Add SANS Top 25 to CodeQL query mapping document #60

Closed
Copilot wants to merge 2 commits into main from copilot/add-sans-top-25-document

Conversation

Contributor

Copilot AI commented Jan 23, 2026

Created comprehensive mapping of SANS Top 25 Most Dangerous Software Weaknesses to CodeQL queries, mirroring the existing OWASP2025-CodeQL.md format.

Changes

  • New document: code-scanning-guides/SANS2025-CodeQL.md
    • Maps all 25 SANS CWEs to language-specific CodeQL queries
    • Includes coverage analysis: 68% comprehensive, 20% limited, 12% gaps
    • Documents query availability gaps (CWE-269, CWE-276, CWE-362, CWE-863)

Coverage Highlights

Strong coverage (8 languages): XSS (CWE-79), SQL Injection (CWE-89), Command Injection (CWE-78), Path Traversal (CWE-22)

C/C++ memory safety: Use After Free (CWE-416), Out-of-bounds Write (CWE-787), Buffer Errors (CWE-119), Out-of-bounds Read (CWE-125)

Known gaps requiring manual review: Race Conditions (CWE-362), Privilege Management (CWE-269), Default Permissions (CWE-276), Incorrect Authorization (CWE-863)

Structure

Follows OWASP document pattern:

  1. Ranked CWE table with links
  2. Query mappings by CWE (Language | Query tables)
  3. Coverage statistics with recommendations
  4. References to SANS, CodeQL, CWE resources

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • https://api.github.com/repositories/advanced-security/advanced-security-material/copilot_internal/embeddings_index
    • Triggering command: /home/REDACTED/work/_temp/ghcca-node/node/bin/node /home/REDACTED/work/_temp/ghcca-node/node/bin/node --enable-source-maps /home/REDACTED/work/_temp/copilot-developer-action-main/dist/index.js (http block)

If you need me to access, download, or install something from one of these locations, you can either:

Original prompt

This section details the original issue you should resolve

<issue_title>Add SANS Top 25 Document to repository</issue_title>
<issue_description>Following the same format as https://github.com/advanced-security/advanced-security-material/blob/main/code-scanning-guides/OWASP2025-CodeQL.md, add a document showing what CodeQL queries cover the SANS Top 25.

The SANS Top 25 list can be found here: https://www.sans.org/top25-software-errors.

Below is a table of the SANS Top 25 and the respective CWEs.

| Name | Rank | ID |
|---|---|---|
| Out-of-bounds Write | 1 | [CWE-787](https://cwe.mitre.org/data/definitions/787.html) |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | 2 | [CWE-79](https://cwe.mitre.org/data/definitions/79.html) |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | 3 | [CWE-89](https://cwe.mitre.org/data/definitions/89.html) |
| Use After Free | 4 | [CWE-416](https://cwe.mitre.org/data/definitions/416.html) |
| Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') | 5 | [CWE-78](https://cwe.mitre.org/data/definitions/78.html) |
| Improper Input Validation | 6 | [CWE-20](https://cwe.mitre.org/data/definitions/20.html) |
| Out-of-bounds Read | 7 | [CWE-125](https://cwe.mitre.org/data/definitions/125.html) |
| Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') | 8 | [CWE-22](https://cwe.mitre.org/data/definitions/22.html) |
| Cross-Site Request Forgery (CSRF) | 9 | [CWE-352](https://cwe.mitre.org/data/definitions/352.html) |
| Unrestricted Upload of File with Dangerous Type | 10 | [CWE-434](https://cwe.mitre.org/data/definitions/434.html) |
| Missing Authorization | 11 | [CWE-862](https://cwe.mitre.org/data/definitions/862.html) |
| NULL Pointer Dereference | 12 | [CWE-476](https://cwe.mitre.org/data/definitions/476.html) |
| Improper Authentication | 13 | [CWE-287](https://cwe.mitre.org/data/definitions/287.html) |
| Integer Overflow or Wraparound | 14 | [CWE-190](https://cwe.mitre.org/data/definitions/190.html) |
| Deserialization of Untrusted Data | 15 | [CWE-502](https://cwe.mitre.org/data/definitions/502.html) |
| Improper Neutralization of Special Elements used in a Command ('Command Injection') | 16 | [CWE-77](https://cwe.mitre.org/data/definitions/77.html) |
| Improper Restriction of Operations within the Bounds of a Memory Buffer | 17 | [CWE-119](https://cwe.mitre.org/data/definitions/119.html) |
| Use of Hard-coded Credentials | 18 | [CWE-798](https://cwe.mitre.org/data/definitions/798.html) |
| Server-Side Request Forgery (SSRF) | 19 | [CWE-918](https://cwe.mitre.org/data/definitions/918.html) |
| Missing Authentication for Critical Function | 20 | [CWE-306](https://cwe.mitre.org/data/definitions/306.html) |
| Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') | 21 | [CWE-362](https://cwe.mitre.org/data/definitions/362.html) |
| Improper Privilege Management | 22 | [CWE-269](https://cwe.mitre.org/data/definitions/269.html) |
| Improper Control of Generation of Code ('Code Injection') | 23 | [CWE-94](https://cwe.mitre.org/data/definitions/94.html) |
| Incorrect Authorization | 24 | [CWE-863](https://cwe.mitre.org/data/definitions/863.html) |
| Incorrect Default Permissions | 25 | [CWE-276](https://cwe.mitre.org/data/definitions/276.html) |
</issue_description>

<agent_instructions>Follow the same format as this document in the repository: https://github.com/advanced-security/advanced-security-material/blob/main/code-scanning-guides/OWASP2025-CodeQL.md</agent_instructions>

Comments on the Issue (you are @copilot in this section)


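The PR body claims the mapping document covers all 25 SANS CWEs and reports coverage as comprehensive/limited/gap, and the reviewer asks for that to be verified. The following is an added example (not code from this PR or the advanced-security-material repository) of a reviewer-side check: it parses a document written in the OWASP2025-CodeQL.md style (a `## CWE-NNN` heading per weakness followed by a `Language | Query` table), reports which SANS CWEs are missing, and classifies each by the number of languages with a query. The document excerpt and the "3 or more languages = comprehensive" threshold are constructed assumptions for the demo.

```python
"""Check a SANS Top 25 -> CodeQL mapping document for completeness and coverage."""
import re

# The 25 SANS CWE ids in rank order, taken from the issue's table.
SANS_TOP25 = [787, 79, 89, 416, 78, 20, 125, 22, 352, 434, 862, 476, 287,
              190, 502, 77, 119, 798, 918, 306, 362, 269, 94, 863, 276]

# Constructed excerpt of a mapping document in the "## CWE-NNN" + "Language | Query" style.
SAMPLE_DOC = """\
## CWE-79: Cross-site Scripting
| Language | Query |
|---|---|
| Java | java/xss |
| JavaScript | js/xss |
| Python | py/reflective-xss |
## CWE-362: Race Condition
No CodeQL query available; manual review required.
## CWE-798: Use of Hard-coded Credentials
| Language | Query |
|---|---|
| Java | java/hardcoded-credential-api-call |
"""

HEADING = re.compile(r"^##\s+CWE-(\d+)", re.M)
ROW = re.compile(r"^\|\s*([^|]+?)\s*\|\s*([^|]+?)\s*\|\s*$", re.M)


def parse_mapping(doc):
    """Return {cwe_id: set(languages)} for every CWE section in the document."""
    sections = {}
    heads = list(HEADING.finditer(doc))
    for i, m in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(doc)
        body = doc[m.end():end]
        # Skip the table header row and the |---|---| separator row.
        langs = {lang for lang, _query in ROW.findall(body)
                 if lang.lower() not in ("language", "---")}
        sections[int(m.group(1))] = langs
    return sections


def coverage_report(doc, cwes=SANS_TOP25, strong=3):
    """Classify each expected CWE and list those absent from the document entirely.

    Assumed thresholds: >= `strong` languages is "comprehensive", 1..strong-1 is
    "limited", a section with no query rows (or no section at all) is a "gap".
    """
    mapping = parse_mapping(doc)
    report = {}
    for cwe in cwes:
        n = len(mapping.get(cwe, set()))
        report[cwe] = "comprehensive" if n >= strong else ("limited" if n else "gap")
    missing = [c for c in cwes if c not in mapping]
    return report, missing
```

Running `coverage_report(SAMPLE_DOC)` on the constructed excerpt flags 22 CWEs as absent; on the real document the `missing` list should be empty before the PR is approved.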

…document

Co-authored-by: WritingPanda <5935647+WritingPanda@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Add SANS Top 25 document to repository" to "Add SANS Top 25 to CodeQL query mapping document" on Jan 23, 2026
Copilot AI requested a review from WritingPanda January 23, 2026 20:44
@WritingPanda
Contributor

@copilot

Make sure that all of the CodeQL CWEs are in the document. Here is the list: https://codeql.github.com/codeql-query-help/full-cwe/

Contributor Author

Copilot AI commented Jan 23, 2026

@copilot

Make sure that all of the CodeQL CWEs are in the document. Here is the list: https://codeql.github.com/codeql-query-help/full-cwe/

I want to clarify the request: The SANS2025-CodeQL.md document is specifically focused on mapping the SANS Top 25 CWEs to their corresponding CodeQL queries (25 CWEs total).

Are you asking me to:

  1. Verify that all CodeQL queries for these specific 25 SANS CWEs are included in the document, or
  2. Add all ~118 CWEs that CodeQL covers (not just the SANS Top 25)?

The document currently covers all 25 SANS CWEs with their available CodeQL queries. If you'd like me to expand it to include all CodeQL-covered CWEs (similar to the comprehensive list on the CodeQL site), that would be a significant expansion beyond the SANS Top 25 scope.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • codeql.github.com
    • Triggering command: /home/REDACTED/work/_temp/ghcca-node/node/bin/node /home/REDACTED/work/_temp/ghcca-node/node/bin/node --enable-source-maps /home/REDACTED/work/_temp/copilot-developer-action-main/dist/index.js (dns block)
  • https://api.github.com/repositories/advanced-security/advanced-security-material/copilot_internal/embeddings_index
    • Triggering command: /home/REDACTED/work/_temp/ghcca-node/node/bin/node /home/REDACTED/work/_temp/ghcca-node/node/bin/node --enable-source-maps /home/REDACTED/work/_temp/copilot-developer-action-main/dist/index.js (http block)

If you need me to access, download, or install something from one of these locations, you can either:

Development

Successfully merging this pull request may close these issues.

Add SANS Top 25 Document to repository

2 participants