeSecure Inc

OWASP Top 10 2021

The categories list for each CodeSonar warning includes any relevant members of the OWASP® Top Ten Application Security Risks - 2021.

CSV tables of warning classes by OWASP-2021 rule are provided in OWASP-2021-mapping.csv.

The OWASP Top Ten 2021
Relevant Warning Classes
Management Reports
Enabling OWASP-2021 Checks

The OWASP Top 10 2021

"OWASP-2021" is shorthand for the OWASP Top 10 2021.

See the OWASP Top 10 2021 website for more information.

Relevant Warning Classes

The following table shows the CodeSonar warning classes that are associated with OWASP-2021 top ten security risks.

OWASP-2021	C/C++ Warning Classes	Java Warning Classes	C# Warning Classes	Kotlin Warning Classes	Python Warning Classes
OWASP-2021:A1 Broken access control	Hardcoded Authentication Hardcoded Crypto Key Hardcoded Crypto Salt Null Security Descriptor Plaintext Storage of Password Tainted Filename Tainted Write Use of AddAccessAllowedAce Use of AddAccessDeniedAce Use of crypt Use of cuserid Use of getlogin Weak Cryptography	Fragment Injection (Java) Method Disables Security Setting (Java) Missing Authentication Annotation (Java) Missing isValidFragment Override (Java) Security Annotation Conflict (Java) Tainted Data in Vulnerable Method (Java)	Disabled Input Validation (C#) Method Disables Security Setting (C#) Missing Authentication Annotation (C#) Security Annotation Conflict (C#)	-	-
OWASP-2021:A2 Cryptographic failures	Encryption without Padding Plaintext Storage of Password Redundant Condition Tainted Write Use of crypt Weak Cryptography	Android Message Injection (Java) Android URL Injection (Java) Sensitive Data Cached (Java) Sensitive Data Written to External Storage (Java) Sensitive Data Written to Local File (Java) Weak Cryptographic Value (Java)	Weak Cryptographic Value (C#)	-	-
OWASP-2021:A3 Injection	Command Injection LDAP Injection SQL Injection Untrusted Process Creation Use of system	Code Injection (Java) Command Injection (Java) DLL Injection (Java) DOS Injection (Java) Fragment Injection (Java) Reflection Injection (Java) SQL Injection (Java) Tainted @Trusted Value (Java) Tainted Bundle (Java) Tainted Control (Java) Tainted Data in Vulnerable Method (Java) Tainted Expression Evaluation (Java) Tainted HTTP Response (Java) Tainted Hardware Device Property (Java) Tainted LDAP Attribute (Java) Tainted Log (Java) Tainted Message (Java) Tainted Network Address (Java) Tainted Path (Java) Tainted Regular Expression (Java) Tainted Resource (Java) Tainted Session (Java) Tainted URL (Java) Tainted XAML (Java) Tainted XML (Java) Tainted Xpath (Java)	Code Injection (C#) Command Injection (C#) DLL Injection (C#) DOS Injection (C#) Reflection Injection (C#) SQL Injection (C#) Tainted @Trusted Value (C#) Tainted Bundle (C#) Tainted Control (C#) Tainted Expression Evaluation (C#) Tainted HTTP Response (C#) Tainted Hardware Device Property (C#) Tainted LDAP Attribute (C#) Tainted Log (C#) Tainted Message (C#) Tainted Network Address (C#) Tainted Path (C#) Tainted Regular Expression (C#) Tainted Resource (C#) Tainted Session (C#) Tainted URL (C#) Tainted XAML (C#) Tainted XML (C#) Tainted Xpath (C#)	-	-
OWASP-2021:A4 Insecure design	-	-	-	-	-
OWASP-2021:A5 Security misconfiguration	Encryption without Padding Hardcoded Authentication Hardcoded Crypto Key Hardcoded Crypto Salt Hardcoded DNS Name Hardcoded Seed in PRNG Memory Protection Removal Use of XML_ExternalEntityParserCreate	Possible XML External Entity Reference (Java)	Possible XML External Entity Reference (C#)	-	-
OWASP-2021:A6 Vulnerable and outdated components	Use of AddAccessAllowedAce Use of AddAccessDeniedAce Use of AfxLoadLibrary Use of CoLoadLibrary Use of CreateFile Use of CreateProcess Use of CreateThread Use of FormatMessage Use of GetTempFileName Use of LoadLibrary Use of LoadModule Use of MoveFile Use of OemToAnsi Use of OemToChar Use of crypt Use of gets Use of mkstemp Use of mktemp Use of rand Use of rand48 Function Use of random Use of tmpfile Use of tmpfile_s Use of tmpnam Use of tmpnam_s Weak Cryptography	Deprecated Cryptography Provider (Java) Deprecated Transfer Protocol (Java)	Deprecated Cryptography Provider (C#) Deprecated Transfer Protocol (C#)	-	-
OWASP-2021:A7 Identification and authorization failures	Hardcoded Authentication Hardcoded Crypto Key Hardcoded Crypto Salt Plaintext Storage of Password Use of crypt Weak Cryptography	Anonymous LDAP Authentication (Java) Certificate Added to Root Store (Java) Cryptographic Algorithm with Risky Default Cipher (Java) Cryptographic Algorithm with Weak Cipher (Java) Cryptographic Algorithm with Weak Hash (Java) Hardcoded Password (Java) Hostname in Condition (Java) Inadequate Salt (Java) Insecure Key Derivation (Java) Missing Authentication Annotation (Java) Password in Property File (Java) Risky Cipher Algorithm (Java) Risky Cipher Field (Java) Risky Cryptographic Algorithm (Java) Security Annotation Conflict (Java) Unsafe Base64 Encoding (Java) Weak Cryptographic Value (Java) Weak Hash Algorithm (Java) Weak Hash Algorithm Field (Java) Weak Initialization Vector Field (Java) Weak Initialization Vector Value (Java)	Anonymous LDAP Authentication (C#) Certificate Added to Root Store (C#) Cryptographic Algorithm with Risky Default Cipher (C#) Cryptographic Algorithm with Weak Cipher (C#) Cryptographic Algorithm with Weak Hash (C#) Hardcoded Password (C#) Hostname in Condition (C#) Inadequate Salt (C#) Insecure Key Derivation (C#) Missing Authentication Annotation (C#) Password in Property File (C#) Risky Cipher Algorithm (C#) Risky Cipher Field (C#) Risky Cryptographic Algorithm (C#) Risky Cryptographic Field (C#) Security Annotation Conflict (C#) Unsafe Base64 Encoding (C#) Weak Cryptographic Value (C#) Weak Hash Algorithm (C#) Weak Hash Algorithm Field (C#) Weak Initialization Vector Field (C#) Weak Initialization Vector Value (C#)	-	-
OWASP-2021:A8 Software and data integrity failures	Addition Overflow of Allocation Size Addition Overflow of Size Buffer Overrun Buffer Underrun Integer Overflow of Allocation Size Multiplication Overflow of Allocation Size Multiplication Overflow of Size Pointer Arithmetic Pointer Before Beginning of Object Pointer Past End of Object Subtraction Underflow of Allocation Size Subtraction Underflow of Size Tainted Buffer Access Type Overrun Type Underrun	Deserializable Class (Java) Deserializing Non-Serializable Class (Java)	Deserializable Class (C#)	-	-
OWASP-2021:A9 Security logging and monitoring failures	Not Enough Assertions	-	-	-	-
OWASP-2021:A10 Server-side request forgery	-	-	-	-	-

Management Reports

The predefined OWASP Top Ten 2021 Report management report template allows you to automatically generate a report summarizing all the warnings from a particular analysis that are closely mapped to one or more of the OWASP Top 10 2021.

You can generate this report from the GUI Analysis page for the analysis of interest. For general instructions, see Task: Generate a Management Report

Enabling OWASP-2021 Rules

Because the rules are strongly tied to web application development, many of the associated checks are disabled by default.

CodeSonar ships with a taxonomy preset for OWASP-2021 checks:

owasp2021

Enables warning classes such that a given class C is enabled if all of the following are true.

C is closely mapped to one or more OWASP-2021 members (that is, it appears in the table above), and
no other classes enabled by the preset are more closely related to the same rules, and
C is not diagnostic-only (that is, it does not have a DIAG.* mnemonic).

You can apply the owasp2021 preset to the CodeSonar build/analysis as shown in the following table.

Command Line	Specify -preset owasp2021 as part of your build/analysis command. For example: codesonar analyze MyProj -preset owasp2021 localhost:7340 make
Define as a default preset	Copy owasp2021.conf from $CSONAR/codesonar/presets/ to $CSONAR/codesonar/default_presets/. OR Use the CodeSonar Configuration Tool Modify Analysis Settings option.
Windows Build Wizard	Select owasp2021 from the Preset list on screen 2.
Eclipse Plug-In	Select owasp2021 from the Presets list in the Properties dialog.
Visual Studio Plug-In	Select owasp2021 from the Presets list in the Project Properties dialog.

Enabling checks for specific security risks

To enable checks for all the warning classes associated with a specific OWASP-2021 security risk, include the following in the project configuration file:

WARNING_FILTER += allow categories:"OWASP-2021:Anum"

Anum is the OWASP-2021 item number.
To enable checks for several rule numbers, include several WARNING_FILTER lines of this form.

Enabling individual warning classes

To enable a single warning class check, follow the instructions in the documentation for the corresponding warning class. Warning class documentation links are provided above.