CWE coverage for C#
An overview of CWE coverage for C# in the latest release of CodeQL.
Overview
| CWE | Language | Query id | Query name | 
|---|---|---|---|
| CWE-11 | C# | cs/web/debug-binary | Creating an ASP.NET debug binary may reveal sensitive information | 
| CWE-12 | C# | cs/web/missing-global-error-handler | Missing global error handler | 
| CWE-13 | C# | cs/password-in-configuration | Password in configuration file | 
| CWE-20 | C# | cs/count-untrusted-data-external-api | Frequency counts for external APIs that are used with untrusted data | 
| CWE-20 | C# | cs/serialization-check-bypass | Serialization check bypass | 
| CWE-20 | C# | cs/untrusted-data-to-external-api | Untrusted data passed to external API | 
| CWE-20 | C# | cs/xml/missing-validation | Missing XML validation | 
| CWE-20 | C# | cs/assembly-path-injection | Assembly path injection | 
| CWE-22 | C# | cs/path-injection | Uncontrolled data used in path expression | 
| CWE-22 | C# | cs/zipslip | Arbitrary file access during archive extraction ("Zip Slip") | 
| CWE-22 | C# | cs/webclient-path-injection | Uncontrolled data used in a WebClient | 
| CWE-23 | C# | cs/path-injection | Uncontrolled data used in path expression | 
| CWE-23 | C# | cs/webclient-path-injection | Uncontrolled data used in a WebClient | 
| CWE-36 | C# | cs/path-injection | Uncontrolled data used in path expression | 
| CWE-36 | C# | cs/webclient-path-injection | Uncontrolled data used in a WebClient | 
| CWE-73 | C# | cs/path-injection | Uncontrolled data used in path expression | 
| CWE-73 | C# | cs/webclient-path-injection | Uncontrolled data used in a WebClient | 
| CWE-74 | C# | cs/path-injection | Uncontrolled data used in path expression | 
| CWE-74 | C# | cs/command-line-injection | Uncontrolled command line | 
| CWE-74 | C# | cs/web/xss | Cross-site scripting | 
| CWE-74 | C# | cs/sql-injection | SQL query built from user-controlled sources | 
| CWE-74 | C# | cs/ldap-injection | LDAP query built from user-controlled sources | 
| CWE-74 | C# | cs/xml-injection | XML injection | 
| CWE-74 | C# | cs/code-injection | Improper control of generation of code | 
| CWE-74 | C# | cs/resource-injection | Resource injection | 
| CWE-74 | C# | cs/uncontrolled-format-string | Uncontrolled format string | 
| CWE-74 | C# | cs/xml/xpath-injection | XPath injection | 
| CWE-74 | C# | cs/web/disabled-header-checking | Header checking disabled | 
| CWE-74 | C# | cs/webclient-path-injection | Uncontrolled data used in a WebClient | 
| CWE-77 | C# | cs/command-line-injection | Uncontrolled command line | 
| CWE-78 | C# | cs/command-line-injection | Uncontrolled command line | 
| CWE-79 | C# | cs/web/xss | Cross-site scripting | 
| CWE-88 | C# | cs/command-line-injection | Uncontrolled command line | 
| CWE-89 | C# | cs/sql-injection | SQL query built from user-controlled sources | 
| CWE-90 | C# | cs/ldap-injection | LDAP query built from user-controlled sources | 
| CWE-91 | C# | cs/xml-injection | XML injection | 
| CWE-91 | C# | cs/xml/xpath-injection | XPath injection | 
| CWE-93 | C# | cs/web/disabled-header-checking | Header checking disabled | 
| CWE-94 | C# | cs/code-injection | Improper control of generation of code | 
| CWE-95 | C# | cs/code-injection | Improper control of generation of code | 
| CWE-96 | C# | cs/code-injection | Improper control of generation of code | 
| CWE-99 | C# | cs/path-injection | Uncontrolled data used in path expression | 
| CWE-99 | C# | cs/resource-injection | Resource injection | 
| CWE-99 | C# | cs/webclient-path-injection | Uncontrolled data used in a WebClient | 
| CWE-112 | C# | cs/xml/missing-validation | Missing XML validation | 
| CWE-113 | C# | cs/web/disabled-header-checking | Header checking disabled | 
| CWE-114 | C# | cs/assembly-path-injection | Assembly path injection | 
| CWE-116 | C# | cs/web/xss | Cross-site scripting | 
| CWE-116 | C# | cs/log-forging | Log entries created from user input | 
| CWE-116 | C# | cs/inappropriate-encoding | Inappropriate encoding | 
| CWE-117 | C# | cs/log-forging | Log entries created from user input | 
| CWE-118 | C# | cs/unvalidated-local-pointer-arithmetic | Unvalidated local pointer arithmetic | 
| CWE-119 | C# | cs/unvalidated-local-pointer-arithmetic | Unvalidated local pointer arithmetic | 
| CWE-120 | C# | cs/unvalidated-local-pointer-arithmetic | Unvalidated local pointer arithmetic | 
| CWE-122 | C# | cs/unvalidated-local-pointer-arithmetic | Unvalidated local pointer arithmetic | 
| CWE-134 | C# | cs/uncontrolled-format-string | Uncontrolled format string | 
| CWE-190 | C# | cs/loss-of-precision | Possible loss of precision | 
| CWE-193 | C# | cs/index-out-of-bounds | Off-by-one comparison against container length | 
| CWE-197 | C# | cs/loss-of-precision | Possible loss of precision | 
| CWE-200 | C# | cs/web/debug-binary | Creating an ASP.NET debug binary may reveal sensitive information | 
| CWE-200 | C# | cs/sensitive-data-transmission | Information exposure through transmitted data | 
| CWE-200 | C# | cs/information-exposure-through-exception | Information exposure through an exception | 
| CWE-200 | C# | cs/cleartext-storage-of-sensitive-information | Clear text storage of sensitive information | 
| CWE-200 | C# | cs/exposure-of-sensitive-information | Exposure of private information | 
| CWE-200 | C# | cs/web/directory-browse-enabled | ASP.NET config file enables directory browsing | 
| CWE-200 | C# | cs/web/persistent-cookie | Cookie security: persistent cookie | 
| CWE-201 | C# | cs/sensitive-data-transmission | Information exposure through transmitted data | 
| CWE-209 | C# | cs/information-exposure-through-exception | Information exposure through an exception | 
| CWE-215 | C# | cs/web/debug-binary | Creating an ASP.NET debug binary may reveal sensitive information | 
| CWE-221 | C# | cs/catch-of-all-exceptions | Generic catch clause | 
| CWE-221 | C# | cs/web/missing-x-frame-options | Missing X-Frame-Options HTTP header | 
| CWE-227 | C# | cs/inconsistent-equals-and-gethashcode | Inconsistent Equals(object) and GetHashCode() | 
| CWE-227 | C# | cs/invalid-dynamic-call | Bad dynamic call | 
| CWE-227 | C# | cs/web/missing-x-frame-options | Missing X-Frame-Options HTTP header | 
| CWE-247 | C# | cs/user-controlled-bypass | User-controlled bypass of sensitive method | 
| CWE-248 | C# | cs/web/missing-global-error-handler | Missing global error handler | 
| CWE-252 | C# | cs/unchecked-return-value | Unchecked return value | 
| CWE-256 | C# | cs/password-in-configuration | Password in configuration file | 
| CWE-258 | C# | cs/empty-password-in-configuration | Empty password in configuration file | 
| CWE-259 | C# | cs/hardcoded-connection-string-credentials | Hard-coded connection string with credentials | 
| CWE-259 | C# | cs/hardcoded-credentials | Hard-coded credentials | 
| CWE-260 | C# | cs/empty-password-in-configuration | Empty password in configuration file | 
| CWE-260 | C# | cs/password-in-configuration | Password in configuration file | 
| CWE-284 | C# | cs/empty-password-in-configuration | Empty password in configuration file | 
| CWE-284 | C# | cs/password-in-configuration | Password in configuration file | 
| CWE-284 | C# | cs/web/missing-function-level-access-control | Missing function level access control | 
| CWE-284 | C# | cs/hard-coded-symmetric-encryption-key | Hard-coded symmetric encryption key | 
| CWE-284 | C# | cs/session-reuse | Failure to abandon session | 
| CWE-284 | C# | cs/web/insecure-direct-object-reference | Insecure Direct Object Reference | 
| CWE-284 | C# | cs/hardcoded-connection-string-credentials | Hard-coded connection string with credentials | 
| CWE-284 | C# | cs/hardcoded-credentials | Hard-coded credentials | 
| CWE-284 | C# | cs/user-controlled-bypass | User-controlled bypass of sensitive method | 
| CWE-284 | C# | cs/web/broad-cookie-domain | Cookie security: overly broad domain | 
| CWE-284 | C# | cs/web/broad-cookie-path | Cookie security: overly broad path | 
| CWE-285 | C# | cs/empty-password-in-configuration | Empty password in configuration file | 
| CWE-285 | C# | cs/web/missing-function-level-access-control | Missing function level access control | 
| CWE-285 | C# | cs/web/insecure-direct-object-reference | Insecure Direct Object Reference | 
| CWE-287 | C# | cs/empty-password-in-configuration | Empty password in configuration file | 
| CWE-287 | C# | cs/password-in-configuration | Password in configuration file | 
| CWE-287 | C# | cs/hard-coded-symmetric-encryption-key | Hard-coded symmetric encryption key | 
| CWE-287 | C# | cs/session-reuse | Failure to abandon session | 
| CWE-287 | C# | cs/hardcoded-connection-string-credentials | Hard-coded connection string with credentials | 
| CWE-287 | C# | cs/hardcoded-credentials | Hard-coded credentials | 
| CWE-287 | C# | cs/user-controlled-bypass | User-controlled bypass of sensitive method | 
| CWE-287 | C# | cs/web/broad-cookie-domain | Cookie security: overly broad domain | 
| CWE-287 | C# | cs/web/broad-cookie-path | Cookie security: overly broad path | 
| CWE-290 | C# | cs/user-controlled-bypass | User-controlled bypass of sensitive method | 
| CWE-311 | C# | cs/password-in-configuration | Password in configuration file | 
| CWE-311 | C# | cs/cleartext-storage-of-sensitive-information | Clear text storage of sensitive information | 
| CWE-311 | C# | cs/web/requiressl-not-set | 'requireSSL' attribute is not set to true | 
| CWE-311 | C# | cs/web/cookie-secure-not-set | 'Secure' attribute is not set to true | 
| CWE-312 | C# | cs/password-in-configuration | Password in configuration file | 
| CWE-312 | C# | cs/cleartext-storage-of-sensitive-information | Clear text storage of sensitive information | 
| CWE-313 | C# | cs/password-in-configuration | Password in configuration file | 
| CWE-315 | C# | cs/cleartext-storage-of-sensitive-information | Clear text storage of sensitive information | 
| CWE-319 | C# | cs/web/requiressl-not-set | 'requireSSL' attribute is not set to true | 
| CWE-319 | C# | cs/web/cookie-secure-not-set | 'Secure' attribute is not set to true | 
| CWE-321 | C# | cs/hard-coded-symmetric-encryption-key | Hard-coded symmetric encryption key | 
| CWE-321 | C# | cs/hardcoded-connection-string-credentials | Hard-coded connection string with credentials | 
| CWE-321 | C# | cs/hardcoded-credentials | Hard-coded credentials | 
| CWE-326 | C# | cs/insufficient-key-size | Weak encryption: Insufficient key size | 
| CWE-327 | C# | cs/adding-cert-to-root-store | Do not add certificates to the system root store. | 
| CWE-327 | C# | cs/insecure-sql-connection | Insecure SQL connection | 
| CWE-327 | C# | cs/ecb-encryption | Encryption using ECB | 
| CWE-327 | C# | cs/inadequate-rsa-padding | Weak encryption: inadequate RSA padding | 
| CWE-327 | C# | cs/weak-encryption | Weak encryption | 
| CWE-327 | C# | cs/azure-storage/unsafe-usage-of-client-side-encryption-version | Unsafe usage of v1 version of Azure Storage client-side encryption (CVE-2022-30187). | 
| CWE-327 | C# | cs/hash-without-salt | Use of a hash function without a salt | 
| CWE-330 | C# | cs/random-used-once | Random used only once | 
| CWE-330 | C# | cs/hard-coded-symmetric-encryption-key | Hard-coded symmetric encryption key | 
| CWE-330 | C# | cs/hardcoded-connection-string-credentials | Hard-coded connection string with credentials | 
| CWE-330 | C# | cs/hardcoded-credentials | Hard-coded credentials | 
| CWE-330 | C# | cs/insecure-randomness | Insecure randomness | 
| CWE-335 | C# | cs/random-used-once | Random used only once | 
| CWE-338 | C# | cs/insecure-randomness | Insecure randomness | 
| CWE-344 | C# | cs/hard-coded-symmetric-encryption-key | Hard-coded symmetric encryption key | 
| CWE-344 | C# | cs/hardcoded-connection-string-credentials | Hard-coded connection string with credentials | 
| CWE-344 | C# | cs/hardcoded-credentials | Hard-coded credentials | 
| CWE-345 | C# | cs/web/ambiguous-client-variable | Value shadowing | 
| CWE-345 | C# | cs/web/ambiguous-server-variable | Value shadowing: server variable | 
| CWE-345 | C# | cs/web/missing-token-validation | Missing cross-site request forgery token validation | 
| CWE-348 | C# | cs/web/ambiguous-client-variable | Value shadowing | 
| CWE-348 | C# | cs/web/ambiguous-server-variable | Value shadowing: server variable | 
| CWE-350 | C# | cs/user-controlled-bypass | User-controlled bypass of sensitive method | 
| CWE-352 | C# | cs/web/missing-token-validation | Missing cross-site request forgery token validation | 
| CWE-359 | C# | cs/cleartext-storage-of-sensitive-information | Clear text storage of sensitive information | 
| CWE-359 | C# | cs/exposure-of-sensitive-information | Exposure of private information | 
| CWE-362 | C# | cs/unsafe-sync-on-field | Futile synchronization on field | 
| CWE-362 | C# | cs/unsynchronized-static-access | Unsynchronized access to static collection member in non-static context | 
| CWE-362 | C# | cs/thread-unsafe-icryptotransform-field-in-class | Thread-unsafe use of a static ICryptoTransform field | 
| CWE-362 | C# | cs/thread-unsafe-icryptotransform-captured-in-lambda | Thread-unsafe capturing of an ICryptoTransform object | 
| CWE-366 | C# | cs/unsafe-sync-on-field | Futile synchronization on field | 
| CWE-384 | C# | cs/session-reuse | Failure to abandon session | 
| CWE-390 | C# | cs/empty-catch-block | Poor error handling: empty catch block | 
| CWE-391 | C# | cs/empty-catch-block | Poor error handling: empty catch block | 
| CWE-395 | C# | cs/catch-nullreferenceexception | Poor error handling: catch of NullReferenceException | 
| CWE-396 | C# | cs/catch-of-all-exceptions | Generic catch clause | 
| CWE-398 | C# | cs/call-to-obsolete-method | Call to obsolete method | 
| CWE-398 | C# | cs/todo-comment | TODO comment | 
| CWE-398 | C# | cs/dereferenced-value-is-always-null | Dereferenced variable is always null | 
| CWE-398 | C# | cs/dereferenced-value-may-be-null | Dereferenced variable may be null | 
| CWE-398 | C# | cs/unused-reftype | Dead reference types | 
| CWE-398 | C# | cs/useless-assignment-to-local | Useless assignment to local variable | 
| CWE-398 | C# | cs/unused-field | Unused field | 
| CWE-398 | C# | cs/unused-method | Unused method | 
| CWE-398 | C# | cs/useless-cast-to-self | Cast to same type | 
| CWE-398 | C# | cs/useless-is-before-as | Useless 'is' before 'as' | 
| CWE-398 | C# | cs/coalesce-of-identical-expressions | Useless ?? expression | 
| CWE-398 | C# | cs/useless-type-test | Useless type test | 
| CWE-398 | C# | cs/useless-upcast | Useless upcast | 
| CWE-398 | C# | cs/empty-collection | Container contents are never initialized | 
| CWE-398 | C# | cs/unused-collection | Container contents are never accessed | 
| CWE-398 | C# | cs/empty-lock-statement | Empty lock statement | 
| CWE-398 | C# | cs/linq/useless-select | Redundant Select | 
| CWE-400 | C# | cs/redos | Denial of Service from comparison of user input against expensive regex | 
| CWE-400 | C# | cs/regex-injection | Regular expression injection | 
| CWE-404 | C# | cs/dispose-not-called-on-throw | Dispose may not be called if an exception is thrown during execution | 
| CWE-404 | C# | cs/member-not-disposed | Missing Dispose call | 
| CWE-404 | C# | cs/missing-dispose-method | Missing Dispose method | 
| CWE-404 | C# | cs/local-not-disposed | Missing Dispose call on local IDisposable | 
| CWE-405 | C# | cs/xml/insecure-dtd-handling | Untrusted XML is read insecurely | 
| CWE-405 | C# | cs/insecure-xml-read | XML is read insecurely | 
| CWE-409 | C# | cs/xml/insecure-dtd-handling | Untrusted XML is read insecurely | 
| CWE-409 | C# | cs/insecure-xml-read | XML is read insecurely | 
| CWE-434 | C# | cs/web/file-upload | Use of file upload | 
| CWE-441 | C# | cs/request-forgery | Server-side request forgery | 
| CWE-451 | C# | cs/web/missing-x-frame-options | Missing X-Frame-Options HTTP header | 
| CWE-457 | C# | cs/unassigned-field | Field is never assigned a non-default value | 
| CWE-459 | C# | cs/dispose-not-called-on-throw | Dispose may not be called if an exception is thrown during execution | 
| CWE-459 | C# | cs/member-not-disposed | Missing Dispose call | 
| CWE-459 | C# | cs/missing-dispose-method | Missing Dispose method | 
| CWE-459 | C# | cs/local-not-disposed | Missing Dispose call on local IDisposable | 
| CWE-460 | C# | cs/dispose-not-called-on-throw | Dispose may not be called if an exception is thrown during execution | 
| CWE-460 | C# | cs/local-not-disposed | Missing Dispose call on local IDisposable | 
| CWE-471 | C# | cs/web/html-hidden-input | Use of HTMLInputHidden | 
| CWE-472 | C# | cs/web/html-hidden-input | Use of HTMLInputHidden | 
| CWE-476 | C# | cs/dereferenced-value-is-always-null | Dereferenced variable is always null | 
| CWE-476 | C# | cs/dereferenced-value-may-be-null | Dereferenced variable may be null | 
| CWE-477 | C# | cs/call-to-obsolete-method | Call to obsolete method | 
| CWE-480 | C# | cs/non-short-circuit | Potentially dangerous use of non-short-circuit logic | 
| CWE-485 | C# | cs/class-name-comparison | Erroneous class compare | 
| CWE-485 | C# | cs/cast-from-abstract-to-concrete-collection | Cast from abstract to concrete collection | 
| CWE-485 | C# | cs/expose-implementation | Exposing internal representation | 
| CWE-485 | C# | cs/web/debug-code | ASP.NET: leftover debug code | 
| CWE-486 | C# | cs/class-name-comparison | Erroneous class compare | 
| CWE-489 | C# | cs/web/debug-code | ASP.NET: leftover debug code | 
| CWE-497 | C# | cs/information-exposure-through-exception | Information exposure through an exception | 
| CWE-502 | C# | cs/deserialized-delegate | Deserialized delegate | 
| CWE-502 | C# | cs/unsafe-deserialization | Unsafe deserializer | 
| CWE-502 | C# | cs/unsafe-deserialization-untrusted-input | Deserialization of untrusted data | 
| CWE-521 | C# | cs/empty-password-in-configuration | Empty password in configuration file | 
| CWE-522 | C# | cs/empty-password-in-configuration | Empty password in configuration file | 
| CWE-522 | C# | cs/password-in-configuration | Password in configuration file | 
| CWE-532 | C# | cs/web/debug-binary | Creating an ASP.NET debug binary may reveal sensitive information | 
| CWE-538 | C# | cs/web/debug-binary | Creating an ASP.NET debug binary may reveal sensitive information | 
| CWE-538 | C# | cs/web/directory-browse-enabled | ASP.NET config file enables directory browsing | 
| CWE-538 | C# | cs/web/persistent-cookie | Cookie security: persistent cookie | 
| CWE-539 | C# | cs/web/persistent-cookie | Cookie security: persistent cookie | 
| CWE-546 | C# | cs/todo-comment | TODO comment | 
| CWE-548 | C# | cs/web/directory-browse-enabled | ASP.NET config file enables directory browsing | 
| CWE-552 | C# | cs/web/debug-binary | Creating an ASP.NET debug binary may reveal sensitive information | 
| CWE-552 | C# | cs/web/directory-browse-enabled | ASP.NET config file enables directory browsing | 
| CWE-561 | C# | cs/unused-reftype | Dead reference types | 
| CWE-561 | C# | cs/unused-field | Unused field | 
| CWE-561 | C# | cs/unused-method | Unused method | 
| CWE-561 | C# | cs/useless-cast-to-self | Cast to same type | 
| CWE-561 | C# | cs/useless-is-before-as | Useless 'is' before 'as' | 
| CWE-561 | C# | cs/coalesce-of-identical-expressions | Useless ?? expression | 
| CWE-561 | C# | cs/useless-type-test | Useless type test | 
| CWE-561 | C# | cs/useless-upcast | Useless upcast | 
| CWE-561 | C# | cs/empty-collection | Container contents are never initialized | 
| CWE-561 | C# | cs/unused-collection | Container contents are never accessed | 
| CWE-561 | C# | cs/linq/useless-select | Redundant Select | 
| CWE-563 | C# | cs/useless-assignment-to-local | Useless assignment to local variable | 
| CWE-567 | C# | cs/unsynchronized-static-access | Unsynchronized access to static collection member in non-static context | 
| CWE-573 | C# | cs/inconsistent-equals-and-gethashcode | Inconsistent Equals(object) and GetHashCode() | 
| CWE-573 | C# | cs/invalid-dynamic-call | Bad dynamic call | 
| CWE-581 | C# | cs/inconsistent-equals-and-gethashcode | Inconsistent Equals(object) and GetHashCode() | 
| CWE-582 | C# | cs/static-array | Array constant vulnerable to change | 
| CWE-585 | C# | cs/empty-lock-statement | Empty lock statement | 
| CWE-592 | C# | cs/user-controlled-bypass | User-controlled bypass of sensitive method | 
| CWE-595 | C# | cs/reference-equality-with-object | Reference equality test on System.Object | 
| CWE-595 | C# | cs/reference-equality-on-valuetypes | Call to ReferenceEquals(...) on value type expressions | 
| CWE-601 | C# | cs/web/unvalidated-url-redirection | URL redirection from remote source | 
| CWE-609 | C# | cs/unsafe-double-checked-lock | Double-checked lock is not thread-safe | 
| CWE-610 | C# | cs/path-injection | Uncontrolled data used in path expression | 
| CWE-610 | C# | cs/web/unvalidated-url-redirection | URL redirection from remote source | 
| CWE-610 | C# | cs/xml/insecure-dtd-handling | Untrusted XML is read insecurely | 
| CWE-610 | C# | cs/insecure-xml-read | XML is read insecurely | 
| CWE-610 | C# | cs/webclient-path-injection | Uncontrolled data used in a WebClient | 
| CWE-610 | C# | cs/request-forgery | Server-side request forgery | 
| CWE-611 | C# | cs/xml/insecure-dtd-handling | Untrusted XML is read insecurely | 
| CWE-611 | C# | cs/insecure-xml-read | XML is read insecurely | 
| CWE-614 | C# | cs/web/requiressl-not-set | 'requireSSL' attribute is not set to true | 
| CWE-614 | C# | cs/web/cookie-secure-not-set | 'Secure' attribute is not set to true | 
| CWE-628 | C# | cs/invalid-dynamic-call | Bad dynamic call | 
| CWE-639 | C# | cs/web/insecure-direct-object-reference | Insecure Direct Object Reference | 
| CWE-642 | C# | cs/web/html-hidden-input | Use of HTMLInputHidden | 
| CWE-642 | C# | cs/path-injection | Uncontrolled data used in path expression | 
| CWE-642 | C# | cs/webclient-path-injection | Uncontrolled data used in a WebClient | 
| CWE-643 | C# | cs/xml/xpath-injection | XPath injection | 
| CWE-657 | C# | cs/hard-coded-symmetric-encryption-key | Hard-coded symmetric encryption key | 
| CWE-657 | C# | cs/hardcoded-connection-string-credentials | Hard-coded connection string with credentials | 
| CWE-657 | C# | cs/hardcoded-credentials | Hard-coded credentials | 
| CWE-662 | C# | cs/unsafe-sync-on-field | Futile synchronization on field | 
| CWE-662 | C# | cs/inconsistent-lock-sequence | Inconsistent lock sequence | 
| CWE-662 | C# | cs/lock-this | Locking the 'this' object in a lock statement | 
| CWE-662 | C# | cs/locked-wait | A lock is held during a wait | 
| CWE-662 | C# | cs/unsynchronized-getter | Inconsistently synchronized property | 
| CWE-662 | C# | cs/unsafe-double-checked-lock | Double-checked lock is not thread-safe | 
| CWE-662 | C# | cs/unsynchronized-static-access | Unsynchronized access to static collection member in non-static context | 
| CWE-664 | C# | cs/dispose-not-called-on-throw | Dispose may not be called if an exception is thrown during execution | 
| CWE-664 | C# | cs/member-not-disposed | Missing Dispose call | 
| CWE-664 | C# | cs/missing-dispose-method | Missing Dispose method | 
| CWE-664 | C# | cs/local-not-disposed | Missing Dispose call on local IDisposable | 
| CWE-664 | C# | cs/class-name-comparison | Erroneous class compare | 
| CWE-664 | C# | cs/cast-from-abstract-to-concrete-collection | Cast from abstract to concrete collection | 
| CWE-664 | C# | cs/expose-implementation | Exposing internal representation | 
| CWE-664 | C# | cs/static-array | Array constant vulnerable to change | 
| CWE-664 | C# | cs/web/debug-code | ASP.NET: leftover debug code | 
| CWE-664 | C# | cs/web/html-hidden-input | Use of HTMLInputHidden | 
| CWE-664 | C# | cs/unsafe-sync-on-field | Futile synchronization on field | 
| CWE-664 | C# | cs/inconsistent-lock-sequence | Inconsistent lock sequence | 
| CWE-664 | C# | cs/lock-this | Locking the 'this' object in a lock statement | 
| CWE-664 | C# | cs/locked-wait | A lock is held during a wait | 
| CWE-664 | C# | cs/unsynchronized-getter | Inconsistently synchronized property | 
| CWE-664 | C# | cs/unsafe-double-checked-lock | Double-checked lock is not thread-safe | 
| CWE-664 | C# | cs/unsynchronized-static-access | Unsynchronized access to static collection member in non-static context | 
| CWE-664 | C# | cs/empty-password-in-configuration | Empty password in configuration file | 
| CWE-664 | C# | cs/password-in-configuration | Password in configuration file | 
| CWE-664 | C# | cs/unassigned-field | Field is never assigned a non-default value | 
| CWE-664 | C# | cs/web/file-upload | Use of file upload | 
| CWE-664 | C# | cs/catch-of-all-exceptions | Generic catch clause | 
| CWE-664 | C# | cs/loss-of-precision | Possible loss of precision | 
| CWE-664 | C# | cs/web/debug-binary | Creating an ASP.NET debug binary may reveal sensitive information | 
| CWE-664 | C# | cs/path-injection | Uncontrolled data used in path expression | 
| CWE-664 | C# | cs/zipslip | Arbitrary file access during archive extraction ("Zip Slip") | 
| CWE-664 | C# | cs/code-injection | Improper control of generation of code | 
| CWE-664 | C# | cs/sensitive-data-transmission | Information exposure through transmitted data | 
| CWE-664 | C# | cs/information-exposure-through-exception | Information exposure through an exception | 
| CWE-664 | C# | cs/web/missing-function-level-access-control | Missing function level access control | 
| CWE-664 | C# | cs/cleartext-storage-of-sensitive-information | Clear text storage of sensitive information | 
| CWE-664 | C# | cs/hard-coded-symmetric-encryption-key | Hard-coded symmetric encryption key | 
| CWE-664 | C# | cs/exposure-of-sensitive-information | Exposure of private information | 
| CWE-664 | C# | cs/session-reuse | Failure to abandon session | 
| CWE-664 | C# | cs/web/missing-x-frame-options | Missing X-Frame-Options HTTP header | 
| CWE-664 | C# | cs/deserialized-delegate | Deserialized delegate | 
| CWE-664 | C# | cs/unsafe-deserialization | Unsafe deserializer | 
| CWE-664 | C# | cs/unsafe-deserialization-untrusted-input | Deserialization of untrusted data | 
| CWE-664 | C# | cs/web/directory-browse-enabled | ASP.NET config file enables directory browsing | 
| CWE-664 | C# | cs/web/unvalidated-url-redirection | URL redirection from remote source | 
| CWE-664 | C# | cs/xml/insecure-dtd-handling | Untrusted XML is read insecurely | 
| CWE-664 | C# | cs/insecure-xml-read | XML is read insecurely | 
| CWE-664 | C# | cs/web/insecure-direct-object-reference | Insecure Direct Object Reference | 
| CWE-664 | C# | cs/redos | Denial of Service from comparison of user input against expensive regex | 
| CWE-664 | C# | cs/regex-injection | Regular expression injection | 
| CWE-664 | C# | cs/hardcoded-connection-string-credentials | Hard-coded connection string with credentials | 
| CWE-664 | C# | cs/hardcoded-credentials | Hard-coded credentials | 
| CWE-664 | C# | cs/user-controlled-bypass | User-controlled bypass of sensitive method | 
| CWE-664 | C# | cs/web/broad-cookie-domain | Cookie security: overly broad domain | 
| CWE-664 | C# | cs/web/broad-cookie-path | Cookie security: overly broad path | 
| CWE-664 | C# | cs/web/persistent-cookie | Cookie security: persistent cookie | 
| CWE-664 | C# | cs/webclient-path-injection | Uncontrolled data used in a WebClient | 
| CWE-664 | C# | cs/request-forgery | Server-side request forgery | 
| CWE-665 | C# | cs/unassigned-field | Field is never assigned a non-default value | 
| CWE-667 | C# | cs/locked-wait | A lock is held during a wait | 
| CWE-667 | C# | cs/unsafe-double-checked-lock | Double-checked lock is not thread-safe | 
| CWE-668 | C# | cs/static-array | Array constant vulnerable to change | 
| CWE-668 | C# | cs/web/html-hidden-input | Use of HTMLInputHidden | 
| CWE-668 | C# | cs/empty-password-in-configuration | Empty password in configuration file | 
| CWE-668 | C# | cs/password-in-configuration | Password in configuration file | 
| CWE-668 | C# | cs/web/debug-binary | Creating an ASP.NET debug binary may reveal sensitive information | 
| CWE-668 | C# | cs/path-injection | Uncontrolled data used in path expression | 
| CWE-668 | C# | cs/zipslip | Arbitrary file access during archive extraction ("Zip Slip") | 
| CWE-668 | C# | cs/sensitive-data-transmission | Information exposure through transmitted data | 
| CWE-668 | C# | cs/information-exposure-through-exception | Information exposure through an exception | 
| CWE-668 | C# | cs/cleartext-storage-of-sensitive-information | Clear text storage of sensitive information | 
| CWE-668 | C# | cs/exposure-of-sensitive-information | Exposure of private information | 
| CWE-668 | C# | cs/web/directory-browse-enabled | ASP.NET config file enables directory browsing | 
| CWE-668 | C# | cs/web/persistent-cookie | Cookie security: persistent cookie | 
| CWE-668 | C# | cs/webclient-path-injection | Uncontrolled data used in a WebClient | 
| CWE-669 | C# | cs/web/file-upload | Use of file upload | 
| CWE-669 | C# | cs/web/missing-x-frame-options | Missing X-Frame-Options HTTP header | 
| CWE-669 | C# | cs/xml/insecure-dtd-handling | Untrusted XML is read insecurely | 
| CWE-669 | C# | cs/insecure-xml-read | XML is read insecurely | 
| CWE-670 | C# | cs/non-short-circuit | Potentially dangerous use of non-short-circuit logic | 
| CWE-671 | C# | cs/hard-coded-symmetric-encryption-key | Hard-coded symmetric encryption key | 
| CWE-671 | C# | cs/hardcoded-connection-string-credentials | Hard-coded connection string with credentials | 
| CWE-671 | C# | cs/hardcoded-credentials | Hard-coded credentials | 
| CWE-674 | C# | cs/xml/insecure-dtd-handling | Untrusted XML is read insecurely | 
| CWE-674 | C# | cs/insecure-xml-read | XML is read insecurely | 
| CWE-681 | C# | cs/loss-of-precision | Possible loss of precision | 
| CWE-682 | C# | cs/index-out-of-bounds | Off-by-one comparison against container length | 
| CWE-682 | C# | cs/loss-of-precision | Possible loss of precision | 
| CWE-684 | C# | cs/web/missing-x-frame-options | Missing X-Frame-Options HTTP header | 
| CWE-691 | C# | cs/catch-nullreferenceexception | Poor error handling: catch of NullReferenceException | 
| CWE-691 | C# | cs/constant-condition | Constant condition | 
| CWE-691 | C# | cs/unsafe-sync-on-field | Futile synchronization on field | 
| CWE-691 | C# | cs/inconsistent-lock-sequence | Inconsistent lock sequence | 
| CWE-691 | C# | cs/lock-this | Locking the 'this' object in a lock statement | 
| CWE-691 | C# | cs/locked-wait | A lock is held during a wait | 
| CWE-691 | C# | cs/unsynchronized-getter | Inconsistently synchronized property | 
| CWE-691 | C# | cs/unsafe-double-checked-lock | Double-checked lock is not thread-safe | 
| CWE-691 | C# | cs/unsynchronized-static-access | Unsynchronized access to static collection member in non-static context | 
| CWE-691 | C# | cs/catch-of-all-exceptions | Generic catch clause | 
| CWE-691 | C# | cs/non-short-circuit | Potentially dangerous use of non-short-circuit logic | 
| CWE-691 | C# | cs/thread-unsafe-icryptotransform-field-in-class | Thread-unsafe use of a static ICryptoTransform field | 
| CWE-691 | C# | cs/thread-unsafe-icryptotransform-captured-in-lambda | Thread-unsafe capturing of an ICryptoTransform object | 
| CWE-691 | C# | cs/linq/inconsistent-enumeration | Bad multiple iteration | 
| CWE-691 | C# | cs/code-injection | Improper control of generation of code | 
| CWE-691 | C# | cs/web/missing-global-error-handler | Missing global error handler | 
| CWE-691 | C# | cs/xml/insecure-dtd-handling | Untrusted XML is read insecurely | 
| CWE-691 | C# | cs/insecure-xml-read | XML is read insecurely | 
| CWE-693 | C# | cs/empty-password-in-configuration | Empty password in configuration file | 
| CWE-693 | C# | cs/password-in-configuration | Password in configuration file | 
| CWE-693 | C# | cs/web/ambiguous-client-variable | Value shadowing | 
| CWE-693 | C# | cs/web/ambiguous-server-variable | Value shadowing: server variable | 
| CWE-693 | C# | cs/count-untrusted-data-external-api | Frequency counts for external APIs that are used with untrusted data | 
| CWE-693 | C# | cs/serialization-check-bypass | Serialization check bypass | 
| CWE-693 | C# | cs/untrusted-data-to-external-api | Untrusted data passed to external API | 
| CWE-693 | C# | cs/xml/missing-validation | Missing XML validation | 
| CWE-693 | C# | cs/assembly-path-injection | Assembly path injection | 
| CWE-693 | C# | cs/web/missing-function-level-access-control | Missing function level access control | 
| CWE-693 | C# | cs/cleartext-storage-of-sensitive-information | Clear text storage of sensitive information | 
| CWE-693 | C# | cs/hard-coded-symmetric-encryption-key | Hard-coded symmetric encryption key | 
| CWE-693 | C# | cs/adding-cert-to-root-store | Do not add certificates to the system root store. | 
| CWE-693 | C# | cs/insecure-sql-connection | Insecure SQL connection | 
| CWE-693 | C# | cs/web/missing-token-validation | Missing cross-site request forgery token validation | 
| CWE-693 | C# | cs/session-reuse | Failure to abandon session | 
| CWE-693 | C# | cs/web/requiressl-not-set | 'requireSSL' attribute is not set to true | 
| CWE-693 | C# | cs/web/insecure-direct-object-reference | Insecure Direct Object Reference | 
| CWE-693 | C# | cs/hardcoded-connection-string-credentials | Hard-coded connection string with credentials | 
| CWE-693 | C# | cs/hardcoded-credentials | Hard-coded credentials | 
| CWE-693 | C# | cs/user-controlled-bypass | User-controlled bypass of sensitive method | 
| CWE-693 | C# | cs/web/broad-cookie-domain | Cookie security: overly broad domain | 
| CWE-693 | C# | cs/web/broad-cookie-path | Cookie security: overly broad path | 
| CWE-693 | C# | cs/ecb-encryption | Encryption using ECB | 
| CWE-693 | C# | cs/inadequate-rsa-padding | Weak encryption: inadequate RSA padding | 
| CWE-693 | C# | cs/insufficient-key-size | Weak encryption: Insufficient key size | 
| CWE-693 | C# | cs/weak-encryption | Weak encryption | 
| CWE-693 | C# | cs/azure-storage/unsafe-usage-of-client-side-encryption-version | Unsafe usage of v1 version of Azure Storage client-side encryption (CVE-2022-30187). | 
| CWE-693 | C# | cs/web/cookie-secure-not-set | 'Secure' attribute is not set to true | 
| CWE-693 | C# | cs/hash-without-salt | Use of a hash function without a salt | 
| CWE-697 | C# | cs/class-name-comparison | Erroneous class compare | 
| CWE-697 | C# | cs/reference-equality-with-object | Reference equality test on System.Object | 
| CWE-697 | C# | cs/reference-equality-on-valuetypes | Call to ReferenceEquals(...) on value type expressions | 
| CWE-703 | C# | cs/dispose-not-called-on-throw | Dispose may not be called if an exception is thrown during execution | 
| CWE-703 | C# | cs/local-not-disposed | Missing Dispose call on local IDisposable | 
| CWE-703 | C# | cs/unchecked-return-value | Unchecked return value | 
| CWE-703 | C# | cs/catch-nullreferenceexception | Poor error handling: catch of NullReferenceException | 
| CWE-703 | C# | cs/empty-catch-block | Poor error handling: empty catch block | 
| CWE-703 | C# | cs/catch-of-all-exceptions | Generic catch clause | 
| CWE-703 | C# | cs/information-exposure-through-exception | Information exposure through an exception | 
| CWE-703 | C# | cs/web/missing-global-error-handler | Missing global error handler | 
| CWE-704 | C# | cs/loss-of-precision | Possible loss of precision | 
| CWE-705 | C# | cs/catch-nullreferenceexception | Poor error handling: catch of NullReferenceException | 
| CWE-705 | C# | cs/catch-of-all-exceptions | Generic catch clause | 
| CWE-705 | C# | cs/web/missing-global-error-handler | Missing global error handler | 
| CWE-706 | C# | cs/path-injection | Uncontrolled data used in path expression | 
| CWE-706 | C# | cs/zipslip | Arbitrary file access during archive extraction ("Zip Slip") | 
| CWE-706 | C# | cs/xml/insecure-dtd-handling | Untrusted XML is read insecurely | 
| CWE-706 | C# | cs/insecure-xml-read | XML is read insecurely | 
| CWE-706 | C# | cs/webclient-path-injection | Uncontrolled data used in a WebClient | 
| CWE-707 | C# | cs/path-injection | Uncontrolled data used in path expression | 
| CWE-707 | C# | cs/command-line-injection | Uncontrolled command line | 
| CWE-707 | C# | cs/web/xss | Cross-site scripting | 
| CWE-707 | C# | cs/sql-injection | SQL query built from user-controlled sources | 
| CWE-707 | C# | cs/ldap-injection | LDAP query built from user-controlled sources | 
| CWE-707 | C# | cs/xml-injection | XML injection | 
| CWE-707 | C# | cs/code-injection | Improper control of generation of code | 
| CWE-707 | C# | cs/resource-injection | Resource injection | 
| CWE-707 | C# | cs/log-forging | Log entries created from user input | 
| CWE-707 | C# | cs/uncontrolled-format-string | Uncontrolled format string | 
| CWE-707 | C# | cs/xml/xpath-injection | XPath injection | 
| CWE-707 | C# | cs/inappropriate-encoding | Inappropriate encoding | 
| CWE-707 | C# | cs/web/disabled-header-checking | Header checking disabled | 
| CWE-707 | C# | cs/webclient-path-injection | Uncontrolled data used in a WebClient | 
| CWE-710 | C# | cs/call-to-obsolete-method | Call to obsolete method | 
| CWE-710 | C# | cs/inconsistent-equals-and-gethashcode | Inconsistent Equals(object) and GetHashCode() | 
| CWE-710 | C# | cs/todo-comment | TODO comment | 
| CWE-710 | C# | cs/dereferenced-value-is-always-null | Dereferenced variable is always null | 
| CWE-710 | C# | cs/dereferenced-value-may-be-null | Dereferenced variable may be null | 
| CWE-710 | C# | cs/unused-reftype | Dead reference types | 
| CWE-710 | C# | cs/useless-assignment-to-local | Useless assignment to local variable | 
| CWE-710 | C# | cs/unused-field | Unused field | 
| CWE-710 | C# | cs/unused-method | Unused method | 
| CWE-710 | C# | cs/useless-cast-to-self | Cast to same type | 
| CWE-710 | C# | cs/useless-is-before-as | Useless 'is' before 'as' | 
| CWE-710 | C# | cs/coalesce-of-identical-expressions | Useless ?? expression | 
| CWE-710 | C# | cs/useless-type-test | Useless type test | 
| CWE-710 | C# | cs/useless-upcast | Useless upcast | 
| CWE-710 | C# | cs/empty-collection | Container contents are never initialized | 
| CWE-710 | C# | cs/unused-collection | Container contents are never accessed | 
| CWE-710 | C# | cs/invalid-dynamic-call | Bad dynamic call | 
| CWE-710 | C# | cs/empty-lock-statement | Empty lock statement | 
| CWE-710 | C# | cs/linq/useless-select | Redundant Select | 
| CWE-710 | C# | cs/hard-coded-symmetric-encryption-key | Hard-coded symmetric encryption key | 
| CWE-710 | C# | cs/web/missing-x-frame-options | Missing X-Frame-Options HTTP header | 
| CWE-710 | C# | cs/hardcoded-connection-string-credentials | Hard-coded connection string with credentials | 
| CWE-710 | C# | cs/hardcoded-credentials | Hard-coded credentials | 
| CWE-754 | C# | cs/unchecked-return-value | Unchecked return value | 
| CWE-755 | C# | cs/dispose-not-called-on-throw | Dispose may not be called if an exception is thrown during execution | 
| CWE-755 | C# | cs/local-not-disposed | Missing Dispose call on local IDisposable | 
| CWE-755 | C# | cs/catch-nullreferenceexception | Poor error handling: catch of NullReferenceException | 
| CWE-755 | C# | cs/empty-catch-block | Poor error handling: empty catch block | 
| CWE-755 | C# | cs/catch-of-all-exceptions | Generic catch clause | 
| CWE-755 | C# | cs/information-exposure-through-exception | Information exposure through an exception | 
| CWE-755 | C# | cs/web/missing-global-error-handler | Missing global error handler | 
| CWE-756 | C# | cs/web/missing-global-error-handler | Missing global error handler | 
| CWE-759 | C# | cs/hash-without-salt | Use of a hash function without a salt | 
| CWE-776 | C# | cs/xml/insecure-dtd-handling | Untrusted XML is read insecurely | 
| CWE-776 | C# | cs/insecure-xml-read | XML is read insecurely | 
| CWE-780 | C# | cs/inadequate-rsa-padding | Weak encryption: inadequate RSA padding | 
| CWE-787 | C# | cs/unvalidated-local-pointer-arithmetic | Unvalidated local pointer arithmetic | 
| CWE-788 | C# | cs/unvalidated-local-pointer-arithmetic | Unvalidated local pointer arithmetic | 
| CWE-798 | C# | cs/hard-coded-symmetric-encryption-key | Hard-coded symmetric encryption key | 
| CWE-798 | C# | cs/hardcoded-connection-string-credentials | Hard-coded connection string with credentials | 
| CWE-798 | C# | cs/hardcoded-credentials | Hard-coded credentials | 
| CWE-807 | C# | cs/user-controlled-bypass | User-controlled bypass of sensitive method | 
| CWE-820 | C# | cs/unsynchronized-static-access | Unsynchronized access to static collection member in non-static context | 
| CWE-827 | C# | cs/xml/insecure-dtd-handling | Untrusted XML is read insecurely | 
| CWE-827 | C# | cs/insecure-xml-read | XML is read insecurely | 
| CWE-829 | C# | cs/web/missing-x-frame-options | Missing X-Frame-Options HTTP header | 
| CWE-829 | C# | cs/xml/insecure-dtd-handling | Untrusted XML is read insecurely | 
| CWE-829 | C# | cs/insecure-xml-read | XML is read insecurely | 
| CWE-833 | C# | cs/locked-wait | A lock is held during a wait | 
| CWE-834 | C# | cs/constant-condition | Constant condition | 
| CWE-834 | C# | cs/linq/inconsistent-enumeration | Bad multiple iteration | 
| CWE-834 | C# | cs/xml/insecure-dtd-handling | Untrusted XML is read insecurely | 
| CWE-834 | C# | cs/insecure-xml-read | XML is read insecurely | 
| CWE-835 | C# | cs/constant-condition | Constant condition | 
| CWE-838 | C# | cs/inappropriate-encoding | Inappropriate encoding | 
| CWE-862 | C# | cs/empty-password-in-configuration | Empty password in configuration file | 
| CWE-862 | C# | cs/web/missing-function-level-access-control | Missing function level access control | 
| CWE-862 | C# | cs/web/insecure-direct-object-reference | Insecure Direct Object Reference | 
| CWE-913 | C# | cs/code-injection | Improper control of generation of code | 
| CWE-913 | C# | cs/deserialized-delegate | Deserialized delegate | 
| CWE-913 | C# | cs/unsafe-deserialization | Unsafe deserializer | 
| CWE-913 | C# | cs/unsafe-deserialization-untrusted-input | Deserialization of untrusted data | 
| CWE-916 | C# | cs/hash-without-salt | Use of a hash function without a salt | 
| CWE-918 | C# | cs/request-forgery | Server-side request forgery | 
| CWE-922 | C# | cs/password-in-configuration | Password in configuration file | 
| CWE-922 | C# | cs/cleartext-storage-of-sensitive-information | Clear text storage of sensitive information | 
| CWE-923 | C# | cs/user-controlled-bypass | User-controlled bypass of sensitive method | 
| CWE-943 | C# | cs/sql-injection | SQL query built from user-controlled sources | 
| CWE-943 | C# | cs/ldap-injection | LDAP query built from user-controlled sources | 
| CWE-943 | C# | cs/xml/xpath-injection | XPath injection | 
| CWE-1004 | C# | cs/web/cookie-httponly-not-set | 'HttpOnly' attribute is not set to true | 
| CWE-1333 | C# | cs/redos | Denial of Service from comparison of user input against expensive regex |