GitLab Advanced SAST CWE coverage
DETAILS: Tier: Ultimate Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated
GitLab Advanced SAST finds many types of potential security vulnerabilities in code written in supported languages.
GitLab assigns a matching Common Weakness Enumeration (CWE) identifier to each potential vulnerability. CWE identifiers are an industry-standard way to identify security weaknesses, but it's important to know:
- CWEs are arranged in a tree structure. For example, CWE-22: Path Traversal is a parent of CWE-23: Relative Path Traversal. A scanner that specifically detects relative path traversal weaknesses (CWE-23) by definition also detects a portion of the more general path traversal category (CWE-22).
- For clarity, this table identifies the exact CWE identifiers that are assigned to Advanced SAST rules. It doesn't report parent identifiers.
To learn more about the rules used in GitLab Advanced SAST, see SAST rules.
CWE coverage by language
GitLab Advanced SAST finds the following types of weaknesses in each programming language:
| CWE | CWE Description | C# | Go | Java | JavaScript, TypeScript | Python | Ruby |
|---|---|---|---|---|---|---|---|
| CWE-15 | External Control of System or Configuration Setting | {dotted-circle} No | {dotted-circle} No | {check-circle} Yes | {dotted-circle} No | {dotted-circle} No | {dotted-circle} No |
| CWE-22 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') | {check-circle} Yes | {check-circle} Yes | {check-circle} Yes | {check-circle} Yes | {check-circle} Yes | {check-circle} Yes |
| CWE-23 | Relative Path Traversal | {dotted-circle} No | {dotted-circle} No | {dotted-circle} No | {check-circle} Yes | {check-circle} Yes | {dotted-circle} No |
| CWE-73 | External Control of File Name or Path | {dotted-circle} No | {dotted-circle} No | {check-circle} Yes | {dotted-circle} No | {dotted-circle} No | {check-circle} Yes |
| CWE-76 | Improper Neutralization of Equivalent Special Elements | {dotted-circle} No | {dotted-circle} No | {dotted-circle} No | {dotted-circle} No | {dotted-circle} No | {check-circle} Yes |
| CWE-77 | Improper Neutralization of Special Elements used in a Command ('Command Injection') | {dotted-circle} No | {dotted-circle} No | {check-circle} Yes | {dotted-circle} No | {dotted-circle} No | {dotted-circle} No |
| CWE-78 | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') | {check-circle} Yes | {check-circle} Yes | {check-circle} Yes | {check-circle} Yes | {check-circle} Yes | {check-circle} Yes |
| CWE-79 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | {check-circle} Yes | {check-circle} Yes | {check-circle} Yes | {check-circle} Yes | {check-circle} Yes | {check-circle} Yes |
| CWE-80 | Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) | {dotted-circle} No | {dotted-circle} No | {dotted-circle} No | {check-circle} Yes | {dotted-circle} No | {dotted-circle} No |
| CWE-88 | Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') | {dotted-circle} No | {dotted-circle} No | {check-circle} Yes | {dotted-circle} No | {dotted-circle} No | {dotted-circle} No |
| CWE-89 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | {check-circle} Yes | {check-circle} Yes | {check-circle} Yes | {check-circle} Yes | {check-circle} Yes | {check-circle} Yes |
| CWE-90 | Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection') | {check-circle} Yes | {dotted-circle} No | {check-circle} Yes | {dotted-circle} No | {dotted-circle} No | {dotted-circle} No |
| CWE-91 | XML Injection (aka Blind XPath Injection) | {dotted-circle} No | {dotted-circle} No | {check-circle} Yes | {dotted-circle} No | {dotted-circle} No | {dotted-circle} No |
| CWE-94 | Improper Control of Generation of Code ('Code Injection') | {dotted-circle} No | {check-circle} Yes | {check-circle} Yes | {check-circle} Yes | {check-circle} Yes | {check-circle} Yes |
| CWE-95 | Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') | {dotted-circle} No | {dotted-circle} No | {check-circle} Yes | {check-circle} Yes | {check-circle} Yes | {check-circle} Yes |
| CWE-113 | Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') | {dotted-circle} No | {dotted-circle} No | {check-circle} Yes | {check-circle} Yes | {dotted-circle} No | {dotted-circle} No |
| CWE-116 | Improper Encoding or Escaping of Output | {dotted-circle} No | {dotted-circle} No | {dotted-circle} No | {check-circle} Yes | {check-circle} Yes | {dotted-circle} No |
| CWE-117 | Improper Output Neutralization for Logs | {dotted-circle} No | {dotted-circle} No | {check-circle} Yes | {dotted-circle} No | {dotted-circle} No | {dotted-circle} No |
| CWE-118 | Incorrect Access of Indexable Resource ('Range Error') | {dotted-circle} No | {check-circle} Yes | {dotted-circle} No | {dotted-circle} No | {dotted-circle} No | {dotted-circle} No |
| CWE-125 | Out-of-bounds Read | {dotted-circle} No | {dotted-circle} No | {dotted-circle} No | {check-circle} Yes | {dotted-circle} No | {dotted-circle} No |
| CWE-134 | Use of Externally-Controlled Format String | {dotted-circle} No | {dotted-circle} No | {check-circle} Yes | {dotted-circle} No | {dotted-circle} No | {dotted-circle} No |
| CWE-155 | Improper Neutralization of Wildcards or Matching Symbols | {dotted-circle} No | {dotted-circle} No | {dotted-circle} No | {dotted-circle} No | {check-circle} Yes | {dotted-circle} No |
| CWE-180 | Incorrect Behavior Order: Validate Before Canonicalize | {dotted-circle} No | {dotted-circle} No | {check-circle} Yes | {dotted-circle} No | {dotted-circle} No | {dotted-circle} No |
| CWE-182 | Collapse of Data into Unsafe Value | {dotted-circle} No | {dotted-circle} No | {check-circle} Yes | {dotted-circle} No | {dotted-circle} No | {dotted-circle} No |
| CWE-185 | Incorrect Regular Expression | {dotted-circle} No | {dotted-circle} No | {dotted-circle} No | {check-circle} Yes | {dotted-circle} No | {check-circle} Yes |
| CWE-190 | Integer Overflow or Wraparound | {dotted-circle} No | {check-circle} Yes | {dotted-circle} No | {dotted-circle} No | {dotted-circle} No | {dotted-circle} No |
| CWE-208 | Observable Timing Discrepancy | {dotted-circle} No | {dotted-circle} No | {dotted-circle} No | {check-circle} Yes | {dotted-circle} No | {dotted-circle} No |
| CWE-209 | Generation of Error Message Containing Sensitive Information | {dotted-circle} No | {dotted-circle} No | {dotted-circle} No | {dotted-circle} No | {dotted-circle} No | {check-circle} Yes |
| CWE-242 | Use of Inherently Dangerous Function | {dotted-circle} No | {check-circle} Yes | {dotted-circle} No | {dotted-circle} No | {dotted-circle} No | {dotted-circle} No |
| CWE-272 | Least Privilege Violation | {dotted-circle} No | {dotted-circle} No | {dotted-circle} No | {check-circle} Yes | {dotted-circle} No | {dotted-circle} No |
| CWE-276 | Incorrect Default Permissions | {dotted-circle} No | {check-circle} Yes | {dotted-circle} No | {dotted-circle} No | {dotted-circle} No | {check-circle} Yes |
| CWE-295 | Improper Certificate Validation | {check-circle} Yes | {dotted-circle} No | {check-circle} Yes | {check-circle} Yes | {check-circle} Yes | {check-circle} Yes |
| CWE-297 | Improper Validation of Certificate with Host Mismatch | {dotted-circle} No | {dotted-circle} No | {check-circle} Yes | {dotted-circle} No | {dotted-circle} No | {dotted-circle} No |
| CWE-306 | Missing Authentication for Critical Function | {dotted-circle} No | {dotted-circle} No | {check-circle} Yes | {dotted-circle} No | {dotted-circle} No | {dotted-circle} No |
| CWE-311 | Missing Encryption of Sensitive Data | {dotted-circle} No | {dotted-circle} No | {dotted-circle} No | {dotted-circle} No | {dotted-circle} No | {check-circle} Yes |
| CWE-319 | Cleartext Transmission of Sensitive Information | {dotted-circle} No | {dotted-circle} No | {check-circle} Yes | {check-circle} Yes | {check-circle} Yes | {dotted-circle} No |
| CWE-322 | Key Exchange without Entity Authentication | {dotted-circle} No | {check-circle} Yes | {dotted-circle} No | {dotted-circle} No | {check-circle} Yes | {dotted-circle} No |
| CWE-323 | Reusing a Nonce, Key Pair in Encryption | {dotted-circle} No | {dotted-circle} No | {check-circle} Yes | {dotted-circle} No | {dotted-circle} No | {dotted-circle} No |
| CWE-326 | Inadequate Encryption Strength | {dotted-circle} No | {check-circle} Yes | {check-circle} Yes | {dotted-circle} No | {check-circle} Yes | {check-circle} Yes |
| CWE-327 | Use of a Broken or Risky Cryptographic Algorithm | {check-circle} Yes | {check-circle} Yes | {check-circle} Yes | {check-circle} Yes | {check-circle} Yes | {dotted-circle} No |
| CWE-328 | Use of Weak Hash | {dotted-circle} No | {dotted-circle} No | {dotted-circle} No | {check-circle} Yes | {dotted-circle} No | {check-circle} Yes |
| CWE-338 | Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) | {check-circle} Yes | {check-circle} Yes | {dotted-circle} No | {check-circle} Yes | {check-circle} Yes | {dotted-circle} No |
| CWE-346 | Origin Validation Error | {dotted-circle} No | {dotted-circle} No | {dotted-circle} No | {check-circle} Yes | {dotted-circle} No | {dotted-circle} No |
| CWE-347 | Improper Verification of Cryptographic Signature | {dotted-circle} No | {dotted-circle} No | {check-circle} Yes | {dotted-circle} No | {dotted-circle} No | {dotted-circle} No |
| CWE-348 | Use of Less Trusted Source | {dotted-circle} No | {dotted-circle} No | {dotted-circle} No | {check-circle} Yes | {dotted-circle} No | {dotted-circle} No |
| CWE-352 | Cross-Site Request Forgery (CSRF) | {check-circle} Yes | {dotted-circle} No | {check-circle} Yes | {dotted-circle} No | {check-circle} Yes | {check-circle} Yes |
| CWE-358 | Improperly Implemented Security Check for Standard | {dotted-circle} No | {dotted-circle} No | {dotted-circle} No | {check-circle} Yes | {dotted-circle} No | {dotted-circle} No |
| CWE-369 | Divide By Zero | {dotted-circle} No | {dotted-circle} No | {dotted-circle} No | {dotted-circle} No | {dotted-circle} No | {check-circle} Yes |
| CWE-377 | Insecure Temporary File | {dotted-circle} No | {check-circle} Yes | {dotted-circle} No | {dotted-circle} No | {check-circle} Yes | {dotted-circle} No |
| CWE-409 | Improper Handling of Highly Compressed Data (Data Amplification) | {dotted-circle} No | {check-circle} Yes | {dotted-circle} No | {dotted-circle} No | {dotted-circle} No | {dotted-circle} No |
| CWE-470 | Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') | {dotted-circle} No | {dotted-circle} No | {check-circle} Yes | {dotted-circle} No | {dotted-circle} No | {dotted-circle} No |
| CWE-489 | Active Debug Code | {dotted-circle} No | {check-circle} Yes | {check-circle} Yes | {dotted-circle} No | {check-circle} Yes | {dotted-circle} No |
| CWE-502 | Deserialization of Untrusted Data | {check-circle} Yes | {dotted-circle} No | {check-circle} Yes | {check-circle} Yes | {check-circle} Yes | {check-circle} Yes |
| CWE-521 | Weak Password Requirements | {check-circle} Yes | {dotted-circle} No | {dotted-circle} No | {dotted-circle} No | {dotted-circle} No | {dotted-circle} No |
| CWE-522 | Insufficiently Protected Credentials | {dotted-circle} No | {dotted-circle} No | {dotted-circle} No | {check-circle} Yes | {dotted-circle} No | {dotted-circle} No |
| CWE-552 | Files or Directories Accessible to External Parties | {dotted-circle} No | {check-circle} Yes | {check-circle} Yes | {dotted-circle} No | {dotted-circle} No | {dotted-circle} No |
| CWE-554 | ASP.NET Misconfiguration: Not Using Input Validation Framework | {check-circle} Yes | {dotted-circle} No | {dotted-circle} No | {dotted-circle} No | {dotted-circle} No | {dotted-circle} No |
| CWE-599 | Missing Validation of OpenSSL Certificate | {dotted-circle} No | {dotted-circle} No | {dotted-circle} No | {check-circle} Yes | {dotted-circle} No | {dotted-circle} No |
| CWE-601 | URL Redirection to Untrusted Site ('Open Redirect') | {check-circle} Yes | {check-circle} Yes | {check-circle} Yes | {check-circle} Yes | {check-circle} Yes | {check-circle} Yes |
| CWE-606 | Unchecked Input for Loop Condition | {dotted-circle} No | {dotted-circle} No | {dotted-circle} No | {check-circle} Yes | {dotted-circle} No | {dotted-circle} No |
| CWE-611 | Improper Restriction of XML External Entity Reference | {check-circle} Yes | {check-circle} Yes | {check-circle} Yes | {check-circle} Yes | {check-circle} Yes | {dotted-circle} No |
| CWE-613 | Insufficient Session Expiration | {dotted-circle} No | {dotted-circle} No | {dotted-circle} No | {check-circle} Yes | {dotted-circle} No | {dotted-circle} No |
| CWE-614 | Sensitive Cookie in HTTPS Session Without 'Secure' Attribute | {check-circle} Yes | {dotted-circle} No | {check-circle} Yes | {check-circle} Yes | {dotted-circle} No | {dotted-circle} No |
| CWE-639 | Authorization Bypass Through User-Controlled Key | {dotted-circle} No | {dotted-circle} No | {dotted-circle} No | {dotted-circle} No | {dotted-circle} No | {check-circle} Yes |
| CWE-643 | Improper Neutralization of Data within XPath Expressions ('XPath Injection') | {check-circle} Yes | {dotted-circle} No | {check-circle} Yes | {check-circle} Yes | {dotted-circle} No | {dotted-circle} No |
| CWE-704 | Incorrect Type Conversion or Cast | {dotted-circle} No | {dotted-circle} No | {check-circle} Yes | {dotted-circle} No | {dotted-circle} No | {dotted-circle} No |
| CWE-732 | Incorrect Permission Assignment for Critical Resource | {dotted-circle} No | {check-circle} Yes | {check-circle} Yes | {dotted-circle} No | {check-circle} Yes | {dotted-circle} No |
| CWE-749 | Exposed Dangerous Method or Function | {dotted-circle} No | {dotted-circle} No | {check-circle} Yes | {dotted-circle} No | {dotted-circle} No | {check-circle} Yes |
| CWE-754 | Improper Check for Unusual or Exceptional Conditions | {dotted-circle} No | {dotted-circle} No | {dotted-circle} No | {dotted-circle} No | {check-circle} Yes | {check-circle} Yes |
| CWE-757 | Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade') | {dotted-circle} No | {dotted-circle} No | {dotted-circle} No | {check-circle} Yes | {dotted-circle} No | {dotted-circle} No |
| CWE-770 | Allocation of Resources Without Limits or Throttling | {dotted-circle} No | {check-circle} Yes | {dotted-circle} No | {check-circle} Yes | {check-circle} Yes | {dotted-circle} No |
| CWE-776 | Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion') | {dotted-circle} No | {dotted-circle} No | {dotted-circle} No | {check-circle} Yes | {dotted-circle} No | {dotted-circle} No |
| CWE-780 | Use of RSA Algorithm without OAEP | {dotted-circle} No | {dotted-circle} No | {check-circle} Yes | {dotted-circle} No | {dotted-circle} No | {dotted-circle} No |
| CWE-787 | Out-of-bounds Write | {dotted-circle} No | {dotted-circle} No | {dotted-circle} No | {check-circle} Yes | {dotted-circle} No | {dotted-circle} No |
| CWE-798 | Use of Hard-coded Credentials | {dotted-circle} No | {dotted-circle} No | {dotted-circle} No | {check-circle} Yes | {dotted-circle} No | {dotted-circle} No |
| CWE-913 | Improper Control of Dynamically-Managed Code Resources | {dotted-circle} No | {dotted-circle} No | {dotted-circle} No | {check-circle} Yes | {dotted-circle} No | {dotted-circle} No |
| CWE-915 | Improperly Controlled Modification of Dynamically-Determined Object Attributes | {dotted-circle} No | {dotted-circle} No | {dotted-circle} No | {dotted-circle} No | {dotted-circle} No | {check-circle} Yes |
| CWE-917 | Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection') | {dotted-circle} No | {dotted-circle} No | {check-circle} Yes | {dotted-circle} No | {dotted-circle} No | {dotted-circle} No |
| CWE-918 | Server-Side Request Forgery (SSRF) | {check-circle} Yes | {check-circle} Yes | {check-circle} Yes | {check-circle} Yes | {check-circle} Yes | {check-circle} Yes |
| CWE-942 | Permissive Cross-domain Policy with Untrusted Domains | {dotted-circle} No | {dotted-circle} No | {check-circle} Yes | {check-circle} Yes | {dotted-circle} No | {dotted-circle} No |
| CWE-943 | Improper Neutralization of Special Elements in Data Query Logic | {dotted-circle} No | {check-circle} Yes | {check-circle} Yes | {check-circle} Yes | {dotted-circle} No | {dotted-circle} No |
| CWE-1004 | Sensitive Cookie Without 'HttpOnly' Flag | {check-circle} Yes | {dotted-circle} No | {check-circle} Yes | {check-circle} Yes | {dotted-circle} No | {check-circle} Yes |
| CWE-1104 | Use of Unmaintained Third Party Components | {dotted-circle} No | {dotted-circle} No | {dotted-circle} No | {dotted-circle} No | {check-circle} Yes | {dotted-circle} No |
| CWE-1204 | Generation of Weak Initialization Vector (IV) | {dotted-circle} No | {dotted-circle} No | {dotted-circle} No | {check-circle} Yes | {dotted-circle} No | {dotted-circle} No |
| CWE-1275 | Sensitive Cookie with Improper SameSite Attribute | {dotted-circle} No | {dotted-circle} No | {dotted-circle} No | {check-circle} Yes | {dotted-circle} No | {dotted-circle} No |
| CWE-1321 | Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') | {dotted-circle} No | {dotted-circle} No | {dotted-circle} No | {check-circle} Yes | {dotted-circle} No | {dotted-circle} No |
| CWE-1327 | Binding to an Unrestricted IP Address | {dotted-circle} No | {check-circle} Yes | {dotted-circle} No | {dotted-circle} No | {check-circle} Yes | {dotted-circle} No |
| CWE-1390 | Weak Authentication | {dotted-circle} No | {dotted-circle} No | {check-circle} Yes | {dotted-circle} No | {dotted-circle} No | {dotted-circle} No |
NOTE: Did this page answer the question you had? If not, please comment on epic 15343 to share your use case.